Advocate General of the CJEU delivers opinion in Facebook v Belgium DPA

The Advocate General of the Court of Justice of the European Union (CJEU) states, in his opinion of 13 January that national DPAs can, even in cross-border cases, bring proceedings before a national judge in various situations specifically provided for in the GDPR.

The Advocate General stresses that the lead data protection authority cannot be deemed as the sole enforcer of the GDPR in cross-border situations and must, in compliance with the relevant rules and time limits provided for by the GDPR, closely cooperate with the other data protection authorities concerned, the input of which is crucial in this area.

David Stevens, Chairman of Belgium’s DPA said: “We are pleased to see that the Advocate General confirms that in principle data protection authorities can bring proceedings before their national courts, provided that this does not encroach on the loyal cooperation between data protection authorities. If data subjects can go to court to defend their rights, data protection authorities should also be able to do this on their behalf in certain exceptional cases.”

Jack Gilbert, Associate General Counsel at Facebook said: “We are pleased that the Advocate General has reaffirmed the value and principles of the One-Stop-Shop mechanism, which was introduced to ensure the efficient and consistent application of GDPR. We await the Court’s final verdict.”

Hielke Hijmans, Chairman of the Litigation Chamber of Belgium’s DPA commented: “It is important to note that today’s opinion is not final, as ultimately only the Court can take a decision in this case. She alone has the final word in deciding on the correct interpretation of the GDPR.”

The CJEU will next deliver a judgment. The date for when the decision will be issued has not yet been announced.

The case has been going on since 2015 when Belgium’s DPA took Facebook to court for collecting information on the surfing behaviour of Internet users in Belgium by placing cookies on their computers.

As Facebook’s European headquarters are in Ireland, there has been a longstanding argument over where this cross-border case should be heard. Facebook has said that only the data protection authority of Ireland (the so-called ‘lead’ data protection authority in the EU for Facebook), is empowered to engage in judicial proceedings against Facebook for infringements of the GDPR in relation to cross-border data processing.

See Belgium Data Protection Authority - Facebook case: the Advocate General of the CJEU has delivered his opinion