General Data Protection Regulation (GDPR): the Court specifies the conditions for the exercise of the national supervisory authorities’ powers with respect to the cross-border processing of data.
Under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a Member State, even though that authority is not the lead supervisory authority with regard to that processing.
On 11 September 2015, the President of the Belgian Privacy Commission (‘the Privacy Commission’) brought an action before the Nederlandstalige rechtbank van eerste aanleg Brussel (Dutch-language Court of First Instance, Brussels, Belgium), seeking an injunction against Facebook Ireland, Facebook Inc. and Facebook Belgium, aiming to put an end to alleged infringements of data protection laws by Facebook. Those infringements consisted, inter alia, of the collection and use of information on the browsing behaviour of Belgian internet users, whether or not they were Facebook account holders, by means of various technologies, such as cookies, social plug-ins 1 or pixels.
On 16 February 2018, that court held that it had jurisdiction to give a ruling on that action and, on the substance, held that the Facebook social network had not adequately informed Belgian internet users of the collection and use of the information concerned. Further, the consent given by the internet users to the collection and processing of that data was held to be invalid.
On 2 March 2018, Facebook Ireland, Facebook Inc. and Facebook Belgium brought an appeal against that judgment before the Hof van beroep te Brussel (Court of Appeal, Brussels), the referring court in the present case. Before that court, the Data Protection Authority (Belgium) (‘the DPA’) acted as the legal successor of the President of the Privacy Commission. The referring court held that it solely has jurisdiction to give a ruling on the appeal brought by Facebook Belgium.
The referring court was uncertain as to the effect of the application of the ‘one-stop shop’ mechanism provided for by the GDPR 2 on the competences of the DPA and, in particular, whether, with respect to the facts subsequent to the date of entry into force of the GDPR, namely 25 May 2018, the DPA may bring an action against Facebook Belgium, since it is Facebook Ireland which has been identified as the controller of the data concerned. Since that date, and in particular under the ‘one-stop shop’ rule laid down by the GDPR, only the Data Protection Commissioner (Ireland) is competent to bring injunction proceedings, subject to review by the Irish courts.
In its Grand Chamber judgment, the Court of Justice specifies the powers of national supervisory authorities within the scheme of the GDPR. Thus, it considers, inter alia, that that regulation authorises, under certain conditions, a supervisory authority of a Member State to exercise its power to bring any alleged infringement of the GDPR before a court of that State and to initiate or engage in legal proceedings in relation to an instance of cross-border data processing, 3 although that authority is not the lead supervisory authority with regard to that processing.
Findings of the Court
In the first place, the Court specifies the conditions governing whether a national supervisory authority, which does not have the status of lead supervisory authority in relation to an instance of cross-border processing, must exercise its power to bring any alleged infringement of the GDPR before a court of a Member State and, where necessary, to initiate or engage in legal proceedings in order to ensure the application of that regulation. Thus, the GDPR must confer on that supervisory authority a competence to adopt a decision finding that that processing infringes the rules laid down by that regulation and, in addition, that power must be exercised with due regard to the cooperation and consistency procedures provided for by that regulation. 4
With respect to cross-border processing, the GDPR provides for the ‘one-stop shop’ mechanism, 5 which is based on an allocation of competences between one ‘lead supervisory authority’ and the other national supervisory authorities concerned. That mechanism requires close, sincere and effective cooperation between those authorities, in order to ensure consistent and homogeneous protection of the rules for the protection of personal data, and thus preserve its effectiveness. As a general rule, the GDPR guarantees in this respect the competence of the lead supervisory authority for the adoption of a decision finding that an instance of cross-border processing is an infringement of the rules laid down by that regulation, 6 whereas the competence of the other supervisory authorities concerned for the adoption of such a decision, even provisionally, constitutes the exception to the rule. 7 However, in the exercise of its competences, the lead supervisory authority cannot eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned. Accordingly, in the context of that cooperation, the lead supervisory authority may not ignore the views of the other supervisory authorities, and any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of the draft decision of the lead supervisory authority.
The Court also adds that the fact that a supervisory authority of a Member State which is not the lead supervisory authority with respect to an instance of cross-border data processing may exercise the power to bring any alleged infringement of the GDPR before a court of that State and to initiate or engage in legal proceedings only when that exercise complies with the rules on the allocation of competences between the lead supervisory authority and the other supervisory authorities 8 is compatible with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, which guarantee data subjects the right to the protection of his or her personal data and the right to an effective remedy, respectively.
In the second place, the Court holds that, in the case of cross-border data processing, it is not a prerequisite for the exercise of the power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings 9 that the controller with respect to the cross-border processing of personal data to which that action relates has a main establishment or another establishment on the territory of that Member State. However, the exercise of that power must fall within the territorial scope of the GDPR, 10 which presupposes that the controller or the processor with respect to the cross-border processing has an establishment in the European Union.
In the third place, the Court rules that, in the event of cross-border data processing, the power of a supervisory authority of a Member State, other than the lead supervisory authority, to bring any alleged infringement of the GDPR before a court of that Member State and, where appropriate, to initiate or engage in legal proceedings, may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power.
However, the Court adds that the exercise of that power presupposes that the GDPR is applicable. In this instance, since the activities of the establishment of the Facebook group located in Belgium are inextricably linked to the processing of personal data at issue in the main proceedings, with respect to which Facebook Ireland is the controller within the European Union, that processing is carried out ‘in the context of the activities of an establishment of the controller’ and, therefore, does fall within the scope of the GDPR.
In the fourth place, the Court holds that, where a supervisory authority of a Member State which is not the ‘lead supervisory authority’ brought, before the date of entry into force of the GDPR, legal proceedings concerning an instance of cross-border processing of personal data, that action may be continued, under EU law, on the basis of the provisions of the Data Protection Directive, 11 which remains applicable in relation to infringements of the rules laid down in that directive committed up to the date when that directive was repealed. In addition, that action may be brought by that authority with respect to infringements committed after the date of entry into force of the GDPR, provided that that action is brought in one of the situations where, exceptionally, that regulation confers on that authority a competence to adopt a decision finding that the processing of data in question is in breach of the rules laid down by that regulation, and that the cooperation and consistency procedures provided for by the regulation are respected.
In the fifth place, the Court recognises the direct effect of the provision of the GDPR under which each Member State is to provide by law that its supervisory authority is to have the power to bring infringements of that regulation to the attention of the judicial authorities and, where appropriate, to initiate or engage otherwise in legal proceedings. Consequently, such an authority may rely on that provision in order to bring or continue a legal action against private parties, even where it has not been specifically implemented in the legislation of the Member State concerned.
1 For example, the ‘Like’ or ‘Share’ buttons.
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’). Under Article 56(1) of the GDPR: ‘Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor’.
3 Within the meaning of Article 4, point (23), of the GDPR.
4 Laid down in Articles 56 and 60 of the GDPR.
5 Article 56(1) of the GDPR.
6 Article 60(7) of the GDPR.
7 Article 56(2) and Article 66 of the GDPR set out exceptions to the general rule that it is the lead supervisory authority that is competent to adopt such decisions.
8 Laid down in Articles 55 and 56, read together with Article 60 of the GDPR.
9 Pursuant to Article 58(5) of the GDPR.
10 Article 3(1) of the GDPR provides that that regulation is applicable to the processing of personal data ‘in the context of the activities of an establishment of a controller or a processor in the [European] Union, whether or not the processing takes place in the [European] Union’.
11 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).