On the surface, the similarities between Facebook and Jehovah’s Witnesses are not obvious. The European Court of Justice (ECJ) has, however found one: they are both “joint controllers” of processing activities on personal data.
The most pressing issue in data protection is no longer the right to be forgotten, which in reality doesn’t exist in a digital world. The issue on everyone’s mind now is who is liable and, more specifically, how far their liability extends, with regards to compliance with data protection requirements.
Companies, public authorities and associations are considered as “joint controllers” when jointly determining both the purposes and the means of any personal data processing. The Article 29 Working Party, which comprises representatives of all EU data protection authorities, the European Data Protection
Supervisor, and a representative of the EU Commission, has attempted to pin down exactly what constitutes a data controller, acting either independently or jointly. In both cases, this is determined by the answer to two questions: why and how data processing takes place.
LEGAL, FINANCIAL AND STRATEGIC IMPACT
In two significant decisions rendered since the implementation of the General Data Protection Regulation (GDPR) in May 2018, the ECJ has ruled on who and what constitutes joint controllers. Until now, this had only been raised incidentally in a case involving Google in Spain.
The ECJ’s decisions will affect the overwhelming majority of EU Member States’ domestic legislation on data protection. Other than in a small handful of instances, most Member States’ national data protection authorities have never addressed, and some of them, including France, still do not provide for, express joint controllership of data, despite the GDPR specifically requiring them to have provisions in place.
Interestingly, the ECJ ruled that it is not “the mere fact of making use of a social network”, or being a member of a religious community, that makes an individual a joint controller who is partly responsible for the data processing carried out by that network or community.
Social networks become a joint controller, according to the ECJ’s June 2018 decision in GDPA v Wirtschaftsakademie, when an entity creates a fan page, which allows the social network to access via cookies the personal data of any visitor to that fan page, whether or not that visitor has an account with the social network.
"The entire online ecosystem is going to be affected."
For religious associations, according to the ECJ’s July 2018 decision in Tietosuojavaltuutettu / Jehovan todistajat Uskonnollinen, their operating procedures or even their relationships with their members, particularly when organising services, make themselves and the entity a joint controller, regardless of the existence of written instructions.
The determining factor is simple: a religious association or social network becomes a joint controller with a member or user when that member or user creates, for commercial or charitable purposes, an online public space that, in parallel, enables the association or network to collect third party data.
This is not entirely new information. In 2003, the ECJ ruled in Bodil Lindqvist v Åklagarkammaren i Jönköping that any online reference made by a religious association to their members’ private lives, in particular to their health, constituted the processing of personal data and was, therefore, subject to EU data protection requirements. Religious associations may have thought they are exempt from secular law, but they are not.
For technical service providers, the impact of the ECJ decisions is even greater. Their usual qualification as data controllers has been seriously challenged. By developing any tool, in particular one that is integrated and used on behalf of both their customers and themselves, they determine, or at the very least participate in, the purposes and means of data processing, even if they only intended to improve their services. In this situation, they will now be regarded as joint controllers, especially if they benefit from a wider audience thanks to the traffic generated to them from customers using their tools.
It’s clear that the opportunity to receive more traffic is the prerequisite for being defined as a joint controller. It is not the ability to access personal data, which the ECJ expressly rejected in Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH. It does not matter whether the data is processed as statistics, or even anonymously; it is enough that the aggregated data is transmitted between the service provider and the “customer.”
The entire online ecosystem is going to be affected, from cloud computing to fintech, biotech, medtech and intermediation platforms to targetedadvertising businesses. This shift is being confirmed by recent decisions of EU Member States’ domestic authorities. For example, the French Supreme Administrative Court ruled in June 2018 that online publishers that install cookies on their visitors’ terminals on behalf of advertisers are joint controllers. In July, the French Data Protection Authority, the CNIL, issued two formal notices requiring start-up companies, in their capacities of data controllers, to stop using further geolocation data for their own purposes without prior consent. But, where there is disruption, there is opportunity.
Although it’s not immediately obvious, joint controllership situations may also create several interesting opportunities.
Companies, public authorities, and associations should start to consider themselves not as data processors, but as joint controllers, and adjust their compliance to fit the requirements of this role. This will first strengthen the approach initiated by the GDPR, which focuses on the receipt and use of data and, accordingly, determine what role is undertaken by each party involved in this flow of data. It will also mean that entities have better control of risk by avoiding crisis-based requalification and sanctions that are not been adequately anticipated. All room for confusion and danger of noncompliance can therefore be removed from the outset.
"The opportunity to receive more traffic is a major element for being defined as a joint controller."
Under the GDPR, the times of the data controller being the sole offender are now over. The status of “data processor” is no longer a guarantee for service providers; they can now face fines and/ or damages. Under these circumstances, acting as a joint controller can provide significant protection, especially since situations involving joint controllers rarelycover all processing activities. Far more often they apply only to a few aspects, such as the common use of a database, with the parties being independent data controllers for any further use of the data for their own purposes. Joint controllership situations do not, according to the Wirtschaftsakademie decision, “Necessarily imply equal responsibility for the various operators involved in the processing of personal data,” but instead imply that “Operators may be involved at different stages of that processing of personal data, and to different degrees.” Joint responsibility can therefore be variable and modulated accordingly, more or less dependent on the management of the tool, but not necessarily on subsequent reuses of data, as each operator can remain independent data controllers for their respective processing.
The most significant opportunity is financial. Unlike the status of data processor, the status of joint controller allows service providers to reuse on their own behalf the personal data that is processed through their tools, without having to obtain the unilateral approval of their clients or users.