Problem 4 - Fundamental rights, law enforcement, surveillance and the institutionalization
(agencification) of the AFSJ
Part A: Data processing/protection and the AFSJ (Every Breath You
Take, Every Search You Make)
1. What is the EU legal framework on data protection?
Primary law (legal basis)
art. 16 TFEU art. 7 and 8 CFR
Art. 16 TFEU and art. 8 CFR refer to the protection of personal data. Such data must be
processed fairly for specified purposes and based on the consent of the person concerned
Art. 8.1 Charter of Fundamental Rights: The GDPR has been adopted to replace the Data
Protection Directive. The Regulation directly applies (direct effect) to its addressees.
Secondary law
GDPR (articles 2, 4, 5, 12-15, 16-18, 44, 45, 49)
The GDPR replaces Data Protection Directive
The General Data Protection Regulation (GDPR) provides rules regarding the digital age. It’s
applicable since 2018.
it changed from directive to regulation (now it is immediately applicable to al MS, a
directive would lead to differences and as a result the data will not be equally
protected, and
it needed updating because of new technologies and increasing rights
,Problem 4 - Fundamental rights, law enforcement, surveillance and the institutionalization
(agencification) of the AFSJ
2. When and to whom do the EU-rules on data protection apply?
General Data Protection Regulation (2016/679/EU)
(to whom)
Art. 1(1) GDPR: aim: to lay down rules relating to the protection of natural persons (so no
legal entities/‘rechtspersonen’) with regard to the processing of personal data and rules
relating to the free movement of personal data.
The General Data Protection Regulation (GDPR) applies to individuals and member
states.
Lex specialis: a special law prevails a regular law
material scope of the Regulation (when)
Art. 2.1 GDPR: this regulation applies to the processing of personal data wholly or partly by
(non)automated means.
Art. 2.2 GDPR: the regulation does not apply to the processing of personal data:
1. In the course on an activity which falls outside the scope of Union law
2. By the member states when carrying out activities which fall within the scope of
chapter 2 TEU
3. By a natural person in the course of a purely personal or household activity
4. By competent authorities for the purposes of criminal justice
The GDPR applies to anyone processing or controlling the processing of personal data.
interpretation: in a very broad manner in order to ensure a high level of protection.
Art. 3 GDPR: Territorial scope of the Regulation (not super relevant)
although the GDPR is EU legislation, its territorial scope does not stop at EU
boundaries
the GDPR applies in the following two situations:
Processing of personal data takes place in the context of the activities of an
establishment of the controller or processor within the EU. Or
The processing of the data of individuals within the EU takes place by a controller or
processor not established in the EU.
, Problem 4 - Fundamental rights, law enforcement, surveillance and the institutionalization
(agencification) of the AFSJ
Art. 4 GDRP: definitions
Art. 4.1: personal data
Data: stored information, signs or indications.
Data has to be personal in order to fall within said scope of application of the
Regulation.
Art. 4(1) GDPR: data is personal if the information relates to an identified or
identifiable individual.
Data is therefore personal if the identification of a person is possible based on the
available data, meaning if a person can be detected, directly or indirectly, by reference
to an identifier.
Regulation does not apply to personal data of a deceased person.
However, data can be personal data of a relative or a descendant of the deceased.
Identifiability of the data subject
Identification is made possible by combining different information that by themselves would
not have traced back to the person but does so in combination. The wording of art. 4(1) GDPR
does not state who needs to be able to identify the data subject, suggesting that the additional
information does not necessarily have to be in possession of the data controller/processor.
Relative criteria
Controversially discussed whether relative or absolute criteria had to be discussed to
establish reasonable likeliness of identifiability.
o Using absolute criteria would mean that the definition of ‘personal data’ is
being met as soon as anyone would have the possibility to connect the
processed data to an individual
o October 2016, ECJ ruled that the risk of identification appears insignificant in
reality if it requires a disproportionate effort in terms of time, cost
and manpower: relative criteria.
o If the identification of the data subject would be possible for the
controller/processor based on its chance to access additional information
without disproportionate effort, the data is deemed ‘personal data’.
o A person can be considered as identifiable if the missing information that
would allow identification is (easily) accessible.
Circumstances of the individual case
In order to affirm identifiability, the circumstances of the individual case have to be
taken into account. This includes:
o The costs and time required for identification.
o The technology available at the time of the processing and technological
developments.
o The purpose of the processing
(agencification) of the AFSJ
Part A: Data processing/protection and the AFSJ (Every Breath You
Take, Every Search You Make)
1. What is the EU legal framework on data protection?
Primary law (legal basis)
art. 16 TFEU art. 7 and 8 CFR
Art. 16 TFEU and art. 8 CFR refer to the protection of personal data. Such data must be
processed fairly for specified purposes and based on the consent of the person concerned
Art. 8.1 Charter of Fundamental Rights: The GDPR has been adopted to replace the Data
Protection Directive. The Regulation directly applies (direct effect) to its addressees.
Secondary law
GDPR (articles 2, 4, 5, 12-15, 16-18, 44, 45, 49)
The GDPR replaces Data Protection Directive
The General Data Protection Regulation (GDPR) provides rules regarding the digital age. It’s
applicable since 2018.
it changed from directive to regulation (now it is immediately applicable to al MS, a
directive would lead to differences and as a result the data will not be equally
protected, and
it needed updating because of new technologies and increasing rights
,Problem 4 - Fundamental rights, law enforcement, surveillance and the institutionalization
(agencification) of the AFSJ
2. When and to whom do the EU-rules on data protection apply?
General Data Protection Regulation (2016/679/EU)
(to whom)
Art. 1(1) GDPR: aim: to lay down rules relating to the protection of natural persons (so no
legal entities/‘rechtspersonen’) with regard to the processing of personal data and rules
relating to the free movement of personal data.
The General Data Protection Regulation (GDPR) applies to individuals and member
states.
Lex specialis: a special law prevails a regular law
material scope of the Regulation (when)
Art. 2.1 GDPR: this regulation applies to the processing of personal data wholly or partly by
(non)automated means.
Art. 2.2 GDPR: the regulation does not apply to the processing of personal data:
1. In the course on an activity which falls outside the scope of Union law
2. By the member states when carrying out activities which fall within the scope of
chapter 2 TEU
3. By a natural person in the course of a purely personal or household activity
4. By competent authorities for the purposes of criminal justice
The GDPR applies to anyone processing or controlling the processing of personal data.
interpretation: in a very broad manner in order to ensure a high level of protection.
Art. 3 GDPR: Territorial scope of the Regulation (not super relevant)
although the GDPR is EU legislation, its territorial scope does not stop at EU
boundaries
the GDPR applies in the following two situations:
Processing of personal data takes place in the context of the activities of an
establishment of the controller or processor within the EU. Or
The processing of the data of individuals within the EU takes place by a controller or
processor not established in the EU.
, Problem 4 - Fundamental rights, law enforcement, surveillance and the institutionalization
(agencification) of the AFSJ
Art. 4 GDRP: definitions
Art. 4.1: personal data
Data: stored information, signs or indications.
Data has to be personal in order to fall within said scope of application of the
Regulation.
Art. 4(1) GDPR: data is personal if the information relates to an identified or
identifiable individual.
Data is therefore personal if the identification of a person is possible based on the
available data, meaning if a person can be detected, directly or indirectly, by reference
to an identifier.
Regulation does not apply to personal data of a deceased person.
However, data can be personal data of a relative or a descendant of the deceased.
Identifiability of the data subject
Identification is made possible by combining different information that by themselves would
not have traced back to the person but does so in combination. The wording of art. 4(1) GDPR
does not state who needs to be able to identify the data subject, suggesting that the additional
information does not necessarily have to be in possession of the data controller/processor.
Relative criteria
Controversially discussed whether relative or absolute criteria had to be discussed to
establish reasonable likeliness of identifiability.
o Using absolute criteria would mean that the definition of ‘personal data’ is
being met as soon as anyone would have the possibility to connect the
processed data to an individual
o October 2016, ECJ ruled that the risk of identification appears insignificant in
reality if it requires a disproportionate effort in terms of time, cost
and manpower: relative criteria.
o If the identification of the data subject would be possible for the
controller/processor based on its chance to access additional information
without disproportionate effort, the data is deemed ‘personal data’.
o A person can be considered as identifiable if the missing information that
would allow identification is (easily) accessible.
Circumstances of the individual case
In order to affirm identifiability, the circumstances of the individual case have to be
taken into account. This includes:
o The costs and time required for identification.
o The technology available at the time of the processing and technological
developments.
o The purpose of the processing
