Skip to main content Accessibility help
×
Home

The Essence of the Fundamental Rights to Privacy and Data Protection: Finding the Way Through the Maze of the CJEU’s Constitutional Reasoning

  • Maja Brkan

Abstract

In the constitutional shaping of the concept of essence of fundamental rights, the case law of the Court of Justice of the EU (“CJEU” or “the Court”) in the field of privacy and data protection plays a crucial role. The Court’s interpretation of this notion had a considerable impact not only jon perception of the essence in other fields of law, but also on the constitutional doctrine more generally. This Article focuses on specificities of the notion of essence of fundamental rights to privacy and the protection of personal data from Articles 7 and 8 of the Charter of Fundamental Rights of the EU. After a general analysis, situating this notion into the framework of multi-level protection of fundamental rights in Europe, the Article addresses further interpretative challenges relating to the essence in the Court’s case law. At the core of the analysis are the Schrems and Digital Rights Ireland cases, where the CJEU developed, for the first time, the modalities of the breach of essence of fundamental rights to privacy and data protection and laid down constitutional foundations for interpretation of this notion. Further jurisprudence, including the Tele2 Sverige and Opinion 1/15 cases, is analyzed as an example of fine-tuning of the CJEU’s approach towards the normative understanding of this concept. Against this backdrop, the Article elaborates on the importance of insights in the fields of privacy and data protection for the general constitutional understanding of the concept of essence and proposes a generalized method for determination of infringement of essence in fundamental rights jurisprudence.

  • View HTML
    • Send article to Kindle

      To send this article to your Kindle, first ensure no-reply@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about sending to your Kindle. Find out more about sending to your Kindle.

      Note you can select to send to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be sent to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

      Find out more about the Kindle Personal Document Service.

      The Essence of the Fundamental Rights to Privacy and Data Protection: Finding the Way Through the Maze of the CJEU’s Constitutional Reasoning
      Available formats
      ×

      Send article to Dropbox

      To send this article to your Dropbox account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Dropbox.

      The Essence of the Fundamental Rights to Privacy and Data Protection: Finding the Way Through the Maze of the CJEU’s Constitutional Reasoning
      Available formats
      ×

      Send article to Google Drive

      To send this article to your Google Drive account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Google Drive.

      The Essence of the Fundamental Rights to Privacy and Data Protection: Finding the Way Through the Maze of the CJEU’s Constitutional Reasoning
      Available formats
      ×

Copyright

This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by-nc/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.

Footnotes

Hide All
*

Associate Professor, Faculty of Law, Maastricht University. The author is grateful to Christopher Docksey, Christopher Kuner, and Hielke Hijmans for their comments during the “meet the author” event titled “In search of the concept of essence of EU fundamental rights through the prism of data privacy,” organized by the Brussels Privacy Hub on April 20, 2018. Furthermore, the author would like to thank the organizers—Mark Dawson, Orla Lynskey, and Elise Muir—and participants of the conference “The Essence of Fundamental Rights in EU Law,” held on May 17-18, 2018 in Leuven, for their observations on an earlier draft of this paper.

Footnotes

References

Hide All

1 Charter of Fundamental Rights of the European Union, Oct. 26, 2012, 2012 O.J. (C 326) 391 [hereinafter Charter].

2 Hereinafter “CJEU” or “the Court.”

3 See ECJ, Case C-362/14, Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:650, Judgment of 6 October 2015.

4 The analysis of the distinction between the two fundamental rights exceeds the scope of this chapter. For discussion in the doctrine, see Orla Lynskey, The Foundations of EU Data Protection Law 91, et seq., (2015); Maria Tzanou, Data protection as a fundamental right next to privacy? ‘Reconstructing’ a not so new right, 3 Int’l Data Privacy L. 88–99 (2013); Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU 268 et seq. (2014); Aidan Forde, The Conceptual Relationship Between Privacy and Data Protection, 1 Cambridge L. Rev. 135–49 (2016); Maja Brkan, Courts, Privacy and Data Protection in the Digital Environment 13–17 (Maja Brkan & Evangelia Psychogiopoulou eds., 2017).

5 ECJ, Joined Cases 293 & 594/12, Digital Rights Ireland v. Minister for Commc’n, ECLI:EU:C:2014:238, Judgment of 8 April 2014.

6 Schrems, Case C-362/14.

7 ECJ, Case C-203/15 Tele2 Sverige AB v. Post-och telestyrelsen et al., ECLI:EU:C:2016:970, Judgment of 21 December 2016.

8 Case Opinion 1/15, ECLI:EU:C:2017:592, Judgment of 26 July 2017.

9 This section draws inspiration from and builds upon the author’s previous work on the concept of essence of fundamental rights. See Maja Brkan, The Concept of Essence of Fundamental Rights in the EU Legal Order: Peeling the Onion to its Core, 14 Eur. Const. L. Rev. 332–68 (2018).

10 See generally Takis Tridimas & Giulia Gentile, The Essence of Rights: An Unreliable Boundary?, 20 German L.J. 794 (2019).

11 Eike von Hippel, Grenzen und Wesensgehalt der Grundrechte (1965); Christoph Enders, BeckOK Grundgesetz 36 (Volker Epping & Christian Hillgruber eds., 2018), paras. 19 et seq.; Barbara Remmert, Grundgesetz-Kommentar, 81 (Theodor Maunz & Günther Dürig eds., 2017), paras. 1 et seq.

12 M.E. Casas Baamonde et. al., Comentarios a la Constitución Española, 1167–68 (2008).

13 J.J. Gomes Canotilho & V. Moreira, Constituição da República Portuguesa Anotada, 394–95 (4th ed. 2007).

14 H. Küpper, Die ungarische Verfassung nach zwei Jahrzehnten des Übergangs, 92 (2007).

15 J. Drgonec, Ústava Slovenskej Republiky: Komentár, 291–92 (3d ed. 2012).

16 See, e.g., Eesti Vabariigi põhiseadus [Constitution] June 28, 1992, art. 17(2) (Est.); Grundegesetz [GG] [Basic Law], art. 19(2) (Ger.), translation at http://www.gesetze-im-internet.de/englisch_gg/englisch_gg.html; Magyarország Alaptörvénye [The Fundamental Law of Hungary], Alaptörvény, art. I(3); Konstytucja Rzeczypospolitej Polskiej [Constitution] Apr. 2, 1997, art. 31(3) (Pol.); Constitution of the Portuguese Republic, Apr. 25, 1974, art. 18; Constitutia României [Constitution] Dec. 8, 1991, art. 53(2) (Rom.); Ústava Slovenskej republiky [Constitution] Oct. 1, 1992, art. 13(4) (Slovk.); C.E., B.O.E. n. 311, Dec. 29, 1978, art. 53.1 (Spain). For third countries, see notably Art. 28, Constitución Nacional [Const. Nac.] (Arg.); Constitution of the Republic of Namibia, Feb. 9, 1990, art. 22(a); Bundesverfassung [BV] [Constitution] Apr. 18, 1999, SR 101, art. 36 (Switz.); Türkiye Cumhuriyeti Anayasası [Constitution] Nov. 7, 1982, art. 13 (Turk.).

17 See J. Kokott, Handbuch der Grundrechte in Deutschland und Europa, 891 (D. Merten & H. J. Papier eds., Müller, 2004) (pointing out that the notion of essence of constitutional rights in the Austrian constitutional order was recognized by the Austrian constitutional court); Hutten-Czapska v. Poland, App. No. 35014/97, para. 12 (June 19, 2006) (referencing the judgment of Polish Constitutional Court of 12 January 2000); S.T.C., Nov. 7, 2007 (No. 236) (Spain). See also S.T.C., Apr. 8, 1981 (No. 11) (Spain); Tribunal Constitucional Portugal, Oct. 22, 2011, No. 460/2011 (2011); Tribunal Constitucional Portugal, May 4, 1999, No. 254/99 (1999).

18 Robert Alexy, A Theory of Constitutional Rights, 193 (2004) (advocating this approach).

19 See, e.g., Walter Leisner, Grundrechte und Privatrecht 155 (1960); H. J. Papier, Grundgesetz-Kommentar 81 (Theodor Maunz & Günther Dürig eds., 2017), paras. 332 et seq.

20 Brkan, supra note 9, at 336–37.

21 See J. Rivers, Proportionality and Variable Intensity of Review, 65 Cambridge L.J. 174, 187 (2006) (explaining this theory further); Aharon Barak, Proportionality: Constitutional Rights and their Limitations 498 (2016); G. Van der Schyff, Conflicts Between Fundamental Rights 135 (E. Brems ed., 2008).

22 Rivers, supra note 21, at 184.

23 See J. Jiménez Campo, Derechos fundamentales: conceptos y garantías 22 (1999) (supporting this theory); Walter Leisner, Grundrechte und Privatrecht 155 (1960) (same); J. Kokott, Handbuch der Grundrechte in Deutschland und Europa 892 (D. Merten & H. J. Papier eds., 2004) (same).

24 Alexy, supra note 18, at 196.

25 Aharon Barak, Proportionality: Constitutional Rights and their Limitations (2016).

26 Emphasis added.

27 Brkan, supra note 9, at 337–38, 359.

28 Brkan, supra note 9, at 360, 368.

29 Brkan, supra note 9, at 360.

30 A scale of different types of interferences with a fundamental right can be established—namely: a particularly serious unjustified interference; an unjustified interference; a justified interference; and no interference.

31 Brkan, supra note 9, at 360.

32 For cases using this concept, see, e.g., ECJ, Case C-4/73, Nold KG v. Comm’n, ECLI:EU:C:1974:51, Judgment of 14 May 1974, para. 14; ECJ, Case C-44/79, Hauer v. Land Rheinland-Pfalz, ECLI:EU:C:1979:290, Judgment of 13 Dec. 1979, paras. 23, 30; ECJ, Case C-265/87, Schräder v. Hauptzollamt Gronau, ECLI:EU:C:1989:303, Judgment of 11 July 1989, para. 15; ECJ, Case C-292/97, Karlsson, ECLI:EU:C:2000:202, Judgment of 13 Apr. 2000, para. 45; ECJ, Case C-274/99 P, Connolly v. Comm’n, ECLI:EU:C:2001:127, Judgment of 6 Mar. 2001, para. 111.

33 See Explanations relating to the Charter of Fundamental Rights, 2007 O.J (C 303) 17, 32 (citing Karlsson, Case C-292/97 at para. 45).

34 Brkan, supra note 9, at 337. It is to be noted, however, that the notion of “very substance” also persists in the post-Charter case law. See, e.g., ECJ, Case C-383/13 PPU, G. & R., ECLI:EU:C:2013:533, Judgment of 10 Sept. 2013, paras. 32–33 (reference to the notion of very substance); Case C-418/11, Texdata Software, ECLI:EU:C:2013:588, paras. 71–77, 84 (same); Case C-416/10, Križan, ECLI:EU:C:2013:8, paras. 111–116 (same); Case C-314/12, UPC Telekabel Wien, ECLI:EU:C:2014:192, paras. 47, 51 (same). See ECJ, Case C-190/16, Fries, ECLI:EU:C:2017:513, Judgment of 5 July 2017, para. 75 (using the wording “actual substance”). See also id. at para. 73 (using the very substance formulation while citing previous cases). The use of “actual substance“ seems to be the consequence of a somewhat imprecise translation of the French “substance même,” given that the CJEU judgments are drafted in French. The version of the judgment in the language of the procedure—German—uses the notion of essence—Wesensgehalt. On interchangeability of “essence” and “very substance,” see also Koen Lenaerts, Limits on Limitations: The Essence of Fundamental Rights in the EU, 20 German L.J. 779 (2019).

35 Digital Rights Ireland, Joined Cases 293 & 594/12.

36 Schrems, Case C-362/14.

37 ECJ, Case C-426/11, Alemo-Herron v. Parkwood Leisure Ltd., ECLI:EU:C:2013:521, Judgment of 18 July, 2013, paras. 35–36.

38 See ECJ, Case C-555/07, Kücükdeveci v. Swedex GmbH & Co. KG, ECLI:EU:C:2010:21, Judgment of 19 Jan. 2010, paras. 21, 27, 32, 43, 50, 51, 53, 55, 56 (using the notion of secondary law giving expression to the principle of non-discrimination on grounds of age); Elise Muir, The Fundamental Rights Implications of EU Legislation: Some Constitutional Challenges, 51 Common Mkt. L. Rev. 219, 223–26 (2014). See also id. at 232 (viewing EU data protection legislation as an “interesting test-case” of such expression); Lynskey, supra note 4, at 36.

39 Admittedly, it could potentially be argued that the EU citizen could still rely on this fundamental right as a general principle of EU law.

40 Schrems, Case C-362/14 at para. 95.

41 ECJ, Case C-207/16, Ministerio Fiscal, ECLI:EU:C:2018:788, Judgment of 2 Oct. 2018, paras. 51–62.

42 Id. at paras. 52–53. A core issue in the case was whether the interference with Articles 7 and 8 of the Charter was sufficiently serious for the access of public authorities to be limited.

43 Brkan, supra note 9, at 363.

44 I am grateful to Christopher Docksey for the useful insight on using the wording “makes it impossible to exercise.”

45 ECJ, Case C-258/14, Florescu v. Casa Judeţeană de Pensii Sibiu, ECLI:EU:C:2017:448, Judgment of 13 June 2017, para. 55; ECJ, Case C-129/14 PPU, Germany v. Spasic, ECLI:EU:C:2014:586, Judgment of 27 May 2014, para. 58; ECJ, Case C-73/16, Puškár v. Finančné riaditeľstvo Slovenskej republiky, ECLI:EU:C:2017:725, Judgment of 27 September 2017, para. 64.

46 Brkan, supra note 9, at 363.

47 The argument is built on the assumption that the Charter applies. Given the existence of EU legislation in the field of asylum, it is possible to fulfil the requirement of ”implementing Union law”—under Article 51(1) of the Charter—and to establish the applicability of the Charter. See, e.g., Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on Common Procedures for Granting and Withdrawing International Protection, 2013 O.J (L 180) 1, 60.

48 See The Right to Asylum is not a Right to Global Social Health Care, Center for Fundamental Rights (Sept. 28, 2016), http://alapjogokert.hu/en/2016/09/28/the-right-to-asylum-is-not-a-right-to-global-social-health-care-2/ (last visited July 5, 2019).

49 It is somewhat surprising that the values enshrined in Article 2 TEU—democracy being one of them—is not among the provisions expressly mentioned by the Explanations to the notion of “objectives of general interests” in Article 52(1) of the Charter. But—as Peers and Prechal correctly point out—the list of Treaty articles referred to in the Explanations is not exhaustive. See Steve Peers & Sacha Prechal, The EU Charter of Fundamental Rights: A Commentary 1475 (Steve Peers et al. eds., 2014).

50 Hereinafter “ECtHR.”

51 Brkan, supra note 9, at 361–62: Kart v. Turkey, App No. 8917/05, para. 93–111 (Dec. 3, 2009), http://hudoc.echr.coe.int/eng?i=001-96007; Cudak v. Lithuania, App No. 15869/02, paras. 60–74 (Mar. 23, 2010), http://hudoc.echr.coe.int/eng?i=001-97879; Leyla Sahin v. Turkey, App. No. 44774/98 (Nov. 10, 2005), http://hudoc.echr.coe.int/eng?i=001-70956.

52 Brkan, supra note 9, at 361:; Al-Dulimi and Montana Management Inc. v. Switzerland, App. No. 5809/08, paras. 37, 151 (June 21, 2016), http://hudoc.echr.coe.int/eng?i=001-164515; Baka v. Hungary, App No. 20261/12, para. 121 (July 23, 2016), http://hudoc.echr.coe.int/eng?i=001-163113; Matthews v. United Kingdom, App. No. 24833/94, para. 65. (Feb. 18, 1999), http://hudoc.echr.coe.int/eng?i=001-58910.

53 Big Brother Watch and Others v. United Kingdom, App. Nos. 58170/13, 62322/14, 24960/15 (Sept. 13, 2018), http://hudoc.echr.coe.int/eng?i=001-186048.

54 Id. at paras 224–28, 463.

55 There is an abundant doctrine commenting upon this decision of the CJEU. See, e.g., Marie-Pierre Granger & Kristina Irion, The Court of Justice and the Data Retention Directive in Digital Rights Ireland: Telling Off the EU Legislator and Teaching a Lesson in Privacy and Data Protection, 39 Eur. L. Rev. 835 (2014); Alessandro Spina, Risk Regulation of Big Data: Has the Time Arrived for a Paradigm Shift in EU Data Protection Law?, 5 Eur. J. Risk Reg. 248 (2014); Jürgen Kühling, Der Fall der Vorratsdatenspeicherungsrichtlinie und der Aufstieg des EuGH zum Grundrechtsgericht, 31 Neue Zeitschrift für Verwaltungsrecht 681 (2014); Alexandre Cassart & Jean-François Henrotte, L’invalidation de la directive 2006/24 sur la conservation des données de communication électronique ou la chronique d’une mort annoncée, 20 Revue de jurisprudence de Liège, Mons et Bruxelles 954 (2014); Reinhard Priebe, Reform der Vorratsdatenspeicherung—strenge Maßstäbe des EuGH, Europäische Zeitschrift für Wirtschaftsrecht 456 (2014); Igor Kolar, Sodišče EU odpravilo retencijsko direktivo, 15 Pravna praksa 21 (2014). For the analysis of decisions of national courts on data retention, see Eleni Kosta, The Way to Luxemburg: National Court Decisions on the Compatibility of the Data Retention Directive with the Rights to Privacy and Data Protection 10 script-ed 339 (2013).

56 Directive 2006/24, of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, 2006 O.J. (L 105) 54.

57 The CJEU’s interpretation of the concept of essence within the framework of the fundamental right to data protection is addressed infra in Section D.

58 Digital Rights Ireland, Joined Cases 293 & 594/12 at para. 26.

59 Id. at paras. 69, 73.

60 Id. at para. 37.

61 Id. at para. 65, 69. The doctrine points out that the disproportionate nature of the interference gives a clear signal to the European legislator on deficiencies of the Data Retention Directive. See, e.g., Spiros Simitis, Die Vorratsspeicherung—ein unverändert zweifelhaftes Privileg, 67 Neue juristische Wochenschrift 2158, 2159 (2014); Priebe, supra note 55, at 458.

62 See also Orla Lynskey, The Data Retention Directive Is Incompatible With the Rights to Privacy and Data Protection and Is Invalid in Its Entirety: Digital Rights Ireland, 51 Common Mkt. L. Rev. 1789, 1803 (2014). In Paragraph 107, the Advocate General seems to see the analysis of whether the interference with the right to privacy respects the essence of this right as a separate element—on the basis of Article 52(1) of the Charter—but does not address the issue in his further examination. See ECJ, Case C-293/12, Opinion of Advocate General Cruz Villalón at para. 107, Digital Rights Ireland v. Minister for Commc’n, ECLI:EU:C:2013:845, Judgment of 12 Dec. 2013.

63 Digital Rights Ireland, Joined Cases 293 & 594/12 at para. 39 (emphasis added). Claus Dieter Classen is of the view that, even though the Court makes it clear that the essence seeks to protect the core of a fundamental right, it does not clarify on the basis of which criteria the essence should be determined. Claus Dieter Classen, Datenschutz ja—aber wie? Anmerkung zum Urteil des EuGH vom 8.4.2014, verb. Rs. C-293/12 und C-594/12 (Digital Rights Ireland u. a.), Europarecht 441, 443 (2014).

64 Granger & Irion, supra note 55, at 847, (pointing out that the Court “reverts to an outdated perspective, according to which the collection of metadata is less sensitive simply because it does not concern the content of communications,” a perception that is agreeably “increasingly contested”). See, e.g., Kühling, supra note 55, at 682 (opining less critically that the Court’s conclusion on absence of interference with the essence is correct, without touching upon the question of distinction of content- and metadata). See also Spina, supra note 55, at 252 (placing the Court’s conclusion on essence within “the narrative of risks for the individual autonomy”).

65 Tele2 Sverige, Case C-203/15.

66 Granger & Irion, supra note 55, at 847; Kolar, supra note 55, at 21 (claiming similarly that metadata allows for a rather precise description of data subject’s everyday life, which is for police often even more useful than the content data). See also Gemma Galdon Clavell, Exploring the Boundaries of Big Data 109 (Bart van der Sloot et al. eds., 2016) (pointing out that telecommunication metadata “can still reveal a great deal of personal information about a specific individual” which should not be considered as “a minor infringement of a data subject’s privacy”).

67 More precisely, the Court was prompted to answer the question of whether Article 15(1) of the ePrivacy Directive—which allowed for the retention of traffic and location data with regard to electronic communication for the purpose of fight against crime—precludes Member State legislation that allows for general and indiscriminate retention of such data. In its judgment, the Court interpreted Article 15(1) in the light of Articles 7 and 8 and answered the question in the affirmative. See Tele2 Sverige, Case C-203/15 at paras. 125, 134.

68 ECJ, Case C-203/1, Opinion of Advocate General Saugmandsgaard Øe at paras. 256–59, Tele2 Sverige AB v. Post- och telestyrelsen, ECLI:EU:C:2016:572, Judgment of 19 July 2016. For a commentary of the opinion, see Caroline Calomme, Strict Safeguards to Restrict General Data Retention Obligations Imposed by the Member States, 2 Eur. Data Protection L. Rev. 590 (2016).

69 Id. at para. 258.

70 Id. at para. 257.

71 See also Bjorn Carey, Stanford computer scientists show telephone metadata can reveal surprisingly sensitive personal information, Stanford News (May 16, 2016), https://news.stanford.edu/2016/05/16/stanford-computer-scientists-show-telephone-metadata-can-reveal-surprisingly-sensitive-personal-information/ (last visited July 5, 2019).

72 Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 [hereinafter GDPR].

73 Id. at art. 9.

74 Iain Cameron, A. Court of Justice Balancing Data Protection and Law Enforcement Needs: Tele2 Sverige and Watson, 54 Common Mkt L. Rev. 1467, 1469 (2017).

75 Tuomas Ojanen, Privacy Is More Than Just a Seven-Letter Word: The Court of Justice of the European Union Sets Constitutional Limits on Mass Surveillance. Court of Justice of the European Union, Decision of 8 April 2014 in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, 10 Eur. Const. L. Rev. 528, 537 (2014).

76 Tele2 Sverige, Case C-203/15 at para. 99.

77 Tele2 Sverige, Case C-203/15 at paras. 155–57.

78 Id. at paras. 256 et seq.

79 Tele2 Sverige, Case C-203/15 at paras 99, 101.

80 See Alexander Roßnagel, Vorratsdatenspeicherung rechtlich vor dem Aus?, Neue juristische Wochenschrift 696, 697–98 (2017) (focusing on the consequences of the judgment for Germany); Reinhard Priebe, Vorratsdatenspeicherung und kein Ende, Europäische Zeitschrift für Wirtschaftsrecht 136, 139 (2017) (calling for a new regulation of data retention on the EU level after the judgment). See also Will R. Mbioh, Post-och Telestyrelsen and Watson and the Investigatory Powers Act 2016, 3 Eur. Data Protection L. Rev. 273 (2017); Xavier Tracol, The Judgment of the Grand Chamber Dated 21 December 2016 in the Two Joint Tele2 Sverige and Watson Cases: The need for a Harmonized Legal Framework on the Retention of Data at EU level, Comput. L. Rev. Int’l 1 (2017); Cameron, supra note 74, at 1467–95.

81 Orla Lynskey, Tele2 Sverige AB and Watson et al: Continuity and Radical Change, Eur. L. Blog (Jan. 12, 2017), https://europeanlawblog.eu/2017/01/12/tele2-sverige-ab-and-watson-et-al-continuity-and-radical-change/; Gunnar Beck, Case Comment: C-203/15 Tele2 Sverige AB v. Post-och telestyrelsen and C-698/15 SSHD v. Tom Watson & Others, eutopia l. (Jan. 13, 2017), https://eutopialaw.com/2017/01/13/; Joined Cases Tele2 Sverige AB v. Post- och telestyrelsen and Secretary of State for the Home Department v. Watson, Colum. Global Freedom Expression, https://globalfreedomofexpression.columbia.edu/cases/joined-cases-tele2-sverige-ab-v-post-och-telestyrelsen-c-20315-secretary-state-home-department-v-watson/. See also Jenny Weinand, Case Note on Joined Cases C-203/15 Tele2 Sverige AB and C-698/15 Tom Watson a.o., Eur. Broadcasting Union 1, 4 (Feb. 1, 2017) (observing that the Court did not find a breach of essence and that, “[i]n terms of the seriousness of the breach, the [Tele2] judgment is just one step below Schrems”).

82 E.g., Roland Derksen, Unionsrechtskonforme Spielräume für anlasslose Speicherung von Verkehrsdaten?, Neue Zeitschrift für Verwaltungsrecht 1005, 1009 (2017). Derksen mentions the notion of essence in the framework of analysis of the consequences of the Tele2 Sverige judgment for Germany and points out that, given that the national legislations at issue in this case did not interfere with the essence, but were considered as disproportionate, it is the CJEU that would have the final word on the compatibility of the German legislation with the requirements from the judgment.

83 Schrems, Case C-362/14 at para. 94.

84 Commission Decision 2000/520, of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, 2000 O.J. (L 215) 7.

85 Schrems, Case C-362/14 at para. 1.

86 Schrems, Case C-362/14 at paras. 84–87. See also ECJ, Case C-362/14, Opinion of Advocate General Bot at para. 177, Schrems v. Data Protection Comm’r, ECLI:EU:C:2015:627, Judgment of 23 Sept. 2015 (considering that these derogations from Safe Harbor “compromise the essence of the fundamental right to protection of personal data”).

87 Schrems, Case C-362/14 at para. 94.

88 Opinion of Advocate General Bot, supra note 86, at para. 177. See also Digital Rights Ireland, Joined Cases 293 & 594/12, at para. 39.

89 Schrems, Case C-362/14 at paras. 92–93.

90 Schrems, Case C-362/14 at para. 93.

91 Brkan, supra note 9, at 354–55.

92 Schrems, Case C-362/14 at para. 93 (emphasis added).

93 Schrems, Case C-362/14 at para. 84.

94 Loïc Azoulai & Marijn van der Sluis, Institutionalizing Personal Data Protection in Times of Global Institutional Distrust: Schrems, 53 Common Mkt L. Rev. 1343, 1365–66 (2016), (correctly observing that the Court referred to the essence “to avoid getting into the need of balancing between privacy and security”). See also Brkan, supra note 9, at 354–55.

95 Schrems, Case C-362/14 at para. 93.

96 Commission Implementing Decision 2016/1250, of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C (2016) 4176), 2016 O.J. (L 207) 1 [hereinafter Commission Decision 2016/1250].

97 This conclusion stems from paragraph 90 of the Commission Decision 2016/1250, where the Commission does not refer explicitly to the Court’s conclusion in paragraph 94 of Schrems that the Safe Harbor interferes with the essence of fundamental rights to privacy. To the contrary, the adequacy decision does specifically cite paragraph 95 of Schrems, in which the CJEU found that the legislation at stake does not respect the essence of the fundamental right to effective judicial protection. In its adequacy decision, the Commission concludes that this interference with the essence is eliminated by the fact that the U.S. provides for legal remedies to the data subjects, notably through the introduction of the Ombudsperson mechanism. See Commission Decision 2016/1250, supra note 96, at para. 124.

98 Commission Decision 2016/1250, supra note 96, at para. 90. The Commission refers to paragraph 93 in Schrems where the CJEU found the interference with the fundamental right to privacy as not strictly necessary.

99 Commission Decision 2016/1250, supra note 96, at para. 90 (emphasis added).

100 Commission Decision 2016/1250, supra note 96 (“Sec. 702 FISA allows US Intelligence Community elements to seek access to information, including the content of internet communications, from within the United States, but targeting certain non-U.S. persons outside the United States.”).

101 See, e.g., William C. Banks, Responses to the Ten Questions, 35 WM. Mitchell L. Rev. 5007, 5013–14 (2009); Laura K. Donohue, Section 702 and the Collection of International Telephone and Internet Content 38 Harv. J. L. & Pub. 117, 153–59 (2015).

102 See Edward C. Liu et al., Overview of Constitutional Challenges to NSA Collection Activities and Recent Developments, Cong. Res. Serv. (Apr. 1, 2014), http://www.dtic.mil/dtic/tr/fulltext/u2/a601651.pdf (providing an overview). See, e.g., Clapper v. Amnesty Int’l, 133 S. Ct. 1138 (2013); United States v. Hasbajrami, No. 11-CR-623, 2016 WL 1029500 (E.D.N.Y. Feb. 18, 2016) (currently under appeal at U.S. Court of Appeals for the Second Circuit, Case No. 17-2669); United States v. Mohamud, 834 F.3d 420 (9th Cir. 2016).

103 See Patrick Walsh, Losing Tools in the Intelligence Toolbox: Predicting Future Changes to FISA to Protect Future National Security Prosecutions, Norwich Rev. Int’l and Transnat’l Crime (2015); William C. Banks, Next Generation Foreign Intelligence Surveillance Law: Renewing, 51 U. Rich. L. Rev. 671, 702 (2016–2017); Peter Margulies, Reauthorizing the FISA Amendments Act: A Blueprint for Enhancing Privacy Protections and Preserving Foreign Intelligence Capabilities, 12 J. Bus. & Tech. L. 23 (2016–2017).

104 USA Liberty Act of 2017, H.R. 3989, 115th Cong.

105 See Gregory Voss, The Future of Transatlantic Data Flows: Privacy Shield or Bust?, 19 J. Internet L. 1 (2016) (announcing challenges against the Privacy Shield). See, e.g., Jan-Philipp Albrecht & Max Schrems, Privacy Shield: The new EU rules on transatlantic data sharing will not protect you, Irish Times (July 12, 2016), https://www.irishtimes.com/opinion/privacy-shield-the-new-eu-rules-on-transatlantic-data-sharing-will-not-protect-you-1.2719018.

106 Case T-738/16, La Quadrature du Net v Comm’n, pending, http://curia.europa.eu/juris/liste.jsf?num=T-738/16. See also GC, Case T-670/16, Digital Rights Ireland v Comm’n, ECLI:EU:T:2017:838 (declaring inadmissible another legal action against the Commission Decision 2016/1250); Case C-311/18, Facebook Ireland and Schrems, pending, http://curia.europa.eu/juris/fiche.jsf?id=C%3B311%3B18%3BRP%3B1%3BP%3B1%3BC2018%2F0311%2FP (providing a distinct question of the relevance of Privacy Shield in the assessment of adequacy in the framework of transfers of data on the basis of Standard Contractual Clauses).

107 Agreement between the European Community and the Government of Canada on the Processing of Advance Passenger Information and Passenger Name Record Data, March 21, 2006, 2006 O.J. (L 82) 15 [hereinafter EU-Canada PNR Agreement].

108 Id. art. 2(b).

109 Id. annex.

110 Id. art. 3(1).

111 Id. arts. 3(4), 5.

112 Opinion 1/15, supra note 8, para 148.

113 See Hielke Hijmans, PNR Agreement EU-Canada Scrutinised: CJEU Gives Very Precise Guidance to Negotiators, 3 Eur. Data Protection L. Rev. 406, 410 (2017) (arguing that the CJEU, due to its precise analysis and instructions to the legislator, (almost) acquires the role of the legislator itself). See also Christopher Kuner, Data Protection, Data Transfers, and International Agreements: the CJEU’s Opinion 1/15, Verfassungsblog, July 26, 2017, https://verfassungsblog.de/data-protection-data-transfers-and-international-agreements-the-cjeus-opinion-115/, (last visited July 6, 2019) (discussing the detailed nature of the Court’s analysis); Christopher Docksey, Opinion 1/15: Privacy and security, finding the balance, 24 Maastricht J. Eur. & Comp. L. 768, 771 (2017) (opining less critically that the Court “provides valuable support for European negotiators”).

114 See, e.g., Opinion 1/15, supra note 8, at paras. 181, 203, 211, 215, 217.

115 Id. at para. 150.

116 ECJ, Case Opinion 1/15, Opinion of Advocate General Mengozzi at para. 186, ECLI:EU:C:2016:656, Judgment of 8 Sept. 2016.

117 Hijmans, supra note 113, at 410–11.

118 Nevertheless, its findings do seem to imply that a particularly serious interference with privacy does not suffice for interference with its essence. In paragraph 36, the Court points out that the agreement in question “entails wide-ranging and particularly serious interferences” with the fundamental rights to privacy and data protection. See Opinion 1/15, supra note 8, para 36.

119 Christopher Kuner, International Agreements, Data Protection, and EU fundamental rights on the international stage: Opinion 1/15, EU-Canada PNR, 55 Common Mkt. L. Rev. 857, 876 (2018).

120 Digital Rights Ireland, Joined Cases 293 & 594/12 at para. 40.

121 Id.

122 Lynskey, supra note 4, at 172.

123 Compare id. (pointing out that designating data security measures as being the essence of the fundamental right to data protection “may further fuel debate regarding the propriety of labelling such a right a ‘fundamental right’”).

124 If the challenged Directive contained other safeguards—for example, the requirement of consent prior to bulk collection of data—the Court might have considered this safeguard as sufficient to protect the essence of data protection.

125 Tele2 Sverige, Case C-203/15.

126 Id. at para. 101 (emphasis added).

127 Id. at para. 99. On the artificial nature of distinction between content data and metadata, see supra notes 64, 66, 71, 74, 75.

128 Opinion 1/15, supra note 8, at para. 150.

129 GDPR, supra note 72, at arts. 5(1)(f), 32–34 (encompassing measures to ensure security of personal data). See also id. art. 32(1) (stating that these measures encompass, inter alia, pseudonymization, encryption, ensuring confidentiality and resilience of processing systems and regular testing of measures deployed for data security).

130 Charter, supra note 1, at art. 8(2) (“[D]ata must be processed … for specified purposes.”).

131 Fuster, supra note 4, at 205.

132 Charter, supra note 1, at art. 8(2).

133 See GDPR, supra note 72, at arts. 5(1)(a)–(b).

134 See GDPR, supra note 72, at art. 5(1)(c).

135 Directive 95/46, of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281) 31.

136 See Explanations relating to the Charter of Fundamental Rights, supra note 33, at 20 (expressly stating that this provision has been based on the Directive 95/46 and other sources).

137 See Directive 95/46, supra note 135, at art. 6.

138 GDPR, supra note 72, at art. 15.

139 GDPR, supra note 72, at art. 16.

140 Charter, supra note 1, at art. 8(3).

141 Fuster, supra note 4, at 204.

142 That is, according to Article 9(1) GDPR, data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” GDPR, supra note 72, at art. 9(1).

143 See GDPR, supra note 72, at art. 9(2)(g).

144 See GDPR, supra note 72, at art. 9(2)(j).

145 See GDPR, supra note 72, at art. 23(1).

146 For all justificatory grounds, see GDPR, supra note 72, at art. 23(1)(a)–(j).

147 Directive 2016/680, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and on the Free Movement of Such Data, and Repealing Council Framework Decision 2008/977/JHA, 2016 O.J. (L 119) 89.

148 Id. at recital 46.

149 EJC, Case C-496/17, Opinion of Advocate General Campos Sánchez-Bordona at para. 68, Deutsche Post AG v. Hauptzollamt Köln, ECLI:EU:C:2018:838, Judgment of 17 Oct. 2018.

150 ECJ, Case C-496/17, Deutsche Post AG v. Hauptzollamt Köln, ECLI:EU:C:2019:26, Judgment of 16 Jan. 2019.

151 Charter, supra note 1, at art. 21.

152 Charter, supra note 1, at art. 47.

153 Schrems, Case C-362/14 at para. 73.

154 I am grateful to Christopher Kuner for attracting my attention to this question.

155 Schrems, Case C-362/14 at para. 73 (pointing out particularly that the standard of essentially equivalent protection refers to “that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter”).

156 In Schrems—where the data subjects did not have any legal remedies for access or rectification of the personal data relating to them—the Court rightly came to the conclusion that the essence of her fundamental right to effective judicial protection was adversely affected. Schrems, Case C-362/14 at para. 75.

157 See Tuomas Ojanen, Making the Essence of Fundamental Rights Real: The Court of Justice of the European Union Clarifies the Structure of Fundamental Rights under the Charter: ECJ 6 October 2015, Case C-362/14, Maximillian Schrems v. Data Protection Commissioner, 12 Eur. Const. L. Rev. 318, 326 (2016).

158 Ministerio Fiscal, Case C-207/16 at paras. 51 et seq. (referring not to essence in its judgment, but proceeding immediately to the justification of the interference.

159 Kuner, supra note 119, at 876.

* Associate Professor, Faculty of Law, Maastricht University. The author is grateful to Christopher Docksey, Christopher Kuner, and Hielke Hijmans for their comments during the “meet the author” event titled “In search of the concept of essence of EU fundamental rights through the prism of data privacy,” organized by the Brussels Privacy Hub on April 20, 2018. Furthermore, the author would like to thank the organizers—Mark Dawson, Orla Lynskey, and Elise Muir—and participants of the conference “The Essence of Fundamental Rights in EU Law,” held on May 17-18, 2018 in Leuven, for their observations on an earlier draft of this paper.

Keywords

Metrics

Full text views

Total number of HTML views: 0
Total number of PDF views: 0 *
Loading metrics...

Abstract views

Total abstract views: 0 *
Loading metrics...

* Views captured on Cambridge Core between <date>. This data will be updated every 24 hours.

Usage data cannot currently be displayed