On the international scene, the GDPR is a key instrument led by the EU and serves as a standard of protection welcomed by a significant number of States. But it is not just a European apparatus: the GDPR is intended to sanction non-compliance with the practical obligations it imposes, including outside the EU’s borders.
While one of the points of interest in applying the GDPR is to make the most of it, the fact remains that the competitive advantage companies can derive from their compliance is not the only thing at stake.
The regulation must be applied, and, to this end, resources are invested in a specific sanction mechanism. One immediately thinks of the sanctions applicable in Europe in view of the enhanced cooperation between Member States. Should we believe we are above the rules of the GDPR when we process personal data while being established outside the EU? Nothing is less certain: the “old continent” takes the interests of individuals to heart by imposing respect for their privacy beyond its borders. A look back at the rules of the game…
1. Breakdown of the GDPR territorial scope
The GDPR applies to companies outside the EU that process personal data in the following situations:
If your company is in one of these cases, then it may be necessary to establish a representative on the territory of the EU. Exceptions to the principle exist, such as being a public authority or body or processing personal data occasionally.
The representative on the territory of the European Union
The representative is an entity specifically mandated by the data controller. It is the privileged interlocutor of the supervisory authorities and of the individuals whose data is being processed on all matters relating to that processing. The guidelines of the European Data Protection Board (EDPB) on the territorial scope of the Regulation are expected in the coming weeks and will address precisely this “EU representative”*1.
As far as companies located outside the EU are concerned, two things are already known:
The representative is thus a kind of transmission belt that facilitates compliance with the GDPR by companies outside the EU. As such, it could be subject to coercive procedures in the event of non-compliance with the Regulation by the controller or processor. In the context of the adaptation of the provisions of the GDPR by the Member States, it is also noted that countries such as Belgium or Spain have provided for increased responsibility of this representative, who ensures the compliance of the processor or controller in the EU.
However, all this can be very enigmatic for a company outside the EU: why would it fear a supervisory authority whose jurisdiction is enclosed within the EU’s borders? Wouldn’t the sanctions be deprived of any enforceability outside of them?
2. Applicability and nature of sanctions imposed by supervisory authorities outside the European Union
Implementation of controls
If a company based outside the EU and subject to the GDPR does not comply, the CNIL or another European data protection authority may take action against it through the designated representative in the EU. There is therefore no need for a control at the company’s headquarters outside the EU.
If no representative is present, and insofar as the provisions of the GDPR are not complied with, it is reasonable to assume that a request for suspension of the transfer of personal data will succeed without any further control. For example, in the context of the sale of physical assets, it would then be possible for these assets to be seized at the border, or for trade restrictions to prevent the company from selling its assets in the EU. This is of course to be specified on the basis of the legislation of each Member State, in accordance with Article 84.1 of the GDPR.
Nature of sanctions
First, the sanctions are not only financial, since the supervisory authorities make extensive use of their soft-law power by publishing their decisions, thus damaging the marketing image of the target company. Secondly, it should be recalled that any European supervisory authority may impose administrative fines of up to €20 million or 4% of worldwide turnover, whichever is higher. Finally, it should be recalled that a company outside the EU can always be held liable, even when it has appointed a representative.
To clarify the sanction system of Article 83, it should be noted that the imposition of administrative fines is a judgment in its own right. In France, it is a special formation of the CNIL with the status of a court that pronounces the sanction.
Effectiveness of sanctions
There are at least two reasons why we can say that even a company based outside the EU should be concerned about the possible sanctions of a supervisory authority in a European country for the protection of personal data.
The first reason is based on the work carried out by the G29, in cooperation with the CNIL, on Article 50 of the GDPR, which provides for international cooperation in this area. States are given a wide margin, and there are many administrative arrangements between countries that address the practical aspects of controls on personal data abroad and cooperation between supervisory authorities. They are called in English memoranda of understanding and are often translated into international treaties in the long term. There is no lack of political will in this area, as states such as Morocco, Canada, Japan and Mexico are refocusing on the EU in terms of markets. The perfect illustration is the response of the Privacy Commissioner of Canada to the Cambridge Analytica/Facebook investigation: “The time has come… to give my Office the power to issue orders and impose fines against those who refuse to comply with the law”.
The second reason is the recovery of fines imposed by the supervisory authorities of EU countries. To cite the French example, when the CNIL sanctions, the Public Treasury receives the amount. It is therefore also the Public Treasury which recovers it, with all the facilities that this implies, and in particular the possibility of relying on bilateral or multilateral conventions signed specifically to provide administrative assistance. There is therefore nothing new on this point: the various governments have always collaborated to recover the fines they impose outside their borders. An example is the agreement between the Organisation for Economic Cooperation and Development (OECD) and the EU that allows French tax administrations to cooperate with their international counterparts. Of course, the fine that the Public Treasury collects here is not of a fiscal nature, but nothing prevents the recovery from being carried out abroad by the local administration, either directly on behalf of the administration of the EU Member State by agreement, or by means of an exequatur decision. In addition, international treaties facilitate the process by recognizing the protection of personal data as universal.
The trend is clear: the conclusion of international agreements such as the CETA, or the ever-increasing importance of the WTO and arbitration in relations between multinationals and States, leads us to consider that sanction enforcement procedures are likely to evolve towards harmonisation mechanisms. And failing that, it should be recalled that binding corporate rules and standard contractual clauses concluded between private actors take over for the enforcement of the GDPR.
This analysis clearly shows an overall commitment to making the extended scope of the GDPR effective. However, for a company located outside the European Union, reasoning through fear is not the most appropriate or effective approach. So to the question “Should companies be afraid?”, we answer a big “No”. The GDPR is becoming a global standard because it corresponds exactly to what people expect when it comes to protecting their personal data. Beyond the sanctions, the application of the GDPR remains above all an opportunity that companies must seize. Preparing for it by adapting your infrastructures means getting ahead of the next local legislation and respecting the rights of the people concerned.
3. Who to contact if you are a company located outside the EU and the GDPR concerns you?
Insofar as the Regulation is a European legal act, we advise you to address your questions concerning its application to a European data protection authority such as the CNIL, the Belgian CPVP or the Luxembourg CNDP. We also recommend that you consult their websites, which contain practical guides, fact sheets and practical tools for compliance with the Regulation.
Finally, we have prepared three key recommendations for you if you are a company located outside the European Union.
Recommendation Number 1: Get Organized
Companies involved in the processing of personal data must be aware of their responsibilities and of how they fit into the broader picture. However, some do not even know whether they collect data on people located in the EU. Each company established outside the EU should therefore assess the specific details of its data processing activities in the light of these requirements and decide on the measures to be taken.
Recommendation Number 2: Anticipate
Be ready before administrative arrangements between countries facilitate sanctions: the GDPR gave EU Member States two years between its adoption and entry into force, yet today many companies are not prepared and risk heavy sanctions. The same mistake should not be made by companies outside the EU.
Recommendation Number 3: Get Help
It is advisable to pay particular attention to the choice of the person appointed as representative in the EU, with serious consideration given to outsourcing this function as we have already been able to analyse.
By Philippe Prince Tritto
*1 Since the publication of this article, the EDPB guidelines on the territorial scope of the GDPR have been published and can be found here.