Joint Controllers Under the GDPR
As many organizations have learned, on May 25, 2018, the EU implemented the General Data Protection Regulation (“GDPR”), which imposes obligations and liability on U.S. organizations that have control over EU residents’ personal data (“Controllers”) or that process EU residents’ personal data on behalf of other companies (“Processors”). The GDPR regulates how companies collect, use, and transfer the personal data of individuals located in the EU. The GDPR also imposes obligations on U.S. Controllers and Processors that either do business in the EU through local establishments or otherwise offer products and services to individuals in the EU.
Among these obligations, Controllers and Processors are required to set forth certain provisions, procedures, and allocation of responsibilities in a written agreement between the Controller and Processor. See Article 28, GDPR. If your association acts as a Controller or Processor under the GDPR, then you have likely seen or participated in the execution of “Data Protection Addendums” that address these GDPR-related contractual requirements.
According to the GDPR and supported by recent EU court decisions, there are also instances where two or more organizations may be acting as “Joint Controllers,” i.e., instances “[w]here two or more controllers jointly determine the purposes and means of processing.” Article 26, GDPR. In these situations, the GDPR requires Joint Controllers to “determine their respective responsibilities for compliance under [the GDPR] . . . by means of an arrangement between them.” Article 26(1), GDPR. This arrangement should “reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects.” Article 26(2), GDPR.
For associations subject to the GDPR, this issue may arise in a number of circumstances, including, among others: social media pages, events or projects organized by multiple parties, or projects undertaken on another party’s behalf. The primary test is whether two or more organizations jointly determine the purposes and means of processing subject to the GDPR.
Social Media Pages and the Recent Facebook Fan Page Decision
On June 5, 2018, the Court of Justice of the European Union (“CJEU”) upheld a lower court ruling that a German company with a fan page hosted on Facebook was a joint controller with Facebook regarding page-visitor’s personal data processed by Facebook. Both this and the initial ruling by the German supervisory authority, Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany (the “Supervisory Authority”), in November 3, 2011, were pursuant to Directive 95/46/EC (the “Directive”), the precursor to the GDPR. As the Directive had already imposed many obligations similar to the GDPR’s on Controllers and Processors located in the EU, authoritative interpretations of the Directive are applicable to the GDPR where, in cases such as this one, the underlying obligations are the same. The most relevant difference between the GDPR and Directive for U.S. associations is that the GDPR now includes some non-EU organizations within its scope.
In this case, the German company hosted a fan page on Facebook. As part of the terms of service with Facebook, the German company agreed for Facebook to use cookies that track and collect personal data from fan-page visitors. While the German company did not have access to this raw personal data, Facebook was required to provide to the German company, upon request, aggregate anonymized data on visitors “including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers.” Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, para. 37 (CJEU June 8, 2018). Incidentally, Facebook’s practices at the time for collecting this data (even from visitors without Facebook accounts) were found to violate the Directive’s data privacy rules.
The German company argued that Facebook was the sole Controller of the personal data collected by Facebook’s cookies. Ultimately, the Supervisory Authority and the CJEU found that the German company was a Joint Controller because its contractual right to request demographic data was tantamount to taking part in the determination of the purposes and means of processing visitors’ personal data. Id. at para. 75(1). Put differently, as the German company could ask for Facebook to process the visitors’ data in certain ways, the German company had some joint control over the data processing.
Parenthetically, it appears that the Supervisory Authority’s real target was Facebook, but the Supervisory Authority in Germany was not clear on whether it could proceed against Facebook’s Ireland office. While Facebook had an office in Germany, Facebook’s Germany office apparently was not involved in collecting data from the fan page’s visitors. Facebook’s Ireland office was the culprit, in the Supervisory Authority’s eyes, but also possibly outside the Supervisory Authority’s jurisdiction under the Directive. Accordingly, the EUCJ also held that the Supervisory Authority could proceed in a case directly against Facebook in Ireland, notwithstanding the fact that Facebook Ireland is regulated under Ireland’s data privacy agency.
Since 2011, Facebook and other social media companies have changed their data privacy practices, particularly in light of the GDPR. Nonetheless, U.S. associations may be deemed to be Joint Controllers of personal data collected by social media companies where:
- (1) The association or data processing fall under the GDPR;
- (2) The association has an event, fan, or activity page on a social media company’s website; and
- (3) The association agrees to terms with a social media company that:
- (a) Allows the social media company to collect data on the association’s page visitors; and
- (b) Allows the association to obtain, request, or otherwise take part in determining the purposes and means of processing the data collected from page visitors.
This decision also has applicability to how associations may be treated as Joint Controllers in other contexts, such as events and joint projects.
Joint Controllers in the Context of Events
When EU-based event attendees provide information for an event hosted by multiple organizations, the hosting organizations may be treated as Joint Controllers. For example, assuming that the data collection is subject to the GDPR, which is an issue unto itself:
- (1) Two or more associations decide to co-organize an event and jointly select a Processor to electronically collect and process data from attendees and participants, such as event registration, scheduling, payment, attendee feedback, surveys, and providing website or mobile application accounts that distribute event materials to identifiable account-holders. The organizing associations may be deemed Joint Controllers.
- (2) An association will be hosting an activity at an event hosted by a different organization. The association and organization jointly determine how the association would collect, share, and process personal data gathered during the activity, such as non-anonymized feedback about the activity, contact information on sign-up sheets, or non-anonymized answers to activity-specific surveys. The association and organization may be deemed to be Joint Controllers of this data.
- (3) An association will be participating in an activity at an event hosted by a different organization. As part of the agreement between the parties, the organization agrees to provide the association with certain personal data collected from the attendees such as contact information or non-anonymized feedback about the association’s activity. The organization uses this information for its own benefit and has rights to this data, as well. Here, the association and organization may be deemed Joint Controllers.
Joint Controllers in the Context of Non-event Projects
First, the rules for Joint Controllers in non-event projects would be analogous to the examples for events above. If two or more organizations are jointly collecting and sharing personal data for their respective benefits and use, then they would likely be deemed Joint Controllers under the GDPR.
Second, if an association engages in a project that involves the processing of personal data subject to the GDPR, it may be deemed a Joint Controller with sponsors or inactive partners of the project. For example: An association engages in a project involving research, surveys, or other collection and processing of Personal Data. The association is supported or sponsored by an organization that takes no active role in the project. As part of the agreement between the association and the organization, the organization has the right to request for the association to process project participants’ personal data to generate aggregate anonymized statistics. Based on the EUCJ decision summarized above, the organization may be deemed to take part in determining how and why the association processes the project participants’ data. Accordingly, the organization and association may be deemed Joint Controllers.
Properly Addressing Joint Controller Issues
The GDPR does not explicitly require Joint Controllers to enter into a written agreement addressing Joint Controller responsibilities. Instead, the GDPR requires Joint Controllers to clearly allocate their respective responsibilities “by means of an arrangement between them.” Article 26(1), GDPR; see also Recital 79, GDPR. The GDPR also requires the Joint Controllers to make “[t]he essence of the arrangement . . . available to the data subject.” Article 26(2), GDPR.
Nonetheless, under the GDPR’s general principle of “Accountability,” Controllers must be able to demonstrate compliance with the GDPR. See Article 5(2), GDPR. Accordingly, Joint Controllers must be able to demonstrate to supervisory authorities that they entered into an arrangement clearly allocating their respective Controller responsibilities. Controller responsibilities would include, inter alia, communicating data breaches to supervisory authorities and affected data subjects, responding to data privacy requests, maintaining compliant arrangements with Processors, disclosing appropriate data privacy information to data subjects, and ensuring adequate safeguards for the transfer of data outside the European Economic Area (“EEA”). In light of this burden to demonstrate compliance, it may be prudent for Joint Controllers to address the allocation of responsibilities in writing.
If the Joint Controllers do not allocate their respective controller responsibilities, this may constitute noncompliance with the GDPR. Furthermore, in the event that one Joint Controller violates the GDPR, other Joint Controllers may be subject to the full range of obligations and liabilities. If the Joint Controllers maintain a clear written arrangement of their respective responsibilities, then it is more likely that a supervisory authority would address a particular issue of noncompliance with the responsible Joint Controller rather other Joint Controllers who may not have been involved. Remember, in the Facebook fan page decision discussed above, the Supervisory Authority was ultimately seeking approval to proceed against Facebook’s Ireland office.
With respect to communicating the “essence of the arrangement,” information on the joint controllers involved and their general level of involvement could be included in privacy policies or project/event-specific materials distributed to data subjects.
If you have any questions regarding Joint Controller responsibilities or GDPR compliance, please feel free to contact GKG Law at (202) 342-5266 or okrischik@gkglaw.com.