Crossborder personal data processing: Which authority has competence? Conclusions of the advocate general in case C-645/19

2021-02-16T18:17:00

What powers do national supervisory authorities have regarding infringements caused by crossborder data processing? This is the fundamental question examined in case C-645/19 (Facebook Ireland and Others), on which the Advocate General of the CJEU has just issued his Conclusions (the “AG”).

Crossborder personal data processing: Which authority has competence? Conclusions of the advocate general in case C-645/19
February 16, 2021

What powers do national supervisory authorities have regarding infringements caused by crossborder data processing? This is the fundamental question examined in case C-645/19 (Facebook Ireland and Others), on which the Advocate General of the CJEU has just issued his Conclusions (the “AG”).

This question, referred for a preliminary ruling, stems from the following events: In 2015, the Belgian Data Protection Authority (the “DPA”) opened proceedings against several subsidiaries of the company before the Court of First Instance of Brussels for alleged infringements of data protection regulations. Initially, the Belgian court considered itself competent to hear the case and ordered the provisional cessation of some activities regarding users of the platform located in Belgium.

The defendant appealed that ruling and, among the different reasons it put forward, claimed that since the entry into force of the GDPR and the “one-stop-shop”, the DPA lacks competence to continue the proceedings in question as it is not the lead supervisory authority. Given that the company’s main establishment in the European Union is located in Ireland, it claimed that the Irish control authority has sole competence to initiate crossborder data processing infringement proceedings against it.

The main question raised was, therefore, whether the GDPR allows a supervisory authority that is not the lead supervisory authority to open proceedings before the courts of its State regarding crossborder processing.

The “one-stop-shop” mechanism was introduced as an important element in harmonizing the EU’s legal system on data protection, aiming to increase the consistent application of the regulations, provide legal certainty and reduce the administrative burden on data controllers and processors. To implement this mechanism, the GDPR establishes two important figures: the lead supervisory authority (“LSA”), which is responsible for coordinating and supervising proceedings on crossborder processing, and the interested supervisory authority (“ISA”), which assumes functions when it is “affected” by the processing in question (under Article 4.22 of the GDPR). However, when an individual case of processing with crossborder components has a particular impact on a specific Member State, the national authorities tend to assume the supervisory competences.

After several interpretations of the text of the GDPR, the AG concludes that the LCA’s competence in relation to crossborder processing is the general rule, while the competence of the other authorities is the exception. Thus, the LCA is the main interlocutor with the data controller or processor, while recognizing that close cooperation and consensus with the ISAs is necessary to make decisions in this area, under Articles 60 et seq. of the GDPR.

Ultimately, the LSA’s role does not constitute an exclusive competence; rather, the “one-stop-shop” mechanism establishes a “structured way of cooperating with other locally competent supervisory authorities.”

In fact, the GDPR establishes mechanisms to deal with cases in which the LSA fails to take sufficient action, including at least two different ways for ICAs to take over the proceedings and investigations while complying with the regulations. The AG refers to the provisional measures and the urgency procedure (regulated in Articles 61.8 and 66 of the GDPR), and the request for an opinion from the European Data Protection Board (as established in Articles 64 and 65 of the GDPR), although the effectiveness of these tools must be analyzed in practice.

Furthermore, the AG states that national control authorities can file claims before their respective courts, even if they are not the LSA, in the following circumstances:

  1. When the processing is not included in the material scope of the GDPR;
  2. When investigating the processing conducted by public authorities or in the public interest or exercising public powers;
  3. When no supervisory authority can act as LSA, which is the case when the data controller or processor in the crossborder processing has no establishment in the EU;
  4. When urgent measures are adopted to protect the affected parties’ interests; and
  5. When the corresponding LSA decides not to process a case, in accordance with Article 56.5 of the GDPR.

In summary, the AG’s provisional conclusion is that “the supervisory authority of a Member State is entitled to bring proceedings before a court of that State for an alleged infringement of the GDPR with respect to cross-border data processing, despite not being the LSA, provided that it does so in the situations and according to the procedures set out in the GDPR.”

The AG’s conclusions are provisional and are not binding on the CJEU in its decision, although they constitute a considered legal solution for the case that judges generally take into account when issuing their ruling. In any case, we await this and future rulings from the CJEU in this area as, in a digital context where demarcating national borders and supervising mass processing of data is so complex, it is particularly important to clarify which competences lie with each data protection authority.

Authors: Josu Andoni Eguiluz Castañeira and Ainhoa Rey Cendon

February 16, 2021