On May 4, 2023, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued its opinion in case C-683/21, which examines the GDPR concepts of “controller”, “joint controller”, and “processor”, as well as the GDPR’s liability system.
The case arises from a dispute between the Lithuanian National Public Health Centre (“NVSC”) and the Lithuanian Supervisory Authority (“SA”) concerning the NVSC’s development of a mobile application for tracking Covid-19 contacts (“App”). The NVSC engaged the company ITSS to develop the App with a view to acquiring it at a later stage. The App was then developed and made available on different digital stores, mentioning both ITSS and NVSC as separate controllers, even though NVSC never “officially approved” the App. A public procurement procedure was initiated to proceed with NVSC’s acquisition of the App, but the acquisition never materialized. NVSC never processed personal data and did not formally authorize ITSS’ processing operations, but provided instructions regarding the App’s development. NVSC and ITSS did not enter into any formal agreement regarding the purposes and means of personal data processing.
Following an investigation, the SA imposed administrative fines on the NVSC and ITSS as “joint controllers” for infringing Articles 5, 13, 14, 24, 32, and 35 of the GDPR. NVSC appealed the decision to the Vilnius Regional Administrative Court, which referred six questions to the CJEU.
Questions and Answers
The Lithuanian court’s questions, and the AG’s answers, can be summarized as follows:
(1) Is the NVSC a “controller” under Article 4(7) GDPR?
The NVSC will be a controller if it expressly or implicitly agreed on the App being made available to the public, which initiates the processing of personal data. This is for the national court to determine. The mere fact that an entity initiates the development of data collection tools, such as an app, or defines the parameters of these tools does not make it a “controller”. In order for the entity to be a controller, the influence exercised “must relate to the processing of personal data itself”.
(2) Does the fact that two controllers have not come to any formal arrangement as to the purposes and means of the personal data processing (and/or do not appear to have otherwise coordinated their actions in respect of the determination of the purpose and means of the data processing) preclude them from being considered “joint controllers” under Articles 4(7) and 26 GDPR?
No. Two controllers will be joint controllers if their “influence over the processing [is] exercised jointly”. The absence of any agreement, arrangement, common decision, or even coordination cannot exclude the existence of joint controllership. Joint participation in the processing can take different forms and does not even have to result from a common decision of the controllers. What matters is that both controllers have a “tangible impact” on the determination of the purposes and means of personal data processing, to the extent that, without both controllers’ participation, the processing would not be possible. This is consistent with what the EDPB stated in its guidance on the concepts of controller and processor (para. 53).
(3) Does the definition of “processing” provided in Article 4(2) GDPR cover a situation where personal data are used during the test phase of a mobile application?
The definition of “processing” covers using personal data to test a mobile application. The purpose for which the personal data are used has no bearing on the question of whether an operation qualifies as “processing”.
(4) May an administrative fine be imposed on a controller that did not intentionally or negligently breach the GDPR? Can the controller be fined for the processor’s (in this case, if ITSS were a processor instead of a controller) breach of the GDPR (even though the controller itself did not process the personal data)?
An administrative fine presupposes an “intentional or negligent” breach of the GDPR (as was already stated in the AG opinion in the other CJEU case C-807/21). A controller can be fined if a processor, which by definition processes personal data on the controller’s behalf, breaches the GDPR intentionally or negligently, irrespective of whether the controller itself processed the personal data and provided the processor acts in accordance with the instructions of the controller.
* * *
The AG’s opinion is not binding on the CJEU. The Covington Privacy and Cyber team will report back once the CJEU renders its judgment.
(This blog post was written with the contributions of Alberto Vogel.)