GDPR并行调查的风险——对于没有在欧盟设立分支机构的公司而言
2019-10-12
2019年1月,谷歌因未履行GDPR规定义务,被法国监管机构国家信息与自由委员会(CNIL)处以5000万欧元罚款。7月8日,英国信息专员办公室ICO因数据泄露事件,对英国航空公司处以2.04亿欧元的罚款处罚。7月9日,国际知名酒店万豪集团因泄露客户信息,将面临ICO1.11欧元罚款……数据合规进程任重而道远。
THE RISK OF PARALLEL GDPR INVESTIGATIONS…
TO COMPANIES WITHOUT AN EU PRESENCE
Introduction
The data protection authorities of the EU Member States (DPAs) are imposing ever high fines for violations of the GDPR. In June and July 2019, the UK DPA imposed large fines on Marriott (€111 million) and British Airways (€204 million) for data breaches that breached the GDPR. But it is clear that increasingly larger fines are not the only problem facing companies worried about their exposure to the GDPR. Non-EU companies in particular face a risk of parallel GDPR investigations for the same conduct, and in each such case, the investigating DPR is authorized by GDPR to impose fines up to the maximums provided for the GDPR, which can be 2% or 4% of the company’s global group turnover, depending on the nature of the infringement. How can this be possible?
One-stop shop mechanism
One of the primary selling points of the GDPR when it was proposed legislation was its provision of a “one-stop shop mechanism.” This mechanism, which is discussed in Recitals 127-28 of the GDPR, is intended to streamline investigations which may, in theory, be pursued in more than Member State, by providing that the “lead supervisory authority” of the company in question would receive input from all other affected DPAs, and would issue one consolidated decision.
Importance of a “lead supervisory authority”
But the consolidation of multiple investigations presupposes that a company has a lead supervisory authority. Pursuant to Article 56(1) of the GDPR, it is the DPA of the company’s main EU establishment or of its single EU establishment which is competent to act as the lead supervisory authority. Moreover, as the French DPA made clear in its GDPR decision against Google in February 2019, the fact that Google had its EU headquarters in Ireland was not dispositive. The French DPA considered that Google could only have a main EU establishment if the essential decisions relating to its EU data processing were taken in that Member State. In Google’s case, those data processing decisions were taken in the US. Therefore, the French DPA concluded that Google had no “main” EU establishment despite having its EU corporate headquarters in Ireland. This conclusion enabled not only the French DPA to investigate Google, but also, in theory, DPAs from around the EU.
Companies with multiple EU establishments do not, therefore, have a “main” EU establishment unless they are able to relocate their important data processing decisions to one of those EU establishments. This is what Google did the day after the French DPA reached its decision, i.e. it moved those decisions from the US to Ireland. In doing so, Google seems to have succeeded in cutting off any investigations that may been pending in other Member States (apart from France). As Google’s case suggests, this manoeuver does not appear to be unduly burdensome.
As noted above, the alternative means of obtaining access to the one-stop-shop mechanism lies with having a single EU establishment. This implies that the company concerned is subject to jurisdiction in multiple Member States, therefore permitting investigations by DPAs where the company has no EU establishment whatsoever. This would be the case, most obviously, when the company is targeting (and obtaining personal data from) consumers in multiple Member States. In these instances, the DPA in which the company has its only EU establishment would constitute the lead supervisory authority.
Companies without an EU establishment at risk of parallel investigations and fines
The companies most at risk of parallel investigations and multiple fines are those without any EU establishment. They are not legally entitled to a lead supervisory authority. This is clear from Para. 3.3 of the relevant GDPR guidelines, which states that companies “without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in…”
Companies without an EU establishment may not be able to move expeditiously to create one. For larger companies, there are likely to be various administrative and strategic hurdles involved in deciding whether an EU establishment should be created at all and, if so, in which Member State, with which personnel, and to carry out what activities? If these burdens were not enough, the European Data Protection Board warned in Opinion 9/2019 that such decisions must not be taken “artificially,” that is, simply to avoid multiple investigations or to forum-shop.
Until now, there are no known instances of parallel investigations entailing multiple fines. But the prospect is very real and the GDPR legal apparatus appears to compel this outcome when a company without an EU establishment is engaged in cross-border data processing in the EU.
Enforcement of fines when the company has no EU assets
DPAs throughout the EU are able to enforce their decisions in the local courts. Jurisdiction would against companies without an EU presence would be based on the “effects” doctrine, by which extraterritorial jurisdiction is permitted under international law by virtue of the acts of a company having effects within the jurisdiction concerned.
Whether the company defended the enforcement action or not, the problem would arise that there are no EU assets to seize. In this event, particularly when a Chinese company is involved, there would seem to be no mechanism for the enforcement of an EU judgment in China.
Therefore the main fallout for the Chinese company would be:
Loss of reputation and embarrassment for having failed to complied with GDPR
If the Chinese company is an SOE, it would be running against the December 2018 directive of SASAC to comply with foreign regulatory requirements
The Chinese company may find it very difficult to invest in the EU in the future because of its poor track record of non-compliance and failure to pay DPA fines; and even if the investment were permitted, the past GDPR fines would have to be paid with interest.
Dr. Frank Fine
德恒布鲁塞尔办公室/国际反垄断业务主管
Head of International Antitrust and Data Protection, DeHeng Law Offices (Brussel) Executive Director, China Institute of International Antitrust and Investment Visiting Professor of Law, China University of Political Science and Law(Admitted to practice in England & Wales, California and District of Columbia)
中国国际反垄断和投资研究中心担任执行主任,中国政法大学法学院国际反垄断与投资研究所访问教授。(拥有英格兰、威尔士、加利福尼亚和哥伦比亚地区执业资格。)
E-mail:frank.fine@dehenglaw.com
This article was written by the lawyer of DeHeng Law Offices. It represents only the opinions of the authors and should not in any way be considered as formal legal opinions or advice given by DeHeng Law Offices or its lawyers. If any part of these articles is reproduced or quoted, please indicate the source.
声明:
本文由德恒律师事务所律师原创,仅代表作者本人观点,不得视为德恒律师事务所或其律师出具的正式法律意见或建议。如需转载或引用本文的任何内容,请注明出处。
