Out-Law / Your Daily Need-To-Know

Ruling confirms possibility of parallel GDPR investigations

Out-Law News | 16 Jun 2021 | 9:17 am | 3 min. read

EU data protection law provides scope for national regulators to act unilaterally to address concerns they have about the cross-border personal data processing undertaken by multinational businesses, the EU’s highest court has confirmed.

The Court of Justice of the EU (CJEU) said that there are circumstances in which data protection regulators that are not the “lead supervisory authority” for a business can legitimately pursue legal action against those companies under the General Data Protection Regulation (GDPR).

This includes where lead supervisory authorities fail to investigate concerns the other authorities have raised or do not cooperate to the extent required under the GDPR’s ‘one stop shop’ mechanism, or where there is a need for urgent action to protect the interests of data subjects in which case the urgency procedure that sits alongside the one stop shop mechanism applies, it said.

The GDPR’s 'one stop shop' mechanism of regulation and enforcement was designed to enable businesses operating across the EU to deal with just one data protection authority instead of 27 different authorities across each member state. However, the Regulation makes provision for the cooperation of data protection authorities in cases where alleged infringement occurs in more than one jurisdiction. In such cases, the ‘lead supervisory authority’ must enter into dialogue with the authorities in the other countries where data subjects are impacted by the data processing at issue.

While the responsibility for investigating alleged infringement sits with the lead authority, the GDPR gives other national data protection authorities scope to input to the enquiries and to raise 'relevant and reasoned' objections against proposed decisions of the lead authority. In cases where consensus on a final decision cannot be reached, the European Data Protection Board (EDPB) operates as final arbiter.

In its ruling, the CJEU confirmed that though it is the “rule” that the one stop shop system of coordination and consistency applies, there are exceptions that allow non-lead supervisory authorities to unilaterally pursue redress for alleged data protection failings before the courts in their country in respect of a business’ cross-border data processing activities.

In those exceptional cases, the CJEU said businesses cannot escape action taken by a non-lead authority by virtue of having their main establishment or another establishment in another EU member state.

Amsterdam-based Wouter Seinen of Pinsent Masons, the law firm behind Out-Law, said: “This ruling erodes the ‘one stop shop’ mechanism significantly as it means the one stop shop does not absolutely protect multinational companies against parallel investigations in multiple member states.”

Ann Henry of Pinsent Masons in Dublin said: “It appears inevitable that this ruling will result in further references to the CJEU for clarity on the primary role of the lead supervisory authority in the regulatory oversight of cross-border processing under the GDPR. Whilst the court does acknowledge it, this ruling will inevitably result in concern from data controllers and data processors that it introduces uncertainty into the ‘one stop shop’ mechanism which, as its very title suggests, is intended to provide legal certainty in this area. Legal certainty is important for data subjects of course, but also for businesses and inward investment in Europe too.”

The CJEU was asked to rule on questions concerning the application of the one stop shop mechanism under the GDPR by the Court of Appeal in Brussels, which has been considering an appeal by Facebook against an earlier court order issued against the social media company.

Belgium’s privacy commissioner, which has now been succeeded by Belgium’s data protection authority, won an injunction before the first-instance court which required Facebook to put an end to alleged infringements of data protection law. However, Facebook appealed against that decision arguing that only the Irish Data Protection Commission was able to seek an injunction against it before the Irish courts in the circumstances of the case brought by the Belgian authority. In support of its arguments, Facebook cited the fact that it was its Irish subsidiary that was the controller of the data at issue and pointed to the application of the one stop shop mechanism under the GDPR.

It is now for the Court of Appeal in Brussels to apply the CJEU’s ruling to determine whether the unilateral action taken by the Belgian privacy commissioner was in line with the exceptions to the one stop shop mechanism provided for under the GDPR.