Dodging the One-Stop Shop


03 Feb 2022

In an article for IAPP, “Dodging the One-Stop Shop,” MoFo’s Lokke Moerel and Alex van der Wolk discuss the reluctance of some EU data protection authorities (DPAs) to apply the one-stop-shop enforcement mechanism under the EU General Data Protection Regulation (GDPR), whereby DPAs are seeking to enforce within their borders despite not being a “lead DPA” on a particular case.

While it used the one-stop-shop enforcement mechanism in its decision against IAB Europe, the Belgian DPA has shown a reluctance on several occasions to do so in cases where it does not qualify as the lead DPA. Lokke and Alex discuss a recent decision—labelled by the Belgian DPA as a “decision of principle”—where it declared the one-stop-shop mechanism not applicable: “This decision by the Belgian DPA to circumvent the one-stop-shop is noteworthy as the complaint concerned a ‘cross-border processing’ in the EU and it acknowledged the U.S. search engine provider’s ‘main establishment’ in Ireland. It declared itself competent based on GDPR Article 55(1), which grants a DPA the right to exercise its powers within the territory of its own member state. The Belgian DPA finds the Brussels Court of Appeal is blocking its way by striking down the decision in its entirety due to a lack of adequate motivation.”

Read the IAPP article.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.