Guest blog written by Tim Bell, of DataRep. Tim Bell is the Founder and Managing Director of DataRep, a leading provider of EU and UK Representative services, via their unique network of contact locations in each of the 27 EU member states, Norway and Iceland in the EEA, and the UK, enabling them to represent clients regardless of where their data subjects are based.
The Dutch Data Protection Authority has issued a fine of €525,000 against a website which failed to appoint an EU Representative for the purposes of GDPR Article 27, despite the clear obligation to do so. This is the first instance of enforcement of this obligation.
It is generally accepted that the enforcement of GDPR since it became punishable in May 2018 has been patchy. In particular, the enforcement against companies based outside the EU – the regulation of which had been a major aim of GDPR when it replaced the 1995 Data Protection Directive – has been almost exclusively limited to the “major players”: the Googles and Facebooks of the world.
As a result, the enforcement of the Representative “hidden obligation”(1) – that companies outside the EU which are caught by GDPR must appoint a Representative in the EU – has been nearly non-existent; there has been mention of the Representative role in enforcement proceedings (2), but largely to confirm that it hasn’t applied to the entities whose GDPR compliance was in question, usually as a result of those transgressing companies being large multinationals with offices in a number of EU countries, therefore negating the need for them to have appointed a Representative.
That changed on 12th May 2021, with the publication by the Dutch Data Protection Authority (the Autoriteit Persoonsgegevens) of their enforcement action against LocateFamily.com (3), a website whose purpose is notionally to locate individuals with whom one has lost touch. This website has been fined €525,000 for having failed to appoint an EU Representative, with an additional €20,000 for each two-week period during which they remain uncompliant (up to a maximum of €120,000). There are a number of other apparent GDPR failings on the website, which I anticipate will be the subject of additional enforcement proceedings in the future. LocateFamily.com lists a large number of individuals (the website claims 350,000,000 individuals globally at the date of writing this article), along with their addresses, and often their phone numbers, to help connect people who have lost touch.
The Dutch Authority (and others) had received several complaints from EU-based individuals that their data had been included on this website without their consent, and that their requests that the data be removed had not been adequately met by the website’s operators. In conjunction with other EU data protection authorities, the Dutch Authority investigated LocateFamily.com and, based on their published decision (4), they seem to have had very little cooperation from the providers of this website. One of the most significant issues is that they haven’t been able to locate where in the world the company operating the website is based (despite being asked, the company behind the website has failed to provide an answer other than to confirm they have no EU location), although technical investigations indicate that it may be based in Canada.
There is a webform to request the removal of data, but it is conditional on providing an email address which contains the person’s name, so if they have a more generic email address (e.g. [email protected]), that request would likely be rejected. Because the individual themselves would not have provided any information when their data was added to the site (the source of the data listed remains vague, and presumably the subject of further enforcement action to come), there seems to be no adequate way of confirming the identity of a data subject who is requesting deletion of their data – and any individual who did choose to have their data included on the site could potentially have it taken down by someone else pretending to be the data subject (removing such data – when doing so is against the wishes of the data subject to which it related – would also be a violation of GDPR).
The authorities were easily able to conclude that GDPR applied to the processing of the personal data of EU-based individuals listed on the site: a service is being provided to EU-based individuals to assist them to find other individuals, therefore causing the website’s processing of that data to be subject to regulation under GDPR (Article 3(2)(a)). The (brief) responses they received from the website advised that they had no EU establishment or Representative, and nothing in the authorities’ investigations indicated otherwise.
Accordingly, with GDPR applying to the personal data processing, and no EU establishment, the obligation under GDPR Article 27 – that the website should appoint a Representative in the EU – applies.
Out of interest, the authorities concluded that the website is acting as a controller and not a processor of this information – again, this appears quite clear from the website itself (and their Twitter feed), as they seem to choose the manner in which the personal data is being processed, publishing it at their discretion.
The authorities were also able to discount the applicability of the various exclusions: the website does not appear to be connected to a public authority (Article 27(2)(b)), nor did the processing appear to be outside the scope of EU law (e.g. relating to national security etc). There was some helpful clarification of the Dutch Authority’s interpretation of the “occasional processing” exemption in Article 27(2)(a). The Authority found that the processing of this personal data was not incidental to the website’s operation so, even if there was only a small volume of EU personal data being processed (which appears not to be the case), the occasional exemption would not apply because the process was a usual part of the website’s operation. This interpretation of “occasional” is in line with how that term is interpreted regarding the need to appoint a Data Protection Officer, and this ruling serves as confirmation that the same interpretation should apply to the exclusion from the Representative requirement.
Therefore, the company is required by GDPR to appoint a Representative and clearly (including by their own admission) they have not done so.
The full decision also sets out some of the thinking behind the scale of the fine. To summarise: in the absence of any mitigating factors, and taking into account the relevant factors, the standard level of fine for this type of transgression (as set out in the Dutch Authority’s Fining Policy Rules 2019 (6)) was applied, setting the fine at €525,000 (noting that the maximum possible fine is the larger of €10m or 2% global revenue, in line with GDPR Article 83).
It is worth noting the Dutch Authority has a history – albeit not an extensive one – of raising fines against non-EU companies for breach of Representative obligations under data protection law (7). In 2016, under the pre-GDPR Data Protection Directive regime (and its transposition into Dutch law as the Netherlands Data Protection Act 2000), the Authority fined WhatsApp for having failed to meet the obligation (under Article 4 § 3 of the 2000 Act) to appoint a Representative if they were processing EU personal data on IT infrastructure within the EU, notwithstanding that the company didn’t have an EU establishment.
The Dutch Authority found that WhatsApp was processing personal data on the phone handsets of its users in the Netherlands and – in the absence of a Dutch Representative having been appointed – were in breach of the law as it applied then. Their punishment in that case also included an ongoing element related to any continuing transgression – in addition to the €1,000,000 base fine, WhatsApp were ordered to pay an additional €10,000 for each day they continued to have not appointed a Representative.
It should be recognised that the LocateFamily.com case is an extreme example of GDPR failures, given the flagrant abuse of EU personal data. However, what we can clearly conclude is that the EU Data Protection Authorities are aware that GDPR gives them the expectation of a point of contact within the EU for any company which processes EU personal data under the regulatory framework of GDPR, and the scale of the fine makes clear that they take a failure to provide that point of contact very seriously indeed.
If you believe you may need to appoint a Representative in the EU (or, post-Brexit, in the UK), our partners at DataRep can assist you with free, no-obligation advice.
(3) – https://autoriteitpersoonsgegevens.nl/en/news/dutch-dpa-imposes-fine-%E2%82%AC525000-locatefamilycom – English language version
(4) – https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/20210512_boetebesluit_ap_locatefamily.pdf – in Dutch (we hope to have an English translation available shortly)