The European Data Protection Board (EDPB) adopted on September 2, 2020, its revised guidelines on the concepts of controller and processor under the GDPR (the Guidelines). "If knowing yourself is the beginning of all wisdom" (Aristotle), the EDPB is taking a philosophical route with the summa divisio under the GDPR, namely the one between controller and processor.
The Guidelines, if adopted in their current version, might require organizations to re-think the way they operationalized privacy compliance since the entry into force of the GDPR. As philosophical essays are not the preferred read for most, we highlighted what we think you should know about the Guidelines to test your appetite for a full read (or at least pique your interest in commenting on them). The Guidelines are under public consultation until October 19, 2020.
More of the Same, Controller or Processor
"Knowing yourself is the beginning of all wisdom" (Aristotle)
The Guidelines build on the previous Working Party 29 Opinion 1/2010 and reiterates the importance of a factual and pragmatic approach when assessing if one is a controller, i.e., when it determines the purposes and means of processing. The Guidelines provide additional flavors on how to differentiate between “essential” (e.g., types of data processed, duration of the processing, categories of recipients) and “non-essential” (such as what type of software should be used) means of processing.
“Essential” means puts you in the controller zone, “non-essential” can be left to the processor to decide on. The supporting examples provided by the Guidelines shouldn’t be controversial; one might, however, question whether this layer does not create more grey zones than legal certainties, knowing the variability of use in cases.
Challenging Existing Practices
"To every action there is always opposed an equal reaction" (Isaac Newton)
The Guidelines give practical requirements under Article 28 GDPR, i.e., on actual drafting and practices in data processing agreements (DPAs). The outcome might be challenging for existing practices. For example, the Guidelines suggest that changes to privacy terms cannot be done by a mere update of a website holding them; actual notification of the changes should take place. Similarly, the Guidelines question the admissibility of sub-processors lists, updated from time to time, with only an option for the controller to access it; according to the Guidelines, actual involvement when new sub-processors are added is necessary.
Whilst admittedly accountability and transparency are key pillars of GDPR, one could think they best protect data subjects (e.g., ensuring fair disclosure in privacy notices); in a B2B context, one might question the actual benefit such requirements would achieve. They will for sure be disruptive if adopted.
Outside of Comfort Zone, Joint Controllership
"Chaos is the score upon which reality is written" (Henry Miller)
The Guidelines capitalize on recent cases of the Court of Justice of the European Union (CJEU) (e.g., the FashionID) and provide for a broad interpretation of the concept of joint controllership. Controllers do not necessarily have to share the same purpose of processing for their relations to qualify as joint-controllers; joint controllership might be established when purposes are different but “closely linked and complementary.” Obtaining mutual benefit (when all of the parties have a say on determining purposes and means) would be enough according to the Guidelines.
The Guidelines also suggest that even if joint controllers enjoy a certain degree of flexibility in allocating responsibility (allowing even for imbalances), not all of them can be distributed. Considering the potential for liabilities that joint-controllership situations triggers, it is worth trying to identify adverse consequences now that the Guidelines are still in draft.
If you want to write your own philosophical essay or give a score to the one of the EDPB, access the public consultation, and enter the debate. You can access the consultation through an online form here.