Forum shopping, in this sense, refers to the practice of choosing to establish a company in or move headquarters to another jurisdiction with a more favourable regulatory environment. For the GDPR, this means countries with relaxed privacy laws, small fines and lacklustre monitoring in general. The GDPR aims to put an end to the practice.
Forum Shopping Today
Until 25 May 2018, when the General Data Protection Regulation will be implemented, the Data Protection Directive (DPD) remains valid.
Under the DPD, companies deal with several Data Protection Authorities (DPAs), depending on which countries they operate in. Aside from this being an administrative burden, each of these authorities can have different powers, and different legislative rules may apply to similar operations from country to country.
This can have more insidious consequences than just increasing legal costs for companies. They can use it to their advantage by purposefully choosing countries with permissive privacy regulations. For example, a company from Poland is bound by the Polish data protection laws, no matter whose data the company is processing and collecting.
This can put some of the countries with stricter laws at a disadvantage, and unwittingly expose their citizens to a lower level of data security, with an added risk of moving said data to another country.
A Current Issue
Legal issues have stemmed from this. For example, a German DPA has decided to take action against Facebook for its policy of not allowing profiles with fake names. The DPA claimed it is against German law, and since Facebook has got an office in Germany, it should be bound by the German laws. Facebook, on the other hand, claimed it was bound by Irish law, where its main European headquarters are. Eventually, Facebook won the case. Under the GDPR, such cases should not be possible, since the legislation will be the same in both Ireland and Germany.
Forum Shopping and the GDPR
The GDPR aims to prevent forum shopping by streamlining and harmonising the rules for the whole European Union. In theory, the privacy regulations should be consistently applied and equal in the entire internal market, and so it should not matter much where the company is based; or at least not because of data protection laws.
A Two-Tiered Approach
While the GDPR will certainly close one wide gap that would enable companies to ‘forum shop’, namely legislative differences, some of these inconsistencies will be difficult to eliminate completely. The European Commission is aware of that problem, and they have created a two-tiered approach to ensure a fair implementation of the GDPR.
The regulatory authorities within each country are independent, but major decisions are reached in cooperation with other authorities and the European Data Protection Board. It, along with the European Commission, is responsible for ensuring consistency in the practical application of the GDPR provisions.
The concept of a company dealing with only a single regulatory authority is called the ‘one-stop shop’ approach, although it has been softened over time. In its original form, only the supervisory authority (SA) of the country where the company is based would be responsible. In its current form, all SAs in the countries where the company operates may investigate. However, there is still one single lead authority, and the company communicates only with it.
This has the unintended consequence of reducing the incentive to forum shop, as the authorities have the right to ‘snoop around’ regardless of where the company is based.
Feasibility of Forum Shopping
Still, there are external factors not inherent to the GDPR that might not prevent ‘forum shopping’ to an extent that the lawmakers would like. Formally, it is forbidden in the GDPR, but if properly implemented, technically such practices could not even be dubbed as ‘forum shopping’, since the law is the same for all.
Our take on this issue is that the burden of ensuring consistency would fall on the European Commission and the EDPB. Certain practices could still be in a grey legal area. For example, companies from abroad wishing to set up shop in the EU are free to choose where to incorporate. They must bear in mind, however, that the country in which they do the bulk of their processing operations is the one whose supervisory authority will be responsible.
Companies from within the EU who wish to choose a ‘better’ supervisory authority must provide quality evidence showing why such an authority should be competent. Records of processing activities could help with proving where and how the processing took place.
Fines as a Deterrent?
Obviously, companies will move to more permissive countries if their operations are sufficiently large-scale to justify the costs. However, there is a myriad of other factors that influence where a company will base its operations, and privacy-related issues are usually near the bottom of the list.
The most obvious reasons for companies to move are tax-related benefits, and those are the major push-pull factors. Besides, other laws pertaining to doing business are still not harmonized, so the level of bureaucracy in a country that is more demanding privacy-wise could still be lower overall. The benefit of doing business more easily could far outweigh the possible benefits of permissive privacy regulators.
A counterpoint to that is the threat of huge fines. Since they can range to as much as EUR 20 million or more – up to 4 percent of global annual turnover – it could pay to choose a regulator that gives one a bit more leeway, as being fined could result in the whole company being shut down.
Inequalities Likely to Persist
However, there are other practical factors to take into consideration. Authorities from English-speaking countries, and to a lesser extent French- and German-speaking ones, could find themselves facing a disproportionate workload. Companies could set up shop there due to language considerations. After Brexit, the Irish regulators could easily find themselves in a bind.
Regulators in countries with a thriving IT industry could be more apt to answer many regulatory issues. Even though that should not overly concern the companies, the perception is difficult (likely impossible) to shake off.
We do not expect to see a marked forum shopping phenomenon after the GDPR is implemented. We do expect to see inconsistent treatment of similar cases across the EU. These inconsistencies should occur only in the first few months, until the authorities adapt to the new state of affairs.
Regardless, any benefits from moving from country to country just for the sake of privacy regulators will probably not be worth it. Ample appeal mechanisms will be available for the companies to overturn the decisions they deem unfair, especially if there are fines involved.
It remains to be seen how well the supervisory authorities will cooperate with one another and what steps the companies will take. In any case, they should ensure they are in compliance with the GDPR before 25 May, to reduce the risks of ever needing a lenient regulator.