The Data Protection Authority (‘DPA’) announced, on 8 May 2019, that the Brussels Court of Appeal (‘the Court’) issued its judgment in relation to the DPA’s proceedings against Facebook, Inc., following the pleading of the parties to the Court on 27 and 28 March 2019. In particular, the DPA highlighted that the Court did not rule on the merits of the case and decided to refer it to the Court of Justice of the European Union (‘CJEU’) to be assessed in line with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) seeking to ensure that the DPA can pursue the case against Facebook. The case arises as the DPA alleged that Facebook infringes Belgian and European data protection legislation by accumulating data on the browsing habits of internet users, irrespective of whether the data subjects are members of Facebook.
The DPA postulated that through Facebook’s placement of cookies on the subjects’ computers, through its social plugins and pixels on visited websites, Facebook is able to extract data on the browsing behaviour of millions of internet users. Furthermore, the questions referred by the Court include, among others, whether Articles 55(1), 56-58 and 60-66 of the GDPR addressing the competence of supervisory authorities, read in conjunction with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, allow for a supervisory authority to engage in legal proceedings before a court of its Member State, if it is not the lead supervisory authority in connection with certain cross-border processing operations.
In addition, the Court asked from the CJEU to clarify whether a supervisory authority’s powers are different if the controller of the cross-border processing does not have its main establishment in that Member State but has a different establishment there and, in addition, whether it makes a difference when the national supervisory authority initiates proceedings against the main establishment of the controller or against the establishment in its own Member State. Following the above, the Court asked if the initiation of legal proceedings before the entry into force of the GDPR made a difference in the supervisory authority’s current powers and, if yes, whether Article 58(5) of the GDPR has direct effect and whether the outcome of such proceedings prevent an opposite finding by the lead supervisory authority where the lead supervisory authority investigates the same or similar cross-border processing activities in accordance with the mechanism contained in Articles 56 and 60 of the GDPR.
The DPA stated that it was pleased that the Court had decided to refer the case to the CJEU because of the impact on the protection of citizens’ data and highlighted its commitment to raise the case with the European Data Protection Board in order to ensure a high level of protection of rights in the short term.
ADETOKUNBO HUSSAIN Privacy Analyst