Websites go dark, complaints are filed within an hour, European Commission suffers an embarrassing data leak, and the US Commerce Secretary warns about the unintended trade impact of the law – all in the first week of the GDPR

The European Union’s far-reaching General Data Protection Regulation (GDPR) went into effect on 25 May amid much anticipation.  Although the date itself was seen as a watershed moment, what comes after will reveal the full impact of the law.  Even for those businesses that have declared that their GDPR compliance efforts have completed, the work of maintaining and updating their privacy and data protection framework will need to continue well after 25 May.  We have also yet to see how 28 EU member states and the Court of Justice of the European Union will interpret the law.

In the days leading up to 25 May, millions of inboxes were filled with updated privacy notices and requests for marketing consent and pop-up notices for cookies were added to websites across the globe, as many businesses contemplated if and how the new law applies to them.  Just in the first week, we are seeing glimpses of what lays ahead.  Certain American news publications decided to shut themselves off to European users on their websites, a first series of complaints were filed against US tech giants and their subsidiaries, and the European Commission, in an embarrassing turn of events, was found to have had a data leak on one of its websites, Europa.eu.  Just five days after the law has gone into effect, Wilbur Ross, the US Commerce Secretary, published an opinion piece in the Financial Times, that warns: “EU data privacy laws are likely to create barriers to trade.” 

We take a look at the initial reactions and events that occurred in the first week following the implementation of the  GDPR, provide some insight into the GDPR’s impact on the digital economy and trade and provide, as we always do, some practical tips for how to manage privacy and cybersecurity risks in this ‘new era’.

This is Part 5 — the final part — of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In Part 3 we considered the competency of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB). In Part 4 we discussed the consistency mechanism applicable to supervisory authorities. In this Part we look at the application of sanctions by the lead SA across the EU, disagreements between SAs, complaints and litigation for affected data subjects, the application of foreign laws by the lead SA, and matters of language and culture.

Application of sanctions by lead SA across the EU

A Council debate note of 26 May 2014 flagged that at least one EU Member State had raised constitutional problems regarding the legal effect of applying measures decided by the lead SA in other EU Member States.

The Italian Presidency of the Council has addressed these concerns by clarifying that the lead SA would be competent in applying its supervisory powers, deciding on the case and directing the decision, on its own territory, to the main establishment of the controller or processor. It would then be for the data controller or data processor to implement the decision as regards all its establishments in the EU.