The Court of Justice of the European Union (CJEU) has released a judgment in case C-645/19 Facebook Ireland and others specifying the powers of national supervisory authorities within the scheme of the General Data Protection Regulation.

It concludes that under certain conditions, a EU national supervisory authority (data protection office) may exercise its power to bring any alleged infringement of the GDPR before a court of an EU member state, even though that authority is not the lead supervisory authority with regard to that processing.

The case dealt with Belgian Privacy Commission seeking an injunction against Facebook Inc. (data controller based in Ireland) and Facebook Belgium seeking to stop collection and use of information on the browsing behaviour of Belgian users (regardless whether they had a Facebook account) which was against GDPR. CJEU has now concluded that GDPR allows for a supervisory authority of a EU member state to take GDPR infringement to court in another state in instances of cross-border data processing.