Privacy obligations might be harder for technology suppliers with the new regime for data processors provided by the EU Data Protection Regulation.Under the current regime prescribed by the EU Data Protection Directive 95/46, data controllers have acted as a kind of defence for processors against claims and liabilities towards individuals whose personal data is processed which could be addressed only against controllers.
But the quiet time for suppliers,
including cloud providers, Internet of Things suppliers and gaming suppliers is over!
What new risks for suppliers under the EU Privacy Regulation?
The main changes introduced are:
- individuals can file direct claims for damages against both data controllers and data processors (i.e. suppliers);
- data processors’ liability arises only if they did not comply with the obligations imposed specifically on data processors by the Regulation or did not act within the scope of the lawful instructions of the data controller;
- the burden of proof of not having caused damages is on the processor which shall prove that it was not liable;
- in case of more than one data controller or data processor, each controller/processor is liable for the refund of the whole damages;
- data processors are liable for the misconducts of the sub-processors appointed by them.
And the risks above are even more concerning if is considered that the applicable fines are now massive as previously discussed in this post.
Freedom of operation is a risk for suppliers
Suppliers have been traditionally quite reluctant in accepting privacy obligations. And indeed, privacy clauses in standard supply/outsourcing agreements are just a few lines if drafted by suppliers. This scenario is expected to change
- not only because the Regulation provides for a detailed list of information/instructions that have to be contained in the agreements through which data processors/suppliers are appointed;
- but also because the Regulation expressly states that if a processor infringes the Regulation by determining the purposes and means of processing, the data processor shall be considered a data controller in respect to that processing.
And obviously in case of requalification of the processor as data controller, the potential risk exposure will become even higher.
New compliance obligations
Data controllers rely on their suppliers in ensuring compliance with privacy regulations with reference to the services supplied by means of the provided technologies. This means that obligations such as
- the performance of a privacy impact assessment;
- the implementation of a privacy by design and a privacy by default approach; and
- the adoption of a security by design methodology
will be on the supplier. And customers might require even independent certifications of compliance as provided by the provisions of the Regulation relating to the privacy by design. In any case this is no fully bad news given that such measures can act as protections in case of disputes.
Suppliers might not be aware of their processing of personal data
There is some uncertainty in suppliers as to what can be deemed to be personal data triggering the obligations to comply with privacy regulations.
I have already discussed about the strict position of the Article 29 Working Party on the definition of anonymous data. The Regulation provides that personal data includes also data can be linked to an individual taking into account
all reasonable means likely to be used,
taking into account the potential costs and the amount of time required for identification.
And in relation to the above, the Regulation expressly extends the definition of personal data to identification numbers and online identifiers as well as to cases of pseudoymisation. What we are trying to do with some clients is to identify organization and technical measures that make quite difficult and time consuming the identification of the individuals behind the data.
It is likely that we will see the renegotiations of data processing agreements and the risks and the threshold of compliance is now much higher.
You may find also interesting