News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | What happened to the one-stop shop? Related reading: Inside the EU AI Act negotiations: A conversation with Laura Caroli

rss_feed

"Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU."  - European Commission

At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism, whereby in respect of controllers or processors with more establishments in the EU, the supervisory authority of the "main establishment" of such controller or processor in the EU will serve as the "lead SA" in respect of its "cross-border processing" activities.

In the first landmark enforcement decision under the GDPR, the CNIL fined Google 50 million euros, despite the fact that the complaints concerned cross-border processing in the EU, which calls for one-stop shop enforcement. The CNIL considered that although Google has EU headquarters in Ireland, this Irish entity "did not have a decision-making power" in relation to the purposes and means of the relevant cross-border data processing activities. For that reason, the CNIL decided that the one-stop shop mechanism did not apply and that the CNIL was therefore competent to make a decision (under reference to the EDPB guidelines for identifying a lead SA).

What is the issue?

Is the CNIL right to require that the EU administrative headquarters also has to decide on purposes and means (i.e. qualify as the controller)?

If so, the one-stop shop mechanism will de facto not be available for non-EU controllers (such as Google), as their EU administrative headquarters will rarely independently decide on the purposes and means of its cross-border processing activities in the EU (these being part of their global service offerings). These companies will then be exposed to potential accumulation of fines for their cross-border processing activities, as each SA would be able to fine the company up to the maximum allowed under the GDPR. Though some may find this an acceptable outcome for the "Googles of this world," it is overlooked that the CNIL’s decision also limits the availability of the one-stop shop for EU-headquartered companies.  

What to think?

As the CNIL’s decision is already followed by the U.K. ICO announcing similar enforcement action against Google, it is worth evaluating its merits.

The outcome is surprising. The intention of the EU legislators was to apply one-stop shop to non-EU controllers having establishments in the EU. Enforcement against such non-EU controllers is then possible in their place of central administration in the EU, whereby the justification for enforcement against such central administration (rather than the controller), is that such central administration in the EU has the corporate power to ensure the implementation of compliance by the establishments in the EU, thereby greatly enhancing practical enforcement in the EU against non-EU controllers.

The requirement of the CNIL that the central administration in the EU must also qualify as the controller therefore undermines the one-stop shop as provided by the GDPR. This decision may be a short-term benefit to the CNIL and its national enforcement powers against Google but will ultimately prove detrimental to effective EU-wide enforcement (including uniformity in application and legal certainty) in the longer term.

The SAs cannot have it both ways. The one-stop shop cannot be applied when it suits them. Either there is a one-stop shop enforcement option against Google (whereby the lead SA in one single decision ensures EU-wide enforcement) or we go back to the pre-GDPR days where each and every SA needs to act against Google to ensure enforcement in its own jurisdiction.

The GDPR stands for the first option.

Essence of the one-stop shop

The one-stop shop was adopted by the EU regulators in order to "enhance consistency in application, legal certainty and reduce the administrative burden for controllers and processors" (EC Initial Proposal, Recital 97). The EU legislators further made clear that the one-stop shop would also bring "significant added value" for individuals, i.e. by facilitating central enforcement by a single decision of one lead SA (EC communication, at [p. 4]).  

Déjà vu

Given the benefits, you would expect all SAs to warmly embrace the concept, or so you would think.

The reality was that many SAs opposed the one-stop shop, so much so that it proved to be the last hurdle for adopting the GDPR. The opposition was triggered by the realization that not all member states have an equal number of EU headquarters in their territories. The ones with more would act more often as lead SA, gain more control, and most importantly, collect the newly increased fines.

To ensure adoption, ultimately a compromise was struck. The lead SA would no longer act independently, but would act as a "first among equals," whereby other relevant SAs (e.g. with local establishments) could join in any enforcement action by the lead SA (and receive their share of the fine). Important here is that the core of the one-stop shop, whereby one lead SA coordinates EU wide enforcement (to the detriment of the national enforcement powers of the SAs), remained firmly in place (EC Communication).

The definition of ‘main establishment

Let’s look at the definition of ‘main establishment’ in Article 4(16) GDPR:

format_quote"(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment..."

At first glance, the literal text could be taken to provide support for the decision of the CNIL, as it may be read to imply that the central administration in the EU is the place where decisions about the purposes and means are made (EDPB Guidelines at [p.5]). This could be implied by the use of term "unless," which could be taken to mean that if decisions on purposes and means will be made by another establishment instead of by the central administration, such other establishment will qualify as the main establishment.

As is often the case, however, the provisions of the GDPR cannot be taken at face value.

Controller does not have to be established in the EU

The GDPR is set up in such a manner that its provisions apply regardless of whether the controller itself is established in the EU. It is sufficient that the personal data is processed "in the context of an establishment in the EU," whereby the controller itself may well be established outside the EU (EDPB on scope, at [p. 6]).   

In wording similar to that found in the scope provision of Article 3(1) GDPR, the definition of "main establishment" does not require that the controller itself should be established in the EU, just that the controller "must have establishments in more than one Member State." This provision is therefore equally meant to provide for a one-stop shop in a case of a non-EU controller having establishments in the EU, whereby it is understood that these establishments may therefore not qualify as controllers in their own right.

In order to ensure that also in case of non-EU controllers efficient enforcement can be achieved, the EU legislators chose as the best port of call for the one-stop shop the "place of central administration."  The EU legislators opted for the "central administration" rather than for "EU headquarters" in order to ensure that also in cases where there would be no official legal EU headquarters, another establishment could be identified as best placed (in terms of management functions) to qualify as the main establishment, therefore guaranteeing the one-stop shop enforcement also against non-EU controllers.

Read from this perspective, it is clear why the one-stop shop mechanism does not specify that the central administration in the EU must decide the purposes and means. The provision may well cover non-EU controllers, whereby these decisions may be made by such non-EU controller.

This is also the logical interpretation of why "the place of central administration" is included in the first place.

If the EU regulators had intended that the central administration should also make decisions on purposes and means (as the CNIL assumes), the provision could have simply provided that the main establishment is "the EU establishment being the controller of the relevant processing." The reference to "place of central administration" would have no function.

This inclusion must therefore mean something different than the reference to "establishment where the decisions on purposes and means of the relevant processing are taken" (referring to who qualifies as the controller), as otherwise why include this element in the provision in the first place?

This argument also works the other way: If the central administration would also be the place where decisions on purposes and means are taken, why include the alternative option? The alternative option would be irrelevant. 

The construction is only consistent if the central administration is understood as the place where corporate control is exercised and compliance can be streamlined across establishments. In this interpretation, the alternative option has significant relevance as enforcement against the latter establishment is more efficient than against the center of administration, as it can both decide on purposes and means and also have these decisions implemented.

Note that the alternative option is different from mere controllership; the controller needs to be in the EU itself and further also have the power to implement decisions. The underlying rationale again is how to best enforce decisions throughout the EU (ensuring the power to direct compliance) rather than by first and foremost identifying the party having the legal responsibility to comply with the GDPR (i.e. the controller).

The above interpretation is confirmed by Recitals 36 and 37 GDPR, which provide a clarification for which entity of a group of undertakings qualifies as the main establishment. These Recitals make clear that where processing is carried out by a group of undertakings, the establishment of the undertaking in the EU with overall control over the EU establishments should be considered to be the main establishment for the group: “whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented.”

Legislative history

The above interpretation is supported by the legislative history of the relevant provisions.

The definition of "main establishment" in the EC’s initial proposal very much deviated from the final provision in the GDPR; initially, the main establishment of the controller was the place of its establishment "in the EU where the main decisions as to purposes and means are made," and in contrast for processors, the "place of its central administration."

The interpretation now given by the CNIL was therefore fully in line with the definition in the Initial Proposal, but this provision changed drastically thereafter. Note that already in this first draft the "place where decisions are taken" (for controllers) was meant to have a different meaning from the expression "place of central administration" (for processors).

The European Data Protection Supervisor (EDPS) recommended in respect of the definition of "controllers" to refine the criteria to identify a controller’s main establishment: "taking into account the ‘dominant influence’ of one establishment over others in close connection to the power to implement personal data protection rules or rules relevant for data protection. Alternatively, the definition could focus on the main establishment of the group as a whole."

In other words, not so much the decisions on purposes and means should be relevant according to the EDPS, but rather the power to get data protection rules implemented (i.e. "dominant influence") should be relevant here.

This input was subsequently taken to heart in various subsequent versions of the definition ultimately making the place of central administration the main establishment also for controllers (aligning this with the connecting factor for processors).

Impact on EU headquartered companies

The CNIL’s decision also impacts the one-stop shot for EU companies, in cases where decisions about purposes and means of a cross-border processing activity are not made by the EU headquarters but by a local subsidiary.

The requirement of the CNIL that the "place of central administration" also decides on purposes and means will lead to a mutually exclusive situation where no lead SA can be identified at all: The main option (place of central administration) would not apply since the EU headquarters does not make these decisions, but neither would the alternative option (establishment making decisions), since the local subsidiary would not have the power to implement decisions.

This interpretation is at odds with the rationale for the one-stop shop mechanism, which is clearly intended to always lead to a main establishment regarding a cross-border processing activity. This also follows from the drafting of the definition, where the options are not equal alternatives: The main option is intended to be the default solution, unless the alternative option applies.

Again, the construction is only consistent if the place of central administration is understood as the place where corporate control is exercised and compliance can be streamlined across establishments.

photo credit: Sieboldianus Animated Map of geotagged Flickr photos (Europe), 2007-2017 via photopin (license)

Editor's Note:

This blog is a summary version of a full article published on SSRN.

Author
Headshot Lokke Moerel IAPP Member Contributor
Tags
Europe
Enforcement
Privacy Law
Privacy Opinion
Transborder Data Flow
7 Comments

If you want to comment on this post, you need to login.

  • comment Lucia Canga Roza • Feb 22, 2019 
    This article is super interesting, thank you so much Lokke for your contribution. I believe that the situation of Google in the CNIL's decision is equivalent to the one of non-EU based companies that sell goods, provide services or target the EU without having an establishment in the EU. These are usually companies that have appointed an EU Representative, and cannot benefit from the one-stop-shop principle either. Are these situations even comparable? Do both deserve a similar treatment?
  • comment Toine Stokkermans • Feb 22, 2019 
    Interesting analysis (as always), though how will we eventually get more clarity, or even more important, make the promised simplification of a one-stop-shop more widely available to non-EU headquartered companies?
  • comment Simon Hania • Feb 22, 2019 
    Can't say I disagree with Lokke on this. Largely unnoticed: Dutch DPA recently deemed Uber US (Uber Technologies Inc) and Uber in NL, the EU main establishment (Uber B.V.) "joint controllers", rather than EU=controller/US=processor.
Only published in Dutch though: https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boetebesluit_uber.pdf
  • comment Ian Williams • Feb 25, 2019 
    Really interesting article but I wonder how this plays into the EDPB's final paragraph in supervisory authority's that "The GDPR’s cooperation and consistency mechanism only applies to controllers with an establishment, or establishments, within the European Union. If the company does not have an establishment in the EU, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. This means that controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative."  With Brexit looming I just wonder how this will play out for many UK data controllers with subsidiaries in the EU.  On the face of it this seems to suggest that non-EU companies may find themselves subject to any enforcement action by any supervisory authority in the jurisdiction their representatives are based.
  • comment Emma Butler • Feb 25, 2019 
    I agree with Lokke on this one, but the CNIL decision is not surprising given the resistance from all DPAs to having another authority make decisions on processing affecting their citizens. It has always been the case that some DPAs simply don't trust other authorities and insist they must have the independence to take any action they like where their citizens are affected, regardless of what the law says or the resulting impact on companies and an effective, consistent enforcement approach. Response to Lucia's comment: in this case Google has an EU HQ in Ireland, so it is not the same as non-EU companies having no establishments and only a representative.
  • comment Lokke Moerel • Feb 26, 2019 
    Thank you for the comments posted here as well as to those who emailed me with their views or posted these on LinkedIn. I will not be able to respond to all comments individually. If I summerize the reactions, the gist is that the senders acknowledge that the 1SS is intended as described in the article, but are VERY concerned that for political and practical reasons the 1SS works against protection of individuals rather than enhancing the efficiency by enabling EU wide enforcement as it is intended. Issues that are highlighted are that due to lack of funding and staffing, quite some SAs cannot properly enforce the GDPR in their territory, let alone act as lead SA for 1SS purposes. Another reality highlighted is that some member states have given 'a foot and an arm' to get tech companies to establish their European headquarters in their territory, and for that reason do not seem inclined to empower their SAs sufficiently as this would potentially undermine these efforts. The thinking is that you need the SA of ANOTHER member state to go after these companies, not being hindered by national political and economic self-interests of the country of establishment.   

To those who expressed these concerns, I want to respond that I do of course see that there currently are many practical issues that hinder the 1SS to work efficiently. My take, however, is that if you facilitate from the start that some SAs cannot live up to their role, and basically have other SAs take over their tasks, they will never be empowered to do so. We should give the system a chance, by putting maximum pressure on countries to make sure their SAs can live up to what is expected of them. I think we need to take a longer term vision and strategy to improve enforcement, as was adopted by the EU legislators in the GDPR. I further give more credit than some to the SAs in the various countries being able to act independently from their national governments. Again, if there is an issue in this respect, this should be raised rather than other SAs taking over their role. The EDPB is well placed to put pressure on these SAs to fulfill their responsibilities. In case of a lack of required staff and expertise, Article 62 further provides adequate options for the SAs to organize joint investigation and enforcement operations, very much like the WP29 coordinated these in the past.
  • comment Alex Krylov • Mar 3, 2019 
    Lokke, thank you very much for not only the excellent analysis, but also your insightful response in comments. The CNIL appears to put their fingr on the scale. Deserving or not, other US companies with offices in the may feel disenfranchised by the decision. In your view, if all was fair and right in the universe, what would the Irish DPC, the EDPB or other powers do to set the scales back to neutral?
Related Stories
Contracting for AI: Finding balance
The EU Artificial Intelligence Act was carefully crafted with a risk-based approach to regulating AI — heavily regulating high-risk AI models, lightly regulating generative AI models with systemic risk and leaving low-risk models alone. Not all purchasers of AI functionality have adopted this risk-...
Read More queue Save This
Op-ed: The value in Global CBPR Forum participation
The Global Cross-Border Privacy Rules Forum is seeking to connect the dots for the international free flow of data through its own rules framework and its newly released Privacy Recognition for Processors System. Both certification systems involve accountability agents, with the BBB National Program...
Read More queue Save This

Related Stories
Tags
Europe
Enforcement
Privacy Law
Privacy Opinion
Transborder Data Flow
Recent Comments