The first fine for not appointing an EU General Data Protection Regulation representative imposed by the Netherlands' data protection authority, Autoriteit Persoonsgegevens, and a recent high court decision in the U.K. put the spotlight on the obligation of Article 27 of the GDPR and brings some more clarity to the role of the representative.

The quote, “the bad guys do not appoint Article 27 representatives,” was part of the defendant’s pleading in the recent decision of the High Court of England and Wales in Sanso Rondon v LexisNexis Risk Solutions UK EWHC 1427 (QB). The court rephrased the pleading in a more positive way:

'The appointment by an Article 3.2 controller of a representative is, in and of itself, an important signal that the controller is engaging with the [EU General Data Protection Regulation], understands its scope provisions, and accepts the conditionalities it imposes on its access to data and data subjects. It signals, in other words, a recognition of the bargain involved: the burden to be shouldered for the benefit to be gained. It is an acceptance of the application of Article 3.2 and a signal of good intent."

As the defendant's legal counsel put it, "the bad guys do not appoint Article 27 representatives." But the question of appointing a representative is no longer only about demonstrating compliance and showcasing the effort to gain trust. The failure to appoint a representative becomes an existential threat to a company in light of the fine imposed by the AP on a company with a Canadian website.

The lack of awareness and literacy on the applicability of the GDPR and misconceptions on the exemptions are widespread. It results in a compliance gap that manifests itself publicly in privacy policies where every data subject and every data protection authority can see the noncompliance at a glance, particularly regarding the obligation to appoint a representative according to Article 27 of the GDPR. 

The failure to appoint a representative has cost the presumably Canadian website Locatefamily.com very dearly: The AP imposed a fine of over half a million euro. 

About the case

Locatefamily.com is a platform that allows users to seek out the contact information of family members, former classmates, or friends with whom they have lost touch. Therefore, the website uses personal data such as names, addresses and sometimes even the phone numbers of individuals located all over the world. Often, the individuals are not even aware their data is being used and published.

Over the last few years, the AP received multiple complaints from European data subjects claiming Locatefamily.com failed to appropriately react to requests to delete their personal data from the website. The Dutch DPA investigated these complaints further and found several data protection authorities in other Member States received similar messages. When the number of complaints got out of hand, the AP decided to investigate the alleged infringement of Article 27 of the GDPR, as the company also seemed to be neither seated within the European Union nor have establishments within it. The mandatory appointment of an Article 27 representative was not documented in the very short and incomplete privacy policy. 

The failure to appoint a GDPR representative 

Article 27 of the GDPR obligates companies outside of the European Union to appoint a European representative if they offer goods or services to or monitor the behavior of European individuals if the company has no establishment within the European Union.

The reason for this requirement is that data protection authorities and individuals should have a local contact person for privacy-related questions and individuals may address the representative with subject data requests under the GDPR, such as the right to ask for deletion of their personal data. 

One point of contention in this case was if Locatefamily.com is offering its services to EU citizens. Contrary to what the company believed, the AP considered Locatefamily.com to be offering its services to individuals based in the European Union, as the company's website was designed to reach those individuals. Following the above, this requires Locatefamily.com, in the absence of an establishment within the EU, to appoint a representative. The AP Deputy Chair, Monique Verdier, stressed "there must be an easy way to have that information removed. That's not possible here, partly because Locatefamily.com does not have a representative in the EU. That's why we issued the website with a fine."

The inaction of the company to meet this requirement led the Dutch DPA to impose a fine of 525,000 euros. Additionally, the DPA imposed an order subject, obligating Locatefamily.com to appoint a European representative by March 18, 2021, or they would be fined 20,000 euros every two weeks they continue to fail to appoint one, up to a maximum of 120,000 euros. However, this fine could have been considerably higher. The GDPR allows supervisory authorities to impose fines of up to 10,000,000 euros or 2% of the company's annual turnover — whichever is higher. One might think they got off lightly here. 

Conclusion

One may think it was only a matter of time until data protection authorities started imposing fines for not appointing an Article 27 representative. Nevertheless, the vast majority of non-EU and non-U.K. companies without an establishment have not yet appointed a representative either because they are or want to be unaware of the obligation, or know about the requirement and accept the potentially devastating risk. 

This case shows supervisory authorities are willing to fine instances of noncompliance and enforce the obligation to appoint a representative. The AP and nine other data protection authorities participated in the investigation of this case, which shows compliance with Article 27 is relevant for supervisory authorities in the European Union. Furthermore, non-EU and non-U.K. companies should bear in mind that not only may the national data protection authorities question the compliance of a company but the GDPR grants 447 million data subjects in the EU and 66 million data subjects in the U.K. rights to complain and enforce their own privacy rights individually. 

Finally, imposing fines for noncompliance like in this case is a well-known power of data protection authorities, but by far not the only one which can be an existential threat to a non-EU or non-U.K. company. Amongst others, data protection authorities have the power to impose limitations such as processing bans or the suspension of data flows to a recipient in a third country, both of which may prevent a company from continuing its usual business.

So companies and their advisors should question their understanding of the applicability of GDPR and the obligation to appoint a representative and reassess their stance, taking into account the recent literature. Brexit also makes this a necessity for EU companies reaching out to the U.K. and U.K. companies targeting or monitoring individuals in the EU. In case of any doubt, it is recommendable to appoint a representative as the service is easily accessible and a signal of good intent according to the High Court of England and Wales.

Photo by Chiara Daneluzzi on Unsplash