EU Court Backs Data Protection Enforcement Consistency

BY Heather Greenfield
June 15, 2021

Brussels, BELGIUM — The EU Court of Justice has ruled that data protection authorities, under limited circumstances, can go after companies that do not have the main establishment in their EU Member State.

Consistent interpretation and enforcement of data protection rules ensure that organisations operating in several Member States cannot be judged twice for the same practice and that individuals have their rights protected uniformly across the EU. Unlike its predecessor, the General Data Protection Regulation includes substantive and procedural rules to ensure consistent interpretation and enforcement of data protection rules in cases involving organisations operating in multiple EU jurisdictions. 

Under the so-called One-Stop-Shop mechanism, organisations should be accountable to a single, lead data protection authority. It is then for this authority to work with any other “concerned” authorities in order to reach a common decision. Lawmakers also agreed on suspensive measures for judicial proceedings to avoid “irreconcilable judgments resulting from separate proceedings”. 

In today’s decision, the EU Court ruled that a data protection authority has a general competence over cross-border processing if a company has its main establishment in its jurisdiction. Other authorities in the EU may only commence legal proceedings against companies under certain conditions, providing that they work jointly with their peers to ensure consistent enforcement at European level.  

Any enforcement inconsistencies could bring long-term uncertainty for organisations seeking to comply with the GDPR, and it could increase liability exposure and compliance costs. It would also conflict with EU lawmakers’ original promise that the GDPR would reduce “costly administrative burdens, leading to savings for businesses of around €2.3 billion a year.” 

The following can be attributed to CCIA Europe Senior Policy Manager Alex Roure:

“While the Court allows European data protection enforcers to launch multiple proceedings against companies, they may only do so after observing due process and dialogue with other agencies. This is the right approach to ensure the consistent application of data protection rules in Europe. 

“Enforcement consistency and clarity should always prevail, especially when authorities choose to deviate from the One-Stop-Shop mechanism. We urge national authorities to be cautious about launching multiple proceedings that would weaken legal certainty and further complicate data protection compliance in the EU.”

Related Articles

CCIA Joins Associations In Letter To Congress On Privacy Bill

Jun 14, 2022

Washington – The Computer & Communications Industry Association joined the Software & Information Industry Association, and TechNet in a letter supporting the effort toward creating a baseline federal privacy standard, but expressing concerns about the private right of action in the American Data Protection and Privacy Act. The letter  to Senate Commerce and House Energy…

CCIA Statement on the Enactment of the Utah Consumer Privacy Act

Mar 24, 2022

Washington –  Governor Spencer Cox has signed the Utah Consumer Privacy Act into law, making Utah the fourth U.S. state to enact comprehensive consumer data privacy legislation. The law will take effect December 31, 2023.  While the Computer & Communications Industry Association supports the enactment of comprehensive privacy legislation at the federal level, in its…

CCIA, 10 Associations, Groups Warn Senate Judiciary Leaders EARN IT Bill Would Make Internet Less Safe, Weaken Ability To Remove Illegal Content

Feb 9, 2022

Washington – The Senate Judiciary Committee is scheduled to mark up the “Eliminating Abusive and Rampant Neglect of Interactive Technologies” (EARN IT) Act on Thursday, which would weaken the law companies rely upon to address objectionable activity online, commonly referred to as Section 230, in a misdirected effort to combat child sexual abuse material (CSAM)…