GDPR EU representative enforcement continues

When the EU General Data Protection Regulation replaced the EU Data Protection Directive in 2018, one of the main reasons for the change was the need to protect EU data subjects from the data processing taking place outside the EU, which the previous regime had no method of impacting.

That was great, of course, but one of the most important aspects of any law is the ability to enforce it — if no enforcement is possible, it is more of a request than a rule. Enforcing legal requirements across international borders — and being able to force a transgressor to pay their fine — has always been a challenge, particularly when a company resides in a country with different rules where the infringement wouldn’t be considered noncompliant and, potentially for political reasons, the fine might be deemed an unfair tax on companies from that country. As a result, the GDPR needed procedures to ensure it was able to bring its protective stance to bear on those overseas companies which it proposed to regulate.

One of the main methods of ensuring that action could be effectively brought against non-EU companies was the expansion of the EU representative role under GDPR Article 27. Previously, this requirement only applied to non-EU companies that used IT infrastructure within the EU to process personal data. The expanded role requires most companies with no EU presence; they are required to comply with the GDPR because they sell to the EU or monitor people there, to appoint a representative. 

With a representative available, requiring a company outside of Europe to respond becomes much easier and — if one hasn’t been appointed — that’s an apparent and immediate GDPR failure that can be used to encourage that company to engage with the process or face an immediate penalty.