The General Data Protection Regulation (“GDPR”)[1] requires any business that does not have an establishment in the European Union, but targets that market,[2] to designate a representative, thus going beyond Canadian privacy laws, so that supervisory authorities and individuals have a readily accessible point of contact.[3]
In practice, however, that obligation does not apply to all businesses: logically, big businesses have establishments worldwide, including in the European Union. They therefore do not need to designate a representative in Europe. On the other hand, small and medium-sized businesses are particularly subject to this obligation since they do not necessarily have establishments in the Union.
While this is not the best-known obligation, the GDPR nonetheless provides for a fine of up to €10,000,000 or 2% of total worldwide annual turnover for violating it.[4]
This is what happened for the first time on May 12, 2021, in the Netherlands, when the Dutch data protection supervisory authority, the Autoriteit Persoonsgegevens,[5] fined Locate Family, an apparently Canadian company[6] with no establishment in the European Union, €525,000 (approximately $776,300 Canadian).
Indeed, the Dutch authority found that, because there was no representative in the European Union, anyone who wanted to have their data removed from the website could not easily do so. The Dutch authority added €20,000 to the already high fine every two weeks until the representative was designated, with a maximum of €120,000.
The fact that there was no representative in the EU was the basis for the fine imposed.
The decision of the Dutch authority is a reminder of two important aspects of the GDPR.
First Reminder: The Extraterritorial Application of the GDPR
Article 3 of the GDPR provides that it applies to any entity that processes personal data, one of whose establishments is in the European Union, wherever the data are processed.[7]
That article then also provides that the Regulation may be applied to any entity, whether or not it is located in the European Union, that targets the European market by (i) monitoring the behaviour of individuals within the European Union, or (ii) offering goods or services (paid or free of charge) to individuals within the EU. It is this second scenario that interests us in this case.
While Locate Family has no establishment in Europe, it does target the European market[8] by offering goods and services there within the meaning of Article 3(2) of the GDPR.
The GDPR provides that in order to determine whether an entity offers goods or services to data subjects who are in the EU, “it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”[9]
In other words, in order for the GDPR to apply, two cumulative requirements must be met: (i) an offer of goods or services, (ii) to persons within Europe. It further provides that the requirement that the data subject be located in the Union must be assessed at the moment when the offering of goods or services takes place.[10]
This is the situation that Locate Family is in.
In fact, according to its website,[11] its aim is to help individuals find people they have lost sight of, using a list of more than 350 million names of people in the world that is published and readily accessible on the website. The data of people in the European Union are shared with the website’s Twitter page where search requests for people and the country where the request originates are posted. There is therefore no doubt that it targets the European Union market.
With the application of the GDPR to Locate Family confirmed, we then need to go further and consider Article 27.
Second Reminder: The Obligation to Designate a Representative in the European Union
Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union. (GDPR, art. 27(1))
Because Locate Family is not located in the Union, it should have designated a representative. However, it did not do so.
It remains to determine whether Locate Family could have availed itself of the exceptions to the obligation to designate a representative in the European Union. It should be noted that Article 27 of the GDPR provides that the obligation to designate a representative does not apply to:
- processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
- a public authority or body.
Since Locate Family is neither a public authority nor a public body, and the processing of personal information of European Union residents is not occasional, that is, processing activity that “is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor”,[12] it may not avail itself of the exceptions to the obligation to designate a representative.
All of this has a significant impact on the individuals whose contact information appears on Locatefamily.com. People who do not know that their contact information has been made public could be surprised by uninvited visitors at their door and should have an easily accessible point of contact.
This is the context in which the €525,000 fine was imposed, under the Dutch rules that apply to penalties. The 2019 Dutch fining policy regulation divides violations into categories numbered 1 to 3, with a range of fines for each. Failure to designate a representative falls into category 3. For that category, the fine ranges from €300,000 to €750,000, with a base fine of €525,000 provided.
More specifically, the authority must start with the base fine, which is increased or reduced, within the range provided, having regard to the following factors:
- the nature, severity and duration of the infringement and the number of people affected and extent of the damage they suffered;
- whether the infringement was intentional or negligent;
- the measures taken by the processor to reduce the damage suffered;
- the processor’s degree of responsibility, having regard to the technical or organizational measures taken by the processor;
- previous violations committed by the processor;
- cooperation between the processor and the supervisory authority to remedy the infringement and limit any negative effects;
- the categories of personal data affected by the infringement;
- the manner in which the supervisory authority was informed of the infringement;
- compliance with the measures taken by the supervisory authority, where they existed previously in relation to the processor;
- adherence to approved codes of conduct or certification mechanisms; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial profits made or avoided.
The website also poses other problems relating to the GDPR, in particular with respect to the privacy policy, which does not seem to comply with Article 13 of the GDPR. However, the Dutch decision seems very clear: the size of the fine is related solely to the fact that LocateFamily.com has no designated representative.
Accordingly, any company that does business in Europe, Canadian or not, should designate a representative if it has no establishment. That obligation is easy to fulfil and Fasken is available to help you.
[2] GDPR, art. 3(2).
[3] GDPR, art. 27; see also European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR.
[4] GDPR, art. 83(4)(a).
[5] https://autoriteitpersoonsgegevens.nl/en/news/dutch-dpa-imposes-fine-%E2%82%AC525000-locatefamilycom
[6] It is not possible to determine from the website what company is hiding behind it. However, from the minimal response that the Dutch data protection authority received from the operators of the website and the evident North American orientation, the information collected suggests that the site might be based in Canada.
[7] GDPR, art. 3(1).
[8] GDPR, art. 3(2). See also European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR.
[9] GDPR, Rec. 23.