Luxembourg’s watchdog refuses to show its teeth to US companies
GDPR: A Law without Authority? Luxembourg’s Data Protection watchdog refuses to show its teeth to US companies. noyb files court case
Today, noyb filed an appeal against two decisions of the Luxembourg Data Protection Authority (CNPD) before the administrative tribunal of Luxembourg on a fundamental matter: the authority dismissed two complaints lodged against US-based data controllers, Apollo and RocketReach. The CNPD explicitly confirmed that the General Data Protection Regulation (GDPR) applies to these non-EU companies. However, the CNPD considered that it could not enforce the GDPR against these US controllers, despite multiple enforcement options within the EU. These decisions fundamentally undermine the application of the GDPR to all foreign companies on the EU market - a key promise of the law when it was introduced in 2018.
- Read the acts of appeal before the administrative tribunal here (Apollo FR) and here (RocketReach FR).
- You can also read an automated translation in English here (Apollo) and here (RocketReach).
Initial complaints to the CNPD. The complainant, a Luxembourg resident, discovered that his data were processed by Apollo and RocketReach, two US-based companies which collect and commercialise personal data available online. Having seen this, the complainant attempted to exercise his GDPR rights of access (Article 15) and erasure (Article 17) without success. As the two data controllers did not adequately answer his request to exercise his GDPR rights, the complainant filed complaints against both Apollo and RocketReach before the CNPD. After several reminders from the complainant, the Luxembourg DPA dismissed the complaint on the mere basis that the data controllers did not have a representative in the EU (which is by itself a violation of the GDPR), and that therefore, no effective enforcement measures could be imposed against these data controllers. No material investigation was undertaken and no decision was formed.
Undermining the international reach of the GDPR. The Luxembourg DPA’s decision to dismiss the complaints merely because the controller is not established in the EU clearly undermines the international application of the GDPR, which was a key promise to EU citizens when it was introduced. The law explicitly covers all companies that operate on the European market - no matter where they are based.
“If DPAs refuse to enforce the GDPR every time a company has no presence in the EU, that would just give the signal to companies to stay abroad to bypass the law… That’s the GDPR version of getting away with murder” – Romain Robert, lawyer at noyb.eu.
Enforcing the GDPR. Even when a company does not have a presence in the EU, it is perfectly possible to run a procedure and enforce the provisions of the GDPR. If a company does not make submissions, it usually simply gives up its right to be heard. Several procedural avenues also exist to enforce a decision against a foreign entity: from traditional tools, like freezing assets with third parties (like banks or customers), all the way to more modern approaches like the blocking of a website. The DPAs should use all the possibilities under their national law to enforce their decisions, instead of giving up on fundamental rights.
“The CNPD has a duty to ensure that individual rights under the GDPR are protected. It also has the means to do so for foreign companies, from freezing assets in the EU, all the way to blocking a service. Enforcing EU law against companies and people that do not cooperate or hide abroad is not a new thing for regulators and courts. Hiding in another jurisdiction is as old as borders. There are tools to proceed with a case nevertheless. The point of going to court now is to ensure that the CNPD will actually use its enforcement powers in the future and no longer dismiss a case just because enforcement would be too difficult or burdensome.” - Catherine Warin, lawyer representing noyb in the procedure.
Inactive DPAs: This case shows that some DPAs still sleep on their duties. They should not and will not get away with it. This may be the beginning of a series of actions against DPAs that remain inactive despite the crucial role they play in ensuring the respect of EU data protection law. noyb will closely follow such cases and monitor the effective enforcement of the GDPR by the DPAs.
“The CNPD explicitly confirmed that the GDPR was applicable to these companies, but decided not to act claiming it could not enforce any decision. This left the complainant without any procedure to enforce his fundamental rights. The CNPD considered that it was its power to simply reject a case. Fortunately, the GDPR provides that individuals should have an effective remedy and can challenge the decisions of DPAs before the courts. We will now ask the court to do the job that the CNPD refused to do.” – Romain Robert, lawyer at noyb.eu.