Tải bản đầy đủ - 0 (trang)
10 Historical Development of the Right to Data Protection, Starting as a Response to Technological Developments

10 Historical Development of the Right to Data Protection, Starting as a Response to Technological Developments

Tải bản đầy đủ - 0trang

2.10  Historical Development of the Right to Data Protection, Starting…



49



2.10.1  T

 he Council of Europe’s Role in Developing

Instruments on Data Protection

The Council of Europe’s Convention 108 of 1981 was the first binding international

instrument on data protection.187 This Convention was adopted shortly after the non-­

binding OECD Guidelines on the Protection of Privacy and Transborder Flows of

Personal Data (1980)188 and illustrates the different approach followed in Europe

compared to the United States. The OECD Guidelines, to which both the US and

EU Member States adhere, underline privacy and the free flow of information,189

whereas Council of Europe Convention 108 has data protection as its sole purpose.

Data protection is defined as the right to secure for every individual “respect for his

rights and fundamental freedoms, and in particular his right to privacy, with regard

to automatic processing of personal data relating to him”.190

Council of Europe Convention 108191 lists the basic principles of data protection,

including the quality of data and the special protection for sensitive data. These

principles were later introduced and specified in EU law. One element plays a specific role in the sequel of this section. Whereas, normally, personal data may be

obtained and processed fairly and lawfully,192 the Convention contains a prohibition

on the processing of sensitive data, subject to certain exceptions.193



2.10.2  T

 he EU: Growing Emphasis on Respecting

Constitutional Values in Addition to the Objective

of Market Integration

In the context of the European Union, the right to data protection was first introduced in secondary law in 1995, in Directive 95/46.194 The recitals of this directive

provide a good insight into its rationale. The processing of personal data had become

187



 Earlier laws existed at the national and sub-national levels. The first law on data protection was

adopted in 1970, in the German State of Hessen (see: http://de.wikipedia.org/wiki/Hessisches_

Datenschutzgesetz). Sweden followed in 1972. Another early landmark was the French Loi n°78–

17 relative à l’informatique, aux fichiers et aux libertés du 6 janvier 1978.

188

 The guidelines were amended on 11 July 2013 by C(2013)79, published on the OECD

website.

189

 OECD Council Recommendation concerning Guidelines on the Protection of Privacy and

Transborder Flows of Personal Data (23 September 1980), published on the OECD website.

190

 Article 1 of the Convention.

191

 See also Convention 108: G. González Fuster, “The Emergence of Personal Data Protection as

a Fundamental Right of the EU”, Law, Governance and Technology Series 16, 2014, at 4.2.

192

 Article 5 of the Convention.

193

 Article 6 of the Convention on “Special categories of data”.

194

 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the

protection of individuals with regard to the processing of personal data and on the free movement

of such data, OJ L 281/31.



50



2  Privacy and Data Protection as Values of the EU That Matter, Also…



more important in the various spheres of economic and social activity, and the progress made in information technology made the processing and exchange of such

data considerably easier.195 The recitals also note a difference in levels of protection

due to the existence of a wide variety of national laws, regulations and administrative provisions.196 Apparently, Convention 108 failed to ensure sufficient

consistency.197

Directive 95/46 on data protection, adopted under the internal market legal basis

of the EU Treaties (now: Article 114 TFEU), harmonised the level of protection and

aimed to ensure that this level was high. It thus had a double objective in that it

promoted an internal market of personal data through the free flow of information

on the one hand and protected the individual on the other hand.198 Interestingly, this

directive, with its double objective, became one of the main sources of the

­fundamental right to data protection included in both TFEU and Charter.199 This

double objective was confirmed by the Court of Justice in Commission v Germany200

and should be understood to mean that data protection requires a balance between

the protection of the right to private life and the free movement of personal data.

The Treaty of Amsterdam first introduced data protection into EU primary law in

Article 286 of the EC Treaty, a provision aimed at ensuring data protection within

the institutions and bodies of the European Union itself and that led to the setting up

of the European Data Protection Supervisor. The entry into force of the Lisbon

Treaty (2009) marked a further step in EU data protection law by its inclusion of the

right to protection of personal data in Article 16(1) TFEU and in Article 8 Charter.

This has a consequence for the scope of the right to data protection as, within the

scope of EU law, data protection now has to be ensured. This scope now includes

the former third and second pillars of the EU Treaty,201 which are outside the scope

of both Directive 95/46 and Article 286 of the EC Treaty.

Article 16(1) TFEU and Article 8(1) Charter determine the scope of data protection at the level of the Treaties.202 The notion of personal data is broadly understood



195



 Recital 7.

 Equally, recital 7.

197

 Peter Hustinx, “EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed

General Data Protection Regulation”, published in the “Collected Courses of the European

University Institute’s Academy of European Law, 24th Session on European Union Law, 1–12 July

2013”, at 3A.

198

 In relation to this particular aspect, it resembles the OECD Guidelines on the Protection of

Privacy and Transborder Flows of Personal Data.

199

 Explanations relating to the Charter of Fundamental Rights, Explanation on Article 8.

200

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 30. See also Chap. 7.

201

 Police and judicial cooperation in criminal matters, respectively the common foreign and security policy.

202

 See also: Herke Kranenborg, in: Steve Peers, Tamara Hervey, Jeff Kenner and Angela Ward

(eds), The EU Charter of Fundamental Rights, A Commentary, Hart Publishing, 2014, at II. See

also Chap. 6, Sect. 6.5.

196



2.10  Historical Development of the Right to Data Protection, Starting…



51



to mean “any information relating to an identified or identifiable natural person”.203

The scope ratione personae is also broad as the directive applies to wide categories

of addressees of the data protection obligations (the ‘controllers’), as confirmed by

the Court of Justice in Google Spain and Google Inc.204 The Court ruled that internet

search engines may qualify as controllers. By doing so, it sought to ensure “the

effective and complete protection of the fundamental rights and freedoms of natural

persons”, in practice meaning all individuals within the scope of EU law, irrespective of their nationality or permanent residence.205

The inclusion of data protection in Article 16(1) TFEU and Article 8 Charter suggests that the centre of gravity of the right has changed to give more importance to

the objective of protection and less to the free movement of data. In Deutsche

Telekom,206 in 2011, the Court ruled that Directive 95/46 on data protection is

designed to ensure the observance of the right to data protection. In its recent case

law, the Court has also interpreted Directive 95/46 more or less207 systematically in

the light of the fundamental rights.208 Hence, the change of the legal context has

given a more authoritative foundation to data protection as a fundamental right,

rather than as an off-shoot of the internal market. There is a parallel in this respect

with the developments in the field of non-discrimination, which developed from a

condition for the functioning of the internal market into a constitutional norm.209

This also reflects the developing role of the European Union itself, with a growing

emphasis on the respect for constitutional values in addition to market integration.



2.10.3  A

 Separate Development in the Area of Freedom,

Security and Justice, Leading to a Patchwork

The instruments in the area of freedom, security and justice have developed along

different lines.210 Over the past decades, objectives of security led to the adoption –

inside and outside the framework of the EU – of a number of legal instruments

203



 Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October

1995 on the protection of individuals with regard to the processing of personal data and on the free

movement of such data, OJ L 281/31, as explained in Article 29 Data Protection Working Party,

Opinion 4/2007 on the concept of personal data, WP 136.

204

 Case C-131/12, Google Spain and Google Inc., EU:C:2014:317, at 58.

205

 See, e.g., Chap. 4, Sect. 4.9 of this book, which will also address the connection with EU

citizenship.

206

 Case C-543/09, Deutsche Telekom, EU:C:2011:279, at 50.

207

 Exceptions are the rulings in cases C-201/14, Bara, ECLI:EU:C:2015:638 and C-230/14,

Weltimmo, ECLI:EU:C:2015:639.

208

 See Sect. 2.13 below.

209

 As explained by Bell in: Paul Craig and Gráinne de Búrca (eds), The evolution of EU Law

(Second Edition), Oxford University Press, 2011, at 611–640.

210

 On this area, see also: Fundamental Rights Agency, Handbook on European data protection law

(2nd edition, 2014), at 7.2, available on http://fra.europa.eu/sites/default/files/fra-2014-hand-



52



2  Privacy and Data Protection as Values of the EU That Matter, Also…



facilitating the use of information, including personal data, and requiring the collection and storage of and access to huge volumes of personal data for police and

judicial cooperation in criminal matters and for the purposes of border checks, asylum and immigration. Although the policies in these latter fields are not primarily

motivated by the objective of security,211 in reality external border management is

closely linked to security.212 Some of these instruments included the setting up of

European agencies and information systems. These instruments are now part of the

EU legal framework, as are the European actors they established.

These instruments apply to national authorities and also to the actors at the EU

level, currently Europol,213 Eurojust,214 the second-generation Schengen Information

System (SIS II),215 the Visa Information System (VIS)216 and Eurodac.217 The

book-data-protection-law-2nd-ed_en.pdf; Franziska Boehm, Information Sharing and Data

Protection in the Area of Freedom, Security and Justice, Towards Harmonised Data Protection

Principles for Information Exchange at EU-level, (Springer, 2012); H. Hijmans and A. Scirocco,

“Shortcomings in EU data protection in the Third and the Second Pillars. Can the Lisbon Treaty be

expected to help?”, CMLR 46 (2009), Issue 4, pp. 1485–1525.

211

 For the objectives of EU policies in these areas, see Articles 77(1), 78(1) and 79(1) TFEU. The

objective most closely linked to security is the effort to combat illegal immigration and human

trafficking.

212

 E.g., Communication from the Commission to the European Parliament and the Council,

Overview of information management in the area of freedom, security and justice, COM(2010)

385 final, which closely links external border management to the prevention and combating of

crime. This link does not mean that police authorities always have access to data collected for

immigration or asylum purposes. This access is a recurring issue in relation to large-scale information systems on border management. See, Opinion of 18 July 2013 of the European Data Protection

Supervisor on the Proposals for a Regulation establishing an Entry/Exit System (EES) and a

Regulation establishing a Registered Traveller Programme (RTP), at III.2.

213

 Council Decision of 6 April 2009 establishing the European Police Office (Europol) (2009/371/

JHA), OJ L 121/37.

214

 Council Decision on the strengthening of Eurojust and amending Decision 2002/187/JHA, OJ

(2009), L 138/14.

215

 SIS II has a dual purpose. Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II), OJ L

205/63, covers SIS II, as far as it concerns police cooperation. The other purpose of SIS II – external border control – is covered by Regulation (EC) No 1987/2006 of the European Parliament and

of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II), OJ L 381/4.

216

 Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008

concerning the Visa Information System (VIS) and the exchange of data between Member States

on short-stay visas (VIS Regulation), OJ L 218/60.

217

 Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013

on the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application

of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the

Member State responsible for examining an application for international protection lodged in one

of the Member States by a third-country national or a stateless person and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law

enforcement purposes, and amending Regulation (EU) No 1077/2011 establishing a European

Agency for the operational management of large-scale IT systems in the area of freedom, security

and justice (recast), OJ L 180/1.



2.10  Historical Development of the Right to Data Protection, Starting…



53



instruments firstly reflect the increased need for the use of information for the purposes of safety and security, and secondly the expanded possibilities of use.218 In

the context of police and judicial cooperation,219 the police has a greater need for

use of electronic information because evidence is less likely to be found in physical

documents than in abstract places ‘in the cloud’,220 and also because of the growing

expectations of society, in particular since 9/11. As a result of developing technologies, there are now, for instance, more possibilities for using biometric data on a

large scale.221

Many of these instruments have a specific data protection regime, which was

complemented only more recently by general EU rules on data protection, in

Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.222

This general regime applies only where personal data are exchanged between

authorities of more than one Member State, not when there is no cross-border element. Where the Council Framework Decision is not applicable,223 the general

regime of Council of Europe Convention 108 applies. For border checks, asylum

and immigration, the specific rules are complemented by the general regime of the

Directive 95/46 on data protection. Declaration (21) on the protection of personal

data in the fields of judicial cooperation in criminal matters and police cooperation

annexed to the Lisbon Treaty confirms the special nature of this area. The said

Declaration (21) was used as justification for adopting a directive with specific rules

on the law enforcement sector,224 and thus excluding this sector from the scope of

the General Data Protection Regulation.225

218



 H. Hijmans and A. Scirocco, “Shortcomings in EU data protection in the Third and the Second

Pillars. Can the Lisbon Treaty be expected to help?”, CMLR, 46, Issue 4, pp. 1485–1525, 2009 at

2.2 and 2.3.

219

 The policies on border checks, asylum and immigration (Title V, Chapter 2 TFEU) are not mentioned here since, strictly speaking, those policies do not fall within the remit of security; in other

words, this is not the main objective of these policies.

220

 Erin Murphy, “The Politics of Privacy in the Criminal Justice System: Information Disclosure,

The Fourth Amendment, and Statutory Law Enforcement Exemptions”, Michigan Law Review,

Vol. 111, No 4, pp. 485–546, 2013 Introduction.

221

 E.g., the ambition to fully use new technology and to create access rights to automated DNA

analysis files and automated dactyloscopic identification (fingerprints) systems is an important

rationale behind Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of crossborder cooperation, particularly in combating terrorism and cross-border crime, OJ L 210/1 (‘Prüm

Decision’), recitals 7 and 10.

222

 OJ L 350/60.

223

 Because of the limitations in the scope of application in its Article 1(2) or because of the precedence given in Article 28 to previously adopted acts of the Union.

224

 Recital (10) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27

April 2016 on the protection of natural persons with regard to the processing of personal data by

competent authorities for the purposes of the prevention, investigation, detection or prosecution of

criminal offences or the execution of criminal penalties, and the free movement of such data, and

repealing Council Framework Decision 2008/977/JHA, OJ L 119/89.

225

 Article 2(2)(d) of the GDPR.



54



2  Privacy and Data Protection as Values of the EU That Matter, Also…



In short, EU law encompasses a developed data protection regime that provides

for balancing the value of a high level of security with the rights to privacy and data

protection. However, this regime is not comprehensive. The term patchwork is quite

regularly used to describe it.226 Despite this non-comprehensive nature, the legislative developments in the area of freedom, security and justice confirm the growing

importance of data protection, independently of the internal market.



2.11  T

 he Right to Data Protection: A Claim Based

on Fairness Providing Safeguards Where Personal Data

Are Processed

The inclusion of data protection in the Charter as a right separate from the right to

privacy is related to the right to informational self-determination, as developed by

the German constitutional court [Bundesverfassungsgericht] in 1983.227 Earlier

drafts of what is now Article 8 Charter were even similar to informational self-­

determination, and mentioned that an individual has a right to determine the disclosure and use of his or her personal data.228 However, the wording in the final text of

the Charter is different.

Whereas it seems evident that the inclusion in the Charter of a separate right to

data protection was inspired by developments in Germany, controversy exists as to

whether the final text must be interpreted in the light of the right to informational

self-determination.229 This controversy is relevant because it provides insight into

the rationale of the right to data protection: does it serve to give an individual control



226



 E.g., Franziska Boehm, Information Sharing and Data Protection in the Area of Freedom,

Security and Justice, Towards Harmonised Data Protection Principles for Information Exchange at

EU-level, Springer, 2012, at 171.

227

 Gerrit Hornung and Christoph Schnabel, “Data protection in Germany I: The population census

decision and the right to informational self-determination”, Computer Law & Security Report,

Volume 25, Issue 1, pp. 84–88, 2009.

228

 See also: G. González Fuster, “The Emergence of Personal Data Protection as a Fundamental

Right of the EU”, Law, Governance and Technology Series 16, 2014, at 6.4.1.

229

 This is argued in an affirmative sense by Orla Lynskey in “Deconstructing Data Protection: The

‘added-value’ of a right to data protection in the EU legal order”, International and Comparative

Law Quarterly, Volume 63, Issue 03, July 2014, pp. 569–597. An opposite view is taken by Peter

Hustinx in “EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General

Data Protection Regulation”, published in the “Collected Courses of the European University

Institute’s Academy of European Law, 24th Session on European Union Law, 1–12 July 2013”; by

Herke Kranenborg in his contribution in Steve Peers, Tamara Hervey, Jeff Kenner and Angela

Ward (eds), The EU Charter of Fundamental Rights, A Commentary (Hart Publishing, 2014),

pp. 228–229; and by Christopher Docksey in “Articles 7 and 8 of the EU Charter: two distinct

fundamental rights”, in: Alain Grosjean (ed.), Enjeux européens et mondiaux de la protection des

données personelles (Éd. Larcier, 2015).



2.11  The Right to Data Protection: A Claim Based on Fairness Providing Safeguards…



55



over his or her personal information, or is it a claim based on fairness, providing

safeguards when personal data are processed?230



2.11.1  D

 oes the Right to Data Protection Serve to Give

an Individual Control Over Personal Information?

In the first hypothesis, based on the right to informational self-determination, the

individual (‘data subject’) has a right to prevent the processing of personal data. The

individual has a right that is comparable to ownership of his personal data,231 and

processing of such data always requires the consent of the individual.232 In this

hypothesis, data protection is essentially a right aimed at reducing information and

power asymmetries in an information society233 by giving the data subject control

over the processing. An argument in support of this hypothesis is that Article 8(1)

Charter is formulated as a positive right to data protection. If this right created only

a claim of fairness, this would not do justice to the unconditional wording of Article

16(1) TFEU and Article 8(1) Charter.234 One could also argue that the presumption

of a prohibition on the processing of sensitive data, stemming from Council of

Europe Convention 108 and included in Article 8 of Directive 95/46 on data

protection,235 is based on this hypothesis. However, arguments against this hypothesis can be found in the broad exceptions to the prohibition in Article 8(2) of

Directive 95/46 and in the fact that the prohibition is not mentioned in Article 8

Charter.



230



 González Fuster and Gutwirth distinguish between a prohibitive and a permissive (or regulatory) notion of data protection in: Gloria González Fuster and Serge Gutwirth, “Opening up personal data protection: a conceptual controversy”, Computer Law & Security Review (CLSR), 29,

pp. 531–539, 2013 at 1–2.

231

 As explained by Nadezhda Purtova, “Property Rights in Personal Data: Learning from the

American Discourse”, Computer Law & Security Review, Vol. 25, No 6, pp. 507–521, 2009.

232

 See: Christopher Docksey, “Articles 7 and 8 of the EU Charter: two distinct fundamental rights”,

in: Alain Grosjean (ed.), Enjeux européens et mondiaux de la protection des données personelles,

Éd. Larcier, 2015.

233

 Orla Lynskey, “Deconstructing Data Protection: The ‘added-value’ of a right to data protection

in the EU legal order”, International and Comparative Law Quarterly, Volume 63, Issue 03, July

2014, notably at 592–597 and literature mentioned there.

234

 This view can be based on a reading where Article 8(2) and Article 8(3) Charter are seen as limitations of the right; see: Gloria Gonzalez Fuster and Serge Gutwirth, “Opening up personal data

protection: a conceptual controversy”, Computer Law & Security Review (CLSR), 29, pp. 531–

539, 2013 at 2.

235

 The system with a prohibition with wide exceptions is retained in Article 9 of the GDPR.



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

10 Historical Development of the Right to Data Protection, Starting as a Response to Technological Developments

Tải bản đầy đủ ngay(0 tr)

×