A Controller Without Control. Embedded Artificial Intelligence – A Catalyst to Reconsider the Controller/Processor Relationship of the GDPR

Research output: Chapter in Book/Report/Conference proceedingBook chapterResearchpeer-review


In the past, AI-devices offloaded their processing to the cloud, clearly implicating the provider of the cloud as either a controller or a processor under the GDPR. Increasingly, however, AI-driven processing is moving away from the cloud. Dedicated AI chipsets embedded in mobile clients and various edge devices now provide on-device predictions. A smart phone can screen for skin melanomas without sending any data to the cloud or app developer, and a bedside patient monitoring system can process locally in the hospital without sending any personal data to the device manufacturer. Such localized processing reveals underlying problems of how responsibility within data protection is allocated. For example, device manufacturers are typically deemed to fall outside the scope of the GDPR. This chapter argues that the current understanding of the controller/processor framework is too narrow. This is demonstrated through various processing scenarios.
Original languageEnglish
Title of host publicationAI in eHealth : Human Autonomy, Data Governance & Privacy in Healthcare
EditorsMarcelo Corrales Compagnucci, Michael L. Wilson, Mark Fenwick, Nikolaus Forgó, Till Bärnighausen
Number of pages14
Place of PublicationCambridge
PublisherCambridge University Press
Publication statusAccepted/In press - 2021
SeriesCambridge Bioethics and Law

Number of downloads are based on statistics from Google Scholar and www.ku.dk

No data available

ID: 241213981