Please enable javascript in your browser to view this site

German data protection authorities criticise the one-stop shop mechanism in GDPR

Regulators’ criticism is important in light of the upcoming two-year review of the GDPR, which the EC will carry out later in 2020.

Background: the ‘one-stop shop’ provisions in the GDPR ensure that, for each investigation related to data protection, there is one ‘lead authority’ in the EU. This makes sure businesses only have to deal with one data protection authority (DPA) for the whole EU territory, and that multiple DPAs do not take on the same case, potentially leading to inconsistency in the approach and in the conclusions. In practice, this results in the Irish Data Protection Commission (DPC) being the lead authority in most cases involving the largest tech companies, which all have their EU headquarters in Ireland.

The mechanism shows signs of weakness: In recent weeks, some European DPAs have openly criticised the one-stop shop mechanism. This has been particularly evident in Germany. On 13 February 2020, the Hamburg Commissioner for Data Protection went public on its criticism, saying that “the Europe-wide harmonised sanctioning instruments are implemented very unevenly.” The procedure is described as cumbersome, time-consuming and ineffective. The Commissioner notes that legally binding measures against “globally operating internet services” are largely still being missed, and as a result the objectives of the GDPR are turned into their opposite. Instead of establishing legal protection for data subjects, proceedings are postponed until they are almost forgotten. Despite numerous reports of data protection violations in the last two years, no measures have been taken against the largest internet platforms. This is a “bad sign” in the second year of the GDPR, the Commissioner says.

The ball is now in the EC’s court: The remarks of the German DPA echo the concerns raised by some member states in the European Council in 2019, and put pressure on the EC ahead of its two-year review of the GDPR, due in May 2020. To this end, the Hamburg Commissioner urges the EC to make proposals for legal changes when publishing the review, because “the deficits are structural” and cannot be remedied by cooperation between DPAs alone.