One key aspect of the EU’s General Data Protection Regulation (GDPR) is its aim of streamlining the regulatory process by providing “one-stop shopping”: the opportunity to deal with a single regulator with respect to all data privacy issues that arise in Europe, rather than all 28 regulators scattered throughout the continent. For companies not headquartered in Europe, this efficiency is now very much in doubt.
In January 2019, the CNIL, the agency charged with enforcing European privacy regulations in France, fined Google €50 million for violating the GDPR. According to the decision of the CNIL, Google failed to obtain adequate consent from purchasers of Android cellphones to allow Google to direct personalized advertising to them.
While most of the information required by the GDPR was presented to purchasers of new Android phones, it was spread across several documents, making it difficult to understand. Furthermore, the CNIL found the disclosures in those documents to be too generic, vague and confusing. Thus, the CNIL found that user consent to targeted advertising was not informed consent, and was therefore invalid.
That this came from France is surprising because Google had a European headquarters in Ireland. Why didn’t the Irish data protection authority (DPA) assume control over this matter under the “one-stop shop” mechanism? After all, Article 54 and Recital 124 of the GDPR say that if a company has establishments in more than one European jurisdiction, the DPA where the company has its “main establishment” has jurisdiction. The DPA in another affected country has the right to participate in the proceeding, but not to control it. What went wrong?
Technically, CNIL’s justification for asserting jurisdiction involved an analysis of the term “main establishment.” According to CNIL, a company has a main establishment in the EU only if that establishment determines the purposes and means of processing data involving EU citizens. For a US-based company, this is unlikely to ever be the case. The executives at the US headquarters will set policy that will be carried out throughout the organization. Consequently, no US company will ever have a “main establishment” in the EU, and will not have the benefit of the one-stop shopping that the GDPR promised.
Others have observed that GDPR is not a model of consistency on this point, so the CNIL’s interpretation may end up being accepted throughout Europe. Because of the potential to impose large fines, which can be up to 4% of the company’s annual revenue, the DPAs all have reason to assert jurisdiction wherever they can. Thus, the CNIL’s analysis of the question is likely to be quite popular among the DPAs. However, Google has expressed its intention to appeal the ruling, presumably to the European Data Protection Board, so the final word on this subject has not been uttered.
If this ruling is upheld on appeal, it has the potential of increasing the exposure of US companies to fines in the EU in two ways. First, it opens up the possibility of fines even if the US parent company has a substantial EU subsidiary. (This is what happened to Google). Second, it raises the specter of fines being imposed by any number of the 28 DPAs, rather than just one.
Clearly, this puts US companies at a disadvantage, even though much of the GDPR appears to be neutral regarding its application to non-EU companies. This risk is not limited to large companies with EU establishments. Any US company that directs its products and services to the European market –as may be evidenced by offering websites translated into French, German or Italian, or by offering delivery services to Europe — is subject to the GDPR.
Until the recent Google decision, creating an establishment in the EU was a means of gaining the benefit of the one-stop shopping mechanism. Now, that path may no longer be available. US companies seeking to participate in the EU market must be especially thoughtful in addressing compliance with the GDPR. Privacy policies and consent forms that are slapped together without care will not pass muster, and the potential headaches associated with GDP violations are enormous.