FREE CHAPTER from ‘Biometric Data and New Technologies – The Law and Practical Issues on Technologies Such as CCTV, Facial Recognition and Drones’ by Melissa Stock


There is an overlapping relationship between data protection and privacy law, although the interrelationship between the two can often be complex. As an area of law which is still developing it is not always clear how the relationship will change over time. Added to this complexity is Brexit, which has removed the UK from the European Union (‘EU’) while retaining the majority of the legislation that was enacted while still part of Europe.

The ‘right to privacy’ and the ‘right to data protection’ have been given equal importance by the Charter of Fundamental Rights of the EU (‘the Charter’) and yet the relationship between privacy and data protection is not straightforward. Prior to the incorporation of the Charter into EU law as part of the Treaty of Lisbon in 2009, the Court of Justice of the European Union (‘CJEU’) cited the provisions of the European Convention on Human Rights (‘the Convention’) when interpreting the Data Protection Directive in relation to fundamental rights.

Article 7 of the Charter, ‘Respect for Private and Family Life’, provides that ‘everyone has the right to respect for his or her private and family life, home and communications’. The wording reflects, in part, Article 8 of the Convention, which is as follows:

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.’

The close connection between Article 7 of the Charter and Article 8 of the Convention was highlighted by the CJEU in Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen.1However, it is important to note that there are differences in the way that private life is interpreted by the European Court of Human Rights (‘ECtHR’) and the CJEU in respect to data protection, in part because of the requirement of finding ‘necessity’ in Article 8(2) of the Convention. The ECtHR has also held that data protection is capable of engaging both Article 8 of the Convention and Article 10 of the Convention (‘the right to freedom of expression’),2 while Article 7 and 8 in the Charter are distinct rights.

Article 8 of the Charter, ‘Protection of Personal Data’, provides as follows:

8(1): Everyone has the right to the protection of personal data concerning him or her.

8(2): Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

8(3): Compliance with these rules shall be subject to control by an independent authority.’

There is a growing body of case law in the CJEU referring to the right to data protection provided by Article 8 of the Charter. Examples include:

  • Fingerprints and passports – Michael Schwarz v Stadt Bochum, Case C-291/12, 17 October 2013.3
  • Electronic communications – Digital Rights Ireland Ltd v Ireland, Case C-293/12 and Case C-594-12, 8 April 2014.4
  • Social media data – Maximillian Schrems v Data Protection Commissioner Case C-362/14, 6 October 20155; Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems Case C-311/18, 16 July 2020.6
  • Door-to-door data collection – Tietosuojavaltuutettu v Jehovan todistajat – uskonnollinen yhdyskunta, Case C-25/17, 10 July 2018.7
  • YouTube’ postings – Sergejs Buivids v. Datu valsts inspekcija, Case C-345/17, 14 February 2019.8
  • Directories – Deutsche Telekom AG v Bundesrepublik Deutschland, Case C-543/09, 5 May 2011.9

Despite the fact that privacy and data protection are defined as two separate rights in the Charter, the jurisprudence of Europe’s highest courts has considered there to be an interrelationship between privacy and data protection. The CJEU has interpreted the scope of private life as including the protection of personal data: ‘it must be considered that the right to respect for private life with regard to the processing of personal data, recognised by Articles 7 and 8 of the Charter, concerns any information relating to an identified or identifiable individual and the limitations which may lawfully be imposed on the right to the protection of personal data correspond to those tolerated in relation to Article 8 of the Convention’.10

The ECtHR has, in a number of cases, similarly found a connection between personal data and the right to private life, finding that the storing of personal data falls within the ambit of Article 8 of the Convention.11 A broad range of data has been considered by the ECtHR in the context of private life, including: telecommunications data,12 personal information in public files,13 analysis of internet and telephone usage,14 DNA and fingerprint records,15 personal information placed in an online advertisement,16 and a record of a spent conviction.17

However, it is unclear how privacy as defined by the Convention will influence the interpretation of the fundamental rights and freedoms referred to in the GDPR. The GDPR has expanded the approach to data protection so that all rights and freedoms that are affected by data processing are now relevant. It incorporates all fundamental rights and freedoms recognised in the Charter:

This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity’.18

These fundamental rights and freedoms go beyond that of privacy and data protection, such that it must therefore be borne in mind that the GDPR can be applied by individuals to safeguard a variety of interests, albeit that the starting point will need to be some sort of interference with their personal data. Accordingly, it will be important to be aware of the jurisprudence in relation to other rights, which have been affected by the processing of personal data, and that has caused undesirable outcomes or differential treatment. This may also include the impact on a fundamental right as a result of a data subject enforcing a data protection right. In Volker und Markus Scheke GbR, the court described the right to data protection under the Charter as one which is not absolute, and which must be considered in relation to its function in society.19


  • Discrimination – Huber v Germany, Case C-524/06, 16 December 2008.20

  • The right to an effective remedy – Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems Case C-311/18, 16 July 2020.21
  • Freedom of expression – Bodil Lindqvist v Åklagarkammaren i Jönköping, Case C-101/01, 6 November 2003.22

  • Protection of property – Promusicae v Telefónica de España SAU, Case C-275/06, 29 January 2008,23Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), Case C-70/10, 24 November 2011.24

  • Access to documents – Egan & Hackett v European Parliament, Case T-190/10, 28 March 2012.25

Privacy law claims in the UK are usually brought under the cause of action of ‘misuse of private information’. This is a relatively new tort that emerged in the common law to give effect to Article 8 of the Convention so that an individual could protect their right to privacy where there was no pre-existing relationship of confidence. The tort was first realised in the case of Campbell v Mirror Group Newspapers Ltd [2004] UKHL, which extended the law of confidence to protect individuals from unlawful disclosure of information in which they have ‘a reasonable expectation of privacy’.

There is a two-stage test to establish the cause of action. The first stage is to establish whether the claimant has a reasonable expectation of privacy in relation to the information that forms the subject of the claim. This involves an objective assessment of the circumstances in the case, including: the attributes of the claimant, the nature and purpose of the use of the information, the effect the use has on the claimant, and the circumstances in which the information came into the possession of the discloser (see Murray v Express Newspapers Plc [2008] Civ 466). There is no presumption that a reasonable expectation of privacy is lost if the information is in the public domain, but the degree to which it undermines the right must be assessed by the court.

If the first stage is established, then the second stage is to determine whether in all the circumstances, the privacy rights of the claimant is outweighed by the other party’s countervailing interests. In most cases to date, this has been the right to freedom of expression, although there may be other legitimate interests of the discloser that could be considered. Misuse of private information is a more attractive claim to pursue by claimants because it has received much higher awards in damages than in data protection claims.26


1 CJEU Cases C-468/10 and C-469/10, 9 November 2010, ECLI:EU:C:2010:662, at paragraph 47.

2 See the cases McMichael v UK (1995) 20 EHRR 205 and Társaság a Szabadságjogokért v. Hungary, application no. 37374/05, 14 April 2009.

3 ECLI:EU:C:2013:670.

4 ECLI:EU:C:2014:238.

5 ECLI:EU:C:2015:650.

6 ECLI:EU:C:2020:559.

7 ECLI:EU:C:2018:551.

8 ECLI:EU:C:2019:122.

9 ECLI:EU:C:2011:279.

10Volker und Markus Schecke GbR, ibid., paragraph 52.

11Leander v Sweden, 26 March 1987, Series A no. 116; Amann v Switzerland, Application No. 27798/95, 16 February 2000; Rotaru v Romania, Application No. 28341/95, 4 May 2000; Segerstedt- Wiberg and Others v. Sweden, no. 62332/00, 6 June 2006.

12Liberty & Others v United Kingdom, Application No. 58234/00, 1 July 2008.

13Volker und Markus Schecke GbR, ibid.

14 Copland v. United Kingdom, Application No. 62617/00, 3 April 2007.

15 S&Marper v UK, Application Nos. 30562/04 and 30566/04, 4 December 2008.

16K.U. v. Finland, Application No. 2872/02, 2 December 2.

17 MM v U.K. Application No. 24029/07 (13 November 2012).

18 Recital 4 of the GDPR. ‘Fundamental rights and freedoms’ are referred to throughout the GDPR, see recitals 2, 10, 16, 47, 51, 69, and 113.

19 Volker und Markus Schecke GbR, ibid., paragraph 48.

20 ECLI:EU:C:2008:724.

21 Ibid., footnote 6.

22 ECLI:EU:C:2003:596.

23 ECLI:EU:C:2008:54.

24 ECLI:EU:C:2011:771.

25 ECLI:EU:T:2012:165.

26 The case of Gulati v MGN Ltd [2015] EWHC 1482 (Ch) established the methodology for awards in misuse of private information claims.