Data Protection
Sometimes the half of the page is just discussion of the provisions of GDPR or the Council of EU
Convention, then you don’t have to study the full page by heart but you just observe and compare
with the legal text. It is a handbook on EU Data Protection Laws and when you know the laws, it is
easier to learn everything that the handbook clarifies or adds.
First chapter
First capsule - First 35 pages
Handbook tries to cover two Europes: Council of Europe and European Union.
2 Europes and 2 rights: Privacy and Data Protection
Differences between two rights:
- Privacy: prohibition on interference, Data: you can have data but also respect the rules on the
game. Data protection does not ask the question whether there is privacy issue in a case. Is there
personal data —-> then, rules on the personal data applies. Even open data on the internet falls
under this.
Digital Rights Ireland:
Switch from ne right to another
Eu Law obliging providers to keep and to store data about consumers up to two years. The Court
said that both rights are applicable: right to privacy and the right to personal data. The Directive was
declared invalid, unconstitutional. Very strong judgement.
The CJEU deemed the directive an interference with the fundamental right to personal data
protection “because it provides for the processing of personal data”. It also found that the directive
interfered with the right to respect of private life.
Personal data is not recognized as a separate human rights but privacy is. with Soft Law, UN tries to
expand the notion, the book discusses resolutions on right to privacy on digital age. Not legally
binding.
Council of Europe Convention
- Many non-EU countries are signing up for it.
- Council of Europe realized that Convention of HR didn’t speak about data protection.
- 1981. The only legally binding international instrument in the data protection field.
Data protection in primary EU Law before 2000
- The original treaties of the European Communities did not contain any reference to human rights
or their protection (the European Economic Community was initially envisaged as a regional
organization focused on economic integration and the establishment of a common market).
- In 2000, the EU proclaimed the Charter of Fundamental Rights of the European Union
(Charter). It incorporates the whole range of civil, political, economic and social rights of
European citizens, by synthesizing the constitutional traditions and international obligations
common to the Member States. The rights described in the Charter are divided into six sections:
dignity, freedoms, equality, solidarity, citizens’ rights and justice.
, Data Protection
Fascinating features
- Article 7 of the Charter (Respect for private and family life)
- Article 8 of the Charter (Protection of personal data)
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of
the person concerned or some other legitimate basis laid down by law. Everyone has the right
of access to data which has been collected concerning him or her, and the right to have it
rectified.
- Compliance with these rules shall be subject to control by an independent authority.
Primary EU Law
- Article 16 TFEU: Article 16 also creates a new legal basis, granting the EU the competence to
legislate on data protection matters. Therefore, whereas the Data Protection Directive from 1995
was based on the internal market legal basis, Article 16 of the TFEU allows for a comprehensive
approach to data protection, which led to the adoption of the General Data Protection Regulation
and the Data Protection Directive for Police and Criminal Justice Authorities.
Secondary EU Law
- 2016 - GDPR
- GDPR is strong and very detailed.
- After GDPR there were more secondary law on data protection.
- There are so much litigation about data protection. CJEU and ECHR has a lot of cases dealing
with detailed cases.
Second capsule - Limitations on the right to personal data protection 35-42
How to limit the right to privacy and the right to personal data protection?
- The right to privacy and to personal data protection are not absolute rights
- Both the ECHR and the Charter recognize that limitations may be imposed, respectively in
Article 8 of the ECHR and Article 52 (1) of the Charter
- These limitations have been developed and interpreted through the case law of the ECtHR and
the CJEU.
For Art 8 ECHR to be triggered, it first has to be determined whether a private interest, or a person’s
private life, have been compromised (= applicability of Art. 8 §1).
If this is the case, then the 3 requirements of Art. 8 §2 are checked
- 1) In accordance with the law (p 37-39) Is there a legal basis? (Accessibility & foreseeability)
- An interference is in accordance with the law if it is based on a provision of domestic law
that is “accessible to the persons concerned and foreseeable as to its effects”.
- A rule is foreseeable “if it is formulated with sufficient precision to enable any individual
– if need be with appropriate advice – to regulate his conduct”
- “The degree of precision required of ‘the law’ in this connection will depend on the
particular subject-matter”.
, Data Protection
- Rotaru v Romania case:
- While the domestic law allowed for the gathering, recording and archiving in secret files
of information affecting national security, it did not lay down any limits on the exercise of
those powers, which remained at the discretion of the authorities. When one of the
requirements fail, there is a violation.
- The Court therefore concluded that the domestic law did not comply with the requirement
of foreseeability under Article 8 of the ECHR.
- Taylor Sabori v The United Kingdom
- The police intercepted messages sent to the applicant using a clone of the applicant’s
pager.
- However, at the time there was no provision in British law governing the interception of
communications transmitted via a private telecommunications system.
- The interference with his rights had therefore not been “in accordance with the law”.
- The ECtHR concluded that this violated Article 8 of the ECHR.
- Vukota-Bojic v. Switzerland
- A private insurance company commissioned private investigators to perform surveillance
against a social insurance claimant.
- That company had been given the right by the State to provide benefits arising from
compulsory medical insurance and to collect insurance premiums.
- The Court concluded that there had been a violation of Article 8 of the ECHR because
domestic law had failed to indicate with sufficient clarity the scope and manner of
exercise of the discretion conferred on insurance companies acting as public authorities in
insurance disputes to conduct secret surveillance of an insured person. In particular, it did
not include sufficient safeguards against abuse.
- If you have a very detailed legislation, Strasbourg won’t find lacunes.
- 2) Pursuing a legitimate aim (p 39)
- Legitimate aims that could justify an interference are, pursuant to Article 8 (2) of the
ECHR, the interests of national security, public safety or the economic well-being of a
country, the prevention of disorder or crime, the protection of health or morals, and the
protection of rights and freedoms of other persons.
- Very vague.
- Peck vs. the United Kingdom
- The applicant attempted suicide on the street by cutting his wrists, unaware that a CCTV
camera was filming him.
- The police, who were watching the CCTV cameras, rescued him and subsequently passed
the CCTV footage to the media, which published it without masking the applicant’s face.
To advertise their CCTV system on public television.
- There were no relevant or sufficient reasons that would justify the direct disclosure of the
footage by the authorities to the public without having obtained the applicant’s consent or
masking his identity. And thus, violation of Article 8
- Thus, there were no legitimate interests.
- 3) Necessary in a democratic society (p 40-42):
- Political
- Something that States don’t want to hear. “What you want is not necessary for
democracy”
- Khelili c Switzerland
, Data Protection
- During a police check the police found the applicant to be carrying calling cards which
read: “Nice, pretty woman, late thirties, would like to meet a man to have a drink together
or go out from time to time. Tel. no. [...]”.
- The applicant alleged that the police entered her name in their records as a prostitute, an
occupation she denied.
- S and Marper v. United Kingdom
- The police took their fingerprints and DNA samples, as provided for under the Police and
Criminal Evidence Act.
- Their fingerprints, DNA profiles and cellular samples were kept and stored by the police
in a database, and national legislation authorized their retention without an applicable
time limit.
- The Court considered the interference with the applicants’ right to respect for private life
to be unjustified: fingerprints and samples could be retained indefinitely, even for minor
offences not punishable by imprisonment.
- The Court held, unanimously, that the retention constituted a disproportionate
interference with the right to private life that could not be regarded as necessary in a
democratic society.
- Its unnecessary to keep these data from people who had minor offences there are not
punishable.
- Leonder vs Sweden
- In Sweden, a secret scrutiny was performed on people applying for employment in posts
of importance for national security.
- Sweden was entitled to consider that in the applicant’s case the interests of national
security prevailed over the individual ones. So no violation.
- The structure and wording of the charter is different that that of the ECHR.
- To be lawful, the interference has to comply with all the conditions listed in Article 52(1) of the
Charter.
- Article 52(1): Any limitation on the exercise of the rights and freedoms recognised by this
Charter must be provided for by law and respect the essence of those rights and freedoms.
Subject to the principle of proportionality, limitations may be made only if they are necessary
and genuinely meet objectives of general interest recognised by the Union or the need to protect
the rights and freedoms of others.”
Charter requirement n1: Provided by law
- Similar to first requirement under COE
- Limitations must be based on a legal basis that is adequately accessible and foreseeable and
formulated with sufficient precision to enable individuals to understand their obligations and
regulate their conduct.
- The legal basis must also clearly define the scope and manner of the exercise of the power by the
competent authorities to protect individuals against arbitrary interference.
Charter requirement n2: Respect the essence of the right
- In the EU legal order, any limitation on the fundamental rights protected under the Charter must
respect the essence of those rights.
- If the essence of the right is compromised, the limitation must be considered unlawful.
- Maximillian Schrems v Data Protection Commissioner
