Member State proceedings against international companies under the GDPR

The GDPR legislation is in force since 25 May 2018 and is applicable among the countries of the European Economic Area. One of its main novelty is that it introduced much stricter and stronger rules regarding data protection than ever before, and the legislation can be applied extensively, so companies that have their registered seat outside of the European Economic Area can be involved in proceedings.

On 13 January 2021 the advocate general has expressed his opinion about the possible Member State actions against large international companies (such as Facebook, Google, etc.). He argued that during the proceedings of the main supervisory authority, it shall cooperate also with other data protection authorities. The company’s registered seat determines the competent authority under the GDPR regime, as the regulation introduced a one-stop-shop system. This is why in most large cases the Irish Authority has the right to initiate proceedings, as the biggest tech companies such as Facebook, Google or Twitter have their registered seat in Ireland. This is true even if there is a foreign element in the dispute such as the nationality of the complainant.

If the abovementioned opinion is accepted by the Court of Justice of the European Union, it can have a significant impact on large tech companies, as some countries previously initiated harsh proceedings against them. If the advocate general’s opinion is passed, it will result in that authorities apart from the main supervisory authority can take part in proceedings, thus it would open a way to greater accountability regarding data protection of European citizens.