Myth #47: Data protection law is about controlling data.
Maximilian von Grafenstein

Myth: Data protection law is about controlling personal data. This is already suggested in the notion of ‘data protection’ law and in the famous sentence that individuals shall have “a right to determine the disclosure and usage of ‘their’ data”. A prominent example of this is the view that each kind of personal data may be processed only if the individuals to whom the data relate have given their consent.


Busted: The myth that individuals have a right to control ‘their’ personal data (instead of the risks caused by data processing) draws its power from a very intuitive understanding: If I can control the data that relate to me in one way or another, then I can also control the risk that the data is abused. However, both in daily life and in theoretical reflections, the focus on the data per se often means that the actual problem, i.e. the risk of abuse, gets overlooked. This leads to a protection that is both excessive and ineffective. A tragic result. Two examples may illustrate this observation:

In data protection law, a person’s consent is often seen as the central normative tool for individual self-determination in a digitized world. However, most people will also agree that consent, in the form currently applied in practice, does not achieve this aim. Instead of being enabled to make a self-determined decision, individuals try to find their daily way through a myriad of consent forms, clicking them away unread. There are many reasons for this so-called consent fatigue. However, one key reason is that individuals consent to everything and nothing: Consents are required everywhere while the consequences of giving the consent (i.e. the actual risks) remain unclear.

Tightly connected to this phenomenon is the overload of information given to individuals on the basis of transparency requirements in data protection frameworks. Often, such information focuses on the data collected from the individuals, while the consequences of its processing remain vague. Further, there is so much collected data that individuals do not see the forest for the trees and ask themselves the question: What kind of information is relevant to me? Thus, focusing on data instead of risks that are caused by data processing to the individual distracts normal users and shifts theoretical concepts of protection away from what is relevant.

In recent discussions, this point of view even runs the risk of being applied to new progressive approaches that aim to solve the problem on a more structural level: Data fiduciaries, for instance, may enforce data protection rights on behalf of individuals; even more far-reaching is the idea that individuals shall have a property right in “their data” so that they can better profit from the data (e.g. by data sale). These new approaches will fail as long as the actual problem is lost from sight: the risk that data may be misused.


Truth: Data protection law controls the risks to individuals that are caused by the processing of data (not data as such). This difference may seem subtle, but it has far-reaching effects on the reach and limitations of protection. To effectively implement data protection instruments, such as an individual’s consent and measures of transparency, one must focus on the consequences of the data processing.


Source: Maximilian von Grafenstein, The Principle of Purpose Limitation in Data Protection Laws: The Risk-Based Approach, Principles, and Private Standards as Elements for Regulating Innovation (Baden-Baden: Nomos, 2018).