On June 15, 2021, the Court of Justice of the European Union (CJEU) confirmed[1] that non-leading supervisory authorities (SAs) can initiate national judicial proceedings concerning cross-border data processing in two circumstances:[2] i) where there is an “urgent need” to act, or ii) if the case has a local impact.
Although the general rule of the one-stop-shop mechanism remains, this development shows that companies may face SA enforcement actions in multiple EU countries, not just the country of the lead SA.
Background
In 2015, the Belgian SA sought an injunction against Facebook from the Brussels Court of First Instance regarding alleged violations of data protection law with respect to the use of cookies and similar technologies.[3] The Court of First Instance ruled in favor of the Belgian SA,[4] Facebook filed an appeal before the Brussels Court of Appeal, and the case was referred to the CJEU for a preliminary ruling.[5]
The Brussels Court of Appeal raised a number of questions regarding the authority of SAs to act in cross-border proceedings, and their nexus with the lead SA.[6] The Court of Appeal also asked whether the fact that the national proceeding occurred before the effective date of the General Data Protection Regulation (GDPR) has an impact on other SAs’ authority.
On January 13, 2021, Advocate-General Bobek presented his non-binding opinion,[7] arguing in favor of exceptions to the general rule of the sole competence of the lead SA for legal proceedings. For instance, Bobek argued that SAs may go before a national court to enforce items outside the GDPR’s scope, like the ePrivacy Directive, or to initiate criminal enforcement. The Advocate-General also opined that SAs may go before a national court if the controller has no establishment in the EU, when the SA is acting urgently to protect the rights and freedoms of individuals,[8] or when the lead SA has decided not to handle the case.[9]
CJEU Ruling
The CJEU confirmed that non-leading SAs can initiate proceedings before a national court in the following circumstances:
- When there is an urgent need to act to protect the rights and freedoms of data subjects (according to the so-called “urgency procedure”).[10] The CJEU did not further clarify what qualifies as an “urgent need”;
- If the case only relates to an establishment of the controller or processor located in a non-leading SA Member State, or substantially affects individuals only in that non-leading SA Member State (local impact).[11]
The CJEU further clarified that non-leading SAs can bring legal proceedings against a company even if the company has no establishment in that country.
In addition, the CJEU differentiated between: 1) proceedings related to violations that occurred before the GDPR effective date (prior to May 25, 2018), in which case proceedings would be initiated on the basis of the now defunct Directive 95/46; and 2) proceedings related to violations occurring after the GDPR effective date, in which case the GDPR procedural rules would apply, and the non-leading SA would act pursuant to the GDPR cooperation and consistency mechanisms.
Key Takeaways and Conclusion
The CJEU judgment provided some clarity on the SAs’ authority in the context of the one-stop-shop mechanism, and shared further insights relating to cross-border data processing and cooperation between SAs. In particular, the outcome of the CJEU ruling is that:
- There are exceptions to the one-stop-shop mechanism. Companies need to take into account that, under certain conditions, non-leading SAs may still pursue legal action against them. This can lead to multiple proceedings in different EU countries.
- The lead SA must take the views of the other SAs into consideration.[12] GDPR provisions recognize that non-leading SAs can have a meaningful impact on the lead SA’s decision in a cross-border case, e.g., by submitting relevant and reasoned objections to the draft decision.
- The lead SA should cooperate with the other SAs. The one-stop-shop mechanism requires cooperation between SAs, notwithstanding the lead SA’s competence.
Overall, companies may not always be able to benefit from the one-stop-shop mechanism and may need to cope with multiple SAs instead of one lead SA in the context of cross-border processing.
[1] CJEU judgment in case C-645/19, Facebook and Others v Belgian SA, June 15, 2021.
[2] Within the meaning of Article 4 (23) GDPR.
[3] CJEU judgment in case C-645/19, Facebook and Others v Belgian SA, June 15, 2021, par. 30: “(…) collection by [Facebook] of information on the internet browsing behaviour both of Facebook account holders and of non-users of Facebook services by means of various technologies, such as cookies, social plug-ins (for example, the ‘Like’ or ‘Share’ buttons) or pixels.”
[4] Judgment of the Dutch-speaking Court of First Instance in Brussels, dated February 16, 2018.
[5] Brussels Court of Appeal, request for a preliminary ruling pursuant to Article 98(1) of the Rules of Procedure of the Court of Justice, May 8, 2019.
[6] The lead SA is an SA of the main establishment or of the single establishment of the controller or processor.
[7] https://curia.europa.eu/juris/document/document.jsf?text=&docid=236410&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=13755616.
[8] Article 66 GDPR.
[9] Article 56(5) GDPR. This applies to the SA which informed the lead SA about a complaint lodged with it or a possible infringement of the GDPR.
[10] Article 66 GDPR.
[11] Article 56(2) GDPR.
[12] CJEU judgment in case C-645/19, Facebook and Others v Belgian SA, June 15, 2021, par. 53.