The CJEU Advocate General delivered his opinion on the ongoing case between Facebook and the Belgian Data Protection Authority.
On January 13th the CJEU Advocate General delivered his opinion on the Facebook case, outlined in a recent press release from the CJEU. This case has been ongoing since May 25th 2018, when the Belgian DPA (which was at the time known as the Privacy Commission) found Facebook to be in serious violation of the privacy rights of Belgian citizens. The company was found to have been placing cookies on internet users’ computers and subsequently, collecting these cookies via social plugins and pixels on the websites that these users visit, resulting in the collection of information on the surfing behavior of millions of internet users in Belgium. The court of Brussels, after examining the details of this case, decided to refer to the CJEU for clarification on certain aspects of this case to determine whether the Belgian DPA could indeed pursue legal action against Facebook, under the GDPR. The CJEU Advocate General reiterated the principle defended by the Belgian DPA, that the one-stop-shop mechanism as per the GDPR, does not prevent supervisory authorities from bringing proceedings before a national judge as long as it is in situations specifically provided for in the GDPR. As a result, the CJEU will take a decision in this case. It is unknown when a judgement will be delivered.
The Belgian DPA argues that the one-stop-shop mechanism does not affect its competency in seeing these proceedings through in a civil court.
The ‘one-stop-shop mechanism’ established by the GDPR ensures cooperation between the Data Protection Authorities in the case of cross-border processing. With Facebook’s European headquarters in Dublin, Ireland, this mechanism provides that the Irish DPC is competent to take sanctions against the company. The question raised by the Belgian DPA was as to whether this one-stop shop mechanism also allows for data protection authorities (such as the BE DPA) to initiate court proceedings as well. The Belgian DPA argues that the one-stop-shop mechanism does not affect its competency in seeing these proceedings through in a civil court.
The CJEU Advocate General confirmed that the Belgian DPA, though not the lead authority, may proceed with court action.
This case was heard by the CJEU in an initial hearing on October 5th, 2020, and on January 13th, Michal Bobek, the CJEU Advocate General delivered his opinion on this case. He confirmed that a national authority, which is not the lead authority for a cross border data processing operation may indeed initiate court proceedings in certain situations, particularly in situations where the GDPR specifies its competency to proceed with such action. In this case, the CJEU Advocate General is of the opinion that the Belgian DPA, though not the lead authority, may proceed with court action. In the press release by the CJEU, Mr Bobek was quoted as saying “The data protection authority in the State where a data controller or processor has its main EU establishment has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing. The other national data protection authorities concerned are nevertheless entitled to commence such proceedings in their respective Member State in situations where the GDPR specifically allows them to do so.” With this information, the CJEU will now be the court delivering a decision in this case. At this time, it is not known when this decision can be expected.