While only 179 words long, the three clauses in Article 26 GDPR on joint controllership have generated much discussion and created much uncertainty for organisations.
While the concept of joint controllership is not particularly new, its post-GDPR application is complex in the modern data processing ecosystem. The importance of understanding how parties are deemed joint controllers is particularly relevant both to clarify their respective compliance responsibilities and their shared liability in respect of individuals and data protection authorities.
When does "joint controllership" exist?
Article 26 states that, where parties "jointly determine the purposes and means of processing", they shall be deemed joint controllers. The GDPR does not provide any further advice or guidance on this process, and only briefly touches upon joint controllers in Articles 30 and 36.
The ICO has provided guidance on joint controllers, noting that parties will not be joint controllers where they process the same data but for different purposes. It has provided a checklist that offers potential indicators that a joint controllership exists such as when:
- the parties have a common objective and the same purpose in relation to the processing;
- the same set of personal data (or database) is used with the other party (and for the same purpose);
- the parties have jointly designed the process; or
- the parties have "common information management rules" with one another
The existence of joint 'decision-making' is therefore of particular importance when examining whether a joint controllership exists between two parties processing data.
Three judgements of the Court of Justice of the European Union ("CJEU") have provided some further guidance on how the concept of joint controllership is to be interpreted.
The CJEU approach
Facebook Fan Pages
The CJEU adopted a relatively broad scope of joint controllership in Facebook Fan Pages case (C-210/16) when it held that administrators of Facebook fan pages are joint controllers with Facebook. Although the administrators only had access to anonymised reports and not to any personal data, by creating the fan page and making it possible for Facebook to collect the visitors' data, the CJEU was satisfied that the administrators were a joint controller with Facebook. It was further noted that "joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data".
This broad interpretation was also adopted in Jehovah's Witnesses case (C-25/17), where the CJEU held that the Jehovah's Witness community was jointly responsible with its members for collecting personal data in the course of door-to-door preaching. The CJEU considered it sufficient for the establishment of joint controllership that the community organised, coordinated and encouraged the preaching, despite not receiving all the data that was collected.
The Fashion ID case (C-40/17) was the latest in the series of cases dealing with the issue of joint controllership and involved a challenge by a consumer protection group in Germany to the placement of Facebook plug-ins on Fashion ID's website. THE CJEU held that a controller is a party who determines the "purposes and means of processing", either alone or jointly with others. Controllers have heightened responsibilities and obligations towards data subjects, and if found to be a joint controller with another party, may be jointly liable for any breaches of data protection law.
In a similar fact pattern to the Fan Pages decision, the CJEU noted that both parties were gaining benefit from the processing. Both Facebook and Fashion ID were processing personal data for their own economic interests, and so they jointly determined the purposes of the operations.
However, the CJEU held that parties would not be joint controllers for operations that precede or are subsequent to these joint operations in the overall chain of processing. Furthermore liability does not extend to the preceding or subsequent stages of processing in the overall chain of operations.
European Data Protection Supervisor ("EDPS") Guidance
The EDPS has recently published their "Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725". Although Regulation 2018/1725 relates specifically to EU institutions, it contains a near identical provision on joint controllers focused on the crucial element of parties needing to "jointly determine the purposes and means of processing". The EDPS guidelines provide some useful guidance. The EDPS notes that the concept of joint determination may arise where each controller has a chance to determine "purposes and essential elements" for the processing operations, which could be for example, just by entering into an agreement dealing with such elements. However, for joint controllership to arise, both the purposes and means of the processing operations must be jointly determined. The EDPS also drew from the reasoning of the Fan Pages case, noting that although only having access to anonymised data will not influence the joint controllership situation, it will matter when establishing the degree of responsibility.
Required actions for Joint Controller
Article 26(1) provides that joint controllers should enter into an "arrangement" to deal with the respective responsibilities of each party for compliance with their GDPR obligations in the joint controllership. This arrangement does not necessarily need to be in the form of a written contract. While this provides a degree of flexibility for joint controllers, a written contract would serve as a good base for documenting decision-making powers and the responsibilities and liabilities of each controller.
The EDPS, in its guidelines on Regulation 2018/1725, provides a number of recommendations for the potential subject matter of joint controller arrangements including:
- the respective duties in relation to the transparency obligations (under Articles 13 and 14 of the GDPR);
- responsibilities for dealing with data subject requests including contact points;
- responsibility for data breach reporting obligations;
- the process for conducting Data Protection Impact Assessments; and
- provisions in relation to engaging data processors.
As the joint controllers are obliged to ensure the data subject may access the "essence" of the arrangement, it is recommended to ensure that either each respective joint controller has an appropriate data protection notice or both joint controllers display an agreed data protection notice.
It is also important to note that, pursuant to Article 26(3), a data subject may exercise his/her Chapter III GDPR rights in respect of and against each of the joint controllers irrespective of the arrangement in place. This may create complexities for the respective joint controllers facilitating the data subjects' rights. On this topic, the EDPS recommends defining cooperation obligations for dealing with data subject requests in a written agreement between the joint controllers and including a specific responsibility for those who will deal with such requests.
Takeaway from EDPS guidance and CJEU decisions
The case law of the CJEU illustrates that the threshold for the existence of a joint controllership is low and there is no requirement for the parties to share responsibility equally, or even for both parties to have access to the data at issue. With a broader scope being applied for joint controllership by the CJEU and with limited guidance to be gleaned from the text of the GDPR, it is now becoming more important than ever to ensure that the relationships between controllers are clearly identified by both parties, and appropriate measures are put in place, whether through data processing agreements, joint controller arrangements or through standard practices in the course of processing.
Next steps in ensuring compliance with rules relating to joint controllerships may include:
- reviewing all processing arrangement that are in place in the business;
- identifying any processing arrangements in respect of which a party may be a joint controller;
- assessing the lawful basis for such processing;
- reviewing the contractual relationships with any party identified to be a joint controller.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.