Liability of Joint Controllers in the Light of the CJEU Case Law
Czech legislators during implementation of Directive 95/46/EC did not utilize the possibility to extend the definition of the controller so it would encompass more entities. Czech Act No. 101/2000 Coll., on the Protection of Personal Data, as amended (APPD), which has not been replaced by a new GDPR-compliant legislation yet, defines the controller as “any entity that determines the purpose and means of personal data processing, carries out such processing and is responsible for such processing”. The definition was also interpreted and applied in a way that only one entity, individually, is a controller who is responsible for processing of personal data.
Since the GDPR entered into force it is necessary to give more attention to situations where two or more entities participate during processing of personal data. The basis of the definition of joint controllers pursuant to Article 26 of the GDPR lies in joint determination of the purposes and means of processing. However, the GDPR does not specify what could represent “joint determination”.
The Court of Justice of the European Union’s newest case-law related to the term “controller” may bring some answers to this interpretation uncertainty. Although all the cases deal primarily with the interpretation of the first part of Article 2 (d) of Directive 95/46/EC, which defines “controller” as “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”, such interpretation is highly relevant also for the application of the GDPR on European and national level.
In case Wirtschaftsakademie Schleswig-Holstein (C‑210/16) the Court addressed an issue of liability for processing of personal data of a person, who created a fan page hosted on Facebook in order to promote his/her/its offer. The Court paid attention to if and in what extent an administrator of Facebook fan page is participating on determination of purpose and means of the processing. Facebook’s terms of service are designed as an “opt-in” agreement, so there is no room for the other party to negotiate any changes.
Matters highlighted by the Court as substantial are the following:
- Use of a social network as Facebook does not constitute a liability of its user for processing of personal data per se;
- By creating a fan page, its administrator allows downloading of Facebook’s cookies on a visitor’s device;
- During creation of a fan page the administrator sets a target group of users and its aims of promotion which affect the processing of personal data by Facebook when creating statistical data therefore an administrator participates in processing of personal data of fan page’s visitors;
- The administrator of a fan page hosted on Facebook has an option to acquire data on shopping preferences, demographic data and other information about fan page’s visitors, which are relevant for targeting his/her/its offer, although these are disclosed as an anonymised data;
- The Directive 95/46/EC does not require for each person responsible for the processing of personal data to have access to such personal data.
The Court concluded that an administrator of a fan page hosted on Facebook is jointly responsible with Facebook Ireland Ltd, i.e. the term “controller” within the meaning of Article 2(d) of Directive 95/46/EC encompasses the administrator of a fan page hosted on a social network. The Court followed its previous ruling in Google Spain and Google (C-131/12), where it explained that concept of “controller” should be interpreted broadly to secure effective and complete protection of data subjects.
In another case, Jehovan Todistajat (C‑25/17), the Court assessed processing of personal data by a religious community (Jehovah Witnesses in Finland) and its members. Within the framework of broad interpretation of “controller” the Court concluded that a religious community and its members are in the course of their door-to-door preaching joint controllers. According to the Court, in order to fulfil the criteria of joint controllership it is enough that the religious community organizes, coordinates and supports the preaching. The fact that the religious community does not have access to data in question or that it does not instruct the preachers in writing is not substantial for the issue.
When we apply the abovementioned rulings on Article 26 of the GDPR we can conclude that “joint determination of purpose and means of processing” should be interpreted very broadly.
Position of a person as a (joint) controller is necessarily tied to one very important aspect – liability for infringement of legal obligations related to protection of personal data. Such infringement may lead to imposition of an administrative fine of a significant amount. At the same time, the (joint) controller is liable for the damage caused by processing which infringes the GDPR and other (national) laws.
In paragraph 43 of judgment Wirtschaftsakademie Schleswig-Holstein, the Court states “the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.” Unfortunately, the Court did not elaborate on this line of thought further and so it is not clear what can be considered as relevant circumstances for national courts and supervisory authorities. The Court underlined this conclusion also in Jehovan Todistajat however it did not develop the argumentation.
Article 26 of the GDPR sets down that joint controllers shall duly reflect the respective roles and relationships under the GDPR especially with respect to the exercise of rights of data subjects. The controllers shall duly reflect their respective roles and relationships vis-à-vis the data subjects and inform the data subjects of the essence of their arrangement.
Supervisory authority shall when deciding about imposing an administrative fine take into consideration circumstances of each individual case as specified in Article 83 (a) – (k) of the GDPR. Respective roles and relationships of joint controllers are not explicitly mentioned amongst these circumstances nevertheless we may consider it to be “any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”
With respect to liability for damage, the GDPR explicitly states that each controller (or processor) shall be held liable for the entire damage in order to ensure effective compensation of the data subject. Furthermore, controller or processor who paid the whole compensation shall be entitled to claim back from the other controllers or processors involved in the same processing the part of the compensation corresponding to their part of responsibility for the damage. In other words, they are liable jointly and severally.
The GDPR envisages that liability will be dependent on distribution of roles and the relationship to data subjects. This premise is not illogical, whereas one of the controllers may be in direct contact with the data subjects, the other may only be participating at a certain stage of provision of whole package of services (which include processing of personal data).
However, Article 26 (3) of the GDPR clearly states that irrespective of the terms of the arrangement between the joint controllers the data subject may exercise his or her rights under the GDPR in respect of and against each of the controllers.
Article 26 works with a presumption that individual entities will be aware of their role as a joint controller and based on that they will determine their roles and responsibilities. Unfortunately, this is very problematic in practice. Liable entities experiences difficulties with self-assessment related to processing of personal data even when they are acting alone. Determination of their mutual position related to certain processing of personal data is even more difficult. The concerned entities mainly consider whether they are in a position of a processor of the other party. However, there are various scenarios of relationships within the framework of data protection – relationships of controller – controller (individual), joint controllers, controller – processor, processor – another processor etc. A broad interpretation of the concept of (joint) controller(s) as presented by the Court is not going to be helpful in practice.
Regardless, assignment of tasks and determination of roles of joint controllers may be significant for the question of their liability. Article 82 of the GDPR specifies that a controller (or processor) shall be exempt from liability under paragraph 2 thereof if it proves that it is not in any way responsible for the event giving rise to the damage.
The issue of a broad interpretation of the concept of controller and its subsequent impact in the area of liability has been opened by the Advocate General, Michal Bobek, in his Opinions delivered in case Fashion ID, C-40/17 (Note: at the time of the preparation of this article the judgment of the Court has not been delivered yet).
The main question to be addressed by the Court is the following: may the company Fashion ID GmbH & Co. KG be considered a joint controller with Facebook Ireland Limited, in a situation, when it embedded a plug-in Facebook’s ‘Like’ button in its website. According to a description in the Opinion, “when a user lands on Fashion ID’s website, information about that user’s IP address and browser string is transferred to Facebook. That transfer occurs automatically when Fashion ID’s website has loaded, irrespective of whether the user has clicked on the ‘Like’ button and whether or not he has a Facebook account.”
In the Opinion, Bobek comments on the abovementioned judgements and concludes that in the light of the decisions Fashion ID should be deemed as a joint controller together with Facebook Ireland Limited. At the same time, he addresses questions not yet opened by the Court itself. He especially pays attention to consequences of broad interpretation of the definition of a controller in the area of controllers’ liability. In paragraph 75 of the Opinion he states “The problem is that the delineation of responsibility so far does not follow from the broad definition of a controller. The danger of that definition being too broad is that it results in a number of persons being co-responsible for the processing of personal data.”
He also points out the practical problem of the broad interpretation particularly the conclusion that it is not necessary for each of the controllers to have access to personal data. On one hand, the controller without access is liable for the processing, on the other hand such controller cannot practically provide the data subject with access to such personal data (or enable other exercise of the data subject’s rights).
Even though the Opinion interprets Directive 95/46/EC, the Advocate General refers to the fact that its interpretation will have an impact on the interpretation of Article 26 of the GDPR. He specifically refers to par. 3 of the Article which leads to joint and several liability of joint controllers and may exclude the Court’s conclusion that the controllers do not necessarily have an equal responsibility.
He sees solution in the interpretation of “processing” which is based on “operations” or “set of operations”. According to Bobek, the controllership should be interpreted with respect to operations of processing not in relation to “processing” in general (globally to all operations). With regard to controllers’ liability he states in paragraph 101 that “It is the combination of these two definitions that ought, from my point of view, to determine the obligations and potential liability of joint controllers. A (joint) controller is responsible for that operation or set of operations for which it shares or co-determines the purposes and means as far as a given processing operation is concerned. By contrast, that person cannot be held liable for either the preceding stages or subsequent stages of the overall chain of processing, for which it was not in a position to determine either the purposes or means of that stage of processing.”
At this point, I fully agree with the Advocate General. Implications of broad interpretation of the concept of joint controllers may lead to liability for another entity or for the activities beyond a controller’s control.
Protection of personal data is an important part of progress in the area of information technologies. However, it cannot lead to unlimited set of obligations imposed on stakeholders, resulting not only as an obstacle for them but also for data subjects themselves. Let’s hope the Court considers issues opened by the Advocate General Bobek and the upcoming decision will bring us clearer guidelines to interpretation of Article 26 of the GDPR in the lines of liability of joint controllers.
Article provided by: Ivana Nemčeková (NIELSEN MEINL, advokátní kancelář, s.r.o.)