Practical considerations from EU enforcement: One-stop shop
This resource breaks down the key practical takeaways and things to look out for on the EU General Data Protection Regulation’s one-stop shop mechanisms.
Contributors:
Joe Jones
Research and Insights Director
IAPP
This article is the first in a two-part series. The first part covers legal bases and transparency.
If privacy years are measured by the passing of International Data Privacy Days, then the last year (January 28, 2022 – January 27, 2023) was yet another record-breaking one for EU General Data Protection Regulation fines. European data protection authorities issued more than 1.6B euros ($1.7B USD) in fines, an increase of more than 50% from the previous year.
Perhaps more consequential than the fines are enforcement orders mandating corrective action on what personal data organizations process, for what purposes, and how they do it, as well as on how they communicate that to data subjects.
January’s trilogy of enforcement against Meta nearly doubled the European Data Protection Board’s tally of binding decisions arising out of the one-stop-shop dispute resolution mechanism. The EDPB has now adopted seven decisions in all, with an additional binding decision adopted under the separate urgency procedure.
Previously, I commented on the key practical takeaways of January’s enforcement as concerns legal bases and transparency. Here, I break down and comment on the key practical takeaways on the GDPR “one-stop-shop” dispute resolution mechanism, including on how to work with the lead supervisory authority and what to expect from the EDPB and other supervisory authorities.
As before, helpful links and extra reading are at the end of this article. On the facts of — and reaction to — the case, there’s no better place to look than IAPP Staff Writer Jenn Bryant’s reporting on the initial fines and industry reaction.
This note will be of relevance to organizations established in the EU engaged in cross-border EU data processing.
Top tips for privacy pros: