On 13 January 2021, CJEU Advocate General Michael Bobek issued his non-binding opinion (the “Opinion”) in the ongoing dispute between Facebook and the Belgian Data Protection Authority about the scope of a domestic DPA’s powers in relation to cross-border processing.
The Opinion appears, at one level, clear in that “the competence of the LSA [the Lead Supervisory Authority] is the rule, and the competence of other supervisory authorities is the exception” and that “It is clear that one-stop shop is meant to be the procedure to be followed when enforcement action against cross-border processing is necessary”.
In other words, in any case which fits the definition of cross-border processing in Article 4(23) GDPR, and where there is a competent Lead Supervisory Authority (“LSA”), the one-stop-shop principle will apply. Other interested DPAs should therefore both respect the competent LSA and cooperate with it under Article 60 (and of course generally comply with Articles 51(2) and 63 in terms of ensuring consistent application of the GDPR), as opposed to going their own way with domestic enforcement, be it court action or their own investigations.
The Opinion does however set out a number of exceptions to this principle which indicate that the GDPR’s LSA principle is not an absolute barrier to domestic DPAs taking action. A couple of highlights, by way of illustration rather than an exhaustive list:
First, where the relevant company does not have a main establishment in the EU for the purposes of Article 56 and thus lacks an LSA. Post-Brexit (with many companies arguably having their “main establishment” in the UK and not in the EU), this is likely to be a significant area of challenge. Whilst it is a good idea to re-assess where your LSA might be, companies need to recognise that domestic DPAs might well challenge any claim to an apparent LSA that does not quite fit with Article 56 (and the EDPB’s related guidance).
Second, the AG specifically mentions a data subject’s right to bring proceedings directly against controllers or processors before the courts of the Member State in which they reside (as per Article 82 GDPR) and to lodge a complaint with the DPA of the Member State in which they reside (as per Article 77 GDPR). So the best laid plans for using your LSA to reduce administrative hassle can soon go awry through the behaviour of savvy data subjects.
We have further seen in some high-profile cases involving a number of DPAs across the EU that DPAs are willing, when it suits them (and no doubt in the interests of protecting data subjects), to take ownership of a case themselves despite there being material one-stop-shop arguments. While this Opinion, if followed by the CJEU, might bring some welcome clarity on the one-stop shop, it is possible that some DPAs will still treat the exceptions the AG mentions as an opportunity to “fit” a case within them and take control themselves as they see fit. This is simply a fact of life that controllers and processors around the EU need to get used to.
Note also that post-Brexit the ICO is no longer within the LSA framework, so any breach that involves the UK and any other EU Member State will at least involve the ICO, as well as either the EU LSA or possibly multiple EU DPAs.