Tải bản đầy đủ - 0trang
40



2  Privacy and Data Protection as Values of the EU That Matter, Also…



In accordance with their text, these articles protect privacy and three other fundamental rights.123 However, apart from what was mentioned in relation to family

life, the distinction between privacy and these other rights is not always fully clear.

This is exemplified by the right to respect of correspondence (in Article 7 Charter:

communications), which is a specific aspect of privacy, as demonstrated by the case

law of the European Court of Human Rights on secret surveillance. This case law

takes the respect of privacy and correspondence together.124

A specific element of the concept of privacy – of relevance for the purpose of this

book – is the concept of informational privacy, as originally developed in the work

of Westin.125 On the internet, the right to privacy, by definition, concerns information, and does not touch upon more spatial concepts of privacy, such as the protection of a person’s home. In any event, technological developments meant that

informational privacy became a central element of privacy protection.126 This book,

with its focus on the internet, obviously deals mainly with this informational privacy. Finally, informational privacy should not be confused with ‘data privacy’, a

term used outside the EU context for a concept that also includes data

protection.127



2.8.2  H

 uman Dignity and Personal Autonomy as Underlying

Values and the Broad Scope of Privacy

The ECHR and the Charter do not refer to any underlying values in relation to privacy.128 One can argue that the right to privacy, as described by Warren and Brandeis,

reflects a value in itself. This right reflects individuality or personal freedom129 and



123



 Further explained by Paul De Hert, Art. 8 E.V.R.M. en het Belgisch Recht, Bescherming van

privacy, woonst, gezin en communicatie (Mys en Breesch, 1998).

124

 See, e.g., Klass and Others v Germany, 1978, Application No. 5029/71, at 41.

125

 Alan F. Westin, Privacy and Freedom, New York: Atheneum, 1967. See also: J.C. Buitelaar,

“Privacy: Back to the Roots”, 13 German Law Journal 171–202 (2012), at 187–188; G. González

Fuster, “The Emergence of Personal Data Protection as a Fundamental Right of the EU”, Law,

Governance and Technology Series 16, 2014, at 2.1.2.2.

126

 Additional reading in Dutch: L.F.M. Verhey, Horizontale werking van grondrechten, in het bijzonder op het recht van privacy, W.E.J. Tjeenk Willink, 1992, at 192–198.

127

 As explained later, the distinction between privacy and data protection is a typically European

distinction. See, e.g.: Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford

University Press, 2013), at 21, where he deals with data privacy law in a global context, encompassing privacy and data protection.

128

 P. De Hert and S. Gutwirth, “Data Protection in the Case Law of Strasbourg and Luxemburg:

Constitutionalisation in Action”, in: S. Gutwirth, et al. (eds), Reinventing data protection?,

Springer, 2009, at II.1.

129

 G. González Fuster, “The Emergence of Personal Data Protection as a Fundamental Right of the

EU”, Law, Governance and Technology Series 16, 2014, referring to a source mentioning the fortress of personal freedom.



2.8  The Right to Privacy, a Broad and Dynamic Concept on the Internet Extending…



41



may even be opposed to societal needs.130 The arguments of Greenwald, referred to

in Sect. 2.3 of this chapter, illustrate that privacy itself reflects a value, namely the

value of doing things in private. In addition, one can argue – also illustrated by what

Greenwald said – that the right to privacy is a representation of other core ethical

values in society,131 particularly human dignity and autonomy.

Privacy is explained as a representation of human dignity. Privacy is not unique

in this respect, as confirmed by the Explanations to the Charter with reference to the

Universal Declaration of Human Rights: human dignity constitutes the real basis of

fundamental rights.132 Where, however, dignity is understood as the freedom to

shape one’s life, there is a specific association with privacy.133

Privacy is also described as a right to personal autonomy,134 which implies that

an individual must be in control of his or her life.135 Fabre argues that autonomy

reflects a value underlying all fundamental rights.136 Autonomy in connection with

the right to privacy is more limited and relates to an autonomous personal sphere;

this does not mean a limitation to intimacy, but, as explained below, also extends to

wider social relations. As González Fuster explains, privacy is sometimes, but not

always, construed as being the opposite of what is public.137 In this widely understood autonomous personal sphere individuals must have some control138 over how

information about them is used.139

As to the scope of privacy: according to the ECtHR the concept of ‘private life’

is a broad term, which is not susceptible to exhaustive definition.140 Privacy is a



130



 Lee A. Bygrave, “Privacy and Data Protection in an International Perspective”, Stockholm

Institute for Scandinavian Law & Lee A. Bygrave 2010, at 171.

131

 Wording by P. De Hert and S. Gutwirth, “Data Protection in the Case Law of Strasbourg and

Luxembourg: Constitutionalisation in Action”, in: S. Gutwirth, et al. (eds), Reinventing data protection? Springer, 2009, at II.1.

132

 Explanations relating to the Charter of Fundamental Rights, on Article 1.

133

 Cathérine Dupré on Article 1, in: Steve Peers, Tamara Hervey, Jeff Kenner and Angela Ward

(eds), The EU Charter of Fundamental Rights, A Commentary, Hart Publishing, 2014, e.g., at

01.06.

134

 P. Oliver, “The protection of privacy in the economic sphere before the European Court of

Justice”, CMLR, 46, Issue No (Oct), 2009 at 1443. In the same sense, P. Bernal, Internet Privacy

Rights, Rights to Protect Autonomy, Cambridge University Press, 2014, at 2. He defends the belief

that privacy is mainly important as a crucial protector of autonomy.

135

 In this sense, it is close to the right to data protection, as developed below.

136

 C. Fabre, “Constitutionalising Social Rights”, The Journal of Political Philosophy, Volume 6,

No 3, pp. 264–265, 1998.

137

 G. González Fuster, “The Emergence of Personal Data Protection as a Fundamental Right of the

EU”, Law, Governance and Technology Series 16, 2014, at 2.1.1.

138

 As will be explained in relation to data protection, this does not necessarily mean full control.

139

 Alan F. Westin, Privacy and Freedom, New York: Atheneum, 1967, as explained by G. González

Fuster, “The Emergence of Personal Data Protection as a Fundamental Right of the EU”, Law,

Governance and Technology Series 16, 2014, at 31.

140

 E.g., Pretty v UK, Application No 2346/02, at 61.



42



2  Privacy and Data Protection as Values of the EU That Matter, Also…



notoriously difficult legal concept.141 In the case law, the notion of privacy or private

life has been given a broad scope and also extends to professional and business

activities.142 More generally, privacy includes the right to establish and develop

relationships with other human beings and the outside world.143 Equally, the ECtHR

ruled in Rotaru v Romania that public information, too, can fall within the scope of

private life, but only if it is systematically collected and stored in files held by the

authorities.144 Finally, all modern means of communications are brought under the

scope of privacy of Article 8 ECHR.145 As De Hert and Gutwirth confirm, a broad

and dynamic interpretation was assigned to the right to privacy under Article 8

ECHR. This approach also determines the interpretation of the corresponding right

of Article 7 Charter since the meaning and scope of this corresponding right must

be the same and must not prevent more extensive protection under EU law.146

However, this broad and dynamic interpretation does not necessarily mean that the

ECtHR includes all use of personal information within the scope of privacy.147 It is

this limitation to the scope of privacy that is challenged in Sects. 2.13 and 2.14

below.

The internet also presents challenges to another limitation to the scope of the

right to privacy, at least insofar as privacy is limited to what is not public. More

specifically, the difference between shared, exposed and common activities, which

are open to others, and activities belonging to the closed space or realm148 – or, more

generally, the distinctions between the public sphere and the private sphere – are

becoming blurred, with Web 2.0 and exposure on social media being obvious examples.149 These developments are not strictly linked to the internet, as the Court’s

ruling in Ryneš150 illustrates. This ruling concerns the use of a CCTV camera by a

private person in order to protect his private home that involved capturing images

from a public space near his home151

141



 This was said about the right to human dignity in Article 1 Charter by Cathérine Dupré in: Steve

Peers, Tamara Hervey, Jeff Kenner and Angela Ward (eds), The EU Charter of Fundamental

Rights, A Commentary, Hart Publishing, 2014 at, e.g., 01.26.

142

 Niemietz v Germany, ECHR (1992), A-251-B, at 29.

143

 E.g., Pretty v UK, Application No 2346/02, at 61.

144

 Rotaru v Romania, Application No 28341/95, at 43.

145

 P. De Hert and S. Gutwirth, “Data Protection in the Case Law of Strasbourg and Luxemburg:

Constitutionalisation in Action”, in: S. Gutwirth, et al. (eds), Reinventing data protection?,

Springer, 2009, at II.1.

146

 As stated in Article 52(3) Charter.

147

 An overview of the case law on the collection, storage and use of personal data under Article 8

ECHR can be found in: Bernadette Rainey, Elizabeth Wicks, Clare Ovey, 2014, Jacobs, White &

Ovey, The European Convention on Human Rights (sixth edition), Oxford University Press, 2014,

at 377–381.

148

 G. González Fuster, “The Emergence of Personal Data Protection as a Fundamental Right of the

EU”, Law, Governance and Technology Series 16, 2014, at 2.1.1.

149

 See also Chap. 3 of this book.

150

 Case C-212/13, Ryneš, EU:C:2014:2428.

151

 Case note Hielke Hijmans, “On Private Persons Monitoring the Public Space”, EDPL (2015) 2.



2.9  Understanding the Nature of the Right to Privacy Through Four Types…



43



This all makes privacy an even more difficult legal concept than before, because

it also further widens the area where claims are made based on the right to privacy

beyond the already broad scope of privacy recognised in the case law of the ECtHR.



2.9  U

 nderstanding the Nature of the Right to Privacy

Through Four Types of Qualified Interests: Information

Use by Governments, Health, Vulnerable Groups

and Reputation

The right to privacy is a ‘first-generation’ right that imposes a negative duty to

refrain from interfering with the exercise of the right by the individual.152 Privacy, as

a legal notion, protects the private sphere of the citizen, primarily against intervention by the state.153 The fact that privacy is primarily a duty for governments to

abstain explains why, at an EU level, no general legal instrument comparable to the

general instruments for data protection, such as Directive 95/46, has been adopted

for the protection of the right to privacy. However, there is more to it than that. The

state also has a positive duty to ensure that the right to privacy is respected in horizontal situations between private actors.154 This has led to legislative provisions in a

wide area of government intervention, thus specifying privacy protection in various

sectors of society.155 Moreover, as we have seen in Digital Rights Ireland and

Seitlinger,156 where the legislature imposes interference on the right to privacy, it

should also ensure that appropriate safeguards are foreseen.

As explained above, privacy must be seen as a normative value representing the

human dignity and autonomy of an individual. It is a broad concept that – to a certain extent – encompasses the public sphere. Privacy must be interpreted in a broad

and dynamic way. This is further illustrated by the Court of Justice’s case law, which

emphasises that non-sensitive information may also amount to interference with the



152



 J.H. Gerards, “Fundamental rights and other interests – should it really make a difference?”, in:

E. Brems (ed.), Conflicts between Fundamental Rights, Antwerp: Intersentia, 2008, at 657.

153

 This is more complicated, but a general theory of privacy is not necessary for this book. See

also: G. González Fuster, “The Emergence of Personal Data Protection as a Fundamental Right of

the EU”, Law, Governance and Technology Series 16, 2014, Chapter 2 and the literature mentioned there.

154

 According to the case law of the ECtHR: “… in addition to this primarily negative undertaking,

there may be positive obligations inherent in an effective respect for private or family life. These

obligations may involve the adoption of measures designed to secure respect for private life even

in the sphere of the relations of individuals between themselves”. See, e.g., Von Hannover v

Germany, 2004, Application No 59320/00, at 57.

155

 Older examples can be found in L.F.M. Verhey, Horizontale werking van grondrechten, in het

bijzonder op het recht van privacy, W.E.J. Tjeenk Willink, 1992, Chapter 9.

156

 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger

(C-594/12).



44



2  Privacy and Data Protection as Values of the EU That Matter, Also…



right to privacy and, too, that adverse consequences are not required for such

interference.157

In Digital Rights Ireland and Seitlinger,158 the Court of Justice referred to the

essence of the right to privacy in relation to personal information. The Court considered that the essence of the right to privacy – a notion defined under Article 52(1)

Charter in respect of all fundamental rights – was not affected by Directive 2006/24

on data retention159 since this directive “does not permit the acquisition of knowledge of the content” of communications. Schrems, by contrast, concerned access to

the content, i.e., the inverse situation. According to the Court, generalised access to

the content of electronic communications compromises the essence of the right to

privacy.160

One can argue whether the Court’s specific understanding of this concept of the

essence of privacy makes sense in a developing information society, where traffic

and location data reveal a great deal of the privacy of individuals.161 In any event, the

Court determined that there is an area where there can be serious interference with

the right to privacy, but that is outside its essence, while there is also an area where

such interference compromises the essence.162



2.9.1  F

 our Types of Qualified Interests: Information Use

by Governments, Health, Vulnerable Groups

and Reputation

In order to provide a better understanding of informational privacy this book

explores various types of interference. In the case law there are various qualified

interests that may create an interference with privacy. This book considers four

types of qualified interests163: storing, monitoring and interception of information

 See, most recently, Case C-362/14, Schrems, EU:C:2015:650, at 87.

 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger

(C-594/12), at 39.

159

 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the

retention of data generated or processed in connection with the provision of publicly available

electronic communications services or of public communications networks and amending

Directive 2002/58/EC, OJ L 105/54.

160

 Case C-362/14, Schrems, EU:C:2015:650, at 94.

161

 In the era of big data, as explained by Bruce Schneier, Data and Goliath (W.W. Norton &

Company, 2015), mainly in the first part of the book.

162

 In a paper of 2013 Gellert and Gutwirth dismissed the assumption that there is an ‘essence’ of

the right to privacy. This dismissal is useful in the sense that it illustrates the complicated nature of

the right to privacy. In view, however, of the recent case law, the statement as such is no longer

valid. Raphael Gellert and Serge Gutwirth, “The legal construction of privacy and data protection”, Computer Law & Security Review 29 (2013), pp. 522–530.

163

 The listing in this book is meant to be illustrative, not exhaustive. A similar listing is given by

Christopher Docksey, “Articles 7 and 8 of the EU Charter: two distinct fundamental rights”, in:

157

158