|Author (Corporate)||Cardiff EDC|
|Content Type||Blog, News, Overview|
Information Guide concerning Case C-645/19 from the Court of Justice of the European Union (CJEU) concerning the start of court proceedings for GDPR infringements in relation to cross-border data processing.
In September 2015, the Belgian data protection authority commenced proceedings before the Belgian courts against several companies belonging to the Facebook group, some of which not based in the country. The data protection authority requested that Facebook be ordered to cease with respect to any internet user established in Belgium, to place, without their consent, certain cookies on the device those individuals use when they browse a web page in the Facebook.com domain or when they end up on a third party’s website, as well as to collect data by means of social plugins and pixels on third party websites in an excessive manner. In addition, it requested the destruction of all personal data obtained by means of cookies and social plugins, about each internet user established in Belgium.
The proceedings taking place before the Court of Appeal in Brussels (Hof van beroep te Brussels) had their scope limited to Facebook Belgium and excluding Facebook INC and Facebook Ireland Ltd. as the court determined not having jurisdiction over those companies. Furthermore, the company has sustained that, as of the date on which the General Data Protection Regulation (GDPR) became applicable, only the data protection authority in the Member State where Facebook's main establishment is based (Ireland) is empowered to engage in judicial proceedings against Facebook for infringements of the GDPR in relation to cross-border data processing.
The Court of Appeal therefore submitted in 2019 to the CJEU a request for a preliminary ruling regarding the role of national data protection authorities other than the leading authority when it comes to cross-border data processing.
On 13 January 2021, the CJEU Advocate General issued an opinion stating that, while the lead data protection controller has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing, the other national data protection authorities are still entitled to commence such proceedings in their respective Member State in situations where the GDPR specifically allows them to do so.
|Subject Categories||Internal Markets, Law, Values and Beliefs|
|Subject Tags||Court of Justice of the European Union [CJEU], Fundamental | Human Rights|
|Keywords||CJEU Judgments, Data Privacy | Protection, General Data Protection Regulation [GDPR]
|Countries / Regions||Belgium|
|International Organisations||European Union [EU]|