Changes brought about by GDPR: increasing liability for data processors
The General Data Protection Regulation (GDPR) has increased the liability of data processors, imposing direct regulatory obligations and leading to a more complex and accountable data protection regime for both controllers and processors.
Background
A data processor is an entity that processes data on behalf of a data controller, who actually determines the purposes and means of processing personal data. Typically, a data controller is an organisation or business, while a data processor is often a third-party company providing a specific service on the instructions of the controller.
Under earlier data protection laws, only data controllers were held accountable for data breaches. However, since 2018, data processors face direct regulatory obligations under GDPR and can be fined or required to pay compensation for data breaches either in their own right or concurrently with data controllers.
What is the status and evolution under GDPR?
Under GDPR, a data controller may be fined for unlawful processing carried out by its processor. The controller is responsible for processing conducted on its behalf. However, the processor is liable for damages caused by processing when it has acted outside or contrary to the lawful instructions of the controller, or when it has not complied with obligations specifically directed at processors under GDPR.
Data processors are liable when they breach their duty to act on controller instructions and when they process any of the controller's personal data without written permission. In fact, processing personal data outside of a Data Processing Agreement effectively means becoming a data controller for such processing activity. For instance, if the processor starts gathering additional personal data that it has not been instructed to collect or processes personal data in a way that has not been instructed, in accordance with GDPR, it will be considered a data controller.
On the other hand, while the core obligations under GDPR apply to controllers, it also imposes several legal obligations directly on data processors, including informing the data controller about any data breaches, processing personal data securely, cooperating with Data Protection Authorities, employing a Data Protection Officer and/or EU Representative if appropriate, keeping records of data processing activities and conducting due diligence when hiring subprocessors. Failing to fulfill these obligations could result in a data processor being liable to pay compensation to data subjects or fines to a Data Protection Authority.
An additional issue concerns influential processors with substantial resources located outside Europe, generally in the US, where extraterritorial enforcement is more complex. GDPR states that it applies to the processing of personal data in the context of the activities of “an establishment of a controller or a processor” in the EU. Accordingly, it is easier for regulators to fine a controller based in the EEA for inadequate transfer mechanisms to discourage the use of these “problematic” third-country processors. Examples include fines against Swedish telecom companies using Google Analytics, the Portuguese National Institute of Statistics using Cloudflare, and an Italian university using US exam surveillance software during the pandemic.
Initially, only a few fines were imposed on processors. However, this trend is rapidly changing, with regulators increasingly targeting processors for compliance failures, leading to more significant fines and enforcement actions against them.
What is the relevance of this change?
The importance of this change, which will eventually lead to a complex regime where both the controller and the processor have distinct obligations regarding the data they handle, cannot be overstated.
It is often seen as unjust that powerful processors leave data controllers bearing most of the risk, particularly when controllers have limited ability to negotiate contractual terms with providers. For instance, in 2022, a €1.5 million fine was imposed on a French software provider following a major leak of sensitive information, partly due to the inadequacy of the processor's terms and conditions of sale.
Additionally, some powerful data processors engage in multiple processing activities involving various data controllers. In this context, applying fines directly to processors can be more effective in holding significant players accountable.
There are, however, drawbacks to consider. Service providers in sectors such as outsourcing or data warehousing will need to carefully assess the impact of their specific obligations under GDPR. This will inevitably lead to higher administrative and internal costs for processors, which are likely to be passed on to their customers. Data controllers who contract these services will face increased costs. Therefore, a very careful contractual allocation of responsibilities is essential for controllers and processors. This ensures that both parties are clear on their obligations and the potential consequences of non-compliance, leading to a more balanced and fair data protection landscape.
Conclusion
As GDPR enforcement continues to evolve, both data controllers and processors must remain vigilant in understanding and fulfilling their respective obligations. Controllers should exercise due diligence when selecting and contracting with processors, ensuring that data processing agreements clearly define responsibilities and include robust safeguards. Processors, on the other hand, must be meticulous in adhering to instructions and complying with GDPR requirements to avoid the risk of substantial fines. Entities should invest in continuous monitoring, compliance training, and thorough contractual arrangements to mitigate risks and maintain a balanced, and compliant data protection framework.
For more information, please visit our website microsite on Data Protection & Cyber Law or send your queries to [email protected]