On 1 June 2022, the Slovenian supervisory authority (Information Commissioner) rendered a decision (no. 0612-23/2019/19) ordering a cloud provider (CP) to enter into joint controllership arrangements with its clients. The decision is noteworthy as a rare instance in which a supervisory authority determined that a cloud provider is a joint data controller, rather than a data processor.
The Information Commissioner examined the role of the CP as an intermediary between clients who generate data queries and various data sources which supply personal data. The CP claimed that the clients requesting the data were data controllers and that the CP only processed the data on behalf of the clients. The Information Commissioner reached a different conclusion, that the CP was a data controller, because it had a significantly greater power to influence the processing of personal data than it would have as a mere processor.
The Information Commissioner determined that the basic feature of the CP’s business model was handling complex technical tasks to simplify the execution of the clients’ requests. The CP obtained data from various data sources and determining the time for the deletion of data. The CP’s clients had little to no influence on the technical and organizational measures employed by the CP in the managing of the data.
The double basis for the Information Commissioner’s classification of the cloud service provider as a joint controller with its clients
The Information Commissioner concluded that the CP was a data controller on two grounds: the CP participated in the determination of the purposes and the determination of the means of processing.
The joint determination of the purposes of processing is based on converging decisions, because the CP and the users of the service pursued interconnected or complementary purposes – quick and efficient execution of inquiries by clients and transmission of personal data by data sources.
It is not entirely clear from the available (redacted) version of the Slovenian Information Commissioner’s decision what the Information Commissioner considered as joint determination by the CP and its clients of the means of processing. The Information Commissioner wrote that the CP acted as a data controller because the CP did not process personal data based on the user’s documented instructions; users did not influence the provision of measures and procedures for securing personal data or the choice of processors; users did not have the possibility of controlling the implementation of instructions or security measures; and, the CP determined the storage time of personal data in the system.
GDPR and EDPB on “essential” vs “non-essential” means of processing
Before making the finding about the CP’s role as a data controller, the Information Commissioner summarized the state of the relevant EU law, applicable in Slovenia as an EU member state. In line with the definition of the controller in Article 4 (7) of the GDPR and further explanation provided in the Guidelines 07/2020 on the concepts of controller and processor in the GDPR of the European Data Protection Board, data controller alone or jointly with others determines the purposes and means of the processing of personal data, i.e. the why and how of the processing. The following basic rules determine whether an entity or person is a data controller or a data processor:
- decisions on the purpose of the processing are always for the controller to make;
- as regards the determination of means, a distinction must be made between essential and non-essential means:
- “essential means” are means that are closely linked to the purpose and the scope of the processing, such as the type of personal data which are processed (“which data shall be processed?”), the duration of the processing (“for how long shall they be processed?”), the categories of recipients (“who shall have access to them?”) and the categories of data subjects (“whose personal data are being processed?”); and
- “non-essential means” concern more practical aspects of implementation, such as the choice of a particular type of hard- or software or the detailed security measures which may be left to the processor to decide on.
Essential means are traditionally and inherently reserved to the controller, while non-essential means can also be determined by the processor. Importantly, the processor may choose the most suitable technical and organisational means of securing personal data without becoming a data controller for that reason.
The EDPB Guidelines 07/2020 also include an analysis of joint controllership through converging decisions, on which the Slovenian Information Commissioner relied. Joint controllership through converging decisions exists where “processing would not be possible without both parties’ participation in the purposes and means in the sense that the processing by each party is inseparably linked”.
Comment
Considering the importance of the issue and the fact that the decision of the Slovenian Information Commissioner is uncommon, it would have helped if the Commissioner further developed the arguments leading it to conclude that the CP was a joint controller.
To illustrate the uncommon nature of the decision, we may recall the stance of the UK’s Information Commissioner (ICO) from 2012 that, when a cloud customer “finds it difficult to exercise any meaningful control over the way a large (and perhaps global) cloud provider operates”, the customer nevertheless remains the (only) data controller. ICO did not entertain the possibility that a provider of public cloud services – the services shared among many users, pursuant to contracts of adhesion – could be a joint controller. The approach also permeates the guidance issued by the Spanish supervisory authority in 2018. The response to the challenge posed by the existence of providers of public cloud services is that the client “choose a cloud service which best suits its specific needs – including its need to comply with the [data protection legislation]” (ICO), rather than that the cloud provider is treated as a joint data controller.
On the other hand, the French regulator, CNIL, took a position in the Recommendations from 2012 that may have paved the way for the Slovenian regulator’s decision one decade later. In both instances, the supervisory authorities have reasoned that, when customers are unable to give instructions to a cloud provider and control the effectiveness of its measures to ensure the safety of the data, the cloud provider should be considered a data controller. CNIL briefly posited that such cloud providers participate in the determination of the purposes and means of the processing, however CNIL did not elaborate on that claim. Especially, CNIL did not probe into the distinction, which would become prominent eight years later with the adoption of the EDPB Guidelines 07/2020, between “essential” and “non-essential” means of processing. (Under the EDPB Guidelines, if a data processor decides only about “non-essential” means, that does not turn him into a data controller.)
Similarly, the Slovenian Information Commissioner offered a sketchy argument about the CP’s determination of the purposes of the processing and did not specify which processing decisions concerning “essential means” were made jointly by the CP and the client. Perhaps the Information Commissioner would state that the CP’s decisions on the duration of the processing and the sub-processors are jointly made decisions about “essential” means of processing. However, it might be possible to argue (along the lines of the ICO guidance from 2012) that, by accepting the data retention schedule and sub-processors used by the CP, it is the client who decides alone about the “essential” means. If the client fails to specify the retention period in the data processing agreement or does not give written authorisation to the CP concerning the choice of sub-processors, the CP and the client would be in breach of GDPR but arguably CP would not become a joint controller. This approach would be consistent with an earlier pronouncement of the Slovenian Information Commissioner (2012), according to which “circumstances today are such, that normally the cloud providers are the ones to set the terms, the level of data security and other important aspects of business relationship. Nonetheless, the clients are the ones with appropriate legal grounds for data processing, and have determined the purposes and means of data processing; that is why normally the clients are regarded as data controllers and the cloud providers as processors”.
[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU and EFTA member states may therefore serve as an instructive guidance for compliance with local regulations.]