In this thesis, I critically assess two related questions; the scope of EU data protection law pursuant to the new General Data Protection Regulation, and the one-stop-shop mechanism in the Regulation. The first part of the thesis is a comparison of Article 4 in the Data Protection Directive and Article 3 of the General Data Protection Regulation. The conclusion on this point is that the scope of EU data protection law has broadened. We have gone from a scope linked to territory, to a scope that also covers undertakings with no establishment, equipment or means for processing on the territory of the Union. This unequivocally severs the link between the scope of EU data protection law and the territory of the Union. The second part of the thesis is an assessment of the new one-stop-shop mechanism in the Regulation. I evaluate whether or not the one-stop-shop mechanism adopted in the Regulation is likely to fulfil the promises of the EU legislature, and reduce administrative burdens, facilitate more efficient cross border flows of personal data and increase legal certainty for controllers, processors and supervisory authorities. My main conclusion for this part of the thesis is that the Regulation fails to live up to the promises made by the legislature by introducing too many and varied exceptions to the one-stop-shop mechanism. The various exceptions influence both data subjects, supervisory authorities, controllers and processors. In sum, there are grounds for doubting whether the one-stop-shop mechanism succeeds in drastically cutting red tape and doing away with the formalities plaguing the current system. For some controllers and processors covered by the scope of EU data protection law – particularly those without an establishment in the Union – the mechanism may lead to less legal certainty and in fact increase the administrative burden. Considering that the Council considered the one-stop-shop mechanism to be one of two central pillars of the proposal, these are important concerns.