
"Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU." - European Commission

At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism: for controllers or processors with more than one establishment in the EU, the supervisory authority of the "main establishment" of that controller or processor in the EU serves as the "lead SA" in respect of its "cross-border processing" activities.

In the first landmark enforcement decision under the GDPR, the CNIL fined Google 50 million euros, despite the fact that the complaints concerned cross-border processing in the EU, which calls for one-stop shop enforcement. The CNIL considered that although Google has EU headquarters in Ireland, this Irish entity "did not have a decision-making power" in relation to the purposes and means of the relevant cross-border data processing activities. For that reason, the CNIL decided that the one-stop shop mechanism did not apply and that the CNIL was therefore competent to make a decision (under reference to the EDPB guidelines for identifying a lead SA).

What is the issue?

Is the CNIL right to require that the EU administrative headquarters also has to decide on purposes and means (i.e. qualify as the controller)?

If so, the one-stop shop mechanism will de facto not be available for non-EU controllers (such as Google), as their EU administrative headquarters will rarely independently decide on the purposes and means of their cross-border processing activities in the EU (these being part of their global service offerings). These companies will then be exposed to a potential accumulation of fines for their cross-border processing activities, as each SA would be able to fine the company up to the maximum allowed under the GDPR. Though some may find this an acceptable outcome for the "Googles of this world," it is overlooked that the CNIL's decision also limits the availability of the one-stop shop for EU-headquartered companies.

What to think?

As the CNIL’s decision is already followed by the U.K. ICO announcing similar enforcement action against Google, it is worth evaluating its merits.

The outcome is surprising. The intention of the EU legislators was to apply the one-stop shop to non-EU controllers having establishments in the EU. Enforcement against such non-EU controllers is then possible in their place of central administration in the EU. The justification for enforcement against that central administration (rather than the controller) is that the central administration in the EU has the corporate power to ensure that the establishments in the EU implement compliance, thereby greatly enhancing practical enforcement in the EU against non-EU controllers.

The requirement of the CNIL that the central administration in the EU must also qualify as the controller therefore undermines the one-stop shop as provided by the GDPR. This decision may be a short-term benefit to the CNIL and its national enforcement powers against Google but will ultimately prove detrimental to effective EU-wide enforcement (including uniformity in application and legal certainty) in the longer term.

The SAs cannot have it both ways. The one-stop shop cannot be applied when it suits them. Either there is a one-stop shop enforcement option against Google (whereby the lead SA in one single decision ensures EU-wide enforcement) or we go back to the pre-GDPR days where each and every SA needs to act against Google to ensure enforcement in its own jurisdiction.

The GDPR stands for the first option.

Essence of the one-stop shop

The one-stop shop was adopted by the EU regulators in order to "enhance consistency in application, legal certainty and reduce the administrative burden for controllers and processors" (EC Initial Proposal, Recital 97). The EU legislators further made clear that the one-stop shop would also bring "significant added value" for individuals, i.e. by facilitating central enforcement by a single decision of one lead SA (EC communication, at [p. 4]).

Déjà vu

Given these benefits, you would expect all SAs to warmly embrace the concept.

The reality was that many SAs opposed the one-stop shop, so much so that it proved to be the last hurdle for adopting the GDPR. The opposition was triggered by the realization that not all member states have an equal number of EU headquarters in their territories. The ones with more would act more often as lead SA, gain more control, and most importantly, collect the newly increased fines.

To ensure adoption, ultimately a compromise was struck. The lead SA would no longer act independently, but would act as a "first among equals," whereby other relevant SAs (e.g. with local establishments) could join in any enforcement action by the lead SA (and receive their share of the fine). Importantly, the core of the one-stop shop, whereby one lead SA coordinates EU-wide enforcement (to the detriment of the national enforcement powers of the SAs), remained firmly in place (EC Communication).

The definition of 'main establishment'

Let's look at the definition of 'main establishment' in Article 4(16) GDPR:

"(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment..."

At first glance, the literal text could be taken to support the decision of the CNIL, as it may be read to imply that the central administration in the EU is the place where decisions about the purposes and means are made (EDPB Guidelines at [p.5]). This could be implied by the use of the term "unless," which could be taken to mean that if decisions on purposes and means are made by another establishment instead of by the central administration, that other establishment will qualify as the main establishment.

As is often the case, however, the provisions of the GDPR cannot be taken at face value.

Controller does not have to be established in the EU

The GDPR is set up in such a manner that its provisions apply regardless of whether the controller itself is established in the EU. It is sufficient that the personal data is processed "in the context of an establishment in the EU," whereby the controller itself may well be established outside the EU (EDPB on scope, at [p. 6]).

In wording similar to that found in the scope provision of Article 3(1) GDPR, the definition of "main establishment" does not require that the controller itself be established in the EU, just that the controller "must have establishments in more than one Member State." This provision is therefore equally meant to provide for a one-stop shop in the case of a non-EU controller having establishments in the EU, with the understanding that these establishments may not qualify as controllers in their own right.

In order to ensure that efficient enforcement can also be achieved in the case of non-EU controllers, the EU legislators chose the "place of central administration" as the port of call for the one-stop shop. The EU legislators opted for "central administration" rather than "EU headquarters" so that, even where there is no official legal EU headquarters, another establishment could be identified as best placed (in terms of management functions) to qualify as the main establishment, thereby guaranteeing one-stop shop enforcement also against non-EU controllers.

Read from this perspective, it is clear why the one-stop shop mechanism does not specify that the central administration in the EU must decide the purposes and means. The provision may well cover non-EU controllers, whereby these decisions may be made by such non-EU controller.

This is also the logical interpretation of why "the place of central administration" is included in the first place.

If the EU regulators had intended that the central administration should also make decisions on purposes and means (as the CNIL assumes), the provision could have simply provided that the main establishment is "the EU establishment being the controller of the relevant processing." The reference to "place of central administration" would have no function.

This inclusion must therefore mean something different from the reference to the "establishment where the decisions on purposes and means of the relevant processing are taken" (which refers to who qualifies as the controller); otherwise, why include this element in the provision in the first place?

This argument also works the other way: if the central administration were also the place where decisions on purposes and means are taken, why include the alternative option? The alternative option would be irrelevant.

The construction is only consistent if the central administration is understood as the place where corporate control is exercised and compliance can be streamlined across establishments. On this interpretation, the alternative option has significant relevance, as enforcement against the latter establishment is more efficient than against the center of administration: it can both decide on purposes and means and have these decisions implemented.

Note that the alternative option is different from mere controllership; the controller needs to be in the EU itself and further also have the power to implement decisions. The underlying rationale again is how to best enforce decisions throughout the EU (ensuring the power to direct compliance) rather than by first and foremost identifying the party having the legal responsibility to comply with the GDPR (i.e. the controller).

The above interpretation is confirmed by Recitals 36 and 37 GDPR, which provide a clarification for which entity of a group of undertakings qualifies as the main establishment. These Recitals make clear that where processing is carried out by a group of undertakings, the establishment of the undertaking in the EU with overall control over the EU establishments should be considered to be the main establishment for the group: “whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented.”

Legislative history

The above interpretation is supported by the legislative history of the relevant provisions.

The definition of "main establishment" in the EC’s initial proposal very much deviated from the final provision in the GDPR; initially, the main establishment of the controller was the place of its establishment "in the EU where the main decisions as to purposes and means are made," and in contrast for processors, the "place of its central administration."

The interpretation now given by the CNIL was therefore fully in line with the definition in the Initial Proposal, but this provision changed drastically thereafter. Note that already in this first draft the "place where decisions are taken" (for controllers) was meant to have a different meaning from the "place of central administration" (for processors).

The European Data Protection Supervisor (EDPS) recommended in respect of the definition of "controllers" to refine the criteria to identify a controller’s main establishment: "taking into account the ‘dominant influence’ of one establishment over others in close connection to the power to implement personal data protection rules or rules relevant for data protection. Alternatively, the definition could focus on the main establishment of the group as a whole."

In other words, according to the EDPS it is not so much the decisions on purposes and means that should be relevant, but rather the power to get data protection rules implemented (i.e. "dominant influence").

This input was subsequently taken to heart in the later versions of the definition, ultimately making the place of central administration the main establishment also for controllers (aligning this with the connecting factor for processors).

Impact on EU headquartered companies

The CNIL's decision also impacts the one-stop shop for EU companies, in cases where decisions about the purposes and means of a cross-border processing activity are not made by the EU headquarters but by a local subsidiary.

The requirement of the CNIL that the "place of central administration" also decides on purposes and means will lead to a mutually exclusive situation where no lead SA can be identified at all: the main option (place of central administration) would not apply, since the EU headquarters does not make these decisions, but neither would the alternative option (establishment making the decisions), since the local subsidiary would not have the power to implement them.

This interpretation is at odds with the rationale for the one-stop shop mechanism, which is clearly intended to always lead to a main establishment for a cross-border processing activity. This also follows from the drafting of the definition, where the options are not equal alternatives: the main option is intended to be the default solution, unless the alternative option applies.

Again, the construction is only consistent if the place of central administration is understood as the place where corporate control is exercised and compliance can be streamlined across establishments.

photo credit: Sieboldianus Animated Map of geotagged Flickr photos (Europe), 2007-2017 via photopin (license)

Editor's Note:

This blog is a summary version of a full article published on SSRN.

7 Comments


  • Lucia Canga Roza • Feb 22, 2019
    This article is super interesting, thank you so much Lokke for your contribution. I believe that the situation of Google in the CNIL's decision is equivalent to the one of non-EU based companies that sell goods, provide services or target the EU without having an establishment in the EU. These are usually companies that have appointed an EU Representative, and cannot benefit from the one-stop-shop principle either. Are these situations even comparable? Do both deserve a similar treatment?
  • Toine Stokkermans • Feb 22, 2019
    Interesting analysis (as always), though how will we eventually get more clarity, or even more important, make the promised simplification of a one-stop-shop more widely available to non-EU headquartered companies?
  • Simon Hania • Feb 22, 2019
    Can't say I disagree with Lokke on this. Largely unnoticed: Dutch DPA recently deemed Uber US (Uber Technologies Inc) and Uber in NL, the EU main establishment (Uber B.V.) "joint controllers", rather than EU=controller/US=processor.
    Only published in Dutch though: https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boetebesluit_uber.pdf
  • Ian Williams • Feb 25, 2019
    Really interesting article but I wonder how this plays into the EDPB's final paragraph in supervisory authority's that "The GDPR’s cooperation and consistency mechanism only applies to controllers with an establishment, or establishments, within the European Union. If the company does not have an establishment in the EU, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. This means that controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative."  With Brexit looming I just wonder how this will play out for many UK data controllers with subsidiaries in the EU.  On the face of it this seems to suggest that non-EU companies may find themselves subject to any enforcement action by any supervisory authority in the jurisdiction their representatives are based.
  • Emma Butler • Feb 25, 2019
    I agree with Lokke on this one, but the CNIL decision is not surprising given the resistance from all DPAs to having another authority make decisions on processing affecting their citizens. It has always been the case that some DPAs simply don't trust other authorities and insist they must have the independence to take any action they like where their citizens are affected, regardless of what the law says or the resulting impact on companies and an effective, consistent enforcement approach. Response to Lucia's comment: in this case Google has an EU HQ in Ireland, so it is not the same as non-EU companies having no establishments and only a representative.
  • Lokke Moerel • Feb 26, 2019
    Thank you for the comments posted here as well as to those who emailed me with their views or posted these on LinkedIn. I will not be able to respond to all comments individually. If I summarize the reactions, the gist is that the senders acknowledge that the 1SS is intended as described in the article, but are VERY concerned that for political and practical reasons the 1SS works against protection of individuals rather than enhancing the efficiency by enabling EU-wide enforcement as it is intended. Issues that are highlighted are that due to lack of funding and staffing, quite some SAs cannot properly enforce the GDPR in their territory, let alone act as lead SA for 1SS purposes. Another reality highlighted is that some member states have given 'a foot and an arm' to get tech companies to establish their European headquarters in their territory, and for that reason do not seem inclined to empower their SAs sufficiently as this would potentially undermine these efforts. The thinking is that you need the SA of ANOTHER member state to go after these companies, not being hindered by national political and economic self-interests of the country of establishment.
    
    To those who expressed these concerns, I want to respond that I do of course see that there currently are many practical issues that hinder the 1SS to work efficiently. My take, however, is that if you facilitate from the start that some SAs cannot live up to their role, and basically have other SAs take over their tasks, they will never be empowered to do so. We should give the system a chance, by putting maximum pressure on countries to make sure their SAs can live up to what is expected of them. I think we need to take a longer term vision and strategy to improve enforcement, as was adopted by the EU legislators in the GDPR. I further give more credit than some to the SAs in the various countries being able to act independently from their national governments. Again, if there is an issue in this respect, this should be raised rather than other SAs taking over their role. The EDPB is well placed to put pressure on these SAs to fulfill their responsibilities. In case of a lack of required staff and expertise, Article 62 further provides adequate options for the SAs to organize joint investigation and enforcement operations, very much like the WP29 coordinated these in the past.
  • Alex Krylov • Mar 3, 2019
    Lokke, thank you very much for not only the excellent analysis, but also your insightful response in comments. The CNIL appears to put their finger on the scale. Deserving or not, other US companies with offices in the may feel disenfranchised by the decision. In your view, if all was fair and right in the universe, what would the Irish DPC, the EDPB or other powers do to set the scales back to neutral?