Citation and metadata

Recommended citation

René Mahieu, Joris van Hoboken, Hadi Asghari, Responsibility for Data Protection in a Networked World: On the Question of the Controller, “Effective and Complete Protection” and its Application to Data Access Rights in Europe, 10 (2019) JIPITEC 84 para 1.

Download Citation

Endnote

%0 Journal Article
%T Responsibility for Data Protection in a Networked World: On the Question of the Controller, “Effective and Complete Protection” and its Application to Data Access Rights in Europe
%A Mahieu, René
%A van Hoboken, Joris
%A Asghari, Hadi
%J JIPITEC
%D 2019
%V 10
%N 1
%@ 2190-3387
%F mahieu2019
%X In the current networked world, almost no system in which personal data is processed stands on its own. For example, websites and mobile applications integrate third party services for behavioral targeting, user analytics, navigation, and many other functionalities. Governments build central infrastructures to share data efficiently between different branches of government and with other organisations. This paper analyses the current system in Europe for determining who is (or better, are) responsible for observing data protection obligations in such networked service settings. In doing so we address the following problems: (1) of ambiguity in applying the concept of data controller in networked settings; and (2) of insufficiencies in the framework for establishing the extent of the responsibilities in situations of joint control. We look at how the law and regulators address these problems and how the European Court of Justice tackles these problems by applying the principle of “effective and complete protection”. The issue of joint responsibility has gained particular relevance in the wake of Wirtschaftsakademie, a case recently decided by the European Court of Justice. In this case, a Facebook fan page administrator was found to be a joint-controller and therefore jointly responsible, together with Facebook, for observing data protection rules. Following this decision, there are many more situations of joint control than previously thought. As a consequence, part of the responsibility for compliance with data protection legislation and risk of enforcement measures are moved to those who integrate external services. This will change the incentive structure in such a way that joint-controllers will place a much higher value on data protection. 
To explore the practical implications of the legal framework, we analyse a number of examples taken from our earlier empirical work on the right of access to reflect on the newly emerging data responsibility infrastructure. We show that the coordination of responsibilities is complex in practice because many organisations do not have a clear overview of data flows, there are power imbalances between different actors, and personal data governance is often happening in separated specialised units.
%L 340
%K C-210/16 Wirtschaftsakademie
%K GDPR
%K access rights
%K data controller
%K joint-control
%K principle of “effective and complete protection”
%K right of access
%U http://nbn-resolving.de/urn:nbn:de:0009-29-48796
%P 84-104

Bibtex

@Article{mahieu2019,
  author = 	"Mahieu, Ren{\'e}
		and van Hoboken, Joris
		and Asghari, Hadi",
  title = 	"Responsibility for Data Protection in a Networked World: On the Question of the Controller, ``Effective and Complete Protection'' and its Application to Data Access Rights in Europe",
  journal = 	"JIPITEC",
  year = 	"2019",
  volume = 	"10",
  number = 	"1",
  pages = 	"84--104",
  keywords = 	"C-210/16 Wirtschaftsakademie; GDPR; access rights; data controller; joint-control; principle of ``effective and complete protection''; right of access",
  abstract = 	"In the current networked world, almost no system in which personal data is processed stands on its own. For example, websites and mobile applications integrate third party services for behavioral targeting, user analytics, navigation, and many other functionalities. Governments build central infrastructures to share data efficiently between different branches of government and with other organisations. This paper analyses the current system in Europe for determining who is (or better, are) responsible for observing data protection obligations in such networked service settings. In doing so we address the following problems: (1) of ambiguity in applying the concept of data controller in networked settings; and (2) of insufficiencies in the framework for establishing the extent of the responsibilities in situations of joint control. We look at how the law and regulators address these problems and how the European Court of Justice tackles these problems by applying the principle of ``effective and complete protection''. The issue of joint responsibility has gained particular relevance in the wake of Wirtschaftsakademie, a case recently decided by the European Court of Justice. In this case, a Facebook fan page administrator was found to be a joint-controller and therefore jointly responsible, together with Facebook, for observing data protection rules. Following this decision, there are many more situations of joint control than previously thought. As a consequence, part of the responsibility for compliance with data protection legislation and risk of enforcement measures are moved to those who integrate external services. This will change the incentive structure in such a way that joint-controllers will place a much higher value on data protection. 
To explore the practical implications of the legal framework, we analyse a number of examples taken from our earlier empirical work on the right of access to reflect on the newly emerging data responsibility infrastructure. We show that the coordination of responsibilities is complex in practice because many organisations do not have a clear overview of data flows, there are power imbalances between different actors, and personal data governance is often happening in separated specialised units.",
  issn = 	"2190-3387",
  url = 	"http://nbn-resolving.de/urn:nbn:de:0009-29-48796"
}

RIS

TY  - JOUR
AU  - Mahieu, René
AU  - van Hoboken, Joris
AU  - Asghari, Hadi
PY  - 2019
DA  - 2019//
TI  - Responsibility for Data Protection in a Networked World: On the Question of the Controller, “Effective and Complete Protection” and its Application to Data Access Rights in Europe
JO  - JIPITEC
SP  - 84
EP  - 104
VL  - 10
IS  - 1
KW  - C-210/16 Wirtschaftsakademie
KW  - GDPR
KW  - access rights
KW  - data controller
KW  - joint-control
KW  - principle of “effective and complete protection”
KW  - right of access
AB  - In the current networked world, almost no system in which personal data is processed stands on its own. For example, websites and mobile applications integrate third party services for behavioral targeting, user analytics, navigation, and many other functionalities. Governments build central infrastructures to share data efficiently between different branches of government and with other organisations. This paper analyses the current system in Europe for determining who is (or better, are) responsible for observing data protection obligations in such networked service settings. In doing so we address the following problems: (1) of ambiguity in applying the concept of data controller in networked settings; and (2) of insufficiencies in the framework for establishing the extent of the responsibilities in situations of joint control. We look at how the law and regulators address these problems and how the European Court of Justice tackles these problems by applying the principle of “effective and complete protection”. The issue of joint responsibility has gained particular relevance in the wake of Wirtschaftsakademie, a case recently decided by the European Court of Justice. In this case, a Facebook fan page administrator was found to be a joint-controller and therefore jointly responsible, together with Facebook, for observing data protection rules. Following this decision, there are many more situations of joint control than previously thought. As a consequence, part of the responsibility for compliance with data protection legislation and risk of enforcement measures are moved to those who integrate external services. This will change the incentive structure in such a way that joint-controllers will place a much higher value on data protection. 
To explore the practical implications of the legal framework, we analyse a number of examples taken from our earlier empirical work on the right of access to reflect on the newly emerging data responsibility infrastructure. We show that the coordination of responsibilities is complex in practice because many organisations do not have a clear overview of data flows, there are power imbalances between different actors, and personal data governance is often happening in separated specialised units.
SN  - 2190-3387
UR  - http://nbn-resolving.de/urn:nbn:de:0009-29-48796
ID  - mahieu2019
ER  - 

Wordbib

<?xml version="1.0" encoding="UTF-8"?>
<b:Sources SelectedStyle="" xmlns:b="http://schemas.openxmlformats.org/officeDocument/2006/bibliography"  xmlns="http://schemas.openxmlformats.org/officeDocument/2006/bibliography" >
<b:Source>
<b:Tag>mahieu2019</b:Tag>
<b:SourceType>ArticleInAPeriodical</b:SourceType>
<b:Year>2019</b:Year>
<b:PeriodicalTitle>JIPITEC</b:PeriodicalTitle>
<b:Volume>10</b:Volume>
<b:Issue>1</b:Issue>
<b:Url>http://nbn-resolving.de/urn:nbn:de:0009-29-48796</b:Url>
<b:Pages>84-104</b:Pages>
<b:Author>
<b:Author><b:NameList>
<b:Person><b:Last>Mahieu</b:Last><b:First>René</b:First></b:Person>
<b:Person><b:Last>van Hoboken</b:Last><b:First>Joris</b:First></b:Person>
<b:Person><b:Last>Asghari</b:Last><b:First>Hadi</b:First></b:Person>
</b:NameList></b:Author>
</b:Author>
<b:Title>Responsibility for Data Protection in a Networked World: On the Question of the Controller, “Effective and Complete Protection” and its Application to Data Access Rights in Europe</b:Title>
<b:Comments>In the current networked world, almost no system in which personal data is processed stands on its own. For example, websites and mobile applications integrate third party services for behavioral targeting, user analytics, navigation, and many other functionalities. Governments build central infrastructures to share data efficiently between different branches of government and with other organisations. This paper analyses the current system in Europe for determining who is (or better, are) responsible for observing data protection obligations in such networked service settings. In doing so we address the following problems: (1) of ambiguity in applying the concept of data controller in networked settings; and (2) of insufficiencies in the framework for establishing the extent of the responsibilities in situations of joint control. We look at how the law and regulators address these problems and how the European Court of Justice tackles these problems by applying the principle of “effective and complete protection”. The issue of joint responsibility has gained particular relevance in the wake of Wirtschaftsakademie, a case recently decided by the European Court of Justice. In this case, a Facebook fan page administrator was found to be a joint-controller and therefore jointly responsible, together with Facebook, for observing data protection rules. Following this decision, there are many more situations of joint control than previously thought. As a consequence, part of the responsibility for compliance with data protection legislation and risk of enforcement measures are moved to those who integrate external services. This will change the incentive structure in such a way that joint-controllers will place a much higher value on data protection. 
To explore the practical implications of the legal framework, we analyse a number of examples taken from our earlier empirical work on the right of access to reflect on the newly emerging data responsibility infrastructure. We show that the coordination of responsibilities is complex in practice because many organisations do not have a clear overview of data flows, there are power imbalances between different actors, and personal data governance is often happening in separated specialised units.</b:Comments>
</b:Source>
</b:Sources>

ISI

PT Journal
AU Mahieu, R
   van Hoboken, J
   Asghari, H
TI Responsibility for Data Protection in a Networked World: On the Question of the Controller, “Effective and Complete Protection” and its Application to Data Access Rights in Europe
SO JIPITEC
PY 2019
BP 84
EP 104
VL 10
IS 1
DE C-210/16 Wirtschaftsakademie; GDPR; access rights; data controller; joint-control; principle of “effective and complete protection”; right of access
AB In the current networked world, almost no system in which personal data is processed stands on its own. For example, websites and mobile applications integrate third party services for behavioral targeting, user analytics, navigation, and many other functionalities. Governments build central infrastructures to share data efficiently between different branches of government and with other organisations. This paper analyses the current system in Europe for determining who is (or better, are) responsible for observing data protection obligations in such networked service settings. In doing so we address the following problems: (1) of ambiguity in applying the concept of data controller in networked settings; and (2) of insufficiencies in the framework for establishing the extent of the responsibilities in situations of joint control. We look at how the law and regulators address these problems and how the European Court of Justice tackles these problems by applying the principle of “effective and complete protection”. The issue of joint responsibility has gained particular relevance in the wake of Wirtschaftsakademie, a case recently decided by the European Court of Justice. In this case, a Facebook fan page administrator was found to be a joint-controller and therefore jointly responsible, together with Facebook, for observing data protection rules. Following this decision, there are many more situations of joint control than previously thought. As a consequence, part of the responsibility for compliance with data protection legislation and risk of enforcement measures are moved to those who integrate external services. This will change the incentive structure in such a way that joint-controllers will place a much higher value on data protection. 
To explore the practical implications of the legal framework, we analyse a number of examples taken from our earlier empirical work on the right of access to reflect on the newly emerging data responsibility infrastructure. We show that the coordination of responsibilities is complex in practice because many organisations do not have a clear overview of data flows, there are power imbalances between different actors, and personal data governance is often happening in separated specialised units.
ER

Mods

<mods>
  <titleInfo>
    <title>Responsibility for Data Protection in a Networked World: On the Question of the Controller, “Effective and Complete Protection” and its Application to Data Access Rights in Europe</title>
  </titleInfo>
  <name type="personal">
    <namePart type="family">Mahieu</namePart>
    <namePart type="given">René</namePart>
  </name>
  <name type="personal">
    <namePart type="family">van Hoboken</namePart>
    <namePart type="given">Joris</namePart>
  </name>
  <name type="personal">
    <namePart type="family">Asghari</namePart>
    <namePart type="given">Hadi</namePart>
  </name>
  <abstract>In the current networked world, almost no system in which personal data is processed stands on its own. For example, websites and mobile applications integrate third party services for behavioral targeting, user analytics, navigation, and many other functionalities. Governments build central infrastructures to share data efficiently between different branches of government and with other organisations. This paper analyses the current system in Europe for determining who is (or better, are) responsible for observing data protection obligations in such networked service settings. In doing so we address the following problems: (1) of ambiguity in applying the concept of data controller in networked settings; and (2) of insufficiencies in the framework for establishing the extent of the responsibilities in situations of joint control. We look at how the law and regulators address these problems and how the European Court of Justice tackles these problems by applying the principle of “effective and complete protection”. The issue of joint responsibility has gained particular relevance in the wake of Wirtschaftsakademie, a case recently decided by the European Court of Justice. In this case, a Facebook fan page administrator was found to be a joint-controller and therefore jointly responsible, together with Facebook, for observing data protection rules. Following this decision, there are many more situations of joint control than previously thought. As a consequence, part of the responsibility for compliance with data protection legislation and risk of enforcement measures are moved to those who integrate external services. This will change the incentive structure in such a way that joint-controllers will place a much higher value on data protection. 
To explore the practical implications of the legal framework, we analyse a number of examples taken from our earlier empirical work on the right of access to reflect on the newly emerging data responsibility infrastructure. We show that the coordination of responsibilities is complex in practice because many organisations do not have a clear overview of data flows, there are power imbalances between different actors, and personal data governance is often happening in separated specialised units.</abstract>
  <subject>
    <topic>C-210/16 Wirtschaftsakademie</topic>
    <topic>GDPR</topic>
    <topic>access rights</topic>
    <topic>data controller</topic>
    <topic>joint-control</topic>
    <topic>principle of “effective and complete protection”</topic>
    <topic>right of access</topic>
  </subject>
  <classification authority="ddc">340</classification>
  <relatedItem type="host">
    <genre authority="marcgt">periodical</genre>
    <genre>academic journal</genre>
    <titleInfo>
      <title>JIPITEC</title>
    </titleInfo>
    <part>
      <detail type="volume">
        <number>10</number>
      </detail>
      <detail type="issue">
        <number>1</number>
      </detail>
      <date>2019</date>
      <extent unit="page">
        <start>84</start>
        <end>104</end>
      </extent>
    </part>
  </relatedItem>
  <identifier type="issn">2190-3387</identifier>
  <identifier type="urn">urn:nbn:de:0009-29-48796</identifier>
  <identifier type="uri">http://nbn-resolving.de/urn:nbn:de:0009-29-48796</identifier>
  <identifier type="citekey">mahieu2019</identifier>
</mods>

JIPITEC – Journal of Intellectual Property, Information Technology and E-Commerce Law