Standard

Responsibility for Data Protection in a Networked World : On the Question of the Controller, ‘Effective and Complete Protection’ and Its Application to Data Access Rights in Europe. / Mahieu, René; Van Hoboken, Joris; Asghari, Hadi.

In: Social Science Research Network (online), 10.2018.

Research output: Contribution to journalArticleScientific

Harvard

APA

Vancouver

Author

BibTeX

@article{f470eeb7e8c84cfd95105544f5077074,
title = "Responsibility for Data Protection in a Networked World: On the Question of the Controller, ‘Effective and Complete Protection’ and Its Application to Data Access Rights in Europe",
abstract = "In the current networked world almost no system in which personal data is processed stands on its own. For example: Websites and mobile applications integrate third party services for behavioral targeting, user analytics, maps integration and many others functionalities. Governments build central infrastructures to share data efficiently between different branches of government and with other organizations. This paper analyses the current system in Europe for determining who is (or better: are) responsible for observing data protection obligations in such networked service settings. In doing so we address the problems (1) of ambiguity in applying the concept of data controller in networked settings, and (2) of insufficiencies in the framework for establishing the extent of the responsibilities in situations of joint control. We look at how both the Working Party and the GDPR address these problems, but fall short of addressing them completely. And how the ECJ tries to circumvent these problems by applying the principle of “effective and complete protection”.We analyse joint responsibility in the wake of​ Wirtschaftsakademie, a case recently decided by the European Court of Justice, in which a Facebook fan page administrator is found to be a joint-controller and therefore jointly responsible together with Facebook. Following this decision, there are many more situations of joint control than previously thought and part of the responsibility for compliance with data protection legislation and risk of enforcement measures is moved to those who integrate external services. This will change the incentive structure in such a way that joint-controllers will place a much higher value on data protection. Based on examples taken from our earlier empirical work on the right of access, we analyze some of the practical implications of the newly emerging data responsibility infrastructure.",
keywords = "GDPR, Data Controller, Responsibility",
author = "Ren{\'e} Mahieu and {Van Hoboken}, Joris and Hadi Asghari",
year = "2018",
month = "10",
doi = "10.2139/ssrn.3256743",
language = "English",
journal = "Social Science Research Network (online)",

}

RIS

TY - JOUR

T1 - Responsibility for Data Protection in a Networked World

T2 - Social Science Research Network (online)

AU - Mahieu, René

AU - Van Hoboken, Joris

AU - Asghari, Hadi

PY - 2018/10

Y1 - 2018/10

N2 - In the current networked world almost no system in which personal data is processed stands on its own. For example: Websites and mobile applications integrate third party services for behavioral targeting, user analytics, maps integration and many others functionalities. Governments build central infrastructures to share data efficiently between different branches of government and with other organizations. This paper analyses the current system in Europe for determining who is (or better: are) responsible for observing data protection obligations in such networked service settings. In doing so we address the problems (1) of ambiguity in applying the concept of data controller in networked settings, and (2) of insufficiencies in the framework for establishing the extent of the responsibilities in situations of joint control. We look at how both the Working Party and the GDPR address these problems, but fall short of addressing them completely. And how the ECJ tries to circumvent these problems by applying the principle of “effective and complete protection”.We analyse joint responsibility in the wake of​ Wirtschaftsakademie, a case recently decided by the European Court of Justice, in which a Facebook fan page administrator is found to be a joint-controller and therefore jointly responsible together with Facebook. Following this decision, there are many more situations of joint control than previously thought and part of the responsibility for compliance with data protection legislation and risk of enforcement measures is moved to those who integrate external services. This will change the incentive structure in such a way that joint-controllers will place a much higher value on data protection. Based on examples taken from our earlier empirical work on the right of access, we analyze some of the practical implications of the newly emerging data responsibility infrastructure.

AB - In the current networked world almost no system in which personal data is processed stands on its own. For example: Websites and mobile applications integrate third party services for behavioral targeting, user analytics, maps integration and many others functionalities. Governments build central infrastructures to share data efficiently between different branches of government and with other organizations. This paper analyses the current system in Europe for determining who is (or better: are) responsible for observing data protection obligations in such networked service settings. In doing so we address the problems (1) of ambiguity in applying the concept of data controller in networked settings, and (2) of insufficiencies in the framework for establishing the extent of the responsibilities in situations of joint control. We look at how both the Working Party and the GDPR address these problems, but fall short of addressing them completely. And how the ECJ tries to circumvent these problems by applying the principle of “effective and complete protection”.We analyse joint responsibility in the wake of​ Wirtschaftsakademie, a case recently decided by the European Court of Justice, in which a Facebook fan page administrator is found to be a joint-controller and therefore jointly responsible together with Facebook. Following this decision, there are many more situations of joint control than previously thought and part of the responsibility for compliance with data protection legislation and risk of enforcement measures is moved to those who integrate external services. This will change the incentive structure in such a way that joint-controllers will place a much higher value on data protection. Based on examples taken from our earlier empirical work on the right of access, we analyze some of the practical implications of the newly emerging data responsibility infrastructure.

KW - GDPR

KW - Data Controller

KW - Responsibility

U2 - 10.2139/ssrn.3256743

DO - 10.2139/ssrn.3256743

M3 - Article

JO - Social Science Research Network (online)

JF - Social Science Research Network (online)

ER -

ID: 47963938