Nearly one year since the GDPR came into force, statistics are starting to trickle in as to the effects of the regulation, and the impact felt by data protection authorities across Europe. One such area is the “one-stop-shop” arrangements, which have been introduced by the GDPR.
Under the GDPR, the supervisory authority in the Member State where a company has its “main establishment” holds primary responsibility for dealing with data protection matters, such as complaints raised by data subjects, even where these are cross-border in nature.
As is well known, Ireland is an attractive corporate destination, and a large number of US multinationals have their main establishment there, including Apple, Facebook, Microsoft, Twitter, Dropbox and LinkedIn. However, it is worth noting that the French data protection authority, CNIL, recently found that Google did not have a “main establishment” in the EU and that CNIL therefore had authority to investigate the complaints itself, rather than the Irish Data Protection Commission having exclusive authority, despite the fact that at the time in question Google’s main office was in Ireland. This decision was based on the finding that key decisions were not in fact being taken by the Irish entity but by Google in the US, which left Google open to enforcement by any supervisory authority in the EU. This led CNIL to take its own action, and it demonstrates that the concept of “main establishment” may be construed narrowly.
During the seven months from 25 May to 31 December 2018, the Irish Data Protection Commission dealt with 136 one-stop-shop complaints; it was notified of 38 personal-data breaches concerning 11 tech multinationals, and a number of statutory investigations are ongoing. It is also acting as lead reviewer on a number of binding corporate rules applications.
Reminder: Who uses the one-stop-shop?
The one-stop-shop applies to: organisations “processing the same set of personal data in the context of the activities of an establishment in one Member State as well as one or more EEA offices, branches, or other establishments”; and organisations that “only have offices, branches or other establishments in one Member State, but whose processing of personal data is likely to substantially affect data subjects in one or more other EEA states”. The examples provided by the ICO are as follows:
1. A fashion retailer:
For the purposes of the data of the French customers, this will be cross-border processing and the UK data protection authority (the ICO) will be the lead supervisory authority.
2. A fashion retailer:
To the extent the London office’s processing of the customer data substantially affects data subjects in France and Italy, this will be cross-border processing and the ICO will be the lead supervisory authority.
The one-stop-shop does not directly affect data subjects, who still make complaints to their own data protection authority (and in their own language). From an organisation’s perspective, however, the system simplifies compliance: only one authority will investigate a matter, and the organisation need deal only with that one regulator.
Organisations with international operations should ensure they are aware of who the relevant lead supervisory authority is. In particular from a UK perspective, this will need to be kept under review in the light of the ongoing Brexit negotiations.