On 16 February 2018 (i.e. before the entry into effect of the GDPR), the Court of First Instance of Brussels convicted Facebook on the merits for non-compliance with the Belgian privacy and cookie rules. The Court ordered Facebook to cease its current cookie use practices under forfeiture of an incremental penalty of 250.000 EUR per calendar day of non-compliance (with a maximum of 100 million EUR).
This was the provisional outcome of an intense legal battle between the Belgian Privacy Commission and Facebook, which started end of 2014 (For more information about this decision see our previous blog).
As expected, Facebook appealed this decision, and on 8 May 2019, the Brussels Court of Appeal ruled as follows:
It has no international jurisdiction with respect to Facebook Ireland Limited and Facebook Inc.
It has jurisdiction with respect to Facebook Belgium BVBA.
The claim against Facebook Belgium BVBA is in principle admissible.
Before judging on the merits of the case against Facebook Belgium BVBA for matters that occurred after 25 May 2018 (i.e. the entry into effect of the GDPR), the Court has referred questions for preliminary ruling to the Court of Justice of the European Union.
1. Questions referred for preliminary ruling
The Court of Appeal requested a preliminary ruling on the following 6 questions, which in essence aim at clarifying whether the Belgian DPA is able to pursue the proceedings against Facebook Belgium BVBA following the entry into effect of the One-stop-shop mechanism introduced by the GDPR:
Does the right of a national supervisory authority to commence legal proceedings regarding infringements of the GDPR in its Member State (art. 58.5 GDPR) not apply in case of cross-border processing for which it is not the lead supervisory authority?
Does it make a difference if the controller of this cross-border processing does not have its main establishment in that Member State but has another establishment in this Member State?
Does it make a difference whether the national supervisory authority brings the action against the main establishment of the controller or against the establishment in its own Member State?
Does it make a difference if the national supervisory authority has already initiated the action prior to the entry into effect of the GDPR?
Does article 58.5 GDPR have direct effect, so that it can be relied upon by the national supervisory authority to initiate or continue proceedings against private parties, even if article 58.5 of the GDPR has not been specifically transposed in the legislation of the Member States?
In case the national supervisory authority would be allowed to bring claims, could the outcome of such procedures stand in the way of a contrary finding/decision of the lead supervisory authority in case the lead supervisory authority investigates the same or similar cross-border processing activities?
2. Background and analysis
When the Belgian Privacy Commission initiated its legal proceedings against Facebook, the GDPR did not yet apply. Under the then applicable Belgian Data Protection Act, the chairman of the Belgian Privacy Commission was entitled to bring claims before the Court of First Instance.
However, since its entry into effect on 25 May 2018, the GDPR not only increased the powers of supervisory authorities but also introduced the One-stop-shop mechanism for cross-border data processing in European data protection law.
The question is therefore whether the Belgian DPA is still entitled to pursue its legal action. The fact that the Court of Appeal referred the case to the CJEU does not come as a surprise. Despite commonly being referred to as the One-stop-shop mechanism, we all know that it is all but that. The lead supervisory mechanism is the result of a political compromise and therefore very technical and complex (see in this regard, Nuria Pastor's blog post on the topic).
By way of recap, the essence of the One-stop-shop mechanism is to identify one lead supervisory authority with the primary responsibility for dealing with a cross-border data processing activity. This authority will coordinate/lead the supervision of cross-border processing, if applicable also involving other supervisory authorities "concerned".
In the case at hand, Facebook argues that its Irish affiliate is the main establishment and that consequently the Irish supervisory authority is the lead supervisory authority for its cross-border processing activities. It seems that this analysis is not challenged as such by the Court of Appeal.
The Belgian DPA should therefore be regarded as a supervisory authority concerned, with which the lead supervisory authority should cooperate in the context of its enforcement actions.
3. Conclusion and final remarks
On the basis of the above, we would argue that the Belgian DPA is in principle not entitled to take enforcement action against Facebook.
What is currently unclear however, is whether or not a supervisory authority concerned is able to initiate legal proceedings in its Member State on the basis of art. 58.5 GDPR. In other words, for cross-border data processing, are the powers that are attributed to supervisory authorities in article 58 GDPR conditional to it being lead supervisory authority?
Looking at it from a consistency point of view, one should almost hope that the answer is yes. Should the CJEU rule that supervisory authorities concerned can freely bring claims before their national jurisdictions, this would risk creating huge contradictions between what national courts rule and what the lead supervisory authority decides. As flawed and complicated the one-stop-shop mechanism is today, allowing DPA's such an 'easy' escape route would potentially mean that the mechanism only continues to exist on paper.
One can therefore not underestimate the importance of this request for preliminary ruling. If the CJEU confirms that supervisory authorities concerned cannot initiate legal proceedings in cross-border processing cases, a first major One-stop-shop crisis is avoided.
If however it rules that they are able to bring claims before national courts, it might seriously impair the functioning of the One-stop-shop mechanism and voices calling for a real, single EU-wide data protection authority might become louder and louder. One might wonder whether that is necessarily a bad thing as it would simplify things substantially. After all, this approach has already been adopted in the field of cross-border competition issues and it seems to work fine.
Sign up to our email digest