The Dutch Data Protection Authority has imposed a fine of € 525,000 on Locatefamily.com, a popular data website originally from the US. According to the privacy watchdog, LocateFamily failed to adhere to the General Data Protection Regulation (GDPR). This regulation stipulates that companies must have a local representative if they collect personal data directly from persons living in the EU.
Easily Locate a Family Member
Locatefamily.com is a platform where people can easily search for the contact information of family members, friends or classmates with whom they have lost touch. According to the website, 350 million people are registered on their site, including hundreds of thousands of European citizens. All their personal details are freely available to anyone.
The platform publishes extensive lists, sorted on last names and/or location. Data subjects don’t have to be members of the platform. What’s more, people don’t even need to log on to view other people’s information. The site publishes addresses and telephone numbers of people around the world. Apparently, this sometimes happens without their knowledge.
Getting personal information deleted from the website is not easy. First of all, the family search site does not have a representative in the EU. This means that people need to call a US phone number. Or leave a message via the form on the website. This is a breach of the GDPR and, therefore, a fine was imposed.
People Unaware Their Details Are Exposed
The Dutch Data Protection Authority (AP) has received dozens of complaints about Locatefamily.com. People have seen their full addresses and sometimes phone numbers on the website and have no clue as to how their details got there.
This could potentially lead to unwanted situations for people whose details appear on Locatefamily.com. Individuals who are unaware that their contact details have been made public could find themselves surprised by uninvited visitors at their door, for example. They might also have a very good reason for no longer being in touch.
“For a website to publish your phone number and address without your knowledge is unacceptable. Private information must remain private. Wrongdoers could use this type of information to commit identity fraud, for example, or harass you at your home or by phone or email,” said DPA deputy chair Monique Verdier. “You can certainly share this information if you want to, but this should be your choice to make. With Locatefamily.com, many people aren’t given that choice.”
Half A Million Euro Fine
According to the GDPR, organizations that offer goods or services in the EU must have a local representative. EU citizens can then turn to this person for information or to exercise their privacy rights. Locatefamily.com has no such representative in any EU country.
“If your address and phone number do end up on this site, there must be an easy way to have that information removed. That’s not possible here, partly because Locatefamily.com does not have a representative in the EU. That’s why we issued the website with a fine.”
To force LocateFamily to have a representative in the EU, the Dutch Data Protection Authority has given the company a deadline. The company was required to appoint a representative by March 18, 2021. Until today, LocateFamily has not confirmed to the regulator whether they appointed a representative. LocateFamily has to pay € 20,000 for every two weeks that this requirement has not been met, with a maximum of € 120,000.
Apparently, other European regulators have also received complaints. Some about the company’s lack of local representation. Others about the difficulties people have experienced when they wanted to remove their details from the site. Therefore, the Dutch Data Protection Authority worked with nine other European privacy regulators and with the Office of the Privacy Commissioner of Canada to investigate the website.
Brexit is adding an extra layer of complexity to this problem. In the UK, companies have similar obligations. However, at the moment there’s no reciprocity between the EU and the UK. So, it remains unclear if a company should have a representative in both country’s or only needs to appoint a local representative in either the EU or the UK.