Responsibility for Data Protection in a Networked World: On the Question of the Controller, 'Effective and Complete Protection' and its Application to Data Access Rights in Europe

Author:René Mahieu - Joris van Hoboken - Hadi Asghari
Position:René Mahieu, doctoral candidate at Interdisciplinary Research Group on Law Science Technology & Society (LSTS) at Vrije Universiteit Brussel (VUB), connected to the Chair ?Fundamental Rights and the Digital Transformation'; Joris van Hoboken, chair ?Fundamental Rights and Digital Transformation' at Vrije Universiteit Brussel (VUB) and Senior ...
Pages:84-104
SUMMARY

In the current networked world, almost no system in which personal data is processed stands on its own. For example, websites and mobile applications integrate third party services for behavioral targeting, user analytics, navigation, and many other functionalities. Governments build central infrastructures to share data efficiently between different branches of government and with other organisations. This paper analyses the current system in Europe ... (see full summary)

 
FREE EXCERPT
2019
René Mahieu, Joris van Hoboken and Hadi Asghari
84
1
Responsibility for Data Protection
in a Networked World
On the Question of the Controller, “Effective and Complete
Protection” and its Application to Data Access Rights in
Europe
by René Mahieu, Joris van Hoboken and Hadi Asghari*
© 2019 René Mahieu, Joris van Hoboken and Hadi A sghari
Everybody may disseminate this ar ticle by electronic m eans and make it available for downloa d under the terms and
conditions of the Digital P eer Publishing Licence (DPPL). A copy of the license text may be obtain ed at http://nbn-resolving.
de/urn:nbn:de:0009-dppl-v3-en8.
Recommended citation: René Mahi eu, Joris van Hoboken and Hadi Asghari, Responsibili ty for Data Protecti on in a Networked
World: On the Question of the Con troller, “Effective and Comp lete Protection” and it s Application to Data Access Rights in
Europe, 10 (2019) JIPITEC 84 para 1.
Keywords: GDPR; data controller; joint-control; right of access; C-210/16 Wirtschaftsakademie; principle of
“effective and complete protection”; access rights
of Justice. In this case, a Facebook fan page adminis-
trator was found to be a joint-controller and there-
fore jointly responsible, together with Facebook, for
observing data protection rules. Following this deci-
sion, there are many more situations of joint control
than previously thought. As a consequence, part of
the responsibility for compliance with data protec-
tion legislation and risk of enforcement measures
are moved to those who integrate external services.
This will change the incentive structure in such a way
that joint-controllers will place a much higher value
on data protection. To explore the practical implica-
tions of the legal framework, we analyse a number
of examples taken from our earlier empirical work on
the right of access to reflect on the newly emerging
data responsibility infrastructure. We show that the
coordination of responsibilities is complex in prac-
tice because many organisations do not have a clear
overview of data flows, there are power imbalances
between different actors, and personal data gover-
nance is often happening in separated specialised
units.
Abstract: In the current networked world, al-
most no system in which personal data is processed
stands on its own. For example, websites and mobile
applications integrate third party services for behav-
ioral targeting, user analytics, navigation, and many
other functionalities. Governments build central in-
frastructures to share data efficiently between dif-
ferent branches of government and with other or-
ganisations. This paper analyses the current system
in Europe for determining who is (or better, are) re-
sponsible for observing data protection obligations in
such networked service settings. In doing so we ad-
dress the following problems: (1) of ambiguity in ap-
plying the concept of data controller in networked
settings; and (2) of insufficiencies in the framework
for establishing the extent of the responsibilities in
situations of joint control. We look at how the law
and regulators address these problems and how the
European Court of Justice tackles these problems by
applying the principle of “effective and complete pro-
tection”. The issue of joint responsibility has gained
particular relevance in the wake of Wirtschaftsakad-
emie, a case recently decided by the European Court
Responsibility for Data Protection in a Networked World
2019
85
1
A. Introduction
1
European data protection law grants individuals
rights in relation to their personal data, such as the
right to transparency and the right to request access,
correction or erasure. Legally speaking, these rights
are granted in relation to the organisations that are
in charge of the processing of their data, vis-à-vis
the so-called data controllers. Therefore, for the
system of rights to function, it should be possible to
determine who counts as the data controller for the
processing of personal data in specic contexts. In
the end, it is the data controller who has obligations
towards the data subject. And it is towards the data
controller that the data subjects exercise their rights.
2
As others have noted, the legal framework for
determining responsibility under European data
protection law - which has its roots in the 1960s
- may not function well in the current socio-
technical environment.1 Nonetheless, the core of
this framework was retained as the basis of the
current General Data Protection Regulation (GDPR).2
In two recent high prole cases, Google Spain
3
and
Wirtschaftsakademie,4 national courts asked the
European Court of Justice (ECJ) questions regarding
how the framework of responsibility allocation
should be applied. In both cases the ECJ expands
the concept of data controller, arguing that these
broad interpretations are in line with the principle
of “effective and complete protection”, a principle
* By René Mahieu, doctoral candidate at Interdisciplinary
Research Group on Law Science Technology & Society
(LSTS) at Vrije Universiteit Brussel (VUB), connected to the
Chair ‘Fundamental Rights and the Digital Transformation’;
Joris van Hoboken, chair ‘Fundamental Rights and Digital
Transformation’ at Vrije Universiteit Brussel (VUB) and
Senior Researcher at the Institute for Information Law
(IViR) at the University of Amsterdam. The Chair at VUB is
established at the Interdisciplinary Research Group on Law
Science Technology & Society (LSTS), with the support of
Microsoft; Hadi Asghari, assistant professor department
Technology, Policy and Management (TPM) at Delft
University of Technology.
1 See for example Omer Tene, ‘Privacy Law’s Midlife Crisis:
A Critical Assessment of the Second Wave of Global
Privacy Laws’ (2013) 74 Ohio State Law Journal 1217; Paul
de Hert and Vagelis Papakonstantinou, ‘The New General
Data Protection Regulation: Still a Sound System for the
Protection of Individuals?’ (2016) 32 Computer Law &
Security Review 179.
2 Regulation (EU) 2016/ 679 of the European Parliament
and of the Council - of 27 April 2016 - on the protection of
natural persons with regard to the processing of personal
data and on the free movement of such data, and repealing
Directive 95/ 46/ EC (General Data Protection Regulation)
[2016] OJ L119/1.
3 Case C-131/12 Google Spain SL, Google Inc v Agencia Española
de Protección de Datos (AEPD) and Maria Costeja González [2014]
EU:C:2014:317.
4 Case C-210/16 Wirtschaftsakademie Schleswig-Holstein [2018]
EU:C:2018:388.
rst introduced by the Court in Google Spain.5
3
This paper analyses the current system for
determining who is (or better, are) responsible for
observing data protection obligations in networked
service settings.6 In doing so we address the following
problems: (1) of ambiguity in applying the concept
of data controller in networked settings; and (2) of
insufciencies in the framework for establishing the
extent of the responsibilities in situations of joint
control. Both the Article 29 Working Party (Working
Party) and the GDPR address these problems but
leave many questions unanswered. The ECJ has
now tackled the issues by applying the principle of
“effective and complete protection”.
4 In section B. of this paper, in order to answer these
questions, we analyse the relevant legal provisions of
the Data Protection Directive (DPD) (95/46/EC) and
the GDPR, the guidance of the Working Party,7 and the
recent ECJ judgment in the case Wirtschaftsakademie.
We nd that, following the interpretation of the
Court regarding the concept of data controller in
this case, many more actors in networked settings
could be considered data controllers than was
previously considered. We conclude that under the
ECJ’s interpretation, any actor who has a purpose
for a data processing operation, and can directly
inuence that processing, can be considered a data
controller. Moreover, we nd that, notwithstanding
5 A search of the CURIA database shows that the “effective
and complete protection” formulation was rst used
in Google Spain and since in the judgments on Weltimmo,
Schrems, Wirtschaftsakademie and Jehovan todistajat.
6 There has been academic work on the responsibility
in European data protection regulation in general (e.g.
Brendan Van Alsenoy, ‘Allocating Responsibility among
Controllers, Processors, and “Everything in between”:
The Denition of Actors and Roles in Directive 95/46/
EC’ (2012) 28 Computer Law & Security Review 25.) and in
specic cases such as intermediary publishers (David Erdos,
‘Intermediary Publishers and European Data Protection:
Delimiting the Ambit of Responsibility for Third-Party
Rights through a Synthetic Interpretation of the EU Acquis’
[2018] International Journal of Law and Information
Technology 1.) such as hosting providers, search engines,
blogging services and social media (Patrick Van Eecke and
Maarten Truyens, ‘Privacy and Social Networks’ (2010) 26
Computer Law & Security Review 535.) on which this paper
builds. However, the Wirtschaftsakademie judgement as well
as the introduction of the GDPR merit a new look at the
situation.
7 The Article 29 Working Party is an independent advisory
body comprising of members from the national Data
Protection Authorities, which writes opinions interpreting
specic elements of data protection law. while these
documents are not legally binding they do tend to have
impact (Christoper Kuner, European Data Protection Law:
Corporate Compliance and Regulation (2nd edn, Oxford
University Press 2007) , 9-10). To give an example of the
inuence of this opinion, see how it gures prominently in
the decision of the Administrative Court of Schleswig and
the opinion of Advocate General Bot on ECJ C-210/16 (2017).

To continue reading

REQUEST YOUR TRIAL