Authors: Heidi Waem, Simon Verschaeve
When the GDPR was adopted back in 2016, its new cooperation and consistency mechanism, coined as the one-stop-shop, was marketed as one of the major advancements that the GDPR would bring to organisations. Instead of having to engage with multiple local data protection authorities, controllers and processors established in the EU would be able to deal with only a single data protection authority (DPA) with respect to their cross-border processing activities. The mechanism is often seen as a counterbalance for the additional compliance burden for organisations that came along with the GDPR.
On 15 June 2021, the EU Court of Justice (CJEU) for the first time clarified the conditions under which this one-stop-shop mechanism applies. In this landmark ruling, the CJEU explains in particular to what extent a non-lead DPA remains entitled, under the GDPR, to bring proceedings before the courts of its own Member State against a multinational company – in this case, Facebook – with its main establishment elsewhere in the EU.
Origin of the case
The preliminary ruling of the CJEU is another step in a long-running case of the Belgian DPA against Facebook (for alleged cookie infringements) in the context of which the competence of the Belgian DPA, being a non-lead DPA, to bring proceedings against Facebook was disputed as Facebook’s lead DPA is the Irish DPA (ie its main establishment in the EU is in Ireland).
The case however originates from the pre-GDPR era. In 2015, the Belgian DPA initiated proceedings against Facebook Inc., Facebook Ireland Limited and Facebook Belgium on the basis of the “old” Belgian Data Protection Act (which transposed Directive 95/46/EC). In the absence of sanctioning powers at that time, one of the few remedies at the DPA’s disposal was for its president to initiate court proceedings.
The Court of First Instance found that Facebook’s practices were unlawful and ordered it to cease these activities for internet users in the Belgian territory – subject to a penalty payment of EUR 250,000 a day, with a maximum of EUR 100 million. On Facebook’s appeal, in contrast, the Brussels Court of Appeal dismissed the claims against Facebook Inc. and Facebook Ireland in an interim decision in 2019. In addition, to ascertain whether it can proceed with the case against Facebook Belgium, it referred the case for a preliminary ruling to the CJEU as the GDPR had meanwhile come into force (ie introducing the one-stop-shop mechanism).
The starting point of the CJEU’s reasoning is the general statement in the GDPR that each DPA is competent to perform its tasks and exercise its powers on the territory of its own Member State (Article 55.1), including, inter alia, its power to initiate legal proceedings to enforce the GDPR (Article 58.5).
One-stop-shop as the general rule
However, to exercise this general competence, a DPA must be competent “with respect to a particular instance of data processing.” Where the processing is cross-border in nature, the allocation of competences between “lead” and “concerned” DPAs need to be taken into account (or applies “as a lex specialis” as stated by Advocate-General (AG) Bobek in its Opinion).
If the one-stop-shop applies, DPAs must cooperate through that mechanism. Its use is mandatory, not only for administrative actions, but also for judicial proceedings.
That said, the cooperation must also be “sincere and effective.” The lead DPA must take into account each “relevant and reasoned objection” of another DPA. Such objection will, at least temporarily, block the adoption of the draft decision of the lead DPA.
Notwithstanding the clear confirmation that the one-stop-shop is and remains the main mechanism to determine the competence of a DPA in cross-border cases covered by the GDPR, the CJEU at the same time also clarifies that several exceptions apply to this principle, which are in essence:
- Local cases: As set out in the GDPR (Article 56.2), a non-lead DPA has competence where the subject matter of a complaint or potential infringement relates (i) only to an establishment in that Member State; or (ii) “substantially affects data subjects” only in that Member State.
- Urgent cases: If a non-lead DPA considers there is “an urgent need to act,” it may, in exceptional circumstances, immediately adopt interim measures on its own territory with a maximum validity of three months (Article 66). Where final measures would be – urgently – required, it can request an opinion or binding decision from the EDPB.
- Unsuccessful mutual assistance requests: DPAs can request information and mutual assistance from each other. In case of such request, the requested DPA must inform the requesting DPA of “the results or, as the case may be, of the progress of the measures taken to respond.” If the requested DPA does not provide this information within one month after the request, the requesting DPA may adopt temporary measures and request a binding decision from the EDPB (without the need to demonstrate urgency) (Article 61.8).
- Matters of general (or broad) application: A non-lead DPA can also request a (non-binding) opinion, and ultimately, a binding decision from the EDPB for any matter (i) of general application; or (ii) producing effects in more than one Member State (Article 64.2).
In these cases, non-lead DPAs may eventually exercise their competences under the GDPR, which includes, where appropriate, initiating legal proceedings before the courts of its own Member State.
Other relevant considerations
The CJEU further clarified that, if a DPA has competence in one of the circumstances listed above, it is not required that the controller against whom a DPA wishes to initiate legal proceedings has an establishment on the territory of the Member State of that non-lead DPA, provided that the processing falls within the territorial scope of the GDPR (Article 3).
Moreover, the non-lead DPA can direct its legal proceedings against both the main establishment of the controller or against another establishment whether or not located in its own Member State (i) insofar the processing that is the object of the legal proceedings is carried out “in the context of the activities of an establishment” and (ii) where the non-lead DPA has competence (as set out above).
Finally, it is noteworthy – especially for the main proceedings before the Brussels Court of Appeal – that the CJEU confirms that Directive 95/46 (and legislation adopted on the basis thereof – such as the former Belgian Data Protection Act) remains applicable in relation to infringements committed up to the data of its repeal (ie 25 May 2018), regardless of whether the Belgian DPA must be considered as a lead DPA or not under the GDPR. It is now clear that the claim made by Facebook in respect of the Belgian DPA’s lack of competence to continue its legal proceedings after the GDPR (and the one-stop-shop) became applicable should not be accepted – at least for the part that relates to infringements by Facebook from before 25 May 2018.
For infringements as from the GDPR’s entry into force, it is for the Brussels Court of Appeal to check whether the Belgian DPA has complied with the GDPR procedures (eg in relation to a mutual assistance request) to gain competence as a non-lead DPA, against the – according to the AG – “peculiar procedural background” of this case.
What does this case mean for (multinational) companies?
For organisations relying on the one-stop-shop, this decision provokes quite some controversy – which is caused by the fact that the outcome of the case is that the Belgian DPA can continue, at least part of its proceedings, while it is not the lead DPA for Facebook.
The outcome of the case is all the more relevant in light of the continuing struggles around the growing backlog of the Irish Data Protection Commissioner which demonstrates, according to some, that the one-stop-shop mechanism fails to contribute to effective data protection enforcement in the EU. It is therefore relevant to many organisations to understand the relatively nuanced approach the CJEU took on the scope of the one-stop-shop mechanism of the GDPR.
On the other hand, the decision does not contain too many surprises either. Each of the carve-outs from the one-stop-shop mechanism that were set out by the CJEU are already expressly included in the text of the GDPR. Although there might have been doubts for some (procedural) rules of the GDPR, the non-retroactivity of the GDPR was also to be expected.
At long last, there is still a rather broad competence reserved to the lead DPA. If a lead DPA prefers to handle a case, most of the exceptions to the one-stop-shop mechanism will prove to be rather theoretical. For example, for local and urgent cases, the CJEU confirms that the lead DPA has a “revocation right” within three weeks after being informed by the non-lead DPA. Even in case of these exceptions, the lead DPA could thus still prevent a non-lead DPA from continuing with the case. Where a binding decision of the EDPB is required to proceed, the non-lead DPA can only continue where it is successful in securing a (two-third or simple) majority among the other DPAs. Therefore, it could be said that the one-stop-shop – aside from some interesting clarifications – largely remains intact after this decision of the CJEU.
For further information and advice, please get in touch with firstname.lastname@example.org or your usual DLA Piper contact.