Insights Court of Justice of EU rules that a Member State data protection authority can bring proceedings in that Member State for alleged infringement of the GDPR in relation to cross-border data processing, despite not being the Lead Supervisory Authority, under certain conditions


The ruling relates to proceedings first issued in September 2015 by the Belgian Data Protection Authority (DPA) against Facebook Inc, Facebook Ireland Ltd and Facebook Belgium BVBA in the Belgian court for alleged infringements of data protection law, including the unlawful collection and use of information on the private browsing behaviour of internet users in Belgium by means of “cookies”, “social plugins” and “pixels”. The DPA alleged that Facebook uses these technologies to monitor and track individuals, whether they have a Facebook account or not, in order to profile their browsing behaviour for the purposes of targeted advertising without properly informing them or obtaining their valid consent.

The DPA issued proceedings in the Belgian courts seeking an injunction against Facebook to restrain it from placing cookies on Belgian internet user’s devices without consent, and to stop it from excessively collecting data through the use of social plugins and pixels on third-party websites. It also requested the destruction of all personal data obtained this way.

At first instance, the Belgian court found that it had jurisdiction and provisionally ordered Facebook to cease certain activities in relation to internet users in Belgium. Facebook appealed and the Belgian Court of Appeal ruled that it had no jurisdiction with regard to proceedings against Facebook Inc and Facebook Ireland, but did have jurisdiction in relation to proceedings against Facebook Belgium.

Facebook Belgium then argued that since the new “one-stop-shop” mechanism under the GDPR had come into effect, the DPA had lost authority to continue with the proceedings because it was not the Lead Supervisory Authority (LSA), which was in fact the Irish Data Protection Commission, as Facebook’s main establishment in the EU is in Ireland (Facebook Ireland).

The Belgian Court of Appeal referred various questions to the CJEU in relation to the “one-stop-shop” mechanism under the GDPR, including whether the Belgian DPA can continue legal proceedings against Facebook Belgium.

The CJEU specified the conditions under which a national supervisory authority (NSA), which is not the LSA, can bring and engage in proceedings for infringement of the GDPR in relation to cross-border processing in its own Member State courts.

First, the GDPR must confer on the NSA the authority to make a finding of GDPR infringement and the NSA must exercise that power in accordance with the cooperation and consistency procedures under the GDPR.

The CJEU said that in cross-border processing situations, the GDPR’s “one-stop shop” mechanism allocates different roles to the LSA and the other NSAs concerned. That mechanism requires close, sincere and effective cooperation between those authorities in order to ensure the consistent and homogeneous application of the rules on the protection of personal data, thereby preserving its effectiveness. As a general rule, it is the LSA that has primary authority for making a finding of cross-border processing infringement and the authority of the NSAs to make a finding is the exception to the rule. However, when exercising its powers, the LSA cannot avoid dialogue, and sincere and effective cooperation, with the other NSAs concerned. Accordingly, in the context of cooperation, the LSA cannot ignore the views of the other NSAs, and any relevant and reasoned objection made by one of the NSAs has the effect of blocking, at least temporarily, the adoption of the LSA’s draft decision.

Secondly, the CJEU held that in the case of cross-border data processing, it is not a prerequisite for the exercise of the power of an NSA, other than the LSA, to initiate or engage in legal proceedings, that the data controller in question has an establishment in the territory of that Member State. However, the exercise of that power must fall within the territorial scope of the GDPR, which presupposes that the controller/processor has an establishment in the EU.

Thirdly, the CJEU ruled that, in the event of cross-border data processing, the power of a NSA, other than the LSA, to bring and engage in infringement proceedings before a court of that Member State can be exercised both with respect to the main establishment of the controller located in that NSA’s own Member State and with respect to another of the controller’s establishments, if the legal proceedings concern the processing of data carried out in the context of the activities of that other establishment and the NSA has authority to exercise that power.

However, the CJEU added that the exercise of that power presupposes that the GDPR is applicable. In this case, since the activities of Facebook Belgium were inextricably linked to the processing by Facebook Ireland, as the data controller within the EU, of the personal data in question, the processing was indeed carried out “in the context of the activities of an establishment of the controller” and therefore fell within the scope of the GDPR.

Fourthly, the CJEU found that, where an NSA that is not the LSA has issued legal proceedings in relation to the cross-border processing of personal data before the GDPR came into force, those legal proceedings can continue under the Data Protection Directive (95/46/EC). Further, those proceedings can include infringements committed after the date of entry into force of the GDPR, provided that the action is brought in one of the situations where, exceptionally, the GDPR confers on that NSA authority to adopt an infringement decision and the cooperation and consistency procedures of the GDPR are respected.

Lastly, the CJEU recognised the direct effect of the provision of the GDPR under which Member States must provide by law that its NSA will have the power to bring any infringement of the GDPR to the attention of the judicial authorities and, where appropriate, to initiate or engage in legal proceedings. Consequently, such NSA may rely on that provision in order to bring or continue a legal action against private parties, even where it has not been specifically implemented in the legislation of the Member State concerned. (Case C-645/19 Facebook Ireland v Gegevensbeschermingsautoriteit EU:C:2021:483 (15 June 2021) — to read the judgment in full, click here).