EU Court Backs Data Protection Enforcement Consistency

BY Heather Greenfield
June 15, 2021

Brussels, BELGIUM — The EU Court of Justice has ruled that data protection authorities, under limited circumstances, can go after companies that do not have the main establishment in their EU Member State.

Consistent interpretation and enforcement of data protection rules ensure that organisations operating in several Member States cannot be judged twice for the same practice and that individuals have their rights protected uniformly across the EU. Unlike its predecessor, the General Data Protection Regulation includes substantive and procedural rules to ensure consistent interpretation and enforcement of data protection rules in cases involving organisations operating in multiple EU jurisdictions. 

Under the so-called One-Stop-Shop mechanism, organisations should be accountable to a single, lead data protection authority. It is then for this authority to work with any other “concerned” authorities in order to reach a common decision. Lawmakers also agreed on suspensive measures for judicial proceedings to avoid “irreconcilable judgments resulting from separate proceedings”. 

In today’s decision, the EU Court ruled that a data protection authority has a general competence over cross-border processing if a company has its main establishment in its jurisdiction. Other authorities in the EU may only commence legal proceedings against companies under certain conditions, providing that they work jointly with their peers to ensure consistent enforcement at European level.  

Any enforcement inconsistencies could bring long-term uncertainty for organisations seeking to comply with the GDPR, and it could increase liability exposure and compliance costs. It would also conflict with EU lawmakers’ original promise that the GDPR would reduce “costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.” 

The following can be attributed to CCIA Europe Senior Policy Manager Alex Roure:

“While the Court allows European data protection enforcers to launch multiple proceedings against companies, they may only do so after observing due process and dialogue with other agencies. This is the right approach to ensure the consistent application of data protection rules in Europe. 

“Enforcement consistency and clarity should always prevail, especially when authorities choose to deviate from the One-Stop-Shop mechanism. We urge national authorities to be cautious about launching multiple proceedings that would weaken legal certainty and further complicate data protection compliance in the EU.”

Related Articles

Study Offers Reasons Why Government Technology and Procurement Practices Needs to Change

Nov 15, 2021

Washington — A study by market research firm Omdia released Monday explores reasons why most government departments rely on just one vendor for productivity software and why IT departments are choosing to select ease of management and end user familiarity with the tools at the expense of developing a best of breed approach that would…

Senate Commerce Hearing On Privacy; CCIA Welcomes Push To Fund FTC, Pass Privacy Legislation

Sep 29, 2021

Washington — The Senate Commerce Committee held a hearing today on consumer privacy with Chairwoman Maria Cantwell focusing on the need to pass baseline federal privacy and to ensure the FTC has adequate resources to address privacy. Ahead of the hearing, the Computer & Communications Industry Association sent a letter to committee leaders expressing appreciation…

EU Court Opinion Sets Limits to Use of Upload Filters in New EU Copyright Rules

Jul 15, 2021

Brussels, BELGIUM  — The EU top court’s Advocate General, Henrik Saugmandsgaard Øe, today provided his opinion on the Polish government’s request to annul the controversial Article 17 in the new EU Copyright rules. Poland requested that the Court of Justice of the EU (CJEU) annul Article 17 due to infringement of the right to freedom…