On January 13, 2021, Advocate General (“AG”) Michal Bobek of the Court of Justice of the European Union (“CJEU”) issued his Opinion in the Case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”).
Background
The Belgian DPA initiated judicial proceedings against several members of the Facebook group before the Belgian Courts in September 2015. The Belgian DPA requested that the Court order Facebook to stop placing cookies on Internet users’ devices without their consent and stop collecting data in an allegedly excessive manner when they browse a web page in the Facebook.com domain or on third parties’ websites, including via Facebook social plug-ins and pixels. The proceedings, which are currently still in progress before the Court of Appeal of Brussels, were limited to Facebook Belgium BVBA after the Court of Appeal of Brussels previously established that it had no jurisdiction over Facebook Inc. and Facebook Ireland Ltd.
Facebook had asserted that with the General Data Protection Regulation (“GDPR”) becoming applicable in May 2018, the Belgian DPA did not have competence to continue the judicial proceedings for infringements of the GDPR in relation to cross-border data processing. According to Facebook, the competent DPA in this case is the DPA of Facebook’s main establishment in the EU, the Irish DPA (i.e. the so-called “lead DPA”).
Against this background, the Court of Appeal of Brussels referred a number of questions to the CJEU aimed at clarifying whether the GDPR’s One-Stop-Shop regime prevents a national DPA (other than the lead DPA) from initiating court proceedings in its Member State against infringements of the GDPR with respect to cross-border data processing.
AG Opinion
In his opinion, the AG addresses several points:
- Based on the GDPR, the lead DPA has general competence over cross-border data processing, including competence to commence judicial proceedings for infringements of the GDPR. Concerned DPAs have a more limited power to act in that regard. While any DPA has the power to commence proceedings against possible infringements affecting their territories, this power is limited with respect to cross-border data processing to enable the lead DPA to exercise its regulatory role in this regard.
- The goal of the GDPR’s One-Stop-Shop mechanism, which establishes a cooperation mechanism and gives the lead DPA a significant role, was to address the shortcomings of the Data Protection Directive, which required companies to comply with various sets of national rules and to liaise with the DPAs of all EU Member States. This was costly, burdensome and time-consuming, and risked individual DPAs taking different approaches with regard to cross-border data processing activities. According to the AG, a textual, teleological and historical approach to the interpretation of the GDPR confirms that DPAs are bound to follow the rules on competence and the cooperation and consistency mechanisms set out in the GDPR.
- As to the arguments relating to data subjects’ access to court, the AG notes that data subjects can bring proceedings directly against controllers or processors before the courts of the Member State in which they reside. They can also lodge a complaint before the DPA of their Member State, even if the lead DPA is located in another Member State.
- The AG emphasizes that the lead DPA cannot be deemed the sole enforcer of the GDPR in cross-border situations and must closely cooperate with other concerned DPAs, in accordance with the relevant rules set forth under the GDPR.
- The AG finally indicates that national DPAs that do not act as the lead DPA can nonetheless bring proceedings before their national courts where they are (1) acting outside the material scope of the GDPR (for example, because the processing does not involve personal data, which may be the case in the context of the use of cookies); (2) investigating cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority or by controllers not established in the EU; (3) adopting urgent measures in situations envisioned by Article 66 of the GDPR; or (4) intervening following a decision of the lead DPA not to handle a case. Effectively, the AG’s view is that the GDPR does not include a general bar for other DPAs, including concerned DPAs, to start proceedings against potential infringement of data protection rules.
Accordingly, the AG considers that the GDPR permits the DPA of a Member State that is not the lead DPA for a company to bring proceedings against that company before its national court for an alleged infringement of the GDPR with respect to cross-border data processing, but only in situations where the GDPR specifically allows it to do so and provided it follows the appropriate procedures set out in the GDPR.
Next Steps
The CJEU will now begin its deliberation, and the final judgment is expected in the coming months. Although the CJEU will take into account the AG’s opinion, it is not legally binding on the Court. After the CJEU has issued a final judgment, the Belgian Court of Appeal will decide the case in accordance with the CJEU’s ruling.
Read the full text of the Advocate General’s Opinion.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code