Am I My Brother’s Keeper?
Companies’ requirement to take appropriate measures to prevent any breaches of GDPR obligations is a part of the accountability principle of Article 5(2) of the GDPR - says the CJEU. This clarifies the data protection compliance obligations that companies must fulfill and extends them to processing chains.
- If multiple controllers rely on a shared global legal basis, losing the legal basis for one controller results in the loss of legal basis for all controllers (referred to as the "All for one and one for all" principle).
- Controllers are required to establish technical and organizational measures to inform other controllers when data subjects exercise their rights ("Controller's right to know").
- Controllers must inform third parties, such as search engine operators, to remove information based on personal data that is no longer allowed to be processed by the controller ("general clean up").
Facts of the decision:
The plaintiff is a Belgian telecommunications provider. They operate publicly accessible phone directories, in which the names, addresses, and phone numbers of users are listed. The plaintiff received some of this data from third-party providers based on consent, which was also the basis for the sharing of the data. The plaintiff also shared the data with third-party phone directory providers.
The complainant is a subscriber of a telephone service provider that does not offer phone directories. However, this provider regularly transmitted data of its subscribers to the plaintiff.
In the disputed case, the complainant requested the plaintiff not to list their data in the directory. Initially, the plaintiff complied. However, due to a technical error, the data was again listed as non-confidential in the next update of their records and accordingly appeared in their public directories.
Upon further request for deletion by the complainant, the plaintiff deleted the entry. However, the complainant still complained to the Belgian data protection authority, which imposed a fine of €20,000 on the plaintiff for violating Art. 6 in conjunction with Art. 7 GDPR and Art. 5 (2) in conjunction with Art. 24 GDPR. The authority also requested that the plaintiff take further remedial measures.
The plaintiff appealed this decision to the Brussels Court of Appeal, which referred several questions to the CJEU for the interpretation of Art. 5, 17, and 24 GDPR.
With its third question, the referring court essentially seeks to clarify whether a national supervisory authority can decide, under Article 5(2) of the EU General Data Protection Regulation (GDPR) and Article 24 of the GDPR, that the data controller must take appropriate technical and organizational measures to inform third-party controllers, namely the telecommunications provider and other providers of subscriber directories, who have received data from this primary controller, about the revocation of the data subject's consent in accordance with Article 6 of the GDPR in conjunction with Article 7 of the GDPR.
CJEU: New Accountability and Compliance Obligations
On the third referral question, the Advocate General and the Court have recently emphasized that they take the terms "control" and "accountability" literally. Let's take a step back and take a closer look at a decision from last year.
1. The GDPR game changer: How C-175/20 shifted the burden of proof in IT system design
In the case of C-175/20 - "S" SIA/Valsts ieņēmumu dienests (until today not available in English on the official website of the CJEU), the court made an important determination. They concluded that Article 5(2) of the GDPR involves a procedural shift in the burden of proof. This shift extends not only to the actual operation but also to the design phase of information technology systems. This means that when it comes to compliance with data protection principles outlined in Article 5 of the GDPR, as well as their specifications like Article 25 ("Privacy by Design, Privacy by Default"), the onus is on the developers and organizations involved.
Since the decision has not been published in English on the CJEU's website to date, here is a translation from the French version provided independently.
Para. 77
In this context, it should be noted that, according to the principle of accountability enshrined in Article 5(2) of Regulation 2016/679, the data controller must be able to demonstrate compliance with the principles for the processing of personal data as set out in paragraph 1 of that article.
Para. 78
Consequently, it is the responsibility of the Latvian tax administration to prove that, in accordance with Article 25(2) of this regulation, it has made efforts to minimize the amount of personal data collected as much as possible.
Para. 81
As derived from Para. 77 above, the burden of proof in this regard lies with the Latvian tax administration.
The German Federal Administrative Court (Bundesverwaltungsgericht, highest administrative court in Germany) immediately applied the CJEU's case law to national cases (judgment of 2 March 2022 - 6 C 7/20, para. 50):
This provision not only establishes accountability and reporting obligations of the data controller to the supervisory authority, but also regulates, according to the case law of the Court of Justice of the European Union, the burden of proof in cases where compliance with the principles of Article 5(1) of the GDPR is in dispute between the controller and the data subject in a legal proceeding.
It is not an exaggeration to say that the CJEU's decision will have a lasting impact on procedural laws in all jurisdictions.
For example, when creating a new social media platform, the designers must ensure that user privacy is embedded within the system's architecture from the very beginning, rather than as an afterthought. To achieve this, designers, developers, and organizations involved must adhere to several technical and organizational strategies. To give an example:
- Firstly, adopting secure development practices, such as regular security audits and vulnerability assessments, contributes to the platform's overall security and reduces the risk of data breaches. This approach aligns with the GDPR's emphasis on proactive security measures.
- Secondly, do not underestimate the importance of integrating privacy-aware APIs and third-party services. This involves carefully evaluating the data protection policies of third-party providers and minimizing data sharing to protect user privacy.
- Thirdly, implement clear privacy settings and user consent mechanisms, giving users control over their data.
All of the requirements of Art. 5 GDPR (including Art. 25 GDPR et al.) must be provable by the data controller in court, using documents, witnesses, or expert testimony. The effort that controllers must undertake to provide legally admissible evidence of compliant behavior has significantly increased due to this decision. Assistance in this regard could be provided by the instrument of a Data Protection Impact Assessment (DPIA), if it is applied correctly and, most importantly, in a timely manner. DPIAs can play a crucial role in the early-stage application of Privacy by Design. By conducting a DPIA at the beginning of a project or system development, organizations can identify potential privacy risks and address them proactively. This early assessment allows for the integration of privacy-enhancing measures into the design and development process, ensuring that data protection principles are embedded throughout the system's lifecycle.
2. Shifting gears in compliance management: How the CJEU's C-129/21 decision reinforces data controllers' obligations
Article 5(1)(a) and (2) of the GDPR stipulate that processing of personal data is lawful only if the data controller can demonstrate that it is being done lawfully and in good faith. Additionally, Article 24 of the GDPR mandates that the data controller must adopt suitable technical and organizational measures to both ensure and demonstrate that their data processing adheres to the requirements of the regulation. In the current case, the CJEU goes beyond previous rulings and places an additional responsibility on the data controller to notify all parties involved in the processing chain (in this instance, the data recipients) when data subject rights are exercised, specifically in the context of revoking consent. This is intended to enhance the effectiveness of data subject rights.
If there is a group of controllers who obtain their permission to process data from the same "global" consent, then by exercising data subject rights (such as "revocation of consent") against one of the controllers, the consent for all controllers is revoked. The basic concept can be summarized as follows: if the legal basis (the "global" consent) is withdrawn from one controller, it is automatically invalidated for all controllers.
Although there is no explicit obligation, the CJEU concludes that enforcing data subject rights across multiple controllers processing data requires, at a minimum, an obligation to provide information about the exercised data subject rights between the controllers (as stated in paragraph 85 of the “Proximus” decision). To avoid time-consuming debates between the contracting parties about the interpretation of this decision, it is advisable to revise existing data processing agreements and include this obligation explicitly.
The court correctly points out that these technical and organizational measures are not limited to the immediate parties involved, but also encompass third parties who have indirectly benefited from the original data processing (paragraph 91 of the “Proximus” decision):
Other recipients, including search engine operators, should also be notified of requests for data erasure by data subjects, so that they can take appropriate action and remove personal data from their search results.
It is worth highlighting that the CJEU regards these obligations not as an interpretation of the provisions on joint controllership under Article 26 of the GDPR, but rather as an inherent obligation of each data controller under Article 24 of the GDPR. This provides a glimpse of how rigorous courts may become in the future when dealing with any diffusion of responsibility in processing chains. This will be the case even if there is controversy and potentially unresolved questions about whether and to what extent joint responsibility for certain processing operations exists, which may need to be referred to the CJEU for clarification.
Lawyers, management consultants, auditors, and certification service providers will have a significant amount of work to do as a result of this decision.
This is crucial because evading liability for compliance violations, including the direct liability of directors and officers, can only be achieved by establishing and vigilantly monitoring appropriate structures, such as a robust information security and data protection management system. Implementing a "Plan-Do-Check-Act" (PDCA) process is essential for maintaining these structures. For example, a company might create a comprehensive data protection management system, execute the necessary policies and procedures, routinely assess their effectiveness, and make adjustments as needed to ensure ongoing compliance with relevant regulations. This proactive approach not only mitigates potential risks but also safeguards the organization and its leadership from legal repercussions.
Furthermore, the reversal of the burden of proof under data protection law concerning the fulfillment of these compliance obligations poses a substantial challenge in terms of resource allocation for data protection officers, data protection coordinators, operational data protection teams, and in-house legal and IT experts. This shift means that these professionals must now proactively demonstrate their organization's compliance, rather than merely react to potential violations. For example, data protection teams and officers may need to invest more time in training employees, conducting regular audits, and preparing thorough documentation to prove adherence to regulations.
As a result, organizations must be prepared to allocate additional resources to ensure that their data protection and compliance teams and officers have the necessary support to meet these heightened expectations and successfully navigate this new legal landscape.
Article provided by INPLP member: Peter Hense (Spirit Legal)
Co-Author: Tea Mustać
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)