The GDPR will mean big changes in the way that European and U.S. companies do business in Europe. As we noted at a recent privacy panel, rather than being a matter of speculation, its economic impact has become an empirical question. Will the tighter privacy protections of the GDP slow growth and innovation, as skeptics claim, or will these provisions increase consumer trust and usher in a new era of European digital gains, as supporters say? We await the answers to these questions with great interest.
However, the enforcement stage of the GDPR has not gotten off on the right foot. CNIL, the French National Data Protection Commission, just fined Google 50 million euros for what they called “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” The fines were based in part on complaints filed by privacy groups on May 25, 2018, the very day that the GDPR went into effect. Moreover, the complaints were filed in France, despite that fact that Google’s European headquarters are in Ireland.
The location of the complaints is relevant because the most straightforward reading of the GDPR’s “one-stop-shop” principle suggests that the location of a company’s European headquarters is the main factor determining the company’s lead regulator for GDPR purposes. That’s not the only criterion, for sure, but it was only natural for the Irish Data Protection Commission to take the lead role in regulating Google.
The fact that the privacy organizations filed their complaints with France, not Ireland, suggests that they were forum-shopping–looking for a country which would look favorably on the issues they raised. Moreover, France’s willingness to jump to the front of the regulator queue suggests that they were interested in setting a precedent, rather than letting the GDPR process unfold.
Finally, an important part of the rationale behind the GDPR was to further move towards a digital single market, by allowing companies to only deal with a single privacy regulator. If other countries follow France’s lead and find reasons to levy data protection-related fines on multinationals that have their European headquarters elsewhere, then the GDPR will end up fragmenting markets, rather than making them more consistent. That’s a losing proposition for everyone.