Privacy Lawls with Donata

Ep. 8 | Data Processors & Data Controllers, What Are They? (Guest: Odia Kagan)

Who are Data Controllers and Data Processors and what exactly do they do?

We sit down with Odia Kagan, Chair of GDPR Compliance and International Privacy at Fox Rothschild LLP to figure it out.

Show Transcript

[00:00:00] Hello, and welcome to the eighth episode of Privacy Lawls, a podcast where I talk with the most well-known experts in the field of privacy and have some laughs along the way. I’m your host, Donata Stroink-Skillrud, and today we’ll be talking about data controllers and data processors, what those are, how to determine which one you are, and what your obligations are as a controller or a processor.

So that you can comply with the requirements of the privacy laws that apply to you. My guest today is Odia Kagan, who is a licensed attorney and partner and chair of GDPR Compliance and International Privacy at Fox Rothschild LLP. She’s the chapter chair of OneTrust Privacy Connect in Philadelphia and an advisory board member at the International Association of Privacy Professionals.

Odia is a certified data protection officer, certified information privacy manager, and a certified information privacy professional. She’s also a Fellow of Information Privacy at the International Association of Privacy [00:01:00] Professionals. Thank you so much for joining us today. Can you tell us a bit more about your career and what got you interested in privacy?

I started a long time ago, and one of the things was, back when it was very rare and difficult to do a remote LL.M. in kind of a specialized subject,

I did an LL.M. in basically European privacy, and kind of learned all of the Data Protection Directive, the privacy directive, all of the relevant case law, and found it interesting. And then generally speaking, what I really like about this area, that kind of drew me into it, is sort of basically, and I tell people this,

it’s kind of the pros and the cons at the same time. It’s something that’s ever changing. It’s fast paced, it’s really complex, and it’s very tech oriented. And so I think, you know, I’ve been told that I have a good ability to kind of break down very complex [00:02:00] things into kind of simple, digestible, actionable

pieces, and I think that’s part of the piece that draws me to it: kind of, you know, simplifying the complex. I get that a lot. I obviously follow you on social media and you just talked about, you know, the difficulties in keeping things up to date. You know, what are your tips for keeping up to date with privacy news?

It’s basically being persistent about it. I mean, I think you have to really like it. And you have to really be persistent. I just recommended to my son, kind of strongly, to read a book called Bounce. And it talks about what you need to gain mastery in your chosen area, and it talks about people like David Beckham and Mozart and, you know, other people who achieved mastery in their area at a very early age.[00:03:00]

And it seems like they are just kind of naturally talented. But actually they put in a ton of time, except they just started it, you know, at age three or something, or age two or whatever. And so, basically, that’s kind of the way to do it, is that you have to keep doing it. It is a great time investment. It is a greater time investment than your counterparts who are doing other

subjects like, you know, wealth management or tax or corporate or M&A. It’s just more time investment. But it’s interesting and it’s exciting. So that’s something that you have to keep in mind. It’s just like, you know, it’s kind of like, how do you keep up with a moving treadmill?

You got to keep moving. So it’s kind of the same thing. That’s very true. One of the main parts of my job is staying up to date with new legislation. And I spend so much time doing that, but it’s kind of fun. I like it. I like comparing the different bills and what they mean and who [00:04:00] they affect. And yeah, you do have to find a way to enjoy it.

I’m not sure if you saw the latest clips from Victoria Beckham and David Beckham; they’re doing some kind of documentary and there’s a clip. I saw the whole documentary. Okay. Well, there’s a clip where Victoria tries to convince her husband that she grew up poor, and then he kept on asking, what kind of car did her dad drive?

And it turns out it was a Rolls Royce. Oh, yeah, I saw that. It’s really, I mean, I really liked it. So I told you that I already read about David Beckham in that book. And so I was kind of, I’m not a soccer person at all, but I did respect him for, you know, what I read, but then after the documentary, now I want to be friends with him because he seems like such an approachable person. It’s a really interesting documentary.

I liked it. Very cool. So where can people find you on social media so they can watch all the news that you post every day? [00:05:00] So I do a lot on LinkedIn and I try to also port it over to X as well. So that’s a good place: follow me on LinkedIn and X. We also have our marketing team put up some content on my firm website.

And if you are interested also, you can like, direct message me or contact me, and I can add you to a little mailing list of updates as well. Oh, nice. I’m definitely going to need to be added to that too. So you have a lot of really great certifications and for somebody listening in who’s interested in getting into privacy, what is your recommendation for the first certification that they should get?

I mean, I think that the thing that’s most important is to figure out what your direction is and what you are interested in, right? I mean, there are privacy certifications. IAPP has some, and there are others that are more kind of information security related. Some of them are more implementation and management related.

I think it really depends on what you are, like, what your direction is and the [00:06:00] easiest thing to do is kind of, you know, it is like, do your research first, right? Like, either I don’t know, buy the book or ask people before and figure out if that’s the topic that interests you. And then, you know, dig deeper into it.

There are a bunch of, it really depends. Like, we have, you know, the sort of lawyer bias and kind of the legal privacy stuff. But there are a bunch of really interesting things now with, like, privacy implementation, like ISO implementation, the risk management framework, DPO courses, privacy technology.

So there’s a lot of stuff available. It really depends what you’re interested in. Yeah, definitely talk to privacy lawyers or people in the privacy space of what they’re doing. I work with a lot of law students at the ABA and they seem to find a lot of help with that too. So let’s get into the main topic of today, which is data controllers versus data processors.

So let’s [00:07:00] kind of start off with a quick overview. So what is a data controller? So basically, a data controller is something that determines the purposes and means of the processing and sort of really, basically, is the one in charge of the processing, right? And sets the course for the processing; the processing is done on its behalf.

Now, I’m saying it in a lot of different ways, because there are a lot of kind of real-life implementations that make this more complicated than just that, right? You have, like, classic use cases where, I don’t know, I am a company and I engage somebody to do something for me, or I do something. I collect information.

I collect names of individuals to market to. I have employees and I process their information, right? So I am an entity that does [00:08:00] stuff with personal information, information of people, and I do that for my own purposes. That’s kind of the general case. There are nuances there where, one, I don’t always have to be seeing the information.

Sometimes I don’t even have access to the information. Sometimes the information is encrypted. But there are things that are done for me, even though I have, you know, plausible deniability, but I still instructed people to do it, and therefore I can be the controller. The other piece is “by itself or jointly with others,”

which is this other term where in the European legislation we have an actual joint controllership term. In the US laws, we don’t have it kind of per se, but you have a situation where you have a number of entities that are determining the purpose together, processing the information for a joint purpose.[00:09:00]

You also have controllers that are doing things kind of alongside one another and they are with the same information and they can be independent controllers, right? It’s like, you know, the toddlers playing around each other are independent controllers and like, you know, the children playing together are the joint controllers.

So that’s kind of, you know, generally on controllers. Nice. And what is the data processor? So the data processor is basically somebody who processes information pursuant to the controller’s instructions, and they are processing it basically on behalf of the controller. And so that is a situation, the classic situation of a processor would be where I

basically outsource a piece of processing, right? So the necessary elements are that it’s data processing and I am basically, you know, the information is [00:10:00] processed, you know, as instructed by me, on my behalf. Right? And so the classic is: I could have done it myself, but I outsourced it in order to, I don’t know, make it easier, cheaper, faster, more efficient.

So I, you know, instead of sending emails, I engage a third party to facilitate the sending of the emails. Instead of, like, this is like my dream, right? Instead of, like, posting all my posts on LinkedIn, there’s something magical. There probably are things like that. I just need to set them up. Or outsource the setting up.

But anyway, there’s a third party that does it. I could have done it. They’re doing it for me. The way that I usually try to think about it or explain it is that, you know, processors are for data processing, you know, like LLCs are for like tax treatment, right? They’re see through. They’re like an actual entity, but for the purpose of the tax, right, you go up to the owner and for the purpose of the processing and [00:11:00] liability you go up to the controller.

So the processor does stuff, but they don’t do it for themselves. They do it for me. And so their involvement is supposed to be see-through. That means that, under GDPR, the processing by the processor does not have or need to have its own legal basis, because the legal basis is mine, the controller’s, and they just do something to help.

Right? So that’s kind of the way that I usually think about it. So if I’m, like, a construction company and I hire a marketing agency to send email newsletters on my behalf to my customers, I’m the controller and the marketing agency is the processor. So the marketing agency concept is a little bit more complicated, because it depends on what the marketing agencies do; it could differ.

So the answer is this: I am a company and I engage another entity to [00:12:00] send emails on my behalf. I give them the email addresses. And they send out emails. They are not allowed to use the emails for any other purpose other than sending the emails on my behalf. There are services like that. That would be a processor.

If, however, this company, as part of this deal... Right, in a lot of cases, the telltale sign of this processing is you need to enter into an agreement to, like, open another account and, like, you know, log into an account. That could be a hint. But basically, the difference is, if you have a party

that, while providing you with the sending of the emails, also uses the emails for themselves. They enrich their lists, in similar situations, right? They use these people and start marketing to them themselves, to their own list. They use it to market other clients’ lists. They share it with other third parties and give [00:13:00] that information.

That’s where it starts getting out of the processor realm and starts being controller. Got it. So why is it important to figure out if you’re a data controller or a processor? Like, why is it important to make that distinction? So that’s an interesting question, because, like, in Germany, they started, like, you know, developing an allergy to processors, and everybody’s either a controller or joint controller.

I think the answer is that, basically, first of all, I think that you shouldn’t really try to jump through hoops in order to not be a controller, if that’s what you are. There was a trend at the beginning of GDPR, and there was also a trend in the beginning of CCPA, where companies started trying to, you know, push a square controller into a round processor hole and, like, just really [00:14:00] needed to be a service provider in order for this not to be a sale under CCPA.

And that’s not super helpful because in the interim, right? And this was sort of clear from the beginning, but has become clearer under CPRA and also pursuant to GDPR enforcement data processors can and have been directly enforced against by regulators. Right? Service providers can be enforced against by the California authority.

This was in the Final Statement of Reasons under the CCPA; California stated that, and then it’s kind of, you know, pretty explicit in CPRA that there are obligations that service providers are subject to, right? And if you do not have the DPA or the relevant contract with the service provider, that can implicate the legality of the processing.

So, first of all, [00:15:00] from a, sort of, maybe reason why not. Like, another reason why not to try to figure it out is that, oh, if you’re one, then you’re out of scope, or you’re out of liability, or you can’t be enforced against. That’s not true. Technically speaking, the universe of obligations of a controller or a business under CPRA is broader than the number of obligations,

the scope of obligations, is broader than that of a processor slash service provider in the general universe. However, in real life, right, if you’re writing a law school exam or bar exam, you should probably say that; in real life, there may not be much of a difference. Why?

If you are a service provider and you provide some sort of service or platform, right? The liability and the obligations that you have with [00:16:00] respect to that platform and service, they are not smaller than that of the controller. Right? Under GDPR, the controller is not even allowed to engage you unless they are certain that in using you, they would be sure to comply with GDPR.

So your service is supposed to be such that they would comply with GDPR. That’s the whole point. Remember the see-through LLC thing; it, like, goes right up to them. They’re subject to GDPR. They need to comply. Therefore, vis-à-vis you, they need to comply. Therefore you need to enable this compliance. And so what does that mean?

It means that, with the obvious things, right? Information security, that’s on you. The DSARs, right, the data subject requests, the consumer requests under the U.S. laws. That’s [00:17:00] usually on you, not necessarily the interface with the end user, that can be the controller’s, but all of the stuff in the background that needs to happen in order for this to happen legally, that’s on you.

Transparency, that the controller needs to give, yeah, the controller needs to give it. But the controller is not going to know what’s happening if you don’t tell them. So you need to tell them. That’s actually become much more relevant now when there is automated decision-making and things that are, like, the processes are more complex.

DPIA. Okay. Maybe you don’t need to do a DPIA as a data processor, but your controller needs to do a DPIA. So you need to make it happen and help them do it right. And so if you look at Article 28 and all of those in GDPR and all of the requirements of the data processor to assist the controller, they need to assist the controller.

Can they be enforced against directly by the regulator? Yes. Is it less likely [00:18:00] that they will get enforced against by the regulator? Probably. Is it more likely, and very likely, that they will either get enforced against by their controller client, meaning they will sue them if something goes wrong?

Definitely. And increasingly, they will also not be able to get the controller’s business if they are not compliant, cannot demonstrate compliance, or are not able to set the controller’s mind at ease. So, like, in practice, with respect to your core service that you are providing, there may not be a big difference.

So you, the data processor. Okay. You don’t have to come up with a legal basis. Okay, but if your service that you’re providing is something that’s impossible for your client to use, because I don’t know, let’s say remote real time facial recognition is no longer allowed in Europe, because, you know, the act is going to go a certain way.

Right? [00:19:00] Okay. Well, then you will have developed a product the legal basis for which is impossible to accomplish. Okay. Well, it’s not on you, but you won’t get any business, right? So, yes, there is a delta, because with respect to some of your own stuff, right? Like your landing page or your own employees or things like that, right?

You are not maybe subject to GDPR as a data controller. And if you were, you would need to do all of these other bits too. But as with respect to the core service, there may not be that big a difference. It’s really interesting that you mentioned losing business. So as a business ourselves, we’re subject to GDPR, we’re a data controller.

So we need to make sure that any data processors that we use are compliant. And sometimes our team will bring me a list of ten different services that they want to use for a particular purpose. And then my job is to check compliance and do vendor due diligence, and sometimes we’re left with zero or one, you know, or sometimes we’re left with, [00:20:00] okay, well, they’re close, but I have a question about their privacy policy or their DPA or something like that.

And then I email them and they give me a nonsensical answer. And all of a sudden, okay, well, now you didn’t even present me with all the information that I needed. You didn’t answer my questions. You’re automatically not going to be a vendor. And I think that nixes a lot of companies from the list.

I think it does. And I think it will increasingly do that, because under GDPR, right, this is, you know, we’re not new here, and it’s increasingly happening under the privacy laws of the U.S. I think we’re going to see it as soon as the enforcement kicks in. I think we’re going to see it in two aspects.

One, we’re already seeing it from the FTC enforcement perspective, right? BetterHelp, GoodRx. The FTC is being very explicit about: you’re using third parties. “Yeah, but, you know, they’re very ubiquitous third [00:21:00] parties. They’re, like, the leaders in the market.” That’s, like, my favorite one that I hear from companies, right?

Do you know what it is that the agreement says? “Oh, they wouldn’t be...” So they wouldn’t be. So that’s something that isn’t permitted by law? Now, it’s not not permitted by law. It’s permitted by law. But the fact that it’s permitted puts requirements on you to do things. Do you know what they are?

Have you vetted them? And all that, I think. So one, this kind of puts the onus much more so on the company, on the procuring company, right? There used to be all these, like, you know, spreadsheets and, like, vendor management processes, et cetera, that companies that are financial institutions and subject to, you know, Gramm-Leach-Bliley, Fair Credit Reporting Act, all of that stuff, right?

Those were the ones that were taking it seriously. Maybe HIPAA. All of these quote “non-regulated” entities, which was, you know, a euphemism for FTC, weren’t really worried about it. Now, the FTC is looking at it very closely. [00:22:00] Under CPRA, there are specific provisions that basically say, they’re like a carve-out or a carve-in,

however you want to look at it, that the company, the business, will be liable for a violation by the service provider or third party for violating the law if they knew or had reason to believe. Now, it’s the company’s responsibility to show that they didn’t know or have reason to believe.

And the “reason to believe” that we had in the original law has now, as I predicted to clients before the regs came out, become conclusive: “had reason to believe” is, do you have a CPRA-compliant service provider agreement or third-party agreement with all of the provisions and all of the stuff that you need to do?

And if you can’t show that, then you could be liable. And so I think that part is only going to get more obvious [00:23:00] as we see more enforcement. Quick tangent: I absolutely love vendor due diligence, because it’s kind of like trying to dig up dirt on somebody. And I remember years ago, I was doing due diligence on a very, very popular company that would shred documents. I won’t name names, but it’s, like, one of the top three.

And there was a lawsuit that they lost a couple years back where basically they would take the documents that were to be shredded and dump them in the trash cans in a public park and not shred any of them. Obviously, they didn’t pass vendor due diligence, because their main job was to shred the documents and dispose of them properly.

Like, that was the entire point of this vendor. And they would dump them in a public park, unshredded. So, yeah, they’re kind of fun. But talking about, you know, processors and sub-processors and all those things: there was a case in 2021 where CNIL fined a data controller and its subcontractor [00:24:00] 150,000 euros and 75,000 euros for failing to take security measures to deal with credential stuffing attacks.

So can you talk a little bit more about, you know, how the requirements of the processors and the subprocessors and the controllers, how does that tie into security as well? Not just, you know, not selling the data or not using it in certain ways. So, I think there’s a couple of interesting things here.

First of all, there is, as I mentioned in the beginning, right? Usually when the provider is touching the data or hosting the data, the provider is the main kind of point of responsibility for the information security. Meaning, so I’ll clarify first of all, what’s the obligation? The obligation is under Article 32:

you need to have adequate technical and organizational measures to protect the information. Article 32 is kind of, you know, doesn’t really specify a lot. There are a lot of standards. Like, if [00:25:00] you speak German, you can read thousands and thousands of pages of what Article 32 means, with standards.

There are, you know, industry standards, like, you know, the NIST CSF or ISO 27001, or, you know, for smaller companies, there is, you know, kind of more basic compliance. And if you want to look at, like, much more basic stuff, and kind of for simpler information, there are FTC enforcement cases.

There’s the Start with Security blog, the Stick with Security blog. They had a bunch of things on what’s adequate security. Obviously, it needs to be commensurate with the amount of information, the sophistication of the information, the sensitivity of the information, et cetera.

So that’s kind of what the obligation is. The buck stops with the controller always, right? The [00:26:00] controller is at the front of the line all the time. And therefore, even if the processor messes up, even if the sub-processor messes up; there was a recent CJEU case where a processor engaged a sub-processor without the adequate permission, et cetera, the sub-processor messed up,

the controller was held liable. Now, the controller is always liable. However, and this is the piece where I said it’s not that important to classify. Sure, the controller is the one that got sued. Sure, the controller is the one that gets enforced against, if the controller is an EU controller and you are a non-EU provider, you know, safely here in the US, and, you know, they can’t get to you?

Right? But what do you think’s going to happen? Pursuant to all of the undertakings that you made in the agreement that you executed with them, because you have to execute it with them, or all of that. Right? Like, you made contractual provisions, and one of the key [00:27:00] attributes to providing a service is to adequately protect the information.

And you didn’t do it, or the sub processor that you engaged didn’t do it, and you are liable fully downstream. So, of course, you’re liable and they’re going to sue you. Right? So, so that ends up being your responsibility. The interesting piece there is that, and it reminds me of something more recent is that.

The way that the European data protection authorities kind of look at things is they are kind of looking at it not just with respect to kind of the immediate things that you have to do. Right? Like, oh, you know, this needs to be encrypted, or there needs to be multi-factor authentication, et cetera.

There also needs to be, like, how are you securing the infrastructure in order to, like, three steps down the line, prevent something from happening, right? Because credential stuffing is kind of more of a sophisticated, like, kind of multi-step issue. And that [00:28:00] reminded me that the Garante, the Italian data protection authority, like, a week ago, maybe, or maybe less, started an investigation

with respect to web scraping by AI. It’s not the liability of the scraper, which we’ve seen a lot of discussion in the EU and even in the U.S. about. It’s the liability of the scrapee, right? Like, what are your responsibilities in protecting your digital properties from a tech perspective, from a contractual perspective, et cetera?

Like, what are your liabilities to prevent the data from being scraped? Not the scraping without permission, but actually the scraping of publicly available information. Right? And so that kind of is the same concept of the breadth of your, the controller’s, liability. And in that aspect, right?

That breadth is bigger, right? You have more obligations because you’re [00:29:00] sort of looking at the bigger picture, and then you’re supposed to fit in these data processors that handle specific pieces of that processing adequately. Yeah, you can really go down the line forever with this, with the data processors and the sub-processors, because everybody, whenever you look at their, there’s always a list of 100 processors.

And then, if you look them up, they have their own processors, and then you look, and then it just goes round and round forever. It’s, you know, the transfer impact assessment that everybody wants, that we need to do, that was, you know, even more critical before, right.

But the transfer impact assessments, when that came out and the guidance came out, I was saying, it’s basically, you know, you have to keep going until Middle-earth, right? You can go into the processor and sub-processor until you hit, you know, you get to the end. So, yeah, [00:30:00] one of the obligations of controllers is providing instructions for processing the personal data.

What does that mean, to provide those instructions? So, basically, this is a situation where I always tell both the controller clients and processor clients that vagueness is not your friend and specificity is your friend. Right? I used to listen to Brené Brown when she had podcasts, and I read all of her books, and she has a quote that she taught when she talks about

managing your team, actually, and, like, leadership and managing your team. She has a statement that says, you know, “paint done for me,” like, what does done look like? What does the assignment look like? And then she says that clear is kind and unclear is unkind, right? And this is the situation here, because the instructions are actually helpful for both parties.

It’s basically, what are the [00:31:00] parameters? What are you allowed to do? What are you supposed to do? What are the actions you’re supposed to take? When you don’t have specificity here and something goes wrong, right? If nothing goes wrong, nothing goes wrong. But then again, if nothing goes wrong, then, you know, you didn’t need a contract in the first place, right?

If something goes wrong, then you start looking at, okay, well, what was breached? For example, if you go beyond your instructions, you become a controller. And also, if you want to use an agency metaphor, right? You exceeded the scope of your agency. This is a problem vis-à-vis the controller, right?

It could be the third party, the individual, could still be bound, right? But you exceeded your authority. That’s not allowed; you are going to be responsible for that. The controller is not going to be responsible for that, because that was not part of the deal. The more clear it is what you’re supposed to do, the [00:32:00] easier it is to say, did you meet your requirements or did you not meet your requirements?

So for a lot of these really, really large companies that act as data processors, what I’ve seen is that in their data processing agreements and their documentation, you know, all it says is that processing will occur in accordance with the instructions from the controller, but there are no actual instructions attached.

Like, what do companies do in that sense when you’re a small company trying to engage with a large data processor? Like, do you send them instructions and ask them to agree to them? So, I think the issue here is, first of all, I can say that some of these big companies are under investigation by European DPAs for not actually being a data processor.

Right? Like, the Danish data protection authority has been vocal about it, basically saying, if you get a set menu or whatever of things, and there’s [00:33:00] information being shared, et cetera, and you don’t have any control over it, because it’s basically, like, take it or leave it, is that really a service provider?

Is that really a data processor or not? There is very little control that you can do with respect to, you know, first of all, just generally amending these agreements. I think what needs to happen is this. First of all, actually, with the bigger companies, sometimes there is more detail than in other places; it kind of depends. The instructions referring back to whatever, the agreement, the statement of work, the whatever, that is not kind of forbidden by itself.

If it is clear from the statement of work, or the purchase order, or whatever, what the actual processing is. Right. If you say, ooh, the instructions are for the performance of the services, okay, well, I have no idea. But if the specs of the service are specific, then that’s okay.

The other thing [00:34:00] with big companies. I mean, you know, you do what you can and we all live in the real world. I think the main issue is, and, and, you know, like, European regulators would tell you, well, don’t use that. And don’t don’t use that. Okay. Well, if you have the option to not use, that’s really good.

The minimum that you can do, and you have to do, is you have to actually go through and understand what is the service being provided, what is the data processing as part of the service which is being provided. And this was actually handled in, you know, both, I think, in the DPC Ireland cases with Meta as well as with the Danish data protection authority, I think, with health, the Gore case, and some of the others, that you need to look at the toggles, look at all the options.

Figure out what is actually going on, right? Like you need to, you know, click or unclick, and what are the defaults, and somebody actually needs to deep dive into it. [00:35:00] Same, by the way, with the FTC. That’s basically what the FTC said. They’re like, you’ve got to understand. What are these? What’s going on?

What is the data being processed? What is the data being shared? So, first of all, you need to know what it is. Then you need to figure out. Is this a problem or is this not a problem? Okay. And then you need to figure out what is it that you can do, right? Either at minimum, right? You provide the information to the end users.

You provide the opt outs or whatever to the end users. You need to do something, but the minimum is you need to understand it. If you are not able to understand it, you probably need to ask them. In my experience with big companies, even though sometimes it’s not included, like, what’s included in the set documents is holy, but there are like numerous

like side white papers that they will give you that actually, you know, reflect it. And so that’s not ideal, but if it actually reflects the truth, then that is, you know, a step in the right direction. Right. I would love for somebody to analyze [00:36:00] the Facebook ad settings and, you know, kind of walk through what data is being collected, where it’s being stored, who it’s being shared with, what is being done with it, all of that kind of stuff.

I think that would be a really cool project for somebody that’s not me. So where can controllers find more information about what’s included in contracts with their processors? Well, it usually needs to be somewhere in the contract or somewhere in the specs, right? It needs to be, I mean, normally, it would either be, ideally it should be an exhibit,

the data processing exhibit, and if not, it should be in the, you know, either in the services agreement, or in the purchase order, or in the statement of work, or in the specifications. Yeah, so it could be a lot of different documents that it could come from. So what happens, like in a hypothetical scenario, obviously, you know, what happens if a controller asks the processor to do something illegal?

So for example, like they ask them to [00:37:00] continue to email people who have unsubscribed, what happens then? So under both laws, both in the US and the EU, you’re, one, not allowed to do it; two, you need to tell the controller that this isn’t happening, and then usually, like, you either stop that piece of the processing or you stop the processing.

You’re not supposed to do illegal. I mean, it’s like, I don’t know, that today’s world is just, everything is this sort of kooky, weird dystopia. Maybe it needs to be said that, you know, you shouldn’t be doing illegal things. Right. Yeah. Very nice. So thank you so much for sharing your insights and your knowledge into data controllers and processors. For our last segment, for privacy news,

I’d like to ask you about the latest fines from the UK Information Commissioner’s Office totaling 170,000 GBP for allegedly illegal marketing. So the largest fine was issued to Argentum Data [00:38:00] Solutions for sending 2.3 million marketing text messages without consent. Do you think that those fines are enough of a determinant?

What can we learn from the U.K. in curbing the spread of these spam text messages that are plaguing all of us in the U.S.? Right, so generally speaking about this topic, as opposed to a specific case. So first of all, the ICO, the U.K. ICO, is very, very proactive with respect to its enforcement of the, you know, the unlawful kind of emails, calls situation.

They are very, you know, persistent and consistent. I think that, you know, the email without consent situation is something to really take seriously, both specifically in the UK and generally in Europe. And I think that the other thing which is interesting, and this came up in a client conversation, notably the ICO in a different case actually kind of [00:39:00] really strongly enforced an unlawful emails case, emails that were sent to some unconsented users.

Where it was like a one-time email, and it was like something with respect to a charity initiative that the company had initiated. And so the fact that this is for a good cause and for charity, et cetera, is sort of not, you know, an impediment to enforcement. And I think that it sort of seems like it’s not innovative, right?

Like, you know, the calling or the emailing or whatever, but like, this kind of back to basics situation, these enforcements are ongoing. And they’re definitely something to, you know, to pay attention to. I definitely think we need this here because I get at least 10, 15 text messages and calls per day that are just purely spam.

It’s infuriating. So it’s interesting because that enforcement in the U.S. is also pretty robust. And CAN-SPAM obviously is an opt-out law, [00:40:00] which is kind of centered around misleading and ease of unsubscribing. But there has been enforcement on these issues, including significant enforcement, and with respect to the text messaging, right?

The TCPA is pretty strict and has a private right of action, and I have seen, I mean, there have been a bunch of like, really serious enforcement. So I think in the US, obviously, there’s always more human companies going under the radar, but like, this is definitely something that the US also takes very seriously.

Yeah, well, thank you so much for joining us today. And for those listening, please make sure to subscribe to Privacy Lawls so that you do not miss our next episode.
