EU: CJEU's AG opinion addresses data protection authorities' competence over cross-border data processing
The Court of Justice of the European Union ('CJEU') published, on 13 January 2021, Advocate General Michal Bobek's opinion in Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v Gegevensbeschermingsautoriteit (Case C-645/19). In particular, the opinion provides that the data protection authority in the Member State where a data controller or processor has its main EU establishment has a general competence to start court proceedings for General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') infringements in relation to cross-border data processing. However, the opinion notes that other national data protection authorities concerned are nevertheless entitled to commence such proceedings in their respective Member State in situations where the GDPR specifically allows them to do so.
More specifically, the opinion states that it transpires from the wording of the GDPR that the lead data protection authority has a general competence over cross-border data processing, including the commencement of judicial proceedings for the breach of the GDPR, and, by implication, that the other data protection authorities concerned enjoy a more limited power to act in that regard. In fact, the opinion highlights that data protection authorities' power to start judicial proceedings against possible infringements which affect their territories is expressly curtailed as regards cross-border data processing, precisely with a view to enabling the lead data protection authority to exercise its tasks in this regard.
Moreover, the opinion stresses that the lead data protection authority cannot be deemed the sole enforcer of the GDPR in cross-border situations and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned, the input of which is crucial in this area.
Furthermore, the opinion provides that national data protection authorities, even where they do not act as lead authority, can nonetheless bring proceedings before the courts of their respective Member State in case of cross-border processing in various situations, such as where they:
- act outside the material scope of the GDPR;
- investigate cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority, or by controllers not established in the EU;
- adopt urgent measures; or
- intervene after the lead data protection authority has decided not to handle a case.
Therefore, the opinion concludes that the GDPR permits the data protection authority of a Member State to bring proceedings before a court of that state for an alleged infringement of the GDPR with respect to cross-border data processing, despite it not being the lead data protection authority entrusted with a general power to commence such proceedings, provided that it does so in the situations where the GDPR specifically confers upon it competences to this end and according to the corresponding procedures set out in the GDPR.