This continues our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This blog focuses on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. See our previous issue on the updates in the draft Guidelines on the concept of processor here, on controller here, and on joint controllers here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.
Several important documents relating to the rules governing the transfer of EU personal data were published during the second week of November 2020 by the European Data Protection Board (EDPB) and the EU Commission. In addition, the EU Commission has also published new standard contractual clauses for use when transferring personal data between a controller and a processor within the EEA and to countries outside the EEA.
Transfers of Personal Data to Third Countries
In the aftermath of the landmark decision by the Court of Justice of the European Union (CJEU) on international data transfers – the so-called Schrems II judgment (see our post on this topic) – organizations have been awaiting additional guidance from EU authorities on measures that must be implemented to transfer personal data to third countries without being in breach of the Regulation (EU) 2016/679, i.e. the General European Data Protection Regulation (GDPR).
The following documents have been published in relation to implementation of Schrems II.
The United States is in the process of completing its 59th presidential election and electing its 46th president. A change in administrations is inevitably accompanied by a change in executive priorities. Assuming that Vice President Biden is sworn in as President on January 20, 2021, the area of data privacy will likely be of particular focus under the Biden Administration, with consequences for data privacy litigation. Lydia de La Torre, Glenn Brown, Kristin Bryan and Aaron Garavaglia offer their insights regarding the anticipated impact a Biden presidency may have in this area.
Broadly speaking, it is anticipated that a Biden Administration will likely focus on the passage of federal data privacy legislation, renegotiate conditions for EU data transfers to the US, reintroduce a cybersecurity coordinator to the White House, and increase FTC enforcement activity. Of course, several of these issues are contingent upon which party will come to control the Senate, a question that will not be answered until the two runoff elections in Georgia are completed in early January 2021. Their analysis is available on our sister blog, Consumer Privacy World.
With the end of the Brexit transition period fast approaching, we have examined the potential impact on data privacy compliance in the UK and the EU/EEA and prepared a guide which provides practical advice on how to prepare to ensure that your organization is in the best position possible to deal with the outcome of the current UK/EU negotiations on 31 December 2020.
Organisations are advised to identify personal data flows between the EEA and the UK and to devise a plan to ensure that these data transfers will be able to lawfully continue from 1 January 2021, in the event that the UK does not obtain an adequacy decision from the European Commission (and no alternative agreement is reached) in advance of that date. Priority should be given to business-critical data flows and transfers of large volumes of personal data, special category data or criminal data.
In a significant development impacting all developers of certified Health IT and health care providers, the Department of Health and Human Services (“HHS”) Office of the National Coordinator for Health Information Technology (“ONC”) announced an Interim Final Rule with Comment Period (“IFC”) delaying compliance dates and timeframes for information blocking and the health IT certification program. This delay will come as a welcome change for certain entities in the health care sector struggling to implement changes amid the COVID pandemic. Read Kristin Bryan’s and Elliot Golding’s analysis on our sister blog, Triage Health Law.
On November 3, 2020, a majority of Californians voted to approve a new ballot initiative – Proposition 24, or the “California Privacy Rights Act of 2020” (“CPRA”). We previously issued alerts on the road to certification of this ballot initiative here. Below, we highlight the main points that businesses facing compliance with this new privacy law should bear in mind. We will provide further updates in the days and months to come, drilling down in detail on the provisions of CPRA and the new regulations when they are released for public comment.
Last month California Governor Gavin Newsom signed AB 713 into law, which more closely aligns CCPA to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other laws governing scientific research. Although these changes may help ease compliance challenges for the health care and life sciences industries, the changes only exempt from the CCPA certain types of data rather than exempt health companies entirely.
We continue our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” (“draft Guidelines”) issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This issue focuses on the updates to the concept of joint controller. See our previous issues on the draft Guidelines’ proposed updates to the concepts of processor here and on controller here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form.
Part 3: Focus on Joint Controllers
What is new in the draft Guidelines?
The draft Guidelines incorporate the holdings of recent judgments of the Court of Justice of the EU (“CJEU”) that expand and clarify the concepts of controller and joint controller.
What are the criteria for classification as joint controllers?
The California Attorney General (“AG”) proposed changes to the California Consumer Privacy Act (“CCPA”) regulations on October 12, 2020. Many of the proposed changes align with provisions that the AG withdrew over the summer during the California Office of Administrative Law (“OAL”) approval process. Although most businesses likely won’t need to materially alter current business practices if the changes are accepted, some adjustments may be required in specific situations. The proposed changes address the following topics:
- the requirements relating to providing a notice of the right to opt-out to offline consumers;
- the need for the opt-out of sale process to be easy and to not impair the opt-out process;
- what proof a business can request from an authorized agent and a consumer when a consumer makes an individual rights request through an authorized agent; and
- additional privacy notice requirements for certain circumstances when businesses process personal information of minors under the age of 16.
The proposed regulations are now in a 15-day public comment period, which will end at 5pm PST on October 28, 2020. If you have any questions about the proposed changes to the CCPA regulations, the existing regulations, or the CCPA, please reach out to your regular SPB contact or the author of this piece.
This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”) issued on 7 September 2020 by the European Data Protection Board (“EDPB”). This post focuses on the updates to the concept of controller. See our previous post regarding the concept of processors here. Upcoming posts will address joint controllers, “third parties” and “recipients.”
Please note that the EDPB has invited businesses to provide their feedback on the draft Guidelines by 19 October 2020.
Part II: Focus on Data Controllers
What is New in the Draft Guidelines?
Although the draft Guidelines provide some additional clarity on the distinction between controllers and processors, there remain various uncertainties in the application of the criteria for determining these roles under the GDPR. Evaluation continues to require a careful assessment of the relevant criteria and regulatory risks. It is important to keep in mind that not every “service provider” will qualify as a data processor. Indeed, the regulatory approach proposed by the EDPB appears to continue the trend towards limiting the scope of the “processor” classification and categorising data recipients that play a role in determining the purposes or essential means of the processing as joint controllers instead of processors. Joint controller status will be the focus of our third blog in this series.
Controller determines purposes and means of processing
The basic criteria for determining what makes an organisation a controller remain the same as under the previous guidelines issued by the EDPB’s predecessor in February 2010 (“Opinion 1/2010 on the concepts of controller and processor”). This is unsurprising, since the EU General Data Protection Regulation (“GDPR”) has not changed the definition of controller that was codified by the 1995 EU Data Protection Directive 95/46/EC. A data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4(7) GDPR). The draft Guidelines reaffirm that the controller determines both the “purposes” and the “means” of the processing of personal data. The 2010 Opinion interpreted the purposes and means as the “why” and the “how” of the processing. Control can be exercised over the entirety of a processing activity or only over a particular stage in the processing of the data.
Processors often have discretion as to the means of the processing, furnishing their own tools and technologies. The draft Guidelines suggest that this does not necessarily affect the role of the processor if such control is limited to non-essential means of the processing. As examples of such non-essential means, the draft Guidelines refer to “more practical aspects of implementation” – such as which hardware or software should be used. At the same time, controllers retain sole control over the “essential means” of the processing, since they decide “which data shall be processed”, “which third parties shall have access to this data”, “when data shall be deleted”, etc.
The draft Guidelines offer as an example the situation in which a company appoints a payroll administrator and notes that the “way in which the latter should carry out the processing is in essence clearly and tightly defined” even if the payroll processor may decide on certain matters “such as which software to use”.
The draft Guidelines observe that in some cases there is a thin line between the role of controller and processor, such as when companies appoint accountants. Often the accounting firm “decides itself, in accordance with legal provisions regulating the tasks of the auditing activities carried out by it that the data it collects will only be processed for the purpose of auditing the client and it determines what data it needs to have, which categories of persons that need to be registered, how long the data shall be kept and what technical means to use”. In such cases, the accounting firm acts as a controller. However, “[i]n a situation where the law does not lay down specific obligations for the accounting firm and the client company provides very detailed instructions on the processing, the accounting firm would indeed be acting as a processor.”
The controller role may stem from applicable legal provisions, that is, when the law determines the controller or establishes specific tasks for the organisation. The draft Guidelines provide as an example the processing activity of a municipality that has the obligation to provide social welfare benefits to citizens depending on their financial situation. Classification as a controller may also result from “factual influence.” The draft Guidelines also provide the example of a law firm that acts with a “significant degree of independence” when representing a client (noting also that the mandate is “not specifically targeted to personal data processing”). Factual influence includes amongst other things the terms of a contract or the “traditional roles and professional expertise that normally imply a certain responsibility” (as in the case of an employer with respect to the processing of personal data of its employees).
Access to personal data is not a precondition for being a controller
The draft Guidelines clarify, consistent with case law from the Court of Justice of the European Union (Facebook Fan page (C-201/16) and Jehovah’s Witnesses (C-25/17)), that organisations which do not have access to the personal data being processed on their behalf cannot exclude themselves from being a controller. So, for example, an organisation that engages a service provider to carry out a market study and only receives aggregated or statistical data will still be classified as a controller in relation to the personal data analysed in order to prepare the market study, if the organisation determines the means and the purposes for which personal data should be collected and the parameters of the study.
Control cannot be artificially allocated
As set out in the draft Guidelines, “it is not possible either to become a controller or to escape controller obligations simply by shaping the contract in a certain way,” or by appointing a natural person within one’s organisation to implement a processing activity and designate such person as the controller.
Continuous obligation to ensure processors and sub-processors provide “sufficient guarantees”
Controllers have the primary responsibility for compliance with the GDPR due to the accountability principle and other obligations imposed directly by the GDPR on controllers. The draft Guidelines stress the obligation of the controller to only engage processors that provide sufficient guarantees that the processing will meet the GDPR requirements. The EDPB clarifies that this obligation also applies to granting authorisation for processors to engage a sub-processor. In practical terms, this means that controllers should add an extra layer to their due diligence process for engaging service providers when the latter in turn engage sub-processors. Controllers should have contractual restrictions on the processor’s right to engage a sub-processor without the controller’s prior authorisation. There should be controls in place to check that the sub-processors provide “sufficient guarantees”. Where the controller grants a general authorisation, controllers should have the right to be informed of any changes to the list of approved sub-processors and an opportunity to object to any new sub-processors. The obligation to check that engaged processors and sub-processors provide sufficient guarantees is a “continuous obligation”, which requires regular verification that is ultimately the responsibility of the controller, even if the controller delegated the vetting of sub-processors to processors.
Emphasis on purpose limitation when sharing data with other controllers or joint controllers
The draft Guidelines also emphasise the duty of each controller to ensure that the personal data disclosed to another controller or a joint controller are not further processed in a manner that is incompatible with the purposes for which the data were originally collected by the disclosing controller. Where the receiving controllers or joint controllers intend to use the personal data for additional purposes, they should contractually commit to having a legal basis for such processing.
The draft Guidelines also provide an interpretation of Article 28(3) GDPR reaffirming that written and binding agreements are necessary. The EDPB calls on controllers to add specific and concrete information on how processors are to comply with their GDPR obligations (additional detail may be found here). Specifically, the EDPB suggests adding procedures and template forms in contracts with processors to allow processors to assist controllers, where necessary (for example setting forth a detailed procedure that would apply in case the processor suffers a data breach or who does what in case the controller or the processor receives data subject requests, etc.) or to arrange for further instructions for such assistance.
A controller’s instructions should also cover international transfers of data outside the EEA. Where the processor is authorised to delegate some processing activities to other sub-processors, the contract must be clear on whether the controller allows for transfers to processors in third countries, including the processor’s own divisions or units in third countries.
The EDPB emphasises that the controller will not be able to escape responsibility in cases where it agrees to non-negotiable terms offered by large service providers acting as processors, and the terms violate the GDPR requirements. Consequently, controllers must assess their compliance risks and ensure that any such non-negotiable contracts do not impact their key processing activities involving personal data, key data subjects or major data flows.
How can we help?
We have assisted a number of organisations across many industries with the assessment of their role in relation to processing, and with negotiating core business or high-priority data sharing agreements between controllers, data processing agreements between controllers and processors, or a combination of the two. Please contact the authors or your usual contact on the Squire Patton Boggs Data Privacy & Cybersecurity team for advice on documenting or negotiating these arrangements and roles.