Responsibility for Data Protection in a Networked World – On the Question of the Controller, ‘Effective and Complete Protection’ and Its Application to Data Access Rights in Europe

33 Pages Posted: 22 Oct 2018 Last revised: 5 Feb 2019

See all articles by Rene Mahieu

Rene Mahieu

Vrije Universiteit Brussel (VUB), LSTS, Interdisciplinary Research Group on Law Science Technology & Society

Joris van Hoboken

University of Amsterdam - Institute for Information Law (IViR)

Hadi Asghari

Delft University of Technology

Date Written: January 30, 2019

Abstract

In the current networked world almost no system in which personal data is processed stands on its own. For example: Websites and mobile applications integrate third party services for behavioral targeting, user analytics, navigation and many others functionalities. Governments build central infrastructures to share data efficiently between different branches of government and with other organizations.

This paper analyses the current system in Europe for determining who is (or better: are) responsible for observing data protection obligations in such networked service settings. In doing so we address the problems (1) of ambiguity in applying the concept of data controller in networked settings, and (2) of insufficiencies in the framework for establishing the extent of the responsibilities in situations of joint control. We look at how the law and regulators address these problems and how the European Court of Justice tackles these problems by applying the principle of “effective and complete protection”.

The issue of joint responsibility has gained particular relevance in the wake of Wirtschaftsakademie, a case recently decided by the European Court of Justice. In this case, a Facebook fan page administrator was found to be a joint-controller and therefore jointly responsible together with Facebook for observing data protection rules. Following this decision, there are many more situations of joint control than previously thought. As a consequence part of the responsibility for compliance with data protection legislation and risk of enforcement measures is moved to those who integrate external services. This will change the incentive structure in such a way that joint-controllers will place a much higher value on data protection.

To explore the practical implications of the legal framework, we analyse a number of examples taken from our earlier empirical work on the right of access to reflect on the newly emerging data
responsibility infrastructure. We show that the coordination of responsibilities is complex in practice, because many organizations do not have a clear overview of data flows, because of power
imbalances between different actors, and because personal data governance is often happening in separated specialised units.

Keywords: GDPR, Data Controller, Responsibility

Suggested Citation

Mahieu, Rene and van Hoboken, Joris and Asghari, Hadi, Responsibility for Data Protection in a Networked World – On the Question of the Controller, ‘Effective and Complete Protection’ and Its Application to Data Access Rights in Europe (January 30, 2019). Available at SSRN: https://ssrn.com/abstract=3256743 or http://dx.doi.org/10.2139/ssrn.3256743

Rene Mahieu (Contact Author)

Vrije Universiteit Brussel (VUB), LSTS, Interdisciplinary Research Group on Law Science Technology & Society ( email )

Pleinlaan 2
http://www.vub.ac.be/
Brussels, 1050
Belgium

Joris Van Hoboken

University of Amsterdam - Institute for Information Law (IViR)

Rokin 84
Amsterdam, 1012 KX
Netherlands

Hadi Asghari

Delft University of Technology ( email )

P.O. Box 5015
2600 GB Delft
Netherlands

Register to save articles to
your library

Register

Paper statistics

Downloads
90
rank
272,425
Abstract Views
624
PlumX Metrics