A Luxembourg resident discovered that their data was collected and offered for sale by Apollo and RocketReach, two US-based companies which collect and commercialise personal data on different online platforms. The person concerned exercised their right of access to obtain the information they are entitled to receive under the General Data Protection Regulation (GDPR). Neither company answered this request in a satisfactory manner. A complaint was filed with the Luxembourg Data Protection Authority (DPA), asking the DPA to order both companies to comply with their obligations. The complainant stressed that the processing of their data was illegal and that these two companies did not have a representative in the EU, in violation of the GDPR.
The DPA dismissed the complaint precisely on the basis that the two US companies did not have a representative in the EU and that, therefore, they did not have the power to investigate, nor to adopt, effective enforcement measures against them.
noyb challenged this decision before the courts on the basis that it contravenes the GDPR. Many companies and organisations not established in the EU are subject to the GDPR and should therefore comply with EU data protection law. noyb consider that when DPAs fail to act against these companies, they refuse to protect individuals from non-EU companies. This sends a message that companies can escape the GDPR and the jurisdiction of DPAs jurisdiction simply by not having a presence in the EU.
Enforcement of EU data protection law against non-EU companies
Organisation Name
noyb – European Center for Digital Rights
Country/Jurisdiction
Luxembourg
Amount Granted
EUR 28,411
Current Status
Ongoing
Grant type
Litigation Track Support
Description
A Luxembourg resident discovered that their data was collected and offered for sale by Apollo and RocketReach, two US-based companies which collect and commercialise personal data on different online platforms. The person concerned exercised their right of access to obtain the information they are entitled to receive under the General Data Protection Regulation (GDPR). Neither company answered this request in a satisfactory manner. A complaint was filed with the Luxembourg Data Protection Authority (DPA), asking the DPA to order both companies to comply with their obligations. The complainant stressed that the processing of their data was illegal and that these two companies did not have a representative in the EU, in violation of the GDPR.
The DPA dismissed the complaint precisely on the basis that the two US companies did not have a representative in the EU and that, therefore, they did not have the power to investigate, nor to adopt, effective enforcement measures against them.
noyb challenged this decision before the courts on the basis that it contravenes the GDPR. Many companies and organisations not established in the EU are subject to the GDPR and should therefore comply with EU data protection law. noyb consider that when DPAs fail to act against these companies, they refuse to protect individuals from non-EU companies. This sends a message that companies can escape the GDPR and the jurisdiction of DPAs jurisdiction simply by not having a presence in the EU.
"The DPA dismissed the complaint precisely on the basis that the two US companies did not have a representative in the EU and that, therefore, they did not have the power to investigate, nor to adopt, effective enforcement measures against them"
Strategic Goal
Better enforcement of data subjects’ rights in the EU by ensuring that the GDPR can be enforced against companies and organisations not established in the EU.