Communications Litigation Today was a Warren News publication.

Belgian Case Against Facebook Can Proceed: ECJ

Privacy watchdogs may enforce breaches even if they're not the lead authority -- under certain conditions -- the European Court of Justice ruled Tuesday. ECJ's decision prompted cheers from consumer groups and a cautious response from Facebook and the tech sector. The case arose when the Belgian Privacy Commission tried to stop Facebook Ireland, Facebook Inc. and Facebook Belgium from allegedly collecting personal information on the browsing behavior of account holders and non-users via cookies, social plug-ins and pixels. In 2018, a Brussels court held that it had jurisdiction and that Facebook wasn't adequately informing Belgian users about its data collection. The court ordered the social media giant to stop gathering the information in Belgium. The company appealed; that court said its jurisdiction covered only Facebook Belgium, not Facebook Ireland or Facebook Inc. The appeals court asked the ECJ to determine whether Belgium's data protection authority had the required standing to bring the proceedings, given that general data protection regulation created a "one-stop shop" for enforcement actions, and that only the Irish Data Protection Commission had jurisdiction because it's the controller for Facebook personal data in the EU. The ECJ held that a national data protection authority has the power to pursue alleged GDPR violations involving cross-border data processing even though it's not the lead supervisory authority and that it's not necessary that the controller of such personal data have a main establishment in that country. However, the ECJ said the non-lead authority can enforce only if it complies with rules governing the relationship between itself and the lead authority. The one-stop shop mechanism "requires close, sincere and effective cooperation" between authorities to ensure consistent application of the rules, the court said. Facebook said it's pleased the court "upheld the value and principles of the one-stop shop mechanism, and highlighted its importance" in ensuring uniform application of the GDPR. "While the Court has upheld the one-stop shop principle ... it has also opened the back door for all national data protection enforcers to start multiple proceedings against companies," said the Computer & Communications Industry Association, adding that this risks compliance becoming more fragmented and uncertain. "Given the existing bottlenecks in the GDPR cross-border enforcement system, all national authorities must be able, under certain conditions, to proactively take matters into their own hands, said the European Consumer Organisation.