15 June 2021 (*1)

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Charter of Fundamental Rights of the European Union – Articles 7, 8 and 47 – Regulation (EU) 2016/679 – Cross-border processing of personal data – ‘One-stop shop’ mechanism – Sincere and effective cooperation between supervisory authorities – Competences and powers – Power to initiate or engage in legal proceedings)

In Case C‑645/19,

REQUEST for a preliminary ruling under Article 267 TFEU from the hof van beroep te Brussel (Court of Appeal, Brussels, Belgium,), made by decision of 8 May 2019, received at the Court on 30 August 2019, in the proceedings

Facebook Ireland Ltd,

Facebook Inc.,

Facebook Belgium BVBA,

Gegevensbeschermingsautoriteit,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, R. Silva de Lapuerta, Vice‑President, A. Arabadjiev, A. Prechal, M. Vilaras, M. Ilešič and N. Wahl, Presidents of Chambers, E. Juhász, D. Šváby, S. Rodin, F. Biltgen, K. Jürimäe, C. Lycourgos, P.G. Xuereb and L.S. Rossi (Rapporteur), Judges,

Advocate General: M. Bobek,

Registrar: M. Ferreira, Principal Administrator,

having regard to the written procedure and further to the hearing on 5 October 2020,

after considering the observations submitted on behalf of:

–Facebook Ireland Ltd, Facebook Inc. and Facebook Belgium BVBA, by S. Raes, P. Lefebvre and D. Van Liedekerke, advocaten,

–the Gegevensbeschermingsautoriteit, by F. Debusseré and R. Roex, advocaten,

–the Belgian Government, by J.‑C. Halleux, P. Cottin, and C. Pochet, acting as Agents, and by P. Paepe, advocaat,

–the Czech Government, by M. Smolek, O. Serdula and J. Vláčil, acting as Agents,

–the Italian Government, by G. Palmieri, acting as Agent, and by G. Natale, avvocato dello Stato,

–the Polish Government, by B. Majczyna, acting as Agent,

–the Portuguese Government, by L. Inez Fernandes, A.C. Guerra, P. Barros da Costa and L. Medeiros, acting as Agents,

–the Finnish Government, by A. Laine and M. Pere, acting as Agents,

–the European Commission, by H. Kranenborg, D. Nardi and P.J.O. Van Nuffel, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 13 January 2021,

gives the following

1This request for a preliminary ruling concerns the interpretation of Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2), read together with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (‘the Charter’).

2The request has been made in proceedings between Facebook Ireland Ltd, Facebook Inc. and Facebook Belgium BVBA, on the one hand, and the Gegevensbeschermingsautoriteit (the Belgian Data Protection Authority) (‘the DPA’), as the successor of the Commissie ter bescherming van de Persoonlijke Levenssfeer (the Belgian Privacy Commission) (‘the Privacy Commission’), on the other, concerning injunction proceedings brought by the President of the Privacy Commission seeking to bring to an end the processing of personal data, of internet users within Belgium, by the Facebook online social network, using cookies, social plug-ins and pixels.

Legal context

European Union law

3Recitals 1, 4, 10, 11, 13, 22, 123, 141 and 145 of Regulation 2016/679 state:

‘(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the [Charter] and Article 16(1) [TFEU] provide that everyone has the right to the protection of personal data concerning him or her.

…

(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

…

(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …

…

(11) Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

…

(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States.

…

(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

…

(123) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the [European] Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

…

(141) Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. …

…

(145) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.’

4Article 3(1) of that regulation, that article being headed ‘Territorial scope’, provides:

‘This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.’

5Article 4 of that regulation defines, in point (16), the concept of ‘main establishment’ and, in point (23), the concept of ‘cross-border processing’ as follows:

‘(16) “main establishment” means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

…

(23) “cross-border processing” means either:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.’

6Article 51 of that regulation, headed ‘Supervisory authority’, provides:

‘1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union …

…’

7Article 55 of that regulation, headed ‘Competence’, which forms part of Chapter VI of that regulation, entitled ‘Independent supervisory authorities’, provides:

‘1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

‘1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a)monitor and enforce the application of this Regulation;

…

(g)cooperate with, including sharing information, and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

…’

Article 58(1), (4) and (5) of that regulation, that article being headed ‘Powers’, provide:

‘1. Each supervisory authority shall have all of the following investigative powers:

(a)to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;

…

(d)to notify the controller or the processor of an alleged infringement of this Regulation;

…

Within Chapter VII of Regulation 2016/679, entitled ‘Cooperation and consistency’, Section I, entitled ‘Cooperation’, contains Articles 60 to 62 of that regulation. Article 60, headed ‘Cooperation between the lead supervisory authority and the other supervisory authorities concerned’, provides:

‘1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.

11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.

…’

Article 61(1) of that regulation, that article being headed ‘Mutual assistance’, states:

‘Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.’

Article 62 of that regulation, headed ‘Joint operations of supervisory authorities’, provides:

‘1. The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

…’

Section 2, entitled ‘Consistency’, of Chapter VII of Regulation 2016/679 contains Articles 63 to 67 of that regulation. Article 63, headed ‘Consistency mechanism’, is worded as follows:

‘In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.’

Article 64(2) of that regulation is worded as follows:

‘Any supervisory authority, the Chair of the [European Data Protection] Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the [European Data Protection] Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.’

Article 65(1) of that regulation, that article being headed ‘Dispute resolution by the Board’, provides:

‘In order to ensure the correct and consistent application of this Regulation in individual cases, the [European Data Protection] Board shall adopt a binding decision in the following cases:

(a)where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;

(b)where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;

…’

Article 66(1) and (2) of Regulation 2016/679, that article being headed ‘Urgency procedure’, provide:

‘1. In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the [European Data Protection] Board and to the Commission.

Article 77 of that regulation, headed ‘Right to lodge a complaint with a supervisory authority’, states:

‘1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

Article 78 of that regulation, headed ‘Right to an effective judicial remedy against a supervisory authority’, provides:

‘1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

Article 79 of that regulation, headed ‘Right to an effective judicial remedy against a controller or processor’, states:

‘1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

National law

The wet tot bescherming van de persoonlijke levensfeer ten opzichte van de verwerking van persoonsgegevens (law on the protection of privacy with regard to the processing of personal data) of 8 December 1992 (Belgisch Staatsblad, 18 March 1993, p. 5801), as amended by the law of 11 December 1998 (Belgisch Staatsblad, 3 February 1999, p. 3049) (‘the law of 8 December 1992’), transposed into Belgian law Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

The law of 8 December 1992 established the Privacy Commission, an independent body responsible for ensuring that the processing of personal data should comply with that law, in order to protect citizens’ privacy.

Article 32(3) of the Law of 8 December 1992 provided:

‘Without prejudice to the jurisdiction of the ordinary courts and tribunals for the application of the general principles relating to the protection of privacy, the President of the [Privacy Commission] may bring before the court of first instance any dispute concerning the application of this legislation and its implementing measures.’

The wet tot oprichting van de Gegevensbeschermingsautoriteit (law creating a data protection authority) of 3 December 2017 (Belgisch Staatsblad, 10 January 2018, p. 989; ‘the law of 3 December 2017’), which entered into force on 25 May 2018, established the DPA as a supervisory authority, within the meaning of Regulation 2016/679.

Article 3 of the Law of 3 December 2017 provides:

‘There shall be established at the Belgian Chamber of Representatives a “Data Protection Authority”. It shall succeed the [Privacy Commission].’

Article 6 of the Law of 3 December 2017 provides:

‘The [DPA] has the power to bring any infringement of the fundamental principles of personal data protection, within the framework of this law and laws containing provisions on the protection of the processing of personal data, to the attention of the judicial authorities and, where appropriate, to initiate or engage in legal proceedings to have these fundamental principles applied.’

There is no specific provision in relation to court proceedings already commenced by the President of the Privacy Commission as at 25 May 2018 on the basis of Article 32(3) of the law of 8 December 1992. As regards solely complaints or applications lodged with the DPA itself, Article 112 of the law of 3 December 2017 states:

‘Chapter VI shall not apply to complaints or applications still pending at the [DPA] at the time when this legislation enters into force. The complaints or applications mentioned in subparagraph 1 shall be dealt with by the [DPA], as the legal successor of the [Privacy Commission], in accordance with the procedure applicable before the entry into force of this legislation.’

The law of 8 December 1992 was repealed by the wet betreffende de bescherming van natuurlijke personen met betrekking tot de verwerking van persoonsgegevens (law on the protection of individuals with regard to the processing of personal data) of 30 July 2018 (Belgisch Staatsblad, 5 September 2018, p. 68616; ‘the law of 30 July 2018’). That law transposes into Belgian law the provisions of Regulation 2016/679 requiring or permitting Member States to adopt more detailed rules, to supplement that regulation.

The dispute in the main proceedings and the questions referred for a preliminary ruling

On 11 September 2015 the President of the Privacy Commission brought legal proceedings seeking an injunction against Facebook Ireland, Facebook Inc. and Facebook Belgium before the Nederlandstalige rechtbank van eerste aanleg Brussel (Dutch-language Court of First Instance, Brussels, Belgium). Since the Privacy Commission had no legal personality, it was necessary that the President of that body take legal action in order to ensure compliance with the legislation on the protection of personal data. However, the Privacy Commission itself sought leave to intervene in the proceedings brought by its President.

…

The object of those injunction proceedings was to bring to an end what the Privacy Commission describes, inter alia, as a ‘serious and large‑scale infringement, by Facebook, of the legislation relating to the protection of privacy’ consisting in the collection by that online social network of information on the internet browsing behaviour both of Facebook account holders and of non-users of Facebook services by means of various technologies, such as cookies, social plug-ins (for example, the ‘Like’ or ‘Share’ buttons) or pixels. Those features permit Facebook to obtain certain data of an internet user who visits a website page containing them, such as the address of that page, the ‘IP address’ of the visitor to that page and the date and time of the visit in question.

31By judgment of 16 February 2018, the Nederlandstalige rechtbank van eerste aanleg Brussel (Dutch-language Court of First Instance, Brussels) held that it had jurisdiction to give a ruling on those injunction proceedings, in so far as the action concerned Facebook Ireland, Facebook Inc. and Facebook Belgium, and declared that the application for leave to intervene made by the Privacy Commission was inadmissible.

32On the substance, that court held that Facebook was not adequately informing Belgian internet users of the collection of the information concerned and of the use of that information. Further, the consent given by the internet users to the collection and processing of that data was held to be invalid. Consequently, that court ordered Facebook Ireland, Facebook Inc. and Facebook Belgium (i) to desist, as regards all internet users established in Belgium, from placing, without their consent, cookies that remain active for two years on the devices used by them when browsing a web page in the Facebook.com domain or visiting the website of a third party, and from placing cookies and collecting data by means of social plug-ins, pixels or similar technological means on third‑party websites, in a manner that was excessive in the light of the objectives thereby pursued by the Facebook social network, (ii) to desist from providing information that might reasonably mislead the data subjects as to the real extent of the mechanisms put in place by Facebook for the use of cookies, and (iii) to destroy all the personal data obtained by means of cookies and social plug-ins.

33On 2 March 2018 Facebook Ireland, Facebook Inc. and Facebook Belgium brought an appeal against that judgment before the hof van beroep te Brussel (Court of Appeal, Brussels, Belgium). Before that court, the DPA acts as the legal successor both of the President of the Privacy Commission, who had brought the injunction proceedings, and of the Privacy Commission itself.

34The referring court held that it has jurisdiction solely to give a ruling on the appeal brought in so far as that appeal concerns Facebook Belgium. Conversely, the referring court held that it lacked jurisdiction to hear that appeal in relation to Facebook Ireland and Facebook Inc.

35Before giving a ruling on the substance of the main proceedings, a question raised by the referring court is whether the DPA had the required standing and interest to bring proceedings. In the view of Facebook Belgium, the action brought seeking an injunction is inadmissible, in so far as it concerns facts prior to 25 May 2018, given that, following the entry into force of the law of 3 December 2017 and of Regulation 2016/679, Article 32(3) of the law of 8 December 1992, which is the legal basis for bringing such an action, was repealed. As regards the facts subsequent to 25 May 2018, Facebook Belgium claims that the DPA has no competence and has no right to bring such an action given the existence of the ‘one-stop shop’ mechanism now provided for under the provisions of Regulation 2016/679. On the basis of those provisions, it is claimed that only the Data Protection Commissioner (Ireland) is competent to bring injunction proceedings against Facebook Ireland, the latter being the sole controller of the personal data of the users of the social network concerned within the European Union.

36The referring court has held that the DPA had not demonstrated the required standing to bring the injunction proceedings in so far as those proceedings related to facts prior to 25 May 2018. As regards the facts subsequent to that date, the referring court is however uncertain as to the effect of the entry into force of Regulation 2016/679, in particular the effect of the application of the ‘one-stop shop’ mechanism provided for by that regulation, on the competences of the DPA and on its power to bring such injunction proceedings.

37In particular, in the view of the referring court, the question that now arises is whether, with respect to the facts subsequent to 25 May 2018, the DPA may bring an action against Facebook Belgium, since Facebook Ireland has been identified as the controller of the data concerned. Since that date and by virtue of the ‘one-stop shop’ rule, it appears that, in accordance with Article 56 of Regulation 2016/679, only the Data Protection Commissioner (Ireland) is competent, subject to review only by the Irish courts.

38The referring court recalls that, in the judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein (C‑210/16, EU:C:2018:388), the Court held that the ‘German supervisory authority’ was competent in respect of data processing where the controller of the data concerned was established in Ireland and the subsidiary that was established in Germany (namely Facebook Germany GmbH) was responsible solely for the sale of advertising spots and other marketing activities in Germany.

39However, in the case that gave rise to that judgment, the Court was required to give a ruling on a request for a preliminary ruling concerning the interpretation of the provisions of Directive 95/46, which has been repealed by Regulation 2016/679. The referring court is uncertain to what extent the Court’s interpretation in that judgment is still of relevance to the application of Regulation 2016/679.

40The referring court also mentions a decision of the Bundeskartellamt (the German competition authority) of 6 February 2019 (the so-called ‘Facebook’ decision), in which that competition authority took the view that Facebook was abusing its position by merging data from different sources, which is now permitted only if users have given their explicit consent, with the proviso that any user who does not give his or her consent may not be excluded from Facebook services. The referring court notes that the Bundeskartellamt clearly considered itself to be competent, in spite of the ‘one-stop shop’ mechanism.

41Further, the referring court considers that Article 6 of the law of 3 December 2017, which permits, as a general rule, the DPA, where necessary, to initiate or to engage in legal proceedings, does not imply that the action may, in all circumstances, be brought by the DPA before the Belgian courts, since the ‘one-stop shop’ mechanism appears to require that such an action should be brought before the court with jurisdiction in the place where the data processing is carried out.

In those circumstances, the hof van beroep te Brussel (Court of Appeal, Brussels) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

(1)‘(1) Should Article 55(1), Articles 56 to 58 and Articles 60 to 66 of [Regulation 2016/679], read together with Articles 7, 8 and 47 of the [Charter], be interpreted as meaning that a supervisory authority which, pursuant to national law adopted in implementation of Article 58(5) of that regulation, has the competence to initiate or engage in legal proceedings before a court in its Member State against infringements of that regulation cannot exercise that competence in connection with cross-border data processing if it is not the lead supervisory authority for that cross-border data processing?’

(2)Does the answer to the first question referred differ if the controller of that cross-border data processing does not have its main establishment in that Member State but does have another establishment there?

(3)Does the answer to the first question referred differ if the national supervisory authority initiates the legal proceedings against the main establishment of the controller in respect of the cross‑border data processing rather than against the establishment in its own Member State?

(4)Does the answer to the first question referred differ if the national supervisory authority had already initiated the legal proceedings before the date on which [Regulation 2016/679] entered into force (25 May 2018)?

(5)If the first question referred is answered in the affirmative, does Article 58(5) of [Regulation 2016/679] have direct effect, meaning that a national supervisory authority can rely on that provision to initiate or continue legal proceedings against private parties even if Article 58(5) of [Regulation 2016/679] has not been specifically transposed into the legislation of the Member States, notwithstanding the requirement to do so?

(6)If questions (1) to (5) are answered in the affirmative, could the outcome of such proceedings prevent the lead supervisory authority from making a contrary finding when the lead supervisory authority investigates the same or similar cross-border processing activities in accordance with the mechanism laid down in Articles 56 and 60 of [Regulation 2016/679]?

Consideration of the questions referred

The first question

By its first question, the referring court seeks, in essence, to ascertain whether Article 55(1), Articles 56 to 58 and Articles 60 to 66 of Regulation 2016/679, read together with Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a supervisory authority of a Member State which, under the national legislation adopted in order to implement Article 58(5) of that regulation, has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power with respect to cross-border data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, in relation to such data processing.

In that regard, it must recalled, as a preliminary point, that, first, unlike Directive 95/46, which had been adopted on the basis of Article 100 A of the EC Treaty, concerning the harmonisation of the common market, the legal basis of Regulation 2016/679 is Article 16 TFEU, which enshrines the right of everyone to the protection of personal data concerning them and authorises the European Parliament and the Council of the European Union to lay down the rules relating to the protection of individuals with regard to the processing of that data by European Union institutions, bodies, offices and agencies, and by the Member States, when carrying out activities which fall within the scope of EU law, and the rules relating to the free movement of such data. Second, recital 1 of that regulation confirms that ‘the protection of natural persons in relation to the processing of personal data is a fundamental right’ and states that Article 8(1) of the Charter and Article 16(1) TFEU lay down the right of everyone to the protection of personal data concerning them.

Consequently, as is clear from its Article 1(2), read together with recitals 10, 11 and 13 thereof, Regulation 2016/679 requires the European Union institutions, bodies, offices and agencies, and the competent authorities of the Member States, to ensure a high level of protection of the rights guaranteed in Article 16 TFEU and Article 8 of the Charter.

Further, as stated in its recital 4, Regulation 2016/679 respects all fundamental rights and observes the freedoms and principles recognised in the Charter.

Against that background, Article 55(1) of Regulation 2016/679 states the general rule that each supervisory authority is to be competent for the performance of the tasks assigned to it and the exercise of the powers conferred on it, in accordance with that regulation, on the territory of its own Member State (see, to that effect, judgment of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, EU:C:2020:559, paragraph 147).

One of the tasks assigned to those supervisory authorities is the task of monitoring the application of Regulation 2016/679 and enforcing its application, as laid down in Article 57(1)(a) of that regulation, while another is the task of cooperating with other supervisory authorities, including sharing information, and providing mutual assistance with a view to ensuring the consistency of application and enforcement of that regulation, as laid down in Article 57(1)(g) of that regulation. The powers conferred on those supervisory authorities, for the performance of those tasks, include various investigative powers, laid down in Article 58(1) of Regulation 2016/679, and the power to bring any infringement of that regulation to the attention of the judicial authorities and, where appropriate, to initiate or engage in legal proceedings in order to enforce the provisions of that regulation, as laid down in Article 58(5) of that regulation.

The performance of those tasks and the exercise of those powers presupposes, however, that a supervisory authority is competent with respect to a particular instance of data processing.

In that regard, without prejudice to the rule on competence set out in Article 55(1) of Regulation 2016/679, Article 56(1) of that regulation establishes, with respect to ‘cross-border processing’, within the meaning of Article 4, point (23), of that regulation, the ‘one-stop shop’ mechanism, based on an allocation of competences between one ‘lead supervisory authority’ and the other supervisory authorities concerned. Under that mechanism, the supervisory authority of the main establishment or of the single establishment of the controller or processor is to be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor, in accordance with the procedure set out in Article 60 of that regulation.

Article 60 establishes the procedure for cooperation between the lead supervisory authority and the other supervisory authorities concerned. As part of that procedure, the lead supervisory authority is, in particular, required to endeavour to reach consensus. To that end, in accordance with Article 60(3) of Regulation 2016/679, the lead supervisory authority is without delay to submit a draft decision to the other supervisory authorities concerned for their opinion and is to take due account of their views.

It follows more specifically from Articles 56 and 60 of Regulation 2016/679 that, with respect to ‘cross-border processing’, within the meaning of Article 4, point (23), of that regulation, and subject to Article 56(2) thereof, the various national supervisory authorities concerned must cooperate, in accordance with the procedure laid down in those provisions, in order to reach a consensus and a single decision, which is binding on all those authorities and with which decision the controller must ensure compliance as regards processing activities undertaken in the context of all its establishments within the European Union. Further, Article 61(1) of that regulation obliges the supervisory authorities, inter alia, to provide each other with relevant information and mutual assistance in order to implement and apply that regulation in a consistent manner throughout the European Union. Article 63 of Regulation 2016/679 states that it was for that purpose that provision was made for the consistency mechanism, set out in Articles 64 and 65 of that regulation (judgment of 24 September 2019, Google(Territorial scope of de‑referencing), C‑507/17, EU:C:2019:772).