On January 13, 2021, Advocate General (“AG”) Michal Bobek from the Court of Justice of the European Union (“ECJ”) gave his opinion in Case C-645/19 by Facebook Ireland Limited, Facebook Inc., Facebook, ab Belgium BVBA against the Belgian Data Protection Authority (“Belgian Data Protection Authority”).
The Belgian data protection authority initiated legal proceedings against several members of the Facebook group in the Belgian courts in September 2015. The Belgian Data Protection Agency asked the court to order Facebook to stop placing cookies on Internet users’ devices and to stop collecting data when browsing a website in the Facebook.com domain or on third party websites without their consent, including via social plug-ins and pixels from Facebook. The proceedings that are currently pending before the Brussels Court of Appeal were limited to Facebook Belgium BVBA after the Brussels Court of Appeals previously ruled that it was not applicable to Facebook Inc. and Facebook Ireland Ltd. responsible is.
Facebook had asserted that with the General Data Protection Regulation (GDPR) coming into force in May 2018, the Belgian data protection authority was not authorized to continue legal proceedings for violations of the GDPR in connection with cross-border data processing. According to Facebook, the relevant data protection authority in this case is the data protection authority of Facebook’s main branch in the EU, the Irish data protection authority (ie the so-called “lead data protection authority”).
Against this background, the Brussels Court of Appeal has submitted a series of questions to the ECJ to clarify whether the one-stop-shop regime of the GDPR prevents a national data protection authority (with the exception of the lead data protection authority) from initiating legal proceedings in their Member State for violations against the GDPR in relation to cross-border data processing.
Statement of the AG
In his opinion, the working group addresses several points:
- On the basis of the GDPR, the lead data protection authority has general responsibility for cross-border data processing, including the power to initiate legal proceedings for violations of the GDPR. The data protection authorities concerned have limited authority to act in this regard. While any data protection authority has the power to initiate proceedings against possible violations in its territory, this power is limited in relation to cross-border data processing in order for the lead data protection authority to exercise its regulatory role in this regard.
- The aim of the one-stop-shop mechanism of the GDPR, which establishes a cooperation mechanism and gives the lead data protection authority an important role, was to address the shortcomings of the data protection directive, according to which companies must comply with various national regulations and liaise with data protection authorities of all EU member states. This was costly, tedious, and time consuming, and risked individual data protection authorities taking different approaches to cross-border data processing activities. According to the AG, a textual, teleological and historical approach to the interpretation of the GDPR confirms that the data protection authorities are obliged to comply with the competence rules set out in the GDPR as well as the cooperation and consistency mechanisms.
- With regard to the arguments relating to data subjects’ access to the court, the WG notes that data subjects can bring an action directly against the controllers or processors in the courts of the Member State in which they are domiciled. You can also lodge a complaint with the data protection authority in your Member State, even if the lead data protection authority is in another Member State.
- The WG emphasizes that the lead data protection authority cannot be viewed as the sole executor of the GDPR in cross-border situations and must work closely with other data protection authorities concerned in accordance with the relevant provisions set out in the GDPR.
Accordingly, the AG is of the opinion that the GDPR allows the data protection authority of a member state that is not the lead data protection authority of a company to bring an action against this company for an alleged violation of the GDPR in relation to cross-border data processing. but only in situations where the GDPR expressly allows this and the procedures set out in the GDPR are followed.
The ECJ will now begin its deliberation and the final judgment is expected in the coming months. Although the ECJ will take the AG’s opinion into account, it is not legally binding for the Court of Justice. After the ECJ has issued a final judgment, the Belgian Court of Appeal will decide the case according to the ECJ’s decision.
Read the full text of the Advocate General’s opinion.