Case Summary and Outcome

The President of the Belgian Court in Brussels adopted a Recommendation issued by the Belgian Privacy Commission finding that Facebook was violating Belgian law by tracking non-users on Facebook’s site. Following an appeal by Facebook, the Court of Appeal in Brussels dismissed the case on 8 May 2019 for lack of jurisdiction over the appellant because Facebook is headquartered in Dublin, Ireland and has no physical base of operations in Belgium. For that reason, the Court of Appeal referred the case to the European Court of Justice for preliminary rulings to determine if the Commission could pursue a case against Facebook Belgium BVBA (the appellant’s domestic counterpart) instead of the appellant, following the introduction of the GDPR and its ‘one-stop shop’ mechanisms.

Columbia Global Freedom of Expression notes that some of the information contained in this report was derived from secondary sources.

Facts

In November 2014, Facebook revised its Statement of Rights and Responsibilities, Data Policy and Cookie Policy. These new policies went into effect the following calendar year, and the Belgian Privacy Commission (the Commission) launched an investigation to determine their compliance with Belgian law.

On April 29, 2015, Facebook had a hearing before the Commission in which both sides presented evidence on the issues. Thereafter, the Commission issued a Recommendation, which found that Facebook was tracking non-users of Facebook’s and surfing history through social plugins even when the user was not accessing Facebook through the use of cookies, which violated Belgian law.  Under the Belgian Privacy Act, this processing of personal data is only permitted if Facebook can establish a “legitimate basis” upon which it collects data. This legitimate basis arises only through user consent or if it is necessary for the completion of a contract. Non-users of Facebook did never consented to this data collection, nor did the provisions of a contract apply to them. Therefore, there was not a “legitimate” basis for Facebook’s processing data of non-users and, further, Facebook’s systemic collection of data from its actual users was also “excessive” based on the development of its social plug-ins. However, the Belgian Privacy Commission does not have the authority to enforce orders and therefore sought an order from the judiciary to this effect under the Belgian Data Protection Act. At this stage, the EU’s General Data Protection Regulation (GDPR), which increased the powers of supervisory authorities such as the Commission, had not yet been introduced.

On 16 February 2018, the Court of First Instance of Brussels ruled that Facebook was non-compliant with Belgian cookie and privacy legislation, and ordered it to cease its current practices or face a maximum penalty of 100 million Euros. Facebook argued that it only needed to comply with Irish law, given its headquarters were in Ireland. The Court disagreed, finding that substantial activities were conducted in Belgium, therefore establishing sufficient contact to fall under Belgian jurisdiction. The Court did not issue a ruling on Facebook’s policies regarding users, and it is unclear if the Court adopted this portion of the recommendation.

Facebook then appealed to the Court of Appeal.

Decision Overview

The Court of Appeal dismissed the case on 8 May 2019 for lack of jurisdiction over Facebook. Crucially, no judgment on the merits was made available as the Court held that it only had jurisdiction with respect to Facebook Belgium BVBA for matters occurring after 25 May 2018 (the date of the GDPR’s entry into effect) – that is, the Court held it had no international jurisdiction to cover a case concerning Facebook Ireland Limited and Facebook Inc (its American counterpart), even if Facebook was tracking Belgian non-users through cookies.

For that reason, the Court of Appeal has now referred the case to the Court of Justice of the European Union (CJEU) to determine if the Commission can still pursue a case against Facebook Belgium BVBA following the introduction of the GDPR. This is important, as the GDPR has now increased the powers of supervisory authorities such as the Commission and introduced a ‘one-stop-shop’ mechanism for cross-border data processing (whereby one member state’s lead authority has the primary responsibility for dealing with a cross-border data processing activity).

The Court has requested a preliminary ruling from the CJEU on the following six questions:

1. Does article 58.5 of the GDPR not apply in the case of cross-border processing, when the Member State wishing to commence legal proceedings is not the lead supervisory authority?
2. What happens when the controller of this cross-border processing has an establishment in a Member State, but not its main establishment in that Member State?
3. Can a national supervisory authority (i.e. the Commission) bring proceedings under the GDPR against the main establishment of this controller of data (i.e. Facebook Ireland Limited), or only the establishment in the Member State (i.e. Facebook’s Belgian counterpart)?
4. Does it matter if the national supervisory authority has already initiated legal action prior to the entry into the effect of the GDPR (i.e. 25 May 2018)?
5. Does article 58.5 have direct effect and can be relied upon by a national supervisory authority to initiate or continue proceedings against private parties even if the article has not yet been transposed into domestic law?
6. If the national supervisory authority is allowed to bring claims under article 58.5, could  the outcome of the proceedings affect a contrary decision or finding of the lead supervisory authority in a different member state, if that lead supervisory authority investigates a similar or the same cross-border processing activity?

The hearings took place in October 2020, and the CJEU’s non-binding judgment is expected on 17 December, with the ruling to follow in July 2021.