Canadian organizations take note – Data Protection Authority fines foreign-based business under GDPR for not having “Article 27” representative

May 17, 2021 | David Krebs, Samantha Santos

As we have discussed in several previous articles, Canadian businesses and other organizations can be subject to the European General Data Protection Regulation (“GDPR”) for a number of reasons and in a number of different contexts, be it as a “data processor” (i.e. the service provider to the data controller), as “data controller” (the organization deemed in control of the personal data at issue) or as “joint controller” with another organization, irrespective of whether the Canadian concern has a physical presence in the EU. The requirement to have an “Article 27” representative has existed since the inception of the GDPR but it has been an elusive and quite enigmatic requirement. Not to be confused with the concept of a “Data Protection Officer”, an “Article 27 representative” should serve as a contact and gatekeeper for matters pertaining to the processing of EU personal data. This requirement had not at first been enforced but this appears to be changing with a company facing a considerable fine of €525,000.00 (approximately $900,000CDN) for failing to have a representative established.

Dutch Regulator Fines LocateFamily.com €525,000

On May 12, 2021, the Autoriteit Persoonsgegevens, Dutch Data Protection Authority (“DPA”), released its decision to impose a fine of €525,000 against Locatefamily.com, a platform that allows people to search for the contact information of family members or other people that they would like to connect with. The DPA found Locatefamily.com in breach of Article 27 of the GDPR which requires businesses without an establishment in a Member State of the European Union (the “EU”) but who are subject to the GDPR by virtue of Art. 3.2(a) or 3.2(b) to designate a “representative” in the EU.

In addition to the fine, the DPA mandated that Locatefamily.com designate a representative in the EU by March 18, 2021. If it was unable to do so, Locatefamily.com was required to pay €20,000 for each two (2) week period that it does not have a representative, up to a maximum fine of up to €120,000.

The DPA reported that their decision came following the receipt of multiple complaints regarding Locatefamily.com and an international investigation in cooperation with nine other European privacy supervisory authorities and the Office of the Privacy Commissioner of Canada.

The DPA expressed concern regarding Locatefamily.com’s practice of publishing full addresses and phone numbers of individuals who most often are reported to be unaware of how their details came to appear on the site. With the contact information of approximately 700,000 Dutch people on the site, DPA deputy chair Monique Verdier mentioned that:

 “for a website to publish your phone number and address without your knowledge is unacceptable. You can certainly share this information if you want to, but this should be your choice to make. With Locatefamily.com, many people aren’t given that choice. And if your address and phone number do end up on this site, there must be an easy way to have that information removed. That’s not possible here, partly because Locatefamily.com does not have a representative in the EU.

Pursuant to Article 27, a representative is a natural or a legal person based in one of the EU member states who acts as a gatekeeper or local representative for an organization in the EU that serves as a record keeper and contact point for all issues or questions related to an organization’s processing of personal data under the GDPR. Companies may claim an exemption from Article 27 if their processing is “occasional” and “does not include, on a large scale, processing of special categories of data” (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation) and is unlikely to result in a risk to individual’s privacy rights.

Recommendations

The Dutch DPA’s decision brings about practical compliance implications for Canadian business particularly as the GDPR applies to many Canadian businesses who do business internationally. It is recommended for all businesses that consider themselves subject to GDPR but do not have an establishment in the EU, that an analysis is conducted of whether or not this Article 27 Representative obligation applies.

Miller Thomson’s privacy and cybersecurity team is ready to assist in these and other privacy and data security matters, and we will continue to monitor GDPR enforcement impacting Canadian businesses.

Disclaimer

This publication is provided as an information service and may include items reported from other sources. We do not warrant its accuracy. This information is not meant as legal opinion or advice.

Miller Thomson LLP uses your contact information to send you information electronically on legal topics, seminars, and firm events that may be of interest to you. If you have any questions about our information practices or obligations under Canada’s anti-spam laws, please contact us at [email protected].

© Miller Thomson LLP. This publication may be reproduced and distributed in its entirety provided no alterations are made to the form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP which may be requested by contacting [email protected].