Service providers, be afraid. Be very afraid. Especially (but not only) if you're an IaaS/PaaS cloud provider.

Data controllers, be prepared. Your service providers (if well-advised) will want to negotiate or renegotiate your contracts.

Why? The General Data Protection Regulation (GDPR). This would make service providers and other data processors directly liable, across the European Economic Area (EEA), for security and certain other data protection-related matters. The EU institutions, each with their own version of the text and currently in horse-trading trilogue negotiations, aim to agree and adopt the GDPR by the end of 2015. That's not far off, in the scheme of things, although there should be a two-year lead time before the GDPR takes effect (directly) in all EEA Member States. 

What's the big difference? Under the current Data Protection Directive, only data controllers—not processors—have obligations and liabilities under data protection laws in most member states (although in a few, such as Ireland, processors do have direct liabilities under national implementing laws).

When you think about what processors do, it seems like this would mean just a few new obligations, right? Not necessarily. Thing is, there are major differences between the European Parliament's and Council of Ministers' texts—including regarding Article 77, compensation for any person who's suffered damage as a result of processing that's not compliant with the GDPR (Council's version) or unlawful processing or “action incompatible with” the GDPR (Parliament).

Under Parliament's text, that person has the right to claim compensation from the processor for the damage suffered, if they wish. If more than one “controller or processor” is “involved,” each is jointly and severally liable for the entire amount of the damage, unless they have an “appropriate written agreement” determining responsibilities “pursuant to Article 24.”

So there are two points here. Firstly, a processor could get sued—even if the damage was the controller's fault—and the processor would then have to try to claim from the controller. There's no allocation of liability based on fault at all; indeed, the Commission, which proposed the original GDPR, intended liability to be strict because the policy aim was to ensure that the affected individual can get compensation in full, from whoever.

Secondly, Article 24 applies only to joint controllers, so what's a poor processor to do? Become a controller, so that it can negotiate an Article 24 agreement with the “real” controller to allocate responsibilities according to fault? That doesn't seem right to me, and I'd suggest this is a drafting glitch on the part of Parliament.

What about the Council's text? It would certainly be better for processors. But here's where you'll have to indulge me (or look away now). Some heavy lifting on Chapter VIII (remedies, liabilities and sanctions) happened within the Council internally in late 2013, see here, here and here.

Then nothing for ages. The 16 March 2015 version of Article 77 was identical to the one in the December 2014 version of the Council's draft text (which echoed Parliament's in imposing joint and several liability, but at least “without prejudice to recourse claims between controllers and processors”). However, there was then a sudden flurry of Council activity on Chapter VIII in late March-May 2015. (I'd like to think that maybe my talk of 9 March in Brussels on cloud providers and GDPR might have played a small part in triggering another look at Chapter VIII, who knows...)

Whatever the reason for the Council's revisiting of Chapter VIII, its (internally-agreed) version is now much more measured as regards processors. A processor would be liable only where “it has not complied with obligations of this regulation specifically directed to processors or acted outside or contrary to lawful instructions of the controller” (Article 77(2))—in which case it could still be sued for the entire damage. A controller or processor would be able to escape liability on proving that it's 'not in any way responsible for the event giving rise to the damage' (Article 77(3)). This is still a big ask, as even partial responsibility for the event could land a processor with the full bill, responsibility for the event isn't always the same as responsibility for the damage, and Article 77(2) doesn't require any causation.

At least a processor which has paid “full compensation” for the damage would be entitled to claim back a share from other controllers and processors involved, “corresponding to their part of responsibility for the damage” (Article 77(5)). But working out who's responsible for what part of the damage won't be easy. We don't know yet whose approach will prevail in trilogue. But processors will certainly want detailed liability allocation and indemnity provisions in their contracts with controllers. 

Thanks to @mcanning for a hint on the title.

Image credit: 'Cities Desiring to Merge" by Tadashi Moriyama