On the 13th of January, the Advocate General of the Court of Justice of the European Union (CJEU) Michal Bobek delivered his opinion in case between Facebook and the Belgian Data Protection Authority - Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v Gegevensbeschermingsautoriteit (Case C-645/19).
The opinion follows after the Belgian Data Protection Authority went to court against Facebook for collecting information on the surfing behavior of internet users in Belgium through cookies. The Court of Appeal of Brussels decided to question the CJEU whether the Belgian DPA could indeed start legal proceedings against Facebook.
In his opinion, Bobek repeated that the privacy authority in the Member State where a data controller or processor has its main EU establishment (‘lead authority’) has the power to start court proceedings for GDPR infringements in relation to cross-border data processing (the GDPR’s so-called ‘one-stop shop mechanism’). In the case of Facebook, the Irish DPC is the lead authority. The opinion stresses that other privacy authorities' power (such as the Belgian one) to start legal proceedings against such infringements which affect their territories is restricted.
However, the opinion states that the one-stop shop mechanism does not prevent other supervisory authorities from bringing proceedings to a national court “in the situations where the GDPR specifically confers upon it competences to this end”, such as when they:
- act outside the material scope of the GDPR
- investigate into cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority, or by controllers not established in the EU (such as the Facebooks, Googles and Amazons of this world)
- adopt urgent measures
- intervene following the lead data protection authority having decided not to handle a case
Implications of the case
At first glance, the opinion seems to be in line with previous action by the Swedish authority against Google and the French CNIL against Google and Amazon, where competence was also a point of discussion.
David Stevens, Chairman of the Belgian DPA stated:
“We are pleased to see that the Advocate General confirms that in principle data protection authorities can bring proceedings before their national courts, provided that this does not encroach on the loyal cooperation between data protection authorities.”
It remains to be seen whether the CJEU will follow the opinion and if organisations, especially those whose non-EEA parent organisations decide the purpose and means of the processing, can keep relying on the one-stop-shop mechanism. If other supervisors will feel bolstered by the opinion to start their own national proceedings, we might start seeing a growing number of cross-border cases before national courts come spring.
The date of delivery of the definitive CJEU judgment is not yet known, usually this takes a couple of weeks to several months. The CJEU follows the opinion of the AG in an estimated 67% of cases.