In this blog-post we discuss the ECJ’s decision in the Fashion-ID case. In particular, we analyze the the Court’s development of a new approach for allocating responsibilities in situations of joint-control in this case. In this ‘Phase oriented-approach’, joint-controllers are only responsible for the phases of the processing in which they are directly involved. We consider that the legal framework of the GDPR does not include a phase-oriented analysis and, perhaps more importantly, that limiting responsibility to individual processing phases of complex processing systems (like Facebook) is incompatible with core principles of the GDPR such as transparency and fairness.
Mahieu, Rene and van Hoboken, Joris VJ, Fashion-ID: Introducing a Phase-Oriented Approach to Data Protection? (2019). European Law Blog, 2019.