[MyData & Open Data] Data Subject = Data Controller - is it common?

Tue Mar 17 17:35:23 UTC 2015

Hi William, 

Good to see you a response from you. 

Its very interesting how Data Control is so obfuscated in this day and age.  Legally it may be easy to differentiate, but, personal data control is a different compliance paradigm than data protection.  Have you considered compliance issues in this context? 

Mark 

> On 17 Mar 2015, at 13:11, William Heath <william.heath at mydex.org> wrote:
> 
> Hi Jogi & Reuben
> 
> Yes, Mydex is set up so the individual ("data subject") is the data controller, and can also be data processor. This is because they and only they have the key which decrypts the data and provides access. Mydex CIC cannot see the data. In due course we anticipate the individual can be processor also, but that depends on the emergence of apps that emerge for use under the control of the individual. The legal work was done by Pinsent Masons. 
> 
> 
> William 
> 
> On 17 March 2015 at 13:02, Reuben Binns <r at reubenbinns.com <mailto:r at reubenbinns.com>> wrote:
> Hi,
> 
> This is indeed a grey area. When I've raised the possibility with data
> protection experts, most have expressed doubt that this would hold up in
> court.
> 
> However, I seem to recall William Heath from Mydex saying that they see
> their users as both data subject and data controller. I think he
> mentioned that they had consulted with one of the big legal firms in the
> UK who suggested that this arrangement could pass muster. Perhaps you
> could enlighten us, William?
> 
> Personally, I think it should really depend on how the service is set up
> at a technical level. If the individual's data is stored with the
> service provider, but encrypted with the user's key in the cloud, such
> that the provider can't decrypt it, then there is a case to be made that
> the individual is the data controller. In this situation the individual
> is essentially in the same position as any service built on top of a
> cloud computing platform (pretty much everything these days) - they
> would be considered the data controller, not the cloud provider.
> 
> Things get really tricky when you consider that some of the duties of
> data controllers are impossible to fulfil in a scenario where they
> cannot decrypt the data. How can the service provider ensure that the
> data is accurate and up-to-date, or respond to subject access requests,
> if it's just an encrypted blob? The regulations just weren't designed
> for this kind of arrangement, and they begin to look like nonsense in
> light of it.
> 
> In practice, this is unlikely to apply to the services you mention, as
> they probably involve cloud *computing* (rather than simply cloud
> storage), and this is very difficult (maybe impossible) on encrypted
> data. Encryption only really protect data to and from the cloud - if you
> want to do anything with it once it's in the cloud it will probably need
> to be decrypted there, and at that point, I think the provider should be
> considered a data controller.
> 
> I'd be interested to hear what others think.
> 
> -Reuben
> 
> 
> 
> > Message: 1
> > Date: Mon, 16 Mar 2015 17:59:25 +0200
> > From: Antti Jogi Poikola <antti.poikola at gmail.com <mailto:antti.poikola at gmail.com>>
> > To: Mydata Open Data <mydata-open-data at lists.okfn.org <mailto:mydata-open-data at lists.okfn.org>>
> > Cc: Nomi Bystr?m <nomi.bystrom at helsinki.fi <mailto:nomi.bystrom at helsinki.fi>>
> > Subject: [MyData & Open Data] Data Subject = Data Controller - is it
> >       common?
> > Message-ID:
> >       <CAPW_oUpWKY+qB2iTPi4r=AvjshW8-pMOH0q0OiU3h4BeVH8Jkg at mail.gmail.com <mailto:AvjshW8-pMOH0q0OiU3h4BeVH8Jkg at mail.gmail.com>>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi,
> >
> > recently I have learned about couple of Finnish digital services (one
> > related to personal finances and other to personal consumption), where the
> > juridical arrangement was such that the service provider was not considered
> > data controller, but only data processor who worked on behalf of the
> > individual who was at the same time data subject and data controller.
> >
> > Is this common practice - do you know any cases?
> >
> > How does this impact to individuals rights over his own data?
> >
> > What are the implications, pros and cons?
> >
> > -Jogi
> >
> >
> > --
> > +358 44 337 5439
> > about.me/apoikola <http://about.me/apoikola>
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: <http://lists.okfn.org/pipermail/mydata-open-data/attachments/20150316/68cb63fe/attachment-0001.html <http://lists.okfn.org/pipermail/mydata-open-data/attachments/20150316/68cb63fe/attachment-0001.html>>
> >
> > ------------------------------
> 
> 
> _______________________________________________
> mydata-open-data mailing list
> mydata-open-data at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/mydata-open-data

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.okfn.org/pipermail/mydata-open-data/attachments/20150317/3c175c15/attachment-0003.html>