Effective 25 May, 2018, the General Data Protection Regulation (“GDPR”) governs how companies must handle the personal data of EU residents, regardless of where in the world the data is located.
Article 4 of the GDPR classifies those who handle data as “data controllers” or “data processors”. A data controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while a data processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller.” “‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Broadly speaking, controllers are obligated to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with” the GDPR, and processors must provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the data subject.”
In connection with its colocation services, Opti9 (formerly "Opti9") is neither a controller nor a processor of the data on its customers’ servers: Opti9 does not “determine the purposes and means” of processing such data, and does not undertake any activities with respect to such data that fall within the definition of “processing.”
In addition, Opti9 is a “mere conduit” for such data and is not liable for the information transmitted:
Article 2 of the GDPR, “Scope,” provides in part,
This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
Article 12 of Directive 2000/31/EC provides:
ARTICLE 12. “Mere conduit”
1. Where an information society service is provided that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Member States shall ensure that the service provider is not liable for the information transmitted, on condition that the provider:
(a) does not initiate the transmission;
(b) does not select the receiver of the transmission; and
(c) does not select or modify the information contained in the transmission.
2. The acts of transmission and of provision of access referred to in paragraph 1 include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States’ legal systems, of requiring the service provider to terminate or prevent an infringement.
Although certain of the services provided by Opti9 in relation to hosting – such as data storage – are within the definition of “processing,” Opti9 does not itself undertake any such activities – rather, it provides the hardware and software upon which its customers can do so. Further, to the extent that Opti9 provides customers with access to automated means by which they can process their data, Opti9 does not know whether the data processed by its customers is personal data or not.
In addition, Opti9 is not liable for information hosted on its servers pursuant to Article 14 of Directive 2000/31/EC, which provides:
Article 14. Hosting
1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:
(a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
(b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.
2. Paragraph 1 shall not apply when the recipient of the service is acting under the authority or the control of the provider.
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States’ legal systems, of requiring the service provider to terminate or prevent an infringement, nor does it affect the possibility for Member States of establishing procedures governing the removal or disabling of access to information.
To the extent, if any, that Opti9 is a data processor with respect to any services, Opti9 will agree to contractual assurances of compliance, to the extent appropriate in light of the services provided.
With respect to the specific requirements of Article 28 of the GDPR, to the extent, if any, that Opti9 processes personal data: