Illustrating the reach and power of the General Data Protection Regulation (GDPR), tech giant Facebook has this week seen German justices refer a GDPR suit against the company to the EU’s top court.

The case dates back to 2016 when the Bundeskartellamt (Federal Cartel Office) began investigating whether or not the social media network broke data privacy rules by not giving users a choice before tracking them via third-party websites and its own platforms.

In a potential industry first, the case links the GDPR with competition laws, potentially opening up an innovative new approach for regulators to enforce EU privacy rules. British based organisations are still subject to the GDPR despite Brexit, as it has been independently adopted by the UK government.

The German competition regulator argued that Facebook, through its dominant position, was able to issue contractual terms that breached GDPR, enabling it to build a database on users that its rivals could not match, TechCrunch reported.

While the Menlo Park-headquartered company managed to block an order in 2019 designed to make it stop tracking users, the case was reopened last summer.

The Düsseldorf Higher Regional Court has now referred the case to the European Court of Justice, which could take years before setting a court date. The German authority said only the ECJ could processes challenges under EU law in cases like this.

Facebook is already the object of several undecided GDPR cases from the Irish Data Protection Commission.

The news is another setback for the tech behemoth. It recently voiced its opposition against a new Apple policy enabling iPhone users to decide whether or not app makers could track them online, which many users are expected to decline.

Data protection officers at companies and organisations across the EU, UK and beyond will no doubt follow the cases with interest.