Advocate General opines that a Member State data protection authority can bring proceedings in that Member State for alleged infringement of the GDPR in relation to cross-border data processing, despite not being the Lead Supervisory Authority, provided it does so in accordance with the provisions of the GDPR

The Opinion relates to proceedings first issued in September 2015 by the Belgian Data Protection Authority (DPA) against Facebook Inc, Facebook Ireland Ltd and Facebook Belgium BVBA in the Belgian court for alleged infringements of data protection law, including the unlawful collection and use of information on the private browsing behaviour of internet users in Belgium by means of “cookies”, “social plugins” and “pixels”. The DPA alleged that Facebook uses these technologies to monitor and track individuals, whether they have a Facebook account or not, in order to profile their browsing behaviour for the purposes of targeted advertising without properly informing them or obtaining their valid consent.

The DPA issued proceedings in the Belgian courts seeking an injunction against Facebook to restrain it from placing, without consent, cookies on Belgian internet users’ devices and to stop it from excessively collecting data through the use of social plugins and pixels on third-party websites. It also requested the destruction of all personal data obtained this way.

At first instance, the Belgian court found that it had jurisdiction and provisionally ordered Facebook to cease certain activities in relation to internet users in Belgium. Facebook appealed and the Belgian Court of Appeal ruled that it had no jurisdiction with regard to proceedings against Facebook Inc and Facebook Ireland, but did have jurisdiction in relation to proceedings against Facebook Belgium.

Facebook Belgium then argued that since the new “one-stop-shop” mechanism under the GDPR had come into effect, the DPA had lost authority to continue with the proceedings because it was not the Lead Supervisory Authority (LSA), which was in fact the Irish Data Protection Commission, as Facebook’s main establishment in the EU is in Ireland (Facebook Ireland).

The Belgian Court of Appeal has referred various questions to the CJEU in relation to the “one-stop-shop” mechanism under the GDPR, including whether the Belgian DPA can continue legal proceedings against Facebook Belgium.

Advocate General Bobek noted that according to recital 127 of the GDPR, the “one-stop-shop” mechanism is a set of rules which, in the case of cross-border data processing, hands enforcement to a central point, i.e. a LSA, which sits within a system of co-operation and consistency with the supervisory authorities (SAs) concerned, and is designed to ensure the involvement of all interested SAs.

Under Article 56(1) of the GDPR, a SA becomes the LSA where the cross-border processing in question is carried out by controllers and processors with their main establishment in its territory. Under Article 4(22), a SA is a concerned SA if: (a) the controller or processor is established in the territory of the Member State of that SA; (b) data subjects residing in the Member State of that SA are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that SA.

The AG said that a literal interpretation of the relevant GDPR provisions would support the interpretation that the LSA has a general authority over cross-border processing and therefore the relevant SAs have only limited power to act. For example, Article 56(1) states that the SA of the main establishment of the controller/processor “shall be competent to act as lead supervisory authority for the cross-border processing …” and Article 56(6) states that the LSA “shall be the sole interlocutor of the controller or processor for the cross-border processing …”. In certain situations, authority can be handed to one of the concerned SAs, but this is the exception to the general rule.

The Belgian DPA argues that, in fact, the opposite is true and that SAs have an almost unfettered right to initiate proceedings against possible infringements affecting their territories, regardless of whether the processing is cross-border, as a result of the expression “without prejudice to Article 55”, with which Article 56(1) begins. The Belgian DPA contends that this means that the authority granted to a LSA cannot impinge or limit the powers granted to each SA, which includes the power to issue legal proceedings.

The AG rejected this, saying that Article 55, which essentially gives each SA authority, impliedly refers to Article 57, which lists the tasks each SA must carry out, and Article 58, which lists the powers granted to each SA (including initiating legal proceedings), but notably, one of the tasks is monitoring and enforcing the application of the GDPR, including Article 56. The AG said that agreeing with the Belgian DPA’s argument would result in the LSA having virtually no authority, thereby depriving Article 56 of any meaning at all.

Further, the AG said, the importance of the role given to the LSA and the “one-stop-shop” mechanism is clear when Articles 55, 57 and 58 are read together and in context. The prominence given to Article 56 within the scheme of the GDPR makes it clear that the EU legislature wanted to emphasise the centrality of the LSA’s authority: Article 56 comes after the general provision on “authority” and before the general provisions on “tasks” and “powers”.

In addition, Chapter VII, which sets out the various procedures and mechanisms that SAs must follow, provides that SAs must co-operate with the LSA in relation to cross-border processing disputes.

In the AG’s view, the phrase “without prejudice to Article 55” simply means that even if the LSA has authority in an individual case, all SAs naturally retain the general powers assigned to them by virtue of Articles 55 and 58. In any event, the SA’s powers have to be exercised according to the procedures and within the limits set out in the GDPR. Indeed, each concerned SA must contribute to the correct and consistent application of the GDPR, including in cross-border processing, examining the matter and providing meaningful input within the framework of co-operation and consistency. It is then for the LSA to adopt binding decisions to enforce the GDPR. The AG said that the Belgian DPA’s argument resulted from reading a specific provision of the GDPR “in clinical isolation” from the rest of the Regulation while “reading too much into it”.

The AG also examined the GDPR from a teleological and historical point of view, which he said confirmed the general authority of the LSA in cross-border data processing disputes.

To conclude, the AG opined that the LSA has a general authority over cross-border processing and that all SAs (irrespective of their role as a LSA or as a concerned SA) must act according to the procedures and mechanisms set out in the GDPR.

However, the AG said, that did not necessarily mean that a SA is always precluded, as a matter of principle, from acting before the domestic courts against a controller or processor when the processing is cross-border in nature. There are certain situations set out in the GDPR when the SA can go before a national court, e.g. the processing falls within Article 55(2) (processing by public authorities, or processing carried out in the public interest or in the exercise of official authority) and the regulatory authority remains vested in the SA, or where the LSA decides not to handle the case pursuant to Article 56(5).

In summary, the provisions in the GDPR do not include any general bar against SAs starting proceedings against potential infringers in cross-border disputes. On the contrary, various situations in which they are empowered to do so are expressly envisaged in the GDPR, or follow impliedly from it. However, the AG said that it was “of the utmost importance” that, where the procedures and mechanisms provided for in the GDPR apply, both the LSA and the concerned SAs duly follow them. It was for the Belgian court to decide whether the Belgian DPA in this case had indeed complied with those procedures and mechanisms.

Accordingly, the AG opined that the provisions of the GDPR permit the SA of a Member State to bring proceedings before a court of that State for an alleged infringement of the GDPR with respect to cross-border data processing, despite not being the LSA, provided that it does so in the situations in, and according to the procedures set out in, the GDPR. (Case C-645/19 Facebook Ireland Ltd v Gegevensbeschermingsautoriteit EU:C:2021:5 (Opinion of Advocate General) (13 January 2021)).