UK businesses urged to appoint EU representative after Canadian firm fined under GDPR

LocateFamily.com fell foul of Article 27

Last week the Dutch data protection authority Autoriteit Persoonsgegevens (AP) fined Canadian firm LocateFamily.com for processing the data of EU citizens in a case that should be a warning to UK firms.

LocateFamily.com was found to be processing the data of EU citizens in contravention of Article 27 of the GDPR following complaints that information about individuals was being published without their consent.

AP fined LocateFamily.com €525,000 because the company did not comply with its Article 27 obligation to designate an EU representative in writing. The Canadian company, which offers a platform to help people locate friends they knew in the past, was also ordered to pay an additional €20,000 for each two-week period that passes without the fine being paid.

"Not having a representative in the EU is a violation of privacy law and the reason for the fine," AP said.

Article 27 of the GDPR sets out obligations for organisations that do not have a presence in the EU but that process data (including storing it) on EU subjects. Among these is the obligation to appoint an EU-based representative.

According to Wouter Seinen, a partner with Pinsent Masons, the fine should serve as a warning to UK companies who have not yet appointed EU data protection representatives, but whose activities will likely fall under EU GDPR once the Brexit agreements have been finalised.

"Due to the binary nature of the data rep requirement, it is quite easy for a regulator to establish that an organisation is in breach, whilst it is almost impossible to find an excuse for not having met this requirement," said Seinen in a blog post. "This is why this topic should be higher on the risk radar of non-European businesses - in particular operators of apps and websites."

Following Brexit, Britain is not directly subject to the EU's jurisdiction, although it still needs to have sufficient measures in place to protect the personal data of European users.

The ICO advises that "EU GDPR may also still apply directly to you if you operate in the European Economic Area (EEA), offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA."

It is thought that many UK businesses have not yet appointed an EU data protection representative, some because they appointed the ICO for that purpose pre-Brexit, and that they are therefore in danger of being fined.

Currently, the UK's data protection legislation matches that in the EU, as the provisions of the GDPR were incorporated directly into UK law at the end of the transition period, but there are signs that it may begin to diverge. Digital secretary Oliver Dowden said in March that Britain will take a 'slightly less European approach' to data privacy laws.