What happened?
Shortly after the GDPR entered into force, the Court of Justice of the European Union (CJEU) rendered judgments on the concept of "joint controllership".
- In its first decision on 5 June 2018 (Wirtschaftsakademie Schleswig-Holstein, C‑210/16), the CJEU stated that administrators of Facebook fanpages are – jointly with Facebook – responsible for processing Facebook visitors' data in order to compile usage statistics, even though the fanpage administrator had no access to any personal usage data, only to anonymised reports.
- In its second decision on 10 July 2018 (Tietosuojavaltuutettu, C-25/17) the CJEU found that a religious community may be – jointly with members of its congregations – responsible for collecting personal data in course of door-to-door preaching activities, by which members of the congregations who engage in preaching spread the faith of their community. Although the personal data gathered is never shared with the religious community, the CJEU considers it being sufficient for the establishment of joint controllership that the community organised, coordinated and encouraged the preaching activities of its congregations.
Clearly, these examples indicate that the CJEU applies a very broad "interpretation" when considering someone a joint controller: joint controllership may be found even if the data processing activity is carried out by only one of the parties and no data is transferred to the other party, provided that the other ("non-processing") controller somehow (directly or indirectly) benefits from the respective data processing activity or exerts influence over the processing of personal data for its own purposes.
What is joint controllership under the GDPR?
The GDPR speaks of joint controllership when two or more controllers jointly determine the purposes and means of processing. The joint decision-making process is central to determining joint controllership and requires that each controller actually has a say in the collection and processing of data. A mere contractual agreement under which one party processes personal data and other parties benefit from that processing does not suffice to establish joint controllership; otherwise, any agreement on processing personal data would constitute joint controllership. In the Facebook case, for example, the fanpage administrator has neither a say in, nor any insight into, how Facebook processes visitors' data. In other words: the test for joint controllership is a practical one rather than – in the first place – one based on mere contractual analysis.
Is an extensive interpretation of joint controllership required under the GDPR?
Pre-GDPR data protection regulation (on which these recent decisions are based) did not contain any specific rules for joint controllership, nor did it impose any direct responsibilities on companies that process data on behalf of a controller (such companies are referred to as "processors"). Thus, it is somewhat understandable that the CJEU aims for a "broad understanding" of the term "controller" in order to ensure effective and comprehensive protection of data subjects, in short: to keep as many parties as possible responsible and liable under the previous data protection regime. In our view, the CJEU's "interpretation" goes way beyond the letter of the law, as well as the intention of the law, for that matter, when it speaks of "jointly determining the purposes and means of processing" just because the fanpage administrator enters into a contract with Facebook on receiving anonymised usage reports. Under the GDPR there is no need to construe the concept of the controller so extensively that hardly any room is left for processors: the GDPR also imposes direct obligations on processors, e.g. to maintain a record of processing activities, to conclude a data processing agreement, or to implement appropriate technical and organisational measures to ensure a level of security. Thus, "mere" processors are also responsible and liable for violating their respective obligations. In addition, under the GDPR data subjects have the right to bring claims directly against processors for violating GDPR obligations. Apparently, then, the GDPR does not call for an extensive interpretation of joint controllership.
So … is joint controllership a bad thing?
Joint controllership entails a suite of responsibilities and liabilities for joint controllers, both vis-à-vis the data subject and vis-à-vis national data protection authorities. For example, the GDPR imposes a specific obligation on joint controllers to conclude a "joint controller agreement", an arrangement specifying their respective responsibilities for compliance with the obligations under the GDPR, and to pro-actively make the essence of the agreement available to the data subjects. From a data subject's perspective, joint controllership per se is clearly not a bad thing. Yet, joint controllership and the additional obligations it entails for joint controllers must be restricted to cases where the data processing activity indeed goes beyond a standard controller-processor arrangement or a mere data transfer from one controller to the other (i.e. a separate controller – separate controller relation). Otherwise joint controllership can lead to responsibilities beyond a (joint) data controller's reach (as in the Facebook case). This does not seem to be the intention under the GDPR.
What are the consequences of the rulings?
At first glance, one might take the view that the CJEU rulings, being based on pre-GDPR laws, have no effect under the GDPR. The definition of "controller", however, has basically stayed the same. Although the concept of joint controllership and the respective joint controller obligations have been firmed up in the GDPR, it can be expected that – following the data-subject-friendly approach taken by the CJEU – similar decisions will be rendered in the future. Yet, this raises the question whether the function of a processor (i.e. someone who processes data on behalf of a controller) still has any scope of application. In practice, it will hardly be possible to distinguish whether two parties have agreed on one party doing the processing and the other party profiting from this processing (= joint controllership according to the CJEU) or on the processing party processing personal data on behalf of the non-processing party (= processor-controller relationship). As the CJEU seems to favour joint-controller relations over processor-controller relations (or over separate controller – separate controller relations), the scope for processors seems to have narrowed. By default, joint controllers are each responsible for compliance with all GDPR obligations, even if they are not involved in the processing of personal data. In contrast, in a processor-controller relationship, both the processor and the controller would only be responsible and liable for violations of their respective "own" obligations. Despite the CJEU's over-extensive construction of controllership, both judgments state that the level of responsibility and liability of each of the controllers can vary in a particular case according to their actual involvement at different stages of that processing of personal data and to different degrees. This, however, applies in its entirety only pre-GDPR.
Although joint controllers now may specify their respective responsibilities in the mandatory joint controller agreement and the national data protection authorities are (mostly) bound by such allocation, this does not hold vis-à-vis data subjects: Under the GDPR, data subjects may exercise their rights in respect of and against each of the joint controllers.
And … what are the takeaways for companies?
Provided that the CJEU continues its broad interpretation of the concept of a controller also under the GDPR, companies have to be aware that already in simple cooperation constellations they might be considered joint controllers if the collaboration involves processing personal data. Hence, whenever the facts command joint controllership, involved companies should not ignore the following when setting up a cooperation:
- Clearly define and limit the scope of the mandatory joint controller agreement, i.e. the processing activities for which joint controllership is given.
- Set out in the mandatory joint controller agreement which party is responsible for compliance with which obligations under the GDPR. In particular, joint controllers who are not involved in the day-to-day processing should, in the joint controller agreement, avoid assuming any responsibility for compliance with GDPR obligations (this should be assumed by the joint controllers actually carrying out such processing).
- Include explicit contractual exemptions of their liability vis-à-vis the other joint controllers for violations not in their assigned scope of obligations.
- Ensure that each party, including the non-processing parties, is able at all to deal with and respond to data subject requests within the timeframes set out in the GDPR, e.g. through (i) designating a contact point for data subjects, so that their requests are channelled to the party best suited to respond, (ii) obligations for the party involved in the day-to-day processing to assist the other joint controllers in giving a timely response to the data subject, and/or (iii) explicit contractual exemptions of their liability vis-à-vis the other joint controllers for violations of such an obligation to assist.
What does the future bring?
It remains to be seen how national data protection authorities and courts will react to these rulings and how the CJEU will decide on similar constellations under the GDPR. Meanwhile, it is of utmost importance to spend time on examining the data privacy roles more closely whenever more than one party is processing personal data or benefitting from such processing conducted by another company. The result of such a "role-check" should be well documented so that the documentation can be presented to a national data protection authority in case of an inquiry or investigation. We will closely observe developments on this matter and keep you posted.