Facebook Ireland Ltd – CJEU Judgment (Belgium, 2021)

The Belgian DPA brought an action before Court of First Instance of Brussels, Belgium on 11 September 2015, seeking an injunction against Facebook Ireland, Facebook Inc. and Facebook Belgium. This action aimed to put an end to what the Belgian DPA described as ‘serious and large-scale infringements, by Facebook, of the legislation relating to privacy’. On 16 February 2018, the Court of First Instance held that the Facebook social network did not adequately inform Belgian internet users of the collection and use of the information concerned. Furthermore, the consent given by the internet users to the collection and processing of that data was held to be invalid. Facebook Ireland, Facebook Inc. and Facebook Belgium, however, appealed that judgement before the Brussels Court of Appeal. Before ruling on the substance of the case, the Court of Appeal referred certain questions to the CJEU regarding the ‘one-stop shop’ mechanism provided for by the GDPR. Indeed, Facebook Ireland (established in Ireland) was identified as the controller. The Court of Appeal of Brussel therefore referred six questions to the CJEU: (1) Should Article 55(1), Articles 56 to 58 and Articles 60 to 66 of [Regulation 2016/679], read together with Articles 7, 8 and 47 of the [Charter], be interpreted as meaning that a supervisory authority which, pursuant to national law adopted in implementation of Article 58(5) of that regulation, has the competence to initiate or engage in legal proceedings before a court in its Member State against infringements of that regulation cannot exercise that competence in connection with cross-border data processing if it is not the lead supervisory authority for that cross-border data processing? (2) Does the answer to the first question referred differ if the controller of that cross-border data processing does not have its main establishment in that Member State but does have another establishment there? (3) Does the answer to the first questio