All Talk, No Action? The Effect of the GDPR Accountability Principle on the EU Data Protection Paradigm

Abstract

The General Data Protection Regulation (679/2016, ’GDPR’) introduced the accountability principle to the field of EU data protection law. The principle aims to increase the controller’s responsibility for its personal data processing and to promote a risk-based approach to data protection. However, accountability, as implemented in the GDPR, fails to meet these ob-jectives. Accountability is sometimes seen as a significant paradigm shift – as a move away from transparency and choice-based data subject control towards company liability. How-ever, the principle does not truly replace the requirements-based approach in the GDPR. Nev-ertheless, accountability can effectively contribute to EU data protection law by reinforcing other GDPR obligations. This article analyses the contribution of the GDPR accountability principle to the EU data protection law, and the effectiveness of the principle in the light of its objectives. Although accountability does not radically change the European data protection paradigm, the principle does contribute to increasing controllers’ responsibility and fa-cilitating enforcement.