Abstract

The current understanding of ‘controllership’ in the GDPR typically excludes device manufacturers from this role where processing of personal data occurs locally only, ie on the device without any access to the data by the manufacturer. The ‘user’ of such a device is deemed to be the only possible controller, regardless of whether the processing falls under the household exemption or not. This is because the concept is understood more narrowly than its actual definition permits. However, in particular the development of ‘smart’ devices with ‘local’ or ‘edge’ computing upends the assumption that device manufacturers automatically fall outside the scope of the GDPR. Device manufacturers may often have sufficient influence on the processing to be deemed ‘controllers’, even where personal data is processed on-device only without any direct processing by the manufacturer. This is because device manufacturers may in certain cases ‘determine the means and purposes of the processing’. This expanded understanding of the concept of controllership is supported by CJEU and Supervisory Authority case law and an interpretation of the GDPR which should be adopted by practitioners, authorities, and courts. Doing so would address the mischief that comes from categorically excluding device manufacturers from the scope of the GDPR.
