Ed. Note: This is the fifth installment in a year-long series the WLF Legal Pulse is hosting of “frequently asked questions” on two California laws aimed at protecting the privacy of digital personal data. The author of the posts, David Zetoony of Greenberg Traurig LLP, authored a book on the laws for the American Bar Association from which this and future FAQs are excerpted. We thank the American Bar Association for granting us permission to share them with our readers.

Data privacy has become one of the greatest areas of risk and concern for business.  It is also quickly becoming a heavily regulated field with the adoption in Europe of the General Data Protection Regulation (GDPR) in 2016 and the adoption in California of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020.  Some states, such as Colorado and Virginia, have already followed California in enacting data privacy regulation; many others are considering it.

The American Bar Association (ABA) recently published a Desk Reference Companion to the CCPA and the CPRA, a book authored by David Zetoony, the Co-Chair of the United States data privacy and security practice at Greenberg Traurig LLP. The book is designed to help in-house counsel understand the intricacies of California’s complex privacy regulations by providing answers to 516 of the most frequently asked questions from business. The following excerpt was reproduced with the permission of the ABA.

***

Is a service provider the same thing as a processor?

No.

The European GDPR does not use the term “service provider” and, instead, refers to “processors.” While processors within the GDPR are defined in a similar manner to service providers under the CCPA, the GDPR is far more prescriptive regarding the contractual terms that must be present in a processor agreement. Specifically, the GDPR requires that a controller and a processor clearly set forth the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data involved, the categories of data subjects involved, the obligations and the rights of the controller, and the following substantive provisions:

  1. Documented instructions. The processor will only process personal data consistent with the controller’s documented instructions.[1]
  2. Confidentiality. The processor must ensure that persons authorized to process personal data have committed themselves to confidentiality.[2]
  3. Processor security. The processor must implement appropriate technical and organizational measures to secure the personal data that it will be processing.[3]
  4. Subcontracting authorization. The processor must obtain written authorization before subcontracting and must inform its client before making any change to its subcontractors.[4]
  5. Subcontracting flow-down obligations. The processor must flow down its contractual obligations to its sub-processors.[5]
  6. Subcontracting liability. The processor must remain fully liable to the controller for the performance of its sub-processor’s obligations.[6]
  7. Responding to data subjects. The processor must assist its client to respond to requests by a data subject.[7]
  8. Assisting controller in responding to data breach. The processor must cooperate with its client in the event of a personal data breach.[8]
  9. Assisting controller in creating DPIA. The processor must cooperate with its client in the event the client initiates a data protection impact assessment (DPIA).[9]
  10. Delete or return data. The processor must delete or return data at the end of the engagement.[10]
  11. Audit right. The processor must allow its client to conduct audits or inspections for compliance with these obligations.[11]
  12. Cross-border transfers. The processor must not transfer data outside of the European Union without permission from the controller (“unless required . . . by Union or Member State law”).[12]

In comparison, in order to be considered a service provider under the CCPA, a legal entity must process personal information “on behalf of a business”[13] and only be prohibited by contract from:

  1. Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[14]
  2. Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[15] or
  3. Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”[16]

Note that the CPRA incorporated some, but not all, of the additional processor requirements mandated by the GDPR. For example, the CPRA requires that a service provider must flow down its contractual obligations to subcontractors.[17]

Notes

  1. GDPR, Article 28(3)(a).
  2. GDPR, Article 28(3)(b).
  3. GDPR, Article 28(1), (3)(c); GDPR, Article 32(1).
  4. GDPR, Article 28(2), (3)(d).
  5. GDPR, Article 28(3)(d), (4).
  6. GDPR, Article 28(3)(d).
  7. GDPR, Article 28(3)(e); GDPR, Articles 12-23.
  8. GDPR, Article 28(3)(f); GDPR, Articles 33-34.
  9. GDPR, Article 28(3)(f); GDPR, Articles 35-36.
  10. GDPR, Article 28(3)(g).
  11. GDPR, Article 28(3)(h).
  12. GDPR, Article 28(3)(a); GDPR, Article 46.
  13. Cal. Civ. Code § 1798.140(v) (West 2020).
  14. Cal. Civ. Code § 1798.140(ag)(1)(B) (West 2021).
  15. Cal. Civ. Code § 1798.140(ag)(1)(B) (West 2021).
  16. Cal. Civ. Code § 1798.140(ag)(1)(B) (West 2021).
  17. Cal. Civ. Code § 1798.140(ag)(2) (West 2021).