Data reps not liable for actions of data controllers, says UK judge

Out-Law News | 03 Jun 2021 | 2:57 pm

Organisations that act in a representative capacity for foreign businesses under data protection laws in Europe cannot be held liable for the actions of those data controllers, according to a judge in the UK.

The ruling of Mrs Justice Collins Rice in the High Court in London confirmed the limited role played by data representatives under the UK General Data Protection Regulation (GDPR). Though not binding on courts within the EU, the judgment also points to a similar interpretation of the role of data representatives under the EU GDPR – the UK legislation sits separately from the EU regulation following Brexit but is almost identical, including in respect of the role of data representatives.

Under Article 27 of the UK GDPR, controllers or processors that are not established in the UK but nevertheless process UK citizens’ personal data for the purposes of offering goods or services or monitoring their behaviour must designate in writing a representative in the UK, subject to limited exceptions.

Tasks of the designated representative include liaising with data subjects and regulators. The obligation to appoint a representative does not apply to public sector bodies.

In the case before the High Court, businessman Sansó Rondón argued that UK-based LexisNexis Risk Solutions was liable for alleged breaches of data protection law by the US-based data controller it represents under the UK GDPR, World Compliance Inc. World Compliance operates a substantial database of profiles on individuals which it enables subscribers to access. The database is designed to support businesses in complying with anti-money laundering and counter-terrorist financing laws.

Rondón objected to the creation of a profile about him and asked the court to require LexisNexis Risk Solutions to act to ensure that his data was erased and that others on World Compliance’s database were notified that profiles had been created about them. He also asked the court to order LexisNexis Risk Solutions to compensate him for the alleged data protection breaches.

However, Rondón’s claim was struck out by the judge after she found there was “no basis in law” for it to be brought against LexisNexis Risk Solutions in its capacity as data representative.

The judge had considered the wording of the GDPR as well as guidelines issued by the European Data Protection Board prior to reaching her decision. Among other faults she found with the case brought by Rondón, the judge considered there was a practical issue with the concept of representative liability.

“Standing in the controller's shoes for enforcement purposes implies representatives' ability to provide, or require the controller to provide, remedies which involve direct access to and operations on the personal data themselves,” Mrs Justice Collins Rice said. “That includes rectification and erasure of data, and giving subject access not just to ancillary information but to the actual data. That is nowhere discernibly provided for in the GDPR (or the 2018 [UK Data Protection] Act).”

The judge also considered the perspective of the UK’s data protection authority, the Information Commissioner’s Office (ICO), on the scope of the liability of data representatives. She said: “The ICO has no expectation of holding representatives liable or available for enforcement purposes other than as clearly provided: in relation to their own bespoke functions and in providing co-operative assistance.”