Clarification on the qualification of a processing, a processor, a controller and the associated responsibility

Hermine Lacour, July 18, 2023
The Opinion delivered on May 4, 2023 in this preliminary ruling procedure is a welcome clarification of several articles of the GDPR, the Court of Justice of the European Union having been given an opportunity to provide valuable guidance on the interpretation of the notions of processing, controller and processor, as well as on the application of the administrative fine mechanism provided for in art. 83 GDPR.

Case C‑683/21 – Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos v Valstybinė duomenų apsaugos inspekcija, Request for a preliminary ruling, Opinion of Advocate General Emiliou (May 4, 2023)

Introduction

The concrete application of the GDPR still raises questions, and the case before the Regional Administrative Court of Vilnius, Lithuania (Vilniaus apygardos administracinis teismas, the "Court"), is no exception. By requesting a preliminary ruling on several articles of the GDPR, the Court gave the European Court of Justice an opportunity to bring more clarity on the interpretation of the notions of processing, controller and processor, as well as on the application of administrative fines. As such, the opinion delivered by Advocate General Emiliou is a goldmine for any data protection professional.

First, the facts leading to this preliminary ruling need to be set out; they take us back to the first months of Covid in Europe. In 2020, the Lithuanian authorities, like those of many other countries, decided to develop a mobile application to allow contact tracing. The facts unfold within only two months.

The National Public Health Centre (Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos, "NVSC") was appointed by the Ministry of Health on March 24, 2020, to organise the development and acquisition of such an application, named "Karantinas". A private company, IT sprendimai sėkmei ("ITSS"), was selected on March 27, 2020, by the NVSC, which communicated the scope of the assignment. Only a confidentiality agreement was then drawn up; no development contract was concluded.

Karantinas was released for Android on April 4, 2020 and for iOS on April 6, 2020, and from then on remained available for download and use. Users could see both ITSS and the NVSC mentioned as controllers in the application's documentation, despite the lack of a contract and the fact that the application had never been acquired.

By decision of April 10, 2020, the Ministry of Health instructed the NVSC to proceed with the acquisition of Karantinas. The procedure was initiated but failed, and by decision of May 15, 2020, the NVSC requested ITSS to stop using or referring to the NVSC in the privacy policy available in the application.

This could have been the story of a failed collaboration, had the State Data Protection Inspectorate (the "Inspectorate") not opened an investigation into Karantinas, against both the NVSC and ITSS, on May 18, 2020. This investigation led to the suspension of the application on May 26, 2020, and to a decision of May 24, 2021, establishing infringements of art. 5, 13, 24, 32 and 35 GDPR and imposing an administrative fine on the NVSC and ITSS as joint controllers.

The NVSC challenged the decision before the Regional Administrative Court of Vilnius, which requested a preliminary ruling on several aspects of the GDPR:

  • The first three questions concern the concept of controller as defined in art. 4 par. 7 GDPR, and ask whether, respectively, the fact that a procurement procedure has not been concluded, the fact that the entity has not approved or acquired the rights to an application, and the fact that the entity has not performed the processing itself, are relevant to qualification as a controller.
  • The fourth question concerns the concept of controller and the concept of processing, as defined in art. 4 par. 2 GDPR, and asks whether the fact that a processing is limited to test operations has an impact on its qualification as a processing and, incidentally, on the qualification of a controller.
  • The fifth question seeks to clarify the scope of joint controllership under art. 4 par. 7 and art. 26 par. 1 GDPR, and to determine which elements are required for such a qualification.
  • Finally, the sixth question is important: it asks whether an element of fault is required for the imposition of an administrative fine under art. 83 par. 1 GDPR, and whether a Member State may add such a requirement in its national law.

On May 4, 2023, the Advocate General's opinion was delivered, shedding light on these topics. Rather than detailing the six questions raised, we note two interesting principles arising from them. These principles structure the present commentary: the analysis of a situation for the applicability of the GDPR must be factual (I), and the opinion brings an important clarification on the scope of the administrative fines provided for in art. 83 par. 1 GDPR (II).

I. The factual analysis as a requirement for the application of the GDPR

The answers to the first five questions clarify the method for qualifying a controller (A) and a processing (B) under the GDPR.

A. Qualification of a control­ler and joint controller

From the facts presented above, we can see that although the NVSC initiated the project and defined its main lines, no formal collaboration had been established, as no agreement had been signed between the parties. Furthermore, the application had never been acquired, and the NVSC even expressly asked no longer to be mentioned in the associated documentation, including the privacy policy.

The Advocate General's answer is nonetheless clear: the absence of a contract or of any formalisation is not an obstacle to qualification as a controller. What matters under the GDPR and the European Data Protection Board (EDPB) guidelines on the question is the factual reality: if an entity has had an effective role in determining the purposes and means of the processing, it should be qualified as a controller and bear the associated responsibilities. The Advocate General leaves it to the referring court to assess the facts and deduce the appropriate qualification. We share the Advocate General's view, and, in our opinion, any other direction would have had disastrous practical consequences. If a controller could escape qualification by not contracting or by terminating an agreement, the entire ecosystem would be at risk, with actors disappearing to elude their responsibility.

The same logic applies to the concept of joint controller, though the opinion does clarify an additional element. To be considered joint controllers, two entities must both have this effective role in determining the means and purposes and exercise it "jointly". Drawing on the abovementioned EDPB Guidelines 07/2020, the opinion states: "such joint participation can exist in different forms. It can result from a common decision taken by two or more entities or it can merely result from converging decisions of those entities. Where the latter is the case, it only matters that the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing – meaning, in essence, that the processing would not be possible without the participation of both parties".

In practice, the interpretation of "jointly" may raise difficulties, as this opinion points towards effective joint control, in a rather restrictive reading. The opinion does quote the Fashion ID GmbH judgment of July 29, 2019, decided under the pre-GDPR Directive 95/46, concerning the insertion of a Facebook plugin on a website. In that judgment, the ECJ qualified the insertion and the associated transfer of data as joint controllership, without assessing whether the website operator embedding the widget had any actual power over the determination of the means and purposes of Facebook's activities, beyond the provision of personal data. Considering the imbalance between the actors in this configuration, we wonder whether this activity would still be qualified as joint controllership, or rather as a controller-to-controller transfer, given the independence of the two processing activities and the absence of influence of each controller over the processing of the other. Future decisions will surely bring new elements to this open question.

In any case, this factual interpretation is not limited to the qualification of the parties; it also applies to the processing itself.

B. The irre­le­vance of the purpose for the quali­fi­ca­tion of a processing

In its submissions to the court, the NVSC contested the qualification as processing, and hence as controller, arguing that the operations were carried out for test purposes. This raises the question of the relevance of the purpose to the qualification of a processing: does a processing need to be public, directed at the outside world, to be qualified as such? From a certain perspective the question is legitimate: in a test environment, the risks for privacy should be mitigated, as access by third parties should be more limited, the data is not refreshed, and the operations do not reflect any reality.

The opinion quotes the definition of processing in the GDPR: "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means […]". The Advocate General emphasises that the word "any" allows only one interpretation: all operations on personal data must be considered, regardless of their factual purpose. An important clarification is nevertheless made regarding the scope of such processing: the testing activities and the "live" operations constitute two different processing operations, with different scopes, recipients, purposes and so on. Thus the factual purpose of the processing does not matter for its qualification, but it may be relevant when drawing up the records of processing activities provided for in art. 30 GDPR.

In our opinion, this interpretation makes perfect sense in practice. Testing activities will rarely be performed on purely internal infrastructure, and various actors and recipients will be involved. This involvement of external parties creates risks, and even if the data bear no relation to reality, mixing real data with fake data may create an even greater risk for the privacy of the individuals concerned. We cannot emphasise enough the need to create proper test datasets, which can be derived from real data but must be properly anonymised. We recall that anonymisation for such a purpose is itself a processing activity, which can be justified by the controller's legitimate interest. However, this operation may not be decided on and carried out by a processor alone.
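As a worked illustration of what a properly anonymised test dataset involves, the following example is added to this commentary; it is not code from the page, from the NVSC or from ITSS. It assumes a hypothetical contact-tracing record layout (name, phone, birth date, postcode, test result) with constructed sample rows, suppresses the direct identifiers, generalises the quasi-identifiers, and then drops any record that would still be unique on those quasi-identifiers (k-anonymity with k = 2). The field names, the ten-year age bands, the two-digit postcode areas and the value of k are assumptions chosen for the example.

```python
"""Deriving a test dataset from real records by anonymisation.

Added example, not code from swissprivacy.law, the NVSC or ITSS. The record
layout and the sample rows are constructed; the generalisation rules and the
threshold k = 2 are assumptions for illustration.
"""
from collections import Counter
from datetime import date
from typing import Counter as CounterType, Dict, List, Tuple

# Constructed sample records: these are not real people.
REAL_RECORDS: List[Dict[str, str]] = [
    {"name": "Asta Example", "phone": "+370600000001", "birth_date": "1990-05-02", "postcode": "01101", "result": "negative"},
    {"name": "Jonas Example", "phone": "+370600000002", "birth_date": "1987-11-20", "postcode": "01234", "result": "positive"},
    {"name": "Rasa Example", "phone": "+370600000003", "birth_date": "1980-01-15", "postcode": "02100", "result": "negative"},
    {"name": "Tomas Example", "phone": "+370600000004", "birth_date": "1975-07-30", "postcode": "02500", "result": "negative"},
    {"name": "Ona Example", "phone": "+370600000005", "birth_date": "1960-09-09", "postcode": "03000", "result": "positive"},
]

# Fixed reference day so that the age bands are reproducible (assumption).
REFERENCE_DAY = date(2023, 7, 18)

# Fields that identify a person on their own: never copied to the test set.
DIRECT_IDENTIFIERS = ("name", "phone")
# Fields that identify a person in combination: generalised, then checked.
QUASI_IDENTIFIERS = ("age_band", "postcode_area")


def age_band(birth_date: str, today: date) -> str:
    """Generalise an ISO birth date to a ten-year age band such as '30-39'."""
    age = today.year - int(birth_date[:4])  # year precision is enough for a band
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(record: Dict[str, str], today: date) -> Dict[str, str]:
    """Suppress direct identifiers and generalise the quasi-identifiers."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["age_band"] = age_band(out.pop("birth_date"), today)
    out["postcode_area"] = out.pop("postcode")[:2]  # keep only the area prefix
    return out


def quasi_key(record: Dict[str, str]) -> Tuple[str, ...]:
    """The combination of quasi-identifier values that could single someone out."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def equivalence_classes(records: List[Dict[str, str]]) -> CounterType[Tuple[str, ...]]:
    """Count how many records share each quasi-identifier combination."""
    return Counter(quasi_key(r) for r in records)


def is_k_anonymous(records: List[Dict[str, str]], k: int) -> bool:
    """True when every quasi-identifier combination occurs at least k times."""
    return all(n >= k for n in equivalence_classes(records).values())


def build_test_dataset(records: List[Dict[str, str]], today: date, k: int = 2) -> List[Dict[str, str]]:
    """Anonymise, then suppress records whose combination is still rarer than k.

    A record that is unique on its quasi-identifiers would still single out a
    person even without name or phone, so it is dropped rather than released.
    """
    anonymised = [anonymise(r, today) for r in records]
    classes = equivalence_classes(anonymised)
    return [r for r in anonymised if classes[quasi_key(r)] >= k]


if __name__ == "__main__":
    test_set = build_test_dataset(REAL_RECORDS, REFERENCE_DAY)
    for row in test_set:
        print(row)
    print("k-anonymous (k=2):", is_k_anonymous(test_set, 2))
```

Removing names and phone numbers alone is not enough: in the sample the record with age band 60-69 and postcode area 03 is still unique after generalisation and is therefore suppressed, which is the step most often skipped when "test data" is produced from production. Which fields count as quasi-identifiers, how far to generalise, and what k to demand are decisions for the controller, in line with the point made above that the anonymisation may not be left to the processor alone.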

Further on in the opinion, the importance of the analysis of the facts for the proper enforcement of the GDPR is shown to extend beyond qualification, to the application of the administrative fines under the GDPR.

II. The clarified scope of the administrative fines under art. 83 par. 1 GDPR

The Advocate General reads the court's sixth question as twofold: first, whether an element of fault is necessary to impose such a fine (A), and second, whether a controller may be sanctioned even if the infringement was technically committed by its processor (B).

A. The requi­re­ment of an element of fault

The opinion recalls the context of the "new" fine mechanism. Before the GDPR, sanctions were left to the discretion of the Member States. The Regulation harmonises and defines, in art. 83, the conditions for imposing administrative fines. This article lays down the principle, a fine where the Regulation is infringed, and the conditions of imposition, including the elements the national authority must take into account to determine the amount (cf. www.swissprivacy.law/162). It is in this context that the question of fault arises.

The Advocate General examines all the possible aspects, and concludes with two important elements: fault is required, and this requirement is not left to the discretion of the Member States. The opinion states that such a mechanism could be considered criminal in nature, given its deterrent purpose, and as such falls within the scope of art. 49 of the Charter of Fundamental Rights of the European Union (the "Charter"). Then, on the basis of the Charter as well as the case law of the European Court of Human Rights, the element of fault appears as a requirement for imposing such a fine. Despite the underlying logic, this interpretation could have been quite puzzling had the Advocate General not clarified the degree of fault necessary.

While fault is necessary to impose a fine, the opinion sets the bar at intent or negligence of such a low degree of severity that cases where fault is absent seem almost theoretical. The literature quoted in the opinion had already taken this position, considering that a failure to take action already constitutes not only negligence but gross negligence. It will then be for the national data protection authority and the courts to characterise the fault on the facts in order to impose an administrative fine for infringement of the GDPR.

In our experience, given the number of control points and the possibilities for a controller to impose technical and contractual measures to ensure the security of a processing and compliance with the GDPR, we agree that this threshold must be low, but a threshold must exist. For example, in a case of extreme social engineering, violence or physical coercion, where even the best measures would not have prevented much, it would seem unfair to impose a fine for the resulting breach. Conversely, a higher threshold for negligence could allow a controller to elude responsibility for the actions of its processor, which is another point clarified in this opinion.

B. Fining the controller for the actions of its processor

In this case, the NVSC could have argued that only ITSS technically processed the data, and that the NVSC did not take part in the actual processing. On this point, the opinion states that a controller does not need to process any data itself to be qualified as a controller, as long as it has actual control over the determination of the purposes and means of the processing.

The Advocate General clearly states that, as long as the processor acts within the mandate given by the controller and according to the controller's lawful instructions, responsibility ultimately lies with the controller. Conversely, if the processor exceeds the scope of its mandate, it should be considered the controller for those activities, and the original controller cannot be fined under art. 83 GDPR for them. It is for the national data protection authority and the courts to characterise the facts and determine whether the processor acted within its mandate or beyond it.

This part of the opinion appears more confusing to us. On the one hand, if these administrative fines are of a criminal nature, only the one who committed a fault may be sanctioned for it, and a processor that has gone rogue is not under the responsibility of the controller. On the other hand, the controller has the power to instruct as well as to audit the processor, as provided for in art. 28 par. 3 let. h GDPR. A processor exceeding its mandate could then point to negligence on the part of the controller, which did not pay sufficient attention to its processor, in line with the development above.

Combining this consideration with the factual interpretation applied to the enforcement of the GDPR, we see two cases in practice.

In the first, the controller has the main economic power and the processor depends on the controller, e.g. a small company acting according to the instructions of a multinational. Here the controller has the means to ensure that the processor will only operate within its mandate, and the processor cannot afford any liability arising from careless activity.

A second scenario, where the processor has the economic advantage over its controller, e.g. an IT giant versus a small company acting as controller, is not as straightforward. Even if the controller has legal means to ensure that the processor does not overstep, this economic imbalance may lead to the controller's rights being restricted by clauses imposed in the contract. A glance at the contracts of various IT giants is insightful in this regard: the controller has to contractually limit certain rights, such as the right to give additional instructions or the right to carry out on-site audits, or the processor allows itself to process data for its own legitimate interests regardless of the controller's instructions.

In our view, the Advocate General's opinion does cover these two cases. A detailed analysis of the facts would both prevent any party from eluding its responsibility thanks to a canny contractual structure, and avoid the situation where a party is fined because it was economically unable to enforce its rights.

This opinion is insightful in many regards and brings clarification around critical notions of the GDPR, and we have no doubt that the ensuing judgment will be of great value.



Suggested citation: Hermine Lacour, Clarification on the qualification of a processing, a processor, a controller and the associated responsibility, July 18, 2023 in www.swissprivacy.law/240


Articles on swissprivacy.law are published under the Creative Commons CC BY 4.0 licence.