Juggling more than three balls at once: multilevel jurisdictional challenges in EU Data Protection Regulation.

This article analyses the rules on regulatory competence, jurisdiction and applicable in European Union (EU) data protection law in the light of recent case law of the Court of Justice of the EU and national courts and in the light of the changes that were introduced by the General Data Protection Regulation (GDPR). It finds that, in the regulatory context, the rules on applicable law effectively become rules of regulatory competence (jurisdiction in the narrower sense) and that a crucial distinction should be made between internal conflicts of law (between the Member States) and external conflicts of law (Member States vs third countries). It argues that Member States should trust each other sufficiently to apply the law of the main establishment for internal conflicts but welcomes the wide interpretation of the establishment rules in Google Spain. It argues that this wide interpretation should apply to external conflicts of law only. Finally, the article finds that enforcement cooperation has been improved through the detailed provisions in the GDPR (compared to the Data Protection Directive) but that an opportunity has been missed in not creating a single EU enforcement authority. This is unfortunate since the coordination procedure established in the GDPR is likely to be cumbersome and fraught with political wrangling. [ABSTRACT FROM AUTHOR]