Sir, – I write to clarify the references to the Data Protection Commission (DPC) as the "lead regulator" and "principal regulator" for Google ("Ireland on the front line of Google location tracking scandal", Business Opinion, August 16th), and the contention that the DPC "would be Google's de facto primary regulator" ("Data commissioner will need to show mettle dealing with Google", Business Opinion, August 23rd).
This position is not borne out by the general data protection rules (GDPR).
At present, the Data Protection Commission is not Google’s “primary regulator” (or, in data protection terms, its “lead supervisory authority”).
This in no way diminishes an individual’s data protection rights or the Data Protection Commission’s enforcement powers.
The concept of lead or “primary regulator” only arises where multinational companies (“data controllers”), operating in multiple EU member states, avail of a mechanism called the One-Stop-Shop (OSS). The OSS allows companies to be supervised by the regulator in the member state in which they have their “main establishment”, rather than being supervised by multiple regulators. “Main establishment” is assessed by objective criteria including where decisions on the processing of personal data are taken.
“Forum shopping” is not permitted.
In this case, Google LLC, an American company, is the data controller and so Google cannot avail of the OSS mechanism at all.
At the point that Google meets the objective criteria of “main establishment” that will change.
Accordingly, the question of lead or “primary regulator” does not currently arise.
The current position is that Google is subject to supervision by all of the EU supervisory authorities, including the Data Protection Commission.
In the immediate aftermath of the Associated Press report, on August 15th, the Data Protection Commission commenced its supervision of Google in relation to the issue of location tracking. – Yours, etc,
Head of Communications,