Inaccurate media reports abounded shortly after the landmark judgment of the Court of Justice of the European Union on the one-stop shop enforcement mechanism. Headlines after the judgment said “supervisory authorities can now take a company to court in their own country even when not lead authority” and that companies “can’t limit GDPR enforcement to lead watchdog,” thus undermining the OSS of the EU General Data Protection Regulation.

Contrary to these media reports, the judgment does not open the door wide for each supervisory authority to launch its own court proceeding regarding cross-border processing. Following the opinion of its advocate general, the CJEU fully upholds the OSS, under which the supervisory authority of the “main establishment” of a company in the EU — the lead supervisory authority — has a general competence to oversee cross-border processing. That competence extends not only to enforcement by the supervisory authority but also to launching court proceedings.

In line with the advocate general, the CJEU recognizes that exceptions may apply to the OSS, but these are exceptional cases only. Exceptions include when the supervisory authority may adopt provisional measures under the urgency procedure and when it may take on a case because it is of national relevance only (but only after it first informed the lead supervisory authority, who then declined to act).

As the advocate general, the court lists some other general exceptions listed by the advocate general, include when the GDPR does not apply because infringements precede it or specific ePrivacy rules apply. In a previous IAPP article, we discussed the advocate general’s opinion.

The CJEU leaves it to the Belgian courts to assess whether any exceptions apply in the current case. Clarity around whether (and which parts of) the case can proceed before the Belgian courts and against which parties therefore remains to be decided.

What is at stake?

Before the GDPR, all supervisory authorities were competent to enforce and bring proceedings within their jurisdiction. Upon the GDPR’s adoption, the European Commission touted the benefit of the OSS: “companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.”

The GDPR provides for one-stop shop enforcement by the supervisory authority of the “main establishment” of a company in the EU, the lead supervisory authority. That power is to the detriment of the national enforcement powers of the supervisory authorities in their territories. The lead supervisory authority does not act fully independently, though. Rather, it is “first among equals.” Other supervisory authorities (e.g., where the company has local establishments) can join in enforcement by the lead supervisory authority and receive their share of the fine imposed.

Though this seems to streamline EU-wide enforcement, the one-stop shop application has been met with resistance from many supervisory authorities, raising concerns that, for political and practical reasons, it works against protecting individuals rather than enhancing pan-European enforcement as it was intended.

For example, resistance against the OSS led to France's data protection authority, the Commission nationale de l'informatique et des libertés, to decide it was competent in a case against Google. According to the CNIL, the OSS did not apply as Google’s EU headquarters in Ireland did not qualify as its main establishment because it did not have decision-making power (which was corrected by the French High Court on appeal).

The novelty of the current case is that Belgium’s Data Protection Authority does not deny the company’s main establishment is in Ireland and the Irish DPA is the lead supervisory authority. Rather, it claims the OSS does not extend to supervisory authorities' power to launch proceedings before the courts, under GDPR Article 58(5).

Context of the judgment

National procedure

As of 2015, the Belgian supervisory authority took various Facebook entities to court in Belgium in connection with alleged privacy violations regarding cookies. In 2018, the Brussels First Instance Court considered the Belgian supervisory authority competent to bring proceedings, despite not being the lead supervisory authority. It ruled in relation to breaches of the Belgian Data Protection Act — now repealed after the GDPR — and the law on electronic communications governing cookies, implementing the ePrivacy Directive.

On appeal, the Brussels Court found the supervisory authority only had jurisdiction against Facebook Belgium, not Ireland. It stayed proceedings and asked the CJEU various questions, including if a supervisory authority could pursue court proceedings against a company for cross-border processing when the supervisory authority is not the lead for the company.

Belgian supervisory authority’s main argument

The Belgian supervisory authority attacks the OSS head on, arguing it undermines the right of individuals to privacy and effective remedy. Their reasoning is that some Member States made it attractive for technology companies to establish their EU headquarters in their territory and therefore are not inclined to empower their supervisory authorities — acting as lead — as this would potentially undermine these efforts. This leads to a race to the bottom of enforcement among Member States. Rather, the Belgian supervisory authority suggests there is strength in numbers, i.e., in the possibility for each supervisory authority to launch proceedings.

The CJEU judgment

OSS is the rule

Tracking its advocate general, the CJEU indicates the competence of the lead supervisory authority is a general rule. The lead supervisory authority is a company’s “sole interlocutor” for cross‑border processing (GDPR Article 56(6)).

This competence applies not only to direct enforcement (i.e., finding a breach) but also to launching court proceedings. If supervisory authorities can launch their own proceedings, this would risk “jeopardizing” the OSS’s effectiveness.

The lead supervisory authority does not have unrestrained power

The “allocation of competences” between lead and other supervisory authorities “takes nothing away” from the right to privacy and effective remedy, according to the court. There are ample safeguards to the competence of the lead supervisory authority. It is the lead authority, not the single authority. It cannot dismiss “essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned.” It has a duty to cooperate with other authorities. For example, it must seek consensus in taking an enforcement decision and may not ignore the views of other supervisory authorities (GDPR Article 60). It must further provide mutual assistance (GDPR Article 61).

Limited exemptions apply to the OSS only

There are cases when another supervisory authority can be entitled to act, but these are exceptions only. Other supervisory authorities may remain competent:

  1. In cases of mainly national relevance: When the subject of a complaint or possible infringement relates only to an establishment on the supervisory authority’s own Member State or substantially affects individuals only in that Member State (GDPR Article 56(2)). Before taking on the matter, the supervisory authority needs to inform the lead supervisory authority, and the lead must decline to handle the case (GDPR Article 56(5)).
  2. Urgent cases: When provisional measures are justified under the urgency procedure (GDPR Article 66). The CJEU gives an example where a supervisory authority requests assistance from the lead authority and does not receive a response within one month. The requesting supervisory authority can then take provisional measures on its territory with a three-month validity at most (e.g., impose a temporary processing ban). It is noteworthy that the CJEU explicitly notes the Belgian Supervisory Authority sent the Irish authority a request for mutual assistance but did not receive a response. However, the CJEU leaves it to the Brussels Court to assess whether this exception could apply in the current case.
  3. Pre-GDPR cases: Matters relating to cross-border processing before May 25, 2018 (GPDR entry into force) could be continued based on its predecessor, the Data Protection Directive, and thus not under the OSS. Proceedings for infringements after are subject to the OSS.
  4. Non-GDPR cases: The CJEU acknowledges that the OSS does not apply when other legislation like the ePrivacy Directive applies. However, it also highlights that “all earlier processing operations, and all subsequent processing activities, with respect to that personal data, by means of other technologies, do fall within the scope of [the GDPR].” This interpretation drastically limits what could be excluded from the GDPR. For example, it makes it more difficult for supervisory authorities to circumvent the OSS via cookie rules (see, for example, another case of CNIL and Google).

Other noteworthy findings

  1. When another supervisory authority can demonstrate that one of the exceptions to the OSS applies, it could act against companies even if these don’t have a main establishment or another establishment in that supervisory authority’s Member State. In other words, what is relevant is whether the GDPR applies to the company, and not where the company is established.
  1. The GDPR’s requirement that Member States grant supervisory authorities power to bring infringements before courts has direct effect. Supervisory authorities can act even if their Member State has not yet implemented the power locally. This interpretation could have repercussions on other GDPR provisions. For example, it might entitle individuals to act even if Member States are late in implementing collective redress rights (GDPR Article 80).

What next?

It is now up to the Brussels Court of Appeal to determine to what extent any of the above exceptions apply, such that the Belgian supervisory authority could pursue court proceedings outside of the ambit of the OSS. That is, as explained, a high threshold.

Photo by Will Porada on Unsplash