Alex van der Wolk, Lokke Moerel, and Ronan Tigner authored an article for Law360 covering the decision made by the French Council of State, which confirmed French data protection authority CNIL’s decision fining Google €50 million, and also corrected CNIL on a key element of General Data Protection Regulation (GDPR) enforcement: how to rightfully apply the “one-stop-shop” mechanism (OSS).
“The French Council of State corrects CNIL where it required that, for the EU headquarters of Google in Ireland to qualify as the ‘main establishment’ under the OSS provided in the GDPR, it also has to determine ‘the purposes and means’ of the relevant cross-border processing (and therefore also has to qualify as the controller for the relevant processing),” the authors said.
“If that were correct, the OSS mechanism would de facto not be available for non-EU-based companies (such as Google), as their EU administrative headquarters will rarely independently decide on the purposes and means of its cross-border processing activities in the EU. This would entail that these companies be exposed to a potential accumulation of fines for their cross-border processing activities in the EU, as each and every national data protection authority, or DPA, would be able to fine the company up to the maximum allowed under GDPR.”
Read the full article.