Over the past few years an overhaul of the European data protection edifice has been under way. Practically all basic data protection regulating documents in effect until today have either already been replaced or are in the process of being thoroughly amended. This is probably a development that was long overdue, given that all of them are several decades old while none of them was released with the internet taken into account. The OECD was the first international organisation to issue any data protection regulations at all: it did so in 1980,1 and its Guidelines remained unchanged until 2013, when their amendment process was completed.2 The Council of Europe released its own data protection regulations, formulated in Convention 108,3 only a few weeks after the OECD; they too remained in effect unchanged over the decades that passed, admittedly complemented by rich secondary legislation, and are now in the process of being amended.4 However, most of the data protection work undoubtedly takes place within the EU, which has chosen to dominate the international field ever since it became involved in it, through the EU Data Protection Directive in 1994.5 The Directive set the data protection standard for the EU and, through its “adequacy” criterion, internationally. However, it remained hopelessly outdated, because it was released before the advent of the Internet (although the Court of Justice through its recent Google Spain case6 showed that there is still some life left in it). The European Commission seized the opportunity presented by the Treaty of Lisbon, and its Article 16 TFEU, and took upon itself the herculean task of reconstructing the whole EU data protection edifice, both from an architectural and from a substantive law point of view.
While the outcome of the intensive law-making effort witnessed since 2012 is yet to be seen, a couple of observations are already possible. After all, one must not lose perspective and bury his or her head in trivial or less trivial details of the legislative arrangements that are currently being negotiated, but instead should pay attention to the greater picture. That picture unavoidably includes Article 16 TFEU and the draft EU General Data Protection Regulation7 that constituted the main legislative response to it. We recall the text of Article 16 TFEU:
- Everyone has the right to the protection of personal data concerning them.
- The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.
The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.
Entire books still need to be written about Article 16 TFEU, what it does for data protection and what it does not do for other fundamental rights recognized in the EU Charter of Fundamental Rights. It is a difficult provision, not only because of its unique standing in EU primary law, its rather vague wording and its limitations in other provisions and declarations.8 It seemingly suggests more freedom for the Union to pursue a full, or fuller, fundamental rights policy beyond the traditional limits of Union law and this for all data processing in public and private matters, including the area of security and law enforcement.
Article 16 TFEU also signalled the emancipation of the right to data protection from the right to privacy, a development in itself that was probably also long overdue, and included it independently in the fundamental EU human rights list. However, this is not the end of a process that began in some European countries some fifty years ago. Far from it; the individual right to data protection is not among those human rights that content themselves with a declaration in a human rights document. Instead, it is to be complemented by auxiliary legislation. This legislation will most likely be the EU General Data Protection Regulation – and also the Police and Criminal Justice Data Protection Directive9 for its own subject matter. Given the current wording of both these instruments, it is to be expected that this auxiliary legislation will be of a detailed, technical and thorough type. The choice of instruments, a Regulation replacing a Directive and a Directive replacing a Framework Decision, ought also not to be overlooked. These new legal instruments will replace their counterparts but they will also take advantage of some twenty years of very rich secondary legislation law-making, in practically all fields of human activity.10 All this accumulated know-how will most likely be codified under the new legal environment. What we are likely to end up with is a data protection code with detailed provisions; EU data protection is in effect becoming a locus of regulation of very concrete things rather than a principle-driven human rights system.
Is the right to data protection to be perceived as a “technical” right, in need of “technical” executing provisions? Incapable of standing by itself, as a simple and straightforward declaration in the basic EU constituting documents? Perhaps this is unavoidable, given the “long arm” of data protection: after all, some type of personal data processing takes place in all human activities. This leads to sector-specific regulations that complement general legislation that implements Article 16 TFEU. However, if this is the case, is that a success or a failure from a human rights point of view?
The articles that follow highlight the multitude of sectors in need of, or in trouble with, data protection regulation – the effect of this comprehensive and detailed legal intervention upon the individual level of data protection remains to be assessed. Of course, one journal issue cannot cover all possible or pending data protection issues,11 but looking at what has been included, issues such as the perceived tensions between the EU and U.S. privacy law systems, government surveillance and big data are perfectly addressed.
The latter promises important societal benefits, but triggers concerns about data protection, privacy and discriminatory impacts. Rhoen in his contribution (‘Big Data and consumer contracts: Deciding who decides on privacy’) sees no real solutions in existing and upcoming data protection law. Too much is given away by consumers with or without their consent. The way forward, Rhoen suggests, is to enhance consumer participation and lower obstacles to access to justice. More collective approaches to protect individual rights are also central in Van der Sloot’s contribution (‘Privacy as Personality Right: Why the ECtHR’s Focus on Ulterior Interests Might Prove Indispensable in the Age of “Big Data”’). This author’s reading of the privacy case law produced by the European Court of Human Rights contains daring new interpretations and understandings of that case law. A challenge to all those that are studying Strasbourg.
The other European Court, the Court of Justice of the European Union, is central in Spahiu’s contribution (‘Courts: An Effective Venue to Promote Government Transparency? The Case Of The Court of Justice of the European Union’). The contribution is interesting in the light of what has been said above about data protection as a fundamental right and data protection as a regulatory set of technical legal rules. In EU law access to justice has been organized and built up accordingly with, as Spahiu shows, the Court of Justice as a driver of the development towards the recognition of access to justice as a fundamental right and as a driver of expanding and defining the secondary law. Spahiu borrows the notion of eurolegalism from Kelemen.12 It denotes a process of judicialization: a regulatory policy where power and work are shifted from the officials to judges. If one wants to have a flavour of what the future could bring for case law from Luxembourg on data protection, this contribution could be an eye-opener.
More on the work of the two European courts regarding data protection is to be found in the Conference Report produced by Mistale Taylor (‘Safeguarding the Right to Data Protection in the EU’).
Other contributions touch on issues such as security, law enforcement and surveillance. Yael Ronen (‘Big Brother’s Little Helpers: The Right to Privacy and the Responsibility of Internet Service Providers’) looks at the responsibility of internet service providers (ISPs) forced to cooperate with government authorities and to disclose personal data. The author looks at this growing practice by reference to the developing, non-binding standards applied to businesses under the Protect, Respect and Remedy Framework. The article examines the manner in which the Framework applies to ISPs and looks at measures that ISPs can take to fulfil their responsibility to respect the right to privacy. It is high time to take these studies seriously and apply the ‘soft law’ UN framework on business and human rights to new situations of human rights violations.
A reading of international hard law is given by Ilina Georgieva (‘The Right to Privacy under Fire – Foreign Surveillance under the NSA and the GCHQ and its Compatibility with Art. 17 ICCPR and Art. 8 ECHR’). This author leaves no doubt about the applicability of the ICCPR human rights obligations to NSA activities and calls for re-shaping recently established surveillance programs guided by the norms developed under the International Covenant on Civil and Political Rights and the European Convention on Human Rights. The contribution is a good in-your-face demonstration of norms that decent societies cannot pretend to ignore.
Maria Tzanou (‘The War Against Terror and Transatlantic Information Sharing: Spillovers of Privacy or Spillovers of Security?’) looks at the EU-US Passenger Name Record (PNR) agreement and at plans in the EU to realize similar surveillance schemes for internal EU purposes. This rather difficult study contains a brilliant message: the EU’s claim of being a moral leader in respecting human rights does not always show. In the case at hand, there is no added value in the EU proposals; on the contrary. Why are we trying to teach lessons to the Americans if we do not show that we do better?
Shane Darcy (‘Battling for the Right to Privacy and Data Protection in the Irish Courts’) does more than give us a country report. Ireland is positioning itself as the technology hub in Europe for US ICT firms and some of the more interesting case law has been coming out of the Irish courts. One of the cases discussed is that of the Austrian student Max Schrems, which is supposed to be followed by a judgment of the Court of Justice of the European Union soon. Fun!
This special issue, finally, also contains a book review by Aernout Nieuwenhuis (‘S. Stalla-Bourdillon, J. Philips and Mark D. Ryan, Privacy vs. Security, Springer Briefs in Cybersecurity 2014’) and an interview with MEP Sophie In ‘t Veld, one of our most outspoken political voices on privacy. In the interview In ‘t Veld elaborates on how the EU protects its citizens’ rights to privacy and data protection. With these visionary political leaders, with this Court of Justice, one cannot but give way to feelings of hope and optimism. The right to protection of personal data has rightly made it into primary EU law, and is safeguarded by people and professionals who care. Let us await more results.