On Feb. 2, the Belgian Data Protection Authority issued its long-awaited decision against IAB Europe, finding IAB Europe’s Transparency and Consent Framework in violation of the General Data Protection Regulation. The decision has EU-wide impact as the Belgian DPA acted as the "lead DPA" under the one-stop-shop enforcement mechanism of the GDPR. This is noteworthy, as the Belgian DPA, in cases where it does not qualify as the lead DPA, has shown a reluctance on several occasions to apply the one-stop-shop enforcement mechanism. In a case that went before the Court of Justice of the European Union, the Belgian DPA argued the one-stop-shop did not extend to the powers of DPAs to launch proceedings before the courts, under GDPR Article 58(5), with which the CJEU disagreed.
In another case, discussed here, the Belgian DPA acted on a complaint of a Belgian resident (an executive of a large company) saying the Belgian establishment of a U.S. search engine provider refused to remove URLs the individual considered harmful to his reputation. In a decision — labeled by the Belgian DPA as a “decision of principle” — it fined the Belgian establishment 600,000 euros (its highest fine to date). It declared the one-stop-shop was not applicable and ordered the removal of the relevant search results throughout the EU. The Belgian DPA now finds the Brussels Court of Appeal is blocking its way by striking down the decision in its entirety due to a lack of adequate motivation.
Why is the decision important?
The decision by the Belgian DPA to circumvent the one-stop-shop is noteworthy as the complaint concerned a “cross-border processing” in the EU and it acknowledged the U.S. search engine provider’s “main establishment” in Ireland. However, the Belgian DPA considers the one-stop-shop to be inapplicable, as the relevant processing does not take place in the context of the Irish establishment’s activities. It declared itself competent based on GDPR Article 55(1), which grants a DPA the right to exercise its powers within the territory of its own member state.
As the original complaint was directed only at the Belgian establishment and not also at the U.S. parent, being the controller, this decision led to several unnecessary complications. The main complication was whether a national DPA could take action against an EU establishment in its territory when the establishment itself is not the controller of the processing. The Belgian DPA relied on case law of the CJEU to justify this decision.
Court of Appeal
The appeal only concerned the issue of whether a national DPA could take action against an EU establishment of a non-EU controller. Because the Belgian DPA did not dispute the U.S. parent was the sole controller, the court reasoned that where the GDPR imposes requirements on the controller, the Belgian DPA can — in principle — not issue a fine against the Belgian establishment without violating the definition of “controller.” The court agreed with the Belgian DPA that CJEU case law allows an exception in principle but found that it did not adequately demonstrate the principle also applied in the case at hand. The Belgian DPA did not demonstrate the activities of the Belgian establishment were inextricably linked to those of the U.S. parent.
In their respective decisions, both the Belgian DPA and court confuse the applicability rules of the GDPR (Article 3) and the jurisdiction rules of the GDPR (Articles 55-56). This leads to complications, which could have been avoided if the one-stop-shop had been applied correctly.
Applicability – When does the GDPR apply?
The Belgian DPA considers the GDPR applicable to the processing based on Article 3(1) GDPR. The controller (U.S. parent) has an establishment in the EU (Belgium), and processing is considered to take place also in the context of the activities of this establishment. In line with the Google v. Agencia Espanola de Proteccion de Datos case (C‑131/12), the Belgian DPA considers the activities of the U.S. parent and Belgian establishment to be “inextricably linked,” since the activities of the Belgian establishment “relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.”
The Belgian DPA applied the applicability rule in the correct manner, which is not in dispute before the court. The criteria for being “inextricably linked” are very much part of the jurisprudence on the applicability regime of the GDPR rather than the jurisdiction regime. The court, however, confuses these issues in its decision. On the one hand, it accepts the GDPR applies to the processing on this basis, but on the other hand, it considers the Belgian DPA did not demonstrate that the activities of the Belgian establishment and the U.S. parent are inextricably linked. These positions cannot be aligned; if the activities had not been inextricably linked, the GDPR would not have applied in the first place.
Jurisdiction — Competence to act
The Belgian DPA declared itself competent to act against the Belgian establishment based on GDPR Article 55(1), which grants DPAs the right to exercise their powers within the territory of their member states. Although the Belgian DPA recognizes the U.S. parent’s main establishment is in Ireland, it found that the one-stop-shop did not apply, as the processing in question did not take place in the context of the activities of the Irish establishment.
For starters, if the Belgian DPA considers the activities of the Belgian establishment (sales and marketing of advertising space) to be inextricably linked with those of the U.S. parent, it is hard to see why this would not equally apply to those of the Irish establishment.
But, more importantly, the Belgian DPA confuses the requirements for applicability with the rules on jurisdiction. The one-stop shop does not require that processing take place in the context of the activities of the main establishment. In a similar vein, the one-stop shop does not require that the main establishment must also be the controller of the processing (which was the position of the French DPA, Commission nationale de l’informatique et des libertés, in the CNIL/Google case, which the French High Court corrected on appeal).
The rationales of the applicability rules and the jurisdiction rules are different and cannot be conflated. The purpose of the one-stop shop enforcement mechanism is to also facilitate enforcement against non-EU controllers in their place of central administration in the EU, where the justification for enforcement against such central administration (rather than the non-EU controller) is the fact that such central administration in the EU has the corporate power to ensure the implementation of compliance by the establishments in the EU, thereby greatly enhancing practical enforcement in the EU against non-EU controllers. The requirement of the Belgian DPA that relevant processing should be in the context of the main establishment therefore undermines the one-stop shop rationale.
The DPAs cannot have it both ways. The one-stop shop cannot be applied when it suits the DPA. Either there is a one-stop-shop enforcement option against the Irish establishment (whereby the Irish Data Protection Commission as the lead authority can in one single decision ensure EU-wide enforcement), or we go back to the pre-GDPR days where each and every DPA needs to act against the non-EU controller to ensure enforcement in its own jurisdiction.
The one-stop shop and its regulated exceptions
It is difficult to understand why the Belgian DPA felt it was necessary to discard the one-stop shop in its entirety, considering it provides for a specific exception where other DPAs remain competent in cases of mainly national relevance. This was explicitly confirmed in Belgian SA/Facebook (C-645/19), when the CJEU confirmed that the competence of the lead DPA is the general rule but recognized that other DPAs may in limited cases remain competent, such as “… concerning a cross-border processing of personal data or a possible infringement of that regulation, if the subject matter relates only to an establishment in its own Member State or substantially affects data subjects only in that Member State” (GDPR Article 56(2)). This exception includes a number of safeguards to ensure consistency of enforcement throughout the EU. For example, before being able to take on the matter, the DPA needs to inform the lead DPA, which must decline to handle the case (GDPR Article 56(5)).
Since the one-stop-shop mechanism does not require the main establishment to also be the controller of the relevant processing, the regulated exception to the one-stop shop also does not require the relevant establishment to be the controller of the processing. The whole purpose of the system of the one-stop-shop and the controlled exception is to facilitate EU-wide enforcement against an EU establishment of a non-EU controller. In other words, if the Belgian DPA had applied the exception to the one-stop shop, the issue of whether it can enforce laws against the Belgian establishment (which is not the controller) would not have come up at all.
Competence against EU establishment not being the controller
In reference to Wirtschaftsakademie (C‑210/16), the Belgian DPA argued on appeal that because the activities of the Belgian establishment and the U.S. parent are “inextricably linked,” the Belgian establishment should be treated as if it were the controller. In the Wirtschaftsakademie case, the CJEU considered the German DPA competent to act against a German establishment, even though the U.S. parent and an Irish establishment were joint controllers for the processing. The CJEU stated that where German data protection law applied because of the activities of the German establishment being inextricably linked to those of the U.S. parent and the Irish establishment, the German DPA could act against the German establishment.
The court agreed that based on the Wirtschaftsakademie decision, the Belgian DPA could have in principle acted against the Belgian establishment. However, the court found the Belgian DPA did not adequately demonstrate that the principle also applies to the case at hand; it failed to demonstrate the activities of the Belgian establishment are inextricably linked to those of the U.S. parent.
This confuses all of the issues at stake. First, whether the processing takes place in the context of the EU establishment is relevant to determine if the GDPR applies to a non-EU controller. If the court accepts that the GDPR applies to the U.S. parent, this implies the activities of the Belgian establishment and U.S. parent are inextricably linked (because otherwise the GDPR would not apply in the first place).
Second, whether the Belgian DPA is competent to act against the Belgian establishment should be decided based on the rules of the one-stop shop. The Wirtschaftsakademie case was filed under the Data Protection Directive, which did not provide for the one-stop shop. Only if the one-stop-shop and its exceptions do not apply would the Belgian DPA be competent to act against the Belgian establishment (based on the case law cited above). This is not because the Belgian establishment should be treated as if it were the controller, but because it is an EU establishment of a non-EU controller whose processing is governed by the GDPR under Article 3(1).
What’s next
The Belgian DPA has not indicated whether it will appeal the court’s decision before the Belgian Supreme Court. The Belgian DPA has removed its original decision from its website, and it is no longer available.