Data Protection & Privacy
In its recent decision in the case Facebook Ireland Ltd and Others v Gegevensbeschermingsautoriteit (the Belgian data protection supervisory authority) dated 15 June 2021 (case C‑645/19), the Court of Justice of the European Union (CJEU) strengthened regulatory enforcement under the EU General Data Protection Regulation (GDPR) by allowing member state data protection supervisory authorities to directly sue private companies under Article 58 para. 5 GDPR – irrespective of whether the respective member state law provides for such a right to sue.
The decision was somewhat surprising since the wording of this particular provision so far was mostly read as a compulsory mandate to the member states to create respective procedural laws. In case a member state failed to comply with this duty, it would have been up to the Commission to initiate an infringement procedure.
The CJEU however took a totally different approach and found that Article 58 para. 5 GDPR “lays down a specific and directly applicable rule” (recital 111) which allows a member state data protection supervisory authority “to bring or continue a legal action against private parties, even where that provision has not been specifically implemented in the legislation of the Member State concerned” (recital 113).
Nevertheless, the CJEU also clarified that in case of cross-border processing (Article 4 (23) GDPR), a data protection supervisory authority which is not the lead supervisory authority in terms of Article 56 GDPR can exercise its rights under Article 58 para. 5 GDPR only in consistency with the (complex) one-stop-shop mechanism and its exceptions (Articles 55, 56, 60-67 GDPR). That said, the CJEU also strengthened the one-stop-shop mechanism and the general right of a controller or processor which operates in multiple member states to only have to deal with one data protection supervisory authority. On the other hand, once a data protection supervisory authority of a member state has jurisdiction under this mechanism, this authority is neither limited to only sue controllers/processors which have their main establishment or any other establishment in this member state nor limited to only act against a local establishment.
Finally, the CJEU once more broadens the understanding of processing of personal data “in the context of the activities” of an establishment of a controller or a processor in the EU in terms of Article 3 para. 1 GDPR, a crucial provision as it deals with the territorial scope of the GDPR. To establish a potential jurisdiction of the Belgian data protection supervisory authority over Facebook Ireland Ltd and the U.S.-based Facebook Inc., the CJEU starts with the argument already known from the cases Google Spain and Google (decision dated 13 May 2014 – C-131/12) and Wirtschaftsakademie (decision dated 5 June 2018 – C-210/16) that social networks generate a substantial proportion of their income from advertising. According to the court, the activity of Facebook Belgium BVBA is intended to ensure, within Belgium, even if it is only a secondary function, the promotion and sale of advertising spots which serve to make Facebook services profitable. But the CJEU didn’t stop here. It also found that “the activity primarily carried out by Facebook Belgium, which consists in engaging with the EU institutions and constituting a point of contact for those institutions [a.k.a. lobbying], seeks, inter alia, to determine the personal data processing policy of Facebook Ireland.” Consequently, the activities of Facebook Belgium BVBA must be considered to be inextricably linked to the processing of personal data at issue by Facebook Ireland Ltd. The processing of personal data by Facebook Ireland Ltd is therefore conducted “in the context of the activities” of an establishment in Belgium. This broad understanding gives rise to the question what activities of local subsidiaries, branches and offices in the EU won’t fall within the scope of Article 3 para. 1 GDPR in the future.
Whether and to what extent data protection supervisory authorities will make use of their new power or if they stick to orders under Article 58 para. 2 lit. d), lit. f) and lit. j) GDPR and administrative fines under Article 83 GDPR remains to be seen. However, the CJEU’s bold interpretation of Article 58 para. 5 GDPR and Article 3 para. 1 GDPR may serve as a teaser for how the CJEU will approach other (soon to be) pending questions regarding the interpretation of the GDPR, such as the term “undertaking” in Article 83 para. 4-6 GDPR and how to impose administrative fines against an undertaking, the requirements for awarding “non-material damages” under Article 82 GDPR or whether consumer protection organizations may initiate civil actions against companies after GDPR infringements: always with the aim in mind to ensure a high level of protection of the rights guaranteed in Article 16 TFEU and Article 8 of the EU Charter of Fundamental Rights.
Together with my trainee Dr. Jan Niklas Bunnenberg, I have published an in-depth analysis of the CJEU’s decision in issue no. 9 of Kommunikation & Recht (Die aufsichtsbehördliche Klagebefugnis unter der DSGVO – German language) which can be downloaded here for free: