Who is a Data Controller? Effort, accountability and indeterminacy

Abstract

As data protection frameworks have been designed throughout the last decades, allocation of responsibility has taken two remarkably simple ideas as a point of departure, namely: i) that one who is a Data Controller is, by definition, bound by the rules of the framework; and ii) that, as a corollary of being in control, a Data Controller responds strictly for the violation of such rules. Problems of proportionality, as translated through the lenses of data protection, have been dealt with typically via exceptions to the framework. At the same time, those problems have been rendered largely subject to open textured, sweeping categories that bring as much adaptability to data protection as they bring uncertainty. Open/close, public/private, anonymous/identifiable, data/metadata, legitimate/illegitimate, relevant/irrelevant and so on, have all been part of this porous categorical universe on which data protection’s twin presiding ideas are grounded. The result is that Data Controllers, beyond the already formidable challenge of innovating technologically, are also expected to live up to the responsibility of getting the vague strictures of data protection law right. On top of all that, the twin original foundations of data protection law are now taken to an entirely new dimension with the adoption of a strengthened principle of accountability by data protection regimes around the world – from the OECD and the APEC to, soon, Europe and the United States. Such a principle calls on Data Controllers to move from the sheer abidance by rules towards giving practical effect to principles founded on the same indeterminate categories on which Data Controllers’ liability rests. Debates on design, standards, codes of practice, are all at the heart of debates on accountability, which in the end are debates on the limitations (and the future) of law itself. While the adoption of a principle of accountability is surely not to be regretted – rather the opposite – the building of an ever-growing castle of strict liability upon categorical quicksand, is. That Data Controllers not only need to shoulder the limitations and the future of law but need to do so under the Sword of Damocles, that is something to be feared for it undermines that basic liberal commitment we came to know as the rule of law. What is needed is pause for thinking, and the return to one very basic question: Who is a Data Controller?, this figure of contemporary Internet mythology to whom we suddenly seem to direct all our frustrations with an increasingly alienating infosphere (which is not so without being also, at least in part, a product of our own making). In answering that basic question, this paper puts forward a suggestion that replaces paradigms of determination (EU) and competence (OECD), with one of best efforts by Data Controllers, a paradigm founded upon an obligation of trying and seeking the best interpretation possible of one’s own technical and normative commitments.