The General Data Protection Regulation (GDPR) has extra-territorial scope – Article 3(2) says that it applies to those (whether controller or processor) outside the EU who process personal data in relation to the offering of goods or services to data subjects in the EU, or who monitor the behaviour of data subjects in the EU. And where this is the case, Article 27 says that the organisation outside the EU must appoint a representative in the EU, to whom data subjects and regulators can address issues.
The possible catch, though, for those acting as representatives, was seen to lie in recital 80 to GDPR, which says that "the…representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor". What this means, and what potential liability there might be for a representative, are questions which have exercised those considering whether to appoint, and those considering whether to be appointed.
In the UK, this subject could acquire particular significance in the event of a no-deal Brexit, because, as we have previously discussed, controllers or processors in the UK doing business in the EU might themselves need to appoint a representative in the EU, under the GDPR itself, and a controller or processor outside the UK might have to appoint a representative in the UK under the "UK GDPR".
In November 2018 the European Data Protection Board (EDPB) issued draft guidance, which appeared to make forbidding reading in this context, saying that data protection authorities (such as the Information Commissioner, in the UK) should be able to "initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable". When one considers that maximum fines under GDPR are €20m or 4% of global annual turnover (whichever is higher), one can understand why many organisations would have baulked at the idea of becoming a representative (and why those that did would have tried to negotiate hefty indemnities from the controller or processor appointing them).
However, in a notable about-turn, the EDPB's finalised guidance, adopted on 12 November this year, now says that "The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union". The intention (the EDPB now says) was actually "to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union", by addressing notices and the like to the representative, but not "to hold a representative directly liable". Representatives are directly liable only in respect of their own obligations: maintaining a record of processing activities, under Article 30, and providing information to supervisory authorities when ordered to do so, under Article 58(1).
At a stroke, therefore, the role of representative under Article 27 appears to be much less onerous, and potentially more commercially attractive, than it did a mere few weeks ago. And the importance of noting the guidance of the EDPB (and the importance of tracking its development from draft to final version) is reinforced.