DATA PROTECTION AS AN INDEPENDENT FUNDAMENTAL RIGHTRIGHT

It is clear from the outset that data protection has a very intimate relationship with privacy. As previously discussed, it was long considered a part of privacy in the field of fundamental rights. Sometimes it is even referred to as data privacy.⁴¹¹ In other words, heavy weight on the protection of one’s privacy has been given when data protection has been balanced with other fundamental rights.⁴¹²

Data protection has become an individual fundamental right very recently.

This transformation stems from the different developments in the EU’s legislative framework and also from Court practice. Thereby, it has now gained the necessary institutional recognition.⁴¹³

In Europe the recognition of data protection as a fundamental right took place at the latest when the Charter of Fundamental Rights of the European Union entered into force 1 December 2009.⁴¹⁴ The Charter clearly distinguishes the protection of personal data from the right to privacy. In other words, the right to the protection of personal data is now clearly laid down in Article 8 of the Charter and the right to privacy in its separate Article 7. This is a significant step forward, as the Charter clearly stipulates that personal data has an independent value in the field of fundamental rights. Article 8 states that “

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.”

411 S.Greenstein, Our Humanity Exposed – Predictive Modelling in a Legal Context, (Stockholm University, 2017) 258–263.

412 See for example case C-28/08P, Bavarian Lager, ECLI:EU:C:2010:378.

413 Article 8 of the Charter of Fundamental Rights; for institutional support, see Chapter I section 1.1. and in particular Dworkin, Taking Rights Seriously, (Duckworth 1977) 39–45, 64–68.

414 See for example EU Charter of Fundamental Rights, How the Charter became part of the EU Treaties, available on the internet < http://ec.europa.eu/justice/fundamental-rights/charter/index_en.htm> [last visited 20.3.2017]. See also comments on the reluctance for using the term privacy in the data protection legislation, I.Lloyd, “From ugly duckling to Swan. The rise of data protection and its limits”, in Computer Law and Security Review 34 (2018), 780. See also O. Lynskey, The Foundations of EU Data Protection Law, (Oxford, 2015) 89–129.

As data protection has grown from the privacy right, it is natural that earlier case-law and also academic literature has underlined this aspect of data protection and often examined data protection from this angle. The umbilical cord is strong in this case, and more recent case-law is still very closely attached to this relationship.⁴¹⁵ Although the CJEU treats data protection as an individual fundamental right, it has not spelled out the distinctive features of data protection as Gloria González Fuster notes.⁴¹⁶ The CJEU has left the essence of data protection obscure and has often treated it together with the right to privacy. For example, in the so-called Data Retention judgment, the court does indeed give an independent status to data protection. It specifically states that retention of the said data has to be in line with Article 8 of the Charter. However, the Court’s argument throughout the case keeps privacy and the protection of personal data very much hand in hand. The Court underlines that the content of the communication was not to be retained, but rather the information covered by the Data Retention Directive related to, for example, the source of the communication. Such data as date, time duration, calling telephone number and IP address had to be retained. The Court stressed in its reasoning that by combining this information, a very detailed information of a person’s private life might be revealed. Thus, in the end, the CJEU’s reasoning sets a heavy weight on the interference with one’s privacy.⁴¹⁷ Privacy and data protection might have been treated together, but the CJEU did give data protection a specific and independent recognition. In earlier case-law the CJEU would only underline the right to privacy in the context of reconciling fundamental rights, even when the focus of the case was on the processing of personal data.⁴¹⁸ Finally, the Court concludes that the Data Retention Directive is invalid because it “does not lay down clear and precise rules

415 For an analysis of the CJEU’s case-law on the concepts of privacy and data protection, see also M. Brkan, The Court of Justice of the EU, privacy and data protection: Judge-made law as a leitmotif in fundamental rights protection, in Brkan, M. & E. Psychogiopoulou (ed.) Courts, Privacy and Data Protection in the Digital Environment, (Edward Elgar, 2017), 10–31; G. González Fuster, “Fighting For Your Right to What Exactly? The Convoluted Case Law of the EU Court of Justice on Privacy and/or Personal Data Protection”

in Birbeck Law Review, 2(2) (2014), 263–278; G. González Fuster & R. Gellert, “The fundamental right of data protection in the European Union: in search of an uncharted rights“ in International Review of Law, Computers & Technology 1(2012), 73–81. See also O. Lynskey, The Foundations of EU Data Protection Law, (Oxford, 2015) 132–135.

416 G. González Fuster, “Fighting For Your Right to What Exactly? The Convoluted Case Law of the EU Court of Justice on Privacy and/or Personal Data Protection” in Birbeck Law Review, 2(2) (2014), 263–278; G.

González Fuster & R. Gellert, “The fundamental right of data protection in the European Union: in search of an uncharted rights“ in International Review of Law, Computers & Technology 1(2012), 73–81.

417 Joined cases C-293/12 and C-594/12 Digital Rights Ireland and Kärtner Landesregierung, ECLI:EU:C:2014:238, paras 26–30, 65. See also T. Ojanen, “Privacy Is More Than Just a Seven-Letter Word: The Court of Justice of the European Union Sets Constitutional Limits on Mass Surveillance: Court of Justice of the European Union, Decision of 8 April 2014 in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, Participation and Democracy” in European Law and Polity 3 (2014), 528–541 and M. Brkan, The Court of Justice of the EU, privacy and data protection: Judge-made law as a leitmotif in fundamental rights protection, in Brkan, M. & E. Psychogiopoulou (ed.) Courts, Privacy and Data Protection in the Digital Environment, (Edward Elgar, 2017), 14–15.

418 Case C-275/06, Promusicae, ECLI:EU:C:2008:5, para 65.

governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter”. In other words, the interference should be justified from both the data protection and privacy perspective. This judgment pushed many national stakeholders to give further interpretation on how this is to be interpreted in the national context.⁴¹⁹ For example in Finland, the Constitutional Committee in the Parliament developed its earlier approach further by stating that the type of data which was previously considered to be on the outskirts of the right to data protection (location data) was now coming closer to the hard core of the said right.⁴²⁰

Even if privacy is still very apparent when assessing data protection, some authors have underlined that data protection is not simply a question of informational privacy, but also of informational autonomy.⁴²¹ This is an issue which will be examined in more detail later in this chapter when self-determination is discussed.

In this context, it suffices to note that I see that informational autonomy cannot be lightly separated from privacy rights. Therefore, this thesis does not try to entirely separate data protection from privacy. The aim is rather to underline the specific features of the protection of personal data and elaborate further the said relationship by distinguishing underlying principles, aims and objectives, which are characteristic to the protection of personal data.

Besides dissatisfaction with the CJEU’s way of treating the rights together even when underlying the status of data protection as fundamental right⁴²², the separation of data protection from privacy rights has been considered somewhat unsatisfying for other reasons. These concerns are drawn from the fear that once removed from the sphere of the privacy, the underlying values of dignity and autonomy might fade out with time.⁴²³ It might well be that practical lawyers who work with data protection issues and solve very technical questions would not speculate on these values on a daily basis. For instance, the Data Protection Directive refers to the aim of the protection of privacy while values of dignity and autonomy are not

419 See for example in Denmark 2.6.2014, “Justitsministeren ophæver reglerne om sessionslogning”, available on the internet < http://justitsministeriet.dk/nyt-og-presse/pressemeddelelser/2014/justitsministeren-oph%C3%A6ver-reglerne-om-sessionslogning> [last visited 3.11.2015]; For legality of the Data Retention Directive, see also, L. Feiler, “The Legality of the Data Retention Directive in Light of the fundamental Rights to Privacy and Data Protection ” in European Journal of Law and Technology 3 (2010).

420 PeVL18/2014 vp, p. 6.

421 See M. Tzanou, The Added Value of Data Protection as a Fundamental Right in the EU Legal Order in the Context of Law Enforcement, (EUI, 2012) 22.

422 G. González Fuster, “Fighting For Your Right to What Exactly? The Convoluted Case Law of the EU Court of Justice on Privacy and/or Personal Data Protection” in Birbeck Law Review, 2(2) (2014), 263–278; G.

González Fuster & R. Gellert, “The fundamental right of data protection in the European Union: in search of an uncharted rights“ in International Review of Law, Computers & Technology 1(2012), 73–81.

423 See for instance A. Rouvroy & Y. Poullet, “The Right to Informational Self-Determination and the Value of Self-Development: Reassessing the importance of Privacy for Democracy”, in S. Gutwith; Y. Poullet; P. De Hert; C. de Terwangne & S. Nouwt, Reinventing Data Protection (Springen, 2009), 45–76. For an analysis of protection of personal data turning into a fundamental right, see also M. Brkan, “The Unstoppable Expansion of the EU Fundamental Right to Data Protection: Little Shop of Horrors?” in Maastricht Journal of European and Comparative Law, 23 (2016).

mentioned. Furthermore, Rodotà questioned whether this general assumption is convincing as there are clearly increasing demands for data disclosure due to several different factors. These are, for example, security requirements, market interests and reorganization of the public sector⁴²⁴. Nevertheless, Rodotà does conclude, that “the strong protection of personal data continues to be a ‘necessary utopia’”.

Regardless, I see that the status as an independent fundamental right is rather a victory than a loss for the protection of personal data, and in particular for the underlying values of data protection. Clearly, this progress should have an effect when balancing data protection with other fundamental rights. Previously, data protection has been balanced with other fundamental rights as an element of privacy.

This has led to situation where the focus in the reconciliation has been on ensuring that data subject’s privacy is not infringed. This is still an essential aspect of data protection and it cannot be overlooked. However, there are also other aims and underlying principles for data protection. These other aims and principles should be given more weight and should now become more significant in the balancing exercise. An example of such an underlying principle would be good governance.

To conclude, the balancing should not be based solely on the assessment of whether there is an infringement of privacy rights, as it has been previously.

1.2.1 PRIVACY AS A PART OF DATA PROTECTION OR DATA PROTECTION AS A PART OF PRIVACY

It has now been established that data protection originated and diverged from privacy rights. Yet, the question of whether data protection should be considered a part of privacy, or privacy a part data protection, is still stimulating interesting discussions.⁴²⁵

The origin of data protection, the aim to protect individual’s privacy, is strongly present in the early European data protection instruments. They stress the importance of the protection of privacy when processing personal data.⁴²⁶ Even

424 S. Rodotà, “Data Protection as a Fundamental Right” in S. Gutwith; Y. Poullet; P. De Hert; C. de Terwangne

& S. Nouwt, Reinventing Data Protection (Springen, 2009), 77–82.

425 See for example P. De Hert & S. Gutwirth, “Data Protection in the Case Law of Strasbourg and Luxembourg:

Constitutionalisation in Action”, in S. Gutwith; Y. Poullet; P. De Hert; C. de Terwangne & S. Nouwt, Reinventing Data Protection (Springen, 2009), 6; D. Manolescu, “Data Protection Enforcement: The European Experience – Case Law”, in N. Ismail & E.L. Yong Cieh (eds.), Beyond Data Protection (Springer, 2013), 217–220. See also G. González Fuster, “Fighting For Your Right to What Exactly? The Convoluted Case Law of the EU Court of Justice on Privacy and/or Personal Data Protection” in Birbeck Law Review, 2(2) (2014), 263–278;

G. González Fuster & R. Gellert, “The fundamental right of data protection in the European Union: in search of an uncharted rights“ in International Review of Law, Computers & Technology 1(2012), 73–81.

426 For instance, according to Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data, Article 1, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. Also Regulation 45/2001 on the protection of individuals with regard to the processing of

though this is the case, it has been quite correctly noted that data protection is not merely an angle of the protection of privacy. The scope of data protection can also be seen as wider than the one of privacy, and at the same time more specific. The scope can be seen as wider, because data protection also relates to other fundamental rights besides privacy. And it can be considered more specific, because it is limited to the processing of personal data. While more specific, at the same time, the scope is also considered broader as all processing of personal data is under its scope,⁴²⁷ not only personal data relating to one’s privacy. Next, these statements will be examined further.

It is correctly said, that data protection covers all processing of personal data, not only processing that is assumed to interfere with one’s privacy. This is strongly related with one of the differences between these two concepts, namely the more specific nature of data protection. It has been noted⁴²⁸ that data protection is more specific as it only relates to processing of personal data. If this argument is taken on a more concrete level, it is rather facile to observe that data protection regulation is more detailed and therefore more specific. The European data protection framework consists of several different sets of rules, such as the GDPR and the EU Institutions’ Data Protection Regulation while privacy legislation consists of some clear statements, which could be considered principles as well. While data protection rules have initially been drawn up to safeguard individuals’ privacy when processing their personal data, individuals’ privacy is not necessarily in danger in all circumstances covered by these rules. While it is fairly safe to conclude that European data protection regulation is precisely what Dworkin and Alexy intend with rules, this is not as clear in terms of privacy regulation. The statements defining the right to privacy could be considered principles as well.

It was previously established that contrary to principles, rules apply in all-or-nothing manner. Once officials have identified which rules are to be applied in the said case, those rules will be applied. The public authority applying these rules is not entitled to discretion, unless there is a particular reason for it. Thus, the official applying data protection regulation is not supposed to balance the rules and consider whether there is actual danger of interference with someone’s privacy, if the rule clearly applies and there are no specific reasons to derogate from this. The specific reasons could be, for instance, competing rules or an exception to the main rule.

personal data by the Community institutions and bodies and on the free movement of such data contains corresponding article as does the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

427 See for instance P. De Hert & S. Gutwirth, “Data Protection in the Case Law of Strasbourg and Luxembourg:

Constitutionalisation in Action”, in S. Gutwith; Y. Poullet; P. De Hert; C. de Terwangne & S. Nouwt, Reinventing Data Protection (Springen, 2009), 4,11.

428 P. De Hert & S. Gutwirth, “Data Protection in the Case Law of Strasbourg and Luxembourg: Constitutionalisation in Action”, in S. Gutwith; Y. Poullet; P. De Hert; C. de Terwangne & S. Nouwt, Reinventing Data Protection (Springen, 2009), 6.

However, it should not be assumed that these rules are depart entirely from privacy. Instead, privacy should be considered an underlying principle for these rules. It follows that as long as these rules are applied, and no contradictions arise, the question of the protection of one’s privacy does not seem to have an effect on how the rules are applied. However, once hard cases arise and a solution must be sought from the underlying levels of law, privacy becomes relevant and it must be balanced with other underlying principles. Thereby, it appears that even if data protection regulation also seemingly covers such processing of personal data where one’s privacy is not directly at stake, the connection to privacy still exists in the underlying layers of law.

Furthermore, even if the scope of data protection can be considered wider than privacy in a certain respect, the protection of one’s privacy does cover sectors that are not covered by data protection. Nevertheless, it is fruitless to continue this discussion further. I suggested that privacy is one of the underlying principles of data protection.

In this context, it is essential to note that as an independent fundamental right, data protection might also have other underlying principles or aims and objectives which create the circumstances of the case. I argue that these other elements should gain increasing importance when balancing the right to protection of personal data with other rights, precisely because of data protection’s nature as an independent fundamental right. While privacy is still a highly significant element in the data protection regime, data protection is slowly and firmly departing from its roots. In this context, it should be borne in mind that detailed data protection regulation does have aims and objectives. In other words, there would be no reason to make detailed data protection legislation just for the sake of it.

1.2.2 PERSONAL DATA AS AN ECONOMIC ASSET

The discussion of privacy, personal data and self-determination, which will be shortly analyzed in more detail, would not be complete without some remarks related to the economic value of personal data. This is particularly interesting as personal data is turning into an extremely valuable asset in economic terms and, in many ways, the development of modern society seems to be clearly linked with the ways in which personal data can or may be processed.

It has been suggested that individuals would have the right to their own personal

It has been suggested that individuals would have the right to their own personal