One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.


Are networks data processors?

Tuesday, April 24, 2018 - 14:00

As the GDPR approaches, several customer organisations have asked us if the Janet network will be offering a data processor contract. Presumably the idea is that the organisation that creates an IP packet is the data controller for the source IP address and that all the other networks that handle the packet on its journey are (sub-)processors.

The law isn't clear on whether networks process personal data when they forward packets. But if you assume they do and that the relationship between originator and networks is a data controller-data processor one, then the law would also require the existence of a chain of sub-processor contracts, first with every network to whom we pass your packets on, then on all the way to the destination organisation. Similarly, we'd need a data sub-sub-(...)-processor contract with every customer organisation that receives packets from us, to make sure that the responding organisation also satisfied its data controller obligations. I hope it's obvious why - at least unless and until there's a clear statement from data protection authorities - we favour interpretations that don't require that immense mesh of contracts to be in place before we can send and receive packets for you!

When processing packets for security - to protect our networks and those of connected customers - we are clearly data controllers, because we decide the purpose and means of that processing. As Recital 49 of the Regulation requires, we do that in ways that minimise the risk to users of the network and ensure that those risks are far outweighed by network and information security benefits that we all rely on.