European Union: CJEU ruling clarifying conditions for the exercise of national data protection authorities' powers on cross-border processing of data

On 15 June 2021, the CJEU issued a decision in Case C-645/19 Facebook Ireland vs Belgian Privacy Commission. In particular, the Court assessed whether the General Data Protection Regulation (GDPR) permits a Data Protection Authority (DPA), that is not the lead supervisory body, to notify a national court of any alleged breach of the GDPR caused by cross-border data processing. The Court claims that the exercise of the Data Protection Authoritiy powers must be applied within the GDPR scope: in this case, since the activities of Facebook in Belgium were inextricably linked to the processing of personal data controlled by Facebook Ireland, and the processing was carried out "‘in the context of the activities of an establishment of the controller", the action of the Belgian DPA was justified. However, the Court holds that in the field of cross-border processing the power to take decisions by non-leading DPAs is an exception.