Advocate General Bobek: the data protection authority in the State where a data controller or processor has its main EU establishment has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing.
The other national data protection authorities concerned are nevertheless entitled to commence such proceedings in their respective Member State in situations where the GDPR specifically allows them to do so.
In September 2015, the Belgian data protection authority commenced proceedings before the Belgian courts against several companies belonging to the Facebook group (Facebook), namely Facebook INC, Facebook Ireland Ltd, which is the group’s main establishment in the EU, and Facebook Belgium BVBA (Facebook Belgium). In those proceedings, the data protection authority requested that Facebook be ordered to cease, with respect to any internet user established in Belgium, to place, without their consent, certain cookies on the device those individuals use when they browse a web page in the Facebook.com domain or when they end up on a third party’s website, as well as to collect data by means of social plugins and pixels on third party websites in an excessive manner. In addition, it requested the destruction of all personal data obtained by means of cookies and social plugins, about each internet user established in Belgium.
The proceedings at issue are at present in progress before the Hof van beroep te Brussel (Court of Appeal, Brussels, Belgium) with however their scope being limited to Facebook Belgium, as that court previously established that it had no jurisdiction with regard to the actions against Facebook INC and Facebook Ireland Ltd. In this context, Facebook Belgium asserts that, as of the date on which the General Data Protection Regulation (GDPR) 1 has become applicable, the Belgian data protection authority has lost competence to continue the judicial proceedings at issue against Facebook. It contends that, under the GDPR, only the data protection authority of the State of Facebook’s main establishment in the EU (the so-called ‘lead’ data protection authority in the EU for Facebook), namely the Irish Data Protection Commission, is empowered to engage in judicial proceedings against Facebook for infringements of the GDPR in relation to cross-border data processing.
Under these circumstances, the Hof van beroep te Brussel has asked the Court of Justice if the GDPR actually prevents a national data protection authority other than the lead data protection authority from engaging in court proceedings in its Member State against infringements of its rules with respect to cross-border data processing.
In today’s Opinion, Advocate General Mr Michal Bobek finds, first, that it transpires from the wording 2 of the GDPR that the lead data protection authority has a general competence over cross-border data processing, including the commencement of judicial proceedings for the breach of the GDPR, and, by implication, the other data protection authorities concerned enjoy a more limited power to act in that regard.
As to the fact that the GDPR confers on any data protection authority the power to start judicial proceedings against possible infringements which affect their territories, the Advocate General sets out that this power is expressly curtailed as regards cross-border data processing precisely with a view to enabling the lead data protection authority to exercise its tasks in this regard.
Second, the Advocate General recalls that the very reason for the introduction of the one-stopshop mechanism enshrined in the GDPR, whereby a significant role has been given to the lead data protection authority and cooperation mechanisms have been set up to involve other data protection authorities, was to address certain shortcomings resulting from the former legislation. 3 Indeed, economic operators used to be required to comply with the various sets of national rules implementing that legislation, and to liaise, at the same time, with all the national
data protection authorities, which proved to be costly, burdensome and time-consuming for those operators, and an inevitable source of uncertainty and conflicts for them and their customers.
As to the arguments relating to access to courts by the data subjects concerned, the Advocate General emphasises that those subjects can directly bring proceedings against data controllers or processors before, inter alia, the courts of the Member State of their residence. In addition, the Advocate General points out that data subjects can lodge a complaint with the data protection authority of their Member State even where the lead data protection authority is the data protection authority of another Member State. Should the complaint be rejected, the decision thereon will be adopted and notified to the complainant by the first authority, with it thus being possible for the complainant to challenge it before the courts of their residence.
Third, the Advocate General stresses that the lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned, the input of which is crucial in this area.
Fourth, the Advocate General highlights that national data protection authorities, even where they do not act as lead authority, can nonetheless bring proceedings before the courts of their respective Member State in case of cross-border processing in various situations. These situations are, in particular, as follows: where national data protection authorities i.) act outside the material scope of the GDPR; ii.) investigate into cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority or by controllers not established in the Union; iii.) adopt urgent measures; or iv.) intervene following the lead data protection authority having decided not to handle a case.
Under these conditions, the Advocate General considers that the GDPR permits the data protection authority of a Member State to bring proceedings before a court of that State for an alleged infringement of the GDPR with respect to cross-border data processing, despite it not being the lead data protection authority entrusted with a general power to commence such proceedings, provided that it does so in the situations where the GDPR specifically confers upon it competences to this end and according to the corresponding procedures set out in the GDPR.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016 L 119, p. 1). The GDPR entered into force on 24 May 2016 and applies since 25 May 2018.
2 Recital 124, Article 56(1) and (6).
3 Directive 95/46/EC.