Nowadays, the GDPR’s extraterritoriality (Article 3.2) and its related obligation to designate a representative in the EU (Article 27) are some of its best-known features.
According to these, any entity without a European establishment but nevertheless subject to the GDPR must appoint a dedicated representative in the EU. The role and responsibilities of the latter have been detailed in numerous articles and guidelines.
However, as with any piece of legislation, GDPR risk is managed through a balancing act. The likelihood and severity of potential penalties are first identified, before being compared with the cost of the measures required to mitigate or eliminate the risk.
So, what is the actual likelihood and severity of the risk involved here?
Does this somewhat obscure Article 27, far removed from the GDPR’s cardinal principles, really make up the Supervisory Authorities’ top priority? Furthermore, wouldn’t the absence of any European establishment allow companies to evade scrutiny, and exclude this obligation from their risk management system?
Until mid-2020, this position was fairly arguable. However, the EU Commission’s new political will (I) has since been translated into a myriad of administrative sanctions, relating to both the absence of a representative (II) and the improper execution of his role (III).
Initially, the confused implementation of the GDPR within the European Economic Area was a sufficiently gargantuan task to monopolize both the EU Commission and the national Supervisory Authorities.
However, as intra-European enforcement became more systematic, the European Commission wished to revive the momentum for extra-European controls through a June 2020 Communication.
In the latter, the Commission recalls that “an important aspect […] of EU data protection rules is the extended territorial scope of the GDPR, which also covers the processing activities of foreign operators active on the EU market”.
It also considers it “essential that this extension is reflected […] in the implementing measures taken by data protection authorities“.
Finally, the Communication is concluded with an injunction to Supervisory Authorities: “The Committee is invited to […] ensure effective enforcement against operators established in third countries falling within the territorial scope of the GDPR, in particular as regards the appointment of a representative, where appropriate (Article 27)“.
With hindsight, this request has unmistakably been followed up by its recipients.
As a first step, sanction procedures were initiated against companies that did not have any GPDR representative. In this regard, two cases are particularly noteworthy: “Locatefamily” and “Clearview AI”.
The platform, whose business is to list personal data on the internet, was fined solely for failing to appoint a GDPR representative in the EU.
Moreover, the SME was ordered to make this designation as soon as possible, under a penalty of an additional 20,000 euros per 15 days of non-compliance.
On February 10th, 2022, the Italian supervisory authority inflicted a 20 million euro fine (in Italian only) on the US company Clearview. On July 13th of the same year, the Greek authority found the same failings and imposed an identical and additional fine (in Greek only) of 20 million euros.
Clearview AI’s activity consists of scraping the web to collect images of people for facial recognition purposes. In this filing, the company has been accused of numerous breaches of the GDPR, including the lack of an EU GDPR representative.
However, it was the company’s poor management of people’s rights that attracted the attention of the supervisory authorities. Without a DPO or representative in the EU, the company failed to deal with several requests to exercise rights, which then turned into complaints to the authorities.
As a second step, and in addition to the lack of EU GDPR representatives, European Supervisory Authorities are also turning to the appointment of representatives who are unsuitable, or who do not fulfill all the obligations of Article 27.
In the second phase, the European authorities have started to check the effectiveness of the appointment of RGPD representatives in the EU. In this respect, two cases stand out: those of Senseonics and Alpha Exploration.
This US company, which had no establishment in the EU, was introducing medical devices into the European market. As such, it had appointed a “single representative” within the meaning of Directive 93/42/EEC on medical devices, whose role was to represent it before the European authorities.
However, the Italian authority considered that the appointment of a representative under this directive was “not adapted to meet the requirements of the GDPR”. Far from being a mere “mediator who merely puts people in touch, the GDPR representative must therefore be a person who acts on behalf of the principal about the GDPR obligations”.
Due to the efforts made to comply immediately, including the appointment of a dedicated GDPR representative, the company was only fined a relatively small amount.
On October 6th, 2022, the Italian supervisory authority imposed a 2 million euro fine (in Italian only) on Alpha Exploration.
While the mining exploration company was accused of several breaches, the GDPR representative in the EU it had appointed did not fully perform the functions for which he was responsible.
In this case, the representative seemed to play the role of, at best a passive mediator, at worst a strawman meant to protect his clients from a sanction.
Undoubtedly, European authorities have now taken up the issue of GDPR EU representation. Clearly defined in theory, extensively monitored and sanctioned in practice, this obligation has become very real and palatable. Up-to-date risk management systems are seemingly left with no choice, but to integrate article 27 from now on.