At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism, whereby the supervisory authority of the "main establishment" of such controller or processor in the EU will serve as the "lead SA" in respect of its "cross-border processing" activities. In the first landmark enforcement decision under the GDPR, however, the CNIL fined Google, despite the fact that the complaints concerned cross-border processing in the EU, which calls for one-stop-shop enforcement. So what does that mean for the oft-touted one-stop-shop enforcement mechanism? In this post for Privacy Perspectives, Lokke Moerel of Morrison & Foerster explores this question and what it means for the future of the one-stop shop under the GDPR.
If you want to comment on this post, you need to login.