On January 13, 2021, the Advocate General (“AG”), Michal Bobek, of the Court of Justice of the European Union (“CJEU”) issued his Opinion in Case C-645/19 Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”).  The AG determined that the one-stop shop mechanism under the EU’s General Data Protection Regulation (“GDPR”) prevents supervisory authorities, who are not the lead supervisory authority (“LSA”) of a controller or processor, from bringing proceedings before their national court, except in limited and exceptional cases specifically provided for by the GDPR.  The case will now move to the CJEU for a final judgment.

Background

While the background of this case goes back to 2015, long before the GDPR came into force in 2018, the primary question the CJEU considered was whether supervisory authorities can circumvent the one-stop-shop (“OSS”) mechanism by relying on Article 58(5) of the GDPR, which allows them to bring controllers and processors before judicial authorities (rather than launching an administrative procedure subject to the OSS).

AG Opinion

In his opinion, the AG considered that the LSA has a “general competence” over cross-border processing, including commencing judicial proceedings for breaches of the GDPR.  While any supervisory authority has the power to commence proceedings against possible infringements affecting their territories, this power is limited in cases of cross-border processing to enable the LSA to exercise its regulatory role.  As the AG explains, any other interpretation would render the OSS mechanism void: “permitting supervisory authorities freely to go before their national courts, when they cannot use their administrative powers without going through the cooperation and consistency mechanisms set out in the regulation, would pave the way for an easy circumvention of those mechanisms” (paragraph 72).

However, the AG emphasized that the LSA cannot be deemed the “sole enforcer of the GDPR in cross-border situations” and must closely cooperate with other concerned supervisory authorities (“CSAs”).  The AG proposes that supervisory authorities, who are not the controller or processor’s LSA, can only commence proceedings before their national courts in the exceptional cases, where the GDPR expressly permits them to do so.  For example, where supervisory authorities are:

  • acting outside the material scope of the GDPR (e.g., because the processing does not involve personal data or personal data that is not within the scope of the GDPR);
  • investigating cross-border processing carried out by public authorities; in the public interest; in the exercise of official authority; or by controllers not established in the EU;
  • adopting urgent measures, in accordance with Article 66 of the GDPR; or
  • intervening following a decision of the LSA not to handle a case.

The AG further considered that the current OSS system is new and remains to be tested, asserting that: “[p]ractical experience might, one day, reveal genuine problems with the quality or even the level of legal protection inherent in the new system.  However, at present, any such issues remain at the level of conjecture” (paragraph 107).  The AG concludes that a textual, theological, and historical approach to interpreting the GDPR confirms the importance of the OSS and the general competence of the LSA with regard to cross-border data processing.

Next Steps

The CJEU will now take a decision on the case, and their final judgment is expected in the coming months.  Although the CJEU will take into account the AG’s opinion, it is not legally binding on the Court.  After the CJEU has issued a final judgment, the case will return to the Belgian Court of Appeal for it to issue a decision in accordance with the CJEU’s ruling.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Shona O'Donovan Shona O'Donovan

Shóna O’Donovan is an associate in the technology regulatory group in the London office. She advises clients, particularly in the technology industry, on a range of data protection, e-privacy and online content issues under EU, Irish and UK law.

Shóna advises multinational companies…

Shóna O’Donovan is an associate in the technology regulatory group in the London office. She advises clients, particularly in the technology industry, on a range of data protection, e-privacy and online content issues under EU, Irish and UK law.

Shóna advises multinational companies on complying with EU and UK data protection and e-privacy rules. She regularly defends clients in regulatory investigations and inquiries, and provides strategic advice on incident response. She advises clients on existing and emerging online content laws, including those affecting intermediary services and audiovisual media services. In this context, she regularly advises clients on the intersection between online content and privacy rules.

Shóna also counsels clients on policy developments and legislative proposals in the technology sector, and the impacts of these developments for their business.

In her current role, Shóna gained experience on secondment to the data protection team of a global technology company. In a previous role, she spent seven months on secondment to the European data protection team of a global social media company.

Shóna’s recent pro bono work includes providing data protection advice to the International Aids Vaccine Initiative and a UK charity helping people with dementia, and working with an organization specializing in providing advice to states involved in conflict on documenting human rights abuses.

Photo of Marianna Drake Marianna Drake

Marianna Drake counsels leading multinational companies on some of their most complex regulatory, policy and compliance-related issues, including data privacy and AI regulation. She focuses her practice on compliance with UK, EU and global privacy frameworks, and new policy proposals and regulations relating…

Marianna Drake counsels leading multinational companies on some of their most complex regulatory, policy and compliance-related issues, including data privacy and AI regulation. She focuses her practice on compliance with UK, EU and global privacy frameworks, and new policy proposals and regulations relating to AI and data. She also advises clients on matters relating to children’s privacy, online safety and consumer protection and product safety laws.

Her practice includes defending organizations in cross-border, contentious investigations and regulatory enforcement in the UK and EU Member States. Marianna also routinely partners with clients on the design of new products and services, drafting and negotiating privacy terms, developing privacy notices and consent forms, and helping clients design governance programs for the development and deployment of AI technologies.

Marianna’s pro bono work includes providing data protection advice to UK-based human rights charities, and supporting a non-profit organization in conducting legal research for strategic litigation.