Personal data controllers and device producers: Mind the gap

IF 3.3 3区社会学 Q1 LAW

Computer Law & Security Review Pub Date : 2025-07-25 DOI:10.1016/j.clsr.2025.106172

Efstratios Koulierakis

{"title":"Personal data controllers and device producers: Mind the gap","authors":"Efstratios Koulierakis","doi":"10.1016/j.clsr.2025.106172","DOIUrl":null,"url":null,"abstract":"<div><div>It seemed well established that producing a smart device could not, by itself, render someone a personal data controller in the absence of subsequent influence over the processing operations (the influence thesis). In contrast, legal scholars have introduced a new interpretation of European data protection law that seeks to apply the General Data Protection Regulation (GDPR) to the processing operations of smart devices even if no entity influences the processing remotely after the release of the product. This approach classifies producers as personal data controllers for device-based processing (producer-controller thesis). The proponents of the producer-controller thesis highlight the increasing importance of smart devices that store data locally and the need for protecting consumers’ rights in that context. However, as this paper claims, the GDPR is not the proper legal instrument for addressing the safety standards of smart products that process data locally. These considerations relate to legislative texts that prescribe product requirements, such as the AI Act and the Cyber Resilience Act. On those grounds, the present work criticises the producer-controller thesis. As this paper concludes, expanding the concept of ‘controller’ to encompass producers of smart devices does not enhance the protection of the data subjects and does not fit within the current data protection framework of the European Union.</div></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"58 ","pages":"Article 106172"},"PeriodicalIF":3.3000,"publicationDate":"2025-07-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Law & Security Review","FirstCategoryId":"90","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2212473X25000458","RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"LAW","Score":null,"Total":0}

引用次数: 0

Abstract

It seemed well established that producing a smart device could not, by itself, render someone a personal data controller in the absence of subsequent influence over the processing operations (the influence thesis). In contrast, legal scholars have introduced a new interpretation of European data protection law that seeks to apply the General Data Protection Regulation (GDPR) to the processing operations of smart devices even if no entity influences the processing remotely after the release of the product. This approach classifies producers as personal data controllers for device-based processing (producer-controller thesis). The proponents of the producer-controller thesis highlight the increasing importance of smart devices that store data locally and the need for protecting consumers’ rights in that context. However, as this paper claims, the GDPR is not the proper legal instrument for addressing the safety standards of smart products that process data locally. These considerations relate to legislative texts that prescribe product requirements, such as the AI Act and the Cyber Resilience Act. On those grounds, the present work criticises the producer-controller thesis. As this paper concludes, expanding the concept of ‘controller’ to encompass producers of smart devices does not enhance the protection of the data subjects and does not fit within the current data protection framework of the European Union.

查看原文本刊更多论文

个人数据控制者和设备生产商：注意差距

似乎已经确定的是，在没有对处理操作产生后续影响的情况下，生产智能设备本身不能使某人成为个人数据控制者（影响论点）。相比之下，法律学者对欧洲数据保护法提出了一种新的解释，试图将《通用数据保护条例》（GDPR）适用于智能设备的处理操作，即使产品发布后没有实体远程影响处理。这种方法将生产者分类为基于设备的处理的个人数据控制器（生产者-控制器论文）。生产者-控制者理论的支持者强调了在本地存储数据的智能设备的日益重要性，以及在这种情况下保护消费者权利的必要性。然而，正如本文所述，GDPR并不是解决本地处理数据的智能产品安全标准的适当法律工具。这些考虑与规定产品要求的立法文本有关，例如《人工智能法案》和《网络弹性法案》。基于这些理由，本文对生产者-控制者理论提出了批评。正如本文所总结的那样，将“控制者”的概念扩展到智能设备的生产者并不能增强对数据主体的保护，也不适合欧盟当前的数据保护框架。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Law & Security Review LAW-

CiteScore

5.60

自引率

10.30%

发文量

审稿时长

67 days

期刊介绍： CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, Identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition it provides a regular update on European Union developments, national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.