Can the GDPR's Main Players still fulfil their Roles Effectively in an Era Characterised by Developments such as the Blockchain and the Internet of Things?
This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and must be complied with by 25 May 2018.
This issue focuses on the main players under the GDPR, namely (joint) data controllers, processors and subjects as well as representatives, recipients and third parties. Skip to the end for a quick overview of the main takeaways and to do's.
The main players: data controllers, processors and subjects
Data controllers and processors
Like under Directive 95/46, data controllers and processors remain the main players.
The definitions of these terms are unchanged. A controller is still defined as "a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data", while a data processor is defined as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".
The main difference with Directive 95/46 is that data processors now have more obligations. Under Directive 95/46, controllers were almost solely responsible for ensuring data protection compliance, while the processor's obligations were limited to implementing appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, and unauthorized disclosure or access. More information on the processor's obligations under the GDPR will be provided in a later issue of this newsletter.
The GDRP contains specific provisions on joint controllers. It indeed follows from the definition of controller that this activity may be exercised jointly. In other words, various entities may determine the purposes and means of the processing, in which case they are obliged to determine their respective responsibility for compliance with the GDPR by means of an arrangement. While the GDPR does not expressly state that the controllers' agreement must be in writing, a written agreement would appear indispensable pursuant to the accountability principle.
Retention of outdated concepts
Unfortunately, the European legislature decided not to change the fundamental functions of data controllers and processors, despite the fact that these roles have not kept pace with processing practice and new technological developments. When data processing was limited to basic situations (e.g. company X asked company Y to send an email to consumers on its behalf), the concepts were useful as the roles were clear (X was the controller and Y the processor). However, it goes without saying that this is no longer the case in complex situations involving new technologies such as the blockchain, the Internet of Things (IoT), big data and the like.
For example, the blockchain, a public ledger, is characterized by the absence of a single controlling entity. All participants in the blockchain can exercise control over the technology. Under these circumstances, each individual participant could be considered a data controller, but it is immediately clear that such a presumption is untenable in practice.
Similar problems arise with regard to the IoT. Who is the controller when data processing is performed by a smart fridge - the manufacturer, the software provider, or the family that bought the appliance? This question is even more difficult to answer when it comes to large IoT structures such as smart cities.
With regard to big data, the roles of processor and controller cannot be clearly defined either. Who controls the data - the entity collecting it, the data analyst or the entity that ordered the analysis?
Given the foregoing, we believe a pragmatic solution would be to consider many data processing activities to be subject to joint controllership. However, it should be noted that in scenarios with a large number of possible controllers, this will not be a workable solution either.
The GDPR was conceived to protect individuals whose personal data are being processed. Like under Directive 95/46, these individuals are referred to as data subjects. The GDPR offers protection to living identified or identifiable natural persons. In other words, deceased persons and legal entities are not eligible for protection.
The stand-ins: representatives
As indicated in the first issue of this newsletter, non EU/EEA-based controllers and processors that are caught by the GDPR must appoint a representative in the EU/EEA. This obligation does not apply if (i) the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing, or (ii) the controller is a public authority or body.
The representative must be designated in writing and must be established in an EU/EEA member state where the subjects whose behaviour is monitored, or whose personal data are processed in relation to the offering of goods or services to them, are located.
In addition, the representative must be mandated by the controller or processor to be addressed in addition to or instead of the controller or processor, in particular by supervisory authorities and data subjects, on all issues related to processing for the purpose of compliance with the GDPR. This includes a duty for the representative to cooperate with the competent supervisory authorities, which have the power to order the representative to provide any information they may require in order to perform their tasks effectively.
Supporting players: recipients and third parties
A recipient is defined as "the natural or legal person, public authority, agency or another body, to which the personal data are disclosed whether a third party or not". Public authorities receiving personal data in the context of a particular inquiry in accordance with EU or member state law are not regarded as recipients. This refers to public authorities, such as tax and customs authorities and financial market authorities, receiving personal data necessary to carry out a particular inquiry in the general interest, in accordance with EU or member state law.
Recipients do not play per se an active role under the GDPR. However, they are nonetheless an important player as the controller and processor have duties to inform data subjects about the recipients to which their data are disclosed. In addition, the controller may need to inform the recipient of any rectification to or erasure of personal data or restrictions on processing. Therefore, the controller must be able to identify all recipients of the personal data it processes.
Of course, depending on the circumstances, the recipient may itself be a data controller or processor, in which case it may be caught by the GDPR if it falls under the Regulation's territorial scope.
A third party is defined as "a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data."
In principle, a third party is a person with no specific legitimate grounds or authorization to process personal data stemming, for example from its role as a controller or processor. In other words, a third party is a person that was originally not supposed to process personal data. However, a third party that receives personal data - either lawfully or unlawfully - will in principle be a new controller (provided it falls under the GDPR).
Takeaways and to do's
Controller: a person determining, alone or jointly, the purposes and means of the processing and having the most obligations under the GDPR.
Processor: a person processing personal data on behalf of a controller and having a number of obligations under the GDPR.
Data subject: an identifiable or identified living natural person whose personal data are processed and who enjoys protection under the GDPR.
Representative: a person appointed by a non-EU/EEA-based controller or processor that is required to comply with the GDPR. The appointment of a representative is mandatory in certain cases.
Recipient: any person to which personal data are disclosed (including within an organisation). Depending on the circumstances, the recipient may also be a controller or processor.
Third party: any party to which personal data are disclosed other than the data subjects, controller, processor and persons who, under the direct authority of the controller or processor are authorised to process personal data. Upon receipt of personal data, the third party will in principle be considered a new controller (provided it falls under the GDPR).
Relevant articles and recitals
Definitions: Article 4 (1), (7), (8), (9) and (10)
Recipient: Recital 22 and Articles 13, 14, 15, 19 and 30
Joint controller: Article 26
Representative: Recitals 80 and 139 and Articles 27, 31 and 58.