Joint Controllers Under the GDPR
October 24, 2018

As many organizations have learned, on May 25, 2018, the EU implemented the General Data Protection Regulation (“GDPR”), which imposes obligations and liability on U.S. organizations that have control over EU residents’ personal data (“Controllers”) or that process EU residents’ personal data on behalf of other companies (“Processors”). The GDPR regulates how companies collect, use, and transfer the personal data of individuals located in the EU. The GDPR also imposes obligations on U.S. Controllers and Processors that either do business in the EU through local establishments or otherwise offer products and services to individuals in the EU. Among these obligations, Controllers and Processors are required to set forth certain provisions, procedures, and allocation of responsibilities in a written agreement between the Controller and Processor. See Article 28, GDPR. If your association acts as a Controller or Processor under the GDPR, then you have likely seen or participated in the execution of “Data Protection Addendums” that address these GDPR-related contractual requirements. According to the GDPR and supported by recent EU court decisions, there are also instances where two or more organizations may be acting as “Joint Controllers,” i.e., instances “[w]here two or more controllers jointly determine the purposes and means of processing.” Article 26, GDPR. In these situations, the GDPR requires Joint Controllers to “determine their respective responsibilities for compliance under [the GDPR] . . . by means of an arrangement between them.” Article 26(1), GDPR. This arrangement should “reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects.” Article 26(2), GDPR.
For associations subject to the GDPR, this issue may arise in a number of circumstances, including, among others: social media pages, events or projects organized by multiple parties, or projects undertaken on another party’s behalf. The primary test is whether two or more organizations jointly determine the purposes and means of processing subject to the GDPR.

Social Media Pages and the Recent Facebook Fan Page Decision

On June 5, 2018, the Court of Justice of the European Union (“CJEU”) upheld a lower court ruling that a German company with a fan page hosted on Facebook was a joint controller with Facebook regarding page visitors’ personal data processed by Facebook. Both this and the initial ruling by the German supervisory authority, the Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany (the “Supervisory Authority”), on November 3, 2011, were pursuant to Directive 95/46/EC (the “Directive”), the precursor to the GDPR. As the Directive had already imposed many obligations similar to the GDPR’s on Controllers and Processors located in the EU, authoritative interpretations of the Directive are applicable to the GDPR where, in cases such as this one, the underlying obligations are the same. The most relevant difference between the GDPR and the Directive for U.S. associations is that the GDPR now includes some non-EU organizations within its scope. In this case, the German company hosted a fan page on Facebook. As part of the terms of service with Facebook, the German company agreed for Facebook to use cookies that track and collect personal data from fan-page visitors.
While the German company did not have access to this raw personal data, Facebook was required to provide to the German company, upon request, aggregate anonymized data on visitors “including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers.” Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, para. 37 (CJEU June 8, 2018). Incidentally, Facebook’s practices at the time for collecting this data (even from visitors without Facebook accounts) were found to violate the Directive’s data privacy rules. The German company argued that Facebook was the sole Controller of the personal data collected by Facebook’s cookies. Ultimately, the Supervisory Authority and the CJEU found that the German company was a Joint Controller because its contractual right to request demographic data was tantamount to taking part in the determination of the purposes and means of processing visitors’ personal data. Id. at para. 75(1). Put differently, as the German company could ask for Facebook to process the visitors’ data in certain ways, the German company had some joint control over the data processing. Parenthetically, it appears that the Supervisory Authority’s real target was Facebook, but the Supervisory Authority in Germany was not clear on whether it could proceed against Facebook’s Ireland office. While Facebook had an office in Germany, Facebook’s Germany office apparently was not involved in collecting data from the fan page’s visitors. 
Facebook’s Ireland office was the culprit, in the Supervisory Authority’s eyes, but also possibly outside the Supervisory Authority’s jurisdiction under the Directive. Accordingly, the CJEU also held that the Supervisory Authority could proceed in a case directly against Facebook in Ireland, notwithstanding the fact that Facebook Ireland is regulated under Ireland’s data privacy agency. Since 2011, Facebook and other social media companies have changed their data privacy practices, particularly in light of the GDPR. Nonetheless, U.S. associations may be deemed to be Joint Controllers of personal data collected by social media companies where:
This decision also has applicability to how associations may be treated as Joint Controllers in other contexts, such as events and joint projects.

Joint Controllers in the Context of Events

When EU-based event attendees provide information for an event hosted by multiple organizations, the hosting organizations may be treated as Joint Controllers. For example, assuming that the data collection is subject to the GDPR, which is an issue unto itself:
Joint Controllers in the Context of Non-event Projects

First, the rules for Joint Controllers in non-event projects would be analogous to the examples for events above. If two or more organizations are jointly collecting and sharing personal data for their respective benefits and use, then they would likely be deemed Joint Controllers under the GDPR. Second, if an association engages in a project that involves the processing of personal data subject to the GDPR, it may be deemed a Joint Controller with sponsors or inactive partners of the project. For example: An association engages in a project involving research, surveys, or other collection and processing of personal data. The association is supported or sponsored by an organization that takes no active role in the project. As part of the agreement between the association and the organization, the organization has the right to request for the association to process project participants’ personal data to generate aggregate anonymized statistics. Based on the CJEU decision summarized above, the organization may be deemed to take part in determining how and why the association processes the project participants’ data. Accordingly, the organization and association may be deemed Joint Controllers.

Properly Addressing Joint Controller Issues

The GDPR does not explicitly require Joint Controllers to enter into a written agreement addressing Joint Controller responsibilities. Instead, the GDPR requires Joint Controllers to clearly allocate their respective responsibilities “by means of an arrangement between them.” Article 26(1), GDPR; see also Recital 79, GDPR. The GDPR also requires the Joint Controllers to make “[t]he essence of the arrangement . . . available to the data subject.” Article 26(2), GDPR. Nonetheless, under the GDPR’s general principle of “Accountability,” Controllers must be able to demonstrate compliance with the GDPR. See Article 5(2), GDPR.
Accordingly, Joint Controllers must be able to demonstrate to supervisory authorities that they entered into an arrangement clearly allocating their respective Controller responsibilities. Controller responsibilities would include, inter alia, communicating data breaches to supervisory authorities and affected data subjects, responding to data privacy requests, maintaining compliant arrangements with Processors, disclosing appropriate data privacy information to data subjects, and ensuring adequate safeguards for the transfer of data outside the European Economic Area (“EEA”). In light of this burden to demonstrate compliance, it may be prudent for Joint Controllers to address the allocation of responsibilities in writing. If the Joint Controllers do not allocate their respective controller responsibilities, this may constitute noncompliance with the GDPR. Furthermore, in the event that one Joint Controller violates the GDPR, other Joint Controllers may be subject to the full range of obligations and liabilities. If the Joint Controllers maintain a clear written arrangement of their respective responsibilities, then it is more likely that a supervisory authority would address a particular issue of noncompliance with the responsible Joint Controller rather than with other Joint Controllers who may not have been involved. Remember, in the Facebook fan page decision discussed above, the Supervisory Authority was ultimately seeking approval to proceed against Facebook’s Ireland office. With respect to communicating the “essence of the arrangement,” information on the joint controllers involved and their general level of involvement could be included in privacy policies or project/event-specific materials distributed to data subjects. If you have any questions regarding Joint Controller responsibilities or GDPR compliance, please feel free to contact GKG Law at (202) 342-5266 or okrischik@gkglaw.com.
© 2024 GKG Law, P.C. All Rights Reserved.