One-Stop-Shop
“Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.”
European Commission, at the time of the adoption of the GDPR
At the time of the adoption of the European General Data Protection Regulation (GDPR), the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism (1SS), whereby in respect to controllers or processors with multiple establishments in the EU, the supervisory authority (SA) of the ‘main establishment’ of such controller or processor in the EU will serve as the ‘lead SA’ for its ‘cross-border processing’ activities.
In the first landmark enforcement decision under the GDPR, the French SA (CNIL) fined Google 50 million euros (the highest fine so far), despite the fact that the complaints (PDF: 1.03 MB) concerned a cross-border processing in the EU, which calls for 1SS enforcement. The CNIL considered that although Google has its EU headquarters in Ireland, this Irish entity ‘did not have a decision-making power’ in relation to the purposes and means of the relevant cross-border data processing activities. For that reason, the CNIL decided that the 1SS mechanism did not apply and that the CNIL was therefore competent to make a decision.[2]
This is noteworthy, as apparently the main complainant[3] filed similar complaints against Instagram, Facebook, and WhatsApp with the SAs of Austria, Belgium, and Germany, which all passed the complaints to the Irish SA (as the ‘lead SA’), as these companies have their EU headquarters in Ireland.
What Is The issue?
Is the CNIL right to require that the EU administrative headquarters must have decision making power over the purposes and means of processing activities (i.e. qualify as the ‘controller’)? If so, the 1SS mechanism will de facto not be available for non-EU controllers (such as Google), as their EU administrative headquarters will rarely independently decide on the purposes and means of its cross-border processing activities in the EU (these being part of their global service offerings). These companies will then be exposed to a potential accumulation of fines for their cross-border processing activities, as each and every SA would be able to fine the company up to the maximum allowed under the GDPR.
What To Think?
As the CNIL’s decision may have a major impact, it is worth evaluating its merits. The outcome is surprising. The intention of the EU legislators was to also apply the 1SS to non-EU controllers having establishments in the EU. Enforcement against such non-EU controllers is possible in their place of central administration in the EU. The justification for enforcement against non-EU controllers in their place of central administration in the EU, is that a company’s central administration in the EU has the corporate power to ensure the implementation of compliance by the establishments in the EU, thereby greatly enhancing practical enforcement in the EU against non-EU controllers.[4] The requirement of the CNIL that the central administration in the EU must also qualify as the controller therefore undermines the 1SS as provided by the GDPR. This decision may be a short-term benefit to the CNIL and its national enforcement powers against Google, but it will ultimately prove detrimental to effective EU-wide enforcement (including uniformity in application and legal certainty) in the longer term. The SAs cannot have it both ways. The 1SS cannot be selectively applied when it suits them. Either there is a 1SS enforcement option against Google (whereby the lead SA renders one single decision that ensures EU-wide enforcement) or we go back to the pre-GDPR days where each and every SA needs to act independently against Google to ensure enforcement in its own jurisdiction. The GDPR stands for the first option.[5]
Déjà Vu
Given the benefits of 1SS enforcement, you would expect all SAs to warmly embrace the concept. But the reality was that many SAs opposed the 1SS, so much so that it proved to be the last hurdle for adopting the GDPR. The opposition was triggered by the realization that not all Member States have an equal number of EU headquarters in their territories. The ones with more (mostly the northern Member States) would act more often as lead SA, gain more control, and (most importantly) collect the newly increased fines. To ensure adoption, ultimately a compromise was struck. The lead SA would no longer act independently, but would act as a ‘first among equals,’ whereby other relevant SAs (e.g. with local establishments) could join in any enforcement action by the lead SA (and receive their share of the fine). Important here is that the core of the 1SS, whereby one lead SA coordinates EU wide enforcement (to the detriment of the national enforcement powers of the SAs) remained firmly in place.[6]
The Definition of ‘Main Establishment’
Let’s look at the definition of ‘main establishment’ in Article 4(16) GDPR:
‘a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;’
At first glance, the literal text could be taken to provide support for the decision of the CNIL, as it may be read to imply that the central administration in the EU is the place where decisions about the purposes and means are made.[7] This could be implied by the use of term ‘unless,’ which could be taken to mean that if decisions on purposes and means will be made by another establishment instead of by the central administration, such other establishment will qualify as the main establishment.
As is often the case, however, the provisions of the GDPR cannot be taken at face value.
Controller Does Not Have To Be Established In The EU
The GDPR is set up in such a manner that its provisions apply regardless of whether the controller itself is established in the EU. It is sufficient that the personal data is processed ‘in the context of an establishment in the EU,’ whereby the controller itself may well be established outside the EU.[8]
In wording similar to that found in the scope provision of Article 3(1) of the GDPR, the definition of “main establishment” does not require that the controller itself be established in the EU, just that the controller ‘must have establishments in more than one Member State.’ This provision is therefore equally meant to provide for 1SS enforcement in a case of a non-EU controller having establishments in the EU, whereby it is understood that these establishments may therefore not qualify as controllers in their own right.
In order to ensure that efficient enforcement pursuant to 1SS can be achieved for non-EU controllers, the EU legislators chose the ‘place of central administration’ as the best port of call for the 1SS. The EU legislators opted for the place of ‘central administration’ rather than the ‘EU headquarters’ in order to ensure that in cases where there would be no official legal EU headquarters, another establishment could be identified as the best placed (in terms of management functions) to qualify as the main establishment, therefore ensuring an extensive scope for 1SS enforcement against non-EU controllers.
Alternative Interpretation
Read from this perspective, it is clear why the 1SS mechanism does not specify that the central administration in the EU must decide the purposes and means of data processing activities. The provision is written so that it can cover non-EU controllers, even if these decisions are made by a non-EU controller.
This is also the logical interpretation of why the term ‘the place of central administration’ is included in the first place. If the EU regulators had intended for the central administration to only include places where decisions on purposes and means of data processing activities are made (as the CNIL assumes), the provision could have simply provided that the main establishment is ‘the EU establishment being the controller of the relevant processing.’ The reference to ‘place of central administration’ would have no function. The inclusion thereof must therefore mean something different than the alternative option in the definition which refers to ‘establishment where the decisions on purposes and means of the relevant processing are taken’ (referring to who qualifies as the controller), as otherwise why include this element in the provision in the first place? This argument also works the other way: if the place of central administration would also be the place where decisions on purposes and means are taken, why include the alternative option? The alternative option would be irrelevant.
The construction of the definition of main establishment providing for two options, is only consistent if the central administration is understood as the place where corporate control is exercised and compliance can be streamlined across establishments. In this interpretation, the alternative option provided for in the definition also has significant relevance. The alternative option kicks in when another establishment in the EU can both decide on purposes and means of processing activities (i.e. is the controller) and also have these decisions implemented. In these cases, enforcement against this establishment is more efficient than against the center of administration. Note that the alternative option is different from mere controllership; the relevant establishment needs to be a controller but further also have the power to implement decisions throughout the EU. The underlying rationale again is how to best enforce decisions throughout the EU (ensuring the power to direct compliance) rather than identifying the party that has the legal responsibility to comply with the GDPR (i.e. the controller).
The above interpretation is confirmed by Recitals 36 and 37 (PDF: 959 KB) of the GDPR, which provide a clarification for which entity of a group of undertakings qualifies as the main establishment. These Recitals make clear that where processing is carried out by a group of undertakings, the establishment of the undertaking in the EU with overall control over the other EU establishments should be considered to be the main establishment for the group.
Legislative History
The above interpretation is supported by the legislative history of the relevant provisions of the GDPR. The definition of ‘main establishment’ in the EC’s initial proposal (PDF: 423 KB) very much deviated from the final provision in the GDPR. Initially, the main establishment of the controller was the place of its establishment ‘in the EU where the main decisions as to purposes and means are made,’ and in contrast the place of establishment for a processor, was the ‘place of its central administration.’ The interpretation now given by the CNIL was therefore fully in line with the definition provided within the Initial Proposal, but this provision changed drastically thereafter. It is also worth noting that already in this first draft the ‘place where decisions are taken’ (for controllers) had a different meaning from the expression “place of central administration” (for processors).
The European Data Protection Supervisor (EDPS) recommended (PDF: 840 KB) refining the definition of ‘controllers’ to identify a controller’s main establishment:
‘taking into account the ‘dominant influence’ of one establishment over others in close connection to the power to implement personal data protection rules or rules relevant for data protection. Alternatively, the definition could focus on the main establishment of the group as a whole.’
This input was subsequently taken to heart in various subsequent versions of the definition, ultimately making the place of central administration the predominant place for 1SS enforcement for controllers as well (aligning this with the connecting factor for processors).
Conclusion
The 1SS enforcement mechanism should also be available to non-EU controllers that have establishments in the EU. Enforcement against such non-EU controllers is possible in their place of central administration in the EU, where their corporate power can ensure the implementation of decisions by the lead SAs. The decision of the CNIL to bypass 1SS is contrary to the GDPR and will ultimately prove detrimental to effective EU enforcement. According to media reports, Google is expected to appeal the decision before the highest administrative court in France, the Council of State, in an attempt to overrule the decision.[9]
***
Editor’s note: this blog post is a summary version of a full article published on SSRN.
Footnotes
[1] Lokke Moerel is a Professor of Global ICT Law at Tilburg University and Senior of Counsel at Morrison & Foerster in Berlin. Prof. Moerel thanks Karine e Silva for her assistance with research and footnotes.
[2] To support its decision, the CNIL refers to Guidelines of the European Data Protection Board on identifying a ‘lead SA’, see Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority (WP 244), as endorsed by the EDPB.
[3] None of Your Business (NOYB), Current Projects – Forced Consent (last visited on 4 April 2019). NOYB, one of the two complaining parties, is an Austrian non-profit organization founded by privacy activist Maximilian Schrems, whose prior lawsuits led to the invalidation of the Safe Harbor agreement between the EU and the US.
[4] See for the benefits of a 1SS over several competent SAs, Balboni, Pelino, & Scudiero (2014), Rethinking the one-stop-shop mechanism: Legal certainty and legitimate expectation, Computer Law & Security Review, Vol. 30(4), p. 396: “In our opinion, the presence of several competent authorities is in itself a factor that makes each DPA more dependent on the others and, hence, less reliable as a source of stable decisions related to the processing of personal data. This institutional arrangement risks generating a situation of uncertainty that can undermine data subjects’ rights, frustrate the legitimate expectations of data controllers and, eventually, decrease the authoritativeness of the DPAs called to oversee the process of personal data.”
[5] The 1SS was adopted by the EU regulators in order to “enhance consistency in application, legal certainty and reduce the administrative burden for controllers and processors” (EC Initial Proposal, Recital 97 (PDF: 423 KB)). The EU legislators further made clear that the 1SS would also bring ‘significant added value’ for individuals, i.e. by facilitating central enforcement by a single decision of one lead SA, see European Commission (11 April 2016), COM(2016) 214 final (PDF: 261 KB), p. 4.
[6] European Commission (11 April 2016), COM(2016) 214 final (PDF 261: KB).
[7] Article 29 Working Party, Guidelines for identifying a controller or processor’s lead supervisory authority (WP 244), as endorsed by the EDPB, p. 5.
[8] European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), p. 6. In wording similar to that found in the scope provision of Article 3(1) GDPR, the definition of “main establishment” does not require that the controller itself should be established in the EU, just that the controller “must have establishments in more than one Member State.”
[9] Silicon Republic (24 January 2019), Google confirms it will appeal €50m GDPR fine (last visited on 4 April 2019).
Professor Lokke Moerel is a Professor of Global ICT Law at Tilburg University and Senior of Counsel at Morrison & Foerster in Berlin.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.