Who is a Data Controller?
2nd International Conference on Internet Science : Brussels, 29.05.2015 Assistant Professor of Law Faculty of Law, The University of Hong Kong virtue of intermediate courses Proposition Normative expectations directed at a Data Controller, as much as the notion of control itself, should: -‐  reﬂect a reasonable best eﬀorts approach to the problem of liability; and -‐  vary in accordance with the technological and, because of it, economic possibilities of the Data Controller. 1. Liability & Accountability in Data Protection Law purposes and means of
processing
determines the any operation performed upon personal data
deﬁnition of the concept of ‘controller’
complete protection
broad loading personal data on an internet page processing
Lindqvist
Liability IF
unlawful processing or any act incompatible with national provisions / Directive THEN victim is entitled to compensation by the controller
Exemption if controller not responsible
• Comprehensive responsibility and liability of the controller
• Controller should ensure and be able to demonstrate the compliance of each processing operation Semantic Indeterminacy strict liability as the exception
legitimate
adequate relevant
not excessive
• 
sensitivity
• interest of the public • if
• 
public
conduct improper ensure and be able to demonstrate in a transparent manner that the processing of personal data is performed in compliance with this Regulation having regard to the state of the art
at the time of the determination
at the time of the processing
OECD Revised Guidelines Accountability Principle
give eﬀect to the principles
Implementing Accountability Proposition Normative expectations directed at a Data Controller, as much as the notion of control itself, should: -‐  reﬂect a reasonable best eﬀorts approach to the problem of liability; and -‐  vary in accordance with the technological and, because of it, economic possibilities of the Data Controller. 2. Eﬀort, Correlativity & Technology Correlativity & Eﬀort normative community
•  Normative commitments and expectations
subjects private relationships with data coherent whole
made sense of network of conceptual interdependencies
right
equality
law of freedom universal •  Normative correlativity
normative loss
rectify
normative gain
•  Diﬃculty of remedial measures cannot serve as an excuse normative loss
wrongful infringement
The theoretical case for basing tort liability on the causation of harm without fault is inconsistent with the equality and correlativity of corrective justice and with the concept of agency that underlies Kantian right
Technological Possibilities •  Variation in accordance with the technological and, because of it, economic possibilities of the Data Controller
•  John Gardner: obligation to try v obligation to succeed
abilities”
at the limits of the defendant’s particular technological possibilities
not
point out of the curve what lies beyond our nature, expanding it, should also be taken into account
granularly normative focus
3. Privacy and Normativity Self-‐Centred Understanding of Privacy auto
v Norms-‐Centred Understanding of Privacy nomy point of autonomy
disengage
deeper relationships”
but
not to enhance one’s ability to form new and restrictions on access that privacy protects
enable
associations that serve
personal and group goals
UK | Breach of Conﬁdence Campbell v MGN [2004] UKHL 22 •  Right to protection of private information – tort of misuse of private information •  ECHR deﬁnes court's obligation to respect private life. •  Being private or not should not depend merely on geographical factors. •  Information itself must be of a private nature – person must have a reasonable expectation of privacy UK| Breach of Conﬁdence Campbell v MGN [2004] UKHL 22 • "Objective test of what a reasonable person of ordinary sensibilities would feel if she were placed in the same position as the claimant” • or (which was the case) information obviously of a private nature. • Public interest met by disclosed information not proportionate to the harm inﬂicted to Campbell. UK | Breach of Conﬁdence Campbell v MGN Limited [2004] UKHL 22 Reality of reasonableness of one’s expectation of privacy: objective duty of good faith; transcends inter-‐subjective boundaries of a previous relationship of conﬁdence Grounded on “contemporary standards of morals and behaviour” to determine activities which were meant to be unobserved. UK | Breach of Conﬁdence Campbell v MGN Limited [2004] UKHL 22 •  Relates to: •  the “mind” and “development” of the subject (reasonableness assessed in her context) – duty to put oneself into the shoes of a reasonable other (here, a reasonable person needing treatment) •  to an objective duty of good faith of the Media, which involves accuracy and reliability in following the ethics of journalism (Fressoz v France). •  Technological dependence: normative context is sensitive to the kind of media •  Importance of any relevant privacy code •  Duty of putting the record straight in matters concerning the public interest (truth) Canada | Reasonable Expectation of Privacy descriptive standard
normative rather than a   Biographical core of personal information Canada | Reasonable Expectation of Privacy accepts positively
society 4. Functional Propriety technological artefacts
normative role played by the designers
technological design functions of physical
plan
‘use plans’
artefacts
teleological objects evaluated in normative terms
action-‐theoretical physical capacities
series of considered actions
exist within a normative framework
functions
justiﬁed
play a role within manipulations of goal
ascription of communicating
•  Knowledge of a proper function
source of normativity
with “privileged status”
privilege ways
proper ones
must answer to standards of rationality
•  Reasons provided by a use plan are embedded in a normative network
social role
strive
Controllers
determined by design conditions of normative propriety
Data purposes and means of data processing
normatively reﬂecting upon privacy in the use plans of technological artefacts
Privacy by Design
5. Conclusion “Don’t worry about the vase” What vase? Hercules
Neo • What we can demand from them is normative commitment, not perfection • We may place the threshold high • We may establish cases of strict liability when the nature of the processing so requires – e.g. Big Data • But strict liability cannot become the ordinary life of data protection law • Nor the curse of those who labour to innovate in a universe of ever growing complexity Thank you
Assistant Professor of Law Faculty of Law, The University of Hong Kong [email protected]