In July, I told the short version of the story of Mario Costeja González. His crusade to have an 11 year old embarrassing newspaper report removed from search results on his name brought him up against Google and into the European Court of Justice. It resulted in the landmark “Right to be Forgotten” ruling and ironically ensures that Senor Costeja González will forever top google search results! The court case highlighted some of the difficulties that European data subjects could encounter when attempting to exercise their rights to access, rectification and objection under the current law. Google attempted to argue it was not established in Spain as a data controller since its data processing was not carried out in Spain. In the Max Schrems Vs Facebook case Vienna-based Mr Schrems was required to complain to the Irish Data Protection Commissioner and when he received what he interpreted as an unsatisfactory response he had to appeal in the Irish Courts before having the case transferred to the European Court of Justice. These cases highlight some of the new rules governing the establishment of Data Controllers and Data Processors in the EU.
What is a data controller and a data processor?
A data controller is defined as the entity who determines the purpose and methods of processing data. A data processor is the entity who carries out the processing on behalf of the controller. A simple test to determine if you are a processor or controller is to ask whether the data would be processed if you didn’t exist(controller) or if someone giving you instructions didn’t exist(processor). It’s possible to be a processor and controller for the same data. A data processor may undertake one set of actions on data on behalf of a controller and a different set of actions by their own choice. Since they determine the second set of actions they are a controller in this instance. These definitions are unchanged from the existing EU Directive 95/46. What has changed is some of the rules around “Establishment” of the controller and processor. Establishment here means how it is determined under which EU member state’s jurisdiction a company operates for the purposes of data protection.
Why is Establishment important?
Establishment affects where data subjects can exercise their rights under data protection law, which supervising authority deals with the company in carrying out their enforcement activities, and where court proceedings are carried out. Companies have a single establishment when they operate in only one EU member state. Companies can have multiple establishments in the EU when they have operations in multiple member states. This has led to the creation of the concept of a “Main Establishment” in the GDPR. The main establishment of a data controller is the member state where the controller’s central administrative functions are located. Alternatively, it is the member state where the decisions about processing personal data are taken as long as the operation also has the power to have these decisions implemented. There is a requirement for the controller to identify their place of establishment to data subjects at the time that personal data is being collected. The main establishment of a data processor is the member state where the processor’s central administrative functions are located. Alternatively it is the member state where the main data processing activities take place. Cross-border processing is data processing by controllers or processors who are established in more than one EU member state. It is also processing by controllers or processors who have a single establishment (remember, located in only one EU member state) but their data subjects are located in multiple member states. I would have assumed that cross-border processing is very common. Most companies have an online presence and would deal with data subjects in multiple member states. But actually, the number of SME companies who fall into this category is smaller than you would expect. According to the European Digital Single Market initiative only 7% of SMEs sell cross-border in the EU.
What this means when dealing with data subjects.
Data subjects have right to access their personal data, right to rectify inaccuracies, right to request erasure, right to the restriction of processing, right to data portability and right to object to the processing of their personal data. It is the responsibility of the data controller to ensure the rights of the data subject are observed. Prior to the GDPR, the data subject had to exercise their rights in the member state where the data controller was established. GDPR changes this. Apart from clarifying the rules of establishment for the data controller, GDPR also clarifies where the data subject can exercise their rights. That can be either in the member state that is the main establishment of the controller or in the member state where the data subject lives or works or in a member state where the (alleged) infringement took place. In practice what this means is if a data subject needs to raise a concern about the handling of their personal data by a data controller they can choose to raise it with the supervising authority in the member state where they work, where they live, where their data was processed or where the data controller is established. This decision is up to the data subject. However, the supervisory authorities may choose to refer the case onto the supervisory authority in the member state where the data controller is established.
… and for Supervisory Authorities(SAs)?
GDPR introduces some very complex rules for SAs. For the most part, only SAs need to be concerned about these. In a nutshell, they must cooperate and communicate and they must do so in a timely manner. For data controllers and data processors, the GDPR defines a Lead Supervisory authority who is responsible for supervising cross-border processing. The lead SA is the SA based in the EU member state where the data controller (or processor) is established. If a data subject makes a complaint to the SA in the member state where they live, then that complaint may be dealt with by the originating SA or by the lead SA. The originating SA must inform the lead SA about the case. The decision about which SA handles the case rests with the Lead SA. The significant change for companies who are operating in the EU is that they may be required to deal with SAs from a number of member states. Depending on where the data subject lives or works they could end up dealing with many different European data protection authorities. However, the one-stop-shop mechanism kicks in where there is an issue in member states where they are not established. In this case, the data controller should expect to deal with their own SA(the lead SA). Also, in the spirit the Digital Single Market aim facilitate cross-border trade the regulation allows the Lead SA to choose to deal with all cases that come up across EU member states regarding a data controller established in their member state. It also states in Article 57.6 “The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.” The burden for coordination, communication and investigation of cross-border data protection issues does appear to sit with the European Supervisory Authorities. Its going to be important for data controllers to clearly identify their country of establishment in the EU. They will need to clearly communicate this information to data subjects. Companies will need to ensure that they have a reasonable level of awareness and competency in data protection in every EU member state where they are established in order to avoid dealing with multiple supervisory authorities in the case of cross-border data requests. Data controllers and processors would benefit from adopting similar procedures and time frames to those laid down in the GDPR for intra-member state supervisory authority cooperation.
What if it all goes wrong and you end up in court?
Not something any individual or company sets out to do – end up in court – but it does happen. Under article 79 of the GDPR court proceedings can be initiated in the member state where the data subject lives or in the member state where the controller or processor has “an establishment”. Interestingly Article 79 doesn’t refer to the “main establishment” of the controller or processor. But it clearly empowers the data subject to choose the location of the court proceedings in the first instance. Now, this is where it gets tricky, if there are court proceedings in train on one EU member state involving a controller or processor and a similar case is taken in a different state involving the same controller or processor, then the proceedings in the second state can be suspended by the second (and any subsequent courts). The second court (and any subsequent courts) can also decline jurisdiction.
So, what does it all mean for EU based companies?
Most larger companies can expect to engage in some form of cross-border data processing – either they will be established in multiple member states or they will be dealing with data subjects in multiple member states.
- Figure out (and by that I mean clearly document!) the full list of member states where your company does business.
- Next, determine your place of “main establishment”.
- Communicate the contact details for your data controller clearly to data subjects when the data is being collected.
- There are rules around Establishment. You cannot simply choose a benign data protection supervisory regime and nominate that member state as their main establishment. The main establishment is where the key decisions about personal data are taken or where the main European administrative function of the company is located (the EUHQ).
- Be prepared to respond to data subject requests from any member state where your data subjects reside. Ensure you have a responsible and trained staff member in every EU state where you do business.
- Be prepared. You may end up dealing with supervisory authorities in your state of main establishment, in the state where the data subject lives or works, or in the state where data processing took place.
- Be aware that you may be subject to court proceedings in whichever state a data subject resides.
My best advice for companies – data processors or data controllers – who carry out cross-border data processing is to examine the rules under which the EU Supervisory Authorities will operate. Put in place a similar set of procedures for your company that will ensure you can work effectively across member states.