News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Is Article 27 the GDPR's 'hidden obligation'? Related reading: GDPR: Lost in translation?

rss_feed

""

As we approach the last few weeks before ‘GDPR Day’ (if I keep calling it that, it’ll catch on…), almost all companies know at least something about the EU General Data Protection Regulation, even if it’s just that they don’t yet know enough! Statistics tell us that few companies will be 100 percent ready, but that almost all companies are now somewhere along their GDPR journey.

At least that’s what is happening in the EU. Outside of the Union, where the GDPR does apply to companies processing personal data of people in the EU, the situation is a little less clear.

The European Commission has done a poor job of notifying the rest of the world that they could face fines in Europe for the manner in which they process personal data, perhaps of the view that the privacy consultant market would be able to push this agenda for them. Certainly, the majority of consultants have been working to educate their non-EU clients, although too often the response is incredulity; why should they worry about a new law in the EU when they have no base of operations in Europe?

One of the prime areas where a lack of knowledge is placing non-EU companies at risk of GDPR fines is the representative obligation under Article 27.

For those unfamiliar with it, Article 27 requires companies that are not established in the EU, but that monitor or process the personal data of people within the EU, to appoint an EU-based representative to act as their Europe-facing point of contact for individuals and local data protection authorities. The purpose of this is simple: It ensures that EU citizens will be able to contact the controllers and processors outside of Europe that hold their personal data, without having the potentially confusing, difficult and costly efforts required to contact them at their base (imagine the situation in which a French citizen is trying to contact a data controller in a less-developed country with an unreliable postal system; the likelihood of them receiving a response within the regulatory response period of a month is very unlikely).

So why is the message on the representative not reaching the companies obliged to appoint one?

The main reason appears to be the lack of information on this role coming out of the EU. Companies outside of Europe that have appointed a privacy consultant will be receiving the benefit of that consultant’s expertise in respect of applying the GDPR to the specifics of their business, but, for companies that have chosen to go it alone, they will largely be basing their preparations on materials coming out of the EU – none of which will mention the representative, because that obligation doesn’t apply to anyone in the EU.

The result? Many companies around the world, even those that are taking seriously their preparations for the GDPR, are going to be in breach of this obligation and in line for a potential administrative fine of up to 10 million euros or 2 percent of global turnover.

Many companies around the world, even those that are taking seriously their preparations for the GDPR, are going to be in breach of this obligation and in line for a potential administrative fine of up to 10 million euros or 2 percent of global turnover.

Another likely reason for the relatively low appointment levels for representatives is the confusion between the role of the data protection officer appointed pursuant to Article 37 (an in-house role directing the company’s privacy and GDPR-compliance program) and the representative appointed pursuant to Article 27, which is appointed in an external role in the EU for that company. This is made considerably worse as a result of foreign language issues – many translations will give the same result for "officer" and "representative," which makes compliance much more difficult for companies based in jurisdictions where the first language isn’t European by origin.

What of the representatives themselves?

Companies offering this service have been slow to appear, mainly because of the liability the role attracts. Under Recital 80 of the GDPR, the representative “should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.” This liability for the failures of their clients is an extraordinary step for the EU to have taken, and while the aim is noble (to ensure that a non-EU company can’t simply walk away without meeting penalties handed down), there is little in the way of precedent for giving such a high risk for an agent of a company. Compare the situation to that of a lawyer, which a third party would likely never be in a position to approach directly if they had suffered loss as a result of that lawyer’s client. With each EU country having some scope to add their own additional flourishes to implementation of the GDPR, there are also situations arising like that in Spain, where their draft Data Protection Act codifying the GDPR specifies that the representative would automatically have joint and several liability with their client for GDPR failures (and any other resulting penalties).

What should a data controller or processor look for in their representative?

Article 27 appears to only require that they be established in one country where the controller or processor has data subjects. However, as the controller/processor, you may want to ask yourself whether a representative in only one country would be capable of performing the role of representing a non-EU controller or processor to people based in an EU country far from that representative (i.e. using a representative based only in Spain may not provide adequate representation for data subjects based in Estonia or Romania). I personally suspect this is an area where the Court of Justice of the EU is likely to side with the individual and follow the intent of Article 27 to provide an effective EU contact location for those companies.

Despite that, the main reason a controller or processor is likely to want a representative with wider coverage is simply the increasingly important "customer experience" factor. If an individual is raising a subject access request with the controller processing their data, it is likely that individual already has concerns about the processing. At times like that, it’s important to make sure those customers are receiving the red-carpet treatment; doing so in the bad times can generate a significant amount of customer loyalty, whereas failing to do so is likely to result in a negative response and potentially a lost customer. In this respect, the representative can be seen as an offshoot of the customer services team for the controller or processor.

Which leads me on to one of the key reasons non-EU companies should consider the appointment of a representative as one of their first steps in their GDPR preparation: It is the obligation for which it is most immediately obvious where a company has failed to meet the requirement.

Which leads me on to one of the key reasons non-EU companies should consider the appointment of a representative as one of their first steps in their GDPR preparation: It is the obligation for which it is most immediately obvious where a company has failed to meet the requirement.

Whereas most GDPR obligations exist in the background where the controller or processor carries out the actual processing, the representative is front and center of the company’s data documentation. Put simply, if a company does not have a base in the EU and does not have details of their representative in their customer-facing privacy notice, it is immediately apparent that it's failed to meet the Article 27 duty. For the EU data protection authorities, spotting this failure is likely a red flag of potential non-compliance elsewhere; conversely, having a representative listed provides a clear indication to the DPAs (and anyone else) that the company is taking their GDPR responsibilities seriously.

There is one final question which I hear from companies outside the EU: “How does the EU think they’re going to enforce the GDPR outside of Europe?”

It’s a fair question, as decisions of the European courts have no weight of precedent outside of the EU. However, principles of international law will apply and the European fine will likely be enforceable outside the EU in most jurisdictions, although a visit to the local courts for their confirmation will probably be required in many cases. There is also a particular reason why it will be seen by non-EU countries as desirable to be able to enforce GDPR fines, which is the desire among the international community to obtain (or keep) an adequacy finding. This status, conferred upon countries deemed by the EU to have equivalent legal protections for personal data to those in the EU, is a very beneficial one for the international commerce of that country, as it allows organizations in that country to receive personal data from the EU without needing to provide evidence of additional measures put in place to protect that data as it passes across international borders. If a country fails to support a fine under the GDPR in its jurisdiction, it is likely to be treated by the EU as evidence of inferior protections for personal data and will impact that country’s assertion that it provides protections equivalent to the EU.

So, if your company or client is based outside the EU and processes the personal data of people in the EU, please ensure you have appointed your data protection representative under Article 27 of GDPR in time for GDPR Day. Don’t let the "hidden obligation" catch you out!

photo credit: Lawrence Wang 王治钧 落地玻璃上的反光+雨幕 Reflection +rain curtain on the windows #上海 #shanghai #shanghaicity #rain #umbrella #onlyiphone #phonepic via photopin (license)

Author
Headshot Tim Bell IAPP Member Contributor
Tags
Enforcement
Privacy Law
Privacy Operations Management
Privacy Opinion
Transborder Data Flow
15 Comments

If you want to comment on this post, you need to login.

  • comment Robert Madge • May 3, 2018 
    It will take time for the message to sink in...
  • comment Robert Cattanach • May 3, 2018 
    To be precise, Article 27 does not apply to "processing which is occasional, does not include, on a large scale, processing of special categories of data ...[Article 9] or processing of personal data relating to criminal convictions ...[Article 10} and is unlikely to result in a risk to the rights and freedoms of natural persons taking into account the nature, context, scope and purpose of the processing" -- perhaps a not-insignificant exception for many modest-sized companies with only a website that processes occasional orders from EU residents and has modest data analytics.
  • comment Peter Miller • May 3, 2018 
    Controllers and processors not established in the EU who have concerns about the extent and validity of GDPR’s extraterritoriality might also be considering whether appointment of an Article 27 representative – “mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues relating to processing for the purposes of ensuring compliance with [GDPR]” – amounts to consent to EU and Member State jurisdiction and thus a potential relinquishment of their ability to later challenge GDPR, whether directly or during the attempt to enforce a foreign judgment.
  • comment Lyn Boxall • May 3, 2018 
    I am well aware that my clients to whom the GDPR applies need to appoint an EU representative.  And I spent some time earlier this year trying to locate individuals/firms that might provide such services.  I encountered confusion among potential appointees about their potential liability and thus a lack of appetite to take on the role, except at an exorbitantly high price.  (Such pricing is quite understandable when liability is unknown - this is not a criticism of them).  In addition, I have clients with business in all EU Member States without having an establishment in any of them.  There is confusion as to whether the need an EU representative in many, if not all, Member States.  I'm about to re-start the search in the hope that things have developed and changed and I can find a slate of candidates for my clients.  Anyone with suggestions, please contact me and let me know - lyn@lynboxall.com in Singapore.
  • comment Jennee DeVore • May 3, 2018 
    Article 27 uses the term "representative" and not "data protection officer" as discussed in Article 37. I'm concerned that this article may confuse this distinction. The representative is a data protection liaison that must work with the DPO but it does not necessarily need to be the DPO.
  • comment Ryan Costello • May 4, 2018 
    I do not believe that Art. 27 was written with the intention of extending liability to EU representatives for the failures of their clients. Article 27 (5) specifically says that the "designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or processor themselves." I believe that language makes it clear that the representative is not "on-the-hook" for GDPR non-compliance on the part of the controller/processor. The fact that Spain seeks to introduce a joint and several liability provision for representatives only reinforces this point, in my view. 

I do concede that the language of Recital 80 stating that "the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor" does muddy the water somewhat, but I believe the language suggests that the representative should be party to, or present for, those proceedings... the physical stand-in for the controller/processor, as it were... but does not extend liability to the representative for non-compliance. Moreover, recital language is not legally binding, unlike the regulatory text itself.
  • comment Jeroen Terstegge • May 4, 2018 
    It’s a hidden, but also pointless obligation (which by the way already existed in the past 23 years). It’s pointless for several reasons: 1) the representative is not the DPO (although it could be), so representatives do not contribute to compliance and fair processing; 2) in the days of internet and e-mail contacting controllers by postal mail is completely outdated; 3) the data protection authorities may issue a fine directly against the representative (see recital 80), so many companies will find it hard to find a representative willing to take the fall for them first and hoping to be indemnified later.
WhatsApp was forced by the Dutch DPA to appoint a representative in The Netherlands. In court, WhatsApp argued that it -unsurprisingly- couldn’t find one. The court noted that that is not a defense under the law. But this shows the problem. The riskier the company and the larger their turnover, the less likely they will be able to find a representative. On the other hand, the DPA’s enforcement priorities will generally not lie with the low-risk non-EEA companies that have failed to appoint a representative, so in such cases, appointing a representative is just an administrative burden. I expect that we will see a lot window-dressing here, where a shell company will be set up acting a representative that handles any data subject requests and DPA inquiries, but that goes bankrupt as soon as a fine is issued against it.
The obligation for processors to appoint a representative is also pointless given the fact that data subjects and the DPA should first and foremost contact the controller in the EEA anyway, article 28 already requires that the data processor agreement must stipulate that the processor informs the controller on request that he provides all information relating to the processor’s compliance with the GDPR, and the controller is in principle jointly and severally liable for the processor’s non-compliance (art. 82.2), although he could in theory discharge himself (art. 82.3), but that is very hard to do given the heavy burden placed on the controller by art. 24. So in the end, the most logical way is that the controller acts as the processo’s representative.
  • comment Diana Andrade • May 4, 2018 
    Congratulations, your article is excellent! The requirement is very well explained, the challenges of direct liability of the DP Reps and reasons for this being somehow a "hidden obligation" and the imminent risk for companies for not appointing a DP Rep when it's one of the first requirements SA's will look at when verifying compliance.
  • comment Alejandra Brown • May 4, 2018 
    I am in the same situation as Lyn Boxall. I haven't been able to find a company in the EU that can represent some of my customers in Canada that do not have a physical presence in the EU, yet the EU is a big market for them. If anyone has some guidance around what specific companies will provide this service, I will appreciate your feedback as well. My email is abrown@kirke-consulting.com
  • comment Karn Jani • May 7, 2018 
    Good insights Tim! Even though most of us have been busy talking about SARs, DPIAs, PbD, etc., it would not be wrong in assuming that this critical aspect of compliance would have been missed in a majority of compliance exercises/ audits. Having said that, Article 27 leaves a lot for interpretation and does not come out as a prominent 'to-do' item (aptly called 'hidden'). As mentioned in a few comments above, finding a EU representative who would be prepared to bear the burnt of enforcement actions is a tedious exercise, unless there is a guidance available. Recital 80 just makes the job more difficult. Nevertheless, as is the case at present, law firms established within EU could still continue to represent their non-EU clients, while the monetary liability factor would then be re-considered. But are the firms ready to put their neck in?
  • comment Emma Butler • May 8, 2018 
    This will also become an issue for UK-based businesses after Brexit. Given the liability, no-one is offering these services, so it's unclear what small businesses are supposed to do.
  • comment Ken Baylor • May 25, 2018 
    In the last few weeks a few new services have come online for EU Representation, from all over the EU. However, please choose the location of your EU Rep carefully: https://www.linkedin.com/pulse/where-should-you-place-your-eu-representative-gdpr-ken-baylor-ph-d-/
  • comment Jan Lange • Oct 19, 2018 
    Hi Tim, very nice article, congratulations! Now, five months after the go live of the GDPR it is quite surprising to see that not many non-EU companies have assigned a representative in the EU. Even most international airlines from non-EU countries that fly into EU do not have any information about a representative in the EU in their privacy notes, despite the fact that they process data of their EU customers on a regular basis (and not „occasionally“). I assume that we need the first rulings and case law in order to wake up companies regarding the EU GDPR requirements. Best regards, Jan from „idc-representative.de“
  • comment Cornelia Maria Schmitt • Feb 28, 2019 
    This will also be very interesting in the context of Brexit. Companies outside of the EU, but with branches in EU might face that scenario as well unless they can clearly identify and prove that a branch in the EU can be identified as main establishment. Any thoughts?
  • comment Nazeem Patel • Mar 13, 2019 
    Its about time that people that needs to work start working...
Related Stories
GDPR: Lost in translation?
6
For privacy professionals who are not familiar with the EU’s legal culture: Even if you think you understand all the ins and outs of the GDPR, you may still run into nasty surprises. The root cause of the problem? Translations! The EU has 24 official languages. Add Norway and Iceland (EEA-countries...
Read More queue Save This
New study highlights lack of GDPR preparedness
2
Recently, we endeavored to conduct a new major survey, sponsored by our internationally focused law firm McDermott Will & Emery and carried out by the Ponemon Institute (hat tip to the IAPP for helping with some question development). Quite simply, it has revealed that many companies are behind ...
Read More queue Save This
Most member states won't be ready for GDPR
1
The EU's incoming General Data Protection Regulation is, as the name makes clear, a regulation. Unlike an EU directive, it applies across all member states without the need for each country to transpose it into national law.  However, each member state does still need to update its national data pr...
Read More queue Save This
Avoiding three GDPR pitfalls
A recent industry report found that an overwhelming number of organizations in the U.S. and EU are unprepared for the EU General Data Protection Regulation, which becomes enforceable May 25, 2018. And, industry firm Gartner predicts that more than 50 percent of companies affected by the regulation w...
Read More queue Save This
DPAs to pros: There's no grace period, folks
In a session at the IAPP Data Protection Intensive here in London today, representatives from four European data protection authorities offices were on hand to share some insights into what their offices are doing to prepare for the General Data Protection Regulation's forthcoming implementation, an...
Read More queue Save This
Related Stories
Tags
Enforcement
Privacy Law
Privacy Operations Management
Privacy Opinion
Transborder Data Flow
Recent Comments