On 13 January 2021, the Advocate General (AG) of the Court of Justice of the European Union (CJEU) issued an important opinion in the case of Facebook Belgium v Gegevensbeschermingsautoriteit (C-645/19) which considers the vital role of the GDPR’s one-stop-shop mechanism. The AG’s opinion unequivocally affirms the significance of the role of the lead supervisory authority (LSA) in being the primary investigator and enforcer of data protection law within the EU, while at the same time acknowledging the active role that other supervisory authorities concerned (SAC) have in scrutinising organisations’ compliance with the GDPR.
While the initial proceedings related to alleged violations of the now repealed Directive 95/46/EC, following various appeals made by Facebook since 2015, the current proceedings are instead concerned with the GDPR. On that basis, Facebook contends that since the one-stop-shop mechanism has now become operational, the Belgian DPA is no longer competent to act on this matter because Facebook’s LSA is the Irish Data Protection Commission. This resulted in the Belgian court referring to the CJEU a number of questions which have implications well beyond the parties involved in the original proceedings.
The most important of these questions is whether the GDPR permits a supervisory authority to bring proceedings before its national courts in connection with alleged infringements of the regulation by an organisation, where it is not the lead supervisory authority. Or alternatively, does the one-stop-shop mechanism prevent such proceedings from being brought?
In response to this question, the AG stated that, while an SAC can bring proceedings in its own national courts, this right is subject to the GDPR’s one-stop-shop, and co-operation and consistency mechanisms. As further explained by the AG, this confirms that as a general rule the LSA is considered the competent authority and the power for SACs to bring action against an organisation is the exception.
Assuming that the CJEU agrees with the AG's opinion, SACs within the EU may be prevented from taking direct action against an organisation for alleged infringement of the GDPR, except in certain limited circumstances, if the organisation can demonstrate that it has an LSA for cross-border processing. According to the AG, the circumstances allowing for SAC action include:
Amongst the specific concerns raised by the Belgian DPA in its submissions was the risk of under-enforcement, if only LSAs could take action against organisations that have not complied with the GDPR. This argument was robustly dismissed by the AG, who believes that the GDPR provides appropriate mechanisms to address any risk of under-enforcement.
The AG particularly emphasised the rights of SACs under Art. 61 GDPR. This includes the ability to request mutual assistance from LSAs in investigating allegations of non-compliance and, where this assistance is not provided, the SAC can take its own independent action under the GDPR’s urgency procedure.
In addition to providing his opinion on the specific questions referred to the CJEU, the AG also offered interesting and potentially significant commentary on the interaction between the GDPR and other legislative frameworks. The AG stated that given the context of the present case, data processing activities may fall within the scope of more than one legislative instrument and in such circumstances all of the instruments will apply at the same time.
We can potentially infer from this commentary that where an alleged infringement involves both the GDPR and another law, such as the ePrivacy Directive (which is likely to be the case in the context of cookie compliance), then the GDPR’s one-stop-shop and co-operation and consistency mechanisms would still apply.
The CJEU's decision is still several months away, but taking into account the AG's line of reasoning, it is likely to have a number of potentially significant impacts, including: