Lorna Woods, Professor of Law, University of Essex
Like their comic-book counterparts, the national data protection authorities in EU Member States, given their super regulatory powers by EU legislation, sometimes pause in battling high-tech villains – to fight with each other instead. To resolve such conflicts of jurisdiction, the GDPR created a one-stop-shop system to determine which authority could bring proceedings in principle.
This case is the first judicial test of the one-stop-shop in the GDPR and its lead supervisory authority (LSA) mechanism, according to which the main responsibility with the EU for regulating a data controller under the GDPR falls to the regulator of the jurisdiction in which the controller has its main establishment (Article 56 GDPR). While Article 56 establishes the idea of the lead supervisory authority based on the location of the controller’s main establishment, it operates without prejudice to Article 55 GDPR, which gives each national supervisory authority competence to regulate, and other provisions envisage that, even when not a lead supervisory authority, national supervisory authorities retain some interests in regulation. Further, the GDPR envisages cooperation between the national supervisory authorities. The question here is about the circumstances in which this residual competence may be exercised. The question arises against a backdrop in which some differences in approach to regulation can be detected and perhaps some distrust between the different national supervisory authorities (as also illustrated with the difficulties in agreeing the fine for Twitter in relation to a data breach that lead to the first decision of the European Data Protection Board (EDPB) under Article 65 GDPR).
The Advocate General’s opinion in this case (Case C-645/19 Facebook Belgium v Gegevensbeschermingsautoriteit, Opinion 13 January 2021) sought to chart a middle ground between the two positions argued before the court as to whether only the LSA may take action. While he agreed that the primary responsibility lay with the LSA, in his view the consequences of that position were not as extreme as Facebook sought to claim.
The Advocate General took a literal and systemic approach to the interpretation of Article 56 (referring also to Recital 124 in the GDPR preamble) to find that the LSA has general competence over cross-border data processing. Any role for other national supervisory authorities is exceptional -. The fact that Article 56, which sets up the LSA mechanism, is said to operate without prejudice to Article 55, attributing competence to the various national supervisory authorities, does not change this position. Such an interpretation would deprive Article 56 of any meaning . This is incompatible with the importance ascribed to the LSA mechanism by where it is placed: the second provision in the relevant section of the regulation, before all the other general provisions on ‘tasks’ and ‘powers’ in that section. Significantly, Chapter VII (cooperation) refers back to Article 56.
In the view of the Advocate General, the GDPR makes it ‘clear that that is meant to be the procedure to be followed when enforcement action against cross-border processing is necessary’ (emphasis in original) . Consequently, the term ‘without prejudice’ does not refer to competence but refers to the fact that ‘all supervisory authorities naturally retain the general powers assigned to them by virtue of Article 55 (and Article 58) of the GDPR’ . The Advocate General therefore confirmed the approach of the EDPB in Opinion 8/2019 which views Article 56(1) as an ‘overriding rule’ and as ‘lex specialis’ taking priority over the general rules of competence in Article 55 in the circumstances specified in Article 56. To take the approach put forward by the Belgian data protection authority would frustrate the purpose of the GDPR as found in recital 10, and return the position to that under the Data Protection Directive.
It was also argued that Article 58(5) means that all supervisory authorities must be able to start judicial proceedings against any potential infringement of the data protection rules affecting their territory, irrespective of the (local or cross-border) nature of the processing; the one-stop shop mechanism applies only to administrative action. The Advocate General criticised this interpretation for, again, taking one provision in isolation and out of context. Article 58(5) of the GDPR sets out ‘powers that are to be given to all supervisory authorities without exception’ but ‘does not regulate the situations and manner in which that power to bring proceedings is to be exercised’ . The distinction between judicial and administrative proceedings was unjustified in the light of the text and structure of Article 58 as a whole. The interpretation proposed by the Belgian data protection authority ‘would not allow a supervisory authority to (administratively) investigate, prepare, process, and decide, but would allow it instead immediately to bring judicial proceedings before a court’ , which is netiher reasonable nor appropriate.
The Advocate General then supported his arguments through a teleological and historical interpretation of the GDPR and its emphasis to avoid fragmentation (Recital 9), incoherence and double regulation. The one stop shop mechanism was the means introduced to achieve this goal. However, the Advocate General noted that the Commission’s original proposal for a very strict idea of the one stop shop gave rise to discussions with the Council and the Parliament, leading to the introduction of a number of exceptions, including a concern to emphasis the proximity between data subjects and the relevant supervisory authorities.  The Advocate General described this process as turning the one stop shop mechanism ‘into a more balanced two-pillar mechanism’ with an enhanced role for the other supervisory authorities .
The third approach to interpreting the GDPR adopted by the Advocate General is that of a Charter -oriented approach, to ensure maximum protection of Articles 7, 8 and 47 of the EU Charter of Fundamental Rights. The Advocate General criticised what in his view was an assumption that a high level of protection requires a multiplicity of authorities that may enforce compliance with the GDPR. Rather, a high level of protection requires a coherent framework, as seen in recitals 7, 9 and 10 GDPR, for coherent application of the rules. In the view of the Advocate General
a coherent and uniform level of protection certainly does not preclude that protection from being placed at a high level. It is simply a question of where that uniform yardstick should be set .
A second issue relating to rights concerns the proximity of the complainant and the relevant national supervisory authority and its impact of the right of that individual to complaint (as in Article 78 GDPR). This is specifically so given that the data subject has the right to choose where to launch legal action under Article 79 between the courts of the Member States where the controller or processor has an establishment or where the data subjects reside. The position would be slightly more difficult as regards the right to challenge the action (or inaction) of a national supervisory authority: such actions should be brought before the courts of the Member State where the supervisory authority is established. (Article 78 and Recital 143). The Advocate General however envisaged that a complaint could be lodged with the complainant’s home supervisory authority, whether or not that authority is the LSA so safeguarding the right to the data subject to take action in his or her home jurisdiction . The Advocate General accepted that this structure may lead to practical problems though these at the moment lie in the realm of conjecture.
The Advocate General finally considered concerns about a risk of under-enforcement. First and specifically as regards criminal enforcement, the Advocate General commented that while the cooperation and consistency mechanisms
are obligatory for the supervisory authorities, they do not apply to other Member States’ authorities, in particular those charged with the task of prosecuting criminal offences (emphasis in original) .
More generally, and in the view of the Advocate General, more importantly the GDPR does not operate so as to make the LSA the sole enforcer in cross border situations. The system is built on cooperation and consensus (Article 60(1)) and persistent disputes are referred to the EDPB to the extent that ‘the LSA’s position in that regard is no stronger than that of any other authority’ . The GDPR also contains provisions to deal with regulatory inertia. The Advocate General suggests two enforcement routes, though he accepts that both are cumbersome and potentially paper tigers:
- a supervisory authority may request another supervisory authority to provide ‘information and mutual assistance in order to implement and apply the GDPR as provided in Article 60 and a failure of the LSA to respond would give rise by virtue of Article 61 to a right on the part of the requesting authority to ‘adopt a provisional measure on the territory of its Member State in accordance with Article 55(1)’, triggering the urgent processes under Article 66.
- Article 64 provides a mechanism whereby matters producing effects in more than one Member State are brought to the EDPB, though it is not clear what the legal effect of such a decision would be.
If under-enforcement turns out to be a real problem, for example where the one stop shop mechanism ‘were to lead to regulatory ‘nests’ for certain operators who, after having effectively chosen their national regulator themselves by accordingly placing their main establishment within the Union, rather than being monitored, they would in fact be shielded from other regulators by a specific LSA’ , then the entire system would be ripe for major revision. The GDPR is still in its infancy, however, and it would be a bad idea for the Court to fundamentally alter the GDPR structures without evidence.
Thus, the GDPR permits the supervisory authority of a Member State to bring proceedings before a court of that State for an alleged infringement of the GDPR with respect to cross-border data processing, despite not being the LSA, provided that it does so in the situations and according to the procedures set out in the GDPR . The position does not change depending on whether the controller has a secondary establishment in another Member State . Nor does it matter whether the national supervisory authority commences legal proceedings against the controller’s main establishment or against the establishment situated in its own Member State . In this, the Advocate General dismissed an argument based on Article 55(1) that a national supervisory authority can only act within its own state, and therefore only against local establishments; the territorial element relates to the effects of the data processing . By creating a central point for enforcement the LSA mechanism implies that the LSA must be able to take action against actors established other than in its territory . Finally, the Advocate General confirmed that Article 58(5) has direct effect as well as direct applicability.
Both sides had claimed victory in this opinion. Facebook emphasises the re-iteration of the LSA mechanism and the Belgian authorities point to the fact that the Advocate General made clear that the LSA is not the sole enforcer in such cases. If the Court follows its Advocate General, this should give some comfort to those operating in multiple jurisdictions that they will not continue to face the difficulties of multiple and potentially incoherent enforcement found under the Data Protection Directive. Nonetheless, the result of the GDPR is not a simple, bright-line allocation of jurisdiction to one national supervisory authority.
Firstly, there are moreover a number of exceptions to the LSA mechanism, which also reflect the ‘two-pillared’ nature of the enforcement system. These arise when:
- supervisory authorities act outside the material scope of the GDPR;
- the processing is necessary for compliance with a legal obligation, in the public interest or in the exercise of official authority;
- processing is carried out by controllers that have no establishment in the European Union;
- a national supervisory authority other than the LSA considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects (Art. 66 GDPR); or
- the LSA decides not to handle the case.
Beyond this, however, the Advocate General emphasised the importance of cooperation within the system, implicitly pointing towards the need towards an EU settlement on the question of standards that lies in the shadows of this case (see eg. para 97). An LSA cannot ride roughshod over the views of other relevant national supervisory authorities; this is potentially a prophylactic against the creation of ‘nests’ for privacy averse data controllers. The approach to interpretation, while it allowed the Advocate General to bring through the delicate balance between potentially conflicting concerns, reflects approaches typically adopted in the interpretation of EU law, emphasising the purposive approach. In any event, the Opinion drew out the existence of possible mechanisms by which the failure of an LSA to act – whether through choice or because of resourcing – could be challenged and decisions of the other national regulatory authorities/EDPB put in place. In this, the Opinion is a welcome review of the mechanisms in the GDPR, a set of systems which are complex and not necessarily easily understood.
In terms of enforcement of the GDPR, it is important to remember that enforcement does not lie in the hands of the national regulatory authorities alone; and the Opinion reminds us of this in terms both of direct enforcement of data subjects’ rights but also in terms of challenging the inaction of a national supervisory authority. Here the choice of jurisdiction is not determined by the LSA mechanism. Strategic litigation, including some forum shopping, may still be possible.
Where this leaves Facebook and the Belgian authorities is not yet clear. This is of course an opinion, not the judgment of the Court. While the Court usually follows the opinion of its Advocate General it is not obliged so to do. Moreover, action against the Irish DPC, the LSA as regards Facebook, has settled a judicial review action brought by Max Schrems in respect of the DPC’s failure to stop data transfers to the US. While this is action, it does not cover exactly the same issues brought by the Belgian authorities.