Joint data controllers: implications for principal firms and appointed representatives
To be fair, the GDPR does contain plenty of concepts which themselves require reams of supplementary guidance. For the concepts of controller/processor, it seems that firms are getting better at defining roles and, more specifically, recognising that partners whom they have previously called "processors" are in fact controllers in their own right. We might even say that the idea of a "controller in common" seems to makes some sense for firms that share the same data pool.
But then there is the "joint controller". The forgotten and rather unloved sibling to the determined controller and compliant processor. As it turns out the Attorney General to the European Court of Justice is on the cusp of breathing some life into the concept of joint controllers.
Well, "breathing life" is one way of putting it. AG Bot's recent opinion seems to miss a dose of common sense. In a nutshell, a training academy who used a Facebook fan page, Facebook Inc and Facebook Ireland (in the EU) were all held to be joint controllers because the page administrator got access to analytics data. Even though the academy didn't process the data directly, it 'determined the means' by choosing to use Facebook as a platform in the first place and opting to receive the page tracking info. Facebook is obviously struggling with a public relations battle at the moment - so you never know whether the AG's views will prevail.
Anyway, this article isn't about Germans and their approach to privacy on the internet: it is about GDPR and the relationship between principal firms and their appointed representatives, and that's way more interesting. I'm particularly focussing on umbrella firms as opposed to AR networks or introducer ARs, but take what parallels you may.
Before we start, the whole premise of appointed representative is that it allows the principal firm to conduct its business in conjunction with other firms. Some might think it was designed to allow FS firms with innovative models to take a quicker and cheaper route to market, but really that's missing the point. Still, let's play out a scenario:
AR firm: "I'm going to collect loads of data and do some data science wizardry to let me sell an investment product."
Principal firm: "Hold your horses, sonny. Are you aware that you can only use the data you collect on the basis of a lawful ground for processing as may legitimately be required to achieve the intended purpose?"
AR firm: "Of course, I have read the GDPR from cover to cover and I understand it completely"
Principal firm: "Great, what about the FCA Handbook"
AR firm: "What's that got to do with anything?"
Principal firm: "Well, I am responsible for ensuring the Conduct of Business rules and the record-keeping requirements in the FCA Handbook are complied with. In your proposed data set, you haven't included an investor classification - we need that to ensure the product is being sold properly. And you should collect a National Insurance number because HMRC will want to know. We want to ensure your infosec policy is adequate, so here are the standards we expect. And you need to keep these records for three years and these ones for five. And we want to see all your complaints as they come in so that we can work out how to reply. And we should talk about your outsourcing to AWS?"
AR firm: "Ok, that's cool. But other than that, I can do what I like?"
Principal firm: "Well, yes within reason. But all your files as they relate to your regulated business are really mine and either we can keep them or we must ensure we have full access to them at any time" (SUP 12.9.3(3), just in case you are wondering).
And then we have a look at the definition of "joint controller" which is helpfully joint controllers jointly determing the basis of processing
And that really is the crux. Together, the principal and the AR have jointly determined what data they will collect, how it will be processed, where it will be stored and how long it will be kept for. As the AG points out, the WP29 has said (in a great example of Euro-clarity):
‘the possibility of pluralistic control caters for the increasing number of situations where different parties act as controllers. The assessment of this joint control should mirror the assessment of “single” control, by taking a substantive and functional approach and focussing on whether the purposes and the essential elements of the means are determined by more than one party. The participation of parties ... does not need to be equally shared’
And you might think "so what if we have joint control?"
Joint and several responsibilities
Specifically, "the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers". (GDPR Article 26(3)). So, for example, a subject access request could be made to either. It is up to the controllers to "determine their respective responsibilities for compliance with the obligations" and make data subjects aware of the nature of this arrangement (Article 26(1) and (2)).
Joint and several liability
Article 82 provides that "any controller involved in processing shall be liable for the damage caused by processing which infringes GDPR" and "where more than one controller ... [is] involved in the same processing ... each controller ... shall be held liable for the entire damage in order to ensure effective compensation of the data subject" unless they can prove that they are not responsible in any way for the event. So, a principal firm is responsible for the data protection failings of their AR. One to add to the indemnity section of the AR agreement perhaps.
Talking of the AR agreement, where a controller determines the purposes and means of the processing jointly with other controllers, there must be a clear allocation between them of the responsibilities under GDPR (Recital 79). There is a suggestion that this means three pages of controller-controller clauses are not appropriate and so I have opted for a reductionist approach as a supplement to standard clauses.
Privacy notices are going to need a tweak to be transparent about these roles of AR and principal and a principal firm should specifically ensure that customers are aware that data may be transferred to the principal.
Privacy by design
Finally, a reminder that a right to access data does not equate to open access. Privacy by design still has a role to play. What info does the principal firm actually need from time to time? Does a principal need all new customer data or do they just want statistical data for quarterly reporting? Can a file audit be done with pseudonymised information?