On Tuesday, the European Court of Justice ruled that under certain conditions, a data protection authority that is not the lead supervisory authority for Facebook can bring court proceedings for alleged infringement of the GDPR with respect to cross-border processing.
This ruling means that where the provisions of the GDPR allow, data protection authorities in any EU member state should be able to pursue legal action for infringement of the GDPR in the context of cross-border processing against a data controller, in this case Facebook, even if they are not the lead supervisory authority.
In this case, the Belgian data protection authority sought to bring legal action against Facebook for cross-border processing that infringed the GDPR. Facebook sought to argue that only the Data Protection Commissioner in Ireland, as the lead supervisory authority, could take action against it for the alleged infringements of the GDPR when transferring digital information from its European users to the US. However, the ECJ ruled that the activities of the Facebook establishment in Belgium are inextricably linked to the processing of personal data at issue in the main proceedings, that the data fell within the scope of the GDPR, and that the Belgian data protection authority was competent and would have the right to pursue legal action against Facebook in the courts in Belgium.
This decision will have a lasting impact: although it is underpinned by a set of specific circumstances, it paves the way for EU data protection authorities to take companies to court over a GDPR violation even if they are not the lead supervisory authority. In a regulatory climate that places an ever-increasing burden on data controllers and processors, this adds to the list of reasons why organisations carrying out cross-border processing need to ensure compliance when transferring personal data out of EU member states.
...the Court rules that, in the event of cross-border data processing, the power of a supervisory authority of a Member State, other than the lead supervisory authority, to bring any alleged infringement of the GDPR before a court of that Member State and, where appropriate, to initiate or engage in legal proceedings, may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power.