EU court ruling to bolster GDPR enforcement and help protect consumer data
PRESS RELEASE - 15.06.2021
The Court of Justice of the European Union (CJEU) today delivered its ruling in a case pitting Facebook against the Belgian data protection authority. This ruling  has important implications regarding the enforcement of the General Data Protection Regulation (GDPR) and should have positive repercussions in the fight to better protect consumers’ personal data.
The CJEU has confirmed that a national data protection authority can take a company to court in its own country under the GDPR when there are cross-border data processing activities, even if it is not the lead supervisory authority because the company’s main EU establishment is in another country.
The GDPR created an enforcement system to tackle EU-wide data protection infringements to ensure an effective and consistent application of the rules. However, the shortcomings of the cross-border enforcement system, where the enforcement procedure and decision depends entirely on the authority in the country where the company has its main base , are seriously undermining the effective application of the rules and the protection of individuals.
Monique Goyens, Director General of the European Consumer Organisation (BEUC), said:
“This is a positive development in the bid to have our privacy respected regardless of where the company is established in the EU. Given the existing bottlenecks in the GDPR cross-border enforcement system, all national authorities must be able, under certain conditions, to proactively take matters into their own hands and use their full powers when our rights are trampled on. Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge.”
 Details of the case can be found here CJEU - C-645/19 - Facebook v. Belgian DPA: https://gdprhub.eu/index.php?title=CJEU_-_C-645/19_-_Facebook_v._Belgian_DPA.
 BEUC position paper, The Long and Winding Road: Two Years of the GDPR. A cross-border data protection enforcement case from a consumer perspective (August 2020). See also European Parliament, Resolution of 25 March 2021 on the Commission evaluation report on the implementation of the General Data Protection Regulation two years after its application (March 2021).