Under the GDPR, controllers or processors not established in the European Union are required to appoint a representative in the EU when they process personal data within the scope of the GDPR. Data protection authorities and data subjects can interact with the representative instead of the controller or processor they represent, which provides a mechanism for ensuring the GDPR is complied with even when the controller or processor is outside the EU.
On 12 May 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) announced its decision to fine Locatefamily.com €525,000. The AP fined the company for its failure to appoint a GDPR representative in the EU. The AP also ordered the company to remedy this shortcoming within 12 weeks, failing which it would impose an additional penalty of €20,000 for every two weeks of non-compliance (up to a maximum of €120,000).
To our knowledge, this is the first time a data protection authority in the EU has imposed a fine for not having a GDPR representative. However, we would not be surprised if the AP or other data protection authorities carry out similar enforcement action in the future. A number of other data protection authorities were involved in the AP's Locatefamily.com case, indicating that this is a topic of interest not just in the Netherlands but for regulators across the EU.
Companies not established in the EU are therefore advised to assess (or re-assess) whether they need to appoint a GDPR representative in the EU. Broadly, this will be the case for any entity which offers goods or services to data subjects in the EU or monitors the behaviour of data subjects in the EU. A similar obligation exists under the UK GDPR for companies not established in the UK; organisations should note that the two requirements are separate, so two separate representatives (one in the EU and one in the UK) are often needed.
Locatefamily.com offers a platform for individuals looking for the contact details of people they have lost track of. It provides personal information such as name, address and sometimes phone number to any interested party, free of charge, on a publicly accessible website that contains data on both EU and non-EU residents. Locatefamily.com obtains this information from various sources such as social media accounts, government records and telecommunication providers, without the individuals concerned being members of the platform or having created an account. Since the GDPR came into force, the AP has received a number of complaints about Locatefamily.com. These range from issues raised by individuals wishing to exercise their rights, to non-compliance such as the lack of a GDPR representative, to more general privacy concerns about the purpose of the website and its potential to facilitate stalking.
Following these complaints, the AP set out to establish where the company was based, which, ironically, proved a difficult task in itself. Initial requests sent to Locatefamily.com only resulted in the company stating that it is not located in the European Union, has no business relationships in the Union, has no office or representative there, and does not offer goods or services to the Union. After futile follow-up attempts to obtain more information (Locatefamily.com responded that it was “puzzled as to why you would you need to know where we are situated”), the AP reached out to its fellow data protection authorities in other EU countries in search of more information. This confirmed that Locatefamily.com did not have a representative in the EU, and that there were a substantial number of complaints in other EU member states as well.
Following this, the AP conducted ‘technical investigations’, which led it to believe that Locatefamily.com might be a Canadian company, because the website is hosted by a Canadian web host. On behalf of itself and ten other European DPAs, the AP reached out to the Canadian Office of the Privacy Commissioner (OPC). Although the OPC provided assistance, the AP was not able to determine the location of Locatefamily.com. The fining decision (dated 20 December 2020) notes that “to date, this did not result in concrete clues on the location of establishment of Locatefamily.com”.
The extraterritorial effect of the EU GDPR
In the relatively brief fining decision, the AP concludes that Locatefamily.com is the controller for the processing of the individual contact details on its platform, which include information on individuals in the EU. The AP further concludes that these services are partially aimed at EU residents and are offered in multiple EU member states, and that as a consequence the GDPR applies to Locatefamily.com by virtue of article 3(2)(a) GDPR. This article provides that the GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
The nature of the services that Locatefamily.com provides (i.e. getting in touch with family abroad) makes it easier for the AP to argue that the services are indeed also offered to and directed at EU data subjects, and the regulator does not do much to substantiate this conclusion in the decision. We assume that this lack of detail is also a consequence of Locatefamily.com's failure to respond to the AP's initial investigative report.
This is a missed opportunity, as the decision could have resulted in an interesting discussion of how article 3(2) GDPR should be applied in practice, and of when goods or services are “offered to data subjects in the Union”. For example, does merely having a website or app that is accessible to individuals in the EU already trigger application of the GDPR? Recital 23 of the GDPR suggests it doesn't: “(…) the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention.” On the other hand, the recital continues that “factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”
The direct consequence of the GDPR applying to Locatefamily.com is that, under article 27 GDPR, Locatefamily.com is required to appoint a representative based in the EU, as it could not rely on the limited exemptions to this requirement. We note that pursuant to article 27(2) the requirement does not apply to (a) processing which is occasional, does not include, on a large scale, processing of special categories of data (article 9(1)) or of data relating to criminal convictions and offences (article 10), and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing, or (b) a public authority or body.
Under the GDPR a representative functions as an interlocutor for organisations that are not established in the European Union, for example in discussions with supervisory authorities and individuals. The GDPR makes clear that the designation of a representative by the controller or processor is without prejudice to legal actions which could be initiated against the controller or processor themselves.
Fine and order under penalty
For the violation of article 27 GDPR, the AP imposed a fine of €525,000, calculated by applying its Guidelines on Administrative Fines.
Under these Guidelines, a violation of article 27 GDPR is classified as a ‘Category III’ violation, to which a base fine of €525,000 is attached. This amount can be adjusted upwards or downwards depending on relevant factors, such as the duration of the violation, the impact on individuals, and the degree of cooperation with the investigation. Despite the fact that Locatefamily.com at some point no longer seemed to respond to questions from the AP, the AP did not use this as a reason to increase the fine, nor did it otherwise adjust the base amount.
This is in line with our experience from other cases: it seems that the AP will not lightly deviate from the base amounts it has set for violations of the GDPR, which range from €100,000 for the lowest Category I (which applies, for example, to a violation of article 26 GDPR on joint controllers, or to not seeking the views of data subjects or their representatives in a DPIA as per article 35(9) GDPR) to €725,000 for Category IV violations (which apply, for example, to a violation of article 9 GDPR containing the general prohibition on processing sensitive personal data). To be clear, the AP could still impose the GDPR's statutory maximum (for a violation of article 27 GDPR, €10 million or 2% of worldwide annual turnover, whichever is higher, under article 83(4); for violations such as article 9, €20 million or 4% under article 83(5)), but this seems to be an option only in exceptional cases.
To force Locatefamily.com to appoint a representative, the regulator also imposed an order subject to a penalty. The company had until 18 March 2021 to appoint a representative in the EU. For every two weeks that the order was not complied with, the company would be required to pay €20,000, up to a maximum of €120,000. In its press release of 12 May 2021, the AP confirmed that, to its knowledge, Locatefamily.com did not appoint a representative on time, so the maximum penalty of €120,000 is due in addition to the initial fine.
As a result of its failure to appoint a representative, Locatefamily.com is therefore required to pay a total of €645,000 to the AP. However, we expect that the AP will not be able to collect that amount easily. Although there are international (multilateral and bilateral) agreements on cross-border cooperation in criminal and administrative matters which might in theory be used by the AP for cross-border enforcement of orders, fines and penalties, these agreements are patchy and difficult for the AP to use in practice, especially since Locatefamily.com's location is not known. Effective enforcement of the fine is more likely if the AP were to determine that Locatefamily.com has assets on Dutch territory that can be seized (for example, money in bank accounts or payment claims against third parties in the Netherlands). The fine and the AP's public comments will doubtless have an impact on Locatefamily.com's reputation in the Netherlands and elsewhere.
For your company
Companies that are not established in the European Union but might have customers or users in the EU or otherwise process personal data relating to EU data subjects are strongly advised to (re-)assess whether they need an EU representative. With this case the AP in particular, but also the other DPAs that provided assistance, such as the French CNIL and Irish DPC, have sent a signal to such companies that EU data protection laws have a wide applicability and can extend far beyond the EU’s borders. Actual enforcement however remains difficult in practice, as this case illustrates.
For completeness' sake we note that a similar obligation to appoint a representative exists in the UK. This means that any company that is not established in the UK but offers goods or services to data subjects in the UK, or monitors the behaviour of individuals in the UK, would generally need to appoint a representative in the UK too.
While it remains to be seen what effect this fining decision will have on the approach taken in the UK, companies would thus do well to verify the above specifically for the UK as well.