On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was mandated by 10 000 people to refer the matter to the CNIL. In the two complaints, the associations reproach GOOGLE for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.

The CNIL immediately started investigating the complaints. On 1 June 2018, in accordance with the provisions on European cooperation as defined in the General Data Protection Regulation (“GDPR”), the CNIL sent these two complaints to its European counterparts to assess whether it was competent to deal with them. The GDPR establishes a “one-stop-shop mechanism”, which provides that an organization set up in the European Union shall have only one interlocutor: the Data Protection Authority (“DPA”) of the country where its “main establishment” is located. This authority serves as “lead authority”. It must, therefore, coordinate the cooperation between the other Data Protection Authorities before taking any decision about cross-border processing carried out by the company.

In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not lead to the conclusion that GOOGLE had a main establishment in the European Union.