Under certain circumstances, national data protection authorities may also take action if the responsible company has its headquarters abroad and is thus under the auspices of another authority. This was the conclusion reached by the European Court of Justice (ECJ) in its ruling C‑645/19 from June 15, 2021.
The starting point was an action for an injunction filed by Belgian data privacy activists against Facebook, alleging excessive data collection. The Dublin-based defendant disputed even the admissibility of the action and argued that, under the “one-stop-shop” mechanism of the European General Data Protection Regulation (GDPR), the lead supervisory authority alone is competent – which in the case of Facebook is the Irish data protection authority, known for its restraint.
The underlying conflict of objectives between uniform assessment and effective legal protection already pervades the legal framework: On the one hand, each supervisory authority is independent and “competent in the territory of its own Member State” (Art. 55(1) GDPR). On the other hand, Art. 56 of the same Regulation declares the authority at the place of the main or the only establishment to be the “lead” authority (para. 1) and, in matters of cross-border data processing, the “only contact person of the responsible persons” (para. 6).
Unlike the applicant, the ECJ considered this reservation in the division of tasks to be in conformity with fundamental rights (para. 66) and confirmed that “in the case of transborder processing of personal data, the responsibility of the lead supervisory authority […] the rule and the competence of the other supervisory authorities concerned […] form the exception” (para. 63). Accordingly, Facebook evaluated the decision in an opinion as a success: the court had, after all, “confirmed the principle and importance of the one-stop-shop mechanism”.
But that is only one side of the decision. The ECJ also made it clear that this division of labor is based “necessarily on the premise of loyal and effective cooperation” and serves the “correct and coherent application” of the GDPR (para. 72). This assumption and this objective mark the limits of the “one-stop-shop” mechanism:
“[T]he rules contained in the Regulation on the division of decision-making responsibilities between the lead supervisory authority and the other supervisory authorities concerned […] change [nothing about the fact] that all these authorities shall contribute to a high level of protection of the aforementioned rights […]. This means in particular that the cooperation and consistency procedure must not, under any circumstances, lead to a situation where a national supervisory authority, namely the lead authority, fails to meet its obligation […] to contribute to effective protection […]. Otherwise, forum shopping – especially by those responsible – to circumvent these fundamental rights and the effective application of the rules […] would be aided and abetted.” (para. 67 f.)
The scope of the decision-making power of lead authorities thus depends to a large extent on the effectiveness of their law enforcement and must also be put into perspective in several other respects:
- Explicit exceptions apply to cases of special urgency (Art. 66 GDPR; para. 59) as well as to cases with an impact on only one Member State (Art. 56(2) GDPR; para. 58). Although the lead authority may also take over these cases, it must then follow the draft decision of the notifying authority “as far as possible” (Art. 56(4) GDPR; para. 61);
- If the lead authority refuses the official transmission of information, the requesting authority is also free to take provisional measures (Art. 61(8) GDPR; para. 71);
- In addition, the consistency procedure under Art. 63 GDPR provides extensive participation possibilities for non-lead authorities and leaves the decision in disputes to the European Data Protection Board (Art. 65(1) GDPR; para. 59);
- Finally, the bringing of an action by the supervisory authorities does not require that the responsible company has a branch in its Member State (para. 84).
With the latest decision in the Facebook matter, the exclusivity of the lead authority has been further eroded. For the “one-stop-shop” principle, it means at most a “yes, but”.