[MyData & Open Data] Data Subject = Data Controller - is it common?

Reuben Binns r at reubenbinns.com
Tue Mar 17 13:02:41 UTC 2015


Hi,

This is indeed a grey area. When I've raised the possibility with data
protection experts, most have expressed doubt that this would hold up in
court.

However, I seem to recall William Heath from Mydex saying that they see
their users as both data subject and data controller. I think he
mentioned that they had consulted with one of the big legal firms in the
UK who suggested that this arrangement could pass muster. Perhaps you
could enlighten us, William?

Personally, I think it should really depend on how the service is set up
at a technical level. If the individual's data is stored with the
service provider, but encrypted with the user's key in the cloud, such
that the provider can't decrypt it, then there is a case to be made that
the individual is the data controller. In this situation the individual
is essentially in the same position as any service built on top of a
cloud computing platform (pretty much everything these days) - they
would be considered the data controller, not the cloud provider.

Things get really tricky when you consider that some of the duties of
data controllers are impossible to fulfil in a scenario where they
cannot decrypt the data. How can the service provider ensure that the
data is accurate and up-to-date, or respond to subject access requests,
if it's just an encrypted blob? The regulations just weren't designed
for this kind of arrangement, and they begin to look like nonsense in
light of it.

In practice, this is unlikely to apply to the services you mention, as
they probably involve cloud *computing* (rather than simply cloud
storage), and this is very difficult (maybe impossible) on encrypted
data. Encryption only really protect data to and from the cloud - if you
want to do anything with it once it's in the cloud it will probably need
to be decrypted there, and at that point, I think the provider should be
considered a data controller.

I'd be interested to hear what others think.

-Reuben



> Message: 1
> Date: Mon, 16 Mar 2015 17:59:25 +0200
> From: Antti Jogi Poikola <antti.poikola at gmail.com>
> To: Mydata Open Data <mydata-open-data at lists.okfn.org>
> Cc: Nomi Bystr?m <nomi.bystrom at helsinki.fi>
> Subject: [MyData & Open Data] Data Subject = Data Controller - is it
> 	common?
> Message-ID:
> 	<CAPW_oUpWKY+qB2iTPi4r=AvjshW8-pMOH0q0OiU3h4BeVH8Jkg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi,
> 
> recently I have learned about couple of Finnish digital services (one
> related to personal finances and other to personal consumption), where the
> juridical arrangement was such that the service provider was not considered
> data controller, but only data processor who worked on behalf of the
> individual who was at the same time data subject and data controller.
> 
> Is this common practice - do you know any cases?
> 
> How does this impact to individuals rights over his own data?
> 
> What are the implications, pros and cons?
> 
> -Jogi
> 
> 
> -- 
> +358 44 337 5439
> about.me/apoikola
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.okfn.org/pipermail/mydata-open-data/attachments/20150316/68cb63fe/attachment-0001.html>
> 
> ------------------------------




More information about the mydata-open-data mailing list