Even though the General Data Protection Regulation (GDPR) doesn’t come into effect until May 2018, the 1995 European Union (EU) Data Protection Directive remains in place – and Data Protection Authorities (DPA) expect compliance with the requirement for local representation. The Data Protection Directive 95/46/EC requires EU member states to impose data protection obligations only on companies that process personal data via an establishment within member state borders; however, data controllers not established in the EU that make use of equipment in the territory of an EU member state for the purpose of collecting personal data should be concerned. WhatsApp is just one example of an agency that faced a DPA-imposed penalty after it failed to appoint a representative in the Netherlands. Because the cross-platform mobile messaging app allows users to share contact information, the DPA considered WhatsApp a “controller” under the Directive and imposed a 10,000-euro penalty for each day WhatsApp failed to comply with its regulation to appoint representatives in each and every member state where users have downloaded the app.
