Properly identifying roles in processing personal data: the latest from the EU Court of Justice
Since the EU General Data Protection Regulation (GDPR) became applicable in May 2018, properly defining the roles of different parties processing personal data has become very topical in practice, too. Are you a controller? A processor? A joint-controller? Should you sign that data processing agreement under Article 28 of the GDPR as a processor or should you sign the required arrangement with the other joint controller under Article 26 of the GDPR? Should you or someone else notify the data subject of the processing?
The roles themselves are not a novelty of the GDPR. However, since the spotlight is brighter under the GDPR, the parties have become more interested in properly defining the roles and signing the appropriate agreements. All of these questions may seem simple but properly defining the roles has proven to be quite difficult in practice, especially because they are highly dependent on the actual data processing practices of each individual case.
The aim of this article is to briefly go over the relevant definitions and why it is important to make sure the roles have been defined properly, as well as give an overview of the most recent guidance on the matter given by the EU Court of Justice.
The definitions of a “controller” and a “processor” are the same under, both, the GDPR and the previously applicable Data Protection Directive.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers.
“Processor” means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller.
Why is it necessary to properly define the roles?
Recital 79 of the GDPR states that the protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
Simply put – the responsibilities and liabilities of an organisation depend on the role the organisation is processing personal data in. And, as everyone knows by now, not meeting your obligations under the GDPR might become costly (more specifically, under Article 83(4)(a) of the GDPR, infringement of the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43 shall be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher).
Guidance by the supervisory authorities
The European Data Protection Board (EDPB) has not yet provided specific guidance on how to define the roles of different parties processing personal data under the GDPR. However, its predecessor, the Article 29 Working Party (WP29) has done so in its Opinion 1/2010 on the concepts of "controller" and "processor", which is still relevant. Some national supervisory authorities (e.g. the Information Commissioner’s Office in the UK) have also provided their guidance. Although the guidance usually (rightfully) stresses that the allocation of roles depends on the specific data processing practices, they may still offer help.
Guidance by the EU Court of Justice
Defining the roles of different parties processing personal data has not been very actual in the EU Court of Justice in the past. Maybe most remarkably, in 2014, in Case C-131/12 (Google Spain), the court said that the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as processing of personal data when that information contains personal data and that the operator of the search engine must be regarded as the controller in respect of that processing.
The last 6 months, however, have brought about several judgements and opinions as to the roles of different parties involved in data processing. A brief summary is provided below. Although all cases mentioned are based on the previously applicable Data Protection Directive, the interpretation can surely be used for defining the roles under the GDPR as well as the notions have not changed.
The Facebook fan page administrator
On 5 June 2018, the EU Court of Justice rendered its judgment in Case C-210/16 (Wirtschaftsakademie Schleswig-Holstein), which concerned the role and responsibility of a Facebook fan page administrator in processing personal data.
It was not challenged that Facebook Inc. and, for the European Union, Facebook Ireland must be regarded as primarily determining the purposes and means of processing the personal data of users of Facebook and persons visiting the fan pages hosted on Facebook, and therefore fall within the concept of controller within the meaning of the Data Protection Directive. The question was whether and to what extent the administrator of a fan page hosted on Facebook contributes in the context of that fan page to determining, jointly with Facebook Ireland and Facebook Inc., the purposes and means of processing the personal data of the visitors to the fan page and may therefore also be regarded as a controller within the meaning of the Data Protection Directive.
Based on the considerations specified in the judgement itself, including that the administrator can define the criteria in accordance with which the statistics are to be drawn up and even designate the categories of persons whose personal data is to be made use of by Facebook, the EU Court of Justice concluded that the administrator of a fan page hosted on Facebook must be regarded as taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing the personal data of the visitors to its fan page, and is therefore also a controller in the meaning of the Data Protection Directive. The court noted however that the existence of joint responsibility does not necessarily imply equal responsibility.
On 10 July 2018, the EU Court of Justice rendered its judgement in Case C‑25/17 (Jehovan todistajat). In this case, the referring court in Finland asked essentially whether a religious community may be regarded as a controller, jointly with its members who engage in preaching, with regard to the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, and whether it is necessary for that purpose for the community to have access to those data, or whether it must be established that the religious community has given its members written guidelines or instructions in relation to that processing. Only the responsibility of that community was challenged and the responsibility of the members who engage in preaching was not called into question.
The EU Court of Justice found that a religious community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, without it being necessary that the community has access to those data, or to establish that that community has given its members written guidelines or instructions in relation to the data processing.
The Facebook like button
And most recently, only a few weeks ago, on 19 December 2018, Advocate General (AG) Bobek, in its opinion in case C-40/17 (Fashion ID), suggested that the operator of a website embedding a third party plugin, such as the Facebook like button, which causes the collection and transmission of the user’s personal data, is jointly responsible for that stage of the data processing (a joint controller). The AG suggests that the joint responsibility of the operator of the website should be limited to those operations for which it effectively co-decides on the means and purposes of processing of the personal data; in the present case – the collection and transmission of the personal data. The AG also proposes to rule that the consent of the website user, where required, has to be given to the operator of the website that has embedded the content of a third party. In addition, the obligation to provide the website user with the required minimum information applies to the operator of the website.
The opinion of the AG does not bind the EU Court of Justice and the ruling of the court itself will be given at a later date.
As is obvious from court practice, as well as discussions and problems in practice, properly understanding and defining the roles of the parties processing personal data is essential and should not be overlooked. So next time you are about to sign a data processing agreement or defining yourself as the sole controller, take your time to properly define your role in the processing situation and understand the responsibilities and liabilities that come along with it in order to take all necessary actions and precautions.
Article provided by: Mari-Liis Orav, Attorney-at-law, PwC Legal, Estonia