Among the many operational details needed to get in compliance with the soon-arriving General Data Protection Regulation (which goes live on May 25), companies dealing with the data of EU citizens, yet without a physical EU presence, face some additional challenges. The requirements for dealing with EU Member State data protection authorities (DPAs)—breach notification, consultation, reporting, and so on—are still in effect for non-EU-based companies, so many are choosing to engage with an EU-based representative to work with DPAs on their behalf.
This representative must be ‘available’ to authorities and individuals and speak the language. A close relationship between client and representative is important, since requirements like notifying the authorities of a data breach requires action within 72 hours. Critically, there is no distinction made between representative and controller/processor regarding penalties, so companies vying to act as representatives for non-EU parties will be liable for fines and other sanctions along with their clients. With this in mind, making the choice to get into that relationship is critical from the perspective of both parties.
Data protection authorities have previously existed in various forms in various Member States (Germany has multiple, for instance), and are appointed and governed by national legislations. They generally have jurisdiction and enforcement powers only within the territory of that state. However, a ‘one-stop-shop’ rule is envisaged to allow a given DPA’s regulatory actions to affect processing that occurs in other member states, to account for broad activities that span different EU nations.
Furthermore, increased cooperation between DPAs will be required, which is a positive sign for potentially complicated regulatory cases. In case a particular DPA plans to take action over a cross-border processing activity, they will need to coordinate with other concerned DPAs and theoretically have a consistent approach. The European Data Protection Board is created (the EDPB), which replaces the Article 29 Working Party, has representatives from each national DPA, and theoretically oversees harmonization and joint cases. In practice, though, it remains to be seen how much of a direct role the EDPB will play.
‘Lead’ DPA and establishment of ‘main base of operations’ critical factors
A company already dealing with one single DPA, with activities restricted to that country and its citizens, may not see many changes to their existing DPA interactions as a result of the GDPR. Companies with broader activities, however, will have to choose a ‘lead’ DPA.
All controllers or processors that engage in cross-border processing of protected data must understand the need to have a lead DPA. The primary method for selection is defining the ‘main establishment’ of operations—the country in which the majority of processing decisions are taken. The regulation specifically prevents forum shopping, and, in cases where the ‘main establishment’ is debatable, the final decision might need to be defended on the basis of questions such as:
· Where decisions are made;
· Where the capabilities to implement these decisions are based;
· Where the responsible decision-makers are based; and
· Where corporate registrations are kept.
Critically, in cases where no ‘main establishment’ of operations can be defined (so no EU-based decisions, management, etc.), it is currently planned that companies will have to deal with each different member state DPA individually. With this in mind, companies with complicated multi-country activities, but no main establishment, may want to make a decision to create such an establishment in order to qualify for ‘one-stop-shop’ processing and simplify procedures.
Investigations and Penalties
A good relationship, and physical proximity where appropriate, is essential considering the powers DPAs will have. If a DPA suspects a violation, they will engage other DPAs and the EDPB as necessary, and use a variety of investigative tools, including:
· Request of all personal data and records regarding said data;
· Data protection audits;
· Physical access to the premises of the location where data is processed, including to equipment.
If a violation is confirmed, penalties can proceed along a hierarchy:
· Issuance of reprimands;
· An order to bring processing activities into compliance, including to respond to the concerns of an affected individual;
· Orders to erase or modify data, either specific data or entire categories;
· Orders to communicate information about a breach to stakeholders and individuals;
· For more severe cases, DPAs will have the authority to impose temporary or ongoing halts on processing activities, with obvious consequences on ongoing business;
· Orders to suspend transfer of data to outside/third party individuals, organizations, or countries;
· And, finally, imposition of fines: 10 million euro or 2% of global turnover (whichever is higher) for lesser violations, and 20 million euro or 4% of global turnover for severe ones.
Ultimately, while the GDPR is a detailed regulation, some key aspects will need to be seen in practice to completely understand the new paradigm, such as the involvement of the EDPB or the precise interplay and coordination between different DPAs on a multi-country case. We can be sure, however, of the requirement for close availability and contact between DPAs and company representatives, whether they be in-house or contracted out. With this in mind, the choices of whether to create a ‘main establishment’, careful selection of ‘lead’ DPA, and the decision to engage an agency to act as representative need to be carefully weighed by all non-EU companies preparing to deal with the GDPR.