In Defense of the One-Stop Shop: CNIL Stands Corrected


08 Jul 2020

Alex van der Wolk, Lokke Moerel, and Ronan Tigner authored an article for Law360 covering the decision made by the French Council of State, which confirmed French data protection authority CNIL’s decision fining Google €50 million, and also corrected CNIL on a key element of General Data Protection Regulation (GDPR) enforcement: how to rightfully apply the “one-stop-shop” mechanism (OSS).

“The French Council of State corrects CNIL where it required that, for the EU headquarters of Google in Ireland to qualify as the ‘main establishment’ under the OSS provided in the GDPR, it also has to determine ‘the purposes and means’ of the relevant cross-border processing (and therefore also has to qualify as the controller for the relevant processing),” the authors said.

“If that were correct, the OSS mechanism would de facto not be available for non-EU-based companies (such as Google), as their EU administrative headquarters will rarely independently decide on the purposes and means of its cross-border processing activities in the EU. This would entail that these companies be exposed to a potential accumulation of fines for their cross-border processing activities in the EU, as each and every national data protection authority, or DPA, would be able to fine the company up to the maximum allowed under GDPR.”

Read the full article.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.