Tải bản đầy đủ - 0 (trang)
11 The Right to Data Protection: A Claim Based on Fairness Providing Safeguards Where Personal Data Are Processed

11 The Right to Data Protection: A Claim Based on Fairness Providing Safeguards Where Personal Data Are Processed

Tải bản đầy đủ - 0trang

2.11  The Right to Data Protection: A Claim Based on Fairness Providing Safeguards…



55



over his or her personal information, or is it a claim based on fairness, providing

safeguards when personal data are processed?230



2.11.1  D

 oes the Right to Data Protection Serve to Give

an Individual Control Over Personal Information?

In the first hypothesis, based on the right to informational self-determination, the

individual (‘data subject’) has a right to prevent the processing of personal data. The

individual has a right that is comparable to ownership of his personal data,231 and

processing of such data always requires the consent of the individual.232 In this

hypothesis, data protection is essentially a right aimed at reducing information and

power asymmetries in an information society233 by giving the data subject control

over the processing. An argument in support of this hypothesis is that Article 8(1)

Charter is formulated as a positive right to data protection. If this right created only

a claim of fairness, this would not do justice to the unconditional wording of Article

16(1) TFEU and Article 8(1) Charter.234 One could also argue that the presumption

of a prohibition on the processing of sensitive data, stemming from Council of

Europe Convention 108 and included in Article 8 of Directive 95/46 on data

protection,235 is based on this hypothesis. However, arguments against this hypothesis can be found in the broad exceptions to the prohibition in Article 8(2) of

Directive 95/46 and in the fact that the prohibition is not mentioned in Article 8

Charter.



230



 González Fuster and Gutwirth distinguish between a prohibitive and a permissive (or regulatory) notion of data protection in: Gloria González Fuster and Serge Gutwirth, “Opening up personal data protection: a conceptual controversy”, Computer Law & Security Review (CLSR), 29,

pp. 531–539, 2013 at 1–2.

231

 As explained by Nadezhda Purtova, “Property Rights in Personal Data: Learning from the

American Discourse”, Computer Law & Security Review, Vol. 25, No 6, pp. 507–521, 2009.

232

 See: Christopher Docksey, “Articles 7 and 8 of the EU Charter: two distinct fundamental rights”,

in: Alain Grosjean (ed.), Enjeux européens et mondiaux de la protection des données personelles,

Éd. Larcier, 2015.

233

 Orla Lynskey, “Deconstructing Data Protection: The ‘added-value’ of a right to data protection

in the EU legal order”, International and Comparative Law Quarterly, Volume 63, Issue 03, July

2014, notably at 592–597 and literature mentioned there.

234

 This view can be based on a reading where Article 8(2) and Article 8(3) Charter are seen as limitations of the right; see: Gloria Gonzalez Fuster and Serge Gutwirth, “Opening up personal data

protection: a conceptual controversy”, Computer Law & Security Review (CLSR), 29, pp. 531–

539, 2013 at 2.

235

 The system with a prohibition with wide exceptions is retained in Article 9 of the GDPR.



56



2  Privacy and Data Protection as Values of the EU That Matter, Also…



2.11.2  I s the Right to Data Protection a Claim Based

on Fairness, Providing Safeguards Where Personal

Data Are Processed?

In the second hypothesis, a right to prevent processing does not exist. In the words

of Hustinx, data protection “was not designed to prevent the processing of such

information or to limit the use of information technology per se”.236 In this

­hypothesis, Article 8(2) contains the substantive elements of the right to data protection itself.237 The key criteria can be found in the first sentence of Article 8(2)

Charter, which requires personal data to be “processed fairly for specified purposes

and on the basis of the consent of the person concerned or some other legitimate

basis laid down by law”. Fairness and purpose limitation are the determining factors, and consent of the individual is only one of a number of legitimate bases for

processing.238

The second hypothesis is further supported by Article 7(f) of Directive 95/46 on

data protection, which, subject to a balancing test, allows processing “necessary for

the purposes of the legitimate interests pursued by the controller or by the third

party or parties to whom the data are disclosed”.239 As explained above, Directive

95/46 was at the basis of Article 8 Charter. In ASNEF and FECEMD,240 the Court of

Justice accepted that Article 7(f) of Directive 95/46 necessitated a balancing of the

opposing rights and interests, provided that the significance of Articles 7 and 8

Charter was taken into account. In Google Spain and Google Inc.,241 the Court also

emphasised that Article 7(f) necessitates a balancing of the opposing rights and

interests concerned. Article 7(f) is the basis for the processing of personal data by a

search engine.

In our view, the second hypothesis prevails.242 This is the result of the way the

Court of Justice deals with data protection, which emphasises the balancing of



236



 Peter Hustinx, “EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed

General Data Protection Regulation”, published in the “Collected Courses of the European

University Institute’s Academy of European Law, 24th Session on European Union Law, 1–12 July

2013”, at 1. See also: Raphael Gellert and Serge Gutwirth, in “The legal construction of privacy

and data protection”, Computer Law & Security Review (CLSR) 29 (2013), pp. 522–530, where

they state that data protection by default accepts data processing.

237

 Gloria González Fuster and Serge Gutwirth, “Opening up personal data protection: a conceptual

controversy”, Computer Law & Security Review (CLSR), 29, pp. 531–539, 2013 at 2.

238

 Herke Kranenborg in: Steve Peers, Tamara Hervey, Jeff Kenner and Angela Ward (eds), The EU

Charter of Fundamental Rights, A Commentary, Hart Publishing, 2014, at 249–251.

239

 See also: Article 29 Data Protection Working Party, Opinion 06/2014 of 9 April 2014 on the

“Notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC”, WP

217.

240

 Joined Cases C-468/10 and C-469/10, ASNEF and FECEMD, EU:C:2011:777, at 39–40.

241

 Case C-131/12, Google Spain and Google Inc., EU:C:2014:317, at 74–76.

242

 Deborah Hurley explains that privacy supports autonomy, self-determination and dignity, in:

Marc Rotenberg, Julia Horwitz, Jeramie Scott (eds), Privacy in the Modern Age, The Search for



2.11  The Right to Data Protection: A Claim Based on Fairness Providing Safeguards…



57



various interests. The balancing of interests is an elaboration of the notion of fairness and would not fit within a hypothesis where an individual is in control. We

explain this view as follows. Suppose the first hypothesis were to be followed and

there was a positive right to data protection under Article 16(1) TFEU and Article

8(1) Charter, based on control by the individual and with his consent as the rule.

This would, in principle, mean that consent would be necessary under all circumstances and that processing on any other grounds would be impossible. Processing

on a ground other than consent would be considered an exception to the right to

data protection and would be subject to the strict proportionality test under Article

52(1) Charter.243 It is difficult to imagine how a balancing of various interests, as

foreseen in Article 7(f) of Directive 95/46, could comply with this strict proportionality test for exceptions to fundamental rights.

In view of internet developments, the second hypothesis is also the realistic

hypothesis, with big data being the clearest example. The issue at stake in Google

Spain and Google Inc.244 provides a perfect illustration of this. Processing of personal data without consent of the data subject is a core activity of search engines. If

the data subject had control over data processing, this would mean that search

engines would not be able to process personal data, unless the data subject had given

his consent or unless a specific legal basis were to be given for the search engines’

processing activities in accordance with Article 52(1) Charter.



2.11.3  T

 he Right to Data Protection Provides for a System

of Checks and Balances Based on Fairness

In Digital Rights Ireland and Seitlinger, the Court of Justice placed emphasis on a

concept of data protection, which was not mentioned yet: it closely linked data protection and data security. Data security was even referred to as an element of the

essence of the fundamental right to data protection245 that, pursuant to Article 52(1)

Charter, should always be respected.

The Court of Justice considers that Directive 2006/24 on data retention does not

adversely affect the essence of the right to data protection because the directive



Solutions, The New Press, 2015, at 70. The position taken in this book means that autonomy and

dignity, but not self-determination, are the underlying values of data protection.

243

 As explained in Section 6.

244

 Case C-131/12, Google Spain and Google Inc., EU:C:2014:317.

245

 In a paper of 2013 Gellert and Gutwirth dismissed the assumption that there is an ‘essence’ of

the right to data protection (in the same way as they dismissed the essence of privacy, see footnote

241 above). This dismissal illustrates the complicated nature of the right to data protection. In

view, however, of the recent case law, the statement as such is no longer valid. See: Raphael Gellert

and Serge Gutwirth, “The legal construction of privacy and data protection”, Computer Law &

Security Review (CLSR), 29, pp. 522–530, 2013.



58



2  Privacy and Data Protection as Values of the EU That Matter, Also…



requires certain principles of data protection and data security to be respected.246

Respect for these principles must entail the adoption of appropriate technical and

organisational measures to avoid accidental or unlawful destruction, accidental loss

or alteration of the data.247 Although this explanation of the essence may not be fully

clear,248 it does confirm the view that the right to data protection does not prevent

data processing, but instead provides for a system of checks and balances based on

fairness. The appropriate technical and organisational measures mentioned by the

Court are an example of checks and balances.

However, the emphasis on fairness must not result in weak protection of a fundamental right under primary EU law.249 Taking fairness as a constitutive element of

data protection does not imply that the scope of protection should be limited to situations where there is evidence of harm or risks for the data subject. It has nothing to

do with the debate surrounding a risk-based approach or the accountability of data

controllers and processors.250 Similarly, it also does not relate to discussions on the

meaning of the consent of data subjects, in particular in the online environment.

Consent as an indication of the wishes of the data subject can either be understood

as ‘opt-in’ or ‘opt-out’. The first interpretation gives the individual a claim that data

can only be processed if the individual has given permission (opt-in), while the latter interpretation means that the data subject must be able to object to processing

(opt-out).251



246



 Article 7 of Directive 2006/24/EC of the European Parliament and of the Council of 15 March

2006 on the retention of data generated or processed in connection with the provision of publicly

available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ L 105/54.

247

 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger

(C-594/12), at 40.

248

 It is uncertain, for instance, whether the element the CJEU mentions is the only constitutive

element of the essence; see: Gloria González Fuster, “Curtailing a right in flux: restrictions of the

right to personal data protection”, in: Artemi Rallo Lombarte, Rosario García Mahamut (eds),

Hacia un Nuevo derecho europea de protección de datos, Towards a new European Data Protection

Regime (Tirant lo Blanch, 2015), at 516.

249

 Ferretti concludes that the balancing under Article 7(f) of Directive 95/46 weakens the protection; see: Federico Ferretti, “Data protection and the legitimate interest of data controllers: Much

ado about nothing or the winter of rights?”, CMLR 51 (2014), Issue 3, pp. 843–868.

250

 See Chap. 6, Sect. 6.14 of this book.

251

 See also: Eleni Kosta, “Construing the Meaning of ‘Opt-Out’ – An Analysis of the European,

U.K. and German Data Protection Legislation”, European Data Protection Law Review, 1,

pp. 16–31, 2015.



2.12  Data Protection as ‘Rules of the Game’ or ‘a System of Checks and Balances’



59



2.12  D

 ata Protection as ‘Rules of the Game’ or ‘a System

of Checks and Balances’

Authors argue that the right to data protection is of a different nature than the right

to privacy (or other first-generation fundamental rights) since its main objective is

not to protect against interference by government, but to ensure that when personal

data are processed, certain legal conditions are observed.252 In other words, the right

does not entail that the government (or any other party) refrains from interfering

with the right by abstaining from processing.



2.12.1  D

 iverging Views on the Legitimacy of Processing

Personal Data

As Docksey explains,253 the processing of personal data is a condition for the application of Article 8 Charter, not an interference with it. He defines Article 8 Charter

as rules of the game for processing, or “a sort of Digital Highway Code”. Hustinx

asserts that the right to data protection as laid down in EU law is “intended as a

system of ‘checks and balances’ to provide a structural protection to individuals in

a wide range of situations”,254 irrespective of whether any normative value in a concrete situation is affected.

González Fuster takes a different position255 by explaining that any processing of

personal data constitutes a limitation of the right to data protection under Article

8(1) Charter. The conditions for the lawfulness of limitations are laid down in

Article 8(2) Charter, which should be read in conjunction with Article 52(1) Charter,

the general provision on limitations of fundamental rights.



252



 Peter Hustinx, “EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed

General Data Protection Regulation”, published in the “Collected Courses of the European

University Institute’s Academy of European Law, 24th Session on European Union Law, 1–12 July

2013”; Christopher Docksey, “Articles 7 and 8 of the EU Charter: two distinct fundamental rights”,

in: Alain Grosjean (ed.), Enjeux européens et mondiaux de la protection des données personelles,

Éd. Larcier, 2015.

253

 Christopher Docksey, “Articles 7 and 8 of the EU Charter: two distinct fundamental rights”, in:

Alain Grosjean (ed.), Enjeux européens et mondiaux de la protection des données personelles, Éd.

Larcier, 2015, at 3.

254

 Peter Hustinx, “EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed

General Data Protection Regulation”, published in the “Collected Courses of the European

University Institute’s Academy of European Law, 24th Session on European Union Law, 1–12 July

2013”, at 2C.

255

 Gloria González Fuster, “Curtailing a right in flux: restrictions of the right to personal data protection”, in: Artemi Rallo Lombarte, Rosario García Mahamut (eds), Hacia un Nuevo derecho

europea de protección de datos, Towards a new European Data Protection Regime, Tirant lo

Blanch, 2015, e.g. at 527–528.



60



2  Privacy and Data Protection as Values of the EU That Matter, Also…



This book disagrees with González Fuster on this particular point, in line with

the view that the right to data protection must not be interpreted in line with the right

to self-determination. The book concurs with the position that data protection must

be seen as ‘rules of the game’ or ‘a system of checks and balances’, which finds its

basis in the wording of Article 8(2) Charter, as well as Directive 95/46 and other EU

instruments for data protection. Under EU law, an individual has a claim vis-à-vis

governments and private actors that his or her data are processed in an appropriate

manner in a system of checks and balances, which is specified in the Charter as

“fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law”.256 In Schecke, the Court

stated that Article 8(2) “thus authorises the processing of personal data if certain

conditions are satisfied.”257

However, we must admit that the case law of the Court of Justice does not fully

reflect this position. First, in Schecke, the Court was not entirely consistent. Even

though this case relates to a situation where there is a legitimate basis laid down by

law, the Court nevertheless asked additionally for consent. This additional requirement may be seen as positive in that it gives an individual an additional safeguard

where processing takes place on another legal basis, but it is not in line with the text

of the Charter.258 Second, the Court stated, in Digital Rights Ireland and Seitlinger,259

that an EU directive constitutes an interference with the right to data protection,

precisely because it provides for the processing of personal data. Possibly, the Court

needed this statement in order to be able to examine the directive under Article

52(1) Charter.260 In any event, it is not in line with the position that data protection

does not prevent processing.

A final remark relates to the application of EU data protection law in horizontal

situations. In general, an individual has a claim vis-à-vis governments and private

actors. In addition, Article 16(2) TFEU and Article 8(3) Charter provide that data

processing is subject to the control of an independent authority. As reiterated by the

Court, this is an essential component of the right to data protection.261 As part of the

256



 Article 8(2) Charter, first sentence.

 Joined Cases C-92/09 and C-93/09, Schecke (C-92/09) and Eifert (C-93/09) v Land Hessen,

EU:C:2010:662, at 49.

258

 Para. 64 of the ruling, as discussed in Peter Hustinx, “EU Data Protection Law: The Review of

Directive 95/46/EC and the Proposed General Data Protection Regulation”, published in the

“Collected Courses of the European University Institute’s Academy of European Law, 24th

Session on European Union Law, 1–12 July 2013”, at 4D. See also: Christopher Docksey, “Articles

7 and 8 of the EU Charter: two distinct fundamental rights”, in in: Alain Grosjean (ed.), Enjeux

européens et mondiaux de la protection des données personelles (Éd. Larcier, 2015), at 4b.

259

 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger

(C-594/12), at 36.

260

 If the right to data protection did not entail any prohibition, but instead provided for checks and

balances, how would it be possible to examine limitations of the right in the way foreseen in

Article 52 Charter?

261

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 23; Case C-614/10, Commission v

Austria, EU:C:2012:63, at 37; Case C-288/12, Commission v Hungary, EU:C:2014:237, at 48. The



257



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

11 The Right to Data Protection: A Claim Based on Fairness Providing Safeguards Where Personal Data Are Processed

Tải bản đầy đủ ngay(0 tr)

×