The Court of Justice of the European Union rules on joint controllers’ liability

In case C-683/21, handed down on December 5, 2023, the Court of Justice of the European Union clarified the concept and scope of joint controllers’ liability.

I.          Facts

In March 2020, the National Public Health Center at the Lithuanian Ministry of Health (NVSC) had commissioned a company with the task of developing a traceability application for people affected by COVID-19. Several exchanges then took place between the parties concerning the NVSC’s expectations and requirements.

This app was released to the Google Playstore and App Store between April 4 and May 20, 2020.

In the absence of sufficient financial resources, however, on May 15, 2020 the NVSC informed the mandated company that it was no longer in a position to acquire the application, and invited the company to make no further mention of it in any way in the application in question.

As the Lithuanian data protection authority considered that the operation of this application led to the processing of personal data that did not meet the requirements laid down by the GDPR, it ordered the NVSC to pay a fine of 12,000 euros.

The NVSC challenged this decision before the Vilnius Regional Administrative Court, arguing that the development company alone had to be considered as the data controller. The development company, for its part, considered that it had only acted as a subcontractor, on the instructions of the NVSC.

The referring court found the following facts:

• the NVSC had advised the development company on the questions to be asked to users in order to implement the objectives it was seeking to achieve through the development of the application;
• the NVSC had not consented to or authorized the availability of the application on the above-mentioned online stores;
• There was no public procurement contract between the NVSC and the development company, the procedure having been terminated for lack of funding.

The question submitted to the ECJ was whether the NVSC should be considered a controller despite this context.

II.          Recitals

Unsurprisingly, the Court found that :

• the mere designation of the NVSC as “controller” in the mobile application’s privacy policy is obviously not binding on the judge;
• the fact that the NVSC has not itself processed personal data, and that this processing has taken place through the development company, does not mean that it cannot be a data controller;
• it is irrelevant that there was no contract between these entities, as such a contract is not a mandatory requirement to qualify as joint data controllers and has no constitutive effect;
• Finally, it is irrelevant that the NVSC did not acquire the mobile application in question and did not authorize its release on the aforementioned stores.
• All that matters is that the NVSC commissioned a company to develop a mobile application, clearly participated in determining the purpose and means of the processing, and did not expressly object to its being put online and to the resulting processing (which, according to the Court, took place through the development company on behalf of the NVSC).

The Court concluded that the NVSC was indeed a joint data controller (the development company having also carried out certain processing operations for its own purposes).

In this respect, the Court notes that joint liability does not necessarily mean equivalent liability for the various operators involved in a personal data processing operation. These operators may be involved at different stages of processing and to different degrees, entailing different levels of responsibility.

In this way, the data controller can be held liable not only for the processing operations he carries out himself, but also for those carried out by a third party on his behalf, as in the case of a subcontractor.

III.          Comment

All in all, the ECJ’s decision comes as no surprise. A Swiss court hearing the same case would, in my view, reach the same conclusions under the Federal Data Protection Act.

Anyone who mandates an IT company to carry out a specific development for a specific purpose is therefore considered a data controller, even if the company is then entitled to exploit the development itself, or to process the resulting data on behalf of the company that has mandated it to do so.

A contract clearly delineating roles and responsibilities is therefore all the more important in cases of joint responsibility.

It should also be emphasized that any renunciation to the said development by the principal, particularly in the case of a public entity, is not sufficient to exclude its qualification as a controller if it tolerates the commercialization of the development, the purpose and means of which it has determined. In such cases, it is important that it clearly dissociates itself from the development by prohibiting its commercialization.