Tải bản đầy đủ - 0 (trang)
9 Understanding the Nature of the Right to Privacy Through Four Types of Qualified Interests: Information Use by Governments, Health, Vulnerable Groups and Reputation

9 Understanding the Nature of the Right to Privacy Through Four Types of Qualified Interests: Information Use by Governments, Health, Vulnerable Groups and Reputation

Tải bản đầy đủ - 0trang

44



2  Privacy and Data Protection as Values of the EU That Matter, Also…



right to privacy and, too, that adverse consequences are not required for such

interference.157

In Digital Rights Ireland and Seitlinger,158 the Court of Justice referred to the

essence of the right to privacy in relation to personal information. The Court considered that the essence of the right to privacy – a notion defined under Article 52(1)

Charter in respect of all fundamental rights – was not affected by Directive 2006/24

on data retention159 since this directive “does not permit the acquisition of knowledge of the content” of communications. Schrems, by contrast, concerned access to

the content, i.e., the inverse situation. According to the Court, generalised access to

the content of electronic communications compromises the essence of the right to

privacy.160

One can argue whether the Court’s specific understanding of this concept of the

essence of privacy makes sense in a developing information society, where traffic

and location data reveal a great deal of the privacy of individuals.161 In any event, the

Court determined that there is an area where there can be serious interference with

the right to privacy, but that is outside its essence, while there is also an area where

such interference compromises the essence.162



2.9.1  F

 our Types of Qualified Interests: Information Use

by Governments, Health, Vulnerable Groups

and Reputation

In order to provide a better understanding of informational privacy this book

explores various types of interference. In the case law there are various qualified

interests that may create an interference with privacy. This book considers four

types of qualified interests163: storing, monitoring and interception of information

 See, most recently, Case C-362/14, Schrems, EU:C:2015:650, at 87.

 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger

(C-594/12), at 39.

159

 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the

retention of data generated or processed in connection with the provision of publicly available

electronic communications services or of public communications networks and amending

Directive 2002/58/EC, OJ L 105/54.

160

 Case C-362/14, Schrems, EU:C:2015:650, at 94.

161

 In the era of big data, as explained by Bruce Schneier, Data and Goliath (W.W. Norton &

Company, 2015), mainly in the first part of the book.

162

 In a paper of 2013 Gellert and Gutwirth dismissed the assumption that there is an ‘essence’ of

the right to privacy. This dismissal is useful in the sense that it illustrates the complicated nature of

the right to privacy. In view, however, of the recent case law, the statement as such is no longer

valid. Raphael Gellert and Serge Gutwirth, “The legal construction of privacy and data protection”, Computer Law & Security Review 29 (2013), pp. 522–530.

163

 The listing in this book is meant to be illustrative, not exhaustive. A similar listing is given by

Christopher Docksey, “Articles 7 and 8 of the EU Charter: two distinct fundamental rights”, in:

157

158



2.9  Understanding the Nature of the Right to Privacy Through Four Types…



45



by governments for law enforcement; health-related information; the protection of

vulnerable groups such as children, and the reputation of people in relation to

publications.164

Firstly, governments’ access to and use of information for policing or wider law

enforcement purposes. The storing, monitoring and interception of information by

governments obviously have implications for privacy. In Malone v UK,165 the

European Court of Human Rights held that a telephone operator may obtain records

of the ‘metering’ of its clients, but that releasing that information to the police interferes with privacy. In Leander v Sweden,166 the ECtHR ruled that the storing and

release of information from a secret police file amounted to interference with privacy. More recently, the ECtHR decided in S. and Marper v UK that the retention

for police purposes of “the fingerprints, cellular samples and DNA profiles of

­persons suspected but not convicted of offences” constituted a violation of Article 8

ECHR.167

The Court of Justice stated in Digital Rights Ireland and Seitlinger,168 with reference to the case law of the ECtHR, that the access by law enforcement authorities

to communications data retained by private companies under Directive 2006/24

constituted a “further interference with the right to privacy”.169 Likewise, the law

must effectively protect individuals’ personal data against the risk of abuse and

against any unlawful access and use of that data, based on the assumption that there

is a significant risk of these effects occurring.170

Secondly, the processing of health-related information may have a serious impact

on the right to privacy. In Z v Finland,171 in which the applicant was HIV-infected,

the ECtHR underlined that “respecting the confidentiality of health data is a vital

principle in the legal systems [..], not only to respect the sense of privacy of a patient

but also to preserve his or her confidence in the medical profession and in the health

services in general.” This need for confidentiality is even stronger in the case of a

transmissible disease such as HIV.

Thirdly, special protection of privacy is given to vulnerable groups such as children. This was a constitutive element in establishing the violation of Article 8 ECHR

in K.U. v Finland, where the applicant was the subject of an advertisement of a

Alain Grosjean (ed.), Enjeux européens et mondiaux de la protection des données personelles (Éd.

Larcier, 2015), at 4a.

164

 There is a parallel between this listing and the interests qualified as “risk”, in recital 75 of the

GDPR.

165

 Malone v UK, 1984, Application No 8691/79, at 84. Metering is the use of a device that registers

the numbers dialled on a particular telephone and the time and duration of each call.

166

 Leander v Sweden, 1987, Application No 9248/81, at 48.

167

 S. and Marper v UK, Applications Nos 30562/04 and 30566/04, 4 December 2008, at 125.

168

 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger

(C-594/12), as will be discussed in Chap. 5.

169

 Para. 35 of the ruling.

170

 Paras 54–55 of the ruling, with reference to case law of the ECtHR.

171

 Z v Finland, 1997, Application No 22009/93, paras 95–96.



46



2  Privacy and Data Protection as Values of the EU That Matter, Also…



sexual nature on an internet dating site when he was only 12 years old.172 This special protection also played a role in S. and Marper v UK in relation to the retention

of biometric data, which was considered especially harmful in the case of minors.173

Fourthly, the reputation of individuals is an issue that affects human dignity and

relates closely to the right to privacy. Reputations may be harmed by a journalistic

publication or by disclosure of information to the public in any other way.

Reputational issues give a good insight into the protection of privacy on the internet

and play a role in the balancing between privacy (and data protection), on the one

hand, and freedom of expression and public access to documents, on the other

hand.174

The most famous ECtHR cases are the two Von Hannover v Germany,175 in

which Princess Caroline of Monaco was the main applicant. In the second case she

was joined by her husband. As the Court considered, reputation takes on particular

importance in the context of Article 8 ECHR,176 also where famous persons are

concerned.

In Google Spain and Google Inc.,177 a case that is relevant to this book for a

number of reasons, the right to privacy under Article 7 Charter plays an essential

role in relation to reputation. The ruling of the Court of Justice in this case was the

result of a complaint by a Spanish resident, Mr Costeja González, that relatively old

pages from a Spanish newspaper came up when his name was entered in Google

Search. These pages mentioned his name in relation to the recovery of social security debts. Mr Costeja González claimed that the issue had been resolved for a number of years and that the data were now entirely irrelevant. These data were neither

illegal nor inaccurate, but, as Peers underlines,178 simply embarrassing.



 K.U. v Finland, 2008, Application No 2872/02, at 40–41.

 S. and Marper v UK, Applications Nos 30562/04 and 30566/04, 4 December 2008, at 124.

174

 See also Chap. 5, Sect. 5.14 of this book.

175

 Von Hannover v Germany, 2004, Application No 59320/00 and Von Hannover v Germany (No

2), 2012, Applications Nos 40660/08 and 60641/08.

176

 Para. 59 of the first Von Hannover case.

177

 Case C-131/12, Google Spain and Google Inc., EU:C:2014:317.

178

 S. Peers, “The CJEU’s Google Spain judgment: failing to balance privacy and freedom of

expression”, EU Law Analysis (2014), available on http://eulawanalysis.blogspot.be/2014/05/thecjeus-google-spain-judgment-failing.html.

172

173



2.9  Understanding the Nature of the Right to Privacy Through Four Types…



47



2.9.2  S

 umming Up: All Use of Personal Information Falls

Within the Scope of the Right to Privacy Under Article 7

Charter

As explained above, the notion of privacy is a normative value. Interference with the

right to privacy is assessed in a contextual manner.179 The four types of qualified

interests illustrate how the use of personal information may constitute an interference with the right to privacy and how this interference is assessed. However, this

does not answer the fundamental question of whether all use of personal information – or, in the terminology of data protection law, all processing of personal data –

falls within the scope of the right to privacy and creates interference with this right.

This question can also be formulated differently: are qualified interests a condition

for bringing the use of personal information within the scope of the right to privacy,

or are they merely relevant for assessing an interference with this right?

In Österreichischer Rundfunk and others,180 a case adjudicated before the entry

into force of the Lisbon Treaty, the Court of Justice distinguished between data

processing within the scope of the right to privacy under Article 8 ECHR and processing outside this scope, with reference to the case law of the European Court of

Human Rights. More generally, privacy is said to encompass data that are essentially private, and other data only if additional conditions relating to the processing

apply.181 According to De Hert and Gutwirth in a 2009 paper, hence also before the

entry into force of the Lisbon Treaty, this justifies the claim that “the old distinction

between data that merits protection and data that does not still works”.182

The question to be answered in this book is whether this conclusion still holds

true, or whether the relevant issue is that the qualified interests merely determine the

assessment of a breach of the right to privacy. For two reasons, this book takes the

latter point of view. First, as explained below, since the entry into force of the Lisbon

Treaty, the Court of Justice no longer makes a systematic distinction between the

right to privacy and the right to data protection (data protection encompasses all use

of personal information). Second, as a result of the features of the internet and

developments of communications on the internet – with big data and mass surveillance as obvious examples – all processing of personal data has a potentially adverse

effect on the right to privacy under Article 7 Charter, if only because one cannot



179



 Orla Lynskey, “Deconstructing Data Protection: The ‘added-value’ of a right to data protection

in the EU legal order”, International and Comparative Law Quarterly, Volume 63, Issue 03, July

2014, p 583.

180

 Case C-465/00, Österreichischer Rundfunk and others, EU:C:2003:294, at 73–74.

181

 Raphael Gellert and Serge Gutwirth, “The legal construction of privacy and data protection”.

Computer Law & Security Review (CLSR) 29 (2013), pp. 522–530. Systematic storage of data is

such an additional condition.

182

 P. De Hert and S. Gutwirth, “Data Protection in the Case Law of Strasbourg and Luxemburg:

Constitutionalisation in Action”, in: S. Gutwirth, et al. (eds), Reinventing data protection? Springer,

2009, at II.1.



48



2  Privacy and Data Protection as Values of the EU That Matter, Also…



know in advance the purposes for which personal information that is available in

electronic databases will subsequently be used.183



2.10  H

 istorical Development of the Right to Data Protection,

Starting as a Response to Technological Developments

The right to data protection, included in Article 16 TFEU and in Article 8 Charter,

has its origin in the 1970s and was a response to technological developments. It has

also been recognised in primary EU law since the Treaty of Amsterdam (1997, entry

into force 1999). Data protection is a right that not only protects against the government, but also requires active legislative intervention, as evidenced by Article 16(2)

TFEU. Additionally and pursuant to Article 16(2) TFEU and Article 8(3) Charter,

data protection requires control by an independent data protection authority.

There is a parallel between the origin of the right to privacy and the origin of the

right to data protection. At the end of the nineteenth century, Warren and Brandeis

found that, in the light of political, social and economic changes, the existing legal

notions did not sufficiently protect individuals. In 1981, the Council of Europe

adopted Convention 108 on data protection – after long preparations184 – since it

considered that, in view of new technologies, the national legislations at the time

provided insufficient protection of individual privacy.185

There is also, however, an important difference between the origins of these two

rights, a difference that still plays a role in today’s debate on privacy and data protection. Whereas the right to privacy originates from the needs of individuals to be

left alone, the right to data protection stems from an era in which individuals were

losing control over the use of information about them, also because of the great

asymmetry in knowledge and power between various players. This new reality was

initially connected to the right to privacy, widening its rationale with more emphasis

on informational privacy. This is still the situation in the United States, whereas in

Europe the new reality has led to the development of the right to data protection.186



183



 See also Chap. 3 of this book.

 Based on resolutions of the Committee of Ministers of the Council of Europe, from 1973 to

1974.

185

 Convention for the Protection of Individuals with regard to Automatic Processing of Personal

Data, ETS No 108 – Explanatory Report, pts. 1–4.

186

 Alan F. Westin, Privacy and Freedom, New York: Atheneum, 1967, as put into context by

G. González Fuster, “The Emergence of Personal Data Protection as a Fundamental Right of the

EU”, Law, Governance and Technology Series 16, 2014, at 31. Idem: S. Rodota in: S. Gutwirth,

et al. (eds), Reinventing data protection? Springer, 2009, at 78.

184



2.10  Historical Development of the Right to Data Protection, Starting…



49



2.10.1  T

 he Council of Europe’s Role in Developing

Instruments on Data Protection

The Council of Europe’s Convention 108 of 1981 was the first binding international

instrument on data protection.187 This Convention was adopted shortly after the non-­

binding OECD Guidelines on the Protection of Privacy and Transborder Flows of

Personal Data (1980)188 and illustrates the different approach followed in Europe

compared to the United States. The OECD Guidelines, to which both the US and

EU Member States adhere, underline privacy and the free flow of information,189

whereas Council of Europe Convention 108 has data protection as its sole purpose.

Data protection is defined as the right to secure for every individual “respect for his

rights and fundamental freedoms, and in particular his right to privacy, with regard

to automatic processing of personal data relating to him”.190

Council of Europe Convention 108191 lists the basic principles of data protection,

including the quality of data and the special protection for sensitive data. These

principles were later introduced and specified in EU law. One element plays a specific role in the sequel of this section. Whereas, normally, personal data may be

obtained and processed fairly and lawfully,192 the Convention contains a prohibition

on the processing of sensitive data, subject to certain exceptions.193



2.10.2  T

 he EU: Growing Emphasis on Respecting

Constitutional Values in Addition to the Objective

of Market Integration

In the context of the European Union, the right to data protection was first introduced in secondary law in 1995, in Directive 95/46.194 The recitals of this directive

provide a good insight into its rationale. The processing of personal data had become

187



 Earlier laws existed at the national and sub-national levels. The first law on data protection was

adopted in 1970, in the German State of Hessen (see: http://de.wikipedia.org/wiki/Hessisches_

Datenschutzgesetz). Sweden followed in 1972. Another early landmark was the French Loi n°78–

17 relative à l’informatique, aux fichiers et aux libertés du 6 janvier 1978.

188

 The guidelines were amended on 11 July 2013 by C(2013)79, published on the OECD

website.

189

 OECD Council Recommendation concerning Guidelines on the Protection of Privacy and

Transborder Flows of Personal Data (23 September 1980), published on the OECD website.

190

 Article 1 of the Convention.

191

 See also Convention 108: G. González Fuster, “The Emergence of Personal Data Protection as

a Fundamental Right of the EU”, Law, Governance and Technology Series 16, 2014, at 4.2.

192

 Article 5 of the Convention.

193

 Article 6 of the Convention on “Special categories of data”.

194

 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the

protection of individuals with regard to the processing of personal data and on the free movement

of such data, OJ L 281/31.



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

9 Understanding the Nature of the Right to Privacy Through Four Types of Qualified Interests: Information Use by Governments, Health, Vulnerable Groups and Reputation

Tải bản đầy đủ ngay(0 tr)

×