Is Article 27 the GDPR's 'hidden obligation'?
Six months on from 'GDPR Day' on 25 May 2018, almost all companies know at least something about the EU General Data Protection Regulation, even if it’s just that they don’t yet know enough! Statistics tell us that few companies are 100 percent ready, but that almost all companies are now somewhere along their GDPR journey.
At least that’s what is happening in the EU. Outside of the Union, where the GDPR still applies to companies processing personal data of people in the EU, the situation is a little less clear.
The European Commission has done a poor job of notifying the rest of the world that they could face fines in Europe for the manner in which they process personal data, perhaps of the view that the privacy consultant market would be able to push this agenda for them. Certainly, the majority of consultants have been working to educate their non-EU clients, although too often the response is incredulity; why should they worry about a new law in the EU when they have no base of operations in Europe?
One of the prime areas where a lack of knowledge is placing non-EU companies at risk of GDPR fines is the EU Representative obligation under Article 27.
For those unfamiliar with it, Article 27 requires companies that are not established in the EU, but that monitor or process the personal data of people within the EU, to appoint an EU-based Representative to act as their Europe-facing point of contact for individuals and local data protection authorities. The purpose of this is simple: It ensures that EU citizens will be able to contact the controllers and processors outside of Europe that hold their personal data, without having to make the potentially confusing, difficult and costly efforts required to contact them at their base (imagine the situation in which a French citizen is trying to contact a data controller in a less-developed country with an unreliable postal system; it is very unlikely that they would receive a response within the regulatory response period of a month).
So why is the message on the Representative not reaching the companies obliged to appoint one?
The main reason appears to be the lack of information on this role coming out of the EU. Companies outside of Europe that have appointed a privacy consultant will be receiving the benefit of that consultant’s expertise in respect of applying the GDPR to the specifics of their business, but companies that have chosen to go it alone will largely be basing their preparations on materials coming out of the EU – none of which will mention the EU Representative, because that obligation doesn’t apply to anyone in the EU.
The result? Many companies around the world, even those that are taking seriously their preparations for the GDPR, are going to be in breach of this obligation and in line for a potential administrative fine of up to 10 million euros or 2 percent of global turnover.
Another likely reason for the relatively low appointment levels for Representatives is the confusion between the role of the Data Protection Officer (DPO) appointed pursuant to Article 37 (an in-house role directing the company’s privacy and GDPR-compliance program) and the Representative appointed pursuant to Article 27, which is appointed in an external role in the EU for that company. This is made considerably worse as a result of foreign language issues – many translations will give the same result for "officer" and "representative," which makes compliance much more difficult for companies based in jurisdictions where the first language isn’t European by origin.
What of the EU Representatives themselves?
Companies offering this service have been slow to appear, mainly because of the liability the role attracts. Under Recital 80 of the GDPR, the Representative “should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.” This liability for the failures of their clients is an extraordinary step for the EU to have taken, and while the aim is noble (to ensure that a non-EU company can’t simply walk away without meeting penalties handed down), there is little in the way of precedent for placing such a high risk on an agent of a company. Compare the situation to that of a lawyer, whom a third party would likely never be in a position to approach directly if they had suffered loss as a result of that lawyer’s client. With each EU country having some scope to add their own additional flourishes to implementation of the GDPR, there are also situations arising like that in Spain, where their draft Data Protection Act codifying the GDPR specifies that the EU Representative would automatically have joint and several liability with their client for GDPR failures (and any other resulting penalties).
What should a data controller or processor look for in their EU Representative?
Article 27 appears to only require that they be established in one country where the controller or processor has data subjects. However, as the controller/processor, you may want to ask yourself whether a Representative in only one country would be capable of performing the role of representing a non-EU controller or processor to people based in an EU country far from that Representative (i.e. using a Representative based only in Spain may not provide adequate representation for data subjects based in Estonia or Romania). I personally suspect this is an area where the Court of Justice of the EU is likely to side with the individual and follow the intent of Article 27 to provide an effective EU contact location for those companies. DPR Group is the only EU Representative available with an establishment by way of a contact location in each of the 28 EU member states.
Despite that, the main reason a controller or processor is likely to want an EU Representative with wider coverage is simply the increasingly important "customer experience" factor. If an individual is raising a subject access request with the controller processing their data, it is likely that individual already has concerns about the processing. At times like that, it’s important to make sure those customers are receiving the red-carpet treatment; doing so in the bad times can generate a significant amount of customer loyalty, whereas failing to do so is likely to result in a negative response and potentially a lost customer. In this respect, the Representative can be seen as an offshoot of the customer services team for the controller or processor.
Which leads me on to one of the key reasons non-EU companies should consider the appointment of an EU Representative as one of their first steps in their GDPR preparation: It is the obligation for which it is most immediately obvious where a company has failed to meet the requirement.
Whereas most GDPR obligations exist in the background where the controller or processor carries out the actual processing, the Representative is front and center of the company’s data documentation. Put simply, if a company does not have a base in the EU and does not have details of their EU Representative in their customer-facing privacy notice, it is immediately apparent that it's failed to meet the Article 27 duty. For the EU data protection authorities, spotting this failure is likely a red flag of potential non-compliance elsewhere; conversely, having a Representative listed provides a clear indication to the DPAs (and anyone else) that the company is taking their GDPR responsibilities seriously.
There is one final question which I hear from companies outside the EU: “How does the EU think they’re going to enforce the GDPR outside of Europe?”
It’s a fair question, as decisions of the European courts have no weight of precedent outside of the EU. However, principles of international law will apply and the European fine will likely be enforceable outside the EU in most jurisdictions, although a visit to the local courts for their confirmation will probably be required in many cases. There is also a particular reason why it will be seen by non-EU countries as desirable to be able to enforce GDPR fines, which is the desire among the international community to obtain (or keep) an adequacy finding. This status, conferred upon countries deemed by the EU to have equivalent legal protections for personal data to those in the EU, is a very beneficial one for the international commerce of that country, as it allows organizations in that country to receive personal data from the EU without needing to provide evidence of additional measures put in place to protect that data as it passes across international borders. If a country fails to support a fine under the GDPR in its jurisdiction, it is likely to be treated by the EU as evidence of inferior protections for personal data and will impact that country’s assertion that it provides protections equivalent to the EU.
So, if your company or client is based outside the EU and processes the personal data of people in the EU, please ensure you have appointed your data protection Representative under Article 27 of GDPR in time for GDPR Day. Don’t let the "hidden obligation" catch you out!
(Slightly amended from the original, published on the website of the International Association of Privacy Professionals - https://iapp.org/news/a/is-article-27-the-gdprs-hidden-obligation/)