GDPR: must controllers declare legal bases to processors?

Stuart Ritchie


There’s a rather fascinating debate going on (counterintuitively!) within the LI GDPR Technology group. I was invited to comment on this geeky point. As we’ll see it’s just a little more complex that can be answered inline. So I take the opportunity to blog my response.

Prima facie there is no formal obligation within the scope of Article 28 alone for the controller to declare the legal bases to the processor. That said, to adopt such a position might be seen, in hindsight, as a suicide note.

As EU law, the GDPR will be interpreted not only purposively but practically. If the controller refuses to declare its legal bases to the processor, then the processor constructively will be prevented from meeting various obligations under (in particular) Article 28(3)(e) and the final sentence of Article 28(3). For example, very few of the data subject rights can be exercised properly (even applying GDPR restrictions or Member State derogations in the controller’s own interest!!!) without such knowledge. Likewise breach notification might be a little vulnerable. Technically Article 28 seems to assign fault to both parties should they come to an ineffective agreement. Ironically however, in the circumstances described these things might put the processor in an advantageous position vis a vis both fines and private remedy, and pro tanto disadvantages the controller. I trust I do not need to explain why.

Then of course, strategically we have to consider satellite litigation: not just intra-party disputes, but others such those engaging cyber-insurance underwriters refusing to pay claims (which traditionally, at least in the USA, seems to lead to the most reliably comedic data protection case law), and the way Courts presiding over such disputes might construe the agreements. Simply put: if the proper law of the contract is that of a (probably Member State for reasons I will not address here) common law jurisdiction, the contract between the parties might become void(able), or suffer other unhappy consequences for whatever parties may be relying upon it, due to whatever doctrine of frustration is applied in the local system of law. I cannot answer for Member State civil law systems. (no surprises in this paragraph, this is just private international law 101)

All that said, one of the funniest aspects of this, which might play out in any of the above scenarios, is something which seems to have escaped everyone: a variant of the ancient maxim of equity “those who come to equity must come with clean hands”. The processor cannot simply sit back on its haunches in dreamily salivating contemplation of ambushing the controller in ex post facto litigation. Why? Because, should any processor genuinely be concerned to satisfy its own legal obligations, it effortlessly can perform an end-run around the controller and discover the legal bases through the Supervisors using other GDPR provisions (though, counter-intuitively but logically, Article 36 does not apply here). By definition, as night follows day, for large scale processing this will draw the attention of the Supervisors, everyone from the UK through France to the awesome(I jest not) Schleswig-Holstein. Which, again, the controller independently might come to regret even from the outset: yet again, under EU data protection law you can’t out-source legal risk, only multiply it, no matter what indemnity clauses in mere private contracts may purport to establish. And even that assumes the contract, together with all its supposedly binding indemnity clauses, is not void/voided for frustration or any of the other possibilities for voidability etc… (sorry, this last phrase is off-topic, but res ipsa loquitur, just licking my chops, down boy).

Generally, as a common interest between controllers and the Supervisors alike, it’s much better to let sleeping dogs lie. One thing I stress in my courses is the last thing you want is to become low-hanging fruit for the Supervisors. Or, if you prefer, fresh meat for Herr Schrems’ None Of Your Business Article 80 class action exploits, which I expect will expand geographically and financially what one of my professional friends once described so scathingly as a “cottage industry”. Or, if you’re an unhappily tasty morsel for litigators, both: under the GDPR the Supervisors and Herr Schrems or his imitators/lookalikes can follow each other serially or act in parallel.

(And no, for avoidance of doubt my notorious enterprise privacy architecture musings will not help you here! But I do apologize for stealing time from my Confessions of a GDPR Architect series, merely on the self-indulgent grounds that this digression was fun)

    All facts and opinions set out above, including but not limited to spoken content and attachments/links, are provided for informational purposes only as a non-legal service to the public, and do not constitute legal advice or a substitute for legal counsel, and do not create any lawyer-client relationship, nor do they constitute advertising or provision of a legal service, nor are they the opinion of this web site or of its owner. The author is a co-founder of GDPR360 but does not speak in that capacity or in the capacity of a lawyer.