Data Protection Report - Norton Rose Fulbright

This is Part 2 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In this Part we examine the concept of main establishment and the position of entities without an EU establishment.

Main Establishment

The operation of the One Stop Shop depends on being able to determine the ‘main establishment’ of a business. This dictates which supervisory authority (SA) will be the lead SA where the controller or processor processes personal data across EU Member States.

‘Main establishment’ is defined under Article 4 of the European Commission’s proposal for the new Regulation (Commission 2012 Proposal) to mean:

  • in relation to a data controller: the place of its establishment in the EU where its main decisions in relation to the purposes, conditions and means of processing of personal data are taken. Where no such decisions are taken within the EU, the main establishment is the place where the main processing activities take place; and
  • in relation to a data processor: the place of its central administration within the EU.

The ‘Partial Agreement’ reached between members of the Council on 13 March 2015 (the Council March 2015 Position) makes clear that, in instances where both a data controller and data processor are involved, the main establishment is that of the data controller.

The Commission 2012 Proposal appeared only to apply to either single legal entities with multiple establishments across the EU (e.g. branch offices or agencies) or groups of separate entities which were willing and able to operate on the basis that one of those entities was in fact the data controller in respect of the other EU group entities (that is, one entity makes all the processing decisions, which are then followed by the others as its processors). This is a difficult and unattractive position for most corporate groups, which typically seek to ring-fence operating and tax liabilities within each company.

Both the European Parliament’s adopted text of 12 March 2014 (the Parliament March 2014 Position) and the Council March 2015 Position (in the recitals) expressly try to cater for groups of undertakings in the definition of ‘main establishment’. They contemplate that it has to be the main establishment of the controlling undertaking, except where the purposes and means of processing are determined by another undertaking. However, neither proposal reflects the commercial reality that few corporate groups would wish to make one company the controller of the processing of another company just to achieve simplified data protection compliance.

There are a number of potential issues raised by these various proposals, as well as a few alternative solutions:

  • allow distributed controller groups to take advantage of the One Stop Shop: it is important that it is sufficiently clear that a corporate group can retain distributed control of data processing and still take advantage of the One Stop Shop. In relation to such a model:
      ◦ while the group would elect that the ‘main establishment’ entity accepts liability for (and, by implication, the duty to correct) the failings of other controller entities in its group, it should be made clear that the main establishment entity would not then be characterised as the controller of the activities in the local country (so as to avoid suggestions that it would be in direct control of what an entity in a local country does); and
      ◦ a data protection liability model which achieves this already exists in relation to binding corporate rules structures. Under that model, one EU group entity accepts data protection liability for any non-compliant acts of non-EU entities using personal data collected by EU entities, without having to become the data controller of data processed by those non-EU entities;
  • determine in advance where the main establishment is and who the lead SA is: the Commission 2012 Proposal does not provide a solution where it is difficult to determine which establishment is the main establishment for some multinationals. Both the Parliament March 2014 Position and the Council March 2015 Position seek to address this:
      ◦ the Parliament suggests resolving the issue through a referral to the European Data Protection Board (EDPB), which would then make a determination;
      ◦ an earlier draft of the Council position required the main establishment controller to: (1) list the countries and other establishments in respect of which it is the controller, and the purposes and means of the processing undertaken; and (2) submit this information to the lead SA, which would verify it and pass the classification to the EDPB (which would in turn maintain the confirmed information on a public register). This would have reduced some of the uncertainty (at least as to which SA will be the lead SA) to a debate at the commencement of processing operations in the EU (rather than leaving it to a point in time where complaints or investigations are being raised against the corporate). Deciding such issues at the outset has much to commend it;
  • have as objective a definition of main establishment as possible: the definition of ‘main establishment’ has been harmonised for controllers and processors in both the Parliament March 2014 Position and the Council March 2015 Position, but in different ways:
      ◦ the Parliament March 2014 Position focuses on ‘where the main decisions as to the purposes, conditions and means of the processing of personal data are taken’, coupled with some criteria which would help determine this (such as the location of the headquarters);
      ◦ the Council March 2015 Position is more practical – it picks as default ‘the place of its central administration in the [European] Union’ as the main establishment (unless decisions on purposes and means of processing personal data are undertaken in another EU Member State). The Council March 2015 Position is also more comprehensive, clarifying that in cases involving both the controller and the processor, it will be the SA of the data controller’s main establishment that remains the lead SA, and the SA of the processor’s main establishment becomes a concerned SA.

Of the alternatives outlined above, we consider that the Council March 2015 Position gives the greatest legal predictability and certainty, because ‘the place of its central administration in the [European] Union’ is a test that can be readily ascertained and proved.

  • SAs must be prepared to classify the main establishment of a large number of businesses before the Regulation comes into force: none of the position drafts makes the One Stop Shop optional, so it is not open to a multinational to opt for the existing system of regulation by local SAs for operations in each EU Member State if the criteria for a ‘main establishment’ are met. Because of the legal uncertainty around the concept of ‘main establishment’, there is a risk of a jurisdictional debate around whether a complaint should be dealt with by the local SA or the main establishment SA (as an unwelcome part of every complaint to a multinational with headquarters in the EU). While the Council March 2015 Position makes it possible for a local SA to handle local matters, its ability to do so relies on: (1) the consent of the lead SA; and (2) determinative criteria for hand-off which may not be straightforward to apply.

Entities without an EU establishment

Overseas entities offering goods and services into the EU or carrying out monitoring within the EU but without an EU base will be subject to the Regulation. In such circumstances, the law of every EU Member State applies and the SA in each EU Member State will have the power to supervise the entity’s processing that takes place in its territory.

Under the Commission 2012 Proposal a controller with no establishment within the EU (unless it has fewer than 250 employees or only occasionally offers goods and services to data subjects in the EU) is obliged to designate a representative in one of the EU Member States in which it offers goods and services or carries out monitoring activities. The Regulation fails to provide for the exact role of the representative.

An earlier Council agreed position, which the Council March 2015 Position builds on:

  • states that the representative can be addressed in addition to or instead of the controller by (in particular) SAs and data subjects on all issues relating to the processing of personal data to ensure compliance with the Regulation. Appointment of a representative in a particular EU Member State does not mean, however, that a non-EU multinational could avail itself of One Stop Shop coordinated regulatory interaction; and
  • offers a solution for effectively controlling the activities of non-EU multinationals accessing the EU market. The designation of a representative creates a single point of contact that could simplify the compliance burden on companies and create a channel of liability that SAs can rely on when problems arise.

The regime is likely to enhance the engagement of non-EU multinationals. This in turn improves the chances that SAs will be able to successfully enforce sanctions against such organisations when they breach data protection laws. However, we anticipate difficulties in determining which SA should act as lead SA in these cases – it certainly should not be left to the non-EU multinationals themselves to decide.

Check back tomorrow for Part 3 of the “One Stop Shop” series, which will consider the supervisory authorities, the cooperation obligations in relation to SAs and the functions of the European Data Protection Board.