Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

The new law, an addition to the state’s breach notification statute, provides that if a processor or business fails to take reasonable care to guard against unauthorized access to payment card account information in its possession or control, and that failure is the cause of the breach, the processor or business is liable to the relevant financial institution for reasonable actual costs related to the reissuance of payment cards to Washington residents to mitigate “potential current or future damages” to them.  Similarly, a vendor will be liable to the financial institution for these costs to the extent the damages were caused by the vendor’s negligence.

The law contains a number of safe harbors.  For example, there is no liability if the account information was encrypted at the time of the breach.  Also, an entity is not liable if its compliance with the Payment Card Industry Data Security Standard  (“PCI DSS”) was validated by an annual security assessment that took place no more than one year prior to the breach, even if that security assessment is subsequently revoked.

The interaction between data controllers and data processors is essential in the application of Directive 95/46/EC, not least because the concepts determine who will be responsible for compliance with data protection rules and how data subjects can exercise their rights.  However, the increasing complexity of the environment in which these concepts are used has given rise to new and difficult issues.  The Opinion emphasizes the need to allocate responsibility between data controllers and data processors so that compliance with data protection rules are upheld sufficiently.  Despite the impact of information and communication technologies and globalization, the Working Party concluded that the current distinction between data controllers and data processors remains relevant and workable.  The following points are of particular importance:

Regarding Data Controllers

• first and foremost, the role of the concept of a data controller is to determine who will be responsible for compliance with data protection rules (i.e., allocation of responsibility) and how data subjects can exercise their rights in practice;
• the concept of a data controller also is essential in determining which national law is applicable to a processing operation/ set of processing operations;
• the concept of a data controller is autonomous, (i.e., it should be interpreted mainly in accordance with Directive 95/46/EC), and functional (i.e., it is based on a factual rather than formal analysis);
• determining the “purpose” of processing triggers the qualification of (de facto) data controller;
• determining the “means” of processing can be delegated by the data controller (as far as technical or organizational questions are concerned), however, substantial questions that are essential to the core of lawfulness of processing (e.g., type of data to be processed, length of storage, access, etc) are to be determined by the data controller.

Regarding Data Processors

• the qualification of a data processor depends on the decision of the data controller, who may decide to process the data within his organization, or to delegate all or part of the processing activities to an external organization;
• two basic conditions arise for qualifying as a data processor: (a) being a separate legal entity with respect to the data controller; and (b) processing personal data on behalf of the data controller;
• the role of a data processor stems from its core activities in a specific context and with regard to specific sets of data or operations.

Despite the growing popularity of other mechanisms that provide a legal basis for complying with the EU legal restrictions for transferring personal data outside the EU (such as binding corporate rules), the use of SCCs remains indispensable.  In many situations SCCs are the only “off the shelf” data transfer solution that can be used and implemented on short notice.  The Commission already published a set of SCCs for transfers to data processors that were approved in 2001, but companies have found that they do not always take business realities into account.  The SCCs can be burdensome to use in practice, in particular for the following reasons:

• The existing SCCs do not contemplate the possibility that a data processor outside the EU may need to transfer personal data to another data processor, which happens very often in practice.
• The SCCs can require the application of data security requirements from multiple EU Member States.
• Many Member States impose bureaucratic formalities (notarization of signatures, annual updates, etc.) on use of the clauses.
• There can be practical problems when using the clauses with multiple parties.
• The SCCs contain a mandatory arbitration clause to which many companies have objected.

Although the Commission did not adopt many of the suggestions made by the business associations, thus diluting the value of the new clauses, the new SCCs do have some important advantages over the existing controller-to-processor clauses.  For example:

• For the first time in EU data protection law, the new clauses provide a legal basis for processor-to-processor transfers.  Under the clauses, such transfers may be carried out when (1) the original data controller consents in writing, and (2) the same data protection obligations are imposed on the subprocessor as are imposed on the original data importer.  The original data importer remains liable for any data protection violations by the subprocessor.
• The arbitration clause has been deleted.

There are two further important points with regard to the new clauses:

• The new clauses must be used for new or changed transfers to data processors; i.e., the existing SCCs for controller-to-processor transfers may no longer be used for such transfers (but existing SCCs remain in effect).
• The SCCs cover transfers from the EU to a data processor outside the EU, but not transfers from a data processor in the EU to a subprocessor outside the EU, although data protection authorities “may” allow use of the new clauses in such situations as well.

The full text of the new SCCs has been published in the Official Journal of the European Union.  Hunton & Williams has prepared a redline version showing the changes from the previous SCCs. Christopher Kuner will provide a detailed analysis in the near future. 

The clauses are quite important for business, as they provide a legal basis for transferring personal data from the EU to data processors in other countries, and are often used in, for example, outsourcing contexts. Among the changes proposed by the three business groups was a new clause that for the first time would provide a legal framework for data transfers from one processor to another. This situation can occur, for example, when a data controller in the EU outsources the processing of personal data to a data processing company in the US, which in turn outsources the processing to a company in India. So far, European data protection law has lacked any discussion of the conditions under which such a transfer could be made between data processors. It is a significant development that the Working Party Opinion recognized this possibility.
 
Some of the other clauses proposed by the Working Party seem unrealistic and unworkable, such as requiring audits by data protection authorities in countries outside the EU, or requiring that the contract between the data processor and the subprocessor, be governed by the law of the country of the data exporter in the EU. ICC and the other business groups will work with the European Commission with the goal of ensuring that the final clauses approved by the Commission are drafted in a way that makes them useable in the real world. The final Commission decision on the clauses is not expected for a few months.