Obligations of GDPR Representative in the United Kingdom
What is dati personali?
Jian Jia, Ginger Zhe Jin and Liad Wagman in their paper titled, "The short run effects of GDPR on technology venture investment" in the year November 2018 argue the following:
- Individuals have become producers of data, as opposed to merely being consumers of goods, information and services. At this stage, it is not important to understand the difference between goods, information and services. This is because the line between all three of them is getting blurred.
- The scope of "data" of a data subject ranges from them expressing themselves in all forms. As time progresses, such data becomes valuable and transforms into an asset for businesses. From a computational lawyer's perspective, such expressions are termed as " proprietary datasets".
- It is quite possible that a data subject does not have an idea about the exact volume of their data. The platform views each expression of the data subject as a data point.
- The platforms on which such data subjects express themselves make profits and utilize the preferences of such data subjects to target their services or offers and provide advertisements that are relevant for the individuals depending on their interests. Such platforms make an offer to buy their services with the expectation that the buyer would agree to buy their services. If the buyer agrees, then the platform on which such offer is advertised gets a percentage of the selling price of the relevant good, information or service of the original provider of good, information or service. At this point, such data becomes an asset that is identifiable with the buyer. From an inhouse counsel's perspective, such data can be quantified in terms of its value based on the following variables:
- How many pageviews of the primary website have been recorded?
- How much data has become valuable data, i.e., rate of conversion from offer to buy to consensus ad idem, for the primary website and the secondary websites?
- How many secondary websites, i.e., entities that want to advertise their goods, services and information, are willing to put up their offers in the primary website?
This differentiation between a primary website and secondary website is important because there is a difference in the choice architecture of both these websites, from the data subject's perspective.
5. The downside of such technology is that the prices are dynamic and thus are not equal for all the consumers alike. It is argued in this paper that, there are communities whose income is low and are offered goods, services and information with increased prices.
6. The above example shows that there was a need to draft a set of principles and incorporate adequate safeguards, that shall act as "obligations and not as rights", for such firms that handle the data of such data subjects.
7. From a mergers and acquisition lawyer's perspective, the main challenge is to assess the balance between innovation policy and regulating data. As per the authors, advertisements are bracketed under the innovation policy. From a competition lawyer's perspective, one must account for the possibility of the amount incurred towards advertisement as being converted to a sunk cost, on which there is no return on investment. If that is the case, then a small firm in the field of legal tech is prevented from entering the market of online publishing (Krasteva et al, 2015 and Campbell et al, 2015).
8. A technology venture is funded by venture capitalists. A technology venture can be personalised as a human with different categories of age, namely: a. New firms ( 0 to 3 years old ); b. Young firms (3 to 6 years old ); c. Established firms ( 6 to 9 years old ); and d. Mature firms ( 9 plus years old ). Like humans, technology ventures can change their age groups and switch from one age group to another age group. The reasons for doing so is not clear at this stage. The date on which such an entity is incorporated could be one of the factors that can be accounted for in such a case. Before moving further, please find below a list of terms that are generally used in the ecosystem of technology ventures: a. The different types of fundings are Angel, Seed, Series A and Series B. b. Once the funding is done, then the transaction is called as a deal in layperson's terms. c. The different stages of funding are as follows: - Pre stage Group angel, Seed, Pre-seed, Convertible Note and Product Crowdfunding; - Main stage Series A, Series B, Series C, Bridge Series A-B, Initial Coin Offering and Equity Crowdfunding; - Late stage Series D followed by Private Equity, Debt Financing and other post IPO activities The authors conclude that, most of the deals get funded in the pre stage and in the main stage. Venture capitalists fund the technology venture in different rounds. Each round is called as a financing round. Prior to funding, a venture capitalist requires the following información, namely: a. Information about the venture, i.e., name, location, number of employees; b. Information about the competition that such technology ventures enter into and compete for funding; c. Information about the amount that they shall be required to pay in USD for each financing round, date on which such financing rounds have been scheduled; c. Information about the shareholders of the venture, present and in future; d. Information about the sector of venture, i.e, software, e-commerce, finance etc. From the perspective of a venture capitalist, a technology venture from US is not comparable with a technology venture from EU, because the applicable law for ventures in the field of healthcare or finance are subject to industry specific regulations. On the other hand, technology ventures in these two fields fall under the purview of the GDPR. However, the authors argue that, bothese sectors' sensitivity to the GDPR varies, i.e., "differential effect".
It is to be noted that, in the United States, the following are the sector specific regulations, namely:
- The Health Insurance Portability and Accountability Act ("HIPPA") : It governs collection of data, usage of data and security of data in the healthcare sector; and
- The Gramm Leach Biley Act ("GLB"): It governs collection of data, usage of data and security of data in the financial sector.
Who is a GDPR Representative?
A GDPR Representative is a personnel that is appointed by a company who does not have a base in the European Economic Area ("EEA"), as per the provisions of the General Data Protection Regulation ("GDPR").
It is not necessary for such a GDPR Representative to be individual. Such a GDPR Representative can be a company or an organization who is established in the EEA. It is important for such a GDPR Representative to have the requisite authorization to be able to represent the interests of the company, so that it can fulfill its obligations under the EU GDPR.
A few examples of such GDPR Representatives are a law firm, a consultancy or a private company.
Why is it important for companies to have GDPR Representatives?
Such a representative shall look after the dati personali of the individuals who are based in the European Union ("EU") or the EEA state, if the entity is processing their data.
How will the company appoint a GDPR Representative?
The company will appoint GDPR Representative via a simple service contract.
What will happen if a company does not have a GDPR Representative?
If the company does not have a GDPR Representative, then there shall be no one to do the following tasks, namely:
a. Acting on behalf of the company for keeping the EU GDPR compliance in place; and
b. Dealing with any supervisory authorities or data subjects in this regard.
Post Brexit, how will the GDPR Representative view its work?
Prior to Brexit, the following were the main roles and responsibilities:
a. Such GDPR Representative shall be given the details of the EEA based individuals whose personal data the company is processing.
b. The individuals whose personal data is being processed, namely the data subjects, shall be acquainted about the GDPR Representative in the privacy notice.
It is argued that, a privacy notice is an abridged version of privacy policy. A privacy policy is a part of the broader innovation policy of an entity and is linked to the emergence of digitization process [ Goldfarb and Tucker (2011,2012) ].
c. Such data subjects may also be acquainted about the presence of GDPR Representative in the "upfront information" that the company gives them from the moment they collect their data. The scope of "upfront information" is not clear in the website of the Information Commissioner's Office ("ICO").
One of the arguments posed by the authors of the paper titled, "The short run effects of GDPR on technology venture investment" with reference to Brexit is that, the Great Britain has adopted a regulation that is a mirror image of the GDPR, i.e., pari materia. Thus, there shall be no change in the way a GDPR Representative views the work with the completion of the transition period.