
In Facebook case, top EU court opens floodgates for more GDPR suits against Big Tech

June 15, 2021, 10:24 AM UTC

Big Tech is likely to face more privacy enforcements—and more fines—in the European Union, thanks to a major ruling by the union’s highest court in a case involving Facebook.

On Tuesday, the Court of Justice of the European Union (CJEU) ruled that privacy watchdogs in any EU country can enforce the General Data Protection Regulation (GDPR) against a company, under certain circumstances.

The judgment augurs the end of a six-year argument between Facebook and the Belgian privacy authority, which in 2015 ordered Facebook to stop using cookies and hidden tracking tools to follow Belgians (even those without Facebook accounts) around the web. Although the case spans both the pre-GDPR and GDPR eras—the tough EU rulebook only came into effect in May 2018—Facebook has consistently argued that it is not answerable to the Belgian authority.

Instead, Facebook claimed, only the Irish Data Protection Commission can enforce EU privacy law against it. That’s because (as with Google, Microsoft and many others) Facebook’s EU headquarters are in Ireland, making the Irish watchdog the “lead supervisory authority” when it comes to cases that involve multiple EU countries, as Facebook’s activities generally do.

However, according to the CJEU on Tuesday, the Irish regulator’s special status under the GDPR’s so-called one-stop shop mechanism does not mean other regulators’ hands are always tied.

The GDPR “authorizes, under certain conditions, a supervisory authority of a Member State to exercise its power to bring any alleged infringement of the GDPR before a court of that State and to initiate or engage in legal proceedings in relation to an instance of cross-border data processing, although that authority is not the lead supervisory authority with regard to that processing,” the court said.

Irish bottleneck

What might those “certain conditions” entail?

For one thing, the court said, the GDPR’s one-stop shop mechanism requires the lead authority to talk and cooperate with other EU watchdogs that are involved in a case. “Accordingly, in the context of that cooperation, the lead supervisory authority may not ignore the views of the other supervisory authorities, and any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of the draft decision of the lead supervisory authority,” it said.

The under-resourced Irish Data Protection Commission has been heavily criticized for failing to crack down on Big Tech—the GDPR allows it to issue fines worth billions of euros, but its biggest fine thus far is $548,000, issued to Twitter over a 2019 data breach. The criticism has come not just from privacy campaigners, but also from other European data protection authorities that are frustrated at the GDPR’s effective toothlessness.

So it is unsurprising that consumer advocates have warmly greeted the CJEU’s Tuesday ruling.

“This is a positive development in the bid to have our privacy respected regardless of where the company is established in the EU,” said Monique Goyens, director-general of the European Consumer Organisation (BEUC), in a statement. “Given the existing bottlenecks in the GDPR cross-border enforcement system, all national authorities must be able, under certain conditions, to proactively take matters into their own hands and use their full powers when our rights are trampled on.”

The statement continued, “Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge.”

The Irish regulator had not responded to a request for comment at the time of writing; nor had the Belgian watchdog. However, the European wing of the Computer & Communications Industry Association (CCIA)—a major tech industry lobbyist—was unhappy.

“While the Court has upheld the one-stop-shop principle, which is essential to the consistent application of data protection rules in Europe, it has also opened the back door for all national data protection enforcers to start multiple proceedings against companies,” said CCIA Europe senior policy manager Alex Roure in a statement.

“Data protection compliance in the EU risks becoming more inconsistent, fragmented, and uncertain. We urge national authorities to be cautious about launching multiple proceedings that would weaken legal certainty and further complicate data protection compliance in the EU.”

As for Facebook itself, the company issued a sanguine statement that was almost identical to the one it released in January, when the court’s chief adviser recommended the course of action that the court ultimately took.

“We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU,” said Facebook associate general counsel Jack Gilbert.
