"The lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations, and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned," the opinion said.
Facebook interpreted it as a victory.
“We are pleased that the Advocate General has reaffirmed the value and principles of the one-stop-shop mechanism, which was introduced to ensure the efficient and consistent application of GDPR,” said Associate General Counsel Jack Gilbert. "We await the Court’s final verdict.”
Privacy advocates and experts, however, said the advice could change how data privacy cases are handled, by taking the pressure off a single watchdog.
Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, said Bobek is signalling that Ireland’s privacy watchdog “can no longer use its status as lead authority for Google, Facebook, etc. to hold up enforcement of the GDPR across the EU.”
The Irish watchdog has faced criticism for not dealing quickly enough with a rising pile of cross-border data privacy cases involving big tech companies since GDPR took effect. It issued its first such penalty to Twitter last month, fining it for a security breach, but still has about two dozen more to go.
Businesses could also face a bigger compliance burden responding to more privacy cases in multiple EU markets, because it would be easier for people to file complaints to their local privacy watchdog, said Cillian Kieran, CEO of privacy compliance startup Ethyca.
For all of AP's tech coverage, visit https://apnews.com/apf-technology
Follow Kelvin Chan at www.twitter.com/chanman