The Problem of Control in Data Protection Law

Abstract

Introduced in 2016, the General Data Protection Regulation ('GDPR') marked a significant shift in the balance between individual privacy on one side and the increasingly entwined forces of multinational tech commerce and government surveillance on the other. Yet, the GDPR's aims are often lost amidst complex data flows and a marked asymmetry in power and knowledge. In order to ensure 'complete and effective' protection of individuals , the GDPR places obligations upon the different actors within data processing relationships. Specifically, the GDPR employs a 'controller-based responsibility system' wherein the chief onus for fulfilling its obligations falls upon 'controllers'. This model of accountability traces its origins to the first data protection laws of the 1970s and 1980s. However, data processing relationships are often elaborate, featuring numerous parties and data transfers. Our concern surrounds the difficulty in defining these relationships and the parties within them. This challenge has been heightened through a series of recent CJEU judgments which have stretched the definition of controllership to new limits. Moreover, the rapid development and deployment of AI systems raise foundational concerns regarding the adequacy of this paradigm. This thesis contributes to EU Data Protection Regime by exploring the uncertain nature of control and controllership. To this end a theoretical and comparative historical analysis of the development of Data Protection Law is undertaken. Thereafter the CJEU's rulings on controllership are examined with key consequences identified. Here attention is given to the impact on data subjects as well as controllers, regulators, and the general public. Finally, this thesis outlines potential solutions to the challenges outlined. One such solution is developed in the form of a taxonomy of accountability in data processing relationships. It is believed that this may serve as one mechanism for mitigating the Problem of Control in EU Data Protection Law.