CJEU - C-645/19 - Facebook Ireland and others v Gegevensbeschermingsautoriteit
|Relevant Law:|Article 55(1) GDPR; Article 56(1) GDPR; Article 56(2) GDPR; Article 58(5) GDPR; Article 60 GDPR; Article 61(1) GDPR; Article 62 GDPR; Article 64(2) GDPR; Article 65(1) GDPR; Article 66(1) GDPR; Article 66(2) GDPR; Article 78 GDPR; Articles 7, 8 and 47 CFR|
|Parties:|Facebook Ireland Ltd|
|Case Number/Name:|C‑645/19 Facebook Ireland and others v Gegevensbeschermingsautoriteit|
|European Case Law Identifier:|ECLI:EU:C:2021:483|
|Reference from:|Court of Appeal of Brussels (Belgium)|
|Language:|24 EU Languages|
|Initial Contributor:|Lisette Mustert|
The CJEU confirms that in principle, only the lead DPA can act against a controller (directly or before a court). Another supervisory authority (SA) can only initiate proceedings against a controller, provided that this power is exercised in one of the limited situations where the GDPR confers on that SA a competence to adopt a final decision, and provided that the cooperation and consistency procedures laid down by the GDPR are respected. When the conditions are met, it is not a prerequisite that the main establishment or another establishment is located in the territory of the Member State of the SA. Furthermore, the competence of the SA may be exercised both with respect to the main establishment and with respect to another establishment of the controller, irrespective of the Member State in which the controller is established.
The Belgian DPA brought an action before the Court of First Instance of Brussels, Belgium, on 11 September 2015, seeking an injunction against Facebook Ireland, Facebook Inc. and Facebook Belgium. This action aimed to put an end to what the Belgian DPA describes as ‘serious and large-scale infringements, by Facebook, of the legislation relating to privacy’ (para. 30). This included, inter alia, the collection and use of information on the browsing behaviour of Belgian internet users, whether or not they were Facebook account holders, by means of various technologies, such as cookies, social plug-ins or pixels.
On 16 February 2018, the Court of First Instance held that it had jurisdiction to give a ruling on those injunction proceedings and held that the Facebook social network did not adequately inform Belgian internet users of the collection and use of the information concerned. Furthermore, the consent given by the internet users to the collection and processing of that data was held to be invalid (para. 32).
On 2 March 2018, however, Facebook Ireland, Facebook Inc. and Facebook Belgium brought an appeal against that judgement before the Brussels Court of Appeal.
Before giving a ruling on the substance of the case, the Court of Appeal wanted to know the effect of the application of the ‘one-stop shop’ mechanism provided for by the GDPR on the competences of the Belgian Data Protection Authority. In particular, it wanted to know whether, with respect to the facts subsequent to the date of entry into force of the GDPR, namely 25 May 2018, the Data Protection Authority may bring an action against Facebook Belgium, since it is Facebook Ireland which has been identified as the controller of the data concerned. Since that date, and in particular under the ‘one-stop shop’ rule laid down by the GDPR, only the Data Protection Commissioner (Ireland) is competent to bring injunction proceedings, subject to review by the Irish courts.
The Court of Appeal of Brussels referred six questions to the CJEU:
(1) Should Article 55(1), Articles 56 to 58 and Articles 60 to 66 of [Regulation 2016/679], read together with Articles 7, 8 and 47 of the [Charter], be interpreted as meaning that a supervisory authority which, pursuant to national law adopted in implementation of Article 58(5) of that regulation, has the competence to initiate or engage in legal proceedings before a court in its Member State against infringements of that regulation cannot exercise that competence in connection with cross-border data processing if it is not the lead supervisory authority for that cross-border data processing?
(2) Does the answer to the first question referred differ if the controller of that cross-border data processing does not have its main establishment in that Member State but does have another establishment there?
(3) Does the answer to the first question referred differ if the national supervisory authority initiates the legal proceedings against the main establishment of the controller in respect of the cross border data processing rather than against the establishment in its own Member State?
(4) Does the answer to the first question referred differ if the national supervisory authority had already initiated the legal proceedings before the date on which [Regulation 2016/679] entered into force (25 May 2018)?
(5) If the first question referred is answered in the affirmative, does Article 58(5) of [Regulation 2016/679] have direct effect, meaning that a national supervisory authority can rely on that provision to initiate or continue legal proceedings against private parties even if Article 58(5) of [Regulation 2016/679] has not been specifically transposed into the legislation of the Member States, notwithstanding the requirement to do so?
(6) If questions (1) to (5) are answered in the affirmative, could the outcome of such proceedings prevent the lead supervisory authority from making a contrary finding when the lead supervisory authority investigates the same or similar cross-border processing activities in accordance with the mechanism laid down in Articles 56 and 60 of [Regulation 2016/679]?
I. By its answer to the first question, the Court confirms that the general rule is that each SA is to be competent for the performance of its tasks and the exercise of its powers in accordance with the GDPR, on the territory of its own Member State (para. 47). With respect to cross-border processing, however, Article 56(1) GDPR provides that under the one-stop-shop mechanism, the SA of the main establishment or of the single establishment of the controller or processor is to be competent to act as lead SA for the cross-border processing carried out by that controller or processor (para. 50).
This one-stop-shop mechanism requires close, sincere and effective cooperation between those authorities, in order to ensure consistent and homogenous protection of the rules for the protection of personal data, and thus preserve its effectiveness. Therefore, Article 60 provides that the SAs cooperate with each other in an endeavor to reach consensus and, according to Article 61(1) GDPR, the SAs shall exchange all relevant information and shall provide each other with mutual assistance. Under this mechanism, the lead SA may not ignore the concerned SAs’ views, as was also emphasized by Advocate General Bobek (para. 111). If a dispute arises under the cooperation mechanism, the case is referred to the Board’s dispute resolution mechanism in accordance with Article 65(1)(a) GDPR.
There are two exceptions to the general rule that the lead SA is competent to adopt a decision in cross-border cases.
- Article 56(2) GDPR provides that an SA which is not the lead SA is to be competent to handle a complaint lodged with it concerning a cross-border processing of personal data or a possible infringement of that regulation, if the subject matter relates only to an establishment in its own Member State or substantially affects data subjects only in that Member State.
- Article 66 GDPR provides for an urgency procedure, which makes it possible for a concerned SA to adopt provisional measures on its territory if it considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects. These provisional measures shall have a specified period of validity which is not to exceed three months. If the SA considers that final measures must urgently be adopted, it may request the urgent opinion or urgent binding decision from the EDPB in accordance with Article 66(2) GDPR (paras. 58-59).
Therefore, the competence of the lead SA for the adoption of a decision is the rule, whereas the competence of other SAs for the adoption of a decision, even provisional, constitutes the exception (para. 63). The effectiveness of the one-stop-shop mechanism and the objective of the GDPR to ensure consistent and homogenous application of the rules might be jeopardized if an SA which is not the lead SA could exercise the power laid down in Article 58(5) GDPR in situations other than those where it has the competence for the adoption of a decision (para. 65).
This understanding is compatible with Articles 7 and 8 of the Charter of Fundamental Rights (CFR) (para. 66). It follows that the rules on the allocation of competences to adopt decisions between the lead SA and the other SAs, as laid down by that regulation, take nothing away from the responsibility incumbent on each of those authorities to contribute to a high level of protection of those rights, with due regard to those rules and to the requirements of cooperation and mutual assistance (para. 67). That means, in particular, that the use of the ‘one-stop shop’ mechanism cannot under any circumstances have the consequence that a national SA, in particular the lead SA, does not assume the responsibility incumbent on it under Regulation 2016/679 to contribute to providing effective protection of natural persons from infringements of their fundamental rights, as otherwise that consequence might encourage the practice of forum shopping, particularly by data controllers, designed to circumvent those fundamental rights and the practical application of the provisions of that regulation that give effect to those rights (para. 68). The understanding that the effectiveness of the one-stop-shop mechanism and the objective of the GDPR to ensure consistent and homogenous application of the rules might be jeopardized if an SA which is not the lead SA could exercise the power laid down in Article 58(5) GDPR in situations other than those where it has the competence for the adoption of a decision (para. 65) is also compatible with Article 47 CFR. This is because it takes nothing away from the right of every data subject, laid down in Article 78(1) and (2) of that regulation, to an effective legal remedy, in particular, against a legally binding decision of an SA concerning him or her, or against a failure by the SA which has the competence to adopt decisions under Articles 55 and 56 of that regulation, read together with Article 60 thereof, to handle a complaint that that data subject has lodged (para. 69).
The CJEU further held that bringing actions before a national court in accordance with Article 58(5) GDPR may not be ruled out if mutual assistance is not provided in accordance with Article 61(1). Then, the SA may adopt provisional measures on its territory (Article 61(8) GDPR) and if it considers that there is an urgent need for a final binding decision it may request the Board’s urgent opinion or urgent decision (Article 66(2) GDPR). Further, a SA may request the Board’s opinion on any matter of general application or that produces effects in more than one Member State in accordance with Article 64(2) GDPR. Following the adoption of such an opinion or such a decision, and provided that the EDPB approves, after taking account of all the relevant circumstances, the SA concerned must be able to take the necessary measures to ensure compliance with the rules on the protection of the rights of natural persons as regards the processing of personal data contained in the GDPR, and for that purpose exercise the power conferred on it by Article 58(5) GDPR (para. 71).
In this particular case, it is for the referring court to assess whether the rules on the allocation of competences and the relevant procedures and mechanisms laid down by the GDPR have been correctly applied in the main proceedings and whether the processing in question – subsequent to 25 May 2018 – may be classified as occurring in, in particular, the situation referred to in paragraph 71 of this judgement (since in April 2019, the Belgian DPA requested the Irish DPC to respond to its request for mutual assistance as expeditiously as possible, but no response was provided) (para. 73).
All in all, the answer to the first question is that an SA has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings. The SA may exercise that power in relation to an instance of cross-border data processing even though it is not the ‘lead SA’, within the meaning of Article 56(1) of that regulation, with respect to that data processing, provided that this power is exercised in one of the situations where that regulation confers on that SA a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation, and that the cooperation and consistency procedures laid down by that regulation are respected (para. 75).
II. In its answer to the second question, the Court held that an SA that is not the lead SA can initiate legal proceedings against the controllers, under the conditions laid down by the GDPR in cross-border processing, even when the data controller does not have an establishment (be it a main establishment or not) in the territory of the Member State of the SA (para. 84).
III. The third question asked whether the SA, other than the lead SA, would only be able to bring legal proceedings against the establishment located in its Member State, or also against the main establishment of the controller. Article 58(5) GDPR is worded in general terms and it does not specify against which entities the SAs should or might direct legal proceedings in relation to an infringement of the GDPR (para. 88 and opinion A-G Bobek C-645/19). Thus, the provision does not restrict the exercise of powers to initiate or engage in legal proceedings brought solely against a ‘main establishment’ or against ‘some other establishment of the controller’, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that SA is competent to exercise that power. If the SA is competent to act under Articles 55 and 56 GDPR, it may exercise the powers conferred by the GDPR on its national territory, irrespective of the Member State in which the controller or processor is established (para. 89). In this instance, since the activities of the establishment of the Facebook group located in Belgium are inextricably linked to the processing of personal data at issue in the main proceedings, with respect to which Facebook Ireland is the controller within the EU, that processing is carried out ‘in the context of the activities of an establishment of the controller’ and, therefore, does fall within the scope of the GDPR.
IV. The fourth question addressed the impact of the entry into force of the GDPR on the 25th of May 2018, and whether this affected the conditions governing whether a Member State’s SA may exercise the power to initiate or engage in legal proceedings conferred on it by Article 58(5) GDPR, since in this case the injunction proceedings were brought before this date. The Court holds that Regulation 2016/679 contains no transitional rule nor any other rule governing the status of court proceedings which were initiated before that regulation became applicable and which were still ongoing when it became applicable (para. 101). Therefore, the Court concluded that the action brought before the 25th of May 2018 may be continued on the basis of the Data Protection Directive, which remains applicable in relation to infringements of the rules laid down in that Directive committed up to the date when that Directive was repealed (para. 104).
V. In the fifth place, the Court recognizes the direct effect of Article 58(5) GDPR, with the result that a national SA may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned (para. 113).
VI. The Court held that the sixth question must be declared inadmissible since the question referred bears no relation to the actual facts of the main proceedings or their purpose, and concerns a hypothetical problem.
Since most large data processing companies are located in Ireland, it is the Irish Data Protection Commissioner who is often responsible for investigating and sanctioning GDPR violations. Given the huge backlog that this authority is facing and the lack of decisions it has taken so far, this decision confirms that other SAs can be competent and can act in very specific circumstances. In conclusion, the CJEU unsurprisingly confirms the wording of the GDPR: the non-lead SA cannot circumvent the lead SA by filing a judicial action before the courts. It can only do that when one of the exceptions to the one-stop-shop mechanism applies (Article 55(2), Article 56(2), or Article 66). It is interesting to note that the Court confirms that an SA can adopt an urgent decision under Article 66 GDPR when the lead SA fails to respond to a request for mutual assistance within a month as per Article 61(8) GDPR.