Cyber and Information Law Newsletter: Issue 1 - General Information
DAC Beachcroft
Show/Hide Tags

Cyber and Information Law Newsletter: Issue 1 - General Information's Tags

Tags related to this article

Download PDF Print page

Cyber and Information Law Newsletter: Issue 1 - General Information

Published 30 April 2019

Japan granted an Adequacy Decision 

On 23 January 2019, the European Commission adopted its adequacy decision on Japan, meaning that companies can now freely transfer personal data from the EU to Japan and vice versa. The European Commission’s press release can be accessed here.

Author
Michael McMillen

Spotlight on the Irish Data Protection Commission’s “One-Stop-Shop” 

Nearly one year since the GDPR came into force, statistics are starting to trickle in as to the effects of the regulation, and the impact felt by data protection authorities across Europe. One such area is the “one-stop-shop” arrangements, which have been introduced by the GDPR.

Under the GDPR, the supervisory authority in the Member State where a company has its “main establishment” holds primary responsibility for dealing with data protection matters, such as complaints raised by data subjects, even where these are cross-border in nature.

As is well known, Ireland is an attractive corporate destination, meaning a large number of US multinationals have their main establishment in Ireland. These include Apple, Facebook, Microsoft, Twitter, Dropbox and LinkedIn. However, it is worth noting that the French data protection authority, CNIL, recently found that Google did not have a “main establishment” in the EU and that, therefore, CNIL had authority to investigate the complaints, rather than exclusively the Irish Data Protection Commission, despite the fact that at the time in question Google’s main office was in Ireland. This decision was based on the fact that key decisions were not in fact being taken by the Irish entity, but were instead being taken by Google in the US, which opened Google to enforcement by any supervisory authority in the EU. This led CNIL to take its own action and demonstrates that the concept of “main establishment” may be construed narrowly.

During the seven months from 25 May to 31 December 2018, the Irish Data Protection Commission dealt with 136 one-stop-shop complaints; it was notified of 38 personal-data breaches, concerning 11 tech multinationals, with a number of statutory investigations ongoing.  They are also acting as lead reviewer on a number of binding corporate rule applications.

Reminder: Who uses the one-stop-shop?

The one-stop-shop applies to: organisations “processing the same set of personal data in the context of the activities of an establishment in one Member State as well as one or more EEA offices, branches, or other establishments”; and organisations who “only have offices, branches or other establishments in one Member State, but whose processing of personal data is likely to substantially affect data subjects in one or more other EEA states”. The examples provided by the ICO are where:

1. A fashion retailer:

  • has a head office in London which handles all its customer data;
  • has a distributor in Paris for French sales; and
  • sells only in the UK and France.

For the purposes of the data of the French customers, this will be cross-border processing and the UK data protection authority (the ICO) will be the lead supervisory authority.

2. A fashion retailer:

  • has a single office in London which handles all of its customer data; and
  • it sells via its website to the UK, France and Italy.

To the extent the London office’s processing of the customer data substantially affects data subjects in France and Italy, this will be cross-border processing and the ICO will be the lead supervisory authority.

The one-stop-shop does not impact on the data subject directly, as they still make complaints to their own data protection authority (and in their own language). However, from an organisation’s perspective, the system simplifies compliance, as it means only one authority will investigate matters and they need only deal with that one regulator.

Organisations with international operations should ensure they are aware of who the relevant lead supervisory authority is. In particular from a UK perspective, this will need to be kept under review in the light of the ongoing Brexit negotiations.

Authors

Michael McMillen

Michael McMillen

London - Walbrook

+44(0)20 7894 6981

Key Contacts

Jade Kowalski

Jade Kowalski

London - Walbrook

+44(0)20 7894 6744

Next Article

< Back to articles

Collection articles

International data transfers: one step forwards, two steps back?

By Jade Kowalski, Stuart Hunt

The UK Government’s White Paper on AI Regulation - 5 Key Take aways

By Jade Kowalski, Florence Cathcart

The European Commission concludes consultation on regulating metaverses

By Alexander Dimitrov, Tim Ryan

UK data protection reform, reformed? Data Protection and Digital Information (No.2) Bill published

By Jade Kowalski, Nadia Belkacemi

ICO Tech Horizons Report – what does it mean for the use of emerging technology?

By Jade Kowalski, Christopher Air, Omar Kamal

ICO Tech Horizons Report – what does it mean for the use of emerging technology in the insurance industry?

By Jade Kowalski, Omar Kamal

European Commission publishes draft adequacy decision for the EU-US

By Jade Kowalski, Holly Eastwood

The UK’s Online Safety Bill: Where are we now?

By Astrid Hardy, Alexander Dimitrov

ICO International Transfers Guidance Update

By Charlotte Halford, Holly Eastwood

Update: US signs Executive Order establishing a new EU-US Data Privacy Framework

By Charlotte Halford, Holly Eastwood

Reminder: Use of UK International Data Transfer Agreement or UK Addendum mandatory from today 21 September

By Charlotte Halford

Latest on what lies ahead for data in health and social care

By Darryn Hale, David Hill, Sophie Devlin

EDPB Announcement on New EU-US Privacy Framework

By Aidan Healy, Christopher Air

Can processors re-use personal data for their own purposes? A view from France.

By Jade Kowalski, Christophe Wucher-North, Christopher Air, Alexander Dimitrov

Schrems II related enforcement on the rise: transfers to the U.S. via Google Analytics cookies found to breach EU GDPR

By Jade Kowalski, Pavan Trivedi

The ICO’s Age Appropriate Design Code: is your organisation in scope?

By Jade Kowalski

UK adequacy, new SCCs and finalised EDPB recommendations - all change for international data transfers

By Jade Kowalski, Charlotte Halford, Rebecca Morgan

Top themes and takeaways from the 2021 ICO Conference

By Jade Kowalski, Charlotte Halford, Rebecca Morgan

Data Transfers: Rules for the transfer window and beyond

By Jade Kowalski

Cyber and Information Law Newsletter: Issue 1 - Round up of 2019

By Jade Kowalski, Ceri Fuller, Khurram Shamsee, Sophie Devlin, Christopher Air

This website uses cookies so that we can improve your experience. By continuing to use the site you are agreeing to our use of cookies. For more details please view our Cookies Policy.
DAC Beachcroft