The Belgian data protection authority (DPA) has been given permission to take legal proceedings against the social media giant Facebook, under certain conditions, the European Court of Justice has ruled.
The ECJ was responding to a request for a ruling made by the court of appeal in Brussels in a case dating back to 2005.
In that case, the DPA – then known as the Privacy Commission – wanted to take action against Facebook for its practice of placing cookies on users’ computers to gather information on their use of the company’s site, and their behaviour on other sites.
But Facebook argued that the EU’s 2018 directive on data protection (GDPR) meant that the Belgian DPA was no longer competent to take action in that way. The only authority competent to take action was that from the country in which the company was established, namely Ireland.
The request for a ruling on that issue went from the Brussels Court of Appeal to the European Court, which has now given its answer.
A national authority can, under certain conditions, bring the attention to its own judicial system of any alleged breach of the GDPR, even if it is not the principal supervisory authority in the matter.
In principle, the competent authority in the case of Facebook is indeed Ireland’s, but other DPAs can act in accordance with terms agreed with the Irish authority. The court also ruled that in cases introduced before the adoption of the GDPR – as in this case – the old rules still apply, and the Belgian DPA can go ahead with its case.
A reference for a preliminary ruling fro the ECJ is not a decision on the facts of the case itself, the court always stresses in its judgements. It is not up to the national court who made the request to dispose of the case.