The GDPR provides for the “one stop shop” privacy rule, which might be difficult to implement for multinational companies that could still face disputes in several countries.
Updated on 19 April 2017 after the publication of the final version of the WP29 Guidelines for identifying a controller or processor’s lead supervisory authority
The so-called “one stop shop” mechanism is one of the main changes introduced by the European Privacy Regulation (GDPR), even if its impact on businesses is going to be lower than initially planned.
The current privacy regime
The EU Data Protection Directive 95/46 currently provides that companies established in the European Union are subject only to the privacy laws of their country of establishment, and only the data protection authority of that country has jurisdiction over them. This applies regardless of where they operate across the European Union.
According to the position of the European Union, this mechanism has been deemed unfair in some instances, since individuals are forced to face a dispute in a country other than their country of residence.
From one to many privacy authorities
The new data protection regime to be introduced by means of the GDPR will provide that
each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation.
The effect of the above rule is that companies operating in different EU Member States might have to deal with the data protection authority of each of those States, and those authorities might take different positions. In order to mitigate the negative effects of this rule, the European Data Protection Regulation provides for the one-stop-shop rule.
The one stop shop rule in case of cross border data processing under the GDPR
The so-called “one stop shop” rule applies under the GDPR when
- either the data processing activity takes place in the context of the activities of establishments of controllers or processors in more than one EU Member State
- or the data processing is performed by a single establishment of the controller/processor in the EU, but substantially affects or is likely to substantially affect individuals in more than one EU Member State.
In the scenarios above, the privacy authority of the country where the sole or main establishment of the controller/processor is located will act as “lead authority” on cross-border data processing activities, and in particular on investigations.
The lead supervisory authority shall cooperate with the other data protection authorities involved in the matter, but will be entitled to take binding decisions on transnational matters. Also, in the most relevant cases, which mainly relate to infringements of the EU Privacy Regulation, and in case of conflicting views among the authorities involved, the matter shall be escalated to a newly established European Data Protection Board.
How to identify the lead supervisory authority?
The Guidelines for identifying a controller or processor’s lead supervisory authority issued by the Article 29 Working Party (the “WP29 Guidelines”) clarify that the “main establishment” might be
- either the central administration of an organization
- or where the decisions on data processing activities are taken and the power to have them implemented is located.
The scenario is more complex in the case of groups of undertakings. In that case, the WP29 Guidelines provide that “the parent, or operational headquarters of the group of undertakings in the EU, is likely to be the main establishment, because that would be the place of its central administration”. This principle can be applied quite easily to structures with a centralised decision-making headquarters or to branch-type structures, but in other scenarios the matter shall be assessed on a case-by-case basis, depending on how the group is structured and how central decisions define the actions of the whole group.
The identification of the main establishment, and therefore of the lead supervisory authority, might in some cases be complex if there is no central administration. In that scenario, the WP29 Guidelines even consider the option that a company internally designates the establishment that will act as main establishment. Such designation, though, shall be accompanied by decision-making powers and responsibilities in relation to data processing activities, as the purpose is to avoid so-called “forum shopping”.
What happens to local matters?
The above rule applies only to cross-border data processing activities, i.e. to scenarios involving either data of individuals located in different countries of the European Union or cases where a company established in one EU country processes personal data in another EU country. The GDPR one stop shop rule does not apply to non-cross-border matters, which relate to data of individuals located in a single jurisdiction processed by an organization based in that same jurisdiction. In that scenario, the data protection authority of that jurisdiction will have jurisdiction.
Also, if a controller/processor is established in more than one EU Member State and a complaint is lodged in a country other than that of the lead supervisory authority and involves only individuals in that Member State, the lead authority shall be informed and can decide whether it wants to handle the case by applying the one-stop-shop rule.
Finally, the one stop shop rule does not apply under the GDPR to organizations that do not have an establishment within the European Union.
Will the rule work in practice?
This new rule has been highly criticised, since its implementation is very complex and because it may oblige the same entity to face data protection disputes in several European countries where it operates. The purpose of the new EU Privacy Regulation is to ensure a higher level of consistency in privacy laws across the European Union, but this new rule risks simply creating a higher level of bureaucracy.
It will be interesting to see how the rule will work in practice once the GDPR becomes binding. The future of the rule might also depend on how active the European Data Protection Board will be in ensuring consistency across the European Union.