It is not clear at this point whether joint and several liability attaches to the actions of joint controllers.
The GDPR states that a data subject “may exercise his or her rights under this Regulation in respect of and against each of the controllers.”1 While that provision hints that the joint controllers may be jointly and severally liable vis-à-vis actions brought by data subjects, it does not say so explicitly. It is worth noting that, prior to the passage of the GDPR, the Article 29 Working Party argued that joint controllers should have joint and several liability unless the controllers effectively allocated obligations:
. . . it can be argued that joint and several liability for all parties involved should be considered as a means of eliminating uncertainties, and therefore assumed only in so far as an alternative, clear and equally effective allocation of obligations and responsibilities has not been established by the parties involved or does not clearly stem from factual circumstances.2
The fact that the GDPR is silent on the issue could be indicative of a rejection of the Article 29 Working Party’s recommendation.
Furthermore, while the GDPR states that data subjects may exercise their rights “against each of the controllers,” it does not state that a supervisory authority may recover administrative fines against one controller for the actions of a second controller. As a result, even if joint and several liability exists vis-à-vis an action initiated by a data subject, it may not exist for an action initiated by a regulator. The European Court of Justice provided another hint that joint and several liability may not attach to violations committed by joint controllers in Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH. While a monetary penalty was not at issue in that case, the court evaluated the level of “joint responsibility” that might exist between joint controllers and held that “the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.” The implication is that joint and several (i.e., equal) responsibility is not a foregone conclusion when one controller violates the regulation.3
Joint controllers are permitted to contractually distribute the obligations imposed by the GDPR and, in fact, may have an affirmative obligation to demarcate by contract their “respective roles and relationships.” When drafting a contract allocating responsibilities, joint controllers should therefore also consider whether to include indemnification provisions in the event that one is found to be jointly and severally liable for the actions of the other.4
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. GDPR, Article 26(2).
2. WP169, Opinion 1/2010 on the concepts of “controller” and “processor,” at 24.
3. Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, Case No. C-210/16 at para. 43 (June 5, 2018).
4. GDPR, Article 26(2).