CJEU: GDPR proceedings may be brought by watchdogs which are not lead supervisory authorities
There are circumstances in which data protection watchdogs in the EU can bring a company to court over GDPR breaches despite not being the lead supervisory authority under the ‘one-stop shop’ rule, the Court of Justice of the European Union (CJEU) has ruled.
The complex judgment, handed down by the Grand Chamber this morning and currently only published in French and Dutch, could have significant implications for the enforcement of EU data protection rules in Ireland, where many major online platforms are headquartered.
The court was asked for a preliminary ruling by the Court of Appeal in Brussels, Belgium, in a case originating in 2015 when the president of Belgium’s Privacy Commission brought an action seeking an injunction against Facebook Ireland, Facebook Inc. and Facebook Belgium, aiming to put an end to alleged infringements of data protection laws.
Those alleged infringements included the collection and use of information on the browsing behaviour of Belgian internet users, whether or not they were Facebook account holders, by means of various technologies, such as cookies, social plug-ins or pixels.
In February 2018, the court of first instance held that it had jurisdiction to give a ruling on that action and, on the substance, held that Facebook had not adequately informed Belgian internet users of the collection and use of the information concerned. Further, the consent given by the internet users to the collection and processing of that data was held to be invalid.
In March 2018, Facebook Ireland, Facebook Inc. and Facebook Belgium brought an appeal against that judgment before the Court of Appeal in Brussels. Belgium’s Data Protection Authority (DPA) acted before that court as the legal successor of the president of the Privacy Commission.
The Court of Appeal held that it solely has jurisdiction to give a ruling on the appeal brought by Facebook Belgium, but was uncertain as to the effect of the application of the ‘one-stop shop’ mechanism under the GDPR and whether the DPA could bring an action given Facebook Ireland was identified as the controller of the data concerned.
In its Grand Chamber judgment, the CJEU specified the powers of national supervisory authorities within the scheme of the GDPR.
Under certain conditions, the supervisory authority of a member state can exercise its power to bring any alleged infringement of the GDPR before a court of that state and to initiate or engage in legal proceedings in relation to an instance of cross-border data processing, although that authority is not the lead supervisory authority with regard to that processing, it said.