Shifting Data Processing Roles: Is AI Redefining the Controller-Processor Relationship?

How is AI changing data processing relationships between enterprise customers and vendors?

In a classic data processing model, the controller is in the driving seat - in "control", if you will. The processor has to follow the controller's instructions. If there is a data breach, the processor has to notify the controller, and the controller decides if and when to report the incident to regulators and to data subjects. Ultimate accountability remains with the controller.

The vesting of decision-making power solely in the controller noticeably shifted with the advent of cloud computing. While controllers still notionally "instruct" their cloud processors, the reality is that most customers are procuring commoditised services from their processors and have little real ability to instruct how their processors process data, especially with respect to the "means" (i.e. systems) used to process data.

The former Article 29 Working Party recognised this to some degree back in 2012 (in its Opinion 5/2012 on cloud computing), and the reduced emphasis on who decides processing "means" when determining controllership continued in the EDPB's guidelines 7/2020 on the concepts of controller and processor. These guidelines distinguished between determining "essential means" of processing (a controller preserve) and "non-essential means" (which can be left to the processor), further blurring the line of control. These regulatory adaptations can be seen as shifts to accommodate a changing reality, namely that decision-making control over how (rather than why) data is processed was shifting from the hands of controllers to processors.

With the evolution from cloud computing to AI, these shifts in responsibility become even more pronounced. Consider again the traditional controller/processor relationship information flows I described above - the controller tells the processor what to do, and the processor tells it if/when something goes wrong. Even ignoring the use of customer data for training purposes, that relationship is reversed in the world of AI - at least to a degree.

In a typical AI procurement, the customer acts as both a controller (of input/output data) and as a deployer of the AI system. The vendor acts as a processor (of input/output data - ignore training data for now) and a provider. However, at least for high-risk AI systems under the AI Act, it is the vendor (provider) who must issue instructions for use to the customer (deployer) telling it how the AI system should and should not be used, and the customer (deployer) who must inform the vendor (provider) - and in some cases the regulators - if the AI system presents risks or suffers a serious incident.

Many customers and vendors describe their relationships as being a two-way "partnership" - and, in the age of AI, this will be more true than ever. The customer will need to issue processing instructions to its AI vendor, but will also need to follow its AI vendor's instructions for use. The vendor will need to inform its customer about personal data breaches it suffers, but the customer will need to inform the vendor of AI risks and serious incidents it identifies - and these customer notices may be the thing that causes the AI vendor to detect a personal data breach. In situations attracting liability, you can imagine how this may lead to finger-pointing between the parties - i.e. claims that one party didn't/couldn't fulfil its notification obligations, because the other hadn't fulfilled theirs. Arguably, some vendors may even need to monitor their customers' use of high-risk AI systems by collecting telemetry data as part of their post-market monitoring duties - adding a potentially interesting role reversal from the controller (customer) exercising oversight of its vendor (processor).

The importance of two-way information flow (and clear contractual terms) between AI customers and their vendors will only grow in the AI era. This, in turn, will necessitate further regulatory guidance to help organisations adapt to their evolving responsibilities under the AI Act, GDPR, and similarly-interconnected digital regulatory frameworks.

Richard Dutton CLMP

MD at ELIAS Partnership | Data rights | Data Stewardship | Innovator | Collaborator | Front Foot

4mo

Great share Phil Lee - the deployment of facial recognition software is exactly where the shift you refer to is playing out.

Maureen Dry-Wasson

Leveraging GC and Global Privacy Officer Experience as Legal Executive Search Consultant

4mo

Very thought provoking article as always! No wonder I struggled so much in drafting AI contract terms! This is a tangled web!

Simon Brown

VP & Deputy Chief Privacy Officer

4mo

Scared to open this can of worms but is there an argument for AI 'partnerships' falling into Joint Controllership? It seems to me that the partnerships involve the joint participation of two or more entities in the determination of the purposes and means of the processing operation, on a shared platform, where each party's decisions are converging and complementary, and where the processing would not be possible without both parties' involvement, which sort of meets the EDPB's guidelines?

Alisha M.

Consultant Solicitor, Privacy and Data Protection

5mo

Great article Phil! Thanks for sharing. You refer to a partnership. In certain AI instances might a provider/enterprise vendor and deployer/customer have a controller to controller relationship with one another? Also would it not be more complete to add "albeit that GDPR imposes direct legal obligations and liabilities on processors" to your statement "Ultimate accountability remains with the controller"?

Matthew Cole

Partner - Prettys Solicitors LLP

5mo

Very interesting article. There is still so much uncertainty around controller/processor status in many contract/supply situations that we see, and you have highlighted a further serious issue of some complexity. **puts cold flannel on head**
