Brussels, BELGIUM — The EU Court of Justice has ruled that data protection authorities, under limited circumstances, can go after companies that do not have the main establishment in their EU Member State.
Consistent interpretation and enforcement of data protection rules ensure that organisations operating in several Member States cannot be judged twice for the same practice and that individuals have their rights protected uniformly across the EU. Unlike its predecessor, the General Data Protection Regulation includes substantive and procedural rules to ensure consistent interpretation and enforcement of data protection rules in cases involving organisations operating in multiple EU jurisdictions.
Under the so-called One-Stop-Shop mechanism, organisations should be accountable to a single, lead data protection authority. It is then for this authority to work with any other “concerned” authorities in order to reach a common decision. Lawmakers also agreed on suspensive measures for judicial proceedings to avoid “irreconcilable judgments resulting from separate proceedings”.
In today’s decision, the EU Court ruled that a data protection authority has a general competence over cross-border processing if a company has its main establishment in its jurisdiction. Other authorities in the EU may only commence legal proceedings against companies under certain conditions, providing that they work jointly with their peers to ensure consistent enforcement at European level.
Any enforcement inconsistencies could bring long-term uncertainty for organisations seeking to comply with the GDPR, and it could increase liability exposure and compliance costs. It would also conflict with EU lawmakers’ original promise that the GDPR would reduce “costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.”
The following can be attributed to CCIA Europe Senior Policy Manager Alex Roure:
“While the Court allows European data protection enforcers to launch multiple proceedings against companies, they may only do so after observing due process and dialogue with other agencies. This is the right approach to ensure the consistent application of data protection rules in Europe.
“Enforcement consistency and clarity should always prevail, especially when authorities choose to deviate from the One-Stop-Shop mechanism. We urge national authorities to be cautious about launching multiple proceedings that would weaken legal certainty and further complicate data protection compliance in the EU.”