Lorna Woods, Professor of Internet Law, University of Essex
Introduction
This recent CJEU judgment concerns the one stop shop in the GDPR and the way that very large corporations with operations in most if not all Member States are regulated. Facebook has its European headquarters in Ireland, so that the Irish Data Protection Commissioner (DPC) is ‘lead authority’ – that is, the DPC has primary responsibility for regulating Facebook under the GDPR.
There have been some concerns about how this one stop shop has been working, especially since some of the larger companies have tended to establish themselves in the same, small Member State. The one stop shop mechanism relies on trust between the Member States, but different Member States have varying degrees of enthusiasm for the enforcement of data protection and also have different levels of money to throw at the issue. As is the case with other one-stop shop mechanisms in other legislation, there are exceptions or ways for other affected regulators to be involved. This case is about the space left to those other regulators.
Facts
In 2015 the Belgian Privacy Commissioner (subsequently the Data Protection Authority) sought an injunction in the Belgian courts against Facebook Belgium with the objective of ending alleged infringements of data protection laws by Facebook through the collection and use of information on the browsing behaviour of Belgian internet users, whether or not they were Facebook account holders, by means of various technologies, such as cookies, plug-ins (like or share buttons) or pixels. The matter ended up in the Hof van beroep te Brussel (an appeal court), which was uncertain as to the effect of the one stop shop in the GDPR on the competence of the Belgian Data Protection Authority to bring action against Facebook Belgium. While Article 55(1) GDPR establishes the principle that each national regulatory authority is competent to carry out its role as regards its own national territory, Article 56(1) states:

the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.
Judgment
The central question concerned the circumstances in which, given the one stop shop established by Article 56(1) GDPR, a supervisory authority could take action in relation to specific instances of processing. In this, the Court emphasised two underpinning considerations: that a high level of data protection applies across the EU; and that the one stop shop depends on the process for cooperation laid down in Article 60.
While Article 60 envisages that it is the responsibility of the lead authority to adopt decisions in relation to cross-border processing, and that position is the general rule, there are exceptions found in Article 56(2) (matter only affecting its own territory) and Article 66 (urgency procedure). The Court noted, however, that the exercise of these provisions “must be compatible with the need for sincere and effective cooperation with the lead supervisory authority” [para 60] – but this obligation applies also to the lead authority, so that it cannot eschew dialogue with those other authorities [para 63]. Specifically, any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of the draft decision of the lead supervisory authority.
In terms of the protection of fundamental rights, the Court noted that this allocation of responsibilities is compatible with the Charter. It noted that:

the use of the ‘one-stop shop’ mechanism cannot under any circumstances have the consequence that a national supervisory authority, in particular the lead supervisory authority, does not assume the responsibility incumbent on it under Regulation 2016/679 to contribute to providing effective protection of natural persons from infringements of their fundamental rights as recalled in the preceding paragraph of the present judgment, as otherwise that consequence might encourage the practice of forum shopping, particularly by data controllers, designed to circumvent those fundamental rights and the practical application of the provisions of that regulation that give effect to those rights [para 68].
The Court noted that legal action by a regulatory authority could not be completely excluded – for example when the lead supervisory authority has not responded to a request for information (see Article 61(8) GDPR), where there is an urgent need for the adoption of final measures (Article 66(2) GDPR), or where the matter is referred for consideration by the European Data Protection Board (EDPB) (Article 64(2) GDPR). In this instance, the Belgian DPA asked the DPC to respond to its request for mutual assistance as expeditiously as possible, but no response was given.
The Court also addressed the question of whether the data controller must have a ‘main establishment’ in the territory of that other regulator, concluding that there was no such prerequisite [para 84]. A third question asked whether the non-lead supervisory authority would be limited as to which body to sue – that is, whether it can take action against the main establishment of the controller or against the establishment that is located in its own Member State. In the national proceedings in this case, the litigation was brought against Facebook Belgium, although the headquarters of the Facebook group is situated in Ireland and Facebook Ireland is the sole controller with respect to the collection and processing of personal data throughout the European Union. Facebook Belgium was set up to sell advertising in Belgium but also to lobby the EU institutions. The Court determined that the non-lead regulatory authority may take action not only with respect to the main establishment of the controller located in that authority’s own Member State but also with respect to another establishment of that controller, provided that the object of the legal proceedings is data processing carried out in the context of the activities of that establishment and that that authority is competent to exercise that power [para 96].
A fourth question addressed the impact of the change in regime from the Data Protection Directive (which did not have a one stop shop) to the GDPR. The Court distinguished between actions brought before the date the GDPR became applicable and actions brought after that date. As regards the first situation, such legal action may be continued (on the basis of the Directive); for other actions the GDPR rules apply – and this allows such a regulatory authority to take action where one of the exceptions applies.

The Court held that Article 58(5) GDPR (on the power of data protection authorities to bring legal proceedings) has direct effect, so that the relevant authorities may rely on the provision even when it has not been specifically implemented in the national legal system.
Comment
This seems to be a balanced judgment in which the Court aims to reconcile competing pressures. It has re-emphasised the one stop shop, but is aware of the unevenness of resources and alive to the risk of forum shopping against that background. One of the key elements of this judgment is the Court’s emphasis on the obligation to cooperate, which applies to the lead authority and other authorities alike. Nonetheless, while the lead regulator must be given the chance to act, lead regulators cannot choose to ignore the importunate demands of other national regulators – whether for lack of resources or for other reasons (eg a different assessment as to what’s important). The significance of this comes down to the concerns about the effectiveness of the DPC (especially bearing in mind the size of the companies under the DPC’s jurisdiction). Against this background, the judgment will probably be welcomed by privacy advocates. Whether it is equally good from the perspective of data controllers, at least those based in Ireland, seems far less likely. What is potentially problematic from the perspective of the data controller is the greater unpredictability of the data protection regime. This may be less about fragmenting standards (especially if the decision is referred to the EDPB) than about where enforcement actions may start; this agenda may not rest entirely in the hands of the lead authority.
Photo credit: Niamfrifruli, via Wikimedia Commons