Belgian DPA’s territorial competence to proceed against Facebook at CJEU

The Court of Justice of the European Union (CJEU) has heard the case C-645/19 Facebook Ireland & Others on the competence of the Belgian Data Protection Authority (DPA) to proceed against Facebook Ireland.

In 2015, the Belgian DPA asked for a court order against  Facebook Ireland and others stating that Facebook infringes Belgian and EU legislation by collecting information on the browsing behavior of Internet users, whether or not they are members of the social network. The court order has been challenged by Facebook and the Belgian appellate court sought guidance from the CJEU on whether the Belgian DPA has territorial competence to proceed against Facebook in Ireland (where it is headquartered) when protecting the data privacy rights of Belgian citizens.

According to Reuters, in the hearing, Facebook argued for a one-stop solution for proceeding in case of data breaches in the country of incorporation and preventing judicial fragmentation. The Belgian DPA, supported by the Belgian and Polish governments, argued that the General Data Protection Regulation (GDPR) allows for national agencies to act in their respective countries and it does not stipulate a lead data protection authority in cases of data breach.

This case could potentially open other tech companies incorporated in Ireland – Google, Apple, Twitter, or LinkedIn – to data breach investigations and enforcement by the EU national data protection authorities. The non-binding opinion in this case is expected on 17 December 2020, and the ruling in June 2021.