Organizations outside the EU have been managing the EU General Data Protection Regulation's obligation to appoint an EU-based representative since 2018 even though it may not be as well known as other components of the law, such as the data protection officer and cross-border transfer limitations. With a number of new EU laws requiring a representative, such as the Digital Services Act, as well as those to come in next few years, such as the Artificial Intelligence Act, now is the time for organizations outside the EU and their advisors to reengage with EU representative obligations.

The beginning: GDPR data protection representative

Article 27 of the GDPR requires organizations outside the EU to appoint a representative within the EU to act as their point of contact so data subjects and EU authorities can reach them with concerns about data processing and — for the individuals — exercise the rights regarding their personal data provided under GDPR.

Unfortunately, when the GDPR became enforceable in 2018, this requirement was a hidden obligation. It was not discussed with particular enthusiasm in the EU simply because it was not relevant. At the time, privacy professionals in Europe focused on ensuring their EU-based clients met the other obligations the GDPR placed upon them, and appointing a representative was not one of them.

The effect kept the representative obligation out of the discussion elsewhere; if the EU was not discussing this requirement, why would anyone outside the EU? It was not on their radar, possibly because more attention was focused on the DPO, cross-border transfers and data protection impact assessments under the GDPR. This is not to suggest those fundamental parts of GDPR are unimportant, but rather to note the representative obligation remained hidden for large numbers of the organizations to which it was intended.

This was not the case with everyone, but compliance was certainly not universal.

Brexit caused another issue by adding a separate obligation to appoint a U.K. representative for organizations without a U.K. establishment. Perhaps due to a lack of knowledge about the representative role, few EU companies sought a U.K. representative. A number of U.K. companies targeting sales in the EU — now established solely as a "third country" from the EU GDPR's perspective — did appoint an EU GDPR representative, but not all.

While the representative obligation has been enforced, this has been sporadic. A few big names, most significantly ClearView AI, received orders to appoint a GDPR representative; however, the main focus of the EU authorities during the first five years of GDPR enforceability has been within its borders.

However, the representative role gradually emerged from the shadows in the early 2020s, as more EU-based organizations — concerned by greater scrutiny and enforcement of international data transfers — began to apply greater due diligence to their partners and suppliers outside the EU. This led to an increased focus on the compliance of those external organizations and a vigorous approach to vendor management, partly caused by the increased use of privacy platforms to manage compliance. The resurgence of the representative was not directly driven by EU enforcement activities but by the commercial requirement to show GDPR compliance.

The representative renaissance

By including a representative obligation in a raft of new regulations and directives, the EU made it clear the representative obligation is not going anywhere. Some of these are already enforceable and some have been brought into effect but have not yet reached the deadline by which enforcement can commence as of February 2024. In the case of the Network and Information Security Directive, enforcement has been an option since 9 May 2018 — before the GDPR — although the number of organizations it applied to outside the EU is potentially much smaller than under the NIS2, which will replace it later this year.

Some specifics of the obligations under new EU laws are set out below. Each obligation only applies to organizations providing services in the EU and they must be made in writing, e.g., under contract, rather than via an informal arrangement. A summary table explaining which types of service each of these regulations and directives apply to is available here.

Digital Services Act legal representative

Currently, the most discussed example of these new laws is the DSA. Applying to "providers of intermediary services" — a wide definition covering almost any organization that provides a service digitally — the DSA places obligations to ensure illegal online content can be removed, illegal products and services are made unavailable, and online traders can be identified, among others.

To ensure the effectiveness of these expectations, against a backdrop of reluctance from providers across the globe to impose additional gatekeeping to their services, Article 13 of the DSA anticipates providers with no EU establishment targeting their services to the EU will appoint a legal representative in the EU.

The representative will be appointed in the most relevant EU member state identified by the service provider and will act as the point of contact to remove illegal content, make illegal products unavailable and provide information about online traders. One of the most significant aspects, when compared to the GDPR representative obligation, is the need to notify the details of that representative to the digital services coordinator in their respective EU country. This prevents a wait-and-see approach to compliance, where some elements are only added when the specific need arises, e.g., only appointing a representative if and when someone asks who their DSA legal representative is. It will be clear to the EU authorities when a representative is appointed, as the DSC will have a specific record of when it was notified of the appointment.

Network and Information Security Directive legal representative

The current NIS Directive — enacted in each EU member state, rather than having direct effect as is the case for the other laws described here — applies primarily to providers of critical infrastructure-type services such as water, energy, transport, etc. and requires them to have minimum cybersecurity standards to ensure uninterrupted public services.

However, it also applies to online marketplaces that allow the creation of contracts between two external parties, online search engines and cloud computing service providers. When these companies have no EU establishment, they are expected to appoint an EU representative.

The NIS2 Directive, which replaces the NIS on 18 Oct. 2024, applies to a much wider group of organizations, taking in many additional providers of services delivered online, which the DSA will also cover. These include domain-registration services and domain name system service providers. Where the organization is at least medium-sized — meaning it has either 250 employees, an annual turnover of 50 million euros or an annual balance sheet of 43 million euros — is the sole provider in the country or their disruption would have a significant impact, these organizations include data centers, content delivery networks, social networks and IT managed services, including security managed services.

Under the NIS2, regulated organizations outside the EU, and their representatives, will also need to be registered with the relevant authority in the most relevant EU member state. The EU Agency for Cybersecurity will prepare an EU-wide list of these organizations from the information provided to each member state.

Terrorist Content Online Regulation legal representative

The Terrorist Content Online Regulation is a relatively brief document compared to the others and deals with a single issue. However, it does so in a manner that is likely to be challenging for those to whom it applies.

Essentially, the TCO requires a hosting service provider — any organization that makes information provided by a user publicly available — to remove terrorist content, meaning material which incites, solicits or instructs terrorist activity, within one hour of receiving an order to do so from a competent authority. The hosting service provider will receive a 12-hour warning before it receives its first order. It will not receive advance warning for subsequent orders.

Many privacy pros have found the GDPR timelines challenging, particularly the 72-hour breach notification and requirement to provide a formal response to some data requests within one month. With the TCO timeline being so much shorter, they may find it even more difficult to achieve. Hopefully the competent authorities will apply a degree of reasonableness in their enforcement of the time limit, considering relevant factors.

This one-hour time limit also applies to organizations outside the EU that are likely in entirely different time zones and with different primary languages. There is an argument that this requirement is anticompetitive, as only the largest platforms could apply the resources necessary to meet the one-hour deadline, preventing smaller organizations from operating in the EU.

Although the one-hour clock only starts when the hosting provider itself receives the request, the organization's EU legal representative will be expected to receive and identify the removal order and forward it to their client quickly. If the representative takes three days to forward the request, their client's compliance with the one-hour timescale is unlikely to be viewed as an overall success. This does at least prevent any delay by the representative from hampering the compliance of their clients, but it may be difficult to argue before the Court of Justice of the EU that any delay was the fault of their representative.

There is another interpretation of the representative's obligation. The TCO expects the high service provider to grant its representative "the necessary powers and resources to comply with those removal orders," which might be interpreted as giving the representative access to the client's hosting service and the powers to take down material themselves. This has clear issues under the  GDPR and NIS/NIS2, including protecting the personal data processed by those clients and ensuring the security of their networks. It's hard to imagine this was the intent, but it is possible, given the TCO's strong desire to have that material taken down as an immediate priority.

The relevant competent authority in the designated member state must be notified of the legal representative's details.

Data Governance Act legal representative

The Data Governance Act applies to significantly fewer organizations than the laws listed above. It is intended only to cover organizations facilitating voluntary data sharing, either for commercial benefit, such as with data intermediation service providers, or charitable purposes, such as with data altruism organizations. The DGA aims to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data. To achieve this, it facilitates data sharing for appropriate purposes and protects the data being shared.

The legal representative role for organizations outside the EU is largely limited to the usual representative activity: receiving communications on behalf of their clients within the EU. A curious additional obligation has been added under the DGA: the legal representative is expected to "comprehensively demonstrate to the competent authorities … upon request, the actions taken, and provisions put in place … to ensure compliance with this Regulation."

The competent authority in the relevant EU member state is to be notified of the legal representative's details as part of a wider obligation on data intermediation service providers and data altruism organizations to register.

Federal Act on Data Protection legal representative

For the sake of completeness, it's also worth noting the obligation under Switzerland's Federal Act on Data Protection to appoint a data protection representative when an organization lacks a Swiss location. This requirement became enforceable in September 2023.

The obligation arises in fewer circumstances than the EU or UK equivalents, as it only applies to organizations acting in the role of data controller, not data processors as is the case with the GDPR, which undertake the processing of Swiss personal data regularly and on a large scale.

Conclusion

Although these additional EU representative obligations place additional requirements onto the already substantial compliance burden for organizations outside the EU, the purpose and benefits are clear: without an EU point of contact, the effectiveness of EU laws — and therefore the protections of the individuals based in the EU — would be hindered in a very real way.

The challenge now is meeting these obligations in an affordable and operationally achievable manner. Time will tell how many organizations fail to do so, and the implications of those failures for them.