CJEU clarifies competence of non-lead supervisory authorities in cross-border GDPR infringements (C-645/19)
21/06/2021

On 16 February 2018, the Brussels Court of First Instance condemned Facebook, including Facebook Ireland Limited and Facebook Inc., for having tracked internet users without their knowledge or consent. The court ordered the ceasing of the unlawful processing under the penalty of a fine of EUR 250,000 per day with a maximum of EUR 100,000,000.

The judgment was, however, appealed by Facebook before the Court of Appeal of Brussels. The latter referred the case for a ruling to the European Court of Justice (C-645/19).  

The case concerns questions on the lead supervisory authority and the cooperation between authorities in cross-border GDPR cases.  

In his opinion of 13 January 2021, the Advocate General stated that the supervisory authority in the Member State where a data controller or processor (in this case Facebook) has its main EU establishment (which is Ireland for Facebook) has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing. The Advocate General emphasised the one-stop-shop nature of a ‘lead’ supervisory authority in cross-border data processing cases.  

However, such lead supervisory authority cannot be the sole enforcer of the GDPR in cross-border cases, and ought to closely cooperate with other relevant supervisory authorities. The lead supervisory authority may not ignore the views of the other supervisory authorities, and any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of a draft decision by the lead supervisory authority.

Moreover, the Advocate-General did not exclude the possibility of other national supervisory authorities commencing proceedings in their respective Member States, if the GDPR expressly allows them to do so, for example, where national supervisory authorities: 

  • act outside the material scope of the GDPR; 
  • investigate into cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority or by controllers not established in the Union; 
  • adopt urgent measures; or 
  • intervene following the lead supervisory authority having decided not to handle a case.

In its decision of 15 June 2021, the Court of Justice considers that the GDPR authorises, under certain conditions, a non-lead supervisory authority of a Member State to exercise its power to bring any alleged infringement of the GDPR before a court of that State and to initiate or engage in legal proceedings in relation to an instance of cross-border data processing.

Firstly, the Court specifies the conditions governing whether a non-lead supervisory authority must exercise its power to bring any alleged infringement of the GDPR before a court of a Member State and, where necessary, to initiate or engage in legal proceedings in order to ensure the application of the GDPR. 

The GDPR confers on that supervisory authority (i) a competence to adopt a decision finding that that processing infringes the rules laid down by the GDPR and (ii) that power must be exercised with due regard to the cooperation and consistency procedures provided for by the GDPR.

Such exercise has to comply with the rules on the allocation of competences between the lead supervisory authority and the other supervisory authorities and to guarantee data subjects the right to the protection of their personal data and the right to an effective remedy.

Secondly, the Court holds that it is not a prerequisite that the controller has a main establishment or another establishment on the territory of that Member State. However, the exercise of that power must fall within the territorial scope of the GDPR, which presupposes that the controller or the processor with respect to the cross-border processing has an establishment in the European Union.

Thirdly, the Court rules that the power of a non-lead supervisory authority may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power. The Court adds that the exercise of that power presupposes that the GDPR is applicable.

Finally, the Court recognises the direct effect of the provision of the GDPR under which each Member State is to provide by law that its supervisory authority is to have the power to bring infringements of that regulation to the attention of the judicial authorities and, where appropriate, to initiate or engage otherwise in legal proceedings. Consequently, such an authority may rely on that provision in order to bring or continue a legal action against private parties, even where it has not been specifically implemented in the legislation of the Member State concerned.

Will this lead to more actions initiated by non-lead supervisory authorities ? What will be the impact on the one-stop-shop mechanism? It is too early to predict, but what is sure is that the Brussels Court of Appeal will be competent to deal with the appeal initiated by Facebook and will pronounce a decision on the merits within the coming months/years. Stay tuned! 

Voir aussi : Lydian ( Ms. Olivia Santantonio ,  Mr. Bastiaan Bruyndonckx )

[+ http://www.lydian.be]

Ms. Olivia Santantonio Ms. Olivia Santantonio
Counsel
[email protected]
Mr. Bastiaan Bruyndonckx Mr. Bastiaan Bruyndonckx
Partner
[email protected]

Tous les articles Droit Européen

Derniers articles Droit Européen

European Commission unveils its 'Fit for 55' package
23/07/2021

On Wednesday 14 July 2021, the European Commission took a major step to accomplish its ambitious goal of making Europe the...

European Commission unveils its 'Fit for 55' package Read more

Draft revised vertical regulation and guidelines
22/07/2021

The European Commission takes a hard line against online platforms, dual distribution and MFNs

Draft revised vertical regulation and guidelines Read more

EU and US Merger review and privacy law: Does the Google/Fitbit decision draw a line in the sand?
19/07/2021

The interplay between merger enforcement and privacy policy has recently attracted significant attention. The key question...

EU and US Merger review and privacy law: Does the Google/Fitbit decision draw a line in the sand? Read more

General Court of the CJ annuls State aid decision in Amazon case
13/07/2021

The case concerned the arm’s length nature of a royalty paid by a Luxembourg operating company (LuxOpCo) to a L...

General Court of the CJ annuls State aid decision in Amazon case Read more

Derniers articles de Ms. Olivia Santantonio

World Anti-Counterfeiting Day: Fighting fake goods remains a priority
08/06/2021

Today is the World Anti-Counterfeiting Day. The day on which we recognize the hard work necessary to stop the manufacture,...

Read more

Data transfer tool – Adoption of new sets of Standard Contractual Clauses
08/06/2021

In the absence of an adequacy decision or derogations, undertakings may only transfer personal data outside the European E...

Read more

The E-Privacy Regulation: light at the end of the tunnel?
18/02/2021

On 10 February 2021, after years of failed attempts, the Council of the European Union finally agreed on a negotiating&nbs...

Read more

Belgian DPA’s Litigation Chamber publishes procedural rules
30/01/2021

As we found out last year, data protection remains on the rise. In the meantime, many data subjects found their way to the...

Read more

Derniers articles de Mr. Bastiaan Bruyndonckx

Checklist pour la préparation et l’implémentation d’une procédure de lanceurs d’alerte
14/06/2021

Les travailleurs jouent un rôle clé en tant que lanceurs d’alerte en divulguant et prévenant les...

Read more

Data transfer tool – Adoption of new sets of Standard Contractual Clauses
08/06/2021

In the absence of an adequacy decision or derogations, undertakings may only transfer personal data outside the European E...

Read more

The Belgian DPA approved the EU Cloud Code of Conduct for cloud service providers acting as a pro...
03/06/2021

On 20 May 2021, the Belgian Data Protection Authority (hereinafter DPA) has approved the first transnational code of ...

Read more

European Commission publishes proposal for AI regulation
26/04/2021

In recent years, artificial intelligence (AI) has been a popular buzzword and a hot topic that has caught the attention of...

Read more

LexGO Network