European Court of Justice (ECJ): In a long-fought battle against Facebook, the Belgian Data Protection Authority has secured a major win. The decision of the Grand Chamber composed of K. Lenaerts, President, R. Silva de Lapuerta, Vice‑President, A. Arabadjiev, A. Prechal, M. Vilaras, M. Ilešič and N. Wahl, Presidents of Chambers, E. Juhász, D. Šváby, S. Rodin, F. Biltgen, K. Jürimäe, C. Lycourgos, P.G. Xuereb and L.S. Rossi (Rapporteur), JJ., has made Facebook and other tech companies vulnerable to potential sanctions in the European Union, after the Court authorized the supervisory authority of a Member State to lift the “one-stop-shop” veil.
- Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the EU.
Privacy Infringement by Facebook
The President of the Privacy Commission, Belgium, had brought legal proceedings seeking an injunction against Facebook Ireland, Facebook Inc. and Facebook Belgium before the Court of First Instance. The object of those injunction proceedings was to bring to an end the ‘serious and large scale infringement, by Facebook, of the legislation relating to the protection of privacy’, consisting in the collection by that online social network of information on the internet browsing behaviour both of Facebook account holders and of non-users of Facebook services by means of various technologies, such as cookies, social plug-ins (Like or Share buttons) or pixels. The Commission contended that those features had permitted Facebook to obtain certain data of an internet user who visits a website page containing them, such as the address of that page, the ‘IP address’ of the visitor, etc.
Directions of the Court of First Instance
On the substance, that Court held that Facebook was not adequately informing Belgian internet users of the collection of the information concerned and of the use of that information. Further, the consent given by the internet users to the collection and processing of that data was held to be invalid. Consequently, that Court ordered Facebook Ireland, Facebook Inc. and Facebook Belgium:
- to desist from placing, without consent, cookies that remain active for two years on the devices when browsing a web page in the Facebook.com domain or visiting the website of a third party, and from placing cookies and collecting data by means of social plug-ins, pixels or similar technological means on third party websites, in a manner that was excessive in the light of the objectives pursued by the Facebook social network,
- to destroy all the personal data obtained by means of cookies and social plug-ins.
Stand Taken by Facebook
Facebook approached the Court of Appeal, Brussels, Belgium, contending that the action brought for injunction was inadmissible, as the DPA had no competence and right to bring such an action given the existence of the ‘one-stop shop’ mechanism provided under the provisions of Regulation 2016/679. On the basis of those provisions, it was only the Data Protection Commissioner (Ireland) who could bring injunction proceedings against Facebook, the latter being the sole controller (one-stop shop) of the personal data of the users of the social network concerned within the European Union.
The Court of Appeal referred the question raised by Facebook regarding one-stop shop to the European Court of Justice for its opinion on the matter.
Analysis by the Court
To ascertain whether, under Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation 2016/679, read together with Articles 7, 8 and 47 of the Charter, a supervisory authority of a Member State other than the ‘lead supervisory authority’ has the power to bring any alleged infringement of that regulation to the attention of a Court of that Member State and to initiate or engage in legal proceedings with respect to cross-border data processing, the Bench noted:
“In relation to such data processing the legal basis of Regulation 2016/679 is Article 16 TFEU, which enshrines the right of everyone to the protection of personal data concerning them and authorises the European Parliament and the Council of the European Union to lay down the rules relating to the protection of individuals with regard to the processing of that data by European Union institutions and by the Member States, when carrying out activities which fall within the scope of EU law, and the rules relating to the free movement of such data. Second, recital 1 of that regulation confirms that ‘the protection of natural persons in relation to the processing of personal data is a fundamental right’ and states that Article 8(1) of the Charter and Article 16(1) TFEU lay down the right of everyone to the protection of personal data concerning them.”
Exceptions to “One-stop Shop” Mechanism
One-stop Shop: The ‘one-stop shop’ mechanism is based on an allocation of competences built around one ‘lead supervisory authority’ (here, the Data Protection Commissioner (Ireland)), wherein only the supervisory authority of the main establishment is competent to act as lead supervisory authority and can handle legal cases involving cross-border data complaints.
The top Court, though it upheld the ‘one-stop shop’ mechanism, at the same time proceeded to carve out certain exceptions to it:
Exception 1: As per Article 56(2) of Regulation 2016/679, a supervisory authority which is not the lead supervisory authority is to be competent to handle a complaint lodged with it concerning a cross-border processing of personal data or a possible infringement of that regulation, if the subject matter relates only to an establishment in its own Member State or substantially affects data subjects only in that Member State.
Exception 2: Article 66 of Regulation 2016/679 provides for an urgency procedure. That urgency procedure makes it possible, in exceptional circumstances, where the supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, to immediately adopt provisional measures intended to produce legal effects on its own territory, with a specified period of validity which is not to exceed three months. Article 66(2) of Regulation 2016/679 further provides that, where a supervisory authority has taken a measure under Article 66(1) and considers that final measures must urgently be adopted, it may request an urgent opinion or an urgent binding decision from the European Data Protection Board, giving reasons for requesting such an opinion or decision.
Hence, a supervisory authority of a Member State has the power to bring any alleged infringement to the attention of a court of that Member State and to initiate or engage in legal proceedings in relation to cross‑border data processing even though it is not the ‘lead supervisory authority’ provided that that power is exercised in one of the situations where Regulation 2016/679 confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation.
The controller against whom such proceedings are brought need not have a main establishment in the Member State taking action
In the event of cross-border data processing, it is not a prerequisite for the exercise of the power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings that the controller against whom such proceedings are brought has a main establishment or another establishment on the territory of that Member State.
Action can be brought under the EU Directive against processing of personal data that took place before the Regulation became applicable
Where a supervisory authority of a Member State other than the ‘lead supervisory authority’ has brought a legal action in respect of cross-border processing of personal data before the date when that regulation became applicable, that action may be continued on the basis of the provisions of Directive 95/46/EC of the European Parliament and of the Council of 24-10-1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which remains applicable in relation to infringements of the rules laid down in that directive committed up to the date when that directive was repealed. Article 58(5) of Regulation 2016/679 must be interpreted as meaning that that provision has direct effect, with the result that a national supervisory authority may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned. [Facebook Ireland Ltd, Facebook Inc. & Facebook Belgium v. Belgian Data Protection Authority, C‑645/19, decided on 15-06-2021]
Kamini Sharma, Editorial Assistant, has reported this brief.