On 15 June 2021, the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-645/19 Facebook Ireland Ltd and others.  In this judgment, the CJEU set out the conditions for the exercise of national supervisory authorities’ powers regarding cross border personal data processing and concluded that, in certain circumstances, a national supervisory authority may bring alleged infringements of the GDPR before a court of a Member State, despite the fact that such authority is not the lead supervisory authority in respect of that processing.

The CJEU made various findings.  First, it set out the requirements which determine whether national supervisory authorities, which are not the lead supervisory authority in cases of cross-border personal data processing, must bring alleged breaches of the GDPR before a court of a Member State and, where required, begin or join in legal proceedings to ensure that the GDPR is enforced. 

The CJEU held that the GDPR must give such national supervisory authorities the power to adopt decisions that processing infringes the GDPR and also that such power must be used with appropriate consideration for the GDPR’s cooperation and consistency procedures.

The CJEU noted that, generally, the lead supervisory authority will be the competent supervisory authority to adopt decisions as to whether cross-border personal data processing infringes the GDPR, while instances of other relevant supervisory authorities being competent to make such decisions, even provisionally, are exceptional (see Articles 56(2) and 66 GDPR).  The lead supervisory authority must, however, take the opinions of the other supervisory authorities into account and cooperate with them and the CJEU notes that “any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of the draft decision by the lead supervisory authority”.

The CJEU also observed that supervisory authorities other than the lead supervisory authority which bring alleged breaches of the GDPR regarding cross-border data processing before the courts of their own Member State and begin or participate in legal proceedings must observe the rules on the allocation of competences between the lead supervisory authority and other supervisory authorities and ensure that data subjects’ rights to protection of their personal data and to effective remedies are assured.

Secondly, the CJEU held that, regarding cross-border personal data processing, where supervisory authorities other than the lead supervisory authority begin or take part in legal proceedings, it is not necessary for the controller in respect of the relevant processing to have an establishment in the Member State of such supervisory authorities, although the relevant controller or processor must have an establishment in the EU.

Thirdly, the CJEU decided that, regarding cross-border data processing, supervisory authorities other than the lead supervisory authority may bring alleged breaches of the GDPR before their Member State’s courts and begin or take part in legal proceedings, both regarding the main establishment of the relevant controller located in that supervisory authority’s Member State and also regarding another establishment of that controller, as long as the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power. 

The CJEU also noted, however, that the exercise of that power assumes that the GDPR applies.  In this case, as the activities of the establishment of the Facebook group located in Belgium were held to be inextricably linked to the processing of personal data which was the subject of the main proceedings, regarding which Facebook Ireland is the EU controller, that processing was held to be carried out “in the context of the activities of an establishment of the controller” and within the GDPR’s scope.

Fourthly, the CJEU held that, where a supervisory authority other than the lead supervisory authority brought relevant legal proceedings prior to the enforcement of the GDPR, that action may be continued on the basis of the previous EU Data Protection Directive (95/46/EC).  Furthermore, such actions may be brought by those supervisory authorities regarding breaches occurring after 25 May 2018 as long as such actions are covered by one of the exceptions where the GDPR allows supervisory authorities other than the lead supervisory authority to adopt decisions that the relevant personal data processing breaches the GDPR and that the cooperation and consistency procedures set out in the GDPR are adhered to.

Finally, the CJEU acknowledged the direct effect of the GDPR’s provision under which each EU Member State must provide in law that its supervisory authority may make the judicial authorities aware of infringements of the GDPR and, where appropriate, begin or take part in legal proceedings.   

Hopefully, this judgment will bring welcome clarification for supervisory authorities regarding the GDPR’s 'one-stop shop' regime and the circumstances in which such authorities (when not acting as lead supervisory authority) may bring alleged infringements of the GDPR regarding cross-border personal data processing before their own Member State’s courts and commence or participate in related legal proceedings.  As cross-border processing is commonplace for large multinationals, it will be interesting to see the impact of this judgment and how easy it will be for regulators to adhere to the GDPR’s co-operation and consistency mechanisms in practice.