News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | CJEU's advocate general: One-stop shop means one-stop shop Related reading: What happened to the one-stop shop?

rss_feed

""

On Jan. 13, 2021, Court of Justice of the European Union Advocate General Michal Bobek issued his Opinion in case 645/19 opposing Facebook to Belgium's Data Protection Authority. The opinion has been widely covered in the media, with reports that the advocate general will allow “any EU country to take legal action against Facebook or any other tech firm,” therefore undermining the one-stop-shop enforcement mechanism of the EU General Data Protection Regulation.

Contrary to media reports, the advocate general’s opinion fully upholds the one-stop shop, under which the DPA of the “main establishment” of a company in the EU has a general competence to oversee cross-border processing activities, which includes the competence to bring litigation against the company.

Limited exceptions are listed by the advocate general, but these relate to specific cases only when the one-stop shop does not apply in the first place. Examples include when the GDPR does not apply to the relevant claim (but ePrivacy rules do, for example), the case is about infringements that precede the GDPR, the relevant company does not have a main establishment in the EU (so there is no lead supervisory authority to start with), or the processing activities relate to public action.

Why the advocate general’s opinion is important

Prior to the GDPR, all supervisory authorities were competent to enforce and bring proceedings within their own jurisdiction. At the time of the adoption of the GDPR, the European Commission touted the benefit for companies that the GDPR would bring an OSS for businesses with cross-border processing activities in the EU: “companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.”[1]

The GDPR provides for one-stop-shop enforcement by the supervisory authority of the “main establishment” of a company in the EU, the lead supervisory authority. That power is to the detriment of the national enforcement powers of the supervisory authority in their own territories. The lead supervisory authority does not act fully independently though. Rather, it is the “first among equals.” Other concerned supervisory authority (e.g., located in member states where the company has local establishments) can join in enforcement actions initiated by the lead supervisory authority and receive their shares of the fines imposed.

Though this seems to streamline EU-wide enforcement, the application of the one-stop shop has been met with resistance from many supervisory authorities, raising concerns that, for political and practical reasons, the one-stop shop works against the protection of individuals rather than enhancing enforcement by enabling EU-wide enforcement as it was intended.

Some commonly reported issues include under-enforcement as some supervisory authorities, due to a lack of funding and staffing, cannot properly enforce the GDPR in their territory, let alone act as a lead supervisory authority for one-stop-shop purposes.

Another reality is that some member states have made it attractive for technology companies to establish their EU headquarters in their territory and for that reason do not seem inclined to empower their supervisory authorites sufficiently as this would potentially undermine these efforts. The thinking here is that one would need the supervisory authority of another member state to go after these companies, as these are not hindered by national political and economic self-interests of the country of establishment. A lead supervisory authority might thus become a “nest” for certain companies that, rather than being monitored[2], would in fact be shielded from other supervisory authority. This may lead to a race to the bottom of enforcement among member states, which runs afoul of the GDPR’s will to strengthen the protection of individual rights and pan-EU privacy cohesion.

Rather, the Belgian DPA suggests that there is strength in numbers, i.e., in the possibility for each supervisory authority to launch proceedings. Other issues include the risk of “privatization” of enforcement as the one-stop shop does not apply to individuals, who may well choose to enforce against the controller in their place of residence, which may be different from the one of the controller’s lead supervisory authority. This might lead to complications, such as the potential that private enforcement would supersede that of supervisory authorities.

The advocate general echoes these issues and acknowledges that these are valid concerns. However, overall, the advocate general’s message is that the GDPR “is still in its infancy” and “one should give the infant the benefit of doubt, at least for the time being.”

In other words, it is too early to tell whether these issues will materialize. According to the advocate general, the one-stop shop set up by the EU legislators must be given a chance, and if the one-stop shop later proves to be failing to protect individuals, then “the entire system would be ripe for a major revision."

So, the entire one-stop shop might be overhauled some day but not now.

Context of the decision

In 2015, the Belgian DPA initiated legal proceedings before the Belgian courts against various Facebook companies. The Belgian DPA, in particular, accused Facebook of failing to properly inform and obtain the consent of individuals in respect of Facebook’s tracking cookies and pixel tags. In 2018, the Belgian DPA won before the Brussels First Instance Court. The court ruled against Facebook Belgium, Ireland and U.S. on account of breaches to the Belgian Data Protection Act of 1992, now repealed post-GDPR, as well as breaches of the Belgian law on electronic communications of 2005 governing cookies, which implements the ePrivacy Directive. Facebook appealed the decision before the Brussels Court of Appeal.

In a decision May 8, 2019, decision, the Court of Appeal found that it only had jurisdiction against Facebook Belgium. Further, the Court of Appeal decided to stay proceedings and referred a number of questions to the CJEU. This included, in essence, whether a supervisory authority can pursue proceedings against a company in respect of its cross-border processing if the supervisory authority is not the lead supervisory authority for the company. According to Facebook, Ireland's Data Protection Commission is the competent authority in this case, because it is the supervisory authority of Facebook’s main establishment in the EU, i.e., its lead supervisory authority.

Advocate general's findings

One-stop shop is the rule for cross-border processing

The advocate general found that under the GDPR, the lead supervisory authority has a general competence to oversee cross-border processing under the one-stop shop, including in respect of enforcement. The advocate general considered a number of factors to reach that conclusion.

The advocate general reviewed all relevant provisions of the GDPR in a holistic manner from a literal standpoint and examined the history and intent of the GDPR. The advocate general concluded that the one-stop-shop mechanism excludes the possibility for supervisory authorities (such as Belgium's DPA) to initiate proceedings before its national court. Only the lead supervisory authority can file proceedings in cross-border processing cases. The advocate general used strikingly strong language to reach that conclusion, stating, for example, that there is an “abundantly clear legislative design“ and “the EU legislature made a clear institutional and structural choice, and there is, to my mind, no doubt about what it intended to achieve.”

Limited exemptions may apply to one-stop shop

The advocate general did recognize that there are situations where the one-stop shop would not apply in respect of cross-border situations. As a result, the national supervisory authority would remain competent in its own jurisdiction. For example, this is the case where:

  1. The GDPR does not apply to the processing at hand (e.g., in case the breach is governed by ePrivacy rules, which may be the case in the context of the use of cookies).
  2. The processing is carried out in the context of the activities specifically excluded from the scope of the GDPR, which can include processing by competent authorities for purposes of criminal enforcement and safeguarding national security (e.g., the situations listed in Article 2(2) GDPR).
  3. There is no lead supervisory authority, such as in cases where the company does not have one or more establishments in the EU.
  4. Cross-border data processing is carried out by public authorities or private bodies acting on the basis of Article 6(1) Subsection (c) or (e) of the GDPR; therefore, in the public interest or in the exercise of official authority (e.g., the situations set out in Article 55(2) of the GDPR).
  5. Supervisory authorities are authorized to adopt urgent measures (e.g., the situations set out in Article 66(1) of the GDPR).
  6. The lead supervisory authority “decides not to handle the case” and the supervisory authority regains the power to go to its national court (e.g., the situation set out in Article 56(5) of the GDPR).

Regarding the first point, we note France's DPA, the Commission nationale de l'informatique et des libertés, in its recent fine against Google, used this approach to exclude the one-stop shop. The CNIL fined Google 100 million euros in respect of cookies under France’s implementation of the ePrivacy Directive rather than the GPDR.

Other noteworthy comments from the advocate general include that:

  • A supervisory authority should be allowed to continue proceedings launched before the GDPR but only in relation to pre-GDPR infringements.
  • A lead supervisory authority could act against an establishment located abroad (not just in its own member state).
  • Where the one-stop shop applies, the lead supervisory authority should not be deemed the sole enforcer. Instead, it must closely cooperate with other concerned supervisory authority in accordance with the relevant rules set forth under the GDPR. So even if there is one supervisory authority spearheading proceedings, enforcement must be a collaborative, consensus-based, effort.

What next?

As usual, it remains to be seen whether and to what extent the advocate general’s opinions will be followed by the CJEU when it renders its decision. A date for a decision is still unknown. The CJEU does follow the decisions of the advocate general in a majority of its cases. If the CJEU does follow the advocate general, it will then be for the Brussels Court of Appeal to determine which of the facts precede the GDPR or are out of the scope of the GDPR (e.g., such as cookie rules under the LCE), and therefore remain under its national competence.

[1] European Commission (April 11, 2012), COM (2016) 214 final.

[2] As argued by the Belgian SA, see point 124 of the advocate general’s opinion.

Photo from Unsplash.com


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Lokke Moerel IAPP Member Contributor
Headshot Ronan Tigner Nonmember Contributor
Tags
Europe
Enforcement
Privacy Law
Privacy Opinion
Comments

If you want to comment on this post, you need to login.

Related Stories
What happened to the one-stop shop?
7
"Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU."  - European Commission At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for ...
Read More queue Save This
Related Stories
Tags
Europe
Enforcement
Privacy Law
Privacy Opinion
Recent Comments