IAPP Privacy Perspectives
At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism, whereby the supervisory authority of the "main establishment" of such controller or processor in the EU will serve as the "lead SA" in respect of its "cross-border processing" activities. In the first landmark enforcement decision under the GDPR, however, the French supervisory authority (CNIL) fined Google, despite the fact that the complaints concerned cross-border processing in the EU, which calls for one-stop-shop enforcement.
In her op-ed for IAPP Privacy Perspectives, Morrison & Foerster Senior Of Counsel Lokke Moerel explores the merits of the CNIL’s decision against Google. She argues that this decision undermines the essence of the one-stop-shop as provided by the GDPR, which may be a short-term benefit to the CNIL and its national enforcement powers against Google but will ultimately prove detrimental to effective EU-wide enforcement (including uniformity in application and legal certainty) in the longer term. The SAs further cannot have it both ways. The one-stop shop cannot be applied when it suits them. Either there is a one-stop shop enforcement option against Google (whereby the lead SA in one single decision ensures EU-wide enforcement) or we go back to the pre-GDPR days where each and every SA needs to act against Google to ensure enforcement in its own jurisdiction. The GDPR stands for the first option.
The op-ed is a summary version of a full article published on SSRN.