Big tech companies like Facebook, Google, and Twitter can be challenged on data privacy by any EU country regulator, the bloc's top court has ruled.
The EU Court of Justice concluded that platforms can now be sued under certain conditions by any data protection authority in the European Union, not just the lead regulator.
The decision clarifies the EU's stringent privacy rules, known as the General Data Protection Regulation (GDPR).
The court announced its decision on Tuesday while deciding a 2015 case involving Facebook and Belgium's data protection watchdog.
The verdict has huge privacy implications for all big tech companies who operate in the European Union, as well as smaller businesses.
The European Consumers' Organisation (BEUC) has welcomed the verdict, which they say will help better protect consumers’ personal data.
But a tech lobbying group has said the ruling risked making data protection compliance in the EU "more inconsistent, fragmented and uncertain".
The "one-stop-shop" mechanism
Under GDPR, only one EU country’s national data protection authority can handle legal cases involving cross-border data complaints.
For Facebook, Apple, Twitter, and Google -- which have their European headquarters in Dublin -- it is Ireland’s Data Protection Commission.
Even if another member state's watchdog wanted to sue Facebook or Google for violating privacy rights, they would need to hand the case to the Irish authority under this "one-stop-shop" mechanism.
The system has been widely criticised, however, with many EU regulators blaming Dublin for not clearing a backlog of rising data privacy cases.
Ireland's authority has faced backlash for taking too long to resolve GDPR cases involving tech giants, but it argues that the cases are complicated.
But on Tuesday, the Luxembourg-based court ruled that the so-called "one-stop-shop" could be lifted in exceptional circumstances.
"Under certain conditions," a national watchdog has the power to take a company to court over a GDPR violation even if it’s not the lead regulator, the court said.
Watchdogs must still cooperate closely, the court added, and cases could only be brought if the violations occurred in the relevant country.
This ruling supports a preliminary opinion in January from the court's Advocate General, Michal Bobek.
What was the 2015 Belgium case about?
Belgium's data protection authority (CPVP) had been in a lengthy legal battle with Facebook over data privacy since 2015.
Belgian regulators have complained that Facebook has been gathering data on people for advertising purposes without their consent, including people who aren’t even on the social network.
In February 2018, Facebook were ordered to stop tracking users, under penalty of a fine of 250,000 euros per day.
But The company had argued that the Belgian watchdog no longer had jurisdiction after GDPR took effect in 2018.
The Brussels Court of Appeal then asked the EU Court of Justice to rule on the case involving Facebook's online cookies, which track the behaviour of users.
And the court noted that where a national supervisory authority -- which is not the "lead authority" -- brought an action before GDPR came into force, "that action may be maintained under EU law".
Experts had suggested that this ruling would potentially pave the way for a fresh onslaught of privacy cases across the EU’s 27 member nations.
What are the implications of this decision?
The verdict doesn't just affect Facebook, Google, Twitter, and Apple, but also smaller internet companies that operate in the EU.
The BEUC said the decision should have "positive repercussions" for protecting user's online data.
"This is a positive development in the bid to have our privacy respected regardless of where the company is established in the EU," said BEUC Director General, Monique Goyens.
"Given the existing bottlenecks in the GDPR cross-border enforcement system, all national authorities must be able, under certain conditions, to proactively take matters into their own hands and use their full powers when our rights are trampled on."
"Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge."
Facebook, for their part, have also welcomed the decision, noting that under the ruling the Irish regulator remains in charge except in limited circumstances.
"We are pleased that the court has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU," said Jack Gilbert, the company’s associate general counsel.
But the CCIA tech lobby group has expressed concern over the verdict.
"While the court has upheld the one-stop-shop principle ... it has also opened the back door for all national data protection enforcers to start multiple proceedings against companies," said CCIA Europe Senior Policy Manager Alex Roure.
"Data protection compliance in the EU risks becoming more inconsistent, fragmented, and uncertain," he added.
"We urge national authorities to be cautious about launching multiple proceedings that would weaken legal certainty and further complicate data protection compliance in the EU."