Europe Daily Bulletin No. 12635
COURT OF JUSTICE OF THE EU / Justice

Cross-border transfer of data, Advocate General specifies cases in which authorities other than ‘lead’ national authority can take legal action

A national data protection authority which is responsible for the protection of private data, but not a ‘lead’ data protection authority within the meaning of the GDPR Regulation (2016/679), can only take legal action in its Member State in cases explicitly provided for by EU law, said Advocate General at the Court of Justice of the EU, Michal Bobek, in an Opinion delivered on Wednesday 13 January (Case C-645/19).

In 2015, the Belgian data protection authority had filed a lawsuit against several companies in the Facebook group, including the digital giant’s main EU headquarters in Ireland. In particular, it requests that Facebook be ordered to stop placing certain cookies, without the user’s consent, on the browsing device of any Internet user established on Belgian territory when that user browses the Facebook.com site or third-party sites.

The US group argues that since the entry into force of the GDPR Regulation, only the Irish Data Protection Authority has been empowered to act against Facebook in matters of cross-border transfers of private data.

The Court of Justice, to which the matter was referred by the Court of Appeal in Brussels, is asked to interpret EU law.

Mr Bobek notes, first of all, that the ‘lead’ authority has general competence regarding cross-border data processing, including the power to take legal action against violations of the GDPR Regulation, and that the other national authorities have only limited power in this area.

The introduction of one-stop-shop mechanisms and cooperation between national authorities was precisely aimed at solving the problems, linked to the compliance of economic operators with different national rules, that were posed by the previous Directive (95/46/EC).

Nevertheless, in the Opinion of the Advocate General, the input of national authorities is crucial to enable a ‘lead’ authority to apply the GDPR Regulation in cross-border situations.

Mr Bobek recalled the following different situations in which a national data protection authority can bring actions before the Courts of its own Member State even when it is not the ‘lead’ authority: (1) when it acts outside of the material scope of the GDPR Regulation; (2) when it investigates cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority or by controllers not established in the Union; (3) when it adopts urgent measures; (4) when it intervenes following the ‘lead’ data protection authority having decided not to handle a case.

See the opinion: https://bit.ly/3soaeNd (Original version in French by Mathieu Bion)
