Third Party Aspects of Data Activities

The fourth Part of the Principles deals with scenarios in which transactions can interfere with rights of third parties (e.g. intellectual property rights, rights derived from data privacy/data protection law).

  • Principles 28 to 31 deal with the protection of others against data activities.
  • Principles 32 to 34 include rules regarding effects of onward supply on the protection of others.
  • Principles 35 to 37 refer to effects of other data activities, such as processing, on the protection of third parties.

Relation to other Parts of the Principles

Parts II and III of the Principles mostly deal with legal relationships between contractual parties and the relationship between a party exercising a data right and the controller against whom the right is exercised. While rights of third parties do, to a certain extent, play a role in those Parts (e.g. regarding due diligence obligations), third party aspects are not directly addressed.

Part IV is thus needed to provide guidance as to when data activities should be considered wrongful vis à vis another party (e.g. vis à vis a data subject or against the initial supplier of data in a chain of downstream transactions). Data activities can be any activity with regard to data, i.e. acquisition, control, processing and other activities including the onward supply of data.

Chapter A – Protection of others against data activities

While Chapters B and C look at certain data activities in detail, Chapter A sets out general grounds for wrongfulness, including:

  1. interference with any right of the protected party that has third party effect per se, like intellectual property or data privacy/data protection rights;
  2. non-compliance with contractual limitations on data activities, enforceable by the protected party;
  3. the fact that access to the data has been obtained from the protected party by unauthorized means.

As already laid out in Part I on General Provisions, the Principles in Part IV on Third Party Aspects are not intended to amend existing data privacy or data protection law, intellectual property law, or trade secret law.

Chapter B – Effects of onward supply on the protection of others

Duties of a supplier in the context of onward supply

'Direct action against downstream recipient'

The more controllers there are in a chain of data transactions, the more difficult it can be for protected parties to enforce their rights. At the same time, data recipients face a lot of uncertainty regarding the extent to which the data received is protected by third party rights. This Chapter deals specifically with third party effects of the onward supply of data and aims to strike a balance between third party protection on the one hand, and the desire to encourage data sharing and interests of data recipients on the other.

Principle 32 includes certain obligations that data recipients need to comply with if they wish to pass data on to others, including the obligation to pass on to the (downstream) recipient all the duties and restrictions which they had to comply with themselves for the benefit of a protected party (e.g. data may only be used for certain purposes). The Principle also requires them to carry out due-diligence assessments of the (downstream) recipient ('risk-based approach'). If (immediate) recipients comply with these obligations (and despite their effort, a downstream recipient engages in wrongful activities), they are typically not liable vis à vis protected third parties.

Where the (immediate) recipient fulfilled all duties under Principle 32, but the downstream recipient is non-compliant, the initial supplier can take direct action against the downstream recipient (Principle 33).

Wrongfulness taking effect vis-à-vis downstream recipient

Another issue that the Principles deal with are the effects of wrongfulness of the supplier (following Chapter A) vis à vis downstream recipients. This could be the case, for example, where a supplier has accessed a protected third party's data by unauthorised means ('data theft') and then passes data on to a downstream recipient. While the supplier's action would of course be wrongful (under Chapter A), Principle 34 defines conditions under which the downstream recipient could be made liable vis à vis third parties. Data activities by downstream recipients are wrongful, if they

  • have notice of the wrongfulness on the part of the supplier
  • or failed to make investigations that could reasonably be expected.

As this rule may entail a rather high risk for downstream recipients, it is limited in a number of cases (e.g. the downstream recipient is not liable if the wrongfulness on the part of the supplier (of which the recipient has notice) is not material and could not reasonably be expected to cause material harm to protected third parties).

Chapter C – Effects of other data activities on the protection of third parties

Data can be subject to a wide range of processing activities, like the combination of different data sets or the derivation of new data from existing data. Controllers that intend to engage in the processing of data must not act wrongfully (e.g. by not complying with contractual limitations on data activities). The level of diligence required depends, once more, on a risk-based assessment (i.e. higher risk for protected parties leads to higher due-diligence obligations). Wrongful processing may also lead to an obligation to undo the processing.

If a controller engages in data activities with respect to a large data set, and the data activities  do not comply with duties and restrictions with regard to some of the data, such activities are not wrongful with regard to the whole data set, if 

  • the non-compliance is not material in the circumstances;
  • the controller has made the efforts that could reasonably be expected to comply with the duties and restrictions; and
  • the data activities are not related to the purpose for which duties or restrictions under Chapter A are imposed and could not reasonably be expected to cause material harm to a protected party.

Affected parties may nevertheless request the controller to remove the affected data set for future processing unless removal would be unreasonable in the circumstances.

'Data protected by third party rights in large data sets'