The Privacy and Data Protection Journal has published an article by Duc Tran (Senior Associate) and Laura Adde (Associate) of our Digital TMT, Sourcing & Data and Cyber Security teams. The article examines the concept of "joint controllership" in light of recent case law and existing legislative guidance. Please click here to access the full article for further details.
Since the General Data Protection Regulation ("GDPR") has been in effect, organisations have tended to characterise their data relationships with other parties as either controller-processor, or independent controller-controller, avoiding the joint controller construct.
Article 26 of the GDPR states "where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers". Market practice to date has seen organisations interpreting this contract in a relatively narrow fashion. However, recent judgement by the Court of Justice of the EU ("CJEU") in the German case of "Fashion ID" suggests that joint controller relationships may be far more prevalent than previously thought and understood.
The CJEU in the Fashion ID case held where a website operator embeds third party plugins such as a Facebook "Like" button, the operator can be deemed as a joint controller with the third party, despite the fact that the operator has no control over what data was transferred or how the third party processes such data.
The Fashion ID judgement illustrates the seemingly widened definition of joint controllership adopted by the CJEU and the considerable degree of uncertainty now associated with this construct.
The article also seeks to further explore this ambiguity by referencing existing case law and legislative guidance, including:
- "official" examples in various guidelines given by the European Commission, the UK Information Commissioner's Office ("ICO") and the former Article 29 Working Party that support a narrower interpretation of Article 26;
- an ICO "official" example that seemingly undermines a narrower interpretation of Article 26; and
- the two 2018 cases of the "Facebook Fan Page" case (C-210/16) and the Jehovah's Witness Community case (C-25/17), which appeared to widen the scope of the definition of joint controllership.
Given the seemingly widened definition of joint controllership and the lack of consistent case law or guidance, there is now a considerable degree of uncertainty associated with categorising data-related arrangements as independent controller or joint controller relationships.
However, it is also worth noting, in particular for UK organisations that all three cases cited in the article are European: there has not yet been a UK case which addresses this issue explicitly. Given the uncertainty surrounding the definition of joint controllership, we may reasonably expect guidance to be issued in due course.