Is there a risk of jurisdiction arbitrage in enforcement of the GDPR?

The GDPR is enforced by national Data Protection Authorities and civil courts. In our opinion the risk of jurisdiction arbitrage is low because:

  • Individuals can sue companies (in courts) and file complaints (with DPAs) in their country of residence or in the European country where data protection infringement took place (so it does not matter where the company is located).
  • If the complaint is filed with the DPA (not the court), the EU coordination mechanism (European Data Protection Board will ensure that national DPAs do not make arbitrary decisions in matters that are relevant to other countries.