Commentary on the Dutch Data Protection Authority imposing a fine of up to EUR 645,000. | Prighter

“The bad guys do not appoint Art. 27 representatives” but get fined!

Andreas Maetzler, Clara Sator

The High Court of England and Wales concluded in its recent decision Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB):

‘The appointment by an Art.3.2 controller of a representative is, in and of itself, an important signal that the controller is engaging with the GDPR, understands its scope provisions, and accepts the conditionalities it imposes on its access to data and data subjects. It signals, in other words, a recognition of the bargain involved: the burden to be shouldered for the benefit to be gained. It is an acceptance of the application of Art.3.2 and a signal of good intent.’ (full decision)

As the legal counsel of the defendant put it, the bad guys do not appoint Art. 27 representatives. But the question of appointing a representative is no longer only about demonstrating compliance and showcasing the effort to gain trust. The failure to appoint a representative becomes an existential threat to a company in light of the fine imposed by the Dutch Data Protection Authority (“DPA”) on a company operating a Canadian website. Lack of awareness of when the GDPR applies, as well as misconceptions about the exemptions, are widespread. The result is a compliance gap which manifests itself publicly in privacy policies, where every data subject and every data protection authority can see the non-compliance at a glance, particularly with regard to the obligation to appoint a representative under Art. 27 GDPR (more information on the requirement to appoint a representative). The failure to appoint a representative has cost the – presumably Canadian – website Locatefamily.com very dearly, as the Dutch DPA has imposed a fine of well over half a million euro.

About the case

Locatefamily.com is a platform which allows users to seek out contact information of family members, former classmates, or friends with whom they have lost touch. The website therefore publishes personal data such as names, addresses, and sometimes even the phone numbers of individuals located all over the world. Often, the individuals are not even aware that their personal data is being used and published. Over the last couple of years, the Dutch DPA has received multiple complaints from European data subjects claiming that Locatefamily.com failed to respond appropriately to requests for the deletion of their personal data from the website. The Dutch DPA investigated these complaints further and found that data protection authorities in other Member States had received similar complaints. As the complaints kept coming, the Dutch DPA decided to open an investigation into an alleged infringement of Art. 27 GDPR, since the company appeared to be neither seated within the European Union nor to have any establishment within it. No Art. 27 representative was named in the website's very short and incomplete privacy policy.

The failure to appoint an EU GDPR representative

Art. 27 GDPR obligates controllers and processors without an establishment in the European Union to appoint a representative in the EU if they

  • offer goods or services to individuals in the European Union; or
  • monitor the behaviour of individuals in the European Union, as far as that behaviour takes place within the EU.

The reason for this requirement is that data protection authorities and individuals should have a local point of contact for privacy-related questions, and that individuals may address data subject requests under the GDPR to the representative, for example a request for the deletion of their personal data.

One point of contention in this case apparently was whether Locatefamily.com offers its services to individuals in the EU at all. Contrary to what the company believed, the Dutch DPA considered Locatefamily.com to be offering its services to individuals based in the European Union, as the company's website was designed to reach those individuals. Consequently, Locatefamily.com, having no establishment within the EU, is required to appoint a representative. The Dutch DPA deputy chair, Monique Verdier, stressed that ‘there must be an easy way to have that information removed. That's not possible here, partly because Locatefamily.com does not have a representative in the EU. That's why we issued the website with a fine.’

The company's failure to meet this requirement led the DPA to impose a fine of EUR 525,000.00. Additionally, the DPA issued an order subject to a periodic penalty payment, obligating Locatefamily.com to appoint a European representative by 18 March 2021; otherwise it is fined EUR 20,000.00 for every two weeks it continues to fail to appoint one, up to a maximum of EUR 120,000.00. However, the fine could have been considerably higher: for an infringement of Art. 27, the GDPR allows supervisory authorities to impose fines of up to EUR 10,000,000.00 or 2% of the company's total worldwide annual turnover of the preceding financial year – whichever is higher. So one might think they got off lightly here.

Conclusion

It was arguably only a matter of time until data protection authorities started imposing fines for not appointing an Art. 27 representative. Nevertheless, the vast majority of non-EU and non-UK companies without an establishment have not yet appointed a representative, either because they are (or prefer to remain) unaware of the obligation, or because they know about the requirement and accept the potentially devastating risk.

This case shows that supervisory authorities are willing to fine non-compliance and to enforce the obligation to appoint a representative. Not just the Dutch DPA but also nine other data protection authorities participated in the investigation of this case, which shows that compliance with Art. 27 matters to supervisory authorities across the European Union. Furthermore, non-EU and non-UK companies should bear in mind that it is not only the national data protection authorities who may question a company's compliance: the GDPR grants 447 million data subjects in the EU, and the UK GDPR 66 million data subjects in the UK, the right to complain and to enforce their privacy rights individually.

Finally, imposing fines for non-compliance, as in this case, is a well-known power of data protection authorities, but by far not the only one that can be an existential threat to a non-EU or non-UK company. Amongst others, data protection authorities have the power to impose corrective measures such as processing bans or the suspension of data flows to a recipient in a third country, either of which may prevent a company from continuing its usual business. Companies and their advisors should therefore question their understanding of the applicability of the GDPR and of the obligation to appoint a representative, and reassess their position in light of the recent literature (more information). Brexit makes this a necessity for EU companies reaching out to the UK as well as for UK companies targeting or monitoring individuals in the EU. In case of any doubt it is advisable to appoint a representative: the service is easily accessible (here), and according to the High Court of England and Wales the appointment is a signal of good intent.