Select an area of expertise to find out more about our experience.
Find out more about our barristers and business support teams here.
Select an area of expertise to find out more about our experience.
Find out more about our barristers and business support teams here.
The Claimant was somebody whose profile was included in a database which was designed to help subscribing businesses comply with laws combating money laundering and terrorism financing. World Compliance Inc, an American company, published and maintained that database. The American Company designated Lexisnexis Risk Solutions UK Ltd as its “representative” for the purposes of Article 27 GDPR. The Claimant sought to hold the representative liable for a variety of breaches of the GDPR which had been brought about by the inclusion of his personal data in the published database.
Recital 80 to the GDPR, which explains the policy reasons for the Articles of the GDPR, provides that “the representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority”, “the designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation” and “the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.
Where an organisation is controlling and processing data of European subjects outside of the jurisdiction, Collins Rice J described the role of a representative as “an enriched one, active rather than passive”, saying that “the job focuses on providing local transparency and availability to data subjects, and local regulatory co-operation” [74]. The Court held that if the Claimant was right that it could hold a representative responsible for the breaches occasioned by a controller, it would amount to an obligation on foreign data controllers of “fully on-shoring their liability… as a precondition of compliant processing” but this was not supported by the language of the GDPR [78]. Moreover, if a representative were to stand in the shoes of the controller for liability, it would “require the controller to provide remedies which involve direct access to and operations on the personal data themselves” [80].
The Court held that the representative was the wrong defendant. It was only the last sentence of Recital 80, concerning “enforcement proceedings” which gave any indication that there should be representative lianility and even that was not “strong compulsion” [101].
We understand there to be an outstanding appeal.
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.
