"Joint controllership" is more common than many think. Access is not a prerequisite for a joint controller of personal data, nor is involvement in determining the means of processing; people can be joint as well as independent controllers and processors in relation to the same activity. But each data processing activity needs to be assessed closely – and, as always, contract terms are crucial for complying with UK and EU data protection laws and allocating risk and liability.
Those were some of the main observations and takeaways from the opening webinar, given by Daisy Jones, Senior Associate in Osborne Clarke's data team, of a new "Dipping into Data" series, which explores the legal, regulatory and commercial considerations around the use of data (whether personal data or otherwise), including intellectual property rights, data privacy, contractual considerations, competition law and sector-specific regulation. So what are five crucial aspects to know about and explore when considering joint controllership?
1. Joint controllership is more common than you might think
Joint controllership is defined in Article 26 of the UK and EU General Data Protection Regulation (GDPR) as arising when two or more controllers jointly determine the purpose and means of processing. The concept has been interpreted in pre-GDPR case law from the Court of Justice of the EU (CJEU) and in draft guidelines from the European Data Protection Board (EDPB), both of which suggest that it is a much broader concept than many might assume.
The draft guidelines from the EDPB seem, in parts, to go further in their interpretation of joint controllership than the CJEU has described, particularly in the EDPB's description of how joint control can arise where two or more parties make "converging decisions", and in the concepts the EDPB uses to describe those decisions.
According to the EDPB, decisions are converging decisions if they complement each other and are necessary for the processing to take place in such manner that they have a "tangible impact". An important consideration in assessing converging decisions is whether the processing would not be possible without both parties' participation, in the sense that the processing by each party is inseparable or "inextricably linked". The EDPB provides examples of these "converging decisions" in its draft guidelines.
Data protection authorities and the courts are most likely to seek to find joint controllership where, without it, there are gaps in the protection of personal data (indeed, that was the case in the pre-GDPR case law from the CJEU).
2. You don't need access to personal data to be a joint controller of it, and you don't need to be involved in deciding the means of processing
When determining whether two or more parties are joint controllers of personal data for a particular processing activity, both CJEU case law and the EDPB's draft guidelines make clear that it is irrelevant whether each of those parties has access to that personal data. Even without access, a party can still be a joint controller.
Similarly, it doesn't matter if only one party is deciding the means of processing and the other is making use of those means. Those parties can still be joint controllers; for example, where a plug-in or widget (the means for collection of personal data) is provided by one party and used by another on their website.
3. You can 'wear several hats' in relation to the same activity – an independent controller, joint controller and a processor
What looks like a single processing activity – for example, collection and use of personal data for the purposes of targeted advertising – can usually be broken down into different stages, and, when they are, it is perfectly possible for two parties to "wear different hats" in relation to the same personal data for each of those stages.
A good example of that is where a website owner embeds a third party plug-in or widget on its website. The website owner and the owner of the plug-in or widget will usually be joint controllers in relation to the collection of personal data via that plug-in or widget, even if not for each party's subsequent use of that personal data (although even that is likely to be an over-simplification!).
4. The devil is in the detail and its assessment
It is important to closely assess each data processing activity where more than one party is involved in the processing of personal data.
Can that activity be broken down into different stages? In relation to each of those stages, what is happening with personal data, and what is each party doing with it (or potentially doing with it)? What, therefore, is the role of the parties? Finally, what does that then mean for each party's obligations, liability and the contract terms between you (more on this below)?
That assessment will usually form part of a data protection impact assessment.
5. Contract terms are crucial (but won't change the analysis)
Why does it really matter whether you are an independent controller, joint controller or processor in relation to the processing of personal data for a particular activity (or part of it)?
In short, your role in relation to personal data will determine: your obligations under UK and EU data protection laws; what clauses you are required to include in the contract between you and the other party; and, potentially, your liability to pay compensation for damage caused to data subjects.
Only some of the obligations of the UK and EU GDPR apply to processors, and the clauses that are required to be included in contracts between controllers and processors are very different to those that are included in contracts between two or more controllers (whether joint or otherwise). A comprehensive contract between two independent controllers may look quite similar to a contract between two joint controllers, but there will still be some differences: for example, around how the parties are required to make the "essence of the arrangement" available to data subjects (something that is required in relation to joint controllers but not necessarily in relation to independent controllers).
In relation to liability to data subjects, Article 82 of the UK and EU GDPR provides that where more than one controller or processor, or both a controller and a processor, are involved in the same processing (so that could be joint controllers, independent controllers or a controller and a processor) and they are responsible for any damage caused by the processing, each controller or processor shall be liable for the entire damage. The liability of each joint controller is, therefore, joint and several, and the full amount of compensation may be recovered by the data subject from either of the joint controllers. However, Article 82 does not prevent a separate contractual allocation of liability and risk between the two joint controllers themselves.
Contract terms are crucial for complying with UK and EU data protection laws, for clearly allocating responsibility for compliance with the various requirements and for determining the contractual liability of the parties to each other in the event of non-compliance. However, it is the facts of the processing (that is, what is actually happening) that will determine the roles of the parties, not the contract; there's no easy way out of undertaking that analysis.
If you'd like access to the recording of the webinar, or if you'd like to discuss any of the issues relating to joint controllership in more detail, please get in touch with one of our experts or your usual Osborne Clarke contact.