On May 8, 2019, the Brussels Court of Appeal referred the Belgian Data Protection Authority’s (DPA) case against Facebook to the European Court of Justice (CJEU) to address jurisdictional issues regarding which DPA is competent to bring enforcement actions against Facebook. The case deals with Facebook’s collection of individuals’ data through cookies stored in Facebook’s social plugins. The Belgian DPA alleges that Facebook’s data collection is unlawful as it lacks valid consent and does not provide appropriate notice to individuals. Several courts in Belgium have already examined the issues, but it now reaches a new phase as the Brussels Court of Appeal Court referred critical questions to the CJEU dealing with the interpretation of the concept of “Lead Supervisory Authority” under the General Data Protection Regulation (GDPR).
On June 10, 2015, the Belgian Privacy Commission, the predecessor to the Belgian DPA, introduced proceedings before the Brussels Court of First Instance against several Facebook entities (i.e., Facebook Ireland Limited, Facebook Inc., and Facebook Belgium Bvba). The Belgian Privacy Commission alleged that Facebook did not provide sufficient notice to both Facebook users and non-Facebook users about its data processing activities through cookies stored in Facebook’s social plugins. In addition, the Belgian Privacy Commission found that Facebook did not have a legal basis for its processing of personal data of non-Facebook users, as it did not obtain valid consent for the processing of their data.
On February 16, 2018, the Brussels Court of First Instance ordered Facebook to halt any further processing of Belgian individuals’ personal data through such cookies, subject to penalty payments of $250,000 per day up to a maximum of EUR100 million.
Facebook appealed the decision before the Brussels Court of Appeal, claiming that Belgian courts are not territorially competent to rule against Facebook Ireland Limited and Facebook Inc. On May 8, 2019, the court determined that it does not have jurisdiction over Facebook Ireland and Facebook, Inc., but it concluded that it remains competent to hear the case against Facebook Belgium Bvba.
However, the court questioned whether the Belgian DPA has ‘standing’ to pursue its claim after the introduction of the “one-stop-shop mechanism” by the GDPR. This mechanism facilitates cooperation among national supervisory authorities by designating a lead supervisory authority in matters involving cross-border processing activities. A ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with cross-border data processing. A ‘cross-border data processing activity’ occurs when the processing is performed by entities in different EU Member States, or when it affects individuals located in different EU member states. Facebook’s lead supervisory authority is the Irish DPA.
The Brussels Court of Appeal has requested a preliminary ruling from the CJEU to determine the scope of a national supervisory authority’s competence in light of the GDPR’s one-stop-shop mechanism.
The Brussels Court of Appeal requested the CJEU to rule on the following questions:
- Are the articles of the GDPR, which determine the competence of and cooperation between supervisory authorities in the context of cross-border processing activities, read in conjunction with the articles of the Charter of Fundamental Rights of the European Union which set out the principles of respect for private and family life, protection of personal data, and the right to an effective remedy and a fair trial, to be interpreted as meaning that a supervisory authority which has the power to initiate legal proceedings against infringements of the GDPR before a domestic court cannot exercise that power in relation to cross-border processing, if it is not the lead supervisory authority?
- Does it make a difference if the controller of the cross-border processing does not have its main establishment in that member state, but has another establishment there?
- Does it make a difference whether the national supervisory authority initiates the proceedings against the main establishment of the controller or against the entity established in its own member state?
- Does it make a difference if the national supervisory authority has already initiated the proceedings before the date upon which the GDPR entered into force (May 25, 2018)?
- If the response to the first question is positive, does this mean that the article of the GDPR, which provides that each member state’s domestic law must grant its supervisory authority the power to bring infringements of the GDPR before judicial authorities and to otherwise engage in legal proceedings where appropriate, has direct effect, such that a national supervisory authority can rely on this article to initiate or continue judicial proceedings against private actors, even if this article has not specifically been transposed into member state law, notwithstanding that such is required?
- If the response to the previous questions is positive, could the result of such proceedings obstruct a contrary finding of a lead supervisory authority, where the lead supervisory authority would be investigating the same or similar cross-border processing activities in accordance with the mechanism of the GDPR which determines the competence of and cooperation between supervisory authorities in the context of cross-border processing activities?
The one-stop-shop mechanism is an important new development under GDPR. Industry has welcomed it as it aims to streamline procedures against companies operating in several EU member states. However, as is demonstrated by the Facebook case, numerous questions remain regarding its actual application.
This case will have a significant impact on data protection regulatory enforcement actions and litigation in the EU as it should provide more clarity on the GDPR’s provisions regarding the lead supervisory authority’s jurisdiction and will help determine which supervisory authority is competent to investigate cross-border data processing activities. In particular, the CJEU will determine whether the Belgian DPA can pursue its claim against Facebook’s Belgian entity. In addition, the case should determine whether the one-stop-shop principle applies to proceedings initiated prior to the GDPR’s effective date, which may impact similar proceedings pending in other EU member states.
WSGR will continue to monitor further developments in this case.