Appeal First, Question Later: Addressing the Growing Number of Rapid GDPR Appeals and Its Effects on Adequate Enforcement

By: Sam Roth

Standing tall as a progressive beacon for data privacy rights, the EU’s General Data Protection Regulation (“GDPR”) now faces its latest obstacle. Because the GDPR poses high financial penalties and frequent enforcement actions, most companies have been wary of testing its limits, opting to abide by its rules in order to avoid paying fines as high as 20,000,000 EUR or 4% of their total annual turnover worldwide. However, in recent months, data collectors have noted a trend of a majority of EU courts overturning or partially striking down GDPR fines, causing more and more companies to expeditiously challenge fines before determining their validity. Although companies accused of improper data collection have a right to impulsively challenge GDPR fines, their documented success in doing so reveals a grave disparity between the efficiency of EU enforcement agencies and the willingness of EU courts to follow suit.

In brief, the GDPR provides a general set of regulatory principles that apply to both data collectors in the EU and collectors that gather data from EU citizens. To process such data, collectors must have a legal basis to do so, including but not limited to consent, legitimate interests, contract, and legal obligation. The GDPR also provides individual rights to EU citizens, including: (1) the right to be informed, (2) the right of access, (3) the right to rectification, (4) the right to erasure, (5) the right to restrict processing, (6) the right to data portability, (7) the right to object, and (8) rights in relation to automated decision making and profiling. In combination, the EU aims to modernize data privacy and protect its citizens from being taken advantage of by enforcing the GDPR through country-specific enforcement agencies, each known as a supervisory authority or data protection authority (“DPA”).

Each EU Member State designates a DPA as an independent, public authority that is responsible for monitoring the application of the GDPR, addressing non-compliance, and bringing forth enforcement actions when necessary. Jurisdictionally, the GDPR integrates a “one-stop-shop” mechanism, which allows GDPR authorities to channel their efforts through a central point of enforcement by recognizing a lead supervisory agent (“LSA”) and supporting that LSA by allowing all interested supervisory authorities to provide assistance. Once enforcement action is taken and a penalty is decided upon, the penalized entity has the opportunity to appeal the decision to the courts of whichever state authority brought the action. In turn, the courts may sustain, increase, or decrease the penalty, creating precedent for other courts to apply.

In late 2020, EU courts struck down or reduced several multi-million dollar fines, including fines issued by a variety of active enforcement authorities like those of Belgium, Germany, and France. Hielke Hijmans, president of the Belgian authority office that handles fines and other sanctions, noted that over the past 6 months, 15 appeals have been filed against the authority’s GDPR decisions and a court has overturned or partially struck down most of them. The Belgian court responsible for striking down the GDPR fines noted that the fines were overturned because the regulator didn’t follow the correct legal procedures and made mistakes. Such mistakes were likely a result of the office being short-staffed and paying an external law firm to represent it in each court appeal.

Similarly, the Berlin Commissioner for Data Protection and Freedom of Information, Maja Smoltczyk, levied a $17.3 million fine against the German property company Deutsche Wohnen SE, which was overturned by a Berlin court soon after. In that case, the fine was overturned because the regulator didn’t identify an individual employee who was responsible for the violation in its decision, setting a precedent that could restrict the German agency’s enforcement powers if it stands.

However, the largest GDPR fine imposed was against Google for $57 million, issued by the French Commission nationale de l’informatique et des libertés (“CNIL”) for Google’s alleged failure to explain its data processing practices clearly for Android users. Fortunately, France’s top court for administrative law dismissed Google’s appeal, agreeing that Google had not provided clear enough information for consent to be lawfully obtained, corroborating the CNIL’s decision. Yet, the French court’s decision to sustain the fine is a rarity in recent enforcement actions, with data privacy experts noting that actions against big tech companies have mostly stalled or been overturned throughout the EU. In part, this is due to the massive number of complaints that are being funneled through Ireland’s Data Protection Commission, a byproduct of big tech attempting to abuse the GDPR’s “one-stop-shop” mechanism.

Principally, both Google and Amazon have challenged the jurisdiction of the French CNIL, claiming to only deserve scrutiny from Ireland and Luxembourg, the respective jurisdictions they reside in. Yet, EU DPAs and investigators are wary of companies’ forum shopping, a practice that could lead to a copious number of complaints for a single enforcement agency to manage. On the GDPR “one-stop-shop” mechanism, and the wider problematic issue of forum shopping, the French State Council announced: “Google believed that the Irish data protection authority was solely competent to control its activities in the European Union, the control of data processing being the responsibility of the authority of the country where the main establishment of the data controller is located . . . The Council of State notes however that at the date of the sanction, the Irish subsidiary of Google had no power of control over the other European subsidiaries nor any decision-making power over the data processing, [or] the company Google LLC located in the United States with this power alone.”

Forum shopping and abuse of the “one-stop-shop” mechanism are among the many tools big tech companies are using to dilute the enforcement power of the GDPR. By channeling a majority of complaints through considerably active data protection agencies such as those of Ireland and Belgium, companies spread the understaffed and underfunded DPAs thin, resulting in reliance on external help from law firms, which not only aggravates pre-existing budget concerns but can also produce procedural mistakes. The immediate appeal of GDPR fines is concerning because it signals a weak point in EU enforcement actions, reflecting the confidence companies have in challenging what should ideally operate as a financially imposing system. Yet, on the other hand, the GDPR is relatively new, and more court interpretation on its application is important for its longevity. Although the unfavorable decisions of EU courts could spell trouble for GDPR effectiveness, the trouble of enforcement still lies with each country’s DPA.

Overall, the GDPR faces three considerable obstacles: budget and staff constraints on enforcement agencies, increasingly restrictive court interpretation, and forum shopping. Each of these obstacles contributes to the success of the recent trend of hasty and unsubstantiated appeals in the EU, impeding the GDPR’s progress and leaving EU citizens more vulnerable to lessened privacy rights. The coming months will likely decide whether this trend will further corrode the GDPR’s effectiveness, as more courts determine the validity of pending fines and decide the limitations of each country’s data protection capabilities. Until then, the EU must find a way to manage the rise of rapid appeals or else risk stunting the GDPR’s efficacy in its budding years.

Student Bio: Samuel Roth is a second-year law student at Suffolk University Law School. He is a staffer on the Journal of High Technology Law and member of the Business Law Association. Samuel received a Bachelor of Arts Degree in History from the University of Rochester.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.

 

 
