EDPB adopts opinion on the notion of main establishment during 90th plenary

Allen & Overy LLP

The European Data Protection Board (EDPB) during its 90th plenary session, on 14 February 2024, amongst other things:

  • adopted an opinion (the Opinion) on the notion of a controller’s main establishment, including criteria for the application of the one-stop shop mechanism;
  • issued a statement (the Statement) on the legislative developments in relation to the European Commission’s proposal for a regulation outlining rules to prevent and combat child sexual abuse; and
  • discussed the scope of guidance relating to the “consent or pay” model used by certain online platforms in the context of personalised advertising, and acknowledged the need for additional guidelines on the issue, which would complement an upcoming Opinion addressing consent or pay models of large online platforms.

Opinion on main establishment under Article 4(16)(a)

The Opinion was issued at the request of the French supervisory authority (the CNIL), which had identified the possible different interpretations of the definition of “main establishment” (under Article 4(16)(a) GDPR) and the relevance of the term “place of central administration” in Recital 36 GDPR. The CNIL queried whether, when considering whether a place of central administration constitutes a main establishment, supervisory authorities must first collect evidence to verify that the identified establishment takes decisions on the purposes and means of processing and has the power to have those decisions implemented.

The Opinion outlines the following key considerations:

  • The EDPB concludes that a controller’s place of central administration can only be its main establishment pursuant to Article 4(16)(a) GDPR if it is where the controller decides the purpose and means of the processing operations and can implement these decisions, and the controller has establishments in more than one Member State. The EDPB confirms that the GDPR does not permit “forum shopping” and the determination of the main establishment should be based on objective criteria (and not a subjective designation).
  • The EDPB clarifies that if the decisions on the purposes and means of processing, and the power to have such decisions implemented, are exercised outside of the Union (or where there is no evidence of such decision-making or decision-implementing powers in the Union), then there is no main establishment, and the one-stop-shop mechanism should not apply. The EDPB encourages supervisory authorities to assess in practice where decisions are taken, and where there is power to implement such decisions, before qualifying that an establishment is a “main establishment”.
  • The EDPB highlights that supervisory authorities have the power to challenge and disagree with controllers’ claims on (main) establishment based on an objective examination of the facts, and can request further information through their respective information gathering powers under Article 58(1)(a) GDPR. Where a supervisory authority concludes that a controller has failed to prove a main establishment, the Opinion states the assessment should be shared with other supervisory authorities to ensure alignment.
  • The EDPB acknowledges that determining a place of central management in the Union (such as a regional headquarters) provides a starting point for supervisory authorities to identify where decisions could be taken, though supervisory authorities must still assess whether this constitutes a main establishment based on the criteria outlined in the Opinion. The Opinion confirms that the burden of proof in demonstrating a main establishment (and where decisions are taken) remains on the controller, and notes that effective records of processing activities under Article 30 GDPR (among other considerations) could assist the controller in demonstrating a main establishment.

Statement on Proposal for a Regulation on preventing and combatting child sexual abuse

The Statement relates to the Commission’s proposal for a new regulation that would impose qualified obligations on certain service providers concerning the detection, reporting and blocking of child sexual abuse imagery (the Proposal).

In the Statement, the EDPB acknowledges the recent amendments to the Commission’s Proposal by the European Parliament, which seek to address certain concerns raised by the EDPB (and the European Data Protection Supervisor (EDPS)), most notably in the Joint Opinion 04/2022, as to the proportionality of envisaged limitations on the protection of the fundamental rights to privacy and protection of personal data under the Proposal. For example, the EDPB welcomed the exemption of end-to-end encrypted communications from detection orders.

However, the EDPB highlights that the Proposal still contains areas of ambiguity and does not adequately safeguard privacy and data protection – noting that the amendments do not resolve all of the joint concerns of the EDPB and the EDPS, particularly in relation to indiscriminate monitoring of private communications. For example, the EDPB warns that the criteria outlined in the current Proposal for issuing detection orders are ambiguous and there are significant error rates for the proposed detection technologies envisaged by the Proposal.

The press release is available here, the Opinion here and the Statement here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Allen & Overy LLP | Attorney Advertising
