Data Protection Report - Norton Rose Fulbright

This is Part 1 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation.

The Council of the European Union (the Council) has recently published a partial general agreement on its version of the so-called ‘One Stop Shop’ mechanism. The Council’s internal deliberations are expressly caveated to the effect that ‘nothing is agreed until everything is agreed’, and a required ‘trilogue’ between the three EU institutions involved in policy and law making cannot commence until the Council has agreed a complete version of the draft General Data Protection Regulation COM (2012) 11/4 (the Regulation).

Why is the One Stop Shop mechanism so controversial in this regard?  Here we discuss why that is the case, we examine the differences in approach between the EU policy and lawmakers of what it should encompass, and we consider the issues that may arise on implementation.

Why the need for a One Stop Shop?

A draft Regulation that would overhaul the existing EU data protection laws is currently under consideration. Its primary aim is to harmonise data protection legislation and enforcement across the EU.

The idea is that there would be a single Regulation that applies throughout the EU Member States. A crucial challenge to its successful implementation lies in achieving consistent and coordinated application across the EU. In an attempt to address that problem, the Regulation introduces a ‘One Stop Shop’ procedure. It is intended to cover situations where a data controller or processor processes information relating to individuals in several EU Member States. In general terms, the rationale underlying the One Stop Shop procedure is that a supervisory authority (SA) in one EU Member State would assume control of the controller’s or processor’s activities, with the assistance and oversight of SAs in other relevant EU Member States.

The One Stop Shop is but one of a number of areas currently under discussion between the European Commission (Commission), European Parliament (Parliament) and Council.  At the risk of over-simplification, these are the three institutions of EU government, and each has its own version of the text of the Regulation. All three must agree a single text before the Regulation can become law.

The One Stop Shop has become a point of controversy between the Commission, Parliament and Council. Here we examine their differences in approach and consider the issues that may arise on implementation of the One Stop Shop.

To understand how the EU arrived at the current position in relation to the One Stop Shop, it is necessary to have some appreciation of the journey.  We examine:

  • the position under the Commission proposal for the new Regulation in 2012  (Commission 2012 Proposal);
  • the most significant differences between the Commission 2012 Proposal and the Parliament’s adopted text of 12 March 2014 (Parliament March 2014 Position); and
  • the Council’s latest internal compromise position: the ‘Partial Agreement’ on this aspect of the Regulation reached between its members on 13 March 2015 (Council March 2015 Position).

What makes up the One Stop Shop?

Many large businesses have operations in multiple EU Member States.  As a result, they process the personal data of individuals from across the EU and undertake such processing in multiple EU Member States.

Embracing this reality, in broad terms the One Stop Shop determines that the SA in a business’s ‘main establishment’ Member State will take on the role of the lead SA in relation to the matter at issue.  Such SA would then be responsible for overseeing all supervisory and enforcement actions across other EU Member States.

The One Stop Shop relies on three building blocks:

  • the concept of a main establishment of data controllers and data processors. As noted above, this determines the lead SA;
  • an expanded jurisdictional competence of SAs, cooperation between SAs, and the concept of a lead SA; and
  • a mechanism to ensure consistency in the interpretation and enforcement of the Regulation across the EU by SAs.


Check back tomorrow for Part 2 of the “One Stop Shop” series, which will examine the concept of “main establishment” and the position of entities without an EU establishment.