#5282 - Data Protection - EU Integration Law

EU Data Protection

LLM EU Integration Notes

Notes

Introduction 3

Preliminary Considerations 3

Conceptual Issues 3

Warren and Brandeis 3

European Conception 3

Simitis 4

Overview of Data Protection Law 4

Introduction to The Directive 4

Directive 95/46 5

Privacy and Data Protection 5

Data Protection in EU Law 6

Introduction 6

EU Law Issues 6

Article 95 and the Treaty of Amsterdam 6

Direct Effect 6

The Lisbon Treaty 6

Case Law 7

Fundamental Rights and Data Protection 8

European Convention on Human Rights 8

CFR 8

The Revision of the EU Legal Framework 9

The Data Protection Regulation 9

Consent 9

Right to be Forgotten 9

Data Portability and Access 9

Introduction

The protection will resist civil law import into the UK, though protection of privacy has a long history. As a result, it’s a bit of a transplant, which can cause problems when attempting to apply the law to novel situations. In the UK, we have a 1998 act implementing directive 95/46, but we will focus on EU law with only a small comparative perspective. However it is important to note that this is a directive, and therefore will be implemented slightly differently in each member state.

Warren and Brandeis’s article on the protection of privacy is very well known, important, foundational, and influential. Some argue it might be the most influential legal article ever written. It is important with respect to the distinction between privacy and data protection. Data protection in the UK is somewhat of a misnomer, and it’s in fact about protecting individuals and their interests, not the data itself. Privacy has got mixed up in this. While there is overlap, and they may be the same in some areas, they are very different in others, and it’s important not to use these terms too loosely and interchangeably.

The article shows of the technological dependence of this area of the la. Six years before the article, instant photography was invented. For the first time, you could take a photo of someone, or something, without anyone noticing or knowing. This could be compared to the minutes of posing required up to this point. Also, this was written in the era when yellow journalism was first coming to the fore. Tabloids were springing up, so this issue was very current. There was no right to privacy in the US Constitution, which we can contrast with the EU, but the courts, through the common law, had used some provisions to create these rights. The regime covers everyone, but the American provisions are not as broad, and focus mainly on the public sphere. There is no constitutional basis to bring an action against a private actor.

Warren and Brandeis show how an interpretation of the law does lead to a right to privacy. They draw on French and British cases to support these principles. The role is not about property, they argue, as such, more of a subset, rather, which is about “personality" (though not in the Continental sense). The reason for this has many routes: the Freedom of Speech is a very high (close to absolute) value in the USA, and the Supreme Court has found in favour of Freedom of Speech in many privacy cases. There is no constitutional duty on the state to protect any private parties, moreover, so this makes privacy harder to enforce.

There is a very famous case in US law concerning whether phone tapping is covered by the fourth Amendment. Brandeis said of course it did. This was a dissenting opinion at the time, but was later adopted, and has been used as the basis for a judgement.

The background of the directive in order to better understand it. The ridges in a German case on privacy, which is documented in Hornung and Schnabel. The important thing to remember is that the EU and the USA have totally different starting points; they are quite incommensurable. While the EU starts from the starting point of privacy, the United States starts with a presumption in favour of freedom of speech.

A population centres in Germany was implicated in a battle to privacy. The German Constitutional Court held that because the data was to be used to correct registers from and could be used to create an atmosphere of surveillance (note that this is in the aftermath of the Nazi and Stasi regime), this is unacceptable. Informational self-determination is different to the right to be left alone, and it's important for people to be allowed to engage meaningfully in society. If people are worried about being watched or being put under surveillance, they will be unable to act meaningfully in discourse, and prevented from becoming a member of the polity.

Importantly, data protection is a relative right. Often it needs to be balanced against other rights, such as freedom of speech, or protection of society. However discretion is unacceptable; there needs to be a legislative basis to each of these rights, and in the way that they are balanced. Profiling especially is very restricted, but this is economic lucrative, and very useful. In this situation, the economic and legal imperatives are at odds with each other. There is a Kantian approach to the court's thinking. This is very continental, and rarely seen in common law.

There are also barriers to data sharing between government agencies. Post 9/11, it was discovered that some people had slipped through the net because of these barriers. While we obviously don't want this to happen, there is clearly a tension with data protection law, and it is up to the courts to resolve this tension.

Intel

There are serial numbers on many computer chips, though these could not be used in surveillance under the status quo.

Because there was a risk that these could be used in the future, it was important that they complied with data protection regulations.

The Whitman article is now classic, entertaining but controversial. It is a good piece of comparative scholarship it argues that the common law is about liberty but the Continental law is about human dignity, but maybe it goes too far in tying it to the Civil law protection of honour. Human dignity is a fundamental rights concept is not the same as honour as a social construct.

What is “private" is very much a cultural, and even a regional phenomenon. Privacy is a universal right, but its perception differs between cultures. China, for example, regards privacy with suspicion, especially in rural areas, but people are still bothered by constant phone calls, or targeted advertising.

It may be best to think of the right as a negative one. Thus, it provides a barrier to others infringing on your right. However, the counterargument runs the data protection is now becoming more proactive, and needs involvement at the design stage of policies and products. There is no magic definition of data protection, nor a magic distinction between data protection and privacy, and it's hard to define and so limit, and uphold, it.

The first legislation on this production came about in 1970s, which is crucially before the Internet. However, the Internet has magnified its production issues, which makes them more important and recognised around the world, and particularly in Europe. The Council of Europe Convention on data protection was legally binding, much like a directive. However it was very general, and was no way for people to derive rights from the convention.

In the case of Fiat, it was found that the difference between French and Italian data protection laws would harm the single market and, and so the Commission probe the directive into effect. It is now part of the Communis Acquis, and the regime has been exported overseas.

The margin of implementation has led to diversions between member states, and there has been a clamour for wholesale reform. For example, Dutch implementation of the law is substantially different from that in the rest of Europe, which leads to problems with Europe wide businesses.

Article 1 of the directive gives justification is the data protection law, and paragraph 2 remove the barriers as long as both member states have data protection law. However, in cases like employment law, there may still be restrictions on employment law bases, but this is not harmonised, and not as a result of data protection law.

Article 2 is definitions. Article 3 shows the large lacuna in the directive. One of the reasons why data protection law arose in the first place was because of concerns about government, but is largely excluded. This is clearly problematic, and is one of the reasons behind the calls for regulatory reform. The Lisbon Treaty did close this gap somewhat, by introducing a horizontal right, and the right is strengthened, but there are still ambiguity over how effective this will be. Article 3(2) provide a restriction on personal data. This was originally about diaries or address books, which would invade your personal space, has taken on a new meaning in the light of social networking websites like Facebook. Sweden wants a broad exemption for this type of data, but Portugal doesn't like freedom of expression as much, because it makes Facebook too exempt. The regulation talks about gainful user activity, which is clearly all about the economic motive for the use of the data, but it's hard to get a good solution.

Article 4 is about national law. The law controlling the data is the law in the state of the establishment of the data controller, of whom the data processor is an agent. This is one of the areas...