Privacy & Information Security Law Blog

On June 15, 2021, the Court of Justice of the European Union (the “CJEU”) released its judgment in case C-645/19 of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”). We previously reported on the background of the case and the Advocate General’s opinion.

The CJEU mainly examined the question of whether a national supervisory authority that is not the lead supervisory authority (“lead SA”) under the EU General Data Protection Regulation’s (“GDPR”) One-Stop-Shop may bring legal proceedings against a company for GDPR violations before a court in its Member State. In this context, the CJEU concluded that the national supervisory authority may exercise its powers and bring legal proceedings in its Member State only if:

• the GDPR “confers on a supervisory authority of a Member State which is not the ‘lead supervisory authority’ a competence to adopt a decision finding that the processing of data in question is in breach of the rules contained in that regulation with respect to protection of the rights of natural persons as regard the processing of personal data;” and
• the “cooperation and consistency procedures laid down by that regulation are respected.”

Key considerations of the CJEU judgement include:

• The GDPR permits a national supervisory authority that is not the lead SA for the relevant data processing activity to adopt a finding if that power is exercised under the GDPR’s cooperation and consistency procedures.
• The GDPR’s cooperation and consistency procedures provide for exceptions whereby a national supervisory authority that is not the lead SA is permitted to issue a finding in certain cases (e.g., in the case of handling a purely local complaint or adopting a provisional measure in accordance with the GDPR’s urgency procedure).
• The competence of adopting the decision remains with the lead SA and requires “close, sincere and effective” cooperation with the other national supervisory authorities.
• In exercising its competence, the lead SA may not ignore the views of the other supervisory authorities, and any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of the draft decision of the lead SA.
• It is not a prerequisite for the exercise of the power of a national supervisory authority that the controller has a main establishment or another establishment on the territory of the supervisory authority’s Member State.

In addition, the CJEU ruled that where a national supervisory authority (which is not the lead SA under the One-Stop-Shop) brought legal proceedings in its Member State before the date of entry into force of the GDPR (i.e., May 25, 2018), the legal proceedings are subject to the jurisdictional rules applicable under the previous legal framework. The legal proceedings may continue in relation to facts subsequent to May 25, 2018, provided that (1) the proceedings relate to a situation where the GDPR, as an exception, allows a national supervisory authority (that is not the lead SA) to adopt a decision, and (2) the cooperation and consistency procedures of the GDPR’s One-Stop Shop mechanism are followed.

In the case at hand, the CJEU concluded that it will be for the referring national court to determine whether the rules regarding the allocation of competences and the relevant procedures and mechanisms under the GDPR have been correctly applied in the main proceedings.

Read the CJEU decision.