A judgment rendered by the Court of Justice of the European Union clarified certain aspects of the GDPR. With this decision, it is confirmed that Facebook and any other company are well exposed to the action of any European CNIL, conditions permitting.
This is a potential concern for Facebook, but good news for the National Commission for Informatics and Freedoms (Cnil). This Tuesday, June 15, the Court of Justice of the European Union issued a judgment that could relatively modify the panorama of proceedings launched against the social network, and more generally against any company in potential breach of the GDPR.
Indeed, this judgment opens prospects for the national authorities responsible for ensuring the proper use of personal data – in France, it is the Cnil. Concretely, the decision says that a national authority can, in certain cases, act directly, without having to go through its counterpart in the country in which the company accused of being in breach operates at European level.
In other words, the Cnil could in certain circumstances directly attack Facebook, without going through its Irish counterpart, which since 2018 has assumed the role of lead authority, since it is from Ireland that Facebook has been piloting its activities in within the European Union. This notion of lead supervisory authority arrived with the General Data Protection Regulation.
The decision rendered by the Court of Justice of the European Union is the consequence of a dispute between Facebook and the Belgian Commission for the protection of privacy (CPBP) which dates back to 2015. The Belgian body accused Facebook of proceeding to the tracking of Internet users, via cookies on websites, regardless of their consent, whether or not they have an account.
The affair between the CPBP and Facebook for several years, given the length of the procedure and the appeal mechanisms, it ended up continuing until 2018, when the GDPR came into full force. The question then arose as to whether the procedure launched by the CPBP was still viable, since the GDPR provides for the famous mechanism of the lead authority.
A decision that potentially consolidates the CNIL
The judgment of the Court therefore clarifies what comes under the lead authority, by virtue of the one-stop-shop, a cooperation mechanism which ensures that it is the protection authority of the European country in which the company involved (Luxembourg for the European activities of Amazon, Ireland for Google or Facebook, for example) which takes charge of the files concerning it.
Thus, an action that was launched against a company by a data protection authority before the date of entry into force of the GDPR can continue, even if it does not turn out to be the lead authority. This is one of the exceptions accepted by the Court of Justice of the European Union. ” This action can be maintained, under Union law She writes.
But, more importantly, the Court of Justice considers that such an action can also be brought ” for offenses committed after the date of entry into force of the GDPR », If special conditions are met. Thus, it is possible to free oneself from the leading authority if it turns out that it is not showing itself to be cooperative or if it does not integrate the points of view of its counterparts into its thinking.
” In the exercise of its competences, explains the Court, the lead supervisory authority cannot do without an indispensable dialogue as well as loyal and effective cooperation with the other supervisory authorities concerned “. Otherwise, the other European bodies have the right, exceptionally, to act on their own. This does not only apply to Facebook: it concerns any entity.
” Therefore, in the context of this cooperation, the lead supervisory authority cannot ignore the views of the other supervisory authorities concerned and any relevant and reasoned objection formulated by one of the latter authorities shall have the effect of block, at least temporarily, the adoption of the draft decision of the lead supervisory authority », Adds the Court.
The existence of the one-stop-shop and the lead supervisory authority does not prevent the CNIL from launching actions against companies which base their European activities elsewhere than in France. Proof of this is the significant financial penalty against Google and Amazon at the end of 2020. Facebook is therefore potentially exposed to action, if the conditions for doing so are met. The grievances, in any case, are not lacking.