CHAPTER II – PRIVACY AND DATA PROTECTION
The ‘right to privacy’ and the ‘right to data protection’ have been given equal importance by the Charter of Fundamental Rights of the European Union (‘the Charter’) and yet the relationship between privacy and data protection is not straightforward. Prior to the incorporation of the Charter into Union law as part of the Treaty of Lisbon in 2009, the CJEU cited the provisions of the European Convention on Human Rights (‘the Convention’) when interpreting the Data Protection Directive in relation to fundamental rights.
Article 7 of the Charter, ‘Respect for Private and Family Life’, provides that ‘everyone has the right to respect for his or her private and family life, home and communications’. The wording reflects, in part, Article 8 of the Convention, which is as follows:
‘1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.’
The close connection between Article 7 of the Charter and Article 8 of the Convention was highlighted by the CJEU in Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen.1However, it is important to note that there are differences in the way that private life is interpreted by the European Court of Human Rights (‘ECtHR’) and the CJEU in respect to data protection, in part because of the requirement of finding ‘necessity’ in Article 8(2) of the Convention. The ECtHR has also held that data protection is capable of engaging both Article 8 of the Convention and Article 10 of the Convention (‘the right to freedom of expression’),2 whilst Article 7 and 8 in the Charter are distinct rights.
Article 8 of the Charter, ‘Protection of Personal Data’, provides as follows:
‘8(1): Everyone has the right to the protection of personal data concerning him or her.
8(2): Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
8(3): Compliance with these rules shall be subject to control by an independent authority.’
There is a growing body of case law in the CJEU referring to the right to data protection provided by Article 8 of the Charter. Examples include:
- Fingerprints and passports – Michael Schwarz v Stadt Bochum, Case C-291/12, 17 October 2013.3
- Electronic communications – Digital Rights Ireland Ltd v Ireland, Case C-293/12 and Case C-594-12, 8 April 2014.4
- Social media data – Maximillian Schrems v Data Protection Commissioner Case C-362/14, 6 October 20155; Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems Case C-311/18, 16 July 2020.6
- Door-to-door data collection – Tietosuojavaltuutettu v Jehovan todistajat – uskonnollinen yhdyskunta, Case C-25/17, 10 July 2018.7
- ‘YouTube’ postings – Sergejs Buivids v. Datu valsts inspekcija, Case C-345/17, 14 February 2019.8
- Directories – Deutsche Telekom AG v Bundesrepublik Deutschland, Case C-543/09, 5 May 2011.9
Despite the fact that privacy and data protection are defined as two separate rights in the Charter, the jurisprudence of Europe’s highest courts has considered there to be an interrelationship between privacy and data protection. The CJEU has interpreted the scope of private life as including the protection of personal data: ‘it must be considered that the right to respect for private life with regard to the processing of personal data, recognised by Articles 7 and 8 of the Charter, concerns any information relating to an identified or identifiable individual and the limitations which may lawfully be imposed on the right to the protection of personal data correspond to those tolerated in relation to Article 8 of the Convention’.10
The ECtHR has, in a number of cases, similarly found a connection between personal data and the right to private life, finding that the storing of personal data falls within the ambit of Article 8 of the Convention.11 A broad range of data has been considered by the ECtHR in the context of private life, including: telecommunications data,12 personal information in public files,13 analysis of internet and telephone usage,14 DNA and fingerprint records,15 personal information placed in an online advertisement,16 and a record of a spent conviction.17
However, it is unclear how privacy as defined by the Convention will influence the interpretation of the fundamental rights and freedoms referred to in the GDPR. The GDPR has expanded the approach to data protection so that all rights and freedoms that are affected by data processing are now relevant. It incorporates all fundamental rights and freedoms recognised in the Charter:
‘This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity’.18
These fundamental rights and freedoms go beyond that of privacy and data protection, such that it must therefore be borne in mind that the GDPR can be applied by individuals to safeguard a variety of interests, albeit that the starting point will need to be some sort of interference with their personal data. Accordingly, it will be important to be aware of the jurisprudence in relation to other rights, which have been affected by the processing of personal data, and that has caused undesirable outcomes or differential treatment. This may also include the impact on a fundamental right as a result of a data subject enforcing a data protection right. In Volker und Markus Scheke GbR, the court described the right to data protection under the Charter as one which is not absolute, and which must be considered in relation to its function in society.19
Discrimination – Huber v Germany, Case C-524/06, 16 December 2008.20
- The right to an effective remedy – Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems Case C-311/18, 16 July 2020.21
Freedom of expression – Bodil Lindqvist v Åklagarkammaren i Jönköping, Case C-101/01, 6 November 2003.22
Protection of property – Promusicae v Telefónica de España SAU, Case C-275/06, 29 January 2008,23Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), Case C-70/10, 24 November 2011.24
Access to documents – Egan & Hackett v European Parliament, Case T-190/10, 28 March 2012.25
1CJEU Cases C-468/10 and C-469/10, 9 November 2010, ECLI:EU:C:2010:662, at paragraph 47.
10Volker und Markus Schecke GbR, ibid., paragraph 52.
11Leander v Sweden, 26 March 1987, Series A no. 116; Amann v Switzerland, Application No. 27798/95, 16 February 2000; Rotaru v Romania, Application No. 28341/95, 4 May 2000; Segerstedt- Wiberg and Others v. Sweden, no. 62332/00, 6 June 2006.
12Liberty & Others v United Kingdom, Application No. 58234/00, 1 July 2008.
13Volker und Markus Schecke GbR, ibid.
14Copland v. United Kingdom, Application No. 62617/00, 3 April 2007.
15S&Marper v UK, Application Nos. 30562/04 and 30566/04, 4 December 2008.
16K.U. v. Finland, Application No. 2872/02, 2 December 2.
17MM v U.K. Application No. 24029/07 (13 November 2012).
18Recital 4 of the GDPR. ‘Fundamental rights and freedoms’ are referred to throughout the GDPR, see recitals 2, 10, 16, 47, 51, 69, and 113.
19Volker und Markus Schecke GbR, ibid., paragraph 48.
21Ibid., footnote 6.