NOYB Appeal Keeps Spotlight on Extraterritorial GDPR Enforcement

January 26, 2021Alerts

Can we enforce the General Data Protection Regulation (GDPR) extraterritorially? Yes we can, says privacy organization NOYB in an appeal against decisions by the Luxembourg National Commission on Data Protection (CNPD) declining to enforce GDPR against two U.S.-based providers.

What CNPD Said: No Establishment, No Local Representative, No Enforcement

"The CNPD has no means of action against a data controller established on the territory of the United States of America which does not have an establishment on the territory of the European Union (EU) or which has not designated a representative in the EU under Article 27 of the GDPR. Indeed, in these cases, it is impossible for it to enforce the provisions of the GDPR on the territory of the United States of America".

NOYB Objects, Saying Yes, You Can

"Following the reasoning of the CNPD, it would be sufficient for any data controller to remain established outside the Union, especially not to appoint a representative in the EU, and not to respond to requests from a supervisory authority in order to never be worried and not be subject to any measure decided by an authority of the Union"

"The possibility for national authorities to take measures whose scope goes beyond the territory of the European Union is nothing exceptional, since this possibility exists not only in the field of data protection but also in competition law, tax law and ecommerce."

"Several procedural avenues exist to also enforce a decision against a foreign entity: from traditional tools, like freezing assets with third parties (like banks or customers), all the way to more modern approaches like the blocking of a website. The DPAs should use all the possibilities under their national law to enforce their decisions, instead of giving up on fundamental rights".

"If the CNPD pronounces a fine or penalty payment, it has at its disposal the significant means of the Luxembourg tax administration to enforce it. The Registration Administration can ensure the recovery of the sums due by resorting to a constraint procedure with regard to the company concerned or to a procedure of summons to a third party holder, not only on Luxembourg territory but also beyond by relying on the relevant instruments of Union law or even international law".

Another example is a cooperation protocol recently concluded between the Belgian Data Protection Authority and a nonprofit association specializing in the registration of domain names. Under this protocol, the nonprofit association undertakes to block websites with the ".be" extension in application of sanction decisions taken by the Authority.

Key Takeaways for Non-EU Companies

  • Mind your data subject rights. Respond to requests. This case started because the non-EU data controllers refused to reply to data subject requests for access and deletion.
  • Respond to requests from supervisory authorities (SA) in the EU. If you missed a data subject request and get a request from an SA to accommodate it, it's easier to cooperate and avoid — if not enforcement — the PR fallout that ensues.
  • About that local representative... This case may provide more clarity to the age-old Article 27 representative question of "Doomed if you do (easier enforcement) and doomed if you don't" (it's a GDPR violation but is it one that causes EU Supervisory Authorities to step back and not enforce?)
  • Be on your toes. Article 3(2) extraterritorial application of GDPR is heating up with a number of decisions and appeals in the past few weeks alone (SorianoSaxony Annual report). In addition, extraterritorial cooperation and enforcement was specifically mentioned by the European Data Protection Board as a priority for it's 2021-2023 plan. Keep watching the developments.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with GDPR compliance issues, contact Odia at [email protected] or 215.444.7313.