The internet may be global, but enforcement is always local—and there are plenty of (expensive) ways to find out the wrong way that you should have been doing something where you might not expect it.
A typical example is the legal requirement to appoint an EU data protection representative if you’re not based in the EU, or a UK representative if you’re not based in the UK.
Appointing a ‘rep’ is a simple thing to do, but it has fallen under the radar for many businesses or simply been overlooked—understandable perhaps, as Brexit and COVID-19 have dominated the headlines in recent months and years. But a recent decision by the Dutch data protection authority means this important obligation can no longer be put on the back burner.
The Dutch decision, its hefty one-off fine and significant continuing-breach fines have upended the risk profile of doing nothing. For many businesses, now’s the time to act.
The Dutch authority fined a business based outside of the EU, Locatefamily.com, over half a million euros (ie, €525,000; about US$635,000) for failing to appoint an EU representative. But it went even further: it said that the business had until 18 March 2021 to appoint a representative, failing which it must pay €20,000 (US$25,000) for every two weeks that it’s in breach of this requirement, up to a maximum of €120,000 (US$145,000). The result? For this one business alone, seemingly based in Canada, the total fines could add up to an eye-watering €645,000 (US$785,000).
The business, which publishes the addresses and telephone numbers of millions of people across the globe, often without them knowing, says on its website that ‘LocateFamily.com and its parent company are not located in the European Union and have no business relationships in the EU’. That might well be the case; however, the territorial-scope provisions in GDPR make it clear that this sort of processing falls under the GDPR and therefore this type of business has to appoint an EU representative.
The decision itself is a masterclass in Dutch straight-talking. As the authority says, the consequences of not having a representative are clear: ‘it is not easy if [people] want their data deleted, because Locatefamily does not have a representative in the EU. Not having a representative in the EU is a violation of privacy law and the reason for the fine.’
And this affects the UK too. Although the UK has left the EU, including the transition period, its data protection laws closely mirror those of the GDPR. It’s likely that this Dutch decision could also significantly influence how the UK data protection authority, the ICO, approaches a similar situation in the UK, if, for example, a business based outside of the UK were to fail to appoint a UK representative. The recent fines in the Marriott and British Airways cases, although reduced, were still significant and show that the ICO is willing to issue fines, and do so in amounts that could be damaging to a business’s bottom line.
What’s more, data protection regulators across the globe continue to liaise with one another on matters such as this. In this case, the Dutch regulator collaborated in its investigation with nine other EU data protection authorities and the Office of the Privacy Commissioner of Canada.
Put simply, the cost of inaction could prove to be expensive. So what should you do now?
- If you are a private sector business with no physical presence in the UK, then under the UK GDPR you are likely to need to appoint a UK representative if you target your goods or services at UK individuals, or if you monitor the behaviour of UK individuals. This legal requirement is mandatory, and failure to comply with it can result in large fines of up to £8.7M or (if higher) 2% of worldwide turnover. The UK Representative Service, provided by Shoosmiths Privacy Services Limited (a wholly owned subsidiary of Shoosmiths LLP), provides a simple, online solution to this requirement at a fixed annual or monthly fee. By subscribing to the Service, you can appoint us as your representative and ensure you remain compliant with this GDPR requirement. For more details, check out: UK Representative Service (shoosmiths.co.uk)
- Similarly, any businesses not based in the EU need to consider whether they need to appoint an EU representative if they do the same in connection with the EU. At Shoosmiths we have arrangements in place with EU representative providers and so we can also assist here.
Appointing a representative is typically quick and pain free. Not doing so can put your business at considerable risk. The Dutch decision may well be the first in this area, but there are likely to be others. A stitch in time now could save a lot of costly hassle in the future.