Is the role of an EU representative primarily to provide an enforcement hook?

I don’t necessarily see the role in that way. I think that the primary role of a representative is to provide data subjects, and supervisory authorities in the EU, with a source of contact for the non-EU-based controller or processor in the business.

And so if you think about it, I would look at it the other way around. Ultimately, at the moment, if a data subject who is based in the EU wants to exercise their GDPR rights, the GDPR states that they should not have to go outside of the EU to exercise a right that ultimately they’re entitled to exercise locally. And that’s why the representative is required to be there.

Ultimately, an appointed representative will be one of the ways in which a controller or processor would ensure that it is not exposing itself to fines or to sanctions by the supervisory authority, because the requirement to appoint a representative is one of the obligations that a controller is obliged to comply with under the GDPR.

There is a reference in the GDPR to the representative being amenable to sanction or to being capable of being enforced against on behalf of the non-EU-based business, and the representative will then ordinarily, in its appointment agreement with the business that is located outside the EU, presumably have arrangements in place to ensure that if it’s found liable for anything, it will ultimately be indemnified by the business that’s appointing it. I guess the main purpose of it is to give EU data subjects and data supervisory authorities an ability to communicate and be able to follow up with a local and accountable representative.