The European Data Protection Board has published new guidance on the concepts of controllers, processors and joint controllers. While the definitions of these terms did not change under the General Data Protection Regulation, this is the first update to the guidance since a series of European Court of Justice decisions last year broadening the scope of joint controllership.
The Guidance also covers the consequences of attributing different roles and contracts between controllers and processors. This blogpost looks at the section dealing with joint controllers.
The ECJ cases considered three scenarios:
- a business including a Facebook "like" button on its website
- an organisation creating a Facebook Fan Page (ie a Facebook page for a business or other organisation that people can like and follow)
- organised door to door preaching by Jehovah's Witnesses, and the interplay between the central Jehovah's Witnesses community and local groups
In each case, the ECJ held that the relationship was one of joint controllership. In the case of a business including a Facebook like button on its website or creating a Facebook Fan Page, the business is a joint controller with Facebook.
Similarly, in the Jehovah's Witnesses case, the ECJ held that the local group and the community were jointly responsible for the collection of personal data in relation to door to door visits, even though that personal data was never shared outwith the local group.
Each of these cases arguably applied a broader interpretation than was previously understood.
Prior to GDPR, there were no formal requirements in relation to joint controller arrangements. However, under Article 26 of GDPR, joint controllers have to determine their respective roles and responsibilities in relation to compliance with data protection law and the relationship with the data subject. The arrangements should be explained to the data subject.
It is therefore important that organisations know when a relationship is one of joint controllership.
What does the new guidance say?
Firstly, the guidance notes that it is not necessary for an entity to have access to personal data in order for it to be a joint controller. In the Jehovah's Witnesses case, the religious community did not have access to the personal data collected by members, but had participated in the determination of the purposes and means of processing, through the organisation and cooperation of activities to achieve the community's overarching objectives.
Secondly, the guidance emphasises that joint responsibility does not equate to equal responsibility. While entities can be joint controllers, they are only joint controllers in respect of the processing that is jointly determined.
As an example, a website operator that incorporates a social media network's sharing button on its website is jointly responsible for the collection and transmission of a user's personal data to Facebook, but it is not jointly responsible for what that social media network then does with that personal data.
Clearly, this will create some tensions, as it is the website operator's responsibility to provide a privacy notice in respect of the sharing of personal data, and to collect valid consent where consent is being relied upon, but the website operator may have limited information on the processing that is then carried out.
When does joint controllership arise?
Joint controllership can arise in two scenarios:
- firstly, where the parties are involved in the same processing operation for jointly determined purposes
- secondly, where there is no single processing purpose, but the purposes are closely linked or complementary.
In this section of the guidance, the EDPB again references the Fashion ID case in relation to social plug-ins on websites. The purpose of using the plug-in is to "optimize the publicity" of the website operator's goods through making it easier to share them on the social media network. The processing is therefore in the economic interests of both the website operator and the social media network.
Following on from this, selecting a platform can make you a joint controller with the operator of the platform, even if you do not know what the platform is doing with the personal data that it receives. If a business creates a page on a social media network, then by defining the parameters of the target audience and promoting its activities, the business will be taking part in the determination of the purposes and means of processing of personal data of visitors to that page, even though the business may not have direct access to that personal data.
Up until this point, the guidance essentially repeats what the ECJ has said.
However, the EDPB goes on to state that just because you use a common system or dataset does not mean you will always be a joint controller.
Practical examples of joint controllers
If the processing is separable and could be carried out by one party without the other, then the parties may not be joint controllers.
On this point, the EDPB gives the example of a travel agent. It will send personal data to airlines and hotels to enable reservations to be made. However, each entity is processing for its own purpose and uses its own means. Each is a controller in its own right and there is no joint controllership.
Similarly, if a service provider has no purpose of its own for carrying out the processing (other than the commercial benefit of fulfilling the contract), then it is likely to be a processor.
In another example, if a group of companies use a common marketing database, then they will be independent controllers, provided that the data is ringfenced for each entity and they each exercise control over the data that they store in the database. There is no common purpose.
On the other hand, if the travel agency, hotel chain and airline were to jointly create a common platform to provide the same deals and agree to share data on their customers, then they will be jointly determining the processing and will be joint controllers.