One-Stop-Shop
“Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.”
European Commission, at the time of the adoption of the GDPR
At the time of the adoption of the European General Data Protection Regulation (GDPR), the European Commission touted as a benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism (1SS): for controllers or processors with multiple establishments in the EU, the supervisory authority (SA) of the ‘main establishment’ of the controller or processor in the EU serves as the ‘lead SA’ for its ‘cross-border processing’ activities.
In the first landmark enforcement decision under the GDPR, the French SA (CNIL) fined Google 50 million euros (the highest fine so far), despite the fact that the complaints concerned cross-border processing in the EU, which calls for 1SS enforcement. The CNIL considered that although Google has its EU headquarters in Ireland, this Irish entity ‘did not have a decision-making power’ in relation to the purposes and means of the relevant cross-border data processing activities. For that reason, the CNIL decided that the 1SS mechanism did not apply and that the CNIL was therefore competent to make a decision.[2]
This is noteworthy, as apparently the main complainant[3] filed similar complaints against Instagram, Facebook, and WhatsApp with the SAs of Austria, Belgium, and Germany, which all passed the complaints to the Irish SA (as the ‘lead SA’), as these companies have their EU headquarters in Ireland.