Data security rules for data processors fail stated aim of EU data protection reforms, says expert

Most data protection obligations fall on data controllers, who must ensure that data is treated in line with the law. They may hire other organisations to handle data on their behalf but these data processors have a reduced burden of responsibility.

Giving these processors increased responsibility for data security seems to make sense, but in practice it will result in confusing legal wrangling between processors and controllers and will create a blame culture that will be of no help to consumers.

Data security is an important subject and it is vital that the outsourcing of personal data processing activities does not result in a weakening of the protection of consumers' data and better opportunities for criminal hackers. However, persisting with the rules as currently drafted would create more problems than the rules would solve.

The way the new regime would be implemented would lead to a blurring of the responsibilities of data controllers and processors, difficulties in establishing liability for breaches of personal data and confusion for data protection authorities - all whilst delivering no benefit for consumers.

On the face of it you can understand why EU law makers would be keen to write data processors' data security obligations into law. It would set into statute processors' responsibilities to protect personal data from theft, loss or unauthorised access and, potentially, drive up standards of data security as a result, particularly since punitive penalties could be issued by regulators for non-compliance.

The existing Data Protection Directive puts no such statutory obligation on data processors. Instead, the data controllers - the organisations ultimately responsible for handling personal data in accordance with the Directive - are required to ensure that when they outsource data processing activities, they put in place a contract that holds the processors to the same standards of data security as them.

A new leaked document setting out the current thinking on the proposed new General Data Protection Regulation (305-page / 1.45MB PDF) suggests that European governments will support the European Commission proposals to place processors subject to statutory data security requirements. MEPs also back that approach.

Under the proposals, data controllers and processors would be handed a joint duty to implement a level of security appropriate to the risks of the processing. A contract would still be required to govern the relationship between the two parties. Because processors would be on the hook for data breaches, they are going to be more motivated to specify exactly the limits of their remit.

In practice this will mean that outsourcing agreements between data controllers and processors will become prescriptive and much more technical in detail on data security arrangements. There could be gaps in expectations and in the willingness of data controllers and processors to take on certain data security responsibilities. This could lead to a complete breakdown in the negotiation of contracts.

Where agreements are forged, the technical language could make their interpretation difficult. Disputes could arise over where respective liabilities lie, and where a breach occurs data protection authorities could find it difficult to identify which party in the agreement is at fault or how to otherwise apportion blame, making it difficult for them to follow through with enforcement action.

Currently the legal position is clear. Data controllers are ultimately liable for non-compliance with data security rules under EU data protection laws even if the problem stems from activities carried out by data processors.

The proposed changes would not lead to better protection of personal data and so would not benefit consumers and help build trust in digital services, as the reforms aim to achieve. However, these reforms are coming and businesses should be seeking to understand the steps they can take to address the challenges they will bring.

Kathryn Wynn is a data protection expert at Pinsent Masons, the law firm behind Out-Law.com