The European Commission has introduced in the proposals of the Data Protection Reform Package, a principle according to which personal data shall be processed under the responsibility and liability of the controller, who shall ensure compliance with the provisions adopted pursuant to these instruments. While not termed expressly, this principle is expected to introduce an accountability-based approach within the European data protection framework.
The principle of accountability has gained importance in the privacy debates since the Opinion of Article 29 Working Party on the principle of accountability (2010). Accountability is approached as a way to put data protection into practice, in which the data controller could be required to demonstrate compliance with the data protection framework to supervisory authorities.
The principle of accountability is however not new to data protection. The fourteen Guideline the Organisation for Economic Co-operation and Development (OECD) Guidelines of 1981, one of the first data protection instruments, entitled “the Accountability principle” was already stating that “a data controller should be accountable for complying with measures which give effect to the principles stated above”. As detailed in the Explanatory paragraph, the introduction of this principle was motivated by the fact that “it is for his benefit that the processing of data is carried out”. Accordingly, it was seen as essential that under domestic law, accountability for complying with privacy protection rules and decisions should be placed on the data controller who should not be relieved of this obligation merely because the processing of data is carried out on his behalf by another party.
The meaning of the term “accountability” is however not always clear and needs to be further refined. Understanding what the concept of accountability entitles and how it can be articulated with other close concepts such as the ones of liability, responsibility and answerability seems however an unavoidable task in the context of PARIS project. The field of political sciences has produced abundant literature in order to grasp the different meanings of accountability. To that end, a review of the most important pieces of the literature will allow us to clarify the concepts and the different elements that should be taken into account when designing accountability mechanisms.
In a second part, this Chapter will focus on how such concept is being approached and introduced within the data protection framework. As mentioned above, the principle of accountability is there closely linked to the ones of responsibility and liability. This will allow us to identify the issues linked to the introduction of an accountability-based approach into the data protection framework, as well as a first list of elements that should be integrated into accountability mechanisms. The findings of this Chapter are also expected to base the definitive list of requirements for the design of accountable policies, procedures and practices in surveillance systems that should integrate the SALT framework, which will be dealt with in Deliverable D.2.2.