• Responsibility for Data Protection in a Networked World: On the Question of the Controller, Effective and Complete Protection and Its Application to Data Access Rights in Europe

    Author(s):
    Hadi Asghari, René Louis Pierre Mahieu (see profile) , Joris van Hoboken
    Date:
    2019
    Subject(s):
    Privacy
    Item Type:
    Article
    Tag(s):
    GDPR, data c, joint-control, right of access to personal data, ; C-210/16 Wirtschaftsakademie
    Permanent URL:
    http://dx.doi.org/10.17613/xhe4-an21
    Abstract:
    This paper analyses the current system in Europe for determining who is (or better, are) responsible for observing data protection obligations in networked service settings. In doing so we address the following problems: (1) of ambiguity in applying the concept of data controller in networked settings; and (2) of insufficiencies in the framework for establishing the extent of the responsibilities in situations of joint control. We look at how the law and regulators address these problems and how the European Court of Justice tackles these problems by applying the principle of “effective and complete protection”. The issue of joint responsibility has gained particular relevance in the wake of Wirtschaftsakademie, a case recently decided by the European Court of Justice. In this case, a Facebook fan page administrator was found to be a joint-controller and therefore jointly responsible, together with Facebook, for observing data protection rules. Following this decision, there are many more situations of joint control than previously thought. As a consequence, part of the responsibility for compliance with data protection legislation and risk of enforcement measures are moved to those who integrate external services. This will change the incentive structure in such a way that joint-controllers will place a much higher value on data protection. To explore the practical implications of the legal framework, we analyse a number of examples taken from our earlier empirical work on the right of access to reflect on the newly emerging data responsibility infrastructure. We show that the coordination of responsibilities is complex in practice because many organisations do not have a clear overview of data flows, there are power imbalances between different actors, and personal data governance is often happening in separated specialised units.
    Metadata:
    Published as:
    Journal article    
    Status:
    Published
    Last Updated:
    4 years ago
    License:
    Attribution
    Share this:

    Downloads

    Item Name: pdf mahieu-et-al.-2018-responsibility-for-data-protection-in-a-networked-.pdf
      Download View in browser
    Activity: Downloads: 532