Facebook case: the Advocate General of the CJEU has delivered his opinion
Today January the 13th, the Advocate General of the Court of Justice of the European Union (CJEU) has delivered his opinion in the case opposing Facebook and the Belgian Data Protection Authority. According to his opinion, which reiterates the principle defended by the BE DPA, the one-stop shop mechanism established by the GDPR does not prevent supervisory authorities from bringing proceedings to court before a national judge as long as it is in situations specifically provided for in the GDPR. The CJEU will now take a decision in this case. The date of delivery of the judgment is not yet known.
Background : The Facebook case
In 2015, the Privacy Commission (which on May 25 2018 became the Belgian Data Protection Authority) went to court against Facebook for what she considered to be a serious invasion of the privacy of Belgian citizens : collecting information on the surfing behavior of millions of internet users in Belgium by placing cookies on their computers and then collecting these cookies via social plugins and pixels on the websites that they visit.
Before ruling on the merits of the case, the Court of Appeal of Brussels, that was examining the case, decided to refer certain questions to the Court of Justice of the European Union in order to verify whether the BE DPA has indeed the possibility to pursue its legal action against Facebook given the entry into force of the General Data Protection Regulation (GDPR) on May 25 2018.
The position of the BE DPA
The GDPR does establish a new cooperation mechanism between European data protection authorities called the “one-stop shop”. This mechanism provides that the authority of the country where the main establishment of the respondent company is located (in the case of Facebook, the Irish DPC) is competent to take sanctions.
The question therefore arises as to whether this one-stop shop mechanism also affects the possibility for data protection authorities (such as the BE DPA) to initiate proceedings before a court or not. This is the essence of the questions referred to the CJEU by the Court of appeal of Brussels.
The BE DPA defends the point of view that it is competent to see these proceedings through to the end. For the BE DPA, the new one-stop shop mechanism does not affect its capability to go to civil court in exceptional cases.
The Opinion of the Advocate General
A first hearing has taken place in front of the CJEU on October 5 2020. Today, January the 13th, the Advocate General Michal Bobek has delivered his opinion, which confirm the principle defended by the BE DPA, as these indicate that a national authority which is not the lead authority for a cross-border data processing operation may indeed apply to a national judge under certain conditions, namely «in the situations where the GDPR specifically confers upon it competences to this end. » (Source: Press release CJEU)
David Stevens, Chairman of the BE DPA : « We are pleased to see that the Advocate General confirms that in principle data protection authorities can bring proceedings before their national courts, provided that this does not encroach on the loyal cooperation between data protection authorities. If data subjects can go to court to defend their rights, data protection authorities should also be able to do this on their behalf in certain exceptional cases. »
Next steps in the procedure
With this opinion in hands, the Court of Justice of the EU will now take a decision in this case. The date of delivery of the judgment is not yet known.
Hielke Hijmans, Chairman of the Litigation Chamber of the BE DPA : « It is important to note that today’s opinion is not final, as ultimately only the Court can take a decision in this case. She alone has the final word in deciding on the correct interpretation of the GDPR. Anyhow we hope that the Court of Justice of the EU will confirm the opening made in the conclusions of the Advocate General for data protection authorities to defend the rights of their citizens before national courts.Of course, this will not impact the importance of the one-stop shop mechanism of efficient and harmonious cooperation between European data protection authorities. The one-stop shop is a key instrument for an efficient enforcement of the GDPR vis-à-vis international companies. »
The conclusions of the Advocate General are available here.
A press release by the Court of Justice of the EU is available here.
The course of procedures before the Court of Justice is described here.
The case, including the questions referred to the Court of Justice, is recorded on this link.
Timeline of the Facebook case
- The Privacy Commission (which on May 25 2018 became the Belgian Data Protection authority) goes to court against Facebook
- The Court of First Instance rules in favor of the Privacy Commission.
- Facebook appeals against the judgment of 16 February 2018 of the Dutch-speaking Court of First Instance in Brussels
27 et 28 March 2019
- The BE DPA argues before the Belgian Court of Appeal that Belgian courts are competent in this case
8 May 2019
- Before ruling on the merits of the case, the Court of Appeal of Brussels decides to refer certain questions to the Court of Justice of the EU
5 October 2020
- The BE DPA argues her case before the CJEU
13 January 2021
- The Advocate General of the Court of Justice of the EU presents its opinion confirming that, in principle, national supervisors have the possibility - in certain cases - to bring cases before national courts, even in cross-border cases.