Is Centralised General Data Protection Regulation Enforcement a Constitutional Necessity?

Protection of personal data as a fundamental right – GDPR’s enforcement dilemma in cross-border cases – “One-stop-shop” model’s inadequacies highlighted – Distinction: regular cross-border enforcement versus cases of common European concern – Proposal: centralised enforcement mechanism for cases of common European concern – Union supervisory authority as a solution – Insufficiencies of the harmonisation proposal of the European Commission – Centralisation’s advantages: uniform enforcement, better coordination, and curbing forum shopping – Implications: fundamental rights protection and EU’s constitutional obligations – Constructive critique of the one-stop-shop model, not a dismissal – European constitutional law mandates effective data protection enforcement.

procedural setup renders data protection authorities unable to effectively enforce the General Data Protection Regulation, 2 this presents not merely a problem of administrative underperformance but a deficit of protection of a fundamental right.
This article addresses the challenge of the General Data Protection Regulation's suboptimal enforcement in cross-border cases from the point of view of the EU's constitutional law. There is a growing consensus among personal data protection law experts that the status quo should be assessed negatively. 3 The Regulation has been applicable since 25 May 2018, 4 yet an average EU resident still has data about her activities shared with, or used by, advertising companies 376 times a day. 5 Moreover, a substantial number of cross-border enforcement cases remain unresolved. 6 We argue that this deficiency of fundamental rights protection stems from the specific oversight model adopted by the General Data Protection Regulation. 7
The second section of this article begins by recalling the governance model of the General Data Protection Regulation and pointing out its shortcomings. Currently, enforcement of the Regulation is decentralised and lies solely in the hands of national supervisory authorities. For all cases of cross-border enforcement, the Regulation adopted the so-called 'one-stop-shop' model. 8 Under that model, there is always one national authority – admittedly bound by a duty to cooperate with others 9 – competent to conduct the proceedings and issue a decision. 10 In some cases, even if the model could be made more effective on the margins, 11 this is a valid choice. However, not all cross-border enforcement is the same. We propose to distinguish the regular cross-border enforcement of the General Data Protection Regulation from what we call the cases of common European concern. 12 The latter would comprise situations where an act of data processing puts in jeopardy the fundamental rights of the residents of the entire Union and, due to the high number of persons or jurisdictions involved, the significantly risky nature of processing at hand, or the complexity of the interpretative questions raised, cannot be effectively overseen by the national authorities acting within the one-stop-shop model. To ensure fundamental rights protection in such cases, we argue, the Union needs a different approach.
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR).
3 See G. Gentile and O. Lynskey, 'Deficient by Design? The Transnational Enforcement of the GDPR', 71 International and Comparative Law Quarterly (2022) p. 799; see also the European Data Protection Supervisor's Conference Report summarising the discussions of 'The future of data protection: Effective enforcement in the digital world' conference held in Brussels on 16-17 June 2022, p. 13-14, 20-21, 24-25, 27-28, 33-34, 53-54, 60-64, available at https://www.edpsconference2022.eu/sites/default/files/2022-11/22-11-10-EDPS-Conference-Report-2022_EN.pdf, visited 29 September 2023.
4 Art. 99 GDPR.
5 See Irish Council for Civil Liberties, 'The Biggest Data Breach: ICCL Report on the Scale of Real-Time Bidding Data Broadcasts in the US and Europe' (16 May 2022), p. 2, available at https://www.iccl.ie/digital-data/iccl-report-on-the-scale-of-real-time-bidding-data-broadcasts-in-the-u-sand-europe/, visited 29 September 2023.
6 See Irish Council for Civil Liberties, 'Europe's Enforcement Paralysis: ICCL's 2021 Report on the Enforcement Capacity of Data Protection Authorities', p. 4, available at https://www.iccl.ie/digital-data/2021-gdpr-report/, visited 29 September 2023.
As the third section explains, we posit that the flaws resulting from the administrative structure of the one-stop-shop model, which are particularly severe in cases of common European concern, cannot be solved with the harmonisation of procedural provisions, as the European Commission has recently proposed. Instead, we argue, the EU should adopt a centralised enforcement model for the cases of common European concern and delegate their oversight to a newly empowered Union supervisory authority. 13 Centralisation would tap into the unique institutional advantages of the Union administration by ensuring that the law is interpreted and enforced equally in all member states, and by preventing mishaps and delays resulting from poor coordination between national authorities. In addition, centralisation would curb the negative effects of forum shopping by the most notorious third-country data controllers, such as the influence of national enforcement strategies on the Union-wide case outcomes or the unfair distributive consequences of the one-stop-shop model.
As we argue in the fourth section, there are concrete implications to the fact that centralised enforcement might be the only viable option to effectively protect the fundamental rights of data subjects. Given the EU's positive obligations to protect the fundamental right to data protection, and given that the availability of an independent data protection authority constitutes part of that right, centralising enforcement for some cases is arguably not only a sound political choice but a move required by the EU's constitutional law.
9 Arts. 60-63 GDPR.
10 In some cases, subject to revision by the European Data Protection Board, see Arts. 63-67 GDPR.
11 See Gentile and Lynskey, supra n. 3, p. 823-828; see also the European Data Protection Board 'Statement on Enforcement Cooperation' adopted in Vienna on 28 April 2022, available at https://edpb.europa.eu/system/files/2022-04/edpb_statement_20220428_on_enforcement_cooperation_en.pdf, visited 29 September 2023.
12 See below, section titled 'Distinguishing the cases of common European concern'.
13 This could mean either the creation of a whole new administrative agency or designating an already existing one – like the European Data Protection Supervisor or the European Data Protection Board – as the Union supervisory authority. For a discussion of various possibilities, see below, section titled 'Centralisation, independence, and the limits to delegation'.
Two caveats are in order. First, the proposal to create the Union supervisory authority solely competent to oversee the cases of common European concern should not be read as an attack on the one-stop-shop model altogether. The authors agree that, in many simple cross-border cases, this is the most effective approach, and refer to some ideas on how it could be improved without a general overhaul. 14 Second, the idea to centralise the enforcement of the General Data Protection Regulation in (some) cross-border cases was timidly, though repeatedly, flagged by various speakers at the European Data Protection Supervisor's conference in June 2022. 15 The authors do not claim the authorship of the idea. Rather, as a follow-up, they decided to scrutinise it from the point of view of European constitutional law, demonstrating how not only is such a development consistent with the Treaties but also, effectively, required by them.

T --   
The General Data Protection Regulation is the EU's horizontal regulation governing the processing of personal data of EU residents (data subjects) by both private and public actors (data controllers). 16 It aims to, simultaneously, guarantee the protection of fundamental rights and facilitate the free movement of personal data within the EU. 17 To this end, the General Data Protection Regulation obliges data controllers to abide by several principles, 18 secure a legal basis for each act of processing, 19 and fulfil numerous regulatory requirements, 20 while endowing data subjects with various rights. 21 Albeit creating a complex system of substantive rules, the General Data Protection Regulation has been clearly and succinctly presented in the scholarly literature. 22 The enforcement of the Regulation is to be guaranteed by the national supervisory authorities. 23
There are three defining administrative features of the General Data Protection Regulation's current enforcement model: (i) its decentralised character; (ii) its cooperative character; and (iii) the dominant role it accords to the 'lead supervisory authority' in cases of cross-border data processing. First, regarding the decentralised character, enforcement is undertaken by a plurality of national supervisory authorities, each acting within the territory of its own member state. 24 Second, given the cooperative character of enforcement, the national authorities are required to mutually assist each other, e.g. by exchanging information or carrying out inspections on each other's behalf. 25 Further, third, under the General Data Protection Regulation's one-stop-shop system, the lead authority, i.e. the national authority 'of the main establishment or of the single establishment of the controller or processor', is solely competent to exercise supervisory powers over a controller. 26 Such powers are, however, exercised in consultation and cooperation with the national authorities from other member states whose residents are affected by the data processing in question (i.e. the 'concerned supervisory authorities'). 27 While the lead authority enjoys exclusive power to decide whether to initiate investigations and to take decisions vis-à-vis controllers, it must also circulate draft decisions, e.g. imposing fines, to the concerned authorities. The role of the latter in that context is limited to raising 'relevant and reasoned objections' to the draft decision. 28 The lead authority is, however, not obliged to decide in accordance with such objections. It is only obliged to bring the matter to the European Data Protection Board (the Board) so that the Board may issue a binding decision to settle the specific points of disagreement between the lead and concerned authorities. 29 It should be emphasised that despite holding the power to take binding decisions – as it recently did in an investigation concerning Meta 30 – the Board's involvement does not represent any deviation from the fundamentally decentralised character of General Data Protection Regulation enforcement. Indeed, the Board's intervention is not to enforce the General Data Protection Regulation as a Union supervisory authority but rather to assist its true enforcers, the national supervisory authorities. Crucially, national authorities are bound by the Board's decisions, but the Board itself is bound by what the national authorities ask it to rule upon. It is always the lead supervisory authority requesting the Board for a decision that, by defining the scope of the disagreement between itself and the concerned authorities, effectively defines the extent of the Board's role in the procedure.
As the one-stop-shop model of enforcement only applies in cases of cross-border processing of personal data, it is important to clarify what this notion entails. Cross-border processing occurs when a data controller established in one member state operates in several jurisdictions or when a controller established outside of the Union offers goods or services to the Union residents in several member states or monitors their behaviour. 31 We illustrate this in the table below.
Hence, if a Romanian pizzeria serves consumers only in Romania, this is a case of purely national processing, and a Romanian authority will be competent to oversee its activities (case A). If a company from a third country, like Mexico, directs an app predominantly to residents of one member state, like Spain, it should establish a representative in Spain and will be overseen by the Spanish authority (case B). 32 If a company based in a member state, like Sweden, offers a streaming service to residents of several member states, it will be monitored by the authority of the member state where it is based, i.e. the Swedish authority (case C). However, companies from third countries that offer their services throughout the Union (case D) pose entirely distinct problems. Data controllers established outside of the EU must designate a representative 'in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are'. 33 Though this is a problem that the General Data Protection Regulation has attempted to solve, the provision makes it possible for controllers to forum shop for the national authorities that will be responsible for their supervision. Put differently, companies from third countries – paradigmatically, the US 'Big Tech' companies like Google, Meta, and Amazon but also corporations from China, offering services like TikTok – are free to choose their own supervisor quite liberally, for as long as they are able to demonstrate that decisions about processing are indeed taken in that jurisdiction. 34 This is what aggravates the problems raised by cases of common European concern.

The generic shortcomings of the one-stop-shop model
Admittedly, there might be many cross-border cases where the one-stop-shop model functions or could function well. For example, in its public-oriented communications, 35 the European Data Protection Board describes a situation where three residents of Italy believe their rights were violated by a data controller in Sweden and, thanks to the one-stop-shop, can lodge a complaint in Italian, with the Italian supervisory authority. Then, the authority can contact its counterpart in Sweden, who (as the lead authority) will investigate and determine whether the General Data Protection Regulation has, in fact, been infringed. This scenario, arguably, is a win-win-win situation for the data subjects (who can communicate, in their own language, with the authority familiar to them), supervisory authorities (who each investigate controllers located in their own jurisdiction), and data controllers (who communicate with only one supervisory authority, in their own language, following a familiar procedure).
However, the reality of enforcement is often far more complex. In fact, the one-stop-shop system has been widely criticised. In a powerful recent critique, Gentile and Lynskey have described the one-stop-shop model as 'deficient by design'. 36 They contend that, despite containing the most comprehensive and stringent substantive rules in the world, the General Data Protection Regulation also institutes an enforcement model that is ill-suited to ensure effective compliance with data protection law. 37 Though the Treaties contain no precise definition of what constitutes effective enforcement of EU law, one may infer one possible test from the Court's case law. Among others, effectiveness requires public authorities to resort to 'the least distortive means of achieving their policy objectives'. 38 One should, therefore, question whether the three defining administrative features of the General Data Protection Regulation cause, or are unable to prevent, distortion in achieving the objective of protecting 'fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data'. 39 The four points of critique raised by Gentile and Lynskey, in fact, all concern precisely the three administrative features that we highlight – the decentralised structure of enforcement, its cooperative nature, and the dominant role of the lead authority. 40 Despite looming reforms in terms of enforcement, these four weaknesses are unlikely to be overcome anytime soon.
It is the decentralisation that enables the distortion of enforcement by national particularities, both in terms of applicable laws and in terms of political and economic contexts. One problem that Gentile and Lynskey point out concerns 'insufficient procedural fairness guarantees' that hamper the procedural rights of the parties to the proceedings and might even lead to the exclusion of some data subjects from the process. 41 A second problem that Gentile and Lynskey note is that the 'preponderant influence of national, rather than European, priorities and regulatory approaches in the transnational [General Data Protection Regulation] enforcement by [national supervisory authorities]' 42 might lead to divergent application of law depending on who the lead authority is. Ultimately, this threatens a basic tenet of the rule of law, i.e. equality before the law, as the data protection rights of individuals may enjoy vastly different levels of protection in different member states.
Another problem concerns the tension between decentralisation and the requirement that supervisory authorities cooperate. Due to 'procedural ambiguities and divergences in the cooperation procedure', 43 Gentile and Lynskey write, 'disparities between national procedural rules have become a source of friction and delay'. 44 Put differently, as is common in the EU's administrative system, the General Data Protection Regulation's administrative procedures represent 'incomplete' procedures. 45 The Regulation specifies only part of the decision-making procedures that the supervisory authorities must follow. In most instances, it is the relevant authority's national administrative law that will apply. As member states' laws differ, e.g. on the notion of 'draft decision', on the scope of procedural rights and on the timing for their exercise, the lead and concerned authorities involved in the same decision-making process grapple with the lack of a shared procedural framework. This generates legal uncertainty and makes it more unpredictable for data subjects to know whether and how their rights will be protected, which in turn may discourage taking steps to protect themselves.
37 Ibid., p. 799.
Finally, Gentile and Lynskey identify the problems emerging from the dominant role of lead authorities. Given that they solely enjoy the prerogative in critical steps of enforcement procedures, e.g. in shaping initial inquiries into General Data Protection Regulation infringements, concerned authorities have only a limited ability to protect data subjects within their jurisdiction. 46 In July 2023, the European Commission published a proposal for a regulation meant to harmonise the procedural rules that national supervisory authorities should follow while enforcing the data protection law. 47 The regulation aims to improve cooperation and effectiveness of enforcement. As is elaborated below, the proposal represents a missed opportunity. It does not, in any way, call the one-stop-shop model into question. Despite some positive steps, the proposal does not completely resolve any of the model's fundamental weaknesses, such as those noted by Gentile and Lynskey; in fact, the proposal risks making some of them even worse. The reasons are elaborated on below in the section titled 'Harmonisation of procedure?', which considers procedural harmonisation as a potential strategy to improve the enforcement of the General Data Protection Regulation.

Distinguishing the cases of common European concern
The critique offered by Gentile and Lynskey is both novel and powerful. However, in our view, the gravity of the concerns raised and, thereby, the desirable solution to the one-stop-shop's 'deficiency by design' will not be the same in every case of cross-border enforcement. Arguably, the situation of the data subjects and the national authorities is very different in cases of simple, regular cross-border enforcement (when two or three authorities need to communicate regarding a straightforward matter) and in cases of complex, Union-wide proceedings (where essentially all the supervisory authorities are entitled to be 'concerned', and the decision to be made is controversial on substance).
44 Ibid., at p. 807.
For this reason, we propose to distinguish between the standard cases of cross-border enforcement and what we call the 'cases of common European concern'. How to distinguish them? The best way to explain what we mean by the cases of common European concern, and to see why the problems with the one-stop-shop are different in these cases than in standard cases of cross-border enforcement, is to compare paradigmatic examples of each.
First, let one imagine a model, simple case of cross-border enforcement. There might be a pizzeria in Hungary that serves customers just across the border in Austria and ends up using data collected for the purpose of performing the contract to send commercial communications to its former clients. A resident of Austria, who does not speak Hungarian, and might not know how to file a complaint in Hungary, can complain to the Austrian supervisory authority, which then contacts the Hungarian authority, which can investigate (including by collecting evidence within its own jurisdiction) and issue a decision. The matter at hand is rather simple (it involves minimal legal questions requiring interpretation and limited discretion) and concerns only one data subject, represented by one lead authority and one concerned authority.
Would such a case, given the limitations of the one-stop-shop, present a danger to the fundamental rights of the Austrian customers? It might. The lead authority might be slow to act; national enforcement strategies can deem such cases a low priority, different procedural rules might lead to misunderstandings, etc. There may be room for improving the law in ways that render the proceedings more effective. However, in our view, such simple, cross-border cases do not challenge the very concept of the one-stop-shop.
Second, let one consider a case recently making the headlines, namely that of the Irish supervisory authority fining Meta Inc (formerly Facebook Inc) €390m, 48 following a complaint brought by Max Schrems's organisation noyb on behalf of an Austrian and a Belgian user, for relying on the wrong legalising basis, namely the necessity for the performance of the contract, to process data for the purposes of personalised advertising. 49 Detailed press coverage allows one to learn a lot about the specifics of the case. It was filed in January 2019 50 (so it took four years to issue the first decision), and the Irish authority (acting as the lead authority since Facebook has its European establishment in Ireland) has been overruled by the European Data Protection Board through the Article 65 procedure. 51 Initially, the Irish authority wanted to side with Facebook's interpretation (and find no General Data Protection Regulation violation), then it proposed a much lower fine (between €28m and 36m), only for the Board to take a completely different view.
This is an example of what we call a case of common European concern. First, even though it was filed by data subjects from two specific member states, its outcome affects the fundamental rights of all the millions of Union residents using Meta's products, like Facebook or Instagram, who reside in all member states. In this sense, every single supervisory authority has a title to act as a concerned authority; and if every authority in the Union is concerned, the entire Union is concerned. Second, the matter at hand involves a legal issue requiring complex interpretation open to good-faith disagreement. Though it constitutes a clear pro-privacy move, the Board's ultimate decision was not the only possible interpretation, as demonstrated by the draft decision of the Irish authority and Meta's definite willingness to appeal. In such cases, the divergence in national enforcement strategies, given the lead authority's privileged position, can negatively affect the fundamental rights of data subjects all across the Union. Third, Meta is a third-country data controller generating significant profit. Its business model has been forged in a non-European environment, 52 and it specifically and with free will chose Ireland as its place of establishment. This presents a risk of home bias, given the possible convergence of interests between the controller (looking for a lenient authority) and the member state willing to attract companies of this nature.
Moving from these paradigmatic examples to a clear-cut legal test presents a challenge. In our view, though this might initially seem a circular definition, the best way to understand the cases of common European concern is as cases in which the fundamental rights of the Union's residents, in the view of the central European supervisory authority (whose establishment we advocate), would be best protected at the Union level and not a national level within the one-stop-shop model. Such an understanding contains a clear, albeit general, threshold for assessment (effectiveness of protection of fundamental rights) while leaving a significant amount of discretion to the central supervisory authority. Let us elaborate on why such an approach promises to be the most effective.
One could imagine the core of the specific legal test for distinguishing between regular cross-border cases and the cases of common European concern involving a combination of the following factors: (i) the number of member states and/or the Union residents whose fundamental rights are affected; (ii) the gravity of the threat to the fundamental rights; (iii) the complexity of the case which, if high, presents a risk that the one-stop-shop model would render the proceedings excessively long or invite the national enforcement priorities to significantly influence the outcome; (iv) the origin of the data controller. Admittedly, within this frame, several possible tests could be proposed. For example, one could imagine a simple test stating that if data processing concerns the residents in every member state, such a case is of common concern. However, this would risk being simultaneously over- and underinclusive. On the one hand, every single website collecting any personal data 53 Union-wide – regardless of the level of risk for fundamental rights – should be seen as of common concern. Suddenly, Cambridge University Press, politico.eu, chess.com, and a myriad of others, would have to be supervised centrally, even though the types of processing these controllers engage in are neither specifically risky nor present complicated interpretative questions. On the other hand, a start-up engaging in potentially very dangerous data processing, e.g. involving new applications of facial recognition – one that could, in the near future, put the rights of the entire Union's residents at risk – would not be considered of common concern as long as it limits its processing to just a handful of member states.
What defines the cases of common European concern is precisely the unpredictability of their nature and their systemic impact on fundamental rights. The private sector is creative and innovative, also in the ways in which data can be used or misused. For this reason, we posit, the central supervisory authority should have a default competence – e.g. cases that involve three-quarters of the member states, or at least ten million users in at least six member states, etc. – while retaining the ability to take over enforcement of cases it considers best protected on the Union level, and delegate back to the national authorities the cases it considers best protected on the national level. The usefulness of this approach will become even more apparent when discussing the shortcomings of the one-stop-shop model in cases of common European concern.

The shortcomings of the one-stop-shop in cases of common European concern
The one-stop-shop model is decentralised, through and through, and applies indistinctly to any case involving cross-border data processing. Unlike in other areas of Union law, the enforcement of the General Data Protection Regulation does not require certain kinds of cases, i.e. those with Union-wide implications, to be overseen at the Union level. A comparison with competition law may prove illuminating. If a multinational IT company from a third country, like Google or TikTok, established its European branch in Czechia and later planned to merge with a large Union-based company in the same sector, then the merger would be considered a 'concentration with a Union dimension'. 54 Unless the impact of a merger is confined to a single member state, the European Commission acts as a 'one-stop shop' with the exclusive power to decide on whether the merger should be authorised. 55 In contrast, even if its operations affect the fundamental right to data protection of millions of residents in every EU member state, the same multinational IT company would be exclusively supervised by an altogether different 'one-stop-shop' – the Czech lead authority, albeit in cooperation with other concerned authorities. Controllers originating from third countries may pick a national authority to handle what are, in effect, Union-wide fundamental rights questions. Some key problems that emerge from cases of common European concern result from this setup. It will be conceded that data protection law is not the only field under Union law where firms are effectively 'clients' of administrative agencies, with the liberty to choose their own 'provider' authority. 56 In many decentralised networks similar to the General Data Protection Regulation's system, and depending on their goals, 'regulatees may exploit the opportunities resulting from multiple regulators' and select the best, the most sympathetic, or even the least efficient administration. 57 There are numerous examples of procedures similar to the General Data Protection Regulation's one-stop-shop model. The regulation of veterinary medicines is just one of many. When a company wishes to market a medicine in several member states, one of their respective national authorities will act as a 'reference' authority. That authority prepares an assessment report on the medicine and circulates it to the remaining authorities. If the remaining authorities do not raise any objections, the drug must be authorised in all the relevant member states. If they do, a new procedure is initiated to settle the disagreement and, if necessary, the European Commission itself will take the final decision. 58 However, decentralised regulatory networks such as this also present crucial differences from the General Data Protection Regulation's one-stop-shop model. First, while the reference authority competent to authorise a veterinary drug will be 'the competent authority in the member state chosen by the applicant', 59 the range of that choice is necessarily limited to one of the regulators of the member states where the medicine will actually be marketed, and where it may raise public health concerns. In contrast, the sole test under the General Data Protection Regulation (if the data controller processes data of residents of the entire Union) is the state where corporations have chosen to set up their own 'main establishment', i.e. where decisions about processing are made. Second, unlike pharmaceutical regulators, which regulate specific classes of products, lead authorities under the General Data Protection Regulation do not supervise specific services involving the processing of personal data but the entire data processing activity of a controller. Lastly, the very nature and purpose of administrative powers differ. In other domains, regulators' powers are predominantly preventive and aim at protecting from future harm certain public interests, such as public health, which are abstract interests rather than specific individual rights. Under the General Data Protection Regulation, the powers of supervisory authorities are predominantly reactive and aim at offering remedies to individuals whose fundamental rights have been infringed or at imposing corrective measures to put an end to infringements.
Put differently, the General Data Protection Regulation allows forum shopping in ways that simply do not exist in other regulatory regimes. In the cases of common European concern, the controller may artificially choose the regulator of a member state where only a small proportion of affected fundamental rights holders live. The controller's power to make that choice is no less than a power to decide which authority the controller would like to be sanctioned by, or to whose corrective powers it would like to be subject, in case it ends up violating fundamental rights.
The fact that third-country multinationals may choose the jurisdiction in which they desire to be policed accentuates the weaknesses of the one-stop-shop model. The combination of decentralised enforcement and dominance of the lead authorities, on the one hand, with the ability to forum shop for a preferred supervisory authority, on the other, risks serious distortion to the aim of protecting data subjects' fundamental rights. Put differently, that combination structurally undermines the ability of the one-stop-shop to secure effectiveness in the enforcement of the General Data Protection Regulation.
It may be noted that three problems are specifically exacerbated in the cases of common European concern. The first is that the one-stop-shop compromises the principle of equality. 60 As such cases present a threat to the fundamental rights of individuals in every EU member state, they present, in fact, Union-wide threats to such rights which, to be effectively tackled, require a Union-wide response. However, the one-stop-shop leads to the fragmentation of enforcement into a multitude of national jurisdictions. This makes it possible for individuals located throughout the Union, faced with exactly the same threat to their fundamental rights, to be protected differently, or not at all, depending on the resolve or resources of their respective national authorities to defend their rights when objecting to a lead authority's decisions that will profoundly affect them. This represents an obvious problem from the perspective of equal treatment of data subjects. Yet, the very fact that significantly different enforcement practices may exist throughout the Union also generates a problem from the perspective of the principle of legal certainty, another constitutional principle of Union law. According to the Court's case law, 'the principle of legal certainty requires that rules of law be clear and precise and predictable in their effect, so that interested parties can ascertain their position in situations and legal relationships governed by EU law'. 61 Individuals may understandably feel discouraged from requesting the protection of their rights if they cannot anticipate how the General Data Protection Regulation will be enforced in the midst of a myriad of different national enforcement approaches.
Yet another problem in cases of common European concern emerges from the structural incentive to overburden certain national authorities. As companies in the same sector are unlikely to forum shop for wildly different reasons, the one-stop-shop makes it possible for cases of common European concern to accumulate in the hands of the same lead authorities. The freedom to forum shop embedded in the General Data Protection Regulation thus enables extensive backlogs. It is no secret that the extremely competitive Irish tax system, as well as the fact that Ireland is an English-speaking country where US-based law firms can be directly involved in compliance, have been some of the key motivations for giants such as Google, Meta, Apple, Microsoft, Twitter and TikTok to choose the Irish authority. 62 It should also be no surprise that, as of 2021, more than 97% of major General Data Protection Regulation cases referred to the Irish authority remained unresolved. 63 One could argue that such backlogs could be solved by drastically increasing the resources of the most challenged authorities so that they could enforce the Regulation more actively. To put things in perspective, the yearly budget of the Irish authority was €19.1m in 2021, 64 whereas Meta alone, in the same year, spent US$9.8 billion on administrative and legal operations. 65 Yet, it is difficult to miss the deep redistributive dilemmas here. The lead authority in cross-border cases, of common concern or otherwise, also exercises its powers as a purely national authority, in purely national cases. Using its resources to supervise a flood of cases involving some of the most powerful companies in the world, to act as a de facto EU-wide regulator, necessarily means using fewer of that authority's resources to protect the fundamental rights of the member state's residents in purely national cases. The one-stop-shop, in short, is structurally vulnerable to the overburdening of the same lead authorities with the responsibility to deal with Union-wide threats to fundamental rights, to the detriment of more delimited threats originating in the territory of their own member state.

60 Art. 20 Charter.
Finally, the one-stop-shop carries a serious risk of a domestic bias. This is close to the point made by Gentile and Lynskey, already alluded to above, that effective enforcement of the General Data Protection Regulation risks being hampered by a 'preponderant influence of national, rather than European, priorities'. Such a bias is not a phenomenon specific to the enforcement of data protection law. The absence of centralised enforcement in EU-wide issues often risks parochial business or political pressures distorting the Union's regulatory objectives. Prior to the Eurozone crisis, such pressures were reflected in a pervasive problem of national banking supervisors proving excessively permissive with respect to national credit institutions considered 'national champions', which ended up harming financial stability in the EU. 66 Accusations of a similar bias have been levelled against the Irish authority, as suspicions mount that the Irish economy's reliance on Big Tech, and the Data Protection Commission's singularly Big Tech-friendly approach to enforcement, when compared to every remaining authority, might not be unrelated. 67

Given the enforcement deficits of the status quo under the General Data Protection Regulation, different proposals have been made to better address cross-border cases. The first proposed approach has been to enact EU legislation harmonising the rules governing the administrative procedures that the national supervisory authorities must follow while enforcing the Regulation. This is the approach favoured by the European Commission, which has recently proposed a regulation to harmonise provisions governing administrative procedures for the enforcement of the General Data Protection Regulation. A second proposed approach, however, was signalled repeatedly at the European Data Protection Supervisor's Conference in June 2022, a year prior to the publication of the Commission's Proposed Regulation. That proposal was to centralise the enforcement powers in some cases at the Union level. While both approaches have their merits, the first would likely leave many of the drawbacks discussed above unresolved; indeed, despite some positive steps, the Commission's Proposed Regulation may even worsen some of them. We discuss these two alternative approaches in the following sections.

Harmonisation of procedure?
In April 2022, the European Data Protection Board adopted a statement on cooperation between supervisory authorities on the enforcement of the General Data Protection Regulation. 68 The statement set out the Board's intention to 'identify a list of procedural aspects that could be further harmonised in EU law to maximise the positive impact of GDPR cooperation', 69 as such harmonisation 'could bridge differences in the [authorities'] conduct of (cross-border) proceedings to increase efficiency'. 70 This 'wish-list', as termed by the media, 71  European Commission and published in October 2022. 72 In a nutshell, the absence of clear common standards in administrative procedure was felt to 'hinder the full effectiveness of the GDPR's cooperation and consistency mechanism'. 73 The list covered matters ranging from the status and rights of complainants to amicable dispute settlement and deadlines for decisions to be taken.
The Commission took note. The Board's 'wish-list' is reflected in the Commission's proposal for the harmonisation of procedures in General Data Protection Regulation enforcement, which was published in July 2023. 74 In essence, the Proposed Regulation pursues three aims. 75 The first is to clarify the legal position of complainants. To this end, among others, the Proposed Regulation establishes uniform formal requirements for complaints, sets out complainants' procedural rights, including the right to be heard, and regulates the possibility of amicable settlements between complainants and the parties subject to investigation. The second aim is to strengthen and standardise the procedural rights of parties under investigation. To that end, the Proposed Regulation introduces common provisions, e.g. on the right of said parties to access the administrative case file concerning the investigation. The third aim is to reinforce the cooperation between the lead authority and concerned authorities. To that end, the Proposed Regulation regulates with greater detail and clarity aspects relating to the earlier stages of the investigation, including the possibility for an urgent decision by the Board to settle disputes concerning the scope of the investigation in complaint-based cases. 76

An effort to harmonise procedural rules, such as the one embodied by the Proposed Regulation, has several advantages. From a political standpoint, harmonisation is consistent with recent efforts of the EU legislator (for instance, in the reformed European Competition Network 77) to ensure uniformity of Union law by standardising enforcement powers of national authorities rather than, more controversially, centralising such powers in the Union administration. From a practical standpoint, harmonisation avoids reopening the General Data Protection Regulation for reform, which the Board itself considers 'premature', 78   the Regulation's system of cooperative decentralised enforcement. Lastly, harmonisation can doubtless serve as a useful tool to remedy many of the discrepancies between national practices that hamper adequate cooperation and hence the enforcement of Union law.
The Proposed Regulation certainly displays such advantages. It also takes several positive steps that are likely to improve cooperation and procedural protection under the one-stop-shop mechanism. And yet, the Proposed Regulation falls short of remedying the fundamental weaknesses of the one-stop-shop model, particularly so in terms of the weaknesses that become apparent in cases of common European concern.
First, in terms of procedural rights, there is no doubt that the Proposed Regulation clarifies several issues and generates some uniformity in the protection of procedural rights throughout the Union. For instance, the Proposed Regulation regulates the timing of the exercise of the right to be heard by lead supervisory authorities and the Board 79 or the scope of the contents that must be available to parties under investigation who exercise their right of access to the case file. 80 One particularly positive step is that complainants will enjoy the right to be heard without distinction as to whether their interests are personally impacted by decisions to reject a complaint (i.e. civil society actors representing data subjects have the right to be heard in the same terms as a data subject who filed a complaint to obtain a remedy). 81 This is by no means a given, as the Charter and the European Court of Justice's case law only entitle a person to be heard before a decision 'which would affect him or her adversely is taken'. 82 And yet, it is striking how the procedural rights of parties under investigation, and especially of complainants, are placed at the discretion, at the goodwill, of lead supervisory authorities. Complainants, for example, will enjoy the right to access administrative case files but only if the lead supervisory authority 'considers that it is necessary' (emphasis added) to share documents contained in them for complainants to be able to make their views known effectively. 83 A lead authority that revises a draft decision after receiving other authorities' objections will be required to observe the right to be heard. That is, of course, if the lead authority decides that a hearing is convenient: when, according to the Proposed Regulation, it 'considers that the revised draft decision … raises elements on which the parties under investigation should have the opportunity to make their views known' (emphasis added). 84 Moreover, in the absence of any minimum delay, the Proposed Regulation will give the lead authority full discretion to define the time limit within which complainants and parties under investigation may state their views, which is inadequate to ensure sufficient time for them to prepare their case. 85

Second, one must acknowledge that the Proposed Regulation contains some common, pre-established standards that are likely to generate legal certainty for individuals, firms, and supervisory authorities themselves. And yet, no harmonisation can ever be so extensive as to entirely remove discrepancies between national rules which inevitably hinder effective cooperation. Indeed, administrative procedures not only involve rules about the procedural rights of complainants, the handling of complaints, amicable settlement, the scope of case files, or the calculation of deadlines, all of which are included in the Proposed Regulation and certainly represent a useful step towards greater effectiveness of General Data Protection Regulation enforcement, for authorities involved in (simpler) cross-border cases. 86 Administrative procedures also involve detailed rules on issues as diverse as quorum, conflicts of interest, preparation of decisions, the burden of proof, the internal distribution of caseload or cooperation with authorities operating in distinct sectors. No provisions on these issues appear in the Proposed Regulation. Moreover, administrative procedures involve the use of legal concepts, such as 'resolved case', 'draft decision', or 'interested party', that are occasionally defined in the legislation but usually are only a matter of national doctrinal consensus. 87 The Proposal only covers discrepancies in procedural rules and legal concepts that have proven detrimental to General Data Protection Regulation enforcement thus far, only five years since such enforcement began. One simply cannot anticipate the number or severity of other discrepancies that might only become visible in the future. Suffice it to give one simple example. The Proposed Regulation clarifies that the complainant must be informed of the judicial remedies available to him or her when a supervisory authority decides to fully or partially reject a complaint. 88 Yet the appropriate judicial remedies may differ significantly between member states when the administration refuses a request to make a decision. Remedies may range from judicial annulment of the refusal decision to judicial injunctions for the administration to decide as requested.

See Art. 41(2)(a) Charter. One should note that, even though Art. 41 Charter itself does not apply to national administrative procedures, the ECJ has made it clear that the rights enshrined in it constitute general principles of law that must be respected by Union as well as national authorities: see ECJ 24 November 2020, Joined Cases C-225/19 and C-226/19, R.N.N.S., at paras. 33-34 (emphasis added).
84 Ibid., Art. 17(1).
85 Ibid., Arts. 12 and 17(2).
86 Ibid., Arts. 4, 5, 11, 13, 19 and 29.
87 This kind of concept has raised significant practical problems in the enforcement of the GDPR: see Gentile and Lynskey, supra n. 3, at p. 806-808.
To the best of our knowledge, no piece of Union sectoral legislation exists that exhaustively regulates every aspect of national administrative procedures. Moreover, it should be recalled that the Union's competences in harmonising national administrative procedures are limited. Such competences may only be strictly accessory to the substantive harmonisation of the policy fields they address (e.g. harmonising rules for the marketing of medicines may involve not only uniform safety requirements but also uniform licensing procedures). The further harmonisation goes, the more it verges on the complete replacement of administrative procedural laws (at least in one policy field). Such harmonisation would lack any legal basis. Article 197 TFEU, though providing that effective enforcement is a matter of common interest to the member states, explicitly rules out harmonisation legislation; Article 298 authorises the Union to legislate general procedural provisions but only to regulate procedures of the Union's own administration. 89

Lastly, even if the Proposed Regulation somewhat patches up the General Data Protection Regulation's gaps in procedural protection or generates a degree of similarity in national legal standards, it is unable to solve other deficiencies that necessarily arise from the one-stop-shop model. These deficiencies lie in how the model's structural administrative features (decentralised governance and dominance of the lead supervisory authority) lead to the unequal treatment of data subjects, forum shopping, the overburdening and over-empowering of the lead supervisory authority, and risks of domestic bias.
None of these problems can be remedied by simply establishing common procedural provisions. All of them lead to the failure of the General Data Protection Regulation's enforcement model in cases of common European concern. In fact, despite some likely benefits in simpler cross-border cases, the Proposed Regulation not only fails to recognise that large, systemic, serious cross-border cases need a different approach to enforcement, it even appears to worsen some of the one-stop-shop's shortcomings that it aims to improve.
The Proposed Regulation intends to strengthen the influence of all concerned supervisory authorities in cross-border enforcement procedures. 90 Ensuring that they are informed and can comment on the initial stages of investigations is certainly a useful step. However, the overall dominance of lead supervisory authorities is not only not mitigated, but indeed entrenched. First, the much-vaunted protection of procedural rights will, as explained above, remain a matter for the lead authority's discretionary prerogatives after all. Second, the concerned authorities' relevant and reasoned objections are significantly more restricted in their scope in comparison to how they are framed in the General Data Protection Regulation. For instance, concerned authorities may only relate their objections to factual elements already contained in the draft decision (i.e. they may not object by adding factual elements of their own) and they may not change the scope of the allegations in the lead authority's investigation by raising points amounting to the identification of additional allegations. 91 The Proposed Regulation's Explanatory Memorandum even states that the mechanism of objections is to be used only 'sparingly'. 92 Lastly, despite providing that the Board will enjoy the power to issue an urgent binding decision in cases where national authorities disagree on the scope of an investigation, the Proposed Regulation significantly restricts that power. The Board can only exercise that power in investigation proceedings initiated with complaints, and, at least according to the Preamble, it may not do so to expand the scope of an investigation on its own initiative. 93

89 For many, see J.

The case for centralisation

Alongside procedural harmonisation, a second possible remedy has been proposed to mend the one-stop-shop model. The remedy was suggested repeatedly at the 2022 European Data Protection Supervisor's conference on the topic of enforcement and concerns the option of centralising enforcement. It was even mentioned in the speech made by the European Data Protection Supervisor himself, who advocated for a 'pan-European model' of enforcement. 94 Centralised enforcement would mean that some cases of cross-border data processing (those that we here designate as cases of common European concern) would be removed from the scope of the existing one-stop-shop model and would thus not be supervised by national lead authorities, in consultation with concerned authorities. Such cases would rather be exclusively handled by a Union authority (newly created or designated from within the existing ones, like the European Data Protection Board or the European Data Protection Supervisor). For example, an Irish university processing students' and employees' data would still be supervised by the Irish national authority, while a social media platform like Facebook, targeting all the residents of the Union, would be supervised not by the Irish authority but by the newly empowered central authority.

91 Ibid., Art. 18.
92 This limitation stems from the Commission's concern that a swift resolution of the administrative procedure is necessary to provide data subjects with a remedy.
Centralising the enforcement of data protection law can tap into the unique institutional advantages of the Union administration. As Zglinski explains, 'different institutions are good at making different kinds of decisions [so that] when allocating the authority to decide it is crucial that we take these relative strengths and weaknesses into account'. 95 The institutional advantages of the Union administration prove especially relevant in the enforcement of data protection law to address the failures of the one-stop-shop in cases of common European concern.
Centralised enforcement is better at ensuring that Union law is interpreted and enforced equally throughout the Union. Unlike national authorities, 96 the Union administration's jurisdiction is not confined by member states' borders and instead covers the sum of their territories. This minimises the risk of different national enforcement strategies influencing the decisions and thereby presenting the threat of unequal treatment of the citizens of the Union.
Centralised enforcement prevents mishaps and delays that often result from poor coordination between authorities in decentralised enforcement models. This was one of the reasons why the regulation of financial markets shifted towards a more centralised model, with the European Supervisory Authorities playing a powerful, albeit subsidiary, role. Indeed, the recitals of the regulation instituting the European Securities and Markets Authority, when justifying its creation, bear striking resemblance to the criticism of the one-stop-shop model under the General Data Protection Regulation. The regulation intended to remedy a status quo 'where there is insufficient cooperation and information exchange between national supervisors' and 'where joint action by national authorities requires complicated arrangements to take account of the patchwork of regulatory and supervisory requirements'. 97

In most areas of the law, centralised enforcement is simply a matter of political debate as to its advantages and, ultimately, of political choice. We submit, however, that the administrative enforcement of data protection law is constitutionally distinctive from other policy areas.
Article 16 TFEU, the legal basis for the General Data Protection Regulation, 98 as well as Article 8 of the Charter, listing the components of the fundamental right to data protection, state that 'compliance' with rules concerning data subjects' rights 'shall be subject to the control of independent authorities'. Both provisions imply that, if it constitutes the only viable solution to ensure effective 'control', centralising enforcement in data protection is not merely desirable, but constitutionally required. They further imply that, because it must be ensured by 'independent' authorities, effective enforcement cannot be entrusted to one of the bodies qualified in the Treaties as EU institutions, like the European Commission. Instead, it must be entrusted to a Union agency (a Union body created by secondary legislation) in terms that necessarily derogate from the constitutional limitations on the delegation of vast powers to Union agencies that apply in any other policy areas. The two points are elaborated upon below.

Centralisation and the ability to effectively 'control'
Remarkably, the right to the protection of personal data is the only fundamental right in the Charter that specifically demands the setting up of specialised administrative authorities. Article 8 requires data protection rights to be 'subject to control' by supervisory authorities. 99 The very existence of such authorities, the Court stresses, constitutes 'an essential component of the protection of individuals with regard to the processing of personal data'; such authorities are 'the guardians of those fundamental rights and freedoms'. 100 Accordingly, given that it is 'intended to ensure the effectiveness and reliability of the monitoring of compliance', the guarantee of an independent supervisory authority 'must be interpreted in the light of that aim'. 101 The effectiveness of data protection authorities' powers is, therefore, inextricably linked with the effectiveness of the right to data protection itself. If the supervisory authorities tasked with 'control' of compliance with data protection rights lack adequate means to actually fulfil that task (i.e. if the administrative governance of data protection is structurally unable to ensure the effectiveness of those rights), that represents a problem of far more than mere administrative underperformance. It is a problem of a deficit of protection of a fundamental right. It is a violation of a fundamental right by omission rather than by contravention.
Fundamental rights do not merely impose negative obligations, i.e. a prohibition for public authorities, such as Union agencies or national legislatures, to act in a manner that disturbs or harms said rights. Fundamental rights also impose positive obligations, or 'duties to protect' (Schutzpflichten), i.e. a command to actively take the measures necessary for the right of an individual to be effectively protected against other individuals or companies. The right to life does not simply prohibit the state from killing an individual; it also requires the state to effectively safeguard human life, including preventing, investigating and sanctioning murder. 102 The existence of such positive obligations has been recognised by the Court, e.g. in the context of general and indiscriminate retention of traffic and location data to prevent, investigate and prosecute criminal offences, when balancing the need to protect the physical and mental integrity of individuals, or the rights of minors, with the rights to privacy and inviolability of communications. 103 Positive obligations are especially important in scenarios where an uneven balance of power exists between private parties. In such cases, the state is under a duty to legislate in such a manner as to protect, e.g. the rights of an employee vis-à-vis the employer. 104 The right of individuals to data protection is another prime example of a fundamental right commonly violated by other private parties in respect of whom they find themselves vulnerable, namely data controllers.
The positive obligations attached to the fundamental right to data protection are not only found in Article 8 of the Charter 105 but in Article 16 TFEU, which unequivocally creates a competence for the Union legislature to regulate and protect that right. In fact, the basic content of such obligations is plain. Article 16 includes, among others, the requirement addressed to the Union legislature that it creates, or ensures that the member states create, independent supervisory authorities. Article 16 TFEU (and Article 8 of the Charter) entail a requirement, addressed to supervisory authorities, that they ensure compliance with data protection rights. If one takes the general interpretive criterion of effet utile seriously ('the principle that provisions of EU law should be given full effect, practical effect, or their useful effect' 106), then Article 16 must also imply a requirement, addressed to the Union legislature, that supervisory authorities, by their legal powers, procedures and institutional setup, have a real ability to ensure effective compliance.
It has been suggested that, when establishing whether positive fundamental rights obligations are complied with, the Court could draw inspiration from the case law of the European Court of Human Rights. The Strasbourg Court accords states a broad margin of appreciation, i.e. of discretion when choosing the concrete means to the end of protecting fundamental rights. 107 Indeed, this should also be the approach when establishing what measures the Union legislature could take to ensure the protection of personal data.
However, if in certain categories of cases only centralised enforcement can ensure the effectiveness of such protection, then the margin of discretion of the Union concerns not whether it may choose to centralise, but how it may choose to centralise. If the one-stop-shop enforcement system is inherently flawed in cases of common European concern because of its decentralised structure, then the political discretion of the Union legislature is circumscribed to a choice between potential alternative models of centralised enforcement that are fit for the purpose of data protection.

Centralisation, independence, and the limits to delegation
Unlike with other administrative authorities, the Union Treaties are uniquely specific as to the institutional characteristics that data protection authorities must have. Under Article 8(3) of the Charter and Article 16 TFEU, these supervisory authorities are required not only to effectively 'control compliance' but also to be

Regarding the limitations of the Union's agencies' power, the matter seems constitutionally more nuanced. At its core, Meroni aims to preserve the powers of Union institutions and the balance that the Treaties establish between them. As Union agencies are typically not mentioned in the Treaties, Meroni bans the granting to Union agencies of powers implying such 'a wide margin of discretion' that it would bring about 'a transfer of responsibility' from the Union legislator to a Union agency. 110 Crucially, however, the Meroni limits apply to 'cases where autonomous powers have been conferred on an Agency by the EU legislature'. 111 The Court has, for instance, denied the Single Resolution Board to have been granted 'autonomous powers', given that its measures required the assent of the Council and the Commission. 112

Presumably, if it were to act as effectively as its national counterparts, a Union data protection authority would require powers similar to those currently enjoyed by national supervisory authorities. Many such powers involve a broad margin of discretion: a margin of autonomy to assess, on a case-by-case basis, what decisions and choices most adequately serve the policy objectives of data protection law. Supervisory authorities exercise discretion, for example, when they 'order the controller or processor to bring processing operations into compliance with the provisions of [the General Data Protection Regulation], where appropriate, in a specified manner and within a specified period'. 113

Nevertheless, Meroni does not forbid equally broad discretionary powers from being delegated to a Union data protection authority. First, even though the Meroni limits have traditionally been subject to a rather conservative reading, as banning any delegation of discretion, more recent literature has demonstrated that it allows some degree of administrative discretion, i.e. a margin of autonomy in deciding how to implement policy choices, as opposed to making such choices. 114 How broad that margin may exactly be, and how the line between political and administrative discretion can be drawn, remains to be established.
Second, and more importantly, we submit that delegation of administrative decision-making powers to a Union supervisory authority simply does not come under the scope of the Meroni doctrine. The very rationale for the doctrine, i.e. preventing a 'transfer of responsibility' away from Union institutions to the benefit of authorities absent from the Treaties, does not apply. Article 16(2) TFEU does foresee the existence of 'independent authorities' devoted to the 'control' of compliance with data subjects' rights. On the one hand, the provision means that, unlike Union agencies in other policy areas, the legislative creation of a specialised Union-level authority is not only mentioned, not only allowed, but indeed required by the Treaties. The constitutional status of a Union authority is thus less like agencies that were birthed by purely legislative choice and more like the European Central Bank. It is true that the Treaties directly create the European Central Bank, whereas they simply require the creation of a Union data protection authority. Yet both authorities are similar in that the Treaties do foresee their existence, independence from other actors, and intended mandate. Precisely because the Treaties provide that it may be vested with 'specific tasks' of banking supervision (Article 127(6) TFEU), the European Central Bank was, within the Single Supervisory Mechanism, endowed with extensive and independently exercised discretionary powers of a sort which would have been constitutionally impossible with agencies like the Single Resolution Board.115 Similarly, precisely because its mandate and independence from other authorities are foreseen in the Treaties, a Union-level data protection authority can be delegated extensive discretionary powers, without the involvement of Union institutions, which would be unthinkable with other agencies.
On the other hand, the constitutional requirement of independence entails that a Union data protection agency must be able to exercise 'autonomous powers', precisely the sort of powers that Meroni aims to limit. This precludes in data protection the use of 'endorsement' mechanisms, such as the ones existing in bank resolution or financial or pharmaceutical regulation.116 Such mechanisms are introduced in order to preserve the powers of Union institutions and therefore comply with Meroni. When Union agencies have the power to make complex technical and economic assessments, their measures often require the approval (often, in practice, the rubber-stamping) of the Commission or the Council.
authorities.119 We understand the possible hesitance of some actors to 'reopen' the General Data Protection Regulation or to fundamentally change the status quo of the one-stop-shop. However, when dealing with matters of constitutional gravity, we owe an obligation to act bravely not only to the law but, most importantly, to the people whose rights the law promises to protect. In cases of common European concern, we might face choices on how exactly to centralise enforcement. Yet, the affirmative answer to the 'whether?' question is provided by the Treaties.

38 See P. Nicolaides and M. Geilmann, 'What is Effective Implementation of EU Law?', 19 Maastricht Journal of European and Comparative Law (2012) p. 383 at p. 398.

53 See N. Purtova, 'The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law', 10 Law, Innovation and Technology (2018) p. 40.
58 Arts. 49 and 54 of Regulation (EU) 2019/6 of the European Parliament and of the Council of 11 December 2018 on veterinary medicinal products and repealing Directive 2001/82/EC.

77 Directive (EU) 2019/1 of the European Parliament and of the Council of 11 December 2018 to empower the competition authorities of the Member States to be more effective enforcers and to ensure the proper functioning of the internal market.
82 Schwarze, 'European Administrative Law in the Light of the Treaty of Lisbon', 18 European Public (2012) p. 285.
90 See Recital (12) Proposed Regulation.

95 See J. Zglinski, Europe's Passive Virtues: Deference to National Authorities in EU Free Movement Law (Oxford University Press 2020) p. 162.
96 For a recent example, see the Facebook Ireland ruling, supra n. 27, at paras. 47 and 77. The principle of territoriality has shaped the powers of data protection authorities even since before the GDPR. See ECJ 1 October 2015, Case C-230/14, Weltimmo, ECLI:EU:C:2015:639, paras. 50 and 56, where the ECJ stated that the territorial legal limits of national authorities' powers derive from the 'territorial sovereignty' of the member states.
97 Regulation (EU) No. 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), Recital (8).

98 See the Preamble to the GDPR.
99 Indeed, some fundamental rights commentators list the existence of such authorities as constitutive of the right to the protection of personal data, alongside substantive principles such as purpose limitation or fairness. See M. Brkan, 'The Essence of the Fundamental Rights to Privacy and Data Protection: Finding the Way through the Maze of the CJEU's Constitutional Reasoning', 20 German Law Journal (2019) p. 864 at p. 880-881.
100 ECJ 9 March 2010, Case C-518/07, European Commission v Federal Republic of Germany, at paras. 22-23.
See below, section titled 'Harmonization of procedure?'.
See, e.g., N. Purtova, 'The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law', 10 Law, Innovation and Technology (2018) p. 40; C.J. Hoofnagle et al., 'The European Union General Data Protection Regulation: What It Is and What It Means', 28 Information & Communications Technology Law (2019) p. 65; B. Petkova, 'Privacy as Europe's First Amendment', 25 European Law Journal (2019) p. 140; T. Streinz, 'The Evolution of European Data Law', in P. Craig and G. de Búrca (eds.), The Evolution of EU Law, 3rd edn. (Oxford University Press 2021) p. 902; K. Yeung and L.A. Bygrave, 'Demystifying the Modernized European Data Protection Regime: Cross-disciplinary Insights from Legal and Regulatory Governance Scholarship', 16 Regulation & Governance (2022) p. 137.

49 See noyb, 'Meta Prohibited from Use of Personal Data for Advertising' (4 January 2023), available at https://noyb.eu/en/breaking-meta-prohibited-use-personal-data-advertising, visited 29 September 2023.
See European Data Protection Board, Binding Decision 1/2023 on the dispute submitted by the Irish SA on data transfers by Meta Platforms Ireland Limited for its Facebook service (Art. 65 GDPR) adopted on 13 April 2023.
51 52 For the differences in approach to personal data protection in the US, see P. Schwartz and D. Solove, 'Reconciling Personal Information in the United States and European Union', 102 California Law Review (2014) p. 877.