
A risk-based approach and safeguarding the fundamental right to data protection: a role for accountability?


Academic year: 2021


A risk-based approach and safeguarding the fundamental right to data protection: a role for accountability?

Nathalie Bersan McNabb | 10509011 | Master’s thesis

LL.M. International & European Law: European Union Law, University of Amsterdam, the Netherlands

Supervisor: Maria Weimer

Word count: 12,170 (excl. title page, abstract, table of contents and bibliography)

Date of submission: Thursday, 28 July 2016


Abstract

In 2012 the European Commission put forward a draft General Data Protection Regulation (‘GDPR’) to amend the current legal framework for data protection. The GDPR aims to protect the fundamental rights and freedoms of natural persons with regard to their right to the protection of personal data (the fundamental right to data protection). The GDPR, as adopted in April 2016, embraces a risk-based approach whereby a number of legal obligations only come into effect where the data processing represents a high risk to the rights and freedoms of the individuals. The fundamental right to data protection is thereby closely linked to the concept of risk. The GDPR furthermore introduces a principle of accountability, which essentially requires data controllers to implement appropriate and effective measures to put the principles and obligations of the Regulation into effect, and to demonstrate this on request. The levels of accountability obligations may vary depending on the risk posed by the processing in question.

This thesis discusses the dynamic of risk and a fundamental right in the context of the principle of accountability and the extent to which this dynamic helps to safeguard the fundamental right to data protection. The thesis concludes that a risk-based approach is flexible enough to evolve with modern technologies but stringent enough to address potential malicious infringements or transgressions of the fundamental right to data protection. A risk-based approach is able to offer universal protection of the fundamental right to data protection while placing a more onerous obligation only on entities seeking to engage in processing activities with a higher risk profile; at the same time it threatens to lower the guaranteed level of protection and thereby to displace the European idea of a fundamental right.

The role for accountability in this dynamic relies on stringent enforcement measures, both from within the entity and from the supervisory authorities. The ultimate role for accountability is therefore determined by the extent to which the principle is enforced.


Table of Contents

1 Introduction ... 4

2 Methodology ... 6

3 Regulatory Approaches to Data Protection ... 7

3.1 Relevance of Data Protection Legislation ... 7

3.2 First Response ... 8

3.3 Top-down approach ... 9

3.4 Co-regulatory approach ... 9

3.5 Self-regulatory approach ... 10

3.6 The EU approach to data protection ... 11

4 The General Data Protection Regulation (GDPR) ... 11

4.1 Actors ... 11

4.1.1 Data subjects and processing ... 11

4.1.2 Data Controller ... 12

4.1.3 Data Processor ... 13

4.1.4 Data Protection Officer ... 14

4.1.5 Authorities ... 14

4.1.6 National courts ... 15

4.2 The Principle of Accountability ... 16

4.2.1 Obligations ... 17

4.2.2 Enforcement ... 18

5 A risk-based approach to ensuring the fundamental right to data protection ... 19

5.1 Risks ... 19

5.1.1 Risk regulation ... 19

5.1.2 Concept of risk ... 20

5.2 Rights ... 21

5.2.1 Theory of a right ... 21

5.2.2 Fundamental rights in the European Union ... 24

5.2.3 Data protection as a fundamental right ... 26

5.3 The dynamic of a risk and a right and the role for accountability ... 28

6 Conclusion ... 31


1 Introduction

In 2012 the European Commission put forward a draft General Data Protection Regulation (‘GDPR’) to reform the current legal framework for data protection and to make Europe “fit for the digital age”.1 The GDPR aims to protect the fundamental rights and freedoms of natural persons with regard to their right to the protection of personal data (the fundamental right to data protection).2 It sets out rules relating to the protection of natural persons with regard to the processing of personal data3 and to the free movement of personal data.4 It is the first time in European history that the application of a fundamental right is to be regulated by a directly applicable EU regulation.5 The GDPR applies from 25 May 2018.6

In the Council’s first reading of the GDPR in 2014, it highlighted the need to reduce the administrative burden and compliance costs associated with the Regulation. The Council envisaged a central role for a risk-based approach in this regard.7 The final text of the GDPR, as adopted in April 2016, embraces such a risk-based approach whereby a number of legal obligations only come into effect where the data processing represents a high risk to the rights and freedoms of the individual.8 The fundamental right to data protection is thereby closely linked to the concept of risk.9

1 European Commission, 'Reform of EU data protection rules' (2016) <http://ec.europa.eu/justice/data-protection/reform/index_en.htm> accessed 1 May 2016

2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] L 119/1, Article 1(2)

3 Ibid, Article 4(1): ‘‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’

4 Ibid, Article 1(1)

5 Jan Philipp Albrecht, 'Conclusion: EU Data Protection Reform, Plenary Speech, 13.4.2016, Part 1' (2016) <https://www.youtube.com/watch?v=Oz8-itX5kVU> accessed 1 May 2016; European Commission, 'EU Charter of Fundamental Rights' <http://ec.europa.eu/justice/fundamental-rights/charter/index_en.htm> accessed 12 June 2016, Article 8; Reg 2016/679 GDPR, Preamble (1): ‘The protection of natural persons in relation to the processing of personal data is a fundamental right’

6 Reg 2016/679 GDPR, Article 99, stating that ‘It shall apply from 25 May 2018.’

7 Council of the European Union, 'Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [First reading]' (2014) <http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2013772%202014%20INIT> accessed 18 July 2016

8 Richard Beaumont, 'What is High Risk Data Processing?' (2014) <http://www.eudataprotectionlaw.com/what-is-high-risk-data-processing/> accessed 18 July 2016, emphasis added


A risk-based approach has been seen in other fields of law, such as legislation aimed at the minimisation of risks to health, the environment and financial well-being.10 Academic debate on the role of risk in data protection is mixed however. The Chair of the Article 29 Working Party (WP29),11 Isabelle Falque-Pierrotin, has criticised the GDPR’s scope of applicability in the sense that some legal obligations only apply to “risky” processing activities. Instead, she supports a system in which all forms of processing fall within the scope of the regulation.12 Quelle furthermore argues that risk regulation makes the protection of fundamental rights dependent on the likelihood and severity of a potential interference, thereby questioning whether the GDPR can offer a “full rights” protection, where the risk of processing is considered too low.13 The dynamic of a risk-based approach in the protection of a fundamental right is therefore distinct and worthy of further attention.

This thesis aims to explore the extent to which the GDPR ensures the fundamental right to data protection. The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, highlighted an important concept in this regard. Buttarelli stated that ‘in order to effectively respect the fundamental right to data protection (…) EU institutions and bodies must ensure accountability.’14 The principle of accountability essentially requires data controllers to implement appropriate and effective measures to put the principles and obligations of the Regulation into effect, and to demonstrate this on request.15 A risk-based approach also plays a central role here: the level of accountability obligations may vary depending on the risk posed by the processing in question.16

10 Julia Black, 'The Role of Risk in Regulatory Processes' in Robert Baldwin, Martin Cave and Martin Lodge (eds), The Oxford Handbook of Regulation (Oxford University Press 2010), 305

11 A group of representatives of the national data protection authorities (DPAs), the EDPS and the European Commission

12 Winston Maxwell, 'EU Regulation: Article 29 Chief Criticizes Risk-Based Approach' (Hogan Lovells, 2014) <http://www.hldataprotection.com/2014/12/articles/international-eu-privacy/article-29-chief-criticizes-risk-based-approach/> accessed 15 June 2016

13 Claudia Quelle, 'Does the risk-based approach to data protection conflict with the protection of fundamental rights on a conceptual level?' <http://ssrn.com/abstract=2726073> accessed 10 June 2016, 2

14 European Data Protection Supervisor, 'Press Release - EDPS: greater accountability of EU institutions and bodies and involvement of DPOs for better data protection' (EDPS/12/16, 2012) <http://bit.ly/1pPXg9s> accessed 1 May 2016, emphasis added

15 Reg 2016/679 GDPR, Article 5(2)

16 Article 29 Data Protection Working Party, 'Statement on the role of a risk-based approach in data protection legal frameworks' (14/EN WP 218, 2014) <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp218_en.pdf> accessed 29 April 2016, 3


This thesis therefore contributes to academic debate on the GDPR by discussing the dynamic of risk and a fundamental right in the context of the principle of accountability and the extent to which this dynamic helps to safeguard the fundamental right to data protection. The research question is therefore the following:

To what extent does the introduction of the principle of accountability help safeguard the fundamental right to data protection?

2 Methodology

This research is conducted on the basis of a review of academic literature and a study of legal texts in which the Data Protection Directive and the GDPR play a central role. In order to better understand the role to be played by accountability in safeguarding the fundamental right to data protection, Chapter 3 first provides an overview of the regulatory approaches to data protection and the approach taken in the EU. Chapter 4 introduces the main actors, the division of tasks and the main principles of the GDPR, and presents the principle of accountability in further detail. In order to develop a normative view of the concept of risk in data protection and of fundamental rights in the EU, Chapter 5 looks into the theory of a risk and of a (fundamental) right, including guidance from other fields such as the ethical theory of a right. The dynamic of a risk and a right is then brought together in section 5.3, where that theoretical background is applied to the GDPR and the role, if any, to be played by accountability is analysed. A summary and conclusion to the research are presented in Chapter 6.


3 Regulatory Approaches to Data Protection

3.1 Relevance of Data Protection Legislation

“…are consumers beginning to understand that data is like cash, a unit of transaction?”1

Personal data is valuable. The European Commission has estimated that the value of European citizens’ personal data will grow to nearly €1 trillion annually by 2020.2 The aggregation of personal data allows organisations to detect patterns and correlations,3 which leads to new insights on ‘how individuals live, work, travel, study, eat, or sleep, and how and what they consume.’4 In turn, this can be used to identify trends that enhance direct targeting of specific groups of people or individuals,5 particularly for advertising purposes.6 In 2015, for example, Facebook announced that its users would be able to link a debit card to their Facebook account in order to send payments to their Facebook friends for free.7 While the provision of such free services is often taken for granted by online consumers,8 the “free” service is typically based on an income model centred on the collection and utilisation of personal data and the sale thereof to third parties. The value of the data provided by Facebook’s users meant that Facebook was initially valued at over $100 billion at its initial public offering (IPO) in May 2012.9

1 'Platforms, is there a need to regulate?' (#Digital4EU Stakeholders Conference, Brussels, Belgium, 23 February 2016)

2 European Commission, 'The EU Data Protection Reform and Big Data: Factsheet' (2016) <http://ec.europa.eu/justice/data-protection/files/data-protection-big-data_factsheet_web_en.pdf> accessed 18 July 2016, 1

3 Franziska Boehm, Information Sharing and Data Protection in the Area of Freedom, Security and Justice: Towards Harmonised Data Protection Principles for Information Exchange at EU-level (Springer 2012) 19

4 European Parliament, 'Big Data and smart devices and their impact on privacy: Study for the LIBE Committee' (2015) <http://www.europarl.europa.eu/RegData/etudes/STUD/2015/536455/IPOL_STU(2015)536455_EN.pdf> accessed 5 May 2016, 8

5 Ibid, 7

6 Stuart Summer, You: For Sale. Protecting Your Personal Data and Privacy Online (Elsevier 2016), 4

7 Hannah Kuchler, 'Facebook enters money transfer market' (Financial Times, 2015) <https://next.ft.com/content/00423da0-ccdc-11e4-b252-00144feab7de> accessed 18 July 2016, emphasis added

8 Summer, You: For Sale. Protecting Your Personal Data and Privacy Online, 4


The aggregation of personal data has raised concerns regarding a data subject’s rights and the need for transparency in the processing of such data.10 Examples of voiced concerns include: too much data being collected, data being used for purposes other than serving the customer, mistakes in the data, unauthorised access to and usage of the data, insufficient control, and a lack of information on data policies.11 This is particularly alarming in the field of Big Data, which is concerned with extensive digital datasets held by corporations, governments and organisations that are analysed through computer algorithms.12 National and international laws have had to respond, and must continue to respond, to such technological developments.

3.2 First Response

The first response to concerns for the protection of personal data at the international level came from the Organisation for Economic Co-operation and Development (OECD) in 1980 with the Guidelines governing the protection of privacy and trans-border flows of personal data13 (OECD Guidelines). This was followed by the Convention of the Council of Europe of 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data14 (Convention No. 108).15 At national level, the German federal state of Hesse was the first to enact a Data Protection Act in 1970, the Datenschutzgesetz, which applied to public bodies of the state. The German federal legislator adopted a national data protection act in 1977, the Bundesdatenschutzgesetz.16 Sweden had been quicker to follow Hesse’s example, introducing the Swedish Data Act, the Datalag, in May 1973.17 The Datalag applied to both the public and the private sector, which has been qualified as an “omnibus approach” in which ‘general binding rules regulate the legal relations in the public as well as in the private sector.’18

10 European Parliament, 'Big Data and smart devices and their impact on privacy: Study for the LIBE Committee' (2015), 9

11 Peter Verhoef, Edwin Kooge and Natasha Walk, Creating Value with Big Data Analytics: Making Smarter Marketing Decisions (Routledge 2016), 106

12 European Parliament, 'Big Data and smart devices and their impact on privacy: Study for the LIBE Committee' (2015), 5

13 OECD, 'OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data' (1980) <http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm> accessed 12 May 2016

14 Council of Europe, 'Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data' (European Treaty Series - No. 108, 1981) <https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680078b37> accessed 12 May 2016

15 Boehm, Information Sharing and Data Protection in the Area of Freedom, Security and Justice: Towards Harmonised Data Protection Principles for Information Exchange at EU-level, 4-5

16 Ibid, 21

17 Gloria Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Issues in

The scope of regulatory approaches to data protection is much wider, however. Literature on regulatory approaches generally distinguishes between three approaches: 1) a top-down approach; 2) a co-regulatory approach; and 3) a self-regulatory approach.19 To better understand the regulatory environment in which the GDPR and the principle of accountability are to operate, the following sections provide a brief overview of these regulatory approaches.

3.3 Top-down approach

The top-down approach is said to be based on the elements of an omnibus regime,20 in which data protection laws lay down common standards for the processing of personal information applicable to most public and private activities.21 Lynskey qualifies an omnibus regime through the following three characteristics: 1) the application of data protection rules to public and private actors; 2) the sector-neutral nature of data protection rules; and 3) the enforcement of data protection rules by independent supervisory authorities.22 A top-down approach is similarly defined as a means of regulating whereby ‘general laws govern the collection and use of personal information by public and private sectors’, which is then supervised by a national supervisory or regulatory authority.23

3.4 Co-regulatory approach

A co-regulatory approach relies on a shared responsibility between the regulatory authority and private parties.24 Some co-regulatory approaches appear to overlap with a top-down approach in the sense that public actors are presumed to be directly involved in the regulatory process (particularly concerning enforcement).25 The similarity comes from the fact that the regulatory authority is responsible for the enactment and enforcement of general legislation.26 The core principle of co-regulation is nevertheless a shared responsibility.

18 Boehm, Information Sharing and Data Protection in the Area of Freedom, Security and Justice: Towards Harmonised Data Protection Principles for Information Exchange at EU-level

19 See for example United Nations Conference on Trade and Development, 'E-commerce and Development Report' (UNCTAD/SDTE/ECB/2004/1, 2004) <http://unctad.org/en/Docs/ecdr2004_en.pdf> accessed 3 June 2016, 163-164. The report considers a co-regulatory approach to be within the same category as a self-regulatory approach however; Terrence Craig and Mary Ludloff, Privacy & Big Data (O'Reilly 2011) 27-28

20 OECD, 'OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data' (1980), 163

21 Robert Gellman and Pam Dixon, Online Privacy: A Reference Handbook (ABC-CLIO LLC 2011), 75

22 Orla Lynskey, The Foundations of EU Data Protection Law (Oxford University Press 2015), 15

23 Craig and Ludloff, Privacy & Big Data, 27

24 Dennis Hirsch, 'The Law and Policy of Online Privacy: Regulation, Self-Regulation, or Co-Regulation?'

Arguments in favour of a co-regulatory approach highlight that implementation and enforcement of the general rules are to be ensured by the individual industries/organisations engaged in the processing of personal data.27 Data subjects are thereby given a minimum level of protection to rely on, but may enjoy higher levels of protection in the sectors or industries where the codes of conduct/rules for compliance provide for stricter enforcement.28 Those in favour furthermore argue that the hybrid nature of the legislation enables a rigorous approach to protecting the fundamental right to data protection while remaining flexible enough to meet the needs of rapid technological developments.29 Critics of co-regulation, on the other hand, tend to argue that co-regulation lacks transparency and accountability, in the sense that shared responsibilities may result in negotiations in favour of an industry rather than the public interest.30

3.5 Self-regulatory approach

A self-regulatory approach is based on market-oriented thinking, namely that markets are apt to regulate themselves. Hirsch defines self-regulation as ‘a regulation in which business representatives define and enforce standards for their sector with little or no government involvement.’31 Since self-regulation generally takes place in the absence of (any form of) top-down regulation, a situation that does not arise in EU data protection,32 it falls outside the scope of this research.

25 Tatiana Tropina and Cormac Callanan, Self- and Co-regulation in Cybercrime, Cybersecurity and National Security (Springer 2015), 17

26 Hirsch, 'The Law and Policy of Online Privacy: Regulation, Self-Regulation, or Co-Regulation?', 442

27 United Nations Conference on Trade and Development, 'E-commerce and Development Report' (2004), 164

28 Ibid, 164

29 Hirsch, 'The Law and Policy of Online Privacy: Regulation, Self-Regulation, or Co-Regulation?', 441

30 Ibid, 442

31 Ibid, 458

3.6 The EU approach to data protection

The EU approach to data protection has, from the outset, been categorised as an omnibus approach.33 Lynskey qualifies the EU approach as omnibus for the following reasons: 1) the public or private legal status of the data controller does not affect the level of protection offered to individuals (although there is a nuance regarding exceptions for the public sector); 2) the Data Protection Directive and the GDPR apply to all sectors, with only a few sectors governed by further sector-specific legislation; and lastly 3) the data protection rules are overseen by supervisory authorities such as the national Data Protection Authorities (DPAs).34 Hustinx furthermore considers the EU approach to be an omnibus approach in the sense that data protection is considered ‘as an issue of general and structural importance for modern society’, whereby the legal framework is particularly wide and covers all relevant areas of society.35

The following section provides an overview of the GDPR’s legal framework with a focus on the relevant actors and the role played by accountability therein.

4 The General Data Protection Regulation (GDPR)

4.1 Actors

4.1.1 Data subjects and processing

The GDPR applies specifically to the processing of ‘personal data’ of a data subject, whereby personal data is considered to be any information relating to an identified or identifiable natural person.36 A data subject, an identifiable natural person, is ‘one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’37

33 See for example Mads Andenas and Stefan Zleptnig, 'Surveillance and Data Protection: Regulatory Approaches in the EU and Member States' (2003) 14 European Business Law Review 765, 766: ‘US data protection legislation relies more on sectoral laws (reacting to specific problems) rather than on omnibus laws (creating a comprehensive regime governing the processing of personal data).’

34 Lynskey, The Foundations of EU Data Protection Law, 15-28

35 Peter Hustinx, 'The Role of Data Protection Authorities' in Serge Gutwirth and others (eds), Reinventing Data Protection? (Springer 2009), 133

36 Reg 2016/679 GDPR, Article 4(1)

37 Ibid, Article 4(1)

The GDPR considers the ‘processing’ of personal data to be ‘any operation or set of operations which is performed on personal data (…) such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.’38

4.1.2 Data Controller

A data controller is the natural or legal person that determines the purpose and means of processing personal data.39 In identifying the controller the Article 29 Working Party (WP29) considers that the concept of a controller is ‘autonomous (…) and functional in the sense that it is intended to allocate responsibilities where the factual influence is’.40 The controller plays a central role in the enforcement of the GDPR. The WP29 considers the role of the controller to be a means of determining ‘who shall be responsible for compliance with data protection rules, and how data subjects can exercise the rights in practice.’ 41 Examples of a data controller include a charity organisation that processes membership data and subscriber lists or a corporate entity with employees that processes the personal data of its employees.42

Article 24 GDPR stipulates the data controller’s responsibilities. The controller is under an obligation, for example, to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance’ with the Regulation.43 Article 25(1) GDPR lays down the obligation for controllers to apply data protection by design and by default, both at the time of the determination of the means of processing and during the processing itself. Controllers must also maintain certain documentation of processing, an example of which can be found in Article 7 GDPR. Article 7 stipulates that where data processing is based on consent, the data controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.44 Article 11 furthermore requires the controller to be able to demonstrate that it is not in a position to identify the data subject, where the processing does not require the identification of a data subject by the controller.45 Article 30 further states that the controller must ‘maintain a record of processing activities under its responsibility’ and sets out a minimum level of information that must be provided in this documentation.46

38 Ibid, Article 4(2)

39 Ibid, Article 4(7): ‘‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;’

40 Article 29 Data Protection Working Party, 'Opinion 1/2010 on the concepts of "controller" and "processor"' (00264/10/EN WP 169, 2010) <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf> accessed 29 April 2016, 1

41 Ibid, 4

42 Mandy Webster, Data Protection in the Financial Services Industry (Gower 2006), 90

43 Reg 2016/679 GDPR, Article 24(1).

Article 26 GDPR further builds upon the concept of the controller by introducing a separate provision for “joint controllers”. This applies ‘where two or more controllers jointly determine the purposes and means of processing.’47

4.1.3 Data Processor

The data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.48 The WP29 notes that the distinction between controller and processor ‘mostly serves to distinguish between those involved that are responsible as controller(s) and those that are only acting on their behalf.’ It is essentially a matter of allocating responsibility.49 The GDPR imposes more extensive obligations on the processor than the Data Protection Directive did, in the sense that the processor becomes directly subject to a number of compliance obligations and to fines for breaches of them.50 The GDPR requires the processor, for example, to maintain a record of the categories of processing activities carried out on behalf of each controller, and to make this record available to the supervisory authority on request.51 The processor is also under an obligation to notify the controller without undue delay after becoming aware of a personal data breach; the elements a breach notification must contain are stipulated in Article 33(3) GDPR.52 In some situations the processor is also under an obligation to designate a Data Protection Officer (DPO), for example where its core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.53

44 Ibid, Article 7(1)

45 Ibid, Article 11(2)

46 Ibid, Article 30

47 Ibid, Article 26

48 Ibid, Article 4(8)

49 Article 29 Data Protection Working Party, 'Opinion 1/2010 on the concepts of "controller" and "processor"' (2010), 5

50 Victoria Hordern, 'The EU General Data Protection Regulation: A Brave New World for Processors' (Hogan Lovells, 2016) <http://www.hldataprotection.com/2016/03/articles/international-eu-privacy/the-eu-general-data-protection-regulation-a-brave-new-world-for-processors/> accessed 20 July 2016

51 Reg 2016/679 GDPR, Article 30(2) and (4)

52 This includes a description of the personal data breach and the likely consequences of the breach.

53 Reg 2016/679 GDPR, Article 37(1)

4.1.4 Data Protection Officer

The Data Protection Officer is to inform and advise the controller or the processor of their obligations pursuant to the Regulation. The DPO is also to monitor compliance, to provide advice where requested regarding data protection impact assessments, and to cooperate with the supervisory authority.54

4.1.5 Authorities

In accordance with the principle of conferral, as specified in Article 4(1) in conjunction with Article 5 TEU, competences not conferred on the Union in the Treaties remain with the Member States. In the field of data protection, Article 16 TFEU confers wide powers on the Union to act and lays down a number of tasks for the Union in this regard.55 Firstly, the Court of Justice is entrusted with the task of ensuring that the law is observed in the interpretation and application of the Treaties,56 and thereby of the right to data protection under Article 16(1) TFEU.57 The choice to legislate at Union level is furthermore specified in Article 16(2), under which the Council and European Parliament ‘shall lay down rules relating to the protection of individuals with regard to the processing of personal data.’ These rules are to be ‘subject to the control of independent authorities.’58 While there is a clear policy choice to regulate data protection at Union level, the role of national authorities remains important.

The majority of data processing takes place within the Member States, either by the authorities themselves or in the private sector.59 Given the direct effect of the Regulation, there is no specific provision requiring Member States to pass national laws to comply with the Regulation but Member States must give effect to the Regulation’s provisions.60 Member States must furthermore provide for at least one independent public authority to be responsible for monitoring the application of the GDPR (the ‘supervisory authority’ or ‘DPA’). According to

54 Ibid, Article 39(1)

55 Hielke Hijmans, 'What the European Union does and should do to make Article 16 TFEU work, by means of judicial review, legislation, supervision by independent authorities, cooperation of the authorities and external action' (PhD thesis, University of Amsterdam 2016), 117 and 120

56 Consolidated version of the Treaty on European Union (TEU) [2012] C 326/13, Article 19(1)

57 Consolidated version of the Treaty on the Functioning of the European Union (TFEU) [2012] C 326/47, Article 16(1): ‘Everyone has the right to the protection of personal data concerning them.’

58 Ibid, Article 16(2)

59 Hijmans, 'What the European Union does and should do to make Article 16 TFEU work', 122

60 Case 6/64 Flaminio Costa v ENEL [1964] ECR 585: ‘The precedence of Community law (…) whereby a regulation ‘shall be binding’ and ‘directly applicable in all Member States’ (…) would be quite meaningless if a State could unilaterally nullify its effects by means of a legislative measure which could prevail over


Article 52 GDPR, the national supervisory authority is to be completely independent.61 The Court considers the establishment of these supervisory authorities as ‘an essential component of the protection of individuals with regard to the processing of personal data.’62 DPAs are entrusted with a monitoring task in their own territory; they must ensure compliance with the rules on the processing of personal data. The Court emphasised and essentially extended this task in the landmark Schrems judgment, whereby national supervisory authorities must be able to examine whether ‘a transfer of personal data from its own Member State to a third country complies with the requirements laid down by Directive 95/46.’63 In this respect DPAs are under an obligation to examine complaints, to bring cases before the national court and, within their discretion, to suspend the transfer of personal information to other countries.64 The GDPR furthermore introduces the concept of a ‘one stop shop’, in the sense that ‘the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.’65 The purpose of this is to reduce the administrative burden for organisations operating on a cross-border basis. The GDPR further establishes a European Data Protection Board (the ‘Board’), which is composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor (EDPS).66 The Board is also to ensure consistent application of the Regulation.67

4.1.6 National courts

The courts of the Member States play a central role in the enforcement of the GDPR. Article 79(1) states that each data subject shall have the right to an effective judicial remedy against a controller or processor where he/she considers that his/her rights have been infringed as a result of the processing of his/her personal data in non-compliance with the GDPR. According to Article 79(2), these proceedings are to be brought before the national court of the Member State where the controller/processor is established. The proceedings can, alternatively, be brought before the national court of the Member State where the data subject has his/her

61 Reg 2016/679 GDPR, Article 52(1): ‘Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.’

62 C-288/12 Commission v Hungary [2014] ECLI:EU:C:2014:237, para 51

63 Case C-362/14 Maximillian Schrems v Data Protection Commissioner (CJEU, 6 October 2015), para 47

64 Marina Škrinjar Vidović, 'Schrems v Data Protection Commissioner (Case C-362/14): Empowering National Data Protection Authorities' (2015) 11 Croatian Yearbook of European Law and Policy 259, 265

65 Reg 2016/679 GDPR, Article 56(1)

66 Ibid, Article 68(3)


habitual residence unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. Moreover, Article 82 on the right to compensation and liability states that proceedings in the exercise of this right are to be brought before the competent courts, as defined in Article 79(2). With regard to administrative fines, Article 83 stipulates that the national supervisory authority is to ensure that the imposition of fines is effective, proportionate and dissuasive. Therefore, where controllers are to be held accountable for their tasks, this will take place in national courts. Coudert calls attention to the fact that while data subjects may have the right to an effective judicial remedy against a controller, data subjects do not hold any authority over controllers as regards the ‘suitability of their policies, procedures and practices to comply with the data protection framework.’68 In this respect, Coudert argues that the principle of accountability was merely introduced as a means of improving and encouraging compliance, while control is in fact entrusted to the national authorities rather than the data subjects.69 What, therefore, does the principle of accountability entail for data controllers and how is this reflected in the protection of data subjects? The following section looks into the principle of accountability under the GDPR.

4.2 The Principle of Accountability

The introduction of the principle of accountability was recommended by the Article 29 Working Party and was proposed as a means to encourage data controllers to implement practical tools for effective data protection, thereby moving data protection from ‘theory to practice.’70 Accountability is seen as a means of preventing “patchy”71 and insufficient compliance with data protection rules.72

68 Fany Coudert, 'Accountable Surveillance Practices: Is the EU Moving in the Right Direction?' in Bert Preneel and Demosthenes Ikonomou (eds), Privacy Technologies and Policy: Second Annual Privacy Forum (Springer 2014), 76

69 Ibid, 76

70 Article 29 Data Protection Working Party, 'Opinion 3/2010 on the principle of accountability' (00062/10/EN WP 173, 2010) <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp173_en.pdf> accessed 29 April 2016, para 1

71 European Commission, 'First report on the implementation of the Data Protection Directive (95/46/EC)' (Report) COM(2003) 265 final, 12-13, referring to compliance by data controllers as ‘very patchy’ and noting that this is likely the result of reluctance by controllers to ‘undertake changes in their existing practices to comply with what may seem complex and burdensome rules’, especially where ‘risks of getting caught seem low’

72 Joseph Alhadeff, Brendan Van Alsenoy and Jos Dumortier, 'The Accountability Principle in Data Protection Regulation: Origin, Development and Future Directions' in Daniel Guagnin and others (eds), Managing Privacy through Accountability (Palgrave Macmillan 2012), 64: ‘A common theme throughout the various iterations of the accountability principle, however, is its role as a fundamental principle of compliance. Its primary role is to ensure that entities responsible for the processing of personal information abide by the substantive principles of data protection regulation, and shall be answerable (‘may be called to account’) for the implementation of appropriate safeguards.’


Article 5(1) of the GDPR lays down the six main principles related to the processing of personal data: 1) lawfulness, fairness and transparency; 2) purpose limitation; 3) data minimisation; 4) accuracy; 5) storage limitation; and 6) integrity and confidentiality. The principle of accountability essentially requires data controllers to implement appropriate and effective measures to put the principles and obligations of the Regulation into effect, and to demonstrate this on request.73 Accountability in the sense of the GDPR therefore refers to the protection afforded by data controllers, namely that organisations and entities are responsible for the processing of personal data and must adhere to the principles of the GDPR. These entities can be called to account for the implementation of appropriate safeguards.74

The GDPR furthermore embraces a risk-based approach with regards to accountability in the sense that the level of accountability obligations may vary depending on the risk posed by the processing in question.75 The following subsection provides a brief overview of some of these obligations.

4.2.1 Obligations

Article 24 sets out a clear compliance obligation with regard to risky processing activities. Depending on the risk of the processing the controller must implement a compliance programme to monitor compliance in the organisation and must be able to demonstrate this.76 In the case of a personal data breach, the controller is to notify the competent supervisory authority unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.77 The primary example of a risk-based approach under the GDPR is the introduction of Data Protection Impact Assessments (DPIA’s). Article 35 requires the controller to review the impact of an envisaged processing operation regarding the protection

73 Reg 2016/679 GDPR, Article 5(2): ‘The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).’

74 Alhadeff, Van Alsenoy and Dumortier, 'The Accountability Principle in Data Protection Regulation: Origin, Development and Future Directions', 63

75 Article 29 Data Protection Working Party, 'Statement on the role of a risk-based approach in data protection legal frameworks' (2014), 3

76 Reg 2016/679 GDPR, Article 24(1): ‘Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.’, emphasis added


of personal data. This obligation applies where the processing is likely to result in a high risk to the rights and freedoms of natural persons.78 Article 36 requires the controller to consult the supervisory authority, prior to processing, where the impact assessment indicates a high risk. The controller is exempt from this obligation where it has taken measures to mitigate the risk.79 Article 35 provides limited guidance on what qualifies as a risky activity but requires a DPIA in particular in the case of ‘a systematic and extensive evaluation of personal aspects relating to natural persons’, ‘processing on a large scale of special categories of data’ and ‘a systematic monitoring of a publicly accessible area on a large scale.’80 Article 35 also provides a list of minimum elements that must be included in the DPIA. This includes, for example, an assessment of the risks to the rights and freedoms of data subjects and the measures envisaged to address the risks.81 Dijk notes that DPIAs should be seen as part of the process, rather than merely a tool for risk management. The assessments must be conducted throughout the lifecycle of processing activities and should be updated accordingly.82

4.2.2 Enforcement

For non-compliance with certain obligations of the GDPR, including the aforementioned obligations, the GDPR introduces steep administrative fines.83 In the case of undertakings, infringements of the obligations of the controller (and the processor) pursuant to Articles 8, 11, 25-39, 42 and 43 can result in a fine of up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.84 The fines related to the basic principles for personal data processing (Articles 5, 6, 7 and 9) are even higher. Infringements by undertakings in this category can amount to up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.85 This higher penalty also applies to a number of other provisions, namely infringements of the

78 Ibid, Article 35(1), emphasis added: ‘Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.’

79 Gabriel Maldoff, 'The Risk-Based Approach in the GDPR: Interpretation and Implications' (IAPP) <https://iapp.org/media/pdf/resource_center/GDPR_Study_Maldoff.pdf> accessed 6 May 2016, 3

80 Reg 2016/679 GDPR, Article 35(3)

81 Ibid, Article 35(7)

82 Niels van Dijk, Raphaël Gellert and Kjetil Rommetveit, 'A risk to a right? Beyond data protection risk assessments' (2016) 32 Computer Law & Security Review 286, 288

83 Reg 2016/679 GDPR, Article 83

84 Ibid, Article 83(4)(a)


data subjects’ rights under Articles 12-22; infringements of the transfer of personal data under Article 44 to 49; infringements of obligations under national law adopted under Chapter IX; and non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).86

Compliance with the GDPR must be taken seriously therefore and businesses must prepare for the legally binding rules to take effect in 2018. This is particularly the case given that a data controllers’ obligations may vary, depending on the level of risk posed by the processing activity.

The following section looks into the theory behind a risk-based approach and the dynamic thereof when taken in combination with the underlying goal of the GDPR to safeguard the fundamental right to data protection.

5 A risk-based approach to ensuring the fundamental right to data protection

5.1 Risks

5.1.1 Risk regulation

Hood, Rothstein and Baldwin consider risk regulation to be ‘governmental interference with market or social processes to control potential adverse consequences.’87 They highlight that risk regulation is an attempt to control risk by setting and enforcing product or behavioural standards. They consider this a ‘control-system’88 and argue that risk regulation thereby consists of ‘standard-setting’, ‘information-gathering’ and ‘behaviour-modification’.89 This is essentially a means of reducing risks to a level deemed tolerable by society.90 The Impact Assessments under the GDPR are seen to be an attempt at moving data protection towards risk

86 Ibid, Article 83(5)(b)-(e)

87 Christopher Hood, Henry Rothstein and Robert Baldwin, The Government of Risk: Understanding Risk Regulation Regimes (Oxford University Press 2001), 3

88 Ibid, 3 and 21

89 Ibid, 22; not identical to the original table


management approaches.91 These risk assessments are implemented to analyse risks on the basis of ‘probability in dealing with the possibilities of future events.’92 Can risks be (theoretically) defined though? Is there a normative understanding of a risk?

5.1.2 Concept of risk

Literature offers a number of (technical) definitions of the concept of risk, each of which must be understood within a given context.93 The International Organization for Standardization (ISO), a non-governmental organisation that standardises many activities in both the private and public sector, defines risk in a particularly general manner. ISO considers risk to be the ‘effect of uncertainty on objectives’.94 Other sources offer a more elaborate definition of risk, however. A risk may, for example, be considered as the possibility that ‘something undesirable will occur, whether as a result of natural events or human activities, or some combination of the two.’95 Literature also offers a definition of risk as the chance (likelihood) that a danger (an event with harmful consequences) will happen,96 or as ‘an objective measurable entity combining the probability of an adverse event and the magnitude of its consequences.’97 The context-specific nature of risk implies that regulation on the matter must be apt to regulate the characteristics of the specific field of law at hand. Dijk highlights, for example, that risk assessment models in data protection law are fundamentally different in nature.98 Risk assessments in environmental law are typically based on the concept of physical consequences and tangible harm. The very (intangible) nature of data processing, however, clouds an understanding of the actual consequences of harm in data protection and of the risks that impact assessments aim to address.99 The ambiguity in understanding the risks at hand in data protection is further escalated when considering that the threats or risks currently at stake are subject to fast-paced technological developments.100 The threats of today may evolve

91 Christopher Kuner and others, 'Risk management in data protection' (2015) 5 International Data Privacy Law 95, 95

92 Dijk, Gellert and Rommetveit, 'A risk to a right? Beyond data protection risk assessments', 289

93 Katja Khardikova, 'Risk-based Approach to Corporate Human Rights Responsibility' (Master of Philosophy thesis, University of Oslo 2012), 40: highlighting categories of risks that are business-related, financial, social, environmental, political, military and health and safety risks

94 Ibid, 42-43

95 Black, 'The Role of Risk in Regulatory Processes', 310

96 Dijk, Gellert and Rommetveit, 'A risk to a right? Beyond data protection risk assessments', 301

97 Raphaël Gellert, 'Data protection: a risk regulation? Between the risk management of everything and the precautionary alternative' (2015) 5 International Data Privacy Law 3, 7

98 Dijk, Gellert and Rommetveit, 'A risk to a right? Beyond data protection risk assessments', 289

99 Kuner and others, 'Risk management in data protection', 97


with these developments and may no longer be the threats of tomorrow. What are data subjects being protected from? What harms? What risks?101 Is it the harm that results from the incorrect or insufficient protection of the fundamental right to data protection? In the latter understanding, the substance of a right relies on the perception of the right being at risk. Dijk labels this view ‘rights at risk’, in the sense that the rights are primarily under threat as a result of ‘perceptions and concerns on the part of the specific individuals and communities’ regarding something that they value,102 i.e. the right to data protection. How, therefore, is the risk-based approach in EU data protection to be understood? The following section looks into the theoretical underpinnings of a right and the way in which fundamental rights are understood in the EU as guaranteed by the Charter, in order to provide a better understanding of the legal landscape and dynamic in which the risk-based approach to accountability is to play a role in safeguarding the fundamental right to data protection.

5.2 Rights

5.2.1 Theory of a right

In an article titled ‘Fundamental Legal Conceptions as Applied in Judicial Reasoning’,103 Wesley Newcomb Hohfeld sought to provide guidance on juridical relationships. Hohfeld considered a right to denote ‘any sort of legal advantage, whether claim, privilege, power, or immunity.’ He presented eight classifications of rights:104

1) Rights or claims
2) Privileges or liberties
3) Powers
4) Immunities
5) ‘No-rights’ or ‘no-claims’
6) Duties or ‘no-liberties’
7) Disabilities or ‘no-powers’
8) Liabilities or ‘no-immunities’

101 Centre for Information Policy Leadership, '“A Risk-based Approach to Privacy?” An Initial Issues Paper for Privacy Risk Framework and Risk-based Approach to Privacy Project' <https://www.informationpolicycentre.com/files/Uploads/Documents/Centre/Centres_Privacy_Risk_Framework_Workshop_I_Initial_Issues_Paper.pdf> accessed 7 May 2016; Kuner and others, 'Risk management in data protection', 97

102 Dijk, Gellert and Rommetveit, 'A risk to a right? Beyond data protection risk assessments', 295

103 Wesley Newcomb Hohfeld, 'Fundamental Legal Conceptions as Applied in Judicial Reasoning' (1917) 23 Yale Law Journal 710, 717

Hohfeld considered that, when placed in the context of legal relations between two subjects, these rights (advantages) must be seen to correlate to a vulnerability. For example, where the state confers advantages on citizens, this advantage should be seen together with a vulnerability on the part of others.105 The example being that ‘if X has a right against Y that he shall stay off the former’s land’, ‘the correlative (and equivalent) is that Y is under a duty toward X to stay off the place’.106 Singer summarises this as ‘rights are nothing but duties placed on others to act in a certain manner’,107 that is, rights are simply legal notions ‘accompanied by a claim against another.’108 The example of a right correlating to a duty is one of four juxtapositions presented by Hohfeld:109

Party A ↔ Party B

1) Claim / Right ↔ Duty / ‘No-liberty’
2) Liberty / Privilege ↔ No-claim / ‘No-right’
3) Power ↔ Liability / ‘No-immunity’
4) Immunity ↔ Disability / ‘No-power’

Bengoetxea places Hohfeld’s claim in the context of a judicial proceeding, where ‘for a judge or a court, the notion of a right always entails the perspective of a binary relation between the parties to the dispute’.110 He looks at the second juxtaposition specifically, concerning a liberty against a no-claim. In accordance with this theory, the protection of A’s liberty relies on B’s position as a holder of no-claims. B is therefore in no position to invoke a claim against A.111 He considers that where the juxtaposition of a liberty and a no-claim ‘is extended to all actors within a jurisdiction’, ‘the liberty acquires a universal dimension’ and ‘we enter the domain of fundamental liberties’.112

105 Joseph William Singer, 'The Legal Rights Debate in Analytical Jurisprudence From Bentham to Hohfeld' (1982) 1982 Wisconsin Law Review 975, 986

106 Ibid, 987; Hohfeld, 'Fundamental Legal Conceptions as Applied in Judicial Reasoning', 769

107 Singer, 'The Legal Rights Debate in Analytical Jurisprudence From Bentham to Hohfeld'

108 Quelle, 'Does the risk-based approach to data protection conflict with the protection of fundamental rights on a conceptual level?', 3

109 Joxerramon Bengoetxea, 'Rights (And Obligations) in EU Law' in Erik Jones, Anand Menon and Stephen Weatherill (eds), The Oxford Handbook of the European Union (Oxford University Press 2012), 743

110 Ibid, 743

111 Ibid, 743


Hohfeld’s publication led to great debate in academic literature and stirred further discussion on the moral and ethical theory of a right. Harel, for example, builds on the discussion by looking into the substance of rights and the goal of rights specifically. He highlights two theories of rights: a choice theory and an interest theory.113 The choice theory regards rights as protecting the exercise of choice, whereas the interest theory seeks to protect and promote (some of) the right-holder’s interests.114 The interest theory is typically linked to Hohfeld’s concept of a right and a corresponding duty. Harel highlights developments in the literature on this matter, for example that a right can also be considered as merely providing grounds for the imposition of duties.115 This ultimately resulted in a ‘hybrid theory’ whereby X is only considered a right-holder ‘if the question of who has some measure of control over a corresponding duty (…) is determined by the balance of X’s interests.’ Therefore, ‘if Y has control over a duty, Y is the right-holder if and only if Y was given control in order to promote Y’s balance of interests.’ ‘X is the right-holder if and only if Y’s control over the duty is aimed at promoting X’s balance of interests.’116 In accordance with the hybrid theory, a right is considered in the context of a balancing test, the balancing of interests.

Bengoetxea looks at the concept of a right in a broader context. He looks at rights in the context of their role in a specific (legal) order and states that a right can be considered as a claim to the protection of a person’s interests under any given (institutional) normative order, whether national law, international law or the regulations of a social society.117 Legal rights are thereby claims made within a given legal order that are protected institutionally by its legal norms and the officials enforcing them.118 Bengoetxea argues that rights and obligations are meaningless if taken out of the context of the social normative networks and relationships in which they occur. These networks include the institutional structures and officials that guarantee their enforcement.119 Legal rights are considered to be relative to the legal orders that recognise them, with the result that the actors concerned with the rights and the enforcement thereof are

113 Alon Harel, 'Theories of Rights' in Martin Golding and William Edmundson (eds), The Blackwell Guide to the Philosophy of Law and Legal Theory (Blackwell Publishing 2006), 193-194

114 Ibid, 194-195

115 Ibid, 196

116 Ibid, 196

117 Bengoetxea, 'Rights (And Obligations) in EU Law', 737

118 Ibid, 737


easily identifiable.120 Legal rights must, however, be recognised in some manner. This may be through sources of law that set out the legal rights to be respected. In the EU legal order this includes the Charter of Fundamental Rights (‘Charter’), the founding Treaties or secondary legislation adopted on the basis thereof.121 Bernal furthermore considers that a right must be considered as something of ‘fundamental importance, something that is practically possible and something that isn’t held in balance in its basic form.’122 Bernal’s argument appears to contrast with the hybrid theory, according to which a right should be placed in the context of a balancing of interests. The argument can also be understood from the perspective that any balancing must respect the essence of the right,123 in the sense that the right can be limited but should at least protect the underlying objective of the right. How does the European Union approach the concept of a right?

5.2.2 Fundamental rights in the European Union

‘EU law follows a tradition (…) [which] integrates three elements: a collective way of life, a means of ordering this way of life and an ethos for socialising individuals into this way of life and disposing them to follow the system of order in place. (…) The ethos is one in which through following EU law individuals can live better their lives. Fundamental rights are an integral part of this vision as they incorporate the individual into this order and allow her position to be asserted within it by establishing autonomy for her there, setting out dimensions to this autonomy and securing a value for this autonomy.’124

The protection of (fundamental) rights in Europe is characterised by a multi-level system in which protection is offered at the national, supranational and international (universal and regional) level.125 The reference to a ‘fundamental’ right in the EU context generally refers to

120 Ibid, 739

121 Ibid, 745

122 Paul Bernal, 'The EU, the US and Right to be Forgotten' in Serge Gutwirth, Ronald Leenes and Paul de Hert (eds), Reloading Data Protection: Multidisciplinary Insights and Contemporary Challenges (Springer 2014), 70

123 See for example Charter of Fundamental Rights of the European Union [2000] C 364/1, Article 52(1), which refers to limitations to EU fundamental rights that must ‘respect the essence of those rights and freedoms’

124 Damian Chalmers and Sarah Trotter, 'Fundamental Rights and Legal Wrongs: The Two Sides of the Same EU Coin' (2016) 22 European Law Journal 9, 10

125 Giacomo Di Federico, 'Fundamental Rights in the EU: Legal Pluralism and Multi-Level Protection After the Lisbon Treaty' in Giacomo Di Federico (ed), The EU Charter of Fundamental Rights: From Declaration to Binding Instrument (Springer 2011), 15


rights that are protected by EU law.126 The original EEC Treaties, however, contained no reference to fundamental rights.127 Fundamental rights were initially recognised via the Court of Justice and through the constitutional traditions of the Member States. This ultimately culminated in the codification of fundamental rights in one applicable legal instrument: the Charter of Fundamental Rights, which, since the Treaty of Lisbon amendments in 2009, is legally binding within the EU legal order.128 The Charter has the same status as the Treaties.129 Fundamental rights are therefore relative to the EU legal order and reflect certain values in EU society.130 While, from the outset, the relationship between fundamental rights and the EU legal order may appear to be of an institutional nature, Chalmers and Trotter advocate the view that the value and distinctiveness of EU fundamental rights, in comparison to other moral claims, is a result of ‘their reliance on the wider legal order.’ If fundamental rights are seen to be relative to the EU legal order, ‘that legal order acts as the relay through which their meaning and implications are elaborated.’131 In this view, the fundamental right to data protection, translated into the GDPR for example, relies on a wider legal order – that of EU law as a whole.132 The argument that fundamental rights rely on the wider legal order of the EU corresponds well with the notion that fundamental rights are not absolute. Article 52(1) of the Charter states, for example, that fundamental rights may be limited, provided that the limitation is provided for by law and respects the essence of the right. Limitations are furthermore subject to the principles of necessity and proportionality. Article 52(1) thereby indicates that fundamental rights are not absolute in nature.133 Fundamental rights can be balanced against other rights or considerations, whereby the notion and role of a fundamental right is placed within the broader EU legal order.

The Charter is addressed to the EU institutions, bodies, offices and agencies as well as the Member States when implementing EU law.134 The Charter therefore only applies within the

126 Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU, 166

127 Fisnik Korenica, The EU Accession to the ECHR (Springer 2015), 37

128 Kristina Irion, 'A Special Regard: The Court of Justice and the Fundamental Rights to Privacy and Data Protection' (Baden-Baden) <http://www.ivir.nl/publicaties/download/1734> accessed 9 May 2016

129 Consolidated version of the Treaty on European Union (TEU) [2012] C 326/13, Article 6

130 Hijmans, 'What the European Union does and should do to make Article 16 TFEU work', 191

131 Chalmers and Trotter, 'Fundamental Rights and Legal Wrongs: The Two Sides of the Same EU Coin', 11

132 Ibid, 11

133 Sybe de Vries, 'Balancing Fundamental Rights with Economic Freedoms According to the European Court of Justice' (2013) 9 Utrecht Law Review 169, 170


context of EU law, whereby the Court of Justice is to ensure compliance with the Treaties (and thereby the Charter, considering its treaty-level status).135 Member States are furthermore under a duty to provide remedies sufficient to ensure effective legal protection in the fields covered by Union law.136 The Charter may help in the interpretation of secondary law or national law that falls within the scope of EU law. The interpretative function is a result of the fact that, according to the Court, legislation must be ‘assessed in the light of the provisions of the Charter.’137 The Charter can, in this regard, be relied on as grounds for judicial review.138 In Schecke, for example, the Court invalidated certain provisions of a Regulation on the basis of a breach of Articles 7 and 8 of the Charter exclusively.139 Moreover, claims concerning the implementation of EU law and violations of a fundamental right in this regard can be heard before a national court. It is believed that the Charter therefore provides for better access to legal institutions when asserting one’s rights.140 The status of a fundamental right may therefore have far-reaching consequences.

5.2.3 Data protection as a fundamental right

The right to data protection finds its roots in an article written by Louis Brandeis and Samuel Warren in 1890.141 The authors introduced the idea of “the right to be let alone”142 and observed that man ‘has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual.’143 It wasn’t until the 20th century, however, that privacy was recognised at the international level. Both the Universal Declaration of Human Rights (UNDHR) and the ECHR established a “right to privacy”.144 These instruments are generally

135 TEU, Article 19(1) jo. 6(1)
136 Ibid, Article 19(1) jo. Article 291 TFEU
137 C-92/09 Volker und Markus Schecke and Eifert [2010] ECR II-11063, paras 45-47
138 Koen Lenaerts, 'Exploring the Limits of the EU Charter of Fundamental Rights' (2012) 8 European Constitutional Law Review 375, 376
139 C-92/09 Volker und Markus Schecke, para 89
140 Caoimhe McElduff, 'The Right Answer? An assessment of the Charter of Fundamental Rights and its necessity in Europe' (2012) 1 Manchester Student Law Review 19, 22
141 Samuel Warren and Louis Brandeis, 'The Right to Privacy' (1890) IV Harvard Law Review 193
142 Russell Weaver, David Partlett and Mark Cole, 'Protecting Privacy in a Digital Age' in Dieter Dörr and Russell Weaver (eds), The Right to Privacy in the Light of Media Convergence: Perspectives from Three Continents (De Gruyter 2012), 13
143 Warren and Brandeis, 'The Right to Privacy', 196
144 Article 12 UNDHR: ‘No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.’; Article 8 ECHR: ‘(1) Everyone has the right to respect for his private and family life, his home and his correspondence. (2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the
