The Court of Justice of the European Union has delivered its judgment in Case C-645/19 Facebook Ireland and others.
Facts of case
In 2015, the Belgian Privacy Commission brought an action before the Belgian courts seeking an injunction against Facebook Ireland, Facebook Inc. and Facebook Belgium regarding alleged infringements of data protection laws by Facebook. Those infringements related to the collection and use of information on the browsing behaviour of Belgian internet users, whether or not they were Facebook account holders, using various technologies, such as cookies, social plug-ins or pixels.
In 2018 the Belgian court held that it had jurisdiction to rule in those proceedings and decided that the Facebook social network had not adequately informed Belgian internet users about the collection and use of the information concerned. Further, it held that the consent given by the internet users to the collection and processing of that data was invalid.
Facebook Ireland, Facebook Inc. and Facebook Belgium appealed to the Court of Appeal in Brussels, which held that it solely had jurisdiction to rule on the appeal brought by Facebook Belgium.
However, the appeal court was unsure about how the GDPR’s ‘one-stop shop’ mechanism affected the competences of the data protection authority; and in particular, whether the data protection authority could bring an action against Facebook Belgium, because Facebook Ireland has been identified as the controller of the data concerned. Since the GDPR came into force, and in particular under the ‘one-stop shop’ rule laid down by the GDPR, only the Data Protection Commissioner (Ireland) is competent to bring injunction proceedings, subject to review by the Irish courts.
The Court of Justice has now detailed the powers of national supervisory authorities under the GDPR. Therefore, it considers that the GDPR authorises, under certain circumstances, a supervisory authority of a member state to exercise its power to bring any alleged infringement of the GDPR before a court of that member state and to initiate or engage in legal proceedings in relation to an instance of cross-border data processing, although that authority is not the lead supervisory authority with regard to that processing.
The CJEU’s findings
1. The Court set out the rules governing whether a national supervisory authority, which is not the lead supervisory authority, must exercise its power to bring any alleged infringement of the GDPR before a court of a member state and, where necessary, to initiate or engage in legal proceedings to ensure the application of the GDPR. Therefore, the GDPR must confer on that supervisory authority a competence to adopt a decision finding that that processing infringes the rules in the GDPR. In addition, that power must be exercised with due regard to the cooperation and consistency procedures in the GDPR.
Regarding cross-border processing, the GDPR provides for the ‘one-stop shop’ mechanism, which is based on an allocation of competences between one ‘lead supervisory authority’ and the other national supervisory authorities concerned. That mechanism requires close, sincere and effective cooperation between those authorities, to ensure consistent and homogeneous protection of the rules for the protection of personal data, and so preserve its effectiveness. As a general rule, the GDPR guarantees the competence of the lead supervisory authority for the adoption of a decision finding that an instance of cross-border processing is an infringement of the GDPR, whereas the competence of the other supervisory authorities concerned for the adoption of such a decision, even provisionally, constitutes the exception to the rule. However, in the exercise of its competences, the lead supervisory authority cannot “eschew essential dialogue and sincere and effective cooperation” with the other supervisory authorities concerned. Therefore, the lead supervisory authority may not ignore the views of the other supervisory authorities, and any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of the draft decision of the lead supervisory authority.
In addition, a supervisory authority of another member state may only exercise the power to bring any alleged infringement of the GDPR before a court of that state and to initiate or engage in legal proceedings if it complies with the allocation of competences between the lead supervisory authority and the other supervisory authorities in Articles 7, 8 and 47 of the Charter of Fundamental Rights of the EU, which guarantee data subjects the right to the protection of their personal data and the right to an effective remedy.
2. The Court held that, for cross-border data processing, the controller does not have to be established in the member state of the supervisory authority concerned. However, the exercise of the authority’s power must fall within the territorial scope of the GDPR, which presupposes that the controller or the processor is established in the EU. 3. The Court ruled that if there is cross-border data processing, the power of a supervisory authority to bring any alleged infringement of the GDPR before a court of that member state and, where appropriate, to initiate or engage in legal proceedings, may be exercised both with respect to the main establishment of the controller which is located in that authority’s own member state and with respect to another establishment of that controller, as long as the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power.
However, the Court added that the exercise of that power presupposes that the GDPR applies. In this instance, because the activities of the establishment of the Facebook group located in Belgium are inextricably linked to the processing of personal data at issue in the main proceedings, with respect to which Facebook Ireland is the controller within the EU, that processing is carried out ‘in the context of the activities of an establishment of the controller’ and, therefore does fall under the GDPR’s scope.
4. The Court also held that if relevant proceedings had been brought before the GDPR came into force, that action may be continued under the Data Protection Directive, which still applies to infringements of the rules in the Directive that were committed before it was repealed. Furthermore, that action may be brought by that authority with respect to infringements committed after the date of entry into force of the GDPR, provided that it is brought in one of the situations where, exceptionally, the GDPR confers on that authority a competence to adopt a decision finding that the processing of data in question is in breach of the rules, and that the cooperation and consistency procedures are respected.
5. The Court recognised the direct effect of the GDPR’s rules under which each member state is to provide by law that its supervisory authority is to have the power to bring infringements of the GDPR to the attention of the judicial authorities and, where appropriate, to initiate or engage otherwise in legal proceedings. Consequently, such an authority may bring or continue a legal action against private parties, even where it has not been specifically implemented in the legislation of the member state concerned.
