Competence in cross-border data protection matters

Wednesday, 1 July 2020

The Conseil d'Etat rejected Google's complaint against the administrative fine of EUR 50 million, which was imposed against the company by the French Data Protection Authority CNIL. In addition to confirming the factual argumentation as well as the amount of the fine, the French Supreme Administrative Court has also ruled on the issue of CNIL's competence for the specific case: Although Google has an European headquarter established in Ireland, the French Supervisory Authority is competent to judge on the company's data processings. DORDA's data protection experts have done a more detailed review of the decision and its consequences for the practice:


Immediately after the GDPR came into force, numerous complaints were submitted to the CNIL by NGOs, including the Austrian organization "None Of Your Business". These complaints mainly concerned the registration process for a Google account on a mobile phone with an Android operating system. The CNIL essentially established a violation of the information obligation pursuant to Art 13 and 14 GDPR. In particular, the information on personalised advertising was held incomplete and thus not transparent. In addition, the required information was difficult to locate because it was provided in different documents connected via several links, only. The CNIL therefore also draw the conclusion that the consent obtained by Google was inadmissible due to the lack of information. Finally, the CNIL hold that due to the number of different services and data involved the processing leads to invasive encroachment on personal rights. Accordingly, a high fine of EUR 50 million was imposed on Google.

The search engine operator has lodged a complaint against the fine imposed by arguing that the CNIL was not competent because (i) Google's European headquarter is established in Ireland and (ii) the "one-stop shop principle" according to Art 56 GDPR would apply. Consequently, the Irish Data Protection Authority shall be competent. The court has dismissed the appeal and confirmed both the penalty and the competence of the French Data Protection Authority:

Argumentation of the French Supreme Administrative Court

It is accurate that the data protection authority of the Member State, in which the responsible data controller has its main establishment, is competent. However, the one-stop-shop principle deliberately applies within the EU, only: If the main establishment is located in a third country, each European data protection authority can assess independently on the lawfulness of data processings conducted in its jurisdiction. The fact that Google Ireland Limited was formally established as headquarter within the EU has no impact: When deciding on the competence of the authority one has to assess which company actually takes the decision on the specific data processing concerned. In the particular case with regard to the privacy settings and declarations of consent for personalised advertising this had not been the Irish company, but the parent company Google LLC located in the USA. Accordingly, the one-stop-shop principle does not apply and Google is liable to prosecution in France.

Lessons learned

This decision pointed out, that as to GDPR competence the main establishment of a data controller remains relevant. However, in practice it is decisive which company actually takes the decisions regarding the data processings concerned. If an European company is actually responsible, the authority in its state of domicile has exclusive jurisdiction for any legal infringements. If this not the case and a parent company in a third country takes the decisive decisions, the one-stop shop principle does not apply. Instead, all EU data protection authorities can potentially assess on compliance with the GDPR independently and without the need of any coordination. This must be taken into account when developing group-wide data processing models. In this regard all main decisions have to be bundled with the established European headquarter in order to safeguard the one stop principle and avoid multiple proceedings.

Besides, the decision highlights the importance to design ones GDPR documentation in a clear and transparent way. It is well understood that this is a difficult task in n practice, in particular when numerous tools and processes or different services shall be covered. However, since documents are also frequently attacked from consumer protection and its transparency point of view this issue should be paid greatest attention.