
Data processors under the GDPR

In our monthly GDPR Updates we discuss various key issues of the General Data Protection Regulation, (EU) 2016/679 (the GDPR), which applies from 25 May 2018. With the introduction of the GDPR, the existing Directive 95/46/EC and its implementation in the national laws of the various EU Member States will be repealed. The GDPR will bring significant and substantial changes with respect to the processing of personal data. It introduces several new concepts, such as Privacy by Design, Privacy by Default and Data Portability. As the GDPR contains several onerous obligations that require significant preparation time, organisations are advised to begin the implementation process in good time.

We notice that personal data protection is becoming more and more topical within organisations, and that the first steps towards compliance with the GDPR are undertaken. Our GDPR Updates illustrate the relevant changes resulting from the GDPR and provide readers with practical recommendations on the implementation of the GDPR within their organisations.

In the August edition of our GDPR Updates we address the position of the data processor. Under the GDPR the data processor is given certain specific responsibilities, meaning that it will no longer be only the data controller who is responsible for compliance with the privacy regulations. From 25 May 2018, the data processor too can be held liable for failing to comply with the GDPR and related legislation.

If the data processor falls within the territorial scope of the GDPR (data processors will be confronted with an expansion of the territorial scope of the European privacy regulations), the data processor could face the following obligations:

  • the obligation to designate a representative in the EU if the data processor is not established in the EU but its processing is related to (i) offering of goods and/or services to data subjects in the EU; or (ii) monitoring of data subjects in the EU;
  • complying with the mandatory requirements with regard to the content of the processing agreement as set out in Article 28 GDPR;
  • the obligation to maintain a written record of processing activities. Note that this obligation is not applicable to organisations employing fewer than 250 employees, unless (i) the processing is likely to result in a risk to the rights and freedoms of data subjects, (ii) the processing is not occasional, or (iii) the processing includes special categories of data. Data processors that provide services whereby the processing of personal data is standard practice are not likely to fall within the scope of the exceptions and will therefore be obliged to maintain a written record of processing activities (e.g. SaaS, hosting and other cloud service providers);
  • the obligation to designate a data protection officer if (i) the data processor is a public authority or body; (ii) its core activities consist of processing on a large scale of special categories of personal data or data relating to criminal convictions; or (iii) its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; and
  • the obligation to notify the data controller (without undue delay) after becoming aware of a breach of the processed personal data and assist the data controller in ensuring compliance with its subsequent obligations towards the competent supervisory authorities and (where necessary) the data subjects.

Instead of only being contractually liable on the basis of a processing agreement with a data controller, under the GDPR data processors will also be subject to administrative liability in case of non-compliance. Administrative fines can increase up to EUR 20 million or (if higher) 4% of the total worldwide annual turnover of the organisation concerned. In addition to administrative liability and contractual liability towards the data controller, a data processor can be held liable towards data subjects who have suffered damages as a result of a breach of the GDPR by the data processor.

Organisations are advised to carefully examine their positions within the various data processing activities and to make a very clear assessment of the associated responsibilities and obligations. A careful inventory should be made of the parties involved in the various personal data processing activities within an organisation and their roles (data controller, co-controller or joint controller, data processor, sub-processor, et cetera). This is particularly relevant as the division of roles directly determines the responsibilities a party has in the personal data processing activity, as well as the corresponding liability.


Freedom of Expression and Privacy in Labour Disputes: Amendments to Alberta’s Personal Information Protection Act in Force

Alberta’s Personal Information Protection Act (PIPA) entered 2015 with a (slightly) new look. Amendments set out in Bill 3, the Personal Information Protection Amendment Act, 2014, came into force on December 17, 2014. Bill 3 was tabled to address the Supreme Court of Canada’s (SCC) declaration of sections of PIPA to be unconstitutional in Alberta (Information and Privacy Commissioner) v. United Foods and Commercial Workers, Local 401. The case is outlined in more detail in a previous post; in brief, the SCC held that PIPA restricted the union’s ability to communicate its cause during a lawful strike, and is an unreasonable interference with the section 2(b) right to freedom of expression under the Charter of Rights and Freedoms.

The amendments to PIPA directly address the constitutional issue in the context of the expressive activities of unions in relation to a labour relations dispute. The collection, use, and disclosure of personal information by trade unions remain subject to PIPA, but certain exemptions to consent now apply in that context. PIPA now permits a trade union to collect, use and disclose personal information about an individual without consent where, subject to any additional requirements that may be imposed by regulation:

  1. The purpose is to inform or persuade the public about a “matter of significant public interest or importance relating to a labour relations dispute” involving the trade union;
  2. The collection, use or disclosure is reasonably necessary for that purpose; and
  3. It is reasonable to collect the personal information without consent for that purpose, taking into consideration all relevant circumstances, including the nature and sensitivity of the information.

Going forward, interpretation by the courts of what is considered a “matter of significant public interest or importance” and the weight afforded to the “nature and sensitivity” of personal information will be closely watched.

The amendments to PIPA are narrowly prescribed to trade unions, and do not attempt to tackle broader considerations of how freedom of expression should be balanced against the privacy interests of individuals in other contexts. In terms of their broader effect, they are more a tweak to PIPA rather than a revamp. However, 2015 is to see the first step towards what may result in broader changes, with PIPA due for a comprehensive review by a special committee of the Legislative Assembly that must commence by July 1, 2015. A final report to the Legislative Assembly, due within 18 months following the start of the review, may include recommendations for amendments to PIPA or any other enactment.

This review provides an opportunity for lawmakers to reflect further upon how the constitutional right to freedom of expression should be balanced against privacy interests even outside the labour disputes context. Broader changes to PIPA to consider these constitutional protections may still be seen in the future.


Who’s Minding The Store?

Late last week, the office of the Privacy Commissioner of Canada announced a major breach within its own office with the loss of an unencrypted hard drive containing sensitive personal information relating to over 800 of its current and past employees. The loss provides a test to Interim Privacy Commissioner Chantal Bernier, who recently took over the top job on an interim basis from departing Commissioner Jennifer Stoddart.

The Privacy Commissioner’s office announced that the information first went missing in mid-February during an office move, and that the breach was discovered in mid-March. It was not until early April that it was determined that the hard drive contained sensitive financial information, including salaries. Adding insult to injury, some of the missing personal information dated back 12 years. It is not clear what retention period should have applied to the data. Under Privacy Act regulations, the Commissioner would be required to retain the personal information for at least 2 years. Indefinite retention would be contrary to best practices; however, the Privacy Commissioner may be constrained by the provisions of the Library and Archives of Canada Act from destruction of the information without permission of the Librarian and Archivist, depending on the exact nature of the records. Likewise, the Office of the Information and Privacy Commissioner of Ontario has different obligations. In any event, this lengthy retention raises questions about appropriate retention periods and whether the information ought to have been securely destroyed after an applicable retention period expired.

In fairness to the Commissioner’s office, it is believed that the missing information is not accessible without specialized software and technical knowledge, and that the information taken cannot result in identity theft. But it may be a concern to Canadian entities bound by the Personal Information Protection and Electronic Documents Act as well as the Privacy Act to know that not only did the breach occur, but the Commissioner’s office did not notify employees or the media immediately, and did not file a police report. On the good news front, Commissioner Bernier has stated that the breach gives her better insight as to what amount of time is reasonable for an organization to investigate a possible breach prior to taking action.


Supreme Court’s CAFA Ruling May Open Door To Increased State Attorney General Privacy-Related Lawsuits

The Supreme Court’s recent rejection of Class Action Fairness Act (“CAFA”) jurisdiction in parens patriae suits (suits brought by state attorneys general on behalf of the state or the state’s citizens in general) will likely increase the filing of such suits asserting claims and rights of individual citizens of the state, including for monetary damages. Such lawsuits—which are often prosecuted by private class counsel pursuant to contingency fee retainer agreements with the state attorney general—are becoming a more and more common method to avoid the impact of CAFA and recent pro-defendant class action rulings by the Supreme Court under the federal class action rule.

The Mississippi v. AU Optronics Corp. case decided by the Supreme Court involved claims filed by the state attorney general (through private retained counsel pursuant to a contingency-fee agreement) alleging price fixing in the liquid crystal display (LCD) market. Those claims largely mirrored the claims made in a private class action that was settled by the defendants in a series of agreements for a total of approximately $1.1 billion (a settlement reached after more than 100 putative private class actions were filed asserting essentially the same claims against various groups of defendants). The Mississippi suit sought money damages in the form of restitution based on the same purchases that would have been covered (and released) by the private class action settlements.

Given the increase in high-profile data breaches, it is likely that these “parens patriae” suits will expand into the privacy realm. A coalition of state attorneys general has already formed to investigate the recent Target breach. Additionally, the parens patriae loophole to CAFA may ultimately allow private class attorneys to bring data breach damages claims in state court, thus not only allowing the litigation to remain in what class counsel may view as a more plaintiff-friendly jurisdiction, but also potentially avoiding the biggest obstacle to such suits thus far—federal decisions dismissing such cases based on a lack of an injury-in-fact as required for Article III standing. Indeed, most legal analysts who have discussed customer private class actions against Target have made this very point, a point that may be moot if state attorneys general simply file essentially the same claims as part of a “parens patriae” action.


A Cautionary Tale on Slow Data-Breach Response

California Attorney General Kamala Harris has sued Kaiser Foundation Health Plan over what the state considers a too-slow data breach notification. California’s breach notification law requires notification of affected individuals “in the most expedient time possible and without unreasonable delay.” Kaiser notified individuals of the breach in March 2012, but California alleges in its complaint that Kaiser had sufficient information to notify between December 2011 and February 2012.
