Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119 of 4 May 2016, hereinafter the ‘GDPR’) lays down rules on international jurisdiction for civil liability disputes. The relationship of these rules with the grounds of jurisdiction provided in Regulation 1215/2012 (‘Brussels I Recast’) may be controversial where a case falls within the scope of both texts.
Art. 79 GDPR is entitled “Right to an effective judicial remedy against a controller or processor” and provides that “1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation. 2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers”.
The cases to which this article applies are essentially disputes of a civil nature involving contractual or non-contractual liability claims to which, until its entry into force, Brussels I Recast’s grounds of jurisdiction had been applied. In these circumstances, it becomes necessary to determine whether the venues provided in the GDPR are added to those of the previous text or whether, on the contrary, they prevent their application, so that a claim by a data subject against the data controller or processor can only be filed in the places listed in Art. 79(2).
If the first option is accepted, it is possible to add to the venue where the data controller or processor has an establishment and the venue where the data subject has his or her habitual residence, as provided in the GDPR, that of the State of the defendant’s domicile (the concept of habitual residence does not necessarily match that of establishment, but it does however absorb it, since the ‘venue of the branch’ under Art. 7(5) Brussels I Recast is broader), as well as the courts expressly or tacitly chosen by the parties. In addition, the action, if in tort, can be brought before the courts of the place of damage, which according to the view of the CJEU could be understood to have occurred in the place where the victim had his centre of main interests, usually, but not in all cases, coinciding with the habitual residence, or in other places where the damage could be understood to have originated or manifested itself. In contractual liability claims, the courts of the place of performance of the obligation that serves as grounds for the claim would have jurisdiction, unless the data subject has the status of consumer, in which case the venues of protection provided for them would apply (and all this without prejudice to the venues by reason of procedural connection as per Art. 8 Brussels I Recast).
Here, scholarly writings are divided. Confining ourselves to Spanish authors, P. de Miguel (Competencia y Derecho aplicable en el Reglamento general sobre protección de datos en la UE, REDI, 69 (1), 2017, pp. 705-108) argues for the cumulative application of the GDPR and Brussels I Recast primarily on the basis of the wording of recitals 145 and 147 of the GDPR (“For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides [...]” and “Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council (13) should not prejudice the application of such specific rules”) and of the enhanced protection that this interpretation means for the data subject, in a context in which the GDPR pursues precisely that objective. Nonetheless, this author suggests a restrictive reading in respect of some of the Brussels I Recast venues - such as that of express agreement – in order to not deprive Art. 79(2) GDPR of its ‘useful effect’.
Among those who defend the opposite, M. Requejo (La aplicación privada del derecho para la protección de las personas físicas en materia de tratamiento de datos personales en el Reglamento UE 2016/679, La Ley Mercantil, 2017, no. 42) bases her position on the very wording of Art. 79 GDPR, which establishes the mandatory nature of the jurisdiction rules it contains (“proceedings [...] shall be brought”), and on the argument that the protection of the data subject cannot be considered an absolute value, but must respect the balance with other fundamental rights, such as that to an effective judicial remedy, which could be affected if an excessive proliferation of venues is allowed. Moreover, alongside the protection of personal data, there is another essential objective of the regulation: the free movement of such data as a necessity for the proper functioning of the internal market, which may be called into question if the system is perceived as excessively burdensome by data controllers or processors, to the extent that it dissuades them from entering or remaining in the market.
In the absence of a decision of the CJEU interpreting this question, the arguments in favour of a restrictive interpretation, which prevents the joint application of both texts, are stronger. In addition to the above-mentioned arguments, the wording of Art. 79(2) GDPR is not incompatible with what is expressed in the recitals: when recital 145 refers to the claimant’s choice, it is referring only to the two possibilities which the regulation includes and which are none other than those provided for in the articles. Similarly, the requirement in recital 147 that Brussels I Recast should not prejudice the application of the specific rules of the GDPR in the sense of preventing the application of the GDPR can be understood. On the other hand, ensuring the necessary balance between two fundamental rights - personal data protection and effective judicial remedy - can be decisive. We will, however, have to wait for the CJEU to have the chance to settle the issue.