Rethinking the one-stop-shop mechanism: Legal certainty and legitimate expectation 1

This paper aims to contribute to the discussion concerning the one-stop-shop mechanism proposed in the General Data Protection Regulation (hereinafter “GDPR”). The choice of regulation as the instrument to legislate on data protection is already an unmistakable indication that unification and simplification (together with respect of data subjects' interests) shall be the guide for every legal discussion on the matter. The one-stop-shop mechanism (hereinafter “OSS”) clearly reflects the unification and simplification which the reform aims for. We believe that OSS is logically connected with the idea of one Data Protection Authority (hereinafter “DPA”) with an exclusive jurisdiction and that this can only mean that, given one controller, no other DPA can be a competent authority.2 In other words, OSS implies a single and comprehensive competent authority of a given controller. In our analysis we argue that such architecture: a) works well with the “consistency mechanism”; b) provides guarantees to data subjects for a clear allocation of powers (legal certainty); and c) is not at odds with the complaint lodging procedure. Our position on fundamental questions is as follows. What is the perimeter of competence of the DPA in charge? We believe that it should have enforcement power on every issue of the controller, including issuing the fines. How to reconcile such dominant role of one DPA with the principle of co-operation among DPAs? We do not consider co-operation at odds with the rule that decisions are taken by just one single authority. Finally, we share some suggestions on how to make the jurisdiction allocation mechanism (the main establishment criterion) more straightforward.