CJEU: DPAs can take a company to court in their own country even when not Lead Authority

The Court of Justice of the European Union (CJEU) has today confirmed that a national data protection authority can, under the GDPR and under certain conditions, start court proceedings against a controller in its own country even if it is not the Lead Authority. This refers to a situation in cross-border cases where the company’s main EU establishment is in another country.

The question arose in proceedings started in 2015 by Belgium’s Data Protection Commission against Facebook, which has its EU headquarters in Ireland. The decision offers important clarification on how the GDPR and its One-Stop-Shop rule can be interpreted.

Monique Goyens, Director General of the European Consumer Organisation (BEUC), said:

“This is a positive development in the bid to have our privacy respected regardless of where the company is established in the EU. Given the existing bottlenecks in the GDPR cross-border enforcement system, all national authorities must be able, under certain conditions, to proactively take matters into their own hands and use their full powers when our rights are trampled on. Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge.”

See: The judgement of 15 June