The Court of Justice of the European Union ruled today in the case between Facebook and the Belgian Data Protection Authority, which has been ongoing since 2015. According to the CJEU a national supervisory authority may indeed, under certain conditions (provided for in the GDPR), exercise its power to bring an alleged infringement of the GDPR to the attention of the judicial authorities of a Member State, even if this supervisory authority is not the lead authority for that processing. The CJEU also gives a broad interpretation of the powers of the (national) authority who is not lead authority, as advocated by the BE DPA. The BE DPA will now analyse the judgment to better understand its impact on its ongoing case before the Brussels Court of Appeal.
The year 2020 was marked by an unprecedented health crisis, which also had a significant impact on data protection and the work of the Belgian Data Protection Authority. As a result of the increased awareness of citizens about the importance of protecting their data, the year 2020 saw a sharp increase in the number of complaints (+ 290.64%) and data breach notifications (+ 25.09%) received by the BE DPA and, more generally, a significant increase in the DPA's workload. In 2020, the DPA has therefore focused on the supervision of initiatives to fight the coronavirus involving data processing, while not losing sight of all the other priorities identified in its Strategic Plan 2020-2025.
The Belgian Data Protection Authority has approved today the first transnational code of conduct to be adopted within the European Union since the entry into force of the GDPR. The EU Cloud CoC aims to establish good data protection practices for cloud service providers and will contribute to a better protection of personal data processed in the cloud in Europe.
Today January the 13th, the Advocate General of the Court of Justice of the European Union (CJEU) has delivered his opinion in the case opposing Facebook and the Belgian Data Protection Authority. According to his opinion, which reiterates the principle defended by the BE DPA, the one-stop shop mechanism established by the GDPR does not prevent supervisory authorities from bringing proceedings to court before a national judge as long as it is in situations specifically provided for in the GDPR. The CJEU will now take a decision in this case. The date of delivery of the judgment is not yet known.
The Belgian Data Protection Authority (DPA) as well as the Hessian authority of Germany have been notified by Mastercard company of a data breach detected on 19 August 2019 which would have affected a large number of data subjects, a significant portion of which would be German customers. Since the main establishment of Mastercard is located in Waterloo, the Belgian DPA is working closely with its Hessian counterpart and the other competent authorities to defend the interests of the persons affected by this incident.