Allocating responsibility among controllers, processors, and "everything in between": The definition of actors and roles in Directive 95/46/EC

Computer Law and Security Review

Volumn 28, Issue 1, 2012, Pages 25-43

  Van Alsenoy, Brendan ^a  

^a UNIVERSITY OF LEUVEN   (Belgium)

Author keywords

Accountability; Actors and roles; Article 29 Working Party; Compliance; Controllers and processors; Data Protection; Directive 95 46 EC

Indexed keywords

CONTROLLERS; DATA HANDLING; DATA PRIVACY;

ACCOUNTABILITY; ACTORS AND ROLES; COMPLIANCE; DIRECTIVE 95/46/EC; WORKING PARTIES;

LAWS AND LEGISLATION;

EID: 84856477345     PISSN: 02673649     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.clsr.2011.11.006     Document Type: Article

References (139)

1. Directive 95/46/EC on the protection of individuals with regards to the processing of personal data and on the free movement of such data, Official Journal of the European Union, no L 281, 23 November 1995, 31-50. Hereafter also referred to as Directive 95/46/EC or simply the Directive.
2. B. Van Alsenoy, J. Ballet, A. Kuczerawy and J. Dumortier, Social networks and web 2.0: are users also bound by data protection regulations?, Identity in the information society 2009, Vol. 2, no1, 68 (available at http://www. springerlink.com/content/u11161037506t68n/fulltext.pdf, last accessed 24 November 2010).
3. See also J. Alhadeff and B. Van Alsenoy (eds.), D6.2 Contractual framework, Trusted Architecture for Securely Shared Services (TAS3), second iteration, December 2009, 31, available at http://vds1628.sivit.org/tas3/ content/deliverables/TAS3-D6p2-v2-TContractual-Framework.pdf (last accessed 1 August 2011).
4. C. Kuner, European Data Protection Law e Corporate Compliance and Regulation, second edition, Oxford University Press, NewYork, 2007, 71-72.
5. See also Th. Leonard, Data processor and Data controllers Are these concepts still adequate?, presentation held at the conference: Reinventing data protection, Brussels, 12-13 October 2007, available at http://www. cpdpconferences.org/Resources/Leonard.pdf (last accessed 20 Augustus 2010)
6. and J. Alhadeff and B. Van Alsenoy (eds.), D6.2 Contractual framework, l.c., 31.
7. C. Kuner, o.c., 72.
8. Hereafter also referred to as "the Article 29 Working Party" or simply "the Working Party".
9. Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of "controller" and "processor", WP169, 16 February 2010, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/ wp169-en.pdf. Hereafter referred to as "Opinion 1/2010". The Working Party had been called upon to deal with the question of legal control several times in the past, but the guidance provided in these opinions was often closely tied to the specific issues at hand.
10. See e.g. Working Document on online authentication services, WP68, 29 January 2003 (available at http://ec.europa.eu/justice/policies/privacy/docs/ wpdocs/2003/wp68-en.pdf);
11. Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), WP128, 22 November 2006 (available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/ wp128-en.pdf);
12. Opinion 7/2007 on data protection issues related to the Internal Market Information System (IMI), WP140, 20 September 2007 (available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp140-en.pdf);
13. Opinion 5/2009 on online social networking, WP163, 12 June 2009 (available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/ wp163-en.pdf). The cited urls were last accessed on 20 November 2010.
14. See J. Zittrain, Privacy 2.0, University of Chicago Legal Forum 2008, vol. 65, 65-119;
15. M. Burdon, Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws University of Illinois Journal of Law, Technology and Policy 2010, vol. 1, 1-50 In other words, this paper only focuses on the controller-processor dichotomy, not on the controller-data subject dichotomy, which has been subject to its own set of criticisms.
16. See e.g. R. Wong, Data protection: The future of privacy, Computer Law & Security Review 2011, Volume 27, Issue 1, 57;
17. P. Van Eecke and M. Truyens, Privacy and social networks, Computer, Law & Security Review 2010, Vol. 26, no 5, 538-539.
18. For a comprehensive description of the catalysts contributing to the enactment of data protection law see C.J. Bennet, Regulating privacy. Data Protection and Public Policy in Europe and the United States, Cornell University Press, Ithaca, 1992, 45 et seq.
19. P. De Hert and S. Gutwirth, Privacy, data protection and law enforcement. Opacity of the individual and transparency of power, in E. Claes, A. Duff and S. Gutwirth (eds.), Privacy and the Criminal Law, Antwerpen/Oxford, Intersentia, 2006, 76.
20. P. De Hert and S. Gutwirth, Data Protection and the Case Law of Strasbourg and Luxemburg: Constitutionalism in Action, in S. Gutwirth, Y. Poullet, P. De Hert, J. Nouwt and C. De Terwangne (eds.), Reinventing data protection?, Springer Science, Dordrecht, 2009, 9 (highlighting that data protection and privacy are by no means interchangeable).
21. Organisation for Economic Co-operation and Development (OECD), Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 23 September 1980.
22. Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981.
23. F.H. Cate, The EU Data Protection Directive, Information Privacy, and the Public Interest, l.c., 432.
24. Directive 95/46/EC on the protection of individuals with regards to the processing of personal data and on the free movement of such data, Official Journal of the European Union, no L 281, 23 November 1995, 31-50. Hereafter also referred to as Directive 95/46/EC or simply the Directive.
25. See also J. Alhadeff and B. Van Alsenoy (eds.), D6.2 Contractual Framework, l.c., 31.
26. C. Reed, The Law of Unintended Consequences - Embedded Business Models in IT Regulation, Journal of Information Law and Technology, 2007, vol. 2, paragraph 33, available at http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2007- 2/reed/reed.pdf (last accessed 4 December 2010).
27. M. Burdon, Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws, University of Illinois Journal of Law, Technology and Policy 2010, 31.
28. C. Reed, The Law of Unintended Consequences - Embedded Business Models in IT Regulation, l.c., paragraph 33.
29. See also V. Mayer-Schönberger, Generational Development of Data Protection in Europe, in P.E. Agre and M. Rotenberg (eds.), Technology and Privacy: The New Landscape, 1998, The MIT Press, Cambridge, Massachusetts, 221-224.
30. This situation is seemingly reflected in the Explanatory for compliance with the Directives substantive provisions is Memorandum to Convention 108. See in particular paragraph 30, concerning the definition of an automated data file: The definition covers not only data files consisting of compact sets of data, but also sets of data which are geographically distributed and are brought together via computer links for purposes of processing.) In a sense, we still live in an era of (virtualized) mainframe computing; as evidenced by processing models such as grid and cloud computing. However, it is also clear that, congruent with Moores law, the processing capabilities of individual electronic devices are much more powerful than they were at the time these instruments were adopted. See also J. Zittrain, Privacy 2.0, l.c. in particular 72-91.
31. C. Reed, The Law of Unintended Consequences - Embedded Business Models in IT Regulation, l.c., paragraph 35.
32. P. Van Eecke, M. Truyens et al. (eds.), The future of online privacy and data protection, EU study on the Legal analysis of a Single Market for the Information Society - New rules for a new age?, DLA Piper, November 2009, 8 available at http://ec.europa.eu/information-society/newsroom/cf/itemlongdetail. cfm?item-id=7022(last accessed 3 June 2011).
33. Opinion 1/2010, l.c., 4.
34. (referring to Commission of the European Communities, Proposal for a Council Directive concerning the protection of individuals in relation to the processing of personal data, SYN 287, Explanatory Memorandum, 40). The decision to incorporate a separate definition of processors was not included in the Commissions initial proposal, but was later introduced pursuant to an amendment proposed by the Committee on Legal Affairs and Citizens Rights (see Committee on Legal Affairs and Citizens Rights, Report concerning the proposal by the Commission to the Council for a Directive concerning the protection of individuals in relation to the processing of personal data, European Parliament Session Documents, A3-0010-92, 15 January 1992, 11, amendment nr. 18).
35. Although neither Convention 108 nor the OECD Guidelines formally defined the concept of a processor, it is worth observing that the Explanatory Memorandum to the OECD Guidelines did already stipulate that a data controller should not be relieved of its obligations merely because the processing of data is carried out on his behalf by another party, such as a service bureau (see the ExplanatoryMemorandumto theOECDGuidelines, at paragraph 62, available at http://www.oecd.org/document/18/0,3343,en-2649-34255-1815186-1-1-1-1,00. html#memorandum, (last accessed 30 November 2010).
36. For an overview of the most significant changes since the enactment of the Directive see O. Tene, Privacy: The new generations, International Data Privacy Law 2011, Vol. 1, No. 1, 15-27.
37. See also J. Zittrain, Privacy 2.0, l.c., 65-99.
38. Opinion 1/2010, l.c., 4.
39. Opinion 1/2010, l.c., 5.
40. See also Opinion 1/2010, l.c., 4.
41. See also J. Alhadeff and B. Van Alsenoy (eds.), D6.2 Contractual Framework, l.c., second iteration, 31;
42. T. Olsen and T. Mahler, Identity management and data protection law: Risk, responsibility and compliance in Circles of Trust - Part II, Computer, Law & Security Review 2007, Vol. 23, no 5, 418.
43. See also Opinion 1/2010, l.c., 26.
44. See Opinion 1/2010, l.c., 5.
45. For more information see Article 29 Data Protection Working Party, Opinion 8/2010 on applicable law, WP179, 16 December 2010.
46. See also infra; Section 3.3.2. The qualification of an actor as either a controller or processor may also have practical implications in the context of an international data transfer, when determining what type of EU model contract should be used. (P. Van Eecke, M. Truyens et al. (eds.), The future of online privacy and data protection, l.c., 32 at note 162).
47. Opinion 1/2010, l.c., 9.
48. See also D. Bainbridge, o.c., 45.
49. Opinion 1/2010, l.c., 13.
50. See also P. Van Eecke and M. Truyens, Privacy and social networks, l.c., 539. The tendency to emphasize the purpose over the means of the processing can also be found in earlier doctrine (see e.g. D. De Bot, Verwerking van persoonsgegevens, 2001, Antwerpen, Kluwer, 46)
51. and in guidance issued by regulatory authorities (see e.g. Office of the Information Commissioner, Data Protection Act, 1998 e Legal Guidance, Version 1, not dated, 16, available at http://www.ico.gov.uk/upload/documents/library/ data-protection/detailed-specialist-guides/data-protection-act-legal-guidance. pdf) (last accessed 26 November 2010).
52. Bainbridge has even raised the question as to whether it might have been better to identify the controller based on who determines the purposes alone (See Bainbridge, o.c., 128.). This tendency can in part be attributed to considerations of pragmatism (to accommodate the fact that entities that process personal data on behalf of other entities often substantially influence the means of the processing). A more compelling justification for this approach is the fact that the finality pursued by (a set of) processing operations fulfills a fundamental role in determining the scope of the controllers obligations, as well as when assessing the overall legitimacy and/or proportionality of the processing (see in particular article 6, 1 (b) through (e) and article 7 (b) through (f) of the Directive). For a comprehensive analysis of the fundamental role that the finality principle plays within data protection regulation see S. Gutwirth, De toepassing van het finaliteitsbeginsel van de Privacywet van 8 december 1992 tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens [The application of the purpose specification principle in the Belgian data protection act of 8 December 1992], Tijdschrift voor Privaatrecht 1993, vol. 4, p. 1409-1477.
53. Opinion 1/2010, l.c., 15.
54. P. Van Eecke and M. Truyens, Privacy and social networks, l.c., 539.
55. B. Van Alsenoy, J. Ballet, A. Kuczerawy and J. Dumortier, Social networks and web 2.0: are users also bound by data protection regulations?, l.c., 70.
56. See e.g. Opinion 1/2010, l.c., 26.
57. See also T. Olsen and T. Mahler, Identity management and data protection law: Risk, responsibility and compliance in Circles of Trust - Part II, l.c., 419.
58. Opinion 1/2010, l.c., 18.
59. Opinion 1/2010, l.c., 18.
60. Olsen and Mahler have developed an interesting visual representation of the different degrees of collaboration among (co-)controllers. See T. Olsen and T. Mahler, Identity management and data protection law: Risk, responsibility and compliance in Circles of Trust e Part II, l.c., 419-420.
61. See also J. Alhadeff and B. Van Alsenoy (eds.), D6.2 Contractual Framework, l.c., 33 et seq.
62. See also A. Joint and E. Baker, Knowing the past to understand the present - issues in the contracting for cloud based services, Computer Law & Security Review 2011, Vol. 24, Issue 4, 408.
63. See O. Lando and H. Beale (eds.), Principles of European Contract Law e Parts I and II, prepared by the Commission on European Contract Law, Kluwer Law International, The Hague (Netherlands), 2000, 197 et seq. The full text of the Principles of European Contract Law is also available at http://frontpage.cbs. dk/law/commission-on-european-contract-law/PECL%20engelsk/engelsk-partI-og-II. htm (last accessed 28 November 2008).
64. Even where the agent exceeds his authority, his actions might still be attributed to the principal under the theory of apparent authority. For more information see also B. Van Alsenoy, D. De Cock, K. Simoens, J. Dumortier and B. Preneel, Delegation and digital mandates: Legal requirements and security objectives, Computer, Law and Security Review 2009, Vol. 25, no 5, 415-420.
65. Opinion 1/2010, l.c., 25.
66. See Opinion 1/2010, l.c., 25. See also supra; Section 3.2.1.2).
67. D. Bainbridge, o.c., 45-46
68. and T. Olsen and T. Mahler, Identity management and data protection law: Risk, responsibility and compliance in Circles of Trust - Part II, l.c., 419.)
69. Opinion 1/2010, l.c., 26. See also supra; Section 2.
70. See also C. Kuner, o.c., 70;
71. T. Olsen and T. Mahler, Identity management and data protection law: Risk, responsibility and compliance in Circles of Trust e Part II, l.c., 420;
72. B. Van Alsenoy, J. Ballet, A. Kuczerawy and J. Dumortier, Social networks and web 2.0: are users also bound by data protection regulations?, l.c., 72.
73. Opinion 1/2010, l.c., 25.
74. See articles 25-26 of the Directive. Article 26 (2) has provided the basis for the use of contractual clauses as a means to enable transfers to jurisdictions not providing an adequate level of protection. Pursuant to the powers conferred by article 26 (4), the Commission has developed standard contractual clauses for transfers to both data controllers and data processors established outside the EU/EEA. See http://ec.europa.eu/justice/policies/ privacy/modelcontracts/index-en.htm.
75. For more information on the regulation of transborder data flows see C. Kuner, Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present, and Future, TILT (Tilburg Institute for Law, Technology and Society) Law & Technology Working Paper Series, 90p., available at http://www.tilburguniversity.edu/research/institutes-and-research-groups/tilt/ publications/workingpapers/ckuner16.pdf (last accessed 1 August 2011).
76. Opinion 1/2010, l.c., 19. Olsen and Mahler have qualified such modes of collaboration as being one among collaborating single controllers. See T. Olsen and T. Mahler, Identity management and data protection law: Risk, responsibility and compliance in Circles of Trust - Part II, l.c., 419.
77. See Opinion 1/2010, p. 18-19. See also supra; Section 3.2.1.
78. Opinion 1/2010, l.c., 24.
79. Opinion 1/2010, l.c., 24.
80. See e.g. C. Kuner, o.c., 72;
81. Th. Leonard, Data processor and Data controller - Are these concepts still adequate?, l.c., slides 10-15;
82. N. Robinson, H. Graux, M. Botterman, L. Valeri, Review of the European Data Protection Directive, RAND Europe, 2009, 36, available at http://www.ico.gov.uk/upload/documents/library/data-protection/ detailed-specialist-guides/review-of-eu-dp-directive.pdf (last accessed 10 January 2011);
83. The European Privacy Officers Forum (EPOF), Comments on the Review of European Data Protection Framework, December 2009, 1, available at http://ec.europa.eu/justice/news/consulting-public/0003/contributions/ organisations-not-registered/epof-en.pdf (last accessed 1 August 2011);
84. P. Van Eecke, M. Truyens et al. (eds.), The future of online privacy and data protection, l.c., 32.
85. See e.g. P. Van Eecke and M. Truyens, Privacy and social networks, l.c., 537-539;
86. W. Kuan Hon, C. Millard and I. Walden, Who is Responsible for Personal Data in Cloud Computing? The Cloud of Unknowing, Part 2, Queen Mary University of London, School of Law, Legal Studies Research Paper No. 77/2011, in particular p. 10-11 and 24;
87. O. Tene, Privacy: The new generations, l.c., 26;
88. J.M. Van Gyseghem, Cloud computing et protection des données àcaractère personnel: mise en ménage possible?, Revue du Droit des Technologies de lInformation 2011, vol. 42, in particular p. 40 et seq.;
89. Information Commissioners Office (ICO), The Information Commissioners (United Kingdom) response to the European Commissions consultation on the legal framework for the fundamental right to protection of personal data in the European Union. A Communication from the European Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions on 4 November 2010, 14 January 2011, 9, available at http://www.ico.gov.uk/w/media/documents/library/Data-Protection/ Detailed-specialist-guides/european-commission-dp
90. See in particular P. Van Eecke and M. Truyens, Privacy and social networks, l.c., 537;
91. W. Kuan Hon, C. Millard and I. Walden, Who is Responsible for Personal Data in Cloud Computing? The Cloud of Unknowing, Part 2, l.c., 24.
92. See in particular C. Kuner, o.c., 72;
93. P. Van Eecke, M. Truyens et al. (eds.), The future of online privacy and data protection, l.c., 32;
94. J.M. Van Gyseghem, Cloud computing et protection des donné es àcaractère personnel: mise en ménage possible ?, l.c., 40.
95. O. Tene, Privacy: The new generations, l.c., 26; Information Commissioners Office (ICO), The Information Commissioners (United Kingdom) response to the European Commissions consultation on the legal framework for the fundamental right to protection of personal data in the European Union, l.c., 9.
96. Opinion 1/2010, l.c., 6.
97. A prime example in this regard is identity federation. See T. Olsen and T. Mahler, Identity management and data protection law: Risk, responsibility and compliance in Circles of Trust - Part II, l.c., 417-420.
98. P. Van Eecke and M. Truyens, Privacy and social networks, l.c., 538 (in relation to the role of users of social networks as data controllers within social networks). While the cited authors refer to the decision-making power of individual social network users, similar considerations apply in relation to the interaction among organisations.
99. See C. Reed, The Law of Unintended Consequences - Embedded Business Models in IT Regulation, l.c., in particular paragraphs 26 through 39.
100. See also B. Van Alsenoy, J. Ballet, A. Kuczerawy and J. Dumortier, Social networks and web 2.0: are users also bound by data protection regulations?, l.c., 69.
101. See also J. Alhadeff and B. Van Alsenoy (eds.), D6.2 Contractual Framework, l.c., 44.
102. See Opinion 1/2010, l.c., 19 and 22.
103. Opinion 1/2010, l.c., in particular 13 and 25.
104. See also Th. Leonard, Data processor and Data controller - Are these concepts still adequate?, l.c., slides 9-11.
105. See also J. Alhadeff and B. Van Alsenoy (eds.), D6.2 Contractual Framework, l.c., 32.
106. See also P. Van Eecke and M. Truyens, Privacy and social networks, l.c., 537.
107. This is for instance the case for so-called integrated services, where the final service delivered to the end-user is the result of a complex value chain, which may involve any number of intermediary processing operations (e.g., authentication, authorization, discovery, retrieval, enrichment, etc.). See also J. Alhadeff and B. Van Alsenoy (eds.), D6.2 Contractual Framework, l.c., 31-32.
108. For an example see also the recent report issued by the Biometrics & eGovernment Subgroup of the Working Party in relation to the STORK project (acknowledging that the subgroup was not able to come to a concordant conclusion as to whether or not a pan European proxy service (PEPS) should be considered as a (co-)controller or processor; despite the guidance provided by the Article 29 Working Party in Opinion 1/2010. (Article 29 Data Protection Working Party, Biometrics & eGovernment Subgroup, Written Report concerning the STORK Project, Ref.Ares(2011) 424406, 15 April 2011, 6-7, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/others/ 2011-04-15-letter-artwp-atos-origin-annex-en.pdf, last accessed 1 August 2011).
109. See also J. Alhadeff and B. Van Alsenoy (eds.), D6.2 Contractual Framework, l.c., 32;
110. T. Olsen and T. Mahler, Identity management and data protection law: Risk, responsibility and compliance in Circles of Trust - Part II, l.c., 419;
111. C. Kuner, o.c., 70.
112. See Opinion 1/2010, l.c., 17-22.
113. Th. Leonard, Data processor and Data controller - Are these concepts still adequate?, l.c., slide 9.
114. See also P. Van Eecke, M. Truyens et al. (eds.), The future of online privacy and data protection, l.c., 33.
115. This issue is also implicitly acknowledged by the Working Party itself in Opinion 1/2010, in relation to the choice of security measures: in some legal systems decisions taken on security measures are particularly important, since security measures are explicitly considered as an essential characteristic to be defined by the controller. This raises the issue of which decisions on security may entail the qualification of controller for a company to which processing has been outsourced. See also W. Kuan Hon, C. Millard and I. Walden, Who is Responsible for Personal Data in Cloud Computing? The Cloud of Unknowing, Part 2, l.c., 10-11.
116. See also P. Van Eecke and M. Truyens, Privacy and social networks, l.c., 539 (criticizing WP169 for reading the definition of a controller as an entity which determines the purpose or essential means of the processing).
117. See also European Court of Justice, Göta hovrä tt (Sweden) v. Bodil Lindqvist, C-101/01, 6 November 2003, at paragraph 86: As regards Directive 95/46 itself, its provisions are necessarily relatively general since it has to be applied to a large number of very different situations.
118. See also C. Kuner, o.c., 72.
119. See also Opinion 1/2010, l.c., 24.
120. Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, WP171, 22 June 2010, 11-12, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171-en.pdf (last accessed 12 December 2010). This excerpt concerns the practice whereby publishers, who rent out advertising spaces on their websites, may redirect users to the webpage of an ad network provider, thereby enabling a transfer of personal information (see also Opinion 1/2010, l.c., 23). Although Opinion 2/2010 makes clear that the obligation to inform may also stem from other legal provisions, the language of this opinion strongly suggests that the publisher may often be considered to act as a (joint) controller with regard to the redirection of the user to the webpage of the ad network provider (and the transfer of the users IP-address which takes place as a result of this re-direction).
121. Given the contractual flexibility that is afforded to joint controllers, an alternative resolution to this situation would be to say that the publisher should bind the ad network to accommodate those data subject rights which it cannot accommodate itself (but for which it is nevertheless legally responsible). At most, insofar as the publisher does not (and has never) maintain(ed) any records of these processing operations for which it is considered to act as a joint controller, the publisher could initially respond to an access request by explaining the manner in which the users data has been processed (i.e. in order to facilitate behavioural advertising), and by providing additional information as to the recipients to whom the data has been disclosed. However, the publisher would still need to ensure that it is in a position to obtain access to said data if it is explicitly requested by the data subject. Regarding the duration of time during which a controller must be able to respond to an access request by data subjects and the contents of this response see European Court of Justice, College van burgemeester en wethouders van Rotterdam v. M.E.E. Rijkeboer, C-553/07, 7 May 2009, available at http://curia.europa.eu/).
122. See also the case commentary provided by C. Deterwangne, Létendue dans le temps du droit daccès aux informations sur les destinataires de données àcaractère personnel, Revue du Droit des Technologies de lInformation 2011, vol. 43, 73-81.
123. Opinion 1/2010, l.c., 4.
124. Opinion 1/2010, l.c., 7. See also C. Kuner, o.c., 72.
125. As was for instance the case with SWIFT. See Article 29 Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), l.c., 10.
126. See W. Kuan Hon, C. Millard and I. Walden, Who is Responsible for Personal Data in Cloud Computing? The Cloud of Unknowing, Part 2, l.c., 28.
127. See Opinion 1/2010, l.c., 22.
128. Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, available at http://laws.justice.gc.ca/PDF/Statute/P/ P-8.6.pdf (last accessed 30 November 2010).
129. See also W. Kuan Hon, C. Millard and I. Walden, Who is Responsible for Personal Data in Cloud Computing? The Cloud of Unknowing, Part 2, l.c., 28.
130. The principle of accountability has received considerable attention in recent policy discourses concerning the future regulation of data protection in the EU (see e.g. Article 29 Data Protection Working Party, Opinion 3/2010 on the principle of accountability, WP 173, 13 July 2010, 3, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp173-en.pdf, last accessed 8 February 2011;
131. European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, November 2010, Brussels, COM(2010) 609 final, 12, available at http://ec.europa.eu/justice/news/consulting-public/0006/com-2010-609-en.pdf, last accessed 8 February 2011).
132. Readers familiar with these discussions shall be aware that accountability is a relatively amorphous concept, which can mean different things to different people (see also A. Sinclair, The Chameleon of Accountability: Forms and Discourses, Accounting, Organizations and Society 1995, vol. 20, no 2/3, 219;
133. M. Bovens, Analysing and Assessing Accountability: A conceptual Framework, European Law Journal 2007, vol. 13, no. 4, 448).
134. For more information on the different meanings associated with accountability, as well as the role that the accountability principle has played in various instruments of data protection over time see J. Alhadeff, B. Van Alsenoy and J. Dumortier, The accountability principle in data protection regulation: origin, development and future directions, paper presented at the Privacy and Accountability conference organized by the PATS project in Berlin, 5-6 April 2011 (proceedings pending), draft version available at http://papers.ssrn.com/sol3/papers.cfm?abstract-id=1933731.
135. Office of the Privacy Commissioner of Canada, PIPEDA - Processing Personal Data Across Borders Guidelines, 2009, 8, available at http://www.priv.gc.ca/information/guide/2009/gl-dab-090127-e.pdf (last accessed 1 December 2010).
136. J. Alhadeff, B. Van Alsenoy and J. Dumortier, The accountability principle in data protection regulation: origin, development and future directions, l.c., 9.
137. One should however note that the accountability chain-approach (which underlies both PIPEDA as well as Directive 95/46/EC) is also subject to criticism. See M. Burdon, Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws University of Illinois Journal of Law, Technology and Policy 2010, vol. 1, 1-50 (in particular p. 32-35)
138. and M. Burdon, Contextualizing the tensions and weaknesses of information privacy and data breach notification laws, Santa Clara Computer & High Technology Law Review 2011, vol. 27, 63-129 (in particular at p. 98, 103 and 118).
139. While a detailed analysis into these criticisms is beyond the scope of this paper, it would seem that the main criticism set forth by this author pertains to the reductionist scope of information privacy law, which due to its overt focus on processes rather than substantive privacy issues fails to provide an appropriate regulatory response to many privacy concerns. (For an extensive analysis of the differences in scope, goals and type of protection by data protection regulation and the fundamental right to privacy respectively, see P. De Hert and S. Gutwirth, Data Protection and the Case Law of Strasbourg and Luxemburg: Constitutionalism in Action, in S. Gutwirth, Y. Poullet, P. De Hert, J. Nouwt and C. De Terwangne (eds.), Reinventing data protection?, Springer Science, Dordrecht, 2009, 3-44). The aim of this paper is not, as indicated in the introduction, to discuss the limits of data protection regulation as such. Rather, its objective is to evaluate the extent to which the current definitions of roles and responsibilities under Directive 95/46/EC (and the distinction between controllers and processors in particular) may still be considered useful and adequate in achieving the Directives core objectives.