21/06/21

CJEU clarifies competence of non-lead supervisory authorities in cross-border GDPR infringements (C-645/19)

On 16 February 2018, the Brussels Court of First Instance condemned Facebook, including Facebook Ireland Limited and Facebook Inc., for having tracked internet users without their knowledge or consent. The court ordered the ceasing of the unlawful processing under the penalty of a fine of EUR 250,000 per day with a maximum of EUR 100,000,000.

The judgment was, however, appealed by Facebook before the Court of Appeal of Brussels. The latter referred the case for a ruling to the European Court of Justice (C-645/19).  

The case concerns questions on the lead supervisory authority and the cooperation between authorities in cross-border GDPR cases.  

In his opinion of 13 January 2021, the Advocate General stated that the supervisory authority in the Member State where a data controller or processor (in this case Facebook) has its main EU establishment (which is Ireland for Facebook) has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing. The Advocate General emphasised the one-stop-shop nature of a ‘lead’ supervisory authority in cross-border data processing cases.  

However, such lead supervisory authority cannot be the sole enforcer of the GDPR in cross-border cases, and ought to closely cooperate with other relevant supervisory authorities. The lead supervisory authority may not ignore the views of the other supervisory authorities, and any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of a draft decision by the lead supervisory authority.

Moreover, the Advocate-General did not exclude the possibility of other national supervisory authorities commencing proceedings in their respective Member States, if the GDPR expressly allows them to do so, for example, where national supervisory authorities: 

  • act outside the material scope of the GDPR; 
  • investigate into cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority or by controllers not established in the Union; 
  • adopt urgent measures; or 
  • intervene following the lead supervisory authority having decided not to handle a case.

In its decision of 15 June 2021, the Court of Justice considers that the GDPR authorises, under certain conditions, a non-lead supervisory authority of a Member State to exercise its power to bring any alleged infringement of the GDPR before a court of that State and to initiate or engage in legal proceedings in relation to an instance of cross-border data processing.

Firstly, the Court specifies the conditions governing whether a non-lead supervisory authority must exercise its power to bring any alleged infringement of the GDPR before a court of a Member State and, where necessary, to initiate or engage in legal proceedings in order to ensure the application of the GDPR. 

The GDPR confers on that supervisory authority (i) a competence to adopt a decision finding that that processing infringes the rules laid down by the GDPR and (ii) that power must be exercised with due regard to the cooperation and consistency procedures provided for by the GDPR.

Such exercise has to comply with the rules on the allocation of competences between the lead supervisory authority and the other supervisory authorities and to guarantee data subjects the right to the protection of their personal data and the right to an effective remedy.

Secondly, the Court holds that it is not a prerequisite that the controller has a main establishment or another establishment on the territory of that Member State. However, the exercise of that power must fall within the territorial scope of the GDPR, which presupposes that the controller or the processor with respect to the cross-border processing has an establishment in the European Union.

Thirdly, the Court rules that the power of a non-lead supervisory authority may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power. The Court adds that the exercise of that power presupposes that the GDPR is applicable.

Finally, the Court recognises the direct effect of the provision of the GDPR under which each Member State is to provide by law that its supervisory authority is to have the power to bring infringements of that regulation to the attention of the judicial authorities and, where appropriate, to initiate or engage otherwise in legal proceedings. Consequently, such an authority may rely on that provision in order to bring or continue a legal action against private parties, even where it has not been specifically implemented in the legislation of the Member State concerned.

Will this lead to more actions initiated by non-lead supervisory authorities ? What will be the impact on the one-stop-shop mechanism? It is too early to predict, but what is sure is that the Brussels Court of Appeal will be competent to deal with the appeal initiated by Facebook and will pronounce a decision on the merits within the coming months/years. Stay tuned! 

dotted_texture