First discussion of the EU Representative in court
As anyone working in and around GDPR is likely to know, much of the detail of how to apply the Regulation is still to be decided in court. Judicial interpretation was very much relevant to the application of the previous data protection regime in the EU (the Data Protection Directive from 1995), and the new provision in GDPR will no doubt have to be clarified in the courts around the EU and, with the more significant (and contentious) aspects, the European Court of Justice.
One of the areas which is new in GDPR, and therefore open to a degree of speculation, is the interpretation of the extra-territorial reach of GDPR outside of the EU. In particular, some aspects of the role and liability of the EU Representative under Article 27 remain unclear, including the key risk management question for the EU Representative themselves: “At what point does the liability of the Representative for fines/compensation awarded against their clients for GDPR violations (as set out in Recital 80 and European Data Protection Board Guidance 2018/3) become active?” or, to put it more simply, “When can (or should) the EU authorities and courts be requiring a Representative to pay the fines of their clients?”
On 7 March 2019, a court in Austria first addressed that question. The case involved a US-based company, which had appointed another company in the Netherlands as its EU Representative for the purposes of Article 27 of GDPR. The US-based company had breached GDPR requirements (and potentially those of the e-Privacy Directive) by sending a marketing email to an individual in Austria who had not provided their consent for such a communication.
Ultimately, the court did not need to decide when the Representative became liable; they ruled that Article 27(5) of GDPR (that the appointment of an EU Representative did not prevent the legal action being brought against the data controller), and the statute which implemented it into Austrian law, directed them to bring the matter against the non-EU data controller themselves in the first instance. However, in considering the role of the Representative, and the point at which they should be involved in legal actions, this decision from Austria has started the judicial discussion on the role of the Representative as the EU point of contact for a non-EU data controller or processor. The court report can be found here.
Interestingly, as a result of some inconsistencies in the incorporation of GDPR in different EU states, this may not always be the case in every EU country – this is particularly ironic, given that one of the purposes of GDPR was to harmonise data protection law across the EU. The law in Spain, for example, states that the EU Representative can be a defendant to such a case immediately, at the same time or instead of the non-EU data controller/processor client which that Representative acts for in the EU.
And, if the data controller (primary) defendant in the Austrian case fails to meet the fines or compensation awarded against them, the complainant may return to ask the court to demand the Representative meets those payments in the place of their clients.
There is still a great deal of legal discussion to be undertaken in respect of the EU Representative’s role, but it is clear that the legal conversation has begun.
Tim Bell is the Managing Director of DPR Group, a leading provider of EU Data Protection Representative services through its network of 28 contact locations (one in each EU member state). If you require an EU Representative as a result of Article 27 of GDPR, or are not sure whether you need one, please feel free to contact DPR Group to discuss the issues at: email@example.com.