PRIVACY AND DATA PROTECTION LAW 2020-2021
Part A: Setting the scene
1. Practical:
→ basic information on the course can be found on ‘syllabus’ canvas.
→ Goals? Learn about privacy an data protection law, focusing on EU law, think critically, practical
exercises.
→ Structure: part A: setting the scene; part B: The GDPR; part C: beyond the GDRP and looking
forward.
→ study material: handbook on European data protection la (2018 edition!!), the GDPR, the
slides.
You can order the handbook for free on the European union website.
The handbook is a good base to study but be careful because handbook covers the
data protection law of the council of EU and of the EU union and they are not the same
so it might be confusing. You also have to study the slides and the lessons.
You can find the GDPR in canvas or consult it online on eurlex (also the consolidated
version but this one doesn’t cover the preamble and the recitals).
Tip: study lesson notes and read handbook as background cause exam is based on
both, but you don’t have to study the handbook by heart.
Evaluation: Final written exam (on campus) : multiple choice on theory and essay question
where u have to prove what you learned and your knowledge. Open book exam: you can bring
your notes and the GDPR!! (this is an update, so maybe you will sometimes read in the notes
that you can’t bring the GDPR, but you can!)
FYI: Table of content of these lesson notes can be found at the end!
2. Privacy and/or data protection?
Is privacy the same as data protection? Are those things related? In principle yes because they have a
lot to do with each other, but it depends.
→ In the legal framework of the European Union there are 2 distinct rights:
The right to respect private life/privacy
The right to personal data protection.
→ In the legal framework of the council of Europe only the right to respect private life is explicitly
recognised: data protection safeguards are a dimension of this right.
The distinction between these 2 frameworks is important in theory and in practice because they
coexist and apply at the same time.
In some cases we use “privacy” to refer to the exact same thing as data protection, so we can see an
evolution in the meaning of the term privacy due to new technology, which makes it confusing to
understand when to use which meaning. To understand this we will have to talk about history including
US history.
3. Some key provisions
3.1 Universal declaration of human rights 1948 (UDHR):
1
, → This text says that “Privacy is a human right” (article 12 UDHR) : protection from interference
with your privacy, your family, home, correspondence, honour and reputation.
→ Why was the UDHR needed in the context of 1948? There had been a lot of authoritarian
regimes (nazi’s for example) in the period of time before this and it was important to settle
boundaries for the future to protect human rights.
→ Some people connect the right of privacy with the right of free opinion: having the right to
think what you want in your private sphere.
3.2 European convention on Human Rights 1950 (ECHR):
→ Document made by the council of Europe. It can be enforced to more countries than the UHDR
because more countries are part of the council of Europe than part of the European union.
→ Article B contains the right to respect for private and family life.
→ Why do we say private life here and not privacy? Because of the influence of 2 important
languages in the Council of Europe : English and French (vie privé). In this document there’s no
definition of the word “privacy” or “private life”. This protects your thoughts, your inner life,
etc, but also some things that happen in public, so we can conclude that it covers a lot of things
even if there’s no exhaustive definition.
→ There’s no reference to data protection in this text, because in 1950 these technologies didn’t
exist yet.
3.3 Charter of fundamental rights of the EU 2000/2009:
→ Important framework of the European Union
→ Article 7: respect for private and family life
→ Article 8: Protection of personal data !!
This is new because new technologies existed and it was very important at that time to
settle rights and special protection concerning these technologies.
Literal article: “1. Everyone has the right to the protection of personal data concerning him
or her. 2.Such data must be processed fairly for specified purposes and on the basis of the
consent of the person concerned or some other legitimate basis laid down by law.
Everyone has the right of access to data which has been collected concerning him or her,
and the right to have it rectified. 3.Compliance with these rules shall be subject to control
by an independent authority.”
4. The origins of privacy and data protection law
In principle, the origin of privacy depends on what you think privacy is.
Symbolically the origin of privacy is an old article of the Harvard law review called “the right to privacy”
(1890).
→ It’s an important article written in the US by 2 writers who thought it was important to describe
the right to privacy, because at that time it wasn’t recognized. The writers of the article were
victims of paparazzi’s and wanted something to protect them from these technics.
→ They talk about “the right to be left alone” by what they mean the right to live your own life
and decide about your own life.
→ The right to be left alone can be difficult in our society with all the new technologies such as
photographs, paparazzi’s, newspapers, social media etc.
2
, → Illustration: at the time the article was written new technologies of cameras were invented.
the commercial of the kodak of 1889 says that it’s a ‘detective camera’ which shows the first
nuance to an invasive tool. The writers of the article said that the law needed to respond to
this.
→ In other countries this problem also occurred. In France for example there had already been a
few cases where they concluded to an invasion of privacy. There’s for example an important
footnote that refers to the article of the Harvard law reviews saying that there was already
ongoing litigation about the right to privacy. Marion Manola was photographed without her
consent and the photographer made money from the picture. She sued him for this.
The question was not just about if the picture could be taken, but the most important
question in this case was to know how a person could control what happened with a
picture of them.
After “the right to privacy article” there were 2 developments in the recognition of the right of privacy:
→ Privacy & constitutional protection: the recognition of the right of privacy was integrated in
the constitution of the US. The right of privacy isn’t literally written in the bill of rights or the
amendments but during the history a lot of caselaw situated the right to privacy between the
lines of the amendments.
Important cases:
➢ Olmstead v. United States, 277 U.S. 438 (1928) (including a dissenting opinion
by Brandeis), overturned by Katz v. United States 389 U.S. 347 (1967): this
case was about the 4th Amendment which gives some protection against
searchers of the public authorities when they search into your belongings,
property etc. It was difficult to construct this right, but progressively the US
recognised a right to privacy through this amendment. Eventually the right to
privacy in the US became very broad and today it covers many things.
➢ Roe v. Wade, 410 U.S. 113 (1973) : the right to privacy as protecting a
pregnant woman's right to choose. The right to abortion was a part of the
right of privacy in the US. This was very controversial.
→ Privacy & torts : people can sue under civil law for personal wrongs allegedly done to them.
This was also developed slowly. Privacy was developed in many ways and so were the
torts concerning privacy.
There are 4 types of torts based on W. Prosser’s ‘Privacy’:
➢ Intrusion
➢ Public disclosure of private facts
➢ False light in the public eye
➢ Appropriation
3
,5. In the meantime, technology…
The new technologies kept evolving and were of many types, examples (illustrations on the slides):
→ Cover of the “life magazine” from 1966 illustrates an invasion of privacy with a picture of a
woman with an electric chip. This illustrates the fear that existed in the 60’s concerning
technology and how far it could go. This fear was increasingly linked to the right to privacy.
(the chips did not really exist but were imagination).
→ During the cold war the authoritarian regimes were a threat to privacy. In the illustration we
can see a decoration piece given by the soviets to an ambassy of the US, but there was a tiny
microphone inside to allow them to hear the discussions. People were shocked in that time
because they didn’t know it was possible.
→ Camera’s with a new function ‘the zoom’: being able to get close images of people without
them seeing you.
→ The radio: people made money with radio programs and advertising. Therefore, radio
companies wanted to know more about their audience to sell that information to their
advertisers.
→ Movie “shadow of a doubt” is about the surveys that were taken to know more about the
average families: this was common in the US at that time. A lot of surveys about families for
political or economical reasons, but people where not happy because it was invasive.
→ Book “creditworthy”: about how credits work and how you get a score when you get a credit.
Score: information for future loaners to know if they want to give u a credit or not, if you are
a good payer etc.
There later was the introduction of the fair credit reporting act in 1970 : regulates
collection of consumers' credit information and access to their credit reports.
→ The invention of the computer (information storage, database, databanks, etc) included
keeping data and information about a lot of people for a lot of reasons: political, financial, etc.
the use of the computer by the federal authorities: they thought about keeping all the
information about people in a database to use these information when making
decisions.
Book “privacy and freedom 1967”: claims that the right to privacy also contains a right
to control this information that is kept about us in databanks.
Records, computer and the rights of citizens 1973: report about how the right of
privacy has to be protected during the development of the technologies and the
possibility to control our information. They proposed important principles in this
document called ‘fair information practice”:
4
, → The tape recorder: this tool was used by Nixon in his Watergate scandal: he was involved in
controlling messages but at the same time he claimed to care a lot about privacy.
→ 1974: privacy act was created
6. First interactive session on the right of access
6.1 Why the right of access?
The right of access means that everyone has a right to know which information is kept about you and
what is done with this information. This right was important due to the increasing amount of new
technologies that collected and kept information about people.
→ This was also one of the principles stated in the report “Records, computer and the rights of
citizens 1973”: “there must be a way for an individual to find out what information about him
is in a record and how it is used”.
→ Article 8 of the charter of fundamental rights of the EU also cites the right of access: “everyone
has the right of access to data which has been collected concerning him or her, and the right
to have it rectified”
Research has shown that a lot of EU citizens don’t know they have a right of access or don’t know what
it implies. One of the goals of the GDPR was to obligate people who collect information about you to
inform you that you have a right of access on this information.
6.2 ACTIVITIES
6.2.1 ideas on data controllers
Can you think of examples of data controllers/keepers?
→ Google, Apple, your bank: they collect a lot of data of you and they process and sell this data.
You can use your right of access to ask what data they have about you and what they do with
it.
→ Spotify: follows your movement to suggest you music. If you move fast, are in the car, etc.
Guy on slide 26: Austrian guy who had an opportunity to work at silicon valley where he went to a
conference given by a Facebook worker and started a discussion about data protection and privacy.
Book “l’amour sous algorithme”: writer created a tinder account and started thinking a lot a bot all the
information tinder had on her and how they used that to create a match.
5
,6.2.2 how to exercise the right of access
6.3 Applicable rules
→ Article 15 of the GDPR on the right of access by the data subject: this is a very important article
and you should read/know in big lines what’s written in it since you can’t bring the GDPR to
the exam!
→ Article 11 (identification) 12 (transparency) ,13(which data they have to show u) , 14 and 23
GDPR
→ Belgium: 30 Juli 2018. - Wet betreffende de bescherming van natuurlijke personen met
betrekking tot de verwerking van persoonsgegevens.
7. Historical overview of data protection in Europe
Short overview of important evolutions in the European data protection history:
→ 1970: Pioneering laws on the processing of data
→ 1980: OECD guidelines
→ 1981: council of Europe convention 108
→ 1995: Data protection directive 95/46/EC
6
, → 2000: EU charter of fundamental rights
7.1. The period of 1970
As we have already seen, there had been lot of things that triggered the interest in human rights and
protection of private life: authoritarian regimes, new technologies, the convention of human rights,
etc.
In the 70’s one of the biggest and most important new technologies was the computer which obliged
the lawyers and the legislator to think about the consequences of the use of these new technologies.
A lot of countries in Europe (E.g.: Brittain and Germany) were investing a lot in these developments
and even the authorities started to use the computer and other technologies for their work.
The most important question was: do we need to update our legislation in order to protect the society
from the risks that these developments imply? There came a variety of national developments in
different countries:
→ Land of Hesse 1970 : region in Germany where the first data protection law saw the light. They
started working a lot with computers and came to the realisation that this was a good thing
but only if they had a “data security”. They later came to the conclusion that this data security
wasn’t broad enough and they needed not only protection but also rights for individuals to
access the data that is kept. They then changed the name to “data protection”
→ Sweden 1973 “the act on data”: this was the first national law on data protection.
→ Portugal 1975: in 1976 they implemented the right of data protection in the constitution “all
citizens have the right to know that they are registered, the right to know what is the purpose
of that information and the right to rectify that information.”
→ Germany : 1977 and 1983: at some point there was also a federal law on data protection in
Germany. The German federal constitutional court (=Bundesverfassungsgericht) recognized a
right on data protection even if it wasn’t mentioned in the German constitution = “the right to
information self-determination”. This goes further than just a right on protection of your data.
You have a right to self-determine your personality and self-determine which information
about you is disclosed.
→ France 1978: authorities used computers to keep all the information they had about their
residents. They created the “safari” system for this. A journalist of “le monde” then wrote an
article about this describing it as a chase after french people. This article created a lot of
concerns by the population. A commission was then created to discuss all these problems and
concerns “la commission nationale de l’informatique et des libertés” (=CNIL). This commission
created a law to protect the privacy and the processing of data. They later had to update this
law to be in line with the GDPR, but they refused to repeal this 1978 law because it has a strong
symbolic meaning.
→ Belgium was quite late in adopting data protection law, because for many years they believed
that Belgians were protected enough by article 8 of the convention of human rights. Only at a
later point they came to the realisation that more specific laws would be necessary. The first
laws on data protection were only adopted in the 90’s.
→ Austria and Spain 1978: they had a different approach and directly gave a constitutional
recognition to this right.
→ None of these countries actually “invented” data protection: it’s the result of a fragmented
history of new legislation following new technologies and societal problems. The term “data
protection” was also not equally embraced in all the countries and the notion of privacy also
played different roles in all those countries.
7
,The key points you have to remember well about the period of 1970 are the following:
→ Not all national initiative were centred around the notion of “privacy”.
→ In some countries, the issued were framed as having “constitutional relevance.
→ In some countries, there were discussions about the issue, but they didn’t immediately lead to
the adoption of legal instruments.
→ Many of these laws were encompassing both the public & private sector.
Different from in the US: in 1974 there was an act but it only applied to some federal
authorities. There were different laws for the public and private sector.
→ An European specificity was the establishment in some countries of independent authorities,
inspired by the ombudsman model, acting in a sort of arbiter between those processing the
data and the individuals whose information was processed.
→ They were often considering possible special rules for data transfers (=sending data from one
computer to another, from one place to another).
What is also important to know is that in the 1970’s discussions at international level started regarding
this topic in different organisations or institutions. The question is: why were all this organisation
involved with data protection issues? What did it had to do with them?
→ The Council of Europe : Main organisation in Europe dealing with human rights. They created
as a major instrument the convention of human rights where you can find article 8 “right of
privacy”. They were logically concerned by this new form of privacy threat brought by the new
technologies. They quickly started to have meetings, communities, to write reports, etc. about
this issue. They decided not to change the convention on human right, but to create a new
convention specifically on data protection.
→ The Organisation for Economic Co-operation and Development (OECD): This organisation is
involved in all different kinds of economic matters. They are located in Paris and they were
quickly concerned about this data protection matter partly because of the article about the
safari system that was created in France. Their concern was the restrictions that were made
about data transfer was not about data protection but about data protectionism, they said it
was a restriction to free trade and they were concerned about this because they are against
protectionism. They said it was only an illusion that this was about human rights.
→ The European Economic Community (EEC= later European union) : this organisation was
originally not about human rights, but only about economic integration. From this economic
perspective they were concerned about these data processing matters and computers. They
wanted to encourage the use of computers and data processing to stimulate the European
companies, but they saw that in many European countries there were rules about data
protection. They realised that if they wanted to promote this data processing methods, they
also had to create protection for it, and this is why they created the data protection directive.
7.2 The period of 1980
7.2.1 The OECD
Already at the end of the 1970s, there were concerns (especially in the US) about the possible impact
of the emerging European rules on global commercial exchanges.
In 1980, the Organisation for Economic Co-operation and Development (OECD) adopted Guidelines on
the Protection of Privacy and Transborder Flows of Personal Data, taking the form of a
‘Recommendation’ and aiming at contributing to the global free flow of personal data. They wanted
8
,to give protection in exchange for the possibility for data to be transferred because that is good for the
growth of the economy.
→ The OECD council reccommends:
This is only a recommendation, it’s not an obligation!
7.2.2 Council of Europe: convention of 108
This convention was adopted by the Council of Europe in the light of their purpose which was
protecting human rights, but they also said that the protection you give should not stop the free flow
of data.
When the Convention opened for signature on 28 January 1981, it was the first legally binding
international instrument in the data protection field. This is still applicable today and is one of the
most important data protection laws in Europe.
The convention is not a self-executing instrument: The parties are required to take the necessary steps
in their domestic legislation to apply the principles it lays down in order to ensure respect in their
territory for the fundamental human rights of all individuals with regard to processing of personal data.
This is not a recommendation, but an obligation. The countries have to create legislation that is in line
with the convention, but it’s possible that the countries do this differently from each other.
It's not an “European convention” it’s open for signature by every county, even countries outside
Europe. This is the main difference with the legal framework of the European union, which is only
targeted at member states.
7.2.3 What also happened…
As we have seen there had been a first wave of national laws where a lot of countries in Europe had
already created legislation about data protection before the convention 108 and the OECD. They were
willing to ratify these agreements, but therefore they had to revise their existing laws in order to fit
the new legislation which created a second wave of new (updated) national laws.
7.3 The period of 1990
In the beginning the legal framework of the EU was not committed to protection of human rights but
they started interfering more and more with legislation on national level of the member states and
this created concerns in the constitutional courts of the member states. Also the European parliament
called out that they had to give a clear signal that the European Union was respecting and involved
with human rights. Eventually the court of justice in Luxembourg judged that the EU was also
committed to protecting fundamental human rights.
The European Union was, already in the 80’s, concerned about data processing and in the 90’s they
got involved in the data protection issue. Discussions started on how to support the processing of data
9
, and they created the directive 95/46/EC. This directive doesn’t exist anymore because it was repealed
by the GDPR, but for a long time it was an important directive. It was created as a single market
instrument and they wanted to stimulate the flow of data.
The states had to implement this directive in their legislation. This once again stimulated waves of new
legislation in the countries that had to update their laws again.
→ important article:
7.4 Conclusion: global privacy and data protection laws?
A lot is happening in a lot of countries about privacy and data protection and this matter is still evolving.
It’s impossible to cover everything about data protection in this course. But one interesting question
is the following: should we say that over the years (60’s – now) there has evolved a convergence or
divergence in approaches over the different countries?
Over the years we have seen that there was a lot of dialogue and similarities regarding the data
protection issue. A lot of legislative developments inspired other ones and also the important influence
of the EU institutions and international organisations created a bit of harmony and improvement in
the legislation of different countries, but it’s important to know that this doesn’t mean that the
legislations are always convergent! There still are major differences. For example: the difference in
countries in how they apply the data protection law on private and public sector (same for both sectors
or different?)
Also important to know: there is much more to privacy protection than just what happened in the US
and Europe, which can also be divergent, but it’s difficult to cover the global situation.
Professor Graham Greenleaf keeps track and writes about everything that’s happening regarding data
protection. His message is that there are many privacy laws being adopted in many places. The
question is: is there something happening universally? Is something developing that could be an
universally applied law on data protection? The answer is no, there’s no equivalent to the EU GDPR or
the convention 108 that applies internationally and generally.
But there are some international instruments and developments, but they stay quite weak:
→ 1990 United Nations Guidelines for the Regulation of Computerized Personal Data Files
→ 1980 (revised in 2013) Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data of the Organisation for Economic Cooperation and Development (OECD)
→ Asia-Pacific Economic Cooperation Privacy framework (2004)
→ 2009 International Standards on the Protection of Privacy with regard to the processing of
Personal Data
A lot of people think it’s really necessary to develop an universal and general set of standard to deal
with the issue that is developing on global level. Until this day they haven’t succeeded in realising this.
On international level for now there’s coexistence of 2 main models:
10
