Summary
In this article it is argued that the distinction between controllers and processors is problematic, particularly in the complex processing environment created by new technologies. The trend is towards regulators and the courts finding that parties are controllers rather than processors in order to ensure protection of individuals.
Organisations which fail to carefully consider whether they are a controller or a processor may be taking on legal risk and the potential for reputational damage.
Completing meticulous and realistic analysis and accepting controller responsibilities where appropriate may bring significant advantages. Organisations accepting controller responsibilities can use the processes and tools set out in data protection law to demonstrate that their technologies operate in ways that protect individuals’ fundamental rights (but also constitute, where appropriate, a proportionate interference in those rights). This can bring commercial advantages, promote trust and effectively manage legal risk.
The distinction between controllers and processors
The designations of controller[1] and processor[2] in data protection law are crucial. The central question for any processing of personal data is the impact of the processing on the individual and whether that impact can be justified on the basis of a number of criteria including in the public interest, the commercial interests of the organisation undertaking the processing, or the interests of third parties whose rights are also affected by the processing.[3] In data protection law this central determination is generally made by the controller. [4] The processor, by contrast, simply acts on the controllers’ instructions and has no interest in the data itself.[5] Once the contract between the controller and the processor has run its course the processor must return the personal data to the controller or destroy the personal data processed on the controller’s behalf.[6]
The controller and processor distinction is not simply a matter of choice. The parties must undertake a careful analysis of their roles in practice. [7] The designation of a party in a contract as a controller or a processor is therefore not determinative. Processors who overstep the mark and are perceived to be making choices about the use of the data may be deemed to be controllers.[8] Failure to correctly designate a controller as such represents a breach of the framework. It may also result in a loss of trust and consequent reputational damage, as well as liability under the UK GDPR’s administrative fines regime.[9]
Joint controllership
Where a number of entities work together to process personal data such that the processing is linked, the courts have found that they operate as joint controllers.[10] This is expressed by the courts as entities taking “common decision[s]” or “converging decisions”. [11] Where there are converging decisions these must “complement each other in such a manner that they each have a tangible impact on the determination of the purposes and means of the processing”.[12] The courts have found that entities were joint controllers where one organisation makes decisions about how personal data is used by developing guidelines or protocols for other organisations to follow.[13]Joint controllership has been established even where a party has no access to the personal data concerned.[14] However, a finding of joint controllership does not mean that all the parties bear the same responsibility for the processing. Instead, the level of responsibility must be assessed in light of all the relevant circumstances of the particular case. [15]
The processor designation – judgments of the courts
The courts have interpreted the concepts of controller and processor under data protection law in such a way as to ensure that individuals’ fundamental rights are properly protected.[16]An early example is the case of Google Spain.[17] The question before the Court of Justice of the European Union (“CJEU”) was whether a search engine was a controller or a processor. Google argued that it was just a processor: it had no knowledge of the data, and therefore did not exercise control over the data.[18]
The CJEU disagreed with Google’s arguments and found that Google was a controller of personal data. The CJEU reasoned that the activity of search engines played a “decisive role” in the “dissemination of the data” which would not otherwise have been possible without those tools. [19] The way in which the search engine made the relevant personal data available was ‘liable to affect significantly…the fundamental rights to privacy and the protection of personal data”.[20] In other words the search engine was a controller because of the significant effect which the technology had on the rights of individuals. The CJEU stated that a broad definition of the concept of a controller was consistent with the object of data protection rules which were to “ensure, through a broad definition of the concept of ‘controller’, effective and complete protection of data subjects”.[21]
More recent cases have expressed the concept of the controller as the entity which “exerts influence” over the processing for its own purposes, such that that entity is participating in decisions about the means and the purposes of the processing. [22]
The case law suggests that a court may find that where the tools used to process individuals’ personal data have a profound effect on fundamental rights, a court may designate the entity that makes that tool available as a controller in order to protect the rights of data subjects. This line of reasoning has the potential to diminish the ability of providers of new technologies to claim that they are processors where the effect of that technology on individuals is profound.
The role of controllers and processors – the view of the Information Commissioner’s Office (“ICO”)
The ICO (the UK’s data protection regulator) considered the controller/processor issue in the course of consulting on guidance on controllership in generative AI models. The ICO found that there was a risk that organisations deploying closed access AI models did not have meaningful control and influence over the processing. In those circumstances the ICO found that it was likely that the developer and deployer were joint controllers of the personal data processed within the models. [23] In taking this position the ICO rejected the argument from both trade membership bodies and the technology sector that developers would be processors at the deployment stage. It is likely that the ICO would take the same view in relation to other forms of new technologies.
The way forward
Those developing new technologies or partnering with others to deliver innovations should carefully consider the level of influence they have over the way in which personal data is processed. It may be preferrable from a legal and reputational risk perspective to accept the position of being a joint controller. Being a controller of personal data should not be a bar to innovation. Rather, it simply involves a process of considering the impact of the new technology on people’s rights and whether it is proportionate and justifiable. This process is often not as difficult as might first be thought. Data protection law concerns issues which are relatively easily understood such as the question of whether the processing is fair and transparent and whether people’s rights and interests have been properly considered. Organisations which demonstrate that their processing meets these requirements are likely to find that their careful work gives them a commercial advantage. It will also help to build a brand that consumers and business customers trust.
Source: Eleonor Duhs, Partner at Marks & Clerk