Further Clarity on Liability of Local Representatives Under the UK GDPR Expected

by Kelly Hagedorn and Matthew Worby

Companies not established in the UK who process the personal data of UK-based individuals are required to appoint a representative in the UK pursuant to Article 27 of the UK GDPR. This requirement may become less practical (and more expensive), depending on the outcome of a UK Court of Appeal case between Baldo Sansó Rondón and LexisNexis Risk Solutions. The case will reportedly be heard in early 2022.

This case relates to the appointment of representatives under the EU GDPR, but will have significant impact in the UK because the UK GDPR framework contains an identical requirement to appoint a UK-based representative. As noted below, it will be interesting to see how EU jurisdictions subsequently interpret the liability of Article 27 Representatives required under the EU GDPR, in light of the UK paving the way on this issue.

Legal Requirement

Broadly, a controller or processor who wishes to process the personal data of UK-based individuals, but is not established in the UK, is required to appoint a representative in the UK under Article 27 of the UK GDPR. That representative’s role is to be a local point of contact about data privacy issues for UK-based individuals or the UK Information Commissioner’s Office (ICO) in addition to, or instead of, the foreign controller or processor.

Case Background

In 2020 Mr Rondón issued a claim against LexisNexis in its capacity as World Compliance Inc’s GDPR representative in the UK. World Compliance runs a database designed to help subscribers comply with anti-money laundering and terrorist financing laws, by holding profiles on millions of individuals for screening purposes. Mr Rondón claimed that World Compliance had inaccurately stated that he is related to a politically exposed person. Financial institutions and counterparties are more likely to view Mr Rondón as posing an increased compliance risk with this designation and treat him differently than if no such connection was identified.

Mr Rondón argued that a representative appointed in compliance with Article 27 of the GDPR is the local embodiment of that foreign controller or processor. That representative, therefore, is an entity within the jurisdiction to which the GDPR can apply with legal force, with the representative stepping into the shoes of the processor or controller.

LexisNexis argued in response that the GDPR was not intended to create liability for representatives arising from the actions of those they represent. Instead, it contended, such a representative was merely a conduit or liaison for the ultimate controller or processor. The ICO supported this interpretation but did not seek to intervene in the case when it was heard by the UK High Court.[1]

The High Court ruled in favour of LexisNexis, concluding that Mr Rondón’s interpretation of Article 27 was unfounded and that local representatives do not have liability for the actions of the controllers and processors they represent. The UK Court of Appeal will reconsider the question early this year following an appeal by Mr Rondón against the UK High Court’s judgment.

Issues Raised

The case raises several significant implications both for representatives under the UK GDPR and for the controllers or processors seeking to mandate them to ensure compliance with the UK GDPR. These include:

  1. the extent to which a representative may be taking on an unknown level of liability for the acts of those it represents, and the potential appetite of representatives to continue to do so;
  2. the ability for a representative to use a contractual mechanism to pass any liability found to exist onto the controller or processor it represents;
  3. the extent to which the ICO would seek to enforce such an interpretation if imposed by the UK courts; and
  4. how a representative might try to correct the behaviour of a non-UK based controller or processor it represents, and how it might extricate itself from a relationship it believed presented an unacceptably high level of legal risk.

Key Points of Interest at This Stage

There are two key points of interest arising from Mr Rondón’s appeal. First, if the UK Court of Appeal rules that Article 27 representatives may be liable for the actions of the controllers or processors they represent, this would almost certainly lead to fewer representatives being willing to take on the role. Non-UK based entities would then be left with increased compliance costs, because the fewer remaining representatives would be able to increase their fees.

Secondly, before the UK High Court judgment there was no relevant guidance or decided case law covering the role and liability of Article 27 representatives in either the UK or the EU. Whilst divergence in respect of the GDPR on the part of the UK was anticipated at some point, it will be interesting to see the extent to which the EU will rely on, or implicitly accept, the UK’s view of the liability of Article 27 representatives in the future.

Footnotes

[1] Mr Baldo Sansó Rondón v LexisNexis Risk Solutions UK Limited [2021] EWHC 1427 (QB), paras 37 and 39.

Kelly Hagedorn is a partner and Matthew Worby is an associate at Jenner & Block.

Disclaimer

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.