The Philosophy of the EU Data Protection Representative – We Represent, Therefore You Are?
For those familiar with the role of the EU Representative under Article 27 of GDPR, there have always been a number of interesting legal points to debate. Prime issues among these (although there are plenty more) are where the EU Representative should be located in the EU, how liable they should be for the acts or omissions of their clients, and whether a non-EU data controller or data processor is undertaking only “occasional” data processing activities, meaning they have no obligation to appoint a Representative.
Recent guidelines issued by the European Data Protection Board deal with some of these legal aspects which had been open to interpretation, but I believe an important part of the discussion has been left out – what is the philosophical purpose of the EU Representative? Why, when in the Data Protection Officer there is already a point of responsibility for many organizations processing personal data, is the EU Representative required? The Regulation itself isn’t particularly clear on this, and even the (only) Recital which deals with the Representative – Recital 80 – doesn’t explain its purpose.
Put simply, I believe the EU Representative is designed to ensure that EU-based data subjects are able to access and enforce their rights with organizations outside the EU where attempts to do so might otherwise be frustrated; either deliberately, or as a result of a differing level of communications infrastructure in those non-EU countries.
The key is first to look at the purpose of the extra-territorial effect of GDPR. Without naming specific organizations (it shouldn’t take much imagination for you, dear reader, to come up with a few names), there was considerable frustration in the EU at the inability under the 1995 Data Protection Directive to get organizations outside the EU, particularly in the USA, to adhere to data protection principles when processing the personal data of individuals based in the EU. People in the EU had a good degree of reassurance that their personal data was being protected when dealing with EU-based organizations, but much less when dealing with organizations outside the EU, and avoiding those organizations is next to impossible for anyone who wants to use social media. This frustration was felt particularly deeply because the largest private-sector data-processing organizations are located in the USA, which had relatively few protections for that personal data.
The extra-territorial effect of GDPR gave EU-based data subjects rights in respect of those non-EU organizations, but the issue then became how to enforce those rights. This had two parts: direct enforcement against the data-processing organization (i.e. how to make subject access requests, requests to be forgotten and so on outside the EU), and legal enforcement action for a failure to meet GDPR obligations, when those non-EU organizations are unlikely to fall under the jurisdiction of the EU courts or Authorities that would issue enforcement proceedings.
The answer, to a large extent, is the EU Data Protection Representative.
The need for those non-EU organizations to appoint a Representative ensures that the EU-based data subject has a clear route of communication to the data controller or processor without needing to be concerned about the cost and inconvenience of sending communications outside the EU. They can easily raise their subject access requests (and similar requests) with the Representative, meaning they have the ability to exercise their rights. As for enforcing those rights (and, in particular, obtaining appropriate redress for a breach of those rights), the ability to bring such claims against the EU Representative directly, as set out in Recital 80, has been confirmed in the recent guidelines, despite some academic guesswork to the contrary (see, for example, Lothar Determann at the IAPP website).
To my mind, the aim is clear – the EU Representative is to be the EU-based ‘outpost’ of the non-EU organization, to act as the beacon to enable access and enforcement for EU-based individuals (and Authorities).
Once that purpose is clear, based on the philosophy of access to personal data and being able to take action against abuses of rights, it becomes readily apparent that the Representative is designed to be accountable and responsible for their clients’ application of GDPR rights to the processing of personal data about EU-based individuals. It is then down to the Representative to ensure their clients are GDPR compliant, so that they can accept an appointment as that organization’s Representative satisfied that such a position is consistent with their trusted role.
In summary, the philosophy of the EU Data Protection Representative is to ensure the protection of the data subject. To paraphrase the (already pre-paraphrased!) title of this article: We represent, therefore our clients are accountable.
DPR Group is a leading provider of EU Data Protection Representative services, which it delivers from 28 EU contact locations, one established in each EU member state. Please contact us for details of how we can assist you in meeting this obligation.