Controllers and processors – know where you stand
GDPR brought into focus the importance of knowing who is a controller, processor or joint controller with another organisation. Controllers and processors need to incorporate specific clauses into their contracts. Processors are now directly responsible for data security and record keeping, among other things. Joint controllers need to document the allocation of responsibilities between them and communicate this to data subjects.
This has led to some organisations that have historically been viewed as processors now asserting that they are controllers in their own right. Discussions on the status of the parties and the allocation of responsibilities are now a regular part of negotiating any data processing relationship.
In addition to that, a series of cases in the European Court of Justice have broadened (at least in the eyes of many UK practitioners) the concept of joint controllership. This started with the Facebook Fan Pages decision last summer and has continued through to an Advocate General’s opinion earlier this year stating that organisations that incorporate social sharing buttons on their websites, or other third party embedded content, are jointly responsible for the collection and processing of personal data.
While these decisions relate to the online world, they raise practical questions for all organisations – whether in relation to the data collected through their websites or to processing in the offline world, where processing by one organisation is interlinked with the acts of another. For example, if a hospital allows a TV production crew to come in and film, are the hospital and the production company joint controllers?
Consent and transparency
In the UK, the ICO has taken enforcement action for failures in relation to transparency, with fines issued to parenting club Bounty and another organisation called Emma’s Diary. In both cases (which relate to failures prior to GDPR) the organisations failed to properly explain how the data they collected was shared with other organisations.
But the big story of the year is the €50m fine issued by the French privacy regulator, CNIL, to Google. While enforcement action against a global technology business may not seem relevant to most organisations, looking beyond the headlines there are some key learnings for all organisations that process personal data.
Firstly, on consent, CNIL’s decision emphasises that organisations should not use pre-ticked boxes, even if there is a subsequent action to accept or create a user account. CNIL also took issue with the bundling of consent. In this case, the consent related to personal advertising, but it was not made clear that consent applied to the use of data across multiple Google platforms.
Secondly, on transparency, CNIL’s decision provides some helpful guidance for drafting privacy notices:
- Avoid spreading information across multiple documents in different places.
- Avoid generic descriptions and ambiguities. Don’t use words like “may” or “might” or “for example”. Be precise.
- Ensure that a user can clearly understand the legal basis that applies to each processing activity. Avoid using separate lists and consider instead using a tabular layout in your privacy notice.
Cookies and ePrivacy
We are still awaiting a finalised text of the proposed ePrivacy Regulation, which is stuck in a political logjam until EU member states can reach a common position on what the new Regulation should say.
Despite this, there have been a number of developments in the last year that are relevant to ePrivacy. The Google case has given a clear steer in relation to bundling of consent for personalised advertising across different platforms. That, together with another case in the European Court of Justice (Planet 49), also has implications for the use of cookies, particularly where cookie control tools are used to allow users to “accept all” cookies. Practical guidance from regulators is essential.
We have also received an indication on the direction that the ECJ is likely to take on responsibility for social sharing buttons and other embedded content on websites and mobile apps, where IP addresses and other user information is shared with that third party. A preliminary opinion from January this year in the Fashion ID case proposes that website operators are jointly responsible with social media networks and the providers of embedded content.
While this decision is consistent with the Facebook Fan Pages decision, it again raises practical issues for operators of websites and apps in relation to how they can obtain effective consent for cookies and provide adequate information on how user data will be used when they do not have any control or insight into that processing.
Personal data breaches
Most organisations are likely to have experienced at least one personal data breach since GDPR came into force. While GDPR introduced mandatory breach reporting obligations, they do not apply where there is unlikely to be any risk to the individuals affected.
While the European Commission says that over 89,000 breaches were notified in the first year of GDPR, the ICO has said that organisations are over-reporting, perhaps because they are unclear how to make an assessment on risk. Others are reporting general breaches of data protection law, when the breach reporting obligation only applies to breaches of security.
It’s therefore important that organisations have in place a proper procedure for dealing with suspected breaches, so that these can be promptly investigated and a decision made on the facts.
Indeed, in my experience, many cyber breaches tend to be less severe than initially suspected. Once log files have been retrieved and analysed, it is often the case that attempts to copy out a database have been unsuccessful. Ensuring that you have forensic specialists is essential and it’s well worth following the guidance from the UK’s National Cyber Security Centre.
Data subject access requests
Finally, many organisations will be grappling with a substantial increase in the number of data subject access requests that they are receiving from individuals. We are yet to receive any regulatory guidance on exactly what is meant by a request being “manifestly unfounded” or “excessive”, but the courts have continued to provide some guidance to controllers when handling data subject access requests. While these decisions are all based on pre-GDPR law, the principles discussed remain valid.
For example, in Miller v ICO the courts held that when considering the identifiability of individuals from statistical data, the ICO’s “motivated intruder” test needs to be applied on the facts of the case. Look at the age of the data being disclosed and how likely it is that individuals could actually be identified, rather than applying a rigid test based on the size of the dataset.
In DB v GMC, the courts have also emphasised that controllers have wide discretion when it comes to deciding whether or not to disclose personal data relating to third parties when responding to a data subject access request. There is no presumption against disclosure. Instead, controllers need to carry out a balancing test and decide whether it is reasonable to disclose.
As GDPR continues to bed in, we can expect to see more guidance emerge from regulators and the courts. Organisations with a presence in the United States will also need to contend with the new California Consumer Privacy Act. For data protection practitioners, the next 12 months is looking just as busy as the last 12!
Martin Sloan is a member of Brodies’ Technology, Information and Outsourcing Group and specialises in advising clients on technology procurement and IT and business process outsourcing projects.