Companies based outside of the European Union sometimes find it challenging to determine whether the General Data Protection Regulation (GDPR) applies to them. And if they finally work out that the GDPR applies, they then have the challenge of finding a local representative as required by Art. 27. Failing to appoint a local representative when required to do so can trigger fines of 10 million euros, or, if higher, up to 2% of the corporate group’s total worldwide annual turnover.
The European Data Protection Board’s newly issued guidelines on territorial scope (the “Guidelines”) help only slightly with the jurisdictional analysis. In fact, the main news in the Guidelines is almost a footnote to the jurisdictional analysis: In the last paragraph of the Guidelines, the EDPB has confirmed that local representatives appointed under Article 27 are directly exposed to fines, penalties and other liabilities if the company that they represent has breached the GDPR.
The first part of this blog post takes a closer look at the local representative problem. We will then spend some time examining the jurisdictional guidance in a second blog post.
First, the local representative problem.
From the US company perspective, we care about whether or not local representatives are liable for breaches of the GDPR by the company they represent because imposing that liability will inevitably increase the costs of local representative services and may also limit the number of service providers willing to enter the market for local representative services. High costs and a limited pool of service providers create a barrier to US companies entering the European marketplace. One could even argue that, intended or not, the effect is protectionist. Ultimately, if the dearth of local representatives and their high costs prevent US and other foreign companies from entering the EU market because there’s no cost-effective way to comply with that one GDPR requirement, it limits the choices of EU consumers and potentially increases the costs that they end up paying for goods and services.
How did the EDPB get to its conclusion that local representatives are liable for breaches by the companies they represent? Art. 27 does not expressly say that local representatives will be liable for breaches of the GDPR by the company they represent. Art. 27(4) only states that the representative must be authorized by the company (which could be either a controller or a processor, or both) to “be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.” Being “addressed by” a supervisory authority does not clearly equate to vicarious liability. Art. 27(5) goes on to state that the designation of a local representative does not affect the ability of a data subject or supervisory authority to bring a legal action against the controller or processor – which certainly makes sense, since appointing a representative should not let the controller or processor off the hook.
However, the EDPB has picked up on the statement in Recital 80 that “[t]he designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.” The EDPB interprets this as meaning that it was the intent of the European legislators that representatives be liable for any breaches by the controller or processor that they represent, and that the full weight of the GDPR’s extensive fines can be brought to bear on the representative.
Of course, Recital 80 could also be interpreted as meaning that the representative is subject to orders to cooperate with the supervisory authority by providing documents and information, as required under various provisions of the GDPR. But instead of leaving it up to the courts to determine the correct gloss of Recital 80 on Article 27, the EDPB has confirmed the worst fears of many who see a real downside to imposing huge financial risks on local representative service providers. The financial risk might be mitigated by indemnification provisions in the contract between the foreign company and the local representative services provider, but even that would require an analysis under local law to ensure that the indemnification would be enforceable.
One thing’s for sure: the Guidelines do nothing to encourage local representative services providers to jump into the market, and companies that are not based in Europe but are subject to the GDPR will continue to struggle to find cost-effective local representative services to meet their GDPR obligations under Art. 27.
More on the jurisdictional guidance to come in Part II.