Until recently, if you were a non-EU company, you would delegate to a company in the EU control over EU data and establish it as their main establishment in the EU. That’s what Google did. So did Facebook. So did almost all the other companies and banks that had their HQs outside of Europe but still wanted to have GDPR compliance limited to Europe and access to the one-stop shop mechanism.
CNIL, however, put this all into question. For CNIL, it doesn’t matter if a non-EU company says that a company in the EU is their main establishment in the EU and the controller of EU data. What matters, to CNIL, is if that EU establishment has the capacity to determine the means and purposes of processing. This is what CNIL claimed against Google, as it applied the 50 million euro fine to Google. Not Google Ireland. Google US.
For CNIL, it didn’t matter if Google US had used the terms and conditions to determine that Google Ireland is their main establishment in the EU. Because Google Ireland didn’t determine the purposes and means of processing, Google Ireland was not a main establishment. And, as a corollary, Google Ireland was not a controller of EU data, under the GDPR.
What are the consequences of this? That meant that CNIL didn’t have to follow the one-stop shop mechanism. Which meant that, in practice, the 50 million euros fine set by CNIL against Google LLC, would not be acceptable, under the one-stop shop mechanism, because the lead authority would have to be the Irish Data Protection Commissioner.
With this unprecedented step, CNIL put into question what everyone took for granted: that a company has the “right” to determine who their controllers or main establishment in Europe are.
And that creates a very big problem for any EU main establishment of non-EU companies.
Because, until the ECJ decides this, any data protection authority can claim exactly what CNIL claimed and bypass the one-stop shop mechanism. And fines will go directly to the country where the main establishment (the place where the decision-making regarding processing activities happen, in regard to EU data).
This question is now looming over every single non-EU company working in the EU with a “main establishment”. Luxembourg should, particularly, take great attention on this matter. With companies like Amazon Europe, eBay Europe, Paypal Europe and any other company, bank or insurance company that has its EU HQ in Luxembourg could be affected by the decision.
And the consequences could be overwhelming. Without a main establishment in Europe, that means that non-EU companies do not have access to the one-stop shop mechanism. That also means that any complaint by a data subject in any country, will be addressed by that country’s data protection authority.
Which also means that any country in the EU can fine a non-EU company, without having to ask “permission” to a potential lead authority. Non-EU companies do not have access to the one-stop shop mechanism. They only have access to the representative, as established under art. 27 of the GDPR.
In terms of compliance, this is also a major issue. With compliance being done under the premise that the EU headquarters of a non-EU company was controller of EU data, if CNIL gets its way, that means that the EU headquarters, in data protection terms, are not recognised as controllers by the data protection authorities. So, all the compliance done with that in mind, has to be corrected. And main establishments in the EU are, in data protection terms, just an undertaking of a non-EU company, with all the corresponding articles and recitals in the GDPR applying to it.
The legal basis of processing and the principles tied to it, for instance, have to change. DPIAs have to be redone, taking this new reality into effect. Legitimate interest may not be as legitimate as once thought out to be. And consent was given to a controller that isn’t, actually, a controller, but just an undertaking of a controller. All that has to be taken into account, if Google v. CNIL goes for CNIL.
More recently, another case highlighted the same questions we are considering here: Belgium DPA v. Facebook. In its question 2, the ECJ is asked to determine, indirectly, what consists a main establishment under the GDPR. In essence, can a non-EU company have two main establishments?
However, the Article 29 Working Party’s guideline on determining the lead supervisory authority has already addressed this issue. Even if the definition places administrative functions as the pivotal requisite of what consists a main establishment, it also adds that “the central administration in the EU is the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented”.
The European Data Protection Board has accepted this guideline as its own. Thus, creating a very solid case for CNIL : not only are European HQs not controllers, they are also not main establishments. Both of them because of the same reason : European HQs are not the place where decisions about the purpose and means of processing of personal data take place. So, if you’re not a controller, you cannot be a main establishment.
So, if you’re an establishment in the EU of a non-EU company, with delegated controllership and defined as a main establishment by decree, these decisions really matter.
The ECJ faces one of the toughest decisions it has been asked to take regarding the GDPR. But, whatever the decision, dire straits are ahead for all companies in Europe that are considered main establishments and controllers of EU data that do not have the ability to determine the purposes and means of processing.
However, with the GDPR as is, it will be difficult for the ECJ not to follow what CNIL is claiming, especially with the EDPB and the GDPR behind CNIL’s legal arguments.
So, companies need to start preparing for both scenarios as soon as possible, so that the decision doesn’t take any of them by surprise. And that means subject-matter expert meetings, internal or with external input (the bug’s eye view vs the bird’s eye view paradigm at work), to find out possible solutions to the issue.
As Seneca said, “To bear trials with a calm mind robs misfortune of its strength and burden.” That calm before the storm is what is going to determine how companies deal with this in a desirable prudent way or in a non-optimal rush state. The dire straits do not need to be so dire, if you’re ready for the coming storm.