
CJEU clarifies application of One-Stop-Shop mechanism and the competence of national DPAs to bring cases before national courts under GDPR


On 15 June 2021, the Court of Justice of the European Union (CJEU) issued its judgment addressing the operation of the GDPR one-stop-shop mechanism (OSS) in cross-border cases and the powers of national supervisory authorities (SAs) that are not the relevant lead supervisory authority (Lead SA) to bring cases concerning alleged breaches of the GDPR to their national courts.

The CJEU confirmed that there are limited exceptions to the OSS and that, under certain conditions, SAs that are not the relevant Lead SA may initiate and bring cases of alleged breach of the GDPR to national courts.

The decision of the CJEU was rendered in the case of Facebook Ireland Ltd, Facebook Inc., Facebook Belgium BVBA v. Gegevensbeschermingsautoriteit (Case C-645/19), following the Belgian Court of Appeal’s request for a preliminary ruling in relation to the application of the OSS mechanism under the GDPR. The key takeaways of the CJEU judgment are summarised below.

One-Stop-Shop mechanism and the powers of national SAs to initiate their own procedures or bring court actions

The CJEU ruled that an SA that is not the relevant Lead SA may bring an alleged infringement of the GDPR to the attention of a court of its Member State and, where necessary, initiate or engage in legal proceedings in relation to cross-border data processing, as long as (i) the SA exercises its competence under one of the situations provided by the GDPR; and (ii) the cooperation and consistency procedures of the OSS under GDPR are respected. In coming to this conclusion, the CJEU made the following observations:

  • the CJEU confirmed that in relation to the cross-border processing of personal data, it is the Lead SA that has the principal competence to adopt a decision finding that such processing is an infringement of the data protection law. The competence of the other SAs concerned to adopt these decisions, even provisionally, should only occur on an exceptional basis. 
  • the GDPR requires the Lead SA to exercise its competence within a framework of close cooperation with the other SAs concerned. The Lead SA may not avoid essential dialogue and effective cooperation with the other SAs concerned. The use of the OSS mechanism cannot have the consequence that SAs, particularly the relevant Lead SA, do not assume responsibility, as that might encourage the practice of forum shopping, particularly by data controllers, to circumvent fundamental rights of individuals and the practical application of the GDPR.
  • the CJEU analysed the exceptional situations when SAs concerned may deviate from the OSS, while fully taking into account the GDPR procedures. For example, under Article 56(2) of the GDPR, an SA may handle a complaint about cross-border processing if the subject matter relates only to an establishment in its own Member State or substantially affects data subjects only in that Member State. Under Article 66 of the GDPR, an SA may adopt provisional measures intended to produce legal effects on its own territory (for not more than 3 months) where it considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects. A national SA may bring an action before the courts of its Member State if the Lead SA has not provided information sought under the mutual assistance provisions of Article 61 GDPR. The national SA may then, for instance, adopt a provisional measure on the territory of its own Member State and may request an urgent binding decision from the European Data Protection Board (EDPB) under Article 66 GDPR. An SA may also request an opinion of the EDPB under Article 64(2) GDPR on any matter that is of general application or that produces effects in more than one Member State, in particular where a competent SA does not comply with the obligations for mutual assistance. Following the adoption of such an opinion or such a decision by the EDPB and after taking account of all the relevant circumstances, the SA concerned must be able to take the necessary measures to ensure compliance with the GDPR and, for that purpose, bring cases to courts.
  • national courts will need to determine whether the allocation of competences between SAs and compliance with all the GDPR procedures have been correctly applied in specific cases.
  • the CJEU also made a brief observation on the interplay between the ePrivacy Directive and the GDPR, which was relevant for this case. The CJEU referred to the EDPB guidance and confirmed that the competence, tasks and powers of national SAs in relation to storing and obtaining access to personal data by means of cookies fall under the ePrivacy Directive and are not within the scope of the GDPR OSS mechanism. However, all earlier processing operations, and all subsequent processing activities, with respect to that personal data, by means of other technologies, do fall within the scope of the OSS mechanism.

Main establishment of the controller in the EU

The CJEU ruled that, in the event of cross‑border data processing, a national SA other than the Lead SA could exercise its powers to initiate or engage in legal proceedings even if the controller does not have a main establishment or another establishment on the territory of that Member State, subject to certain conditions. 

According to the CJEU, this power of the national SA may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, subject to two conditions: 

  • the object of the legal proceedings is data processing carried out in the context of the activities of that establishment, and 
  • the national SA is competent to exercise that power (i.e. under the exceptional situations explained above).

In the current case, the CJEU considered that Facebook has a main establishment located in Ireland, and an establishment in Belgium for engagement with EU institutions and to promote the advertising and marketing of the Facebook group to people residing in Belgium. The CJEU noted, in line with previous case law, that the condition that data processing must be carried out “in the context of the activities of the establishment” should not be interpreted restrictively. 

The CJEU further held that it considers the activities of the establishment of the Facebook group in Belgium to be inextricably linked to the processing of personal data at issue in the main proceedings, with respect to which Facebook Ireland is the controller within the EU. This is because (i) a social network such as Facebook generates a substantial proportion of its income from advertising, and the activity of the Belgian establishment is intended to ensure, even if only as a secondary function, the promotion and sale of advertising spots in Belgium which serve to make Facebook services profitable; and (ii) the activity carried out by Facebook Belgium, i.e. of engaging with the EU institutions and serving as a point of contact for those institutions, is to help determine the personal data processing policy of Facebook Ireland.

Pre-GDPR processing

The CJEU also ruled that an SA, which is not the Lead SA under the GDPR, may continue legal action that concerns the cross-border processing of personal data before the GDPR became applicable on the basis of the pre-GDPR data protection law, such as the Data Protection Directive 95/46/EC. In addition, an action may be brought by that SA with respect to infringements committed after 25 May 2018 on the basis of the GDPR, using the analysis set out above.

Direct effect of the GDPR

The CJEU also ruled that Article 58(5) GDPR has direct effect, with the result that a national SA may rely on that provision in order to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State.

The CJEU’s press release is available here, and the judgment in full is available here.

 
