In its recent decision of June 15, 2021, involving Facebook and the Belgium Data Protection Authority (“DPA”), the European Court of Justice (the “ECJ” or the “Court”) clarified the conditions under which the non-lead supervisory authorities may exercise their powers in the context of cross–border processing of personal data.
According to this decision, under certain circumstances, a national supervisory authority still has the power to bring any alleged infringement of the GDPR before a court of a Member State, even though that authority is not the lead supervisory authority with regard to that processing.
1. Background information
1.1. Reminder of what the one-stop-shop mechanism consists of
The General Data Protection Regulation (GDPR) provides for the one-stop-shop mechanism when processing operations are carried out across or concerns data subjects in more than one Member States (i.e. cross-border processing).
In practice, this mechanism allows controllers or processors of cross-border processing operations to interact with only one supervisory authority throughout the EU (i.e. the Lead Supervisory Authority). The Lead Supervisory Authority is the authority of the Member State where the main establishment of the controller or processor is located. This authority take the lead when it comes to audit, fines etc.
However, the other concerned national authorities are still involved in the decision-making process through the consistency mechanism (see here for more details about the one stop shop).
1.2. The issues with the One-stop-shop mechanism
Some authorities (e.g. German ones) have recently complained about other authorities such as Ireland and Luxembourg for being too lenient and not serving fines on the big tech companies where the latter have their main establishment. Therefore, we may suspect that they tried to find loopholes in the regulation to sanction directly infringing companies.
For example, the CNIL managed to serve a 100 million and 35 million euros fine, respectively, on Google and Amazon for breach of the cookies rules on the basis that, cookies issues are under the scope of the e-privacy directive and, in this case, the one-stop-shop mechanism provided for in the GDPR does not apply. (see here)
Now, it seems this the turn of the Belgian DPA to find a loophole and exercise its power directly.
1.3. The proceeding
In september 2015, the Belgian DPA brought an action before the competent Belgium Court against Facebook Ireland, Facebook Inc. and Facebook Belgium, in order to end an alleged data protection infringements by Facebook.
Those infringements consisted of the collection and use of information on the browsing behaviour of Belgian internet users, whether or not they were Facebook account holders, by means of various technologies, such as cookies, social plug–ins or pixels.
After an appeal of Facebook, the Court of Appeal or referring Court was not certain as to whether the Belgium DPA was still competent given that it brought an action before the entry into force of the GDPR (25 May 2018) and Facebook Ireland has been identified as the controller of these processing operations.
Indeed, if we applied strictly the one-stop-shop mechanism under the GDPR, it is a cross-border data processing carried out by Facebook Ireland, its main establishment and therefore, the Irish DPA should be the lead authority.
Besides, the CNIL reasoning on the cookies could not apply because the case concerned subsequent processing operations to the access and storage of personal data in the users’ terminal by means of cookies.
2. Findings of the Court
2.1. A non-lead supervisory authority may bring a GDPR infringement before a court
The Court considers that a supervisory authority of a Member State may bring any alleged infringement of the GDPR before a court of that Sate and to initiate in legal proceedings in relation to a cross-border data processing, even though this supervisory authority is not the lead supervisory authority.
However, it may exercise that power only in one of the situations where that regulation confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation, and that the cooperation and consistency procedures laid down by that regulation are respected.
Indeed, the GDPR provides for exceptions to the one-stop-shop rules in order to avoid the so-called “forum shopping”, for example, in case of emergency or if the Lead Supervisory Authority does not cooperate as required under the GDPR.
In this case, the ECJ recalls that it is for the referring court to determine whether it fall within one of these exceptions but also adds that the DPA in April 2019 asked the Data Protection Commissioner (Ireland) to respond to its request as expeditiously as possible, but no response was provided.
2.2. The Authority may bring an action against either of the controller or its main establishment regardless of their location in the European Union
The ECJ ruled that it was not a prerequisite that the controller with respect to the cross-border processing of personal data against whom such proceedings are brought has a main establishment or another establishment on the territory of the Member State of that Authority.
It may bring an action (or exercise its power) against the main establishement (i.e. the controller of the processing activities) or against another establishment of that controller provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power.
In this case, Facebook raised the issue that the DPA could not bring an action against Facebook Belgium since Facebook Ireland was the main establishment and the sole controller.
The ECJ recalls that Facebook Belgium was an establishment created in Belgium primarily, to allow the Facebook group to engage with the EU institutions and, secondarily, to promote the advertising and marketing of that group to people residing in Belgium.
Because of that second purpose, it was considered that the cross-border data processing carried out by Facebook Ireland was also carried out in the context of the activities of the Facebook Belgium establishment and therefore an action could also be brought against it. (see also the case Google Spain).
For a full reading of the decision click here
For any question or help, contact Arnaud Blanc