Is a GDPR Article 27 representative liable for the actions of the Controller who appoints them? “No” is the answer from the English courts to this important question.
GDPR Article 27 Representative
Art 27 provides that where a controller or processor is caught by GDPR’s extra-territorial application under Art 3(2) because they are offering goods or services to, or monitoring the behaviour of, data subjects based in the EU, they are required – unless certain exemptions apply – to designate a “representative”. A “representative” is defined as “a legal or natural person established in the Union who…represents the controller or processor with regard to their respective obligations under this Regulation.”
Since Brexit, UK GDPR under the equivalent Article demands a UK based representative where the processing of a controller based outside the UK involves data subjects in the UK.
Facts of the case
The defendant, LexisNexis Risk Solutions (a risk intelligence and compliance business incorporated in England and Wales), acted as the representative for World Compliance Inc, a US company that is the controller of a database containing individual profiles (including that of the claimant) for the purpose of helping its clients comply with money laundering and terrorist financing laws. The claimant objected to his profile being included in the database and brought a claim against the defendant alleging a number of breaches of GDPR.
The defendant applied for the claim to be disposed of without a trial on the basis that the claim was brought against the wrong defendant as a representative cannot be held liable for the actions of the respective controller.
Role and liability of the Representative
With no relevant guidance provided by UK or EU caselaw, the English Court was asked to interpret GDPR (in particular the wording of Art 27(4) and 27(5)) as to whether the representative could be held liable:
27(4). The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
27(5). The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
The defendant argued that the phrase “to be addressed” in Art 27(4) meant that it was solely a point of contact with a liaison function and “without prejudice to” in Art 27(5) meant that the representative has nothing to do with legal actions against the controller.
The claimant highlighted that Art 27(4) states that the representative is “mandated” to be addressed on “all issues…for the purposes of ensuring compliance”. Further, the claimant said that the purpose of Art 27(5) is to confirm that the representative has legal liability in addition to – not in substitution for – the controller.
In making its judgement the court noted the GDPR Recitals which explain the policy reasons for the law and may be used as an aid to construction; in particular the last line of GDPR Recital 80 (our emphasis added):
“The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”
The Court held that, though the representative had a “considerably fuller role than a mere postbox”, GDPR does not confer any obligations on a representative that suggest an intention to make the representative liable for the full suite of controller responsibilities; for example, Art 58(1) gives the supervisory authority power to investigate and request information from a representative, but Art 58(2) does not give it corrective/enforcement powers against the representative.
In addition, the court noted that the European Data Protection Board (EDPB) guidelines make clear that the representative “is not itself responsible for complying with data subject rights” and that the representative’s role is to “facilitate any informational and procedural exchange” between the supervisory authority and the controller.
With respect to the last sentence of GDPR Recital 80, the Court conceded it was “a challenge” to the above analysis, but the Recital needed to be read as a whole and alongside Art 27(5) which – when contextualised – is not ambiguous about whether it requires that a representative stand in the shoes of a controller as a respondent/defendant to enforcement action: it does not create “representative liability”. Meanwhile “subject to” – when read alongside the EDPB guidelines – can be understood to mean the possibility “for supervisory authorities to initiate enforcement proceedings through the representative”, including “the possibility for supervisory authorities to address corrective measures … imposed on the controller … to the representative”, such as accepting service of process.
The Court did accept that representative liability may have been a “live policy” at some point, and this is reflected in GDPR Recital 80 and the first draft of the EDPB guidelines; however, the EDPB has since rowed back on this approach. The Court held that had it been intended that GDPR would achieve representative liability, it would have been stated more clearly in the Articles, and that this proposition is “too weighty to be blown in by the interpretative sidewind of the last sentence of Recital 80.”
This decision is good news for representatives and also for extra-territorial controllers who would have found it more difficult and expensive to appoint representatives had the decision gone the other way.
A word of warning – the Dutch data protection regulator has recently issued a fine of €525,000 against a controller that failed to appoint an Article 27 Representative. In its review of the first two years of GDPR in Summer 2020, the EU Commission emphasised that it wanted to see more of a focus by regulators on this area. It seems that this is beginning to happen.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2021