Hungary’s data protection authority, the National Authority for Data Protection and Freedom of Information (NAIH), recently issued a decision fining PepsiCo €5,000 for a data breach. The decision has, however, had wider repercussions, reclassifying the concept of data controllers and data processors.
In October 2012, it was exposed that a Turkish hacker group had been able to hack into PepsiCo’s Hungarian domain, resulting in a data breach which caused 50,000 data subjects, including names, birth dates, telephone numbers and email addresses to be publicised across the Internet over a period of nine months. This data that had been collected by an agency, Createam, in connection with a promotional game ‘See the World in 3D’. Reacting to complaints, PepsiCo deleted all the data and implemented notice and remediation procedures to mitigate the breach. Through the Internet Corporation for Assigned Names and Numbers (ICANN), PepsiCo was able to locate the hacker and instigate criminal proceedings against the group. Despite the proactive steps PepsiCo had taken, NAIH instigated an investigation. NAIH argued PepsiCo was in breach of Section 7 of the Hungarian data protection law Act No. CXII of 2011 on the self-determination of information and freedom of information, which requires a data controller to carry out data processing operations in compliance with the Act, including the implementation of adequate safeguards and security measures to protect that data against unauthorized access, alteration, deletion, accidental loss or public exposure.
PepsiCo attempted to argue that, based on the definitions in the contract with Createam and the fact that all processing activities were outsourced to the agency, Createam was the data controller liable for the breach. To reinforce the argument, PepsiCo relied upon the provisions of the EU Directive 95/46/EC, which defines a data controller as ‘the natural or legal person, public authority or agency or any other body which alone or jointly with others determines the purposes and meaning of the processing of personal data.’ Following this interpretation, PepsiCo argued Createam was the entity collecting all data, to which PepsiCo had no access, and should be considered the data controller on this basis. Createam successfully rebutted that PepsiCo was the data controller considering the agency received all instructions in relation to the processing from PepsiCo, and the breach itself was of a website hosted by PepsiCo’s hosting provider that had no legal relationship with the agency.
The case therefore prompted reconsideration of the definitions of data controller and data processor. NAIH turned to the Article 29 Data Protection Working Party’s Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’, and found that being a data controller is defined by the factual circumstances that an entity has chosen to process personal data for its own purposes and, irrespective of the contract between the parties, PepsiCo was deemed the data controller. Similarly, NAIH reinforced that Createam was the data processor on the basis that it was a separate legal entity processing data on a controller’s behalf. Consequently, PepsiCo was found liable for the breach of Article 7 of the Hungarian law due to lack of security measures, resulting in a fine of €50,000.
The significance of this decision lies in the fact that when deciding where liability fell between the parties, NAIH, while adopting the recognised definitions of controller and processor under EU law, went further in reserving the right to reclassify the roles considering the context and purposes of data processing to decide the role of the parties, regardless of definitions of the parties under contractual agreement.