"Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU." - European Commission
At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism: for controllers or processors with establishments in more than one EU member state, the supervisory authority of the "main establishment" of that controller or processor in the EU would serve as the "lead SA" for its "cross-border processing" activities.
In the first landmark enforcement decision under the GDPR, the CNIL fined Google 50 million euros, despite the fact that the complaints concerned cross-border processing in the EU, which calls for one-stop shop enforcement. The CNIL considered that although Google has EU headquarters in Ireland, this Irish entity "did not have a decision-making power" in relation to the purposes and means of the relevant cross-border data processing activities. For that reason, the CNIL decided that the one-stop shop mechanism did not apply and that the CNIL was therefore competent to make a decision (under reference to the EDPB guidelines for identifying a lead SA).
What is the issue?
Is the CNIL right to require that the EU administrative headquarters also has to decide on purposes and means (i.e. qualify as the controller)?
If so, the one-stop shop mechanism will de facto not be available for non-EU controllers (such as Google), as their EU administrative headquarters will rarely independently decide on the purposes and means of its cross-border processing activities in the EU (these being part of their global service offerings). These companies will then be exposed to potential accumulation of fines for their cross-border processing activities, as each SA would be able to fine the company up to the maximum allowed under the GDPR. Though some may find this an acceptable outcome for the "Googles of this world," it is overlooked that the CNIL’s decision also limits the availability of the one-stop shop for EU-headquartered companies.
What to think?
As the CNIL’s decision is already followed by the U.K. ICO announcing similar enforcement action against Google, it is worth evaluating its merits.
The outcome is surprising. The intention of the EU legislators was to apply the one-stop shop to non-EU controllers having establishments in the EU. Enforcement against such non-EU controllers is then possible at their place of central administration in the EU. The justification for enforcing against that central administration (rather than against the controller) is that the central administration in the EU has the corporate power to ensure that the establishments in the EU implement compliance, which greatly enhances practical enforcement in the EU against non-EU controllers.
The requirement of the CNIL that the central administration in the EU must also qualify as the controller therefore undermines the one-stop shop as provided by the GDPR. This decision may be a short-term benefit to the CNIL and its national enforcement powers against Google but will ultimately prove detrimental to effective EU-wide enforcement (including uniformity in application and legal certainty) in the longer term.
The SAs cannot have it both ways. The one-stop shop cannot be applied when it suits them. Either there is a one-stop shop enforcement option against Google (whereby the lead SA in one single decision ensures EU-wide enforcement) or we go back to the pre-GDPR days where each and every SA needs to act against Google to ensure enforcement in its own jurisdiction.
The GDPR stands for the first option.
Essence of the one-stop shop
The one-stop shop was adopted by the EU regulators in order to "enhance consistency in application, legal certainty and reduce the administrative burden for controllers and processors" (EC Initial Proposal, Recital 97). The EU legislators further made clear that the one-stop shop would also bring "significant added value" for individuals, i.e. by facilitating central enforcement by a single decision of one lead SA (EC communication, at [p. 4]).
Déjà vu
Given these benefits, you would think all SAs would warmly embrace the concept.
The reality was that many SAs opposed the one-stop shop, so much so that it proved to be the last hurdle for adopting the GDPR. The opposition was triggered by the realization that not all member states have an equal number of EU headquarters in their territories. The ones with more would act more often as lead SA, gain more control, and most importantly, collect the newly increased fines.
To ensure adoption, a compromise was ultimately struck. The lead SA would no longer act independently, but would act as a "first among equals," whereby other relevant SAs (e.g. those with local establishments) could join in any enforcement action by the lead SA (and receive their share of the fine). Important here is that the core of the one-stop shop, whereby one lead SA coordinates EU-wide enforcement (to the detriment of the national enforcement powers of the SAs), remained firmly in place (EC Communication).
The definition of ‘main establishment’
Let’s look at the definition of ‘main establishment’ in Article 4(16) GDPR:
"(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment..."
At first glance, the literal text could be taken to support the decision of the CNIL, as it may be read to imply that the central administration in the EU is the place where decisions about the purposes and means are made (EDPB Guidelines at [p.5]). This could be implied by the use of the term "unless," which could be taken to mean that if decisions on purposes and means are made by another establishment instead of by the central administration, that other establishment will qualify as the main establishment.
As is often the case, however, the provisions of the GDPR cannot be taken at face value.
Controller does not have to be established in the EU
The GDPR is set up in such a manner that its provisions apply regardless of whether the controller itself is established in the EU. It is sufficient that the personal data is processed "in the context of an establishment in the EU," whereby the controller itself may well be established outside the EU (EDPB on scope, at [p. 6]).
In wording similar to that found in the scope provision of Article 3(1) GDPR, the definition of "main establishment" does not require that the controller itself should be established in the EU, just that the controller "must have establishments in more than one Member State." This provision is therefore equally meant to provide for a one-stop shop in a case of a non-EU controller having establishments in the EU, whereby it is understood that these establishments may therefore not qualify as controllers in their own right.
In order to ensure that efficient enforcement can also be achieved against non-EU controllers, the EU legislators chose the "place of central administration" as the best port of call for the one-stop shop. The EU legislators opted for "central administration" rather than "EU headquarters" to ensure that, even where there is no official legal EU headquarters, another establishment could be identified as best placed (in terms of management functions) to qualify as the main establishment, thereby guaranteeing one-stop shop enforcement against non-EU controllers as well.
Read from this perspective, it is clear why the one-stop shop mechanism does not specify that the central administration in the EU must decide the purposes and means. The provision may well cover non-EU controllers, whereby these decisions may be made by such non-EU controller.
This is also the logical interpretation of why "the place of central administration" is included in the first place.
If the EU regulators had intended that the central administration should also make decisions on purposes and means (as the CNIL assumes), the provision could have simply provided that the main establishment is "the EU establishment being the controller of the relevant processing." The reference to "place of central administration" would have no function.
This inclusion must therefore mean something different than the reference to "establishment where the decisions on purposes and means of the relevant processing are taken" (referring to who qualifies as the controller), as otherwise why include this element in the provision in the first place?
This argument also works the other way: if the central administration were also the place where decisions on purposes and means are taken, why include the alternative option? The alternative option would be irrelevant.
The construction is only consistent if the central administration is understood as the place where corporate control is exercised and compliance can be streamlined across establishments. In this interpretation, the alternative option has significant relevance as enforcement against the latter establishment is more efficient than against the center of administration, as it can both decide on purposes and means and also have these decisions implemented.
Note that the alternative option is different from mere controllership; the controller needs to be in the EU itself and further also have the power to implement decisions. The underlying rationale again is how to best enforce decisions throughout the EU (ensuring the power to direct compliance) rather than by first and foremost identifying the party having the legal responsibility to comply with the GDPR (i.e. the controller).
The above interpretation is confirmed by Recitals 36 and 37 GDPR, which provide a clarification for which entity of a group of undertakings qualifies as the main establishment. These Recitals make clear that where processing is carried out by a group of undertakings, the establishment of the undertaking in the EU with overall control over the EU establishments should be considered to be the main establishment for the group: “whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented.”
Legislative history
The above interpretation is supported by the legislative history of the relevant provisions.
The definition of "main establishment" in the EC’s initial proposal very much deviated from the final provision in the GDPR; initially, the main establishment of the controller was the place of its establishment "in the EU where the main decisions as to purposes and means are made," and in contrast for processors, the "place of its central administration."
The interpretation now given by the CNIL was therefore fully in line with the definition in the Initial Proposal, but this provision changed drastically thereafter. Note that already in this first draft the "place where decisions are taken" (for controllers) was meant to have a different meaning from the expression "place of central administration" (for processors).
The European Data Protection Supervisor (EDPS) recommended in respect of the definition of "controllers" to refine the criteria to identify a controller’s main establishment: "taking into account the ‘dominant influence’ of one establishment over others in close connection to the power to implement personal data protection rules or rules relevant for data protection. Alternatively, the definition could focus on the main establishment of the group as a whole."
In other words, not so much the decisions on purposes and means should be relevant according to the EDPS, but rather the power to get data protection rules implemented (i.e. "dominant influence") should be relevant here.
This input was subsequently taken to heart in various later versions of the definition, ultimately making the place of central administration the main establishment for controllers as well (aligning this with the connecting factor for processors).
Impact on EU headquartered companies
The CNIL’s decision also impacts the one-stop shop for EU companies, in cases where decisions about the purposes and means of a cross-border processing activity are not made by the EU headquarters but by a local subsidiary.
The requirement of the CNIL that the "place of central administration" also decides on purposes and means will lead to a mutually exclusive situation where no lead SA can be identified at all: the main option (place of central administration) would not apply, since the EU headquarters does not make these decisions, but neither would the alternative option (the establishment making the decisions), since the local subsidiary would not have the power to implement them.
This interpretation is at odds with the rationale for the one-stop shop mechanism, which is clearly intended to always lead to a main establishment regarding a cross-border processing activity. This also follows from the drafting of the definition, where the options are not equal alternatives: The main option is intended to be the default solution, unless the alternative option applies.
Again, the construction is only consistent if the place of central administration is understood as the place where corporate control is exercised and compliance can be streamlined across establishments.