Member Article

Previous European data protection laws only covered controllers of personal data. From 2018 processors can be fined and pay compensation for data breaches in their own right. Is this happening, and what can we learn about managing data processing risks?

Looking at GDPR enforcement in the UK and EU, you would be forgiven for thinking that new liabilities for data processors since the advent of the General Data Protection Regulation in 2018 has not made much difference. Only around 2% of the total number of fines are of processors, even though processor system design and management can play a significant role in data breaches.

By way of reminder, controllers are the key decision-makers of processing activities: they determine the purposes and means of the processing. In contrast, processors process data “on behalf of” controllers and work under instruction. Typically, processors are IT service suppliers of some sort.

Controllers bear more responsibility and may carry liability for unlawful processor activities and a lot more besides, so enforcement action against a controller is usually the preferred target for regulators. A classic example: a decision from the Irish DPC in January 2022 as a result of which a credit union was fined as a controller despite its reliance on a processor which was clearly at fault. As the regulator put it, “Processors cannot be used by controllers as a legislative safety net”.

Second, controllers incur bigger fines. GDPR fines are structured so that processor obligations carry a maximum penalty of €10m/£8.7m or 2% of turnover if greater, where controller-only obligations go up to €20m/£17.5m or 4% of turnover if greater. 

But that is not the whole story. Regulators are increasingly resorting to processor fines, and some big ones. So when do regulators choose to go after processors instead? 

Pure processing activities

Fines may attach to “pure” processor activities which are nothing to do with controllers. A 2022 fine from the Romanian regulator resulted from a processor appointing a sub-processor without controller authorisation, in breach of Article 28(2).  There is also risk for processors where there is a fundamental flaw in the design of the processing activity, as in this example from Italy where a processor was fined for producing faulty QR codes on parking permits which leaked personal data, against controller design instructions.

It's important to remember that processors have to co-operate with the regulator, and where necessary appoint a data protection officer (DPO). Processors and controllers have been fined for these types of infringements alone.

Going rogue

Other examples show the processor beginning to go rogue. See for example the fine of a supplier acting for a bank where the processor breached its duty to act on controller instructions by destroying credit scores rather than handing them to the controller. Or a security agency which leaked mobile footage of a security incident leading to breaches by the processor of Articles 32 (security) and Article 33 (failure to notify controller).  

In theory, processors which act outside controller instructions become controllers of that activity (Article 28(10)). For example the Greek regulator has determined that a processor operating a digital platform became an independent controller when it carried out an unauthorised data transfer.  But the infringing activity will still fall within the lower fining tier so re-classification of roles may make little difference in practice to the outcome. 

Pairing up

Sometimes, controllers and processors are fined concurrently. A neat example from Poland in 2022 saw fines of both the controller and processor, following a data breach caused by the “gross negligence” of the processor. Who pays more? Well in this case the controller was fined €1.14m, and the processor €58k. But in the eyes of the regulator the processor suffered a “more severe” fine (1.19% of annual turnover, as opposed to 0.18% of turnover).

The Cypriot data protection regulator sent the same message where a data breach of an insurance company's customers' personal data took place on the premises of a processor, in this case, a printing company which programmed a printer incorrectly. The processor received the larger fine, while the controller was liable for failures in due diligence and also the general requirement to safeguard processing activities (Articles 24(1) and 28(1)). 

The CNIL had no time for a controller and processor each blaming the other for security failings, when it fined a controller running an e-commerce platform and its web services processor €150,000 and €75,000 respectively for breaching Article 32 GDPR.

The US problem

All that said, these fines are generally small and rare. Influential processors with deep pockets are located far away from European shores, generally in the US, and extra-territorial enforcement is more of a headache for regulators, assuming the long arm of the law can even reach that far. Perhaps for this reason, there is a preference for compliance to be driven through the controller: we have seen a slew of fining activity where regulators will fine a controller based in the EEA, generally for inadequate transfer mechanisms, in order to discourage use of “problematic” US processors. See for example the fines of Swedish telecoms companies using Google Analytics, the Portuguese National Institute of Statistics using Cloudflare, and an Italian university using US exam surveillance software during the pandemic. 

Where a US processor has a group company in the EEA, then there are rich pickings, with a clear example being the €1.2bn fine of Meta Ireland as controller for unlawful transfers to its US processor. We suspect that this controller is not entirely in charge of its US parent, and the analysis of the relationship may be driven by factors other than a dispassionate look at purposes and means. Given the near impossibility of enforcing fines on US controllers (see Clearview), it’s a pragmatic solution.

Future gazing

It seems unfair that in a world of powerful processors, controllers still take the majority of risk while often still being unable to negotiate bespoke terms with suppliers. But the increasing power and responsibility of processors, as well as increasing European localisation, means that more processors will surely be on the hook in the future. 

Regulators agree. For example the Brandenburg supervisory authority in its 2022 report says it is looking at “more intensive scrutiny of service providers and, if necessary, the penalisation of unlawful behaviour”. 

They are aware that powerful processors can affect more than one processing activity, and several controllers. The Croatian regulator fined a processor in its own right in 2021 following a system hack, partly on the grounds that it “provides IT services to other mobile operators, banks and state institutions in the Republic of Croatia, as well as to companies abroad” so should be brought to book. 

Is this the shape of things to come? We saw the imposition of a €1.5m fine on a French software supplier in 2022 following a major leak of sensitive information. Part of the fine related to the inadequacy of its terms of sale, as well as security failings and careless migration. A good example of a processor in the driving seat, and therefore in the firing line. We are likely to see more. 

Key takeaways

• Controllers still carry the lion’s share of the enforcement risk, so tight processor oversight is indispensable.
• Using an EEA processor, at least in Europe, may mitigate some risks to controllers by making it less challenging to enforce and recover fines from the processor.
• Using larger processors in the right jurisdiction may increasingly deflect risk, although this should be balanced against reduced negotiating power.
• Very careful contractual allocation of liabilities - including for fines - is vital for controllers and processors.

 

Link to article