Invoking the GDPR in a non-EU court ?
Data protection authorities are in charge of verifying and enforcing GDPR compliance, but what about legal courts ?
Image illustrating the article Invoking the GDPR in a non-EU court ?

The GDPR is now no secret to anyone. It is the European regulation defining the requirements for companies and organizations concerning privacy and security.

Are you wondering what it is exactly or trying to find how to explain it to someone else ? Here’s an article to give you a cluehttps://www.alias.dev/blog/what-is-gdpr, and one to help you be compliant with it.

Its particularity is that it is the toughest privacy and security law in the world. Not only does it impose obligations on organizations collecting or processing personal data, it also levies harsh fines against companies violating its privacy and security standards. Penalties may reach up to millions of euros !

Obviously, European companies are concerned. However, those not in the EU are not entirely safe from a penalty if the requirements are not met. Indeed, the GDPR also applies to organizations that may have little to do with the EU.

A Canadian development company, based in Toronto, whose clients are mainly Canadian or American may not be; at first look involved with the EU legislation. However, does it track its visitors ? If yes, data from EU visitors may be tracked and analyzed. In that case, that is enough for said company to be subject to the provisions of the GDPR.

Does the GDPR apply abroad ?

In this regard, it is important to mention that the GDPR has an extra-territorial effect.
It is article 3 that defines the territorial scope.

Article 3.1 states that the GDPR applies to organizations that are based in the EU even if the data are being stored or used outside of the EU. Article 3.2 goes even further by stating that the law also applies to organizations that are not in the EU, if two conditions are met. The organization must offer goods or services to people in the EU, and monitor their online behavior.

A famous fine against GOOGLE LLC AND GOOGLE IRELAND LIMITED, that reached a total of 100 millions euros shows the way the CNIL’s power of sanction does cross the borders. In this case, on December 7th, of 2020, those companies were fined for having placed advertising cookies on the computers of users of the search engine google.fr without prior consent or satisfactory information.

It is important to note that users are allowed to make a request to a data protection authority in order to challenge a data controller's refusal to respect its rights. Such a request then leads to an examination of the situation by the authority, and eventually a fine and an order to comply with the request if the data controller is proved to be guilty.

There is no question asked about the fields of action of data protection authorities. However, what about legal courts ?

Can the GDPR be invoked in a legal court ?

First of all, it is to note that an user is allowed to bring a GDPR-based suit to court.
More and more privacy activists have been going to court in order to bypass the never-ending delays to get a decision from regulators and to get more control over a case. The underlying goal is often to use this opportunity to set a legal precedent once a verdict is rendered. People have become increasingly aware and dissatisfied with the disparity of power between them and huge corporations. As a result, they have started taking the matter in their own hands.

That is the case of Martin SFP Bryant who filed a data breach group action in the High Court of England and Wales against Mariott International for a data breach they have been subject to.

GDPR allowed people to claim compensation for data protection violations that did not harm them financially; something that was not allowed by many EU jurisdictions before 2018.

However, the GDPR specifically states that cases should be brought to EU courts. The nuance lays in the fact some national laws do not specify that suits need to go to domestic courts. As such, it is possible for plaintiffs to go to international courts. It is the case with the UK data protection law.

As a matter of fact, it is under this principle that Hugo Elliott, a UK citizen, living in England the plaintiff seeked “to weld UK substantive law on to US procedural law for litigation purposes, and essentially import UK GDPR litigation into the United States, just on the grounds that PubMatic is based here,” claimed Edward Takashima, one of PubMatic’s attorneys at the law firm Boies Schiller Flexner. He hoped that a decision would open the door for similar cases against US-based tech companies, sued in the US under UK law. However, the court firmly put a stop to his ambition.

He claimed that PubMatic tracked him across the web, along with other residents of England and Wales in violation of the GDPR. The Court rejected his attempt by adopting the Defendant’s forum non conveniens and international comity grounds. As such, it raised the argument that “a district court may dismiss a litigation once it determines that “the appropriate forum is located in a foreign country.”

As a conclusion, invoking the GDPR in a non-EU court is impossible, except if the law of the country the plaintiff originates from states otherwise. However, it is important to note that as the GDPR may be in conflict with the country’s national law, the courts may be reluctant to go in the direction of the plaintiff; specifically as it would create a precedent that would risk putting the GDPR above their own law.

Stéphanie Exposito-Rosso

Sat Dec 04 2021