The Right to Data Protection

This chapter introduces the issue of data processing and the need for data protection. It lays down the foundational terminology that will be used throughout this book and provides an overview of the individual chapters. The chapters cover an introduction to and analysis of the primary EU law on data protection as well as the secondary EU data protection legislation. The book then considers the case law of the CJEU, before turning to the current approaches to data protection in the literature. In the final chapter, the dualistic approach to data protection is introduced and used to conceptualize the right to data protection as an independent fundamental right of EU law.

This chapter introduces the EU data protection legislation. EU law regulates data protection both on the level of the primary law in Articles 8 CFR and Article 16 TFEU, and on the level of the secondary law with the second generation of EU data protection legislation, i.e. the GDPR, DPR-EU, LED and ePD. The primary law has been reverse-engineered from the provisions of the first generation of secondary EU data protection legislation. The current secondary EU data protection legislation meanwhile is an evolution of the first generation. It introduces some new principles and instruments and further substantiates others that were previously established. This is particularly true for the principles of the EU data protection legislation, which form its basis. However, the principles expressly included in the relevant provisions are not representative of all of the general rules of the legislation and will therefore have to be enhanced, which will be achieved in Chap. 5.

This chapter considers the evolution of the case law of the CJEU with regard to the right to data protection. While the Court already realised the fundamental rights dimension of data protection in the Stauder case, it did not initially engage with the Charter or the relevant secondary EU legislation. The chapter traces how the Court, partly driven by the Opinions of its AGs, developed its own line of jurisprudence. However, while the Court has consistently strengthened the supervisory authorities and the rights of individuals with regard to complaints according to Article 8(1) and (3) CFR, it has not yet arrived at a coherent line of reasoning with regard to the right to data protection under Article 8(1) and (2) CFR.

This chapter considers the current doctrinal discourse on the right to data protection in the EU. I analyse seven distinct approaches considering data protection law from various different perspectives: The transparency-focused approach considers data protection as a means to protect privacy, but also highlights the procedural safeguards data protection provides. The narrow self-determination approach understands data protection as an intermediate value to further privacy, but provides an early analysis of the power structures entailed by data processing practices. In opposition to this approach, the commodification approach aims to enable data subjects to market and monetize their data subject rights, while failing to consider the very power structures at work. According to the privacy approach, the right to data protection can only be applied in individual cases in conjunction with the right to privacy and otherwise merely obliges the legislator to create some form of data protection provisions. The individualistic approach considers privacy as the core of the right to data protection and finds that the EU data protection legislation aims to guarantee data subjects’ control over their data, while the top-down approach argues for the separate interpretation of the EU data protection legislation on the level of the primary and secondary law and restricts the scope of the former by focusing exclusively on the verbatim of Article 8 CFR. Lastly, the checks and balances approach considers the structural implications of the data protection rules and places an emphasis on the technical and organisational measures.

This final chapter introduces the dualistic approach to data protection. The framework for this approach builds on a historic debate, which emancipated data protection from privacy and will be introduced in the first part of this chapter. The discourse at the time had already identified many of the issues of modern data processing and can be transferred to the provisions of EU data protection law, as will be achieved in the second part of the chapter. Firstly, the dualistic approach will be applied to the secondary EU data protection law by considering the dual rationale of data protection: addressing the risks to the rights of individuals as well as mitigating the power imbalance inherent in data processing. Secondly, by reference to this frame, the fundamental principles of EU data protection law will be derived, which reflect the entirety of the rules of the secondary EU data protection law. These fundamental principles are comprised of lawfulness, separation, integrity, availability, confidentiality, transparency and control. Particular regard will be paid to the structural dimension of data protection law, which extends beyond its individual dimension and considers the democratic society as a whole. Thirdly, the dualistic approach is applied to the primary EU data protection law in order to define the rationale and content of the right to data protection. This right of EU law also includes the structural dimension of data protection law and both dimensions as well as the fundamental principles of EU data protection law inform its interpretation. Lastly, this chapter considers how the right to privacy can be differentiated clearly from the right to data protection, with the distinct rationales, scopes and essences of these rights.