All Talk, No Action? The Effect of the GDPR Accountability Principle on the EU Data Protection Paradigm


Tuulia Karjalainen


This work is distributed under the Creative Commons Licence Attribution 4.0 International (CC BY 4.0).

The General Data Protection Regulation (679/2016, ‘GDPR’) introduced the accountability principle to the field of EU data protection law. The principle aims to increase the controller’s responsibility for its personal data processing and to promote a risk-based approach to data protection. However, accountability, as implemented in the GDPR, fails to meet these objectives. Accountability is sometimes seen as a significant paradigm shift – as a move away from transparency and choice-based data subject control towards company liability. However, the principle does not truly replace the requirements-based approach in the GDPR. Nevertheless, accountability can effectively contribute to EU data protection law by reinforcing other GDPR obligations. This article analyses the contribution of the GDPR accountability principle to EU data protection law, and the effectiveness of the principle in the light of its objectives. Although accountability does not radically change the European data protection paradigm, the principle does contribute to increasing controllers’ responsibility and facilitating enforcement.
keywords: Accountability | GDPR | Article 5(2) | Risk-based Approach | Big Data

Tuulia Karjalainen, Doctoral Researcher, University of Helsinki. This research was funded by the Academy of Finland research project 'POP – Is this Public or Private? A Study on the Philosophical Foundations of European Privacy Regulation'. For Correspondence: <>

