
On the extraterritoriality of GDPR and the role of the EU representative

Published on 14 March 2023

As part of a genuine process of extraterritorial normative expansion, driven first by globalization and then by technological developments, European legislators have in recent years sought to extend the reach of the legal norms they produce, in order to guarantee fundamental rights beyond their borders and to hold companies located abroad accountable. This article aims to give an overview of this process and to assess how it applies within the current regulations on personal data protection. Accordingly, we will study the criteria for extraterritorial application of data protection rules, the obligation of entities located abroad to appoint a representative, and the obligations of that representative, which are shared with controllers and processors, starting with Directive 95/46. We will then focus on the changes brought about by GDPR and on the guidelines of the European Data Protection Board.

Introduction

In European Union (EU) law, the obligation to appoint a representative is not new. It has existed since Directive 95/46. The introduction of the representative in this text was a way for European legislators to make organizations outside the European Union more accountable, in a context where the circulation of personal data was progressing rapidly thanks to the arrival of the Internet. The main purpose of creating the function of representative was to facilitate the work of national supervisory authorities in the event of a breach of data protection regulations. The concept of representative did not originate from this Directive and is not specific to the law of personal data protection. Similar figures exist in other disciplines, such as in tax law or in cosmetics law. These are agents appointed by natural or legal persons established outside the European Union to fulfill obligations imposed by the fact of having activities within the EU territory.

1. Directive 95/46

1) In which cases does the European Directive 95/46 apply to entities located outside the European Union?

The Directive provided for extraterritorial application in Article 4(1)(c). Under this provision, each Member State was obliged to apply its national data protection provisions where: “[…] the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community. […]”.

These conditions for the application of Article 4(1) diverge from those introduced by GDPR. Despite these differences, both sets of rules serve the same purpose: to determine the connecting factors that extend the perimeter of application of European legislation, so that the text applies with equal effectiveness to entities located in the EU and to those outside its territory.

Under the repealed Directive, the processor was not considered a responsible actor in the processing chain, so the obligation applied only to the controller.

2) How did Directive 95/46 introduce the role of a representative in the field of personal data protection?

Article 4 of the Directive provided that:

“In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself. […]”.

A first observation on this passage is that it enshrines a principle allowing data subjects and supervisory authorities:

  • to require the controller to perform the obligations applicable to it under data protection law, even if a representative is appointed;
  • not to release the entity responsible for the processing from liability on the pretext that a representative has been appointed.

This principle is taken up by the General Data Protection Regulation (GDPR) and is even extended from the controller to the processor.

The second observation is that the appointment of the representative was made in the Member State in which the controller used means, automated or not, to process personal data.

As will be explained below, GDPR removes this criterion, which could be compared to the concept of “nexus” in US law. Thus, since the entry into force of GDPR, the representative must be established in only one of the Member States where the controller targets or monitors data subjects, and not in each Member State, in keeping with the spirit of a European Union whose ambition is to erase the effect of borders between its Member States.

3) What were the obligations of the representative under Directive 95/46?

Articles 10 and 11 of the Directive provided for the obligation to inform data subjects in the event of direct or indirect collection of their personal data, an obligation that was incumbent on both the controller and the representative. The representative was therefore liable for this obligation in the same way as the controller.

In addition to the obligation to provide information, Article 18 imposed an obligation on the controller and, where applicable, on the representative to declare all processing operations to the supervisory authorities prior to the implementation of such processing. Article 19 further provided that the name of the representative must be included in any notification.

2. GDPR

1) What are the new criteria for extraterritorial application under GDPR?

GDPR has changed the conditions for extraterritorial application of data protection rules in order to adapt to technological developments in business and the globalization of the economy. It adopted two criteria based on targeting and monitoring of data subjects. As previously mentioned, under the Directive, only one criterion underpinned the extraterritorial application of its provisions: having recourse to processing facilities located in the European Union.

GDPR introduced the new criteria for extraterritoriality in Article 3(2). The new criteria are as follows:

  • The data subjects must be located in the territory of the European Union. This location criterion means that the persons need not have the nationality of, or residence in, a Member State for GDPR to apply to them;
  • The controller and/or processor offers goods and/or services to persons located within the Union;
  • The processing operations set up by the controller and/or processor have as their purpose or consequence the monitoring of the behavior of persons located within the Union.

To understand the scope of the two targeting criteria, it is necessary to rely on Recitals 23 and 24 of GDPR, which provide a list of indicators to distinguish and characterize the activities that can be considered offers of goods or services or tracking of persons. In addition, it is essential to follow the European Data Protection Board (EDPB) Guidelines 3/2018 on the territorial scope of the GDPR.

We will emphasize that, in the aforementioned guidelines, the Board encompasses, with respect to behavioral tracking, a wide range of activities. This broad definition includes, for example:

  • Behavioral advertising;
  • Geolocation activities, particularly for marketing purposes;
  • Online tracking through the use of cookies or other trackers;
  • Personalized online diet and health analysis services;
  • CCTV;
  • Market research and other behavioral studies based on individual profiles;
  • Monitoring of a person’s health status or related regular reporting.

In addition, it is important to clarify that the European Board’s guidelines indicate that extraterritorial application extends not only to GDPR but also to other texts, such as EU sectoral legislation, Member States’ sectoral legislation and the national legislation of each Member State.

Where the conditions for extraterritoriality are met, it will still be necessary to identify any other EU or national laws applicable to the data subjects. For the latter, the applicable law must be analyzed according to the country of residence or nationality of the persons concerned, or any other connecting factor that may be used. For example, a person who is in the European Union and of French nationality will benefit from the protection of GDPR but also from that of the French Data Protection Act.

In conclusion, the extraterritoriality enjoyed by GDPR also benefits national or sectoral EU texts with a similar objective. Consequently, if a controller or processor does not comply with the obligations of GDPR or of the other applicable texts mentioned above, the supervisory authorities may, in accordance with Article 58(2) of GDPR, adopt the sanctions provided for by these texts within the Union. One example that comes to mind is the application of a corrective measure such as the suspension of data flows or the prohibition on maintaining automated processing.

2) Is the obligation to appoint a representative maintained by GDPR under the same conditions as those provided for by Directive 95/46?

Yes, GDPR maintains in its Article 27 the obligation to appoint a representative in certain cases. The first condition is that the controller or processor is not established in the European Union. Otherwise, we are no longer in a case of extraterritorial application but in an application of GDPR under the criterion of establishment. A representative is then no longer necessary, but the appointment of a Data Protection Officer (DPO) may be.

In this regard, it should be noted that the Board, in Guidelines 3/2018, clarifies that the presence of a representative in the EU does not constitute an “establishment” of a controller or processor under Article 3 of GDPR.

In addition, the obligation to appoint a representative depends on the regularity of the processing, the risks it presents and the volume of data.

The processing must be regular and must either involve, on a large scale, sensitive data or data relating to criminal offenses, or involve risks to the rights and freedoms of data subjects. It is not required that the risk be high. The notion of large scale is relative, and one must take into account the number of data subjects, either in absolute terms or in relation to the population concerned, the volume and/or range of data processed, and the duration and geographical extent of the processing activity. These criteria were defined by the DPO guidelines, in the version adopted in 2017.

The appointment is therefore mandatory when one of these criteria is met, and only with respect to the processing of personal data of persons located in the EU.

Are there exceptions to the obligation to appoint a representative?

Article 27(2) states that the obligation does not apply if the processing is “occasional” or does not take place on a large scale, or if it does not involve sensitive data, criminal data or data that pose a risk to the rights and freedoms of individuals.

In addition, the obligation does not apply to legal persons under public law. They are therefore exempt from the obligation to designate a representative.

In other words, for the obligation to arise, the controller or processor must be a natural or legal person under private law.

In which country must the representative be appointed?

Article 27(3) of GDPR provides that “The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.” This differs from the Directive, which required one representative per country.

In Guidelines 3/2018, the European Data Protection Board reaffirms that the representative must be established in the same State as the data subjects: “[…] in cases where a significant proportion of data subjects whose personal data are processed are located in one particular Member State, that the representative is established in that same Member State.”

The guidelines do not clearly explain what to do if the processing involves a significant proportion of data subjects located in several Member States. As such, it would seem that it is up to the controller or processor to choose one of the States where a significant proportion of the data subjects are located. In any case, “the place of processing is here not a relevant factor for determining the location of the establishment of the representative.”

In addition, the Board indicates that the representative must remain easily accessible to data subjects, including those who are not present in the State where the representative is located.

What are the formalities for the designation?

Previously, the designation of the representative by the controller had to be notified to the supervisory authority. There is no obligation under GDPR for the controller or the representative themselves to inform a supervisory authority of the designation of the representative. Yet, the EDPB calls such notification good practice.

Article 27(4) of GDPR provides that the representative must be mandated, and Recital 80 states that “The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf.”

Violation of this obligation to designate a representative is punishable by the fine provided for in Article 83(4) of GDPR, i.e., 2% of annual worldwide turnover or up to €10 million, and may be accompanied by a penalty payment or by a corrective measure, such as those mentioned above.

Who can be appointed as a representative?

The representative can be a natural or legal person, provided that they are legally capable of representing their principals. In this regard, the EDPB explains:

  • that representation can be exercised on the basis of a service contract concluded with an individual or an organization;
  • that it can be assumed by commercial and non-commercial entities, such as law firms, consulting firms and private companies;
  • that a representative may also act on behalf of several principals;
  • that when the representative function is assumed by a company or organization, it is recommended that a single person be assigned as the primary contact and person “in charge” for each controller or processor.

Does the designation have the effect of removing accountability from the controller or processor?

As was the case with the 1995 Directive, the Regulation has maintained the principle of accountability of the controller and processor. This means that appointing a representative does not absolve the controller or processor of their responsibilities under the Regulation. Indeed, Article 27(5) provides that “the designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.” The mandate is therefore a mandate of representation.

3) What are the representative's direct and shared obligations with the controller or processor under GDPR?

Does the representative have to inform data subjects?

The Regulation does not impose an obligation on representatives to inform data subjects in the event of direct or indirect collection of their personal data in accordance with Articles 12, 13 and 14, since this is an obligation that falls exclusively on the controller. However, in France, Article 82(1) of the French Data Protection Act provides that any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless previously informed by the controller or its representative.

This provision seems to us to provide that, in the event of the deposit of cookies or any other electronic tracker, the obligation to inform is incumbent on both, in a non-cumulative manner. In the event of non-compliance with this obligation to inform, both may therefore be prosecuted.

Does the representative have to keep the processing register and make it available to the supervisory authorities?

The answer is yes. Article 30 of GDPR obliges controllers, processors and, where applicable, the representative to keep a register of processing activities and to make it available to the supervisory authority. This obligation is therefore common to and shared between these three actors. The obligation to keep the register only relates to processing activities concerning persons located in the European Union.

For the EDPB, the controller and the processor continue to be responsible for keeping the register, so they cannot discharge this obligation by arguing that a representative has been appointed to keep the register.

Furthermore, the EDPB considers that they must provide the representative with all accurate and up-to-date information so that the register can be kept up to date and made available to the authorities if necessary.

Does the representative have the task of serving as a point of contact?

Yes, this is one of the central obligations of the representative, shared with their principal. Article 27(4) of GDPR provides that the representative is the person to whom supervisory authorities and data subjects should address any questions relating to processing. Recital 80 states that “such a representative should perform its tasks according to the mandate received from the controller or processor […] to ensure compliance with this Regulation.”

The same Article 27(4) also specifies that the representative may be addressed in addition to or instead of the controller and the processor, i.e. as a primary or secondary point of contact. This obligation is therefore common to the representative and their principal, as is the maintenance of the register.

The designation of the representative does not therefore prevent data subjects or supervisory authorities from contacting the controller and the processor directly.

Is the duty to cooperate with the supervisory authorities part of the representative’s obligations?

Yes, Article 31 of the Regulation provides that the controller and processor and, where applicable, their representatives must cooperate with the supervisory authority at the latter’s request. Recital 80 states that “such a representative should […] [cooperate] with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.” This requirement is also one of the representative’s obligations shared with the controller and processor, and is attached to the obligation to facilitate communication to ensure compliance with the Regulation.

For the EDPB, in its Guidelines 3/2018, “in practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations […] and the representative shall be able to facilitate any informational or procedural exchange.”

Is it up to the representative to complete the formalities before the supervisory authorities?

The answer is yes; it is one of the obligations shared with the controller and/or processor.

Indeed, the requests for advice sent to the supervisory authorities must specify the identity and address of the representative if the controller or processor is not established in a Member State of the European Union.

However, given the accountability regime adopted by GDPR, most processing operations no longer have to be declared, so this is a rather exceptional activity.

Declarations to the supervisory authorities only apply to certain processing operations. In France, prior formalities are required for processing carried out for governmental purposes or for medical research.

    Alexandre Marin