The key conclusion in the Article 29 Working Party’s Opinion is that a data controller must determine the ‘purpose’ and ‘essential means’ of the processing but can delegate ‘technical and organisational means’ to the data processor. This is helpful and should provide more legal certainty for businesses. However, as the examples in this article demonstrate, applying it to some real life service agreements and outsourcings may still be a challenge.
Why has the Opinion been issued?
The Directive defines a data controller as someone who determines the ‘purpose and means’ of processing and a data processor as someone who processes personal data ‘on behalf of’ a data controller. The distinction has a number of practical implications:
· data processors are not responsible for the processing nor are they generally subject to data protection legislation (though at least 11 Member States impose some limited obligations directly on data processors, mainly relating to data security);
· data controllers must have a written contract with data processors, flowing down a limited set of data protection obligations through the use of processing clauses – these clauses must oblige the data processor to act only on behalf of, and under the instructions of, the data controller; and
· disclosures of personal data to a data controller can be more difficult to justify than disclosures to a processor – in certain countries an additional consent from, or notice to, the data subjects may be required if the disclosure is to a data controller.
Despite the fairly fundamental issues raised by this distinction, there has been considerable doubt about how this classification operates in practice, especially for increasingly sophisticated vendor services and outsourcing relationships. This was demonstrated by the various and sometimes contradictory opinions rendered in relation to the US Treasury’s access to financial messages transported by SWIFT on behalf of their customers in the framework of the Terrorist Finance Tracking Program.
Data processors and ‘essential means’
The Opinion on the concepts of ‘controller’ and ‘processor’ (WP 169) addresses these issues. The main point in the Opinion is that, so long as the data controller continues to determine the ‘purpose’ and ‘essential means’ of the processing, it can still delegate ‘technical and organisational means’ to the data processor. The Opinion defines the ‘essential means’ to be:
‘elements which are traditionally and inherently reserved to the determination of the controller, such as “which data shall be processed?’” “for how long shall they be processed?”, “who shall have access to them?”, and so on’
This position is broadly similar to that taken by the UK Information Commissioner, whose Guide to Data Protection states:
‘the data controller is the person who decides how and why personal data is processed. However, we take the view that having some discretion about the smaller details of implementing data processing (i.e. the manner of processing) does not make a person a data controller.’
The Opinion also suggests other criteria to consider when making this assessment, such as the visibility of the processor to the data subject (see the call centre example below), the level of supervision by the controller and the margin of manoeuvre open to the processor. Importantly, the Opinion states that a supplier can provide standardised services on the basis of standard terms and conditions and still be a data processor. The customer will make itself a controller by voluntarily taking a decision to instruct the supplier on the basis of those terms and conditions.
The Opinion further states that while contractual provisions stating that a party is to act as data controller or data processor (or both!) will affect the analysis, they are not determinative and it is important to consider the underlying factual circumstances.
Application to sourcing arrangements
While this provides a useful framework for any analysis, it can still be difficult to come to any firm conclusions in any particular case. It is therefore helpful to look at how this analysis applies to some common sourcing relationships:
· Payroll processing companies – These will clearly be data processors. The Opinion recognises the payroll processor may have some discretion about the technical equipment they use to provide their services but their tasks will be clearly and tightly defined and they will be bound to follow the relevant employer’s instructions.
· Call centres and helpdesks – The position here is less certain and will depend on the way in which the call centre proposes its services and the degree of control the customer retains over its supplier’s operations – which will normally be determinable by analysing the level of detail in the (service level) agreement. For example, the Opinion considers that a supplier who provides call centres under a tightly defined offering and presents itself using the data controller’s identity will normally be a data processor. In contrast, if the supplier has a large degree of discretion over how it provides the service and can use information from the services for its own purposes such as training or problem identification for other clients (as may be the case where a common helpdesk is provided to many customers), this may point to the supplier acting as data controller. The fact that different types of call centre services may lead to different conclusions, emphasises the fact sensitive nature of the analysis.
· Telecommunication services – In accordance with Recital 47 of the Directive, a telecommunications operator will be a processor in respect of any data being transmitted over its network but a controller in respect of traffic and billing data generated by that network. This example demonstrates the possibility that a supplier may act as both controller and processor in a sourcing relationship.
Controllers – joint or independent?
Even if data is passed to a party acting as data controller, that is not the end of the analysis. The Opinion goes on to consider if that party ought to be considered independent or joint controller with the disclosing party. This distinction also has practical implications as joint controllers may be jointly and severally liable for any data protection breaches.
The Opinion again stresses the need for a substantive and functional approach; while contractual allocation of responsibilities can be useful in assessing this issue, it is not determinative of the result. Instead, the main question is whether the two data controllers share a common purpose or means. For example, where a travel agent simply forwards its client’s details to an airline and hotel chain to make the appropriate reservation, each will act as independent data controller in respect of that information. In contrast, if the travel agency, hotel and airline jointly set up an internet-based portal and share the data generated by that portal they are likely to act as joint controllers.
An important point made by the Opinion is that these relationships ought to be structured in a way that clearly sets out each party’s responsibilities and allocates data protection obligations in a sensible manner. Absent this, the Opinion suggests there should be joint and several liability between all parties involved in that processing.
Cloud computing
Finally, no computing article is complete these days without a reference to cloud computing. It is therefore fortunate that this topic is also considered briefly in the Opinion. It recognises that cloud computing can be carried out in compliance with data protection rules and that processing tasks can be split between a number of processors or even sub-processors, as is likely in some cloud deployments.
However, where there is a complex or diffuse set of processors it is important to clearly allocate data protection obligations and not dilute control over the processing. Moreover, while the controller need not agree on all the means used to process the data, it should still be informed of the main elements of the processing (such as security measures and the steps take to protect data if it is transferred outside of the EEA).
Conclusions
The Opinion provides some useful clarifications but in some cases it will still be difficult to come to any firm conclusion on whether a party acts as a data processor, joint controller or independent data controller in a sourcing relationship. While the Opinion considers that it ‘has not found any reason to think that the current distinction between controllers and processors would no longer be relevant and workable in that perspective’, questions about the need for the data controller/data processor concepts, as evidenced by the responses to the Commission’s consultation on the Data Protection Directive, may continue.
The Opinion is available here.
Tanguy Van Overstraeten is Global Head of Linklaters’ Privacy and Data Protection Practice, Co-leader of Linklaters’ Global Telecommunications Sector Team and Head of the Technology, Media & Telecommunications (TMT) practice in Brussels.
Richard Cumbley is a Partner at Linklaters LLP, based in their London office.