Double Dutch with Jonathan Armstrong of Cordery UK – Part 1: The LocateFamily.com Enforcement Action

In Part 1 of Double Dutch with Jonathan Armstrong, we unpack some survival tips from the Dutch AP’s enforcement action against LocateFamily.com.

SUMMARY – Locatefamily.com, a free online service that helps individuals locate “family, long lost friends, old flames, neighbors…for FREE!” was investigated by the Dutch Data Protection Authority (the Autoriteit Persoonsgegevens (AP)), following various complaints. Ultimately, LocateFamily.com was fined €525,000 for their failure to appoint an EU Data Protection Representative (DPR) in violation of GDPR Article 27. In addition, the Dutch AP imposed a further penalty of €20,000 for every two weeks that Locatefamily.com fails to comply with appointing a DPR past March 18, 2021, up to a maximum of €120,000.

SURVIVAL TIP FOR UK ENTITIES!  Under GDPR Article 27, if you’re a UK entity, and you’re caught by the EU GDPR extraterritoriality provisions, then you’ll most likely have to appoint a DPR within the EU. 

SURVIVAL TIP FOR EU ENTITIES!  Under UK GDPR, if you’re an EU entity, and you’re caught by the UK GDPR extraterritoriality provisions, then you most likely have to appoint a DPR in the UK.  

SURVIVAL TIP FOR OTHER ENTITIES!  And if you’re neither of those two, so let’s say you’re a U.S. corporation, and you’re caught by the extraterritoriality provisions of UK GDPR and EU GDPR, then you probably have to appoint a DPR in both the EU and the UK. 

SURVIVAL TIP!  It is important to know that you appoint data protection representatives on a per entity basis, not a group basis.

ESI-SG: Let’s begin at the beginning. What is LocateFamily.com?

Matt: Locatefamily.com is essentially a people search site.  They post names, addresses and numbers for, as they claim on the site, over 350 million people globally.  Their tagline specifically says, “Find family long lost friends, old flames, neighbors…for FREE!”.  The site also contains options for folks that are looking for class reunions and biological family members, and there are different ways that users can post search announcements and exchange public facing messages.  

They have received numerous complaints with the Better Business Bureau.  In response to those complaints, Locatefamily.com has responded that they are a “free service intended to bring people together in a positive way. not intended to inconvenience anyone.”  Well, it seems a few folks are, in fact, inconvenienced. 

Now, I don’t want to judge, but I do have to say, that though I am from an era when websites were created using Frontpage, this is one of the sketchier sites I have seen. Just my humble opinion. I don’t even know if I would recommend that our readers/viewers even go check out that area of the electronic wilderness. Then again, I am wary of all online data brokers, and these people search sites. Now I am not saying that many of them are not reputable, or that Locatefamily.com itself is not legit. However, LocateFamily.com specifically have not done themselves many favors with the AP. Just to list a few check marks in the “iffy” column:

  • It isn’t exactly clear where LocateFamily.com is headquartered (though some new information in the ICANN registration leads us to think it’s Iceland).
  • They did not readily cooperate with the Dutch AP’s action in terms of giving information about where they’re located.
    • It seems to be based in Canada, but again – unclear.
    • Their contact number has a Delaware area code.
    • When I did an initial ICANN domain look up, it’s registered to EpiK Inc., and the registrant, the administrative contact, and the technical contact, they’re all (or were) located in Bellevue, WA listed under Anonymize Inc, which is essentially a full service, domain name registrar. A registrar, I might add, that calls themselves the “Swiss bank of domains.” Now, I don’t know if that’s a good thing or a bad thing, but I feel obligated to say that domain masking services are legitimate services used by legitimate businesses for legitimate purposes.

UPDATE: Since Jonathan and I discussed the LocateFamily.com enforcement action, the information on the ICANN domain name registration data lookup site has since changed. The Registrar is now NAMECHEAP INC. and all other information has been “redacted for privacy” – EXCEPT – we now have an Icelandic mailing address! Does the veil of secrecy raise up a bit?

Matt: Once you visit Locatefamily.com, you land in what looks like this chat board style interface that lists people’s names, addresses, phone numbers, background reports and the messages that they send to each other. “Where does this data come from?” you ask, well, as Locatefamily.com states in their FAQ, they don’t disclose the exact source of the data that they post, because they consider their methods proprietary and trade secret. And the veil of secrecy lowers back down.

They further state that they will not currently add or modify any information on the site, because they have difficulty verifying the identity of requesters. Fair enough; I know that can be a challenge. However, for those brave souls out there, there is a removal form to request that information be taken down. I did a deep dive into some Reddit chats about Locatefamily.com and apparently, when you go through this process, you are required to supply photo ID. I guess this is somewhat understandable for a legitimate verification process, but the consensus from end users seems to be that the removal process is a tad bit more arduous than it would seem on its face. They also oddly post a list of the denied requests for removal with names, dates and other info.

ESI-SG: NOW THE KICKER FOR ALL YOU PRIVACY PROFESSIONALS: When you look at the fine print, it says under their privacy policy, that they do not redistribute information, email addresses or information obtained from communications on the site to any third parties. However, if you check out their Twitter feed, everything that is on the Locatefamily.com site is basically redistributed there. Oddly enough, I noticed that after this Dutch action happened, there seemed to be an odd amount of folks from the Netherlands and Dutch citizens that were listed in the Twitter feed, which I thought was rather interesting, if not borderline nose-thumbing. That said, for all the potential GDPR violations that you can easily just pick out of your hat, this one still ends up being fairly unique.

Matt: How did LocateFamily.com violate the GDPR in the eyes of the Dutch AP? 

Jonathan: The Dutch AP had several complaints already against this outfit, and they began to compare notes with other EU data protection. 

Now as many of your readers/viewers know, there is sort of a “one-stop-shop” process under EU GDPR.  However, if you’re an organization that doesn’t have any ties to the EU, and you’re only under GDPR because of the extraterritoriality provisions, such as monitoring the behaviors of individuals within the EU, then you don’t qualify for the one-stop-shop, and any Data Protection Authority can put its hand up and say, “We’ll be the lead!”  That is effectively what has happened here.  The Dutch AP investigated this on behalf of the DPAs in the EU, and they have decided that Locatefamily.com did not appropriately nominate a data protection representative.

This requirement is from a semi-obscure provision in Article 27 of GDPR.  Effectively, it says that if you’re caught by the extraterritoriality provisions, but you don’t have a presence in the EU, then you have to appoint a data protection representative who’s effectively going to step into your shoes when people seek to exercise their GDPR rights, as they have here.  Interestingly, the AP seem to have limited their investigation to this issue.  I think that perhaps they should have investigated whether the information provided under GDPR Article 14 was adequate.  To me it wasn’t.  Another issue ripe for investigation was whether the transparency obligations under GDPR Article 5 were also met.  Because again, I have concerns that an organization can crop up with no physical address and no real contact details – how is that transparent?  How is that dealing with data subjects fairly? 

The AP have fined Locatefamily.com €525,000 for their failure to appoint a DPR. And in addition, they imposed a further penalty of an additional €20,000 for every two weeks that Locatefamily.com fail to comply, up to a maximum of €120,000.

Matt: Was there any precedent for this type of penalty? Is this the first enforcement action of its kind to impose that type of ongoing penalty?

Jonathan Armstrong: We’ve had ongoing penalty cases before in France and Italy, where the fines can roll up on a weekly, twice weekly or monthly basis.  And normally, that comes with a list of remedial actions.  So normally, a DPA would say, “You shall do the following six things.  And if you do not, then the fines will be X.”  It’s almost like a rental fee.  It isn’t new on an EU level, but I think it’s relatively cutting edge for the Netherlands.  I don’t believe that they have done that in the past, though there may be a hospital case.  In any event, it’s a relatively new approach, and I think we’re going to see more of it.

The slightly puzzling thing is that the AP do not seem able to say whether Locatefamily.com have now complied with the order.  Now to be sympathetic to the AP, that might be because LocateFamily.com could have complied by appointing a DPR in any of the 28 EU jurisdictions.  So maybe the AP haven’t heard back from some of those countries to see if a nomination has been made.

It is an interesting case, and I think it does show that data protection authorities continue to have the extraterritoriality provisions of GDPR on their mind.  It’s a real warning for businesses that aren’t based in the EEA that you still have to comply with GDPR.  Of course, the big unanswered question is, “How is the AP going to enforce this fine?”  There’s some track record here with a pre-GDPR case where the AP, or its predecessor, were involved in fining Google, where they looked at assets that Google had within the jurisdiction, and in particular advertising revenue that was coming through the Netherlands.  So, there’s possibly a “follow the money” type way of enforcing this fine, but it’s not immediately obvious to see how the extraterritoriality provisions in GDPR can be enforced, in particular regarding Article 27.  That will be an interesting debate to see what progress we have on that front.

Matt: In the UK prior to Brexit, as an organization, I didn’t necessarily have to comply with Article 27.  Now that there’s still no adequacy decision, even if we are making headway for the UK to have that designation.  What do I do if I’m a UK company?  Do I now have to designate an Article 27 representative for any data processing that I’m doing in the EU?

UPDATE: AS OF JUNE 28, 2021, THE EUROPEAN COMMISSION HAD ADOPTED TWO UK ADEQUACY DECISIONS (one under the GDPR and one pursuant to the Law Enforcement Directive)!  SEE MORE COMMENTARY BELOW.

Jonathan: That’s true.  And the same in reverse:  

  1. If you’re a UK entity, and you’re caught by the EU GDPR extraterritoriality provisions, then you’ll most likely have to appoint a DPR within the EU.
  2. If you’re an EU entity, and you’re caught by the UK GDPR extraterritoriality provisions, then you most likely have to appoint a DPR in the UK.
  3. And if you’re neither of those two, so let’s say you’re a U.S. corporation, and you’re caught by the extraterritoriality provisions of UK GDPR and EU GDPR, then you probably have to appoint a DPR in both the EU and the UK.

UPDATE: Pursuant to the abovementioned adequacy decisions, the Survival Tips herein, Jonathan’s commentary and our discussion regarding UK companies having to appoint Article 27 DPRs and EU companies having to select representatives under UK GDPR ALL STILL FULLY APPLY!

These are quite complex provisions, and I think the fact that we’re starting to see some enforcement will remind people to scurry away and take a good look who an appropriate DPR might be.  

It is important to know that you appoint on a per entity basis, not a group basis.  So, if you’re the Acme Corporation in the U.S., but you’ve got Acme UK and Acme Luxembourg, Ltd.  Acme U.S. probably still needs to appoint a DPR.  Although they probably can appoint Acme UK as its UK DPR and Acme Luxembourg as its EU DPR.  There is some complexity to it, but it’s important to get it right, because this is one of the areas where we can expect data subjects, individuals, to use as a basis for their objection to fair processing.  That issue has a whole host of other GDPR consequences.

Matt: Other than the importance of appointing an Article 27 DPR, are there any other takeaways that you can provide our viewers from the LocateFamily.com enforcement action?

Jonathan: The other one, and you mentioned it already, is the notion that “scraping isn’t processing” is not a defense. That defense will not work in a court. Saying that just because personal data is in the public domain, that it isn’t personal data, or it isn’t subject to GDPR, is just nonsense. We have had cases on that already. One of our favorite matters is a case over the rival methods of the operation of tow bars to tow caravans and trailers. It’s a hugely exciting case for the towing community, but also for the data protection community as well, as it looks at just that point – “If I gather data from the public domain, is it mine to use as I want?” And the UK courts say, “No, it isn’t. You still have to follow proper data protection principles.”

Matt: And we can on that point.  As we noted, in their FAQ, LocateFamily.com relies heavily on the fact that a lot of this information is publicly available.  In the U.S., if something is in the public sphere, we essentially say that there are no enforceable privacy rights.  That, of course, is not necessarily the case in the EU, which is a very important distinction.

UPDATE: There are new, interesting developments on the data scraping front, so stay tuned. In light of the ruling in Van Buren v. U.S. narrowing the Computer Fraud and Abuse Act, SCOTUS sent the controversial LinkedIn Corporation v. hiQ Labs web scraping matter back to the Ninth Circuit Court of Appeals for review. We shall follow that one closely here on The Guide.

Matt: Thank you, Jonathan!  Now in the second half of Double Dutch with Jonathan Armstrong, we turn to another Dutch DPA enforcement action – Booking.com.

ESI-SG: And to all of our viewers and readers, whether you watched the full video, viewed the snippets or read the blog, we cannot thank you enough for your support and interest!

This is Matt from ESI Survival Guide telling you to please…Stay safe out there in the electronic wilderness.  See you next time!

Written by Matthew Knouff

Matthew F. Knouff, Esq., CIPP/US, CEDS, RCSP, VP & eDiscovery Counsel, CDS New York Matthew has been navigating the ESI and data law wilderness for over fifteen years as an attorney, consultant and academic. He currently serves as VP & eDiscovery Counsel with Complete Discovery Source, Inc., an award-winning global provider of eDiscovery and data management services and technology. He is an expert in eDiscovery law and process, global data privacy and the movement of data across borders. In addition to contributing to and holding leadership positions with several organizations dedicated to supporting the legal profession, he has developed numerous CLE programs and assessment tools, and frequently speaks and writes on various topics related to the intersection of data, law and technology. He holds the CIPP/US, CEDS and RCSP certifications, is an avid distance runner, an active board member with Education Through Music, a Tarheel through and through, and a life-long musician. Matthew lives with his son in New York City’s Lower East Side.
