Facebook Ireland Limited and Others v Gegevensbeschermingsautoriteit.

• Jurisdiction: European Union
• ECLI: ECLI:EU:C:2021:483
• Date: 15 June 2021
• Docket Number: C-645/19
• Celex Number: 62019CJ0645
• Court: Court of Justice (European Union)

Provisional text

JUDGMENT OF THE COURT (Grand Chamber)

15 June 2021 (*)

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 47 – Regulation (EU) 2016/679 – Cross-border processing of personal data – ‘One-stop shop’ mechanism – Sincere and effective cooperation between supervisory authorities – Competences and powers – Power to initiate or engage in legal proceedings)

In Case C‑645/19,

REQUEST for a preliminary ruling under Article 267 TFEU from the hof van beroep te Brussel (Court of Appeal, Brussels, Belgium,), made by decision of 8 May 2019, received at the Court on 30 August 2019, in the proceedings

Facebook Ireland Ltd,

Facebook Inc.,

Facebook Belgium BVBA,

v

Gegevensbeschermingsautoriteit,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, R. Silva de Lapuerta, Vice‑President, A. Arabadjiev, A. Prechal, M. Vilaras, M. Ilešič and N. Wahl, Presidents of Chambers, E. Juhász, D. Šváby, S. Rodin, F. Biltgen, K. Jürimäe, C. Lycourgos, P.G. Xuereb and L.S. Rossi (Rapporteur), Judges,

Advocate General: M. Bobek,

Registrar: M. Ferreira, Principal Administrator,

having regard to the written procedure and further to the hearing on 5 October 2020,

after considering the observations submitted on behalf of:

– Facebook Ireland Ltd, Facebook Inc. and Facebook Belgium BVBA, by S. Raes, P. Lefebvre and D. Van Liedekerke, advocaten,

– the Gegevensbeschermingsautoriteit, by F. Debusseré and R. Roex, avocaten,

– the Belgian Government, by J.‑C. Halleux, P. Cottin, and C. Pochet, acting as Agents, and by P. Paepe, advocaat,

– the Czech Government, by M. Smolek, O. Serdula and J. Vláčil, acting as Agents,

– the Italian Government, by G. Palmieri, acting as Agent, and by G. Natale, avvocato dello Stato,

– the Polish Government, by B. Majczyna, acting as Agent,

– the Portuguese Government, by L. Inez Fernandes, A.C. Guerra, P. Barros da Costa and L. Medeiros, acting as Agents,

– the Finnish Government, by A. Laine and M. Pere, acting as Agents,

– the European Commission, by H. Kranenborg, D. Nardi and P.J.O. Van Nuffel, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 13 January 2021,

gives the following

Judgment

1 This request for a preliminary ruling concerns the interpretation of Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2), read together with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (‘the Charter’).

2 The request has been made in proceedings between Facebook Ireland Ltd, Facebook Inc. and Facebook Belgium BVBA, on the one hand, and the Gegevensbeschermingsautoriteit (the Belgian Data Protection Authority) (‘the DPA’), as the successor of the Commissie ter bescherming van de Persoonlijke Levenssfeer (the Belgian Privacy Commission) (‘the Privacy Commission’), on the other, concerning injunction proceedings brought by the President of the Privacy Commission seeking to bring to an end the processing of personal data, of internet users within Belgium, by the Facebook online social network, using cookies, social plug-ins and pixels.

Legal context

European Union law

3 Recitals 1, 4, 10, 11, 13, 22, 123, 141 and 145 of Regulation 2016/679 state:

‘(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the [Charter] and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.

…

(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

…

(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …

(11) Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

…

(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States.

…

(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

…

(123) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the [European] Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

…

(141) Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. …

…

(145) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.’

4 Article 3(1) of that regulation, that article being headed ‘Territorial scope’, provides:

‘This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.’

5 Article 4 of that regulation defines, in point (16), the concept of ‘main establishment’ and, in point (23), the concept of ‘cross-border processing’ as follows:

‘(16) “main establishment” means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

…

(23) “cross-border processing” means either:

(a) processing of personal data which takes place in the context of the...