The introduction of the General Data Protection Regulation (GDPR) constitutes a considerable step forward in the supervision and protection of the personal data of users of online platforms. For example, it imposes information and transparency obligations on organizations that process personal data regarding the processing that is carried out within their territory.
Obligations relating to the information and consent of its users concerning the deposit of tracers
However, a problem arises: in the event of cross-border data processing, which authority is competent to act? On June 15, 2021, the Court of Justice of the European Union put an end to the debate around this issue between the Belgian Data Protection Authority and Facebook Ireland. It considers that the fact that the GDPR designates the Irish authority as the lead authority does not deprive other authorities of all means of action.
On September 11, 2015, the Belgian Commission for the Protection of Privacy (CPVP) brought an action before the Brussels Court of First Instance for violation, by the giant Facebook, of its obligations relating to the information and consent of its users concerning the deposit of tracers.
The Commission considers that the collection of user data and the use of information on the browsing behavior of Belgian Internet users are carried out in violation of Belgian and European legislation. The Belgian supervisory authority accuses Facebook of tracking Internet users, whether or not they have an account in the application, via “social modules”, programs which allow Internet users to “like” a post or share an article. Whether the user is a member of the application or not, Facebook will have access to personal data on their computer when they visit a public Facebook page, such as a public event. This then allows Facebook to identify all the websites that this user visits when they contain a redirection button with the famous white “f” on a blue background. Considering that the data processing takes place across borders, the complaint lodged by the CPVP targets Facebook Belgium, Facebook Ireland and Facebook USA.
On February 16, 2018, the Brussels Court of First Instance sanctioned the social network and ordered the giant to comply with Belgian law. This implies that Facebook must stop collecting data from its users without informing them first. Facebook appealed to the Brussels Court of Appeal. However, on May 25, 2018, the GDPR entered into force, establishing the one-stop-shop mechanism in Article 56, paragraph 1 [1]. This is a new procedure which aims to harmonize at European level the decisions of data protection authorities concerning cross-border processing.
Before the entry into force of the GDPR, companies established in more than one member state had to contact the authorities of each of the states in which they were established. These steps prevented a uniform application of Union law. To alleviate the problems surrounding this system, the European one-stop-shop was created. It allows companies established in the European Union which implement cross-border data processing to benefit from a simplified control procedure: from now on there will be a single point of contact who will make a single decision valid throughout the territory of the Union. The single point of contact is called the “lead authority”; it corresponds to the supervisory authority of the Member State in which the company has established its main establishment. It will be responsible for all procedures and for coordinating decision-making with the other data protection authorities concerned. This consultation will then lead to a single decision.
In view of these new provisions, the Court of Appeal asked whether this mechanism protects Facebook Ireland against injunctions sought by authorities other than the Irish Authority and, consequently, whether it is only competent to adjudicate on the action brought against Facebook Belgium. By its judgment of May 8, 2019, the Court of Appeal decided to refer a preliminary question to the Court of Justice of the European Union: “Article 55, paragraph 1, Articles 56 to 58 and Articles 60 to 66 of [Regulation 2016/679], read in conjunction with Articles 7, 8 and 47 of the [Charter], should they be interpreted as meaning that a supervisory authority which, by virtue of national legislation adopted pursuant to Article 58 (5) of that Regulation, is competent to take legal action before a court of its Member State against breaches of said regulation, cannot exercise this competence in relation to cross-border data processing if it is not the lead supervisory authority in relation to this cross-border data processing?”. The Belgian Court of Appeal wonders whether, in view of the establishment of the one-stop-shop mechanism, the Belgian supervisory authority can indeed continue its proceedings against Facebook.
The national authority which does not have the competence in principle to act must cooperate and dialogue with the lead authority to try to reach a decision
The CJEU confirms that it is possible for an authority which is not a “lead authority” to take legal action if the cooperation mechanism does not work properly, provided that the GDPR has given it the competence to adopt a decision finding violations of the GDPR and that it has exercised this power in compliance with the cooperation and control procedures provided for by the GDPR. Article 60 of the GDPR provides that, in principle, it is the lead authority that is competent to adopt any decision relating to a breach of the GDPR in the context of cross-border data processing. It is only by way of exception that Article 56, according to which “each supervisory authority is competent to deal with a complaint lodged with it or a possible violation of this regulation, if its object concerns only an establishment in the Member State to which it reports or significantly affects data subjects in that Member State only”, will apply. Nevertheless, the CJEU recalled in its press release that “This mechanism [of the one-stop-shop] requires close, loyal and efficient cooperation between these authorities, in order to ensure a coherent and homogeneous protection of the rules relating to the protection of personal data and thus preserve its useful effect. In this regard, the GDPR establishes the competence in principle of the lead supervisory authority to adopt a decision finding that cross-border processing disregards the rules provided for by this regulation, while the competence of other national supervisory authorities to adopt such a decision, even provisionally, constitutes the exception.” This means that before any decision is taken, the national authority which does not have the competence in principle to act must cooperate and dialogue with the lead authority to try to reach a decision.
The second question that arises is whether the supervisory authority of a State in which the data controller does not have an establishment can act. Article 3 (1) of the GDPR provides that the regulation applies to the processing of personal data carried out within the framework of the activities of an establishment of a controller or of a processor on the territory of the Union, whether or not the processing takes place in the Union. According to Article 58, paragraph 5, each member state must adopt a law which allows its supervisory authority to sue. However, the judges recall that the GDPR is not intended to limit the powers of action of the supervisory authority, so it is not necessary for the company to have an establishment in the territory of the supervisory authority that wishes to take legal action. The territorial scope of the regulation must nevertheless be respected, which implies that the data controller must have an establishment in the territory of the Union.
Finally, the Court of Appeal considered whether the Belgian supervisory authority should take action against the establishment located on its territory or against the main establishment which is established in another State of the Union. It emerges from the reasoning of the European judges that the processing of the personal data in question is carried out exclusively by Facebook Ireland and that this processing must be regarded as being carried out “within the framework of the activities of an establishment of the controller”, within the meaning of Article 3 (1) of Regulation 2016/679. Consequently, the Belgian Supervisory Authority had as much power to institute legal proceedings against the main establishment which is located in Belgium as against Facebook Ireland since “the action in court refers to data processing carried out within the framework of the activities of this establishment and that the said authority is competent to exercise this power”. In other words, the Belgian court had jurisdiction to act against Facebook Ireland.
With this decision, the CJEU clarifies the terms of application of the one-stop-shop and provides a solution, at least partially, to the misuse to which this system could be subject. Now, even in the absence of a law, a Supervisory Authority has the power to take legal action to sanction a violation of the GDPR. This procedure could help combat the omnipotence that Ireland seemed to want to protect.
All the authorities of the Member States of the Union are competent to control the actions of these giants in cross-border affairs
This judgment allows the data protection supervisory commissions to strengthen their power against the giants. In France, Facebook has been in the sights of the National Commission for Informatics and Liberties since the breach of the data of 20 million French people. A flaw resulted in the disclosure of the phone numbers of half of French Facebook users and, despite the information obligations arising from the GDPR, the multinational refrained from alerting the users concerned. Another case surrounding Facebook, where the company came under heavy criticism, was the rollout of a WhatsApp update that involved the collection of payment data for Facebook without users being clearly informed.
We now know that almost all digital companies have established their European establishment in Ireland. In principle, the control of companies such as Facebook, Twitter, Google, etc. would fall to the Data Protection Commission of Ireland, but it seems that now all the authorities of the Member States of the Union are competent to monitor the actions of these giants in cross-border affairs, and not only the lead authority.
Ireland’s dealings with GAFA have often attracted strong criticism from EU data protection authorities. The Irish Authority has been accused of not taking enough action against IT companies. On March 25, 2021, MEPs voted for a resolution in which they stated that the European Parliament “is particularly concerned that the Irish data protection authority usually closes most cases by settlement rather than a sanction and that the cases brought to Ireland in 2018 have not even reached the draft decision stage.”
And unfortunately, the “one-stop-shop” does not make up for the lack of action on the part of the Irish authorities: “the success of the ‘one-stop-shop mechanism’ depends on the time and effort that the authorities responsible for protecting data may devote to the processing of individual cross-border cases and to the cooperation on these cases within the EDPS, and that the lack of political will and resources has immediate consequences for the proper functioning of this mechanism”. The resolution thus deplores the lack of resources which prevents its proper functioning.
On May 20, 2021, MEPs united to put an end to these abuses and voted in favor of a resolution calling for the implementation of an infringement procedure by the European Commission against Ireland for failure to apply the GDPR.
This European resolution follows in particular the Schrems II judgment, in which European judges invalidated the “Privacy Shield” governing the sharing of data between the European Union and the United States. MEPs expressed their disappointment at the actions of the Irish Data Protection Commission (DPC), which preferred to go to court rather than take a decision, despite its competence. But this is only one disappointment among others. The real point of contention is the multitude of complaints on which the Irish authorities have refrained from ruling since the entry into force of the GDPR in 2018. According to the Austrian association Noyb, only 0.07% of complaints lodged with the Irish CNIL are successful. This situation is a boon for GAFAM, which can continue their activity without respecting the principles of the GDPR and without being troubled.
Eternoscorp remains at your disposal for any questions relating to data protection and the controls exercised over it
[1] “Without prejudice to Article 55, the supervisory authority of the main establishment or of the sole establishment of the controller or processor is competent to act as the lead supervisory authority in relation to cross-border processing carried out by this controller or processor, in accordance with the procedure provided for in Article 60.”