The one stop shop principle was one of the key facets of the European Commission's initial proposals for the General Data Protection Regulation (GDPR) in 2012. The admirable objective was to reduce the administrative burden, uncertainty and inconsistency which currently exist for data controllers under the Directive. Where they are "established" in more than one EU Member State, data controllers are currently subject to the jurisdiction of the data protection supervisory authorities (SAs) in each of those States. The ability to gold-plate the Data Protection Directive means that often these SAs are enforcing distinct data protection requirements, producing diverse best practice guidelines and setting very different enforcement priorities.
The Commission's proposals sought to eliminate this rather untidy hotchpotch of regulatory obligations, and allow a single SA to take responsibility for the EU-wide data processing obligations of controllers which had their "main establishment" within their territory.
Unfortunately for the Commission, its vision for this one stop shop was fraught with difficulties, not least of which were the likelihood of forum shopping by data controllers with broad processing activities, and the difficulties that data subjects would encounter in seeking to enforce their rights in jurisdictions distant from their own. As a result, the European Parliament and the Council of Ministers completely reworked the Commission's proposals, and the approach to the one stop shop we now see in the GDPR is very different indeed from what the Commission first tabled.
The GDPR has abandoned the Commission's initial approach of having a single SA being solely and wholly responsible for supervising all data processing by data controllers which had their main establishment within its territory. Instead, the (more or less) final text specifies that where controllers or processors carry out processing activities through establishments in multiple Member States (or a single establishment with processing activities that affect data subjects in multiple Member States), the SA in the jurisdiction of their "main establishment" will take the role of Lead SA.
National SAs, however, remain competent to investigate and enforce data protection law if a complaint is directed to them, or if there is an infringement within their Member State or which substantially affects only data subjects located within it. It is expected that the newly-formed European Data Protection Board (EDPB) will issue guidance on the scope of the term "substantially", but it seems likely that more than the odd bun-fight might break out where there are also non-"substantial" effects on data subjects located elsewhere.
Where a National SA wishes to commence an investigation despite not being the Lead SA, it must notify the Lead SA of its intentions. The Lead SA then has a period of three weeks to determine whether it wishes to intervene and apply the co-operation procedure (see below). If it wishes to intervene, the National SA can produce draft decisions for the Lead SA's consideration. If it does not wish to intervene, the National SA will carry out the investigation and can be expected to make use of the new mutual assistance and/or joint investigation provisions of the GDPR (further below).
The GDPR also introduces the concept of Concerned Supervisory Authorities (CSAs), with whom Lead SAs have an obligation to co-operate in their investigations. Lead SAs must provide information to CSAs and endeavour to reach a consensus on their decisions. Lead SAs can seek CSAs' assistance, and conduct joint investigations within the CSA's territory. Lead SAs must also submit drafts of their decisions to CSAs, and provide a four-week window for CSAs to raise objections (this can be subject to a further round with a two-week objection window).
Where a Lead SA does not propose to act in accordance with the views of a CSA, it must approach the EDPB and engage the "consistency procedure" (below). This is subject to the ability of the Lead SA to take urgent temporary action on its territory to protect the rights of its data subjects without completing this procedure, and instead utilising the "urgency procedure" (you may detect the development of a theme here). Of course, such urgent actions and the reasoning behind them must be communicated to the CSAs and the EDPB without delay.
Mutual assistance and joint operations
The GDPR imposes obligations on SAs to provide one another with mutual assistance. This may involve responding to information requests, obtaining requisite authorisations, carrying out inspections, investigations and consultations, and implementing supervisory measures. All SAs are required to reply to such requests without undue delay (and in any event within one month) and take all appropriate measures required to respond.
An SA will have the right to be involved in enforcement operations if a controller has an establishment in its territory or a significant number of its data subjects are likely to be affected. Of course, although to some extent joint enforcement action has taken place under the current law, this promises to be an area where under-resourced SAs, with their own investigations to prioritise, might seek to resist requests by Lead SAs which are seen as overly broad or resource-intensive. This may be the reason that the GDPR grants powers to the Commission to specify the format and procedures pertaining to mutual assistance.
Consistency and the EDPB
The EDPB is likely to have a vital part to play in the success of the reformulated one stop shop. In part, the EDPB will take over the activities of the deposed Article 29 Working Party (WP) and will have a similar composition, being formed from the heads of the national SAs and the European Data Protection Supervisor. However, in response to concerns about the Commission's somewhat overzealous influence over the WP, the Commission's representative on the EDPB will be a non-voting member, and the GDPR strongly emphasises the EDPB's independent status. Unlike the WP, the EDPB is an independent body of the European Union with its own legal personality, and its chief remit is to contribute to the consistent application of the GDPR throughout the EU.
In addition to providing guiding opinions on key issues relating to data protection across the EU and providing centralised approval for binding corporate rules, a key element of the EDPB's role will be exercising its authority to conciliate and ultimately determine the many disputes that may arise between SAs through the various procedures outlined above. In relation to such disputes (which may typically be expected to arise between a Lead SA and a CSA) the EDPB will issue a binding verdict on the basis of a two-thirds majority vote.
Four years well spent?
The one stop shop is barely recognisable from the Commission's original proposals. It can be said that the (more or less) final text does much to address the chief initial concerns around protecting rights and redress for data subjects and preventing forum shopping by businesses, seeking to balance greater consistency with an effective local channel for complaints. Another chief criticism was that the Commission (perhaps unsurprisingly) gave itself far too much authority in the drive to achieve a consistent approach in its original proposals. This role has, instead, been allocated to a much-bolstered, independent advisory body with far greater influence than the WP.
However, the major criticisms of the approach advocated by the Council and the European Parliament remain in relation to the text of the GDPR. In an attempt to protect the objectives above, the system has become extremely complex and highly dependent on good relations between SAs which are sure to value effective enforcement in their own territory above a uniform EU-wide regime. Of course, the EDPB is there to act as referee, but it would seem that it will take quite some time and quite a few decisions to work out the kinks in these procedures.
Perhaps, however, the legislators should be commended for shifting, if not eliminating, the administrative burden in cases involving multi-jurisdictional data processing. Clearly such cases may require substantial procedural hurdles to be overcome, but at least it is now the regulators, rather than controllers or processors, who must bear the brunt of that burden. It is also to be hoped that the majority of cases will be non-controversial regarding the determination of Lead SAs and, where they are not, that regulators can work together efficiently to allow for clear, predictable and efficient outcomes.