https://orcid.org/0000-0002-8008-1191
-
PDF
- Split View
-
Views
-
Cite
Cite
Róisín Á Costello, Genetic Data and the Right to Privacy: Towards a Relational Theory of Privacy?, Human Rights Law Review, Volume 22, Issue 1, March 2022, ngab031, https://doi.org/10.1093/hrlr/ngab031
Close - Share Icon Share
Abstract
This article examines the lacunae in contemporary understandings of the right to privacy which genetic data exposes. In particular, the article argues that the nature of genetic data challenges modern, individualistic conceptions of privacy which have come to dominate human rights law in the twenty-first century. The article suggests that the seeds of a new understanding of privacy which integrates existing individualistic understanding with the need to acknowledge the relational nature of modern privacy can be located in the jurisprudence of the European Court of Human Rights and Court of Justice of the European Union. The article offers some initial thoughts on how a relational theory of privacy based on this jurisprudence would function, and argues that further engagement with how to reconcile the collective impacts of genetic data processing and individualistic understandings of privacy is needed.
1. INTRODUCTION
Human rights were historically understood as having a strong group aspect and the right to privacy, in particular, has long been seen as a mechanism for protecting group identities and interests.1 However, contemporaneous understandings of privacy as a human right have become increasingly individualistic and rooted in values of personal autonomy and self-control.2 Over time, however, the individualistic aspects of the right to privacy have blossomed whereas the broader, group aspects, of the right have withered. Thus, modern manifestations of privacy embodied in the decisions of the European Union’s Court of Justice (CJEU)3 and the European Court of Human Rights (ECtHR),4 as well as in rights-centred secondary laws within the European Union (EU), have emphasised narratives of personal autonomy and individual choice.5 This article focuses on genetic data and the right to privacy. It is submitted that advances in modern genetics have challenged privacy’s the emphasis on the individual. Sheila Jasanoff, in describing the rapid development of the capacity to collect and analyse genetic data since the completion of the Human Genome Project in 2003 has described the current landscape as one in which the study of genetics has reached a point of ‘textuality’ meaning that genetic data6 can be read, compared and shared at a previously unprecedented scale.7 As a result of this ‘textuality’ when an individual’s genetic data are interrogated the information produced can be read and combined with other information to produce a profile that is both highly revelatory about, and specific to, the individual from whom a biological sample is taken—revealing their unique, genetic characteristics with a level of particularity not provided by other forms of data. However, because revealing the genetic data of this consenting party necessarily means revealing portions of the genetic data of other individuals to whom they are genetically related, and from whom they descend, processing genetic data present fundamental risks not only to individual privacy but also presents broader questions about the viability of individualistic conceptions of the right to privacy in a post-genomic age.
In addition to the shared nature of the privacy impacts generated by genetic data such data also enable privacy harms which are more diffuse and enduring that exist with other forms of personal data. Unlike other data, genetic data remain not only available, but also relevant following the death of the consenting individual from whom they are collected. Other forms of biometric data,8 such as a fingerprint, have diminishing (and ultimately lose) their capacity to identify an individual post-mortem and can never identify more than the immediately implicated party. Genetic data, however, can be taken from an individual’s remains long after their death and can continue to identify that individual as well as an expanding pool of individuals to whom they were related and, crucially, who are still alive. Genetic data can thus reduce privacy on a long-term basis and can reveal the genetic characteristics and relationships of an expanding group of individuals over successive generations.
In light of these realities, a purely individualistic conception of privacy which permits decisions about genetic material to be taken by one individual, despite the consequences of that decision for a broader pool of people, is increasingly difficult to sustain. In seeking to assess how the right to privacy can be conceptualised in a manner consistent with international human rights law, and which also addresses the privacy impacts raised by genetic data this article advances two central propositions.
The first proposition, is that the right to privacy, in historical terms, has not been understood as exclusively individualistic. This is seen, in particular, in the birth of the right to privacy within the context of the European Convention on Human Rights (ECHR)9 but is also evident in earlier privacy torts and their emphasis on privacy as a right protecting familial interests. The second proposition is that this concern with group interests while long neglected in favour of narratives of individualism, endures within the jurisprudence of the ECtHR, with a similar concern discernible (albeit to a lesser extent) in the decisions of the CJEU. Both Courts have, to various extents, acknowledged or demonstrated a concern with the ‘relational’ impacts of privacy infringements. By ‘relational’ impacts the article refers to the impact which the infringement of an appellant’s privacy rights have for the privacy of those to whom they are genetically related (in the case of the decisions of the ECtHR) or with whom they share a social or communicative relationship (in the case of the decisions of the CJEU).10
The article argues that this idea of ‘relational’ privacy offers a means of understanding the nature of the privacy infringements which occur in cases involving genetic data and of reconciling the individualistic framing of the right with its objective of protecting group identities and the need to recognise that the reduction of one individual’s privacy may have contagious consequences for those around them—those to whom they are, in one way or another, related. In establishing these two propositions section three examines the competing origins of privacy as an individualistic right and a protection intended to vindicate group interests. Drawing on literature concerning the origins of privacy rights in international human rights law, and comparing these origins to modern human rights guarantees and privacy scholarship section three argues that within the ECHR there is evidence of a foundational concern with privacy as a right protecting group identities and interests.
Section four then turns to examine how genetic privacy is regulated in law, examining the individualistic approach employed in existing laws promulgated at an international level as well as under EU law, which is examined because it enjoys a disproportionate influence on privacy discourse worldwide. The article continues in section five to the article’s second proposition, turning to examine the decisions of the ECtHR and CJEU, examining the conceptualisation of relational privacy in evidence in the jurisprudence of those Courts before turning to consider, in section six, the challenges which face a model of privacy grounded in relational terms. In particular, part five addresses how any movement towards a new understanding of relational privacy must confront and overcome both conceptual hurdles in the form of objections to group rights as well as difficulties in terms of the feasibility of designing regulatory architectures in cases where potential rights bearers are members of a diffuse group. In conclusion the article argues that there is a need for further and deeper engagement with how to reconcile the diffuse impacts of genetic data processing and the individualistic understandings of privacy which are currently prevalent.
2. DEFINITIONS AND SCOPE
Before proceeding to the substantive arguments of the piece, it is necessary to define what is meant by ‘genetic data’ within the context of this article. Within this piece the term genetic data are used to refer to data which can be extracted from biological samples and which identifies an individual’s inherited or acquired genetic characteristics (including unique information about the physiology or the health of that individual). Crucially, these are data are not only unique—in its capacity to particularly identify one person—it is also inalienable, in as much as it cannot be transferred in total, or faked.11 Genetic data are also understood within the scope of this article, and in accordance with its definition in the texts and decisions examined, as one of a range of datatypes classified as biometric data. Biometric data are personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of individuals and which allows for or confirms the unique identification of an individual. Other common examples of biometric data include fingerprints and images which can be used for facial recognition.12 Finally in respect of terminology, while the rights to data protection and privacy are enshrined as distinct under the EU Charter of Fundamental Rights and are understood more generally as ‘distinct’ rights within the schema of human rights law, this article treats the right to data protection as derived from and thus to be considered as part of a broader right to privacy. This is in keeping with the acknowledged relationship between the rights as it exists in the jurisprudence of the ECtHR which has recognised data protection as an implied right under the protection of private and family life in Article 8 ECHR.13 It is also in keeping with the dominant understanding of the relationship between the rights as it emerges in the jurisprudence of the CJEU.14
The article affords particular focus in its analysis to how the right to privacy has been articulated before the ECtHR and CJEU rather than undertaking a consideration of the treatment of the various international human rights provisions protecting privacy as they have been interpreted by international tribunals, and national courts. This focus has been adopted for two reasons. First, because of the influence of both the CJEU and ECtHR in constructing how the right to privacy (and in turn the right to data protection) are conceptualised within the EU which has a consequent impact on privacy standards and discourse at an international level as a result of the Union’s regulatory influence in that area.15 Secondly, because the ECtHR’s jurisprudence has a direct influence on the CJEU’s interpretation of the Charter as a result of Article 52 of the Charter of Fundamental Rights of the European Union which provides that in so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. Although Article 52 does not prevent Union law providing more extensive protection it does provide that international human rights norms, as laid down by the ECtHR provide a baseline level of the protection provided in EU law.
As such, how the right to privacy is conceptualised in the ECtHR and CJEU has, to date, had a disproportionate impact on how those rights come to be understood in human rights discourse more generally. The decisions of these Courts thus offer a particularly useful analytical prism through which to assess the potential of reconceptualising the right to privacy in order to address the challenges raised by genetic data, and the viability of any reconceptualisation on a broader basis.
3. THE RIGHT TO PRIVACY-FROM GROUP PROTECTION TO INDIVIDUAL RIGHT
The revelatory capacity of genetic data for the privacy interests of those beyond the immediately consenting party—the person who has relinquished the data at issue—has been recognised by the EU’s Article 29 Working Party,16 which stated in a 2004 working document that developments in genetics mean a new ‘legally relevant social group can be said to have come into existence—namely, the biological group’ composed of those individuals who are genetically related.17 Although the remit of the Working Party (now the European Data Protection Board) is limited to technical matters regarding the consistent application of EU data protection law, in identifying the existence of the biological group and the impacts of the collection of genetic data on the privacy interests of its members the Working Party gave institutional recognition to the challenges which genetic data pose to the structure of privacy as a human right.18 This is significant, not least given the dominant understanding of privacy in modern human rights law as a right which is exercised (and alienated) on an individual basis.19
Individualistic understandings of privacy presume that an individual can consent to the collection and processing of their personal information (and any resulting reduction in their privacy) because they enjoy an exclusive, and thus controlling, interest in that data and how it is shared and used.20 This conceptualisation of privacy as an individually managed right is seen in literature considering privacy as both a public and private law right. Thus, foundational writings on privacy as a private law right from Warren and Brandeis’ 1890 article onwards conceptualise privacy as a right based on control which can be exercised by a person over their surroundings, and the capacity to retreat from public scrutiny through exercising such control.21 Subsequent writing on privacy as a tort in common law jurisdictions sought to systematise privacy rights as discrete torts based on this exclusionary capacity and the normative value of individual personality22 and dignity.23 The privacy-as-control model is often seen as crystallising in the work of Alan Westin who understood the right to privacy as the right to control, edit, manage and delete information about them[selves] and decide when, how and to what extent information is communicated to others.24
Ideas of privacy as control have also leaked into thinking about privacy as a public law right. Within the modern international human rights framework, and looking particularly to the ECHR and Charter of Fundamental Rights, ideas of privacy as control premised on individual privacy remain strong. The ECtHR’s statement that ‘the very essence [of the ECHR] is respect for human dignity and human freedom’25 orients the Convention’s fundamental view of fundamental rights and their functions. The Charter of Fundamental rights, in addition to recognising dignity as a right in and of itself, in the explanations to the Charter emphasises a similar view of rights on the understanding that ‘the dignity of the human person … constitutes the real basis of fundamental rights’.26 In this respect, the right to privacy is conceptually understood as justified by, and oriented towards, securing the interests of the individual in as much as dignity is fundamentally linked to, and affirming of, personality-based theories rooted in self-ownership and individual development of self.27 This understanding is echoed in the language of Article 12 of the Universal Declaration of Human Rights (UDHR) and Article 17 of the International Covenant on Civil and Political Rights (ICCPR) both of which protect the ‘privacy, family, home and correspondence‘ and the ‘honour and reputation’ of individuals from arbitrary and unlawful interference. The provisions of both the UDHR and ICCPR are framed in individualistic terms that no person shall be subject to an infringement of the right protected and are situated within the broader frame of documents whose preambles situate their protections within a tradition premised on the ‘inherent dignity’ of the human person. In both documents, the few references which might be constructed as indicative of group concerns are the ICCPR’s reference in its preamble to the individual’s rights and duties as part of a community to ‘strive for the promotion and observance of the rights recognised in the Covenant’ and the broader guarantees of sovereignty granted to ‘all peoples’ in Article 1. The framing of privacy, however, remains steadfastly individualistic.28
The preamble of the Charter of Fundamental Rights is more explicitly individualistic—noting that the EU ‘places the individual at the heart of its activities’. As in the Charter, the Convention employs individualistic language—noting in Article 1, that signatory states ‘shall secure to everyone within their jurisdiction the rights and freedoms’ provided by the text. In the case of both documents, such guarantees are reducible to an atomistic understanding of a society composed of individual actions and actors equal in entitlement but not interdependent in their ability to achieve the actualisation of their rights. A similar emphasis is evident in the substantive text of Article 8 ECHR and Articles 7 and 9 of the Charter of Fundamental Rights of the European Union whose language endorses a view of rights as individually held entitlements and a presumption that their infringement can be redressed by individualistic instances of vindication. Thus, Article 8 ECHR provides that ‘everyone’ has the right to respect for his private and family life, his home and his correspondence. Article 8 also protects the family, and has located the right to family life as existing between diverse groups of individuals29 basing its analysis on the existence of close family ties as well as de facto family relationships where ‘sufficient constancy is present’.30 Although this might be read as indicating a less individualistic approach, the Court’s emphasis in these cases has been on the right of one individual as against an external or third party to have the family group recognised as such, or to be recognised in their family relationship vis a vis another individual. There does not appear, in the Court’s reasoning, to be a recognition of the group rights of the family as a singular unit, as opposed to as a grouping of atomistic individuals. In line with the ECtHR’s jurisprudence, the CJEU in considering Article 7 of the Charter has defined family broadly to include small units of two individuals as well as de facto family units31 but has placed a majority of its emphasis on freedom of movement in its decisions to date and thus seems, like the ECtHR, to view the family on an atomistic rather than group basis in as much as privacy is concerned. More generally, the jurisprudence of the CJEU in relation to privacy indicates that the normative underpinning of both Articles 7 and 8 is highly individualistic. In particular, the Court’s decisions appear to be premised on the need to protect individual control over personal data32 though the decisions of the Court fall short of the still more individualistic right to informational self-determination in the national constitutional traditions of some Member States.33
It is against this background that the EU’s current data protection architecture, premised on notice and consent and normatively grounded in the Union’s fundamental rights provisions,34 has developed. The relative desirability and coherence of consent-based approaches for the protection of privacy has been addressed elsewhere35 and the particular application of the General Data Protection Regulation (GDPR)36 to genetic data is dealt with in part three of this article. What must be noted at this point however, is that the GDPR itself repeatedly emphasises the centrality of individual control, importing the conceptual framing of Articles 7 and 8 of the Charter (and indeed of the ECHR) into its regulatory architecture.37 The notable feature of these documents, each assuming their appropriate position within the landscape of international human rights law, is that they are commonly committed to a vision of privacy as an individualistically conceptualised right, guaranteeing their protections to ‘everyone’ in atomistic language that views group concerns as reducible to violations of individual protections.38 Although the preambles of the ICCPR and UDHR may aver towards a broader context in which their guarantees serve an abstract social or human good, and while the documents themselves may include rights that are demonstrably aimed at the protection of distinct groups (notably the protection of religious conscience),39 the provisions themselves reduce any broad, socially defined objectives to a series of individually actionable rights provisions.
This determined focus on individualism is at odds with the origins of privacy as a right whose commitment to a singularly individualistic right is less certain that these various documents would suggest. As the right to privacy emerged in national law during the course of the nineteenth century40 was a right centrally concerned with ideas of securing the public good through the protection of the male-lead family unit.41 Although Anita Allen has critiqued this construction of privacy from a feminist perspective, the central concern for this article is that the right was not as purely individualistic as initial readings of Warren and Brandeis of other isolated commentaries would suggest.42 Looking beyond the nineteenth century the shift from a group-based understanding of privacy to an individualistic one can be characterised as part of the broader shift described by Lerner who has documented the shift within human rights from protections which were first understood as group-oriented protections and over time assumed their role as individualistic ones.43 Lerner articulates this shift as one in which human rights began as laws protecting ‘not the individual but groups of individuals’ largely based on religious affiliation.44 However, the inheritance of human rights as group rights is not entirely absent from the human rights documents codified following the Second World War. This is perhaps unsurprising, the protection of individuals through agreed human rights documents was seen as necessary to prevent persecution based on group identity in the context of the actions of the Axis powers during the Second World War and subsequent developments in the USSR which saw restrictions and denials of the rights of groups based on gender, religious, ethnic or political identity as well as sexuality and intellectual convictions.45 Against this background, it is perhaps surprising that more of the international human rights guarantees are not inclusive of a group-based conception of human rights, or do not aver to such concerns in their preparatory materials. Thus the records in relation to the drafting of both the ICCPR and UDHR are notable for the absence of any consideration similar to those highlighted in drawing-up the Teitgen Report which accompanied the development of the ECHR, focusing instead on the minutiae of drafting and leading to a ‘silent’ birth of the right—certainly in ideological terms.46 The drafting of the European Convention of Human Rights, however, does indicate such a concern, specifically in the context of the right to privacy. The Teitgen Report, compiled by the rapporteur on the drafting of the Convention, explicitly noted that regulation of the family and the erosion of familial privacy had been used for racial and religious discrimination in totalitarian regimes as well as to eliminate intellectual and political dissent.47 Bates similarly notes that the inclusion of rights of family groups within what would become Article 8 of the Convention was an express reaction to extreme group-based human rights abuses during the Second World War and in subsequently emergent communist regimes.48 The development of the right to privacy in the ECHR49 was thus motivated by an understanding of the need to vindicate those group rights which acted as counterbalances to State overreach. Indeed, the ECHR, and (more recently) the Charter of Fundamental Rights of the European Union which echoes much of the Convention’s content and language50 are notable for their inclusion of rights that are demonstrably aimed at group protection—most notably those protected under Chapter III of the Charter.51
Despite these group oriented protections, the text of ECHR, as in the case of the UDHR and the Charter, endorses a view of the right to privacy as an individually held entitlement which can be vindicated on this basis. Article 8 of the ECHR and Article 7 of the Charter, for example, view even the family group which is included under their auspices on an atomistic rather than group basis in as much as privacy is concerned.52
The result is that, although human rights may be considered historically group-based protections, as in Lerner’s account, and although the ECHR’s preparatory documents indicate a historical and foundational concern with group-based protections in as much as privacy should protect groups from discriminatory conduct or persecution, this concern has fallen away in modern rights documents and decisions. Yet, as part four examines, the jurisprudence of both the ECtHR and the CJEU indicate that historic concerns with the protection of groups continue to echo in contemporary privacy jurisprudence. Before moving to consider those decisions, however, it is necessary to complete the legal landscape in respect the right to privacy as it relates to genetic data in particular.
4. REGULATION OF GENETIC DATA IN INTERNATIONAL HUMAN RIGHTS LAW
The period following the complete sequencing of the human genome in 2003 has occasioned a transformation in both law and the life sciences.53 UNESCO has produced two international Declarations specifically concerned with the regulation of genetic technologies. The first was the 1997 Universal Declaration on the Human Genome and Human Rights (UDHG) and the second was the 2003 International Declaration on Human Genetic Data (IDHGD).54
A. Universal Declaration on the Human Genome and Human Rights
The UDHG was the first intergovernmental instrument specifically aimed at protecting human rights in the field of genetics and seeks to prevent the use of genetic information in ways that are contrary to human rights and human dignity. The Declaration prohibits discrimination based on genetic characteristics,55 recognises a right to know one’s genetic characteristics,56 and specifically stipulates that private personal genetic information should be treated as confidential and not communicated to others without the consent of the individual to whom it belongs.57 These provisions are framed as individually enforceable and divisible rights, premised on the consent of the individual and individualised control. However, the UDHG also has a more long-term objective—the preservation of the human genome from improper manipulations which could endanger the identity and integrity of future generations. Consistent with this aim the Declaration understands the human genome as part of the ‘heritage of humanity’, a term which seeks to emphasise, first, that research involving genetic data engages the responsibility of the whole of humanity and that its results should benefit present and future generations, and, second, that the human genome as such is not suitable for appropriation by any state or corporation.58 Although this characterisation within Article 1 remains symbolic and non-justiciable, it avers to deeper tensions between individualised understandings of rights and duties and the collective consequences which the use (and misuse) of certain resources can have for social groups (and indeed global populations) beyond the immediate rights-holder. Despite this, however, the UDHG is notable for its repeated emphasis on individual rights, and a failure to identify that the collective impacts for humanity which it identifies may not be capable of adequate redress through individualised mechanisms alone.
B. International Declaration on Human Genetic Data
The subsequent IDHGD is, in some respects, an extension of the UDHG, setting out in greater detail the rules governing the collection, use and storage of genetic data and providing a comprehensive ‘framework of principles and procedures to guide States in the formulation of their legislation, policies and other instruments in the field of bioethics’.59 The Declaration includes requirements for informed consent to genetic testing60 and confidentiality of genetic data,61 imposes a ban on genetic discrimination,62 provides for the right to know in respect of one’s genetic make-up,63 and advocates international solidarity in genetic research and benefit-sharing.64 Once more, however, the IDHGD views rights in respect of genetic data as individually held, imposing thresholds of individual consent for processing genetic data, and affording rights in respect of genetic data on an individual basis within its text. In this respect, the IDHG, as well as the UDHG both perpetuate the understanding of privacy as an individual right whose broader contribution to social goods is best achieved through individualised rights, and actions for infringement. As such, neither document offers a path either to recognising or indeed to reconciling the privacy impacts of genetic data, or historic conceptions of privacy as a group protection with modern understandings of privacy rights.
C. Council of Europe Convention
Elsewhere, the Council of Europe Convention on Human Rights and Biomedicine (the Oviedo Convention)65 also addresses human rights and genetic data. As in the case of the IDHGD, the Convention provides a requirement for informed consent for genetic testing,66 provides for rights to confidentiality and to be informed concerning a genetic status67 and imposes restrictions on the use of predictive genetic tests.68 Once more, however, the Convention provides for the central mechanism for regulating genetic data to be individual consent and frames its language in explicitly individualistic terms affording its rights and protections to persons on an individual basis. The Explanatory Report to the Oviedo Convention acknowledges that genetic developments create new concerns for both individuals and the human species69 and the text of the Convention acknowledges in its preamble that progress in biology and medicine should be used for the benefit of present and future generations. However, Article 1 specifically frames the obligations of parties to the Convention as being owed in respect of individuals and in service of protecting the ‘dignity and identity of all human beings’. Reinforcing this explicitly individualistic aim, and diminishing the capacity for a reading of the Convention sympathetic to a broader conception of privacy, is the text of Article 2. Article 2 provides that ‘[t]he interests and welfare of the human being shall prevail over the sole interest of society or science’. In contrast to the UN Declarations the Convention this wording explicitly excludes, rather than simply failing to acknowledge or conscience, an idea of the right to privacy as more than an explicitly individualistic right. Although Article 2 is likely intended to exclude the prioritisation of corporate or other interests over those of the individual, the Article seems particularly unusual given the ECHR’s historical understanding of privacy as specifically driven by concerns about the harms to groups which reductions in, or absences of, privacy rights could occasion.
Despite this contradiction, Article 2 is in keeping with the individualistic text of the ECHR, and the Council of Europe’s other flagship privacy law, Convention 108.70 Convention 108 specifically references genetic data in Article 6 as a ‘special category’ of personal data.71 Interestingly, the Explanatory Report to the Convention elaborates on the significance of genetic data in a third party context noting that processing the genetic data of one individual can reveal information on the health or filiation of that person, as well as of third parties. Convention 108 thus acknowledges the reality, averred to by the Article 29 Working Party, that the nature of genetic data challenges purely individualistic understandings of privacy. Yet, as in the framing of Article 1 of the UDHG, Convention 108 thus refers to the broader potential harms which genetic data pose to those beyond the immediately consenting individual while simultaneously failing to offer a means by which these group privacy impacts can be assuaged or addressed. Although these texts are, to various degrees, aware of the collective promise—and perils—of genetic data, the privacy rights afforded to individuals in respect of their genetic data under these Declarations and Conventions remain committed to a conception of privacy as an individualistic right, whose assurance is predicated largely on the exercise of individual consent.
D. The European Union’s General Data Protection Regulation
The jurisprudence of the ECtHR and CJEU, considering the ECHR and Charter respectively, are considered in section five. It is in light of the Charter’s guarantees of privacy (Article 7) and data protection (Article 8) that the final law governing genetic data considered here must be read. The EU’s influential data protection architecture has developed what may be considered the zenith of individualised conceptions of privacy in the form of the GDPR.72 Under the GDPR all information relating to an identified or identifiable natural person, who may be identified either directly or indirectly in particular by reference to a datapoint such as a name, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person, is considered personal data.73 Genetic data are thus, clearly, considered personal data within the Regulation but very much within the confines of an individualistic model of personal choice.74 Under the Regulation, personal data can be processed only in the presence of a ground for processing as provided under the terms of Article 6 GDPR. This is modified somewhat in the case of genetic data, which is classified as a special category of personal data by Article 9.75 Processing of Article 9 data is presumptively prohibited but can be processed based on the explicit consent of the data subject (under Article 9(a)) or on the basis of one of the alternate grounds listed with Article 9(b)–(j). It is important, in considering the viability of these alternative bases, to read Article 9 in light of Article 10 GDPR which provides that the processing of special categories of personal data including genetic and biometric data are permitted only where strictly necessary, subject to appropriate safeguards,76 and where authorised by Union or Member State law,77 to protect the vital interests of the data subject or of another natural person, or where such processing relates to data that are manifestly made public by the data subject. These provisions are individually drawn, focusing on individuals as data subjects whose choices about how to deal with their data are made on an individualistic basis. Moreover, the text of the GDPR as with the text of the Charter fails to include an explicit understanding, as in Convention 108, of genetic data as challenging individually oriented understandings of privacy—or the implicit understanding of genetic data as a shared resource as in the case of the UDHG.
Despite this, within the black letter law of the Regulation, and its definitions, there is space for an interpretation that captures the harms to non-consenting members of a biological group. Thus, Article 4 defines personal data as data relating to identified or identifiable individuals a definition supplemented by Recital 26 GDPR which provides that to determine whether an individual is ‘identifiable’ account should be taken of all the means which are likely ‘reasonably to be used either by the controller or by any other person to identify the said person’. If Article 4 is read in light of the Recital and the reference made in Article 4 to genetic data, the implication is that genetic data as it directly identifies the immediately consenting party is their data—but may also be considered the personal data of members of that consenting party’s biological group—those who are indirectly identifiable through its analysis either on its own or in combination with additional data. This reading, of course, relies on the adoption of a plain reading of the text of the Regulation which understands identifiable individuals as including within its definition those who are genetically identified by the collection of genetic data78 which identifies them as part of a biological group. In particular, such a reading would be necessarily required to be compatible with the Charter79 and the ECHR.80 Although both documents, as examined in section four, employ an individualistic conception of privacy and have been interpreted in this manner by their respective courts, certain decisions—considering genetic data in the case of the ECtHR and communications data in the case the CJEU—offer tentative indications that the historic conception of privacy as a right protecting groups, has endured within human rights law and could be brought to bear towards this end.
5. THE JURISPRUDENCE OF THE ECtHR AND CJEU
Although genetic data, as it falls within the scope of Article 8 ECHR, has been afforded some consideration by the ECtHR, the CJEU has not yet been confronted with the need to consider genetic data as an issue of privacy arising under the Charter. However, in the decisions of the CJEU as they relate to data retention, just as in the ECtHR decisions considering genetic privacy, there is an emergent conceptualisation of privacy as encompassing more than individualistic interests. Both Courts, as the following sections examine, have averred to the fact that the infringement of one individual’s privacy, may result in privacy harms not only for the immediate appellant appearing before them but also for those with whom they share a social or communicative relationship (in the case of the CJEU) or with whom they share a genetic relationship (in the decisions of the ECtHR).
A. The ECtHR and Article 8 ECHR
Although the body of precedent dealing with genetic data under Article 8 ECHR is limited, it has been established by the ECtHR that the extraction and use of genetic information poses a significant risk to privacy. The Court first considered the privacy impacts of the collection of genetic data in the application in Van Der Velden.81 In that case, the prospective appellant had been convicted of and served a prison sentence for, several bank theft offences. Under Dutch law and as a result of his convictions, Mr Van Der Velden was obliged to provide material for the creation of a DNA profile in a national police database.82 He challenged that requirement on the basis that his genetic data was not relevant to his crimes, could not serve a ‘useful purpose in the prevention, detection, prosecution, and trial of criminal offences’ under Article 8(2)83 and that the collection thus amounted to a breach of his rights to privacy and data protection under Article 8 ECHR.84
In considering the application, the Court noted that given the potential uses of genetic material, its retention and the retention of the genetic data derived from it was intrusive for Article 8 but acknowledged the measure was under national law.85 Moreover, the Court had no difficulty accepting that the compilation and retention of a DNA profile served the legitimate aims of preventing crime and protecting the rights and freedoms of others.86 The Court thus declined to find there had been a breach of the appellant’s rights sufficient to ground an appeal to the ECtHR. However, in coming to this conclusion, the Court specifically emphasised that the measures at issue were necessary for a democratic society noting the substantial contribution DNA records make to law enforcement.87
In the later decision in S & Marper v United Kingdom88 the applicants were arrested and genetic samples were taken from them and stored in a national database in accordance with national law. Under the law in the United Kingdom, these samples were retained indefinitely, including where the individual from whom the sample was taken was never charged or where they were later acquitted. The appellants in S & Marper, while they were arrested and charged (with attempted robbery and harassment of a partner respectively) were never convicted of those offences.89 Before the ECtHR, both individuals contended that the indefinite retention of their genetic data, in particular in circumstances in which they had not been found guilty of any crime, amounted to a violation of their Article 8 rights. The appellants emphasised that the violation was particularly acute given the wealth of private information permanently available through the genetic data that resulted from the analysis of their samples.90
In its judgment, the Court acknowledged and reiterated as correct the position adopted in its preliminary decision on admissibility in Van Der Velden that, given the use to which cellular material could be put, its retention was sufficiently intrusive to constitute a violation of Article 8.91 The Court found that the ‘intrinsically private character’92 of genetic data resulted in a prima facie privacy breach where it was collected, regardless of subsequent use and accepted that the retention of such data interfered with the appellant’s Article 8 rights. The Court founded this conclusion on the fact that the genetic data were crucially linked to the appellant’s individual identities and constituted a type of personal information they were entitled to keep within their control.93 Drawing on established jurisprudence under Article 8 the Court noted that, beyond a person’s name, his or her private and family life may include other means of personal identification and information that links an individual to a family group94 such as information that concerns a person’s health and their ethnic identity.95 In the Court’s assessment, these forms of information should all be considered to fall within the understanding of private life and could all be revealed through the analysis of an individual’s genetic material and the data generated by such analysis.96 Significantly for the present article, while the Court’s dicta appear at first blush to retrench an individualistic understanding, the Court emphasised twice in its judgment that genetic data could be used to trace family members and noted that the ‘highly sensitive nature of such searching’ and the capacity of genetic data ‘to provide a means of identifying genetic relationships between individuals was on its own sufficient to constitute a serious interference’ with the right to the private life under Article 8.97
The difference in approach between Van der Velden and Marper thus ultimately turned on the guilt of the individual whose Article 8 rights had been violated and the consequent proportionality of a limitation on their right to privacy under Article 8(2)—not on the absence of a violation of Article 8. Indeed, in both decisions, the Court accepted that collection of genetic material and its analysis to extract genetic data is, prima facie, a breach of Article 8 and that the impact of such collection on the right to privacy is significant. This line of reasoning was reinforced by the decision in Aycaguer v France.98 In that case, the Court held, unanimously, that there had been a violation of Article 8 in circumstances where the appellant had been obliged to provide a DNA sample for inclusion in a national database following his arrest for a minor offence. In its judgment, the Court reiterated its statements from Marper that, as a consequence of the quantity and sensitivity of the data contained in genetic material, storing such data amounted to an interference with the right to privacy within the meaning of Article 8 regardless of the subsequent use to which such data were put.99
The Court acknowledged the legitimate role of DNA databases as a means of protecting populations from crime and punishing or preventing certain offences100 but emphasised that such collection could become part of ‘an abusive drive to maximise the information stored … and the length of time for which [such information is] kept’.101 Indeed, in the Court’s assessment, absent the requisite proportionality regarding the legitimate aims assigned to such collection, the advantages of DNA databases would be rapidly overtaken by the seriousness of the breaches of Article 8 occasioned through their use.102 The Court considered that, as a result of the duration of the storage of the applicant’s genetic data and the lack of a deletion mechanism, the respondents had failed to strike an appropriate balance between the competing interests under Article 8(2) and had occasioned a breach of the appellant’s privacy rights.103
In Gaughran v The United Kingdom104 the ECtHR unanimously ruled that the indefinite retention of biometric data, which included a digital DNA profile as well as fingerprints and photographs of individuals convicted of an offence punishable by imprisonment, infringed Article 8 ECHR.105 This was because, under the retention scheme, the applicant’s personal data was to be retained indefinitely, without reference to the seriousness of the offence, whether it became a ‘spent conviction’, the need for indefinite retention and in the absence of any real possibility of review.106 The Court thus found that the regime failed to strike a fair balance between the competing public and private interests and constituted a disproportionate interference with the applicant’s right to respect for his private life and which could not be regarded as necessary in a democratic society.107 Mr Gaughran, was arrested for driving with excess alcohol contrary to the Road Traffic (Northern Ireland) Order 1995, and had his photograph, fingerprints and a DNA sample taken and recorded at a police station.108 The appellant subsequently pleaded guilty, and was sentenced. Five years later, the appellant’s conviction became spent, however, his DNA profile, fingerprints and photo were retained indefinitely by the police.109 The ECtHR noted, in differentiating between the impacts of DNA and other biometric data (in this case fingerprints and photographs), that these latter types of data could not be used to ‘identify relationships between individuals’ as DNA could.110 Invoking the decision in S & Marper the Court noted that a defined temporal limit on the retention of DNA was particularly necessary given DNA’s capacity to identify not only the individual but to ‘continue to impact on individuals biologically related to the data subject’ after the subject’s death.111
The Court went on to state that DNA profiles’ capacity to provide a means of identifying genetic relationships between individuals ‘is in itself sufficient to conclude that their retention interferes with the right to the private life of the individuals concerned’ and that the frequency of familial searches, the safeguards attached thereto and the likelihood of detriment in a particular case were immaterial in this respect.112 Two main points emerge from the decision. The first, is judicial recognition of the central concern around which this article is based and which is emphasised more strongly in Gaughran than in previous decisions—that the enduring and diffuse nature of DNA data makes it particularly problematic from a privacy perspective, and implicates the interests of a broader biological group whose privacy is impacted when DNA is retained and processed.113 Related to this is the Court’s acknowledgement of the particular interference which the processing and retention of genetic data poses simpliciter, its greater capacity to infringe privacy and its broader impacts—specifically stating that familial searching is a serious interference of privacy rights whether or not the original data subject is still alive invoking its decision in Marper and reaffirming its comments in that case is more strident, and explicit language.
In increasingly explicit terms the ECtHR has, through these decisions, acknowledged that the storage and analysis of genetic data is particularly damaging to privacy because such data can be used to identify and infer characteristics not only in respect of the individual immediately involved in its collection but also the wider networks of individuals to whom that person was genetically related. What causal connection, if any, is to be drawn between the negative privacy impacts of the collection of the genetic data of one individual and the privacy impacts of a biological group, has not been considered as a discrete issue by the Court to date and the comments in Van der Velden arguably remain obiter. However, the comments in Gaughran are less easily dismissed, forming as they do a central part of the Court’s reasoning in respect of the differential privacy impacts as between photograph and DNA data. Even were the comments in Gaughran to be considered obiter, they nevertheless retain a persuasive value along with the other decisions of the Court in the interpretation of Articles 7 and 8 of the Charter and their application in EU law to the GDPR subject to Article 52 of the Charter. This is particularly the case given the CJEU’s own endorsement of a similar view of privacy in its decisions regarding data retention.
6. THE CHARTER OF FUNDAMENTAL RIGHTS AND PRIVACY IN EU LAW
Unlike the ECtHR, the CJEU has not yet had occasion to consider genetic data in the context of the privacy guarantees of Articles 7 or 8 of the Charter. However, the existing case law of the Court does indicate an endorsement of the more general understanding, like that expressed in Van der Velden and Gaughran, that revelations of data concerning one individual may necessarily implicate privacy reductions for third parties with whom they share the relationship which is under scrutiny. In particular, the CJEU in its decisions concerning the interception and retention of communications data has evidenced a nascent understanding of the negative privacy impacts of the violation of one individual’s privacy rights for the network of individuals with whom they communicate.
In Digital Rights Ireland114 the appellant challenged national legislative and administrative measures on the retention of data concerning electronic communications and the validity of Directive 2006/24 on which the action was based.115 For this piece, the relevant dicta of the Court was its acknowledgment that the collection of communications data made it possible to ascertain not only the identity of the individual whose data were retained but also the identity and elements of the nature of the communications of those other parties with whom they communicated.116 Drawing on an established line of case law concerning retained data the Court noted that the retention of the data outlined in Articles 3 and 5 of the Directive made it ‘possible, in particular, to know the identity of the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place. They also make it possible to know the frequency of the communications of the subscriber or registered user with certain persons during a given period’.117 The Court in its dicta acknowledged that data which appeared to be minimally revelatory enabled the imputation of precise conclusions relating to the private lives of the individuals whose data have been retained—as well as those they communicated with, revealing a network of relationships emanating from the central individual whose data were in question. The elements of these relationships which were revealed included ‘habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them’.118 Although the Court acknowledged the role of the retention of communications data in the prevention of offences and the detection of crime119 it noted that such objectives, however fundamental, could not justify this indiscriminate retention established by the Directive.120 At the heart of this observation on the part of the Court is an understanding that the infringement of one individual’s privacy reveals not only information about that individual but also those with whom they share social or communicative relationships. Pursuing this understanding of privacy infringements to its logical conclusion, it follows that the privacy of those with whom the immediately affected party enjoys such relationships must also be impacted. This is, in essence, a more general understanding of the idea that the ECtHR expounded in Marper and emphasised in Gaughran—that when the privacy of one individual is compromised it imports impacts not only for that person but also the broader social group who can be identified and whose information is revealed as a result of such infringements. Although the ECtHR case law has expounded this in a specific context in relation to genetic privacy, the underlying understanding of privacy impacts between the jurisprudence of both courts appears to be the same.
Following Digital Rights the individuals in the joined cases of Tele2 Sverige and Watson121 asked the CJEU to consider whether similar national legislation concerning data retention in Sweden and the United Kingdom (respectively) was also invalid as a matter of EU law.122 The Court emphasised it had identified similar shortcomings with the legislation to those enumerated in Digital Rights123 and again noted that the legislative schema constituted a violation of the privacy of the appellants by permitting precise conclusions to be drawn concerning their private lives124 including their quotidian habits and movements and their places of permanent and temporary residence. Crucially, the Court noted once again that the retention even of these data (which did not reveal the contents of the communications themselves) also permitted conclusions to be drawn about the social relationships of the appellants and those with whom they had communicated.125 Although the concern in the case was with the rights of the appellants whose data were retained and not the individuals with whom they communicated, as in Digital Rights, the logical conclusion—and indeed the apparently intended implication—of the Court’s dicta is that the retention of the appellant’s information allowed a portrait not only of the appellant but also a partial portrait of the individuals with whom they communicated to be compiled.
In articulating this understanding of privacy as a right shaped by relational patterns—and thus subject to infringements which can similarly spread from the immediately impacted party through their communicative relationships to other individuals—the CJEU opened a door to an understanding of privacy as a right whose infringement by one party may necessarily import privacy harms for a broader group of individuals connected to the immediate appellant. As such, and given the explicit application of similar reasoning to specifically genetic context by the ECtHR it is not unreasonable to expect that the GDPR could be interpreted in the manner examined in section four. More fundamentally, and in light of the EU’s influence in global privacy discourses it is equally reasonable to assume that this understanding of privacy as constructed through, and reduced as a result of, infringements within a relational structure could influence the interpretation of the right to privacy within a broader human rights context. But what conception of privacy, specifically, emerges from these decisions, grounded on individualistic provisions yet clearly alive to the broader impacts of one individual’s privacy for those with and to whom they are connected?
7. BETWEEN THE INDIVIDUAL AND THE GROUP-TOWARD A RELATIONAL THEORY OF PRIVACY
In examining the privacy issues raised by genetic data in light of the decisions of the ECtHR and CJEU two central points emerge. The first is the acknowledgment from the ECtHR that the collection of genetic data is prima facie an infringement of privacy—because it reveals such personally sensitive characteristics but also because it reveals familial relationships and allows them to be mapped. The CJEU appears to endorse a similar understanding (though not in the context of genetic data)—that privacy reductions for one individual may incur reductions in the privacy of others by revealing portions of their private information—as well as their relationship to the immediate rights holder. Within this acknowledgment, it is tempting to read an allegiance to the sociohistoric origins of human rights following the Second World War, and the particular context which the guarantees of privacy which the Convention (and more recently the Charter) vindicate. However, it may equally be that the ECtHR’s interpretations should be understood as merely a realist understanding of the character of genetic data and the contagious impacts of a genetic privacy infringement for the web of genetically related individuals which radiates from the appellant in any case. More fundamentally, however, what can be said is that the dicta of both Courts, when read against the broader human rights context, demonstrate an understanding that modern data collection and processing imports clear risks for the privacy of groups in a manner that challenges individualistic understandings of the right—whether those groups are connected by genetic relationships or social ones. In the context of generic data specifically, this harm may, as is acknowledged by the dicta of the ECtHR and the Explanatory Report to Convention 108 be limited to family members (though even this extends the reach of such harms several removes from the individual) but may also, as Article 1 of the UDHG suggests, import more universal harm.
The second point which is implicit in the dicta of both Courts, is that it is not necessary to re-conceptualise privacy rights as belonging to one of two distinct groups—as either individual rights or group ones. Rather, how the Courts speak about the right to privacy in the contexts under examination indicates a clear view that the right as it exists is sufficiently robust, or perhaps sufficiently capacious, to include both the accepted, individual focus and a broader, ‘relational’ component—which accommodates within the scope of the existing right a recognition of how privacy is diminished for many individuals by infringements directed at one.
It is, of course, necessary to explain what is meant by a ‘relational’ understanding of privacy given that that term has been used to describe various aspects or models of privacy. The term relational privacy has been used elsewhere to describe: the particular expectation interests which exist between individuals under the Fourth Amendment of the United States constitution,126 the need for informed consent from members of familial groups in certain medical contexts,127 and to describe broader conceptions of privacy which depart from purely individualistic, autonomy-based understandings.128 The alternative account offered by relational privacy in this, final, iteration is the broad umbrella under which the conceptualisation offered here finds its home. Such relational accounts of privacy do not abandon the idea of autonomy on which individualistic accounts are based129 but rather seek to augment the idea of autonomy to include a conception of that value as embedded within a broader social landscape.130 The foundational claim of relational accounts is thus that what is sought—privacy—can be secured only under ‘socially supportive’ conditions and by protecting the social contexts that enable the right at issue.131 This broad understanding of relational privacy has been used, in turn, to advance a number of conceptions of the right to privacy and its attendant scope. Conceptions of relational privacy can, as intended by Rachels and Shoeman among others, refer to models which seek the protection of a diversity of relationships and the spaces which permit them to develop.132 Such conceptions of privacy, although somewhat radical in a US context, would hardly be surprising in the context of the CJEU or ECtHR’s jurisprudence which have long adopted an approach which prioritises the development of individual personality in a manner inclusive of the spaces necessary for such development.
Relational privacy in the context of this article is understood as more than the development of this zone of personal development and in keeping with what Hargreaves refers to as, ‘a proper relational account’ which ‘attempts to gauge the severity of any claimed privacy violation by analysing the harm it does to the web of relationships any individual finds herself in’.133 Hargreaves account is particularly concerned with the assessment of damage in US tort law yet it is in this understanding of relational privacy as referring to a ‘web of relationships’ and the privacy harm which can spread through that web that the decisions of the ECtHR and CJEU can be appreciated as part of a broader conceptualisation of privacy. This conceptualisation is not at odds with the individualistic tone of existing privacy guarantees, or the Courts’ broader jurisprudence, rather it acknowledges that privacy has been enshrined as an individual rather than a group right. However, it nevertheless understands privacy as a right which is socially situated and whose infringement and the associated harm caused is mitigated—or compounded—by the extent to which the harm passes from the appellant to the web on individuals with whom he or she shares a relationship. Hargreaves, in his account, argues that understandings of privacy based on distinct zones of privacy defined through individualistic choice are flawed because they rely on courts locating the a priori boundary which can limit privacy claims in order to make them justiciable as rights claims. Yet, no less than individualistic conceptions of privacy, relational conceptions must also confront challenges to their justiciability in a human rights context. In particular, they must overcome a long-standing objection to collective rights.
The concept of group or collective rights is not unknown to law. Finnis has argued that collective rights exist based on the ‘general welfare’134 whereas Miller views collective rights as jointly held rights to collective goods justified (in part) by virtue of membership of a social group.135 The threads of these understandings are drawn together as part of the most prominent and influential account of collective rights, offered by Raz.136 Raz argues, as part of his interest theory of rights, that collective rights exist ‘because an aspect of the interest of human beings justifies holding some person(s) to be subject to a duty’.137 In Raz’s interest theory, just as in a traditional Hohfeldian schema, rights protect the interests of their holders through the imposition of duties on others. As part of his theory, however, the interests in question are those of individuals (as members of a group) in a public good and the right is a right to that public good138 on the basis that that good serves their interest as members of the group. Crucially what differentiates Raz’s understanding of collective rights from the understanding of relational privacy is that collective rights as understood by Raz exist where the interest of no single member of the group in the public good at issue is sufficient by itself to justify holding another person to be subject to duty.139 Ultimately, and partly based on insufficiently individualised interests, Raz concludes there can be no right to collective goods because the number of individuals burdened by the collective interest would be disproportionate to the ends sought. In this respect, Raz’s critique echoes Waldron’s analysis. Waldron argues that the essential character of a common or public good is that it cannot be enjoyed without its communal aspect and has the benefit of the common good cannot be individually captured, collective rights cannot subsist.140 Réaume has argued in response to Raz and Waldron that their accounts rely on an overly simplistic understanding of the collective interest involved.141 In particular, although Réaume concedes there is no right to some public goods she contends this is the case because of the character of public goods as participatory in as much as they require the involvement of many to produce the good but are valuable only because of this joined involvement—and, as a result, must be held by groups rather than individuals, thus resulting in their inability to endure. This is the most central conflict which a relational conception of privacy drawing on the dicta expressed in the decisions of the CJEU and ECtHR must face. The accounts of collective rights offered by Raz and others presume that a right must be either individually actionable or collective and can see no means of making a collective right predictably justiciable. This is particularly the case where these accounts do not conscience rights which, like privacy, can encompass both individually enforced entitlements and collectively oriented objectives and impacts.
This raises a central doctrinal challenge which a relational account of privacy must overcome, namely how (and whether) a collective ‘relational’ aspect of privacy can be incorporated within the jurisprudence of rights developed by the ECtHR and CJEU. Within the scheme of the ECHR this would most readily be accomplished through a formalised analytical approach similar to that already in use as part of which the relational impacts of a purported privacy infringement are considered in gauging the harm occasioned, and (in particular) the proportionality of a measure infringing privacy under Article 8(2). Such an analytical approach addresses the criticism raised by Raz et al. regarding the appropriate threshold for justiciability premised on a Hohfeldian identification of commensurate rights and burdens by acknowledging that the right to privacy encompasses an individual enforced privacy right which is held and vindicated as part of securing a broader, relational privacy within and among social groups. In a Hohfeldian schema the central privacy rights holder (the would be applicant) holds the right as against duty bearers in the form of the State actors. In a relational conception of privacy this central rights holder is also a duty bearer as against the privacy rights of those within his or her relational group. However, as the infringement of the applicant’s privacy which negatively impacts the privacy of his or her relational group results not from the applicant’s action but rather the action of the respondent, the privacy claim of the members of the applicant’s relational group is assessed as causally emanating from the respondent and not the applicant. In this relational conception of privacy the seriousness of the infringement of the applicant’s right to privacy is assessed on the basis of the ‘contagious’ capacity of an infringement to effect privacy reductions for other members of his or her relational group. As such, the applicant acts as a duty bearer ‘in trust’—the causal node through which the privacy infringement reaches the members of his or her relational group—an actor from whom the infringement itself does not emanate but rather through whom it is transferred.
Such an approach both recognises and formalises the model of analysis employed by the ECtHR in respect of genetic privacy and endorsed, albeit implicitly, by the CJEU in communications privacy cases while echoing the approach adopted by Hargreaves in a tortious context. Looking to Hargreaves it is clear that, in calculating quantum for data protection breaches under the GDPR, and indeed in assessing whose rights under the Regulation have been infringed, a concept of relational privacy may be the approach best equipped to deal with the privacy impacts of genetic data, and indeed the networked impacts of privacy infringements in the twenty-first century more generally. More fundamentally, this model of relational privacy recognises and reconciles the historical grounding of privacy within the ECHR as a right which specifically seeks to protect group identities, the established individualistic mechanisms for the achievement of such ends, and the formative social role which privacy plays in networked, modern society.142
This approach, however, still struggles to address two central, and practical concerns raised by genetic data in private context. The first concern is that, because the group of individuals indirectly identified by the analysis of one individual’s genetic material cannot be exhaustively accounted for, the capacity to obtain consent from that group’s members is equally challenging. Even were a proportionate approach adopted in which a certain percentage of shared genetic heritage was required to classify an individual as one from whom explicit consent was required in order for genetic data to be processed such an approach would still permit the recognition of a large biological group from whom it could be impracticable to acquire consent. This poses a central challenge to the viability of consent as a basis for processing of genetic data under the GDPR by non-state actors. A relational theory of privacy rights cannot remove or resolve this concern. However, it can offer a conceptual understanding of privacy within human rights law that, in turn, can offer a new framework for how we structure and think about consent—and the uses and processes to which particularly sensitive data, such as genetic data, can be put. A conservative translation of the relational model beyond a strict human rights setting might see it endorse an understanding that relational privacy impacts be taken into consideration in assessing damages in tortious or data protection claims (as in Hargreaves account) though once more, this fails to prevent the infringement and instead seeks to compensate for its breach placing the burden for ensuring compliance on the individual who privacy has been breached—hardly a desirable outcome.
This leads to the second challenge which is that the rights and duty bearer relationship outlined above while suitable in the context of State lead infringements, falters when faced with a context in which the privacy infringement results from the ‘applicant’s’ action. So, in the case of an individual who shares genetic data with a commercial genomics company without the consent of his or her relatives, the breach in many ways is attributable to the ‘applicant’ themselves. In such circumstances the reduction in the privacy of the members of the biological group a causal result of the applicant’s action and a model premised on a ‘duty bearer in trust’ no longer seems wholly appropriate. In such circumstances then, it may be that the relational conception governing claims under Articles 7 and 8 of the Charter and Article 8 ECHR must sit alongside an acknowledgement that a relational conception of privacy as brought to bear in private contexts takes a necessarily amended form. In the context of the GDPR, for example, a plain reading of the text as suggested in section four clearly echoes in its effect the conception given voice to in the jurisprudence discussed in section five. Thus a deployment of the relational model in support of current data protection law could lend support to a reading of the GDPR which sees Article 4 of the Regulation as including within its interpretation members of the relational group as identified data subjects subject to a threshold in relation established in law.
8. CONCLUSION
Within the existing scheme of human rights both at an international and European level, the threats which genetic data poses to privacy, and the privacy of non-consenting members of a biological group, are occasionally recognised but nowhere substantively addressed. Despite this, the dicta of the ECtHR in particular, but also of the jurisprudence of the CJEU in light of its inter-dependence with the Convention, offers a nascent conception of a relational model of privacy which is inclusive of more than merely individualistic privacy structures. This conception of relational privacy could permit us to reconcile the individualistic framing, and group impacts, of the right to privacy. In particular, a relational conception, while not always specifically driven by the privacy harms generated by genetic data, holds the seeds of an approach to thinking about privacy which can address the enduring, diffuse and cumulative privacy harms posed by genetic data to members of the biological group. More fundamentally, a relational model of privacy can also offer a means of addressing the networked privacy harms—alluded to in the decisions of the CJEU—which accompany a modern, inter-connected society. Such a conception of privacy is not without complications. Practical concerns about how to identify or delineate the membership of a biological group, and the extent to which such a conception can be accommodated within secondary laws such as the GDPR remain. However, by beginning to reflect on the foundations of privacy as a right aimed at group protection, and by considering how modern developments challenge individualistic understandings of the right, we may begin to identify the path towards a conception of privacy which is, at once, true to its origins and responsive to modern challenges.
Footnotes
Lerner, Group Rights And Discrimination In International Law (2nd edn, 2003), at 7; Floridi makes a similar point see, Floridi, ‘Group Privacy: A Defence and an Interpretation’ in Floridi et al. (eds), Group Privacy, (2017) at 83 as has Mantelero, see Mantelero, ‘From Group Privacy to Collective Privacy: Towards a New Dimension of Privacy and Data Protection in the Big Data Era’ in Floridi et al. (eds), Group Privacy, (2017) at 139. More generally see, Schaff, ‘The Development of Religious Freedom’ (1884) 138 North American Review 13.
Rosen, The unwanted gaze: The destruction of privacy in America (2011); Bloustein, ‘Privacy as an aspect of human dignity: An answer to Dean Prosser’ (1964) 39 NYU Law Review 962; Rouvroy and Poullet, ‘The Right to Informational Self-Determination and the Value of Self-Development: Reassessing the Importance of Privacy for Democracy’ in Poullet et al. (eds), Reinventing Data Protection? (2009), at 45; Begum and Zysset, ‘Personal autonomy and democratic society at the European Court of Human Rights: friends or foes?’ (2013) 2 UCL Journal of Law and Justice 230.
See the discussion below at section five B.
See the discussion below at section five A.
See, Edenberg and Jones, ‘Analysing the Legal Roots and Moral Core of Digital Consent’ (2019) 21 New Media & Society 1804; Article 29 Working Party, Guidelines on Consent under Regulation 2016/679, 2017); Richards and Hartzog, ‘The Pathologies of Digital Consent’ (2019) Forthcoming Washington University Law Review; Solove, ‘Privacy Self-Management and the Consent Dilemma’ (2013) 126 Harvard Law Review 1880; Wilkinson-Ryan, ‘A Psychological Account of Consent to Fine Print’ (2014) 99 Iowa Law Review 1725; Bohme and Kopsell, ‘Trained to Accept? A Field Experiment on Consent Dialogs’ (Proceedings of the SIGCHI Conference on Human Factors in Computing Systems). The notice and consent mechanisms embodied in the GDPR are illustrative of this understanding. More generally, however, see Westin, Privacy and Freedom (1967); Jehovah’s Witness of Moscow v Russia Application No 302/02 (10 June 2010); S & Marper v United Kingdom Application No 30562/04 and 30,566/04 (4 December 2008); Schabas, The European Convention on Human Rights: A Commentary (2015), at 375 et seq; The Charter of Fundamental Rights of the European Union, 26 October 2012, 2012/C 362/02. See, Article 52 on the interpretation of the Charter in accordance with the ECtHR’s jurisprudence. See also, Christine Goodwin v United Kingdom Application No 25957/95 (11 July 2002), at para 90.
The terms used in this article are defined below in section 2. On genetic data generally see, Urquhart et al. ‘Inferring ethnic origin by means of an STR profile’ (2001) 119 Forensic Science International 17; Shriver, ‘Forensic DNA Analysis’ in Shriver (eds) Molecular Photofitting (Academic Press 2008), at 7.
Jasanoff, ‘Making the Facts of Life’ in Jasanoff (ed), Reframing Rights: Bioconstitutionalism in the Genetic Age (2011) 59.
In relation to the differentiation to be drawn between the sensitivity of various biometric data see the discussion of the 2020 decision Gaughran v The United Kingdom Application no 45245/15 (13 June 2020) below in section five A.
Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, 4 November 1950.
See infra in section six.
Griffiths and Stotz, Genetics and Philosophy: An Introduction (2013).
See, Laurie, Genetic privacy: A challenge to medico-legal norms (2002).
Amann v Switzerland Application No 27798/95 (16 February 2002), at para 65.
See the discussion of the case law in, De Hert and Gutwirth, ‘Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutionalisation in Action’ in Gutwirth et al. (eds), Reinventing Data Protection? (2009) at 45; Lynskey, ‘Deconstructing Data Protection: The “Added Value” of a Right to Data Protection in the EU Legal Order’ (2014) 63 International and Comparative Law Quarterly 569.
Bradford, The Brussels Effect: How the European Union Rules the World (Oxford University Press 2020); Róisín Á Costello, Does the European Union Set or Export Data Privacy Standards? The Regulatory Review, 13 April 2021, available at: https://www.theregreview.org/2021/04/13/costello-does-european-union-set-or-export-data-privacy-standards/ [last accessed 1 October 2021].
The Article 29 Working Party (Art. 29 WP) is the independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018 (the final date for the entry into force of the GDPR).
Article 29 Data Protection Working Party, Working Document on Genetic Data, (2004), at 9. It is notable in this respect that individuals who are genetically male reveal more about their genetic families through their genetic profiles because they possess both X and Y chromosomes, permitting matrilineal and patrilineal genetic families to be mapped. See generally, Ayday et al., ‘Whole-genome sequencing: Revolutionary medicine or privacy nightmare?’ (2015) 48 Computer 58.
Ibid, at 8.
See, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
More generally the idea of privacy as control has been advanced by Westin, Privacy and Freedom (1967), Fried, An anatomy of values: Problems of personal and social choice (1970) and Parent, ‘Privacy, Morality and the Law’ (1983) 12 Philosophy and Public Affairs 269 an understanding more recently rebutted by Allen, ‘Privacy-as-Data Control: Conceptual, Practical and Moral Limits of the Paradigm’ (2000) 32 Connecticut Law Review 861 and Schwartz, ‘Internet Privacy and the State’ (2000) 32 Connecticut Law Review 815.
Warren and Brandeis, ‘The Right to Privacy’ (1890) 4 Harvard Law Review. See, in the United Kingdom, Prince Albert v Strange Ch D 8 Feb 1849. In the subsequent English case of Gee v Pritchard (1818) 36 ER 670 this idea developed further toward what could be read as an idea of sexual privacy, recognising a privacy interest in correspondence between a deceased father and his illegitimate son on the basis of the ‘personal conduct and morals in life’ of the deceased party. More generally see, Richardson, The Right to Privacy: Origins and Influence of a Nineteenth Century Idea (2017).
Prosser, ‘Privacy’ (1960) 48 California Law Review 383; Richards and Solove, ‘Prosser’s Privacy Law: A Mixed Legacy’ (2010) 98 California Law Review 1887.
See for example, Bloustein supra n 2.
Westin, Privacy and Freedom (1967).
SW v United Kingdom, Application No 20166/92 (22 November 1995). On the place of dignity within Europe’s constitutional schema see, Dupré, ‘Human Dignity in Europe: A Foundational Constitutional Principle’ (2013) 19 European Public Law 319, at 325–26.
‘Explanations to the Charter of Fundamental Rights’ (2007) OJ C 303 17.
Rao, ‘Three Concepts of Dignity in Constitutional Law’ (2011) 86 Notre Dame Law Review 183, at 222–23.
Although an broader consideration of the use of the ICCPR an UDHR in national and international courts is beyond the scope of this article the UN General Assembly in a series of Resolutions has reaffirmed its commitment to privacy in the face of the challenges posed, in particular, by state and commercial surveillance in digital spaces and has recognised that such violations ‘may affect all individuals’ see General Assembly Resolution 34/7 of 24 March 2017 on the right to privacy in the digital age, 4. See also, General Assembly resolutions 68/167 of 18 December 2013, 69/166 of 18 December 2014 and 71/199 of 19 December 2016 on the right to privacy in the digital age and Human Rights Council decision 25/117 of 27 March 2014 and Council resolution 28/16 of 26 March 2015 on the right to privacy in the digital age.
See, Marckx v Belgium Application No 6833/74 (13 June 1979); Negrepontis-Giannisis v Greece Application No. 56759/08 (3 May 2011), at para 55; Mallah v France Application No. 29681/08 (10 November 2011), at para 31; Moustaquim v Belgium Application No 12313/86 (18 February 1991), at para 36.
K and T v Finland Application No. 25702/94 (12 July 2001), at para 150; Krušković v Croatia Application No. 46185/08 (21 September 2011), at para 18; Kroon and Others v the Netherlands Application No. 18535/91 (20 September 1994), at para 30.
Case C-400/10 PPU McB v E ECLI:EU:C:2010:258; Case C-60/00 Carpenter ECLI:EU:C:2002:434.
Recital 7 Regulation (EU) 2016/679 GDPR; Lynskey, ‘Control over Personal Data in a Digital Age’ (2015) 78 Modern Law Review 522; Lynskey, ‘The Data Retention Directive is incompatible with the rights to privacy and data protection and is invalid in its entirety: Digital Rights Ireland’ (2015) 51 Common Market Law Review 1808.
This has been developed most notably by the German Federal Constitutional Court, BVerfG Beschl v 15.12.1983 BVerfGE 65 (census decision), at 1.
See, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), Recitals 1, 4, 73, 141, 148 and 153. On the interpretative force of the Charter in respect of the GDPR see the recent decision in Case C-311/18 Schrems II EU:C:2020:559.
Bietti, ‘Consent as a Free Pass: Platform Power and the Limits of the Informational Turn’ (2019) Forthcoming Pace Law Review; Hartzog, ‘The Pathologies of Digital Consent’ supra n 5; Jones, ‘Analysing the Legal Roots and Moral Core of Digital Consent’ supra n 5; Information Commissioner’s Office, Consent: Lawful basis for processing, (2018); Solove, ‘Privacy Self-Management and the Consent Dilemma’ supra n 5.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Recital 7 states that, ‘[n]atural persons should have control of their own personal data’ whereas Recitals 68 emphasises the need to ‘further strengthen the control over his or her own data’. These are, however, merely express instances of the articulation of the Regulations foundational emphasis on individual control over the interaction with and processing of personal data.
See generally, Bates, The Evolution of the European Convention on Human Rights: From its Inception to the Creation of a Permanent Court of Human Rights (2010), at 45 and 60–65. On the right to privacy specifically see, Teitgen, Establishment of a collective guarantee of essential freedoms and fundamental rights (1949), Vol I at 220, 272 and Vol II, at 90.
See within the ECHR the prohibitions on discrimination (Article 14), rights to freedom of thought, conscience, and religion (Article 9), and freedom of assembly and association (Article 11). In the Charter of Fundamental Rights see, Articles 10 (freedom of thought, conscience, and religion), 11 (freedom of expression and information), 13 (freedom of the arts and sciences), and Chapter III (which covers various forms of equality and non-discrimination rights) of the Charter while framed as individually exercisable rights all protect group activity or identification.
See, Richardson, The Right to Privacy: Origins and Influence of a Nineteenth Century Idea (2017).
Allen and Mack, ‘How Privacy Got Its Gender’ (1990) 10 Illinois University Law Review 441, at 451–453.
Danielle Citron, ‘Sexual Privacy’ (2019) 128 Yale Law Journal 1870, at 1880.
Lerner, Group Rights And Discrimination In International Law (2nd edn, 2003).
Ibid., at 7.
Bates, The Evolution of the European Convention of Human Rights (2010), at 45.
Digglemann and Cleis, ‘How the Right to Privacy Became a Human Right’ Human Rights Law Review 14 (2014) 441; Schabas, ‘UN International Covenant on Civil and Political Rights; Nowak’s CCPR Commentary’ (2019, 3rd edn).
Teitgen, Establishment of a collective guarantee of essential freedoms and fundamental rights (1949), Vol I at 220, 272.
Ibid., Vol II, at 90; Bates, The Evolution of the European Convention on Human Rights: From its Inception to the Creation of a Permanent Court of Human Rights (2010), at 60–65.
Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, 4 November 1950.
The Charter of Fundamental Rights of the European Union, 26 October 2012, 2012/C 362/02.
See within the ECHR the prohibitions on discrimination (Article 14), rights to freedom of thought, conscience, and religion (Article 9), and freedom of assembly and association (Article 11). In the Charter of Fundamental Rights see, Articles 10 (freedom of thought, conscience, and religion), 11 (freedom of expression and information), 13 (freedom of the arts and sciences) and Chapter III (which covers various forms of equality and non-discrimination rights) of the Charter while framed as individually exercisable rights all protect group activity or identification.
Case C-400/10 PPU McB v E ECLI:EU:C:2010:258; Case C-60/00 Carpenter ECLI:EU:C:2002:434. See, Recital 7 Regulation (EU) 2016/679 GDPR; Lynskey, ‘Control over Personal Data in a Digital Age’ supra n 32; Lynskey, ‘The Data Retention Directive is incompatible with the rights to privacy and data protection and is invalid in its entirety: Digital Rights Ireland’ supra n 32.
Jasanoff, ‘Making the Facts of Life’ supra n 7.
UN Educational, Scientific and Cultural Organisation UNESCO, I’d blush if I could: closing gender divides in digital skills through education), Universal Declaration on the Human Genome and Human Rights, 11 November 1997; UN Educational, Scientific and Cultural Organisation ibid, International Declaration on Human Genetic Data, 16 October 2003.
UDHG, Article 6.
Ibid., Article 5(c).
Ibid., Articles 5(b) and 7.
IDHGD, Article 1.
Ibid, Article 2(a).
Ibid, Articles 8 and 9.
Ibid, Article 14.
Ibid, Article 7.
Ibid, Article 10.
Ibid, Articles 18 and 19.
Treaty open for signature by the member States, the non-member States which have participated in its elaboration and by the European Union, and for accession by other non-member States (04 April 1997).
IDHGD Article 5 to 9.
IDHGD Article 10, 11.
IDHGD Article 12 to 14.
IDHGD Explanatory Memorandum, [14].
Council of Europe, Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data, 28 January 1981, ETS 108.
In a provision which mirrors Article 9 OF Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR). Other European regulations including Regulation 536/2014 on clinical trials and Regulation 2017/746 on in vitro medical devices also make discreet provision for the treatment of genetic material, and data the latter Regulation making particular provision for counselling in relation to counselling associated with genetic testing. Neither Regulation, however, addresses or clarifies the group privacy implications identified here. See, Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC OJ L 158, 27.5.2014, at 1–76, Article 90 provides for a prohibition on gene therapy clinical trials which result in modifications to the subject’s germ line genetic identity; Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU OJ L 117, 5.5.2017, at 176–332 in particular Recitals 9 and 10 and Article 4(1) and (2).
Article 4 GDPR.
Recital 34 GDPR notes that genetic data should be defined as ‘personal data relating to the … genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained’.
As well as under the terms of Recitals 35, 51 and 53 GDPR. Article 9 GDPR finds further and similar expression in Article 6 of Convention 108 which provides that personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards’. Article 6 was amended in the updated Convention 108 to include genetic and biometric data. See, Council of Europe, Convention for the Protection of Individuals with Regard to the Automatic Processing Individual Data, 28 January 1981, ETS 108.
In this respect safeguards include appropriate anonymisation techniques such as those detailed in a clinical context in Quinn and Quinn, ‘Big genetic data and its big data protection challenges’ (2018) 34 Computer Law & Security Review 1000; Rodgers et al., ‘Anonymising and sharing individual patient data’ (2015) 350 British Medical Journal 1139; Shabani and Borry, ‘Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation’ (2018) 26 European Journal of Human Genetics 149. Queries have been raised, however, as to whether health and specifically genetic data can ever be anonymised given its inherent connection to one discretely and genetically unique individual see, Ptitsyn et al., ‘The development of large-scale de-identified biomedical databases in the age of genomics—principles and challenges’ (2018) 12 Human Genomics 19; Cong et al., ‘Feasibility of Reidentifying Individuals in Large National Physical Activity Data Sets From Which Protected Health Information Has Been Removed With Use of Machine Learning’ (2018) 8 Health Policy 1.
As a practical matter, the Regulation affords a significant latitude to Member States in defining how genetic data may be regulated and, as has been noted elsewhere, there has been a resulting intra-EU conflicts of laws and divergence between Member States in terms of the standards and regulations provided in respect of genetic data. See, Pormeister, ‘Genetic research and applicable law: the intra-EU conflict of laws as a regulatory challenge to cross-border genetic research’ (2018) 5 Journal of Law and Biosciences 706.
In this respect it is worth noting that the CJEU has drawn the lines of what should be considered data which personally identifies an individual very broadly, see Case C-434/16 Nowak v Data Protection Commissioner EU:C:2017:994.
Following from the decision in Case C-311/18 Schrems II, supra n 34 In that decision, the CJEU clarified (and indeed repeatedly emphasised throughout its judgment) that the GDPR must be read in light of the CFREU and the fundamental rights contained therein (see, para 94, 98–99, 101 and 105). Moreover, the Court reiterated the application of the provisions of Article 52 of the Charter as providing that the rights contained in the CFREU that correspond to rights guaranteed by the ECHR are to have the same meaning and scope as those laid down by that Convention a position strengthened by the subsequent reliance on Article 8 ECHR jurisprudence in the decision in Case C-511/18 La Quadrature du Net EU:C:2020:791.
As a result of Article 52 of the Charter of Fundamental Rights of the European Union which provides that in so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection.
Van der Velden v the Netherlands Application No 29514/05, (7 December 2006).
Ibid., at para 1.
Ibid.
Ibid., at para 2.
Ibid.
Ibid.
S & Marper v United Kingdom Application no 30562/04 and 30,566/04 (ECHR 4 December 2008), at para 104.
Ibid., at para 3–4.
Mr S was acquitted at trial and Mr Marper’s prosecution was discontinued by the Crown Prosecution Service. Ibid., at para 1.
Ibid., at para 60.
Ibid., at para 70–72.
Ibid., at para 104.
Ibid., at para 60.
Ibid., at para 66; Burghartz v Switzerland, Application No 16213/90 (22 February 1994); Ünal Tekeli v Turkey, Application No 29865/96 (16 November 2004).
S & Marper v United Kingdom, at para 30, 40 and 76. See also, Z v Finland, Application No 22009/93 (25 February 1997), at para 71.
S & Marper, at para 41.
S & Marper, at para 39 and 75.
Aycaguer v France Application no 8806/12 (22 September 2017).
Aycaguer, [33]; Marper, [75]; Leander v Sweden, Application No 9248/81 (26 March 1987), [48]; Amann v Switzerland, Application No 27798/95 (16 February 2000), [69].
Gardel, BB ad MB, Application No 5335/06, 16,428/05 and 2115/06 (17 December 2006), [62]–[63], [54].
Aycaguer (n.58), [34].
Ibid, [34]–[37], [43] citing MK v France Application No 19522/09 (April 2013), the Court found that in that case the interference in question had been in accordance with the law and pursued the legitimate aim of detecting and preventing disorder and crime and thus pursued the legitimate aim of detecting and preventing crime and despite the margin of appreciation the Court noted that no differentiation was made based on the nature or gravity of the offence committed.
Ibid., at para 45–46.
Gaughran v The United Kingdom Application no 45245/15 (13 June 2020).
Ibid., at para 87 et seq.
Ibid., at para 83–84 and 96.
Ibid., at para 96.
Ibid., at para 6.
Ibid., at para 7–9.
Ibid., at para 80.
Ibid., at para 81.
Ibid., citing S & Marper at para 75.
The Court’s recognition of the particular sensitivity of photographs and the finding that their retention amounted to a breach of Article 8 is a new development but is beyond the scope of this piece.
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger EU:C:2014:238, at para 36–37.
Similar issues were raised in Seitlinger to which the case was joined.
Joined Cases C-293/12 and C-594/12 at para 26. In its analysis, the Court was drawing on its previous decisions in Scarlet v SABAM and Breyer in which they found that dynamic IP addresses constituted personal data. Though such addresses did not directly reveal the identity of a specific individual, by combining them with additional data, an individual might be identified. See, Case C-70/10 Scarlett Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) EU:C:2011:771, at para 51; Case C-582/14 Breyer v Bundesrepublik Deutschland EU:C:2016:77, at para 16, 41–9 and more recently in the ECHR, Benedik v Slovenia, Application No 63257/14 (24 April 2018).
Joined Cases C-293/12 and C-594/12, at para 26.
Ibid., at para 27.
Ibid., at para 43–4.
Ibid., at para 51 and 59–68.
Joined Cases C-203/15 and C-698/15 Tele2 Sverige EU:C:2016:970, at para 45–7.
Ibid., at para 97.
Ibid., at para 98.
Ibid., at para 99.
Ibid.
Sacharoff, ‘The Relational Nature of Privacy’ (2012) 16 Lewis and Clark Law Review 1249.
Goldim and Gibbon, ‘Between personal and relational privacy: understanding the work of informed consent in cancer genetics in Brazil’ (2015) 6 Community Genetics 287.
Bannerman, ‘Relational privacy and the networked governance of the self’ (2019) 22 Information, Communication & Society 2187; Nissenbaum, ‘A contextual approach to privacy online’ (2011) 140 Daedelus 32.
Hargreaves, ‘Relational Privacy and Tort’ (2017) 23 William and Mary Journal of Race, Gender and Social Justice 433.
This conception of relational autonomy is perhaps best articulated by Nedelsky see, Nedelsky, ‘Reconceiving Autonomy: Sources, Thoughts and Possibilities’ (1989) 1 Yale Journal of Law and Feminism 7, at 8–10; Nedelsky, Law’s Relations: A Relational Theory of Self, Autonomy, and Law (2011), at 3. This account is one which very much aligns with Friedman’s views on the capacity of individuals to develop autonomy only through social interactions with other persons. See, Friedman, ‘Autonomy, Social Disruption, and Women’ in Mackenzie and Stoljar (eds), Relational Autonomy: Feminist Perspectives on Autonomy, Agency and the Social Self (2000) 37. More recent accounts have sought to ground relational privacy in distinct heritages which can reconcile Western understandings of privacy with indigenous or regional frameworks see, Reviglio and Alunge, ‘I Am Datafied Because we are Datafied: an Ubuntu Perspective on (Relational) Privacy’ (2020) 33 Philosophy & Technology 595; Ma, ‘Relational privacy: Where the East and the West could meet’(2019) 56 ASIS&T 196.
Hargreaves, ‘Relational Privacy and Tort’ supra n 130.
Rachels, ‘Why Privacy is Important’ in Ferdinand David Schoeman (ed), Philosophical Dimensions of Privacy: An Anthology (1984), at 292; Schoeman, ‘Privacy and Intimate Information’ in Schoeman (ed), Philosophical Dimensions of Privacy: An Anthology (1984), 404; Hargreaves, ‘Relational Privacy and Tort’ supra n 32, at 462. To some extent Schwartz supports an implicitly but de minimis relational view see, Schwartz, ‘Internet Privacy and the State’ (2000) 32 Connecticut Law Review 815 as does Allan in a critical account of both Schwartz and the broader notion of privacy as control only, see Allen, ‘Privacy-as-Data Control: Conceptual, Practical and Moral Limits of the Paradigm’ (2000) 32 Connecticut Law Review 861. Separately, Nissenbaum has conceived of a network privacy see, Nissenbaum, ‘A contextual approach to privacy online’ supra n 129.
Hargreaves, ‘Relational Privacy and Tort’, n 130 at 463. See also, Cohen, ‘Rethinking Privacy: The Abortion Controversy’ in Weintraub and Kumar (eds), Public and Private in Thought and Practice: Perspectives on a Grand Dichotomy (1997), at 153; Hargreaves, ‘Relational Privacy and Tort’, supra n 130 at 462–4; Anderson and Honneth, ‘Autonomy, Vulnerability, Recognition, and Justice’ in Christman and Anderson (eds), Autonomy and the Challenges to Liberalism: New Essays (2005), at 130.
Finnis, Natural Law and Natural Rights (2011), at 214–18. A view endorsed by Newman, ‘Collective Interests and Collective Rights’ (2004) 49 American Journal of Jurisprudence 127.
Miller, ‘Collective Rights’ (1999) 13 Public Affairs Quarterly 331.
Understood as aspects of the individuals’ well-being, Joseph Raz, The Morality of Freedom (1988), at 208.
Ibid.
In this respect, Regan has long argued that privacy (by analogy to water and other common resources) is a common good in social contexts see, Regan, Legislating Privacy: Technology, Social Values and Public Policy (1995); Regan, ‘Privacy as a Common Good in the Digital World’ (2010) 5 Information, Communication & Society 382.
Raz, The Morality of Freedom, at 210.
Waldron, ‘Can communal goods be human rights?’ (1987) 28 European Journal of Sociology 296; Réaume, ‘Individuals, Groups and Rights to Public Goods’ (1988) 38 University of Toronto Law Journal 1.
Réaume, ‘Individuals, Groups and Rights to Public Goods’, at 10. In accordance with this theory in cases involving goods whose production requires the actions of many and which are valuable only because of the joint involvement of many, and the good is thus the participation itself.
Nissenbaum, ‘A contextual approach to privacy online’; Nissenbaum, ‘Contextual Integrity Up and Down the Data Food Chain’ (2019) 20 Theoretical Inquiries in Law 221; Nissenbaum, Privacy in Context: Technology, Policy and the Integrity of Social Life (2010).
