High Court rules that the EU representative of a foreign data controller is not liable for purposes of enforcement of GDPR

The claimant, Mr Sansó Rondón, is a businessman with an international practice in business consultancy and investment, resident in Italy.

World Compliance Inc (“WorldCo”) is a US company which owns (and is the data controller of) a database designed to help subscribing businesses globally to comply with laws combating money laundering and terrorism financing. The database includes millions of profiles of individuals, including one of Mr Rondón. Mr Rondón objected to this profile and issued proceedings for breach of the General Data Protection Regulation (2016/679/EU) against the defendant, Lexisnexis, a data analytics, risk intelligence and compliance business, which WorldCo had formally designated as its “representative” for the purposes of Article 27 of the GDPR. Mr Rondón contended that, as WorldCo’s representative, Lexisnexis was “liable in respect of breaches of the GDPR for which World Compliance Inc [was] liable as data controller”.

Lexisnexis applied for the claim to be struck out under CPR Rule 3.4 or alternatively for summary judgment under CPR Part 24. It argued that there were no reasonable grounds for bringing the claim, or alternatively that the claim had no realistic prospect of success, because it was brought against the wrong defendant. It said that a representative could not be held liable for the actions of a controller, and that the remedies sought could only be obtained from a controller, not its representative.

Article 27 provides that “Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union”. The dispute related in particular to Articles 27(4) and 27(5), which provide that (4) “The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation”; and (5) “The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves”.

Mr Rondón relied on Recital 80, particularly the last sentence, which states that “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.

Considering the role of a representative and its place in the triangle of relationships between controllers, data subjects and the ICO, Mrs Justice Collins Rice found that, from the controller’s perspective, Article 27 makes clear that a representative is a mandated, permanent, established, intra-jurisdictional presence representing an extra-jurisdictional controller. The controller cannot rely on access to Article 3(2) data subject markets or monitoring without it. It is also a generalised presence: a representative can expect to be addressed, on the foreign controller’s behalf, “on all issues related to processing”. Once appointed, the representative has specific legal obligations of its own.

From the regulator’s perspective, Collins Rice J said that the importance of the record-keeping obligations on controllers and their representatives under Article 30, in particular the obligation to disclose records on demand, was “hard to overstate”. The representative’s function as local custodian of the full record of the controller’s operation was significant, as demonstrated by Article 31, which imposes a general obligation on both controller and representative to cooperate with the ICO in the performance of its tasks.

From the data subject’s perspective, Collins Rice J said that Article 27(4) makes clear that representatives can be addressed by data subjects on all issues related to processing. The right of subject access is a primary data subject right, she said, and includes being given access to the personal data themselves and to specified ancillary information about the processing (Article 15), much of which is information within the ambit of the record-keeping duties of representatives. Representatives are therefore well equipped to assist data subjects in the exercise of their rights of subject access and are bound to assist the ICO in the performance of its tasks in upholding those rights in practice.

Overall, Collins Rice J said that it was clear that the representative has a considerably fuller role than that of a mere post box “to be addressed” and the words “conduit” or “liaison”, as alleged by Lexisnexis, did not fully capture this. The role is “an enriched one, active rather than passive”, she said, with a bespoke suite of directly imposed functions at its core. It is focused on providing local transparency and availability to data subjects, and local regulatory co-operation.

However, Collins Rice J said, it is difficult to reconcile “representative liability” with the scheme of the GDPR and with EDPB Guidelines 3/2018 on territorial scope. For example, the GDPR does not give representatives powers to provide remedies that involve direct access to and operations on the personal data in question, such as controllers have, nor does it place representatives under the same duties as controllers and processors. Therefore, they cannot simply stand in the shoes of controllers for enforcement purposes.

As for the EDPB Guidelines, Collins Rice J said that they make it clear that a representative “is not itself responsible for complying with data subject rights” and that it is the controller that remains responsible for the content of the record that both controller and representative must maintain. The Guidelines expand on the bespoke role given to representatives by the GDPR, but stop short there.

Further, where the Guidelines address the legal liability of representatives at all, they do so in exclusionary terms, stating: “The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union”.

Collins Rice J said that the last sentence of Recital 80 challenged the findings she had made so far. Nevertheless, she found that Article 27 was clear and did not require a representative to stand in the shoes of a controller as a defendant to enforcement action. In Collins Rice J’s view, Mr Rondón was trying to use a recital to cantilever into the operative text an entire system of liability for which it had not visibly provided. In any event, Recital 80 had to be read as a whole and could no more be taken out of context than any other provision in the complex and interconnected system of the GDPR. If the GDPR had intended to achieve representative liability, it would have said so more clearly in its operative provisions.

Collins Rice J concluded that there was no basis in law for the claim to be brought against Lexisnexis in its capacity as the Article 27 representative of WorldCo, and the claim was struck out. (Mr Baldo Sansó Rondón v Lexisnexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB) (28 May 2021).)