Enforcement of EU data protection law against non-EU companies​

By Thomas Vink, 6th December 2021

A Luxembourg resident discovered that their data was collected and offered for sale by Apollo and RocketReach, two US-based companies which collect and commercialise personal data on different online platforms. The person concerned exercised their right of access to obtain the information they are entitled to receive under the General Data Protection Regulation (GDPR). Neither company answered this request in a satisfactory manner. A complaint was filed with the Luxembourg Data Protection Authority (DPA), asking the DPA to order both companies to comply with their obligations. The complainant stressed that the processing of their data was illegal and that these two companies did not have a representative in the EU, in violation of the GDPR.

The DPA dismissed the complaint precisely on the basis that the two US companies did not have a representative in the EU and that, therefore, they did not have the power to investigate, nor to adopt, effective enforcement measures against them.

noyb challenged this decision before the courts on the basis that it contravenes the GDPR. Many companies and organisations not established in the EU are subject to the GDPR and should therefore comply with EU data protection law. noyb consider that when DPAs fail to act against these companies, they refuse to protect individuals from non-EU companies. This sends a message that companies can escape the GDPR and the jurisdiction of DPAs jurisdiction simply by not having a presence in the EU.

Enforcement of EU data protection law against non-EU companies

Organisation Name

noyb – European Center for Digital Rights

Country/Jurisdiction

Luxembourg

Amount Granted

EUR 28,411

Current Status

Ongoing

Grant type

Litigation Track Support

Description

A Luxembourg resident discovered that their data was collected and offered for sale by Apollo and RocketReach, two US-based companies which collect and commercialise personal data on different online platforms. The person concerned exercised their right of access to obtain the information they are entitled to receive under the General Data Protection Regulation (GDPR). Neither company answered this request in a satisfactory manner. A complaint was filed with the Luxembourg Data Protection Authority (DPA), asking the DPA to order both companies to comply with their obligations. The complainant stressed that the processing of their data was illegal and that these two companies did not have a representative in the EU, in violation of the GDPR.

The DPA dismissed the complaint precisely on the basis that the two US companies did not have a representative in the EU and that, therefore, they did not have the power to investigate, nor to adopt, effective enforcement measures against them.

noyb challenged this decision before the courts on the basis that it contravenes the GDPR. Many companies and organisations not established in the EU are subject to the GDPR and should therefore comply with EU data protection law. noyb consider that when DPAs fail to act against these companies, they refuse to protect individuals from non-EU companies. This sends a message that companies can escape the GDPR and the jurisdiction of DPAs jurisdiction simply by not having a presence in the EU.

"The DPA dismissed the complaint precisely on the basis that the two US companies did not have a representative in the EU and that, therefore, they did not have the power to investigate, nor to adopt, effective enforcement measures against them"

Strategic Goal

Better enforcement of data subjects’ rights in the EU by ensuring that the GDPR can be enforced against companies and organisations not established in the EU.

Organisation Name

Women’s Link Worldwide

Image credit: Jason Dent on Unsplash