One of the trickiest questions for data protection practitioners advising clients in commercial deals which involve the transfer of personal data is identifying whether the receiving entity is a joint “data controller” or a mere “data processor” in a given scenario.
In complex 21st-century transactions, involving technology platforms not envisaged by the late-20th-century legislators, the line between a controller and processor may not be as clear-cut as it was when the legislation was conceived.
However, as Datonomy readers will know, the distinction is of critical practical importance: it will determine what contractual obligations the transferring entity needs to impose on the recipient; in the case of transfers outside the EEA, it will determine which set of model contracts should be used; and in liability terms, the buck will always stop with the data controller, as a processor has no obligations under the legislation.
The concepts and characteristics of controller and processor are set out – in very broad terms – in Directive 95/46/EC but until now there has been a dearth of guidance to help practitioners apply the concepts to concrete scenarios. For example, even the ICO’s recently updated Guide To Data Protection (see pages 27-29) only ventures a couple of simple scenarios by way of illustration.
So, the publication last month of the Article 29 Working Party’s Opinion 1/2010 on the concepts of “controller” and “processor” is, despite its rather arid title, pretty exciting news in the data protection world.
Because of its practical importance, the issue made its way on to the experts’ work programme for 2008-9; the Opinion aims to clear up some of the confusion, and iron out potential inconsistencies in the way regulators in different Member States interpret the concepts.
Datonomy is still working its way through the detail of the 33-page Opinion, but from a cursory reading is heartened to see that the gurus of the Article 29 WP (whose opinions are in theory non-binding but in practice very influential) have risen to the challenge and analysed the concepts of controller and processor by reference to no fewer than 26 different real-life commercial scenarios. These include data transfers in the context of call centres, social networks, financial transactions, CCTV, employee monitoring, behavioural advertising, health data platforms and clinical drug trials.
One conclusion is that, inevitably, identifying who is a controller (or joint controller) and who is a processor will always depend on the particular facts; however, the Opinion stresses that a “functional” approach should be taken to determining who is a controller – i.e. who has factual influence over the purposes for which and means by which personal data is processed.
Interestingly, the Opinion also concludes that the technologically-neutral concepts of controller and processor do stand the test of time. Datonomy would love to know if its readers agree.