AG Bobek’s Opinion on standing for different data protection authorities in GDPR disputes: Facebook case
Advocate General Bobek has issued his Opinion on which Member State’s data protection authority may commence legal proceedings in situations where data protection rights under the General Data Protection Regulation 2016/679 are concerned (Facebook Ireland Limited, Facebook INC, Facebook Belgium BVBA v Gegevensbeschermingsautoriteit, C-645/19).
In the case at hand, the Belgian data protection authority had commenced proceedings before the Belgian courts against several companies belonging to the Facebook group, asking that cookies cease to be collected and that the personal data of internet users in Belgium be deleted.
Facebook Belgium argued that proceedings can only be commenced by the Irish data protection authority under the GDPR, as Facebook’s main establishment is based in Ireland (and not Belgium).
Lead data protection authority in cross-border GDPR cases
Advocate General Bobek’s view is that the data protection authority in the Member State where a data controller or processor (Facebook) has its main EU establishment (Ireland) has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing, it not being relevant whether there was a secondary establishment set up in another Member State (Belgium). In coming to that conclusion, he found that this was supported by the wording of the GDPR and emphasised the one-stop-shop nature of a ‘lead’ data protection authority in cross-border data processing cases; a contrary situation would mean that the coherence of the whole system would be impacted.
Cooperation between data protection authorities in cross-border GDPR cases
However, he adds that the ‘lead’ data protection authority cannot be the sole enforcer of the GDPR in cross-border cases, and ought to closely cooperate with other relevant data protection authorities.
Still possible in some cases for data protection authorities other than the lead DPA to commence proceedings
Moreover, he does not rule out that other national data protection authorities can also commence proceedings in their respective Member States, as long as the GDPR expressly allows them to do so, for example, where national data protection authorities:
i) act outside the material scope of the GDPR;
ii) investigate cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority or by controllers not established in the Union;
iii) adopt urgent measures; or
iv) intervene following the lead data protection authority having decided not to handle a case.
He also responded to the question of whether Article 58(5) GDPR has direct effect, finding that it does, so that a data protection authority can rely on it against private parties to commence or continue legal proceedings before national courts, even if that provision has not been specifically transposed into national law.
Read the Opinion in full here, and the Court’s press release here.