How Data Processing Agreements Prevent Liability

  • Published on 15 Oct 2024

Comments • 3

  • @benneballe a year ago +5

    I think it's interesting to see the differences in US-DPAs and EU-DPAs:
    Objection Right (US) vs. Notice and Approval Obligation (EU).
    - Objection Right is like saying "we can do what we want, but you have the right to object".
    - In EU, data controllers control the data, meaning they are the instance ultimately deciding what any processor is allowed to use the data for, saying "you have to ask for permission before doing whatever you like to". Approval of a new, changed or removed subprocessor is here handled either via general authorizations (the subprocessors on the DPA are authorized, and new ones too, unless the controller objects) or specific authorizations (every subprocessor has to be specifically approved by controller, and processor has to wait for controller to get back to processor).
    The key difference? The individual's protection of privacy is front and center in EU, while the business' interests are front and center in US. Problems with scalability, e.g. addressed in the video at minute 17:23, are not something that individuals have to respect in the EU. If one data controller says no to a new subprocessor, that subprocessor cannot process the respective data controller's data.
    In practice, objecting/not approving has the same outcome: you are kindly waved goodbye by the processor. In terms of liability though, in EU the processor is liable for the subprocessor, meaning that if the processor fails to notify and give the controller a >>reasonable

  • @Lmoussea a year ago +1

    Great content. Well done Mike and Avishai!