“The Data Protection Directive doesn’t apply to processors”. You may have heard that statement many times and, if you are a processor, it may be music to your ears as you realise that you only have to think about contractual obligations and not what the stuffy old DP Directive requires. However, all of that seems likely to change under the draft new Data Protection Regulation. From the first few Articles of the Regulation it is clear that a processor (as well as a controller) is subject to the Regulation when it processes personal data in the EU.
A number of the obligations that processors face under the Regulation reflect the existing data protection framework. For instance, processors as well as controllers are required to document in writing the relationship between them – similar to the obligation currently placed on controllers by Article 17(4) of the EU Data Protection Directive. But there are also new obligations that affect both controllers and processors. For example, both parties must maintain documentation of all processing operations under their responsibility. This could potentially be quite a burden for a processor. The documentation that must be maintained includes details such as the purposes of the processing, a description of the categories of individuals concerned and a general indication of the retention limits for the data. This may be all very well if a processor is performing a straightforward outsourcing for one single controller and such details are readily accessible. But what about a processor that is a cloud computing provider? Is such a processor really required to keep in documentary form all the necessary details about every single one of its potentially thousands of customers? Or is the processor only required to maintain this documentation for information within its reasonable control?
Under the Regulation, processors are required to cooperate with data protection authorities, which won’t be surprising in view of the greater role regulators play in the new framework. However, significantly, there is no direct requirement on processors to notify a security breach to the regulator. Instead, the processor’s role is to alert and inform the controller after it establishes that there has been a data breach, and it is for the controller to notify the breach to the regulator. Although the tenor of the Regulation emphasises that controllers bear ultimate responsibility for compliance with data protection principles, there are certain aspects which seem to cut across this. For example, a data protection authority has the power to order a processor to comply with an individual’s request to exercise their rights under the Regulation, even though the Regulation does not itself require a processor to provide an individual with access to their personal data in the first place, since that responsibility falls on the controller alone.
In several areas the Regulation allows a controller to delegate certain activities to a processor. So, a processor may act on behalf of a controller in carrying out a data protection impact assessment (PIA). Or a processor may be instructed by a controller to consult with a regulator before commencing processing that presents a high degree of risk. Although such flexibility is welcome, processors and controllers will need to ensure that their contractual arrangements set out all the necessary mechanisms and procedures for when the processor acts on behalf of the controller in such circumstances. Additionally, it is not necessarily clear from the Regulation who would be ultimately responsible to the regulator where a processor acts on behalf of a controller in carrying out a PIA or in consulting with a regulator. Who bears the liability as between the controller and the processor, in what circumstances, and what indemnities are appropriate are all matters that will need to be addressed in the contract.
If the Regulation is implemented as drafted, processors will also have to get used to covering their backs against individuals and regulators. The Regulation envisages that processors can be sued by individuals in court as well as be subject to fines from data protection authorities. Ultimately, a processor could be liable for a fine of up to 2% of its annual worldwide turnover. So, for instance, if a processor intentionally or negligently fails to maintain the documentation that the Regulation specifies, it could receive a fine. If a processor intentionally or negligently processes personal data in violation of its obligations to process data on behalf of a controller, it could receive a fine. The prospect of receiving a fine for the processing it carries out is likely to focus the mind of a processor during its contractual negotiations with a controller. In any event, the days when a processor could, in one sense, ignore the impact of data protection rules on the processing it carries out on behalf of controllers are unlikely to return.