Any EU country can, under certain conditions, sue a web company for violating personal data legislation, and not just the state where it has its main HQ, the European justice said, entering a dispute with Facebook.
Read also: GDPR: the Irish "weak link" heightens tension among regulators
The Court of Justice of the EU (CJEU), established in Luxembourg, was questioned by the Brussels Court of Appeal, in the context of an action brought in 2015 against the American giant by the boss of the Belgian authority of Data protection. In particular, it was invited to clarify the question of the application of the so-called “one-
stop-shop
” mechanism
provided for by the General Data Protection Regulation (GDPR), which entered into force in May 2018. Under this mechanism, these are the Irish courts, those of the country in which Facebook has established its European headquarters, which must be seized of an alleged violation of the GDPR by this multinational. TheIrish Data Protection Authority has been appointed as the 'lead
authority
' for bringing legal actions.
Details for national authorities
In its judgment, the CJEU specifies the conditions for the exercise of national authorities, such as the CNIL in France, and judges that “
under certain conditions
” they can take legal action in their State concerning cross-border data processing.
The Court of Justice considers in particular that when a national supervisory authority, which is not "
leader
", brought a legal action before the entry into force of the GDPR, "
this action can be maintained, under Union law
”.
Read also: Data leak: the Irish CNIL opens an investigation against Facebook
This is precisely the Belgian case.
In September 2015, the president of the Belgian privacy control authority (the CPVP, which has since become the Data Protection Authority) brought proceedings before the Brussels court.
The goal ?
That Facebook stop collecting and using information about their online behavior without the knowledge of Internet users, via “
cookies
”,
among other things
, these microfiles retaining the habits of Internet users.
In February 2018, this court ordered Facebook to stop tracking Internet users in Belgium without their consent, under penalty of a fine of 250,000 euros per day.
The multinational appealed and it was during the appeal process that the Luxembourg Court was questioned.
"
A positive development
"
Its judgment constitutes "
a positive development
" in the fight for better data protection, welcomes the European Bureau of Consumers' Unions (BEUC). For this federation of associations from 32 countries in Europe, the GDPR one-stop shop has "
gaps
". “
Most of the tech giants, nicknamed the
'
Big Tech
',
are based in Ireland, and it shouldn't be the sole authority of this country to protect 500 million consumers in the EU,
” he said. it belongs. Facebook, for its part, was delighted that the CJEU "
confirmed the value and the principles of the
" one-stop-shop "
mechanism
"
and underlined its importance, in order to apply the GDPR effectively and consistently across the EU,
”said Jack Gilbert, associate lawyer for the social network.
But the lobby of tech giants, the ICC, expressed concerns, saying the judgment had "
opened a back door
" and that it risked making data protection compliance in the EU "
more inconsistent. , fragmented and uncertain
”.