There is a tendency to deal with the right to data protection as an expression of the right to privacy, but the distinction between both rights in the EU Charter of Fundamental Rights is not purely symbolic.
A closer appreciation of the jurisprudence of the European Court of Human Rights and the Court of Justice of the European Union shows that despite substantial overlaps there are also important differences, in particular with regard to the scope of both rights and their limitation.
The Court of Justice of the European Union in Luxembourg (the Luxembourg Court or CJEU) in the Bavarian Lager case reasoned that compared with the right to privacy, the EU rules on data protection create a specific and reinforced system of protection.1 This finding is based on EU secondary legislation and does not yet take into account the fundamental right to data protection enshrined in the Charter of Fundamental Rights of the European Union that has meanwhile become a binding part of EU primary law. Both legal developments raise the question of whether the fundamental right to data protection is only a subset of the right to privacy, or whether it also provides additional protection. This article discusses the relevant jurisprudence of Europe's two highest courts, the European Court of Human Rights in Strasbourg (the Strasbourg Court or ECtHR) and the CJEU, with regard to the differences between privacy and data protection. Though both courts tend to treat data protection as an expression of the right to privacy, the specifics of each right must be respected.
Before turning to the case law, it is necessary to address the two underlying systems of fundamental rights protection, as well as the specific provisions on privacy and data protection within these two systems. Afterwards we will examine the interpretation of the two rights by the two courts and highlight the differences between them. Finally, we will attempt to illustrate the differences and overlaps between privacy and data protection using the example of the pending Google and Google Spain case.
The Convention and the Charter
There are two distinct but related systems to ensure the protection of fundamental and human rights in Europe.
The first system is that of the European Convention on Human Rights, an international agreement between the 47 States of the Council of Europe. All member states of the EU are part of this organization, but it also includes third states such as Switzerland, Russia, and Turkey. While the accession of the European Union to the Convention is currently under negotiation,2 the Convention itself dates back to 1950. The final arbiter on the Convention is the European Court of Human Rights, which hears complaints by individuals on alleged breaches of human rights by signatory states.
The second system is based on the jurisprudence of the Court of Justice of the European Union, which guarantees the protection of fundamental human rights within the EU. Respect of these rights is part of the constitutional principles of the EU.3 Initially the CJEU developed these rights as general principles of EU law in close alignment with the Convention system, but by now most guarantees are laid down in the Charter of Fundamental Rights of the European Union.4
Both systems are closely linked and already today interpretation of the Charter follows that of the Convention,5 even though the EU is not yet a party to the Convention. Moreover, the interpretation of the Convention by the Strasbourg Court is taken into account by the Luxembourg Court.6
The provisions on privacy and data protection
While the US Constitution does not explicitly mention privacy or data protection, protection of both rights is explicitly established at the constitutional level in Europe: in addition to national constitutions, both the European Convention and the Charter of Fundamental Rights have a provision on privacy. Article 8 of the Convention and similarly Article 7 of the Charter provide that everyone has the right to respect for his or her private and family life, home, and communications. In addition, the right to respect for private life had been and continues to be protected as a general principle of EU law.7
However, quite confusingly, another Article 8, namely Article 8 of the Charter, specifically addresses the fundamental right to the protection of personal data. There is no corresponding provision on data protection in the Convention, and another Convention of the Council of Europe, the Data Protection Convention or Convention 108,8 that specifically addresses the protection of personal data does not, in principle, fall under the jurisdiction of the Strasbourg Court. Nevertheless this Court has applied Article 8 of the European Convention on Human Rights (covering the right to privacy) to give rise to a right of data protection as well.9
In contrast, Article 8 of the Charter not only distinguishes data protection from privacy, but also lays down some specific guarantees in paragraphs 2 and 3, namely that personal data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or on some other legitimate basis laid down by law; that everyone has the right of access to data which have been collected concerning him or her, and the right to have it rectified; and that compliance with these rules shall be subject to control by an independent authority.
Already it can be seen from the provisions in the Charter dealing with privacy and data protection that these two rights are not completely synonymous.
Jurisprudence on privacy
In spite of the distinction between privacy and data protection laid down in the Charter, the jurisprudence has justifiably considered privacy to be at the core of data protection.
The scope of privacy
According to both Courts, the term ‘private life’ must not be interpreted restrictively. The Luxembourg Court interprets the jurisprudence from Strasbourg as meaning that ‘private life’ includes the protection of personal data, being defined as any information relating to an identified or identifiable individual.10 This is the very broad definition of personal data given by the EU Data Protection Directive11 and the Data Protection Convention of the Council of Europe.
At first glance this reading of the Strasbourg jurisprudence seems correct, in particular because the European Court of Human Rights has emphasized the correspondence of a broad interpretation of the term ‘privacy’ in the European Convention on Human Rights with the Council of Europe Data Protection Convention.12 However, on closer inspection, it appears that Strasbourg requires an additional element of privacy in order for personal information to be included in the scope of private life. In the Rotaru case the Strasbourg Court stressed that the personal information in question went back a long time and was systematically collected and stored.13 This case concerned files established by communist security services in Romania that were still used after the transition to democracy and the rule of law. In the recent M.M. case the same Court explained that information about a criminal conviction or caution becomes part of the person's private life as the event recedes into the past.14 This case concerned a caution issued by the police thirteen years before it was communicated to a prospective employer.
Can it be assumed, e contrario, that the information on the police caution was not protected under the right to privacy before the event had receded into the past? Or would a less systematic collection and storage of personal data by security services not affect private life under the Strasbourg system?
The Luxembourg Court has not yet added these potential qualifications to the definition of private life. But it expresses similar tendencies when it mentions that relevant information relating to the income of individuals demonstrates an interference with their private life,15 or that professional activities also fall within its scope.16
Interference with privacy and justification
The collection, storage, or disclosure of information relating to private life interferes with the right to privacy.17 Interference requires justification; that is, under Article 8 of the Convention on Human Rights it must be in accordance with the law, it must pursue one or more legitimate aims and, in addition, it must be ‘necessary in a democratic society’ to achieve those aims.
In accordance with the law
A key requirement for a sufficient legal basis is that the interference is foreseeable. Rules of a very general nature do not meet this standard.18 On the contrary, a legal basis for the collection, storage, and disclosure of personal information must lay down the limits of these powers, and in particular the necessary safeguards against abuse and disproportionate measures.19 In the M.M. case the Court of Human Rights summed this up as follows:
(T)he greater the scope of the recording system, and thus the greater the amount and sensitivity of data held and available for disclosure, the more important the content of the safeguards to be applied at the various crucial stages in the subsequent processing of the data.20
As regards the legitimate aim to be pursued by the interference with privacy, the Convention lays down a limited list of admissible grounds in Article 8(2), namely the interests of national security, public safety, the economic well-being of the country, the prevention of disorder or crime, the protection of health or morals, and the protection of the rights and freedoms of others.
The EU Charter is phrased more openly, and allows for objectives of general interest recognized by the Union and for the need to protect the rights and freedoms of others.21 Therefore, the Court of Justice has recognized the transparency of the use of public funds as a legitimate objective for the publication of agricultural subsidies to individual farmers, since it found that such publication contributes to the appropriate use of public funds, and enables citizens to participate more closely in the public debate about agricultural policy.22 Transparency as such is not mentioned as one of the legitimate aims that can justify interference with the right to privacy under the Convention on Human Rights, but it cannot be excluded that as a foundation of informed debate it will come within the scope of the freedom of expression of others.23
Necessary in a democratic society
The most difficult test of any justification is whether the interference is necessary in a democratic society. The Strasbourg Court maintains that any interference must be supported by relevant and sufficient reasons and must be proportionate to the legitimate aim or aims pursued. In this connection, it considers that the national authorities enjoy a margin of appreciation, the scope of which will depend not only on the nature of the legitimate aim pursued but also on the particular nature of the interference involved.24 The Strasbourg Court considered, for example, that it was disproportionate to keep information related to political activities that happened more than 30 years earlier in a secret police register.25 The same applies to information about being a member of a radical political party if this party has not employed illegal means in over 30 years of political activity.26
The EU Court of Justice recently took a more procedural approach. It did not exclude that the publication of agricultural subsidies to individual farmers might be proportionate, but stressed repeatedly that the legislator had not demonstrated that it sought to strike a fair balance between the interests of the farmers and the aim of transparency.27
Data protection in the relevant jurisprudence
We will now examine the right to data protection in the jurisprudence of the Court of Justice and the Court of Human Rights.
The scope of data protection
A first distinction between privacy and data protection lies in the scope of both rights.
This begins with the substantive scope, meaning the information covered by the respective right. We have seen that private life does not necessarily include all information on identified or identifiable persons. However, data protection covers exactly this information. This wider scope results from the definition of personal data in the Data Protection Convention and the Data Protection Directive. Both are mentioned in the official explanations to Article 8 of the Charter, and therefore must be taken into account in its interpretation.28 Consequently, in this regard the scope of data protection is broader than the scope of privacy.
However, as regards the personal scope, the European Court of Justice has excluded legal persons from data protection,29 though they can rely on the right to privacy.30 It is difficult to base this exclusion on the wording of the Charter, as both privacy and data protection are granted to ‘everyone’. However, the definition adopted by the Luxembourg Court results from Article 2(a) and Recital 2 of the Data Protection Directive, which limit data protection to natural persons. The Convention on Data Protection seems to be more ambiguous in this regard, as it refers to ‘individuals’ in Article 2(a). But the similarly binding French version of the Convention uses the clearer term ‘personne physique’ that also excludes legal persons.
Another aspect of the personal scope concerns the responsibilities of private parties. EU data protection law puts similar obligations with regard to the processing of personal information on public authorities and private parties. However, these obligations do not directly result from Articles 7 or 8 of the Charter, but from the Data Protection Directive. While the fundamental rights to privacy and data protection as set forth in the Charter are framed with sufficient openness to allow for the obligations of private parties, their context suggests that they only address public authorities. According to Article 51(1) of the Charter, its provisions are addressed to the institutions, bodies, offices, and agencies of the Union and to the Member States when they are implementing EU law.31 Thus it appears that in EU law neither the right to privacy nor the right to data protection as contained in the Charter directly creates obligations for private parties.32
For the European Convention on Human Rights, the situation is even clearer, because under Article 1 the Contracting Parties, not individuals, are responsible. However, the European Court of Human Rights has recognized that positive obligations of these states are inherent in an effective respect of certain Convention rights, in particular with regard to the respect of private life, and that these obligations may involve the adoption of measures designed to secure respect for private life even in the sphere of the relations of individuals between themselves.33
In view of the extensive processing of personal data by private parties such as employers, service providers, and advertisers, this concept should also apply to data protection.34 Thus, in principle horizontal obligations under data protection law can be justified as a way to discharge these positive obligations.35 Consequently, in file sharing cases, the Luxembourg Court has underlined the need to find a fair balance between the protection of intellectual property and the protection of the personal data of Internet users.36 Nevertheless, from the perspective of human rights, it merits further discussion as to whether EU secondary data protection legislation imposes a similar obligation on public authorities and private parties. After all, fundamental human rights primarily aim to limit the actions of public authorities in order to protect the activities of private parties, including the processing of personal data, from state interference.37
Authorized processing and limitations on data protection
Another distinction between privacy and data protection can be found with regard to permissible interferences. The reader will remember that the first sentence of Article 8(2) of the Charter provides that personal data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or on some other legitimate basis laid down by law. If these conditions are met there is no interference with the right to data protection,38 though collection, storage, or disclosure of such data may still interfere with private life and therefore require justification.39 Obviously, in most cases such justification should be easy, if the conditions of authorized processing are met.
The application of the general limitations of fundamental rights under Article 52(1) of the Charter to data protection poses more interesting questions. According to this provision, limitations must be provided for by law, must respect the essence of the affected right and, subject to the principle of proportionality, must be necessary and genuinely meet the objectives of general interest recognized by the European Union or the need to protect the rights and freedoms of others. Can these limitations justify the unfair processing of personal data or the processing for purposes that are not covered by the legal basis for their collection?
Criminal investigations, mentioned in Article 13(1)(d) of the Data Protection Directive as grounds for exceptions, illustrate that such processing may be defensible. It is easy to imagine a genuine need for the collection of information under false premises in order to investigate certain crimes, even though this cannot be considered a fair processing of data. In other cases it may be necessary to rely on information that was not collected for the specified purpose of criminal investigations. It is also obvious that the right of access to personal data, as provided by the second sentence of Article 8(2) of the Charter, could seriously compromise on-going investigations, if it was not subject to justified limitations.
Therefore, there is room to apply the general limitations to data protection. However, in applying these general limitations the specific risks associated with the processing of personal data must be taken into account. In this regard it is useful to recall the yardstick of the M.M. case on privacy. In that case, the ECtHR explained that ‘the greater the amount and sensitivity of data held and available for disclosure, the more important [is] the content of the safeguards to be applied at the various crucial stages in the subsequent processing of the data’.40 Consequently, a general reference to public security is not sufficient to justify limitations on data protection. The limitations must be both clearly defined, and necessary and proportionate. Perhaps the Court of Justice will address some of these issues in a currently pending case on private detectives.41
Nevertheless, there is one guarantee associated with data protection where a limitation seems very difficult to justify, namely the control of compliance by an independent authority as foreseen by Article 8(3) of the Charter. The Court of Justice has repeatedly underlined the importance of such independence.42
Of course, there may be security concerns associated with certain instances of data processing, for example if they are related to the investigation of terrorism or espionage. In such cases the necessary access by independent authorities poses the risk that confidential data may be disclosed. However, even in such cases it should be possible to identify persons who can be entrusted with the independent control of data protection and the maintenance of confidentiality at the same time.43
The Google case—a practical example
The pending Google and Google Spain case44 can serve as an illustration to highlight the importance of the distinction between privacy and data protection. However, the following remarks should be taken with a great deal of caution concerning the actual Google case before the Court of Justice, since only some of its elements are relevant here and we do not attempt to resolve the questions posed in that case.
First, a brief description of the facts of that case: as described in a Google blog post,45 the company was asked to remove links from its search results that refer to a legal notice published in a newspaper. The notice, announcing houses being auctioned off as part of a legal proceeding, is required under Spanish law and includes factually correct information, including the identity of the owner, that is publicly available on the newspaper's website. Reuters reported that the auction was held because of non-payment of social security contributions.46 As this is a dispute between private parties, rights under the Charter are not directly applicable, but may influence interpretation of the Data Protection Directive that in turn is relevant for application of the Spanish implementing legislation.
If we analyse this dispute as a privacy matter, the first issue to resolve is whether personal information legally published on the Internet in the archive of a newspaper concerns the ‘private life’ of the persons concerned. In spite of its relationship to an identified person there is no legitimate expectation that it will not be accessed without consent.47 It would be in line with the Rotaru case and the M.M. case from the Court of Human Rights referred to earlier to exclude such information from the scope of ‘private life’. In this case, any potential interference with the right to privacy would not result from Google's service, but from publication of the information by the newspaper.
However, if it is assumed that ‘private life’ is affected, the discussion will turn to the question of whether the interference with privacy can be justified. This would involve an examination of the requirements of a democratic society, and whether the activities of a search engine fall under the freedom to impart information protected by Article 10 of the Convention and Article 11 of the Charter. In the end, the competing values would need to be balanced, taking into account the importance of the information in question48 and the legitimate expectations of privacy in this situation. This balancing exercise could reasonably lead to the conclusion that, in principle, search engines are entitled to catalogue the publicly accessible Internet and assist in finding any information available on it, while privacy concerns should be dealt with between the person concerned and the publisher of the information on the Internet.
By contrast, the rules on the protection of personal data highlight the interference with the rights of the individual. There is no doubt that the case falls within the scope of data protection: Google's search engine processes personal information when it provides a link to the newspaper archive and an excerpt of the information stored there. Therefore, Article 8(2) of the Charter raises the question of whether this processing is fair and in line with the specified purpose of the publication in the newspaper. Initially, the notice about the auction and its propagation (including that by search engines) seem to fall within a specific and legitimate purpose, namely the distribution of information about the auction to attract as many potential bidders as possible. It is less clear whether this purpose remains valid after the auction has been conducted.
However, it could be argued that any information that is put on the Internet comes with the specific purpose of being processed by search engines, in particular if the website does not block them.49 Under this reasoning, one would again arrive at the conclusion that any complaints should be directed towards the newspaper and not towards Google. Whether the relevant transposition of the Data Protection Directive applies to newspapers is another question. It cannot be excluded that in certain member states the exemptions or derogations for journalistic activities allowed under Article 9 of the Directive exclude actions based on data protection law for such cases, though this does not seem to pose a problem in Spain.50
These are considerations that could also be taken into account in the balancing exercise required under the right to privacy, but that are brought into particular relief in the context of the specific requirements of the right to data protection.
We would like to conclude by summing up the main points made in this article:
First, privacy and the protection of personal data are closely linked in the jurisprudence of the European Court of Human Rights and the Court of Justice of the European Union, but they should not be considered to be identical.
Secondly, there are considerable overlaps in the scope of both rights, but also some areas where their personal and substantive scope diverge.
Thirdly, the requirements that personal data must be processed fairly and for a specified purpose cover many instances where an interference with privacy would have to be justified. These specific requirements of data protection help to focus the debate on areas that are particularly susceptible to interference with fundamental rights.