Facebook/Belgian DPA: Landmark ruling on cross-border enforcement under the GDPR

On 15 June 2021, the CJEU delivered an important judgment on the one-stop-shop mechanism. While the CJEU reinforced that the lead supervisory authority is the sole interlocutor in cross-border processing operations, it also contributed to the effective enforcement of the GDPR by reiterating the conditions under which supervisory authorities other than the lead supervisory authority can bring enforcement actions against such processing operations.

Introduction

On 15 June 2021, the Court of Justice of the European Union (“CJEU”) delivered an important judgment on the one-stop-shop mechanism in Facebook/Belgian DPA. While the CJEU reinforced that the lead supervisory authority (“Lead DPA”) is the sole interlocutor in cross-border processing operations, it also contributed to the effective enforcement of the General Data Protection Regulation (“GDPR”) by reiterating the conditions under which supervisory authorities other than the lead supervisory authority (“Concerned DPA”) can bring enforcement actions against such processing operations. On its face, the judgment appears to be rather technical, but the controversial aspects lie in the consequences arising from it. The judgment must be seen against the backdrop of growing criticism over the lack of enforcement by certain Data Protection Authorities (“DPA”), especially the Irish Data Protection Commissioner.

Origin of the case

In September 2015, the “Belgian DPA” brought legal proceedings against Facebook Ireland, Facebook Inc. and Facebook Belgium (“Facebook”), alleging that Facebook systematically violated data protection law by tracking the browsing behaviour of Belgian Facebook users and non-users without their consent. The Belgian DPA sought an injunction against Facebook in an effort to put an end to the alleged serious and large-scale illegal tracking. As the main establishment, Facebook Ireland was responsible for all processing operations within the European Union (“EU”), while Facebook Belgium was primarily responsible for lobbying in Brussels and advertising and marketing in Belgium.

In February 2018, the Belgian Court of First Instance ruled in favour of the Belgian DPA, after which Facebook quickly launched an appeal with the Belgian Court of Appeal. Referencing the one-stop-shop mechanism, Facebook argued that the Irish DPA was the Lead DPA and thus exclusively competent to initiate legal proceedings against Facebook Ireland before the Irish courts, while the Belgian DPA was the Concerned DPA and should have waited its turn. The appeal gave rise to questions concerning the one-stop-shop mechanism, cross-border enforcement and enforcement cooperation. Even though the legal proceedings were initiated before the GDPR became applicable, the one-stop-shop mechanism was called into question because the alleged violations continued to exist under the GDPR. The Belgian Court of Appeal referred six preliminary questions to the CJEU.

Findings of the Court

Among its six questions, the Belgian Court of Appeal essentially asked whether the GDPR poses a barrier to Concerned DPAs, preventing them from undertaking enforcement actions against cross-border processing operations.

Setting the stage, the CJEU repeated the core objective of the GDPR: protecting fundamental rights and establishing the internal market by ensuring its consistent and homogenous application. Among its many offerings, the GDPR erects a multifaceted enforcement scheme, which not only includes the one-stop-shop mechanism but also calls for mutual assistance between and joint operations of DPAs.

The CJEU explained that in cases of cross-border processing operations, the one-stop-shop mechanism streamlines the enforcement process by declaring a Lead DPA exclusively competent to undertake enforcement actions. Concerned DPAs can undertake such actions only in one of two exceptional cases:

  • They are competent to handle complaints concerning cross-border processing operations where the complaints concern only an establishment within their territory or substantially affect only data subjects within their territory. The GDPR provides as an example the processing of employees’ personal data in the specific employment context within a specific Member State.
  • They are competent to adopt provisional measures where they consider it urgent to act against cross-border processing operations.

Notwithstanding these general rules, DPAs need to endeavour towards sincere and effective cooperation. This essentially means that they need to work together, though the Lead DPA remains in control. Against that backdrop, the CJEU concluded that Concerned DPAs are not competent to undertake enforcement actions against unlawful cross-border processing operations in cases other than those expressly covered by the GDPR. Besides, Concerned DPAs need to act in line with the cooperation and consistency procedures in the GDPR.

Furthermore, the CJEU set aside the Belgian DPA’s criticism that such an interpretation encroaches on fundamental rights. First, the one-stop-shop mechanism takes nothing away from Concerned DPAs’ responsibility to contribute to the protection of the fundamental right to privacy and data protection. Concerned DPAs need to assume full responsibility for such protection to effectively protect data subjects and prevent forum shopping.

One may question the efficacy of such protection when the current reality is that overburdened, underfunded and understaffed Lead DPAs, in particular the Irish Data Protection Commissioner, are exclusively competent to oversee major technology companies. Most major technology companies are based in Ireland and, as a result, put under the oversight of the Irish Data Protection Commissioner, who has long been criticised for being too lenient and taking too long to decide on cases. The risk of forum shopping and enforcement bottlenecks lingers.

Second, the one-stop-shop mechanism does not pose barriers to data subjects’ right to an effective legal remedy; even more so because the GDPR allows several methods for Concerned DPAs to assert control over cross-border processing operations. They are competent to:

  • initiate legal proceedings against unlawful cross-border processing operations where the Lead DPA refrains from addressing such conduct;
  • adopt provisional measures where the Lead DPA does not respond to their requests for mutual assistance; and
  • submit general matters and matters producing cross-border effect to the European Data Protection Board. In turn, the European Data Protection Board can issue an opinion or binding decision on the matter. Following an affirmative opinion or decision, Concerned DPAs can initiate legal proceedings against unlawful cross-border processing operations.

Conclusion

Depending on whom you ask, the judgment is a huge victory either for DPAs and data subjects, or for controllers and processors. The CJEU’s relatively nuanced approach appears to have been aimed at reconciling competing pressures. The Belgian DPA heralded the judgment, stating that “it is important that authorities retain the ability to act on behalf of users”, whereas Facebook interpreted the judgment as confirmation that Concerned DPAs have little room to derogate from the one-stop-shop mechanism.

Even though the practical implications of the judgment have not yet materialised, we could see improved liaising between DPAs, with smaller Lead DPAs potentially letting larger Concerned DPAs take over some of their cases. Alternatively, we could see larger Concerned DPAs conducting most of the preparatory investigations before providing mutual assistance to smaller Lead DPAs, which would then only need to adopt a decision. That being said, the judgment may have a polarising effect, with larger Concerned DPAs adopting provisional measures as they please, arguing that smaller Lead DPAs did not respond in time to their request for mutual assistance.

What is clear is that it is time for the European Data Protection Board to position itself more firmly as the lynchpin in enforcement cooperation. Besides, the European Data Protection Board should communicate more clearly about how DPAs cooperate on cross-border processing operations from beginning to end. Meanwhile, controllers and processors are well advised to take stock of their cross-border processing operations, identify their respective interlocutors, and prepare strategic policies for when Concerned DPAs come knocking on their door.

With special thanks to Jolijn Gijsen.