One-Stop-Non?
What the CNIL decision means for the regulation of cross-border data processing in Europe
In January, France’s data protection supervisory authority, the Commission nationale de l’informatique et des libertés (CNIL), fined Google €50 million for breaching data protection rules under the GDPR. There were two issues which the authority highlighted in particular. Firstly, it found that there was a lack of transparency in relation to Google’s personalised advertisements and that users were not able to fully understand the extent of the data processing taking place. Secondly, it found that the use of pre-ticked boxes to gain user consent for all of Google’s processing operations contravened the requirement that consent be ‘unambiguous’ with a clear affirmative action by the user. Google is the first US company to be sanctioned under the GDPR.
There is little doubt as to the significance of this event in relation to the data processing practices of Google and other companies like it. For years, Google and others have benefited from the rather difficulty-free collection of vast amounts of data to generate lucrative personalised online advertisements. The advent of the GDPR, however, may now produce sand in the wheels of this Big Data phenomenon. The introduction of more robust data protection laws could have the effect of making personal data more valuable by making it more scarce: if companies are required to be more transparent about their processing operations, users may be far less acquiescent in providing their information.
Accordingly, companies will have to make the provision of personal data worthwhile for consumers by offering better services and making greater efforts to prevent irresponsible or unethical uses of their information. In doing so, data privacy will have to be treated as a competitive advantage rather than a regulatory burden. Otherwise, Google and others might struggle to uphold their traditional business models, impacting their reputation and revenues.
However, the CNIL’s decision may also have an impact on the ‘one-stop-shop’, a notable change in the regulation of cross-border data processing in the EU introduced by the GDPR. In fact, Eduardo Ustaran, a privacy and data protection lawyer from Hogen Lovells, believes that the decision is an example of the one-stop-shop not working, and shows that ‘the law in this area is still settling and will not settle for quite some time’.
All Together Now
The GDPR requires all EU Member States to have an independent public authority that is responsible for the monitoring of the application of data protection rules. Defined as a ‘supervisory authority’ under the Regulation, these bodies are required to carry out their responsibilities ‘in order to protect the fundamental rights and freedoms’ in relation to data processing within the Union.
Among the variety of tasks that they undertake, the authorities are required to support the consistent application of the Regulation across the Member States. This includes working in accordance with the ‘consistency mechanism’, providing mutual assistance to other authorities and supporting the European Data Protection Board (EDPB). The GDPR contains a variety of provisions to meet these aims and achieve legal harmonisation across the Union, all of which make up what is colloquially known as the one-stop-shop.
The starting point for this is Article 55, which provides that supervisory authorities are competent to regulate in the territory of its own Member State. Such regulatory competence rests on the notion of ‘establishment’. Thus, an authority can regulate a data controller or processor which is established in their territory.
However, this issue becomes more complex where the controller or processor is established in multiple Member States. In this case, where a controller or processor is established in more than one jurisdiction, the regulatory competence lies in the place of the ‘main establishment’. Article 4 defines this as the place of central administration or the place where the power to make and implement data processing decisions takes place.
Accordingly, Article 56 provides that the supervisory authority located in the same territory as the main establishment will be the ‘lead authority’ for regulating the cross-border processing of the controller or processor in question. Under the Regulation, this lead authority is ‘the sole interlocutor’ for cross-border processing carried out by a controller or processor. Guidelines issued by the Article 29 Working Party, the predecessor to the EDPB, provide the following example:
A bank has its corporate headquarters in Frankfurt, and all its banking processing activities are organised from there, but its insurance department is located in Vienna. If the establishment in Vienna has the power to decide on all insurance data processing activity and to implement these decisions for the whole EU, then as foreseen in Art 4(16) of the GDPR, the Austrian supervisory authority would be the lead authority in respect of the cross border processing of personal data for insurance purposes, and the German authorities (Hessen supervisory authority) would supervise the processing of personal data for banking purposes, wherever the clients are located.¹
Article 56 does also allow non-leading authorities to take action in cross-border cases if either the complaint received relates only to their territory or if the complaint substantially affects individuals only in their territory. When doing so, that non-leading authority will need to notify the lead authority. This is where a so-called ‘battle of competence’ could take place: if the lead authority rejects the assertion of competence by the non-lead authority, then Article 60, which contains rules on cooperation between the supervisory authorities, applies. Conversely, if such an assertion is accepted, then that non-lead authority can proceed subject to the rules under Articles 61 and 61 in relation to mutual assistance (exchange of information) and joint operations.
The procedure under Article 60 begins with the lead authority working with the other concerned authorities to carry out investigations into the controller or processor in question. The lead authority will then be required to submit a draft decision to the other authorities who can either accept or reject the text. If it is rejected, the authorities must give their reasons for such a rejection for consideration by the lead authority. If the reasoned objections are accepted, then a revised draft decision is produced and sent for approval. This process continues until a draft is agreed on, in which case the decision can be adopted.
The EDPB plays a key role in this process. The Board, established under Article 68 of the GDPR, oversees a dispute settlement mechanism where it can decide on a dispute between authorities in relation to regulatory competence for cross-border processing. In particular, under Article 65, the Board can make binding decisions regarding disputes over draft decisions being drawn up by the relevant authorities.
The CNIL Decision
The CNIL is the supervisory authority in France, and therefore automatically has the competence to investigate those controllers and processors established in France. However, the entity in this case was Google, a company which has multiple establishments in Europe. Thus, the provisions pertaining to the one-stop-shop are applicable.
On 25 and 28 May, the Commission received complaints from None of Your Business (NOYB), a non-profit organisation based in Austria, and La Quadrature du Net (LQDN), an advocacy group based in France. Both complaints pertained to Google’s data processing practices, with the CNIL commencing its investigation in September 2018 and finishing later in October. It then handed down its decision in January 2019, issuing a Google with a fine for breaching the rules under the GDPR.
In its decision, the CNIL considered whether it possessed the regulatory competence to investigate and sanction the American company. It firstly acknowledged the case put forward that the main establishment for the European operations of Google was Ireland (Google Ireland Limited), and therefore the Irish Data Protection Commission (IDPC) had regulatory competence. Google believed that this was evidenced by the fact Ireland has been its ‘registered office for European operations since 2003 and that it is the body in charge of several organisational functions necessary to the performance of these operations’.² It also pointed out that ‘all advertising sales contracts with clients based in the European Union are signed by this company’.³
The CNIL argued that Article 4 and Recital 36 of the GDPR suggested that for there to be a main establishment, that establishment ‘must have decision-making power with regard to the processing of the personal data in question’.⁴ Therefore, ‘the main establishment is not automatically the registered office of the data controller in Europe’.⁵
Following this logic, the French authority determined that although Google’s Irish office did ‘possess many financial and human resources enabling [it] to effectively provide services in Europe’,⁶ they were not enough to show that it had ‘any decision-making powers as regards the purposes and the means of processing governed by the privacy policy’.⁷ In addition, the authority pointed out that Google Ireland ‘is not referred to in the company’s “Privacy Policy” dated 25 May 2018 as being the entity where’ data processing decisions are made.⁸ As such, Google Ireland Limited was not Google’s main establishment in the EU for the purposes of the GDPR, and so CNIL took action in accordance with Article 56.
Even the IDPC stated back in August 2018 that it is not the ‘lead regulator’ (lead supervisory authority) for Google. Thus, when the CNIL communicated the complaints to the other authorities concerned, no battle of competence was triggered. The French authority pointed out that, since the exchanges with the other authorities ‘did not lead to the identification of a main establishment or, subsequently, a lead authority’, the CNIL was competent to investigate Google.⁹
The Fate of the One-Stop-Shop
One inference that can be drawn from this decision is that the one-stop-shop mechanism will not be automatically available for non-EU controllers if they cannot show that they have a main establishment somewhere in Europe. More specifically, if an entity cannot provide sufficient evidence to show that its proposed main establishment has decision-making powers in relation to the processing of personal data, then such an entity could be vulnerable to multiple fines in multiple jurisdictions by different supervisory authorities.
However, not everyone agrees with the CNIL’s approach. Lokke Moerel, a professor of global ICT law and senior of counsel with Morrison & Foster, argues that the decision by the French authority was ‘surprising’. She argues that determining the main establishment for non-EU controllers should pivot on the place of central administration, not whether that establishment is the controller. Otherwise, the one-stop-shop mechanism is undermined by contravening the ‘intention of the EU legislators’ when drafting the GDPR. The French authority ‘cannot have it both ways’ and apply the mechanism ‘when it suits them’. Moerel contends that ‘[e]ither there is a one-stop-shop enforcement option against Google (whereby the lead SA in one single decision ensures EU-wide enforcement) or we go back to the pre-GDPR days where each and every SA needs to act against Google to ensure enforcement in its own jurisdiction’.
Moerel’s issue with the CNIL decision stems from its definition of ‘the main establishment’. She believes that the interpretation deployed by the authority was incorrect because it did not take account ‘of the legislative history of the GDPR and the underlying rationale of the relevant provisions’.¹⁰ Enforcement against non-EU controllers should be in their place of central administration, justified on the basis that ‘such central administration in the EU has the corporate power to ensure the implementation of compliance by the establishments in the EU’.¹¹ The reason why the EU legislators took this approach, according to Moerel, was ‘to ensure that institutions where there is no official legal EU headquarters, another establishment could be identified as best placed (in terms of management functions and corporate controls) to qualify as the main establishment’.¹²
The CNIL assumed that the EU regulators had intended for the place of central administration to be the place where the decision-making power lies. But if this were the case, the GDPR could have simply provided that, for cross-border processing, the main establishment is ‘the establishment in the EU deciding on purposes and means of the relevant cross-border processing’.¹³
Thus, when looking at the CNIL decision more closely, the issue does not relate to the one-stop-shop mechanism necessarily, but instead to the correct interpretation of the GDPR. Accordingly, the way in which the one-stop-shop mechanism operates depends largely on the interpretation deployed by the various authorities in the EU when faced with a complaint involving cross-border data processing.
Nevertheless, the consequence of the decision is that companies may start to think about restructuring their European operations to avoid the cost of multiple fines. However, such a task would be costly itself barring a scenario in which the cost of fines for non-compliance outweighs that of rearranging corporate structures, an analysis that some companies will have to take into account.
There is also the point made by Emily Jones and other lawyers at Osborne Clark that ‘there is no guarantee that an EU regulator would agree with a company’s interpretation of who should be its lead supervisory authority and so any restructuring may ultimately have little impact’. The Irish authority has insisted that forum shopping should not be permitted under the GDPR, and such a consideration might have heavily influenced its opinion that it was not the lead authority for Google. Jones and others also highlight that ‘data subjects are still free to lodge complaints with the regulatory authority where they reside, which may not be the lead supervisory authority’.
Thus, it remains to be seen whether the one-stop-shop works as effectively as intended. Since this mechanism, as with the other new changes brought by the GDPR, is still in its infancy with many grey areas still not definitively resolved, only time will tell as to whether the CNIL was right in its approach. Recent investigations into Google taking place in the UK and Ireland are therefore key events to keep an eye on.
Sources:
[1] Article 29 Data Protection Working Party, Guidelines for identifying a controller and processor’s lead supervisory authority (2017), 6.
[2] CNIL, Deliberation of the Restricted Committee SAN-2019-001 of 21 January 2019 pronouncing a financial sanction against GOOGLE LLC (2019), [para 24].
[3] Ibid.
[4] Ibid, [para 30].
[5] Ibid, [para 31].
[6] Ibid, [para 35].
[7] Ibid, [para 36].
[8] Ibid, [para 37].
[9] Ibid, [para 41].
[10] Lokke Moerel, CNIL’s Decision Fining Google Violates One-Stop-Shop (2019), 3.
[11] Ibid
[12] Ibid, 7.
[13] Ibid.