Because data protection is what? Fundamental! How the fundamental right to data protection has added value as an independently applicable right.

Because data protection is

what? Fundamental!

How the fundamental right to data protection

has added value as an independently

applicable right.

D.J.A. Wintermans

Master International and European Law: European Competition Law and Regulation E: daniel.wintermans@student.uva.nl / Student number: 11418575

Supervisor:

Prof. dr. C. (Christina) Eckes of the European Law department of the University of Amsterdam

Amsterdam, University of Amsterdam, 24 July 2019

2

ABSTRACT

Since 2009, data protection is an enforceable fundamental right in the EU through its inclusion in Article 8 of the EU Charter of Fundamental Rights. This thesis examines the consequences this elevation has for the data protection rights of individuals. It thereto researches what becoming a fundamental right means in general. It finds that first, the status of fundamental right means that that right is applicable to all possible policy areas without exclusion (horizontal applicability), and that second, the status of fundamental right means that it is a hierarchically supreme right, which can render invalid all inferior sources of law that do not comply with it and which is protected by constitutional safeguards from whimsical change. It also researches the more specific consequences this has for data protection rights and it asks in what situations individuals would benefit from the right in additional to their data protection rights ensured by secondary EU law such as the GDPR. This was assessed by delineating the scope of the secondary law instruments and to compare it with the scope of Article 8 of the Charter. Nine possible areas are found on which Article 8 could be applied independently. It is finally argued that such independent application of Article 8 should hold autonomous meaning and provide at least the same level of protection as provided by the GDPR.

3

CONTENTS

I List of Cases 4

II List of Legislation 6

III Because data protection is what? Fundamental! How the fundamental right to data protection has added value as an independently applicable right.

Chapter 1: Introduction 8

Chapter 2: Consequences of qualification as fundamental right

§2.1 What are human rights? 10

§2.2 Horizontality and supremacy 11

§2.3 Fundamental rights in the EU legal order 12

§2.4 Conclusions 16

Chapter 3: Chartering uncharted lands

§3.1 Added value of Article 8 17

§3.2 Scoping exercise 18

§3.3 Conclusions 20

Chapter 4: The right to data protection

§4.1 Article 8 21

§4.2 Testing the thesis 25

§4.3 Conclusions 27

Chapter 5: Conclusion 28

IV Literature 30

V Appendix: scoping exercise 36

4

I LIST OF CASES

Court of Justice

Case C-6/64 Costa/E.N.E.L. [1964], ECLI:EU:C:1964:66.

Case C-11/70 Internationale Handelsgesellschaft mbH v Einfuhr- und Vorratsstelle für

Getreide und Futtermittel [1970], ECLI:EU:C:1970:114.

Case C-4/73 Nold KG v Commission [1974], ECLI:EU:C:1974:51.

Case C-36/75 Rutili v Ministre de l'intérieur [1975], ECLI:EU:C:1975:137. Case C-43/75 Defrenne v SABENA [1976], ECLI:EU:C:1976:56.

C-106/77 Amministrazione delle finanze dello Stato/Simmenthal [1978], ECLI:EU:C:1978:49. Case 283/81 CILFIT/Ministero della Sanità [1982], ECLI:EU:C:1982:335.

Case 294/83 Les Verts v Parliament [1986], ECLI:EU:C:1986:166.

Case 314/85 Firma Foto-Frost v Hauptzollamt Lübeck-Ost [1987], ECLI:EU:C:1987:452. Case C-5/88 Wachauf v Bundesamt für Ernährung und Forstwirtschaft [1989],

ECLI:EU:C:1989:321.

Case C-260/89 ERT v DEP [1991], ECLI:EU:C:1991:254.

Joined Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others [2003], ECLI:EU:C:2003:294.

Case C-101/01 Lindqvist [2003], ECLI:EU:C:2003:596.

Joined cases C-402/05 P and C-415/05 P Kadi and Al Barakaat International Foundation v

Council and Commission [2008], ECLI:EU:C:2008:461.

Case C-275/06 Promusicae [2008], ECLI:EU:C:2008:54.

Case C-73/07 Satakunnan Markkinapörssi and Satamedia [2008], ECLI:EU:C:2008:727. Case C-301/06 Ireland v Parliament and Council [2009], ECLI:EU:C:2009:68.

Case C-533/07 Rijkeboer, [2009], ECLI:EU:C:2009:293. Case C-555/07 Kücükdeveci [2010], ECLI:EU:C:2010:21.

Case C-92/09 Volker und Markus Schecke and Eifert [2010], ECLI:EU:C:2010:662. Case C-279/09 DEB [2010], ECLI:EU:C:2010:811.

Case C-70/10 Scarlet Extended [2011], ECLI:EU:C:2011:771.

Joined cases C-468/10 and C-469/10 Asociación Nacional de Establecimientos Financieros

de Crédito (ASNEF) (C-468/10) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) (C-469/10) v Administración del Estado [2011], ECLI:EU:C:2011:777.

Case C-543/09 Deutsche Telekom [2011], ECLI:EU:C:2011:279.

Case C-360/10 Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA

(SABAM) v Netlog NV [2012], ECLI:EU:C:2012:85.

Joined cases C-584/10 P, C-593/10 P and C-595/10 P, Commission and Others v. Kadi [2013], ECLI:EU:C:2013:518.

Case C-348/12 P Council v Manufacturing Support & Procurement Kala Naft [2013], ECLI:EU:C:2013:776.

Case C-617/10 Åkerberg Fransson [2013], ECLI:EU:C:2013:105. Case C-399/11 Melloni [2013], ECLI:EU:C:2013:107.

Case C-127/12 Association de médiation sociale [2014], ECLI:EU:C:2014:2. Case C-131/12 Google Spain and Google [2014], ECLI:EU:C:2014:317. Case C-293/12 Digital Rights Ireland and Seitlinger and Others [2014], ECLI:EU:C:2014:238.

Case C-198/13 Julian Hernández and Others [2014], ECLI:EU:C:2014:2055. Case C-206/13 Siragusa [2014], ECLI:EU:C:2014:126.

Case C-212/13 Ryneš [2014], ECLI:EU:C:2014:2428.

Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015], ECLI:EU:C:2015:650.

5

Case C-414/16 Egenberger [2018], ECLI:EU:C:2018:257.

Joined Cases C-569/16 and C-570/16 Bauer [2018], ECLI:EU:C:2018:871. General Court

Case T-509/10 Manufacturing Support & Procurement Kala Naft v Council [2012], ECLI:EU:T:2012:201.

European Court of Human Rights

Judgment of the ECtHR of 13 June 1979, Marckx v. Belgium, App. No. 6833/74. Judgment of the ECtHR of 9 October 1979, Airey v. Ireland, App. No. 6289/73.

Judgment of the ECtHR of 26 March 1985, X. and Y. v. the Netherlands, App No. 8978/80. Decision of the ECtHR of 15 May 2006, Estate of Kresten Filtenborg Mortensen v. Denmark, App. No. 1338/03.

Judgment of the ECtHR of 13 July 2006, Jaggi v. Switzerland, App. No. 58757/00. Judgment of the ECtHR of 19 July 2012, Koch v. Germany, App. No. 497/09.

6

II LIST OF LEGISLATION

Primary European Union Legislation

EU, Consolidated Version of the Treaty on European Union [2016], OJ C202/01.

EU, Consolidated Version of the Treaty on the Functioning of the European Union [2016], OJ C202/01.

EU, Charter of Fundamental Rights of the European Union - Solemn Proclamation by the European Parliament, the Council and the Commission [2000], OJ C364/06.

EU, Charter of Fundamental Rights of the European Union [2016], OJ C202/02.

EU, Treaty of Lisbon amending the Treaty on European Union and the Treaty Establishing the European Community [2007], OJ C306/01.

Secondary European Union Legislation

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free

movement of such data (Data Protection Directive), OJ L 281, p. 31-50.

Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the

telecommunications sector, OJ 1998, L 024, p. 1-8.

Regulation 45/2001/EC of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the

Community institutions and bodies and on the free movement of such data (Personal Data Regulation), OJ L 8, p.1-22.

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, p. 37–47.

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (Data Retention Directive), OJ 2006, L 105, p. 54-63. Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ 2008, L 350, p. 60-71.

Regulation 223/2009/EC of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities, OJ L 87, p. 164–173.

7

Regulation 1060/2009/EC of the European Parliament and of the Council of 16 September 2009 on credit rating agencies, OJ L 302, p. 1–31.

Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation 2006/2004/EC on cooperation between national authorities responsible for the enforcement of consumer protection laws, OJ L 337, p. 11–36.

Regulation 648/2012/EU of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories, OJ L 201, p. 1–59.

Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU, OJ L 173, p. 349–496.

Directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC,

2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, OJ L 337, p. 35–127.

Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection

Regulation), OJ 2016, L 119, p. 1-88.

Directive 2016/680/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ 2016, L 119, p. 89-131. Regulation 2018/1725/EU of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, p. 39–98. Council of Europe

European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, ETS No 5, 4.XI.1950 (Rome).

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No 108, 28.I.1981 (Strasbourg).

8

III Because data protection is what? Fundamental!

CHAPTER 1: INTRODUCTION

On the 12th of December last year, the Universal Declaration of Human Rights turned 70. That marks 70 years since the declaration of that milestone human rights document that changed the way we think about humans and humanity, 70 years of continuous striving for better human rights compliance, for better human rights understanding, for a more comprehensive human rights protection. A few months before that, in September 2018, the European Convention for the Protection of Human Rights and Fundamental Freedoms celebrated its 65th anniversary.1 In December this year, it will be ten years ago that the Lisbon Treaty entered into force, rendering legally binding force to the Charter of Fundamental Rights of the European Union.2 Dealing with the same topic, all three documents show a lot of similarities, but also striking differences. Besides obvious differences in legal value, scope of application and who drafted the documents, one of the differences that almost immediately catches the eye is the inclusion of a ‘new age’ right in the EU Charter, one that both the well-established human rights documents omit: a right to data protection.

This new right is remarkable and unique in the sense that, although over the years the amount of fundamental or human rights has continuously proliferated, it has not come to be recognised as a fundamental right because of judicial interpretation of existing rights, but has its roots in ‘ordinary’ legislation. It once was nothing more than just another policy area - important, but not fundamental. However, its importance has increased exponentially over the last year, especially with the introduction of internet and the ever-increasing digitalisation of all aspects of our lives. Though the benefits are undeniable, there are also downsides. Data protection has a firm role to play here; a world without it is imaginable, but bleak. In a world without it, we would not know privacy the way we know it now, we would not have control over what happens with our data the way we do now, we could be subject to automated decision making without knowing it, we could be profiled based on limited information, wrongful decisions could be made about us on the bases of inaccurate information, we could be discriminated against. Ultimately, data protection touches upon so many crucial aspects of our current lives that a world without it would erode our human dignity. Thankfully, the protection of this human dignity is now constitutionally anchored in the fundamental right to data protection.

Although the gradual process of recognition of the fundamental importance of data protection is interesting, this is not the topic of this thesis.3 This thesis researches the other side, namely the consequences of the addition or inclusion of a fundamental right to data protection in the EU Charter. It asks whether this addition of data protection as a fundamental right has had any added benefits for individuals, whether the addition has created areas in which the application of data protection norms is novel. To that end, it examines firstly the general consequences of the qualification as fundamental right: what is a fundamental right? What does it mean to be a fundamental right, legally? This will be the focus of Chapter 2.

1 _{Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as}

amended by Protocols Nos. 11 and 14, ETS No 5, 4.IX.1950 (Rome).

2 _{EU, Treaty of Lisbon amending the Treaty on European Union and the Treaty Establishing the European}

Community [2007], OJ C306/01; EU, Charter of Fundamental Rights of the European Union [2016], OJ C202/02.

9

Subsequently, the thesis will examine what the consequences were for data protection, specifically. What does a judicially enforceable right to data protection mean for individuals? In which cases do individuals benefit from this Charter right? What situations can be thought of in which individuals can or must seek recourse to their fundamental right to data protection, as opposed to their rights guaranteed by other, non-fundamental data protection rights that are included in, amongst others, national law or secondary EU law, such as the GDPR, the Law Enforcement directive and Regulation 2018/1725? This will be central to Chapter 3, in which to that end a ‘scoping exercise’ will expose the lacunas in the protection provided by the secondary data protection instruments, to find out where the fundamental right may come into play.

Lastly, in Chapter 4, the thesis will answer how this right should find application in the situations laid out in Chapter 3. It will propose an answer to the questions if Article 8 can or should be applied independently, and if so, what its scope should be, and how possible interferences with the right to data protection should be assessed. Hence, not part of this research will be the ‘other’ consequences that the elevation of data protection to fundamental right status might have had, such as the consequences in a social sense, i.e. the social awareness about data protection rights and the value that is attached to data protection. Closely connected to that, the consequences for the place that data protection takes on the political agenda and the influence it might have had on the drafting process of EU secondary legislation, especially that of the data protection reform package (which includes the GDPR) and the relation between that and other political events such as the revelations of Edward Snowden, will also not be assessed. Nor will the consequences of the EU data protection regime, including the fundamental right, (i.e. enforcement cooperation and the mechanism included in Article 46 GDPR can be thought of) be assessed on an international level, meaning consequences and effects that are felt outside of the borders of the EU.

10

CHAPTER 2: CONSEQUENCES OF QUALIFICATION AS A FUNDAMENTAL RIGHT

Before it can be analysed what happened to data protection in the EU now that it has become a fundamental right and how the CJEU should deal with this, the question needs to be answered what legal consequences the qualification as fundamental right has in general. What are fundamental rights? What makes a fundamental right fundamental? How do they differ from non-fundamental rights? How is this fundamentality ensured legally? These questions are central to this chapter.

§2.1 What are human rights?

The question what human rights are, is a big one, and one that typically belongs to the territory of philosophers of law and legal theorists. Many scholars have attempted to find an answer (or, more specifically, the answer) to this and related questions, by searching for the all-covering concept that explains what human rights are, why they exist, and why our current human rights catalogue consists of precisely those rights and not others. The research methods taken vary greatly, as do the doctrinal starting points of the authors and, of course, their conclusions. This makes this field of research especially complex and opaque, and it is not my intention to describe the discourse surrounding human rights in the philosophical or jurisprudential sphere.4

Historic notions about law and human rights are time-specific. The ideas and notions that we nowadays still consider part of the human rights debate were not written in a time where human rights had the same meaning, status and validity as they do now. Today, human rights are regarded as protecting human dignity: all humans, regardless of sex, skin colour, race, religious beliefs, etc. are entitled to the same, equal and universal protection. Notions about human rights are also place-bound. The more one tries to concretise what they entail in practice, the more their meaning proves to be elusive, and the more differing or even opposing views on the same human right emerge. For example, whether a right to life entails also a right to die differs considerably depending on whom you ask. For some, this right to die is an accessory right derived from the right to life and its connotations with autonomy and self-determination, but for others a right to die and a right to life are in direct conflict with each other. On the one hand, human rights claim to protect every single human being in the same way and with the same vigour. On the other hand, they can never truly fulfil this promise as every society and perhaps even every human being has their own interpretation of against what and the manner in which human rights should protect them.5

To answer the question what human rights are with ‘it depends’ (e.g. on time and place) is very juridical, and does not actually help us further understand what they are. Besides that, it is apparent that there is a big difference between human rights as theoretical/philosophical values and human rights as legal rights. So perhaps the more pertinent question to ask is not what they are – which remains a largely unanswered question to this day, and one I definitely cannot answer in this thesis –, but what they can be for individuals. The answer we find then is more of a legal nature, and pertains to the place human rights (should) take in the legal system. In this answer, we find how the fundamentality of human rights is ensured legally as opposed to focussing on the philosophical inquiry into what makes and justifies their

4 _{For an extensive overview of the historic and modern human rights discourse, detailing historical approaches}

such as the natural law and legal positivist theories, and modern theories such as the interest and will theory, see,

inter alia: Brugmans 2010, Mertens 2012, Fagan 2009, Griffin 2008, Ernst & Heilinger 2011. 5 _{Compare: Freeman 2011, p. 119 and beyond; Brugmans 2010; Griffin 2008, p. 212 and beyond.}

11

fundamentality. In this sense, human rights are an expression of what is valued most in a given polity, irrespective of its philosophical source or justification: whether this expression is a translation of higher source (such as a divine source, nature or some universal morality) or merely the outcome of a social negotiation does not matter in this perspective. Central is that they receive the highest level of protection.6 In order for human rights to become legally relevant (and thus enforceable by individuals), they have to be politically debated, legalised and institutionalised.7 This means that, in spite of their claim to universality, legally relevant fundamental rights differ depending on the people or polity that has politically debated them, found consensus and institutionalised them.8 The consequence of this is that giving an account that is both general and exhaustive of the way fundamental rights function as legal instruments is impossible, because they differ too greatly depending on the system in which they have been concretised.

§2.2 Horizontality and supremacy

There are, however, two aspects about fundamental rights that do stand out in this respect. The first aspect is that fundamental rights are a ‘horizontal policy’. This means that they are applicable to all policy fields and legal areas, and that their effect is felt across the board. Their substantive protection cannot, in any case, be excluded from any one area without hollowing out their very raison d’être. This is, however, not without qualifications. Even though substantively, fundamental rights are claimed to apply across the board, this is not always true for the institutional and jurisdictional components of fundamental rights protection. This is especially true for fundamental rights protection in the EU, where the Court’s jurisdiction is limited to cases that come within the scope of EU law. Fundamental rights cases that do not fall within the scope of EU law can thus be ruled differently than cases that do.9

The second aspect that stands out is that fundamental rights are, as Torres Pérez puts it, as hierarchically supreme norms. What makes ordinary rights different from fundamental rights is thus found in their supremacy. In a way, their fundamentality and their universally endorsed fundamental importance are thus anchored by being translated or transposed into legal supremacy. Without this inherent supremacy, fundamental rights would just be ‘normal’ rights, about nonetheless very important subject-matter. How this hierarchical supremacy takes shape depends to a large extent on the respective legal order. However, it is fairly safe to say that in most legal orders, this supremacy manifests itself in at least two ways. First, supremacy entails that fundamental rights are protected from change. This protection has as its purpose to ensure continuity and to safeguard from political whims. As such they function besides and are part of democratic principles such as the separation of powers, the rule of law or ‘rechtsstaat’ and equality before the law. Simply put, it means that changing fundamental rights is more difficult than amending ordinary legislation.

6 _{Torres Pérez 2009, p. 13.}

7 _{As from here on, I shall use the term ‘fundamental rights’ rather than ‘human rights’. The difference between}

these terms is a grey area, because some authors in the literature advocate a distinction where human rights are non-concretised ideas and fundamental rights are those which are concretised/legalised in a document. See, for this view: Palombella 2007. However, not everyone agrees as some find this distinction improper. See: Henrard 2008 and Smis 2011. In reality, the terms are most often used interchangeably. I shall employ ‘fundamental rights’ since this is the term more frequently used in the context of the EU.

8 _{Paradoxically, legalisation of human rights might simultaneously make them obsolete: in a naturalistic view,}

the function of human rights is to transcend laws that violate them; they become relevant the moment when legal instruments/institutions fail to recognise and enforce them. See Freeman 2011, p. 11.

12

Secondly, supremacy entails that fundamental rights are legally and judicially protected against encroachment by public authorities, including the legislature. This entails that the legislator, when drafting new legislation or amending existing legislation, is bound to comply with fundamental rights and is prohibited from legislating contra what is prescribed or forbidden by those fundamental rights. It means that administrative bodies and all other bodies or organs that wield public power must, when exercising public power, comply with fundamental rights. Moreover, this protection from encroachment usually reserves a role for the judiciary, empowered to exercise judicial review of legislation and measures based on public power for compatibility with fundamental rights, and, consequently, the possibility to annul such measures on grounds of incompatibility with the supreme norm.10 However, it is generally accepted that (some) fundamental rights are interfered with to a certain extent.11 That ‘certain extent’ is not a carte blanche to be filled in at will by the legislator or public bodies. On the contrary, that would defy their very purpose. Part of this aspect of supremacy is also that fundamental rights know a very specific system of limitation.

Additionally, a third manner in which this supremacy is apparent is also conceivable. In this construction, the supremacy of fundamental rights not only prohibits measures that violate fundamental rights, but also warrants or even requires active action on the part of the state. This concept of positive obligations has been developed, amongst others, in the jurisprudence of the ECtHR.12 As regards this third aspect, however, we see confirmation that it can depend per legal order how exactly supremacy takes shape. For the EU legal order, the question is how and whether positive obligations can come to play a role. Strong arguments can be thought of that suggest that there is not much scope to recognise and integrate this concept within EU law.13 To start, it has already been remarked that fundamental rights are horizontally applicable. However, the EU’s competences are limited by the principle of conferral laid down in Article 5(1) and 4(1) of the TEU. This means that the EU is not competent to undertake action unless such competence has been conferred upon the EU. As a consequence, the EU is not ‘horizontally’ competent and cannot thus be held responsible for fulfilling positive obligations on areas where it lacks competence.14

§2.3 Fundamental rights in the EU legal order

The discussion above centred on the concept of legal supremacy of fundamental rights. This paragraph will examine in more detail how all of the aspects of supremacy find application within the EU legal order. In order to fully understand how this supremacy takes shape in the EU legal order, it remains to be remarked that this legal supremacy is usually confined to one single legal order: supremacy of fundamental rights does not transcend the jurisdiction of that legal order.15 This is because the hierarchical supremacy of fundamental rights is often given

10 _{Torres Pérez 2009, p. 9; De Asís Roig 2013, p. 27.}

11 _{Compare Article 18 ECHR, which refers to ‘restrictions permitted under this Convention to the said rights and}

freedoms’.

12 _{See, e.g. Judgment of the ECtHR of 13 June 1979, Marckx v. Belgium, App. No. 6833/74; Judgment of the}

ECtHR of 9 October 1979, Airey v. Ireland, App. No. 6289/73; Judgment of the ECtHR of 26 March 1985, X.

and Y. v. the Netherlands, App No. 8978/80.

13 _{For an in-depth exploration of the limits to fundamental rights protection and positive obligations in the EU,}

see the notable dissertation of one of my favourite (former) teachers, Malu Beijer (Beijer 2017). See also: Fredman 2008.

14 _{For a more in detail analysis, see Beijer 2017. In some cases, the CJEU has accepted the existence of positive}

obligations within an EU context, but these instances have been sparse and the obligations concerned in every case procedural and not substantive obligations.

15 _{In contrast to their moral/philosophical counterparts. At least, so it is claimed by some. Adherents to a}

13

shape by encompassing them in a hierarchically supreme document, such as a constitution. The supremacy of such a document cannot transcend its own legal order. The EU legal order, however, does not have one single constitution and can perhaps not even be called a single legal order. The EU legal order consists of a complex interplay between three separate and autonomous but at the same time partially overlapping legal orders that mutually and reciprocally influence each other: national, Union and international.16 _{This interplay is,}

however, not a central aspect of this thesis and will therefore not be discussed further. §2.3.1 Supremacy within the EU

Within the EU itself, the supremacy of fundamental rights norms is ensured in the following manner. As to the first aspect of supremacy, respect for fundamental rights is a condition for

the legality of all EU measures, and EU laws must be interpreted and construed with a view to

respecting human rights.17 There are two ways in which this is assured. Firstly, Article 51(1) of the EU Charter of Fundamental Rights stipulates that “the provisions of this Charter are addressed to the institutions, bodies, offices and agencies of the Union” and that “[they] shall therefore respect the rights, observe the principles and promote the application thereof in accordance with their respective powers and respecting the limits of the powers of the Union as conferred on it in the Treaties.” Thus, all EU Institutions are bound to comply with the Charter in the execution of their powers and competences. Article 6(1) TEU establishes that the Charter has the same legal value as the TEU and the TFEU, thus granting it primary law status. Article 19 TEU on its turn establishes that the Court of Justice of the European Union has jurisdiction to review the legality of acts of the institutions against primary EU law. Article 6(3) TEU furthermore stipulates that fundamental rights, as guaranteed by the ECHR and as they result from the constitutional traditions common to the Member States, shall constitute general principles of EU law. Before the Charter acquired legally binding force and primary law status and became the main source for fundamental rights in the EU, the Court had already made clear that fundamental rights, i.e. the general principles of EU law deriving from the constitutional traditions common to the Member States and their international obligations concerning fundamental rights, with special significance for the ECHR, would take precedence over secondary EU law.18 Until quite recently, however, the supremacy of fundamental rights in the EU had not led to annulment of any EU measure on grounds of incompatibility with fundamental rights. It has only been in challenges against anti-terrorism measures and after the Charter became legally binding that the Court has shown more willingness to sanction fundamental rights violations, not in the least in the field of data protection, notable examples of which are Digital Rights Ireland and Schrems.19

In the field of anti-terrorism measures, the Court has given several judgments in which it alludes to the supremacy of fundamental rights norms over other sources of EU primary law. The most notable example of this is the Kadi I case.20 This case concerned Mr Yassin Kadi and the Al-Barakaat International Foundation, whose assets were frozen by way of a UN

any legal system. In their view, human rights come into play just the moment when all legal and political instruments fail to ensure their safeguarding. See Freeman 2011, p. 11.

16 _{See, for more on the pluralist nature of the EU legal order and its relationships with national law and}

international law, Besson 2009.

17 _{Craig & De Búrca 2015, p. 392, 408.}

18 _{Case C-4/73 Nold v Commission [1974], ECLI:EU:C:1974:51, §14.}

19 _{Craig & De Búrca 2015, p. 401-402; Case C-293/12 Digital Rights Ireland and Seitlinger and Others [2014],}

ECLI:EU:C:2014:238; Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015], ECLI:EU:C:2015:650.

20 _{Joined cases C-402/05 P and C-415/05 P Kadi and Al Barakaat International Foundation v Council and} Commission (Kadi I) [2008], ECLI:EU:C:2008:461.

14

Resolution that put them on a list of persons suspected to be associated with Osama bin Laden or Al-Qaida. Mr Kadi and the Foundation both challenged the EU measures giving effect to the UN Resolution on grounds of violation of their fundamental rights to property and fair trial. In appeal against the judgment of the General Court, the Court established that, even though what is currently Article 351 TFEU permits derogations from EU primary law in case of conflicting international obligations stemming from before 1 January 1958 (such as the UN Charter under which the Resolutions were adopted), this Article cannot “be understood to authorise any derogation from the principles of liberty, democracy and respect for human rights and fundamental freedoms enshrined in Article 6(1) EU as a foundation of the Union.”21 The Court thus established that respect for fundamental rights is part of the ‘foundations’ of the EU legal order, amongst the principles of liberty and democracy, suggesting that these foundations form a layer of law that is hierarchically superior to sources of ‘ordinary’ primary EU law.22

The second aspect of the supremacy of fundamental rights concerns the protection from change that fundamental rights enjoy. As just discussed, fundamental rights norms within the EU have several sources. First and foremost, there is the Charter, which, at the time of its adoption, was ‘merely’ a solemn proclamation affirming the EU’s commitment to safeguarding fundamental rights, but which is now legally binding and part of EU primary law. That means that its amendment procedure can be found and described relatively easily. Secondly and thirdly, fundamental rights in the EU also stem from the constitutional traditions common to the Member States, and their international obligations concerning fundamental rights with special significance for the ECHR.

Concerning the Charter, two types of amendments are conceivable. The first concerns the amendment of the text of the Charter itself. Since the text of the Charter does not provide for a revision clause itself, we have to look elsewhere. The Charter was originally adopted by the European Parliament, the Council and the Commission on 7 December 2000.23 It is thus not an international treaty the way the TEU and TFEU are. At first sight, this makes it questionable whether the ordinary revision procedure provided for in Article 48 paragraphs (2) to (5) of the TEU applies to the Charter. This Article speaks of amendments to the Treaties and to their Protocols. As just stated, the Charter is not a treaty and Article 48 TEU would then not be applicable to it. In this context, it would be defensible that the text of the Charter ought then to be amended by the bodies that have adopted it, being the Parliament, Council and Commission. This position finds support in the fact that the 2007 Strasbourg amendments were also conducted by these Institutions. However, Article 6(1) of the TEU provides expressly that only the version of the Charter as it was adapted at Strasbourg on 12 December 2007 has the same legal value as the Treaties. Thus, even though technically only the involvement of the three adopting Institutions is needed, any amendment to the text of the Charter is to be accompanied by an amendment of Article 6(1) of the TEU if it is to have any meaning. Such an amendment of Article 6(1) would follow the ordinary revision procedure provided for in Article 48(2)-(5) TEU. The Article 48-procedure would require, amongst others, a common accord to be reached by all Member States plus national ratification by all

21 _{Kadi I, §303.}

22 _{Kadi I, §304-305; Craig & De Búrca 2015, p. 402-406; Eckes 2017, p. 16. It can be contended, however, that}

the Court lacks the necessary jurisdiction to examine the compatibility of primary EU law with fundamental rights. The argument is that such judicial interpretation in light of fundamental rights would lead to an extrajudicial modification of the Treaties. See, Lenaerts & Gutiérrez-Fons 2014, paras. 55.36-37 and beyond.

23 _{Charter of Fundamental Rights of the European Union - Solemn Proclamation by the European Parliament, the}

15

Member States according to their own rules and procedures.24 In order for the Charter to be revised, involvement and agreement is hence needed from all Member States governments, all Member State parliaments, the European Parliament, the Council, and the Commission. It is not overstated to say then, that amending the Charter is not an easy task. The fundamental rights contained in the Charter are in that sense well protected against unwelcome changes. As to the other sources of fundamental rights in the EU, being general principles of EU law according to Article 6(3) TEU, we have already seen that compliance with them is a condition for the legality of EU law. It is, however, harder to indicate how their supremacy protects them from change. This is because formally, they are external sources of fundamental rights that are outside of the sphere of influence of the EU. This means that the EU cannot control when and how they are amended, because this happens in accordance with the rules and procedures of the legal order of the respective source, e.g. the Member States’ constitutional traditions and international fundamental rights agreements such as the ECHR. However, the EU does have a certain say in how amendments in these external fundamental rights sources are received within the EU legal order. This is because, even though the general principles are derived from the legal orders of the Member States, their scope and content as part of EU law is determined and has already, to a great extent, been determined by the Court.25 Should, thus, those national constitutional fundamental rights norms change somehow, it is the Court that determines if and how those changes are translated and incorporated into the EU legal order. §2.3.2 Supremacy of EU fundamental rights over national fundamental rights

So far we have discussed the supremacy of EU fundamental rights norms within the EU itself, i.e. over other types of EU law. EU fundamental rights norms are, however, in certain situations also applicable to national measures. Though I have mentioned before that this is interplay between legal orders is not central to the thesis, it is important to understand the applicability of the Charter to Member State action. It will be shortly addressed.

Before the Charter became binding, two situations could be discerned in which EU fundamental rights were applicable to national measures. Firstly, Member States were bound by the general principles of EU law when they were implementing or applying an EU measure, even where that measure was not directly or at all concerned with a fundamental right, and even if it left a certain margin of discretion to the Member States.26 Secondly, in

ERT the scope of EU fundamental rights application was extended to Member State measures

that derogate from EU law by the use of an express possibility, such as the possible Treaty justifications for the obstruction of the free movement provisions.27 _{This case law can be said}

to be codified in Article 51 of the Charter, albeit perhaps in a somewhat ambiguous and modified manner. It reads: “The provisions of this Charter are addressed to […] the Member States only when they are implementing Union law”.28 Even though this provision made it seem as if the Charter was no longer applicable to the situation in which Member States derogate from EU law, the Court, in its seminal judgment Åkerberg Fransson interpreted this provision so that EU fundamental rights are applicable whenever Member States are acting

within the scope of EU law. The Court clarified that this meant that wherever EU law is

24 _{De Witte 2012, p. 117, 119, 120; see also St C Bradley 2017, p. 136-139.} 25 _{Tridimas 2006, p. 6.}

26 _{Case C-36/75 Rutili v Ministre de l'intérieur [1975], ECLI:EU:C:1975:137; Case C-5/88 Wachauf v} Bundesamt für Ernährung und Forstwirtschaft [1989], ECLI:EU:C:1989:321, §17-19.

27 _{Case C-260/89 ERT v DEP [1991], ECLI:EU:C:1991:254, §42-45.} 28 _{Emphasis added.}

16

applicable, EU Charter rights are applicable and must be complied with.29 As of yet, though the Court has in multiple cases tried to further clarify this line of case law, there are no exact criteria to determine what precisely falls inside and outside the scope of EU law. However, it is clear that Article 51 naturally encompasses situations in which Member States apply and/or implement a measure of EU law, and that it also includes situations without such a direct link so long as there remains a degree of connection between the national measure and EU law which goes further than Member State action which merely comes within an area of competence of the EU.30

§2.4 Conclusions

In conclusion, the consequence of the elevation of a ‘normal’ right to fundamental right is that it 1) becomes applicable across the board of all policy areas, and 2) becomes a hierarchically supreme right. That means that all other acts of law have to respect that fundamental right and comply with it and that their legality can be reviewed on the grounds of incompatibility with that fundamental right. It also means that they are protected from (unwanted or impulsive) change and that they can sometimes involve positive obligations. The way this supremacy takes shape is different depending on the legal order. In the EU legal order, this involves effects within the EU itself as well as effects on the interplay between the EU and national legal orders. In the EU before 2009, fundamental rights were not codified but were recognised by the case law of the Court of Justice of the European Union as enjoying primary law status. In December 2009, some of the fundamental rights contained in this case law were codified in the Charter of Fundamental Rights of the European Union which, according to Article 6(1) of the TEU, enjoys primary law status and is thus supreme to all secondary EU law. Article 19(1) TEU stipulates that secondary EU law can be reviewed by the Court on its compatibility with primary law. Furthermore, the Court has alluded in Kadi I to the idea that fundamental rights form part of the foundations of the EU: a layer of law even superior to the Treaties. The takeaway is that being elevated to fundamental rights status within the EU thus entails horizontal applicability, i.e. over all policy fields, and it entails that EU fundamental rights take precedence over all conflicting norms of secondary EU law, arguably over the founding treaties of the EU, and all acts of Member States provided that they fall within the scope of EU law.

29 _{Case C-617/10 Åkerberg Fransson [2013], ECLI:EU:C:2013:105, §20-22.}

30 _{Case C-198/13 Julian Hernández and Others [2014], ECLI:EU:C:2014:2055, §34; Case C-206/13 Siragusa}

17

CHAPTER 3: CHARTERING UNCHARTED LANDS

So far, we have seen that in the EU, fundamental rights are different from ‘ordinary’ rights because they are horizontally applicable and hierarchically superior norms. This chapter will go a step further and assess what this means for data protection now that it is a fundamental right. Though data protection has been an area of national and international interest since the mid-1960s and early 1970s, it was at the time not regarded as fundamental. However, awareness about the importance of data protection increased over time, and in the mid to late 1990s important action was undertaken at EU level. In 1995, the Data Protection Directive (DPD) entered into force, being the first EU instrument to tackle the subject. Its main successor is the General Data Protection Regulation (GDPR), which entered into force last year. Secondly, in 2000 the Charter was adopted, in which data protection was recognised as being a fundamental right in Article 8. Since the Charter did not become binding until 2009, it was not until then that the fundamental right to data protection became judiciable.31 But what does that mean? In which cases do individuals benefit from this Charter right? What situations can be thought of in which individuals can or must seek recourse to their fundamental right to data protection, as opposed to their rights guaranteed by other, non-fundamental data protection rights that are included in, amongst others, national law or secondary EU law, such as the GDPR, the Law Enforcement directive and Regulation 2018/1725? Is the fundamental right encompassed in Article 8 broader in protection coverage? This will be assessed in this Chapter.32

§3.1 Added value of Article 8

In order to successfully find out where data protection as a fundamental right matters, it has to be mapped where it has added value besides the existing secondary EU instruments. This can be done by comparing the situation as it was before data protection became a fundamental right with the situation after. Generally, before data protection became fundamental, the EU knew three important secondary data protection instruments. First, there was the Data Protection Directive from 1995.33 Similar to preceding international data protection measures, the Directive had dual objectives: on the one hand the realisation of the internal market through the free movement of goods, services, persons, capital, and, importantly, of personal data; on the other, the protection of the fundamental rights and freedoms of individuals, in particular their right to privacy with respect to the processing of personal data. It aimed to establish a high-level data protection baseline in order to achieve equivalent protection in all Member States, which would (it was aimed) eliminate the reasons to obstruct transborder data flow. Secondly, there was Regulation 45/2001 which laid down similar rules on the

31 _{Arguably, data protection became judiciable before the Charter became binding in 2009, namely in 2008}

through the Court’s judgment in Case C-275/06 Promusicae [2008], ECLI:EU:C:2008:54, §63; see also Lynskey 2014, p. 570. However, I take the Charter as benchmark for the judiciability of data protection, because the wording of the Court in Promusicae about the status of data protection as a separate fundamental right is ambiguous at best, and no doubts exist as to the judiciability of the Charter. In either case, no data protection cases have been decided by the Court on the basis of the allusion to data protection being a separate fundamental right in Promusicae alone in the period between Promusicae and the Charter becoming binding, even though the Court had explicitly indicated to be open to such review; see case C-301/06 Ireland v Parliament and Council [2009], ECLI:EU:C:2009:68, para. 57, in which judgment the Court went out of its way to note that a reference to the rights to data protection and privacy in Ireland’s claims was absent.

32 _{When employing the term judicial review in this chapter, it shall entail more than only judicial review about}

the (in)validity of a measure with subsequent nullity (or not) as an immediate consequence, but also judicial review in the sense of establishing a (possible) conflict or breach without direct consequences as to the validity of the measure.

18

processing of personal data by the EU Institutions.34 Thirdly, in 2008 Council Framework Decision 2008/977/JHA was adopted, laying down rules on the processing of personal data in the context of police and judicial cooperation in criminal matters.35

The current data protection regime consists of several measures. First and foremost, the GDPR has taken the place of the DPD and the Law Enforcement Directive has taken the place of Framework Decision 977/JHA on the prevention, detection, investigation or prosecution of criminal offences and related judicial activities. These two have been adopted in 2016.36 The so-called skeleton of the GDPR is not substantially different from the DPD: the basic premises of the DPD and the scope of application remain valid and are left unchanged. The GDPR is, however, more fleshy and muscular: the basic principles of the DPD have been modernised, updated and significantly reinforced.37 More recently, Regulation 45/2001 has also been replaced by a new and stronger Regulation on the processing of personal data by the EU Institutions, following the instruction to do so in recital 17 of the preamble to the GDPR for a stronger and more coherent data protection framework in the EU.38

Novel in the data protection landscape is thus the fundamental right to data protection enshrined in Article 8. A curious situation presents itself in assessing the consequences that this elevation to a fundamental right has had for data protection rights. Because individuals derive a fundamental right to data protection from Article 8 of the Charter, they can now challenge the legality of any measure within the scope of Article 8 on ground of incompatibility with that Article. That includes measures that do not directly regulate processing of personal data but affect the personal data of individuals in other ways. It theoretically also includes measures that form a direct expression of the right to data protection, such as the GDPR and Regulation 2018/1725 (even though it is highly improbable that they will be found to be contrary to Article 8). Besides that, individuals’ rights concerning the processing of their personal data remain for a large part covered by those measures. There is a big overlap in scope between the GDPR and Regulation 2018/1725 on the one hand and Article 8 of the Charter on the other, because they are all about affording protection to individuals when their personal data is being processed. In most situations, this overlap does not make a difference. Article 8 of the Charter will only come into play when the challenged measures or activities cannot be reviewed in the light of the GDPR. This can occur in two situations. Firstly, in the event that secondary EU law is reviewed (such as the Data Retention Directive, or the unlikely assessment of the GDPR itself as described above), the GDPR cannot serve as framework for review because one measure of secondary EU law cannot be reviewed in light of another secondary EU law measure. Secondly and more notably, Article 8 can come into play in the review of measures and data processing activities that do fall in the scope of the Charter but do not fall within the scope of the GDPR.

§3.2 Scoping exercise

It is precisely here that the elevation of data protection to fundamental right has the most impact. This is because the secondary EU legislation on data protection excludes certain areas from its material scope of protection. Some of these data processing activities are eminent examples of measures which could affect individuals’ rights to personal data protection,

34 _{Regulation 45/2001/EC (Personal Data Regulation), OJ L 8, p. 1-22.} 35 _{Council Framework Decision 2008/977/JHA, OJ L 350, p. 60-71.}

36 _{Regulation 2016/679/EU (General Data Protection Regulation), OJ 2016, L 119, p. 1-88; Directive}

2016/680/EU, OJ 2016, L 119, p. 89-131.

37 _{See, for a detailed comparison and analysis of the reform: Krzysztofek 2019.} 38 _{Regulation 2018/1725/EU, OJ L 295, p. 39–98.}

19

which cannot be reviewed in the light of the GDPR but which are within the scope of the Charter. This I have assessed by performing a scoping exercise of the GDPR (see; V

Appendix). In the scoping exercise, I have mapped what kind of data processing activities or

measures fall outside of the scope of the Charter and assessed whether the Charter could be applied or applicable to those measures or activities. I have done this by first determining what exactly the limits of the scope of the GDPR are, taking into account the text of the GDPR, CJEU case law on the interpretation of the scope of the GDPR where available, and CJEU case law on the DPD. For each ‘excluded area’ it was subsequently determined whether it was not actually covered by other secondary instruments, such as Regulation 2018/1725 or the e-Privacy Directive 2002/58. As at times this was quite self-evident, this check was not in all cases mentioned explicitly. For all ‘excluded areas’ about which the conclusion was that they were not covered by secondary instruments, the applicability of the Charter was tested, using Article 51 of the Charter and the case law of the Court on this topic.

The conclusions of the scoping exercise are the following. Application of the Charter to the eight excluded areas is not a simple matter of yes or no, but it is often dependent on multiple factors, such as the nature of the activity, the actors involved, and the structure of applicable laws. This creates more of a sliding scale or spectrum when it comes to answering the question where the Charter is applicable. On the first end of the spectrum we find, of the total eight excluded areas, that two are fully excluded from protection by both the GDPR and the Charter, namely the exception relating to the scope of EU law contained in Articles 2(2)(a) and the exception relating to the processing of personal data relating to deceased persons following from the preamble. A little further along the scale, concerning the Law Enforcement exception ex Article 2(2)(d) GDPR, application of the Charter is theoretically possible but not very likely. Moving on a little further along the spectrum, where the conclusion was that application of the Charter was conceivable. To start, the CFSP exception ex Article 2(2)(b) GDPR. I take this area as falling within the ‘yes’ side of the spectrum, first because of the reasons set out in §V.4 that cast doubt about the practical reality of the EU individual sanctions regime, and secondly because it is an interesting thought experiment to find out how the EU sanctions regime relates to data protection notions. The EU Institutions exception ex Article 2(3) GDPR must be regarded in the same way: even though Regulation 2018/1725 provides strong protection, the Charter has to function as a backstop for situations that somehow still seem to escape the data protection safeguards, such as the CFSP. That leaves three other excluded areas, none of which are not a full ‘yes’ either, in the sense that application of the Charter is not entirely clear and unconditional, depending on the actors involved. These are the exception relating to manual processing (Article 2(1) and Recital 15 GDPR), the personal/household exception (Article 2(2)(c)) and the grey area relating to competing interests.

Application of the Charter to processing activities benefiting from one of these exceptions is unconditionally possible when carried out by the government or other public entities. As said, however, manual or household processing situations that negatively impact the right to data protection to a meaningful extent are scarce. On the other hand, however, when carried out by individuals, it was long time not clear whether Article 8, or any provision of the Charter, could actually be applied in a horizontal relation. The Court has before ruled that certain Treaty provisions and, in certain circumstances, general principles of EU law can be applied horizontally.39 In its judgment AMS, the Court dealt with the question whether Article 27 of

39 _{Case C-43/75 Defrenne v SABENA [1976], ECLI:EU:C:1976:56; Case C-144/04 Mangold [2005],}

ECLI:EU:C:2005:709; Case C-555/07 Kücükdeveci [2010], ECLI:EU:C:2010:21; Craig & De Búrca 2015, p. 419.

20

the Charter could be applied so, but it merely ruled that the provision in question was not sufficiently clear, precise and unconditional to be directly effective, thus leaving open the question whether, as a matter of principle, Charter provisions could be applied horizontally.40 In Egenberger and Bauer, the Court has brought more clarity in this respect. According to the Court in the recent cases, Article 51 of the Charter, though not addressing the effects of the Charter on individuals, cannot be interpreted so that it precludes such effects.41 _{The horizontal}

applicability of the Charter hence depends on the provision of the Charter in question and whether it is sufficiently clear, precise and unconditional. It cannot be said with certainty that Article 8 is or is not all that, and we shall have to wait for the Court to definitively rule on this matter. I expect, nonetheless, that it is, based on the following. First, as was reasoned in

Defrenne and mirrored in Bauer, Article 8 is phrased in mandatory and unconditional terms,

which the Court has used as a benchmark to determine horizontal applicability.42 Secondly, Article 8 is elaborated on and complemented in sufficient amount of secondary law instruments that further refine its scope and substance so as to provide any Court confronted with its horizontal application with sufficient indications to conclude that it is in fact, sufficiently clear, precise and unconditional. This will also be elaborated on in Chapter 4. §3.3 Conclusions

Before data protection became a fundamental right, there was no way for individuals to challenge all processing activities related to their personal data, not on grounds of unconformity with rights derived from the GDPR (because this was excluded), nor on grounds of infringement of their fundamental right to data protection (because it did not exist yet). The conclusion is thus that individuals have, considering the outcomes sketched above, gained an extra dimension in their possibilities for challenging data processing activities/measures that are not in conformity with their now fundamental rights to data protection.

40 _{Case C-127/12 Association de médiation sociale [2014], ECLI:EU:C:2014:2.}

41 _{Case C-414/16 Egenberger [2018], ECLI:EU:C:2018:257, paras. 76-80; Joined Cases C-569/16 and C-570/16} Bauer [2018], ECLI:EU:C:2018:871, para. 87 and beyond.

42 _{Case 43/75 Defrenne v SABENA [1976], ECLI:EU:C:1976:56, para. 39; Joined Cases 569/16 and}

C-570/16 Bauer [2018], ECLI:EU:C:2018:871, para. 84.

21

CHAPTER 4: THE RIGHT TO DATA PROTECTION

In the previous Chapter, we have seen that the fundamental right to data protection adds a new dimension in the possibilities for judicial review of data processing activities for individuals. Not only is secondary EU law now open to judicial review in light of the right to data protection, but in certain situations Article 8 of the Charter can form a ‘safety net’ to activities to which the protection offered by data protection legislation does not extend. It has to be determined, however, what such independent application of Article 8 looks like. In the previous chapter, the applicability of the Charter in general has been researched. In this Chapter, the applicability of Article 8 specifically and the consequences of application will be central. Can - or, where appropriate, should? - Article 8 be applied independently? If so, what should be its scope, and how should possible interferences with the right to data protection be assessed? That is to ask, what is the substantive content of this right and what is its substantive standard of assessment? These questions will be answered for the situations described in the previous Chapter, i.e. situations that fall outside of the scope of the secondary legislation.

§4.1 Article 8

“Article 8

Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.”

§4.1.1 A stand-alone right?

The first question that needs answering is whether data protection can and should be seen as an independent or autonomous right. This is due to the fact that data protection is a newly emerged fundamental right, and the interests it aims to protect were once protected through other means: the right to privacy in the first place, and secondary legislation in the second place.43 Historically, data protection has been closely tied to privacy, so close in fact, that even after the Charter (which includes data protection as a separate fundamental right) was adopted, the Court has not always honoured this distinction. On the contrary, the Court has delivered several judgments in which it views data protection explicitly through the lens of the right to privacy, and does not treat it as a stand-alone fundamental right. This is inter alia visible in the judgments of Österreichischer Rundfunk, Lindqvist, Schecke and ASNEF, in all of which the substantive standard of assessment employed by the Court was that of privacy, and not of data protection.44 Even though the Court’s judgments in Promusicae, Satamedia and Rijkeboer stand out in terms of language - the Court refers to a seperate data protection right -, substantively the Court’s assessment did not differ much from the data protection-

43 _{Though very interesting, it is beyond the scope of this thesis to examine in detail the relation between privacy}

and data protection. I refer to Tzanou 2016, p. 21 and beyond; Lynskey 2014.

44 _{Joined Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others [2003],}

ECLI:EU:C:2003:294; paras. 68-74; Case 101/01 Lindqvist [2003], ECLI:EU:C:2003:596, para. 86; Case C-92/09 Volker und Markus Schecke and Eifert [2010], ECLI:EU:C:2010:662, paras. 47-52; Joined cases C-468/10 and C-469/10 Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) (C-468/10) and

Federación de Comercio Electrónico y Marketing Directo (FECEMD) (C-469/10) v Administración del Estado

22

through-privacy test that was employed in the earlier judgments.45 Later judgments do adhere to the distinction, first still rather hesitantly, such as is clear in cases Scarlet Extended, Netlog and Deutsche Telekom, later more affirmatively, with the latest case law being clear.46 The Court now (finally) views data protection as a stand-alone right, to which it accords great importance. This is the approach taken in the seminal judgments Google Spain, Digital Rights

Ireland and Schrems, and if the separate inclusion in the Charter of data protection as a

fundamental right is to have any meaning, this is the approach that should be followed.47 Secondly, and for this thesis more interestingly, the autonomy of the right to data protection depends on its relationship to secondary legislation. As may be clear by now, data protection emerged not as a fundamental right, but as secondary law instruments. It is thus not surprising that the fundamental right, it being inspired by that secondary legislation, has a close relationship to that legislation in terms of scope and content. This will be elaborated on below.

§4.1.2 The scope of Article 8

Though a separation from privacy is important for data protection to be able to stand on its own as a bonafide fundamental right, it must not be entirely disconnected: there is still a great overlap between them, and privacy is a key interest that data protection aims to protect.48 Similarly, data protection must be separated from secondary legislation, but not entirely disconnected. Kranenborg, as does AG Cruz Villalón in his Opinion on Digital Rights

Ireland, when discussing the scope of application of Article 8, discusses the scope of the DPD

and related data protection instruments instead. Thereby they tie the scope of application of the fundamental right to the secondary legislation in a definitive manner, and do not leave room for independent analysis of the scope of application of Article 8.49 This is problematic, because it makes the applicability of a fundamental right, which we have observed to be both supreme and of horizontal application (i.e. on all policy areas without exclusion or exception), dependent on the scope of application of secondary legislation. Such an interpretation undermines these very elements that make a fundamental right fundamental, and thereby it makes the elevation to fundamental right status of data protection obsolete. After all, secondary legislation is subject to change not protected by constitutional safeguards, and restrictive definitions in secondary legislation can exclude entire policy areas, as we have seen. Measures taken pursuant to such policy areas have far-reaching consequences in terms of the impact they can have on individuals (which is e.g. true for the CFSP), and, if an interpretation were accepted that definitively links the scope of Article 8 to secondary legislation, they would be devoid of fundamental rights protection.

The scope of application of Article 8 must hence be assessed autonomously. This does not mean, however, that in such assessment, inspiration cannot be drawn from the definitions

45 _{Case C-275/06 Promusicae [2008], ECLI:EU:C:2008:54, para. 63; Case C-533/07 Rijkeboer, [2009],}

ECLI:EU:C:2009:293, paras. 49 and 64; Case C-73/07 Satakunnan Markkinapörssi and Satamedia [2008], ECLI:EU:C:2008:727, paras. 52-54; Tzanou 2016, p. 52-53. See also notes 51 and 57 above.

46 _{Case C-70/10 Scarlet Extended [2011], ECLI:EU:C:2011:771, paras. 50-53; Case C-360/10 Belgische} Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v Netlog NV [2012], ECLI:EU:C:2012:85,

para. 48; Case C-543/09 Deutsche Telekom [2011], ECLI:EU:C:2011:279, paras. 49-53, 66.

47 _{Case C-131/12 Google Spain and Google [2014], ECLI:EU:C:2014:317; Case C-293/12 Digital Rights} Ireland and Seitlinger and Others [2014], ECLI:EU:C:2014:238; Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015], ECLI:EU:C:2015:650; Tzanou 2016, p. 35-37, 58 and beyond.

48 _{Others interests arguably include transparency, accountability and due process, data security and data quality,}

non-discrimination and, au fond, human dignity.

49 _{Kranenborg 2014, p. 241-247; Case C-293/12 Digital Rights Ireland and Seitlinger and Others [2014],}