On 13 January 2021, Advocate General issued his opinion on the role of one-stop-shop mechanism and the data protection authorities’ competence over cross-border data processing.

The case under review

In 2015, the Belgian data protection authority commenced judicial proceedings against Facebook Belgium and the case is at present in progress before the Belgian Court of Appeal.

The Belgian data protection authority claimed that Facebook had illegally obtained personal data linked to browsing information of its Internet users in Belgium by using cookies and social plugins.

In this context, Facebook Belgium claimed that by the time the GDPR became applicable, the Belgian data protection authority has lost competence to continue the judicial proceedings at issue against Facebook. This derived from the fact that under the GDPR, only the lead data protection supervisory authority (LSA) of the State of Facebook’s main establishment in the EU – namely the Irish Data Protection Commission in this case – is competent to engage in judicial proceedings against Facebook for infringements of the GDPR in relation to cross-border data processing.

Subsequently, the Belgian Court of Appeal addressed the Court of Justice to clarify if the GDPR prevents a national data protection authority other than the LSA from engaging in judicial proceedings in its Member State against infringements of its rules relating to cross-border data processing.

Key points of the Advocate’s opinion

Advocate General Bobek indicated that under the GDPR, the LSA has a general competence over cross-border data processing. As to the fact that the GDPR confers on any data protection authority the power to start judicial proceedings against possible infringements which affect their territories, he sets out that this power is curtailed as regards cross-border data processing precisely with a view to enabling the LSA to exercise its tasks. He emphasized that the reason for the introduction of the one-stop-shop mechanism, whereby a significant role has been given to the lead data protection authority and cooperation mechanisms have been set up to involve other data protection authorities, was to address certain shortcomings resulting from the former legislation.

Nevertheless, Advocate General highlighted that the LSA cannot be deemed as the sole enforcer of the GDPR in cross-border situations and should, in compliance with the rules provided by the GDPR, cooperate with the other data protection authorities concerned. He also argued that national data protection authorities, even where they do not act as lead authority, can nonetheless bring proceedings before the courts of their respective Member State in case of infringements of the GDPR in relation to cross-border data processing under certain circumstances and particularly, in cases where they:

(i) act outside the material scope of the GDPR
(ii) investigate into cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority or by controllers not established in the Union
(iii) adopt urgent measures, or
(iv) intervene following the lead data protection authority having decided not to handle a case.
Impact of the Advocate’s opinion on privacy cases

Although Advocate’s opinion is not binding and the CJEU’s decision has yet to come, it is likely to have a significant impact on the way data privacy cases are handled.

Moreover, it will most likely have a lasting impact on the division of roles between LSAs and other national data supervisory authorities.

Specifically, even though Advocate General’s opinion establishes the crucial role that LSAs play in monitoring GDPR compliance and their ability to take direct enforcement action, it acknowledges that national supervisory authorities have the competence – in certain exceptional cases and without undermining the one-stop-shop mechanism- to bring cases before national courts, even in cross-border cases.

As a result, Advocate’s opinion- if adopted by the CJEU- can possibly pave the way for an increase in the number of enforcement actions taken against tech companies that process personal data.

                                                                                                                                                                                                            The editorial team