Dublin-based data protection law expert Ann Henry of Pinsent Masons, the law firm behind Out-Law.com, who specialises in working with US technology companies, said the European Data Protection Board's (EDPB's) guidance (23-page / 262KB PDF) could affect the number of EU-based organisations willing to act as 'representatives' for US-based companies under the GDPR.
As well as applying to the processing of personal data by organisations established in the EU, the GDPR also applies to the processing of personal data of data subjects in the EU by organisations based outside of the Union where the processing relates to the offering of goods or services to those individuals or the monitoring of their behaviour as far as their behaviour takes place within the Union. The Regulation's extra-territorial effect is confirmed in Article 3(2).
In such cases, non-EU based companies are generally required to designate an EU-based representative. Those representatives must be able to address all issues related to the data processing by the non-EU business that is subject to the GDPR "for the purposes of ensuring compliance" with the Regulation. This includes liaising with data protection authorities or data subjects on the business' behalf.
Non-binding recitals of the GDPR provide further clarification on the role of representatives.
"The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation," the recitals state. "The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor."
The EDPB further clarified the potential liability of representatives in its guidance.
The EDPB said: "The concept of the representative was introduced precisely with the aim of ensuring enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable."
Ann Henry of Pinsent Masons said, though, that this approach will raise very serious concerns in the US about the capital costs of GDPR compliance.
"The sting in this document is in the last line for US corporates," Henry said. "It is the law-abiding companies that will appoint a representative. Arguably making a representative liable will make it more difficult to find people or bodies willing to take on the role of representative given the extent of potential liability both by means of regulatory enforcement and through private rights of action under the GDPR regime."
"Surely the bigger question is how companies in third countries which fail to appoint a representative will be held liable under GDPR. In terms of creating a culture of compliance around GDPR for companies subject to Article 3(2) you have to query whether imposing liability on representatives is the right approach," she said.