The data protection authorities of the EU Member States (DPAs) are imposing ever high fines for violations of the GDPR. In June and July 2019, the UK DPA imposed large fines on Marriott (€111 million) and British Airways (€204 million) for data breaches that breached the GDPR. But it is clear that increasingly larger fines are not the only problem facing companies worried about their exposure to the GDPR. Non-EU companies in particular face a risk of parallel GDPR investigations for the same conduct, and in each such case, the investigating DPR is authorized by GDPR to impose fines up to the maximums provided for the GDPR, which can be 2% or 4% of the company's global group turnover, depending on the nature of the infringement. How can this be possible?
One-stop shop mechanism
One of the primary selling points of the GDPR when it was proposed legislation was its provision of a "one-stop shop mechanism." This mechanism, which is discussed in Recitals 127-28 of the GDPR, is intended to streamline investigations which may, in theory, be pursued in more than Member State, by providing that the "lead supervisory authority" of the company in question would receive input from all other affected DPAs, and would issue one consolidated decision.
Importance of a "lead supervisory authority"
But the consolidation of multiple investigations presupposes that a company has a lead supervisory authority. Pursuant to Article 56(1) of the GDPR, it is the DPA of the company's main EU establishment or of its single EU establishment which is competent to act as the lead supervisory authority. Moreover, as the French DPA made clear in its GDPR decision against Google in February 2019, the fact that Google had its EU headquarters in Ireland was not dispositive. The French DPA considered that Google could only have a main EU establishment if the essential decisions relating to its EU data processing were taken in that Member State. In Google's case, those data processing decisions were taken in the US. Therefore, the French DPA concluded that Google had no "main" EU establishment despite having its EU corporate headquarters in Ireland. This conclusion enabled not only the French DPA to investigate Google, but also, in theory, DPAs from around the EU.
Companies with multiple EU establishments do not, therefore, have a "main" EU establishment unless they are able to relocate their important data processing decisions to one of those EU establishments. This is what Google did the day after the French DPA reached its decision, i.e. it moved those decisions from the US to Ireland. In doing so, Google seems to have succeeded in cutting off any investigations that may been pending in other Member States (apart from France). As Google's case suggests, this manoeuver does not appear to be unduly burdensome.
As noted above, the alternative means of obtaining access to the one-stop-shop mechanism lies with having a single EU establishment. This implies that the company concerned is subject to jurisdiction in multiple Member States, therefore permitting investigations by DPAs where the company has no EU establishment whatsoever. This would be the case, most obviously, when the company is targeting (and obtaining personal data from) consumers in multiple Member States. In these instances, the DPA in which the company has its only EU establishment would constitute the lead supervisory authority.
Companies without an EU establishment at risk of parallel investigations and fines
The companies most at risk of parallel investigations and multiple fines are those without any EU establishment. They are not legally entitled to a lead supervisory authority. This is clear from Para. 3.3 of the relevant GDPR guidelines, which states that companies "without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in..."
Companies without an EU establishment may not be able to move expeditiously to create one. For larger companies, there are likely to be various administrative and strategic hurdles involved in deciding whether an EU establishment should be created at all and, if so, in which Member State, with which personnel, and to carry out what activities? If these burdens were not enough, the European Data Protection Board warned in Opinion 9/2019 that such decisions must not be taken "artificially," that is, simply to avoid multiple investigations or to forum-shop.
Until now, there are no known instances of parallel investigations entailing multiple fines. But the prospect is very real and the GDPR legal apparatus appears to compel this outcome when a company without an EU establishment is engaged in cross-border data processing in the EU.
Enforcement of fines when the company has no EU assets
DPAs throughout the EU are able to enforce their decisions in the local courts. Jurisdiction would against companies without an EU presence would be based on the "effects" doctrine, by which extraterritorial jurisdiction is permitted under international law by virtue of the acts of a company having effects within the jurisdiction concerned.
Whether the company defended the enforcement action or not, the problem would arise that there are no EU assets to seize. In this event, particularly when a Chinese company is involved, there would seem to be no mechanism for the enforcement of an EU judgment in China.
Therefore the main fallout for the Chinese company would be:
Loss of reputation and embarrassment for having failed to complied with GDPR
If the Chinese company is an SOE, it would be running against the December 2018 directive of SASAC to comply with foreign regulatory requirements
The Chinese company may find it very difficult to invest in the EU in the future because of its poor track record of non-compliance and failure to pay DPA fines; and even if the investment were permitted, the past GDPR fines would have to be paid with interest.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.