None of Your Business (noyb) announced on Monday it had filed the appeal in the country’s administrative court against two decisions from Luxembourg’s CNPD which dismissed complaints that Apollo and RocketReach had not conformed with general data protection regulations (GDPR).
“These decisions fundamentally undermine the application of the GDPR to all foreign companies on the EU market--a key promise of the law when it was introduced in 2018,” noyb wrote. According to the platform, a Luxembourg resident lodged a complaint with the CNPD after learning his data was being processed by Apollo and RocketReach, US-based firms that collect and monetise personal data. Efforts to access the data and request its removal were unsuccessful.
According to noyb, the Luxembourg authority dismissed the complaint on the basis that the data controllers did not have a representative office in the EU and could not enforce the matter. Noyb claims that “No material investigation was undertaken and no decision was formed.”
“If DPAs refuse to enforce the GDPR every time a company has no presence in the EU, that would just give the signal to companies to stay abroad to bypass the law…That’s the GDPR version of getting away with murder,” said Romain Robert, lawyer at noyb.eu.
A CNPD spokesperson told Delano that the body had not been formally notified of the appeal but had learned of it through the media. He added that the CNPD does not communicate on ongoing cases and awaits the judgement of the Luxembourg administrative courts.
The GDPR, which entered into force on 25 May 2018, applies to EU data regardless of whether it is handled inside or outside the EU. According to law firm DLA Piper, Luxembourg has notified regulators of 920 data breaches since then, of which 375 were in the past 12 months. It has, however, issued no fines.
DLA Piper Luxembourg partner of intellectual property and technology Olivier Reisch said regulators had shown a “degree of leniency” in response to the pandemic with “several high profile fines being reduced due to financial hardship.” He reckoned the first enforcement actions relating to breaches on transfers of personal data to the US and other third countries would start in 2021.