Responsibility for Data Protection in a Networked World: On the Question of the Controller, 'Effective and Complete Protection' and its Application to Data Access Rights in Europe

• Author: René Mahieu - Joris van Hoboken - Hadi Asghari
• Position: René Mahieu, doctoral candidate at Interdisciplinary Research Group on Law Science Technology & Society (LSTS) at Vrije Universiteit Brussel (VUB), connected to the Chair ?Fundamental Rights and the Digital Transformation'; Joris van Hoboken, chair ?Fundamental Rights and Digital Transformation' at Vrije Universiteit Brussel (VUB) and Senior ...
• Pages: 84-104

2019

René Mahieu, Joris van Hoboken and Hadi Asghari

84

1

Responsibility for Data Protection

in a Networked World

On the Question of the Controller, “Effective and Complete

Protection” and its Application to Data Access Rights in

Europe

by René Mahieu, Joris van Hoboken and Hadi Asghari*

© 2019 René Mahieu, Joris van Hoboken and Hadi A sghari

Everybody may disseminate this ar ticle by electronic m eans and make it available for downloa d under the terms and

conditions of the Digital P eer Publishing Licence (DPPL). A copy of the license text may be obtain ed at http://nbn-resolving.

de/urn:nbn:de:0009-dppl-v3-en8.

Recommended citation: René Mahi eu, Joris van Hoboken and Hadi Asghari, Responsibili ty for Data Protecti on in a Networked

World: On the Question of the Con troller, “Effective and Comp lete Protection” and it s Application to Data Access Rights in

Europe, 10 (2019) JIPITEC 84 para 1.

Keywords: GDPR; data controller; joint-control; right of access; C-210/16 Wirtschaftsakademie; principle of

“effective and complete protection”; access rights

of Justice. In this case, a Facebook fan page adminis-

trator was found to be a joint-controller and there-

fore jointly responsible, together with Facebook, for

observing data protection rules. Following this deci-

sion, there are many more situations of joint control

than previously thought. As a consequence, part of

the responsibility for compliance with data protec-

tion legislation and risk of enforcement measures

are moved to those who integrate external services.

This will change the incentive structure in such a way

that joint-controllers will place a much higher value

on data protection. To explore the practical implica-

tions of the legal framework, we analyse a number

of examples taken from our earlier empirical work on

the right of access to reflect on the newly emerging

data responsibility infrastructure. We show that the

coordination of responsibilities is complex in prac-

tice because many organisations do not have a clear

overview of data flows, there are power imbalances

between different actors, and personal data gover-

nance is often happening in separated specialised

units.

Abstract: In the current networked world, al-

most no system in which personal data is processed

stands on its own. For example, websites and mobile

applications integrate third party services for behav-

ioral targeting, user analytics, navigation, and many

other functionalities. Governments build central in-

frastructures to share data efficiently between dif-

ferent branches of government and with other or-

ganisations. This paper analyses the current system

in Europe for determining who is (or better, are) re-

sponsible for observing data protection obligations in

such networked service settings. In doing so we ad-

dress the following problems: (1) of ambiguity in ap-

plying the concept of data controller in networked

settings; and (2) of insufficiencies in the framework

for establishing the extent of the responsibilities in

situations of joint control. We look at how the law

and regulators address these problems and how the

European Court of Justice tackles these problems by

applying the principle of “effective and complete pro-

tection”. The issue of joint responsibility has gained

particular relevance in the wake of Wirtschaftsakad-

emie, a case recently decided by the European Court

Responsibility for Data Protection in a Networked World

2019

85

1

A. Introduction

1

European data protection law grants individuals

rights in relation to their personal data, such as the

right to transparency and the right to request access,

correction or erasure. Legally speaking, these rights

are granted in relation to the organisations that are

in charge of the processing of their data, vis-à-vis

the so-called data controllers. Therefore, for the

system of rights to function, it should be possible to

determine who counts as the data controller for the

processing of personal data in specic contexts. In

the end, it is the data controller who has obligations

towards the data subject. And it is towards the data

controller that the data subjects exercise their rights.

2

As others have noted, the legal framework for

determining responsibility under European data

protection law - which has its roots in the 1960s

- may not function well in the current socio-

technical environment.1 Nonetheless, the core of

this framework was retained as the basis of the

current General Data Protection Regulation (GDPR).2

In two recent high prole cases, Google Spain

3

and

Wirtschaftsakademie,4 national courts asked the

European Court of Justice (ECJ) questions regarding

how the framework of responsibility allocation

should be applied. In both cases the ECJ expands

the concept of data controller, arguing that these

broad interpretations are in line with the principle

of “effective and complete protection”, a principle

* By René Mahieu, doctoral candidate at Interdisciplinary

Research Group on Law Science Technology & Society

(LSTS) at Vrije Universiteit Brussel (VUB), connected to the

Chair ‘Fundamental Rights and the Digital Transformation’;

Joris van Hoboken, chair ‘Fundamental Rights and Digital

Transformation’ at Vrije Universiteit Brussel (VUB) and

Senior Researcher at the Institute for Information Law

(IViR) at the University of Amsterdam. The Chair at VUB is

established at the Interdisciplinary Research Group on Law

Science Technology & Society (LSTS), with the support of

Microsoft; Hadi Asghari, assistant professor department

Technology, Policy and Management (TPM) at Delft

University of Technology.

1 See for example Omer Tene, ‘Privacy Law’s Midlife Crisis:

A Critical Assessment of the Second Wave of Global

Privacy Laws’ (2013) 74 Ohio State Law Journal 1217; Paul

de Hert and Vagelis Papakonstantinou, ‘The New General

Data Protection Regulation: Still a Sound System for the

Protection of Individuals?’ (2016) 32 Computer Law &

Security Review 179.

2 Regulation (EU) 2016/ 679 of the European Parliament

and of the Council - of 27 April 2016 - on the protection of

natural persons with regard to the processing of personal

data and on the free movement of such data, and repealing

Directive 95/ 46/ EC (General Data Protection Regulation)

[2016] OJ L119/1.

3 Case C-131/12 Google Spain SL, Google Inc v Agencia Española

de Protección de Datos (AEPD) and Maria Costeja González [2014]

EU:C:2014:317.

4 Case C-210/16 Wirtschaftsakademie Schleswig-Holstein [2018]

EU:C:2018:388.

rst introduced by the Court in Google Spain.5

3

This paper analyses the current system for

determining who is (or better, are) responsible for

observing data protection obligations in networked

service settings.6 In doing so we address the following

problems: (1) of ambiguity in applying the concept

of data controller in networked settings; and (2) of

insufciencies in the framework for establishing the

extent of the responsibilities in situations of joint

control. Both the Article 29 Working Party (Working

Party) and the GDPR address these problems but

leave many questions unanswered. The ECJ has

now tackled the issues by applying the principle of

“effective and complete protection”.

4 In section B. of this paper, in order to answer these

questions, we analyse the relevant legal provisions of

the Data Protection Directive (DPD) (95/46/EC) and

the GDPR, the guidance of the Working Party,7 and the

recent ECJ judgment in the case Wirtschaftsakademie.

We nd that, following the interpretation of the

Court regarding the concept of data controller in

this case, many more actors in networked settings

could be considered data controllers than was

previously considered. We conclude that under the

ECJ’s interpretation, any actor who has a purpose

for a data processing operation, and can directly

inuence that processing, can be considered a data

controller. Moreover, we nd that, notwithstanding

5 A search of the CURIA database shows that the “effective

and complete protection” formulation was rst used

in Google Spain and since in the judgments on Weltimmo,

Schrems, Wirtschaftsakademie and Jehovan todistajat.

6 There has been academic work on the responsibility

in European data protection regulation in general (e.g.

Brendan Van Alsenoy, ‘Allocating Responsibility among

Controllers, Processors, and “Everything in between”:

The Denition of Actors and Roles in Directive 95/46/

EC’ (2012) 28 Computer Law & Security Review 25.) and in

specic cases such as intermediary publishers (David Erdos,

‘Intermediary Publishers and European Data Protection:

Delimiting the Ambit of Responsibility for Third-Party

Rights through a Synthetic Interpretation of the EU Acquis’

[2018] International Journal of Law and Information

Technology 1.) such as hosting providers, search engines,

blogging services and social media (Patrick Van Eecke and

Maarten Truyens, ‘Privacy and Social Networks’ (2010) 26

Computer Law & Security Review 535.) on which this paper

builds. However, the Wirtschaftsakademie judgement as well

as the introduction of the GDPR merit a new look at the

situation.

7 The Article 29 Working Party is an independent advisory

body comprising of members from the national Data

Protection Authorities, which writes opinions interpreting

specic elements of data protection law. while these

documents are not legally binding they do tend to have

impact (Christoper Kuner, European Data Protection Law:

Corporate Compliance and Regulation (2nd edn, Oxford

University Press 2007) , 9-10). To give an example of the

inuence of this opinion, see how it gures prominently in

the decision of the Administrative Court of Schleswig and

the opinion of Advocate General Bot on ECJ C-210/16 (2017).