Are GDPR representatives liable for their clients' infringements?

Article 27 of the GDPR requires some organisations with no physical presence in the European Economic Area (EEA) to appoint a representative in the EEA. This will include some UK organisations after the Brexit “transition” period ends on 31 December 2020.

This requirement is relatively new, and raises an important question: why?  

Why are organisations outside Europe required to appoint a local representative?

There are, broadly, two possible answers.

A contact point

The European Data Protection Board (or “EDPB” – the group of supervisory authorities in the EEA) has issued guidance about the role of representatives. That guidance affects how the supervisory authorities act, although it has no impact on the meaning of the law.

In its guidance, the EDPB suggests that GDPR representatives are intended to “facilitate liaison” with organisations outside the EEA that are regulated by the GDPR. In other words, the EDPB thinks that a representative provides a contact point enabling supervisory authorities and data subjects to establish communication with the representative’s client outside Europe.

At a basic level, the EDPB is right. Article 27(4) of the GDPR specifies that a representative can be “addressed” by data subjects and supervisory authorities in relation to its clients' processing of personal data.

But is this the only reason why organisations outside Europe are required to appoint representatives?

In practice, a representative will be contacted by data subjects and supervisory authorities usually by email, or perhaps by telephone or post.

If a supervisory authority or data subject communicates by email, it will be no harder to contact the organisation outside Europe than its local representative. It might be a little harder to telephone an organisation outside Europe – it might cost more, and might involve a time difference. And it might cost slightly more, and take slightly longer, to send a letter to an organisation outside Europe.

But can that slight inconvenience really be the reason why organisations outside Europe are required to appoint European representatives?

A redress mechanism

The alternative explanation is that the representative provides a redress mechanism: an entity within Europe that can be sued for compensation, or have financial penalties imposed on it, when the client outside Europe breaches its obligations under the GDPR.

As we’ve explained previously, there are important questions about how to enforce regulatory sanctions and judicial decisions for breach of the GDPR against organisations outside Europe. If representatives provide a redress mechanism through which they are liable for their clients’ infringements, this would resolve the enforcement problem.

Recital 80

This interpretation is suggested by recital 80 to the GDPR, which states that a representative is “subject to enforcement proceedings in the event of non-compliance by [its client]”.

Recitals are a key part of EU legislation. They state the “purposes” that the legislation was designed to fulfil, and which guide its interpretation.

The “legislative history”

This interpretation is also supported by the “legislative history” – in other words the story of the creation of the GDPR.

The wording in recital 80 seems to have been introduced for the first time (with very slightly different phrasing) in this working draft of the GDPR dated 27 March 2013 (draft recital 63, p. 24).

That draft seems to have been created in response to two comments made during negotiations at the European Council earlier in 2013. First, the UK delegation noted that previous drafts did “not clearly set out the scope of a representative’s mission, his/her role or liability”. Second, the German delegation stated that “[i]t should […] be made clear that supervisory authority or judicial measures and sanctions can be effectively imposed, served and enforced against the representative”. Both comments are included in this record of negotiations on the draft GDPR dated 1 February 2013 (at pages 66 and 257).

So the legislative history suggests that recital 80 was created precisely in order to clarify that representatives are liable for their clients’ infringements.

Arguments against this interpretation

As the EDPB has rightly noted, Article 27(5) of the GDPR states that the appointment of a representative is “without prejudice to” any legal action that can be brought directly against the representative’s client.

That provision means that an organisation outside the EEA won’t escape liability just because it appoints a representative. But it’s consistent with a situation in which the representative becomes jointly liable (with its client) for the client’s breaches of the GDPR – and so provides a redress mechanism within Europe.

Others have objected to the principle that a representative might be made liable for someone else’s wrongs. It’s easy to see why a person shouldn’t normally be sent to prison for a theft committed by someone else. But when a representative accepts its appointment in a commercial arrangement, the situation is arguably quite different.

How will this debate be resolved?

Only the EU Court of Justice will be able to decide definitively whether GDPR representatives are liable for their clients’ infringements.

For this to happen, the question will need to be raised in a case before the court. We’ve described previously how and when this might happen.  

It’s impossible to predict with certainty what the court will decide. But it would be unusual for the court to ignore the plain wording of recital 80.

What about UK representatives?

After the Brexit transition period ends on 31 December 2020, the new “UK GDPR” will require some organisations without a physical presence in the UK to appoint a UK representative.

The question whether UK representatives are liable for their clients’ infringements will ultimately be resolved by the courts in the UK. But, at least at the start, the UK GDPR will closely mirror the EU GDPR. So the arguments for the UK courts to resolve are likely to be very similar.  

How DataAgent can help

We’re a GDPR representative based in Ireland and the UK. We provide both an EU and a UK representative service.

We were founded in the expectation that there will be attempts to hold representatives liable for their clients’ breaches of the GDPR. Our mission is to provide best-in-class service guarantees and resilience for these situations.

For most clients, we charge no more than two hours of your usual lawyer’s time each month. Our monthly fees cover all our time for the lifetime of your subscription – no matter what happens.

To find out more, please contact us.