Does the recent fine for a Canadian website without an EU representative signal a change in GDPR enforcement priorities?

The role of representative under the EU General Data Protection Regulation remains one of the lesser-known obligations under the GDPR — it has been referred to as a "hidden obligation." 

The problem is this obligation applies to companies with no EU establishment, which likely refers to small and medium-sized business enterprises and companies that may still be in the early stages of growth. They are less likely to pay for a quality privacy consultant to inform them they need an EU representative. Instead, they will likely obtain their GDPR advice from the internet and work from materials written by European lawyers for a European audience — which do not need a representative due to their EU establishment. To give an idea of the scale of noncompliance with the representative obligation, research by our company DataRep found more than 90% of the companies that participated in the EU-U.S. Privacy Shield and didn't have an EU location failed to make this appointment.

Some companies in this position may have been loosely aware of the obligation but either relied on a common misunderstanding of the "occasional" exemption or took a risk on it because there was no enforcement to date. 

The reassurance that no one else was punished for this failure effectively ended May 12 when the Netherlands' data protection authority, Autoriteit Persoonsgegevens, issued the first fine for failure to appoint a representative under GDPR Article 27. The DPA fined LocateFamily.com 525,000 euros, plus 20,000 euros for every two weeks the appointment is not made, up to a maximum of 120,000 euros. In its decision, the DPA explained the size of the fine was in line with the Dutch Fining Policy Rules and well within the maximum 10 million euro fine permitted for this failure.

LocateFamily.com is somewhat shrouded in mystery. According to its website, it helps people locate individuals they have lost touch with, aided by a published list of 350 million individuals worldwide on the site. The data of EU-based individuals is shared with the website's Twitter page, where requests to find individuals and the country the request came from are posted, seemingly contradicting its privacy policy, which claims data is not shared.

It isn't possible from the website to establish the company that sits behind it. However, from the minimal response the Dutch DPA received from the website's operators and the apparent North American focus — gathered information suggests the site may be based in Canada — it appears it doesn't have an EU establishment and has not appointed an EU representative. It is clear the website is processing EU personal data given it identifies the location of individuals, including home addresses and sometimes phone numbers.

As a result, the website is regulated under Article 3(2) GDPR because it provides a service to EU-based individuals without having an EU establishment. Its operator is obligated under Article 27 to appoint a representative based in the EU and had not done so.

Even if the number of EU-based data subjects were few, which it isn't, the "occasional" exemption from the representative obligation in Article 27(2)(a) would not apply. The exemption covers companies whose processing of EU personal data is itself occasional; it does not cover companies that occasionally process EU personal data as part of a usual business process. This is a major distinction clarified by the European Data Protection Board in its guidance note 03/2018. The language used by the Dutch DPA appears to confirm this interpretation also applies to the representative obligation; roughly translated, the wording in the Dutch decision is that the processing of EU personal data is more than "incidental," so the occasional exemption does not apply.

There are a number of other GDPR issues with the website, most notably regarding the unclear source of the data LocateFamily.com published, whether adequate consent or any other lawful basis for the data use was obtained from EU-based individuals, and the effectiveness of the process to raise concerns and deletion requests in respect of that data. However, this specific decision is quite clear — the large fine relates solely to LocateFamily.com's failure to appoint the representative. 

Issuing a fine in this manner for a failure to appoint a representative might be a useful tool for the EU authorities trying to gain access to a rogue company processing EU data. Now that there is a financial penalty for the Dutch DPA to pursue, procedures in the home jurisdiction of the processor that were previously unavailable may open up. For example, they may now be in a position to demand information from the company that hosts the offending website and other providers working with the website's operators to facilitate payment of the fine, which might not have been an option when they were simply investigating a potential violation. I anticipate that once it is possible to "land" this initial fine, or at least locate the parties against which it has been made, further sanctions will follow relating to other GDPR failings that appear on the website.

So, does this signal a new direction in EU enforcement of the GDPR outside of the EU and the European Economic Area? 

I believe it does. Previously, we've seen enforcement in the EU and enforcement against Big Tech companies headquartered overseas with EU locations, but we haven't seen much enforcement against smaller companies entirely outside the EU. It should be noted that the Netherlands' DPA did not start the investigation on its own initiative; it originated from the complaints of Dutch and other EU data subjects, as the authorities don't have the capacity within their meager resources to investigate non-EU companies based on their own concerns. Yet, as expected, the DPA follows up on the concerns of its data subjects regardless of where transgressing organizations are based.

If the failure by non-EU-based companies to appoint an EU representative can be seen as a route to facilitate wider enforcement, it may become the first step taken by EU authorities in cases relating to non-EU companies. Previously, I've heard an argument that a failure to appoint a representative could be an advantage because it makes it harder to bring actions against a non-EU entity without an EU address. It may now become a disadvantage, with a failure to appoint a representative used as a method for the authorities to get their regulatory foot in the door before bringing other sanctions related to the processing taking place.

There will now be a period of silence as the Dutch DPA seeks to locate the company behind this site, but a lot of privacy professionals will be watching for the enforcement of this fine, along with those companies that have declined to appoint a representative.

Photo by Christine Roy on Unsplash
