The “Hidden Obligation” rides again! – EU Representatives under DSA, NIS2, TCO and others
Summary:
With several EU laws relating to data and digital matters (either enforceable now or shortly to become so) requiring organisations outside the EU to appoint an EU-based Representative – including GDPR, the Digital Services Act (DSA), the Network & Information Security Directive (NIS, soon to be replaced with NIS2), the Terrorist Content Online Regulation (TCO), the Data Governance Act (DGA) plus, in due course, the Data Act and AI Act – now is the time for organisations outside the EU, and their advisors, to re-engage with this obligation.

The beginning – GDPR Data Protection Representative:

Those with a good understanding of how GDPR applies to companies outside the EU, no doubt including those kind readers who continue to follow my articles, will be familiar with the role of the GDPR Representative. An obligation placed on organisations outside of the EU by GDPR Article 27, it requires that they appoint a Representative within the EU to act as their point of contact, so that data subjects and EU supervisory authorities can reach them with their concerns about data processing, and so that individuals can exercise the rights which GDPR grants them in respect of their personal data.

Unfortunately, as I observed in 2018 when GDPR became enforceable[1], this requirement was something of a hidden obligation. It wasn’t discussed with any particular gusto in the EU, simply because it mostly wasn’t relevant – the GDPR experts in Europe were (rightly) focused on ensuring their EU-based clients were meeting the other obligations which GDPR placed upon them, and appointing a Representative was not one.

The effect of this was to keep the Representative obligation out of the discussion elsewhere as well; if the EU – home of GDPR – wasn’t discussing this requirement, why would anyone outside the EU give it any thought? Apart from anything else, it simply wasn’t on their radar; because much more attention was being paid in the EU to the DPO, cross-border transfers and data protection impact assessments, logically the companies outside the EU (which – in their view – had GDPR pushed upon them without any opportunity to object) were also focusing their attention on those other aspects. Which isn’t to suggest that those fundamental parts of GDPR aren’t important – they absolutely are – but simply to note that the Representative obligation remained hidden from large numbers of the organisations to which it was intended to apply.

This wasn’t the case with everyone of course – those companies which had invested in good advice around GDPR were keen to ensure they appointed a GDPR Representative – but compliance was certainly not universal.

Brexit – the cause of many issues on both sides of the English Channel – threw another spanner into the works, by adding a separate obligation to appoint a UK Representative for organisations without a UK establishment. Whether it was a result of the EU’s lack of attention to Article 27 in the first place, or an expectation that the UK Information Commissioner’s approach to enforcement of UK GDPR would be (at best) inconsistent, few EU companies sought out the services of a UK Representative. A large number of UK companies – now established solely in a “third country” from EU GDPR’s perspective – which were targeting sales in the EU did appoint an EU Representative, but certainly not all.

Enforcement of the Representative obligation has been undertaken, but only sporadically. A few big names, most significantly Clearview AI[2], did receive orders to appoint a GDPR Representative where they had not done so, but the main focus of the EU authorities in the first half-decade of GDPR’s enforceability has been the organisations within their own borders.

However, the Representative gradually emerged from the shadows during the early 2020s, as more EU-based organisations – concerned by the greater scrutiny of, and enforcement against, their peers with regard to international data transfers – began to apply a more detailed due diligence approach to their partners and suppliers outside the EU. This led to a greater focus on the compliance of those external organisations, an increasingly vigorous approach to vendor management (driven, to an extent, by the increasing use of privacy platforms to manage compliance), and a resurgence in the world of the GDPR Representative. Driven not directly by the enforcement activities of the EU authorities, but instead by the commercial requirement to evidence GDPR compliance, the Representative increasingly became an expectation placed on non-EU suppliers by their EU clients.

The Representative Renaissance:

The EU, in a world where data continues to grow in both scale and mobility, recognises the increasing importance of protecting its population from digital threats both foreign and domestic, and has doubled down on the obligation that organisations outside the EU need to have an EU location at which they can be contacted regarding compliance. Or, to view it from another angle, it has identified that, without a method of local contact for those non-EU companies, effective action against them was easily hindered, reduced in effectiveness, or simply ignored by the companies giving rise to that growth.

Whatever the cause, the EU has made clear that the Representative obligation is going nowhere by adding it to a raft of new Regulations and Directives. Some of these are already enforceable; some have been brought into effect but have not yet (at the time of writing in January 2024) reached the deadline by which enforcement can commence. In the case of the Network & Information Security Directive (NIS), enforcement has been an option since 9 May 2018 – before GDPR – although the number of organisations outside the EU to which it applies is potentially much smaller than will be the case under NIS2, which replaces it from 18 October 2024.

Some specifics of the obligation under the newer EU laws are set out below. It is worth noting that each obligation only applies to organisations providing services into the EU, and that the appointment must be made in writing (e.g. under contract) rather than via an informal arrangement.

A table setting out – by commercial sector – the particular EU Representative obligations which apply to organisations outside the EU, can be found here: www.datarep.com/summary.

Digital Services Act (DSA) Legal Representative:

Currently, the most discussed example of this is the Digital Services Act (“DSA”). Applying to “providers of intermediary services” (hereafter “Providers”) – a wide definition covering mere conduit, caching and hosting services, and so taking in most organisations which provide a service online – the DSA places obligations (among others) to ensure that illegal online content can be removed, illegal products and services are made unavailable, and online traders can be identified.

To ensure the effectiveness of these expectations, against a backdrop of reluctance from Providers across the globe to impose additional gatekeeping on their services, the DSA requires that Providers with no EU establishment which are offering their service in the EU appoint a Legal Representative in the EU (DSA Article 13).

The Representative will act as the point of contact for (among other things) orders to remove illegal content, make illegal products unavailable, and provide information about online traders. One of the most significant aspects of this, when compared to the GDPR Representative obligation, is the need to notify the details of that Representative to the Digital Services Coordinator (“DSC”) in the EU member state in which the Representative resides or is established. This prevents a wait-and-see approach to compliance, where some elements are only added when the specific need arises (e.g. only appointing a Representative if and when the Provider is asked who its DSA Legal Representative is); it will be very clear to the EU authorities when a Representative has been appointed, as the DSC will have a specific record of the date on which it was notified of that appointment.

Network & Information Security Directive (NIS and NIS2) Representative:

The current NIS Directive – like NIS2, a Directive transposed into the national law of each EU member state, rather than a Regulation with direct effect as is the case for the other laws described here – sets minimum cybersecurity standards and applies primarily to operators of essential services of a critical-infrastructure type (e.g. water, energy, transport), which are almost always organisations within the EU member states themselves.

However, it also applies to online marketplaces (allowing the creation of contracts between two external parties), online search engines and cloud computing service providers (“a digital service that enables access to a scalable and elastic pool of shareable computing resources” – Article 4(19)). These companies, where they have no establishment in the EU, are expected to appoint an EU Representative.

NIS2, which takes over from NIS on 18 October 2024, applies to a much wider group of organisations, taking in many additional providers of services delivered online which will also be covered by the DSA. These include domain name registration services, DNS service providers and top-level domain name registries (which are caught regardless of size), and, where at least medium-sized[3], the sole provider in the country, or of a kind whose disruption would have a significant impact, data centres, content delivery networks, social networks and IT managed services including managed security services.

The majority of these organisations, where outside the EU, will need to be registered (along with the details of their Representative) with the relevant authority in the most relevant EU member state. The EU Agency for Cybersecurity (ENISA) will prepare an EU-wide registry of these organisations from the information provided to each member state – again, this gives a clear list of organisations which will be expected to have a Representative, so a wait-and-see approach becomes less viable as an option.

Terrorist Content Online (TCO) Regulation Legal Representative:

The TCO is a relatively brief document compared to those above, and deals with a single issue. However, it does so in a manner which is likely to be very challenging for those to which it applies.

Essentially, the TCO requires a hosting service provider (“HSP”) – any organisation which stores material provided by, and at the request of, a company or individual using its service, insofar as that material is disseminated to the public – to remove terrorist content (material which incites, solicits or instructs terrorist activity) within one hour of receiving an order from a competent authority to do so. Although the first order made to any HSP will be preceded, at least 12 hours in advance, by information that an order is to follow, that will not be the case for the second or any subsequent order.

Many professionals who have been working with GDPR for the last few years have pointed out that the timelines it requires have been difficult to achieve – particularly the 72-hour breach notification, and providing a formal response to some data subject requests within one month. I anticipate those same experts are wondering how they can operationalise this incredibly short timescale. Frankly, it is going to be extremely difficult, and many (the author included) are hoping that the competent authorities will be willing to apply a degree of reasonableness in their enforcement of this time limit, taking relevant factors into account.

Although this timeline is tight for companies based in the EU, consider for a moment how much more difficult it could be for an organisation outside the EU, which would likely be in an entirely different time zone which doesn’t overlap with those in the EU, and whose staff may not have an official EU language as their primary language. Nonetheless, this one-hour time limit applies to them. There is an argument that this requirement is anti-competitive, as only the largest platforms would be able to apply the resources necessary to meet the one-hour deadline, preventing smaller organisations from being able to operate in the EU.

The TCO Legal Representative in the EU would need to receive and identify the order (potentially among a large number of spam or other superfluous communications received as a result of the obligation to publicly declare its details, compounded by the sharing of that information by the competent authorities) and forward it to its client within a timescale which does not make the client’s one-hour limit pointless (i.e. if the Representative takes three days to forward the order, the client then achieving removal within one hour is hardly an overall benefit to society at large). The TCO does not make delay by the Representative a defence for the HSP: the Representative can itself be held liable for non-compliance, but without prejudice to the HSP’s own liability, so it may be difficult to argue before the Court of Justice of the European Union that a missed deadline was the fault of the Representative the HSP itself appointed.

There is another interpretation of the Representative’s obligation though – the TCO expects the Representative to be granted by its HSP clients “the necessary powers and resources to comply with those removal orders”, which might be read as requiring the Representative to have access to its clients’ hosting service and the power to take down material itself. This has clear issues under GDPR and NIS/NIS2 (protecting the personal data processed by those clients, and ensuring the security of their networks), so it’s hard to imagine that this was what was intended – but that interpretation remains possible, given the strong desire of the TCO to have such material taken down as an immediate priority.

The details of the Legal Representative must be notified to the relevant competent authority in the member state in which that Representative has been designated.

Data Governance Act (DGA) Legal Representative:

In what is hopefully something of a relief to those reading, the DGA applies to significantly fewer organisations than the laws listed above. It is intended only to cover those organisations which facilitate voluntary data sharing, either for commercial benefit (Data Intermediation Service Providers) or for charitable purposes (Data Altruism Organisations). The DGA aims to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data; to achieve this, it facilitates data sharing for appropriate purposes and protects the data being shared.

The Legal Representative role for these organisations outside the EU is largely limited to the usual Representative activity – receiving, within the EU, communications on behalf of their clients – but a curious additional obligation has been added: the Legal Representative under the DGA is expected to be able to “comprehensively demonstrate to the competent authorities … upon request, the actions taken and provisions put in place … to ensure compliance with this Regulation”.

The details of the Legal Representative are to be notified to the competent authority in the relevant EU member state as part of a wider obligation on Data Intermediation Service Providers and Data Altruism Organisations to register.

Switzerland Federal Act on Data Protection (FADP) – Data Protection Representative:

For the sake of completeness, it’s also worth noting the obligation under the new Swiss law to appoint a Data Protection Representative in Switzerland where an organisation lacks a Swiss location. This requirement became enforceable on 1 September 2023.

The obligation arises in fewer circumstances than the EU or UK equivalents, as it only applies to organisations acting in the role of data controller (and not, as is the case with GDPR, also to data processors) which process the personal data of individuals in Switzerland regularly and on a large scale, in connection with offering them goods or services or monitoring their behaviour, and where that processing poses a high risk to the individuals concerned.

Summary:

Although these additional EU Representative obligations add to the already substantial compliance burden for organisations outside the EU, the purpose and benefits are clear: without an EU point of contact, the effectiveness of EU laws – and therefore the protections of the individuals based in the EU – would be hindered in a very real way.

The challenge now is meeting these obligations in an affordable and operationally achievable manner. Time will tell how many organisations fail to do so, and the implications of those failures for them.

Tim Bell is the Managing Director of DataRep, a leading provider of services to meet the Representative obligations under GDPR, the Digital Services Act, NIS & NIS2, Terrorist Content Online Regulation and Data Governance Act. If you have any questions about the content of this article, or anticipate a need to appoint a Representative in the EU, please reach out to [email protected].
[3] Under Article 2 of the Annex to Recommendation 2003/361/EC, an enterprise is medium-sized if it has 50 or more employees, or an annual turnover and an annual balance sheet total both exceeding €10m, while staying within the medium ceilings (fewer than 250 employees and an annual turnover not exceeding €50m or an annual balance sheet total not exceeding €43m). NIS2 Article 2(1) also catches entities which exceed those medium ceilings.