The issue of liability is not new under EU privacy law. It is present in the current Data Protection Directive, but it has been substantially overhauled in the General Data Protection Regulation.
A research article by Mr Brendan Van Alsenoy shed some light on the issue.
The Data Protection Directive
Under the current set of rules, controllers are liable for damages unless they can prove that they are not responsible for the event that caused the damage. Processors are not explicitly covered by these liability provisions, not even when they disregard the controller’s instructions.
Additionally, controllers are generally responsible to data subjects in any case where unlawful processing was performed, either by the controller or by someone else.
Even if a processor is responsible for an unlawful action, the controller is the one who has to assume responsibility. The DPD views processors merely as passive participants in processing operations. Since this responsibility cannot be ‘passed on’, it is called a ‘non-delegable duty of care’.
Controllers are generally not protected against processors failing to do their allotted share of the work, i.e. when they fail to adhere to the instructions for processing. National laws, however, may contain provisions that hold processors accountable. In most cases, though, controllers will be left to foot the bill and will have to seek damages from the processor on the basis of their mutual contract.
On the other hand, not all processors’ actions are similarly ‘protected’. Processors that mishandle data provided by the controller and use it for their own purposes, contrary to contractual provisions, are treated as data controllers in their own right. These ‘rogue processors’ can then be sued for damages by the affected individuals, but the original controllers are also ‘on the hook’, since the principle of strict liability still applies.
Luckily for dishonest data processors and controllers, it can be very difficult for data subjects to prove any wrongdoing, since the data subject is the one who must prove that the data was processed unlawfully, that damage occurred as a result of that processing, and that the defendant is indeed the relevant data controller.
The GDPR and Liability
The GDPR technically mandates unlimited liability for all damages incurred as a result of wrongful processing that is the result of the controller’s or the processor’s gross negligence and/or bad faith.
Article 5(2) states that it is the controller who ultimately bears the accountability for data they have on hand. Still, they can be absolved of the responsibility if they can prove they are not “in any way responsible for the event giving rise to the damage” (Article 82).
Obviously, these liability provisions fall upon the shoulders of data controllers. As a result, they have led controllers to draft contracts with their data processors containing unlimited liability clauses. In theory that looks fine, but of course most processors would be unable to make good on such a promise.
However, compared with the DPD, the GDPR allows for ‘cumulative liability’, which means that data processors can also shoulder the blame. But that is a Pyrrhic victory for data processors, since both can now be prosecuted for their part of the blame (technically, they could both be liable for the full damages).
Cyber insurance could emerge as a budding industry, as companies seek to reduce their risk by paying nominal sums of money for relative peace of mind.
All in all, the GDPR does not deviate much from the basic principle of strict liability, as outlined in the DPD.
Burden of Proof
The liability of the controller depends on the evaluation of the risk posed by their processing activities. Controllers do have to take reasonable steps, for example, to notify other controllers of data subjects’ requests to be forgotten.
Controllers must be able to prove their compliance with the GDPR, and once the data subject provides evidence that unlawful processing occurred, the burden of proof shifts to the data controller.
There is generally a very narrow range of conditions under which a data controller would be able to defend itself against liability. These are force majeure and error on the part of the data subject.
The GDPR codifies an important right for data subjects. They can now seek compensation both for material and non-material (non-pecuniary) damages.
It should be noted that internet intermediaries, such as Google and hosting services, generally do not have the responsibility of ensuring that processing done on their servers is lawful. In fact, such monitoring could be unlawful in and of itself.
The exemption depends on the extent of the processing operations that are offered and performed. If the online service is not a mere passive host but offers more involved processing operations, the service could be considered a processor, with all the responsibilities that brings.
This is the area with the most changes. Whereas the responsibilities of data controllers have largely been left the same, data processors must now be more accountable. This should leave data controllers with less to worry about, since data processors now have ‘skin in the game’ as well.
Data controllers still hold the most responsibilities, i.e. they are responsible both for their and their data processor’s actions, but data processors are still responsible for their share of processing. In other words, processors do not have to care about their data controllers’ actions as long as the instructions they receive are lawful.
There is a caveat: processors are encouraged to report to data controllers if they believe that processing activities ordered by the data controller are unlawful.
However, if processors process data unlawfully or outside the scope of their contract with data controllers, then they can be held liable for their infringements. This is a step back from the initial draft proposal of the GDPR, in which both the processors and the controllers shared responsibility and were held liable in tandem.
Still, processors are not explicitly required to demonstrate compliance with the GDPR, but they should provide evidence that they are working to meet the expectations of the data controllers. They will have to prove their compliance, however, if they are presented with evidence of wrongdoing against data subjects.
If data processors subcontract their processing duties, they are liable for that part of the processing, just as a controller is liable for their processor’s actions. Sub-processing is customarily not performed unless the express permission of the data controller has been obtained.
Recourse for Data Subjects
Technically, data subjects now have the option to sue both the data controller and the data processor for unlawful actions of the processor, whereas the processor is ‘off the hook’ if the controller is at fault. Only the controller can be held liable then.
Liability Control in Practice
As mentioned earlier, well-made contracts are essential for data controllers to protect their interests. The fines for wrongful processing are huge, and they are not capped in absolute amounts (up to 4% of the company’s global turnover or EUR 20 million are huge sums).
A paper trail is therefore mandatory. Whenever a controller seeks services from a processor, the scope of the processing and the data being processed must be listed and determined in advance. In the future, supervisory authorities could provide model contracts that satisfy the provisions of the GDPR.
Existing contracts between controllers and processors should be reviewed to determine whether they adequately cover the changes that come with the GDPR.
All contracts should clearly detail the scope, nature, obligations, and purposes for data processing. Types of data processed should also be included. Processors can only process data based on controllers’ written instructions, unless required otherwise by law.
There are mandatory clauses requiring processors to take appropriate security measures and assist controllers in ensuring the data subjects’ rights are protected. All processing activities should be confidential.
At the end of the contract, all personal data must be either deleted or returned to the data controllers. Regular audits are allowed and encouraged. Sub-processing is allowed only with controllers’ written permission.
Overall, the GDPR does introduce certain significant changes to the liability landscape. As Mr Van Alsenoy summarised nicely, processors now have more responsibilities towards data subjects, which means that controllers will not necessarily foot the bill for their oversights anymore.
Additionally, both the controllers and the processors can now be liable for damages, depending on their level of involvement.
Finally, the exemptions for ‘mere conduits’, i.e. passive hosts and other service providers, as listed in the Directive on Electronic Commerce, have been reconfirmed. They have no obligation to monitor passing traffic and do not assume liability for it.
Companies should ensure that their contracts are updated before 25 May 2018; otherwise they open themselves up to lawsuits and regulatory penalties.