Whilst there were some worrying signs it was perhaps too early to simply write off the arrangement. Since then we have seen France’s top court, the Conseil d’État, confirm that, despite the one-stop-shop, the CNIL, France’s data protection authority, had the competence to impose a 50 million Euro penalty on Google. We have also seen the European Commission publish its two year review of the GDPR in which it calls for further harmonisation in applying and enforcing the GDPR and more efficient functioning of the cooperation and consistency mechanisms. So where are we now? How far is the one-stop-shop living up to its promise to provide a single point of contact and hence greater legal certainty for organizations involved in processing personal data across more than one of the EU’s member states?
The Ruling of the Conseil d’État
The case before the court concerned the CNIL’s decision to impose a fine of 50 million Euro on Google for a lack of transparency, unsatisfactory information and lack of valid consent for the personalisation of advertising when users create a Google account from a phone running the Android operating system. Whilst many observers and, presumably Google itself, might have taken the view that the place of Google’s central administration in the EU, and hence its main establishment, was in Dublin meaning that under the one-stop-shop it would be the Irish Data Protection Commission that would be the lead data protection authority for cross-border processing by Google the CNIL took a different view. The CNIL’s view, which appears to have been supported by the other EU data protection authorities and which was endorsed by the Conseil d’État, was that because decisions on the purposes and means of the processing at issue were taken in the US rather than in Google’s European Headquarters in Dublin or anywhere else in the EU Google did not have a main establishment in the EU and so could not benefit from the one-stop-shop in relation to the processing in question. The CNIL was therefore competent to impose its own fine given that Google’s processing involved the personal data of users located in France.
This interpretation of the GDPR, which is in line with the EDPB’s guidelines on identifying a lead supervisory authority, may be further challenged if Google seeks to refer the case to the CJEU. Nevertheless it is a setback for multinational businesses headquartered outside the EU. It is likely that in many cases decisions on how and why such businesses process personal data in the EU will be taken wholly or mainly in their non-EU headquarters. If so they cannot reap the benefits of either the single point of contact or the legal certainty that the one-stop-shop potentially offers them. Furthermore they risk separate fines from the data protection authorities in each of the countries with residents who are affected by what, for them, might be a single processing activity albeit one that affects residents in multiple member states. It is hard to see who gains here. Perhaps it is data protection authorities who want to retain their ability to act, and be seen to act, independently or to impose multiple fines. However one of the principal aims of the GDPR was to achieve simplification and consistency for businesses and individuals alike in the application of EU data protection law. Furthermore the European Commission, in its review, is calling for even greater harmonisation. In this context wouldn’t it make sense for the benefits of the one-stop-shop to be available for any business involved in cross-border processing in the EU regardless of where their decision making is located. Why, given the global nature of processing these days, should a business only be able to have a single point of contact in the EU if it takes its decisions on processing personal data in Dublin rather than in California?
The French ruling also begs the question of what has happened to all the other EU data protection authorities so far as the Google case is concerned. Presumably not all Google users in the EU who created accounts from phones running the Android operating system were located in France. A reasonable assumption would be that, in line with the ruling, each data protection authority was competent for addressing any infringement by Google affecting users located on its territory so what were they all up to? Did they take a different view on whether Google was in breach of the GDPR in relation to their residents? Did they take the same view but decide that sanctions were not warranted? Or were they happy just to leave it to the CNIL to carry the torch for the rest of the party ? If the latter were the data protection authorities not effectively operating a one-stop-shop in practice if not in name?
Neither the need for fairness and consistency in the treatment of businesses subject to the GDPR nor the European Commission’s call for greater harmonisation across the EU is confined to those businesses and those cases that qualify for the one-stop-shop. Some clarity on just how, in those cross-border cases that fall outside the one-stop-shop, the data protection authorities are coordinating their actions, delivering consistency in applying the GDPR and ensuring that businesses are not exposed to multiple fines for a single failing would be most welcome.
The Implications Post-Brexit
Whilst businesses with their global or European head offices in the UK still qualify for the one-stop-shop during the current Brexit transitional period all that will change when the Brexit process is completed at the end of the year. The UK will then be a “third country” so far as the EU GDPR is concerned. In line with the Conseil d’État’s decision those businesses that concentrate their decision making on the purposes and means of their processing of EU personal data in their UK office will then be excluded from the one-stop-shop. They have a choice either to accept this or, if they have other establishments in the EU, to move their decision making to one of these establishments. However, as the French court’s decision makes clear, any such move cannot simply be illusory. The EDPB explains in its guidelines that an EU establishment must have the “authority to implement decisions about the processing activity and to take liability for the processing, including having sufficient assets” if it is to qualify as the business’s main establishment and so trigger the application of the one-stop-shop. For many businesses that have their principal European office in the UK this could involve substantial reorganisation and even relocation of staff. The signs are that such businesses are generally concluding that the benefits that the one-stop-shop brings in practice are limited and will not, in any case, outweigh the cost or disruption of the necessary business changes.
The European Commission’s Review
One of the main benefits of the one-stop-shop is that it is the gateway to the GDPR’s cooperation and consistency mechanisms. Cross-border cases that come within the ambit of the one-stop-shop are dealt with initially under the cooperation arrangements by the lead supervisory authority which has to consult with other “supervisory authorities concerned” before coming to a decision. In the event of disagreement the case goes into the consistency arrangements and is dealt with by the EDPB. This is all proving to be a lengthy process. The ICO’s intended fines against BA and Marriott went into the cooperation arrangement 12 months ago and have yet to emerge. Cases against major tech companies that are being dealt with by the Irish Data Protection Commission through the cooperation arrangement are still ongoing. There are almost certainly other cases as well. The Commission in its review confirms that, “important decisions with a cross-border dimension …… are currently pending. These……..will have a substantial impact on individuals’ rights in many Member States”. It is perhaps informative to consider how long the Google case might have taken had Google in fact qualified for the one-stop-shop. The CNIL imposed its fine on Google in January 2019 less than 9 months after the GDPR came into force. Whilst it can be no more than speculation all the indications are that had the case qualified for the one stop shop it would still not have reached a conclusion.
It may be going too far to quote the legal maxim, “justice delayed is justice denied” but delay does come with a price. Perhaps it is an extreme example but both BA and Marriott are now in very different positions as a result of the coronavirus crisis that they were when their cases first went into the cooperation system. It is hard to see how anything like the fines of £183m and £99m originally proposed can be sustained in the present climate. Furthermore if other cases are addressing substantial breaches of individuals’ rights across many member states is it fair to those individuals that these breaches should be allowed to continue for so long after they have first come to light? These are amongst the reasons why the Commission, in its review, is inviting the EDPB and data protection authorities to, ”develop efficient arrangements between data protection authorities regarding the functioning of the cooperation and consistency mechanisms, including on procedural aspects…..”.
Perhaps spurred on by the Commission’s review the EDPB has announced the publication of a new register containing cross-border decisions under one-stop-shop. This is a welcome development but a quick examination of the register suggests that a great deal of cooperative effort may be going into relatively minor cases. Of the 68 cases published so far 40 (59%) were “No Violation”, “Dismissed” or “No Sanction”. A further 12(18%) resulted in a reprimand. Only 4(6%) resulted in a fine. Perhaps the cooperation system could be made quicker and more efficient if with the less serious cross border cases the data protection authorities were able simply to trust the lead authority to deal with the case without the need to consult other “concerned” authorities formally and jump the procedural hurdles associated with the cooperation mechanism. The strictures of the cooperation mechanism could them be reserved for that small proportion of cases likely to result in significant fines or otherwise have a significant impact on the rights and freedoms of individuals or the burdens placed on businesses.
Arguably the delays arising from the cooperation and consistency mechanisms are illustrative of one of the tensions underlying the GDPR. Given the aim of delivering harmonisation, which the Commission is now urging greater effort towards in its latest review, why does it make sense to have multiple national data protection authorities, inevitably with diverging views and priorities involved in what is essentially EU wide decision making? While national authorities could continue to deal with cases that are primarily local in nature and even the more minor cross border cases might it not make sense for there to be single body that could deal more quickly and more efficiently with those cases with potentially significant implications that are essentially EU wide in nature. This would almost certainly include cases focused on the major multinational tech companies. Perhaps the German Federal Commissioner had a point when he was reported earlier this year as saying that he would like to see a European data protection agency that could manage large, cross-border cases. Of course, in the unlikely event that such a centralised case handling arrangement were to come about, the UK would in any case be excluded in our new post-Brexit world.