Data protection: Representative liability

On the true construction of General Data Protection Regulation (EU) 2016/679 (the GDPR), a representative appointed under art 27 thereof could not be held liable for a controller’s breaches of the GDPR. Accordingly, the Queen’s Bench Division, held that there was no basis in law for a claim, alleging breaches of the GDPR by a data controller company, to be brought against the defendant company in its capacity as the art 27 representative of that company. The claim was struck out.

The claimant was a businessman with an international practice in business consultancy and investment. He held Italian and Venezuelan citizenship and he was resident in Italy.

World Compliance Inc (WorldCo) was a US company which owned (and was the ‘data controller’ of) a database designed to help subscribing businesses globally to comply with laws combating money laundering and terrorism financing. The database included millions of profiles of individuals, including the claimant. The claimant objected to that profile, in the successive versions in which it had been published, contending that WorldCo had not respected his rights under The General Data Protection Regulation (EU) 2016/679 (the GDPR).

The defendant company was a data analytics, risk intelligence and compliance business, incorporated in England and Wales, and it was WorldCo’s formally designated ‘representative’ for the purposes of art 27 of the GDPR.

The claimant brought a claim against the defendant, alleging breaches of the GDPR in WorldCo’s processing of the claimant’s personal data, in producing the profile to which he objected. The particulars of claim asserted that the defendant, as WorldCo’s representative, was liable for any breaches of the GDPR for which WorldCo, as data controller, was liable. The claimant sought: (i) a compliance order under s 167 of the Data Protection Act 2018 (DPA 2018), requiring the defendant to erase (or cause to be erased) the claimant’s personal data, and restraining the defendant from further unlawful processing of the claimant’s personal data; (2) an order under art 19 of the GDPR that (a) the defendant notify (or cause to be notified) each recipient to whom the claimant’s personal data had been disclosed, through their having accessed any version of the profile, of such erasure, and (b) the defendant provide the claimant with details of the identities of the recipients; and (3) compensation pursuant to art 82 of the GDPR.

The defendant applied for the claim to be struck out (under CPR 3.4) or, alternatively, for summary judgment to be entered in its favour (under CPR 24). The parties disputed a point of interpretation of the GDPR. On the defendant’s interpretation, the claimant had (in effect) tried to sue the wrong person and the litigation should end in its present form. On the claimant’s interpretation, his underlying claim should proceed, with time for filing and serving a defence starting to run in accordance with an extant case management order.

Whether the claim should be struck out (under CPR 3.4) or, alternatively, whether summary judgment should be entered in the defendant’s favour.

The defendant submitted that there were no reasonable grounds for bringing the claim or, alternatively, that it had no realistic prospect of success, because it was brought against the wrong defendant. It  contended that a representative could not be held liable for the actions of a controller as proposed, and the remedies sought could be obtained only from a controller, not its representative.

The dispute between the parties concerned the effect of arts 27.4 and 27.5 of the GDPR. Article 27.4 provided that: ‘The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation’. Article 27.5 provided that: ‘The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.’

There was no basis in law for the present claim to be brought against the defendant, in its capacity as the art 27 representative of WorldCo. Accordingly, the claim would be struck out (see [103] of the judgment).

The GDPR, read together with DPA 2018, formed the data protection law of England and Wales. The GDPR originally took effect in the UK as directly-effective EU law during the UK’s membership of the EU. It continued in force through the ‘retained EU law’ provisions of the Brexit legislative regime (see [13] of the judgment).

The idea that resolving any point of law could be a ‘pure’ or abstract exercise in parsing language was a dangerous proposition, and certainly so when looking at one part of a mature and systematised legal structure with a highly practical purpose. In the global information age, data protection - the law and practice of personal information privacy - was,  above all, an intensely practical regime (see [52] of the judgment).

There were other dangers in the present exercise. It would be a mistake, for example, to consider the functions of an art 27 representative in isolation, when, on any basis, it was a relational role. Data protection, itself, was a regime based on the triangular relationship between data subjects with rights, data controllers with duties, and the ICO with regulatory functions (DPA 2018 s 2). Representatives occupied a place in that triangular relationship, and understanding it required a suitably triangulated perspective (see [53] of the judgment).

There was also a danger in starting with the aspect raised by the present application -enforcement and litigation - rather than with a sound grasp of what one could know from the GDPR about appointing a representative and what it had to do. While data protection was given force by compulsive powers and remedies, it worked day to day on the basis of established and shared practical protocols to enable the vast and vital data flows which power modern life consistently with fair protection for individuals. Enforcement was key, but exceptional, relative to the sheer everyday ubiquity and systematised realities of data processing (see [54] of the judgment).

It was important not to lose sight of the fact that the policy given fine-tuned effect in data protection law involved a balance between facilitating the free flow of data on which modern life relies and protecting individual rights which had their ultimate origin in art 8 of the European Convention on Human Rights. Data processing was global business, and data protection law was both a market regulation measure with a specific transnational application regime, and a species of detailed privacy protection. The opening recitals of the GDPR made important contextual reading (see [55] of the judgment).

Accordingly, the present court approached the question by standing back to look at the uncontroversial, everyday role of a representative, and its place in the triangle of relationships between controllers, data subjects and the ICO (see [56] of the judgment).

The starting point in understanding the role of representatives was the territorial scope provision of art 3.2 of the GDPR, which applied domestic data protection law to certain processing activities of foreign controllers (see [57] of the judgment).

The appointment by an art 3.2 controller of a representative was, in and of itself, an important signal that the controller was engaging with the GDPR, understood its scope provisions, and accepted the conditionalities it imposed on its access to data and data subjects. It signalled, in other words, a recognition of the bargain involved: the burden to be shouldered for the benefit to be gained. It was an acceptance of the application of art 3.2 and a signal of good intent. Article 27 of the GDPR made clear that, at the very least, a representative was a mandated, permanent, established, intra-jurisdictional presence representing an extra-jurisdictional controller. The controller could not rely on access to art 3.2 data subject markets or monitoring without it. It was also a generalised presence. A representative could expect to be addressed on all issues related to processing by the foreign controller, and it was a presence which made a contribution to the reliability of the controller’s GDPR compliance in circumstances in which there was a degree of practical risk to the position of data subjects (see [61] of the judgment).

The GDPR, therefore, made the representative the subject of mandatory appointment and, once appointed, of specified legal obligations. The controller had to ‘mandate’ the representative as such. That indicated a measure of formality, and the controller’s acceptance that, for its own part, it would enable the representative to fulfil the obligations that went with the appointment, not least by furnishing it with the information forming the content of its record-keeping functions. A contractual relationship suggested itself (the Information Commissioner’s Office (the ICO)) envisaged a ‘simple service contract’), but it was not expressly specified (see [62]-[64] of the judgment).

The importance of the provision in art 30.4 for representatives to make any and all aspects of the full art 30 record available to the ICO on request was hard to overstate. After the primary source material of the data and processing operations themselves, the art 30 record was the best and most complete secondary source of compliance information available within the jurisdiction. It was the obvious starting point for the exercise by the ICO of its functions in relation to the foreign controller (see [65] of the judgment).

It was also fully backed by the reciprocal investigative powers of the ICO under art 58.1(a). The legal power for the ICO to order a representative to provide any information it required for the performance of its tasks left no room for doubt about the importance of the representative’s function as local custodian of the full record of the controller’s operation and, therefore, its role in guaranteeing the regulatory transparency of that operation (see [66] of the judgment).

That was also to be understood from the general obligation imposed by art 31 (cumulatively on controller and representative) to co-operate with the ICO in the performance of its tasks. That set a tone in encouraging a supportive, rather than defensive, stance towards the regulator. It also reinforced the transparency theme in the data protection regime (see [67] of the judgment).

Making it an express and specific responsibility of local representatives was significant. The task of the ICO was indisputably more complex and difficult where foreign controllers were concerned. There might be additional practical difficulties (of language, time zone, business culture or national politics, for example) to overcome. There might be additional legal complexities (as to ‘adequacy’ status or particular ‘safeguards’ for data transfer, or international law considerations) to be navigated. The duty to co-operate was recognisable as an active, genuinely ambassadorial, role for a representative: being ready to explain such matters to the ICO, and being equally ready fully to understand and acknowledge any ICO request for co-operation, and to work together with a controller to comply with it (see [68] of the judgment).

Two very broad propositions might be risked in an attempt to distil the perspective of data subjects to a few general principles. The first was that data subjects were basically entitled to two things: to have their data processed in accordance with the duties imposed on controllers (compliance), and to know who was doing what with their data in the first place (transparency). The second broad proposition was that, although there was no formal hierarchy of enforcement, the powers and duties of the ICO were there to secure entrenched and systemic compliance, and to tackle non-compliance with a full toolkit of regulatory responses, rather than routinely leave data subjects with the considerable burden of enforcing their rights through litigation (see [69] of the judgment).

The right of ‘subject access’ might be considered the primary and fundamental data subject right. It had two functions. The first was that, together with the right to the provision of information at the point of data acquisition by the controller, it was the principal transparency right - the ‘right to know’ whether any controller had your personal data and, if so, what it was doing with it. That was an end in itself. The second function was instrumental. Subject access could provide a first step in monitoring or securing compliance. The knowledge it provided might allay any concerns, or furnish a basis for further investigation, for example if the data subject was not satisfied that data was accurate or being processed compliantly. It might equip a data subject to seek help and advice from the ICO. It might provide a basis for the exercise of investigatory powers by the ICO and be the start of a process which ultimately led to enforcement by the ICO or by data subjects themselves (see [70] of the judgment).

Article 27.4 was clear that representatives might be addressed in particular by data subjects on all issues related to processing. Since the right of subject access was a primary data subject right, there was no reason to doubt its inclusion in that formulation. The right comprised being given access to the personal data themselves and the right to specified ancillary information about the processing (art 15). Much of the ancillary information was information within the ambit of the record-keeping duties of representatives. Data subjects were also entitled to be informed of their right to lodge complaints with the ICO. Representatives were well equipped to assist data subjects in the exercise of their rights of subject access, and they were bound to assist the ICO in the performance of its tasks in upholding those rights in practice (see [71] of the judgment).

Where the knowledge given by subject access led to compliance concerns by a data subject, then the spotlight moved from the record-keeping functions of representatives to their obligations to co-operate with the ICO and their subjection to the ICO’s investigatory powers. From the data subject’s point of view, the representative provided a local and accessible point of engagement with a foreign controller (a relationship in which there might be a substantial imbalance of power), understanding and facilitating the exercise of subject access rights, and staying engaged if the data subject had concerns, up to, and including, the involvement of the ICO and the potential service of process (see [72] of the judgment).

‘Representative liability’ was harder than the alternative to reconcile with the scheme of the GDPR and the interpretative aids set out [in the judgment]. However, recital 80 of the GDPR challenged that view and demanded pause for thought before any conclusion was reached. Among other things, the GDPR created the representative role with care and specificity, and did not unambiguously provide for the liability for which the claimant contended. That was not (just) the linguistic point that, if the GDPR had intended that result, it would, and should, have said so more clearly. It was a point about the consistency and logic of the GDPR’s overall scheme for the global dimension of data processing. The policy for which the claimant contended effectively required relevant foreign controllers to adopt a form of establishment within the jurisdiction, fully on-shoring their liability and putting them on a par with established controllers, as a precondition of compliant processing of the data in question. That was an ambition which was not asserted in anything like equivalent terms in the GDPR (see [24], [76]-[78] of the judgment).

Standing in the controller’s shoes for enforcement purposes implied representatives’ ability to provide, or require the controller to provide, remedies which involved direct access to, and operations on, the personal data themselves. That included rectification and erasure of data, and giving subject access, not just to ancillary information, but to the actual data. That was nowhere discernibly provided for in the GDPR (or DPA 2018). The GDPR neither expressly conferred those functions on representatives, nor placed them under anything like the duties controllers and processors (and data protection officers) were under, concomitant to their access to personal data (see [80], [81] of the judgment).

It was not apparent that the GDPR envisaged representatives processing personal data themselves at all, whether directly or via contractual powers to compel controllers. ‘Standing in the shoes’ of controllers for enforcement and remedial purposes sounds like a simple proposition. It was not. The enforcement powers of the courts and the ICO mirrored the full range of the duties of controllers and processors which were imposed because of the power they had on a day to day basis over how and why data were processed. A representative did not have that; it was not constituted as a controller or processor in its own right (see [82] of the judgment).

If the policy of the GDPR had been to require foreign controllers to appoint and establish local processors, within the terms of art.28, to access the data on the controller’s behalf for the purposes of substantiating local liability, it could have done that. However,  representatives were different from processors. The representative’s ‘mandate’ bore no visible resemblance to the processor’s contract, as extensively provided for by art 28.3-9. The core job the GDPR specifically gave representatives had to do with the activities of a controller or processor (processing personal data), but stopped short of doing those activities and becoming one (see [83] of the judgment).

If a representative stood in the shoes of a controller, the package of duties the GDPR imposed directly on it was otiose. No visible difference need be made between the investigative and corrective powers of the ICO, such as art 58 provided for, if both could be exercised against a representative. A representative need not be given special record-keeping responsibilities if it was liable to guarantee full transparency (information provision and subject access) rights in any event. What the GDPR did say about the liability of representatives appeared directed at excluding, rather than emphasising, it (see [84]-[86] of the judgment).

Among other things, the GDPR was a market harmonisation measure and the primary function of the European Data Protection Board (EDPB) was to enhance consistent interpretation of the regime. On the one hand, that acknowledged that there was legal space for variation in interpretation in the first place, but on the other, it was intended to occupy some of that space. The EDPB Guidelines (the Guidelines) left little or no space for ‘representative liability’. They made clear that a representative ‘is not itself responsible for complying with data subject rights’, and that it was the controller which remained responsible for the content of the record which both controller and representative had to maintain; the controller had to put the representative in a proper position to fulfil the latter’s discrete responsibility (not the other way around) (see [87], [88] of the judgment).

Where the Guidelines addressed the legal liability of representatives at all, they did so in exclusionary terms: ‘The GDPR did not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union’ and ‘The possibility to hold a representative directly liable is however limited to its direct obligations referred to in articles 30 and 58.1 of the GDPR’ (see [89] of the judgment).

Article 50 of the GDPR acknowledged the limitations of the legal reach of the GDPR and addressed the territory which lay beyond, where international co-operation and international law, including mutual enforcement agreements, were the only effective means of securing data protection (see [90]-[92] of the judgment).

The present court gave weight to the perspective of the ICO, not so much as an aid to the interpretation of the GDPR as a legal text (notwithstanding the undoubted expertise of our national regulatory authority on the proper interpretation of data protection law), as because of what it said about its practical approach to the exercise of its own functions in relation to representatives (see [94] of the judgment).

All of the above, taking the fullest and most rounded perspective of the scheme of the GDPR and the other aids to interpretation available, would comfortably have led to the conclusion for which the defendant contended. It was a contextualised, functional, practical and positive analysis in support of that conclusion. Notwithstanding the claimant’s arguments that none of it absolutely excluded his interpretation, the absence of positive support for that in the places one would look for it, and the contrary indications of intention to exclude it, did not  add up to a persuasive case for ‘representative liability’ (see [95] of the judgment).

The best positive support for it was, however, recital 80. Up until the last sentence of the recital, its text was fully conformable to, consistent with and supportive of the analysis set out above, and positively advanced no different or problematic proposition. The final sentence was, however, a challenge: ‘The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.’ It had to be read alongside art 27.5: ‘The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves’.

The court’s starting point was that, properly contextualised, and for all the reasons set out above, art 27 was not ambiguous about whether it required that a representative stand in the shoes of a controller as a respondent or defendant to enforcement action: it did not create ‘representative liability’. The fact that art 27 might not absolutely exclude the claimant’s contended interpretation did not make it ambiguous (see [97] of the judgment).

It was not beyond debate what ‘subject to’ meant in recital 80. Read alongside the original consultation text of the EDPB Guidelines it might have been thought tolerably clear: it meant ‘the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. That included the possibility to impose administrative fines and penalties and to hold representatives liable.’ Read alongside the final EDPB Guidelines, ‘subject to enforcement proceedings’ could be understood to mean subject to the possibility ‘for supervisory authorities to initiate enforcement proceedings through the representative’, including ‘the possibility for supervisory authorities to address corrective measures … imposed on the controller … to the representative’ (that was, an obligation to accept service of process) (see [99] of the judgment).

Recital 80 had to be read as a whole, and could no more be taken out of context than any other provision in the complex and interconnected system of the GDPR. The Guidelines expressly reference recital 80 in what they said about the obligations and responsibilities of representatives: they had it clearly in view. Without speculating about the historical development of those provisions, ‘representative liability’, at any rate so far as concerned the relationship between national regulators and representatives, might have been a live policy idea at some point, the last sentence of recital 80 and the first draft of the Guidelines being high watermarks of a policy tide which receded. That it had receded appeared from the Guidelines and the ICO’s position (see [100] of the judgment).

It followed that the court found no positive encouragement for ‘representative liability’ anywhere other than the last sentence of recital 80. In those circumstances, the interpretation of art 27 contended for by the claimant was over-extended and under-supported, and that contended for by the defendant was to be preferred as more consistent with the letter and spirit of the GDPR (see [101], [102] of the judgment).

Blanche v EasyJet Airline Company Ltd [2019] EWCA Civ 69 considered.

Hugh Tomlinson QC and Aidan Wills (instructed by Schillings International LLP) for the claimant.

Lorna Skinner QC (instructed by Osborne Clarke LLP) for the defendant.

Carla Dougan-Bacchus - Barrister.