One of the consequences of Brexit is the complicated interplay of the EUGDPR and UKGDPR, both of which have extra-territorial provisions. Those provisions mean that UK organisations might still be subject to the EUGDPR, and EU companies subject to UKGDPR. Organisations outside both the UK and the EU may also be in scope of both. In some circumstances, where they do not have an establishment on the relevant territory, those organisations have to appoint (under Article 27 of the respective version of the GDPR) a "representative" in that territory. A number of companies have set themselves up to provide this representative service, but until now it has not been entirely clear to what extent such a representative might itself be liable to fines from supervisory authorities or other enforcement action, for example from data subjects. Much of the wording of Article 27 suggests that the representative might just be a conduit between the overseas organisation and a supervisory authority, or between the overseas organisation and data subjects. However, some arguments have been made, citing in particular the final sentence of recital 80 ("the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor"), that representatives might have to stand in the shoes of the overseas organisations they represent, and be subject to enforcement or legal claims in their place.
However, the High Court has now ruled that no such liability arises. In Sanso Rondon v LexisNexis Risk Solutions UK Ltd EWHC 1427 (QB) the defendant company successfully applied for a strike-out of a claim under the GDPR (as it applied at the time of the alleged infringement) for erasure and compensation, on the grounds that the claim was brought against the wrong defendant. The defendant was, for the purposes of this matter, an Article 27 representative of US company World Compliance Inc, and argued that it could not be held liable for the actions of World Compliance Inc (which was the controller), and that the remedies sought could be obtained only from the controller, not its representative.
The judge agreed: apart from the sentence from recital 80 (quoted above), which she did not find particularly compelling, she could "find no positive encouragement for 'representative liability' anywhere… if the GDPR had intended to achieve 'representative liability' then it would necessarily have said so more clearly in its operative provisions". Accordingly, she granted the application for strike-out.
The judgment is likely to bring relief, and welcome clarity, for those who have set up "GDPR Representative" services. However, controllers (or processors) who appoint such representatives may feel the need to renegotiate the terms of such arrangements, as any shift in liability necessarily impacts upon the commercial terms of an agreement. It is also possible, in our post-Brexit landscape, that an EU Member State court, or the European Court of Justice, might take a different position (one more example of potential divergence between the UKGDPR and EUGDPR regimes).