Who takes the pain if something goes wrong?
Where processing is carried out within an organisation, that organisation must develop and follow its own policies and procedures. But as with any information-based activity, it often makes sense to outsource areas of data processing to a specialist – a payroll service provider, for example, or a customer database manager. And other types of engagement with commercial partners often involves an element of personal data sharing and exchange. This could include a collaboration between two universities, or engagement of temporary workers through an agency. Any kind of relationship involving the exchange of personal data will need a contractual record to ensure that data privacy responsibilities are recognised and allocated. In this article, we focus on the relationship between a controller of personal data (the organisation that decides what data is to be collected and how it will be used, eg the customer of data processing services) and a processor (the organisation carrying out the controller’s instructions, eg the service provider).
Article 28 of the GDPR lists matters that must be covered off in an agreement between a supplier of processing services and a customer acting as data controller. But of course, agreements between processors and controllers normally extend well beyond this core list of requirements. They address the wider relationship between the parties detailing the services to be provided and payment terms. One area which parties usually wish to deal with in their relationship is the allocation of financial risk between them if the other party fails in its duties.
Bear in mind that the GDPR, unlike its predecessor, can impose liability directly both on the data controller and the processor if they fail in compliance.
Under attack on two fronts
Two different kinds of financial risk flow from GDPR non-compliance, fines or penalties for compliance failures and damages claimed by data subjects.
The potential for fines for non-compliance received most attention as the GDPR was being developed given the eye-watering sums that could be demanded. Fines can reach €20m or 4% of an organisation’s global annual turnover, although in reality they will be much lower than this in most cases.
The second source of financial risk flowing from the GDPR is damages claims by individuals whose data has been mishandled. The GDPR arms individuals with stronger rights and greater options for bringing claims against those holding and processing their information. We increasingly see law firms looking at GDPR class actions as a source of new business. The potential exposure is less certain, with no figures in the legislation to indicate how much might be awarded. The court would have to assess in a particular case what sums would be appropriate to compensate the data subjects bringing the complaint.
There has so far been relatively little litigation to show what kinds of sums courts are likely to award. But the growing prospect of major class actions, where large numbers of individuals are each awarded compensation, has the potential to expose organisations to cumulative damages payments in the millions. Ongoing litigation involving a data breach by an employee of Morrison’s Supermarkets sees over 5,000 claimants seeking damages for a wrongful disclosure. A modest award to each would quickly mount up.
Can a controller be fined or sued for a processor’s failings?
A data controller who has appointed a processor may feel that they are “off the hook” in terms of the processing activity itself. But even if the controller is acting appropriately, failures by the processor could expose the controller to financial risk.
The GDPR says that any controller involved in processing which causes damage to an individual can be sued for compensation. If the controller was not at fault, or only partly to blame, it can defend itself, and can try to share the blame with any other controllers or processors who were involved. But this means engaging in litigation, with detailed evidence to prove where the fault lay.
Although fines are now possible for both controller and processor, it is possible that a controller could be sanctioned for poor due diligence in selecting a processor, or a perceived failure to supervise their activity appropriately.
The controller may therefore wish to take steps to ensure that failures on the processor’s part will fall to their account. A clause in the contract clearly allocating the risk for specified types of failure on the data processor’s part is likely to provide a quicker and easier solution than relying on court proceedings after the event. But will this approach always be effective?
Evolving market practice
With the possible exposure to GDPR financial risk now much greater than before 25 May 2018, we have seen changes in approach to risk allocation. Before the adoption of the GDPR, these financial risks were less of an issue, and data processors often accepted high or uncapped liability for losses caused by their failures.
Initially we saw customers (data controllers) asking their data processors for higher caps or uncapped protection for GDPR risk given the greater financial risk they faced. This has faced increasing resistance from processors. And over the last year we have seen a trend towards caps on this type of liability. Processors may ask for a cap at a low multiple of the annual fees they receive, for example.
Under the GDPR, processors attract liability for their own failings. If a processor falls short they can themselves be subject to enforcement action and fines. They can also be sued for damages by affected individuals. They are therefore often reluctant to shoulder additional financial risk.
Is it possible to offload risk onto your commercial partners?
The “illegality defence” in English law means that some contractual claims are not enforceable in the courts. Why? If you are suing based on a term of your contract, but the claim is based on your own seriously illegal or immoral activity the courts will not help you. Unfortunately, although the principle has a long heritage, the borderline of what the courts will and will not countenance is unclear. Earlier examples indicate that deliberate and conscious illegal activity will not receive the courts’ support. But if an organisation is sanctioned for a negligent failure, or one that requires no mental element at all, a more sympathetic response is likely.
Some compliance regimes rule out the option of indemnifying those at fault. Company law, for example, disallows direct shielding of directors from negligent and wrongful discharge of their duties. The Financial Conduct Authority is clear that its fines cannot be covered by insurance. But this is not the case for data protection law, and the Information Commissioner’s Office has indicated that there is no rule against insurability of fines. In fact, the question of whether cyber insurance covers fines for data breaches is currently under review at international level. The Global Federation of Insurance Associations recently asked the Organisation for Economic Cooperation and Development (OECD) to address the question in its ongoing review of the cyber insurance market.
It seems likely then, that damages and enforcement penalties issued in situations where a genuine mistake was made or the data controller attracts blame for a failure entirely the fault of the service provider, will be recoverable under contract. Indeed, many take the view that damages claims can always be the subject of risk allocation through contract. For regulatory penalties there is more doubt – some argue that a penalty should always be borne by an organisation found to be non-compliant by the relevant authorities.
Without more specific guidance and court rulings we cannot be certain. As a practical matter, when you provide for risk allocation in a data sharing contract, it is possible to include both damages and enforcement penalties, but with a note of caution that this may come unravelled if relied on in court.
What does it mean for me?
Parties involved in outsourcing processing services will want to consider allocating financial risk arising from data breaches. How effective this is remains uncertain. However, it makes sense to attempt allocation, bearing in mind that this may not work for more serious breaches. Including detailed provisions on the types of non-compliance that will trigger a contractual claim is likely to help with recovery later on.
Market practice is evolving towards limited exposure on the part of the service provider, with many seeking caps at a low multiple of annual contract price.
Cyber insurance is increasingly seen as part of the picture. International efforts are under way to increase consistency of cover and improve understanding of what risks can be insured.