GDPR Extraterritoriality and Cross-Border Litigation
New rules, broader reach: mitigating top GDPR litigation risks for non-E.U. market players
By Catalina-Luisa Resmerita and Noriswadi Ismail
July 3, 2019
Following four years of intensive negotiations and a two-year post-adoption grace period, the European General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, became applicable on May 25, 2018, replacing the previous European Data Protection Directive (DPD), Directive 95/46/EC. Compared with the DPD, the GDPR extends the territorial reach of European data protection law. See Bird & Bird LLP, Guide to the General Data Protection Regulation 1–3 (2017).
In addition to organizations “established” in the European Union (E.U.) within the meaning of GDPR Article 3(1), the GDPR also applies to non-E.U. organizations that offer goods or services to individuals located in the E.U. or that monitor the behavior of such individuals within the E.U. See GDPR art. 3(2) (setting out these targeting criteria). The concept of GDPR “extraterritoriality” refers to the applicability of the GDPR to organizations outside E.U. borders.
In this article, we examine the extent to which the extraterritoriality of the GDPR can lead to cross-border litigation by reference to a hypothetical case study, while identifying strategic mitigative steps that non-E.U. organizations can take to limit their risk exposure to the GDPR.
Guiding Hypothetical Scenario
We will consider this scenario: Corporate Group X has its global headquarters in California and its Europe, Middle East, and Africa (EMEA) headquarters in the United Kingdom. The group has an additional 20-plus subsidiaries located across different U.S. states. The group processes “personal data” as defined in GDPR Article 4(1), including special categories of personal data (often called sensitive personal data), such as data revealing racial or ethnic origin, political opinions, and the like, as defined in GDPR Article 9(1). The data relate to the group’s U.S. and E.U. customers, vendors, and business partners, and are accessible to its entities across the corporate group worldwide. All processing operations are outsourced to Company Y in India, which serves as the group’s Global Shared Services hub.
A personal data breach at Company Y affecting Corporate Group X’s E.U. data may lead affected individuals to initiate complaints with regulators, legal proceedings in E.U. courts, or both, against X’s data processor in India, X’s global headquarters in the U.S., or both. Such claims are authorized not only by the GDPR (Article 77 for complaints to a supervisory authority and Article 79 for judicial proceedings against a controller or processor) but also by European conflict-of-laws regulations (e.g., Council Regulation (EC) 44/2001 of 22 Dec. 2000 on Jurisdiction and the Recognition and Enforcement of Judgments in Civil and Commercial Matters (Brussels I)), which allow E.U. individuals to bring privacy-related claims against non-E.U. organizations caught by the European privacy regime in the member state of their habitual residence.
Top Risks
In such a scenario, there are three primary risks that non-E.U. organizations such as Group X’s Asian processor and its U.S. global headquarters can potentially face: (1) diversified regulatory and judicial interpretations, (2) European privacy overregulation, and (3) the lack of one-stop-shop access. These are described in greater detail below.
- Diversified regulatory and judicial interpretations. In addition to the explicit extraterritorial scope provisions in the GDPR, E.U. and national regulators and courts have the authority to expand this mandate further by ascribing (potentially widely) divergent interpretations to the official text of the regulation, undermining its goal of harmonizing personal data protection across the E.U. member states.
Although admittedly unprecedented, the issue of the extraterritorial applicability of the GDPR has been brought before the Court of Justice of the European Union in the recent, seminal case of Google Inc. v. CNIL, No. C‑507/17, which, at the time of writing, is still pending a preliminary ruling. The technology giant’s chief argument in challenging the order of the French regulator (the Commission nationale de l’informatique et des libertés, or CNIL) that de-referencing requests be honored on all of its domain name extensions worldwide, rather than only on its E.U. versions, proves instructive for present purposes because it highlights the risk that extending the scope of E.U. data protection law beyond European territory compels non-E.U. organizations to breach local laws elsewhere.
- European privacy overregulation. The European Data Protection Board (EDPB) indicates that non-E.U. organizations caught by the GDPR also must comply with other applicable E.U. and national laws at a sectoral level. EDPB, Guidelines 3/2018 on the Territorial Scope of the GDPR 12 (Nov. 16, 2018). Linking this to the scenario above, if the Asian data processor were to carry out an email marketing campaign on behalf of the U.S. global headquarters targeting the German market, the non-E.U. entities involved would have to comply not only with the GDPR but also with the ePrivacy Directive, Directive 2002/58/EC, and specific German marketing rules, such as the double opt-in procedure, under which individuals whose personal data are processed reconfirm their consent to receive email marketing.
- Lack of one-stop-shop access. As the EDPB’s Guidelines 3/2018 on the Territorial Scope of the GDPR explicitly confirm, in the absence of an establishment in the E.U., foreign organizations are unable to benefit from the one-stop-shop mechanism provided for in the GDPR. See GDPR art. 56. That mechanism essentially allows an organization with establishments in several E.U. member states to deal with a single lead supervisory authority, namely the authority of the member state in which the organization has its main establishment, for its cross-border processing. Exclusion from the mechanism deprives non-E.U. organizations of a single supervisory decision that would offer consistent application of the regulatory framework, legal certainty, and a reduced administrative burden. Moreover, it leaves the organization exposed to parallel enforcement, and potentially to accumulating high fines, across the E.U. member states.
Risk Mitigation: Next Steps to Consider
Non-E.U. international organizations should consider strategies aimed at minimizing the risks identified above.
Harmonization issues. In the absence of harmonized interpretations of the GDPR across the E.U. Data Protection Authorities, which is outside the private sector’s control, and given that individuals may choose where to sue under European conflict-of-laws regulations (e.g., Brussels I, above), data subjects may feel encouraged to engage in forum shopping, litigating against non-E.U. organizations in the jurisdiction with the most favorable privacy rules so as to increase their chances of succeeding in court. To counter forum shopping by claimants in the E.U., non-E.U. organizations have a range of strategic options available to them, including the following:
- Becoming acquainted with European laws. Become familiar with substantive and procedural laws across the E.U. to be in a better position to foresee and defend claims, while recognizing claimants’ forum-shopping tactics.
- Jurisdictional objection or anti-suit injunction. Object to the claimant’s chosen forum on the basis that another jurisdiction has a closer connection to the facts of the case, or seek an anti-suit injunction (to prevent the claimant from commencing or continuing a proceeding in another forum), exposing the claimant’s forum-shopping efforts and pointing to the practical obstacles the organization would face in defending the claim in that particular jurisdiction.
- Avoiding inadvertent behavior in court proceedings. Care should be taken to not exhibit conduct that may be interpreted as the non-E.U. organization submitting to the jurisdiction of the forum or waiving its rights to object to that court’s jurisdiction.
One-stop-shop access. Non-E.U. organizations’ inability to access the GDPR’s one-stop-shop mechanism follows from the entity not having an “establishment” in the E.U. For present purposes, “establishment” implies the effective and real exercise of activity through stable arrangements; the legal form of those arrangements is not the determining factor. See GDPR recital 22. The breadth of the concept may be leveraged by non-E.U. organizations as a way of gaining access to the mechanism on the basis of a modest establishment in the E.U. Alternatively, non-E.U. organizations may, where commercially feasible, adopt the strictest of the E.U. Data Protection Authorities’ approaches uniformly across the organization.
Overregulation concerns. While private organizations established in one jurisdiction may have little control over regulatory activity by foreign legislators, there are strategic investments that can help non-E.U. organizations, such as the following:
- Develop consultative relationships with governments. Governments’ regulatory activities across the E.U. member states have a direct financial impact on non-E.U. companies targeting an E.U. market. While investing in a strong compliance program reflects a durable commitment to achieving compliance, it may also be prudent to develop strategic and consultative relationships with the foreign governments whose activities have such a significant impact on private non-E.U. organizations.
- Stay current with regulatory developments. Staying current with regulatory developments that are under way in the sector in which your core business operates may pave the way for developing tactical relationships with E.U. governments. Consult an experienced local professional for help in identifying relevant local laws and overcoming language barriers.
- Adopt internal organizational measures. Accommodate E.U. regulatory changes through internal organizational measures such as securing leadership support for enterprise global compliance programs. Plan and deliver operational privacy and cybersecurity solutions and be able to demonstrate accountability and assurance.
Conclusion
Following an intense six-year period of negotiations, drafting efforts, and grace period, the GDPR became applicable, with an impact on non-E.U. organizations targeting an E.U. market or monitoring behavior in the E.U. (extraterritorial application). In this context, the GDPR may receive divergent interpretations among E.U. Data Protection Authorities, and the non-E.U. companies caught by it face the costs of overregulation without being able to access the one-stop-shop mechanism. Tactical responses to such exposures include developing strategic relationships with foreign regulatory authorities, staying current with regulatory developments, and challenging the court’s jurisdiction as a means of combating forum shopping.
Catalina-Luisa Resmerita, LLM, CIPP/E, CIPM, CIPT, is a data privacy senior associate, and Noriswadi Ismail is managing director, data privacy (U.K., EMEA, and Asia), in the London office of Ankura Consulting Group, LLC.
Ankura is the Litigation Advisory Services Sponsor of the ABA Section of Litigation. This article should not be construed as an endorsement by the ABA or ABA Entities.
Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).