It’s a common criticism of the current EU Data Protection Directive that its provisions determining applicable law invite forum shopping - i.e. encourage businesses to establish themselves in the Member State perceived as being the most “friendly”. In fact, while there is some truth to this belief, its effect is often overstated. Typically, businesses choose which country to set up shop in based on a number of factors - size of the local market, access to talent and infrastructure, local labor laws and (normally the overwhelming consideration) the local tax regime. We privacy pros like to consider data protection the determining factor but, at least in my experience, that’s hardly ever the case.
Nevertheless, it’s easy to understand why many worry about forum shopping. Under the Directive, a business that has a data controlling “establishment” in one Member State is subject only to the national data protection laws of that Member State, to the exclusion of all other Member States. So, for example, if I have a data controlling establishment in the UK, then the Directive says I’m subject only to UK data protection law, even when I collect data from individuals in France, Germany, Spain and so on. A rule that works this way naturally lends itself to a concern that it might encourage a "race to the bottom", with ill-intentioned businesses scampering to set up shop in “weak” data protection regimes where they face little to no risk of penalty - even if that concern is overstated in practice.
But a concern it is, nevertheless, and one that the new General Data Protection Regulation aims to resolve - most notably by applying a single, uniform set of rules throughout the EU. However, the issue still arises as to which regulatory authorities should have jurisdiction over pan-EU businesses, and this point has generated much excited debate among legislators looking to reach agreement on the so-called “one stop shop” mechanism under the Regulation.
This mechanism, which began life as a concept intended to provide greater regulatory certainty to businesses by providing them with a single “lead” authority to which they would be answerable, has slowly been whittled away to something scarcely recognizable. For example, under the most recent proposals by the Council of the European Union, the concept of a lead protection authority remains but there are highly complicated rules for determining when other “concerned” data protection authorities may instead exercise jurisdiction or challenge the lead authority’s decision-making.
All of which begs the question, will the General Data Protection Regulation prevent forum shopping? In my view, no, and here’s why:
- Businesses don't choose their homes based on data protection alone. As already noted, businesses determine the Member States in which they will establish based on a number of factors, king of all being tax. The General Data Protection Regulation will not alter this. Countries, like Ireland or the UK, that are perceived as attractive on those other factors today will remain just as attractive once the new Regulation comes into effect.
- While you can legislate the rules, you can’t legislate the culture. Anyone who practices data protection in the EU knows that the cultural and regulatory attitudes towards privacy vary enormously from Member State to Member State. Even once the new Regulation comes in, bringing legislative uniformity throughout the EU with it, those cultural and regulatory differences will persist. Countries whose regulators are perceived as being more open to relationship-building and “slow to temper” will remain just as attractive to businesses under the Regulation as they are under the Directive.
- The penalties under the General Data Protection Regulation will incentivize forum shopping. It has been widely reported that the General Data Protection Regulation carries some pretty humungous fines for non-compliance - up to 5% of worldwide turnover. In the face of that kind of risk, data protection takes on an entirely new level of significance and attracts serious Board level attention. The inevitable behavioral consequence of this is that it will actively incentivize businesses to look for lower risk countries - on any grounds they can (local regulatory culture, resourcing of the local regulator and so on).
- Mature businesses won't restructure. The Regulation is unlikely to have an effect on the corporate structure of mature businesses, including the existing Internet giants, who have long since established an EU controller in a particular Member State. To the extent that historic corporate structuring decisions can be said to have been based on data protection forum shopping grounds, the General Data Protection Regulation won't undo the effects of those decisions. And new businesses moving into Europe always look to their longer-standing peers as a model for how they, too, should establish - meaning that those historic decisions will likely still have a distorting effect going forward.