What happened to the one-stop shop?

IAPP Privacy Perspectives

21 Feb 2019

At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism, whereby the supervisory authority of the "main establishment" of such controller or processor in the EU will serve as the "lead SA" in respect of its "cross-border processing" activities. In the first landmark enforcement decision under the GDPR, however, the French supervisory authority (CNIL) fined Google, despite the fact that the complaints concerned cross-border processing in the EU, which calls for one-stop-shop enforcement.

In her op-ed for IAPP Privacy Perspectives, Morrison & Foerster Senior Of Counsel Lokke Moerel explores the merits of the CNIL’s decision against Google.  She argues that this decision undermines the essence of the one-stop-shop as provided by the GDPR, which may be a short-term benefit to the CNIL and its national enforcement powers against Google but will ultimately prove detrimental to effective EU-wide enforcement (including uniformity in application and legal certainty) in the longer term. The SAs further cannot have it both ways. The one-stop shop cannot be applied when it suits them. Either there is a one-stop shop enforcement option against Google (whereby the lead SA in one single decision ensures EU-wide enforcement) or we go back to the pre-GDPR days where each and every SA needs to act against Google to ensure enforcement in its own jurisdiction. The GDPR stands for the first option.

Read Lokke’s op-ed

The op-ed is a summary version of a full article published on SSRN.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.