nach oben

Erschienen in:

2018 | OriginalPaper | Buchkapitel

5. Privacy and Data Protection Regulation in Europe

verfasst von : Aurelia Tamò-Larrieux

Erschienen in: Designing for Privacy and its Legal Framework

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In Europe, everyone has a right to privacy and data protection. These rights are based on the rationales for informational privacy protection described in Chap. 3. Privacy and data protection legislation put why we protect privacy into concrete principles, which then become how we protect privacy. In the context of information, in particular, data protection legislation generates an enforceable framework for guarding against informational privacy harms. Therefore, the focus of this chapter will focus on data protection legislation. First we introduce both legal concepts and describe the evolution of data protection legislation in Europe. We then develop a taxonomy of the legal principles for privacy and data protection.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Privacy Protection in an Internet of Things Environment

Nächstes Kapitel Technical Tools and Designs for Data Protection

Gellert/Gutwirth, p. 522.

As also reflected in Art. 1(1) Directive 95/46/EC.

Cf. Art. 51 EUCFR; The EUCFR, proclaimed in 2000, has become legally binding to all EU member states with the entry into force of the Lisbon Treaty in 2009. Cf. also Art. 16 of the TFEU which incorporates the protection of personal data, and Art. 39 TEU.

Unlike the ECHR (inspired by the UNHR) which in Art. 8 only addresses the right to privacy.

Bygrave, p. 162; Gutwirth/De Hert, p. 279; cf. also Handbook on EU data protection law, pp. 21 et seqq.

Burkert, Changing Patterns, p. 4.

Cf. Bygrave, Data Privacy, pp. 84-85.

Cf. for the status of ratification the UN Treaties Collection website <http://indicators.ohchr.org/> (last visited April 2018).

Cf. Art. 8(2) ECHR; cf. Bygrave, Data Privacy, p. 86 stating that while “ICCPR Article 17 is framed essentially in terms of a prohibition on ‘interference with privacy’, ECHR Article 8 is framed in terms of a right to, inter alia, ‘respect for private life’ flowed by an enumartion of criteria permitting interference with that right.”

Bygrave, Data Privacy, pp. 82-83.

The meaning of privacy also draws upon the jurisprudence developed in other related domains such as the legal protection of personality. The rights associated to an individual’s personality (known as “Persönlichkeitsrecht” and “Persönlichkeitsschutz” in the German and Swiss jurisprudence) fundamentally influence the interpretation privacy and data protection rights. Cf. Bygrave, Data Privacy, p. 26; Tamò/George, pp. 72 et seqq.

Cf. e.g., Tamò/George, pp. 72 et seqq. elaborating on such case law with focus on erasure and rectification demands.

Gutwirth/De Hert, pp. 279-281.

Cf. here in particular case law of the ECtHR in this respect, e.g., on government interception of correspondence in ECtHR, Amann v. Switzerland or ECtHR, Liberty and Others v. the United Kingdom; or on government surveillance in ECtHR, Uzun v. Germany, or ECtHR, Vetter v. France; cf. also Gutwirth/De Hert, pp. 279 et seqq.

Gutwirth/De Hert, pp. 279-281.

Benn, pp. 223 et seqq.; cf. also Whitman, pp. 1161 et seqq.

Whitman, p. 1161.

Cf. Bygrave, Data Privacy, pp. 11-15 elaborating on how prior laws shaped data privacy laws. Cf. also Tamò/George, pp. 74 et seqq. on how still in recent case law such norms outside data protection law remain a dominant foundation for data protection and privacy claims.

Burkert, Privacy, p. 46; Bygrave, Data Privacy, p. 28; Mayer-Schönberger, p. 219; Simitis/Simitis, Introduction, marginal No. 2; Weniger, p. 175.

Bennett/Raab, p. 11; Burkert, Privacy, p. 46; Bygrave, Data Privacy, p. 28; Mayer-Schönberger, p. 219.

Bygrave, Data Privacy, p. 31; cf. also Greenleaf, pp. 233-235; Savin, p. 195.

Cf. CoE, Resolution 73; cf. also CoE, Resolution 74; Kosta, pp. 24 et seqq. Note that in 1933 the Fair Information Practices (FIPs) were also enacted by the US Department of Health, Education and Welfare (DHEW), which have influenced the objectives of data protection laws and international agreements. Cf. Bygrave, Data Privacy, p. 13; cf. also Iachello/Hong, p. 11 stating that Westin’s work (see Chap. 3) influenced the creation of FIPs.

Cf. Para. 38 of the Convention 108 Explanatory Report; cf. also Art. 4(1) of the Convention 108 which merely obliges the contracting states to incorporate the principles laid out into national law. Note that not all the EU member states did ratify the Convention 108, cf. Savin, p. 195; cf. also Bygrave, pp. 33-34.

Kosta, p. 24 with reference to Hondius, pp. 63 et seqq.; cf. also González Fuster, pp. 92 et seqq.; Weniger, pp. 352 et seqq.

WP 29 and WPPJ, Future of Privacy, 2009; cf. also González Fuster, pp. 147 et seqq.; Greenleaf, pp. 233-235; Gutwirth/De Hert, pp. 281-284.

Bygrave, pp. 31-33; Bygrave, Data Privacy, pp. 50-51.

Bygrave, Data Privacy, p. 44; Kuner, pp. 35-36; Weniger, p. 351.

Savin, pp. 195-196. Cf. below Sect. 5.2.

Cf. Art. 1 Directive 2009/13/EC.

Cf. Art. 1 on the subject matter and scope, Art. 5 on the categories of data retained, and Art. 6 on the retention period Data Retention Directive 2006/24/EC.

CJEU, C-293/12 and C-594/12.

Cf. Bygrave, p. 2; González Fuster, pp. 136-139; Gutwirth/De Hert, pp. 281-284; Gellert/Gutwirth, p. 525; cf. also Art. 2 and Art. 4(2) GDPR; Art. 2(b) and Art. 3 Directive 95/46/EC.

The Convention 108, the Directive 95/46/EC and GDPR refer in various articles and recitals to fundamental rights and freedoms and link thereby data protection to human rights law. Cf. Bygrave, p. 38.

Data is either personal data or not; therefore, either the law applies or not. Cf. Spindler/Schmechel, p. 165.

Cf. Art. 4(1) GDPR; Art. 2(a) Directive 95/46/EC; CJEU dwells upon the term “personal data” in numerous instances such as C-582/14 (dynamic IP addresses combined with other data stored by ISPs), C-101/01 (name and telephone number), C-70/10 (IP address), C-291/12 (fingerprints), C-342-12 (working time of every worker) and the term “processing” in C-101/10 (uploading on a website), C-28/08 (access to documents), C-131/12 (loading personal data on a website), or C-291/12 (taking and storing fingerprints); cf. also Bygrave, p. 2, pp. 41-50 on the relevant factors for determining “personal information”; Spindler/Schmechel, pp. 165-166 on the absolute and relative approaches to establishing a link between a natural person and the data (answering the question of “what effort are required to identify a person” (p. 165)); WP 29, Opinion on personal data, 2007, p. 15 stating that a mere “hypothetical possibility to single out the individual is not enough to consider the person identifiable.”

Spindler/Schmechel, p. 169.

Cf. Art 4(1)(a) Directive 95/46/EC as well as case law, e.g., CJEU, C-131/12; Art. 3(1) GDPR stating that it “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

CJEU, C-543/09, recital 51 with reference to CJEU, C-92/09 and C-93/09.

Brown/Marsden, p. 48; Burkert, Privacy, pp. 44-52; Bygrave, p. 30; González Fuster, p. 55; Kuner, pp. 26-27; Kosta et al., p. 75; Mayer-Schönberger, p. 219 et seqq.

Cf. Mayer-Schönberger, pp. 219-236 and Mayer-Schönberger, Information, pp. 113-129 describing the evolution of data protection until 2000. Mayer-Schönberger specifies that the classification in generations is not perfect and that the boundaries between the generations are floating (cf. Mayer-Schönberger, Information, p. 128). Nevertheless, the depiction of the evolution of data protection is helpful to understand the rationales and concepts behind data protection law. Other attempts to classify the evolution are found i.a. in Bygrave, pp. 93 et seqq. (who categorizes the catalysts for the emergence of data protection laws and groups them into three main categories: (1) the technological developments, (2) the public fears towards those developments, and (3) legal factors) or Bennett, pp. 56 et seqq. (defining the evolution stages by the problems defined and solutions legislator came up with to confront those issues).

Cf. Hesse Data Protection Act; Sweden enacted their national Data Protection Act (1973) and discussions over the proposals for the Austrian Data Protection Act (1974) as well as proposals for the German Federal Data Protection Act (1977) emerged. Burkert, Privacy, p. 44; González Fuster, p. 56; Hondius, pp. 17 et seqq.; Kosta, p. 35; Mayer-Schönberger, p. 221; Mayer-Schönberger, Information, p. 113; Simitis/Simitis, Introduction, marginal No. 1 et seqq.; Weniger, p. 163; cf. for an in-depth discussion of Hesse’s and Sweden’s first data protection acts Kosta, pp. 34-54.

Bygrave, pp. 93-95; Bygrave, Data Privacy, pp. 10-11; Kosta, pp. 36-39; Mayer-Schönberger, p. 221.

Burkert, Privacy, p. 45; cf. also Burkert, Changing Patterns, pp. 5-8; Simitis/Simitis, Introduction, marginal No. 5 et seqq.

Bygrave, pp. 95-96; Bygrave, Data Privacy, pp. 10-11; Mayer-Schönberger, p. 222; cf. also Mayer-Schönberger, Information, pp. 113-119; Simitis/Simitis, Introduction, marginal No. 5 et seqq.; Weniger, pp. 171 et seqq.

Bygrave, pp. 95-97; cf. also Kosta, pp. 38-39.

Bennett, pp. 55-57 calling it the “Technology Control Approach.”

Mayer-Schönberger, p. 224; Mayer-Schönberger, Information, p. 118.

The resistance against the data processing and linking of data was predominately directed towards the government as well as large corporations. The increasing involvement of the private sector in the digital processing of data and growing surveillance capabilities explain why data protection laws regulate both the public and private sector. At the time a more or less defined and manageable number of data processors existed. The established enforcement mechanisms, namely the creation of a separate institution that supervised data processing, seemed sufficient to ensure compliance with data protection law. Cf. the Hesse Data Protection Act who also laid the ground for the establishment of a data protection authority and commissioner; Burkert, Privacy, pp. 42-47; cf. also Simitis/Simitis, Introduction, marginal No. 18 et seqq.

Mayer-Schönberger, p. 224; Mayer-Schönberger, Information, pp. 117-119.

Mayer-Schönberger, p. 223; cf. also Burkert, Privacy, p. 45; Hondius, pp. 182 et seqq., 199 et seqq.

In particular the French, Austrian, and to some extent Danish and Norwegian data protection laws laid the ground for stronger protection individual rights. Cf. Mayer-Schönberger, pp. 226-229; Mayer-Schönberger, Information, pp. 121-122.

Mayer-Schönberger, p. 226 et seq.

Bygrave, pp. 111-112; Mayer-Schönberger, p. 227 stating that in Norway, for instance, individuals were granted the right to refuse the processing of personal data for direct marketing purposes.

I.e., as rights that were merely supporting the guarantee of the accuracy of the processed data and providing data subjects with an option to rectify inaccurate or misleading personal data.

Cf. González Fuster, pp. 66-70; Mayer-Schönberger, pp. 226-229; Mayer-Schönberger, Information, pp. 121-122.

The constitutions of Portugal in 1976 and Austria and Spain in 1978 introduced a right of informational privacy. Cf. Art. 35 of the Portuguese Constitution of 1976, 1^st Constitutional Provision of the Austrian Data Protection Act of 1978, Art. 18 of the Spanish Constitution of 1978, González Fuster, pp. 66-70; Mayer-Schönberger, pp. 226-229; Mayer-Schönberger, Information, pp. 121-122.

Mayer-Schönberger, p. 228.

Mayer-Schönberger, p. 288.

BVerfGE 65,1, 1983; Simitis/Simitis, Introduction, marginal No. 27 et seqq.

BVerfGE 65,1, 1983, C, II, pp. 45 et seqq.; cf. also Rouvroy/Poullet, 2009, pp. 45 et seqq.

Mayer-Schönberger, pp. 229-230.

Mayer-Schönberger, pp. 229-232; Mayer-Schönberger, Information, pp. 122-125.

Mayer-Schönberger, pp. 232-235; Mayer-Schönberger, Information, pp. 125-129.

For instance, data protection acts of Norway, Finland, Denmark, Belgium, France, and the UK prohibited the processing of sensitive information, while Switzerland and Germany restricted the possibility to contractually restrict individual’s rights. Cf. Mayer-Schönberger, p. 233.

Cf. Art. 8 Directive 95/46/EC banning the processing of sensitive data except in few enumerated scenarios; cf. Ehmann/Helfrich, Art. 8, marginal No. 5 et seqq.

Bygrave, pp. 30-31 stating that the Directive 95/46/EC has influenced—on a political and legal level—the data protection regimes both inside and outside the EU; cf. also CJEU C-465/00, C-138/01, and C-139/01 that strengthens harmonization efforts; CJEU, C-101/01 in particular recital 95 et seqq.; Ehmann/Helfrich, Introduction, marginal No. 1 et seqq.; González Fuster, p. 125; Kosta et al., p. 76; Savin, p. 196; Simitis/Simitis, Introduction, marginal No. 203 et seqq.; Weniger, pp. 361 et seqq.; Handbook on EU data protection law, p. 18.

Ehmann/Helfrich, Introduction, marginal No. 4; González Fuster, pp. 125-130; Kosta et al., p. 76; Savin, pp. 196 et seqq.; EC, Proposal for Directive, 1990.

Cf. Recital 10 and 11 Directive 95/46/EC; cf. also González Fuster, p. 125; Savin, p. 196; cf. also CJEU C-465/00, CJEU C-138/01, and CJEU C-139/01; CJEU, C-101/01; CJEU, C-524/06 recital 50 in particular.

Bygrave, Data Privacy, pp. 59-60 states as an example the introduction of DPAs in Art. 28 Directive 95/46/EC (elaborating also on the attributes of DPAs which must be observed under EU law); cf. also CJEU C-465/00, C-138/01, and C-139/01; CJEU, C-101/01; CJEU, C-524/06 recital 50 in particular; cf. also Savin, pp. 195-196.

Mayer-Schönberger, p. 233.

Art. 27(1) and Recital 22 and 23 Directive 95/46/EC.

Mayer-Schönberger, p. 233 et seq.

Mayer-Schönberger, pp. 232-235; Mayer-Schönberger, Information, pp. 125-129; Weniger, pp. 388-389.

Mayer-Schönberger, p. 234.

Cf. speech of former Vice-President of the EC Viviane Reding entitled “Towards a true Single Market of Data Protection,” Brussels, 14 July 2010 (SPEECH/10/386, 14/07/2010); cf. also Albrecht/Jotzo, p. 38; Communication on Personal Data Protection, 2010; WP 29 and WPPJ, Future of Privacy, 2009; EC, Impact Assessment, 2012.

Cf. Art. 288 TFEU stating that a regulation “shall have general application. It shall be binding in its entirety and directly applicable in all Member States.”; cf. also Albrecht/Jotzo, p. 38; Burri/Schär, p. 12; Savin, p. 206.

According to the Communication on Safeguarding Privacy, 2012, p. 8 it was estimated that the GDPR could save companies about 2.3 billion Euros a year by reducing the administrative burden of complying with different national data protection acts. Cf. also EC, Impact Assessment, 2012.

Cf. speech of former Vice-President of the EC Viviane Reding entitled “Towards a true Single Market of Data Protection,” Brussels, 14 July 2010 (SPEECH/10/386, 14/07/2010); Communication on Personal Data Protection, 2010; EC, Impact Assessment, 2012; cf. also Burri/Schär, pp. 2 et seqq.

The right to withdraw consent at any time and demand the erasure of personal data already processed—also referred to as the right to be forgotten—especially led to heated discussions among politicians and (tech) industry leaders. Cf. i.a. Ambrose/Ausloos, pp. 1 et seqq.; Tamò/George, pp. 72 et seqq.

Cf. below Sect. 5.3 and Chap. 8.

WP 29 and WPPJ, Future of Privacy, 2009, p. 12 et seqq.; cf. also Communication on Personal Data Protection, 2010; Communication on Digital Agenda, 2010; WP 29, Opinion on reform proposals, 2012, p. 11; Opinion EDPS, 2010; ENISA Report, 2014, pp. in particular 50-52.

Cf. already Burkert, Changing Patterns, pp. 3-4 subsuming this approach under the “engineer approach” (as referred to in Chap. 1); Bygrave, Data Protection by Design, pp. 108-109. Note that privacy by design has been acknowledged on an international level as well, cf. e.g., Jerusalem Resolution, 2010.

Cf. Brinhack/Toch/Hadar, pp. 55 et seqq.; Ehmann/Helfrich, Art. 17, marginal No. 1 et seqq.

WP 29 and WPPJ, Future of Privacy, 2009, pp. 12 et seq.

WP 29 and WPPJ, Future of Privacy, 2009, p. 13. This strive is in line with earlier attempts by the EC to promote the use of PETs yet goes beyond the mere implementation of PETs. Cf. EC, Communication on PETs, 2007; Hötzendorfer, pp. 139-142; Niemann/Scholz, pp. 109-112.

WP 29 and WPPJ, Future of Privacy, 2009, pp. 14-15.

Hildebrandt/Tielemans, p. 517; cf. also Bygrave, Data Protection by Design, p. 114; Niemann/Scholz, pp. 109-112; Paal/Pauly/Martini, Art. 25, marginal No. 25.

Hildebrandt/Tielemans, p. 517; Burri/Schär, p. 18; cf. also Chap. 8.

Brinhack/Toch/Hadar, pp. 55 et seqq.; time component found in “at the time of determination (….) and at the time of processing,” scope component found in “in order to meet the requirements of this Regulation,” and the subject matter found in “by default.” Cf. also Bygrave, Data Protection by Design, pp. 114-115 who elaborates on the changes in wording among the previous drafts of Art. 25 (originally Art. 23) GDPR.

Early versions of the GDPR included the term life cycle in various recitals and articles, cf. European Parliament, Position on GDPR 2014; Hötzendorfer, pp. 139-140; Paal/Pauly/Martini, Art. 25, marginal No. 16 et seqq.

Cf. below Sect. 5.3; cf. also Hötzendorfer, pp. 145-146; Paal/Pauly/Martini, Art. 25, marginal No. 16 et seqq.

Brinhack/Toch/Hadar, pp. 55 et seqq.; Hötzendorfer, pp. 142-143, pp. 146-147.

Tall, pp. 40-41.

Since many principles from the Directive 95/46/EC have not been fundamentally altered within the GDPR the literature and commentaries on the Directive 95/46/EC elaborating on specific aspects of these principles are still applicable.

Cf. Art. 5(1)(a) GDPR; Art. 6(1)(a) Directive 95/46/EC; Art. 5(a) Convention. In the OECD Guidelines the principle of fair and lawful processing is linked to the means for collection and the collection limitation principle, cf. Para. 7 OECD Guidelines.

Bygrave, p. 58; Bygrave, Data Privacy, pp. 146-147; cf. also Kosta et al., p. 80.

100

Bygrave, p. 58, cf. also Bygrave, Data Privacy, pp. 146-147; cf. below sub-section on the purpose limitation principle.

101

Bygrave, pp. 58-59 stating that few data protection instruments are dedicated to this issue, such as the German Teleservices Data Protection Act of 1997; cf. also Bygrave, Data Privacy, pp. 146-147.

102

Cf. Art. 4(11) GDPR; Art. 2(h) Directive 95/46/EC.

103

Recital 38 Directive 95/46/EC; cf. also Recital 39 GDPR stating that: “It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed.”; Bygrave, Data Privacy, p. 147.

104

OECD Privacy 1980 and 2013 Guidelines para. 12.

105

Note that the Convention 108 does not mention a consent requirement as a basic principle for data protection. The OECD 1980 and 2013 Guidelines require consent when data is disclosed for other purposes than originally specified (Para. 10). The Directive 95/46/EC stipulates in Recital 30 that in order to be lawful, the data processing must be carried out with the consent of the data subject, cf. also Art. 7, 8 and 2 Directive 95/46/EC and Art. 6 GDPR.

106

Art. 4(11) GDPR; Art. 7(a) Directive 95/46/EC; Bygrave, Data Privacy, p. 160; Ehmann/Helfrich, Art. 7, marginal No. 7; Paal/Pauly/Ernst, Art. 4, marginal No. 61 et seqq.; Plath/Schreiber, Art. 4, marginal No. 35 et seqq.; cf. also Kosta for the legislative history on consent, in particular pp. 88-98; WP 29, Opinion on consent, 2011 urging regulators to clarify the meaning of “unambiguous consent” but the term remains undefined in Art. 4(11) or Recital 32 of the GDPR.

107

Cf. also Recital 30 Directive 95/46/EC; note that the concept of consent has been implemented in different ways by the EU member states, cf. Kosta, pp. 147-148; cf. also the WP 29, Opinion on Consent, 2011, pp. 12 et seqq.

108

Cf. in particular Recital 32, 42, and 43 GDPR.

109

Kosta, pp. 169-171 stating that the German wording of the Directive uses the term “ohne Zwang” literally meaning “without force.” Thus the German text refers to a negative requirement, while the English terminology “freely given” expresses a positive requirement.

110

WP 29, Future of Privacy, 2009. The ability to consent freely to certain data processing would be impaired if the data subject is confronted to strong external forces (positive such as inducement) or negative forces (such as a threat). Cf. Kosta, pp. 172-175; Hanbook on EU data protection law, pp. 57-58.

111

WP 29, Opinion on Harmonised Information Provisions, 2004, pp. 6 et seqq.

112

Art. 7(1) GDPR; cf. also Cuijpers/Purtova/Kosta, p. 549.

113

Cuijpers/Purtova/Kosta, p. 549; cf. also Paal/Pauly/Ernst, Art. 4, marginal No. 76.

114

Cf. Art. 7(2) and 7(3) GDPR in particular.

115

Listed in Art. 6(b)-(f) GDPR and Art. 7(b)-(f) Directive 95/46/EC; cf. Bygrave, p. 66; cf. also Bygrave, Data Privacy, pp. 160-161.

116

Art. 6(b) and (c) GDPR; Art. 7(b) and (c) Directive 95/46/EC.

117

Art. 6(d) and (e) GDPR; Art. 7(d) and (e) Directive 95/46/EC.

118

Cf. Art. 5(b) Convention 108; Art. 6 (1)(b) Directive 95/46/EC; Art. 5(1)(b) GDPR; Principle 3 UN Guidelines; Para. 9 OECD Guidelines; cf. also WP 29, Opinion on purpose limitation, 2013, pp. 4 et seqq. The principle of purpose limitation is sometimes referred to as the principle of finality or purpose specification, cf. i.a. Kosta et al., p. 80.

119

Purtova/Kosta/Koops, p. 54.

120

Bygrave, p. 61; Bygrave, Data Privacy, p. 155; Cuijpers/Purtova/Kosta, pp. 552-553; Ehmann/Helfrich, Art. 6, marginal No. 13; Häusermann, pp. 126-128; Kosta et al., p. 80; WP 29, Opinion on purpose limitation, 2013, pp. 11 et seqq.

121

Bygrave, Data Privacy, p. 155; cf. also Kosta et al., p. 80; WP 29, Opinion on purpose limitation, 2013, pp. 11 et seqq.

122

Cf. Bygrave, Data Privacy, pp. 155-156; Tamò/George, p. 83. Nevertheless, DPAs have the power to “apply a relatively wide-ranging test of social justification, particularly in connection with the licensing of certain data-processing operations” states Bygrave, Data Privacy, pp. 155-156.

123

The double negative (“not (..) incompatible”) is argued to denote a less severe standard than would the wording “must be compatible.” Cf. Art. 6 (1)(b) Directive 95/46/EC and Art. 5 (1)(b) GDPR. The secondary purposes must be objectively similar to the primary ones. In other words, the data subject can reasonably expect that the primary purposes (naturally) entail the secondary ones. Cf. Bygrave, Data Privacy, p. 156; WP 29, Opinion on purpose limitation, 2013, pp. 21 et seqq.; cf. also Paal/Pauly/Frenzel, Art. 5, marginal No. 23 et seqq.; Plath/Plath, Art. 5, marginal No. 6 et seqq.

124

Cf. Art. 5(1)(c) GDPR; Art. 6(1)(c) Directive 95/46/EC; Art. 5(e) Convention; cf. also Art. 7 and Art. 8 Directive 95/46/EC which implicitly repeat the data minimization requirement, Bygrave, Data Privacy, p. 151; Kosta et al., p. 81.

125

Bygrave, pp. 59-60; cf. also Bygrave, Data Privacy, pp. 151-152; The German Federal Data Protection Act employs the term “Datensparsamkeit” meaning data frugality. Cf. Simitis/Scholz, § 3a, marginal No. 31 in particular. Note that the criterion of “necessity” relates to the criteria of “proportionality”, cf. Art. 7, 8, 13 Directive 95/46/EC.

126

CJEU has weighed the proportionate use of data in different cases, cf. i.a. C-524/06 on the concept of necessity in Art. 7(e) Directive 95/46/EC; C-101/01 on inappropriate use of filling system to identify copyright infringement; C-291/12 on the proportionate use of fingerprints and storing thereof for passports.

127

Bygrave, Data Privacy, p. 151.

128

Cf. e.g., German Federal Data Protection Act and literature thereof (“Datenschutzfreundliche Technik” or “Datenschutz durch Technik”), cf. Simitis/Scholz, § 3a, marginal No. 1 et seqq.

129

Cf. Para. 10 OECD 2013 Guidelines.

130

Cf. Paal/Pauly/Frenzel, Art. 5, marginal No. 5 et seqq.

131

Albrecht/Jotzo, p. 52.

132

Cf. Art. 7 Convention 108; Art. 5 (1)(b) and Art. 32 GDPR; Art. 17 Directive 95/46/EC; Art. 4 Directive 2002/58/EC; cf. also Para. 11 OECD 1980 and 2013 Guidelines.

133

Cf. Art. 32 GDPR; Art. 17 Directive 95/46/EC.

134

Cf. Art. 32 GDPR; Art. 17 Directive 95/46/EC.

135

Cf. Art. 33 and 34 GDPR; cf. also Chap. 8.

136

Cf. Art. 4(1) and GDPR; Art. 3(1) Directive 95/46/EC; cf. also Ehmann/Helfrich, Art. 2, marginal No. 22 et seqq.; WP 29, Opinion on personal data, in particular p. 18 and p. 21 on pseudonymized and anonymous data; Handbook on EU data protection law, pp. 44 et seqq.; cf. also Chap. 8.

137

WP 29, Opinion on Anonymisation Techniques, p. 11 listening as an example Article 5(3) of the e-Privacy Directive which prevents the storage of and access to “information” of any type on terminal devices without the user’s consent.

138

Various anonymization techniques can be used, since there “no prescriptive standard in EU legislation.” Cf. WP 29, Opinion on Anonymisation Techniques, p. 6 (citation).

139

WP 29, Opinion on Anonymisation Techniques, p. 3, pp. 11 et seqq.

140

Cf. Oxford Dictionary of Law Enforcement 2007.

141

WP 29, Opinion on Anonymisation Techniques, p. 10.

142

Cf. Art. Art. 5(1)(d) GDPR; 5(d) Convention 108; Art. 6(1)(d) Directive 95/46/EC.

143

Cf. Para. 8 OECD 1980 and 2013 Guidelines.

144

Cf. Art. 5(1)(d) GDPR; Art. 6(1)(d) Directive 95/46/EC; Para. 8 OECD 1980 and 2013 Guidelines supplementing the criterion of accuracy with completeness; cf. also Bygrave, pp. 62-63; cf. also Bygrave, Data Privacy, pp. 163-164.

145

Bygrave, Data Privacy, p. 52; cf. also Bygrave, Data Privacy, pp. 163-164; Paal/Pauly/Frenzel, Art. 5, marginal No. 39-41 on the time component of “accuracy.”

146

Both enumerate rules of the “Individual Participation Principle”, cf. Para. 13 OECD 1980 and 2013 Guidelines.

147

As provided in Art. 12 to 22 GDPR or Art. 10 to 15 Directive 95/46/EC which grant data subjects information, access, reaction, and objection rights. Some rights are subject to certain exemptions and restrictions (cf. Art. 23 GDPR or Art. 13 Directive 95/46/EC). Cf. also CJEU, C-201/14.

148

Art. 13(1) GDPR and Art. 10 Directive 95/46/EC related to information collected directly from the data subject, and Art. 11 Directive 95/46/EC for information where the data have not been obtained from the data subject. Both articles differ negligibly from each others with respect to the rights of the data subject. Cf. also Recital 39 GDPR and Recital 38 Directive 95/46/EC.

149

Art. 13(1) and (2) GDPR; Art. 10 Directive 95/46/EC. Similarly in scenarios where the data has not been obtained from the data subject directly, subjects have, in addition the right to receive information about the categories of data concerned, cf. Art. 14 GDPR and Art. 11 Directive 95/46/EC.

150

Art. 13(2)(f) GDPR; cf. Recital 60 GDPR; Paal/Pauly/Paal, Art. 13 marginal No. 31.

151

Paal/Pauly/Paal, Art. 13 marginal No. 31.

152

Cf. for instance on the discourse of “explanations” in an artificial intelligence setting, the Berkman Klein Center Working Paper, The Role of Explanation, 2017, which states that an explanation should be able to answer three related questions: “what were the main factors in a decision?”, “would changing certain factor have changed the decision?”, and “why did two similar-looking cases get different decisions, or vice versa?”

153

Cf. CJEU, C-553/07 on balancing the right to have access with the burden put on data controllers to store the data.

154

Art. 15(1) GDPR; Art. 12(a) Directive 95/46/EC; cf. also Savin, p. 200; in relation to governments the ECtHR argued in Haralambie v. Romania that a delay of five years to grant an individual access to the files stored by the security agencies violated Art. 8 ECHR and the individual’s right to access.

155

Art. 12(1) GDPR.

156

Rectification includes i.a. spelling a name correctly or changing an address. While the data controller can demand a proof for the alleged inaccuracy, the burden of proof cannot be unreasonable. Cf. Handbook on EU data protection law, p. 110.

157

Art. 15 to 19 GDPR and Art. 12(b)-(c) Directive 95/46/EC; cf. also CJEU, C-553/07; Savin, p. 200.

158

CJEU, C-131/12 defining under the Directive 95/46/EC that removing a link from search results falls under the term “erasure” of Art. 12 Directive 95/46/EC.

159

Art. 17 GDPR.

160

Cf. Art. 18 and 20 GDPR.

161

Art. 18 and 20 GDPR. Cf. also Recital 68, 73, 156 and Art. 13(2)(b), Art. 14(2)(c) GDPR; cf. also Chap. 8.

162

Art. 22 GDPR; Art. 15 Directive 95/46/EC. Exceptions to this right are listed in paragraphs 2 of the respecting articles. The CoE has also issued a right to object to automated decision-making in Art. 5(5) Recommendation on Profiling, 2010. Cf. also Handbook on EU data protection law, pp. 112-113.

163

Art. 21 GDPR; Art. 14 Directive 95/46/EC; cf. also Savin, p. 200.

164

Cf. Art 21 GDPR; Art. 14(b) Directive 95/46/EC; cf. also Paal/Pauly/Martini, Art. 21, marginal No. 47-53; Plath/Kamlah, Art. 21, marginal No. 10; Savin, p. 200; Handbook on EU data protection law, p. 114.

165

Under the Directive 95/46/EC the data controllers (i.e., the one determining the purpose and means of processing), is accountable to the data subject. The data processor (i.e., the one executing the operations on behalf of the controllers), is not. Thus, data processors can avoid accountability for their processing operations under the current framework. The distinction in Directive 95/46/EC and the GDPR among data controller and data processors has been criticized, since such a distinction is not always clear. Cf. Cuijpers/Purtova/Kosta, p. 550 with further references. The GDPR addresses these issues by introducing data subject’s rights against both, data controllers and processors and recognizes the possibility of multiple or joint-controllers. Cf. in particular Art. 26 to 28 GDPR.

166

Cf. i.a. Recital 74, Art. 5(2), or Art. 77 to 84 GDPR.

167

Cf. Art. 28 GDPR; Art. 17 Directive 95/46/EC.

168

Art. 32(2) GDPR; Art. 7(1) Directive 95/46/EC.

169

Note that the OECD Privacy Guidelines 1980 and 2013 nor the Convention 108 stipulate the obligatory establishment of DPAs. Thus it is not surprising that the OECD 1980 and 2013 Guidelines do not dwell upon the specific powers DPAs should be granted with. Yet, reading Para. 19 of the Explanatory Memorandum of the OECD Privacy 1980 and 2013 Guidelines in light with Para. 11 of the OECD, Enforcement, 2007 sheds light into the empowerment of national DPAs. Para. 11 urges the OECD member states to empower DPAs with “the necessary authority to (a) deter and sanction violations of data privacy law, (b) carry out effective investigations, and (c) permit corrective action to be taken against data controllers engaged in such violations.” The Additional Protocol to the Convention 108, adopted in 2011, however replicated the basic thrust of Art. 28 Directive 95/46/EC, cf. Bygrave, pp. 72-73.

170

See here also CJEU, C-362/14 stating that DPA’s power also include monitoring data that is being transferred to third countries.

171

Cf. Art 51 and 52 GDPR; Art. 28 Directive 95/46/EC; cf. also Bygrave, p. 70; Bygrave, Data Privacy, pp. 170-172; Paal/Pauly/Körffer, Art. 52, marginal No. 1; Plath/Hullen, Art. 52, marginal No. 3-6; CJEU, C-518/07.

172

CJEU, C-518/07; cf. also Bygrave, Data Privacy, p. 170.

173

Cf. Art. 57 GDPR; Art. 28 Directive 95/46/EC; cf. also Bygrave, p. 70.

174

Cf. Art 58(1)-(3) GDPR; cf. also Paal/Pauly/Körffer, Art. 58, marginal No. 2 et seqq.; Plath/Hullen, Art. 58, marginal No. 7 et seqq.

175

Cf. Art. 29 Directive 95/46/EC; cf. also Bygrave, Data Privacy, p. 174.

176

Bygrave, pp. 73-74.

177

Cf. Art. 83(4)(a) GDPR; cf. also Paal/Pauly/Frenzel, Art. 83, marginal No. 16 et seqq.

178

Cf. Art. 83(5)(a) GDPR.

179

Cf. Art. 83 and 84 GDPR.

Albrecht, J.P. & Jotzo, F. (2017). Das neue Datenschutzrecht der EU. Baden-Baden: Nomos.

Ambrose, M.L. & Ausloos, J. (2013). The Right to be Forgotten Across the Pond. Journal of Information Policy, 3, 1-23.CrossRef

Benn, S. (1984). Privacy, freedom and respect for persons. In A. Schoeman (Ed.), Philosophical Dimensions of Privacy: An Anthology (223-244). Cambridge: University Press.CrossRef

Bennett, C. & Raab, C. (2006). The Governance of Privacy—Policy Instruments in Global Perspective. Cambridge: MIT Press.

Bennett, C. (1991). Computers, Personal Data, and Theories of Technology: Comparative Approaches to Privacy Protection in the 1990s. Science, Technology & Human Values, 16(1), 51-69.CrossRef

Birnhack, M., Toch, E. & Hadar, I. (2014). Privacy Mindset, Technological Mindset. Jurimetrics: Journal of Law, Science & Technology, 55, 55-114.

Brown, I. & Marsden, C. (2013). Regulating Code—Good Governance and Better Regulation in the Information Age. Cambridge: MIT Press.

Burkert, H. (2005). Changing Patterns—Supplementary Approaches to Improving Data Protection a European Perspective. Presentation at CIAJ 2005 Annual Conference on Technology, Privacy and Justice, Toronto, Canada. (cited: Changing Patterns)

———— (2000). Privacy—Data Protection: A German/European Perspective. In C. Engel & K. Keller (Eds.), Governance of global networks in the light of differing local values (pp. 43-70). Baden-Baden: Nomos. (cited: Privacy)

Burri, M. & Schär, R. (2016). The Reform of the EU Data Protection Framework: Outlining Key Changes and Assessing Their Fitness for a Data-Driven Economy. Journal of Information Policy, 6. Retrieved from <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2792222>CrossRef

Bygrave, L. (2017). Data Protection by Design and Default: Deciphering the EU’s Legislative Requirements. Oslo Law Review, 4(2), 109-120. (cited: Data Protection by Design)

———— (2014). Data Privacy Law—An International Perspective. Oxford: University Press. (cited: Data Privacy)

———— (2002). Data Protection Law—Approaching Its Rationale, Logic and Limits. The Hague: Kluwer Law International.

Cuijpers, C., Purtova, N. & Kosta, E. (2014). Data protection reform and the Internet: the draft Data Protection Regulation. In A. Savin & J. Trzaskowski (Eds.), Research Handbook on EU Internet Law (pp. 543-568). Cheltenham: Edward Elgar.

Ehmann, E. & Helfrich, M. (1999). EG-Datenschutzrichtlinie. Köln: Otto Schmidt Verlag.

Gellert, R. & Gutwirth, S. (2013). The legal construction of privacy and data protection. Computer Law & Security Review, 29, 522-530.CrossRef

González Fuster, G. (2014). The Emergence of Personal Data Protection as a Fundamental Right of the EU. Law, Governance and Technologies Series, 16. Heidelberg: Springer.CrossRef

Greenleaf, G. (2013). Data protection in a globalised network. In I. Brown (Ed.), Research Handbook on Governance of the Internet (pp. 221-259). Cheltenham: Edward Elgar.CrossRef

Gutwirth, S. & De Hert, P. (2008). Regulating Profiling in a Democratic Constitutional State. In M. Hildebrandt & S. Gutwirth (Eds.), Profiling the European Citizen: Cross-Disciplinary Perspectives (pp. 271-291). Heidelberg: Springer.CrossRef

Häusermann, D. (2009). Vertraulichkeit als Schranke von Informationsansprüchen. Dissertation, Universität St. Gallen, Nr. 3546. St. Gallen: Dike.

Hildebrandt, M. & Tielemans, L. (2013). Data Protection by Design and Technology Neutral Law. Computer Law & Security Review, 29, 509-521.CrossRef

Hötzendorfer, W. (2016). Privacy by Design and Default. In R. Knyrim (Ed.), Datenschutz-Grundverordnung Praxishandbuch (pp. 137-151). Wien: Manz’sche Verlag.

Hondius, F. (1975). Emerging data protection in Europe. Amsterdam: Elsevier.

Iachello, G. & Hong, J. (2007). End-User Privacy in Human-Computer Interaction. Foundation and Trends in Human-Computer Interaction, 1(1), 1-137.CrossRef

Kosta, E. (2013). Consent in European Data Protection Law. Nijhoff Studies in EU Law, Vol. 3, Martinus Nijhoff Publischers.

Kuner, C. (2013). Transborder Data Flows and Data Privacy Law. Oxford: University Press.CrossRef

Mayer-Schönberger, V. (2001). Information und Recht: Vom Datenschutz bis zum Urheberrecht. Heidelberg: Springer. (cited: Information)CrossRef

———— (1997). Generational Development of Data Protection in Europe. In P. Agre & M. Rotenberg (Eds.), Technology and privacy: the new landscape (pp. 219-236). Cambridge: MIT Press.

Niemann, F. & Scholz, P. (2012). Privacy by Design and Privacy by Default—Wege zu einem funktionierenden Datenschutz in Sozialen Netzwerken. In F. Peters, H. Kersten & K.D. Wolfenstetter (Eds.), Innovativer Datenschutz (pp. 109-145). Berlin: Duncker & Humbolt.

Paal, B. & Pauly, D. (2017). Datenschutz-Grundverordnung. (Published already in 2016) München: Beck. (cited: Author, article, marginal No.)

Plath, K.U. (2016). Kommentar zum BDSG und zur DSGVO sowie den Datenschutzbestimmungen des TMG und TKG (2nd edition). Köln: Otto Schmidt Verlag (cited: Author, article, marginal No.)

Purtova, N., Kosta, E. & Koops, B.J. (2015). Laws and Regulations for Digital Health. In S. Fricker, C. Thümmler & A. Gavras (Eds.), Requirements Engineering for Digital Health (pp. 47-74). Heidelberg: Springer.

Rouvroy, A. & Poullet, Y. (2009). The Right to Informational Self-Determination and the Value of Self-Development: Reassessing the Importance of Privacy for Democracy. In S. Gutwirth, Y. Poullet, P. De Hert, C. de Terwangne & S. Nouwt, Reinventing Data Protection? (pp. 45-76). Heidelberg: Springer.CrossRef

Savin, A. (2013). EU Internet Law. Cheltenham: Edward Elgar.CrossRef

Simitis, S. (2014). Bundesdatenschutzgesetz Kommentar (8. Auflage). Baden-Baden: Nomos. (cited: Author, article, marginal No.)

Spindler, G. & Schmechel, P. (2016). Personal Data and Encryption in the European Data Protection Regulation. Journal of Intellectual Property, Information Technology and E-Commerce Law, 7(2), 163-177.

Tall, I. (2015). Le renforcement de la loi fédérale sur la protection des données: le cas de la protection de la vie privée dès la conception (privacy by design). Travail de mémoire, Cahier de L’IDHEAP 289/2015.

Tamò, A. & George, D. (2014). Oblivion, Erasure and Forgetting in the Digital Age. Journal of Intellectual Property, Information Technology and E-Commerce Law, 5(2), 71-87.

Weniger, R. (2005). Grenzüberschreitende Datenübermittlungen international tätiger Unternehmen: Nach Massgabe der Datenschutzrichtlinie 95/46/EC. Schriftenreihe Studie zum Völker- und Europarecht, Band 13. Hamburg: Verlag Dr. Kovač.

Westin A (1970). Privacy and Freedom. Atheneum.

Whitman, J. (2004). The Two Western Cultures of Privacy: Dignity versus Liberty. Yale Law Journal, 113, 1151-1221.CrossRef

Titel: Privacy and Data Protection Regulation in Europe
verfasst von: Aurelia Tamò-Larrieux
Verlag: Springer International Publishing
Buch: Designing for Privacy and its Legal Framework
Print ISBN: 978-3-319-98623-4

Electronic ISBN: 978-3-319-98624-1

Copyright-Jahr: 2018
DOI: https://doi.org/10.1007/978-3-319-98624-1_5

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner