EU Article 29 Working Party Clarifies Definitions of "Data Controller" and "Data Processor"

Posted on March 29, 2010 by Kevin Khurana

On February 16, 2010, the EU Article 29 Working Party published Opinion 1/2010, in which it clarified the definitions of “data controller” and “data processor” as those designations are used within the European Data Protection Directive (the “Directive”). The Working Party’s opinion is welcome guidance, not only because the designations determine who is responsible for compliance with data protection rules and how data subjects can exercise their rights, but also because the European Commission recently updated its Standard Contractual Clauses (which we blogged about here). Additionally, such designations are often difficult to apply in practice, especially given the increasing complexity of globalization, organizational differentiation, and information and communication technologies.

Data Controller:

The definition of data controller, under Article 2(d) of the Directive, is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data . . . .”

In clarifying the definition of controller, the Working Party analyzed its constituent parts. 

  • In its discussion of “joint control,” the Working Party stated that parties who act jointly have certain flexibility with respect to the allocation of obligations and responsibilities under the Directive. In its assessment, the Working Party said that the factual circumstances relating to the relationship must be considered.  It warned that joint control among multiple controllers may lead to a lack of clarity in the allocation of responsibilities, which could potentially result in a violation of the principle of fair processing.
  • In its discussion of “determines,” the Working Party advised that such an analysis should be factual, and should begin with the questions “why is this processing taking place? Who initiated it?” “[A] body which has neither legal nor factual influence to determine how personal data are processed cannot be considered as a controller.”
  • In its discussion of “purposes and means of processing,” the Working Party advised that the key questions that should be asked when analyzing purposes of processing are “why the processing is happening and what is the role of possible connected actors like outsourcing companies: would the outsourced company have processed data if it were not asked by the controller, and at what conditions?” It also stated that the key questions that should be asked when analyzing the means of processing include technical questions, like “which hardware or software will be used?” and organizational questions, like “which data shall be processed? For how long shall they be processed?” The Working Party went on to state that determining the purpose of processing is reserved solely to the controller, while determining the means of processing may be delegated by the controller to a processor. 

Data Processor:

Data processor, under Article 2(e) of the Directive, is defined as “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.” The processor must be a separate legal entity with respect to the controller. In its assessment, the Working Party focused on the meaning of “on behalf of the controller.”  It called upon the legal concept of “delegation,” in that the processor is only permitted to perform data processing within the bounds of the mandate given by the controller. The Working Party stressed that should a processor exceed such bounds and begin to acquire a role in determining the purposes and means of processing, it may become a controller rather than a processor under the Directive. 
Tags: , , , , ,

European Commission Seeks to Balance Data Protection and Business Globalization with Updated Standard Contractual Clauses

Posted on March 2, 2010 by Kevin Khurana

After years of negotiations, on February 5, 2010, the European Commission (EC) updated its Standard Contractual Clauses (SCCs), which set forth contract terms that govern the protection of personal data transferred from data exporters within the European Union (EU) to data processors outside the EU.  On June 8, 2009, we wrote that the EC was considering implementing new SCCs.  On May 15, 2010, the new SCCs, promulgated under 2010/87/EU, will go into effect, replacing the old SCCs, promulgated under 2002/16/EC.     

Under Directive 95/46/EC, personal data may only be transferred by EC Member States to a third country if that country ensures an adequate level of data protection.  EC Member States may circumvent this relatively high standard by incorporating SCCs covering data protection into their agreements with personal data processors in countries that lack adequate data protections.  The SCCs are intended to ensure that personal data is appropriately safe guarded when transferred to a data processor in a third country that does not otherwise provide an adequate level of data protection.

Unlike the old SCCs that did not consider sub-processors of personal data, the new SCCs permit a data processor in a country outside the EU to transfer data to a data sub-processor so long as the data exporter provides its prior written consent.  Additionally, the sub-processor must agree to the same terms agreed to by the data processor, including the SCCs governing personal data.  One interesting effect of the new SCCs relates to liability in the event of an information security breach; even if a data sub-processor is solely responsible for a breach, the original data-processor remains fully liable to the data exporter for such breach.   
 
The new SCCs, like the old SCCs, are enforceable not only by the entities which are parties to the agreements incorporating them, but also by data subjects who are third-party beneficiaries of these agreements.  While both the old and new SCCs allow for recovery by data subjects from data processors, the new SCCs, in specific instances, allow for recovery by data subjects from data sub-processors.
 
One other change worth noting is that the new SCCs have no arbitration clause.  In the old SCCs, a data processor had to agree that certain disputes with data subjects were permitted to be resolved by arbitration.  The new SCCs eliminate this option, offering mediation or litigation as a means to resolve disputes between a data processor and data subjects.  
 
With the new SCCs, the EC has attempted to balance the need to protect sensitive personal information and the need for efficient and increasingly global business operations.  It remains to be seen whether the new SCCs will provide a medium where both needs are adequately addressed.  
Tags: , , , ,

A New Solution for Global Outsourcing? The EU Commission Considers New SCCs For Cross-Border Data Transfers

Posted on June 8, 2009 by Cecile Martin

The European Commission is considering modifying the standard contractual clauses (hereafter “SCCs”) established on December 27, 2001 and used by data controllers to transfer personal data to data processors located outside the EU. The new SCCs may introduce more flexibility in processing services and better reflect new business practices.

Although the European Commission has not yet released the new SCCs, the Working Party adopted an opinion on this topic on March 5, 2009.

As our readers know, the EU Directive of 1995 prohibits the transfer of personal data outside the EU/EEA, in countries which do not offer an adequate level of protection of the data. In the judgment of the EU Commission, the United States does not have an adequate level of protection of personal data for purposes of the EU Directive.

As a consequence, controllers that want to transfer personal data to processors located outside the EU/EEA must use one or more of the following compliance mechanisms: 

  • Safe Harbor (which only applies if the processor is located in the US);
  • Binding Corporate Rules;
  • SCCs. 

Many have pointed out that SCCs may no longer be manageable for the complex onward transfers made not only from controllers to processors (as envisaged by the current SCCs) but also from processors to sub-processors or subsequent sub-sub-processors. This is the reason why the European Commission is considering a new set of SCCs.

The new SCCs are designed to: 

  • regulate sub-processing;
  • allow multi-layered sub-contracting;
  • allow the local Data Protection Authorities to inspect the full chain of sub-processing and make binding decisions;
  • function as the law of the Member State in which the data exporter is established. (According to some, such a process would be against normal commercial practices as it would have for effect to apply a foreign law to a sub-processor);
  • repeal the current SCCs.

In its opinion about the new SCCs, the Working Party outlines three main issues:

 

1.      First of all, it draws attention to the fact that the transfer of data between a processor established in the EU/EEA to a sub-processor outside the EU/EEA is not envisaged by the SCCs while it is, in practice, a common processing nowadays. It underlines that there is a discrepancy on the rules applicable depending on the place where the processor is located.

The Working Party urges the European Commission to develop a new set of SCCs that would allow international sub-processing by processors located in the EU/EEA. However, given the time that the development of such a new set may take, the Working Party recommends that national Data Protection Authorities consider as an adequate guarantee the fact that the controller authorizes the transfer by a processor located in the EU/EEA to a sub-processor located outside the EU/EEA as long as it applies by analogy the same guarantees and principles in the SCCs.

 

2.      Second, the Working Party agrees that multi-layered sub-contracting must be taken into account and that a multi-layered sub-processing clause must be included in the new SCCs. However, it draws the attention of the European Commission to the fact that data transferred in such a case, especially if they contain sensitive data, must be processed in compliance with the EU Directive requirements. Indeed, the Working Party emphasizes that given the various number of sub-contractors that may be involved in the sub-contracting process, the liability of a processor that would not have complied with the controller’s instructions may be difficult to establish. This is the reason why the Working Party recommends that the data exporter keep an updated list of the various processors and sub-processors.

 

The Working Party also considers that applying new SCCs to all different layers of sub-processing is a good solution provided that the data exporter implements organizational solutions to facilitate the exercise of the data subjects’ rights (for instance putting in place a single corporate contact point for data subjects’ claims).

 

3.      Third, the Working Party recommends that transitional provisions be included in the new SCCs providing that the previous transfers authorized under the “old” SCCs remain in force as long as the transfer described has not changed. It is only if a change is made to the transfer that the parties would have to comply with the new SCCs.

Tags: , , , ,