On Jan. 13, 2021, Court of Justice of the European Union Advocate General Michal Bobek issued his Opinion in case 645/19 opposing Facebook to Belgium's Data Protection Authority. The opinion has been widely covered in the media, with reports that the advocate general will allow “any EU country to take legal action against Facebook or any other tech firm,” therefore undermining the one-stop-shop enforcement mechanism of the EU General Data Protection Regulation.
Contrary to media reports, the advocate general’s opinion fully upholds the one-stop shop, under which the DPA of the “main establishment” of a company in the EU has a general competence to oversee cross-border processing activities, which includes the competence to bring litigation against the company.
Limited exceptions are listed by the advocate general, but these relate to specific cases only when the one-stop shop does not apply in the first place. Examples include when the GDPR does not apply to the relevant claim (but ePrivacy rules do, for example), the case is about infringements that precede the GDPR, the relevant company does not have a main establishment in the EU (so there is no lead supervisory authority to start with), or the processing activities relate to public action.
Why the advocate general’s opinion is important
Prior to the GDPR, all supervisory authorities were competent to enforce and bring proceedings within their own jurisdiction. At the time of the adoption of the GDPR, the European Commission touted the benefit for companies that the GDPR would bring an OSS for businesses with cross-border processing activities in the EU: “companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.”[1]
The GDPR provides for one-stop-shop enforcement by the supervisory authority of the “main establishment” of a company in the EU, the lead supervisory authority. That power is to the detriment of the national enforcement powers of the supervisory authority in their own territories. The lead supervisory authority does not act fully independently though. Rather, it is the “first among equals.” Other concerned supervisory authority (e.g., located in member states where the company has local establishments) can join in enforcement actions initiated by the lead supervisory authority and receive their shares of the fines imposed.
Though this seems to streamline EU-wide enforcement, the application of the one-stop shop has been met with resistance from many supervisory authorities, raising concerns that, for political and practical reasons, the one-stop shop works against the protection of individuals rather than enhancing enforcement by enabling EU-wide enforcement as it was intended.
Some commonly reported issues include under-enforcement as some supervisory authorities, due to a lack of funding and staffing, cannot properly enforce the GDPR in their territory, let alone act as a lead supervisory authority for one-stop-shop purposes.
Another reality is that some member states have made it attractive for technology companies to establish their EU headquarters in their territory and for that reason do not seem inclined to empower their supervisory authorites sufficiently as this would potentially undermine these efforts. The thinking here is that one would need the supervisory authority of another member state to go after these companies, as these are not hindered by national political and economic self-interests of the country of establishment. A lead supervisory authority might thus become a “nest” for certain companies that, rather than being monitored[2], would in fact be shielded from other supervisory authority. This may lead to a race to the bottom of enforcement among member states, which runs afoul of the GDPR’s will to strengthen the protection of individual rights and pan-EU privacy cohesion.
Rather, the Belgian DPA suggests that there is strength in numbers, i.e., in the possibility for each supervisory authority to launch proceedings. Other issues include the risk of “privatization” of enforcement as the one-stop shop does not apply to individuals, who may well choose to enforce against the controller in their place of residence, which may be different from the one of the controller’s lead supervisory authority. This might lead to complications, such as the potential that private enforcement would supersede that of supervisory authorities.
The advocate general echoes these issues and acknowledges that these are valid concerns. However, overall, the advocate general’s message is that the GDPR “is still in its infancy” and “one should give the infant the benefit of doubt, at least for the time being.”
In other words, it is too early to tell whether these issues will materialize. According to the advocate general, the one-stop shop set up by the EU legislators must be given a chance, and if the one-stop shop later proves to be failing to protect individuals, then “the entire system would be ripe for a major revision."
So, the entire one-stop shop might be overhauled some day but not now.
Context of the decision
In 2015, the Belgian DPA initiated legal proceedings before the Belgian courts against various Facebook companies. The Belgian DPA, in particular, accused Facebook of failing to properly inform and obtain the consent of individuals in respect of Facebook’s tracking cookies and pixel tags. In 2018, the Belgian DPA won before the Brussels First Instance Court. The court ruled against Facebook Belgium, Ireland and U.S. on account of breaches to the Belgian Data Protection Act of 1992, now repealed post-GDPR, as well as breaches of the Belgian law on electronic communications of 2005 governing cookies, which implements the ePrivacy Directive. Facebook appealed the decision before the Brussels Court of Appeal.
In a decision May 8, 2019, decision, the Court of Appeal found that it only had jurisdiction against Facebook Belgium. Further, the Court of Appeal decided to stay proceedings and referred a number of questions to the CJEU. This included, in essence, whether a supervisory authority can pursue proceedings against a company in respect of its cross-border processing if the supervisory authority is not the lead supervisory authority for the company. According to Facebook, Ireland's Data Protection Commission is the competent authority in this case, because it is the supervisory authority of Facebook’s main establishment in the EU, i.e., its lead supervisory authority.
Advocate general's findings
One-stop shop is the rule for cross-border processing
The advocate general found that under the GDPR, the lead supervisory authority has a general competence to oversee cross-border processing under the one-stop shop, including in respect of enforcement. The advocate general considered a number of factors to reach that conclusion.
The advocate general reviewed all relevant provisions of the GDPR in a holistic manner from a literal standpoint and examined the history and intent of the GDPR. The advocate general concluded that the one-stop-shop mechanism excludes the possibility for supervisory authorities (such as Belgium's DPA) to initiate proceedings before its national court. Only the lead supervisory authority can file proceedings in cross-border processing cases. The advocate general used strikingly strong language to reach that conclusion, stating, for example, that there is an “abundantly clear legislative design“ and “the EU legislature made a clear institutional and structural choice, and there is, to my mind, no doubt about what it intended to achieve.”
Limited exemptions may apply to one-stop shop
The advocate general did recognize that there are situations where the one-stop shop would not apply in respect of cross-border situations. As a result, the national supervisory authority would remain competent in its own jurisdiction. For example, this is the case where:
- The GDPR does not apply to the processing at hand (e.g., in case the breach is governed by ePrivacy rules, which may be the case in the context of the use of cookies).
- The processing is carried out in the context of the activities specifically excluded from the scope of the GDPR, which can include processing by competent authorities for purposes of criminal enforcement and safeguarding national security (e.g., the situations listed in Article 2(2) GDPR).
- There is no lead supervisory authority, such as in cases where the company does not have one or more establishments in the EU.
- Cross-border data processing is carried out by public authorities or private bodies acting on the basis of Article 6(1) Subsection (c) or (e) of the GDPR; therefore, in the public interest or in the exercise of official authority (e.g., the situations set out in Article 55(2) of the GDPR).
- Supervisory authorities are authorized to adopt urgent measures (e.g., the situations set out in Article 66(1) of the GDPR).
- The lead supervisory authority “decides not to handle the case” and the supervisory authority regains the power to go to its national court (e.g., the situation set out in Article 56(5) of the GDPR).
Regarding the first point, we note France's DPA, the Commission nationale de l'informatique et des libertés, in its recent fine against Google, used this approach to exclude the one-stop shop. The CNIL fined Google 100 million euros in respect of cookies under France’s implementation of the ePrivacy Directive rather than the GPDR.
Other noteworthy comments from the advocate general include that:
- A supervisory authority should be allowed to continue proceedings launched before the GDPR but only in relation to pre-GDPR infringements.
- A lead supervisory authority could act against an establishment located abroad (not just in its own member state).
- Where the one-stop shop applies, the lead supervisory authority should not be deemed the sole enforcer. Instead, it must closely cooperate with other concerned supervisory authority in accordance with the relevant rules set forth under the GDPR. So even if there is one supervisory authority spearheading proceedings, enforcement must be a collaborative, consensus-based, effort.
What next?
As usual, it remains to be seen whether and to what extent the advocate general’s opinions will be followed by the CJEU when it renders its decision. A date for a decision is still unknown. The CJEU does follow the decisions of the advocate general in a majority of its cases. If the CJEU does follow the advocate general, it will then be for the Brussels Court of Appeal to determine which of the facts precede the GDPR or are out of the scope of the GDPR (e.g., such as cookie rules under the LCE), and therefore remain under its national competence.
[1] European Commission (April 11, 2012), COM (2016) 214 final.
[2] As argued by the Belgian SA, see point 124 of the advocate general’s opinion.
Photo from Unsplash.com