Organizations that sell personal data processing services to other businesses and their customers typically prefer the vendor act as a service provider under the California Consumer Privacy Act and as a processor under the EU General Data Protection Regulation and similar laws.
As competitive pressure for companies to find additional sources of data on which to train artificial intelligence mounts, the parameters of what constitutes a processor under data privacy and protection laws are increasingly subject to scrutiny.
Processors follow instructions
Although the business community's focus on AI is relatively new, the distinction between entities that determine the means and purposes of processing personal data — controllers — and entities that process data on controllers' behalf — processors — has existed for decades, including under the EU Data Protection Directive 95/46/EC. Similarly, the distinction between covered entities and their business associates — for example, processors — has existed under the under the U.S. Health Insurance Portability and Accountability Act of 1996.
Whether an entity acts as a processor for another entity is a question of fact, and controllers are generally required to impose certain data processing clauses on their processors, including contractual prohibitions against using personal data for unauthorized purposes. Processors must only process personal data on behalf of the controller, or they could face regulatory sanctions and private claims under breach of contract and other theories of liability.
So, what can processors do with the personal data they receive?
Processors can and should use data to perform services. In practice, processors specify their services and what processing operations can and will be performed as part of those services, such as in a standardized services description or technical specifications document. Controllers decide if they want to purchase the service and instruct the processor to perform the specified processing operations on the data provided or generated by the customer.
Processors may wish to aggregate customer data, or otherwise render it into data that does not constitute personal data under applicable laws, and use the nonpersonal data to improve and build their services, including AI offerings. But the aggregation or anonymization step must be instructed by, and benefit, the customer.
If a vendor seeks a customer's permission, consent or authorization to use data for its own purposes — not specifically contemplated by a statute such as the CCPA or HIPAA — the data processing undermines the vendor's status as a processor and may oblige the customer to discharge various obligations before disclosing personal data to the vendor, such as obtaining data subjects' specific consent.
If a customer grants the vendor a license to use personal data for their own purposes, that could also suggest the customer is selling data to the vendor, triggering compliance obligations under U.S. state privacy laws that would not apply to processors.
Controllers and processors should, therefore, be clear on whether and to what extent the controller instructs the processor to render personal data into data that is no longer subject to data privacy and protection laws and can be used to improve the processor's own products and services.
CCPA
The CCPA and its regulations list particular business purposes that service providers and contractors — that is, processors — can perform within their role. Business purposes expressly permitted to be performed by service providers under the CCPA include building or improving the quality of the services provided to the business and retaining, using or disclosing personal information for fraud prevention purposes.
Interestingly, the CCPA regulations indicate service providers and contractors can pursue these purposes "even if (they are) not specified in the written contract" between the parties. However, parties should be clear about what service providers and contractors are or are not allowed to do in the contract because the CCPA does not override contractual restrictions.
GDPR
The European Data Protection Board's guidance on controllers and processors makes it clear that the controller's instructions and interests are paramount. On page three it states:
"The processor must not process the data otherwise than according to the controller's instructions. The controller's instructions may still leave a certain degree of discretion about how to best serve the controller's interests, allowing the processor to choose the most suitable technical and organisational means. A processor infringes the GDPR, however, if it goes beyond the controller's instructions and starts to determine its own purposes and means of the processing. The processor will then be considered a controller in respect of that processing and may be subject to sanctions for going beyond the controller's instructions."
Thus, as noted, controllers and processors should focus on ensuring the processor's instructions are clear and any personal data processing is done in the interests of the controller.
HIPAA
HIPAA requires covered entities — such as health care providers, health plans and health care clearinghouses — to impose certain contractual clauses on their business associates with respect to the processing of protected health information.
The covered entity itself will be restricted on how and for what purposes it can use protected health information, and it must flow these restrictions through to its business associates. Interestingly, HIPAA contemplates that a covered entity may, but does not have to, permit a business associate to use protected health information for the purposes of providing data aggregation services or for the proper management and administration of the business associate.
This level of specificity in the regulations suggests the absence of such contractual permissions could be construed to mean the business associate may not use protected health information for any purpose related to the improvement or development of its own services.
Five key considerations:
- Customers and vendors benefit if vendor data use is limited within the confines of statutorily defined processor or service provider roles. Each data processing contract should be limited to the statutorily required restrictions and be kept separate from commercial terms.
- Vendors should generally seek and contractually document instructions, not permissions or licenses. Instructions could leverage statutory permissions, such as in the CCPA regulations or HIPAA, and could be kept separate from legally required data processing/service provider terms.
- Vendors should describe services and data processing activities in detail to obtain meaningful instructions and keep customers in control.
- Companies that rely on vendors for data processing services should also consider whether the disclosures of personal data are excessive. Various laws in the U.S. and around the world impose data minimization requirements on controllers and covered entities.
- Truly anonymized data is not subject to privacy law restrictions. No one owns data.
Helena Engfeldt, CIPP/E, CIPP/US, and Jonathan Tam, CIPP/C, CIPP/US, are partners at Baker McKenzie.