Canadian organizations take note – Data Protection Authority fines foreign-based business under GDPR for not having “Article 27” representative

17 May 2021 | David Krebs, Samantha Santos


As we have discussed in several previous articles, Canadian businesses and other organizations can be subject to the European General Data Protection Regulation (“GDPR”) for a number of reasons and in a number of different contexts, be it as a “data processor” (i.e. the service provider to the data controller), as a “data controller” (the organization that determines the purposes and means of processing the personal data at issue) or as a “joint controller” with another organization, irrespective of whether the Canadian organization has a physical presence in the EU. The requirement to have an “Article 27” representative has existed since the GDPR took effect, but it has been a little-understood and, until now, largely unenforced requirement. Not to be confused with the “Data Protection Officer”, an “Article 27 representative” serves as a contact point and gatekeeper for matters pertaining to the processing of EU personal data. That is changing: a company now faces a considerable fine of €525,000 (approximately CAD $900,000) for failing to have a representative established.

Dutch Regulator Fines LocateFamily.com €525,000

On May 12, 2021, the Autoriteit Persoonsgegevens, the Dutch Data Protection Authority (“DPA”), released its decision to impose a fine of €525,000 on Locatefamily.com, a platform that allows people to search for the contact information of family members or other people they would like to connect with. The DPA found Locatefamily.com in breach of Article 27 of the GDPR, which requires organizations without an establishment in a Member State of the European Union (the “EU”) that are nonetheless subject to the GDPR by virtue of Article 3(2)(a) or 3(2)(b) to designate a “representative” in the EU.

In addition to the fine, the DPA ordered Locatefamily.com to designate a representative in the EU by March 18, 2021. If it failed to do so, Locatefamily.com was required to pay €20,000 for each two (2) week period in which it did not have a representative, up to a maximum of €120,000.

The DPA reported that its decision followed the receipt of multiple complaints regarding Locatefamily.com and an international investigation conducted in cooperation with nine other European privacy supervisory authorities and the Office of the Privacy Commissioner of Canada.

The DPA expressed concern regarding Locatefamily.com’s practice of publishing the full addresses and phone numbers of individuals who, in most cases, report being unaware of how their details came to appear on the site. With the contact information of approximately 700,000 Dutch people on the site, DPA deputy chair Monique Verdier stated that:

“For a website to publish your phone number and address without your knowledge is unacceptable. You can certainly share this information if you want to, but this should be your choice to make. With Locatefamily.com, many people aren’t given that choice. And if your address and phone number do end up on this site, there must be an easy way to have that information removed. That’s not possible here, partly because Locatefamily.com does not have a representative in the EU.”

Pursuant to Article 27, a representative is a natural or legal person established in one of the EU Member States where the organization’s data subjects are located. The representative acts as the organization’s local contact point for supervisory authorities and data subjects on all issues related to the organization’s processing of personal data under the GDPR, and maintains the organization’s record of processing activities. Organizations may claim an exemption from Article 27 if their processing is “occasional”, “does not include, on a large scale, processing of special categories of data” (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning health, sex life or sexual orientation) or of data relating to criminal convictions and offences, and is unlikely to result in a risk to individuals’ rights and freedoms. Note that all three conditions must be met for the exemption to apply.

Recommendations

The Dutch DPA’s decision has practical compliance implications for Canadian businesses, particularly as the GDPR applies to many Canadian businesses that do business internationally. Every organization that considers itself subject to the GDPR but has no establishment in the EU should conduct an analysis of whether the Article 27 representative obligation applies to it and, if it does, designate a representative in writing and publish the representative’s contact details in its privacy notice.

Miller Thomson’s privacy and cybersecurity team is ready to assist in these and other privacy and data security matters, and we will continue to monitor GDPR enforcement impacting Canadian businesses.

Disclaimer

The information posted on this blog addresses various points of law and is provided solely for informational and non-commercial purposes. It does not constitute legal advice from the author. Readers are cautioned not to make any particular decision without first obtaining the legal advice of a qualified professional. Anyone who decides to act in reliance on this information does so at their own risk.