CJEU - C-645/19 - Facebook Ireland and others v Gegevensbeschermingsautoriteit

From GDPRhub
CJEU - C-645/19 Facebook Ireland and others v Gegevensbeschermingsautoriteit
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 55(1) GDPR
Article 56(1) GDPR
Article 56(2) GDPR
Article 58(5) GDPR
Article 60 GDPR
Article 61(1) GDPR
Article 62 GDPR
Article 64(2) GDPR
Article 65(1) GDPR
Article 66(1) GDPR
Article 66(2) GDPR
Article 78 GDPR
Article 7, 8 and 47 CFR
Decided: 15.06.2021
Parties: Facebook Ireland Ltd
Facebook Inc.
Facebook Belgium
Case Number/Name: C-645/19 Facebook Ireland and others v Gegevensbeschermingsautoriteit
European Case Law Identifier: ECLI:EU:C:2021:483
Reference from: Court of Appeal of Brussels (Belgium)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Lisette Mustert

In the context of the one-stop-shop mechanism, the CJEU ruled that a DPA that is not the LSA can refer a case to a national Court under certain circumstances.

English Summary[edit | edit source]

Facts[edit | edit source]

The Belgian DPA brought an action before Court of First Instance of Brussels, Belgium on 11 September 2015, seeking an injunction against Facebook Ireland, Facebook Inc. and Facebook Belgium. This action aimed to put an end to what the Belgian DPA described as ‘serious and large-scale infringements, by Facebook, of the legislation relating to privacy’.

On 16 February 2018, the Court of First Instance held that the Facebook social network did not adequately inform Belgian internet users of the collection and use of the information concerned. Furthermore, the consent given by the internet users to the collection and processing of that data was held to be invalid. Facebook Ireland, Facebook Inc. and Facebook Belgium, however, appealed that judgement before the Brussels Court of Appeal.

Before ruling on the substance of the case, the Court of Appeal referred certain questions to the CJEU regarding the ‘one-stop shop’ mechanism provided for by the GDPR. Indeed, Facebook Ireland (established in Ireland) was identified as the controller.

The Court of Appeal of Brussel therefore referred six questions to the CJEU:

(1) Should Article 55(1), Articles 56 to 58 and Articles 60 to 66 of [Regulation 2016/679], read together with Articles 7, 8 and 47 of the [Charter], be interpreted as meaning that a supervisory authority which, pursuant to national law adopted in implementation of Article 58(5) of that regulation, has the competence to initiate or engage in legal proceedings before a court in its Member State against infringements of that regulation cannot exercise that competence in connection with cross-border data processing if it is not the lead supervisory authority for that cross-border data processing?

(2) Does the answer to the first question referred differ if the controller of that cross-border data processing does not have its main establishment in that Member State but does have another establishment there?

(3) Does the answer to the first question referred differ if the national supervisory authority initiates the legal proceedings against the main establishment of the controller in respect of the cross border data processing rather than against the establishment in its own Member State?

(4) Does the answer to the first question referred differ if the national supervisory authority had already initiated the legal proceedings before the date on which [Regulation 2016/679] entered into force (25 May 2018)?

(5) If the first question referred is answered in the affirmative, does Article 58(5) of [Regulation 2016/679] have direct effect, meaning that a national supervisory authority can rely on that provision to initiate or continue legal proceedings against private parties even if Article 58(5) of [Regulation 2016/679] has not been specifically transposed into the legislation of the Member States, notwithstanding the requirement to do so?

(6) If questions (1) to (5) are answered in the affirmative, could the outcome of such proceedings prevent the lead supervisory authority from making a contrary finding when the lead supervisory authority investigates the same or similar cross-border processing activities in accordance with the mechanism laid down in Articles 56 and 60 of [Regulation 2016/679]?

Holding[edit | edit source]

The holding largely followed the opinion of the Advocate General.

I. By its answer to the first question, the Court confirmed that the competence of the LSA for the adoption of a decision is the rule, whereas the competence for other DPAs for the adoption of a decision, even provisional, constitutes the exception (§63).

The CJEU therefore considered that that a DPA has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings. The DPA may exercise that power in relation to an instance of cross border data processing even though it is not the LSA, within the meaning of Article 56(1), provided that this power is exercised in one of the situations where that regulation confers to that DPA a competence to adopt a decision finding that such processing is in breach of GDPR and that the cooperation and consistency procedures laid down by that regulation are respected (§75).

II. In its answer to the second question, the Court held that the DPA that is not the LSA can initiate legal proceedings against the controllers, under the conditions laid down by the GDPR in cross border processing, even when the data controller does not have an establishment (be it a main establishment or not) in the territory of the Member State of the SA (§84).

III. The third question asked whether the DPA, other than the LSA, would only be able to bring legal proceedings against the establishment located in its Member State, or also against the main establishment of the controller. Article 58(5) GDPR is worded in general terms and does not restrict the exercise of powers to initiate legal proceedings. If a DPA is competent to act under Articles 55 and 56 GDPR, it may exercise the powers conferred by the GDPR on its national territory, irrespective of the Member State in which the controller or processor is established (§89). In this instance, since the activities of the establishment of the Facebook group located in Belgium were inextricably linked to the processing of personal data at issue in the main proceedings, with respect to which Facebook Ireland is the controller within the EU, that processing was carried out ‘in the context of the activities of an establishment of the controller’ and, therefore, fell within the scope of the GDPR.

IV. For the fourth question, the Court held that the GDPR contains no transitional rule nor any other rule governing the status of court proceedings which were initiated before that regulation became applicable and which were still ongoing when it became applicable (§101). Therefore, the Court concluded that the action brought before the 25th of May 2018 may be continued on the basis of the Data Protection Directive, which remains applicable in relation to infringements of the rules laid down in that Directive committed up to the date when that Directive was repealed (§104).

V. In the fifth place, the Court recognized the direct effect of the provision of the GDPR, with the result that a DPA may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned (§113).

VI. The Court declared the sixth question inadmissible since the question referred bears no relation to the actual facts of the main proceedings or their purpose, and concerns a hypothetical problem.

Comment[edit | edit source]

Since most large data processing companies are located in Ireland, it is the Irish Data Protection Commissioner who is often responsible for investigating and sanctioning GDPR violations. Seeing the huge backlog that this authority is facing and the lack of decisions it took so far, this decision confirms that other SA can be competent and can act in very specific circumstances. As a conclusion, the CJEU confirms the wording of the GDPR with no surprise: the non lead SA cannot circumvent the Lead SA by filing a judicial action before the courts. They can only do that when one of the exceptions to the one stop shop mechanism applies (Article 55(2), Article 56(2), or Article 66). It interesting to note that the Court confirms that a SA can adopt an urgent decision under Article 66 GDPR when the lead SA fails to respond to provide mutual assistance within a month as per Article 61(8) GDPR.

The CJEU adopted a broad interpretation of the powers of national DPAs.

Further Resources[edit | edit source]

Share blogs or news articles here!