When writing the "DPO Handbook," the author tried to think of everything relevant to the data protection officer role to be as comprehensive as possible, but in authoring a book in just four weeks, some useful topics get overlooked. A few such topics have since come to mind that would be useful to share (others will be included in the upcoming second edition). The first topic addresses the types of circumstances that would lead a DPO to decide it was appropriate to exit a DPO services contract before its stated termination date. The second topic concerns the often-confused difference between data protection and privacy and why this should matter to a DPO.
Exiting a DPO contract
There are different reasons that a DPO would choose to exit their services contract with a controller or processor. Many are similar to the reasons that any party would terminate an agreement, that is, due to the anticipated or actual breach of the agreement by the other party or when performance becomes impossible. These are not unique to DPO services contracts but DPOs, especially those who are performing the role based on an outsourcing agreement, may find themselves in a difficult situation.
For example, when the controller is not paying the DPO’s invoices, either timely or at all, the DPO faces a difficult choice. This contractual breach could be dealt with through the usual breach mechanisms of giving notice to the controller and allowing them a reasonable time to resolve the issue and begin paying the DPO’s invoices. If the situation does not improve, and with the understanding that a DPO as a creditor would likely be viewed as possibly now having a conflict of interest, then the DPO would need to provide notice of termination of the services agreement, with the applicable termination provisions such as return of personal data invoked.
Another possible reason for a DPO to exit a services contract is when they realize that they have taken on too much legal exposure. As explained in the "DPO Handbook," chapter two, while a DPO cannot be legally liable under the EU General Data Protection Regulation to controllers or data subjects for competently performing their role, they can certainly be liable to the controllers, processors, data subjects, or other third parties for negligently performing their role.
Depending upon the situation, the DPO may find themselves with more legal exposure than their outsourcing agreement’s provisions, their insurance cover, and, if used, their corporate limited liability shield can withstand. In such a situation, there is no easy manner to deal with this short of having an amenable controller who agrees to take on more risk. If this is not likely to happen, the DPO may be best advised to exercise their right to terminate the agreement while ensuring the controller or processor has a successor DPO ready to take over.
DPOs may also have a dispute with a controller or processor over a material data protection issue. Although it is best to have a dispute resolution process clearly defined in the agreement, it could be that the issue is such that the controller and the DPO cannot find a sufficient middle ground. This could be even more intractable if the DPO is supported by an opinion of independent external counsel contrary to what the position of controller and their internal counsel.
Whether it is a disagreement based on differing views of a legal issue related to the GDPR and related laws or a business issue related to the amount of funding and priority given to certain data protection activities, the DPO’s position could become untenable, and so it could be best to exercise their right to terminate the agreement. This should (hopefully) be a rare case and likely may be viewed as a failure on the part of the DPO if they have not properly utilized all their powers of analysis, insight, and persuasion to resolve the matter.
Data protection versus privacy
The terms “data protection” and “privacy” are, more or less, used interchangeably in the EU, even though these speak to related but disparate rights. The EU Charter of Fundamental Rights specifies these as two separate rights, Article 7 for the right to privacy (of all kinds, including family life) and Article 8 for the right to data protection, including the basic principles listed in the Data Protection Directive and the GDPR. The Council of Europe's Convention on Human Rights explicitly has only privacy rights, but the CoE’s Convention on Automatic Processing came later, and the European Court of Human Rights' caselaw has interpreted the right to privacy to include the right to data protection, as well. So, if these are two different rights under both the charter and the convention, why are they so frequently conflated, and what does this mean to the DPO?
The confusion is easy to understand. The Organisation for Economic Co-operation and Development privacy principles match the data protection principles under the GDPR. In the Data Protection Directive, privacy is mentioned numerous times, such as that “principles set out in this Directive regarding the protection of the rights and freedoms of individuals, notably their right to privacy, with regard to the processing of personal data.” The CJEU did not help clarify matters in the case of Stadt Bochum by stating in reference to charter Articles 7 and 8, “It follows from a joint reading of those articles that, as a general rule, any processing of personal data by a third party may constitute a threat to those rights … From the outset, it should be borne in mind that the right to respect for private life with regard to the processing of personal data concerns any information relating to an identified or identifiable individual.”
The WP29 though has tried to make it clear that these are two distinct rights in the EU by pointing out that advances in technology have brought a need to supplement the long-established right to privacy, providing “further protection for individuals from third parties (particularly the state) in addition to ‘defensive’ rights recognised under Art. 8 of the ECHR by ensuring that the individual had the right to control his/her own personal data.” So, privacy rights are more passive in that they may require no action by a data subject while enjoying data protection rights may require action by the data subject.
If the rights are distinct, then the laws should treat these are disparate, though related, rights. The most obvious place to look is the latest examples of the leading laws protecting users in the use of the internet in the EU, the GPDR and the ePrivacy Directive/Regulation. In the former, there is no mention of privacy, and in the latter, there is no mention of data protection. So, at least the titles seem to line up correctly, with the GDPR moving on from the notion of explicitly including the right of privacy as the DPD did.
The difference between the two rights was revisited when the rewrite of the ePrivacy Directive was undertaken. The Regulatory Fitness and Performance Programme evaluation for the ePrivacy Directive looked at whether the directive was needed anymore, considering the expanded coverage of the GDPR. However, because the GDPR addresses data protection for individuals, the directive was still necessary as it “also covers aspects related to the protection of privacy (as opposed to 'data protection'), consumer issues and the protection of legal persons.” But REFIT also noted the overlap between the directive and the GDPR, such as in the information security and data breach notification requirements but not in areas such as the confidentiality of communications or access to terminal equipment (i.e., mobile devices).
Why does all this matter? The GDPR states that a DPO is required under Article 39 to monitor for compliance with the GPDR and other EU and member state “data protection law.” It does not state that this includes privacy law, which again is not mentioned in the GDPR. As such, while a DPO is required to monitor compliance with the GDPR and local GDPR implementing acts and if applicable, the local implementation of the police and Criminal Justice Directive, is a DPO required to monitor compliance with wider privacy law, such as the directive? The strict answer would seem to be “no,” but given the overlap in the privacy and data protection principles, it is not that clear.
Because of this lack of clarity, a discussion with the Irish DPC did acknowledge that while there are data protection aspects to the directive, they did not believe it within their remit to definitely answer the question whether all of the directive (i.e., those parts dealing with privacy instead of data protection) was within the scope of a DPO’s role to monitor for other EU and member state “data protection law.”
So, a DPO may be best advised to err on the side of caution and perform their duties addressing all data protection and privacy laws relevant to their controller or processor and ensure that the tasks defined in their contract or role description include both types of laws.
photo credit: jeffdjevdet via photopin