News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Open Season on Service Providers? The General Data Protection Regulation Cometh… Related reading: Cloud Computing: The Case for Logical Control over Physical Control

rss_feed

""

Service providers, be afraid. Be very afraid. Especially (but not only) if you're an IaaS/PaaS cloud provider.

Data controllers, be prepared. Your service providers (if well-advised) will want to negotiate or renegotiate your contracts.

Why? The General Data Protection Regulation (GDPR). This would make service providers and other data processors directly liable, across the European Economic Area (EEA), for security and certain other data protection-related matters. The EU institutions, each with their own version of the text and currently in horse-trading trilogue negotiations, aim to agree and adopt the GDPR by the end of 2015. That's not far off, in the scheme of things, although there should be a two-year lead time before the GDPR takes effect (directly) in all EEA Member States. 

What's the big difference? Under the current Data Protection Directive, only data controllers—not processors—have obligations and liabilities under data protection laws in most member states (although in a few, such as Ireland, processors do have direct liabilities under national implementing laws).

When you think about what processors do, it seems like this would mean just a few new obligations, right? Not necessarily. Thing is, there are major differences between the European Parliament's and Council of Ministers' texts—including regarding Article 77, compensation for any person who's suffered damage as a result of processing that's not compliant with the GDPR (Council's version) or unlawful processing or “action incompatible with” the GDPR (Parliament).

Under Parliament's text, that person has the right to claim compensation from the processor for the damage suffered, if they wish. If more than one “controller or processor” is “involved,” each is jointly and severally liable for the entire amount of the damage, unless they have an “appropriate written agreement” determining responsibilities “pursuant to Article 24.”

So there are two points here. Firstly, a processor could get sued—even if the damage was the controller's fault—and the processor would then have to try to claim from the controller. There's no allocation of liability based on fault at all; indeed, the Commission, which proposed the original GDPR, intended liability to be strict because the policy aim was to ensure that the affected individual can get compensation in full, from whoever.

Secondly, Article 24 applies only to joint controllers, so what's a poor processor to do? Become a controller, so that it can negotiate an Article 24 agreement with the “real” controller to allocate responsibilities according to fault? That doesn't seem right to me, and I'd suggest this is a drafting glitch on the part of Parliament.

What about the Council's text? It would certainly be better for processors. But here's where you'll have to indulge me (or look away now). Some heavy lifting on Chapter VIII (remedies, liabilities and sanctions) happened within the Council internally in late 2013, see here, here and here.

Then nothing for ages. The 16 March 2015 version of Article 77 was identical to the one in the December 2014 version of the Council's draft text (which echoed Parliament's in imposing joint and several liability, but at least “without prejudice to recourse claims between controllers and processors”). However, there was then a sudden flurry of Council activity on Chapter VIII in late March-May 2015. (I'd like to think that maybe my talk of 9 March in Brussels on cloud providers and GDPR might have played a small part in triggering another look at Chapter VIII, who knows...)

Whatever the reason for the Council's revisiting of Chapter VIII, its (internally-agreed) version is now much more measured as regards processors. A processor would be liable only where “it has not complied with obligations of this regulation specifically directed to processors or acted outside or contrary to lawful instructions of the controller” (Article 77(2))—in which case it could still be sued for the entire damage. A controller or processor would be able to escape liability on proving that it's 'not in any way responsible for the event giving rise to the damage' (Article 77(3)). This is still a big ask, as even partial responsibility for the event could land a processor with the full bill, responsibility for the event isn't always the same as responsibility for the damage, and Article 77(2) doesn't require any causation.

At least a processor which has paid “full compensation” for the damage would be entitled to claim back a share from other controllers and processors involved, “corresponding to their part of responsibility for the damage” (Article 77(5)). But working out who's responsible for what part of the damage won't be easy. We don't know yet whose approach will prevail in trilogue. But processors will certainly want detailed liability allocation and indemnity provisions in their contracts with controllers. 

Thanks to @mcanning for a hint on the title.

Image credit: 'Cities Desiring to Merge" by Tadashi Moriyama

Editor's Note:

Read about specific issues and requirements related to jurisdiction, processor obligations and liabilities, use of sub-processors, grandfathering as well as the potential effect this will have on cloud computing, in Hon’s full report here.

Author
Headshot W. Kuan Hon IAPP Member Contributor
Tags
Europe
Cloud Computing
Privacy Law
1 Comment

If you want to comment on this post, you need to login.

  • comment MABEL • Aug 27, 2015 
    Hello Kuan, I'm writing from Spain, and I have to say that with our actual Regulation (Royal Decree 1720/2007, Dicembre 21) with regard to the responsibility of the "Processors" and "Controllers" the Article 20 established a two ways of responsibility between them. First, the Controller has the responsibility to ensure that the processor fulfilled all the legal requirements, in case that the processor at the beginning do not accomplished all that, the controller is responsable for signing the contract knowing the gap, and Second, if the processor has used the data out of the agreement with the controller, the processor will be responsable. The processor has responsibilities. 

Article 20 said: Relations between the controller and the processor.
2. When the controller contracted the provision of a service that entails the processing of personal data under the provisions of this chapter shall ensure that the processor meets the guarantees for compliance with the provisions of this Regulation.
3. In the event that the processor uses the data for other purposes, communicate or use in breach of the terms of the contract referred to in paragraph 2 of Article 12 of Law 15/1999, of December 13 concerns It will be considered, too, controller, answering for any infringements it incurred personally.
Best regards
Related Stories
Related Stories
Tags
Europe
Cloud Computing
Privacy Law
Recent Comments