International Jurisdiction over Crossborder Private Enforcement Actions under the GDPR

Abstract

The new European Union (EU) Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “General Data Protection Regulation or “GDPR”) aims to strengthen individual rights for the protection of personal data by, inter alia, facilitating private enforcement actions. To this end, the GDPR clarifies the data subject’s right to a direct and independent private enforcement action directly against the controller or processer. As the infringement of personal data rights increasingly takes on cross border dimensions, the GDPR sets out rules on jurisdiction allowing the data subject to bring a private enforcement action in the Member State where the offending controller or processor has its establishment, or alternatively in the Member State where the data subject has his or her habitual residence. The aim of this article is to analyze the jurisdictional options available to a data subject to bring a private enforcement action to enforce his/her data protection rights before the GDPR, under the Member States’ general rules on jurisdiction in private international law, and after the GDPR, under the GDPR’s own rules on jurisdiction. In addition, the article analyzes whether the new rules on jurisdiction in the GDPR supplement or supplant the Member States’ general rules on jurisdiction. The article discusses and analyzes the areas where the application and interpretation of the rules are unclear, and proposes interpretations that best serve the objectives of the GDPR to strengthen the rights of data subjects by facilitating private enforcement actions without jeopardizing the principle of legal certainty deemed necessary for the free movement of data within the EU.