On 13 January 2021, the Advocate General (AG) of the Court of Justice of the European Union (CJEU) issued an important opinion in the case of Facebook Belgium v Gegevensbeschermingsautoriteit (C-645/19) which considers the vital role of the GDPR’s one-stop-shop mechanism. The AG’s opinion unequivocally affirms the significance of the role of the lead supervisory authority (LSA) in being the primary investigator and enforcer of data protection law within the EU, while at the same time acknowledging the active role that other supervisory authorities concerned (SAC) have in scrutinising organisations’ compliance with the GDPR.
Background
In 2015, the Belgian Privacy Commission (now the Belgian DPA) first commenced proceedings against Facebook in its local courts. The Commission alleged that Facebook had unlawfully collected and used personal data relating to the private browsing information of Internet users in Belgium, through the use of cookies and similar technologies.
While the initial proceedings related to alleged violations of the now repealed Directive 95/46/EC, following various appeals made by Facebook since 2015, the current proceedings are instead concerned with the GDPR. On that basis, Facebook contends that since the one-stop-shop mechanism has now become operational, the Belgian DPA is no longer competent to act on this matter because Facebook’s LSA is the Irish Data Protection Commission. This resulted in the Belgian court referring to the CJEU a number of questions which have implications well beyond the parties involved in the original proceedings.
The most important of these questions is whether the GDPR permits a supervisory authority to bring proceedings before its national courts in connection with alleged infringements of the regulation by an organisation where it is not the lead supervisory authority, or whether the one-stop-shop mechanism instead prevents such proceedings from being brought.
Upholding the role of the LSA
In response to this question, the AG stated that, while an SAC can bring proceedings in its own national courts, this right is subject to the GDPR's one-stop-shop, co-operation and consistency mechanisms. As the AG further explained, this confirms that as a general rule the LSA is the competent authority, and the power of SACs to bring action against an organisation is the exception.
Assuming that the CJEU agrees with the AG's opinion, then where an organisation can demonstrate that it has an LSA for its cross-border processing, SACs within the EU may be prevented from taking direct action against it for alleged infringements of the GDPR, except in certain limited circumstances. According to the AG, the circumstances allowing for SAC action include:
- When supervisory authorities act outside the material scope of the GDPR, for instance because the processing does not involve personal data or is specifically excluded by Article 2 of the GDPR.
- Where the processing is necessary for compliance with a legal obligation, in the public interest or in the exercise of official authority.
- Where processing is carried out by controllers that have no establishment in the European Union.
- In exceptional circumstances, where an SAC considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects (in accordance with Art. 66 GDPR).
- Where the LSA decides not to handle the case.
Preventing under-enforcement
Amongst the specific concerns raised by the Belgian DPA in its submissions was the risk of under-enforcement if only LSAs could take action against organisations that have not complied with the GDPR. This argument was robustly dismissed by the AG, who considers that the GDPR already provides appropriate mechanisms to address any risk of under-enforcement.
The AG particularly emphasised the rights of SACs under Art. 61 GDPR. These include the ability to request mutual assistance from the LSA in investigating allegations of non-compliance and, where that assistance is not provided, the SAC may take its own independent action under the GDPR's urgency procedure (Art. 66 GDPR).
Interaction between the ePrivacy Directive and GDPR
In addition to providing his opinion on the specific questions referred to the CJEU, the AG also offered interesting and potentially significant commentary on the interaction between the GDPR and other legislative frameworks. The AG stated that given the context of the present case, data processing activities may fall within the scope of more than one legislative instrument and in such circumstances all of the instruments will apply at the same time.
We can potentially infer from this commentary that where an alleged infringement involves both the GDPR and another law, such as the ePrivacy Directive (which is likely to be the case in the context of cookie compliance), the GDPR's one-stop-shop, co-operation and consistency mechanisms would still apply.
Impact of the CJEU decision
The CJEU's decision is still several months away, but taking into account the AG's line of reasoning, it is likely to have a number of potentially significant impacts, including:
- Re-emphasising the importance of organisations having a clear understanding of the identity and crucial role of their LSA and which other supervisory authorities may be concerned with their cross-border processing activities.
- Establishing the role that SACs still play in monitoring GDPR compliance and their ability to take direct enforcement action in certain circumstances. So, while the main focus of regulatory outreach and interaction is still on the LSA, organisations should continue to proactively engage and co-operate with SACs that are most likely to be relevant to their processing activities.
- Ensuring that SACs pay close attention to the mechanisms provided under the GDPR for taking action where they may feel an LSA has failed to adequately do so.
- Challenging the competence of national authorities who wish to take action without consideration of the one-stop-shop mechanism, in particular for matters covered by the ePrivacy Directive where there are also parallel implications under the GDPR.