Lorna Woods, Professor of Internet Law, University of Essex
This recent CJEU judgment concerns the one stop shop in the GDPR and the way that very large corporations that have operations in most if not all Member States are regulated. Facebook has its European headquarters in Ireland so that the Irish Data Protection Commissioner (DPC) is ‘lead authority’ – that is, the DPC has primary responsibility for regulating Facebook under the GDPR. There have been some concerns about how this one stop shop has been working, especially since some of the larger companies have tended to establish themselves in the same, small Member State. The one stop shop mechanism relies on trust between the Member States, but different Member States have varying degrees of enthusiasm for the enforcement of data protection and also have different levels of money to throw at the issue. As is the case with other one-stop shop mechanisms in other legislation, there are exceptions or ways for other affected regulators to be involved. This case is about the space left to those other regulators.
In 2015 the Belgian Privacy Commissioner (subsequently the Data Protection Authority) sought an injunction in the Belgian courts against Facebook Belgium with the objective of ending alleged infringements of data protection laws by Facebook through the collection and use of information on the browsing behaviour of Belgian internet users, whether or not they were Facebook account holders, by means of various technologies, such as cookies, plug-ins (like or share buttons) or pixels. The matter ended up in the Hof van beroep te Brussel (an appeal court) which was uncertain as to the effect of the one stop shop in the GDPR on the competence of the Belgian Data Protection Authority to bring action against Facebook Belgium. So while Article 55(1) GDPR establishes the principle that each national regulatory authority is competent to carry out its role as regards its own national territory, Article 56(1) states:
the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.
The central question concerned the circumstances in which, given the one stop shop established by Article 56(1) GDPR, a supervisory authority could take action in relation to specific instances of processing. In this, the Court emphasised two underpinning considerations: that the high level of data protection applied across the EU; and that the one stop shop depended on the process for cooperation laid down in Article 60.
While Article 60 envisages that it is the responsibility of the lead authority to adopt decisions in relation to cross-border processing, and that position is the general rule, there are exceptions found in Article 56(2) (matter only affecting its own territory) and Article 66 (urgency procedure). The Court noted, however, that the exercise of these provisions “must be compatible with the need for sincere and effective cooperation with the lead supervisory authority” as set [para 60], but this obligation applies also to the lead authority, so that it cannot eschew dialogue with those other authorities [para 63]. Specifically, any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of the draft decision of the lead supervisory authority.
In terms of the protection of fundamental rights, the Court noted this allocation of responsibilities is compatible with the Charter. It noted that:
the use of the ‘one-stop shop’ mechanism cannot under any circumstances have the consequence that a national supervisory authority, in particular the lead supervisory authority, does not assume the responsibility incumbent on it under Regulation 2016/679 to contribute to providing effective protection of natural persons from infringements of their fundamental rights as recalled in the preceding paragraph of the present judgment, as otherwise that consequence might encourage the practice of forum shopping, particularly by data controllers, designed to circumvent those fundamental rights and the practical application of the provisions of that regulation that give effect to those rights [para 68].
The Court noted that legal action by a regulatory authority could not be completely excluded, for example when the lead supervisory authority has not responded to a request for information (see Article 61(8) GDPR), where there is an urgent need for the adoption of final measures (Article 66(2) GDPR), or where the matter is referred for consideration by the European Data Protection Board (EDPB) (Article 64(2) GDPR). In this instance, the Belgian DPA asked the DPC to respond to its request for mutual assistance as expeditiously as possible, but no response was given.
The Court also addressed the question of whether the data controller must have a ‘main establishment’ in the territory of that other regulator, concluding that there was no such prerequisite [para 84]. A third question asked whether the non-lead supervisory authority would be limited as to which body to sue, that is, whether it can take action against the main establishment of the controller or against the establishment that is located in its own Member State. In the national proceedings in this case, the litigation was brought against Facebook Belgium although the headquarters of the Facebook group is situated in Ireland and Facebook Ireland is the sole controller with respect to the collection and processing of personal data throughout the European Union. Facebook Belgium was set up to sell advertising in Belgium but also to lobby the EU institutions. The Court determined that the non-lead regulatory authority may take action with respect to the main establishment of the controller located in that authority’s own Member State but also with respect to another establishment of that controller, provided that the object of the legal proceedings is data processing carried out in the context of the activities of that establishment and that that authority is competent to exercise that power [para 96].
A fourth question addressed the impact of the change in regime from the Data Protection Directive (which did not have a one stop shop) to the GDPR. The Court distinguished between actions brought before the date the GDPR became applicable and actions after that date. As regards the first situation, such legal action may be continued (on the basis of the Directive); for other actions the GDPR rules apply, and this allows such a regulatory authority to take action where one of the exceptions applies.
The Court held that Article 58(5) GDPR (on the power of data protection authorities to bring legal proceedings) has direct effect, so that the relevant authorities may rely on the provision even when it has not been specifically implemented in the national legal system.
This seems to be a balanced judgment in which the Court aims to reconcile competing pressures. It has re-emphasised the one stop shop, but is aware of the unevenness of resources and alive to the risk of forum shopping against that background. One of the key elements of this judgment is the Court’s emphasis on the obligation to cooperate, which applies to lead authority and other authorities alike. Nonetheless, while the lead regulator must be given the chance to act, lead regulators cannot choose to ignore the importunate demands of other national regulators, whether for lack of resources or for other reasons (e.g. a different assessment as to what’s important). The significance of this comes down to the concerns about the effectiveness of the DPC (especially bearing in mind the size of the companies under the DPC’s jurisdiction). Against this background, the judgment will probably be welcomed by privacy advocates. That it is equally good from the perspective of data controllers, at least those based in Ireland, seems far less likely. What is potentially problematic from the perspective of the data controller is the greater unpredictability of the data protection regime. This may be less about fragmenting standards (especially if the decision is referred to the EDPB) than about where enforcement actions may start; this agenda may not rest entirely in the hands of the lead authority.