In December 2020, the Personal Data Authority ("AP") fined LocateFamiliy.com ("LocateFamily") over 5 tons for failing to appoint a representative in the European Union ("EU"). This is the first time an EU regulator has enforced this requirement. At first glance, this seems like a good thing: having a representative makes it easier for EU citizens to sue an organization outside the EU (which processes their data) and thus exercise their rights under the AVG against that organization. There has been much discussion about the implications of this fine decision and to what extent this obligation to appoint a European representative will be enforced by other European regulators. However, before this obligation exists, the AVG must of course apply. Organizations outside the EU can also fall under the AVG based on Art. 3(2) AVG. The AP justifies this very summarily here which raises the question: does almost every company outside the EU fall under the AVG? And what is the AP's discretion in this regard?
LocateFamily provides a platform through its website for anyone looking for acquaintances they have lost track of. It publishes contact details of individuals, such as name and address, name, address, place of residence and sometimes a phone number on its platform. The website is open to the public both inside and outside the EU free of charge, and one does not have to become a member or create an account. The public is generally unaware that their data is made available here by LocateFamily. Anyone who Googles the website for a moment quickly discovers that several forums are raising concerns about how LocateFamily makes personal data available to the general public. (1)
From May 28, 2018 to July 25, 2019, the AP received 19 complaints from the Netherlands about LocateFamily, due to its failure to respond (adequately) to deletion requests from Dutch citizens regarding personal data and its lack of an EU representative. They therefore asked LocateFamily where it is located and whether it has appointed a representative. LocateFamily sufficed by stating that it is not based in the EU and has not appointed a representative because it has no business relations in the EU and does not offer any goods or services there. Other European regulators have also received complaints about their resident websites. After technical investigation by the AP, it was found that the website's web host was located in Canada, leading the AP to suspect that it is based there. The AP has not been idle in this regard: it has entered into international cooperation with Enforcement subgroup of European Data Protection Board (hereafter, EDPB) and has been in contact with the Office of the Privacy Commissioner of Canada (the Canadian privacy regulator). Meanwhile, LocateFamily partially honored the personal data deletion request for a number of countries (Ireland, France and the Netherlands), but still did not appoint a representative. When LocateFamily did not respond to the intent to enforce, the AP imposed the fine on it. This amounted to €525,000, due to the fact that LocateFamily had not appointed a representative in the EU from May 25, 2018 to December 10, 2020 and had thus violated Art. 27(1) jo Art. 3(2) AVG. It also imposed an order under penalty: if it did not appoint a representative within 12 weeks from the date, it must pay 20,000 euros for every 2 weeks up to a max of 120,000 euros.
So LocateFamily stated that it did not appoint a representative because it does not provide goods or services in the EU. This earned it a fine of more than 5 tons. The AP has ruled that it does process personal data under the AVG. But does the AVG apply here?
In principle, the AVG is only valid in the European Union. Because data processing often takes place internationally, the AVG may also apply if the controller or processor is based outside the European Union but targets data subjects in the EU. (2)
Pursuant to Art. 3(2) AVG, this is the case if it: a) offers goods and services to data subjects in the EU, regardless of whether they have to be paid for or b) when the behavior of data subjects is monitored, insofar as this takes place in the EU). The latter is the case, for example, if people are monitored on the Internet by profiling. (3)
This determination is also referred to by the EDPB as the two-step test: first, it must be assessed whether there is "targeting": the processing of personal data must target data subjects in the EU. (4) Next, it must be judged whether it involves offering goods or services or monitoring data subjects.
Offering goods to data subjects in the EU occurs if the controller or processor 'evidently intended' to do so. Recital 23 of the AVG lists the following indicators: the accessibility of a website in the EU, the language of communication with the data subject, the use of the euro as currency in transactions, and the mention of customers in the EU. The fact that a controller's website is accessible to EU data subjects or a language in common use is not in itself sufficient to establish that intention.
According to the EDPB, the above elements are consistent with the case law of the Court of Justice of the EU (5) in determining which court has jurisdiction in EU consumer cases. (6) In order to determine whether a trader directs his commercial activities to a member state where the consumer resides, the trader must have expressed an intention to establish commercial relations with these consumers. In addition, the EDPB distills nine other circumstances, including naming at least one EU member state, paying for a search engine to provide EU citizens with easy access to the website, creating marketing and advertising campaigns directed at a member state, or using a language or currency other than that of the entrepreneur's country. All the factors listed should be taken into account. In addition, these must be activities that are deliberately - i.e., not unintentionally or incidentally - directed at persons in the EU. (7)
The penalty decision shows that the AP took the following into account for the purposes of the AVG: that "Locatefamily.com offered its services both in the Netherlands and in eight other EU countries. Multiple EU regulators have confirmed that complaints have been filed by data subjects from the relevant countries regarding Locatefamily.com." (8) In addition, it states that "with the registration, digital storage and provision of this personal data through its website Locatefamily.com, there is automated processing of personal data." (9)
LocateFamily itself has stated that it is not located in the EU AND that it does not offer goods or services to EU citizens. The question is whether the AP's summary substantiation provided above is sufficient to rebut this defense. The AP does not address whether LocateFamily "evidently intended" to offer its services in the EU. The mere fact that EU citizens can access the website, or that EU citizens have filed complaints, is not enough. Indicators that the AVG itself thus mentions in the legal text and recital are not present here because of the service in question, but were also not mentioned by the AP. The website is free, so nothing can be derived from the euro as the currency used, the language seems secondary here (English), since that is also spoken in Canada. In addition, the AP also does not refer to or address the factors listed by the EDPB. Now when one consults the website itself, the home page indicates that an individual from a particular country is looking for someone, e.g., "Julia Janssen from the Netherlands is looking for Femke Schemkes. In addition, there are also a number of other circumstances such as those listed by the EDPB that might trigger the applicability of the AVG, such as naming a member state. However, these circumstances are not apparent from the penalty decision. Here, the AP rather easily assumes that LocateFamily is covered by the AVG.
The AP in this case rather easily assumes that services are offered in the EU and thus the AVG applies. The simple fact that an EU citizen can "access" a foreign website does not mean that the AVG applies, nor does the fact that the AP receives complaints from Dutch citizens. It would have provided more guidance for practice had the AP in its fining decision addressed more when the AVG applies to the provision of free services by an organization outside the EU. Especially when the company in question itself states that it does not. Not every organization outside the EU is covered by the AVG. It would give business owners more guidance with stronger substantiation when a free service offered outside the EU falls under the scope of the AVG.
(1) locatefamily.com got my personal information without asking for permissions - advice : privacy (reddit.com), How can we protect our identity from locatefamily.com? This website is publishing the sensitive personal data without any consent. - Quora, LocateFamily.com - what is this? - On the web (whirlpool.net.au)
(2) Guidelines 3/2018 on the territorial scope of the AVG (Article 3) Version 2.0 November 12, 2019, p. 15
(3) Ministry of Justice and Security, General Data Protection Regulation Manual and General Data Protection Regulation Implementation Act, p. 30.
(4) In addition, only the activities to which the processing is related. This may mean that some processing activities of controller or processor are covered by the AVG, and others are not.
(5) Guidelines 3/2018 on the territorial scope of application of the AVG (Article 3) Version 2.0 12 November 2019, p. 20. CJEU, 7 December 201, Nos. C-585/08 and c-144/09, ECLI:EU:C:2010:740)
(6) Council Regulation (EC) No. 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, in particular Article 15(1)(c).
(7) Guidelines 3/2018 on the territorial scope of the AVG (Article 3) Version 2.0 November 12, 2019 p. 19-21.
(8) Fine decision p.4 and report (Internal Market Information System) requesting EU regulators and responses, Appendices 3 and 4 to the investigation report. Complaints other EU regulators regarding Locatefamily.com, Annex 11 to the investigation report
(9) Fine decision p. 8.
Want to gain more knowledge on AVG? Come to the Knowledge Market of Data&Privacyweb on December 7, 2021 where the lessons, developments and opportunities of the AVG will take center stage.