Privacy & Information Security Law Blog

On January 13, 2021, Advocate General (“AG”) Michal Bobek of the Court of Justice of the European Union (“CJEU”) issued his Opinion in the Case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”).

Background

The Belgian DPA initiated judicial proceedings against several members of the Facebook group before the Belgian Courts in September 2015. The Belgian DPA requested that the Court order Facebook to stop placing cookies on Internet users’ devices without their consent and stop collecting data in an allegedly excessive manner when they browse a web page in the Facebook.com domain or on third parties’ websites, including via Facebook social plug-ins and pixels. The proceedings, which are currently still in progress before the Court of Appeal of Brussels, were limited to Facebook Belgium BVBA after the Court of Appeal of Brussels previously established that it had no jurisdiction over Facebook Inc. and Facebook Ireland Ltd.

Facebook had asserted that with the General Data Protection Regulation (“GDPR”) becoming applicable in May 2018, the Belgian DPA did not have competence to continue the judicial proceedings for infringements of the GDPR in relation to cross-border data processing. According to Facebook, the competent DPA in this case is the DPA of Facebook’s main establishment in the EU, the Irish DPA (i.e. the so-called “lead DPA”).

Against this background, the Court of Appeal of Brussels referred a number of questions to the CJEU aimed at clarifying whether the GDPR’s One-Stop-Shop regime prevents a national DPA (other than the lead DPA) from initiating court proceedings in its Member State against infringements of the GDPR with respect to cross-border data processing.

AG Opinion

In his opinion, the AG addresses several points:

• Based on the GDPR, the lead DPA has general competence over cross-border data processing, including competence to commence judicial proceedings for infringements of the GDPR. Concerned DPAs have a more limited power to act in that regard. While any DPA has the power to commence proceedings against possible infringements affecting their territories, this power is limited with respect to cross-border data processing to enable the lead DPA to exercise its regulatory role in this regard.
• The goal of the GDPR’s One-Stop-Shop mechanism, which establishes a cooperation mechanism and gives the lead DPA a significant role, was to address the shortcomings of the Data Protection Directive, which required companies to comply with various sets of national rules and to liaise with the DPAs of all EU Member States. This was costly, burdensome and time-consuming, and risked individual DPAs taking different approaches with regard to cross-border data processing activities. According to the AG, a textual, teleological and historical approach to the interpretation of the GDPR confirms that DPAs are bound to follow the rules on competence and the cooperation and consistency mechanisms set out in the GDPR.
• As to the arguments relating to data subjects’ access to court, the AG notes that data subjects can bring proceedings directly against controllers or processors before the courts of the Member State in which they reside. They can also lodge a complaint before the DPA of their Member State, even if the lead DPA is located in another Member State.
• The AG emphasizes that the lead DPA cannot be deemed the sole enforcer of the GDPR in cross-border situations and must closely cooperate with other concerned DPAs, in accordance with the relevant rules set forth under the GDPR.
• The AG finally indicates that national DPAs that do not act as the lead DPA can nonetheless bring proceedings before their national courts where they are (1) acting outside the material scope of the GDPR (for example, because the processing does not involve personal data, which may be the case in the context of the use of cookies); (2) investigating cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority or by controllers not established in the EU; (3) adopting urgent measures in situations envisioned by Article 66 of the GDPR; or (4) intervening following a decision of the lead DPA not to handle a case. Effectively, the AG’s view is that the GDPR does not include a general bar for other DPAs, including concerned DPAs, to start proceedings against potential infringement of data protection rules.

Accordingly, the AG considers that the GDPR permits the DPA of a Member State that is not the lead DPA for a company to bring proceedings against that company before its national court for an alleged infringement of the GDPR with respect to cross-border data processing, but only in situations where the GDPR specifically allows it to do so and provided it follows the appropriate procedures set out in the GDPR.

Next Steps

The CJEU will now begin its deliberation, and the final judgment is expected in the coming months. Although the CJEU will take into account the AG’s opinion, it is not legally binding on the Court. After the CJEU has issued a final judgment, the Belgian Court of Appeal will decide the case in accordance with the CJEU’s ruling.

Read the full text of the Advocate General’s Opinion.