Computers and Society 8 JAN, 2016

The control over personal data: True remedy or fairy tale ?

The control over personal data: True remedy or fairy tale ?

This research report undertakes an interdisciplinary review of the concept of “control” (i.e. the idea that people should have greater “control” over their data), proposing an analysis of this con-cept in the field of law and computer science. Despite the omnipresence of the notion of control in the EU policy documents, scholarly literature and in the press, the very meaning of this concept remains surprisingly vague and under-studied in the face of contemporary socio-technical environments and practices. Beyond the current fashionable rhetoric of empowerment of the data subject, this report attempts to reorient the scholarly debates towards a more comprehensive and refined understanding of the concept of control by questioning its legal and technical implications on data subject^as agency.

💡 Research Summary

The paper undertakes a comprehensive interdisciplinary review of the notion of “control” over personal data, focusing on its legal and technical dimensions. It begins by noting the prevalence of the control rhetoric in EU policy documents, academic literature, and media, while highlighting the conceptual vagueness that persists despite its frequent use. The authors then dissect the legal framework, primarily the General Data Protection Regulation (GDPR), to show that although the regulation grants data subjects a suite of rights—access, rectification, erasure, portability, and objection—the actual exercise of these rights is hampered by procedural complexity, ambiguous implementation guidelines, and the discretionary power of data controllers. The paper argues that the law often assumes a level of technical transparency and user agency that does not exist in practice.

Turning to computer science, the authors map the full data lifecycle—collection, storage, processing, and deletion—and illustrate how technical architectures impede genuine control. They discuss how log files, cookies, and sensor data are automatically harvested and stored in ways that make retroactive deletion difficult. Machine‑learning models further complicate matters because personal data embedded in model parameters cannot be simply “forgotten” without retraining. The authors also examine emerging technologies such as blockchain, noting that while they increase transparency, their immutable nature creates a paradox for the right to be forgotten.

To bridge the gap between law and technology, the paper revisits the principle of Privacy‑by‑Design (PbD). Rather than treating PbD as a high‑level policy statement, the authors propose concrete architectural components: (1) a Data Subject Interface that visualises data flows and offers granular consent controls; (2) an Automated Rights‑Enforcement Engine that detects user requests in real time and propagates them across all subsystems; and (3) a Transparency Log that records every processing activity and rights‑exercise event for audit by regulators and civil‑society watchdogs. These tools aim to operationalise the abstract legal rights, making them enforceable at the system level.

Nevertheless, the authors caution that such technical solutions are not universally applicable. In large‑scale data ecosystems, multiple controllers and processors are bound by complex contractual and economic relationships. Implementing a uniform control mechanism may clash with existing service‑level agreements, competition pressures, or cross‑border data transfer constraints. Consequently, the paper advocates for a “feasibility‑based” regulatory approach that incorporates technical constraints into the drafting of legal norms, encouraging iterative feedback loops between legislators, technologists, and industry stakeholders.

In its conclusion, the paper asserts that the current discourse on data control is overly idealistic and neglects the intertwined legal, technical, and economic realities. It calls for sustained interdisciplinary research, real‑world pilots, and policy‑tech co‑design to move beyond rhetorical empowerment toward genuine agency for data subjects. Only through such coordinated effort can the promise of “control” evolve from a fairy‑tale narrative into a practical remedy.