Last week the Court of Justice delivered an important judgment in case C-645/19 Facebook Ireland. The case offered an opportunity to clarify procedural aspects of the General Data Protection Regulation 2016/679. In particular, it involved topical problems related to the one-stop-shop mechanism provided for in case of cross-border data processing. The GDPR assigns the role of a "lead authority" in this context to the supervisory authority of the main establishment or of the single establishment of the relevant controller or processor. Since many digital companies undertaking large-scale data processing in the EU have their main establishments in Ireland, it is the Irish Data Protection Commissioner that appears to be a lead authority in respective cases. Over past years, however, the authority has come under strong criticism for failing to effectively act on complaints brought before it and particulars of the one-stop-shop mechanism have been a subject of debate (see e.g. our previous posts €50m fine imposed on Google..., Further updates on consumer protection..., BEUC files complaints against Tik Tok). In case C-645/19 Facebook Ireland, the Court addressed some of the issues raised, clarifying when authorities of other Member States are competent to exercise their powers.
Facts of the case
The background of the case was primarily procedural. The Belgian authority brought a case before a Belgian court against Facebook Ireland, Facebook Inc. and Facebook Belgium, with the aim to bring an end to the collection of information on the internet browsing behaviour of Facebook users and non-users by means of cookies, social plug-ins, pixels, etc. The court of first instance considered itself competent to give a ruling and confirmed the alleged infringements. The trader brought an appeal against the judgment and a question was raised whether the Belgian supervisory authority had the required standing and interest to bring proceedings in the first place, and if so, in relation to which violations (e.g. committed by Facebook Inc., Facebook Belgium, and/or Facebook Ireland; before and/or after 25 May 2018, that is the date on which the GDPR and its one-stop-shop mechanism became applicable).
Judgment of the Court
Since the judgment is rather technical, the present post does not aspire to provide its comprehensive overview. An interested reader is rather advised to consult the judgment directly. In this post we will rather pick up on selected points, partly in a different order from the one adopted by the Court.
Firstly, the Court engaged with the argument put forward by the platform operator that the legal action concerning the facts precedings 25 May 2018 was inadmissible, given that the previously applicable provisions of Belgian law were repealed following the entry into force of the GDPR. The Court addressed this problem from the perspective of EU law, finding that a supervisory authority which brought an action related to cross-border processing taking place before 25 May 2018 may continue to pursue such an action on the basis of the previously applicable Directive 95/46 (para. 105). Put differently, the one-stop-shop mechanism established in the GDPR does not stand in way of the proceedings by different DPAs in relation to violations preceding the GDPR's date of application. The Court, however, did not engage with the interpretation of previously applicable Directive 95/46, and the question whether its provisions on supervisory authorities could be deemed to have direct effect. By contrast, such an effect was confirmed in relation to the relevant provisions of the GDPR (para. 113).
Arguably, the most interesting part of the judgment concerns the one-stop-shop mechanism itself (the first question). This is where the judgment gets particularly technical, the reasoning is intertwined with extensive references to GDPR provisions and appears to often change direction. Ultimately, para. 71 and the following deserve particular attention. Here the Court finds that the exercise of the power by a non-lead authority to bring actions before the courts of its state cannot be ruled out in the following situations. Firstly, this is the case when the mutual assistance of the lead supervisory authority had been sought under Article 61 of the GDPR and the lead authority did not provide the other authority with the requested information. Secondly, under Article 64(2) of the GDPR, a supervisory authority may request that any matter that is of general application or that produces effects in more than one Member State be examined by the European Data Protection Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance imposed on it by Article 61 of the GDPR. Following the relevant procedure (that is, if the EDPB approves), the supervisory authority should be able to exercise the power conferred on it by Article 58(5) of the GDPR and take the necessary measures to ensure compliance with the GDPR.
The remaining part of the judgment involved the potential additional prerequisites for the exercise of the power by a national authority other than lead authority in the above described cases; specifically, whether the actions of such non-lead DPAs should be limited to the controllers having a main
establishment or another establishment on their territory. The Court looked at this problem from a twofold perspective and opted for a reading that does not significantly restrict the powers of such non-lead authorities (paras. 84 and 96). Put differently, it remains theoretically possible that a non-lead Belgian authority initiates or engages in legal proceedings against a company like Facebook Inc.