One Stop Shop: Big tech companies exposed to privacy challenges
In June 2021 (Facebook Ireland v Gegevensbeschermingsautoriteit, Case C-645/19, judgment of 15 June 2021), the Court of Justice of the European Union held that proceedings concerning a company's cross-border data processing may be brought not only by the Data Protection Authority (DPA) of the Member State (MS) in which the company has its main establishment, but also, under certain conditions, by the authorities of other MS affected by the processing in question. The Court has thus, to the varying pleasure and displeasure of many, altered the "One Stop Shop" mechanism.
The "One Stop Shop" mechanism comes into play when a complaint about cross-border processing arises. Under this interpretation of the GDPR, a complaint against a company must be dealt with and processed by the DPA of the MS in which the company's main establishment (in practice, its EU headquarters) is located. Note that this covers any alleged infringement of the GDPR (unlawful tracking, missing legal basis, excessive retention), not only a "data breach" in the security-incident sense of Article 4(12). Because Facebook, Twitter, Google and other large platforms all have their EU headquarters in Dublin, most cross-border complaints against them must be referred to and dealt with by Ireland's Data Protection Commission. If the Belgian Data Protection Authority wanted to bring an action against Twitter, it would be required under the GDPR to hand the case over to the Irish authority.
The benefit of this "One Stop Shop" system is that enforcement of the data protection rules is unified and centralised via Dublin (not to say monopolised). Another benefit, as Helen Dixon (Irish Data Protection Commissioner) said in 2018, is that "The bottom-line advantage of the one-stop shop is [companies] are subject to one decision, one appeal and one fine, they're not subject to the jurisdiction of lots of supervisory authorities and therefore fines in the member states." In other words, the OSS system simplifies enforcement actions.
On the other hand, Dublin has been receiving mounting criticism from EU regulators for allowing cases to accumulate untreated or to be treated too slowly. "Most Big Tech companies are based in Ireland, and it should not be up to that country's authority alone to protect 500 million consumers in the EU, especially if it does not rise to the challenge." Indeed, the sheer volume of complaints referred to Ireland by the 26 other MS has created a bottleneck.
But the June 2021 judgment altered the OSS system: the GDPR is now to be interpreted as allowing the DPAs of MS that do not host the company's main establishment (Concerned Authorities) to bring an action against the company before their own national courts, in the specific situations where the GDPR confers that competence on them, rather than always deferring to the authority of the MS that does host the main establishment (the Lead Authority).
Indeed, one of the questions referred to the Court of Justice was whether the GDPR must be interpreted as meaning that a Concerned Authority has the competence to bring an action against a company in breach of data protection rules in addition to the Lead Authority. In other words, the question was whether a Concerned Authority can bring an action in a cross-border case without being the Lead Authority, something the One Stop Shop mechanism had been read as preventing until then.
To answer the referring court, the Court of Justice evaluated the legal basis of the GDPR in the TFEU and the Charter, concluding that the GDPR requires EU institutions, bodies, offices and agencies, as well as competent MS authorities, to ensure a "high level of protection" of the rights enshrined in Article 16 TFEU and Article 8(1) of the Charter. However, the Court identified a tension in this conclusion: MS authorities cannot uphold their obligation to protect the rights of EU residents at a "high level", as required by Article 16(1) TFEU, unless they have the competence to act in at least some instances of cross-border processing. The result is that Concerned Authorities, in addition to Lead Authorities, must be able to exercise certain competences, but not all of them, or the OSS would be overturned entirely.
The Court found a compromise which allows MS authorities to uphold their duties without dismantling the OSS, relying among other things on the "urgency procedure" in Article 66 of the GDPR. Article 66 provides that, in exceptional circumstances, a Concerned Authority which considers there is an urgent need to act to protect the rights of data subjects may derogate from the consistency mechanism and immediately adopt provisional measures, intended to produce legal effects on its own territory, with a specified period of validity not exceeding three months. Those measures, and the reasons for adopting them, must be communicated without delay to the other supervisory authorities concerned, the European Data Protection Board and the Commission. Furthermore, a Concerned Authority may request an urgent opinion or urgent binding decision from the Board where it considers that the competent (lead) authority has not taken appropriate measures in a situation where there is an urgent need to act to protect the rights and freedoms of data subjects. The Concerned Authority's powers under Article 66 are therefore qualified: not only must there be an element of urgency, but the Lead Authority must also be kept informed so that it can decide whether to take the case on itself. The judgment makes the hierarchy explicit: the Lead Authority's competence to adopt a binding decision is the rule, and "the competence of the other supervisory authorities concerned for the adoption of such a decision, even provisionally, constitutes the exception" (paragraph 63).
In lay terms, the Court did not give free rein to Concerned Authorities, but rather gave them a limited scope in which to act. This modifies rather than overhauls the OSS system, and supports not only the Treaty-based obligations placed upon the MS but also the Lead Authorities, who are currently experiencing the bottleneck effect in Dublin. The hope is that such a revised system better serves the data rights of some 450 million EU residents.
Reactions to the CJEU ruling remain divided. The European Consumer Organisation (BEUC) is pleased by the verdict and predicts it will help protect consumers' personal data. Even Facebook's associate general counsel has expressed satisfaction that the court "upheld the value and principles of the OSS mechanism" for the most part. However, the tech industry group CCIA fears that data protection compliance in the EU is set to become "more inconsistent, fragmented and uncertain". The group's EU Senior Policy Manager stated that "while the court has upheld the one-stop-shop principle ... it has also opened the back door for all national data protection enforcers to start multiple proceedings against companies".
We shall see in the coming months how this modified system affects enforcement against cross-border processing.
If you have any queries about your personal data practices in the EU, or about the One Stop Shop principle, please do not hesitate to get in touch!