Summary Privacy and Data Protection

Pages: 33
Uploaded on: 22-10-2017
Written in: 2017/2018

Summary of the master course Privacy and Data Protection course as given by Tilburg University.

Summary Privacy and Data Protection law

Contents
Part I- Data Protection
  Chapter 1- Context and background of European data protection law
  Chapter 2- Data protection terminology
  Chapter 3- The Key principles of European data protection law
  Chapter 4- Rules of European data protection law
  Chapter 5- The data subject’s rights and their enforcement
  Chapter 6- Transborder data flows
  Chapter 7- Data protection in the context of police and criminal justice
  Chapter 8- Other specific European data protection laws
Part II- Privacy
  Lecture 9- art. 8 ECHR and the principle of Ratione Personae
    Ratione Personae
    Ratione Loci
    Ratione Temporis
    Ratione Materiae
Case-Law
  Freedom of Expression
  Access to Documents
  Freedom of Arts and Sciences
  Protection of Property
  Personal Data
  Joint Controllership
  Consent
  Principle of lawful processing
  Transparency
  Public Interest
  Rules on Security of Processing
  Right to Access
  Independent Supervision
  Transborder Data-Flows
  Matters of Criminal Justice
  Employment Data
  Medical Data
  Financial Data

Part I- Data Protection
Chapter 1- Context and background of European data protection law
ECHR Framework
The ECHR, inspired by the Universal Declaration on Human Rights, came into force in 1953 to bring
together the states of Europe to promote the rule of law, democracy, human rights and social
development. All states have an international obligation to comply with the ECHR. This position has been
strengthened by the creation of the ECtHR in Strasbourg. The ECHR has 47 MS including all EU members.
The right to protection of personal data is protected under art. 8 ECHR, which guarantees the right to
respect for private and family life, home and correspondence, and lays down the conditions under which
restrictions are permitted. The ECtHR has had numerous cases on art. 8 ECHR with regard to data
protection, including interception of communication, surveillance and data storage. According to the
ECtHR, art. 8 comprises two obligations for its MS:
- Negative obligations- states must refrain from actions
- Positive obligations- under certain circumstances, the state must actively secure effective respect
for private and family life

Council of Europe Convention 108
With the rise of information technology, a growing need developed for more detailed rules to safeguard
individuals by protecting their data. This was concluded in Council of Europe Convention 108 for the
Protection of Individuals with regard to Automatic Processing of Personal Data. It is still the only legally
binding international instrument in the field of data protection. All EU members and the EU itself are
parties. Furthermore, it is open for accession to non-member states of the Council of Europe, so that it can
potentially serve as a universal standard. Uruguay did so in 2013 and Morocco is still in the process
of accession.

Rights under the Convention
Both the private and the public sector fall under the application of Convention 108, which protects the individual
against abuses that may accompany the collection and processing of personal data and seeks to
regulate the trans-border flow of personal data. Regarding the collection of personal data, the principles
laid down are that data must be collected and automatically processed fairly and lawfully, stored for specific
purposes and not kept longer than necessary, and that the data itself must be adequate, relevant and not
excessive (proportional) as well as accurate. The convention outlaws the processing of sensitive data
with regard to race, politics, health, religion, sexual life or criminal record.
The individual has a right to know that information about him is stored and may, if necessary, request
correction. Overriding interests like state security or defence can limit this right.

EU data protection law
The EU has competence in data protection ex art. 16 TFEU. The main legal instrument on data protection
in the EU is the Data Protection Directive (95/46/EC). It was created to ensure data protection in the light
of the internal market, harmonizing national laws. Even though this is a directive, the amount of
harmonization is generally complete. MS only have limited freedom when implementing the directive. As
the directive is based primarily on Convention 108, much is the same. However, the EU ex art. 11 of
Convention 108 extended its protection by implementing independent supervision. Both EU member
states and members of the EEA (Iceland, Liechtenstein and Norway) are bound by the directive. Exempted
from the applicability of the directive is the household exemption (processing of personal data by private
individuals for merely personal or household purposes), as this is seen as part of the individual freedoms.
Extra legislation was created for specific sectors, like Directive 2002/58/EC for telecommunications and
Regulation 45/2001 for the EU institutions themselves. Additionally, the Charter has strengthened data
protection as an individual right in art. 8 Charter.

The General Data Protection Regulation aims at modernizing and thus replacing the Data Protection Directive. It
was adopted in April 2016 but will only take effect on the 25th of May 2018. Additionally, the
General Data Protection Directive aims at focusing on matters regarding data protection in the areas of
police and judicial cooperation. This one is still in the legislative process.

Authentication
Procedure by which a person is able to prove that he or she possesses a certain identity in order to enter a secured
area. There are numerous methods of authentication, such as biometric data, fingerprints, password, PIN-code,
personal questions, a special chip in your card, (electronic) signatures, etc.

Chapter 2- Data protection terminology
- Personal data- information relating to an identified or identifiable natural person, that is,
information about a person whose identity is either manifestly clear or can at least be
established by obtaining additional information. Data protection law is therefore only applicable
to living natural persons. Legal persons thus cannot profit from the private life provisions of art.
8 ECHR. Instead, the Court has deemed this to fall under the right to respect for home and
correspondence.
- Processing- any operation or set of operations which is performed upon personal data or sets of
personal data, whether or not by automated means.
- Controller- natural or legal person, public authority, agency or any other body which alone or
jointly with others determines the purposes and means of the processing of personal data
- Processor- natural or legal person, public authority, agency or any body which processes
personal data on behalf of the controller
- Third party- any natural or legal person, public authority, agency or any other body other than
the data subject, the controller, the processor and the persons who, under the direct authority
of the controller or the processor, are authorized to process the data
- Supervisory authority- an independent public authority which is established by a Member State
pursuant to Article 46
- Recipient- anybody who receives data from a controller
- Consent- any freely given specific and informed indication of the data subject’s wishes

Pseudonymisation- the processing of personal data in such a way that the data can no longer be
attributed to a specific data subject without the use of additional information, as long as such additional
information is kept separately and subject to technical and organizational measures to ensure
non-attribution to an identified or identifiable person.

Special categories of personal data
There are special categories of personal data which by their nature may pose a risk to the data subjects
when processed and need enhanced protection. This is regarded as sensitive information and
therefore requires specific safeguards. According to art. 8 Directive these are:
- Personal data revealing racial or ethnic origin
- Personal data revealing political opinion, religious or other beliefs and
- Personal data concerning health or sexual life

Consent
EU law sets out three elements for consent to be valid, aiming to guarantee that data subjects
truly mean to agree to the use of their data:
- The data subject must have been under no pressure when consenting
- The data subject must have been duly informed about the object and consequences of
consenting
- Scope of consent must be reasonably concrete

The Convention contains no definition of the word ‘consent’; it is therefore left to the MS. Consent,
however, is of vital importance: invalid consent of persons who do not have legal capacity will result in
the absence of a legal basis for processing data about such persons. Consent can be given in two ways:
- Explicitly- can be done orally or in writing (must be given for sensitive data)
- Non-explicitly- depends on the circumstances
However, both kinds of consent need to be given in an unambiguous way.

Free consent
Consent is only free, and thus valid, if the data subject is able to exercise a real choice and there is no risk of
deception, intimidation, coercion or significant negative consequences if he/she doesn’t consent. This
does not mean that consent can never be valid in circumstances where not consenting would have
negative consequences (e.g. registering at a supermarket for discounts: if you don’t register, you won’t
get the discount. Though this is a negative consequence, it is not serious enough to
prevent the data subject’s free choice).

Informed consent
The data subject must have sufficient information before taking a decision. Whether this has been done is
determined on a case-by-case basis. Mostly, informed consent comprises a precise and easily
understandable description of the subject matter requiring consent and an outline of the consequences of not
consenting.

Specific consent
The consent needs to be specific. The reasonable expectations of an average data subject will be
relevant. The data subject must be asked again if processing operations are added or changed which the
data subject could not reasonably have foreseen when the consent was given.

Right to withdraw consent
Though not specifically stipulated in the directive, it is widely presumed that one can withdraw
consent. This must be possible without having to give reasons and without risk of negative consequences.
