On November 30, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on The One-Stop-Shop and the Lead DPA as Co-operation Mechanisms in the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the GDPR’s provisions relating to the One-Stop-Shop (“OSS”) and lead DPA, which will become effective on May 25, 2018.
The GDPR’s OSS essentially stipulates that businesses active in multiple EU Member States will have one supervisory authority as their sole interlocutor (“lead DPA”) for cross-border data protection issues. The identity of the lead DPA will depend on the location of the business’s “main establishment” in the EU, as defined by the GDPR. Other “concerned DPAs” will continue to have a role in addressing relevant data protection matters.
The purposes of the White Paper are to (1) help inform EU DPAs and the Article 29 Working Party (“Working Party”) as they consider further guidance on the criteria used to define “lead DPA” and the cooperation among DPAs in the context of the OSS and lead DPA; (2) identify practical challenges in implementing these provisions from the perspective of data controllers and processors; and (3) suggest other areas for further clarification in the forthcoming guidance from the Working Party on OSS issues.
If implemented properly, the OSS would provide for:
- a more coherent and consistent interpretation of legal requirements across multiple jurisdictions and thus, legal certainty for organizations;
- pooling and coordination of DPA expertise and resources;
- stronger protections for individuals;
- more efficient and effective oversight and enforcement; and
- more focused and productive engagement between businesses and DPAs.
CIPL’s White Paper specifically comments on the importance of transparency in the operation of the OSS and the associated processes of cooperation between EU DPAs. In addition, the White Paper elaborates on issues associated with the process of designating a lead DPA and determining the location of the main establishment. The White Paper argues that significant weight should be given to a business’s own judgment of where its main establishment is located.
Further, the White Paper comments on various operational aspects of the OSS, including (1) how it applies to organizations without an establishment in the EU; (2) cooperation and decision-making between the lead DPA and concerned DPAs; (3) the issue of applying the national laws of other EU Member States in the context of a lead DPA’s investigation; (4) in what circumstances concerned DPAs have jurisdiction; and (5) a business’s relationship with DPAs who are not its “sole interlocutor.”
The White Paper was developed in the context of CIPL’s ongoing GDPR Implementation Project, a multi-year initiative involving research, workshops, webinars and white papers, supported by over 70 private sector organizations, with active engagement and participation by many EU-based data protection and governmental authorities, academics and other stakeholders.