The EU General Data Protection Regulation's one-stop-shop (OSS) mechanism received a boost amid ongoing questions about the best way to approach cross-border enforcement. Court of Justice of the European Union Advocate General Michal Bobek issued a non-binding opinion supporting the future application of OSS while bringing clarity to the limited exceptions that would allow data protection authorities (DPAs) other than a lead supervisory authority (LSA) to act in a cross-border matter.

"It is clear that one-stop shop is meant to be the procedure to be followed when enforcement action against cross-border processing is necessary," Bobek wrote in his opinion published Jan. 13. "The imperative terms included, particularly in Article 51(2) and Article 63 of the GDPR, unequivocally indicate that supervisory authorities must cooperate and must do so through the (compulsory) use of the procedures and mechanisms established for that purpose."

The opinion came in response to a case between Facebook and Belgium's Data Protection Authority involving whether a concerned supervisory authority has the ability to bring a cross-border case before its state court. Bobek all but ruled out any direct circumvention of one-stop shop, noting "the competence of the LSA is the rule, and the competence of other supervisory authorities is the exception."

Fieldfisher Partner Tim Van Canneyt, CIPP/E, characterized the opinion as a "nuanced position," but a clear one from Bobek nonetheless.

"The advocate general puts forward a lot of arguments to stress the fact that as a rule, only the LSA should be able to act in cross-border processing cases," Van Canneyt said. "He stresses that it is 'of the utmost importance' that DPAs 'duly follow' the rules of the one-stop shop."

IAPP Research Director Caitlin Fennessy, CIPP/US, expects Bobek's opinion to bolster perceptions of one-stop shop. She called it "an important opinion" that "encourages greater attention to strengthening the EDPB’s cooperation procedures."

While the opinion favors one-stop shop, Bobek did leave open the potential for considering future reform of the mechanism. The Belgian DPA raised concerns about under-enforcement of the GDPR through one-stop shop. Bobek rebuffed those concerns for now given the "infancy" of the GDPR, but indicated the question is possibly worth revisiting if the claims ever materialize.

"I must admit that, in my view, if the dangers concerning under-enforcement of the GDPR suggested by the (Belgian DPA) and some other interveners were to materialise, the entire system would be ripe for a major revision," Bobek said.

Belgian DPA Chairman David Stevens said his office was overall pleased with Bobek's opinion, but especially happy with the acknowledgment of exceptions to one-stop shop that can be brought before the courts. Stevens said, "If data subjects can go to court to defend their rights, data protection authorities should also be able to do this on their behalf in certain exceptional cases."

Despite a mostly clear description from Bobek of the six exceptions that would allow for a court to take up a DPA's case instead of following one-stop shop, Morrison & Foerster Senior Counsel Lokke Moerel is already seeing misinterpretations from onlookers.

"The advocate general indicates there are some very limited situations when a concerned supervisory authority can still act in litigation," Moerel said. "For example: Where the GDPR does not apply to the processing of data (e.g. the ePrivacy Directive); where the case is about facts preceding GDPR; where the relevant company does not have a main establishment in the EU and thus lacks an LSA; and where enforcement or court action is taken by other Member States’ authorities. All no brainers."

Van Canneyt believes many DPAs will take the opinion as confirmation that they can proceed with national enforcement. In an effort to avoid gray areas with the application of one-stop shop versus invoking exceptions, Van Canneyt suggests a designated cross-border regulator could be proposed.

"It is interesting to note that the recently published draft Digital Services Act, which contains many principles that are inspired by the GDPR, does not introduce an LSA mechanism, but instead confers the enforcement of cross-border issues to the European Commission," Van Canneyt said. "Should this be interpreted as an implicit acknowledgment by the European Commission that the GDPR one-stop-shop is not working?"
