One significant change under the General Data Protection Regulation is to place direct regulatory obligations on processors. This change, added to the significant sanctions under the Regulation, has led some processors to ask for an indemnity from their controller. How should you respond to this request and are those indemnities enforceable?
Obligations on processors
The General Data Protection Regulation splits the world into controllers (who decide what is done with personal data) and processors (who must act on the controller’s instructions). Processors only have very limited discretion over their use of personal data, and so only have limited regulatory obligations.
Those limited obligations can be broadly grouped as follows:
- Internal compliance requirements under the processor’s control; e.g. the obligation to keep proper records, appoint a data protection officer, co-operate with supervisory authorities, get the controller’s consent to subcontracting and notify breaches to the controller.
- A requirement to have a contract with controllers containing mandatory data processor obligations.
- Security obligations. Security is, by and large, under the processor’s control. However, there may be situations in which there is a shared responsibility with the controller – e.g. if the controller transfers personal data to the processor without appropriate security measures.
- Transborder dataflow. Under the Regulation, processors are directly liable for complying with the rules on transborder dataflow. This is potentially challenging, given the limited compliance mechanisms available to them.
However, the processor is not responsible for the core obligations under the Regulation. For example, it has no responsibility for ensuring that the processing satisfies processing conditions or that individuals are provided with privacy notices.
Private rights of action
There are two principal sources of liability under the Regulation. The first is private claims by individuals. These claims can be made against both controllers and processors. Importantly, where the controller and processor are both involved in the same processing of personal data, they can be jointly liable.
While this appears, on the face of it, to be a significant new risk:
- the processor is only liable where it is “responsible for any damage caused by the processing”, i.e. it has not complied with specific obligations placed on it under the Regulation. As set out above, those obligations are limited and largely under the processor’s control; and
- if a claim were to be made against the processor, it could simply join the controller in accordance with national laws (e.g. using a Part 20 claim in England) and/or rely on the express provisions in the Regulation that allow the court to apportion any liability between the controller and processor. In other words, this process should naturally result in each party bearing a fair proportion of the loss.
Regulatory enforcement
The second source of liability is regulatory sanctions. These are potentially significant. Supervisory authorities can issue administrative fines of up to EUR 20m or 4% of annual worldwide turnover (though for processors most breaches are subject to a lower tier of fines of up to EUR 10m or 2% of annual worldwide turnover). Whether this level of fine will be imposed in the short to medium term, other than for the most serious breaches, remains to be seen.
In any event, the following factors are important:
- a processor can only receive an administrative fine for breach of its obligations under the General Data Protection Regulation. It cannot, for example, be fined because the controller on behalf of whom it acts does not have lawful grounds to process that personal data or has not provided appropriate privacy notices; and
- even where the controller and processor are both liable for the breach, the supervisory authority will likely, as a matter of practice and human rights law, impose sanctions in a manner that reflects the relative fault of each party.
Costs and expenses
While not an area of liability as such, processors might also be concerned about the cost and expenses of dealing with private claims or with regulatory enforcement. These could be considerable regardless of the underlying merits.
An indemnity is likely to be effective in recovering those costs and expenses under English law (see for example, Global Draw v IGT-UK Group Limited [2014] EWHC 2973). Whether a processor can reasonably expect this protection is primarily a commercial issue. However, there is some justification for the argument this is a cost of business that the processor is best placed to manage and mitigate.
Asymmetric risks
The analysis so far assumes the position of the controller and processor is largely similar. It is worth noting there could be asymmetric risks. For example, the position might change if there is a significant difference in the turnover of the controller and processor. If the processor has a much larger turnover, it might be exposed to a much larger fine than the controller.
Similarly, additional considerations apply if the controller and processor are not in the same jurisdiction. For example, if the processor is based in the EU and the controller in the US, the processor might become the focus for any enforcement action due to the practical difficulties in enforcing against the US controller.
Is the indemnity enforceable?
The general position on illegality under English law was recently considered by the Supreme Court in Patel v Mirza. The court decided a claim should not be enforced if it is harmful to the integrity of the legal system. In assessing whether the public interest would be harmed in that way, it is necessary:
- to consider the underlying purpose of the prohibition which has been transgressed and whether that purpose will be enhanced by denial of the claim;
- to consider any other relevant public policy on which the denial of the claim may have an impact; and
- to consider whether denial of the claim would be a proportionate response to the illegality, bearing in mind that punishment is a matter for the criminal courts.
How these considerations apply to an indemnity under the Regulation will depend on the facts. At one extreme, the indemnity is unlikely to be enforceable if the controller and processor intended at the outset to breach data protection laws (Transport for London v Griffin). At the other, it is highly likely to be enforceable if the liability arises due to innocent or negligent conduct, or if it relates to the costs and expenses of defending an action (Coulson v NGN).
Should you provide an indemnity?
Putting these factors together, there are grounds to resist such an indemnity. Processors are, generally, only liable if they breach the limited obligations placed on them. Even where they are liable, liability should be apportioned by the courts or the supervisory authority. It is not clear why an indemnity should be included to rebalance that liability. However, this is all a question of commercial leverage.