The One-Stop-Shop Mechanism under the GDPR: Legislative Intent, Implementation Challenges, and Criticisms

Abstract

The General Data Protection Regulation (GDPR), enacted on May 25, 2018, fundamentally reshaped the landscape of data protection within the European Union (EU). A pivotal innovation introduced by this landmark legislation was the One-Stop-Shop (OSS) mechanism, enshrined primarily in Article 56. Designed to streamline and rationalize data protection enforcement across the diverse legal systems of EU member states, the OSS designates a single lead supervisory authority (LSA) to oversee cross-border data processing activities conducted by organizations with a main establishment within the EU. The overarching intent was to foster consistency, reduce administrative burdens for businesses operating across borders, and enhance efficiency in regulatory actions, thereby ensuring uniform application of data protection principles throughout the Union.

Despite its ambitious and noble intent, the practical implementation of the OSS has been fraught with significant criticism and considerable challenges. This comprehensive research report delves deeply into the legislative origins and foundational principles of the OSS, meticulously examining its intended functions as conceptualized during the GDPR’s drafting phase. Crucially, it then contrasts these theoretical aspirations with the complex practical realities and operational impediments that have emerged since its inception. The analysis critically assesses various dimensions of its struggles, including, but not limited to, the persistent issue of inconsistent application by national Data Protection Authorities (DPAs) across member states, the inherent difficulties arising from fragmented national administrative and procedural laws, chronic resource limitations faced by many DPAs, a pervasive lack of transparency in cooperation and decision-making processes, and the problematic phenomenon of ‘forum shopping’ that the mechanism was specifically designed to mitigate. By providing an in-depth, multi-faceted analysis underpinned by legal interpretations, case law, and scholarly discourse, this report offers crucial insights into the specific problems the OSS was engineered to address, the unforeseen complexities encountered during its operationalisation, and its evolving trajectory within the broader EU data governance framework.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

1. Introduction

The advent of the General Data Protection Regulation (GDPR) on May 25, 2018, marked a transformative moment for digital rights and data governance across the European Union. Representing a radical overhaul of data protection legislation that had largely remained unchanged since the 1995 Data Protection Directive (95/46/EC), the GDPR sought to harmonize divergent national laws, elevate data protection standards, and equip individuals with greater control over their personal information in an increasingly data-driven global economy. Amidst its array of innovative provisions, the One-Stop-Shop (OSS) mechanism, primarily articulated under Article 56, stands out as a cornerstone designed to simplify and rationalize the regulatory landscape for organizations engaged in extensive cross-border data processing.

The conceptualisation of the OSS was rooted in a pressing need. Prior to the GDPR, a company operating across multiple EU member states could face scrutiny from numerous national data protection authorities, each potentially interpreting and enforcing data protection rules differently. This fragmented regulatory environment led to significant administrative complexity, compliance uncertainty, and a cumbersome burden for businesses, often necessitating multiple registrations, differing consent mechanisms, and disparate enforcement responses. The OSS was thus conceived as a strategic solution: by centralizing enforcement actions under a single lead supervisory authority (LSA) for organizations with cross-border processing activities, it aimed to reduce this administrative overhead, foster legal certainty, and ensure a more cohesive and consistent application of data protection laws across the Union’s diverse jurisdictions. Its theoretical promise was to create a predictable and efficient regulatory pathway, beneficial for both data subjects seeking redress and multinational corporations striving for compliance.

However, the journey from legislative intent to practical implementation has proven to be arduous and replete with unforeseen challenges. Despite its laudable objectives and the considerable potential it holds for streamlining EU data protection enforcement, the OSS has encountered substantial criticism regarding its actual effectiveness, efficiency, and fairness. Concerns have been raised by various stakeholders, including data protection authorities themselves, legal practitioners, civil society organizations, and even data subjects, pointing to systemic weaknesses and operational impediments.

This report embarks on a comprehensive exploration of the One-Stop-Shop mechanism. It begins by dissecting its legislative genesis, tracing its development from the shortcomings of the previous directive to its eventual embodiment in the GDPR. It then meticulously outlines the core objectives that underpinned its creation. The central thrust of this research lies in its detailed examination of the practical challenges and criticisms that have surfaced since the OSS became operational. These include, but are not limited to, the observed inconsistencies in DPA application, the complexities arising from deeply entrenched fragmented national administrative procedures, the critical issue of resource disparities among national DPAs, the persistent lack of transparency surrounding collaborative decision-making, and the unintended facilitation of ‘forum shopping’ by some regulated entities. Furthermore, the report will analyze key legal interpretations and developments, particularly those emanating from the Court of Justice of the European Union (CJEU), which have profoundly shaped the understanding and application of the OSS. Finally, drawing upon the identified challenges and existing legal scholarship, this report proposes a series of actionable recommendations aimed at enhancing the OSS mechanism, thereby contributing to a more robust, equitable, and effective data protection enforcement regime within the EU.


2. Legislative Origins and Intent of the One-Stop-Shop Mechanism

2.1. Background and Development: From Fragmentation to Harmonization

To fully appreciate the revolutionary nature and fundamental intent of the One-Stop-Shop (OSS) mechanism, it is imperative to understand the regulatory landscape that preceded the GDPR. Prior to May 2018, data protection within the European Union was primarily governed by Directive 95/46/EC, known as the Data Protection Directive. While this Directive laid down foundational principles for data processing, it was, by its very nature, a directive, meaning it set out overarching goals that member states were then required to achieve through their own national legislation. This approach, while allowing for some national flexibility, inevitably led to a highly fragmented regulatory environment. Each of the then 28 (now 27) member states enacted its own data protection laws, resulting in significant divergences in areas such as notification requirements, the definition of key terms, enforcement powers of national Data Protection Authorities (DPAs), and the level of fines that could be imposed.

This fragmentation posed substantial challenges for both individuals and organizations. For multinational companies, particularly those operating digitally across borders, compliance became a labyrinthine exercise. A company might have to register with multiple DPAs, navigate different interpretations of ‘consent’ or ‘legitimate interest,’ and face separate, potentially contradictory, investigations from various national authorities. This ‘28-stop-shop’ reality created legal uncertainty, significantly increased compliance costs, and was widely perceived as a barrier to the seamless flow of data within the EU’s single market, a core tenet of European integration. Furthermore, for data subjects, seeking redress for data protection infringements in a cross-border context could be confusing, as it was often unclear which DPA held jurisdiction or how to navigate the differing national complaint procedures.

Recognizing these systemic inefficiencies and the imperative to adapt data protection law to the digital age, the European Commission initiated the reform process that culminated in the GDPR. The discussions surrounding the new regulation extensively addressed the need for greater harmonization and a more streamlined enforcement mechanism. The concept of a ‘single point of contact’ or ‘one-stop-shop’ emerged as a crucial solution to address the pre-GDPR fragmentation, particularly for cases involving cross-border data processing. The idea was to designate a single DPA – the lead supervisory authority (LSA) – to handle all supervisory and enforcement tasks related to a particular cross-border processing activity.

The OSS mechanism is primarily defined in Article 56 of the GDPR, titled ‘Competence of the lead supervisory authority.’ This article stipulates that the DPA of the main establishment or the single establishment of a controller or processor shall be the LSA for its cross-border processing activities. It operates in conjunction with other crucial articles, notably Article 60 (Cooperation between the lead supervisory authority and the other concerned supervisory authorities), Article 63 (Consistency mechanism), and Article 65 (Dispute resolution by the European Data Protection Board – EDPB). These articles collectively outline a sophisticated system of cooperation and consistency, designed to ensure that while a single DPA leads an investigation, the concerns and perspectives of other ‘concerned supervisory authorities’ (CSAs) – those DPAs in member states where data subjects are substantially affected by the processing – are duly considered and integrated into the final decision.

Recitals of the GDPR further illuminate the legislative intent behind the OSS. Recital 124 states that the LSA ‘should be competent to handle procedures concerning the controller or processor’s cross-border processing in accordance with this Regulation.’ Recital 125 emphasizes the need for ‘close cooperation’ between the LSA and CSAs, ensuring ‘consistent application’ of the GDPR. Recital 126 provides for the possibility of a DPA other than the LSA to handle a complaint if the LSA fails to act or if the subject matter only concerns processing carried out in a single member state. These provisions underscore a delicate balance: centralizing competence while ensuring adequate protection for data subjects across all affected member states.

2.2. Objectives of the One-Stop-Shop: Pillars of Cohesion and Efficiency

The strategic objectives underpinning the design and implementation of the One-Stop-Shop mechanism were multi-faceted, aiming to overcome the systemic shortcomings of the pre-GDPR regulatory framework and to foster a more effective, coherent, and predictable data protection regime across the EU:

  • Centralization of Enforcement and Reduction of Administrative Burden:
    One of the foremost objectives of the OSS was to centralize enforcement actions for organizations engaged in cross-border data processing. By designating a single LSA, the mechanism aimed to significantly reduce the administrative complexity and compliance burden faced by multinational corporations. Instead of interacting with potentially dozens of national DPAs, each with its own procedures and interpretations, an organization could now principally engage with one authority. This singular point of contact was envisioned to streamline investigations, facilitate communication, and prevent the issuance of contradictory orders or inconsistent fines across different jurisdictions. For instance, a major tech company headquartered in Ireland processing data across all EU member states would primarily deal with the Irish Data Protection Commission (DPC) for its cross-border activities. This simplification was expected to lower compliance costs, increase legal certainty for businesses, and allow them to focus resources more effectively on actual data protection rather than navigating bureaucratic hurdles. It was a clear response to industry calls for a more predictable and unified regulatory environment that would foster economic growth and innovation within the digital single market.

  • Consistency in Application of Data Protection Laws:
    A fundamental aim of the GDPR itself was to achieve a uniform and consistent application of data protection law across the EU. The OSS mechanism is a critical enabler of this goal. In the fragmented pre-GDPR era, national DPAs could interpret identical provisions differently, leading to an uneven playing field for businesses and varying levels of protection for data subjects depending on their location. The OSS, through the cooperation and consistency mechanisms (Articles 60 and 63), was designed to mitigate such discrepancies. The LSA, in collaboration with CSAs and under the guidance of the EDPB, is expected to develop a single, coherent decision for cross-border cases. This process, involving information exchange, joint investigations, and where necessary, binding dispute resolution by the EDPB (Article 65), aims to ensure that the GDPR’s provisions are interpreted and enforced uniformly, thereby preventing regulatory arbitrage and guaranteeing an equivalent standard of data protection for all EU citizens.

  • Facilitation of Cross-Border Operations and Legal Certainty:
    For organizations heavily engaged in cross-border data processing, the OSS was intended to provide a clear and predictable regulatory environment. By clearly defining the competent authority and outlining the cooperative procedures, it sought to enhance legal certainty, allowing businesses to plan and execute their data processing activities with greater confidence. This predictability is vital for fostering innovation and facilitating the free flow of personal data within the EU Single Market, which is crucial for the digital economy. Companies can design their compliance strategies knowing which DPA will be their primary interlocutor and how cross-border issues will be handled, thereby reducing the risk of unexpected enforcement actions from multiple jurisdictions. This, in turn, supports the broader EU objective of a thriving digital single market built on trust and high data protection standards.

  • Enhanced Data Subject Rights and Effective Redress:
    While often discussed in terms of business efficiency, a crucial, though sometimes overlooked, objective of the OSS is to enhance data subject rights and simplify access to effective redress. In a fragmented system, a data subject might struggle to identify which DPA to approach if their data protection rights were infringed by a company operating across borders. The OSS clarifies this by establishing that individuals can lodge a complaint with the DPA in their own member state, regardless of where the company’s main establishment is located. This local DPA then liaises with the LSA, ensuring that the data subject has a clear point of contact in their own language and legal system. This mechanism is designed to empower individuals, making it easier for them to exercise their rights, obtain information about the processing of their data, and seek appropriate remedies, thereby reinforcing the GDPR’s person-centric approach to data protection.

In essence, the OSS was conceptualized as a cornerstone of the GDPR’s ambition to create a harmonized, efficient, and rights-centric data protection framework. Its success hinges on the effective interplay between centralisation, cooperation, and consistent application across all member states, striving for a balance between administrative simplification for businesses and robust protection for individuals.


3. Practical Challenges and Criticisms of the One-Stop-Shop Mechanism

Despite its elegant theoretical design and ambitious objectives, the implementation of the One-Stop-Shop (OSS) mechanism has revealed a complex array of practical challenges and attracted significant criticism from various stakeholders. These operational impediments have, in some instances, hampered its effectiveness, prolonged investigations, and created a perception of inconsistency or even regulatory inaction. The issues stem from a confluence of factors, including the inherent complexities of cross-border enforcement, varying national legal cultures, and uneven resource allocation.

3.1. Inconsistent Application by Data Protection Authorities: A Patchwork of Interpretations

The OSS mechanism fundamentally relies on robust cooperation and a shared understanding among national supervisory authorities (DPAs) to ensure consistent application of the GDPR. However, one of the most persistent and significant criticisms leveled against the OSS is the observed inconsistency in DPA interpretations and enforcement approaches. This inconsistency manifests in several ways:

Firstly, there are divergent interpretations of key GDPR concepts. While the GDPR aims for harmonisation, specific terms like ‘legitimate interest,’ ‘appropriate technical and organisational measures,’ ‘personal data breach,’ or even the precise scope of ‘special categories of personal data’ can be interpreted differently by various national DPAs. These nuances can lead to different compliance requirements or enforcement outcomes for the same type of processing activity across the EU. For instance, what one DPA considers sufficient for a data breach notification might be deemed inadequate by another, causing confusion for controllers and potentially leading to disparate penalties.

Secondly, varying enforcement priorities and sanctioning approaches contribute to inconsistency. Each DPA may have its own strategic focus, influenced by national legal traditions, public concerns, or specific sectoral challenges. Some DPAs might prioritize proactive investigations into specific technologies (e.g., AI, ad tech), while others might focus more on handling individual complaints or promoting awareness. Furthermore, the calculation and imposition of administrative fines, while guided by GDPR Article 83, can still vary significantly. The Irish Data Protection Commission (DPC), despite being the LSA for many tech giants, has faced criticism for imposing fines that some perceive as disproportionately low compared to other DPAs for similar infringements, leading to accusations of a ‘soft touch’ approach that undermines the principle of deterrence across the EU. For example, while the Irish DPC imposed a €405 million fine on Meta (Instagram) in September 2022 for children’s privacy breaches, other DPAs, notably the French CNIL or German authorities, have demonstrated a willingness to issue significant fines against other companies for different infringements, contributing to the perception of uneven enforcement.

Thirdly, competence disputes and the interplay between LSA and concerned SAs have highlighted inherent challenges. The case of Facebook Ireland Ltd, Facebook Inc., Facebook Belgium BVBA v. Gegevensbeschermingsautoriteit (Case C-645/19) vividly illustrates these complexities. In this case, the Belgian DPA initiated proceedings against Facebook despite the Irish DPC being the designated LSA for Facebook’s cross-border processing. The Court of Justice of the European Union (CJEU) ultimately clarified the conditions under which non-leading SAs may initiate proceedings. While the CJEU affirmed the LSA’s primary competence, it also recognized situations where other DPAs could act, particularly concerning ‘local’ processing or in ‘urgent cases’ (Article 66), or if the LSA fails to respond adequately within a reasonable timeframe (Article 60(6)). While this ruling sought to bring clarity, it also highlighted the ongoing tension between centralisation and national sovereignty, and the potential for a ‘dual track’ enforcement approach that could still lead to fragmentation if not managed carefully. The challenge lies in ensuring that these exceptions do not become the norm, thereby undermining the very purpose of the OSS.

Finally, the European Data Protection Board’s (EDPB) Article 65 dispute resolution mechanism, designed to resolve disagreements between DPAs regarding cross-border cases, has also faced scrutiny. While crucial for fostering consistency, its process can be lengthy and resource-intensive. The number of binding decisions adopted under Article 65 indicates that disagreements are not uncommon, and the time taken to reach these decisions can prolong investigations, leading to delays in redress for data subjects and prolonged uncertainty for controllers. The existence of these disputes underscores the deep-seated interpretive differences among national DPAs that the OSS was meant to overcome.

3.2. Fragmented National Procedures: A Web of Administrative Divergence

The effectiveness of the OSS mechanism is predicated on a significant degree of procedural harmonization among national DPAs. However, the GDPR primarily harmonizes substantive data protection law, leaving many aspects of administrative procedure to national law. This has led to persistent fragmentation in national procedures, which severely impedes the smooth functioning of the OSS.

Differences in legal traditions are a primary driver of this fragmentation. Some member states operate under common law systems, while others adhere to civil law traditions. These fundamental differences influence everything from rules of evidence, the investigative powers of administrative bodies, the role of national courts in oversight, to the very conceptualisation of administrative due process. For example, the investigative powers of a DPA in one member state (e.g., the power to conduct dawn raids, compel testimony, or access IT systems) may be more extensive or operate under different conditions than in another. This can create challenges for an LSA attempting to coordinate a consistent approach across multiple jurisdictions, particularly when gathering evidence or enforcing decisions.

Furthermore, varying administrative practices and procedural requirements among member states lead to operational bottlenecks. These include:

  • Different timelines and deadlines: National laws may prescribe different timeframes for responding to information requests, initiating investigations, or issuing decisions, making it difficult for an LSA to manage a unified cross-border process.
  • Formalities for information exchange: While Article 60 encourages cooperation, the practicalities of exchanging sensitive information, sharing investigative findings, and consulting on draft decisions can be complicated by differing national requirements for confidentiality, data handling, and legal privilege.
  • Procedural rights of parties: The rights of data controllers, processors, and data subjects during an investigation (e.g., rights to be heard, access to case files, appeal procedures) can vary significantly. This can lead to situations where a procedure acceptable in one member state might not meet the due process standards of another, complicating enforcement actions and potentially leading to successful appeals on procedural grounds.
  • Judicial review mechanisms: National courts play a critical role in reviewing DPA decisions. The scope, speed, and nature of judicial review processes differ widely across the EU. A decision by an LSA, even if agreed upon by CSAs and the EDPB, can still be challenged in the national courts of the LSA’s member state, or in some cases, other affected member states. Divergent judicial interpretations or prolonged appeal processes in one jurisdiction can undermine the consistency and finality of OSS decisions across the Union.

This fragmentation undermines the OSS’s goal of providing a cohesive regulatory framework. It can lead to prolonged investigations, increased legal costs for businesses attempting to navigate these varied procedures, and delays in providing redress for data subjects. It also places a heavy coordination burden on the LSA, which must continually reconcile its own national procedures with the expectations and requirements of CSAs.

3.3. Resource Limitations of Data Protection Authorities: The ‘Irish Bottleneck’ and Beyond

A critical and frequently cited impediment to the effective functioning of the OSS mechanism is the significant disparity in resources among national Data Protection Authorities (DPAs) across the EU. The ideal operation of the OSS requires well-resourced, expertly staffed DPAs capable of handling complex cross-border investigations, often involving sophisticated technological processing and legal intricacies. The reality, however, often falls short.

Many DPAs, particularly in smaller member states or those with less robust public sector funding, face chronic resource constraints in terms of budget, personnel, and specialized expertise. While large DPAs like the German, French, or Spanish authorities might have hundreds of staff, including dedicated legal, technical, and forensic experts, smaller DPAs might operate with a handful of generalists. This disparity becomes acutely problematic in the context of the OSS, as the DPA of the ‘main establishment’ (often Ireland for major tech companies) bears the primary burden of investigating complex, high-profile cross-border cases that affect millions of EU citizens.

The Irish Data Protection Commission (DPC) provides a stark illustration of this challenge. Due to Ireland’s favorable corporate tax regime and its historical role as a European headquarters for numerous global technology giants (e.g., Meta, Google, Apple, Microsoft, TikTok, X), the Irish DPC has become the lead supervisory authority for a disproportionate number of the world’s largest and most complex data controllers. Despite significant increases in its budget and staffing since the GDPR’s implementation, the DPC has faced persistent criticism for delays in handling high-profile cases involving these major tech companies. Civil society organizations and other national DPAs have frequently pointed to a substantial backlog of investigations, with some cases taking years to reach a conclusion. This slow pace is often attributed to the sheer volume and complexity of cases, coupled with what some argue is still insufficient resourcing to effectively challenge the formidable legal and technical resources of the tech giants. This phenomenon has been widely termed the ‘Irish bottleneck,’ creating a perception of regulatory paralysis or ineffective enforcement for some of the most impactful data processing operations in the EU.

Beyond Ireland, resource limitations manifest in several ways across other DPAs:

  • Limited proactive enforcement: With strained resources, DPAs may be more reactive, primarily handling individual complaints rather than initiating own-volition investigations into systemic issues or emerging technologies.
  • Inability to handle complex technical cases: The digital economy requires DPAs to have strong technical expertise (e.g., in AI, blockchain, cybersecurity, ad tech). Resource limitations often mean a lack of specialized forensic analysts, IT experts, or data scientists, hindering effective investigation into sophisticated data processing practices.
  • Reduced capacity for international cooperation: While cooperation is central to the OSS, under-resourced DPAs may struggle to dedicate staff to extensive cross-border coordination, participation in EDPB working groups, or joint investigations.
  • Impact on credibility and deterrence: When investigations drag on for years or result in fines perceived as inadequate relative to the scale of the infringement or the company’s revenue, it can diminish the credibility of the DPA and the OSS mechanism as a whole. This can reduce the deterrent effect of enforcement, leading to a perception that large companies can effectively ‘out-wait’ the regulators.

The lack of sufficient and equitable resources across DPAs thus creates an imbalance within the OSS, where the most impactful cases are often handled by authorities facing the greatest capacity strains. This systemic issue undermines the uniform application and robust enforcement that the GDPR envisioned.

3.4. Lack of Transparency in Decision-Making: Obscuring the Path to Consistency

Transparency is a cornerstone of good governance, essential for ensuring legitimacy, accountability, and public trust in regulatory actions. However, the operation of the OSS mechanism, particularly the cooperation and consistency procedures involving the LSA, concerned SAs, and the EDPB, has been criticized for a pervasive lack of transparency. This opacity raises significant concerns for data subjects, data controllers, and the broader public.

The core of the issue lies in the confidential nature of inter-DPA communications and dispute resolution. While GDPR Article 60 outlines the cooperation procedure, and Article 65 details the EDPB’s binding dispute resolution mechanism, the internal deliberations, draft opinions, and detailed reasoning exchanged between DPAs are not typically made public. This means:

  • Limited visibility into LSA-CSA interactions: Data subjects and controllers often have little insight into how their complaints or cases are progressing through the cooperation mechanism. They may be aware that their case is ‘cross-border’ and therefore being handled by an LSA, but the specific input, disagreements, and compromises made by concerned SAs are largely hidden from public view. This lack of visibility can be frustrating for complainants seeking redress and makes it difficult for controllers to understand the specific concerns raised by different national authorities.
  • Opacity of EDPB binding decisions: While the final binding decisions adopted by the EDPB under Article 65 are eventually published (often with significant redactions to protect confidential information or trade secrets), the detailed reasoning, the dissenting opinions of individual DPAs, and the full scope of internal debates are usually not. This can hinder a full understanding of the EDPB’s rationale and the complex interplay of legal interpretations that led to the final outcome. It also limits the development of a transparent common jurisprudence that could guide future compliance efforts.
  • Impact on accountability and trust: The lack of transparency can erode public trust in the regulatory process. When decisions appear to emerge from a ‘black box,’ it can lead to accusations of undue influence, political pressure, or insufficient rigor in the decision-making process. For data subjects, it can create a perception that their concerns are not being adequately addressed or that the system is not truly independent. For regulated entities, it can make it difficult to anticipate enforcement trends or to learn from past cases, hindering the development of robust compliance programs across the EU.
  • Hindrance to common interpretation: Public scrutiny and detailed publication of enforcement decisions, including the reasoning and the interplay between different DPAs, are crucial for the development of consistent legal interpretations and best practices. Without this transparency, it becomes harder for legal scholars, privacy professionals, and organizations to discern a clear and consistent application of the GDPR across diverse cases and jurisdictions.

While the need for confidentiality during ongoing investigations and the protection of business secrets are valid considerations, a balance must be struck. Critics argue that the current level of opacity disproportionately favors the administrative convenience of the authorities over the public interest in transparency and accountability, ultimately hindering the very consistency and legal certainty the OSS aims to achieve.

3.5. Forum Shopping Phenomenon: Unintended Consequences of the OSS

One of the explicit aims of the GDPR’s One-Stop-Shop mechanism was to prevent ‘forum shopping’ – a practice whereby organizations might strategically establish their legal presence or ‘main establishment’ in a particular member state perceived to have a more lenient, less resourced, or slower-acting DPA. The OSS was intended to remove the incentive for such behavior by ensuring consistent enforcement regardless of the LSA’s location. Ironically, however, the very complexities and perceived inconsistencies within the OSS have, in some cases, inadvertently facilitated or exacerbated the forum shopping phenomenon.

The core of this issue lies in the definition of ‘main establishment’ under GDPR Article 4(16). For a controller, this is the place of its central administration in the Union, unless decisions about the purposes and means of processing are taken elsewhere. For a processor, it is its central administration in the Union. Companies without an establishment in the EU must instead designate a representative. While seemingly straightforward, the practical application of this definition has proven susceptible to strategic manipulation.

Companies, particularly large multinational tech corporations, have often chosen to establish their European headquarters in member states with historically perceived ‘business-friendly’ regulatory environments or those with a smaller, less experienced DPA. Ireland, as noted earlier, is a prime example, serving as the European hub for numerous tech giants. Critics argue that these companies have effectively ‘forum shopped’ by choosing Ireland as their main establishment, knowing that the Irish DPC would become their LSA. Given the DPC’s widely reported resource limitations and the extensive caseload, some concerned supervisory authorities and privacy advocates contend that this has led to a de facto ‘regulatory arbitrage,’ where companies benefit from slower or less stringent enforcement than they might face in other, more assertive jurisdictions.

The consequences of this perceived forum shopping are severe:

  • Undermining uniform enforcement: If companies can effectively choose their regulator based on perceived leniency, it directly undermines the GDPR’s goal of consistent application and robust enforcement across the entire EU. It creates an uneven playing field, where some companies may face more rigorous scrutiny than others for similar infringements, simply based on their chosen ‘main establishment.’
  • Erosion of trust and fairness: The perception that large corporations can circumvent stricter enforcement by locating their headquarters in a particular jurisdiction erodes public trust in the GDPR’s effectiveness and fairness. It can lead to accusations that the system is not truly independent or that it disproportionately impacts smaller entities or those without the resources to engage in such strategic maneuvering.
  • Strain on LSA resources: The concentration of major cross-border cases in one or a few LSAs (e.g., the Irish DPC) places immense strain on their resources, contributing to the ‘bottleneck’ effect and further delays in enforcement. This also means that DPAs in other member states, despite having strong concerns about the impact on their own citizens, may feel disempowered or reliant on a single, potentially overwhelmed, authority.
  • Regulatory arbitrage: This practice allows companies to benefit from lower compliance costs or reduced enforcement risks compared to what they might face if they were subjected to the scrutiny of DPAs in member states where the bulk of their affected data subjects reside. This creates a disincentive for truly robust data protection practices.

While the EDPB has issued guidelines on the concept of ‘main establishment’ to clarify its interpretation and prevent abuse, the issue remains a contentious point. The persistent perception of forum shopping highlights a fundamental tension within the OSS: balancing the goal of a single point of contact with the imperative of truly consistent and robust enforcement across the entire Union, irrespective of a company’s chosen European base.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

4. Legal Interpretations and Developments

The effective functioning and evolution of the One-Stop-Shop (OSS) mechanism are intrinsically linked to legal interpretations, particularly those emanating from the Court of Justice of the European Union (CJEU). The CJEU plays a pivotal role in ensuring the uniform application of EU law, including the GDPR. Its rulings provide authoritative guidance on the intricate interplay between the lead supervisory authority (LSA), concerned supervisory authorities (CSAs), and national courts, significantly shaping the practical application of the OSS.

4.1. CJEU’s Clarification on the One-Stop-Shop Mechanism: The Facebook Ireland Case (C-645/19)

The most significant and illustrative CJEU ruling concerning the OSS mechanism to date is the judgment in Case C-645/19, Facebook Ireland Ltd, Facebook Inc., Facebook Belgium BVBA v. Gegevensbeschermingsautoriteit (Belgian DPA). This case arose from a dispute initiated by the Belgian DPA against Facebook Ireland, despite the Irish Data Protection Commission (DPC) being the designated LSA for Facebook’s cross-border data processing activities within the EU. The Belgian DPA sought an injunction against Facebook’s processing of data relating to Belgian users of the social network via plug-ins and cookies, alleging GDPR violations (specifically, the use of tracking cookies on non-users of Facebook without their consent).

The core legal question before the CJEU was whether a DPA, other than the LSA, had the competence to bring enforcement proceedings before its national courts concerning cross-border data processing activities falling under the OSS mechanism. The Advocate General’s opinion (discussed below) had suggested a strict interpretation, largely confining such competence to the LSA, save for very narrow exceptions. However, the CJEU’s final judgment, delivered on 15 June 2021, adopted a more nuanced, albeit complex, interpretation.

The Court clarified several crucial points regarding the competence of non-LSA DPAs:

  • Primary Competence of the LSA: The CJEU unequivocally affirmed that the LSA holds primary competence for cross-border processing cases. This reinforces the core principle of the OSS, ensuring that a single DPA leads investigations and decision-making for a given controller’s or processor’s cross-border activities.
  • Exceptions for Concerned Supervisory Authorities (CSAs): The Court, however, identified specific scenarios where a non-LSA DPA (a CSA) could bring proceedings before its national courts, even in a cross-border context:
    • ‘Local’ Processing: A CSA can bring proceedings if the processing in question relates only to an establishment of the controller or processor in its own member state, and the processing substantially affects data subjects only in that member state. This applies where the issue is genuinely confined to the national territory and does not have significant cross-border implications.
    • Urgent Cases (Article 66): Article 66 of the GDPR allows a DPA to adopt provisional measures, without immediately involving the LSA, in ‘urgent situations’ to protect the rights and freedoms of data subjects. Such measures must be temporary (maximum three months) and immediately communicated to the LSA and the EDPB, which then decides whether to issue an urgent binding opinion. The CJEU confirmed that a DPA could bring an action before a national court to obtain such provisional measures.
    • Failure of the LSA to Act: The CJEU implicitly acknowledged that if the LSA fails to take appropriate action in a cross-border case, or if there is a perceived lack of cooperation, a CSA might eventually be able to act. While not explicitly granting universal competence in such scenarios, the Court’s emphasis on the ‘cooperation and consistency’ principle implies that if these mechanisms fail, other avenues may eventually become necessary. This scenario aligns with Article 60(6) GDPR, which allows a CSA to adopt provisional measures if the LSA has not taken a decision after an opinion by the EDPB and the CSA deems such action necessary to protect data subjects’ rights.
  • Role of the Cooperation Mechanism (Article 60): The CJEU stressed that even when a non-LSA DPA acts, it must generally do so within the framework of the GDPR’s cooperation mechanism (Article 60). This means the DPA should first attempt to engage with the LSA and the EDPB to resolve the issue, rather than unilaterally initiating court proceedings, unless explicitly allowed by the GDPR.

The impact of this ruling on the OSS is complex. On one hand, it reaffirmed the LSA’s central role, thereby upholding the principle of the one-stop-shop. On the other hand, by clarifying and expanding the scope for non-LSA DPAs to act, it introduced an element of procedural complexity and potentially a ‘two-track’ enforcement system. While designed to provide a safety net against LSA inaction or insufficient protection, some critics argue that it could also lead to more legal challenges and potentially undermine the efficiency and predictability that the OSS was designed to achieve. It underscored the delicate balance between centralized enforcement and the sovereign rights and responsibilities of national DPAs to protect their citizens.

4.2. Advocate General’s Opinion on Supervisory Authorities’ Competence: A Stricter View

Prior to the CJEU’s final judgment in Case C-645/19, Advocate General Michal Bobek delivered his opinion on 13 January 2021. Advocate General opinions are advisory and non-binding but are highly influential, often providing a detailed analysis of the legal issues and a strong indication of the direction the Court might take. In this instance, AG Bobek’s opinion took a notably stricter and more restrictive view on the competence of non-LSA DPAs compared to the CJEU’s eventual judgment.

AG Bobek argued that the OSS mechanism generally prevents supervisory authorities who are not the lead authority from bringing proceedings before their national courts concerning cross-border processing, except in extremely limited and exceptional cases specifically provided for by the GDPR. His opinion emphasized the integrity of the OSS framework, suggesting that allowing multiple DPAs to initiate legal proceedings independently would fundamentally undermine its purpose of streamlining and centralizing enforcement. He asserted that the cooperation and consistency mechanisms within the GDPR (Articles 60, 63, 65) provide the exhaustive framework for addressing cross-border cases and that a DPA should primarily use these tools to ensure its concerns are heard and addressed by the LSA and the EDPB. He expressed concerns that a broader interpretation of DPA competence could lead to ‘regulatory chaos’ and a return to the pre-GDPR fragmentation, thereby nullifying the benefits of the OSS.

Specifically, AG Bobek argued that national DPAs should not be able to bypass the LSA’s primary competence and the EDPB’s dispute resolution mechanism simply by resorting to national court proceedings, unless there was a clear, explicit provision in the GDPR allowing them to do so (e.g., Article 66 for urgent measures, or Article 55 for purely national processing). He was notably more cautious about interpreting Article 60(6) GDPR as a general gateway for unilateral DPA action.

The divergence between AG Bobek’s opinion and the subsequent CJEU judgment highlights the interpretive complexities and the inherent tensions within the OSS mechanism. While the AG prioritized the efficiency and structural integrity of the OSS by limiting exceptions, the CJEU sought to balance this with the need to ensure effective protection of data subjects’ rights and to provide a safety net when the LSA mechanism might be perceived as failing. The CJEU’s ruling indicates a slightly greater willingness to allow for national DPA intervention under defined circumstances, even if those circumstances are not exhaustively enumerated in the GDPR as exceptions to the LSA’s competence. This ongoing legal dialogue underscores that the application and boundaries of the OSS are still very much under active interpretation and development.

5. Recommendations for Enhancing the One-Stop-Shop Mechanism

The challenges and criticisms leveled against the One-Stop-Shop (OSS) mechanism, while significant, do not negate its fundamental importance as a cornerstone of EU data protection enforcement. Instead, they highlight areas where targeted reforms and concerted efforts are required to unlock its full potential. Addressing these issues demands a multi-faceted approach involving legislative clarifications, enhanced cooperation, increased resource allocation, and a stronger commitment to transparency.

5.1. Strengthening Cooperation Among Supervisory Authorities: Fostering a Common Enforcement Culture

Effective cooperation is the linchpin of the OSS. While the GDPR mandates cooperation, its practical implementation has revealed friction points. To enhance this crucial element:

  • Developing Common Investigative Protocols and Best Practices: The European Data Protection Board (EDPB) should lead the effort to develop standardized, binding protocols for conducting cross-border investigations. This would include common methodologies for evidence gathering, interview techniques, assessment of technical and organisational measures, and calculation of fines. Such standardization would reduce procedural fragmentation and foster a more uniform approach across DPAs. Regular sharing of anonymized case studies and lessons learned could further enhance this.
  • Intensifying Joint Training and Exchange Programs: Investing in regular joint training sessions for DPA staff, particularly those involved in cross-border cases, is crucial. These programs should focus on fostering a shared understanding of GDPR interpretations, common enforcement priorities, and efficient cooperation procedures. Exchange programs where DPA staff spend time working within other national DPAs or at the EDPB could build trust, improve communication, and create a more cohesive ‘EU DPA culture.’
  • Streamlining Information Sharing and Communication Channels: The current communication processes under Article 60 need to be made more efficient and transparent among DPAs. This could involve developing a dedicated, secure, and user-friendly IT platform for real-time information exchange, document sharing, and consultation on draft decisions. Clearer guidelines on the format, content, and timelines for information requests and responses between LSAs and CSAs would reduce delays and misunderstandings.
  • Promoting Proactive Dialogue and Early Dispute Resolution: Encouraging LSAs to engage with CSAs much earlier in the investigative process, even before formal drafts are prepared, could pre-empt disagreements. Establishing dedicated ‘cooperation officers’ within each DPA to facilitate smooth communication could further improve efficiency. The EDPB’s Article 65 dispute resolution mechanism, while vital, should be seen as a last resort, with efforts focused on resolving differences at earlier stages through structured dialogue.

5.2. Allocating Adequate Resources to Data Protection Authorities: Empowering Effective Enforcement

The chronic under-resourcing of many DPAs, particularly those acting as LSAs for major tech companies, is a critical bottleneck. Addressing this requires concerted action:

  • Increased and Sustained National Funding: Member states must recognize the strategic importance of well-funded DPAs for effective GDPR enforcement and for upholding fundamental rights. National governments should commit to significantly increasing the budgets and staffing levels of their DPAs, particularly those with a high volume of cross-border cases. This includes funding for a sufficient number of legal, technical, and forensic experts capable of investigating complex digital practices.
  • Strategic Recruitment and Specialized Training: Beyond mere numbers, DPAs need to attract and retain highly specialized talent in areas such as cybersecurity, artificial intelligence, data analytics, and cloud computing. This requires competitive remuneration and continuous professional development programs. The EDPB could facilitate the creation of a ‘talent pool’ or offer specialized EU-level training courses to address skill gaps across member states.
  • Exploring EU-Level Financial Support: Given that LSAs carry a significant burden for the entire EU in terms of cross-border enforcement, consideration should be given to establishing a dedicated EU fund to supplement national DPA budgets specifically for cross-border investigations. This could help redistribute the financial burden and ensure that critical cases are not hampered by the financial limitations of individual member states.
  • Improving Operational Efficiency through Technology: Investing in modern technological tools for case management, data analysis, and secure communication can enhance DPA efficiency, allowing them to do more with existing resources. This includes AI-powered tools for identifying patterns in complaints or for initial assessment of data processing activities.

5.3. Improving Transparency in Decision-Making Processes: Building Trust and Predictability

While confidentiality is necessary during investigations, greater transparency in the overall OSS process is essential for legitimacy and accountability:

  • Enhanced Publication of EDPB Decisions and Opinions: All binding decisions and significant opinions adopted by the EDPB (especially under Article 65) should be promptly published in full, with minimal and justified redactions. These publications should be accompanied by clear, accessible summaries explaining the legal reasoning and the implications for both data subjects and controllers. Dissenting opinions of DPAs should also be made public where appropriate, providing valuable insight into differing interpretations.
  • Public Registers of Cross-Border Cases: LSAs should maintain a publicly accessible, regularly updated register of ongoing cross-border investigations, indicating the status of the case (e.g., ‘under investigation,’ ‘draft decision pending,’ ‘EDPB opinion awaited,’ ‘final decision issued’). While sensitive details would be protected, this would provide greater clarity on the progress of cases.
  • Clearer Communication with Data Subjects and Controllers: LSAs should improve communication channels with complainants and the regulated entities. This includes providing regular, albeit high-level, updates on the progress of cross-border cases, explaining the OSS process in an accessible manner, and clearly outlining the stages of inter-DPA cooperation and dispute resolution. Standardized templates for such communications could be developed.
  • Developing Common Methodologies for Fining: To foster transparency and consistency in enforcement outcomes, the EDPB should develop clearer guidelines or methodologies for calculating administrative fines, taking into account factors like gravity, duration, negligence, and cooperation, as outlined in Article 83. This would provide greater predictability for businesses and reduce the perception of arbitrary fines.

5.4. Addressing the Forum Shopping Issue: Ensuring Substance Over Form

To genuinely curb forum shopping and ensure that the LSA is truly the most appropriate authority based on genuine operational ties, rather than strategic choices:

  • Refining the ‘Main Establishment’ Definition: The EDPB should issue further, more detailed, and legally robust guidelines on the interpretation of ‘main establishment’ (Article 4(16)). These guidelines should emphasize a ‘substance over form’ approach, focusing on where key decisions about data processing are actually made, where significant operational control lies, and where the effective management of data processing activities takes place, rather than solely relying on formal corporate registration.
  • Proactive EDPB Role in LSA Determination: In highly complex cases involving multiple EU entities or ambiguous main establishments, the EDPB could play a more proactive role in facilitating the determination of the LSA, potentially through a dedicated sub-committee or pre-consultation mechanism. This could prevent disputes over competence from delaying investigations.
  • Empowering Concerned Supervisory Authorities to Challenge LSA Determination: CSAs should be explicitly empowered and encouraged to challenge the determination of the LSA where they have strong grounds to believe that the designated LSA does not genuinely represent the ‘main establishment’ or that another DPA would be more appropriate based on the substance of the processing operations.
  • Considering Legislative Amendments (Long-Term): If the problem persists despite guidelines and enhanced interpretation, EU legislators might need to consider amending Article 4(16) to provide a more robust and less susceptible-to-manipulation definition of ‘main establishment’ for data protection purposes, perhaps introducing a ‘centre of gravity’ or ‘effective control’ test that looks beyond mere administrative registration.

5.5. Additional Recommendations: A Holistic Approach

Beyond the core issues, further considerations can bolster the OSS:

  • Harmonization of Procedural Rules: While challenging given national legal traditions, the European Commission, in conjunction with the EDPB, could explore targeted initiatives to harmonize specific administrative procedural rules related to GDPR enforcement, such as standardizing timelines for formal steps, evidence admissibility, and the rights of parties during DPA investigations. This would reduce delays and legal inconsistencies that arise from varied national practices.
  • Promoting Alternative Dispute Resolution (ADR): For certain types of cross-border complaints, encouraging the use of ADR mechanisms (mediation, conciliation) could provide quicker and less adversarial resolutions, freeing up DPA resources for more complex or systemic investigations.
  • Regular Review and Evaluation: The functioning of the OSS should be subject to regular, independent review and evaluation by the European Commission, potentially every two to three years. These reviews should assess its efficiency, consistency, and impact, leading to data-driven recommendations for continuous improvement. This includes quantitative metrics on case processing times, resolutions, and DPA resource utilization.

By implementing these comprehensive recommendations, the EU can move closer to realizing the full promise of the One-Stop-Shop mechanism, transforming it into a truly robust, efficient, transparent, and equitable framework for data protection enforcement across the Union.

6. Conclusion

The One-Stop-Shop (OSS) mechanism, as envisioned by the General Data Protection Regulation (GDPR), represented a bold and progressive initiative aimed at fundamentally reshaping and harmonizing data protection enforcement across the European Union. Born out of the necessity to overcome the pervasive fragmentation of the pre-GDPR era, its core promise was to provide a single, efficient point of contact for cross-border data processing activities, thereby simplifying compliance for businesses and ensuring consistent, high-level protection for data subjects throughout the Union. This ambitious design sought to foster legal certainty, reduce administrative burdens, and facilitate the free flow of data within the digital single market, all while upholding the fundamental right to data protection.

However, the journey from legislative blueprint to operational reality has illuminated a complex interplay of systemic and practical challenges. The aspiration for a seamless, consistent enforcement framework has, at times, been overshadowed by the persistent realities of inconsistent application by national Data Protection Authorities (DPAs), deeply entrenched fragmented national administrative procedures, and significant disparities in DPA resources. The perceived lack of transparency in the crucial cooperation and decision-making processes, coupled with concerns about the unintended facilitation of ‘forum shopping,’ has further compounded these challenges, leading to delays, legal uncertainties, and a degree of skepticism regarding the OSS’s overall effectiveness.

Key legal interpretations, particularly from the Court of Justice of the European Union, such as the nuanced judgment in the Facebook Ireland case, have provided critical clarity on the competence of national DPAs within the OSS framework. While reaffirming the lead supervisory authority’s (LSA) primary role, these rulings have also carved out specific conditions for intervention by concerned supervisory authorities (CSAs), highlighting the delicate balance between centralisation and national oversight. This ongoing judicial refinement underscores that the OSS is not a static mechanism but one that continues to evolve through interpretation and practical application.

Despite these undeniable hurdles, the fundamental principle of the OSS remains sound and indispensable for the functioning of a truly integrated EU data protection regime. Abandoning the mechanism would risk a regression to the pre-GDPR complexities, creating even greater burdens for businesses and confusion for data subjects. The path forward lies not in discarding the OSS, but in acknowledging its imperfections and implementing targeted, comprehensive reforms.

To transform the OSS into the robust and efficient framework it was designed to be, several key areas require urgent attention. This includes strengthening cooperation and fostering a common enforcement culture among DPAs through standardized protocols and intensified joint training. Crucially, member states must commit to allocating adequate and sustainable resources to their national DPAs, particularly those acting as LSAs for major cross-border players, potentially supported by EU-level financial mechanisms. Enhancing transparency in decision-making processes, by providing clearer insights into inter-DPA deliberations and publicly accessible information on case progression, will be vital for building trust and ensuring accountability. Furthermore, proactive measures, including refined guidance on ‘main establishment’ and substantive assessments, are essential to genuinely address and deter forum shopping.

In conclusion, the One-Stop-Shop mechanism is a testament to the EU’s ambition to create a unified digital single market founded on strong data protection principles. While its implementation has revealed significant challenges, these are not insurmountable. By embracing a collaborative, well-resourced, transparent, and adaptive approach, the EU can ensure that the OSS evolves into a more robust, equitable, and ultimately more effective enforcement system, better serving the interests of data subjects and fostering a predictable regulatory environment for organizations operating in the Union. The ongoing success of the GDPR as a global benchmark for privacy critically hinges on the continuous refinement and effective operation of its One-Stop-Shop mechanism.

1 Comment

  1. So, the One-Stop-Shop was *supposed* to stop the forum shopping for GDPR enforcement, huh? Color me skeptical. I wonder how many “main establishments” magically appeared in GDPR-lenient locales right before the deadline. Any data on whether a rush to Dublin skewed the numbers?
