EU Court Backs Data Protection Enforcement Consistency

June 15, 2021

Brussels, BELGIUM — The EU Court of Justice has ruled that data protection authorities, under limited circumstances, can go after companies that do not have the main establishment in their EU Member State.

Consistent interpretation and enforcement of data protection rules ensure that organisations operating in several Member States cannot be judged twice for the same practice and that individuals have their rights protected uniformly across the EU. Unlike its predecessor, the General Data Protection Regulation includes substantive and procedural rules to ensure consistent interpretation and enforcement of data protection rules in cases involving organisations operating in multiple EU jurisdictions. 

Under the so-called One-Stop-Shop mechanism, organisations should be accountable to a single, lead data protection authority. It is then for this authority to work with any other “concerned” authorities in order to reach a common decision. Lawmakers also agreed on suspensive measures for judicial proceedings to avoid “irreconcilable judgments resulting from separate proceedings”. 

In today’s decision, the EU Court ruled that a data protection authority has a general competence over cross-border processing if a company has its main establishment in its jurisdiction. Other authorities in the EU may only commence legal proceedings against companies under certain conditions, providing that they work jointly with their peers to ensure consistent enforcement at European level.  

Any enforcement inconsistencies could bring long-term uncertainty for organisations seeking to comply with the GDPR, and it could increase liability exposure and compliance costs. It would also conflict with EU lawmakers’ original promise that the GDPR would reduce “costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.” 

The following can be attributed to CCIA Europe Senior Policy Manager Alex Roure:

“While the Court allows European data protection enforcers to launch multiple proceedings against companies, they may only do so after observing due process and dialogue with other agencies. This is the right approach to ensure the consistent application of data protection rules in Europe. 

“Enforcement consistency and clarity should always prevail, especially when authorities choose to deviate from the One-Stop-Shop mechanism. We urge national authorities to be cautious about launching multiple proceedings that would weaken legal certainty and further complicate data protection compliance in the EU.”

Related Articles

CCIA Files Comments On FTC Proposal To Expand Jurisdiction On Privacy Rules

Washington –  The Computer & Communications Industry Association submitted comments to the Federal Trade Commission (FTC) Monday in response to the agency’s Advanced Notice of Proposed Rulemaking on whether it should consider new trade rules on the collection, use and transfer of consumer data. CCIA noted that the FTC’s rulemaking and enforcement authority is limited…

CCIA Offers Comments On Implementing California Privacy Protections

Washington – As the California Privacy Protection Agency closed its 15-day public comment period regarding suggested modifications to privacy regulations under the California Privacy Rights Act on November 7,  the Computer & Communications Industry Association offered suggestions today on how to implement the rules in ways that protect consumers, improve clarity and protect innovation.  CCIA…

CCIA Files Comments On Colorado Privacy Act

Washington – The Computer & Communications Industry Association has filed comments in response to the Colorado Department of Law request for input on implementing the Colorado Privacy Act.  CCIA noted several instances where definitions were vague and asked for more legal clarity on that as well as universal opt out mechanisms. The filing also noted…