On June 15, 2021, the Court of Justice of the European Union (“CJEU”) rendered a decision (press release here, full judgment here) addressing whether a European supervisory authority (“SA”) that is not the “Lead SA” (as defined in Article 56 GDPR) has competence to bring a case for an alleged violation of the General Data Protection Regulation (“GDPR”) before a national court in instances where the alleged violation involved the processing of personal data across multiple EU Member States. In such scenarios, a controller with a main establishment in Europe will typically seek to benefit from the so-called “one-stop-shop” principle under Article 56 GDPR, meaning the controller would need to answer to only one SA rather than be subject to enforcement actions brought by numerous SAs.

In summary, the CJEU decided on the five legal questions presented as follows:

(1) SAs must respect the one-stop-shop principle.  According to the CJEU, “authorities concerned” (in contrast to the Lead SA) should not engage in enforcement actions except in exceptional circumstances, such as emergency cases, where the Lead SA indicates it will not intervene or where the Lead SA is not cooperative.  This same rationale applies to the SAs’ competence to bring a case before a national court – in principle, they do not have such competence unless one of the exceptions to the one-stop-shop principle applies.  Or in the words of the Court:

“[…] in relation to the cross-border processing of personal data, the competence of the lead supervisory authority for the adoption of a decision finding that such processing is an infringement of the rules […] constitutes the rule, whereas the competence of the other supervisory authorities concerned for the adoption of such a decision, even provisionally, constitutes the exception” (para. 63).

The CJEU rejected arguments raised by the Belgian SA that advocated for a broader interpretation of the right of an SA concerned to bring a case before a national court.

Turning to the other questions presented, which assume that the SA concerned has competence to bring a case, the CJEU held as follows:

(2) An SA can bring a case before a court in an EU Member State, whether or not the controller has its main establishment (or indeed any establishment) in that Member State.

(3) The CJEU confirmed again that the concept of “processing in the context of the activities of an establishment” (Art. 3(1) GDPR), first articulated in the well-known Google Spain case, must be interpreted broadly.  Accordingly, an SA can bring a case against the main establishment of the controller or against any establishment of the controller if the processing of personal data concerned occurs in the context of that establishment’s activities.

(4) Cases initiated by an SA prior to the GDPR entering into force can proceed, regardless of the one-stop-shop principle now available under Article 56 GDPR.

(5) Article 58(5) GDPR, which allows SAs to bring alleged GDPR violations to court, has direct effect.  As such, EU Member States do not have to elaborate on this issue in their national laws for an SA to assert its competence in this manner.

Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Nicholas is a member of the Bar of Texas and Brussels Bar (Dutch Section, B-List). District of Columbia bar application pending; supervised by principals of the firm.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum, from advising clients on government affairs strategies concerning lawmaking, to compliance advice on the adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.