On 12 January, Advocate General Michal Bobek delivered his Opinion on a regulatory competence tussle related to the respective roles of a ‘lead supervisory authority’ (“LSA”) under the GDPR and a local supervisory authority. His Opinion upholds the general application of the GDPR ‘one-stop-shop’ mechanism and emphasises that the LSA has a primary role in regulating cross border processing of personal data. However, he also indicates that the LSA cannot be deemed the sole enforcer of the GDPR in every instance involving cross-border data processing and envisages a limited role for local authorities. In this briefing, we review the most striking points of the Advocate General’s Opinion.
In September 2015, the Belgian data protection authority (the “Belgian DPA”) commenced proceedings before Belgian courts against Facebook for data protection law violations. Facebook’s position was that, under the GDPR, it has a main establishment in Ireland, meaning the Data Protection Commission in Ireland is competent to act as its LSA in respect of cross-border processing of personal data. On this basis, it argued that the Belgian DPA was precluded from continuing the relevant proceedings. The Belgian courts referred six questions to the CJEU for a preliminary ruling, with Facebook, the Belgian DPA and the European Commission presenting their oral arguments to the Court at a hearing on 5 October 2020.
Advocate General’s Opinion
At the outset, Advocate General Bobek notes that the wording of the relevant provisions of the GDPR, especially when read in context, support the interpretation that the LSA (in this case, the Data Protection Commission in Ireland) has a general competence over matters concerning cross-border processing of personal data, and by implication, the local supervisory authority concerned (in this case, the Belgian DPA) wields a limited power to act. In his view, the LSA’s general competence is cemented by the fact that the situations in which regulatory competence (with regard to cross-border processing) is given to other supervisory authorities are described as ‘exceptions’ to the general rule.
In Advocate Bobek’s view, it is this general rule that provides meaning to the ‘one-stop-shop’ mechanism provided for in the GDPR; a mechanism that gives rise to a central point of enforcement through recognising an LSA surrounded by a system of cooperation and consistency procedures designed to ensure the involvement of all interested supervisory authorities. This is also in line with the GDPR’s objective of preventing fragmentation in the implementation of data protection across the Union, legal uncertainty and widespread public perception that there are significant privacy risks, which he notes were all shortcomings of the previous EU data protection regime.
Advocate General Bobek clarified, however, that when the system set up by the GDPR is observed in its entirety, it is clear that the LSA is not the sole enforcer of the GDPR in cross-border processing situations. Effectively, the ‘one-stop-shop’ mechanism does not impose a general bar on a supervisory authority from appearing before its domestic courts for potential infringements of the GDPR, despite not being the LSA, provided that it does so in situations and according to procedures expressly set out in the GDPR.
Advocate General Bobek briefly considered the exceptional circumstances in which a supervisory authority that is not a LSA can initiate court proceedings that concern cross border processing. These are limited situations where the local supervisory authority:
- acts outside the material scope of the GPDR;
- investigates cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority or by controllers not established in the Union;
- takes urgent actions, which include facing persistent inertia from the LSA in investigating the matter; or
- intervenes where the LSA “decides not to handle the case”, which potentially accommodates an agreement between the LSA and the other supervisory authority on which of them is better placed to handle the case.
The Advocate General’s assessment of the law is not binding on the CJEU. Additionally, as the Advocate General’s Opinion is given on a preliminary reference, he does not comment on the merits of this case, as that remains a matter for the referring court to assess.
The CJEU will now begin its own deliberations in this case. The Belgian DPA, in its press release, has welcomed the Opinion and hopes that the CJEU will uphold the conclusions of the Advocate General for data protection authorities to defend the rights of their citizens before national courts in the limited circumstances reflected in the Opinion. The conclusions of the CJEU on this preliminary reference will be eagerly awaited.