Hunton Andrews Kurth LLP
  October 1, 2012 - Virginia

Challenging Times Ahead for Data Processors
  by Bridget Treacy, Partner at Hunton & Williams

Much has already been written on the proposed EU Data Protection Regulation, but there has been very little focus on the fundamental changes to the responsibilities and liabilities that the Regulation seeks to impose on data processors.  Currently, a processor
has no direct responsibility or liability under the Data Protection Directive (although processors do have direct obligations under Irish implementing legislation); the new Regulation introduces a raft of direct obligations and subjects processors to the same enforcement mechanisms as a data controller, including the possibility of substantial administrative fines of up to 2 to 4% of their worldwide turnover.

The essence of aprocessor’s role

Determining whether a party is a ‘processor’ or a ‘controller’ is a fundamental distinction in European data protection law, not
least because the Directive imposes direct responsibility (and liability) on a controller, not on a processor. The controller will usually allocate responsibility to a processor as a matter of contract.

Whether a party is a controller or processor can be a difficult assessment, frequently involving fine distinctions. In February 2010,
the Article 29 Working Party published a widely anticipated ‘Opinion on the Concepts of Controller and Processor’ (www.pdp.ie/docs/10008). The Opinion’s focus is on the role of the controller in ensuring data protection and therefore much of it is evoted to explaining how to determine controllership. The Working Party characterises the role of the processor as subsidiary to that of a controller, and emphasises that the existence of a processor is wholly dependant on a decision taken by a controller to delegate data processing activities to a third party. Thus, a processor needs to be a separate legal
entity, and to undertake data processing activities on behalf of another, the controller. The Opinion is clear that whether or not a party is a processor is fact specific and depends on ‘concrete activities in a specific context’.

Given the level of debate over the years as to the roles and responsibilities  of a data controller versus a data processor, there was speculation that, in reforming data protection law, EU law-makers might remove the distinction altogether and
instead impose responsibility on parties for the data processing activities they conduct. This has happened in many of the jurisdictions that form the Asia-Pacific Economic Cooperation. However, the current draft of the Regulation does not do this.
Instead, it seeks to require the parties to establish the limits of their authority and authorisation, and to adhere to them.

Obligations imposed on processors

Chapter IV of the draft Regulation sets out the obligations imposed on both controllers and processors. 
Article 26 sets out the specific requirements where a controller seeks to delegate  processing to a processor. These
requirements, which must be imposed contractually, are similar to, but extend beyond, what is currently required under the Directive. Unsurprisingly, a key focus is on data security and a controller must chose a processor that provides sufficient guarantees to implement appropriate technical and organisational measures and procedures.

However, the security objective is expanded with the requirement that guarantees must be given ‘in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject’. This amendment apparently seeks to ensure that processors are able to deliver compliance across a broader range of rights, which are set out in further detail in Article 26(2). Yet the role of a processor is different to that of a controller and clearly there are aspects of the Regulation that processors cannot generally be expected to  comply with. This provision is just one of several in which the role and responsibility of the processor require further consideration.


Contractual requirements

Article 26 also sets out requirements that must be reflected in the contract between the controller and processor. These are more extensive that those currently required by the Directive.

There is a subtle difference between the wording of the draft Regulation and the Directive on the subject of whether a contract need be entered into between a controller and processor. The regulation states (at Article 26(2)) that “the carrying out of processing by a processor shall be governed by a contract” (italics added); this can be contrasted with the requirement under the Directive that all  data controllers must put in place processing contracts with their ‘data processors’.

The significance of this distinction becomes apparent when you consider that processors can be penalised  directly by data protection authorities for failure to comply with Article 26. The administrative sanctions in Article 79(6) impose the highest level of fine (up to 2% of annual worldwide turnover) for breach of the provision. These fines may be imposed on those who carry out processing, which includes the processor. Specifically, Article 79(6) permits the imposition of a fine not just on a controller but on anyone who, intentionally or negligently processes…personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26…’. Therefore, a processor could be subject to a sanction of the highest level if the controller fails to enter into a contract with it.

The specific requirements listed in Article 26 require that the processor will:

·       act only on the instructions of the controller, in particular where the transfer of personal data used is prohibited;

·       employ only staff  who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;

·       take all measures required in relation to the security of processing, as set out in Article 30;

·       enlist another processor only with the prior permission of the controller;

·       create, in agreement with the controller, the necessary technical and organisational requirements to enable the controller to comply with individuals rights set out in Chapter III (which deal with transparency, information, rights of access, rectification, the right to be forgotten, erasure, portability, the right to object and profiling);

·        assist the controller in complying with Articles 30 to 34 (which deal with data breach notification, data protection impact assessments (‘DPIAs’) and prior authorisation);

·        hand over results at the end of processing and not to process data otherwise; and

·        make available to the controller and supervisory authority all information necessary to control compliance with the obligations laid down in Article 26 (see further below).

In addition, the controller and processor must document the controller’s instructions and processor’s obligations. If the processor processes personal data other than as instructed, the processor shall be considered a controller and subject to the rules on joint controllers, set out in Article 24.

Article 24 simply provides that where a controller determines the purposes, conditions and means of the processing jointly with others, the joint controllers shall determine their respective responsibilities for compliance under the  regulation.  Thus, if a controller failed to give proper processing instructions, Article 26(4) may have the effect of transforming a processor into a controller. This may also occur where a processor inadvertently processes personal data, for example, because the processor does not realise that data contain personal data elements. It seems difficult to imagine that these consequences were intended.

The meaning of the last subsection of Article 26(2)(h), which refers to making available ‘all information necessary to control compliance’, is unclear. It appears to extend far beyond a general obligation to provide information, which sits awkwardly with the separate obligations in the Regulation that require the parties to maintain documentation recording processing operations, and permitting the supervisory authority to require information.

Overall, the Regulation envisages very detailed contractual provisions which would create a significant additional burden in many cases. A number of the issues listed in Article 26 are issues that will be covered by

due diligence investigations between the parties in most cases, but which seem inappropriate as detailed contractual terms. Further, where data processing arrangements are complex, the relevant level of specificity may not be available at the time the contract is entered into, so that these provisions will need to be supplemented as the contract evolves.

At a practical level, the Regulation does not address the position of existing contracts, or make specific arrangements for transition. There are many hundreds of thousands of services agreements and outsourcing contracts in the EU, most of which are unlikely to comply with the enhanced contractual requirements set out in the Regulation.

Renegotiating such contracts to ensure  compliance would take a lengthy period, certainly longer than the two year implementation period envisaged for the Regulation generally. Further, as inevitably happens, once an agreement is re-opened, one or other of the parties will invariably seek to negotiate other terms; a process which could be very expensive for  organisations. It is hoped that, at the very least, existing contracts will remain valid until the data processing activities changed, at which point new provisions could be negotiated.

Maintain documentation Both controllers and processors are obliged to maintain documentation of  all processing operations for which they are responsible (Article 28(1)).  In particular, the Regulation sets out the following minimum requirements:

      ·       name and contact details of the controller/joint controller/processor/representative;

·       name and contact details of the Data Protection Officer (‘DPO’);

·       purposes of the processing (including the legitimate interests pursued by the controller, where the processing is based on legitimate interests);

·       description of categories of data subjects and categories of personal data relating to them;

·       recipients or categories of recipients of the personal data;

·       transfers of data to a third country or international organisation;

·       general indication of the time limits for erasure of different categories of data; and

·       description of the mechanisms referred to in Article 22(3), namely, the mechanisms that the controller uses to verify compliance with its obligations set out at Articles 22(1) and (2). In particular, these include documentation required under Article 28, data security requirements (Article 30)), DPIAs (Article 33), prior authorisation/prior consultations with supervisory authorities (Article 34) and designated DPO (Article 35).

There is also a general obligation on both the controller and processor to make the documentation available on request to the supervisory authority. There is an exemption to complying with this obligation for organisations with fewer than 250 employees whose data processing activities are ancillary to its main activities, and for natural persons processing data without a commercial interest.

A key difficulty here is that much of the information listed in Article 28(2) will be commercial information of the controller, not the processor, yet the obligation to maintain the information rests with both parties. Further, supervisory authorities may impose a fine of up to 1% of an enterprise’s annual worldwide turnover where it intentionally or negligently fails sufficiently to maintain the documentation required by Article 28.

 Processors’ obligations unclear

The key obligations under the Regulation — i.e. the ‘principles relating to personal data processing’ listed in Article 5 — are clearly responsibilities of a controller.  The grounds for processing (Articles 6 —10) also make clear that any basis for processing must be attributed to the data controller and not to the processor. The obligations of transparency (Articles 11—13) are imposed on the controller alone. The rights to information, access to data, rectification and erasure and other individual rights (Articles 14 — 21) are only exercisable against the controller. Yet, processors (as well as controllers and representatives, if any) are required to cooperate with the supervisory authority (Article 29(1)), in particular, in connection with alleged breaches of the Regulation reported to the supervisory authority and the exercise of data subject rights.

Both processors and controllers are obliged to reply to requests of the supervisory authority relating to the exercise of data subjects’ rights within a ‘reasonable period’ (to be specified by the supervisory authority) (Article 29(2)).

Thus, as a general observation, the Regulation does not clearly set out which provisions are applicable to controllers, which apply to processors, and which apply to both. The position is confused because some obligations are not attributed to either controller or processor, some are attributed to the controller, but then the supervisory authority can serve notices in respect of them on the processor, and others are referred to as being exercised by the processor ‘on behalf of’ the controller. Clarity around which responsibilities are attributable to the processor would assist.

An example of this confusion may be seen in the context of subject access. Supervisory authorities may serve notices on processors where controllers fail to provide subject access. Yet none of the individual rights are exercisable directly against the processor, and the processor can have no liability for failing to comply with them. Allowing the supervisory authority to proceed against a processor may be appropriate as a secondary remedy where the controller has been required to deal with an access request but has failed to do so properly, but the processor should not be the primary recipient of such a notice.

Processor as joint controller

The provisions on joint controllership set out in Articles 24 and 26(4) do not sit well together. Article 24 contains the following wording: ‘where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers…’. This implies that ‘joint controllers’ are controllers where two (or more) controllers jointly decide the purposes, conditions and means of the data processing.

Further, joint controllers must determine their respective responsibilities for compliance with the Regulation by means of an arrangement between them.

This should be contrasted with the position of a processor which exceeds its authority or strays into controllership. Article 26(4) provides that ‘if a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.’ Here, the processor is not a ‘joint controller’ with the original controller, because the two have not decided the purposes, conditions and means of the data processing together. Nevertheless,

Article 26(4) provides that the processor-turned-controller would be subject to the Article 24 requirement to allocate controllership responsibilities with the original controller.

Taken together, Articles 24 and 26(4) appear to mean that a processor which carries out relatively minor processing outside the scope of its instructions becomes subject to the obligations of a joint controller under Article 24. The outcome has unintended consequences as, presumably, the processor-turned-controller may approach the original controller and demand that the original controller agree with it the exercise of their ‘respective responsibilities’. It may give unscrupulous processors a basis to put pressure on controllers by acting outside their remit. In most cases, this would be a breach of contract and it is not at all clear how a regulator would be able to enforce something that amounted to a contractual breach by the processor.

Conclusion

The Regulation is ambitious, seeking to implement wide-ranging reform across many aspects of data protection law. Some themes are relatively self-contained, but others, such as the role of the data processor, are nuanced and complex. It is only with careful reading and analysis of the proposed Regulation that the significance of the changes proposed for data processors becomes apparent.

The responsibilities and liabilities of processors will change fundamentally if the current proposal is enacted. Many processors will not have focused on these issues yet. It is to be hoped that they do so soon.