BEERG Newsletter - GDPR: One-stop-shop under threat?

In the BEERG newsletters #5 and #6 (February 2021) we raised the prospect of there being: “…a creeping attempt by member state data protection authorities across the EU to unpick Ms Reding’s one big blanket approach and return to the loose patchwork quilt which she rightly criticised as inefficient and costly”. 

This move to undermine the GDPR’s core One-Stop-Shop principle moved a step forwards on 15 June when the Court of Justice of the European Union (CJEU) issued a ruling that might have far-reaching consequences for GDPR’s one-stop shot mechanism. The CJEU specified that under specific conditions already defined in the privacy framework, national authorities might bring alleged GDPR breaches to court even for cross-border cases where they are not the leading authority. 

The exceptional circumstances include urgency and the limited impact of the GDPR breach in the authority’s jurisdiction. In the one-stop shop mechanism, the leading authority is determined by where the data processing organisation is legally based, and since most tech giants have their legal basis in Ireland and to a lesser extent in Luxembourg these countries had to face an overwhelming number of complaints.

Civil society organisations assessed that the Court decision might finally end the deadlock over GDPR enforcement. Industry associations, however, fear this might lead to multiple legal proceedings against the same complaint. For further information see here.

From BEERG Newsletter Issue #22 – June 24, 2021