
'Data protection authorities are aware of the issues, regulatory action will follow soon'

EDPO founder Jane Murphy on the GDPR and non-EEA organizations

15/07/2019

It has been more than a year since the General Data Protection Regulation (GDPR) came into effect, imposing multiple obligations on organizations that process personal data. One of the so-called "hidden obligations" of the GDPR is Article 27 GDPR, which requires organizations that are not established in the EEA but fall within the territorial scope of the GDPR to appoint a Data Protection Representative (DPR) in the EEA. This requirement enables the Data Protection Authorities (DPAs) in the EEA to get in contact with organizations that might otherwise be difficult to reach.

The GDPR protects the Data Protection Officer (DPO) from being subject to enforcement proceedings. No such protection exists for DPRs. This potentially significant exposure has, however, not deterred Jane Murphy from establishing the European Data Protection Office (EDPO). EDPO is based in Brussels and acts as a DPR for organizations that are not established in the EEA but that have to comply with the GDPR.

Over the coming period the CMS Data Protection & Privacy team will speak to several professionals who have experience with (the implementation of) the GDPR. In that context, the Data Protection & Privacy team had the pleasure of interviewing Jane Murphy, founder and chair of the board of EDPO, to talk about the special role and risks of a DPR.

What services does EDPO provide?
"Based on Article 27 of the GDPR, we are mandated by the controller or processor to be addressed by DPAs and data subjects on all issues related to processing for the purposes of ensuring compliance with the GDPR. This means that we serve as a first point of contact on behalf of non-EU organizations. We also provide support services with regard to data breaches. Given that non-EU organizations don’t benefit from the one-stop-shop principle under the GDPR, this means that they may have to notify all DPAs separately within 72 hours. The procedures for filing data breach notifications have not been harmonized and a lot of DPAs only accept the notification forms in their country's official language. We provide organizations with English translations of these forms and support them in filing the notifications."

Murphy emphasizes that EDPO does not provide general GDPR implementation guidance. "This means, for example, that we do not advise organizations on whether they are required to notify the DPAs of a data breach. That's the job of a DPO and of external lawyers."

Can you tell us more about the differences between the role of a DPR and the role of a DPO?
"A lot of non-EU organizations claim or believe that they don't need us because they already have a DPO. However, the role of the DPO is quite the opposite of that of the DPR. The DPO is a person who advises the company regarding its GDPR obligations. DPOs act independently and can't be subject to enforcement proceedings. We, as DPR, can only act under instructions of our client based on a mandate, which means that we cannot act independently. In addition, we can be subject to enforcement proceedings jointly with our clients in the event of a breach on their end – even if we have acted within the scope of our mandate and committed no breach on our side."

What should a DPR do in case the instructions as provided in the mandate of its client contradict with the provisions of the GDPR?
"We haven't encountered such contradictions yet, but this might happen in the future, especially regarding the records of processing activities. Based on Article 30 of the GDPR, a DPR is required to maintain the record of processing activities of the controller or processor. A DPA could require us to provide such a record, but the mandate may prevent us from doing so. We hope to receive more guidance from the DPAs and from the European Data Protection Board (EDPB) in this respect."

What could be the consequences for a DPR if it decides to follow such instructions?
"It is one of the grey zones of the GDPR.

''We hope that we will not be in a position where we have to choose between following the instructions of our client and complying with the GDPR.''
Jane Murphy

It is not clear what is expected of a DPR in such situations and to what extent a DPR can or will be subject to enforcement proceedings. This is something that needs to be clarified as soon as possible."

Do organizations actually know when they are required to appoint a DPR?
"The degree of awareness in that regard is extremely low. Guidelines for organizations such as the numerous "Ten steps on how to implement the GDPR" type of guidelines are written from a European perspective so most of them don’t mention the obligation to appoint a DPR. Organizations following these guidelines therefore have the misconception that they are GDPR compliant without appointing a DPR. Other organizations believe that they only need to appoint a DPR to be GDPR compliant and can neglect the other obligations of the GDPR. To raise awareness in this regard we have participated in a lot of data protection conferences and we are very active on social media."

Which statement of a DPA was the most notable or striking in the past year?
"I think that the guidelines that the EDPB published on the territorial scope of the GDPR had quite an impact. These guidelines confirm, amongst others, that the role of the DPO is not compatible with the role of the DPR. This means that non-EU organizations that hire a DPO that is also their DPR might be at risk."

Do you expect any regulatory action in this regard any time soon?
"DPAs are aware of these issues. I've been at multiple conferences where members of DPAs were present and based on the conversations that took place there I believe regulatory action will definitely follow soon.

''We have seen an increase in regulatory action in the last year and I believe sanctioning non-EU organizations that did not appoint a DPR is the next step.''
Jane Murphy

Do you experience a lot of differences between the statements of the different DPAs?
"On the one hand, I see a high level of cooperation between the different DPAs, for example within the context of the EDPB. On the other hand, I see a lot of uncertainty regarding the manner in which different DPAs decide on cases. For example, the huge fine that was imposed on Google by the French DPA raises a lot of questions on how the one-stop-shop principle should, or should not, be applied."

Murphy explains that she has also noticed a difference in approach between the DPAs with regard to data breach notifications. "Some DPAs don’t take non-EU organizations into consideration. Besides the fact that not all DPAs offer an English version of the notification forms, there are also DPAs who require a national enterprise number in order to fill out the forms. Given that non-EU organizations obviously don’t have local EU enterprise numbers, they can’t even access the data breach notification platforms on the websites of certain DPAs."

She adds: "We've also experienced DPAs not responding to notifications, whilst other DPAs, such as the UK’s Information Commissioner’s Office (ICO), provide very detailed responses."

In view of Brexit, are UK organizations already approaching EDPO to be their DPR?
"Yes, we’ve received quite a number of requests from controllers and processors based in the UK. Given that they will be considered as controllers and processors from a “third country” after the exit date, such organizations will be required to appoint a DPR within the EEA. Most organizations don't realize that this applies both ways: EEA-based organizations will most likely also be required to appoint a DPR in the UK. Although the degree of awareness in this regard is low, we have already received a lot of requests, especially from law firms."

What other developments do you expect in the upcoming year?
"Artificial Intelligence (AI) will be a hot topic. AI will have a huge effect on organizations and their GDPR compliance. DPAs will also play an important role in the perception of data protection rules in light of these new technologies."

Finally, what would you like to point out to organizations that process personal data?
"Don't focus on the potential negative consequences of the GDPR on your business activities. The GDPR protects our privacy and should not be seen as a barrier to international trade."
