On 13 January 2021, the opinion of Advocate General Bobek in Case C-645/19 Facebook Ireland and Others before the Court of Justice of the European Union (“CJEU”) was issued following a referral from the Court of Appeal of Brussels. The case centres on whether a national data protection authority is precluded from engaging in court proceedings in its home Member State in relation to infringements of the GDPR with respect to cross-border data processing in circumstances where it is not the lead data protection authority pursuant to the One-Stop Shop (“OSS”) system. The Opinion of the Advocate General concludes that derogations from the OSS system are only possible in the circumstances, and according to the procedures, already set out in the GDPR.

What is the One-Stop-Shop system?

Under the OSS system, the supervisory authority within the EU Member State of the main establishment of a data controller (i.e. the place of central administration of the data controller where decisions regarding the purposes and means of data processing are taken) will act as the primary regulator or “Lead Supervisory Authority” and be competent in monitoring the application of the GDPR and its enforcement for such controllers. For example, if an organisation’s main establishment is in Ireland the Irish Data Protection Commission acts as the Lead Supervisory Authority for that organisation. However, the Lead Supervisory Authority does not act as the sole supervisory authority and cooperation procedures are contained within the GDPR to ensure the involvement of other concerned supervisory authorities of Member States. Where there are divergences of opinion between supervisory authorities, a mechanism exists to involve the European Data Protection Board to make a binding decision. As is noted in the opinion of the Advocate General, the objective of the OSS system is to ensure consistent application of the GDPR. One supervisory authority acting as the primary regulator prevents data controllers from being required to engage with multiple supervisory authorities, which could lead to uncertainty for them and also for data subjects.

When are derogations from the One-Stop-Shop system permitted?

The opinion of the Advocate General identifies from the text of the GDPR the following five situations where a derogation from the OSS system is possible:

  1. Where the supervisory authority is acting outside the material scope of the GDPR. For example, the CNIL (the French Data Protection Authority) has been active in imposing fines on organisations in respect of the use of cookies, which is regulated by the e-Privacy Directive 2002/58/EC and not the GDPR.
  2. Where the processing is carried out by public authorities or is carried out in the public interest or in the exercise of official authority as provided in Article 55(2) of the GDPR.
  3. Where the data controller has no establishment in the EU and so no Lead Supervisory Authority can be identified. In this scenario a data controller will be required to deal with the local supervisory authority in every Member State where they are active.
  4. In exceptional circumstances where urgent measures are required to protect the rights and freedoms of data subjects as provided in Article 66 of the GDPR.
  5. Where the Lead Supervisory Authority decides not to handle a case notified to it by a supervisory authority. Pursuant to Article 56(5) of the GDPR the notifying supervisory authority may handle the case. This may become relevant where a supervisory authority does not have the resources to handle a case.

As is noted by the Advocate General, “… the suggestion that supervisory authorities could disregard the consistency and cooperation mechanisms when they wish to bring proceedings cannot be reconciled with the text of the GDPR and the Court’s case-law”. The consistency and cooperation mechanisms provided by the GDPR through the OSS mechanism would become less effective if derogations beyond what is already provided in the GDPR were possible.

While the Opinion of the Advocate General is not binding on the CJEU, it will be surprising if the CJEU does not adopt the same approach in its forthcoming decision. This would confirm the general understanding of the GDPR that the supervisory authority of the main establishment of a data controller acts as the Lead Supervisory Authority for the cross-border processing carried out by that controller.

The authors wish to thank Shannon Buckley Barnes for her contribution to this briefing.