- The Belgian Court of Appeal has asked the European Court of Justice for help interpreting the application of the GDPR’s ‘one stop shop’.
- The case will have important implications for all multi-national companies who have chosen a lead supervisory authority in Europe for GDPR purposes.
- The results of the case will either open or close the doors for regulators across Europe to cast aside the one stop shop when looking to enforce GDPR compliance in their home jurisdiction.
On 8 May 2019, the Brussels Court of Appeal referred a series of clarification questions to the European Court of Justice (CJEU), relating to Facebook’s appeal against a finding that it had breached domestic and European data protection regulations. The questions referred to the CJEU ask whether the ‘one-stop-shop’ mechanism provided under the General Data Protection Regulation (GDPR) prevents a national supervisory authority from having the requisite standing to bring proceedings against a company where it is not the ‘lead supervisory authority’ for the purpose of that company’s cross-border processing.
The one-stop-shop mechanism under the GDPR enables national supervisory authorities to select a ‘lead supervisory authority’, who has primary responsibility in relation to a company’s cross-border processing. The referral to the CJEU follows Facebook’s argument in the Brussels Court of Appeal that only its lead supervisory authority, Ireland’s Data Protection Commissioner, can bring enforcement action against it where cross-border processing issues arise. If this argument were to succeed, the Belgian Data Protection Authority (BDPA) would be precluded from bringing a claim themselves. The BDPA have expressed that they are pleased with the referral, regardless of the outcome of the CJEU’s conclusions.
The case itself dates back to 2015, when the Belgian Privacy Commission (the predecessor to the BDPA) brought proceedings in Brussels against various Facebook entities, alleging that their use of plug-ins, cookies and ‘pixels’ (irrespective of whether or not a computer user had a Facebook account) to process data was not sufficiently notified to data subjects. It was also alleged that Facebook did not have valid consent, and therefore had no legal justification, to process data of individuals without a Facebook account. In February 2018, the court instructed Facebook to stop using these tracking tools, to destroy all personal data which was unlawfully obtained, and to post a copy of the judgment on its website, threatening daily fines of €250,000 (up to a total of €100 million) for non-compliance. Facebook immediately appealed the decision.
Whilst the Brussels Court of Appeal concluded that the Belgian courts are competent to hear the case against Facebook Belgium Bvba, it has sought guidance from the CJEU as to whether the one-stop-shop principle precludes anyone other than Ireland’s Data Protection Commission from bringing proceedings against Facebook.
As part of its referral to the CJEU, the Brussels Court of Appeal has also asked for guidance on whether any of the following events would make a difference to the BDPA’s ability, as a supervisory authority that is not the lead supervisory authority, to bring proceedings:
- Facebook having an establishment in Belgium (i.e. Facebook Belgium Bvba), despite that not being Facebook’s main establishment;
- BDPA bringing proceedings against the Facebook institution residing in Belgium (Facebook Belgium Bvba) directly, rather than against Facebook’s main establishment; and
- the fact that proceedings against Facebook were already initiated before the GDPR (and the relevant one-stop-shop provisions) came into effect.
The scope of the ramifications of the CJEU’s conclusions to the questions posed to it will extend far beyond Facebook and its appeal. Notably, whilst the introduction of the one-stop-shop mechanism enabled different supervisory authorities to work together for the purpose of cross-border processing, the CJEU’s conclusions will go a long way to identifying whether the supervisory authorities across Europe are entirely reliant on each other in order to successfully enforce the GDPR against companies whose outreach extends beyond their individual jurisdictions.