Exploring the limits of joint control: the case of COVID-19 digital proximity tracing solutions

ABSTRACT

Referring to the judgment of the CJEU in Fashion-ID, some scholars have anticipated that, “at this rate everyone will be a [joint] controller of personal data”. This contribution follows this arguably provocative, but not entirely implausible, line of thinking. In the first part of the article, we highlight the ambiguities inherent to the concept of “joint control” and confront them with those pertaining to the notion of “identifiability”. In the second part, we investigate the effects of the broad legal test for joint control on the role of the individual user of BLE-based COVID-19 digital proximity tracing solutions. This offers the possibility to examine, at a theoretical level, whether the impact of the broad notion of joint control differs depending on the architecture of the system (i.e. centralized or decentralized). We found out that the strict application of the joint controllership test could lead to unexpected and, most likely, unintended results. First, an app user could, in theory, qualify as a joint controller with a national health authority regardless of the protocol’s architecture. Second, an actor could, again in theory, be considered as a joint controller of data that is not personal from that actor’s perspective. © 2021 Stephanie Rossello and Pierre Dewitte.