Privacy & Information Security Law Blog

On September 27, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on the “GDPR Enforcement Cooperation and the One-Stop-Shop (“OSS”) - Learning from the First Three Years” (the “Paper”). The Paper identifies the challenges faced by the OSS, defines CIPL’s position, and proposes possible solutions to improve the OSS mechanism, taking into account the European Data Protection Board’s (“EDPB”) recent work and decisions by the Court of Justice of the European Union (“CJEU”).

CIPL believes the OSS is essential to supporting the consistent implementation of the GDPR in order to achieve the EU single market, bringing important benefits to individuals, organizations, and Supervisory Authorities (“SAs”). CIPL advocates for making a strong effort at the European level and among SAs to address challenges facing the OSS.

In the Paper, CIPL recommends that the EDPB:

• Continue to work to foster respect, mutual recognition, sharing, and understanding of the different regulatory approaches among the EU Member States;
• Encourage the creation of a common framework for procedural rules, including rules on transparency and the right to be heard;
• Continue to promote the application of the OSS in the e-Privacy Regulation and other EU digital drafts to ensure consistent enforcement and reduce the risk of double jeopardy;
• Foster exchanges between SAs regarding different regulatory approaches, the compliance effects they deliver, and methods of encouraging behavioral changes focused on desired outcomes;
• Continue to ensure that relevant and reasoned objections, mutual assistance and joint operation procedures are used in limited cases of serious concern to further promote SAs’ self-restraint;
• Consider enabling organizations to validate their main establishments and set up a voluntary register;
• Adopt guidelines on how corrective measures should apply, including a clear and transparent decision matrix for calculating administrative fines;
• Foster “self-regulation” among SAs themselves through commitments in a Memorandum of Understanding to complement the GDPR cooperation processes; and
• Because the OSS is subject to a complex arrangement under which supervisory authorities from other jurisdictions (Concerned Supervisory Authorities or “CSAs”) may have views in enforcement actions, consider working over the long term with a panel of three CSAs that is set up to coordinate a single composite response to a proposed Lead Supervisory Authority decision.