Device Manufacturers as Controllers: Expanding the Concept of ‘Controllership’ in the GDPR

Research output: Contribution to journalJournal articlepeer-review

Standard

Device Manufacturers as Controllers : Expanding the Concept of ‘Controllership’ in the GDPR . / Dahi, Alan; Corrales Compagnucci, Marcelo.

In: Computer Law and Security Review, Vol. 47, 105762, 2022.

Research output: Contribution to journalJournal articlepeer-review

Harvard

Dahi, A & Corrales Compagnucci, M 2022, 'Device Manufacturers as Controllers: Expanding the Concept of ‘Controllership’ in the GDPR ', Computer Law and Security Review, vol. 47, 105762. https://doi.org/10.1016/j.clsr.2022.105762

APA

Dahi, A., & Corrales Compagnucci, M. (2022). Device Manufacturers as Controllers: Expanding the Concept of ‘Controllership’ in the GDPR . Computer Law and Security Review, 47, [105762]. https://doi.org/10.1016/j.clsr.2022.105762

Vancouver

Dahi A, Corrales Compagnucci M. Device Manufacturers as Controllers: Expanding the Concept of ‘Controllership’ in the GDPR . Computer Law and Security Review. 2022;47. 105762. https://doi.org/10.1016/j.clsr.2022.105762

Author

Dahi, Alan ; Corrales Compagnucci, Marcelo. / Device Manufacturers as Controllers : Expanding the Concept of ‘Controllership’ in the GDPR . In: Computer Law and Security Review. 2022 ; Vol. 47.

Bibtex

@article{be90ed76c7ee4430ba420bd6fc8d657d,
title = "Device Manufacturers as Controllers: Expanding the Concept of {\textquoteleft}Controllership{\textquoteright} in the GDPR ",
abstract = "In the past, AI-devices offloaded their processing to the cloud, clearly implicating the provider of the cloud as either a controller or a processor under the General Data Protection Regulation (GDPR). Increasingly, however, AI-driven processing is moving away from the cloud. Dedicated AI chipsets embedded in mobile clients and various edge devices now provide on-device predictions. A smart phone can screen for skin melanomas without sending any data to the cloud or app developer, and a bedside patient monitoring system can process locally in the hospital without sending any personal data to the device manufacturer. Such localised processing reveals underlying problems of how responsibility within data protection is allocated. For example, device manufacturers are typically deemed to fall outside the scope of the GDPR. This paper argues that the current understanding of the controller/processor framework is too narrow in scope and calls for a revised understanding of the framework. This is demonstrated through various processing scenarios and a teleological interpretation of the GDPR and CJEU decisions.",
author = "Alan Dahi and {Corrales Compagnucci}, Marcelo",
year = "2022",
doi = "10.1016/j.clsr.2022.105762",
language = "English",
volume = "47",
journal = "Computer Law and Security Review",
issn = "0267-3649",
publisher = "Elsevier Advanced Technology",

}

RIS

TY - JOUR

T1 - Device Manufacturers as Controllers

T2 - Expanding the Concept of ‘Controllership’ in the GDPR

AU - Dahi, Alan

AU - Corrales Compagnucci, Marcelo

PY - 2022

Y1 - 2022

N2 - In the past, AI-devices offloaded their processing to the cloud, clearly implicating the provider of the cloud as either a controller or a processor under the General Data Protection Regulation (GDPR). Increasingly, however, AI-driven processing is moving away from the cloud. Dedicated AI chipsets embedded in mobile clients and various edge devices now provide on-device predictions. A smart phone can screen for skin melanomas without sending any data to the cloud or app developer, and a bedside patient monitoring system can process locally in the hospital without sending any personal data to the device manufacturer. Such localised processing reveals underlying problems of how responsibility within data protection is allocated. For example, device manufacturers are typically deemed to fall outside the scope of the GDPR. This paper argues that the current understanding of the controller/processor framework is too narrow in scope and calls for a revised understanding of the framework. This is demonstrated through various processing scenarios and a teleological interpretation of the GDPR and CJEU decisions.

AB - In the past, AI-devices offloaded their processing to the cloud, clearly implicating the provider of the cloud as either a controller or a processor under the General Data Protection Regulation (GDPR). Increasingly, however, AI-driven processing is moving away from the cloud. Dedicated AI chipsets embedded in mobile clients and various edge devices now provide on-device predictions. A smart phone can screen for skin melanomas without sending any data to the cloud or app developer, and a bedside patient monitoring system can process locally in the hospital without sending any personal data to the device manufacturer. Such localised processing reveals underlying problems of how responsibility within data protection is allocated. For example, device manufacturers are typically deemed to fall outside the scope of the GDPR. This paper argues that the current understanding of the controller/processor framework is too narrow in scope and calls for a revised understanding of the framework. This is demonstrated through various processing scenarios and a teleological interpretation of the GDPR and CJEU decisions.

U2 - 10.1016/j.clsr.2022.105762

DO - 10.1016/j.clsr.2022.105762

M3 - Journal article

VL - 47

JO - Computer Law and Security Review

JF - Computer Law and Security Review

SN - 0267-3649

M1 - 105762

ER -

ID: 287694036