An upcoming judgment of the Court of Justice may have interesting consequences for companies operating in a cross-border context. In a recent opinion on the case of the Belgian Data Protection Authority (DPA) against Facebook, the Advocate General of the Court of Justice wrote that ‘the DPA of the country in which the registered office of a company is located has a general power to initiate legal proceedings against that company. The other DPAs also have this power, but only in a limited number of cases.’
Local and leading authorities
A DPA is an independent government body that, among other things, watches over our right to privacy. Each European country has at least one such authority that exercises its powers within its territory. Sometimes several DPAs can be competent, because data processing problems increasingly occur across borders. In that case, there is a leading DPA. This is the DPA of the country in which the registered office of the processor or controller committing the infringement is located.
Belgium vs. Facebook
The case started about five years ago when the predecessor of the Belgian DPA took Facebook to court. The reason for this was, among other things, the use of tracking cookies. These are cookies used to follow Internet users across different websites. The court initially ruled in favor of the predecessor of the Belgian DPA, but Facebook appealed the decision. Facebook claims that the Belgian DPA does not have the authority to commence legal proceedings against it. It is of the opinion that only the DPA of the place of its registered office is competent to start legal proceedings. In this case, that would be the DPA of Ireland.
Subsequently, the Brussels Court of Appeal asked the Court of Justice in Luxembourg who is competent to bring legal proceedings against a company in the event of cross-border infringements. Is it only the leading DPA or can any national DPA do so?
One DPA to rule them all
We are still waiting for a judgment from the Court of Justice, but Advocate General Michal Bobek has already shared his opinion. These opinions are almost always followed by the Court of Justice. In his opinion, he clarifies that DPAs do indeed have the power to take infringers to court, but in the case of cross-border disputes, this power is limited. In that case, only the leading DPA may initiate proceedings in consultation with the other competent authorities.
This is called the one-stop-shop mechanism. This means that a company can only be sued in the first instance by the DPA of its registered office. In the Facebook case, this means that the Irish DPA has the authority to initiate proceedings in the first instance. However, it should always do this in close cooperation with the other DPAs. Mind you, the victims of an infringement can still start proceedings in their own country against companies with a registered office in another country.
The Advocate General emphasises that in five cases the national DPAs can initiate legal proceedings when they are not the leading DPA:
- For breaches outside the framework of the GDPR. For example, the French DPA (CNIL) has already imposed fines in this context for breaches of the cookie rules in the ePrivacy Directive.
- In the case of cross-border processing operations carried out by public authorities in the public interest or in the exercise of their official powers or by controllers not established in the European Economic Area.
- When the controller has no establishment in the European Economic Area.
- For urgent measures.
- After the leading DPA has decided not to hear a case.
It will now be several months before the Court of Justice gives its final ruling on the case. After that, the Brussels Court of Appeal will rule on the case, taking into account the Court of Justice’s replies.
A possible consequence of this situation is that some companies will move their headquarters to the country with the least stringent DPA. Indeed, some DPAs are more lenient on certain issues than other DPAs.