The impact of the proposed Data Protection Regulation on technology and outsourcing services providers
Tech Bytes contents
- How to run a successful cookie audit
- Dot brand applications
- App-based payments: UK regulator issues guidance
- The impact of the proposed Data Protection Regulation on technology and outsourcing services providers
- UK "Call for Evidence" on Common European Sales Law: have your say
- Injunction against social networking site is too wide, rules European Court
“The Data Protection Directive doesn’t apply to processors”. You may have heard that statement many times and, if you are a processor, it may be music to your ears as you realise that you only have to think about contractual obligations and not the detailed requirements of the Directive. However, all that seems likely to change under the draft new Data Protection Regulation, which will make processors (as well as controllers) subject to the Regulation when they process personal data in the EU.
If the current proposals for the new regime are adopted, processors will have to document the relationship they have with controllers. They will also have to maintain documentation of all processing operations under their responsibility, including details of the purposes of the processing, a description of categories of individuals and a general indication of retention limits for the data.
This is potentially a sizeable burden, particularly for providers of cloud services. Is such a processor really required to keep in documentary form all necessary details about every single one of its potentially thousands of customers? Or is the processor only required to maintain this documentation for information within its reasonable control?
The proposed new framework envisages a greater role for regulators, and in that context, it's not surprising that processors will also be called on to cooperate with data protection authorities. However, under the current proposals, there is no direct requirement on processors to notify a security breach to the regulator. Instead the processor’s role is to alert and inform the controller after it establishes that there has been a data breach and it is for the controller to notify the breach to the regulator.
Although the draft Regulation emphasises that controllers bear ultimate responsibility for compliance with data protection principles, there are certain aspects of the new regime which seem to cut across this. So, a data protection authority has the power to order a processor to comply with an individual’s request to exercise their rights under the Regulation even though a processor is not, for instance, required to provide an individual with access to their personal data in the first place under the Regulation since the responsibility falls to a controller only.
In several areas the draft Regulation allows a controller to delegate certain activities to a processor. So, a processor may act on behalf of a controller in carrying out a data protection impact assessment. Or a processor may be instructed by a controller to consult with a regulator before commencing processing that presents a high degree of risk. Although such flexibility is welcome, processors and controllers would need to ensure that their contractual arrangements set out all the necessary mechanisms and procedures for when the processor acts on behalf of the controller in such circumstances. Additionally it’s not necessarily clear from the draft Regulation who would be ultimately responsible to the regulator where a processor acts on behalf of a controller in carrying out a privacy impact assessment or consulting with a regulator. The question of who bears the liability as between the controller and processor and in what circumstances as well as what indemnities are appropriate are all matters that would need to be addressed in the contract.
If the Regulation is implemented as drafted, processors will also have to get used to covering their backs from individuals and regulators. The Regulation envisages that processors could be sued by individuals in court as well as be subject to fines from data protection authorities. Ultimately, a processor could be liable for a fine of up to 2% of its annual worldwide turnover. So, for instance, if a processor intentionally or negligently fails to maintain the documentation that the Regulation specifies, it could receive a fine. If a processor intentionally or negligently processes personal data in violation of its obligations to process data on behalf of a controller, it could receive a fine. The prospect of receiving a fine for the processing it carries out is likely to focus the mind of a processor during its contractual negotiations with a controller.
In any event, the days of a processor being able to, in one sense, ignore the impact of data protection rules on its processing when carried out on behalf of controllers are unlikely to return.