GDPR’s one-stop-shop mechanism under scrutiny – Who is competent against Big Tech?
The judgement has repeatedly been cited as significantly enhancing enforcement actions against Big Tech. However, a closer look reveals that the ECJ added little to the derogations from the OSS already enshrined in the GDPR itself.
What is the one-stop-shop mechanism?
The OSS mechanism was newly introduced with the GDPR. It regulates instances of cross-border processing, that is, when companies process personal data in the context of the activities of multiple EU establishments or of a single establishment which substantially affects (or is likely to affect) data subjects in several Member States.
Simply put, the OSS holds that in such cases the data protection authority (DPA) of the Member State of the controller’s or processor’s main establishment is competent. Article 56(1) GDPR stipulates that the DPA of the main establishment acts as the lead supervisory authority. This is a derogation from the main rule that each DPA is competent within the territory of its own Member State and shields businesses from being simultaneously held responsible by multiple DPAs. According to the EU Commission’s communication to the Council, the European Economic and Social Committee and the Committee of the Regions of 2012, the OSS remedies the previous unnecessary costs and administrative burdens for business and enhances ‘the Single Market dimension of data protection’.
The lead authority must cooperate with the other authorities concerned. These are the authorities of the Member States in which the controller or processor is established, the authorities of the Member States on whose citizens the processing has (or is likely to have) a substantial impact, and the authority to which data subjects have initially complained. Once the lead authority has finalised a draft decision, it must forward it to all concerned authorities, which can issue a relevant and reasoned objection. If the authorities cannot agree on a decision, the dispute resolution mechanism of Art. 65 GDPR allows the European Data Protection Board (EDPB) to take a binding decision instead.
Case C-645/19 – Facts & Ruling
In 2015, the Belgian Privacy Commission had brought proceedings before Belgian courts seeking an injunction against Facebook Ireland, Facebook Inc and Facebook Belgium. Facebook allegedly violated the old Directive 95/46 by using cookies, social plug-ins or pixels to collect information on the internet browsing behaviour of internet users. On appeal, the court stayed proceedings to ask the ECJ whether the Belgian DPA, the successor of the Privacy Commission, has the competence to initiate proceedings. In essence, the ECJ was asked to decide on possible exceptions to the OSS since the Irish Data Protection Commissioner would normally be the lead authority due to Facebook’s European headquarters being located in Dublin.
The ECJ, after restating the general rule that each DPA is competent on the territory of its own Member State, upheld the OSS mechanism by citing Art. 56(1) GDPR and the possibility for relevant and reasoned objections by the authorities concerned as well as the dispute resolution mechanism of the EDPB. It then went on to outline possible exceptions to the OSS. It referred to Article 56(2) GDPR, which authorizes any DPA to handle a complaint about cross-border processing lodged with it if the processing solely relates to an establishment within its own Member State or only substantially affects data subjects within its Member State. Alternatively, the urgency procedure of Art. 66 authorizes each concerned DPA to adopt provisional measures producing legal effect on its own territory for up to three months where exceptional circumstances and an urgent need to act to protect the rights and freedoms of data subjects are present. If it deems the adoption of final measures necessary, it can request an urgent opinion or binding decision from the EDPB.
It is ultimately for the Belgian court to decide whether one of the exceptions applies to the Belgian DPA.
Relevance of the judgement for enforcement actions against Big Tech
Most Big Tech companies have established their European headquarters in Ireland or Luxembourg. Consequently, the Irish DPA finds itself in the role of lead authority for Apple, Facebook, Microsoft, Twitter, TikTok and co. Having accepted the lead in 196 cases but only adopted four decisions so far, the Irish DPA stands at the centre of much criticism. Many accuse the OSS mechanism of being inefficient against Big Tech. The Belgian DPA is certainly not the first to investigate cross-border processing despite not being the lead authority. The French DPA fined Google in 2019, the Hamburg Data Protection Commissioner informed Google of its intention to start proceedings in 2019 and the Italian DPA issued a decision against TikTok in 2021.
However, the recent judgement does not seem to be the key to the problem either. While indeed outlining the loopholes for national DPAs to investigate despite lacking the lead role, it simply restates the exceptions contained in the GDPR. Additionally, these exceptions are likely not as efficient in practice as one might assume. Given the widespread processing of personal data of data subjects across the entire EU by Facebook, Twitter and co., the derogation of Art. 56(2) will rarely be relevant. Most processing evidently relates to establishments in multiple Member States and substantially affects data subjects in several Member States. Similarly, the urgency procedure imposes a high threshold: there must be exceptional circumstances and an urgent need to act to protect the interests of the data subjects. Additionally, measures so adopted only take effect on the territory of the adopting DPA and do not last longer than three months. Even where the DPA asks for final measures from the EDPB, the board has recently demonstrated that it will not easily follow such a request: the adoption of updated terms by WhatsApp could not ‘on its own’ justify such urgency.
It seems that instead of heavily relying on the derogations from the OSS mechanism at the risk of undermining its purpose, one should rather tackle the source of the problem and aim at improving the enforcement rate in Ireland. Helen Dixon, the Irish Commissioner for Data Protection, has repeatedly complained of a lack of funding and staffing, and the introduction of two additional Commissioners has been discussed. More resources, together with the increasing political pressure on the Irish DPA, will likely lead to more and faster decision-making in Ireland. Where national DPAs are still discontent with Irish decisions, the possibility of relevant and reasoned objections and, where necessary, a final EDPB decision should be able to resolve remaining issues.