GDPR tactic: “forum shopping”, by choosing a data controller’s HQ.. does this work? - Sopuli
sopuli.xyz
Many member states a daft when it comes to GDPR enforcement. But there are an exceptional few member states that have a Data Protection Authority that actually does their job. E.g., in principle, I might want to file all Article 77 complaints in Norway. Of course, without living there and having no transaction there, it’s outside of the jurisdiction. OTOH, what happens when a company like Microsoft or Google abuses your data and violates the GDPR? I think MS has headquarters in multiple countries: France, Finland, Spain, Norway, Germany, etc. If I have zero confidence in the DPA for the country I am in, can it be effective to direct the GDPR to a another country if MS has a headquarters there? Is there a heirchy of headquarters whereby an ultimate top level headquarters where a corporation is most relevant?

Many member states a daft when it comes to GDPR enforcement. But there are an exceptional few member states that have a Data Protection Authority that actually does their job. E.g., in principle, I might want to file all Article 77 complaints in Norway. Of course, without living there and having no transaction there, it’s outside of the jurisdiction. OTOH, what happens when a company like Microsoft or Google abuses your data and violates the GDPR? I think MS has headquarters in multiple countries: France, Finland, Spain, Norway, Germany, etc. If I have zero confidence in the DPA for the country I am in, can it be effective to direct the GDPR to a another country if MS has a headquarters there? Is there a heirchy of headquarters whereby an ultimate top level headquarters where a corporation is most relevant?