[MyData & Open Data] Data Subject = Data Controller - is it common?
William Heath
william.heath at mydex.org
Tue Mar 17 18:28:55 UTC 2015
What we do is to add a contractual layer to existing legal/compliance
regime such as it is. When push comes to shove we have an enforceable
contract. But that's some way away; all present focus is on establishing
contracts, activating connections and achieving viability.
William
On 17 March 2015 at 17:35, Mark Lizar <mark.lizar at gmail.com> wrote:
> Hi William,
>
> Good to see you a response from you.
>
> Its very interesting how Data Control is so obfuscated in this day and
> age. Legally it may be easy to differentiate, but, personal data control
> is a different compliance paradigm than data protection. Have you
> considered compliance issues in this context?
>
>
> Mark
>
> On 17 Mar 2015, at 13:11, William Heath <william.heath at mydex.org> wrote:
>
> Hi Jogi & Reuben
>
> Yes, Mydex is set up so the individual ("data subject") is the data
> controller, and can also be data processor. This is because they and only
> they have the key which decrypts the data and provides access. Mydex CIC
> cannot see the data. In due course we anticipate the individual can be
> processor also, but that depends on the emergence of apps that emerge for
> use under the control of the individual. The legal work was done by Pinsent
> Masons.
>
>
> William
>
> On 17 March 2015 at 13:02, Reuben Binns <r at reubenbinns.com> wrote:
>
>> Hi,
>>
>> This is indeed a grey area. When I've raised the possibility with data
>> protection experts, most have expressed doubt that this would hold up in
>> court.
>>
>> However, I seem to recall William Heath from Mydex saying that they see
>> their users as both data subject and data controller. I think he
>> mentioned that they had consulted with one of the big legal firms in the
>> UK who suggested that this arrangement could pass muster. Perhaps you
>> could enlighten us, William?
>>
>> Personally, I think it should really depend on how the service is set up
>> at a technical level. If the individual's data is stored with the
>> service provider, but encrypted with the user's key in the cloud, such
>> that the provider can't decrypt it, then there is a case to be made that
>> the individual is the data controller. In this situation the individual
>> is essentially in the same position as any service built on top of a
>> cloud computing platform (pretty much everything these days) - they
>> would be considered the data controller, not the cloud provider.
>>
>> Things get really tricky when you consider that some of the duties of
>> data controllers are impossible to fulfil in a scenario where they
>> cannot decrypt the data. How can the service provider ensure that the
>> data is accurate and up-to-date, or respond to subject access requests,
>> if it's just an encrypted blob? The regulations just weren't designed
>> for this kind of arrangement, and they begin to look like nonsense in
>> light of it.
>>
>> In practice, this is unlikely to apply to the services you mention, as
>> they probably involve cloud *computing* (rather than simply cloud
>> storage), and this is very difficult (maybe impossible) on encrypted
>> data. Encryption only really protect data to and from the cloud - if you
>> want to do anything with it once it's in the cloud it will probably need
>> to be decrypted there, and at that point, I think the provider should be
>> considered a data controller.
>>
>> I'd be interested to hear what others think.
>>
>> -Reuben
>>
>>
>>
>> > Message: 1
>> > Date: Mon, 16 Mar 2015 17:59:25 +0200
>> > From: Antti Jogi Poikola <antti.poikola at gmail.com>
>> > To: Mydata Open Data <mydata-open-data at lists.okfn.org>
>> > Cc: Nomi Bystr?m <nomi.bystrom at helsinki.fi>
>> > Subject: [MyData & Open Data] Data Subject = Data Controller - is it
>> > common?
>> > Message-ID:
>> > <CAPW_oUpWKY+qB2iTPi4r=
>> AvjshW8-pMOH0q0OiU3h4BeVH8Jkg at mail.gmail.com>
>> > Content-Type: text/plain; charset="utf-8"
>> >
>> > Hi,
>> >
>> > recently I have learned about couple of Finnish digital services (one
>> > related to personal finances and other to personal consumption), where
>> the
>> > juridical arrangement was such that the service provider was not
>> considered
>> > data controller, but only data processor who worked on behalf of the
>> > individual who was at the same time data subject and data controller.
>> >
>> > Is this common practice - do you know any cases?
>> >
>> > How does this impact to individuals rights over his own data?
>> >
>> > What are the implications, pros and cons?
>> >
>> > -Jogi
>> >
>> >
>> > --
>> > +358 44 337 5439
>> > about.me/apoikola
>> > -------------- next part --------------
>> > An HTML attachment was scrubbed...
>> > URL: <
>> http://lists.okfn.org/pipermail/mydata-open-data/attachments/20150316/68cb63fe/attachment-0001.html
>> >
>> >
>> > ------------------------------
>>
>>
> _______________________________________________
> mydata-open-data mailing list
> mydata-open-data at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/mydata-open-data
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.okfn.org/pipermail/mydata-open-data/attachments/20150317/f9aea813/attachment-0003.html>
More information about the mydata-open-data
mailing list