Application of One Stop Shop – CNIL vs Google LLC

The French Data Protection Authority (CNIL) issued on 21 January 2019 the landmark decision against Google LLC for breaches of the GDPR on grounds of lack of transparency, insufficient information and lack of legal basis. Being the first decision issued by CNIL under the GDPR with the largest fine (€50 million) issued by that time, the case was also the first to address the question of application of the One Stop Shop mechanism. This article elaborates how in the absence of a main establishment, Google LLC could not benefit from the mechanism on appointing a lead DPA to act on behalf of other DPAs and argues that CNIL´s investigation and decision respected the EU procedures on cooperation and consistency.