Facebook Ireland and Others (Protection of natural persons with regard to the processing of personal data - Charter of Fundamental Rights of the European Union - Judgment) [2021] EUECJ C-645/19 (15 June 2021)


BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

Court of Justice of the European Communities (including Court of First Instance Decisions)


You are here: BAILII >> Databases >> Court of Justice of the European Communities (including Court of First Instance Decisions) >> Facebook Ireland and Others (Protection of natural persons with regard to the processing of personal data - Charter of Fundamental Rights of the European Union - Judgment) [2021] EUECJ C-645/19 (15 June 2021)
URL: http://www.bailii.org/eu/cases/EUECJ/2021/C64519.html
Cite as: [2022] 1 CMLR 4, [2021] EUECJ C-645/19, EU:C:2021:483, ECLI:EU:C:2021:483, [2021] 1 WLR 5161, [2021] WLR 5161, [2021] WLR(D) 346

[New search] [Contents list] [View ICLR summary: [2021] WLR(D) 346] [Buy ICLR report: [2021] 1 WLR 5161] [Help]


Provisional text

JUDGMENT OF THE COURT (Grand Chamber)

15 June 2021 (*)

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 47 – Regulation (EU) 2016/679 – Cross-border processing of personal data – ‘One-stop shop’ mechanism – Sincere and effective cooperation between supervisory authorities – Competences and powers – Power to initiate or engage in legal proceedings)

In Case C‑645/19,

REQUEST for a preliminary ruling under Article 267 TFEU from the hof van beroep te Brussel (Court of Appeal, Brussels, Belgium,), made by decision of 8 May 2019, received at the Court on 30 August 2019, in the proceedings

Facebook Ireland Ltd,

Facebook Inc.,

Facebook Belgium BVBA,

v

Gegevensbeschermingsautoriteit,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, R. Silva de Lapuerta, Vice‑President, A. Arabadjiev, A. Prechal, M. Vilaras, M. Ilešič and N. Wahl, Presidents of Chambers, E. Juhász, D. Šváby, S. Rodin, F. Biltgen, K. Jürimäe, C. Lycourgos, P.G. Xuereb and L.S. Rossi (Rapporteur), Judges,

Advocate General: M. Bobek,

Registrar: M. Ferreira, Principal Administrator,

having regard to the written procedure and further to the hearing on 5 October 2020,

after considering the observations submitted on behalf of:

–        Facebook Ireland Ltd, Facebook Inc. and Facebook Belgium BVBA, by S. Raes, P. Lefebvre and D. Van Liedekerke, advocaten,

–        the Gegevensbeschermingsautoriteit, by F. Debusseré and R. Roex, avocaten,

–        the Belgian Government, by J.‑C. Halleux, P. Cottin, and C. Pochet, acting as Agents, and by P. Paepe, advocaat,

–        the Czech Government, by M. Smolek, O. Serdula and J. Vláčil, acting as Agents,

–        the Italian Government, by G. Palmieri, acting as Agent, and by G. Natale, avvocato dello Stato,

–        the Polish Government, by B. Majczyna, acting as Agent,

–        the Portuguese Government, by L. Inez Fernandes, A.C. Guerra, P. Barros da Costa and L. Medeiros, acting as Agents,

–        the Finnish Government, by A. Laine and M. Pere, acting as Agents,

–        the European Commission, by H. Kranenborg, D. Nardi and P.J.O. Van Nuffel, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 13 January 2021,

gives the following

Judgment

1        This request for a preliminary ruling concerns the interpretation of Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2), read together with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (‘the Charter’).

2        The request has been made in proceedings between Facebook Ireland Ltd, Facebook Inc. and Facebook Belgium BVBA, on the one hand, and the Gegevensbeschermingsautoriteit (the Belgian Data Protection Authority) (‘the DPA’), as the successor of the Commissie ter bescherming van de Persoonlijke Levenssfeer (the Belgian Privacy Commission) (‘the Privacy Commission’), on the other, concerning injunction proceedings brought by the President of the Privacy Commission seeking to bring to an end the processing of personal data, of internet users within Belgium, by the Facebook online social network, using cookies, social plug-ins and pixels.

 Legal context

 European Union law

3        Recitals 1, 4, 10, 11, 13, 22, 123, 141 and 145 of Regulation 2016/679 state:

‘(1)      The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the [Charter] and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.

(4)      The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

(10)      In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …

(11)      Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

(13)      In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States.

(22)      Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

(123)      The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the [European] Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

(141)      Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. …

(145)      For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.’

4        Article 3(1) of that regulation, that article being headed ‘Territorial scope’, provides:

‘This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.’

5        Article 4 of that regulation defines, in point (16), the concept of ‘main establishment’ and, in point (23), the concept of ‘cross-border processing’ as follows:

‘(16)      “main establishment” means:

(a)      as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(b)      as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

(23)      “cross-border processing” means either:

(a)      processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b)      processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.’

6        Article 51 of that regulation, headed ‘Supervisory authority’, provides:

‘1.      Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union …

2.      Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.

…’

7        Article 55 of Regulation 2016/679, headed ‘Competence’, which forms part of Chapter VI of that regulation, entitled ‘Independent supervisory authorities’, provides:

‘1.      Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2.      Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.’

8        Article 56 of that regulation, headed ‘Competence of the lead supervisory authority’, states:

‘1.      Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2.      By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3.      In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

4.      Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5.      Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.

6.      The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.’

9        Article 57(1) of Regulation 2016/679, that article being headed ‘Tasks’, provides:

‘1.      Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a)      monitor and enforce the application of this Regulation;

(g)      cooperate with, including sharing information, and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

…’

10      Article 58(1), (4) and (5) of that regulation, that article being headed ‘Powers’, provide:

‘1.      Each supervisory authority shall have all of the following investigative powers:

(a)      to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;

(d)      to notify the controller or the processor of an alleged infringement of this Regulation;

4.      The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in [EU law] and Member State law in accordance with the Charter.

5.      Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to initiate or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.’

11      Within Chapter VII of Regulation 2016/679, entitled ‘Cooperation and consistency’, Section I, entitled ‘Cooperation’, contains Articles 60 to 62 of that regulation. Article 60, headed ‘Cooperation between the lead supervisory authority and the other supervisory authorities concerned’, provides:

‘1.      The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2.      The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3.      The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4.      Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5.      Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6.      Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7.      The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be, and inform the other supervisory authorities concerned and the [European Data Protection] Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.

8.      By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

9.      Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. …

10.      After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.

11.      Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.

…’

12      Article 61(1) of that regulation, that article being headed ‘Mutual assistance’, states:

‘Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.’

13      Article 62 of that regulation, headed ‘Joint operations of supervisory authorities’, provides:

‘1.      The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

2.      Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. …

…’

14      Section 2, entitled ‘Consistency’, of Chapter VII of Regulation 2016/679 contains Articles 63 to 67 of that regulation. Article 63, headed ‘Consistency mechanism’, is worded as follows:

‘In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.’

15      Article 64(2) of that regulation is worded as follows:

‘Any supervisory authority, the Chair of the [European Data Protection] Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the [European Data Protection] Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.’

16      Article 65(1) of that regulation, that article being headed ‘Dispute resolution by the Board’, provides:

‘In order to ensure the correct and consistent application of this Regulation in individual cases, the [European Data Protection] Board shall adopt a binding decision in the following cases:

(a)      where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;

(b)      where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;

…’

17      Article 66(1) and (2) of Regulation 2016/679, that article being headed ‘Urgency procedure’, provide:

‘1.      In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the [European Data Protection] Board and to the Commission.

2.      Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the [European Data Protection] Board, giving reasons for requesting such opinion or decision.’

18      Article 77 of that regulation, headed ‘Right to lodge a complaint with a supervisory authority’, states:

‘1.      Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2.      The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.’

19      Article 78 of that regulation, headed ‘Right to an effective judicial remedy against a supervisory authority’, provides:

‘1.      Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2.      Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

3.      Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4.      Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the [European Data Protection] Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.’

20      Article 79 of that regulation, headed ‘Right to an effective judicial remedy against a controller or processor’, states:

‘1.      Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2.      Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.’

 National law

21      The wet tot bescherming van de persoonlijke levensfeer ten opzichte van de verwerking van persoonsgegevens (law on the protection of privacy with regard to the processing of personal data) of 8 December 1992 (Belgisch Staatsblad, 18 March 1993, p. 5801), as amended by the law of 11 December 1998 (Belgisch Staatsblad, 3 February 1999, p. 3049) (‘the law of 8 December 1992’), transposed into Belgian law Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

22      The law of 8 December 1992 established the Privacy Commission, an independent body responsible for ensuring that the processing of personal data should comply with that law, in order to protect citizens’ privacy.

23      Article 32(3) of the Law of 8 December 1992 provided:

‘Without prejudice to the jurisdiction of the ordinary courts and tribunals for the application of the general principles relating to the protection of privacy, the President of the [Privacy Commission] may bring before the court of first instance any dispute concerning the application of this legislation and its implementing measures.’

24      The wet tot oprichting van de Gegevensbeschermingsautoriteit (law creating a data protection authority) of 3 December 2017 (Belgisch Staatsblad, 10 January 2018, p. 989; ‘the law of 3 December 2017’), which entered into force on 25 May 2018, established the DPA as a supervisory authority, within the meaning of Regulation 2016/679.

25      Article 3 of the Law of 3 December 2017 provides:

‘There shall be established at the Belgian Chamber of Representatives a “Data Protection Authority”. It shall succeed the [Privacy Commission].’

26      Article 6 of the Law of 3 December 2017 provides:

‘The [DPA] has the power to bring any infringement of the fundamental principles of personal data protection, within the framework of this law and laws containing provisions on the protection of the processing of personal data, to the attention of the judicial authorities and, where appropriate, to initiate or engage in legal proceedings to have these fundamental principles applied.’

27      There is no specific provision in relation to court proceedings already commenced by the President of the Privacy Commission as at 25 May 2018 on the basis of Article 32(3) of the law of 8 December 1992. As regards solely complaints or applications lodged with the DPA itself, Article 112 of the law of 3 December 2017 states:

‘Chapter VI shall not apply to complaints or applications still pending at the [DPA] at the time when this legislation enters into force. The complaints or applications mentioned in subparagraph 1 shall be dealt with by the [DPA], as the legal successor of the [Privacy Commission], in accordance with the procedure applicable before the entry into force of this legislation.’

28      The law of 8 December 1992 was repealed by the wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens (law on the protection of individuals with regard to the processing of personal data) of 30 July 2018 (Belgisch Staatsblad, 5 September 2018, p. 68616; ‘the law of 30 July 2018’). That law transposes into Belgian law the provisions of Regulation 2016/679 requiring or permitting Member States to adopt more detailed rules, to supplement that regulation.

 The dispute in the main proceedings and the questions referred for a preliminary ruling

29      On 11 September 2015 the President of the Privacy Commission brought legal proceedings seeking an injunction against Facebook Ireland, Facebook Inc. and Facebook Belgium before the Nederlandstalige rechtbank van eerste aanleg Brussel (Dutch-language Court of First Instance, Brussels, Belgium). Since the Privacy Commission had no legal personality, it was necessary that the President of that body take legal action in order to ensure compliance with the legislation on the protection of personal data. However, the Privacy Commission itself sought leave to intervene in the proceedings brought by its President.

30      The object of those injunction proceedings was to bring to an end what the Privacy Commission describes, inter alia, as a ‘serious and large‑scale infringement, by Facebook, of the legislation relating to the protection of privacy’ consisting in the collection by that online social network of information on the internet browsing behaviour both of Facebook account holders and of non-users of Facebook services by means of various technologies, such as cookies, social plug-ins (for example, the ‘Like’ or ‘Share’ buttons) or pixels. Those features permit Facebook to obtain certain data of an internet user who visits a website page containing them, such as the address of that page, the ‘IP address’ of the visitor to that page and the date and time of the visit in question.

31      By judgment of 16 February 2018, the Nederlandstalige rechtbank van eerste aanleg Brussel (Dutch-language Court of First Instance, Brussels) held that it had jurisdiction to give a ruling on those injunction proceedings, in so far as the action concerned Facebook Ireland, Facebook Inc. and Facebook Belgium, and declared that the application for leave to intervene made by the Privacy Commission was inadmissible.

32      On the substance, that court held that Facebook was not adequately informing Belgian internet users of the collection of the information concerned and of the use of that information. Further, the consent given by the internet users to the collection and processing of that data was held to be invalid. Consequently, that court ordered Facebook Ireland, Facebook Inc. and Facebook Belgium (i) to desist, as regards all internet users established in Belgium, from placing, without their consent, cookies that remain active for two years on the devices used by them when browsing a web page in the Facebook.com domain or visiting the website of a third party, and from placing cookies and collecting data by means of social plug-ins, pixels or similar technological means on third‑party websites, in a manner that was excessive in the light of the objectives thereby pursued by the Facebook social network, (ii) to desist from providing information that might reasonably mislead the data subjects as to the real extent of the mechanisms put in place by Facebook for the use of cookies, and (iii) to destroy all the personal data obtained by means of cookies and social plug-ins.

33      On 2 March 2018 Facebook Ireland, Facebook Inc. and Facebook Belgium brought an appeal against that judgment before the hof van beroep te Brussel (Court of Appeal, Brussels, Belgium). Before that court, the DPA acts as the legal successor both of the President of the Privacy Commission, who had brought the injunction proceedings, and of the Privacy Commission itself.

34      The referring court held that it has jurisdiction solely to give a ruling on the appeal brought in so far as that appeal concerns Facebook Belgium. Conversely, the referring court held that it lacked jurisdiction to hear that appeal in relation to Facebook Ireland and Facebook Inc.

35      Before giving a ruling on the substance of the main proceedings, a question raised by the referring court is whether the DPA had the required standing and interest to bring proceedings. In the view of Facebook Belgium, the action brought seeking an injunction is inadmissible, in so far as it concerns facts prior to 25 May 2018, given that, following the entry into force of the law of 3 December 2017 and of Regulation 2016/679, Article 32(3) of the law of 8 December 1992, which is the legal basis for bringing such an action, was repealed. As regards the facts subsequent to 25 May 2018, Facebook Belgium claims that the DPA has no competence and has no right to bring such an action given the existence of the ‘one-stop shop’ mechanism now provided for under the provisions of Regulation 2016/679. On the basis of those provisions, it is claimed that only the Data Protection Commissioner (Ireland) is competent to bring injunction proceedings against Facebook Ireland, the latter being the sole controller of the personal data of the users of the social network concerned within the European Union.

36      The referring court has held that the DPA had not demonstrated the required standing to bring the injunction proceedings in so far as those proceedings related to facts prior to 25 May 2018. As regards the facts subsequent to that date, the referring court is however uncertain as to the effect of the entry into force of Regulation 2016/679, in particular the effect of the application of the ‘one-stop shop’ mechanism provided for by that regulation, on the competences of the DPA and on its power to bring such injunction proceedings.

37      In particular, in the view of the referring court, the question that now arises is whether, with respect to the facts subsequent to 25 May 2018, the DPA may bring an action against Facebook Belgium, since Facebook Ireland has been identified as the controller of the data concerned. Since that date and by virtue of the ‘one-stop shop’ rule, it appears that, in accordance with Article 56 of Regulation 2016/679, only the Data Protection Commissioner (Ireland) is competent, subject to review only by the Irish courts.

38      The referring court recalls that, in the judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein (C‑210/16, EU:C:2018:388), the Court held that the ‘German supervisory authority’ was competent in respect of data processing where the controller of the data concerned was established in Ireland and the subsidiary that was established in Germany (namely Facebook Germany GmbH) was responsible solely for the sale of advertising spots and other marketing activities in Germany.

39      However, in the case that gave rise to that judgment, the Court was required to give a ruling on a request for a preliminary ruling concerning the interpretation of the provisions of Directive 95/46, which has been repealed by Regulation 2016/679. The referring court is uncertain to what extent the Court’s interpretation in that judgment is still of relevance to the application of Regulation 2016/679.

40      The referring court also mentions a decision of the Bundeskartellamt (the German competition authority) of 6 February 2019 (the so-called ‘Facebook’ decision), in which that competition authority took the view that Facebook was abusing its position by merging data from different sources, which is now permitted only if users have given their explicit consent, with the proviso that any user who does not give his or her consent may not be excluded from Facebook services. The referring court notes that the Bundeskartellamt clearly considered itself to be competent, in spite of the ‘one-stop shop’ mechanism.

41      Further, the referring court considers that Article 6 of the law of 3 December 2017, which permits, as a general rule, the DPA, where necessary, to initiate or to engage in legal proceedings, does not imply that the action may, in all circumstances, be brought by the DPA before the Belgian courts, since the ‘one-stop shop’ mechanism appears to require that such an action should be brought before the court with jurisdiction in the place where the data processing is carried out.

42      In those circumstances, the hof van beroep te Brussel (Court of Appeal, Brussels) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Should Article 55(1), Articles 56 to 58 and Articles 60 to 66 of [Regulation 2016/679], read together with Articles 7, 8 and 47 of the [Charter], be interpreted as meaning that a supervisory authority which, pursuant to national law adopted in implementation of Article 58(5) of that regulation, has the competence to initiate or engage in legal proceedings before a court in its Member State against infringements of that regulation cannot exercise that competence in connection with cross-border data processing if it is not the lead supervisory authority for that cross-border data processing?

(2)      Does the answer to the first question referred differ if the controller of that cross-border data processing does not have its main establishment in that Member State but does have another establishment there?

(3)      Does the answer to the first question referred differ if the national supervisory authority initiates the legal proceedings against the main establishment of the controller in respect of the cross‑border data processing rather than against the establishment in its own Member State?

(4)      Does the answer to the first question referred differ if the national supervisory authority had already initiated the legal proceedings before the date on which [Regulation 2016/679] entered into force (25 May 2018)?

(5)      If the first question referred is answered in the affirmative, does Article 58(5) of [Regulation 2016/679] have direct effect, meaning that a national supervisory authority can rely on that provision to initiate or continue legal proceedings against private parties even if Article 58(5) of [Regulation 2016/679] has not been specifically transposed into the legislation of the Member States, notwithstanding the requirement to do so?

(6)      If questions (1) to (5) are answered in the affirmative, could the outcome of such proceedings prevent the lead supervisory authority from making a contrary finding when the lead supervisory authority investigates the same or similar cross-border processing activities in accordance with the mechanism laid down in Articles 56 and 60 of [Regulation 2016/679]?’

  Consideration of the questions referred

 The first question

43      By its first question, the referring court seeks, in essence, to ascertain whether Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation 2016/679, read together with Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a supervisory authority of a Member State which, under the national legislation adopted in order to implement Article 58(5) of that regulation, has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power with respect to cross-border data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, in relation to such data processing.

44      In that regard, it must recalled, as a preliminary point, that, first, unlike Directive 95/46, which had been adopted on the basis of Article 100 A of the EC Treaty, concerning the harmonisation of the common market, the legal basis of Regulation 2016/679 is Article 16 TFEU, which enshrines the right of everyone to the protection of personal data concerning them and authorises the European Parliament and the Council of the European Union to lay down the rules relating to the protection of individuals with regard to the processing of that data by European Union institutions, bodies, offices and agencies, and by the Member States, when carrying out activities which fall within the scope of EU law, and the rules relating to the free movement of such data. Second, recital 1 of that regulation confirms that ‘the protection of natural persons in relation to the processing of personal data is a fundamental right’ and states that Article 8(1) of the Charter and Article 16(1) TFEU lay down the right of everyone to the protection of personal data concerning them.

45      Consequently, as is clear from its Article 1(2), read together with recitals 10, 11 and 13 thereof, Regulation 2016/679 requires the European Union institutions, bodies, offices and agencies, and the competent authorities of the Member States, to ensure a high level of protection of the rights guaranteed in Article 16 TFEU and Article 8 of the Charter.

46      Further, as stated in its recital 4, Regulation 2016/679 respects all fundamental rights and observes the freedoms and principles recognised in the Charter.

47      Against that background, Article 55(1) of Regulation 2016/679 states the general rule that each supervisory authority is to be competent for the performance of the tasks assigned to it and the exercise of the powers conferred on it, in accordance with that regulation, on the territory of its own Member State (see, to that effect, judgment of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, EU:C:2020:559, paragraph 147).

48      One of the tasks assigned to those supervisory authorities is the task of monitoring the application of Regulation 2016/679 and enforcing its application, as laid down in Article 57(1)(a) of that regulation, while another is the task of cooperating with other supervisory authorities, including sharing information, and providing mutual assistance with a view to ensuring the consistency of application and enforcement of that regulation, as laid down in Article 57(1)(g) of that regulation. The powers conferred on those supervisory authorities, for the performance of those tasks, include various investigative powers, laid down in Article 58(1) of Regulation 2016/679, and the power to bring any infringement of that regulation to the attention of the judicial authorities and, where appropriate, to initiate or engage in legal proceedings in order to enforce the provisions of that regulation, as laid down in Article 58(5) of that regulation.

49      The performance of those tasks and the exercise of those powers presupposes, however, that a supervisory authority is competent with respect to a particular instance of data processing.

50      In that regard, without prejudice to the rule on competence set out in Article 55(1) of Regulation 2016/679, Article 56(1) of that regulation establishes, with respect to ‘cross-border processing’, within the meaning of Article 4, point (23), of that regulation, the ‘one-stop shop’ mechanism, based on an allocation of competences between one ‘lead supervisory authority’ and the other supervisory authorities concerned. Under that mechanism, the supervisory authority of the main establishment or of the single establishment of the controller or processor is to be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor, in accordance with the procedure set out in Article 60 of that regulation.

51      Article 60 establishes the procedure for cooperation between the lead supervisory authority and the other supervisory authorities concerned. As part of that procedure, the lead supervisory authority is, in particular, required to endeavour to reach consensus. To that end, in accordance with Article 60(3) of Regulation 2016/679, the lead supervisory authority is without delay to submit a draft decision to the other supervisory authorities concerned for their opinion and is to take due account of their views.

52      It follows more specifically from Articles 56 and 60 of Regulation 2016/679 that, with respect to ‘cross-border processing’, within the meaning of Article 4, point (23), of that regulation, and subject to Article 56(2) thereof, the various national supervisory authorities concerned must cooperate, in accordance with the procedure laid down in those provisions, in order to reach a consensus and a single decision, which is binding on all those authorities and with which decision the controller must ensure compliance as regards processing activities undertaken in the context of all its establishments within the European Union. Further, Article 61(1) of that regulation obliges the supervisory authorities, inter alia, to provide each other with relevant information and mutual assistance in order to implement and apply that regulation in a consistent manner throughout the European Union. Article 63 of Regulation 2016/679 states that it was for that purpose that provision was made for the consistency mechanism, set out in Articles 64 and 65 of that regulation (judgment of 24 September 2019, Google (Territorial scope of dereferencing), C‑507/17, EU:C:2019:772, paragraph 68).

53      The application of the ‘one-stop shop’ mechanism consequently requires, as confirmed in recital 13 of Regulation 2016/679, sincere and effective cooperation between the lead supervisory authority and the other supervisory authorities concerned. Accordingly, as the Advocate General stated in point 111 of his Opinion, the lead supervisory authority may not ignore the views of the other supervisory authorities, and any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of the draft decision of the lead supervisory authority.

54      Thus, in accordance with Article 60(4) of Regulation 2016/679, where one of the other supervisory authorities concerned expresses, within a period of four weeks after having been consulted, such a relevant and reasoned objection to the draft decision, the lead supervisory authority, if it does not follow the relevant and reasoned objection or is of the opinion that that objection is not relevant or reasoned, is to submit the matter to the consistency mechanism provided for in Article 63 of that regulation, in order to obtain a binding decision, adopted on the basis of Article 65(1)(a) of that regulation, from the European Data Protection Board.

55      Under Article 60(5) of Regulation 2016/679, where the lead supervisory authority intends, on the other hand, to follow the relevant and reasoned objection made, it must submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision is to be subject to the procedure referred to in Article 60(4) within a period of two weeks.

56      In accordance with Article 60(7) of that regulation, it is the responsibility of the lead supervisory authority, as a general rule, to adopt a decision with respect to the cross-border processing concerned, to give notice of that decision to the main establishment or the single establishment of the controller or processor, as the case may be, and to inform the other supervisory authorities concerned and the European Data Protection Board of the decision in question, including a summary of the relevant facts and grounds.

57      That said, it must be noted that Regulation 2016/679 establishes exceptions to the general rule that it is the lead supervisory authority which is competent to adopt decisions in the context of the ‘one-stop shop’ mechanism provided for in Article 56(1) of that regulation.

58      The first of those exceptions is to be found in Article 56(2) of Regulation 2016/679, which provides that a supervisory authority which is not the lead supervisory authority is to be competent to handle a complaint lodged with it concerning a cross-border processing of personal data or a possible infringement of that regulation, if the subject matter relates only to an establishment in its own Member State or substantially affects data subjects only in that Member State.

59      The second exception is in Article 66 of Regulation 2016/679, which provides, by way of derogation from the consistency mechanisms referred to in Articles 60 and Article 63 to 65 of that regulation, for an urgency procedure. That urgency procedure makes it possible, in exceptional circumstances, where the supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, immediately to adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which is not to exceed three months, while Article 66(2) of Regulation 2016/679 further provides that, where a supervisory authority has taken a measure under Article 66(1) and considers that final measures must urgently be adopted, it may request an urgent opinion or an urgent binding decision from the European Data Protection Board, giving reasons for requesting such an opinion or decision.

60      However, the exercise of that competence by the supervisory authorities must be compatible with the need for sincere and effective cooperation with the lead supervisory authority, in accordance with the procedure referred to in Article 56(3) to (5) of Regulation 2016/679. In such circumstances, under Article 56(3) of that regulation, the supervisory authority concerned must without delay inform the lead supervisory authority, which, within a period of three weeks of being informed, is to decide whether or not it will handle the case.

61      Under Article 56(4) of Regulation 2016/679, where the lead supervisory authority decides to handle the case, the cooperation procedure laid down in Article 60 of that regulation is applicable. In that context, the supervisory authority which informed the lead supervisory authority may submit to the latter a draft for a decision and the latter must take the utmost account of that draft when preparing the draft decision referred to in Article 60(3) of that regulation.

62      However, under Article 56(5) of Regulation 2016/679, where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the former is to handle the case in accordance with Articles 61 and 62 of that regulation, those provisions requiring the supervisory authorities to comply with the rules on mutual assistance and cooperation within the framework of joint operations, in order to ensure effective cooperation between the authorities concerned.

63      It follows from the foregoing that, first, in relation to the cross-border processing of personal data, the competence of the lead supervisory authority for the adoption of a decision finding that such processing is an infringement of the rules relating to the protection of the rights of natural persons as regards the processing of personal data found in Regulation 2016/679 constitutes the rule, whereas the competence of the other supervisory authorities concerned for the adoption of such a decision, even provisionally, constitutes the exception. Second, while the competence as a general rule of the lead supervisory authority is confirmed in Article 56(6) of Regulation 2016/679, which states that the lead supervisory authority is the ‘sole interlocutor’ of the controller or processor with respect to the cross-border processing carried out by that controller or that processor, that authority must exercise such competence within a framework of close cooperation with the other supervisory authorities concerned. In particular, the lead supervisory authority cannot, in the exercise of its competences, as stated in paragraph 53 of the present judgment, eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned.

64      In that regard, it is stated in recital 10 of Regulation 2016/679 that that regulation seeks, inter alia, to ensure consistent and homogeneous application of the rules for the protection of the freedoms and fundamental rights of natural persons with regard to the processing of personal data throughout the European Union and to remove obstacles to flows of personal data within the Union.

65      That objective, and the effectiveness of the ‘one-stop shop’ mechanism, might be jeopardised if a supervisory authority which is not, with respect to an instance of cross-border data processing, the lead supervisory authority, could exercise the power laid down in Article 58(5) of Regulation 2016/679 in situations other than those where it has competence for the adoption of a decision as referred to in paragraph 63 of the present judgment. The exercise of that power is indeed intended to lead to a binding judicial decision, which is no less liable to undermine that objective and that mechanism than a decision adopted by a supervisory authority which is not the lead supervisory authority.

66      Contrary to what is claimed by the DPA, the fact that a supervisory authority of a Member State which is not the lead supervisory authority may exercise the power laid down in Article 58(5) of Regulation 2016/679 only when that exercise complies with the rules on the allocation of competences to adopt decisions laid down, in particular, in Articles 55 and 56 of that regulation, read together with Article 60 thereof, is compatible with Articles 7, 8 and 47 of the Charter.

67      First, as regards the argument concerning an alleged breach of Articles 7 and 8 of the Charter, it must be recalled that Article 7 guarantees that everyone has the right to respect for his or her private and family life, home and communications, whereas Article 8(1) of the Charter, like Article 16(1) TFEU, expressly recognises that everyone has the right to the protection of personal data concerning him or her. It is clear, in particular, from Article 51(1) of Regulation 2016/679 that the supervisory authorities are responsible for monitoring the application of that regulation, for the purpose, inter alia, of protecting the fundamental rights of natural persons as regards the processing of their personal data. It follows that, in line with what has been said in paragraph 45 of the present judgment, the rules on the allocation of competences to adopt decisions between the lead supervisory authority and the other supervisory authorities, as laid down by that regulation, take nothing away from the responsibility incumbent on each of those authorities to contribute to a high level of protection of those rights, with due regard to those rules and to the requirements of cooperation and mutual assistance mentioned in paragraph 52 of the present judgment.

68      That means, in particular, that the use of the ‘one-stop shop’ mechanism cannot under any circumstances have the consequence that a national supervisory authority, in particular the lead supervisory authority, does not assume the responsibility incumbent on it under Regulation 2016/679 to contribute to providing effective protection of natural persons from infringements of their fundamental rights as recalled in the preceding paragraph of the present judgment, as otherwise that consequence might encourage the practice of forum shopping, particularly by data controllers, designed to circumvent those fundamental rights and the practical application of the provisions of that regulation that give effect to those rights.

69      Second, as regards the argument concerning the alleged breach of the right to an effective remedy, guaranteed in Article 47 of the Charter, that argument cannot be accepted either. The manner in which, as set out in paragraphs 64 and 65 of the present judgment, the possibility that a supervisory authority other than the lead supervisory authority may exercise the power laid down in Article 58(5) of Regulation 2016/679, with respect to an instance of cross-border processing of personal data, is circumscribed takes nothing away from the right of every data subject, laid down in Article 78(1) and (2) of that regulation, to an effective legal remedy, in particular, against a legally binding decision of a supervisory authority concerning him or her, or against a failure by the supervisory authority which has the competence to adopt decisions under Articles 55 and 56 of that regulation, read together with Article 60 thereof, to handle a complaint that that data subject has lodged.

70      That is particularly true in the situation described in Article 56(5) of Regulation 2016/679, by virtue of which, as stated in paragraph 62 of the present judgment, the supervisory authority which has given information on the basis of Article 56(3) of that regulation, may handle the case in accordance with Articles 61 and 62 thereof, where the lead supervisory authority decides, after having been so informed, that it will not itself handle the case. If a case is to be handled in such a way, it is not inconceivable that the supervisory authority concerned may, where appropriate, decide to exercise the power conferred on it by Article 58(5) of Regulation 2016/679.

71      That said, it must be emphasised that the exercise of the power of a Member State’s supervisory authority to bring actions before the courts of that State cannot be ruled out where, after the mutual assistance of the lead supervisory authority has been sought, under Article 61 of Regulation 2016/679, the latter does not provide the former with the requested information. In that situation, under Article 61(8) of that regulation, the supervisory authority concerned may adopt a provisional measure on the territory of its own Member State and, if it considers that there is an urgent need for the adoption of final measures, that authority may, in accordance with Article 66(2) of that regulation, request an urgent opinion or an urgent binding decision from the European Data Protection Board. Further, under Article 64(2) of that regulation, a supervisory authority may request that any matter that is of general application or that produces effects in more than one Member State be examined by the European Data Protection Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance imposed on it by Article 61 of that regulation. Following the adoption of such an opinion or such a decision, and provided that the European Data Protection Board approves, after taking account of all the relevant circumstances, the supervisory authority concerned must be able to take the necessary measures to ensure compliance with the rules on the protection of the rights of natural persons as regards the processing of personal data contained in Regulation 2016/679 and, for that purpose, exercise the power conferred on it by Article 58(5) of that regulation.

72      The sharing of competences and responsibilities among the supervisory authorities is of necessity underpinned by the existence of sincere and effective cooperation, between those authorities and with the Commission, in order to ensure the correct and consistent application of that regulation, as Article 51(2) of that regulation confirms.

73      In this instance, it will be for the referring court to determine whether the rules on the allocation of competences and the relevant procedures and mechanisms laid down by Regulation 2016/679 have been correctly applied in the main proceedings. In particular, it will be the task of the referring court to ascertain whether, although the DPA is not the lead supervisory authority in this case, the processing in question, to the extent that it involves the conduct of the Facebook online social network subsequent to 25 May 2018, may be classified as occurring in, in particular, the situation referred to in paragraph 71 of the present judgment.

74      In that regard, the Court observes that the European Data Protection Board, in its Opinion 5/2019 of 12 March 2019 on the interplay between the [Directive on privacy and electronic communications] and the [General Data Protection Regulation], in particular regarding the competence, tasks and powers of data protection authorities, stated that storing and obtaining access to personal data by means of cookies fell within the scope of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), and not within the scope of the ‘one-stop shop’ mechanism. On the other hand, all earlier processing operations, and all subsequent processing activities, with respect to that personal data, by means of other technologies, do fall within the scope of Regulation 2016/679, and consequently within the scope of the ‘one‑stop shop’ mechanism. Given that its request for mutual assistance concerned subsequent personal data processing operations, the DPA in April 2019 asked the Data Protection Commissioner (Ireland) to respond to its request as expeditiously as possible, but no response was provided.

75      In the light of all the foregoing, the answer to the first question referred is that Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation 2016/679, read together with Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a supervisory authority of a Member State which, under the national legislation adopted in order to transpose Article 58(5) of that regulation, has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power in relation to an instance of cross‑border data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, with respect to that data processing, provided that that power is exercised in one of the situations where that regulation confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation, and that the cooperation and consistency procedures laid down by that regulation are respected.

 The second question

76      By its second question, the referring court seeks, in essence, to ascertain whether Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, in the event of cross-border data processing, it is a prerequisite for the exercise of the power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings, within the meaning of that provision, that the controller with respect to the cross-border processing of personal data against whom such proceedings are brought has a ‘main establishment’, within the meaning of Article 4, point 16, of Regulation 2016/679, on the territory of that Member State or another establishment on that territory.

77      In that regard, it must be recalled that, under Article 55(1) of Regulation 2016/679, each supervisory authority is to be competent for the performance of the tasks assigned to it and the exercise of the powers conferred on it, in accordance with that regulation, on the territory of its own Member State.

78      Article 58(5) of Regulation 2016/679 lays down, further, the power of each supervisory authority to bring any alleged infringement of that regulation to the attention of a court of its Member State and, where appropriate, to initiate or engage in legal proceedings, in order to enforce the provisions of that regulation.

79      It must be observed that Article 58(5) of Regulation 2016/679 is worded in general terms and that the EU legislature has not specified that the exercise of that power by a Member State’s supervisory authority is subject to the condition that its legal action should be brought against a controller who has a ‘main establishment’, within the meaning of Article 4, point 16, of that regulation, or another establishment on the territory of that Member State.

80      However, a Member State’s supervisory authority may exercise the power conferred on it by Article 58(5) of Regulation 2016/679 only if it is demonstrated that that power falls within the territorial scope of that regulation.

81      Article 3(1) of Regulation 2016/679, which governs the territorial scope of that regulation, provides, in that regard, that the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, whether or not the processing takes place in the European Union.

82      In that connection, recital 22 of Regulation 2016/679 states that the existence of such an establishment implies the effective and real exercise of activity through stable arrangements and that the legal form of such arrangements, whether through a branch or a subsidiary with legal personality, is not the determining factor in that respect.

83      It follows that, in accordance with Article 3(1) of Regulation 2016/679, the territorial scope of that regulation is determined, without prejudice to the situations referred to in paragraphs 2 and 3 of that article, by the condition that the controller or the processor with respect to the cross‑border processing has an establishment in the European Union.

84      Consequently the answer to the second question referred is that Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, in the event of cross‑border data processing, it is not a prerequisite for the exercise of the power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings, within the meaning of that provision, that the controller with respect to the cross-border processing of personal data against whom such proceedings are brought has a main establishment or another establishment on the territory of that Member State.

 The third question

85      By its third question, the referring court seeks, in essence, to ascertain whether Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, in the event of cross-border data processing, it is a prerequisite of the exercise by a supervisory authority of a Member State, other than the lead supervisory authority, of the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where appropriate, to initiate or engage in legal proceedings, within the meaning of that provision, that the supervisory authority concerned directs its legal proceedings against the main establishment of the controller or against the establishment that is located in its own Member State.

86      It is clear from the order for reference that that question has arisen in the context of argument by the parties in relation to the issue whether the referring court has jurisdiction to hear the injunction proceedings in so far as those proceedings are brought against Facebook Belgium, given that, first, within the European Union, the headquarters of the Facebook group is situated in Ireland and that Facebook Ireland is the sole controller with respect to the collection and processing of personal data throughout the European Union, and, second, due to the internal division of that group, the establishment located in Belgium was created, primarily, to allow the Facebook group to engage with the EU institutions and, secondarily, to promote the advertising and marketing of that group to people residing in Belgium.

87      As stated in paragraph 47 of the present judgment, Article 55(1) of Regulation 2016/679 establishes the competence, as a general rule, of each supervisory authority for the performance of the tasks assigned to it and the exercise of the powers conferred on it, in accordance with that regulation, on the territory of its own Member State.

88      As regards the power of a supervisory authority of a Member State to bring legal proceedings, within the meaning of Article 58(5) of Regulation 2016/679, it must be recalled, as the Advocate General stated in point 150 of his Opinion, that that provision is worded in general terms and that it does not specify against which entities the supervisory authorities should or might direct legal proceedings in relation to any infringement of that regulation.

89      Consequently, that provision does not restrict the exercise of the power to initiate or engage in legal proceedings in such a way that those proceedings can solely be brought against a ‘main establishment’ or against some other ‘establishment’ of the controller. On the contrary, under Article 58(5) of that regulation, where the supervisory authority of a Member State has the necessary competence for that purpose, under Articles 55 and 56 of Regulation 2016/679, it may exercise the powers conferred by that regulation on its national territory, irrespective of the Member State in which the controller or its processor is established.

90      However, the exercise of the power conferred on each supervisory authority in Article 58(5) of Regulation 2016/679 presupposes that that regulation is applicable. In that regard, and as stated in paragraph 81 of the present judgment, Article 3(1) of that regulation provides that it is applicable to the processing of personal data ‘in the context of the activities of an establishment of a controller or a processor in the [European] Union, whether or not the processing takes place in the [European] Union’.

91      Having regard to the objective pursued by Regulation 2016/679, which is to ensure effective protection of the freedoms and fundamental rights of individuals, in particular, their right to protection of privacy and the protection of personal data, the condition that the processing of personal data must be carried out ‘in the context of the activities’ of the establishment concerned, cannot be interpreted restrictively (see, by analogy, judgment of 5 June 2018, Wirtschaftsakademie SchleswigHolstein, C‑210/16, EU:C:2018:388, paragraph 56 and the case-law cited).

92      In this instance, it is clear from the order for reference and from the written observations lodged by Facebook Belgium that the function of that company is, primarily, to engage with the EU institutions and, secondarily, to promote the advertising and marketing of the Facebook group aimed at people residing in Belgium.

93      The objective of the processing of personal data at issue in the main proceedings, which is carried out within the European Union exclusively by Facebook Ireland and which consists in the collection of information on the internet browsing behaviour both of Facebook account holders and of non-users of Facebook services by means of various technologies, such as, inter alia, social plug-ins and pixels, is precisely to enable the social network concerned to make its advertising system more efficient by disseminating targeted communications.

94      It must be observed that, first, a social network such as Facebook generates a substantial proportion of its income from, inter alia, the advertising that is disseminated on that social network, and that the activity carried out by the establishment located in Belgium is intended to ensure, within Belgium, even if it is only a secondary function, the promotion and sale of advertising spots which serve to make Facebook services profitable. Second, the activity primarily carried out by Facebook Belgium, which consists in engaging with the EU institutions and constituting a point of contact for those institutions, seeks, inter alia, to determine the personal data processing policy of Facebook Ireland.

95      In those circumstances, the activities of the establishment of the Facebook group located in Belgium must be considered to be inextricably linked to the processing of personal data at issue in the main proceedings, with respect to which Facebook Ireland is the controller within the European Union. Accordingly, that processing must be regarded as being carried out ‘in the context of the activities of an establishment of a controller’, within the meaning of Article 3(1) of Regulation 2016/679.

96      In the light of all the foregoing, the answer to the third question referred is that Article 58(5) of Regulation 2016/679 must be interpreted as meaning that the power of a supervisory authority of a Member State, other than the lead supervisory authority, to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where appropriate, to initiate or engage in legal proceedings, within the meaning of that provision, may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power, in accordance with the terms of the answer to the first question referred.

 The fourth question

97      By its fourth question, the referring court seeks, in essence, to ascertain whether Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, where a supervisory authority of a Member State which is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, has before 25 May 2018 brought legal proceedings concerning an instance of cross-border processing of personal data, that is, before the date when that regulation became applicable, that fact is such as to affect the conditions governing whether a Member State’s supervisory authority may exercise the power to initiate or engage in legal proceedings conferred on it by Article 58(5).

98      The claim made before that court by Facebook Ireland, Facebook Inc. and Facebook Belgium is that the consequence of Regulation 2016/679 becoming applicable after 25 May 2018 is that the continuation of an action brought before that date is inadmissible, or unfounded.

99      It must be noted, first, that Article 99(1) of Regulation 2016/679 provides that that regulation is to enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. Since that regulation was published in the Official Journal on 4 May 2016, it therefore entered into force on 25 May 2016. Further, Article 99(2) of that regulation provides that it is to apply from 25 May 2018.

100    In that regard, it should be borne in mind that a new rule of law applies from the entry into force of the act introducing it, and, while it does not apply to legal situations that have arisen and become definitive under the old law, it does apply to their future effects, and to new legal situations. It is otherwise, subject to the principle of the non‑retroactivity of legal acts, only if the new rule is accompanied by special provisions which specifically lay down its conditions of temporal application. In particular, procedural rules are generally taken to apply from the date on which they enter into force, as opposed to substantive rules, which are usually interpreted as applying to situations existing before their entry into force only in so far as it follows clearly from their terms, their objectives or their general scheme that such an effect must be given to them (judgment of 25 February 2021, Caisse pour l’avenir des enfants (Employment at the time of birth), C‑129/20, EU:C:2021:140, paragraph 31 and the case-law cited).

101    Regulation 2016/679 contains no transitional rule nor any other rule governing the status of court proceedings which were initiated before that regulation became applicable and which were still ongoing when it became applicable. In particular, there is no provision of that regulation which states that its effect is to bring to an end all court proceedings that are pending as at 25 May 2018 concerning alleged infringements of rules governing the processing of personal data laid down by Directive 95/46, even where the conduct that is a constituent element of such alleged infringements persists beyond that date.

102    In this instance, Article 58(5) of Regulation 2016/679 lays down rules governing the power of a supervisory authority to bring any infringement of that regulation to the attention of the judicial authorities and, where appropriate, to initiate or engage otherwise in legal proceedings, in order to enforce the provisions of that regulation.

103    In those circumstances, a distinction must be drawn between actions brought by a supervisory authority of a Member State with respect to infringements of the rules for the protection of personal data committed by controllers or processors before the date when Regulation 2016/679 became applicable and actions brought with respect to infringements committed after that date.

104    In the first situation, from the perspective of EU law, a legal action, such as that at issue in the main proceedings, may be continued on the basis of the provisions of Directive 95/46, which remains applicable in relation to infringements committed up to the date of its repeal, namely 25 May 2018. In the second situation, such an action may be brought, under Article 58(5) of Regulation 2016/679, solely on the condition that, as was stated in the context of the answer to the first question referred, that action is brought in a situation where, exceptionally, that regulation confers on a supervisory authority of a Member State which is not the ‘lead supervisory authority’ a competence to adopt a decision finding that the processing of data in question is in breach of the rules contained in that regulation with respect to the protection of the rights of natural persons as regard the processing of personal data, with due regard to the procedures laid down by that regulation.

105    In the light of all the foregoing, the answer to the fourth question referred is that Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, where a supervisory authority of a Member State which is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, has brought a legal action, the object of which is an instance of cross-border processing of personal data, before 25 May 2018, that is, before the date when that regulation became applicable, that action may, from the perspective of EU law, be continued on the basis of the provisions of Directive 95/46, which remains applicable in relation to infringements of the rules laid down in that directive committed up to the date when that directive was repealed. That action may, in addition, be brought by that authority with respect to infringements committed after that date, on the basis of Article 58(5) of Regulation 2016/679, provided that that action is brought in one of the situations where, exceptionally, that regulation confers on a supervisory authority of a Member State which is not the ‘lead supervisory authority’ a competence to adopt a decision finding that the processing of data in question is in breach of the rules contained in that regulation with respect to protection of the rights of natural persons as regard the processing of personal data, and that the cooperation and consistency procedures laid down by that regulation are respected, which it is for the referring court to determine.

 The fifth question

106    By its fifth question, the referring court seeks, in essence, to ascertain whether, if the answer to the first question referred is in the affirmative, Article 58(5) of Regulation 2016/679 must be interpreted as meaning that that provision has direct effect, with the result that a national supervisory authority may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned.

107    Article 58(5) of Regulation 2016/679 states that each Member State is to provide by law that its supervisory authority is to have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to initiate or engage otherwise in legal proceedings, in order to enforce the provisions of that regulation.

108    First, it must be observed that, as submitted by the Belgian Government, Article 58(5) of Regulation 2016/679 has been implemented in the Belgian legal order by Article 6 of the law of 3 December 2017. Under that Article 6, the wording of which is essentially the same as that of Article 58(5) of Regulation 2016/679, the DPA has the power to bring any breach of the fundamental principles of the protection of personal data, in the context of that law and legislation containing provisions on the protection of processing of personal data, to the attention of the judicial authorities and, where appropriate, to initiate or engage in legal proceedings to enforce those fundamental principles. Consequently, it must be held that the DPA may rely on a provision of national law, such as Article 6 of the law of 3 December 2017, which implements Article 58(5) of Regulation 2016/679 in Belgian law, in order to initiate or engage in legal proceedings seeking to enforce that regulation.

109    Further, for the sake of completeness, it must be observed that, under the second paragraph of Article 288 TFEU, a regulation is to be binding in its entirety and is to be directly applicable in all Member States, so that its provisions do not, as a general rule, require the adoption of any implementing measures by the Member States.

110    In that regard, it must be recalled that, according to the Court’s settled case-law, pursuant to Article 288 TFEU and by virtue of the very nature of regulations and of their function in the system of sources of EU law, the provisions of those regulations generally have immediate effect in the national legal systems without its being necessary for the national authorities to adopt measures of application. Nonetheless, some of those provisions may necessitate, for their implementation, the adoption of measures of application by the Member States (judgment of 15 March 2017, Al Chodor, C‑528/15, EU:C:2017:213, paragraph 27 and the case‑law cited).

111    However, as the Advocate General stated, in essence, in point 167 of his Opinion, Article 58(5) of Regulation 2016/679 lays down a specific and directly applicable rule which states that the supervisory authorities must have legal standing before the national courts and must have the power to initiate or engage in legal proceedings under national law.

112    It is not stated in Article 58(5) of Regulation 2016/679 that Member States should determine by means of an express legal provision under what circumstances the national supervisory authorities may initiate or engage in legal proceedings, within the meaning of Article 58(5). It is sufficient that the supervisory authority should have the possibility, in accordance with national legislation, to bring to the attention of the judicial authorities infringements of that regulation and, where appropriate, to initiate or engage in legal proceedings or to commence, in some other manner, a procedure for the enforcement of the provisions of that regulation.

113    In the light of all the foregoing, the answer to the fifth question referred is that Article 58(5) of Regulation 2016/679 must be interpreted as meaning that that provision has direct effect, with the result that a national supervisory authority may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned.

 The sixth question

114    By its sixth question, the referring court seeks, in essence, to ascertain whether, in the event that the answer to the questions (1) to (5) referred is in the affirmative, the outcome of legal proceedings brought by a Member State’s supervisory authority in relation to an instance of cross‑border processing of personal data may preclude the lead supervisory authority from adopting a decision in which it comes to the opposite conclusion where the latter authority investigates the same cross-border processing activities or similar activities, in accordance with the mechanism laid down in Articles 56 and 60 of Regulation 2016/679.

115    In that regard, it should be borne in mind that, according to settled case‑law, questions on the interpretation of EU law enjoy a presumption of relevance. The Court may refuse to give a ruling on a question referred for a preliminary ruling by a national court only where it is quite obvious that the interpretation of EU law that is sought bears no relation to the actual facts of the main action or its purpose, where the problem is hypothetical, or where the Court does not have before it the factual or legal material necessary to give a useful answer to the questions submitted to it (judgments of 16 June 2015, Gauweiler and Others, C‑62/14, EU:C:2015:400, paragraph 25, and of 7 February 2018, American Express, C‑304/16, EU:C:2018:66, paragraph 32).

116    Moreover, according to equally settled case-law, the justification for a reference for a preliminary ruling is not that it enables advisory opinions on general or hypothetical questions to be delivered but rather that it is necessary for the effective resolution of a dispute (judgment of 10 December 2018, Wightman and Others, C‑621/18, EU:C:2018:999, paragraph 28 and the case-law cited).

117    In this instance, it is clear that, as observed by the Belgian Government, the factual premiss of the sixth question referred has not been shown to have any reality in the context of the main proceedings, namely the premiss that, with respect to the cross-border processing that is the object of the dispute, there exists a lead supervisory authority which not only will investigate the same cross-border personal data processing activities as are the object of the legal proceedings initiated by the supervisory authority of the Member State concerned or similar activities, but, further, will contemplate the adoption of a decision that will reach the opposite conclusion.

118    In those circumstances, it must be stated that the sixth question referred bears no relation to the actual facts of the main proceedings or their purpose, and concerns a hypothetical problem. Consequently, that question must be declared to be inadmissible.

 Costs

119    Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the referring court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Grand Chamber) hereby rules:

1.      Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), read together with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a supervisory authority of a Member State which, under the national legislation adopted in order to transpose Article 58(5) of that regulation, has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power in relation to an instance of crossborder data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, with respect to that data processing, provided that that power is exercised in one of the situations where Regulation 2016/679 confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation and that the cooperation and consistency procedures laid down by that regulation are respected.

2.      Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, in the event of cross-border data processing, it is not a prerequisite for the exercise of the power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings, within the meaning of that provision, that the controller with respect to the cross-border processing of personal data against whom such proceedings are brought has a main establishment or another establishment on the territory of that Member State.

3.      Article 58(5) of Regulation 2016/679 must be interpreted as meaning that the power of a supervisory authority of a Member State, other than the lead supervisory authority, to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where appropriate, to initiate or engage in legal proceedings, within the meaning of that provision, may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power, in accordance with the terms of the answer to the first question referred.

4.      Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, where a supervisory authority of a Member State which is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, has brought a legal action, the object of which is an instance of cross-border processing of personal data, before 25 May 2018, that is, before the date when that regulation became applicable, that action may, from the perspective of EU law, be continued on the basis of the provisions of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which remains applicable in relation to infringements of the rules laid down in that directive committed up to the date when that directive was repealed. That action may, in addition, be brought by that authority with respect to infringements committed after that date, on the basis of Article 58(5) of Regulation 2016/679, provided that that action is brought in one of the situations where, exceptionally, that regulation confers on a supervisory authority of a Member State which is not the ‘lead supervisory authority’ a competence to adopt a decision finding that the processing of data in question is in breach of the rules contained in that regulation with respect to the protection of the rights of natural persons as regards the processing of personal data, and that the cooperation and consistency procedures laid down by that regulation are respected, which it is for the referring court to determine.

5.      Article 58(5) of Regulation 2016/679 must be interpreted as meaning that that provision has direct effect, with the result that a national supervisory authority may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned.

[Signatures]


*      Language of the case: Dutch.

© European Union
The source of this judgment is the Europa web site. The information on this site is subject to a information found here: Important legal notice. This electronic version is not authentic and is subject to amendment.


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/eu/cases/EUECJ/2021/C64519.html