Who is a Data Controller? 2nd International Conference on Internet Science : Brussels, 29.05.2015 Assistant Professor of Law Faculty of Law, The University of Hong Kong virtue of intermediate courses Proposition Normative expectations directed at a Data Controller, as much as the notion of control itself, should: -‐ reflect a reasonable best efforts approach to the problem of liability; and -‐ vary in accordance with the technological and, because of it, economic possibilities of the Data Controller. 1. Liability & Accountability in Data Protection Law purposes and means of processing determines the any operation performed upon personal data definition of the concept of ‘controller’ complete protection broad loading personal data on an internet page processing Lindqvist Liability IF unlawful processing or any act incompatible with national provisions / Directive THEN victim is entitled to compensation by the controller Exemption if controller not responsible • Comprehensive responsibility and liability of the controller • Controller should ensure and be able to demonstrate the compliance of each processing operation Semantic Indeterminacy strict liability as the exception legitimate adequate relevant not excessive • sensitivity • interest of the public • if • public conduct improper ensure and be able to demonstrate in a transparent manner that the processing of personal data is performed in compliance with this Regulation having regard to the state of the art at the time of the determination at the time of the processing OECD Revised Guidelines Accountability Principle give effect to the principles Implementing Accountability Proposition Normative expectations directed at a Data Controller, as much as the notion of control itself, should: -‐ reflect a reasonable best efforts approach to the problem of liability; and -‐ vary in accordance with the technological and, because of it, economic possibilities of the Data Controller. 2. Effort, Correlativity & Technology Correlativity & Effort normative community • Normative commitments and expectations subjects private relationships with data coherent whole made sense of network of conceptual interdependencies right equality law of freedom universal • Normative correlativity normative loss rectify normative gain • Difficulty of remedial measures cannot serve as an excuse normative loss wrongful infringement The theoretical case for basing tort liability on the causation of harm without fault is inconsistent with the equality and correlativity of corrective justice and with the concept of agency that underlies Kantian right Technological Possibilities • Variation in accordance with the technological and, because of it, economic possibilities of the Data Controller • John Gardner: obligation to try v obligation to succeed abilities” at the limits of the defendant’s particular technological possibilities not point out of the curve what lies beyond our nature, expanding it, should also be taken into account granularly normative focus 3. Privacy and Normativity Self-‐Centred Understanding of Privacy auto v Norms-‐Centred Understanding of Privacy nomy point of autonomy disengage deeper relationships” but not to enhance one’s ability to form new and restrictions on access that privacy protects enable associations that serve personal and group goals UK | Breach of Confidence Campbell v MGN [2004] UKHL 22 • Right to protection of private information – tort of misuse of private information • ECHR defines court's obligation to respect private life. • Being private or not should not depend merely on geographical factors. • Information itself must be of a private nature – person must have a reasonable expectation of privacy UK| Breach of Confidence Campbell v MGN [2004] UKHL 22 • "Objective test of what a reasonable person of ordinary sensibilities would feel if she were placed in the same position as the claimant” • or (which was the case) information obviously of a private nature. • Public interest met by disclosed information not proportionate to the harm inflicted to Campbell. UK | Breach of Confidence Campbell v MGN Limited [2004] UKHL 22 Reality of reasonableness of one’s expectation of privacy: objective duty of good faith; transcends inter-‐subjective boundaries of a previous relationship of confidence Grounded on “contemporary standards of morals and behaviour” to determine activities which were meant to be unobserved. UK | Breach of Confidence Campbell v MGN Limited [2004] UKHL 22 • Relates to: • the “mind” and “development” of the subject (reasonableness assessed in her context) – duty to put oneself into the shoes of a reasonable other (here, a reasonable person needing treatment) • to an objective duty of good faith of the Media, which involves accuracy and reliability in following the ethics of journalism (Fressoz v France). • Technological dependence: normative context is sensitive to the kind of media • Importance of any relevant privacy code • Duty of putting the record straight in matters concerning the public interest (truth) Canada | Reasonable Expectation of Privacy descriptive standard normative rather than a Biographical core of personal information Canada | Reasonable Expectation of Privacy accepts positively society 4. Functional Propriety technological artefacts normative role played by the designers technological design functions of physical plan ‘use plans’ artefacts teleological objects evaluated in normative terms action-‐theoretical physical capacities series of considered actions exist within a normative framework functions justified play a role within manipulations of goal ascription of communicating • Knowledge of a proper function source of normativity with “privileged status” privilege ways proper ones must answer to standards of rationality • Reasons provided by a use plan are embedded in a normative network social role strive Controllers determined by design conditions of normative propriety Data purposes and means of data processing normatively reflecting upon privacy in the use plans of technological artefacts Privacy by Design 5. Conclusion “Don’t worry about the vase” What vase? Hercules Neo • What we can demand from them is normative commitment, not perfection • We may place the threshold high • We may establish cases of strict liability when the nature of the processing so requires – e.g. Big Data • But strict liability cannot become the ordinary life of data protection law • Nor the curse of those who labour to innovate in a universe of ever growing complexity Thank you Assistant Professor of Law Faculty of Law, The University of Hong Kong [email protected]
© Copyright 2024