Chapter 5 - Internet Search Engines
- from PART IV - USE CASES
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 511-552
-
- Chapter
Summary
INTRODUCTION
1077. INFORMATION LOCATION TOOLS – Internet search engines facilitate the location and retrieval of information. Specifically, they help their users to find relevant content amidst the abundance of content that is available online. Without these services, locating relevant information on the web would often be a challenge. With the help of search engines, however, information on just about any topic can be retrieved with considerable ease.
1078. BENEFITS – The societal benefits of internet search engines are tremendous. On a daily basis, people all over the world use search engine services for various activities, such as shopping, research and entertainment. People also use search engines to get in touch with new ideas or to stay abreast of global developments. It is fair to say that search engines play a pivotal role in today's information society. They also promote fundamental values such as freedom of expression and access to information. As observed by the Committee of Ministers of the Council of Europe:
“Search engines enable a worldwide public to seek, receive and impart information and ideas and other content in particular to acquire knowledge, engage in debate and participate in democratic processes.”
1079. PRIVACY IMPACT – At the same time, internet search engines have also raised numerous privacy concerns. A distinction can be made between two sets of concerns: those relating to (1) the users of search engine services and those relating to (2) search targets. The first set focuses on the privacy interests of people who use internet search engines. Individuals reveal a lot of information about themselves when searching for information online: about their personal interests, their travel plans, their political beliefs, their sexual preferences, their medical conditions, etc. In fact, the data contained in a search-query log can be far more revealing than the contents of a private email or telephone conversation. The second set of concerns focuses on the privacy interests of “search targets”. Internet search engines have made it relatively easy to find out information about just about anyone. By using a search engine, one can easily aggregate personal data which would otherwise remain dispersed across company websites, newspaper articles, social networking pages, blogs, etc. Internet search engines have, in other words, significantly reduced the transaction costs of compiling a comprehensive profile about a specific person. As a result, people have become increasingly concerned with the information to which search engines refer.
Chapter 1 - Introduction
- from PART IV - USE CASES
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 343-346
-
- Chapter
Summary
“A functional theory does not necessarily translate into a successful practice”.
Jonathan Zittrain
716. PREFACE – For more than 20 years, the controller-processor model has provided the analytical template for the allocation of responsibility and liability among actors involved in the processing of personal data. While the model itself appears conceptually sound, its application in practice has not always been straightforward. The research objective of this Part of the book is to identify the main issues that surround the practical application of the controller-processor model. To this end, a number of real-life use cases will be examined.
717. SELECTION CRITERIA – Needless to say, it is impossible to document and analyse every possible use case. A selection needs to be made. In social science research, case selection is generally driven by two objectives, namely (1) representativeness (i.e. ensuring that the selected cases are sufficiently representative in light of the research question) and (2) variety (i.e. ensuring useful variation on the dimensions of theoretical interest). A third, sometimes implicit, objective is relevancy (i.e. ensuring that the selected use cases are likely to yield insights which can assist in answering the research question).
718. RELEVANCY – As the research objective of this Part of the book is to document the issues that arise when applying the controller-processor model in practice, the pool of potentially relevant use cases is limited to instances in which such issues occur. In the first phase of selection, a preliminary literature study was undertaken to identify eligible use cases. The threshold for eligibility was the existence of some indication, either in regulatory guidance or doctrine, that the use case in question challenges either the application of the controller and processor concepts or the associated allocation of responsibility and liability. Each of the retained use cases has been cited by scholars and/or regulators as instances where the application of the controller-processor concepts can be challenging, or where the effective allocation of responsibilities and liability may be undermined.
719. VARIETY – Once the initial screening for relevancy was completed, a further selection was made with the aim of ensuring a sufficient degree of variety. In practice, the control capabilities of actors involved in the processing of personal data are shaped by the social context in which they operate (e.g. public sector, business-to-business, business-to-consumer, consumer-to-consumer).
Note to the Readers
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp vii-viii
-
- Chapter
PART III - HISTORICAL-COMPARATIVE ANALYSIS
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 149-150
-
- Chapter
Chapter 5 - Conclusion
- from PART V - RECOMMENDATIONS
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 651-654
-
- Chapter
Summary
1368. MAIN RESEARCH QUESTION – The distinction between controllers and processors is central to EU data protection law. Unfortunately, certain technological and social developments have rendered it increasingly difficult to apply this model in practice, thereby leading to legal uncertainty. The main research question this book set out to answer is whether the allocation of responsibility and liability among actors involved in the processing of personal data could be revised in a manner which increases legal certainty while maintaining at least an equivalent level of data protection. In order to answer this question, four sub-questions helped guide the research, namely:
What is the nature and role of the controller and processor concepts under European data protection law?
What is the origin of the controller-processor model and how has it evolved over time?
What are the types of issues that arise when applying the controller-processor model in practice?
Which solutions have been proposed to address the issues that arise in practice and to what extent are they capable of addressing the issues?
1369. NATURE AND ROLE OF CONCEPTS – The concept of a controller is a functional concept: it enumerates a set of criteria with a view of allocating responsibilities upon those actors who exercise significant factual influence over the processing. The processor concept likewise serves to allocate responsibility, but is dependent primarily on a decision of a controller to enlist a separate actor to process personal data on its behalf. The primary role of both the controller and processor concepts is to allocate responsibility. In addition, both the controller and processor concepts play an important role in the determination of which law(s) applies (apply) to the processing, and in the determination of what is required in order to comply with certain substantive provisions of European data protection law.
1370. ORIGIN AND DEVELOPMENT – Before the term “controller” became a term of art, those responsible for ensuring compliance with data protection laws went by many names. Despite notable differences in terminology, two recurring elements can be distinguished. The first element is the element of mastery: the actor designated as being responsible for compliance had the ability to exercise power over the processing, in one form or another.
Chapter 4 - Allocation of Responsibility
- from PART II - STATE OF THE ART
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 47-82
-
- Chapter
Summary
69. OUTLINE – EU data protection law assigns primary responsibility for compliance with its provisions to the controller(s) of the processing. It also assigns responsibility to the processor(s), as a means to address the situation where a controller enlists another actor to process personal data on its behalf. Given the central importance of these concepts to the research question of this book, it is necessary to analyse the meaning of these concepts in some detail. The following subsections will analyse
the key elements of the controller and processor concepts;
the legal relationship between controllers and processors; and
the legal relationship between joint controllers.
KEY ELEMENTS OF THE “CONTROLLER” AND “PROCESSOR” CONCEPTS
70. PRELIMINARY REMARKS – With the adoption of Directive 95/46, the key principles for allocating responsibility and liability among controllers and processors were established. How these principles were to be applied in practice would be determined by a steadily growing body of materials (opinions, recommendations, enforcement actions) developed by national data protection authorities. For quite some time, only limited EU-wide guidance existed on how to apply the concepts of “controller” and “processor” in practice. While the Article 29 Working Party was called upon to interpret these concepts in relation to specific cases, the resulting guidance was generally closely tied to the specific issue at hand.
71. OPINION 1/2010 – In 2010, the Article 29 Working Party published an Opinion on the concepts of “controller” and “processor”. The main motivation for the Opinion was a desire to promote a consistent and harmonized approach in the interpretation of these concepts among the Member States. Opinion 1/2010 of the Article 29 Working Party represents the most comprehensive attempt to clarify the meaning of the “controller” and “processor” concepts to date. Given the authority enjoyed by WP29 opinions, as well as their strategic importance, Opinion 1/2010 will serve as the main source of reference when analysing the key elements of the controller and processor concepts over the following sections.
72. CJEU CASE LAW – Since the adoption of Opinion 1/2010, the CJEU has been called upon to interpret the concepts of controller, joint controller and processor in a number of cases. The most important of those cases are Google Spain, Wirtschaftsakademie (or “Fan pages”), Jehovah's witnesses and Fashion ID. Where relevant, reference shall also be made to those judgments of the CJEU and the accompanying AG Opinions.
Chapter 3 - Basic Protections
- from PART II - STATE OF THE ART
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 33-46
-
- Chapter
Summary
47. OUTLINE – EU data protection law seeks to protect individuals with regard to the processing of their personal data by (1) requiring compliance with a number of key principles; (2) providing individuals with a right to information as well as other data subject rights; (3) imposing an obligation to ensure the confidentiality and security of processing; (4) requiring the establishment, at national level, of supervisory authorities dedicated to monitoring compliance with the substantive provisions of EU data protection law; and (5) requiring controllers to be able to demonstrate compliance with these principles.
KEY PRINCIPLES
48. LAWFULNESS, FAIRNESS & TRANSPARENCY – Article 5(1)a of the GDPR provides that personal data must be processed “lawfully, fairly and in a transparent manner”. Fairness of processing is considered an overarching principle of data protection law. It is a generic principle which has provided the foundation for other data protection requirements. As such, the fairness principle provides a “lens” through which the other provisions in the Directive should be interpreted. The principle of lawfulness of processing reaffirms that data controllers must stay in line with other legal obligations, even outside of the GDPR, regardless of whether these obligations are general, specific, statutory or contractual. The principle of transparency is in many ways a logical extension of the requirement that personal data shall be processed “fairly and lawfully”. It is based on the idea that even if one doesn't have a say in the matter, an individual should generally at least be informed when his personal data are being processed and/or be in a position to acquire additional information. The transparency principle is given further substance within the context of the data subject's right to information and right of access.
49. FINALITY – Article 5(1)b of the GDPR dictates that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” This provision embodies the so-called “principle of finality”, which comprises two basic rules. First, it requires controllers to clearly articulate the purposes for which personal data are being collected (purpose specification). Second, it requires controllers to limit their subsequent use of this information to practices compatible with the purposes defined at the moment of collection (use limitation).
Chapter 2 - Problem Statement
- from PART I - INTRODUCTION
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 7-12
-
- Chapter
Summary
7. OUTLINE – Given the fundamental importance of both the controller and processor concepts, it is essential to be able to determine which role an actor has assumed towards a particular processing operation. Unfortunately, it can be quite difficult to apply the distinction between controllers and processors in practice. Over time, data protection authorities and courts have provided guidance to inform the practical application of the controller and processor concepts. Notwithstanding the guidance, however, certain scholars have continued to question the utility of the controller-processor model. The following sections outline three perceived vulnerabilities of the current framework.
A BROKEN “BINARY”
8. OVERSIMPLIFICATION? – Perhaps the most common critique of the controller-processor model is that the “binary” distinction between controllers and processors is too simplistic. While the model may be readily applied in certain situations, the complexity of today's processing operations is such that a clear-cut distinction between controllers and processors is seldom possible. As a result, the binary distinction is considered inadequate to accommodate the increasingly collaborative manner in which businesses operate. Nowadays, control relationships are more complex than the “either/or” approach of the controller-processor model; whereby one party (or group of parties) exercises complete control over the processing, and another party (or group of parties) simply executes the tasks it has been given, without exercising any substantial influence as to either the purposes or means of the processing.
9. EVOLVING PROCESSING PRACTICES – At the time Directive 95/46 was adopted, the distinction between parties who control the processing of personal data (data controllers) and those who simply process the data on behalf of someone else (data processors) was considered to be relatively clear. Today we are confronted with a “growing tendency towards organisational differentiation”. In both the public and private sector
“there is a growing emphasis on the development of delivery chains or service delivery across organisations and on the use of subcontracting or outsourcing of services in order to benefit from specialisation and possible economies of scale. As a result, there is a growth in various services, offered by service providers, who do not always consider themselves responsible or accountable […].”
Foreword
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp v-vi
-
- Chapter
Summary
Have you ever considered the discussion on responsibilities and liabilities in the field of the European data protection law as a journey? You should. Brendan Van Alsenoy is inviting you to take a trip through the whole history of data protection law in Europe and around the world, as well as through current practice to better understand the roles of different actors in what is a fiendishly complicated environment. You will find him to be a guide who effortlessly offers fresh perspectives on the subject: a relatively young scholar leveraging a surprisingly extensive and intensive practical experience in a national data protection authority as well as playing a key role in the Working Party Article 29 / European Data Protection Board.
This is a guide to the places that you know and new ones you never thought existed. At times it may explain concepts that you heard about dozens of times before. But Van Alsenoy's explanations are slightly different to the others. He is able to filter his academic knowledge through the lens of the regulatory authorities and their current disputes with other institutional and business players around the world.
One of the first problems the author addresses is the binary concepts of controller and processor. Is this division as clear-cut as when it was first postulated decades ago in European law, or is it rather the case that control is now distributed and should be regulated and applied accordingly? Has the concept of controller evolved to the degree that the explanations proposed in the ’80s and ’90s are no longer useful? How does this model work in practice?
One may say that these are the questions posed over and over again. Be that as it may, this book will nonetheless give you a valuable historical background. It offers use cases illustrating how to understand and interpret the system which the GDPR has inherited from previous European legislation. What will be the effect of different forms of joint controllership on the level of responsibility of each of the players?
It is sometimes surprisingly difficult to distinguish the joint controllership of the GDPR from the exchanges between individual controllers who co-operate with each other using shared resources for different purposes or using different means.
Chapter 8 - Conclusion
- from PART III - HISTORICAL-COMPARATIVE ANALYSIS
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 325-340
-
- Chapter
Summary
INTRODUCTION
682. OUTLINE – The objective of this Chapter is to synthesize how the controller and processor concepts developed over time. While tracing the origin and development of both concepts, special consideration will be given to how the concepts have been used to determine the allocation of responsibility and liability. Three questions in particular shall serve as a guide:
(a) Does the instrument formally define who is responsible for compliance?
(b) How does the instrument deal with situations of outsourcing? Is there a formal recognition of agents “acting on behalf of” the entity responsible for compliance?
(c) How are responsibility and liability allocated? Is every actor subject to its own independent obligations? Or is a contractual approach adopted?
DEVELOPMENT OF THE CONTROLLER CONCEPT
THE MEANING OF “CONTROL”
683. ETYMOLOGY – According to Sjöblom, the term “control” was brought into the English language in the late middle ages from the French “contre-rôle”, which meant “duplicate register”. The original meaning of “control” was thus “to take and keep a copy of a roll of accounts and to look for errors therein” or “to check or verify, and hence to regulate”. By the 17th century, “control” also referred to the nature of the relationship between the verifier and the verified, signifying “mastery” over something or someone.
684. CONTROL IN THE CONTEXT OF COMPUTING – During the 1940s, computers were seen (and often designated) as “control systems”. For example, computers were deployed for purposes of “gunfire control” or “inventory control”. During the late 1950s, the term “control” became increasingly associated with “management control” in the context of organisational theory. In this context, the concept of “control” has been associated with the generic management process. The generic management process comprises different elements, such as
“(1) setting objectives;
(2) deciding on preferred strategies for achieving those objectives, and then
(3) implementing those strategies while
(4) making sure that nothing, or as little as possible, goes wrong”.
Both meanings of “control” also found their application in the context of computing and, eventually, in the context of data protection law. As Sjöblom observes:
“[C]ontrol suggests agency – that someone is using computer-based systems to control something and achieve a certain objective […] With its undertone of domination, control helps highlight issues of power relations inherent in computer use […].”
Data Protection Law in the EU: Roles, Responsibilities and Liability
- Volume 6
- Brendan Van Alsenoy
-
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019
-
EU data protection law imposes a series of requirements designed to protect individuals against the risks that result from the processing of their data. It also distinguishes among different types of actors involved in the processing, setting out different obligations for each actor. The most important distinction in this regard is the distinction between "controllers" and "processors". Together, these concepts provide the very basis upon which responsibility for compliance with EU data protection law is allocated. As a result, both concepts play a decisive role in determining the potential liability of an organisation under EU data protection law, including the General Data Protection Regulation (GDPR). Technological and societal developments have made it increasingly difficult to apply the controller-processor model in practice. The main factors are the growing complexity of processing operations, the diversification of processing services and the sheer number of actors that can be involved. Against this background, this book seeks to determine whether EU data protection law should continue to maintain the controller-processor model as the main basis for allocating responsibility and liability. This book provides its readers with the analytical framework to help them navigate the intricate relationship of roles, responsibility and liability under EU data protection law. The book begins with an in-depth analysis of the nature and role of the controller and processor concepts. The key elements of each are examined in detail, as is the associated allocation of responsibility and liability. The next part contains a historical-comparative analysis, which traces the origin and development of the controller-processor model over time. To identify the main problems that occur when applying the controller-processor model in practice, a number of real-life use cases are examined (cloud computing, social media, identity management and search engines).
In the final part, a critical evaluation is made of the choices made by the European legislature in the context of the GDPR. It is clear that the GDPR has introduced considerable improvements in comparison to EU Directive 95/46. In the long run, however, further changes may well be necessary. By way of conclusion, a number of avenues for possible improvements are presented. Dr Brendan Van Alsenoy is a Legal Advisor at the Belgian Data Protection Authority and a senior affiliated researcher at the KU Leuven Centre for IT & IP Law, and co-editor of Privacy & Persoonsgegevens. He has previously worked as a legal researcher at the KU Leuven Centre for IT & IP Law, with a focus on data protection and privacy, intermediary liability and trust services. In 2012, he worked at the Organisation for Economic Co-operation and Development (OECD) to assist in the revision of the 1980 OECD Privacy Guidelines.
Chapter 6 - Directive 95/46/EC
- from PART III - HISTORICAL-COMPARATIVE ANALYSIS
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 261-278
-
- Chapter
Summary
ORIGIN AND DEVELOPMENT
543. ECONOMIC RELEVANCE – On 21 November 1973, the European Commission issued a Communication regarding a “Community Policy on Data Processing”. The Communication stressed the importance of having a flourishing European data processing industry and proposed several measures designed to promote its development. Although the Communication focused primarily on economic aspects of data processing, it also noted a need to establish “common measures” to protect citizens.
544. PARLIAMENTARY MOTIONS – In 1975, the Legal Affairs Committee of the European Parliament prepared an “own initiative” report, which contained a draft Resolution calling for a Directive on “individual freedom and data processing”. A Directive was deemed necessary not only for the protection of citizens, but also to avoid the development of conflicting legislation. The Resolution was passed, but the European Commission did not put forth any legislative proposals. The call for legislative action was repeated in 1976, 1979 and 1982. The Commission, however, preferred to await the completion of Convention 108 and then to urge Member States to ratify it.
545. THE PUSH FOR HARMONISATION – As the 1980s progressed, it soon became clear that not all Member States were rushing to ratify Convention 108. In 1985, the European Commission published a White Paper entitled “Completing the Internal Market”, which contained a timetable of completion by 1992. The continued fragmentation of national approaches to data protection presented a clear risk to the European vision of further integration. The political push for greater harmonisation provided optimal conditions for further Community action. In September 1990, the European Commission announced a series of proposed data protection measures, one of which was a proposal for a Council Directive concerning the protection of individuals in relation to the processing of personal data.
546. LEGISLATIVE DEVELOPMENT – The Commission proposal was met with mixed reviews. After almost two years of debate, the European Parliament published its first reading of the proposal, which contained more than 100 amendments. The Commission responded swiftly, releasing an amended proposal for the Directive six months later. The text was then transmitted to the Council, where the further progression of the document was delayed for more than two years due to a blocking minority.
Chapter 3 - Online Social Networks
- from PART IV - USE CASES
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 395-466
-
- Chapter
Summary
INTRODUCTION
836. THE RISE OF OSNS – One of the most significant developments in the online environment over the past decade has been the rise of social media. More and more individuals are making use of online social networks (OSNs) to stay in touch with family and friends, to engage in professional networking or to connect around shared interests and ideas. But users are not the only ones who are interested in OSNs. OSNs have come to attract a wide range of actors, which include application developers, web trackers, third-party websites, data brokers and other observers.
837. OUTLINE – The objective of this chapter is to analyse how EU data protection law applies in the context of OSNs. To this end, it will begin by describing the various actors engaging with OSNs and the interactions between them. Next, it will analyse the legal status (“role”) of each actor, as interpreted by courts, regulators and scholars. After that, it will describe the main responsibilities assigned to each actor. Once this analysis has been completed, this chapter will critically evaluate the relationship between the current framing of roles and responsibilities in the context of online social networking.
ACTORS
838. OVERVIEW – The following eight actors may be considered as being particularly relevant to online social networks from a data protection and privacy perspective:
OSN users;
OSN providers;
Page administrators;
(Third-party) Application providers;
(Third-party) Trackers;
(Third-party) Data brokers;
(Third-party) Website operators;
Other observers; and
Infrastructure service providers.
839. VISUAL REPRESENTATION – The aforementioned actors interact with each other in a variety of ways. The following figure provides a – highly simplified – representation of how these actors typically interact with OSNs and OSN-related data. It is intended to be conceptual rather than factual.
840. LEGEND – The arrows in Figure 4 indicate that an exchange of personal data is taking place. This exchange can be either uni- or bi-directional. Solid black arrows signify exchanges of personal data which occur primarily “in the foreground”, meaning that they can easily be observed or inferred by OSN users. They often imply some form of active involvement by OSN users (e.g. granting a permission, manually entering data, use of an application).
Chapter 3 - Research Questions
- from PART I - INTRODUCTION
- Brendan Van Alsenoy
-
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 13-16
-
- Chapter
Summary
15. MAIN QUESTION – The main research question of this book is the following:
Can the allocation of responsibility and liability among actors involved in the processing of personal data, as set forth by EU data protection law, be revised in a manner which increases legal certainty while maintaining at least an equivalent level of data protection?
16. ALLOCATION OF RESPONSIBILITY AND LIABILITY – “Allocation of responsibility” can be described as the process whereby the legislature, through one or more statutory provisions, imposes legal obligations upon a specific actor. “Allocation of liability”, on the other hand, can be described as the process whereby the legislature, through one or more statutory provisions, imputes liability or sanctions to an actor where certain prescriptions or restrictions have not been observed.
17. ACTORS INVOLVED IN THE PROCESSING – The research question is limited to actors involved in the processing of personal data. An actor may be “involved” in the processing of personal data either by processing data for themselves, on behalf of others, or by causing others to process personal data on their behalf. The research question does not extend to other stakeholders who might influence the level of data protection, such as system developers, technology designers, standardisation bodies, policymakers, etc.
18. LEGAL CERTAINTY – Legal certainty is a general principle of EU law. It expresses the fundamental premise that those subject to the law must be able to ascertain what the law is so as to be able to plan their actions accordingly. One of the reasons why European data protection law introduced the distinction between controllers and processors was to clarify their respective responsibilities under data protection law, thereby increasing legal certainty. Many stakeholders consider, however, that the distinction reflects an outdated paradigm, which is overly simplistic and has become increasingly difficult to apply. Some even suggested that, because of its decreased relevance and applicability, the distinction actually creates legal uncertainty. The main objective of this book is to explore ways in which legal certainty might be increased, without diminishing the legal protections currently enjoyed by data subjects.
19. AT LEAST EQUIVALENT – The reference, in the research question above, to “an equivalent level of data protection”, refers to the protection offered by EU data protection law. Within the context of this book, the substantive requirements and principles of EU data protection law (e.g. finality, proportionality, transparency) are taken as a given.
Miscellaneous Endmatter
- Brendan Van Alsenoy
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 695-695
- Chapter
Chapter 3 - Typology of Solutions
- from PART V - RECOMMENDATIONS
- Brendan Van Alsenoy
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 589-638
- Chapter
Summary
INTRODUCTION
1250. PREFACE – Over the past decade, a number of solutions have been put forward to remedy the issues that surround the application of the controller-processor model. The aim of this Chapter is to introduce and discuss the proposed solutions in light of the issues identified in the previous chapter. Where appropriate, additional solutions, not previously put forward, will be discussed as well.
1251. CATEGORISATION – In order to facilitate the comparison of possible solutions in relation to the issues identified in Chapter 2, the solutions will be categorized in the same manner as the typology issues presented in the previous chapter:
Grammatical solutions: proposals that involve changing the words chosen to define the concepts of controller and processor;
Teleological solutions: proposals that present alternative ways in which the policy objectives underlying the controller and processor concepts might be realized;
Systemic solutions: proposals that involve modifying the implications associated with the concepts of controller and processor;
Historical solutions: proposals that seek to confine the scope of application of the controller and processor concepts to actors and situations envisaged by the legislature.
1252. INTERDEPENDENCIES – While maintaining the categorisation above promotes consistency in presentation, it is obvious that a proposed solution might seek to address multiple issues. It is equally possible that a solution seeking to address one issue may indirectly ameliorate or exacerbate other issues, without deliberately seeking to do so. With this in mind, the potential solutions will be categorized according to the type of issue that is the focal point of the proposed solution. Where interdependencies exist, the discussion of each solution will involve an assessment of whether the solution is likely to improve or aggravate other issues.
1253. METHODOLOGY – The solutions analysed in this Chapter have been sourced from literature concerning the application of the controller and processor concepts, as well as from the stakeholder responses and legislative proposals put forward in the context of the review of Directive 95/46 and run-up to the GDPR. Not every issue identified in Chapter 2, however, has been explicitly addressed by scholars or stakeholders. Where no remedy has been put forward, possible solutions will be developed in light of the lessons learned from historical-comparative analysis and by drawing inspirations from approaches adopted by other national and international privacy frameworks.
Chapter 4 - Structure and Methodology
- from PART I - INTRODUCTION
- Brendan Van Alsenoy
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 17-20
- Chapter
Summary
21. OUTLINE – This book is divided into five parts, whereby each part aims to answer one or more of the research sub-questions identified in the previous chapter. The following sections will briefly elaborate upon the main topics that are covered by each part, as well as their methodological approach. Further details regarding scope and methodology can be found in the introductory chapter of each part.
STATE OF THE ART
22. AIM – Part II of the book will analyse the nature and role of the controller and processor concepts under current EU data protection law. The aim is to obtain a better understanding of the meaning of the concepts, as well as the functions they fulfil within EU protection law. To this end, an analysis shall be made of the regulatory scheme of EU data protection law, with special attention to (a) the definitions of controller and processor; (b) the allocation of responsibility and liability; and (c) the additional functions fulfilled by the controller and processor concepts.
23. SCOPE – Even though the GDPR has repealed Directive 95/46, Part II still contains multiple references to the provisions of Directive 95/46. There are several reasons for doing so. First, the definitions of controller and processor contained in Directive 95/46 were incorporated by the GDPR without substantive modification. Second, most of the literature, guidance and case law interpreting the concepts of controller and processor has been developed in the context of Directive 95/46. Third, Directive 95/46 forms the backdrop against which the GDPR was developed. To properly understand the nature and role of the controller and processor concepts under the GDPR, it is necessary to understand the meaning and role of these concepts under Directive 95/46.
24. METHODOLOGY – Part II of the book will follow an internal approach. The primary sources of analysis shall be the text of the GDPR and of Directive 95/46, their preparatory works, the case law of the CJEU and the guidance issued by the Article 29 Working Party and European Data Protection Board. Where appropriate, reference shall also be made to the preparatory works of national implementations of Directive 95/46 (e.g. the Netherlands, Belgium), as a means to clarify and supplement the insights offered by the primary sources.
Chapter 1 - Background
- from PART I - INTRODUCTION
- Brendan Van Alsenoy
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 3-6
- Chapter
Summary
1. THE ORIGINS OF DATA PROTECTION LAW – Automated processing of personal information has always been a topic of controversy. As soon as computers became visible to the general public, reflections on how computers might impact the privacy of individuals began to enter the political arena. The first data protection laws emerged during the 1970s, with the aim of protecting individuals against risks resulting from the automated processing of personal data. Regulatory initiatives at the international level soon followed. The first international organisation to formally adopt a normative stance in relation to the processing of personal data was the Council of Europe in 1973. In 1980, the OECD adopted its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. In 1981, the Council of Europe promulgated the Convention for the protection of individuals with regard to automatic processing of personal data (Convention 108).
2. INITIATIVES AT EU LEVEL – Even after Convention 108 came into effect, notable differences in national data protection laws remained. As the European Union developed, these differences were perceived as potential obstacles towards the development of the Internal Market. In 1990, the European Commission put forth a draft for a Council Directive on the Protection of Individuals with regard to the processing of personal data and on the free movement of such data. This proposal eventually led to the adoption of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. In 2016, the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) was adopted. This Regulation replaced Directive 95/46 and entered into application on 25 May 2018.
3. THE IMPORTANCE OF ROLES AND RESPONSIBILITIES – As with any legal instrument, it is essential to establish not only the substantive provisions of regulation, but also to identify which actors shall be responsible for ensuring compliance. Data protection law is no different in this regard. Already in 1975, Hondius observed:
“for an effective system of data protection it is of great importance that the role, rights, and responsibilities of the various persons and parties involved be stated unambiguously”.
Chapter 6 - Specific Issues
- from PART II - STATE OF THE ART
- Brendan Van Alsenoy
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 117-140
- Chapter
Summary
217. PROBLEM STATEMENT – Article 4(7) GDPR defines a controller as being a “natural person, legal person, public authority, agency or other body”. The definition thus refers to a broad range of subjects, ranging from natural to legal persons and including any “other body”. In practice, the question may arise whether an individual within an organisation should be considered as the “controller”, or whether instead this role should be attributed to the organisation of which he or she is a part. According to the Article 29 Working Party,
“preference should be given to consider as controller the company or body as such rather than a specific person within the company or the body. It is the company or the body which shall be considered ultimately responsible for data processing and the obligations stemming from data protection legislation, unless there are clear elements indicating that a natural person shall be responsible. In general, it should be assumed that a company or public body is responsible as such for the processing activities taking place within its realm of activities and risks.”
218. RELATIONSHIP WITH OTHER AREAS OF LAW – In Opinion 1/2010, the Working Party emphasizes that it is important to stick as closely as possible to the rules established by other areas of law, such as civil, administrative and criminal law. These rules indicate to what extent individuals, organisations or other bodies may be held responsible and will in principle help to determine which actor should be labelled as the “controller”. The following paragraphs will briefly look at the civil and criminal liability of organisations – and the individuals working on their behalf – from the perspective of Belgian law.
219. LIABILITY FOR AUXILIARIES AND AGENTS – Article 1384, subsection 3 of the Belgian Civil Code (C.C.) provides that masters and principals are liable for damage caused by their servants and appointees (“auxiliaries”). For Article 1384, subs. 3 to apply, the following three conditions must be met:
a) there must be a relationship of subordination between the principal and the auxiliary;
b) the auxiliary must have committed a fault (i.e. negligence or unlawful act); and
c) the fault must have been committed in the course of the service for which the auxiliary has been enlisted.
Article 1384, subs. 3 C.C. is generally applied to hold employers (and legal persons more generally) vicariously liable for actions of their employees and other subordinates.
Chapter 2 - Typology of Issues
- from PART V - RECOMMENDATIONS
- Brendan Van Alsenoy
- Book:
- Data Protection Law in the EU: Roles, Responsibilities and Liability
- Published by:
- Intersentia
- Published online:
- 26 June 2019
- Print publication:
- 29 March 2019, pp 557-588
- Chapter
Summary
INTRODUCTION
1174. PREFACE – Part IV of this book demonstrated that applying the concepts of controller and processor can be difficult in practice. Practitioners often disagree as to whether an entity should be considered a controller or processor, or struggle to make an unambiguous determination. The objective of this Chapter is to provide a structured overview of the main issues that emerge in practice. To this end, a typology of issues shall be developed which categorizes the issues identified in Part IV and presents them in a structured manner.
1175. CATEGORISATION – The typology of issues shall be structured according to four traditional methods of legal interpretation, namely: (1) grammatical; (2) teleological; (3) systemic; and (4) historical. The chosen methods were retained simply because they are the methods of legal interpretation that have been relied upon – either explicitly or implicitly – by scholars, regulators and courts when evaluating the use cases documented in Part IV. Applying this categorisation, the following typology of issues can be developed:
Grammatical issues: issues that concern the words chosen to define the concepts of controller and processor;
Teleological issues: issues that concern the policy objectives that underlie the allocation of responsibility and liability between controllers and processors;
Systemic issues: issues that arise in light of the functions fulfilled by the controller and processor concepts within the regulatory scheme of EU data protection law; and
Historical issues: issues that arise when applying the regulatory framework of EU data protection law to situations which were not envisaged by the European legislature.
1176. JUSTIFICATION – The development of a typology of issues according to traditional methods of legal interpretation is motivated by the assumption that conflicts of interpretation, as well as interpretative guidelines provided by courts and regulators, can help to uncover the main issues at stake.
1177. LIMITATIONS – The utility of the exercise undertaken over the following sections is predicated on the assumption that the selection of use cases analysed in Part IV offers a sufficiently representative account of the main issues that arise when applying the controller and processor concepts in practice. In other words, there can be no pretence at being exhaustive. Be that as it may, the analysis of proposals put forward by different stakeholders suggests that the typology of issues presented here is rather comprehensive.