EU Court Backs Data Protection Enforcement Consistency

BY Heather Greenfield
June 15, 2021

Brussels, BELGIUM — The EU Court of Justice has ruled that data protection authorities, under limited circumstances, can go after companies that do not have the main establishment in their EU Member State.

Consistent interpretation and enforcement of data protection rules ensure that organisations operating in several Member States cannot be judged twice for the same practice and that individuals have their rights protected uniformly across the EU. Unlike its predecessor, the General Data Protection Regulation includes substantive and procedural rules to ensure consistent interpretation and enforcement of data protection rules in cases involving organisations operating in multiple EU jurisdictions. 

Under the so-called One-Stop-Shop mechanism, organisations should be accountable to a single, lead data protection authority. It is then for this authority to work with any other “concerned” authorities in order to reach a common decision. Lawmakers also agreed on suspensive measures for judicial proceedings to avoid “irreconcilable judgments resulting from separate proceedings”. 

In today’s decision, the EU Court ruled that a data protection authority has a general competence over cross-border processing if a company has its main establishment in its jurisdiction. Other authorities in the EU may only commence legal proceedings against companies under certain conditions, providing that they work jointly with their peers to ensure consistent enforcement at European level.  

Any enforcement inconsistencies could bring long-term uncertainty for organisations seeking to comply with the GDPR, and it could increase liability exposure and compliance costs. It would also conflict with EU lawmakers’ original promise that the GDPR would reduce “costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.” 

The following can be attributed to CCIA Europe Senior Policy Manager Alex Roure:

“While the Court allows European data protection enforcers to launch multiple proceedings against companies, they may only do so after observing due process and dialogue with other agencies. This is the right approach to ensure the consistent application of data protection rules in Europe. 

“Enforcement consistency and clarity should always prevail, especially when authorities choose to deviate from the One-Stop-Shop mechanism. We urge national authorities to be cautious about launching multiple proceedings that would weaken legal certainty and further complicate data protection compliance in the EU.”

Related Articles

EU Court Opinion Sets Limits to Use of Upload Filters in New EU Copyright Rules

Jul 15, 2021

Brussels, BELGIUM  — The EU top court’s Advocate General, Henrik Saugmandsgaard Øe, today provided his opinion on the Polish government’s request to annul the controversial Article 17 in the new EU Copyright rules. Poland requested that the Court of Justice of the EU (CJEU) annul Article 17 due to infringement of the right to freedom…

Industry Groups Urge Protection of Fundamental Principles and Rights in the Digital Services Act

Jul 9, 2021

Brussels, BELGIUM — The Computer & Communications Industry Association (CCIA) today joined other industry organizations in a joint statement asking EU Member States to respect the fundamental principles of the e-Commerce Directive during the negotiations of the Digital Services Act (DSA)  The signatories support an ambitious DSA and its objectives to protect consumers and their…

CCIA Statement on the Enactment of the Colorado Privacy Act

Jul 8, 2021

Washington – Governor Jared Polis has signed the Colorado Privacy Act into law, making Colorado the third U.S. state to enact comprehensive consumer privacy legislation. New rules are set to take effect July 1, 2023. The Computer & Communications Industry Association welcomes Colorado lawmakers’ successful efforts to enact new rights and protections for consumer privacy.…