In an article for IAPP, “Dodging the One-Stop Shop,” MoFo’s Lokke Moerel and Alex van der Wolk discuss the reluctance of some EU data protection authorities (DPAs) to apply the one-stop-shop enforcement mechanism under the EU General Data Protection Regulation (GDPR), whereby DPAs are seeking to enforce within their borders despite not being a “lead DPA” on a particular case.
While it used the one-stop-shop enforcement mechanism in its decision against IAB Europe, the Belgian DPA has shown a reluctance on several occasions to do so in cases where it does not qualify as the lead DPA. Lokke and Alex discuss a recent decision—labelled by the Belgian DPA as a “decision of principle”—where it declared the one-stop-shop mechanism not applicable: “This decision by the Belgian DPA to circumvent the one-stop-shop is noteworthy as the complaint concerned a ‘cross-border processing’ in the EU and it acknowledged the U.S. search engine provider’s ‘main establishment’ in Ireland. It declared itself competent based on GDPR Article 55(1), which grants a DPA the right to exercise its powers within the territory of its own member state. The Belgian DPA finds the Brussels Court of Appeal is blocking its way by striking down the decision in its entirety due to a lack of adequate motivation.”
Read the IAPP article.