In the latest episode of the case between Facebook and the Belgian Data Protection Authority, the Brussels Court of Appeal has referred 6 preliminary questions concerning the power of the Authority to engage in proceedings against the social network to the Court of Justice of the European Union.
Following the judgment of the Dutch-speaking Court of First Instance of Brussels of 16 February 2018, which had ruled against Facebook on all accounts, Facebook brought the case before the Brussels Court of Appeal. Oral hearings took place on 27 and 28 March 2019, in which the Belgian Data Protection Authority ("BDPA") argued that Facebook is (still) in violation of Belgian and EU privacy legislation by tracking the browsing behavior of Internet users in Belgium regardless of whether or not they have an account with the social network.
On 8 May 2019, the Court of Appeal issued a judgment in which it does not yet rule on the merits of the case, but instead refers the case to the Court of Justice of the European Union ("CJEU"). The Court of Appeal wants assurance that the BDPA indeed has the power to pursue the case against Facebook, in light of the GDPR which entered into application on 25 May of last year.
The questions referred to the CJEU relate to the cooperation mechanism between the various national supervisory authorities, which was introduced by the GDPR, and in particular to the concept of the 'one-stop shop'. The Brussels Court of Appeal turns to the CJEU to clarify whether this cooperation mechanism also affects the possibility of a supervisory authority initiating proceedings before a court, among others in light of the GDPR concepts of 'lead supervisory authority', 'cross-border processing' and a controller's 'main establishment' in the EU. In particular, the Court also asks whether Article 58(5) of the GDPR has direct effect. This Article stipulates that EU Member States must provide that supervisory authorities have the power to bring GDPR infringements before judicial authorities and engage in legal proceedings where appropriate.
The BDPA itself has announced being pleased with the referral, regardless of the outcome of the procedure before the CJEU. The authority notes that progress is being made with respect to the issues caused by Facebook's practices and the impact thereof on the protection of citizen's personal data. The BDPA has publicly committed itself to bringing the case to the attention of its EU colleagues, which gather within the context of the European Data Protection Board, to make sure that citizens are guaranteed a high level of personal data protection in the near future.
Background of the case
The Facebook case dates back to 2015, when it was initiated by the Privacy Commission, the BDPA's predecessor in pre-GDPR times. The Privacy Commission had investigated Facebook's practice of tracking the browsing behavior of Internet users in Belgium and learned that the social media giant engages in extensive tracking practices. Through the use of various technologies, including cookies, so-called "social plug-ins" such as like or share buttons, and invisible "pixels", Facebook tracks the browsing behavior of just about all internet users, including individuals never having visited the Facebook website.
In the judgment of 16 February 2018, the Court of First Instance concluded that Facebook insufficiently informs users about these practices and its use of the collected personal data, and also that it does not have valid consent to process the information thus obtained. The Court therefore ordered Facebook to stop tracking and recording the browsing behavior of persons browsing from Belgium as long as it does not bring its practices in line with Belgian privacy legislation, to destroy all illegally obtained personal data and to publish the full judgment on its website.
Please find here a link to an English version of the preliminary questions referred to the CJEU on 8 May 2019.