Third Party Aspects of Data Activities

• Principles 28 to 31 deal with the protection of others against data activities.
• Principles 32 to 34 include rules regarding effects of onward supply on the protection of others.
• Principles 35 to 37 refer to effects of other data activities, such as processing, on the protection of third parties.

Relation to other Parts of the Principles

Parts II and III of the Principles mostly deal with legal relationships between contractual parties and the relationship between a party exercising a data right and the controller against whom the right is exercised. While rights of third parties do, to a certain extent, play a role in those Parts (e.g. regarding due diligence obligations), third party aspects are not directly addressed.

Part IV is thus needed to provide guidance as to when data activities should be considered wrongful vis à vis another party (e.g. vis à vis a data subject or against the initial supplier of data in a chain of downstream transactions). Data activities can be any activity with regard to data, i.e. acquisition, control, processing and other activities including the onward supply of data.

Chapter A – Protection of others against data activities

While Chapters B and C look at certain data activities in detail, Chapter A sets out general grounds for wrongfulness, including:

1. interference with any right of the protected party that has third party effect per se, like intellectual property or data privacy/data protection rights;
2. non-compliance with contractual limitations on data activities, enforceable by the protected party;
3. the fact that access to the data has been obtained from the protected party by unauthorized means.

As already laid out in Part I on General Provisions, the Principles in Part IV on Third Party Aspects are not intended to amend existing data privacy or data protection law, intellectual property law, or trade secret law.

Another issue that the Principles deal with are the effects of wrongfulness of the supplier (following Chapter A) vis à vis downstream recipients. This could be the case, for example, where a supplier has accessed a protected third party's data by unauthorised means ('data theft') and then passes data on to a downstream recipient. While the supplier's action would of course be wrongful (under Chapter A), Principle 34 defines conditions under which the downstream recipient could be made liable vis à vis third parties. Data activities by downstream recipients are wrongful, if they

• have notice of the wrongfulness on the part of the supplier
• or failed to make investigations that could reasonably be expected.

As this rule may entail a rather high risk for downstream recipients, it is limited in a number of cases (e.g. the downstream recipient is not liable if the wrongfulness on the part of the supplier (of which the recipient has notice) is not material and could not reasonably be expected to cause material harm to protected third parties).

Data can be subject to a wide range of processing activities, like the combination of different data sets or the derivation of new data from existing data. Controllers that intend to engage in the processing of data must not act wrongfully (e.g. by not complying with contractual limitations on data activities). The level of diligence required depends, once more, on a risk-based assessment (i.e. higher risk for protected parties leads to higher due-diligence obligations). Wrongful processing may also lead to an obligation to undo the processing.