A recent opinion from the Advocate General in the NVSC case (Opinion) underscores that controllership is a broad concept and highlights the importance of carefully considering any engagements with third parties on projects involving data processing. Our data privacy team consider a recent opinion from the Advocate General considering the concept of controllership that will be relevant to anyone engaging third parties to develop apps or provide other services such as market research surveys or clinical trials.
Background to the case
The case related to an app called “Karantinas” that was designed to collect and monitor the personal data of individuals who had been in contact with COVID-19-infected patients. The Lithuanian Ministry of Health had instructed the National Public Health Centre (NVSC) to arrange for development of the app through a public tender process. NVSC in turn told a company called “IT sprendimai sékmei’ UAB” (ITSS) it has been selected to do the development.
The app was developed, and without authorisation, by NVSC. It was made available publicly including on the Google Play Store mentioning both NVSC and ITSS as controllers. This took place before NVSC had acquired it from ITSS as initially planned as part of the official tender process and without any agreement between the parties.
The negotiations for the acquisition of the app by NVSC ultimately fell through due to lack of funding at which point NVSC notified ITSS to not refer to NVSC publicly in respect of the app, which continued to be publicly available.
The Lithuanian supervisory authority ultimately ordered the app to be suspended and started an investigation into both NVSC and ITSS for infringements of GDPR as joint controllers in respect of their processing of data of the thousands of users who had used the app. NVSC had never processed any of this data and objected to this on grounds it was not a controller.
What the Advocate General said about controllership
The Lithuanian courts referred several questions to the Court of Justice of the European Union (CJEU). Those relevant to the concept of controllership were:
First, was NVSC a controller?
Yes - subject to the Lithuanian court verifying the facts. The AG looked at factual rather than formal indicators. The fact NVSC was formally identified as controller on Google Play Store and publicly was relevant but not conclusive nor was the fact NVSC wasn’t the legal owner and didn’t formally approve the launch.
The key factor was whether NVSC had factually influenced the actual data processing and consented (express or implied) to the release
of the app.
In this case, the AG considered the fact NVSC had commissioned the design of the app was not in and of itself sufficient. However, the AG noted that NVSC had also been involved in determining the “means” of processing by determining the data categories to be collected, from which the data subjects and other keys aspects of the processing were determined. NVSC had also determined the “purpose” by setting the objective of the app, ie collection of COVID data, and regularly modifying its functionality. Subject to the national court verifying these facts, the AG considered NVSC was a controller.
Second, did the lack of formal agreement mean there was no joint controllership?
No. The AG said this was not a pre-requisite for joint controllerships nor is a common decision between the parties.
The AG said there are only two requirements. First, each entity must satisfy the criteria of controller under Article 4 GDPR. Second, there must be “a certain relationship” between them such that they influence the processing jointly ie they must jointly participate. The AG noted this was a substantive and functional assessment not a formalistic one.
Here the AG noted that whether the parties had a formal agreement or had coordinated in respect of the development and release of the app was not relevant to determining this point.
The test in this regard was whether “the processing would not be possible without the participation of both parties because both have a tangible impact on the determination of the purposes and means of that processing”.
What’s the impact of the Opinion?
The key takeaways from the Opinion are:
- Assessing whether you are a controller is a substantive and functional assessment, not a formal one. Whether you are named in a set of terms or a privacy policy is not determinative.
- This means it is extremely difficult to contract out of controllership obligations where you want to retain influence over the underlying processing. Even if a contract states you are not a controller or making any decisions on purposes and means of processing, if in practice you have an influence on this, you may be found to be a controller.
- Involvement in the prior steps of a project before decisions are made on the purposes and means of processing is not enough to make you a controller. For example if NVSC had simply commissioned the app but had no role in determining the data categories and data subjects affected it may not have been found to be a controller.
- Joint controllership can arise inadvertently and organically through parties collaborating in a way that jointly influences processing. The fact you have no formal agreement – or a formal agreement that states you are not acting as joint controllers - will not be determinative.
With this in mind, it is critical that companies identify all the parties involved in the project at the outset, determine which parties are controllers, joint controllers and processors carefully and take the necessary steps to ensure compliance.
For companies that are controllers – even where they are not handling any actual data – this will be discharging obligations such as providing transparency and ensuring there is a valid legal basis. For joint controllers this will mean ensuring there is a joint controllership agreement in place and obligations are allocated appropriately. For companies engaging processors this will mean ensuring there are appropriate data processing agreements in place from the outset.
For more information, contact a member of our Privacy and Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
