On October the 5th, DigitalEurope organised a high-level panel on the enforcement of the Consistency mechanism in the GDPR, looking in particular at the One-Stop-Shop requirement.

One of the core motivations behind the General Data Protection Regulation (GDPR) has been to ensure that all Member States are aligned to a common EU framework, for which consistent enforcement is of paramount importance. GDPR enforcement is built around a one-stop-shop (OSS) mechanism that assigns the leadership of cross-border cases to the data protection authority (DPA) of a company’s main establishment. This mechanism allows companies to deal with one lead supervisory authority, as opposed to 27, strengthening the single market and avoiding conflicting decisions, while still putting in place rules for cooperation and consistency between authorities. However, this mechanism has come under intense criticism from activists, lawmakers and regulators. For some it is not functioning as intended, or not as fast. Join us for this interactive discussion to find out how much of this criticism is fair, and how much of it is hype.

Gianclaudio Malgieri was invited, as Co-Director of the Brussels Privacy Hub. He addressed the problematic aspects of one-stop-shop, in particular looking at the recent CJEU case on Facebook (June-July 2021) and at the CNIL decisions against Amazon and Facebook. He claimed that it is not sustainable a system where e-privacy matters are decided by different DPAs and general data protection issues are dealt with under a centralized approach. However, also the “country-of-origin” mechanism to choose the Lead Authority is fallacious and should be adapted to a “country-of-impact” mechanism, as already partially allowed under Article 56(2) (mostly, as interpreted by the CJEU).

Among other panelists, there were the Head of the EDPS, Wojciech Wiewiórowski; the head of Cabinet of the European Commissioner Věra Jourová.