Lorna Woods, Professor of Law, University of Essex
Introduction
Like their comic-book
counterparts, the national data protection authorities in EU Member States, given
their super regulatory powers by EU legislation, sometimes pause in battling
high-tech villains – to fight with each other instead. To resolve such conflicts
of jurisdiction, the GDPR created a one-stop-shop
system to determine which authority could bring proceedings in principle.
This case is the first judicial
test of the one-stop-shop in the GDPR and its lead supervisory authority (LSA)
mechanism, according to which the main responsibility within the EU for
regulating a data controller under the GDPR falls to the regulator of the
jurisdiction in which the controller has its main establishment (Article 56 GDPR). While Article 56 establishes the idea of the
lead supervisory authority based on the location of the controller’s main
establishment, it operates without prejudice to Article 55 GDPR, which gives each
national supervisory authority competence to regulate, and other provisions
envisage that, even when not a lead supervisory authority, national supervisory
authorities retain some interests in regulation. Further, the GDPR envisages cooperation
between the national supervisory authorities.
The question here is about the circumstances in which this residual
competence may be exercised. The
question arises against a backdrop in which some differences in approach to
regulation can be detected and perhaps some distrust between the different
national supervisory authorities (as also illustrated with the difficulties in
agreeing the fine for Twitter in relation to a data breach that led to the first
decision of the European Data Protection Board (EDPB) under Article 65 GDPR).
Facts
The Belgian data protection
authority commenced proceedings against Facebook in its local courts, alleging that
Facebook had unlawfully collected and used personal data relating to the
private browsing information of Internet users in Belgium, through the use of
cookies and the like (and there was some discussion as to whether the
technologies in issue actually fell ratione
materiae within the GDPR as opposed to the e-Privacy
Directive). Although the proceedings were initiated under
the Data Protection Directive, given the length of time that has passed the matter
is now concerned with the GDPR, and on that basis Facebook argued that the Belgian data
protection authority was no longer competent because Facebook fell within the
jurisdiction of the Irish Data Protection Commission (DPC). The matter was referred
to the Court of Justice, specifically referring to legal proceedings against
Facebook Belgium in respect of the cross-border processing of personal data
that took place after the GDPR had become applicable, given that the
data-processing entity was Facebook Ireland Ltd.
Opinion
The Advocate General’s opinion
in this case (Case C-645/19 Facebook
Belgium v Gegevensbeschermingsautoriteit, Opinion 13 January 2021) sought
to chart a middle ground between the two positions argued before the court as
to whether only the LSA may take action. While he agreed that the primary responsibility
lay with the LSA, in his view the consequences of that position were not as
extreme as Facebook sought to claim.
The Advocate General took a
literal and systemic approach to the interpretation of Article 56 (referring
also to Recital 124 in the
GDPR preamble) to find that the LSA has general competence over cross-border
data processing. Any role for other
national supervisory authorities is exceptional [45]-[46]. The fact that Article 56, which sets up the
LSA mechanism, is said to operate without prejudice to Article 55, attributing
competence to the various national supervisory authorities, does not change
this position. Such an interpretation would deprive Article 56 of any meaning
[52]. This is incompatible with the importance
ascribed to the LSA mechanism by where it is placed: the second provision in
the relevant section of the regulation, before all the other general provisions
on ‘tasks’ and ‘powers’ in that section. Significantly, Chapter VII (cooperation) refers
back to Article 56.
In the view of the Advocate
General, the GDPR makes it ‘clear that that is meant to be the procedure to be
followed when enforcement action against cross-border processing is necessary’
(emphasis in original) [56]. Consequently, the term ‘without prejudice’ does
not refer to competence but refers to the fact that ‘all
supervisory authorities naturally retain the general powers assigned to them by
virtue of Article 55 (and Article
58) of the GDPR’ [57]. The Advocate
General therefore confirmed the approach of the EDPB in Opinion
8/2019 which views Article 56(1) as an ‘overriding rule’ and as ‘lex
specialis’ taking priority over the general rules of competence in Article 55
in the circumstances specified in Article 56. To take the approach put forward
by the Belgian data protection authority would frustrate the purpose of the
GDPR as found in recital 10,
and return the position to that under the Data Protection Directive.
It was also argued that Article
58(5) means that all supervisory authorities must be able to start judicial proceedings
against any potential infringement of the data protection rules affecting their
territory, irrespective of the (local or cross-border) nature of the
processing; the one-stop shop mechanism applies only to administrative action. The Advocate General criticised this
interpretation for, again, taking one provision in isolation and out of
context. Article 58(5) of the GDPR sets
out ‘powers that are to be given to all supervisory authorities without
exception’ but ‘does not regulate the situations and
manner in which that power to bring proceedings is to be exercised’ [65]. The distinction between judicial and
administrative proceedings was unjustified in the light of the text and
structure of Article 58 as a whole. The interpretation proposed by the Belgian
data protection authority ‘would not allow a
supervisory authority to (administratively) investigate, prepare, process, and
decide, but would allow it instead immediately to bring judicial proceedings before
a court’ [71], which is neither reasonable nor appropriate.
The Advocate General then
supported his arguments through a teleological and historical interpretation of
the GDPR and its emphasis on avoiding fragmentation (Recital 9), incoherence and
double regulation. The one stop shop
mechanism was the means introduced to achieve this goal. However, the Advocate General noted that the
Commission’s original proposal for a very strict idea of the one stop shop gave
rise to discussions with the Council and the Parliament, leading to the
introduction of a number of exceptions, including a concern to emphasise the
proximity between data subjects and the relevant supervisory authorities [85].
The Advocate General described this process as turning the one stop shop
mechanism ‘into a more balanced two-pillar
mechanism’ with an enhanced role for the
other supervisory authorities [87].
The third approach to
interpreting the GDPR adopted by the Advocate General is that of a
Charter-oriented approach, to ensure maximum protection of Articles 7, 8 and 47 of the
EU Charter of Fundamental Rights. The Advocate General criticised what in his
view was an assumption that a high level of protection requires a multiplicity
of authorities that may enforce compliance with the GDPR. Rather, a high level of protection requires a
coherent framework, as seen in recitals 7, 9 and 10 GDPR, for coherent application
of the rules. In the view of the Advocate General, a coherent
and uniform level of protection certainly does not preclude that protection
from being placed at a high level. It is simply a question of where that
uniform yardstick should be set [97].
A second issue relating to rights
concerns the proximity of the complainant and the relevant national supervisory
authority and its impact on the right of that individual to complain (as in Article 78 GDPR). This is
specifically so given that the data subject has the right to choose where to
launch legal action under Article
79 between the courts of the Member States
where the controller or processor has an establishment or where the data
subjects reside. The position would be
slightly more difficult as regards the right to challenge the action (or
inaction) of a national supervisory authority: such actions should be brought before the courts of the Member State where
the supervisory authority is established (Article 78 and Recital 143). The Advocate
General however envisaged that a complaint could be lodged with the
complainant’s home supervisory authority, whether or not that authority is the
LSA, so safeguarding the right of the data subject to take action in his or her
home jurisdiction [104]. The Advocate
General accepted that this structure may lead to practical problems though
these at the moment lie in the realm of conjecture.
The Advocate General finally
considered concerns about a risk of under-enforcement. First and specifically as regards criminal
enforcement, the Advocate General commented that while the cooperation and
consistency mechanisms
are obligatory for the supervisory authorities, they do not apply to other Member States’ authorities, in particular those charged with
the task of prosecuting criminal offences (emphasis in original) [110].
More generally, and in the view
of the Advocate General, more importantly, the GDPR does not operate so as to
make the LSA the sole enforcer in cross-border situations. The system is built
on cooperation and consensus (Article
60(1)) and persistent disputes are referred to the EDPB to the extent that
‘the LSA’s position in that regard is no stronger
than that of any other authority’ [111]. The GDPR also contains provisions to
deal with regulatory inertia. The Advocate General suggests two enforcement
routes, though he accepts that both are cumbersome and potentially paper
tigers:
- a supervisory authority may request another
supervisory authority to provide information and mutual assistance in order to
implement and apply the GDPR as provided in Article 60, and a failure of the LSA
to respond would give rise by virtue of Article 61 to a right on the part
of the requesting authority to ‘adopt a provisional measure on the territory of
its Member State in accordance with Article 55(1)’, triggering the urgent
processes under Article 66.
- Article 64 provides a mechanism whereby matters producing effects in more than one
Member State are brought to the EDPB,
though it is not clear what the legal effect of such a decision would be.
If under-enforcement turns out to
be a real problem, for example where the one stop shop mechanism ‘were to lead
to regulatory ‘nests’ for certain operators who, after having effectively
chosen their national regulator themselves by accordingly placing their main
establishment within the Union, rather than being monitored, they would in fact
be shielded from other regulators by a specific LSA’ [124], then the entire
system would be ripe for major revision. The GDPR is still in its infancy,
however, and it would be a bad idea for the Court to fundamentally alter the
GDPR structures without evidence.
Thus, the
GDPR permits the supervisory authority of a Member State to bring proceedings
before a court of that State for an alleged infringement of the GDPR with
respect to cross-border data processing, despite not being the LSA, provided that
it does so in the situations and according to the procedures set out in the
GDPR [140]. The position does not change depending on whether the controller
has a secondary establishment in another Member State [143]. Nor does it matter
whether the national supervisory authority commences legal proceedings against
the controller’s main establishment or against the establishment situated in
its own Member State [147]. In this, the Advocate General dismissed an argument
based on Article 55(1) that a national supervisory authority can only act
within its own state, and therefore only against local establishments; the territorial
element relates to the effects of the data processing [152]. By creating a central point for enforcement
the LSA mechanism implies that the LSA must be able to take action against
actors established other than in its territory [155]. Finally, the Advocate General confirmed that
Article 58(5) has direct effect as well as direct applicability.
Comment
Both sides had claimed victory in
this opinion. Facebook emphasises the re-iteration of the LSA mechanism and the
Belgian
authorities point to the fact that the Advocate General made clear that the
LSA is not the sole enforcer in such cases.
If the Court follows its Advocate General, this should give some comfort
to those operating in multiple jurisdictions that they will not continue to
face the difficulties of multiple and potentially incoherent enforcement found
under the Data Protection Directive.
Nonetheless, the result of the GDPR is not a simple, bright-line
allocation of jurisdiction to one national supervisory authority.
Firstly, there are a
number of exceptions to the LSA mechanism, which also reflect the
‘two-pillared’ nature of the enforcement system. These arise when:
- supervisory authorities act outside the material
scope of the GDPR;
- the processing is necessary for compliance with
a legal obligation, in the public interest or in the exercise of official
authority;
- processing is carried out by controllers that
have no establishment in the European Union;
- a national supervisory authority other than the
LSA considers that there is an urgent need to act in order to protect the
rights and freedoms of data subjects (Art. 66 GDPR); or
- the LSA decides not to handle the case.
Beyond this, however, the
Advocate General emphasised the importance of cooperation within the system,
implicitly pointing towards the need for an EU settlement on the question
of standards that lies in the shadows of this case (see e.g. para 97). An LSA
cannot ride roughshod over the views of other relevant national supervisory
authorities; this is potentially a prophylactic against the creation of ‘nests’
for privacy-averse data controllers. The approach to interpretation, while it
allowed the Advocate General to bring through the delicate balance between
potentially conflicting concerns, reflects approaches typically adopted in the
interpretation of EU law, emphasising the purposive approach. In any event, the Opinion drew out the
existence of possible mechanisms by which the failure of an LSA to act –
whether through choice or because of resourcing – could be challenged and
decisions of the other national regulatory authorities/EDPB put in place. In this, the Opinion is a welcome review of
the mechanisms in the GDPR, a set of systems which are complex and not
necessarily easily understood.
In terms of enforcement of the
GDPR, it is important to remember that enforcement does not lie in the hands of
the national regulatory authorities alone; and the Opinion reminds us of this
in terms both of direct enforcement of data subjects’ rights and
of challenging the inaction of a national supervisory authority. Here the
choice of jurisdiction is not determined by the LSA mechanism. Strategic litigation, including some forum
shopping, may still be possible.
Given that the starting point for this
case was the use of cookies, the question of the relationship between the
e-Privacy rules and the GDPR arises. The
Advocate General confirmed that more than one legislative instrument could
apply. This then raises the question of jurisdiction and whether such overlap
might undermine the one stop shop – though this difference might be addressed
through the revision of the e-Privacy regime (a process which has been fraught
with delay). A similar question might
arise in relation to criminal law enforcement.
Where this leaves Facebook and
the Belgian authorities is not yet clear. This is of course an opinion, not the
judgment of the Court. While the Court
usually follows the opinion of its Advocate General it is not obliged so to do. Moreover, action against the Irish DPC, the
LSA as regards Facebook, has settled
a judicial review action brought by Max Schrems in respect of the DPC’s failure
to stop data transfers to the US. While this is action, it does not cover
exactly the same issues brought by the Belgian authorities.