
Case C-645/19: A case on cross-border processing of personal data and competence of authorities

by Shrisha Sapkota


1) Introduction

On 30th August 2019 the Hof van beroep te Brussel lodged a request for a preliminary ruling with the Court of Justice of the European Union (Case C-645/19) in a case in which Facebook Ireland Limited, Facebook Inc and Facebook Belgium BVBA were the main applicants and Gegevensbescherming Autoriteit was the main defendant. The request for a preliminary ruling concerned whether a supervisory authority which, pursuant to national law adopted in implementation of a regulation, has the power to commence legal proceedings before a court in its Member State against infringements of that regulation may exercise that power in connection with cross-border processing if it is not the lead supervisory authority for that cross-border processing, based on Articles [55(1)], 56 to 58 and 60 to 66 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, read in conjunction with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union.

Supervisory authorities under the GDPR are tasked with enforcing and providing guidance on privacy laws in a consistent manner across the EU. The GDPR provides a central point of enforcement through a system of cooperation and consistency procedures that has been coined the ‘one-stop shop’ mechanism. This means that if an organisation conducts cross-border data processing, the GDPR will require it to work primarily with the supervisory authority based in the same Member State as its main establishment (usually its EU headquarters) to achieve compliance, and this enforcement body is the “lead supervisory authority” for all privacy-related matters[i]. Essentially, the one-stop-shop mechanism intends to ensure that organisations and individuals can deal with cross-border privacy-related issues from their home base and that such issues can be addressed consistently across the EU. In this case, the competences and powers of supervisory authorities to initiate or engage in legal proceedings concerning cross-border processing of personal data are analysed, with a view to ensuring sincere and effective cooperation between supervisory authorities.

2) Assessment

As a starting point for the assessment, according to Article 55(1) of the GDPR, each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State[i]. According to Article 56(1), the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as the lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60[ii]. As per Article 56(2) of the GDPR, a supervisory authority can exercise power in the Member State in which it is based if there is a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State[iii]. As per Article 58(5), this power also includes the power to bring infringements of this Regulation to the attention of the judicial authorities and, where appropriate, to commence or engage otherwise in legal proceedings, to ensure good enforcement of the Regulation[iv].

Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that a supervisory authority of a Member State which, under the national legislation adopted in order to transpose Article 58(5) of that regulation, has the power to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where necessary, to initiate or engage in legal proceedings, may exercise that power in relation to an instance of cross-border data processing even though it is not the ‘lead supervisory authority’, within the meaning of Article 56(1) of that regulation, with respect to that data processing, provided that that power is exercised in one of the situations where Regulation 2016/679 confers on that supervisory authority a competence to adopt a decision finding that such processing is in breach of the rules contained in that regulation and that the cooperation and consistency procedures laid down by that regulation are respected[v]. Article 58(5) of Regulation 2016/679 must be interpreted as meaning that, in the event of cross-border data processing, it is not a prerequisite for the exercise of power of a supervisory authority of a Member State, other than the lead supervisory authority, to initiate or engage in legal proceedings, within the meaning of that provision, that the controller or processor with respect to the cross-border processing of personal data against whom such proceedings are brought has the main establishment or another establishment on the territory of that Member State[vi].
It must be interpreted as meaning that the power of a supervisory authority of a Member State, other than the lead supervisory authority, to bring any alleged infringement of that regulation to the attention of a court of that Member State and, where appropriate, to initiate or engage in legal proceedings, within the meaning of that provision, may be exercised both with respect to the main establishment of the controller which is located in that authority’s own Member State and with respect to another establishment of that controller, provided that the object of the legal proceedings is a processing of data carried out in the context of the activities of that establishment and that that authority is competent to exercise that power, in accordance with the terms of the answer to the first question referred[vii].

Thus, if the regulation is to be interpreted strictly, a supervisory authority is competent to commence legal proceedings before a court in its Member State against infringements of that regulation, even where they relate to cross-border processing, if the processing substantially affects the data subjects or individuals in its Member State and if it is appropriate to do so. However, it does not seem “appropriate” for a supervisory authority to commence legal proceedings before a court in its Member State against infringements of that regulation in connection with cross-border processing if it is not the lead supervisory authority for that cross-border processing. It could be suitable for them to take such measures; however, it is not necessary, and it is excessively burdensome, to allow them to do so. Allowing every supervisory authority to start legal proceedings in the specific Member States could potentially harm legal certainty and the consistent application of the Regulation, and would create complicated procedures for companies establishing themselves in the EU. This would go against the purpose of the GDPR, which is intended to provide a set of standardised data protection laws across all the member countries[viii] and to simplify the regulatory environment for international business by unifying data protection regulations within the European Union[ix]. Thus, it is not necessary or proportionate for a supervisory authority to commence legal proceedings before a court in its Member State against infringements of that regulation in connection with cross-border processing if it is not the lead supervisory authority for that cross-border processing. Furthermore, it is stated in Article 56(2) GDPR that the lead supervisory authority shall be the lead interlocutor of controller and processor for the cross-border processing carried out by the company; thus it does not seem fair or legitimate for each supervisory authority to start proceedings against establishments involving cross-border processing.
The statements mentioned above can be elaborated through the Google v CNIL case, where a one-stop-shop mechanism was invented. According to this, if an organisation is established in the EU and is engaged in cross-border processing, the supervisory authority of the EU Member State where the main establishment is located will be the lead supervisory authority (LSA) and is mainly responsible for the cross-border processing activities of the organisation. This was enacted mainly in order to prevent inconsistencies through coherent interpretation and to promote uniformity in the application of the Regulation.

Nevertheless, the supervisory authorities can assist the lead supervisory authority in preventing infringement of the Regulation in their Member State due to cross-border processing through the mutual assistance procedure stated in Articles 60, 61 and 63 of the GDPR. Specifically, the consistency mechanism stated in Article 63 GDPR facilitates the free flow of personal data within the internal market without the need for any agreement between the Member States on the provision of mutual assistance or on such cooperation[x]. This allows for prevention and remedy in case cross-border processing affects a Member State, and thus there seems to be no legitimate necessity to allow the supervisory authority to bring a case in the court of its Member State against the infringements of that regulation in connection with cross-border processing if it is not the lead supervisory authority.

Therefore, in line with the arguments given above, a supervisory authority may advise an establishment or national institutions and also cooperate with the lead supervisory authority, in order to prevent infringement of the Regulation due to cross-border processing. However, in order to secure legal certainty and uniformity, it is not “appropriate” for a supervisory authority to initiate a proceeding before a court in its Member State against infringement of the Regulation in connection with cross-border processing.

Nevertheless, where a supervisory authority of a Member State which is not the ‘lead supervisory authority’ within the meaning of Article 56(1) of that regulation, has brought a legal action, the object of which is an instance of cross-border processing of personal data, before 25 May 2018, that is, before the date when that regulation became applicable, that action may, from the perspective of EU law, be continued on the basis of the provisions of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which remains applicable in relation to infringements of the rules laid down in that directive committed up to the date when that directive was repealed. That action may, in addition, be brought by that authority with respect to infringements committed after that date, on the basis of Article 58(5) of Regulation 2016/679, provided that that action is brought in one of the situations where, exceptionally, that regulation confers on a supervisory authority of a Member State which is not the “lead supervisory authority” a competence to adopt a decision finding that the processing of data in question is in breach of the rules contained in that regulation with respect to the protection of the rights of natural persons, as regards the processing of personal data and that the cooperation and consistency procedures laid down by that regulation are respected, which it is for the referring court to determine[xi].

The second question:

The second question is whether Article [58(5)] of the GDPR has direct effect, such that a national supervisory authority can rely on the aforementioned article to commence or continue legal proceedings against private parties even if Article [58(5)] of the GDPR has not been specifically transposed into the legislation of the Member States, notwithstanding the requirement to do so. Article 58(5) of the GDPR has direct effect, and a national supervisory authority can rely on the article to commence or continue legal proceedings against private parties without the requirement of the GDPR to be transposed. The GDPR is a regulation and, as per Article 288(2) TFEU, regulations have a direct effect on the legislation of the Member States and do not need to be transposed by a Member State. They are directly applicable and binding in their entirety, which is explained in the Munoz case.

Conclusion

In the light of the foregoing considerations, a supervisory authority which, pursuant to national law adopted in implementation of Article [58(5)] of that regulation, has the power to commence legal proceedings before a court in its Member State against infringements of that regulation may exercise that power in connection with cross-border processing even if it is not the lead supervisory authority for that cross-border processing. Article [58(5)] of the GDPR has a direct effect.


References

[1] https://www2.deloitte.com/ch/en/pages/risk/articles/gdpr-one-stop-shop.html

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ 2016/01

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ 2016/01

[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ 2016/01

[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ 2016/01

[6] https://curia.europa.eu/juris/document/document.jsf;jsessionid=53639F3F70D72F7580DA44B544140082?text=&docid=244838&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=35287738

[7] https://curia.europa.eu/juris/document/document.jsf;jsessionid=53639F3F70D72F7580DA44B544140082text=&docid=244838&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=35287738

[8] Ibid

[9] Anon, (2020). [Blog] Available at: https://www.privacytrust.com/gdpr/whats-the-real-purpose-of-the-gdpr.html [Accessed 10 Feb. 2020].

[10]

[11] Recital 35 GDPR

[12] https://curia.europa.eu/juris/document/document.jsf;jsessionid=53639F3F70D72F7580DA44B544140082text=&docid=244838&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=35287738