Any country in the EU can press Facebook and other online companies on the bloc's data privacy rules, not just the one where the firm is registered, Europe's top court ruled on Tuesday.
Such legal action, however, can only happen "under certain conditions" the European Court of Justice (ECJ) said, under a general "one-stop shop" principle which gives prime responsibility in such matters to data supervisory authorities in the registering member state.
The ruling shot down a challenge from Facebook in a case dating back to 2015, in which a Belgian court took up a data-protection issue against the US internet giant.
Facebook had argued the case should only be decided in Ireland, where its EU operations are based.
The ECJ noted that the case pre-dated the 2018 entry into force of the EU's data privacy laws, called GDPR or General Data Protection Regulation.
But, importantly, it also held that the GDPR "authorises, under certain conditions, a supervisory authority of a Member State to exercise its power to bring any alleged infringement... before a court of that State" where cross-border data processing is involved.
A GDPR cooperation requirement meant that a "lead supervisory authority may not ignore the views of the other supervisory authorities," which can raise objections that would block "at least temporarily" the lead authority's decisions, it said.
Facebook, in a statement giving its reaction, focused on the limited scope for such actions happening.
"We are pleased that the CJEU (ECJ) has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU," it said.
The 2015 Belgian case was brought by the president of the Belgian Privacy Commission -- since superseded by the country's Data Protection Authority -- alleging Facebook infringed on Belgian internet users' rights by collecting their information on their browsing behaviour whether they were Facebook users or not.
The Belgian court in 2018 found against Facebook and ordered it end the practice where it took place without users' consent, under threat of a daily fine of 250,000 euros.
Facebook appealed, with the matter being kicked up to the ECJ to determine the effects of the "one-stop shop" mechanism on the legal wrangle.
The European Consumer Organisation BEUC welcomed the ECJ's ruling, saying it "should have positive repercussions in the fight to better protect consumers' personal data".
It noted that many Big Tech companies were registered in Ireland and argued "it should not be up to that country's authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge".