Jurisdiction, the GDPR and Brussels I

How is jurisdiction determined in a claim for breach of the GDPR? We know the rule in Article 79(2) GPDR. But how does that interplay with the ordinary private international law rules of jurisdiction, set out in Brussels I Recast Regulation: Regulation (EU) 1215/2012? What about where the controller seeks to rely on a jurisdiction agreement, which under Article 25 of the Brussels I Recast Regulation, would take priority?

The answer lies in the GDPR itself. Article 79(2) provides that “Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.” It appears to contain a self-contained code of rules determining which courts have jurisdiction over GDPR claims, and recital (147) goes further.

Recital (147) says: “Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council should not prejudice the application of such specific rules.” That appears to underline that the GDPR is, in effect, the lex specialis, regardless of the jurisdictional rules for civil and commercial matters in Brussels I Recast.

Happily, the Brussels I Recast Regulation itself supports this approach. Buried within it is Article 67, which provides that “This Regulation shall not prejudice the application of provisions governing jurisdiction and the recognition and enforcement of judgments in specific matters which are contained in instruments of the Union or in national legislation harmonised pursuant to such instruments.” The GDPR is, fairly plainly, such an instrument.

So held Andrew Baker J in Ramona AG v Reliantco Investments Ltd [2019] EWHC 879 (Comm), finding that these provisions do indeed mean what they appear to say, and that they leave no room for a controller to rely upon a jurisdiction agreement to assign exclusive jurisdiction to some other court not identified by Article 79 GDPR. That would prejudice the rights afforded to the data subject to enforce the GDPR.

However, Andrew Baker J also held, no equivalent provisions were contained in the DPA 1998 or Directive 95/46/EC. Under those regimes, no such rule can be read in, and jurisdiction must be founded upon the rules applicable in the Brussels I Recast Regulation regime (or its predecessor). A claim for breach of the DPA 1998 is, in principle, a claim in tort for breach of statutory duty and so – absent any other applicable rule, such as exclusive jurisdiction agreements – the usual rule is that in Article 7(2) that it is the court for the place where the harmful event occurred which has jurisdiction. Where that is, of course, is highly fact-sensitive.​

Christopher Knight