On 26 July 2021, the French Data Protection Authority (“CNIL“) issued a fine of EUR 400,000 against Monsanto, leading company in the field of agricultural biotechnologies. The decision elucidates the criteria for differentiating between a data controller and a data processor and validates a strict approach to interpreting the obligation of data controllers to inform individuals about the processing of their personal data.
In 2013, Monsanto entered into an agreement with Fleishman-Hillard, a public relations company. In the performance of the agreement, Fleishman-Hillard created a file containing the personal data of more than 200 French and European individuals involved in a debate about the renewal of approval by the European Commission of use of glyphosate (an herbicide) in Europe. The purpose of creating the file was to facilitate Monsanto’s lobbying for renewal of the approval.
The individuals whose data were included in the file were political figures and members of civil society, including journalists, activists, scientists, and farmers. The file contained their names, contact details, and a ranking (1–5) based on the individual’s influence, credibility and support for Monsanto. The file also contained a comment area where additional information about the data subjects could be entered (the events that the data subjects attended or organised, the persons with whom they worked, the articles that they have published, etc.).
The data subjects first became aware of the processing of their personal data in 2019, three years after the processing had started. The company Bayer, who acquired Monsanto, informed the data subjects of the processing in mid-2019. In September 2019, CNIL received several complaints against Monsanto, in which the complainants claimed that Monsanto had not informed them about the processing of their personal data.
Monsanto’s active participation deprived Fleishman-Hillard of the autonomy normally enjoyed by a data controller
Monsanto argued that Fleishman-Hillard was the data controller and exclusively responsible for the data processing. According to Monsanto, Fleishman-Hillard created the file autonomously, using its own methodology. Monsanto claimed that it never gave instructions to Fleishman-Hillard on the ways to carry out the processing, that Fleishman-Hillard had expertise in providing the services, and that Fleishman-Hillard presented itself on its website as the data controller for the data processed in the performance of its services. Monsanto added that it never actually used the personal data contained in the file.
CNIL, however, identified Monsanto as the data controller, and Fleishman-Hillard as the processor. CNIL pointed out that Monsanto determined the purpose of the processing (promoting and obtaining the renewal of the approval of glyphosate), as well as the means of the processing (launching a lobbying campaign, which required identifying the individuals involved in the debate on glyphosate).
CNIL examined email communication between the two companies and determined that Monsanto participated in the identification of the individuals and the creation of the file. Monsanto had very specific requests about the factors which Fleishman-Hillard should consider in the performance of the services. CNIL found that Fleishman-Hillard reported to Monsanto on the progress of its work and the actions that it had taken. Monsanto managed the activities of Fleishman-Hillard, thus depriving it of the autonomy normally enjoyed by a data controller.
CNIL considered that the fact that Fleishman-Hillard offered to Monsanto a strategy for identifying the individuals involved in the debate on glyphosate did not result in Fleishman-Hillard acquiring the role of the data controller. A subject (Monsanto) may be regarded as the data controller even when the data processing is partially or completely designed by another subject (Fleishman-Hillard), CNIL concluded.
Informing the data subjects is necessary regardless of whether the personal data are public and whether the data subjects can reasonably expect the processing
As to the three-year delay in informing the data subjects about the processing, Monsanto argued that Fleishman-Hillard, as the data controller, was responsible for providing the information. Additionally, Monsanto claimed that informing the data subjects would be of little interest to them in any case, considering that the data in question were public, that the data subjects could reasonably expect the processing, and that Monsanto never actually used the file.
CNIL pointed out that Monsanto, as the data controller, should have informed the data subjects about the processing. CNIL further analysed the potential applicability of the exceptions to the obligation to inform the data subjects. Under Article 14(5)(b) of the GDPR, the information obligation does not apply when the provision of information proves impossible, or would involve a disproportionate effort, or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing.
According to the decision, none of the exemptions were applicable. Informing the data subjects would not require disproportionate efforts on the part of Monsanto, because the file contained contact details of all the data subjects. Considering that the data subjects were finally informed of the processing in 2019, informing the data subjects was definitely possible. Informing the data subjects would not jeopardize the achievement of the objectives of the processing.
Finally, CNIL found that Monsanto’s allegations that the personal data in question were public, that the data subjects could reasonably expect the data processing, and that Monsanto never actually used the file, were of no significance for the assessment of whether an exemption from the obligation to inform the data subjects could apply.
The data controller is responsible for implementing the data processing agreement
Several agreements between Monsanto and Fleishman-Hillard referred to the processing of personal data, but none contained the mandatory elements under Article 28 of the GDPR. Because CNIL found that Monsanto was the data controller, the supervisory authority concluded that the lack of a processing agreement amounted to a violation of the GDPR.
The decision demonstrates how a factual relationship of subordinance between the persons involved in the processing can be decisive in determining their roles as data controllers or data processors.
[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as an instructive guidance for compliance with local regulations.]