The GDPR has been in force for nearly four years, but the challenges of enforcing it set it up to be a paper tiger. The one-stop-shop seems to benefit companies, underdelivering on the GDPR’s promise to give individuals back control of their personal data. NGOs and individuals start to turn to courts to enforce GDPR-conferred rights, including to compensation. Yet, the divergences between national laws of EU countries make private cross-border actions challenging. National laws may significantly differ as to the burden of proof, the notions of infringement and damage, causality as well as compensation. With no clear rules determining the applicable law there is a growing risk of fragmentation of individuals’ level of protection. The upcoming Collective Redress Directive holds a promise to offset some of the existing challenges and facilitate collective actions, yet comes with its own uncertainties.
• Why going to court might be more effective than going to a DPA?
• Can courts rectify the deficiencies of enforcement via DPAs?
• How do national divergences in substantive and procedural laws impact cross-border private actions?
• What are the specific challenges faced by NGOs when bringing cross-border private actions, and what are the recent private actions launched?
• What is the interlink between the Collective Redress Directive and the GDPR, and does it signal the advent of a new era for GDPR enforcement?