The role of third parties in the Data Protection Directive
August 2014 | PROFESSIONAL INSIGHT | INTELLECTUAL PROPERTY
Financier Worldwide Magazine
The concepts of ‘data controller’ and ‘data processor’ in the Data Protection Directive (the Directive) are not exhaustive. The Directive defines them by excluding certain criteria (e.g., determining the means and purposes of the data processing, and carrying it out on behalf of the data controller). Thus, entities that do not fulfill these legal requirements when processing data are excluded from the scope of these concepts, constituting a third group of those who are processing data that should be differentiated from data controllers and data processors.
This occurs if an entity carries out its own processing, thus fulfilling its own interests, without determining the purposes and means of the data processing.
The Directive offers several provisions that, according to its literal wording, are applicable to data processing carried out by entities whose roles do not fall within the definitions of data controller or data processor, defining this data processing and the liabilities and conditions that may be required of this third category of entities that process personal data.
Delimiting the concept ‘a third party to whom data are disclosed’
Two articles in the Directive establish the principal rules that permit delimiting the concept of this third group of those processing personal data: Articles 2 (f) and 7 (f).
Article 2 (f) of the Directive defines third parties as those that are different to the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data, mirroring the passive role of third parties that characterises the concept in civil law. Furthermore, Article 29 Working Party affirms that both meanings, Article 2 (f) of the Directive and the civil one, are the same in its “Opinion 1/2010 on the concepts of ‘data controller’ and ‘data processor’” (WP169).
However, the WP169 also recognises that the Directive establishes prohibitions, limitations and obligations for third parties that process data, recognising that these third parties have an active role processing data and must follow some prohibitions, obligations and limits.
Article 7 (f) recognises the legitimacy of data processing when it is “necessary for achieving the purposes of legitimated interests pursued by the…third parties to whom data are disclosed”.
This concept in Article 7 (f) of ‘third parties to whom data are disclosed’ is more limited than the concept in Article 2 (f). Third parties to whom data are disclosed carry out their own data processing, thus fulfilling their own interests. The phrase ‘third parties to whom the data are disclosed’ in Article 7 (f) refers to a qualified third party (the Pure Third Parties) which contrasts with the data controllers’ and data processors’ roles in different aspects.
First, Article 7 (f) grants Pure Third Parties its seal of approval, expressly recognising the possible existence of entities or individuals different from the data controller processing personal data determining their purposes and means. It is obvious that the phrase ‘third parties to whom the data are disclosed’ does not refer to the data controller, since both concepts are contrasted in this provision. Therefore, under Article 7 (f) of the Directive, Pure Third Parties process personal data without determining their purposes and means.
Determining the purposes and means for processing the personal data involves deciding how personal data are processed; that is, which physical and logical means are used to achieve the purpose sought through data processing and the decision as to why personal data are processed.
Second, under Article 7 (f), Pure Third Parties do not qualify as data processors, as this article expressly sets out that Pure Third Parties pursue a legitimate interest by processing the data. Those who act on behalf of controllers cannot have any personal interest in the outcome of the process they carry out (except the economic interest relating to the compensation agreed with the controller for the services provided, and their liability for the quality of these services).
Third, by establishing that, in these cases, Member State law must guarantee the legitimacy of personal data processing, the Directive gives prevalent importance to the self-interested pursuit of Pure Third Parties, which is only conditioned by the need to achieve a balance between the interest pursued and the interests, fundamental rights and freedom of the subject concerned, and defines and legitimises the role of the Pure Third Party.
Therefore, under Article 7 (f), Pure Third Parties are entitled to process personal data to satisfy a legitimate, unique, and personal interest; however, they must adapt data processing to the purposes and means determined by another entity that controls that processing.
Legal status of pure third parties
The Directive contains several special provisions that apply to Pure Third Parties, as outlined below.
Article 7 (f) of the Directive entitles the Pure Third Party to process data if the data subject’s interests, rights or freedom do not prevail over the legitimate interest pursued.
This limitation encourages Pure Third Parties to assess the impact caused by the data processing carried out over the data subject’s interests and fundamental rights and freedom, which appears to be a precedent for the ‘data protection impact assessment’ regulated in Article 33 of the Proposal for a General Regulation on Data Protection, currently under discussion in the European Parliament.
Article 29 Working Party Opinion 6/2014 “On the notion of legitimate interest of the data controller under article 7 of Directive 95/46/EC” (WP217) analyses these impact assessments and proposes several solutions for different scenarios that confirm this opinion.
Duties and limits of pure third parties’ data processing
Pure Third Parties have no obligation to inform the data subjects about data processing and are not required to deal with any data subjects’ requests to cancel or rectify the data. Under Article 11 (1) and Article 12 (c) of the Directive, these are the data controller’s obligations. Only when the data controller reports data subjects’ requests to cancel or rectify the data are Pure Third Parties obliged to fulfill them.
These articles contrast the concept of ‘controller’ with that of ‘third party to whom the data are disclosed’, consciously excluding Pure Third Parties from the obligations imposed only on controllers.
Regarding the right of opposition, Article 14 (a) of the Directive establishes that it is a right to demand that the data processing cease.
Despite its vagueness, Article 14 (a) prohibits the data controller from continuing to process data after receiving the request. This proves that the opposition provided for in this first section can only be exercised against the controller and, therefore, the Pure Third Party would have to stop processing as soon as the notification provided for in Article 12 (c) of the Directive is received.
Article 14 (b) regulates data disclosures to third parties for the purpose of direct marketing, granting again this right of opposition before data controllers, when it establishes the right to receive a notification that can only be required of the controller before disclosing any data to the third party or, subsequently, when the third party intends to use this data for advertising, so an objection to the process can only be made to the controller.
Processing assumptions regarding pure third parties
Finally, reference is made to some data processing assumptions that have raised complex discussions on the role of the entity that processes data, the cause of which lies in the fact that the entity carrying out the data processing clearly does not fall within the concept of data controller and, undoubtedly, cannot be considered a data processor. All these cases fit the concept of Pure Third Party.
Credit bureaus. The credit bureau processes data in accordance with the purpose (communication to third parties) and the means (the computer system used by the credit bureau) that the creditor has determined, to achieve the credit bureau’s interest; that is, to carry out this data processing as the aim of its business.
List brokers. List brokers have a direct interest in the processing they carry out from the moment they obtain the results deriving from using the list developed, which makes it impossible to interpret whether they act on behalf of the controller. However, they cannot be considered data controllers, because the purposes and means of processing are determined by the company providing the data for commercial use.
Internet search engines. Despite having developed the infrastructure to provide their services, search engines follow the instructions determined by web editors (through the robots.txt protocol or the codes ‘noindex’ or ‘noarchive’). In this case, editors determine the means and purposes of processing the data indexed and, therefore, act as data controllers for this processing (as WP148 and the AG Jääskinen have declared in the Google Case), while search engines process the data according to the editor’s specifications, but on their own behalf, carrying out a separate activity as Pure Third Parties.
However, contrary to this opinion, the ECJ has ruled in the Google Case, stating that search engines are data controllers when they index personal data published on websites.
The obligations and liability of these Pure Third Parties should be different while following the data controller’s instructions and conditions, because Pure Third Parties trust the data controller to grant them a legitimate licence to process the data, and they have no power of decision regarding the purposes and means of the data processing.
For this reason, we believe that the forthcoming General Regulation on Data Protection should regulate expressly the role of these Pure Third Parties, regulating their legal status with derogations similar to those established in the Directive.
J. Aparicio Salom is a partner and M. Serrano Navas is an associate at Cuatrecasas, Gonçalves Pereira. Mr Aparicio can be contacted on +34 915 247 717 or by email: firstname.lastname@example.org. Ms Serrano can be contacted on +34 915 247 717 or by email: email@example.com.
© Financier Worldwide
Javier Aparicio Salom and Marta Serrano Navas
Cuatrecasas, Gonçalves Pereira