On January 13, 2021, the Advocate General (“AG”), Michal Bobek, of the Court of Justice of the European Union (“CJEU”) issued his Opinion in Case C-645/19 Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”).  The AG determined that the one-stop shop mechanism under the EU’s General Data Protection Regulation (“GDPR”) prevents supervisory authorities, who are not the lead supervisory authority (“LSA”) of a controller or processor, from bringing proceedings before their national court, except in limited and exceptional cases specifically provided for by the GDPR.  The case will now move to the CJEU for a final judgment.

Background

While the background of this case goes back to 2015, long before the GDPR came into force in 2018, the primary question the CJEU considered was whether supervisory authorities can circumvent the one-stop-shop (“OSS”) mechanism by relying on Article 58(5) of the GDPR, which allows them to bring controllers and processors before judicial authorities (rather than launching an administrative procedure subject to the OSS).

AG Opinion

In his opinion, the AG considered that the LSA has a “general competence” over cross-border processing, including commencing judicial proceedings for breaches of the GDPR.  While any supervisory authority has the power to commence proceedings against possible infringements affecting their territories, this power is limited in cases of cross-border processing to enable the LSA to exercise its regulatory role.  As the AG explains, any other interpretation would render the OSS mechanism void: “permitting supervisory authorities freely to go before their national courts, when they cannot use their administrative powers without going through the cooperation and consistency mechanisms set out in the regulation, would pave the way for an easy circumvention of those mechanisms” (paragraph 72).

However, the AG emphasized that the LSA cannot be deemed the “sole enforcer of the GDPR in cross-border situations” and must closely cooperate with other concerned supervisory authorities (“CSAs”).  The AG proposes that supervisory authorities that are not the controller’s or processor’s LSA can only commence proceedings before their national courts in exceptional cases where the GDPR expressly permits them to do so.  For example, where supervisory authorities are:

  • acting outside the material scope of the GDPR (e.g., because the processing does not involve personal data, or involves personal data that is not within the scope of the GDPR);
  • investigating cross-border processing carried out by public authorities; in the public interest; in the exercise of official authority; or by controllers not established in the EU;
  • adopting urgent measures, in accordance with Article 66 of the GDPR; or
  • intervening following a decision of the LSA not to handle a case.

The AG further considered that the current OSS system is new and remains to be tested, asserting that: “[p]ractical experience might, one day, reveal genuine problems with the quality or even the level of legal protection inherent in the new system.  However, at present, any such issues remain at the level of conjecture” (paragraph 107).  The AG concludes that a textual, teleological, and historical approach to interpreting the GDPR confirms the importance of the OSS and the general competence of the LSA with regard to cross-border data processing.

Next Steps

The CJEU will now take a decision on the case, and their final judgment is expected in the coming months.  Although the CJEU will take into account the AG’s opinion, it is not legally binding on the Court.  After the CJEU has issued a final judgment, the case will return to the Belgian Court of Appeal for it to issue a decision in accordance with the CJEU’s ruling.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Shóna O’Donovan

Advising clients on a broad range of data protection, e-privacy and online content issues under EU, Irish, and UK law, Shóna O’Donovan works with her clients on technology regulatory and policy issues.
With multi-jurisdictional and in-house experience, Shóna advises global companies on complying with data protection laws in the EU. In particular, she represents organizations in regulatory investigations and inquiries, advises on children’s privacy issues and provides strategic advice on incident response. Shóna also advises clients on policy developments in online content and online safety.

In her current role, Shóna has gained experience on secondment to the data protection team of a global technology company. In a previous role, she spent seven months on secondment to the European data protection team of a global social media company.

Shóna’s recent pro bono work includes providing data protection advice to the International Aids Vaccine Initiative and a UK charity helping people with dementia, and working with an organization specializing in providing advice to states involved in conflict on documenting human rights abuses.

Marianna Drake

Marianna Drake is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence and online platforms. Her practice encompasses regulatory compliance and advisory work. Marianna also advises clients on policy developments in online content and online safety.