On January 13, 2021, the Advocate General (“AG”), Michal Bobek, of the Court of Justice of the European Union (“CJEU”) issued his Opinion in Case C-645/19 Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v. the Belgian Data Protection Authority (“Belgian DPA”).  The AG determined that the one-stop shop mechanism under the EU’s General Data Protection Regulation (“GDPR”) prevents supervisory authorities that are not the lead supervisory authority (“LSA”) of a controller or processor from bringing proceedings before their national court, except in limited and exceptional cases specifically provided for by the GDPR.  The case will now move to the CJEU for a final judgment.

Background

While the background of this case goes back to 2015, long before the GDPR came into force in 2018, the primary question the CJEU considered was whether supervisory authorities can circumvent the one-stop-shop (“OSS”) mechanism by relying on Article 58(5) of the GDPR, which allows them to bring controllers and processors before judicial authorities (rather than launching an administrative procedure subject to the OSS).

AG Opinion

In his opinion, the AG considered that the LSA has a “general competence” over cross-border processing, including commencing judicial proceedings for breaches of the GDPR.  While any supervisory authority has the power to commence proceedings against possible infringements affecting their territories, this power is limited in cases of cross-border processing to enable the LSA to exercise its regulatory role.  As the AG explains, any other interpretation would render the OSS mechanism void: “permitting supervisory authorities freely to go before their national courts, when they cannot use their administrative powers without going through the cooperation and consistency mechanisms set out in the regulation, would pave the way for an easy circumvention of those mechanisms” (paragraph 72).

However, the AG emphasized that the LSA cannot be deemed the “sole enforcer of the GDPR in cross-border situations” and must closely cooperate with other concerned supervisory authorities (“CSAs”).  The AG proposes that supervisory authorities that are not the controller or processor’s LSA can only commence proceedings before their national courts in exceptional cases where the GDPR expressly permits them to do so.  For example, where supervisory authorities are:

  • acting outside the material scope of the GDPR (e.g., because the processing does not involve personal data, or involves personal data that is not within the scope of the GDPR);
  • investigating cross-border processing carried out by public authorities, in the public interest, in the exercise of official authority, or by controllers not established in the EU;
  • adopting urgent measures, in accordance with Article 66 of the GDPR; or
  • intervening following a decision of the LSA not to handle a case.

The AG further considered that the current OSS system is new and remains to be tested, asserting that: “[p]ractical experience might, one day, reveal genuine problems with the quality or even the level of legal protection inherent in the new system.  However, at present, any such issues remain at the level of conjecture” (paragraph 107).  The AG concludes that a textual, teleological, and historical approach to interpreting the GDPR confirms the importance of the OSS and the general competence of the LSA with regard to cross-border data processing.

Next Steps

The CJEU will now take a decision on the case, and its final judgment is expected in the coming months.  Although the CJEU will take into account the AG’s opinion, it is not legally binding on the Court.  After the CJEU has issued a final judgment, the case will return to the Belgian Court of Appeal for it to issue a decision in accordance with the CJEU’s ruling.