The concept of a data ‘controller’ is central to the operation of the GDPR because it allocates responsibility for compliance with data protection rules. The GDPR also foresees joint data controllers, who have the additional challenge of coordinating their respective responsibilities, in particular towards data subjects. In the genomics context, determining who is a joint data controller can be complicated.
In recent Guidelines 07/2020 on the concepts of controller and processor in the GDPR, the European Data Protection Board (EDPB) emphasises that joint controllers must have ‘decisive influence’ over both the purposes and ‘essential means’ of processing. Essential means include: the type(s) of data to be processed, the duration of processing and categories of people who may access the data. This may be apparent from a formal common decision. However, as a series of decisions by the Court of Justice of the European Union (CJEU) demonstrated, joint controllership can occur in much less obviously connected scenarios. This has included situations where actors did not have access to any personal data themselves and where they merely created an ‘opportunity’ for, ‘made it possible’ for, or ‘organised, coordinated and encouraged’ processing by others.
The EDPB rationalise these as ‘converging decisions’, whereby the processing is inextricably linked and would not be possible without both parties’ participation. Importantly, this doesn’t require complete agreement about the purposes and means. Having different purposes may suffice if they are complementary and different entities may determine the means of processing at different stages to different degrees.
How does this apply in practice?
In a genomics research collaboration where each institution inputs personal data into a common platform and agrees how that data should be processed, all institutions will be joint controllers. In other scenarios, where the parties have different but sufficiently closely linked or complementary purposes for processing, joint control could also arise. For example, if a genomic data platform allows users to set their own parameters for analysis (such as which variants should be investigated) but requires them to share the results of their analysis with the platform, both the platform owner and the users may be considered joint controllers of that processing.
However, not all linked activity will lead to joint controllership. In some cases a party will instead be merely a ‘processor’, with more limited responsibilities (e.g., to keep data secure). For example, if a party helps to determine technical aspects of processing (such as how data should be aggregated or safeguarded) but has no influence over the research question, the people who can access the data, or any other essential means, it will be considered a processor, not a joint controller. In other cases, parties may be joint controllers but only for specific aspects of the overall processing. For example, a healthcare institution that provides genomic data to a central research database but has no influence over the subsequent research and receives no results in return will be a joint controller for the transfer and storage of the uploaded personal data but not for the subsequent research.
An assessment of joint controllership is likely to be influenced by the context. In the case law described above, the CJEU has taken a broad approach to joint controllership to ensure adequate protection of data subjects’ fundamental rights in contexts where there is inadequate transparency and responsibility for the processing of personal data. By contrast, genomics collaborations are not generally characterised by an absence of responsibility for, or transparency about, the processing of personal data, and many will be supported by formal arrangements as recommended by the EDPB.
It is important that genomics actors appreciate that:
- Access to personal data itself is not a prerequisite for joint controllership.
- Jointly made agreements between parties that set out the objectives and essential means of processing will trigger a situation of joint control.
- Different purposes may nevertheless lead to joint controllership in cases where the purposes are sufficiently closely linked or complementary.
- Joint controllers need to work together to determine their respective responsibilities for compliance with the GDPR in relation to their specific processing operations, and to make the essence of this arrangement available to data subjects (Art 26).
Colin Mitchell, Johan Ordish, and Alison Hall work for the PHG Foundation, a think tank with a special focus on genomics and personalised medicine that is a part of the University of Cambridge.