The European Union data protection regulation namely the EU GDPR which has attracted global attention due to the twin provisions of “Applicable to a controller or processor not established in the union” (ed: in some circumstances) and the obnoxiously huge administrative fine set at 4% of global turnover of an undertaking, has naturally caused a stir even in India where many IT companies are facing the demand from their international business partners to be “GDPR Compliant”. The regulations will kick in from 25th May 2018 and there is a mad rush to understand and implement the compliance measures as otherwise, business organizations need to suspend acceptance of any GDPR Sensitive personal data until they are ready.
Everyone is a Data Processor
In the process of application of GDPR regulations, one dilemma which organizations both in India and abroad face is to determine if they are “Data Controllers” or “Data Processors” under GDPR?
The regulation places the main responsibility for compliance with the Data Controller and though Data Processors may also be liable under the regulation, they are under the contractual operational control of the Data Controller. Their main responsibility is to abide by the instructions of the Data Controller in terms of “Privacy by Design”, incorporating the necessary organizational and technical controls for compliance.
In any practical situation, data processing is not as simple as GDPR presumes while drafting these regulations. It is not as if there is a data subject who gives his personal data to a Company and the company keeps it with itself, processes it and uses it, and takes responsibility for its security during its life cycle until it is destroyed. In such a scenario, the use of a “Informed consent” before collecting the data and adherence to its terms is feasible as envisaged under the GDPR.
However the personal data processing that happens in the industry which includes the IoT, the Social Media, Big Data Analytics etc is not as simple as the above scenario where there is only one business entity which has a direct relationship with the data subject and therefore can assume the personal data responsibilities envisaged under GDPR.
As a rule, Data is collected by a “Data Collector”, “Processed by one or more data processing companies some of whom are spread across different countries” and processed data is “Consumed” by a “Data Consumer”.
“Personal Data” itself is not a single electronic file such as abc.doc. It consists of multiple data elements such as name, age, social security number, email address, IP address, phone number, etc., and is one element in a data base row and column. Within this data element it is a sequence of bits of zero and one and if we want we can split the data element to byte level or even bit level.
The presence of multiple handlers of personal data, their geographical spread and the nature of data as an aggregation of data elements in a data base introduce certain complications which creates conflicts when a company is genuinely trying to be compliant with the “Spirit of GDPR” which is to “Protect the fundamental right of the EU citizen for protection of his Privacy Rights”.
GDPR has failed to provide the necessary clarity and caused a huge confusion in the market.
GDPR has defined a “Data Controller” under Article 4(7) as follows:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
On the other hand,
a ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” under Article 28 is the person who carries on “Processing” on behalf of a controller, providing sufficient guarantees to implement technical and organizational measures in such a manner that processing will meet the requirements of GDPR.
Since “Processing” by definition includes every IT operation that can be done on data, every person who deals with the data is a “Processor”. The Data Collector as well as the Data Consumer is also a “Data Processor”.
Under the circumstances, it is difficult to find out who is the “Data Controller” who is the principle entity which is responsible for determining how the personal data has to be processed? and obtains assurances from another “Processor”.?
If there is an “Intermediary” who only transmits the data in a network, there is clarity that he would be neither the Data Controller or the Data Processor provided he does not chose the data subject from whom the data is collected or how it is collected. Any other entity which deals with the data could be considered as “Processors”. Hence there will be many processors of data in the data processing chain within the life cycle of a data set which qualifies to be called “Personal Data of XYZ”.
This personal data takes birth at the time of its collection by the data collector and survives through processing and consumption until it is no longer required and is deleted from all the systems where it left traces during its life cycle. Such life cycle may extend from a few days to several years until the data is useful.
For example, if a health data manager (say an insurer) has collected the health of a just born baby, such data is relevant at least until the baby leaves the world as an old person after 90-100 years. (Under GDPR the data ceases to be sensitive after death while HIPAA may carry it forward for another 50 years).
Through out this 100 years of data processing, GDPR expects that the data subject should have control on the data. When collected, the Data Controller should tell him who will all be processing the data, (apart from why and how etc). If there is any change in the processing then the Data controller has to go back to the data subject and obtain a re-permission to change the data processor stating why such a change is required, who will be the new processor etc.
Contractually similar obligations will have to be carried through by the Processors with their sub-contractors.
If any of the processors or sub contractors are using manpower who are not employees but are under individual work contracts, each one of those work contractors would be a sub contractor and if there is any addition (or deletion) of a single work contract entity, then the information has to be carried through back to the data subject for his “Explicit Consent”.
Well, let us assume that EU considers all this is an obligation that the industry has to undertake because the individual’s right to Privacy is supreme.
So Who amongst the Data Processors is the Data Controller?
Our immediate problem is to have a clarity on which of the data processors amongst the many involved in a given context is to be considered as a “Data Controller”?
If we go by the definition, the person who determines the purposes and means of the processing of personal data is the controller.
In a commercial world, “Consumer is the King” and he determines what product or service he wants to buy. If he is a “Data Consumer”, then will it be the “Data Consumer” who will be the Controller?
Though “Consumer is the King”, his rights are limited to the choices made available by a manufacturer and facilitated by a distributor or a retailer.
Then, is the “Consumer the real king”?.. Is it not the Manufacturer?… Is it not the powerful sole distributor in a region?… Is it not the powerful retailer who is offering tempting discounts?… who is really the person who determines which product needs to be supplied to the market?… are questions that we need to ask ourselves.
Beyond all these supply chain managers, what is the role of an “Advertiser” and the “Publishing Media” in determining which product is good for the consumer and which he should consume?…. Is he not the real “Controller” who determines which product is consumed by whom and why?…
If there is a similar situation where Data is being consumed by one entity but is produced by another entity, distributed and retailed by other entities, and there are Data Science experts who determine which data is reliable, which is to be consumed etc., then in this complex scenario, who is the “Data Controller”?
This is the dilemma which is now confronting the data industry.
Since GDPR expects the Data Controller to determine the processing details, whoever assumes that he is the Data Controller is demanding that all other processors share with him the identity of his sub processors, the details of processing strategies adopted, right to audit etc.
In the process the IPR of the down stream processors is seriously compromised.
If a processor shares the identity of all his sub processor to his upstream Controller, why should the Controller not short change the processor and go directly to the sub processor?. In fact he will definitely do so at the earliest opportunity.
As a result, the business of intermediary processors is seriously threatened unless they are able to justify their existence with a value addition commensurate with the price they charge. May be this may reduce the end consumer price of a commodity or degrade the quality.
I am sure that this consumer protection was not the objective of GDPR and hence it is only an undesirable off shoot of the empowerment that GDPR had to give to the “Data Controller” so that he will be in complete charge of the down stream processing.
Why the Data Consumer should not be the Data Controller
The Data consumer is a business entity which is concerned about its business for which data is a raw material. We cannot expect the Data Consumer to be able to protect the “Fundamental Democratic Right of the Citizen”. He has direct relationship with the consumer of his product and not the data subject.
Can we expect a Car dealer to worry about the person who is supplying some component to the manufacturer and take care of his interest?.
Similarly, there is a distance between the data consumer and the data collector which makes it impossible to place the responsibility for data subject’s rights protection with the data consumer. For example, if the data subject wants to revoke his permission and withdraw the consent, will the data consumer be interested in dismantling the product he has built up and return the data? He will some how justify his legitimate interest and say that the data subject’s right to deletion or rectification cannot be protected.
Hence it is in principle in-correct to make the data consumer responsible as a Data Controller under GDPR. It is also inconceivable that the copy of the consent provided by the data subject is shared by all processors and the Data Consumer and that every body refers to it and abides by it.
Data Collector should be the Data Controller
The immediate relationship of the data subject is with the Data Collector. It is the Data Collector who provides the consent request and based on the trust that the data subject places on the data collector (or any benefit he receives in return) that the data subject provides his consent.
Hence if there is any future requirement of rectification, portability, access, or erasure, the data subject can contact the consent collector who is also the data collector and no body else.
Hence the Privacy Right protection of an individual data subject can only be handled by the data collector.
Hence the Data Collector should be the person who should be recognized as the “Data Controller”.
The Data buyers like the Data consumers place their request for data with a category specification and donot say which data subject’s data they require to be collected. It is the Data collector who based on the demand for a particular type of data goes to the market collects data of different data subjects, sifts it to the requirements of different consumers, puts it in different buckets like in the case of a “Whole sale market” and the data consumer picks up the bucket he wants.
In this kind of a scenario the data consumer is not the “Data Controller” and it is the “Data Collector” who is the controller.
Except in the case where a Data Consumer appoints a contractual data collector to collect specified individual data subject’s data, in all other cases, it is fair to consider that the data collector is the data controller.
This approach will be practically feasible for implementation. Accordingly, where there are multiple processors involved, the Data Consumer may specify the type of data he is looking for and leave it to the next person in the data chain to determine where he will hunt for the data.
As long as the sub processors retain the data subject’s requirement definition to generic description of the type of the data subject who needs to be targetted and donot specify the exact living natural person whose data is to be collected, they will remain to be only processors and not controllers.
The final processor who is also the data collector who goes to the living natural person from whom he collects the personal data is the only person who should be considered as the “Data Controller”. He identifies himself to the data subject and the data subject identifies himself to this data collector and they exchange the Privacy Notice and acceptance so that a contractual relationship gets established.
Any other inference would create insurmountable difficulties in implementing the GDPR provisions in toto. It will also lead to wrongful data disclosures where the data processors release data subject’s information not being able to properly identify the data subject thinking that it is a genuine request.
Though GDPR provides for “Joint Controllers” and therefore every processor can be defined as a “Controller”, such approach may create a chaotic situation when a crisis of a data breach occurs where every one will be blaming every one else and every processor across the globe has to set up representative offices in EU etc.
I wish the above view is acceptable to the community. Please feel free to give me your feedback through a comment here in or through email