Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Addressing the Responsibility Gap in Data Protection by Design: Towards a More Future-oriented, Relational, and Distributed Approach
Stockholm University, Faculty of Law, Department of Law, The Swedish Law and Informatics Research Institute.
2022 (English)In: Tilburg Law Review, ISSN 2211-0046, Vol. 27, no 1, p. 1-21Article in journal (Refereed) Published
Abstract [en]

This paper explores the extent to which technology providers are responsible to end users for embedding data protection rules in the AI systems they design and develop, so as to safeguard the fundamental rights to privacy and data protection. The main argument set forth is that a relational rationale, requiring a broader range of actors in the supply chain to share legal responsibility for Data Protection by Design (DPbD) is better suited to address infringements to these fundamental rights than the current model that assigns responsibility mainly to the data controller or data processor. Reconceptualizing the law in a more future-oriented, relational, and distributed way would make it possible to adapt legal rules – including those within the GDPR and the continuously evolving EU acquis – to the complex reality of technology development, at least partly addressing the responsibility gap in DPbD.

A future-oriented conception of responsibility would require technology providers to adopt more proactive approaches to DPbD, even where they are unlikely to qualify as a controller. A relational approach to DPbD would require technology providers to bear greater responsibilities to those individuals or groups that are affected by their design choices. A distributed approach to DPbD would allow for downstream actors in the supply chain to bear part of the legal responsibility for DPbD by relying on legal requirements that are applicable to various actors in the supply chain supporting DPbD such as those found in contract law, liability law, and the emerging EU acquis governing AI, data, and information security.

Place, publisher, year, edition, pages
2022. Vol. 27, no 1, p. 1-21
Keywords [en]
Data Protection by Design, technology providers, GDPR, AI Act, responsibility
National Category
Law (excluding Law and Society)
Identifiers
URN: urn:nbn:se:su:diva-215106DOI: 10.5334/tilr.274ISI: 001000908400001Scopus ID: 2-s2.0-85151292444OAI: oai:DiVA.org:su-215106DiVA, id: diva2:1740034
Available from: 2023-02-28 Created: 2023-02-28 Last updated: 2024-05-24Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records

Colonna, Liane

Search in DiVA

By author/editor
Colonna, Liane
By organisation
The Swedish Law and Informatics Research Institute
In the same journal
Tilburg Law Review
Law (excluding Law and Society)

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 73 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf