What is the one-stop shop?
The General Data Protection Regulation (GDPR) has set up a procedure to organize and harmonize the cooperation of the different European protection authorities in cases of cross-border data processing.
The mechanism only concerns cross-border processing as defined in Article 4.23 of the GDPR. That is:
- data processing carried out by a company established in more than one European state (i.e., in the European Union, Liechtenstein, Iceland or Norway); and,
- data processing by a company established in only one State, but which substantially affects individuals in at least one other Member State.
What are the applicable procedural rules?
Each company is handled by a data protection authority as a single point of contact, referred to as the lead supervisory authority[1]. Therefore, the supervisory authority of the main establishment[2] or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing.
This lead supervisory authority is thus responsible for coordinating the decision-making referred to in Article 60 of the GDPR with the other authorities involved in the cross-border processing according to the following steps:
- First, the lead authority must prepare the draft decision to be sent to the other data protection authorities concerned in order to collect and take into account their comments;
- Then, in case of disagreement, the lead supervisory authority must amend the draft decision and submit a new one to the authorities concerned[3].
- However, in case of persistent disagreement with the authorities concerned, the lead supervisory authority must refer the matter to the European Data Protection Board (EDPB) to settle the issue and to adopt a binding decision[4].
- Finally, the lead authority must notify the company concerned of the final decision.
The decision taken will be the result of consultation between all the data protection authorities concerned and will be valid throughout the European Union.
Why may this mechanism be subject to some criticism?
In its report from June 2020[5], the European Commission notes that "the largest multinational technology companies are based in Ireland and Luxembourg", and that the data protection authorities located in these countries do not have the resources to absorb a large flow of requests.
When they are the lead supervisory authority, they are therefore very much in demand. Hence, this mechanism is criticized because of the imbalance it creates between data protection authorities in Europe.
For this reason, the Commission has always insisted on the obligation for Member States to allocate sufficient human, financial and technical resources to data protection authorities. Moreover, it has stressed that the budget issue strongly affects the proper functioning of the one-stop shop.
However, there is still a large number of pending cases despite the considerable increase in the budget[6] of the Irish Data Protection Commissioner (DPC). In fact, the Irish authority is the lead supervisory authority for major technology companies such as Apple, Meta, Google, Microsoft, TikTok, Twitter and eBay. The DPC received 160 cases in 3 years and rendered only 4 decisions, i.e., it ruled in only 2% of the cases[7].
This slow and inefficient handling of cases in countries such as Ireland and Luxembourg caused an inequality in the treatment of these disputes. On this matter, the Commission had the opportunity to specify that the situation of the one-stop shop "remains unequal from one Member State to another and is not yet globally satisfactory".
[1] Article 56 of the GDPR – https://www.privacy-regulation.eu/en/56.htm
[2] Article 4.16 of the GDPR.
[3] Article 60 of the GDPR – https://www.privacy-regulation.eu/en/60.htm
[4] Article 65 of the GDPR – https://www.privacy-regulation.eu/en/65.htm
[5] https://ec.europa.eu/commission/presscorner/detail/fr/ip_20_1163
[6] An increase of 4 million euros for 2022 https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-publishes-2021-annual-report
[7] Report of Irish Council of Civil Liberties for 2021 on the enforcement capacity of data protection authorities https://www.iccl.ie/wp-content/uploads/2021/09/Europes-enforcement-paralysis-2021-ICCL-report-on-GDPR-enforcement.pdf