Article 3(2): The Hole in the GDPR Wall

The European Union’s General Data Protection Regulation (“GDPR”) was written to create a protective wall around the personal data of citizens of the European Union (“EU”).  All data processing within the EU is carefully regulated to protect the rights of individuals, and no unauthorized data processing is allowed in from outside the EU.  However, there is a crack in the very text of the GDPR, Article 3(2), that could allow foreign companies to process the personal data of EU citizens without regard to the GDPR.

Article 3(2), a new feature of the GDPR, creates extraterritorial jurisdiction over companies that have nothing but an internet presence in the EU and offer goods or services to EU residents.[1]  While the GDPR requires these companies[2] to follow its data processing rules, it leaves the question of enforcement unanswered.  Regulations that cannot be enforced do little to protect the personal data of EU citizens.

This article discusses how U.S. law affects the enforcement of Article 3(2).  In reality, enforcing the GDPR against U.S. companies may be almost impossible.  First, the U.S. prohibits the enforcement of foreign-country fines.  Thus, the EU’s power to impose fines for noncompliance is negligible.  Second, enforcing the GDPR through the designated representative can be easily circumvented.  Finally, a private lawsuit brought by an individual in the EU may be impossible to enforce under U.S. law.

Government agencies in each EU nation, known as supervisory authorities, are the main enforcement mechanism for the GDPR.  Supervisory authorities have the power to issue corrective orders to bring companies into compliance.  They also have the authority to impose administrative fines of up to 20,000,000 euros or up to 4% of a company’s annual earnings for noncompliance.[3]  However, their effectiveness against U.S. companies is questionable.

Barriers to Enforcement

To enforce a fine against a U.S. company, the supervisory authority would have to bring an action in a U.S. state court to have the fine recognized as a foreign-country money judgment.[4]  Most state courts would decide the issue by following the Uniform Foreign-Country Money Judgments Recognition Act (“UFMJRA”).[5]  While U.S. law generally favors the recognition of foreign-country money judgments, it does not favor the recognition of foreign fines.[6]  The U.S. Court of Appeals for the Ninth Circuit explains this doctrine by quoting an 1825 Supreme Court decision:

The statutory exclusion of fines or penalties reflects an ancient maxim of international law that “the Courts of no country execute the penal laws of another.”[7]

The supervisory authority could argue that the court should recognize the fine under the principles of comity;[8] however, a state court may hesitate to take that route.  It would mean overturning a long-held precedent in order to enforce a foreign fine on a company that has no physical presence in the foreign country.

The Designated Representative

Recognizing that supervisory authorities might have difficulty enforcing regulations on foreign companies, the GDPR created a special mechanism for the enforcement of Article 3(2).  Article 27 states that the foreign company “shall designate in writing a representative” in one of the EU countries where its customers reside.[9]  The duties of the representative include communicating with “supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.”[10]  Since this communication with supervisory authorities and customers needs to be in their own language,[11] a company may need to designate several representatives to cover the EU countries where it has customers.

The responsibilities of the representative have been benignly described as if they were little more than a direct line between the foreign company and the supervisory authorities, or between the company and its EU customers.  The representative “must facilitate communication” between the customers and the foreign company and should cooperate with “supervisory authorities with regard to any action taken to ensure compliance” with the GDPR by the company.  Supervisory authorities would simply contact the representative with “any matter relating to the compliance obligations” of the company, and the representative would “facilitate any informational or procedural exchange” between the supervisory authority and the company.[12]

However, facilitating communication is not the primary reason for the representative.  The European Data Protection Board[13] (“EDPB”) states that “the concept of the representative was introduced precisely with the aim” of enforcing compliance with the GDPR.[14]  To do this, the GDPR mandates that the representative literally stand in the shoes of the foreign company.[15]  The EDPB elaborates further, describing the vicarious liability of the representative as its primary function:

To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors.  This includes the possibility to impose administrative fines and penalties, and to hold representatives liable.[16]

This allows supervisory authorities to fine the representative, and not the company, up to 20,000,000 euros or 4% of the company’s annual earnings.  However, neither the text of the GDPR nor the EDPB’s guidelines indicates how the representative’s liability would have any effect on the company’s data processing policies and procedures.

Presumably, to avoid the full force of the GDPR’s enforcement landing on its shoulders, a representative would have to have the sense to insist that the foreign company indemnify it for any fines it receives.  If the company refuses to pay, the representative would have to seek a judgment in a U.S. court.  Since compensation for paying a fine is not considered payment of a foreign fine under U.S. law,[17] the representative avoids the prohibition on enforcing foreign fines.  Consequently, a judgment for the representative in a U.S. court could indirectly place the full force of the fine on the company.

This all assumes (a) that the representative negotiates an ironclad indemnification agreement, (b) that the representative has the time and money to take the company to court in the U.S., (c) that the representative does not settle the suit for less than the amount of the fine, (d) that the U.S. court finds in favor of the representative, and (e) that the company does not go bankrupt, leaving the representative with a worthless judgment.  It is little wonder that the GDPR and the EDPB are silent on how the concept of the designated representative enforces the regulations on the company.  Such a Rube Goldberg contraption would not instill confidence in the enforceability of the GDPR.

Circumventing the Representative

With the constant threat of liability for breaches of the GDPR that the representative has no power to prevent, plus the contortions the representative would have to perform to recoup its losses from fines, it is a wonder that anyone would ever take the job.  The view from the company’s side is not much better.  The prospect of having to negotiate indemnification contracts with several representatives from different EU countries, as well as the possibility of fighting lawsuits from each of them, would make any company wonder what benefit accrues to it by designating representatives.  Since their scapegoat function is a liability, the only beneficial function of representatives is to facilitate communication.  The company may well conclude that sending an email would be safer and less costly.

On the other hand, what would be the disadvantages to the company of not designating a representative?  While failing to designate a representative is an immediate breach of the GDPR,[18] is that more than a hollow threat?  Without a representative, the GDPR’s enforcement mechanism falls apart.  Supervisory authorities cannot impose a fine on a representative that does not exist.  Without a representative to take liability for fines, they are left without an option to enforce this or any other breach by the foreign company.

Consequently, not designating a representative not only saves costs but also eliminates the need to comply with the GDPR.  Without a representative, the company is free to process the personal data of EU citizens any way it wants.

Private Action

Since supervisory authorities cannot award specific damages to individuals,[19] the GDPR allows individuals to bring private actions against companies that have caused them damage or infringed their privacy rights.  An individual can bring a private action in a court of the country where they reside.[20]  The right to a private action is the only way the GDPR provides to compensate the victims of noncompliance.

The right to private action against a company is also an indirect method of enforcing compliance.  A company that is compliant with the GDPR is less likely to be the target of legal action; therefore, the threat of private actions pushes companies to be compliant.  In cases involving Article 3(2), a citizen of the EU can bring an action against a U.S. company in an EU court.  While winning a judgment may be simple, collecting on the judgment is a different matter.

As mentioned above, a foreign-country money judgment has to be recognized by a U.S. state court before it can be enforced.  According to the UFMJRA, a foreign-country money judgment “may not” be recognized if the foreign court did not have personal jurisdiction over the U.S. company.[21]  The UFMJRA lists a number of ways a foreign court can assert personal jurisdiction, such as personal service of process in the foreign country, the defendant appearing before the court, the defendant agreeing to submit to the jurisdiction of the court, and the company having its principal place of business or a business office in the country.[22]

In cases where the U.S. company does not have a physical presence in the EU, establishing the foreign court’s personal jurisdiction would be difficult.  There would be no one on whom to serve process, no one who could appear in court, and no place of business or business office.  Of course, the company could agree to submit to the court’s jurisdiction, but why would it?

The lack of personal jurisdiction would stop the customer from receiving any compensation from the U.S. company.  This, in turn, reduces the enforcement effect of a private action on the U.S. company.  However, the UFMJRA allows the U.S. state court to find that a foreign court had personal jurisdiction in ways not listed in the act.[23]

One possible way to establish personal jurisdiction for the foreign court is through the U.S. company’s internet commerce with the customer.  However, U.S. courts are not in agreement on this issue.  At least some courts have held that personal jurisdiction can be established through internet commerce.  For example, in Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119 (W.D. Pa. 1997), the U.S. district court held that it had personal jurisdiction over the company because of its “purposeful availment of doing business in Pennsylvania” over the internet.[24]

To come under the jurisdiction of GDPR Article 3(2), a U.S. company must also purposefully attempt to do business with EU customers over the internet.[25]  While Zippo deals with personal jurisdiction between U.S. states, its standard could be used to establish a foreign court’s personal jurisdiction over a U.S. company.  This would allow the EU customer to enforce the judgment against the U.S. company and receive compensation.

However, like the path to indemnification for a representative, a private action against a U.S. company is a difficult road to travel.  The EU customer would need the time and money to bring an action in the court of its native country, win the judgment, and then make a transatlantic trip to bring another action in a country foreign to it.  On top of this, the EU customer may be denied judgment because its court lacks personal jurisdiction over the U.S. company.

The Hole Gapes Open

Currently, there is a hole in the GDPR wall that protects the personal data of European Union citizens.  Even with extraterritorial jurisdiction over U.S. companies with only an internet presence in the EU, the GDPR gives little in the way of tools to enforce it.  Fines from supervisory authorities would be stopped by the prohibition on enforcing foreign fines.  The company can evade enforcement through a representative simply by not designating one.  Finally, private actions may be stalled on issues of personal jurisdiction.  If a U.S. company completely disregards the GDPR while targeting customers in the EU, it can use the personal data of EU citizens without much fear of the consequences.  While the extraterritorial jurisdiction created by Article 3(2) may have seemed like a good way to solve the problem of foreign companies that do not have a physical presence in the EU, it turns out to be practically useless.

[1]. “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

GDPR, Art. 3(2).

[2]. Under the GDPR, companies that process personal data are designated as “controllers” and “processors” while their customers who provide them with personal data are called “data subjects.”

[3]. GDPR, Article 58(2), Article 83.

[4]. In the United States, state law governs the recognition and enforcement of foreign money judgments.  Some of these cases end up in federal courts under the diversity rule.

[5]. The UFMJRA has been enacted by the majority of the states and the rest follow common law rules similar to those codified by the UFMJRA. See, UFMJRA 2005, Prefatory Note,  p. 1.

[6]. UFMJRA, Section 3(b)(2) (the act does not apply to “a fine or other penalty”).

[7]. De Fontbrune v. Wofsy, 838 F.3d 992, 1000 (9th Cir. 2016), quoting The Antelope, 23 U.S. (10 Wheat.) 66, 123 (1825) (Marshall, C.J.); see also UFMJRA 2005, Section 3, Comment 4, p. 6 (“Foreign-country judgments that . . . constitute fines or penalties traditionally have not been recognized and enforced in U.S. courts.”).

[8]. See UFMJRA 2005, Section 3, Comment 4, p. 6 (“courts remain free to consider whether such judgments should be recognized and enforced under comity”); Section 11, p. 20.

[9]. A representative may be an individual or a business entity.  See European Data Protection Board, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for Public Consultation, adopted 16 November 2018, p. 20 (“Guidelines 3/2018”).

[10]. GDPR, Art. 27(1), (3), (4).

[11]. See Guidelines 3/2018, p. 23.

[12]. Ibid.

[13]. The European Data Protection Board is an independent body that promotes consistent application of the GDPR and cooperation between supervisory authorities.

[14]. Guidelines 3/2018, p. 23.

[15]. See GDPR, Recital 80, (“The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”)

[16]. Guidelines 3/2018, p. 23 (emphasis added).

[17]. De Fontbrune v. Wofsy, 838 F.3d at 1002, quoting Hyundai Sec. Co. v. Lee, 182 Cal. Rptr. 3d 264 (Cal. Ct. App. 2015).

[18]. Guidelines 3/2018, p. 19.

[19]. See Article 29 Working Party, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, adopted 3 October 2017, p. 11.

[20]. GDPR, Article 79.

[21]. UFMJRA, Section 4(b)(2).

[22]. UFMJRA, Section 5(a)(1)-(5).

[23]. UFMJRA, Section 5(b).

[24]. Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F. Supp. at 1125-26.

[25]. GDPR, Recital 23 (the company “envisages offering goods or services” to EU customers).