A recent fine of €525,000 by the Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority, has focused attention on one of the least discussed provisions of the GDPR – Article 27. This provision requires those who are subject to the GDPR but who do not have a base in the EU to appoint an EU representative to act as a point of contact for supervisory authorities such as the AP and for individuals (data subjects) within the EU. Although the subject of this decision is a website that appears to be based in Canada, it is a warning to those businesses within the UK that may not have understood the need to appoint such a representative following the end of the Brexit transition period on 31 December 2020 and the UK’s exit from the EU.
The AP had received numerous complaints about a website called Locatefamily.com. The website displayed the personal information (e.g. full addresses and telephone numbers) of people who had not provided their information to the website and were unaware of how the platform had obtained their personal information.
It was the view of the AP that it is unacceptable for a website to publish these details without the individuals’ knowledge or consent. It highlighted the importance of having an effective mechanism for the removal of such information at the request of a data subject. This was not possible in this case largely because the website did not have an EU representative.
This is the first time enforcement action has been taken by an authority for a breach of this requirement. The lack of enforcement of this provision to date may have led organisations to believe that this was not a key provision of the GDPR; however, this first action suggests otherwise. It will be interesting to see how enforcement of this fine progresses, particularly as it seems unclear who is operating the website. The AP has given the website 12 weeks to pay the fine and to remedy this breach by appointing a representative. If it does not designate a representative in that time, it faces an additional penalty of €20,000 every two weeks up to a maximum of €120,000, and it may be that the threat of this additional penalty will result in an acceptable response.
There has been little discussion of the scope of an EU representative’s role to date, but we now also have further guidance on this point. Although the Dutch decision emphasises the importance of having a representative in place to facilitate enforcement action, the recent High Court case of Rondon v LexisNexis Risk Solutions UK Ltd makes it clear that the EU representative is not liable for GDPR compliance failures in place of, or in addition to, the organisation that they represent. They are merely a conduit for information. In this case, data subjects alleging compliance failures by World Compliance Inc were looking to sue the appointed representative for the controller’s failures to comply with the GDPR. The court considered the relevant provisions of the GDPR and other relevant laws, as well as related guidance from the European Data Protection Board and the ICO. Particular focus was given to the wording of Recital 80 of the GDPR, which had led some to suggest that there was joint and several liability for the controller and the representative.
The court ultimately struck out the action against the representative, holding that a representative is not liable for the failures of compliance by the controller who appoints them. The ICO had been contacted by the defendant for its view and had confirmed its position, namely: “the ICO is not seeking an interpretation of Article 27 that allows representatives to be held directly liable should a controller or processor they represent fail in their data protection obligations.” Although this decision brings helpful clarity for those acting as representatives, it must be recognised that this is a UK court and the ICO interpreting the GDPR. It will require a court ruling on this issue in one of the remaining 27 EU Member States to put the matter beyond doubt.
Do I need to appoint an EU representative?
Your organisation needs to appoint an EU representative if it has no offices, branches or other establishments in an EU country and it is offering goods or services to individuals in the EU or monitoring the behaviour of individuals in the EU (which could include the use of tracking cookies on a website). In addition, if your organisation is based outside the EU but previously used a UK-based entity as its EU representative, then it will need to appoint a new EU representative based in an EU Member State.
To assist clients in meeting this requirement, we offer a fixed-fee European Representative Service through our Irish subsidiary, Saltire Data Protection Services Limited, based in Dublin.