On October 24, 2017, an opinion issued by the EU’s Advocate General Bot (“Bot”) rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The non-binding opinion was issued in relation to the CJEU case C-210/16, under which the German courts sought to clarify whether the data protection authority (“DPA”) in the German state of Schleswig-Holstein could take action against Facebook with respect to its use of web tracking technologies on a German education provider’s fan page without first providing notice.
Although Facebook’s EU data processing activities are handled jointly by Facebook, Inc. in the U.S. and Facebook Ireland, its European headquarters, Facebook has a number of subsidiaries in other EU Member States that promote and sell advertising space on the social network. In line with Directive 95/46/EC and the Google Spain decision, Bot held that the processing of personal data via cookies, which Facebook used to improve its targeting of advertisements, had to be considered as being in the context of the activities of the German establishment. It therefore followed that Facebook fell under the jurisdiction of the German DPA and other DPAs in which its subsidiaries engaged in the promotion and sale of advertising space.
The opinion is non-binding and Facebook awaits the CJEU’s verdict. It should be noted, however, that most CJEU verdicts follow the prior opinions of Advocate Generals. Also, this situation may be interpreted differently under the EU’s General Data Protection Regulation (“GDPR”), which replaces existing EU Member State data protection laws based on Directive 95/46/EC when it enters into force on May 25, 2018. Under the GDPR, the One-Stop-Shop mechanism will see the DPA in an organization’s main EU establishment take the role of lead authority. In other EU Member States where the organization has establishments, DPAs will be regarded as ‘concerned authorities,’ but any regulatory action will be driven by the lead authority – which in Facebook’s case likely is the Irish Data Protection Commissioner.