What happens if your business processes data in different EU member states? Do you come under the scope of the regulators in all the member states? (Read about other GDPR myths). To answer these questions, you should be familiar with the GDPR one-stop-shop mechanism introduced by the GDPR to facilitate and manage cross-border processing.

This blog will detail the workings of the GDPR enforcement, how it affects your business and how the GDPR one-stop-shop mechanism was put to the test by French regulator CNIL.

What is GDPR one-stop-shop?

A ‘one-stop-shop’ is usually a business offering multiple services all under one roof. From the GDPR perspective, the ‘one-stop shop’ is a single contact point mechanism whereby companies doing business in more than one EU member state will deal with a ‘lead’ Data Protection Authority (DPA).

This means that if your business conducts cross-border data processing, the GDPR requires you to work primarily with the DPA of the member state where your ‘main establishment’ or your EU headquarters is situated in. 

The GDPR one-stop-shop intends to create a more uniform approach to the regulation of data processing activities across the EU. 

How does one-stop-shop impact consumers? The one-stop-shop will put consumers in a better position to enforce their rights against businesses in case of GDPR violations. Consumers can request information from their respective national DPA about the exercise of their GDPR including requests related to cross-border processing. 

GDPR one-stop-shop is built on the principle of the consistency mechanism as underlined in Art.63. It aims to ensure that the data protection regulation is enforced uniformly across all member states and calls on the DPAs across member states to co-operate with each other and the Commission to ensure consistent application of the GDPR. Art.64(2) notes that cases that could have an impact in more than one member state may be referred to the European Data Protection Board (EDPB)

When do the one-stop-shop provisions apply? 

According to the GDPR, the one-stop-shop provisions apply in two scenarios:

  • When a company carries out cross-border processing activity and the business has several establishments in the EU
  • When a company has only one establishment in the EU but process the personal data of residents of more than one EU member state

What is cross-border processing?

As defined in the GDPR, cross-border processing is either:

  • Processing of personal data by a controller or a processor’s establishments located in more than one member state of the EU or
  • Processing of personal data by a single establishment of a controller or a processor in the EU but which can substantially affect data subjects in more than one member state.

It will not qualify as cross-border processing if it concerns businesses located outside of the European Union regardless of the location of the targeted individuals.

What is Lead Supervisory Authority?

The lead supervisory authority is the primary DPA responsible for monitoring the application of the GDPR and its enforcement by a company. As we’ve seen the lead DPA will be from the member state in which an organization has its main establishment. The rules for determining an entity’s main establishment vary depending on whether an entity is a controller or processor.

For controllers with establishments in more than one member state, the ‘main establishment’ will be the member state’s DPA where it has its central administration where the decision-making occurs. The same criterion applies to processors, but in case it does not have an establishment in the EU, the location of the processing will be a relevant determining factor. 

Also, note that, in the case of an organization that has multiple establishments in the EU, the DPAs of other member states where the data subjects reside are considered as the concerned DPAs. For instance, a business has establishments in Spain, Italy and France and its main establishment is in France, the French DPA CNIL will be the lead DPA. The Spanish and Italian DPAs can be the concerned DPAs as the data subjects who can be affected by the businesses’ processing activities reside on their territory.

What are the powers of DPAs under one-stop-shop?

The Lead Supervisory Authority (LSA) is entitled to request other DPAs to provide mutual assistance and may conduct joint operations for carrying out investigations or for joint enforcement measures.LSAs is primarily responsible for such as gathering the relevant information and drafting a decision related to a case which is then submitted to the concerned SAs for their review. The LSA must consult with concerned DPAs to finalise any decisions relating to a case and a decision is only final once all of them are in agreement. 

The DPAs are entitled to raise reasonable objections to the draft decision whereas the LSA can decide to follow or not to follow them. If the LSA decides to follow the objection, a revised draft decision must be submitted to the DPAs. In case the LSA rejects a relevant objection, it triggers the dispute resolution mechanism established under Art. 65 GDPR. The EDPB is then called on to intervene, and it will issue a binding decision according to which the LSA will adopt its final decision.

In November 2020, the EDPB adopted its first Art.65 decision after objections were raised by concerned DPAs regarding a decision taken by the Irish Data Protection Commission (DPC) acting as the LSA for Twitter International. Subsequently, the Irish DPC announced its final decision in December 2020, issuing a €450,000 fine on Twitter for not complying with data breach notification and record-keeping requirements of the GDPR.

CNIL’s workaround of one-stop-shop

In the first landmark GDPR enforcement decision, French DPA CNIL fined Google €50 million in 2019, the largest penalty issued by a European DPA against a company. This decision is of particular interest about the GDPR one-stop-shop mechanism as Google’s main establishment or headquarters were in Ireland and not France. Google responded that the Irish Data Protection Commission (DPC) would be its LSA on the basis that Google’s headquarters are in Dublin. 

CNIL acknowledged that Google’s Irish establishment participated in the relevant processing activities, but noted that it had no “decision-making power on the processing operations carried out in the context” of the complaint filed. The two separate complaints filed in 2018 by non-profit organisations — ‘La Quadrature du Net’ and ‘None Of Your Business’, were regarding Google’s targeted advertising on Android devices. According to CNIL, as there was no main establishment, in this case, the GDPR one-stop-shop mechanism was simply not applicable. While Google appealed the decision with the French State Council (Conseil d’Etat), the court upheld the fine.

In 2020, the CNIL handed down two fines — €60 million on Google LLC, €40 million on Google Ireland, and another €35 million on Amazon Europe Core.

As neither Google nor Amazon’s main establishments were located in France, but in Ireland and Luxembourg respectively, both companies argued that the CNIL cannot initiate GDPR enforcements (Read details on CNIL’s fines here).

CNIL argued that it is the competent authority to monitor the French establishments of Google, Amazon and their cookie compliance under the French Data Protection Act and the ePrivacy Directive. As the decisions were not based on GDPR, according to CNIL, the one-stop-shop mechanism does not hold ground. Google appealed the decision with the French court and lost the appeal again. 

The way forward

The GDPR one-stop-shop has been criticized by key regulators like the Irish DPC as well as the European Commission as inefficient. DPAs that want to initiate GDPR proceedings against big tech companies find their hands tied. They can only forward the complaints to the Irish DPC or Luxembourg and lack the authority to initiate investigations on their own. The Irish DPC which is currently probing high profile cases on Google, Twitter and Facebook, hasn’t taken any enforcement decision. Regulators like Germany and France are upset about the one-stop-shop bottleneck, criticising the Irish DPC, and have penalised big tech within their territorial scope. 

While one of the main benefits of the one-stop-shop is that it is the gateway to the GDPR’s consistency mechanisms, the lack of major decision concerning cross-border cases and delays arising from the cooperation point towards the tensions underlying the mechanism. The looming criticisms lead EDPB to publish a register of one-stop-shop decisions in June 2020, to boost transparency about the workings of the one-stop-shop mechanism. It notes that the LSAs have adopted 110 final OSS decisions to date.  

In a recent opinion on the case of Facebook vs DPA Belgium, the CJEU’s Advocate General reinforces the GDPR’s one-stop-shop while at the same time acknowledging the active role that other supervisory authorities play in GDPR enforcement. This comes after a long battle between Facebook and Belgium’s DPA since 2015 over the company’s use of cookies to track the behaviour of internet users. While the opinion is not binding on the CJEU, it remains to be seen if CJEU will adopt the same approach in its forthcoming decision. 

Is your website still falling behind in terms of GDPR compliance? Does your cookie usage comply with EDPB guidelines? If not, you could face heavy GDPR fines from regulators in the EU. 

CookieYes is a cookie consent solution that can help you comply with GDPR, ePrivacy Directive as well as CNIL guidelines to achieve full compliance for your websites. 

With CookieYes you can:

  • Add a cookie consent banner to your website and fully customize it
  • Block third-party cookies automatically till you obtain user consent 
  • Check cookies used by your website with automatic scanning
  • Record user consent for demonstrating proof of consent
  • Generate a privacy policy page curated for your website and much more

Start GDPR compliance with CookieYes. Sign up for 14-day free trial.