(ANSA) - BRUSSELS, JUN 15 - Even a national privacy authority, and not just the Irish one, can sue Facebook in case of violation of the data protection directive (GDPR): this was established by the Court of Justice of the EU, in a ruling that sees the Belgian data protection authority against Facebook Ireland, Facebook Belgium and Facebook Inc. for collecting data through cookies, in violation of the directive. The Court clarified that, although the Irish authority is the "lead" of the data processing since Facebook Ireland is the data controller, the other national authorities can also act in court.
Everything arises because from the entry into force of the GDPR, ie on 25 May 2018, in application of the 'one-stop shop' principle provided for by the directive, "only the Irish data protection commissioner would be competent to bring an injunction, under the control of Irish judges ".
Then the Belgian judges asked the Court whether the Belgian privacy authority was entitled to bring an action or not.
In its judgment, delivered in the Grand Chamber, the Court therefore specifies the powers of the national supervisory authorities in the context of the GDPR. And it declares in particular that, "in the presence of certain conditions", the directive "authorizes a supervisory authority of a Member State to exercise its power to bring an action before a judge of that State and to take legal action in the event of an alleged violation of the GDPR, with regard to a cross-border processing of data, even though it is not the leading supervisory authority for such processing ".
Among the conditions, for example, there is territorial competence, or "in the case of cross-border processing of data", the supervisory authority of a Member State can bring legal action even if the data controller does not have a main establishment in its territory, as long as it has one in an EU state. (HANDLE).