On May 12, 2021, the Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) issued a press release on a EUR 525,000 fine against Locatefamily.com for failing to appoint an EU representative, with additional penalty payments pending should the violation persist. The press release is available in English here, and the decision is available in Dutch here (“Decision”).
Background
Locatefamily.com provides a free and publicly accessible platform for individuals to find acquaintances with whom they have lost contact, such as family, long lost friends, or old neighbors. Individuals can publish search announcements on Locatefamily.com, which may include lost acquaintances’ personal information (such as their name, address, and phone number). The website displays personal information of individuals across the globe, including that of approximately 700,000 Dutch residents. On its website, Locatefamily.com does not explain where it is located, but technical research conducted by the AP into the web host indicated that Locatefamily.com may be based in Canada.
As of late July 2019, several European supervisory authorities, including the AP, had received complaints regarding Locatefamily.com. In response to the AP’s requests for information, Locatefamily.com stated that it is not located in the EU, does not have an EU representative, and does not offer goods or services to the EU. The AP disagreed and concluded that Locatefamily.com’s services are offered to data subjects in the EU. Under the EU General Data Protection Regulation (GDPR), a controller located outside of the EU, such as Locatefamily.com, who offers services to individuals located in the EU, is required to appoint an EU representative.[1]
On December 10, 2020, the AP fined Locatefamily.com EUR 525,000 for its failure to do so. The AP also required Locatefamily.com to appoint a representative in the EU or face a penalty of EUR 20,000 for every two weeks of non-compliance (up to a maximum additional fine of EUR 120,000).[2] This is not the first time the AP has taken enforcement action against an organization’s failure to appoint a local representative. In 2014, the AP took similar action against WhatsApp Inc. under the Dutch data protection law preceding the GDPR. However, before the fine was finalized, WhatsApp had created an EU establishment in Ireland, which meant that the GDPR requirement no longer applied.
Key Takeaways
- Extraterritorial reach of the GDPR. The Decision reaffirms the broad territorial scope of the GDPR. The GDPR applies not only to organizations established in the EU, but also to organizations established outside of the EU that i) offer goods or services to, or ii) monitor the behavior of, individuals in the EU. The AP opines that, even though Locatefamily.com is located outside of the EU, it is subject to the GDPR on the basis that it provides its services to individuals in several EU countries, including the Netherlands. The Decision does not specify the bases for the AP’s determination that Locatefamily.com should be considered to be offering its services in the EU.
- Obligation to appoint an EU representative. The Decision reaffirms the GDPR’s obligation to appoint an EU representative. Non-EU established organizations falling within the scope of the GDPR should ensure that they i) appoint an EU representative to assist with maintaining records of processing activities and to liaise with EU supervisory authorities and individuals, and ii) update their privacy policies to ensure the identity and contact details of the EU representative are easily accessible. In this case, the AP, consistent with the GDPR’s mutual assistance mechanism, consulted with other EU supervisory authorities to determine whether Locatefamily.com had appointed an EU representative outside of the Netherlands. In light of the UK’s departure from the EU, organizations should further consider whether they are required to appoint a UK representative instead of, or in addition to, their EU representative, depending on the scope of their processing activities. For more information on post-Brexit obligations, please consult our post on the WSGR Data Advisor, The Privacy Impact of the New Brexit Deal.
- Importance of accommodating individuals’ rights. The AP concluded that Locatefamily.com’s failure to appoint an EU representative, combined with the number of affected individuals and the duration of non-compliance, amounted to a serious violation of data subject rights. The complaints submitted by individuals to the AP and other EU supervisory authorities revealed that, without an EU representative, individuals in the EU lacked a single contact point to exercise their rights under the GDPR, and that this contributed to Locatefamily.com’s failure to adequately respond to their data erasure requests.
Conclusion
The AP’s Decision reaffirms the extraterritorial reach of the GDPR and the importance of complying with data subject rights appropriately. It particularly underscores the obligation to appoint an EU representative as a mechanism to ensure an appropriate and timely response to data subject rights as well as the AP’s continued vigilance on this matter.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Jan Dhont, or another member of the firm’s privacy and cybersecurity practice.
[1] Articles 4 and 27 GDPR.
[2] Since the AP has not ascertained where the organization behind Locatefamily.com is formally located, it could have a jurisdictional issue in case Locatefamily.com disregards the AP’s decision by deciding not to comply with the order and not to pay the fine.