EU Data Protection and the Conflict of Laws: The Usual "Bag of Tricks" or a Fight against the Evasion of the Law?

2017 
Until April 2016, the basic principles on the protection of personal data of EU citizens were laid down in Directive 95/46/EC, issued October 24, 1995. (1) This Directive served a double purpose: to ensure the free flow of data from one Member State to another within the internal market, while safeguarding the individual's fundamental rights and freedoms including, notably, his right to privacy. Because differences in the level of protection of an individual's rights with regard to the processing of his data constitute obstacles to the free flow of data, and thus distort competition, the Directive sought to coordinate the divergent laws of the Member States in order to remove these obstacles in a manner that provides for a high level of protection for all EU citizens. As a legal instrument, a directive is only binding upon each Member State with regard to the result to be achieved; it has no direct effect and cannot be invoked by private parties. Moreover, Member States are still left a margin to maneuver, which allows them to specify in their national law the general conditions governing the parameters of lawful data processing, so the Directive acknowledges that new disparities may well arise. (2)
The new General Data Protection Regulation (GDPR), (3) adopted by the Council and the European Parliament in April 2016, brings data protection within the EU to a higher level by establishing a new and harmonized data protection framework across the EU. As a legal instrument, it is of a higher order than a directive because it establishes a single body of law that is directly applicable in the EU Member States. As of May 26, 2018, the GDPR will be directly effective in all EU Member States without the need for national implementing laws, as were required under the Directive.
The aim of the GDPR is to set up a digital single market, with the highest possible common standards for all citizens of the EU Member States, so that each individual remains in control of his or her personal data. This set of unified rules will not only warrant the consumer's trust but also provide businesses with a level playing field throughout the EU when setting up new businesses in the digital economy. At the core of the GDPR lies the rule: "one continent, one law." Companies based outside of the EU will have to apply the same rules when offering services in the EU and should only have to deal with one supervisory authority (a one-stop-shop system), leading to savings estimated at EUR 2.3 billion per year. (4) Under the Directive, the legal issues of jurisdiction and applicable law were extremely controversial, giving rise to much case-law and doctrine. A new element introduced by the GDPR is its extra-territorial reach: it will not only apply to businesses established within the EU but also to businesses based outside the Union that offer goods and services to, or monitor individuals in, the Union. This article examines to what extent the principles developed by the case law of the Court of Justice of the European Union (CJEU) still apply under the GDPR and, if so, to what extent they can still be used as a source of inspiration in resolving these questions.

I. From a Patchwork of 27 National Rules to the 'One-Stop-Shop'

The framework established by the GDPR consolidates the "one-stop-shop" principle already set forth under the Directive; the aim of the GDPR is to ensure that businesses only need to deal with a single supervisory authority (SA) for all processing carried out in the Union, rather than having to deal with the SA of each of the Member States in which the business is active.
However, this initial proposal was watered down, mostly following concerns from Member States over the inability of some smaller supervisory authorities to adequately regulate larger businesses, and that these larger businesses would therefore seek to establish themselves in their jurisdiction. Language barriers and local laws were also seen as an impediment to a true "one-stop-shop" system. …