
ICC Task Force on Privacy and the Protection of Personal Data

Summary of the Workshop on the Distinction between Data Controllers and Data Processors

Paris, Thursday 25 October, 2007

Introduction

The ICC Task Force on Privacy and the Protection of Personal Data invited approximately 40 representatives of international companies, data protection authorities, EU institutions, other governmental authorities (such as central banks), and law firms to the workshop, which was held at ICC headquarters in Paris under the leadership of Task Force chairman Christopher Kuner. The workshop was organized following input from companies that a lack of clarity in distinguishing between the concept of “data controller” and “data processor” is currently creating significant difficulties for business.

The meeting was informal and off the record, and all participants spoke in their personal capacity and not on behalf of the institutions for which they work. The following summary reflects issues and themes which were brought up during the discussion, and which deserve further consideration and investigation.

General Points

The workshop demonstrated that there is considerable diversity in understanding the criteria for determining when a party acts as a “data controller” or “data processor”, and that such diversity creates difficulties in practice. Participants made the following general points concerning the distinction between the concepts of data controller and data processor:

· Legal flexibility vs. legal rigidity: Some participants stated that the European legal framework for distinguishing between data controllers and data processors is too rigid, since it requires that parties be classified in either one category or the other. Other participants felt that the framework is founded on general concepts which are flexible enough to cope with most situations.

· Key elements of the distinction: Some participants stated that, as soon as a service provider which processes data for a customer makes any decision regarding the most appropriate way to provide its services (including choices relating to technology and those dictated by economic reasons), it no longer acts upon instructions and should be considered a data controller. Other participants found that the choice of the most appropriate means of providing services is inherent in the activity of any data processor, and that, as long as such parties do not decide on purposes going beyond those contained in the instructions provided to them by the data controller, they should be considered to be data processors.

· Importance of the controller/processor distinction: Some participants stated that the distinction between whether a party is a data controller or a data processor has profound practical consequences. Other participants noted that the law allows enough flexibility so that the distinction should not have major negative consequences for business transactions.

· Dealing with complexity: It was recognized that data processing is becoming ever more complex, and that the legal framework must be able to cope with such complexity. Some participants stated that, in complex data processing operations, the party that is closest to the individual is the best placed to comply with the obligations of a data controller (such as providing information about data processing).

· Role of contracts and party autonomy: It was stated that the characterization in a contract of a party as a data controller or a data processor is relevant, but not determinative, in determining such party’s status, and that it is necessary to examine the facts of each case to reach a definitive conclusion. Participants stated that there is a need for a default rule to determine whether a party is a data controller or a data processor in cases where there are no contractual arrangements between them.

· Abolition of the distinction between controller and processor: Some participants stated that the distinction between data controller and data processor is artificial, and it would be preferable to have a single category of party processing personal data whose rights and obligations are determined under the facts in each case and in accordance with general legal principles; other participants disagreed with this proposal. In addition, some participants complained that a kind of default position has emerged whereby a party which cannot be easily classified as a data controller or a data processor is automatically considered to be a data controller.

· Controller/processor distinction is left too late in the day: Some participants stated that in business situations, parties often structure transactions without considering soon enough whether the entities processing personal data are data controllers or data processors. Other participants added that companies need clear rules for making this distinction.

· Interpretation of the conditions for being a data controller: Article 2(d) of the EU Data Protection Directive 95/46/EC defines a data controller as a party which “alone or jointly with others determines the purposes and means of the processing of personal data”. Some participants pointed out that this means that a party should only be considered to be a data controller if it determines both the purposes and means of data processing. Other participants thought that in certain cases, a party could be a data controller if it determined either the purposes or the means of data processing. It was further stated that the most important element is determination of the purposes of processing. Some participants felt that the purposes could be determined by one party and the means by another, and that both should be qualified as data controllers to avoid a situation where there is no data controller. Others felt that the decision to select a service provider is in effect a decision on the means of processing, hence always ensuring that a single party determines both purposes and means.

· Level of detail in analyzing the purposes and means of processing: Some participants indicated that decisions on the purposes and means of processing should be evaluated at each stage of the data processing chain, while others found that the overall picture of a data processing situation should be examined to determine whether a party was a data controller or a data processor.

· Role of joint controllers: There was discussion of the rights and liabilities of parties who may be considered to be joint data controllers. Some participants stated that it is possible to apportion responsibility between joint controllers so as to minimize the legal risks for any individual controller. Others pointed out that any such apportionment is still subject to mandatory legal rules, so that the legal risks for joint controllers are difficult to determine. It was further stated that many countries do not even seem to recognize the concept of joint data controllers in their national law, and that there is a lack of experience and precedent as to the practical consequences of being a joint controller.

Case Studies

Participants discussed the following three case studies, which were drafted to cover legal issues that often arise in practice, but were not intended to reflect actual cases. It is recognized that the facts for each case are incomplete and may give rise to different interpretations. Participants were invited to consider the following questions for each case study:

- Which parties should be considered to be data controllers and which ones should be considered to be data processors?

- For the parties that you consider to be data controllers, how do they determine the purposes and means of processing personal data? For the parties that you consider to be data processors, which factual elements lead you to this conclusion?

- Consider also whether each data controller determines the purposes and means of processing personal data alone, or jointly with others. To what extent may data protection responsibilities be allocated by agreement between joint controllers or joint processors?

- What are the practical implications for each party in being a data controller, data processor, joint controller or joint processor? What steps does each party need to take to ensure that it complies with the law?

The discussion points reflect issues and questions that were raised during discussion of each case study.

Case Study 1

Outsourcing Company provides outsourcing services to multinational companies, including to Global Corporate Inc. In particular, Outsourcing Co. provides the following services:

- Outsourcing Co. hosts the employee database of Global Corporate on Outsourcing Co.’s servers inside the EU. In order to ensure service around the clock, Outsourcing Co.’s technicians located in services centers in India, Singapore, Australia and the US have access to the database after business hours in Europe, in case any technical problems arise.

- The companies have also contracted for Outsourcing Co. to prepare certain reports based on the employee data for the benefit of Global Corporate. Outsourcing Co. prepares the reports based on detailed instructions from Global Corporate contained in an Annex to the commercial agreement between the Companies.

- The commercial agreement between the parties contains the following clause: “Outsourcing Co. shall be a data processor for Global Corporate, and Global Corporate shall be the data controller. Outsourcing Co. shall process the data only as it is instructed by Global Corporate. Outsourcing Co. shall also use industry-standard security measures to safeguard such data”.

- Outsourcing Co. has contracted with Data Processing Co. to operate certain of its data centers. The two companies have provided in their commercial agreement that Data Processing Co. must observe all legal and contractual protections for data processing that Outsourcing Co. is itself obligated to observe. Outsourcing Co. has informed Global Corporate of its use of Data Processing Co.’s services, and Global Corporate has consented to this arrangement.

Discussion points

· It was stated that at first glance, it might seem that Global Corporate is a data controller, while Outsourcing Co. and Data Processing Co. are both data processors. However, it was added that it would be necessary to look more closely at the facts to confirm this analysis, and that this might result in one or both of them being reclassified as data controllers.

· It was generally agreed that Global Corporate should be considered to be a data controller for the data of its employees, and the local subsidiaries of Global Corporate should be considered data controllers for the personal data of their employees.

· There was discussion of what importance the fact that a party provides an “added value service” should have in deciding whether to classify it as a data controller or a data processor. Some argued that the fact that a party carries out an added function, or one which the original data controller could not do itself, should mean that such party should be considered to be a data controller as well. Others disagreed, stating that this criterion was not contained in the legal definition of data controller, and that providing “added value” is in fact the only way for a party to differentiate its services from others and thus stay in business, so that using this criterion would mean that no party would ever be considered to be a data processor.

· It was stated that it would be crucial to investigate whether Global Corporate had provided detailed data processing instructions to Outsourcing Co., and that doing so would increase the chances that Outsourcing Co. should be considered to be a data processor rather than a data controller.

· It was also stated that it would be crucial to determine whether the outsourcing of the database had been decided upon solely by Global Corporate, by the subsidiaries of Global Corporate, or by all of them.

· Some participants stated that the confusion about which parties are data controllers and which are data processors makes it more difficult to deal with data transfer issues (e.g., whether the parties should use the controller-to-controller standard contractual clauses or the controller-to-processor clauses), as well as with issues of applicable law.

· Questions were raised as to whether the technicians located outside the EU who access the database of Global Corporate should be considered to be data controllers or data processors. Some participants stated that such technicians are only a means to achieve the purposes of data processing as defined by Global Corporate.

· It was stated that the operation of the data processing centers of Outsourcing Co. by Data Processing Co. means that a data transfer has taken place to Data Processing Co. Differing views were expressed as to what steps should be taken to provide a legal basis for such a transfer between two data processors. Some participants expressed the view that the original data controller(s) would have to conclude contractual clauses with Data Processing Co., while others stated that it would be sufficient to have Outsourcing Co. conclude them with Data Processing Co. Some participants expressed the need for recognition of model clauses for processor to processor transfers and of multi-party agreements based on the model clauses.

Case Study 2

Interlink Co. is a service provider to the travel industry, and has contracts with thousands of travel agents and hotels around the world, who are all connected to Interlink’s network. Interlink serves as a go-between so that its customers that do not have direct contractual relationships can exchange messages among each other. The following are the relevant facts:

- Individuals, who have contractual relationships solely with their respective travel agents, book hotel rooms via their travel agents. Interlink has contractual relationships solely with the hotels and travel agents, but not with individuals.

- A travel agent receives instructions from an individual to book a hotel room, which it then transmits to the hotel via Interlink’s network; the hotel may also communicate with the travel agent via Interlink. Interlink merely transmits the messages without changing them, but does automatically scan them by a computerized procedure to ensure that they meet certain standardized parameters (e.g., that the correct date format and hotel codes are used).

- Interlink’s contracts with its hotel and travel agent customers contain the following clause: “In forwarding messages, Interlink shall act as a data processor, and the customer is the data controller. Interlink shall forward messages solely as instructed by the customer. Interlink shall review the messages on an automated basis solely to ensure that certain standardized parameters agreed with the customer are followed.”

Discussion points

· Some participants stated that Interlink should be considered to be a data processor, since it merely forwards messages between parties and is operating under the instructions of its customers. Others stated that Interlink should be considered to be a data controller, since it probably makes decisions about data processing, and classifying it as a data processor would mean that there would be no party that could take legal responsibility for its data processing.

· Comments were made that if Interlink were considered to be a data controller, it would be difficult to determine a clear legal basis for its processing of personal data.

· It was remarked that Interlink might have established an archive or backup service which would store messages for a substantial time period, and that if this was the case, then Interlink should be considered to be a data controller with regard to such archive. However, some participants stated that Interlink might not be a data controller if the archive was established and run based on instructions and standards imposed by Interlink’s customers.

· Questions were raised as to which other parties might be considered to be data controllers (e.g., hotels, travel agents, etc.).

Case Study 3

Global Telco is a multinational telecommunications service provider with offices around the world that provides services to large multinational companies. The following are the relevant facts:

- Global Telco runs and operates the telecommunications lines on which the communications of its clients are carried in major markets around the world, and does not process their data in any other way (except for the processing of traffic data for billing purposes). Its services include providing backbone lines of its own, leasing lines from third parties, and running the technical infrastructure necessary to keep such lines operational.

- Global Telco’s contracts with its customers contain the following clause: “In operating the telecommunications lines over which the Customer’s communications are carried, Global Telco acts solely as a data processor, and the Customer is the data controller. Global Telco may not access the communications except as is necessary to maintain the technical functionality of the lines or to comply with legal obligations. Global Telco shall also use industry-standard security measures to safeguard the confidentiality of such data”.

- A law enforcement agency in Country X (where Global Telco operates) has recently ordered Global Telco to allow it to scan through e-mails and other messages that are transmitted via its lines in order to search for terrorist communications. Country X is located outside the EEA and its law does not provide an “adequate level of data protection” under EU standards. After satisfying itself that the order is in accordance with the law of Country X and that it would have little chance to successfully challenge it in court, Global Telco has complied with this order. It has not informed its clients in Country X and other countries about the order, because it was expressly asked by the law enforcement agency to keep it confidential.

Discussion points

· It was stated that in carrying out its normal business, Global Telco should be considered to be a data processor, but some participants stated that turning over personal data to the law enforcement agency might make it a data controller.

· It was pointed out that requests to reveal data to law enforcement are a common occurrence not just in the telecommunications industry, but in all sectors. Some participants pointed out that in such cases, the law enforcement agency determines the purposes of data processing.

· Some participants stated that revealing the existence of a law enforcement subpoena may constitute “tipping off”, which is a criminal offense that carries severe penalties.

· It was stated that the apparent conflict between data protection law and the duty to reveal personal data to the law enforcement agency is a political issue that Global Telco cannot resolve by legal means. Some participants stated that companies have to live with being caught between conflicting legal requirements since they also reap the benefits of operating internationally, while others said that it is intolerable for a company to be caught in such a position and solutions to being caught between conflicting laws (such as via international treaties) have to be found.
