
08 July 2021

Case comment: Challenging due diligence databases and GDPR


On Friday 28 May 2021, the High Court handed down summary judgment in the case of Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB). This decision represents an important judgment on the interpretation of Article 27 of the General Data Protection Regulation (GDPR), concerning the liability of UK representatives of data controllers based outside the UK. It will also have an impact on future claims against due diligence databases where the owner and data controller is based outside the UK.

The Court found that, although Article 27 representatives have a role beyond being an EU postbox for foreign controllers and processors, a claim for breaches of the GDPR cannot be brought against the representative where the breaches were caused by acts by the primary controller. That creates clear jurisdictional difficulties for claimants seeking compensation for breaches of their GDPR rights by foreign controllers.

General Background

World Compliance Inc (World Co) is a US company, which owns a database it says is designed to help subscribing businesses globally to comply with laws combating money laundering and terrorism financing. For the purposes of the GDPR, World Co is also the ‘data controller’ of the database. The database is said to include millions of profiles of individuals, among them the Claimant in these proceedings [3].

Any individuals or organisations who have a profile on a due diligence database may find themselves facing serious problems. This might include one day waking up to find their bank account has been closed abruptly without further explanation. They may then face great difficulty in finding alternative banking services, with no understanding as to why they are apparently being blacklisted. Such a situation creates a Kafkaesque scenario for affected individuals and, as such, due diligence databases are increasingly becoming the subject of legal action, often through claims in defamation and data protection.

After the GDPR became the primary authority for EU data protection regulation in May 2018, data controllers based outside the EU caught by the GDPR’s extraterritorial effect (e.g. those organisations offering goods or services to EU citizens) have been required to appoint a representative based in the EU under Article 27 GDPR. At the conclusion of the Brexit transition period, this extraterritorial scope requirement now also extends to data controllers based in the UK with no branch, office, or other establishment in any other EU or EEA state. Conversely, under the version of the GDPR incorporated into UK law as amended (the UK GDPR), the extraterritorial scope requirement will now also extend to data controllers based outside of the UK (including the EU) with no establishment in the UK and will require them to appoint an Article 27 GDPR representative in the UK.

The parties

The Claimant in these proceedings is a businessman with an international practice in business consultancy and investment. He holds Italian and Venezuelan citizenship and resides in Italy. The Claimant objected to his profile in the World Compliance database. He considered that World Co had not respected his rights under the GDPR.

The Defendant is LexisNexis Risk Solutions UK, a data analytics, risk intelligence, and compliance business, incorporated in England and Wales. It is World Co’s formally designated ‘representative’ for the purposes of Article 27 GDPR. Article 4(17) GDPR defines a ‘representative’ as:

a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.

Article 27 comes into effect due to the application of Article 3, which provides the ‘territorial scope’ of the GDPR. Article 3(2) GDPR applies to the processing of personal data of individuals who reside in the European Union by a controller or processor not established in the Union, where the processing activities are related to either the offering of goods or services (irrespective of whether a payment from the individual is required) to such individuals in the Union and/or the monitoring of the individual’s behaviour as far as their behaviour takes place within the Union.

The underlying claim

In August 2020, the Claimant issued a data protection claim against the Defendant (the DPA claim). The DPA claim included a number of alleged breaches of the Data Protection Act 2018 and the GDPR in World Co’s processing of the Claimant’s personal data and in producing the profile to which he objects. His claim sought the following remedies:

  1. A compliance order requiring the Defendant to erase (or cause to be erased) his personal data, and restraining the Defendant from further unlawful processing of his personal data (see s.167 of the Data Protection Act 2018);
  2. an order (under Article 19 of the GDPR) that:
    1. the Defendant notify (or cause to be notified) each recipient to whom the Claimant’s personal data had been disclosed, through their having accessed any version of the profile, of such erasure, and
    2. the Defendant provide the Claimant with details of the identities of the recipients;
  3. compensation (see Article 82 of the GDPR).

The Claimant’s pleadings asserted that as World Co’s representative, the Defendant was ‘liable in respect of breaches of the GDPR for which World Compliance Inc is liable as data controller’.

The judgment follows the Defendant’s application for the claim to be struck out pursuant to CPR 3.4 or, alternatively, for summary judgment to be entered in the Defendant’s favour under CPR 24. The Defendant’s application was premised on the contention that there were no reasonable grounds for bringing the claim or, alternatively, that the claim had no realistic prospect of success because it was brought against the wrong defendant. The Defendant went on to argue that a representative cannot be held liable for the actions of a controller as the Claimant proposed and, accordingly, the remedies sought could only be obtained from a controller and not its representative [7].

Article 27 GDPR

While the parties agreed that the GDPR (in general) and Articles 3(2) and 27 (in particular) applied to this case, the central dispute between them concerned their rival interpretations of the effects of Article 27(4) and 27(5):

  • 27(4) The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
  • 27(5) The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

The Defendant’s position was that the ‘key, or sole,’ operative provision defining the Article 27 representative’s role and functions is the phrase ‘to be addressed’ in Article 27(4). The Defendant’s case was that this wording meant what it says: a representative is an entity that can be contacted by those who have an interest in data protection compliance by foreign controllers, i.e. supervisory authorities or regulators and data subjects themselves [15]. The Article 27 representative functions as a liaison or conduit and cannot be sued in the place of a data controller. The Defendant relied on Article 27(5) as a basis for this point. The phrase ‘without prejudice to’ meant that the designation of the representative has nothing to do with the commencement of legal actions against the controller itself, and that this was also apparent from the wider scheme of the GDPR.

The Claimant’s position was that ‘representative’ meant what it says in Article 4(17) and that 27(4) requires the ‘mandation’ of a representative to be addressed ‘in addition to or instead of’ the controller ‘on all issues’ related to data processing and, importantly, for the purposes of ‘ensuring compliance with the GDPR’ [16]. To support this contention, the Claimant relied on Article 27(2)(a), arguing it made clear that the function of a mandated representative is to address the ‘risk to the rights and freedoms’ of data subjects and that none of this suggested a mere conduit or liaison function. Accordingly, this made an Article 27 representative the local embodiment of a foreign controller, an entity within the jurisdiction to which the GDPR can apply. Furthermore, for the purpose of Article 27(5), the representative did have legal liability, but it was in addition to (and not in substitution for) the controller’s liability.

The judgment

In her judgment, Mrs Justice Collins Rice found that the role of an Article 27 representative is a ‘considerably fuller role than a mere postbox’ [74], but that a representative is not liable for the controller’s acts; Article 27 did not create ‘representative liability’ and, accordingly, the claim was struck out.

The decision turned on the interpretation of Article 27, with the Judge considering the parties’ interpretations alongside various authorities, including the GDPR Recitals at [23]–[27], guidelines from the European Data Protection Board (EDPB Guidelines) at [28]–[35], ICO guidance at [36]–[40], the Data Protection Act 2018 (DPA) at [41], the GDPR and the EU Charter at [42]–[45] and ‘Representatives’ in other Regulations at [46]–[50].

Collins Rice J considered all of the aforementioned authorities before making her decision [51]–[102]. From the controller’s perspective, the Judge noted that Article 27 makes clear that at a minimum a representative is ‘a mandated, permanent, established, intra-jurisdictional presence representing an extra-jurisdictional controller’; that a controller cannot rely on access to Article 3(2) data subject markets or monitoring without it; and that a representative also has a generalised presence and can be expected to be addressed on all issues related to processing by the foreign controller [61]. The role of the Article 27 representative is an enriched one, active rather than passive, with the job remit of a representative focusing on providing local transparency and availability to data subjects, as well as local regulatory co-operation [74]. In the Judge’s view, ‘representative liability’ is harder to reconcile with the scheme of the GDPR and the interpretative aids discussed above, although the Judge acknowledged that Recital 80 challenges that view and required further analysis [76].

The Judge held that making a local representative personally liable in relation to the full suite of data controller responsibilities is an ‘incomparably more ambitious policy’ that is hard to reconcile with ‘much more shy articulation’ [79]. This leads into a second problem, which is ‘practicality’.

The Judge found it was not apparent that the GDPR envisaged Article 27 representatives processing personal data themselves at all, whether directly or via contractual powers to compel controllers. The Judge also noted that while ‘standing in the shoes’ of controllers for enforcement and remedial purposes appeared to be a simple proposition, it was not. This was because the enforcement powers of the courts and the ICO reflect the full range of the duties imposed on controllers and processors due to the authority they have on a day-to-day basis over how and why data are processed, whereas a representative does not have that authority and therefore it is not constituted as a controller or processor in its own right [82].

Turning to the interpretation of Recital 80 on ‘representative liability’, while acknowledging the final sentence offered support for the idea of ‘representative liability’, the Judge took the view that Recital 80 had to be read alongside Article 27(5) [96]. When properly contextualised, Article 27 is not ambiguous and it does not require representatives to stand in the shoes of controllers for the purpose of enforcement action, meaning it did not create ‘representative liability’ [97]. Moreover, the fact that Article 27 did not absolutely exclude the Claimant’s asserted interpretation did not make it ambiguous (the Claimant had asserted the use of wording ‘act on behalf of’ meant the representative itself is liable to enforcement in respect of a controller’s breach of its obligations).

The Judge noted that she found no ‘positive encouragement’ for ‘representative liability’ anywhere other than the last sentence of Recital 80, in which she found no strong compulsion in itself [101]. Collins Rice J concluded that if the GDPR had intended to create representative liability, it would have done so more clearly in its operative provisions, and such liability could not be ‘blown in by the interpretative sidewind’ of one sentence of Recital 80 [101].

For those reasons, the court found there was no basis in law for the claim to have been brought against the Defendant in its capacity as the Article 27 representative of World Co and therefore ordered that the claim be struck out.

Comment: Impact of the GDPR

This judgment contains a very detailed and methodical analysis of whether an Article 27 representative bears any liability for the acts of a controller based outside the UK or EU. In addition to clarifying that question, finding that a representative cannot be held liable for the alleged failures of an extra-territorial controller, the Judge also provided a definitive overview of what exactly a GDPR representative does. The case will be essential reading for any organisation offering representative services to others following Brexit and the end of the transition period last year, after which the GDPR has been adopted and amended to become the ‘UK GDPR’. Notwithstanding the reassurance the judgment provides that the Article 27 representative will not be liable to pay damages for the data controller’s breaches of the GDPR, it is likely that representatives will still seek to secure suitable indemnity provisions in their favour from the data controller in the mandate appointing them as a representative.

In addition, any organisations which are data controllers not established in the UK (or the EU, for that matter), and which may have had second thoughts following the judgment on the usefulness to them of appointing an Article 27 representative, may do well to be aware that failing to do so where required is still a form of non-compliance for which a GDPR fine can be imposed. In May 2021, the Dutch Data Protection Authority issued a fine of €525,000 against an international website company based in Canada, whose purpose is to locate individuals one has lost touch with, and which consequently publishes people’s addresses and phone numbers without their knowledge. Anyone who wanted to exercise their GDPR rights to have their details removed from the site could not easily do so, due to the lack of a representative in the EU. The fine was specifically imposed due to the lack of an Article 27 GDPR representative.

Comment: Impact on future claims against World Co

In addition to providing clarity for Article 27 representatives, this decision will also have an effect on future claims against World Co. The decision is likely to mean that any claimant wanting to pursue legal action regarding a profile on the database against a controller based outside the UK, whether in the form of libel and/or DPA claims, will for now need to consider an application seeking permission to serve proceedings outside the jurisdiction under CPR 6.37. This will inevitably create additional challenges and incur further costs for claimants seeking relief for any false or outdated allegations published in World Co profiles, in addition to overcoming the burdens entailed in pleading libel and/or DPA claims.

The decision also continues the developing case law regarding the use of profiles on due diligence systems and the effect they may have on an individual’s reputation. We wrote an article about this topic back in 2016 concerning the World-Check database, a database similar to World Co’s. At the time, Reuters owned the World-Check database; it has since been transferred to Refinitiv following a merger. There has been a growing number of claims against Refinitiv since 2015, when the World-Check database became the subject of a BBC investigation that found a profile on the database for the Finsbury Park Mosque had led to the Mosque losing access to its banking services. The publication of the profile then became the subject of libel proceedings brought by the Mosque against Reuters. This matter settled in 2017, with the parties agreeing to make a Statement in Open Court in which Reuters agreed to remove the defamatory allegations and to pay damages and costs to the Mosque.

For any claimants considering possible claims against Article 27 representatives in circumstances where the data controller is difficult to identify or to sue, it is notable that the Judge has granted the Claimant permission to appeal the decision, meaning this matter will now proceed to be determined by an appellate court. It remains to be seen what the Claimant’s grounds of appeal will entail.
