Not Just User Control in the General Data Protection Regulation. On the Problems with Choice and Paternalism, and on the Point of Data Protection
C. Quelle, ‘Not Just User Control in the General Data Protection Regulation’ in A. Lehmann et al (eds), Privacy and Identity Management – Facing up to Next Steps, IFIP AICT 498 (2017)
26 Pages Posted: 6 Mar 2017
Date Written: February 28, 2017
User control is increasingly prominent in the discourse surrounding the General Data Protection Regulation (GDPR). However, alongside user control, the GDPR also tries to achieve what will be called controller responsibility. Is this unjust paternalism or does it correctly place the responsibility for data protection with the controller and its supervisory authority? This paper argues that the question of responsibility should be evaluated in light of the overarching objective of the GDPR to protect the fundamental rights of natural persons. It describes the problems of a focus on the “choice” of data subjects, but also takes seriously the charge of paternalism which more protective data protection laws are faced with, tying the resulting dilemma to the objectives of data protection and ultimately to the debate on the nature of rights. Does data protection law seek to protect certain interests, such as secrecy and seclusion, or does it seek to give data subjects control over their data, and thereby political power regarding the substance of their fundamental rights? The paper concludes that a further exploration of will theories and interest theories of rights would shed light on the appropriate roles for user control and controller responsibility.
Keywords: data protection, controller responsibility, informational self-determination, consent, paternalism, fundamental rights
Suggested Citation: Suggested Citation