Following up on our article on the Lead Supervisory Authority (Lead SA), we look at how the recent decision of the Court of Justice of the European Union in the Facebook versus Belgian DPA case clarified that, under certain conditions, supervisory authorities other than the Lead SA can initiate legal proceedings against cross-border data processing operations that violate the GDPR.
“A supervisory authority of a Member State, which […] has the power to bring any alleged infringement of the GDPR to the attention of a court of that Member State […], may exercise that power in relation to an instance of cross‑border data processing even though it is not the ‘lead supervisory authority’.” – Court of Justice of the European Union, Case C‑645/19
The history behind the case
Facebook, like most of the Big Tech companies, has its main establishment (head office) based in Ireland. This has made the Irish Data Protection Commissioner (DPC) the Lead SA that regulates their data processing on a pan-European level. At the same time, the Irish DPC is the most disputed Data Protection Authority (DPA) in the EU, having been accused many times of overlooking complaints about GDPR infringements by such companies. It has received criticism from privacy professionals, activists and other DPAs for its insufficient decision-making on GDPR matters, but has repeatedly rejected such criticism.
In 2015, the Belgian Privacy Commission found that Facebook was using cookies and other means to illegally collect information on the browsing behaviour of Belgian citizens, regardless of whether they had a Facebook account or not. Given the inactivity of the Irish Authorities, the Belgian DPA decided to bring the case in front of the Belgian courts, seeking to put an end to such collection of data. The Belgian court published its decision in 2016, recognising its jurisdiction and the illegitimacy of Facebook’s processing activities.
In 2018, Facebook appealed against the aforementioned decision and the GDPR came into force, establishing the one-stop-shop mechanism. According to this mechanism, in cases of cross-border processing of data by a company there may be many DPAs concerned, but only one, the Lead SA, is in charge of investigating complaints and enforcing the GDPR for that specific company. In that way, clarity and consistency are achieved, as controllers and processors deal only with one DPA and not with multiple. However, the mechanism allows some leeway for other national privacy regulators to make decisions when a) “there is an urgent need to act in order to protect the rights and freedoms of data subjects” (urgency procedure) or b) the violations are limited to a specific country (see: art. 56.2). Based on the second exemption, Google and H&M have received fines from the French and the German DPAs respectively.
In the light of the one-stop-shop mechanism, under which the Irish DPC is the Lead SA for Facebook, the Belgian Court of Appeal was unsure of whether it had the jurisdiction to issue a decision. For this reason, it raised a preliminary question to the Court of Justice of the European Union (CJEU), which led to a landmark decision on the cross-border enforcement of the GDPR.
The preliminary questions
Every time an EU member state’s national court needs to apply European law but has doubts about its interpretation, it can raise a preliminary question to the CJEU. The CJEU decides on the right interpretation and responds to the question. Its decision creates case law that is binding both for the court that issued the question and for the other national courts in case they deal with a similar case in the future, but does not solve the case in question; this task still belongs to the national court.
Based on this possibility, the Belgian Court of Appeal asked the CJEU six preliminary questions, the most important of them being:
- Is being the Lead SA a condition for a DPA to exercise the powers of article 58.5 GDPR (power to commence legal proceedings in front of the national courts), in cases of cross-border processing activities that violate the GDPR in its member state?
- Does article 58.5 GDPR have direct effect, so that it can be relied upon by the national supervisory authority to initiate or continue proceedings against private parties, even if article 58.5 of the GDPR has not been specifically transposed in the legislation of the Member States?
First, Facebook argued that allowing concerned DPAs to freely bring claims before national jurisdictions is against the one-stop-shop mechanism of the GDPR, according to which the Irish supervisory authority is the Lead SA for its cross-border processing activities and the Belgian DPA should therefore be regarded as a supervisory authority concerned, with which the Lead SA should cooperate in the context of its enforcement actions.
Second, Facebook invoked the risk of judicial fragmentation. The company argued that looking at the question at hand from a consistency point of view, an opposite ruling of the court would allow for the creation of significant contradictions between the decisions of the national courts and the Lead SA, and, therefore, would lead to the one-stop-shop mechanism existing only on paper.
Belgian DPA’s arguments
As already mentioned, the GDPR provides some exemptions to the one-stop-shop mechanism, based on which national agencies are allowed to act in their own country. The Belgian DPA relied on this to develop its legal argument: it is the existence of precisely these exceptions that proves that the one-stop-shop mechanism is not as inflexible as Facebook would argue, and it is in accordance with the purpose of the GDPR to set it aside in certain cases.
Moreover, the Belgian DPA presented to the court its opinion that national watchdogs should be able to fight for their citizens’ right to data protection and privacy in general, and that preventing them from doing so, especially in cases where the Lead SA shows little willingness to take action, would force people to file private lawsuits, thus making the claiming of their rights a privilege.
Findings of the EU Court of Justice
First, the CJEU reiterated the importance of the one-stop-shop mechanism and repeated that enforcement in cases of cross-border processing of data must be examined only by the appointed Lead SA, except if one of the two exceptions applies.
However, the court gave special importance to the obligation of mutual assistance between the Lead SA and the concerned ones: the Lead SA must proceed with essential dialogue with the other authorities, it may not ignore their opinions, and any relevant and reasoned objection made by one of the other supervisory authorities has the effect of blocking, at least temporarily, the adoption of the draft decision of the Lead SA. In short, the Lead SA remains in control but has to work together with the concerned authorities in a sincere and effective way.
What happens when the Lead SA does not cooperate properly with the concerned DPAs? They have the right to:
- initiate legal proceedings against such operations, if the Lead SA refrains from addressing the complaint about cross-border processing operations;
- adopt provisional measures, if the Lead DPA does not respond to their requests for mutual assistance;
- submit the matter to the European Data Protection Board. The European Data Protection Board can then issue an opinion or binding decision on the case. Following an affirmative opinion or decision, concerned DPAs can initiate legal proceedings against unlawful cross-border processing operations.
Second, the CJEU found that for a concerned SA to exercise its powers in relation to a case of cross-border processing of data, it is not a condition that the controller or processor has its main establishment or another establishment on the territory of that member state. The only prerequisite is that the controller or processor has an establishment in the EU so that it falls within the territorial scope of the GDPR.
Moreover, the CJEU recognised that article 58.5 has a direct effect. Consequently, a DPA may rely on that provision to bring or continue legal action against private parties, even when it has not been specifically transposed in the legislation of the member state.
So… who won?
There is no clear win for either side. The court’s intent was not to directly solve the matter in favour of one of the opposing parties but to provide the DPAs with general guidelines on the interpretation of the GDPR. On the one hand, one could argue that this decision confirmed that national authorities retain the ability to act on behalf of users and their citizens. On the other hand, controllers and processors can interpret the judgment as confirmation that concerned DPAs have little room to deviate from the one-stop-shop mechanism.
What does the case mean …
… for DPAs? For those that heralded the judgement as a win for the Belgian side, it could mean the beginning of a new era of cooperation between the DPAs. Following their obligation of mutual assistance, smaller Lead SAs could start letting larger concerned DPAs handle some of their cases. On the same note, larger concerned DPAs could in some cases conduct most of the preparatory investigations before providing mutual assistance to smaller Lead SAs, which would then only need to adopt the final decision.
Through this decision of the CJEU, it became apparent that the European Data Protection Board needs to communicate more clearly how DPAs should cooperate on cross-border processing operations. The mutual assistance obligation raises a lot of practical questions, and the DPAs could use some proper guidance on how they should conduct it from start to finish.
… for controllers and processors? They should identify not only their Lead SA but also the concerned ones, and always be prepared to be investigated by any of them. The case is important not only for Facebook but for all the U.S. tech companies, such as Google and Microsoft, because it has the potential to unleash a flood of investigations by all national DPAs into their processing activities.
… for GDPR enforcement? The decision came in a period of enforcement paralysis. According to the 2021 report on the DPAs by the Irish Council for Civil Liberties, Ireland is still the big bottleneck, despite funding increases. A fifth of all complaints referred between DPAs is referred to the Irish DPC, which has left 98% of major EU cases undecided.
In July 2021, one month after the publication of the decision of the CJEU, the European Data Protection Board, following the request from the Hamburg DPA to adopt urgent measures against Facebook, adopted its first binding decision pursuant to the urgency procedure. According to the Board, the Hamburg DPA did not prove that it requested information or assistance from the Irish DPA and did not receive it. For this reason, it ruled that what was required was not final action against Facebook, as requested by the Hamburg DPA, but for the Irish Authority to conduct an investigation. It was a clear win for Facebook and the Irish DPC.
In the light of the above, it is evident that the decision of the court could not be more relevant. Even though it was not a clear win for the Belgian DPA, it still created room for concerned DPAs to pursue Big Tech and set the basis for an interpretation of the GDPR that is friendly to data subject rights.
The decision of the CJEU on the Facebook/Belgian DPA case is a landmark ruling on cross-border enforcement. It established that, under certain conditions, the one-stop-shop mechanism is not incompatible with allowing the concerned DPAs to bring cases of unlawful cross-border processing to the national courts. Even though it shed a lot of light on the subject of mutual assistance between the DPAs, it also made evident that more guidance is needed.