Tải bản đầy đủ - 0 (trang)
12 Data Protection as ‘Rules of the Game’ or ‘a System of Checks and Balances’

12 Data Protection as ‘Rules of the Game’ or ‘a System of Checks and Balances’

Tải bản đầy đủ - 0trang

60



2  Privacy and Data Protection as Values of the EU That Matter, Also…



This book disagrees with González Fuster on this particular point, in line with

the view that the right to data protection must not be interpreted in line with the right

to self-determination. The book concurs with the position that data protection must

be seen as ‘rules of the game’ or ‘a system of checks and balances’, which finds its

basis in the wording of Article 8(2) Charter, as well as Directive 95/46 and other EU

instruments for data protection. Under EU law, an individual has a claim vis-à-vis

governments and private actors that his or her data are processed in an appropriate

manner in a system of checks and balances, which is specified in the Charter as

“fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law”.256 In Schecke, the Court

stated that Article 8(2) “thus authorises the processing of personal data if certain

conditions are satisfied.”257

However, we must admit that the case law of the Court of Justice does not fully

reflect this position. First, in Schecke, the Court was not entirely consistent. Even

though this case relates to a situation where there is a legitimate basis laid down by

law, the Court nevertheless asked additionally for consent. This additional requirement may be seen as positive in that it gives an individual an additional safeguard

where processing takes place on another legal basis, but it is not in line with the text

of the Charter.258 Second, the Court stated, in Digital Rights Ireland and Seitlinger,259

that an EU directive constitutes an interference with the right to data protection,

precisely because it provides for the processing of personal data. Possibly, the Court

needed this statement in order to be able to examine the directive under Article

52(1) Charter.260 In any event, it is not in line with the position that data protection

does not prevent processing.

A final remark relates to the application of EU data protection law in horizontal

situations. In general, an individual has a claim vis-à-vis governments and private

actors. In addition, Article 16(2) TFEU and Article 8(3) Charter provide that data

processing is subject to the control of an independent authority. As reiterated by the

Court, this is an essential component of the right to data protection.261 As part of the

256



 Article 8(2) Charter, first sentence.

 Joined Cases C-92/09 and C-93/09, Schecke (C-92/09) and Eifert (C-93/09) v Land Hessen,

EU:C:2010:662, at 49.

258

 Para. 64 of the ruling, as discussed in Peter Hustinx, “EU Data Protection Law: The Review of

Directive 95/46/EC and the Proposed General Data Protection Regulation”, published in the

“Collected Courses of the European University Institute’s Academy of European Law, 24th

Session on European Union Law, 1–12 July 2013”, at 4D. See also: Christopher Docksey, “Articles

7 and 8 of the EU Charter: two distinct fundamental rights”, in in: Alain Grosjean (ed.), Enjeux

européens et mondiaux de la protection des données personelles (Éd. Larcier, 2015), at 4b.

259

 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger

(C-594/12), at 36.

260

 If the right to data protection did not entail any prohibition, but instead provided for checks and

balances, how would it be possible to examine limitations of the right in the way foreseen in

Article 52 Charter?

261

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 23; Case C-614/10, Commission v

Austria, EU:C:2012:63, at 37; Case C-288/12, Commission v Hungary, EU:C:2014:237, at 48. The



257



2.12  Data Protection as ‘Rules of the Game’ or ‘a System of Checks and Balances’



61



claim that individuals have that their data are processed in an appropriate manner in

a system of checks and balances they are entitled to control by an independent

authority.262 Obviously this is a claim they have against governments, not against

private actors.



2.12.2  S

 umming Up: The EU and the Member States Must

Establish Checks and Balances

As stated before, the right to data protection not only protects against a government,

but also requires active legislative intervention by the same government. However,

this does not necessarily mean that the right to data protection – despite its wording

(“everyone has the right”) – does not have direct effect.263 Although this may be a

purely hypothetical question under current EU law,264 an answer to this question

would clarify the nature of the right to data protection. This may also be of relevance in situations with an extraterritorial effect or in external EU action.265

The doctrine of direct effect, as developed by the European Court of Justice since

Van Gend and Loos,266 means that provisions of binding EU law that are sufficiently

clear, precise and unconditional can be invoked and relied upon before national

courts.267 It is arguable that, in the absence of any legislative instrument implementing or specifying Article 16 TFEU and Article 8 Charter and thus in the absence of

any other legitimate basis laid down by law, an individual can claim that his or her

data can be processed fairly only for specified purposes and with his or her consent.

This would also mean, in this hypothesis, that the state should refrain from processing in the absence of consent. Furthermore, it would mean that, under the Charter



CJEU refers to recital 62 in the preamble to Directive 95/46, and in the two latter cases also explicitly to Article 8(3) Charter (and Article 16 TFEU).

262

 This is one of the most fundamental differences with the legal system of the United States, as

will be elaborated in Chap. 7 of this book.

263

 On this, see: H. Hijmans and A. Scirocco, “Shortcomings in EU data protection in the Third and

the Second Pillars. Can the Lisbon Treaty be expected to help?”, CMLR, 46: 1485–1525.

264

 Member States have implemented Directive 95/46/EC and Council Framework Decision

2008/977/JHA, while outside the scope of these instruments they are bound by Convention 108.

The EU institutions are bound by Regulation (EC) No 45/2001 of the European Parliament and of

the Council of 18 December 2000 on the protection of individuals with regard to the processing of

personal data by the Community institutions and bodies and on the free movement of such data, OJ

L 8/1.

265

 As will be developed in Chap. 9 of this book.

266

 Case 26/62, Van Gend and Loos, EU:C:1963:1.

267

 See also: Paul Craig and Gráinne de Búrca, EU Law, Text, Cases and Material (Fifth Edition),

Oxford University Press, 2011, Chapter 7.



62



2  Privacy and Data Protection as Values of the EU That Matter, Also…



and in the absence of consent, any processing operation lacking a legitimate basis

laid down in law would, by definition, be illegal.268

Possibly, the right to data protection would indeed have direct effect, in the

absence of a legislative instrument. However, this possibility only makes more evident that EU law requires the European Union (and, where relevant, the Member

States) to establish checks and balances in legislative instruments. Direct effect

does, in substance, not mean much within the hypothesis that the right to data protection does not entail a right to prevent data processing.

Summing up, the position that data protection must be seen as ‘rules of the game’

or ‘a system of checks and balances’ for data processing means that processing of

personal data cannot be seen as interference with a fundamental right under Article

52(1) Charter. The right to data protection is respected insofar as the conditions of

Article 8(2) Charter are fulfilled, and this requires scrutiny of notions such as fairness and legitimacy. In substance, there is similarity with the proportionality test

under Article 52(1) Charter, although this latter test does not serve to determine

whether the conditions for data processing are fulfilled, but whether there is interference with a fundamental right. This implies the application of a different and

much stricter test of appropriateness in an information society. To summarise, the

test under Article 52(1) Charter is not appropriate, in our view, for data protection.269

We find support for this view in the explanation on Article 52(1) Charter by Peers,

who states that Article 52(1) sets out rules that apply if fundamental rights are limited. Article 8(2) Charter does not contain a limitation of the right to data protection,

but only defines the essential conditions for data processing. Hence, Article 52(1)

Charter does not apply to the conditions set under Article 8(2) Charter.270



2.13  P

 rivacy and Data Protection: Two Sides

of the Same Coin

Although not identical, the rights to privacy and data protection – two different

rights in the Charter – are closely connected. They can be seen as civil and political

rights and as reflecting human dignity. As Hustinx underlines, they are “expressions

of a universal idea with quite strong ethical dimensions: the dignity, autonomy and

unique value of every human being”.271

268



 Article 52(1) would not change this since it applies only to “any limitation on the exercise of the

rights and freedoms recognised by this Charter” (underlining by author).

269

 See also Chap. 5, Sects. 5.6 and 5.7 of this book and Gloria González Fuster, “Curtailing a right

in flux: restrictions of the right to personal data protection”, in: Artemi Rallo Lombarte, Rosario

García Mahamut (eds), Hacia un Nuevo derecho europea de protección de datos, Towards a new

European Data Protection Regime (Tirant lo Blanch, 2015).

270

 Peers and Prechal in: Steve Peers, Tamara Hervey, Jeff Kenner and Angela Ward (eds.), The EU

Charter of Fundamental Rights, A Commentary, Hart Publishing, 2014, at 52.34. This statement is

attributable to Peers.

271

 Peter Hustinx, “EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed

General Data Protection Regulation”, published in the “Collected Courses of the European



2.13  Privacy and Data Protection: Two Sides of the Same Coin



63



It was not obvious that the Charter would introduce a fundamental right to data

protection in addition to the right to privacy.272 Data protection does not appear as a

separate fundamental right in other jurisdictions. Even within the Council of Europe,

which adopted Convention 108 on data protection, the main protection of personal

data is provided by the European Court of Human Rights in its case law on Article

8 of the European Convention on Human Rights on the right to private life.273

Moreover, the Explanation on Article 8 of the Charter of Fundamental Rights itself

refers not only to instruments of data protection such as Directive 95/46 and Council

of Europe Convention 108, but also explicitly to Article 8 ECHR.

A common argument for the introduction of data protection as a separate fundamental right is that it is broader than privacy protection since it also relates to other

rights and freedoms274 and protects data regardless of their relationship with privacy.275 However, the question as to whether data protection is merely a subset of privacy, or delivers additional protection, is open to discussion.276 To make it even

more ambiguous, the term used in international contexts, and especially in the

United States, is data privacy.277



University Institute’s Academy of European Law, 24th Session on European Union Law, 1–12 July

2013”, at 1.

272

 On this, see: Orla Lynskey, “Deconstructing Data Protection: The ‘added-value’ of a right to

data protection in the EU legal order”, International and Comparative Law Quarterly, Volume 63,

Issue 03, July 2014, pp. 569–597.

273

 This fairly cautious wording has been chosen since the ECtHR is not used to referring directly

to Convention 108. See: G. González Fuster, “The Emergence of Personal Data Protection as a

Fundamental Right of the EU”, Law, Governance and Technology Series 16, 2014, at 4.3.

274

 The preamble of Convention 108 states: “Considering that it is desirable to extend the safeguards for everyone’s rights and fundamental freedoms, and in particular the right to the respect

for privacy” (underlining by author). Similar wording can be found in all EU instruments on data

protection.

275

 Peter Hustinx, “EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed

General Data Protection Regulation”, published in the “Collected Courses of the European

University Institute’s Academy of European Law, 24th Session on European Union Law, 1–12 July

2013”, at 2B.

276

 Kokott and Sobotta in: Hielke Hijmans and Herke Kranenborg (eds), Data Protection Anno

2014: How to Restore Trust? Contributions in honour of Peter Hustinx, European Data Protection

Supervisor (2004–2014) (Antwerp: Intersentia, 2014), at 83. See also: Orla Lynskey,

“Deconstructing Data Protection: The ‘added–value’ of a right to data protection in the EU legal

order”, International and Comparative Law Quarterly, Volume 63, Issue 03, July 2014, pp 569–

597; Lynskey points to the failure to provide a convincing rationale for including the right to data

protection in the Charter.

277

 In addition, the leading legal journal in the area (UK-based) is called International Data Privacy

Law.



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

12 Data Protection as ‘Rules of the Game’ or ‘a System of Checks and Balances’

Tải bản đầy đủ ngay(0 tr)

×