The word compliance has entered our daily vocabulary, pervading regulatory strategy and discourse in European Union law. But what does it mean? What is its role in the legal system? Can it be performed in an automated way?
On 29 June, PhD researcher Tatiana Duarte presented a proposed answer to these questions in the context of data protection law from a legal theory point of view, at the Zentrum für interdisziplinäre Forschung (ZIF) workshop (27-29 June at the University of Bielefeld).
In contemporary usage, compliance seems to connote obedience. However, the data protection norms provided for in the GDPR cannot simply be obeyed. They must, rather, be constructed by data controllers (and processors) under the constraints laid down by law. This process of construction implies a discontinuity in the authoritative authorship of norms, as it hands over to companies the regulatory task initiated by the legislator.
From a legal point of view, compliance must reflect a commitment of the data controller (and processor) to the protection of fundamental rights, which implies that each decision must be preceded and followed by a recursive assessment in light of the rights at stake. However, the constraints companies are subject to differ from those that bind the authoritative legislator when creating norms. Such a mandate therefore opens the legal protection of fundamental rights to a diversity of discourses and approaches beyond law. This might compromise legal protection by making it depend on how receptive data controllers are to the protection of fundamental rights.
Can compliance be automated? Tatiana discussed a category of technologies that advertise themselves as tools for companies to respond to data subject requests. She concluded that, by themselves, such technologies do not provide compliance as such. They may support or undermine it, depending on whether their implementation is focused on the protection of fundamental rights.