To examine the business and legal implications of this question, the ICC Task Force on Privacy and the Protection of Personal Data invited approximately 40 representatives of international companies, data protection authorities, EU institutions, other governmental authorities, and law firms to a workshop on 25 October 2007.
Data protection law, in Europe, the Americas and Asia, generally makes a distinction between companies that process personal data as “data controllers”, and those that do so as “data processors”; data processors generally have reduced rights and obligations regarding data processing compared to those of data controllers. The distinction can have critical implications, since contracting practices in such areas as outsourcing and third party data processing may have to be structured differently depending on the whether the company doing the data processing is a data controller or a data processor.
ICC hosted the workshop at its headquarters in Paris following input from companies that a lack of clarity in distinguishing between these concepts is creating significant difficulties for business.
Christopher Kuner, Chair of the ICC Task Force on Privacy and the Protection of Personal Data, who also chaired the workshop, explained why the issue has become of crucial business importance. In an outsourcing transaction, the parties may have structured their contracts under the assumption that the outsourcing company is a data processor, not realizing that a data protection authority may consider them a data controller. In such a case, the parties may be subject to greater liability and other risks, which put the entire transaction in danger. It is thus critical for business to gain more clarity about the conditions under which a company may be qualified as a data controller.
Participants at the workshop discussed the legal issues involved in the distinction between data controllers and data processors, and considered three fictional case studies to apply the law to real-world business situations. According to Mr Kuner, “The workshop was the first of its kind to consider this important issue, and showed that there are major differences between companies and data protection regulators as to what criteria should be used to qualify a company as a data controller.”
He noted that ICC will continue to follow this important issue and provide guidance to the business community.
The meeting was informal and off the record with participants speaking in their personal capacity and not on behalf of the institutions for which they work – a point participants hailed as valuable in ensuring frank and substantive discussion. ICC has published a summary of the workshop, available online here.