Privacy and Data Protection in Europe
The Council of Europe Framework
The CoE is an international organization based in Strasbourg (France) and comprises 47 countries as of today. It was founded in 1949 in order to promote democracy and protect human rights and the rule of law in Europe. The CoE adopted the European Convention on Human Rights (ECHR) in 1950, and the latter entered into force in 1953. The European Court of Human Rights (ECtHR), which was founded in 1959, ensures that the Parties to the Convention observe their conventional obligations.
The right to respect for one's private and family life, home, and correspondence is enshrined in Article 8 ECHR. In its case law, the ECtHR has interpreted this right as also encompassing a right to personal data protection [27, p. 38]. Specifically, the processing of information relating to an individual’s private life may amount to an interference within the meaning of Article 8. The rulings of the ECtHR are binding for the legal systems of the Member States and set precedents for the interpretation of their national law.
Article 8 ECHR reads:
- 1. Everyone has the right to respect for his private and family life, his home and his correspondence.
- 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
In 1981, the CoE opened for signature a legal instrument specifically concerning personal data protection, the Convention for the protection of individuals with regard to the automatic processing of personal data (Convention 108). Convention 108+, which underwent modernization in parallel with the EU reform of the data protection framework in order to ensure consistency, applies to both the private and the public sector, as well as to the judiciary and law enforcement matters, unless a Member State explicitly opts out. The significance of Convention 108+ lies in the fact that, to date, it remains the only international legally binding document for the protection of personal data, and its principles have been taken into consideration by the ECtHR, even though the Convention is not under its judicial supervision. The CoE has also issued and adopted several nonbinding recommendations.
This is the case of the CoE framework, where Article 8 (right to private life) encompasses the right to data protection as well. At the EU level, however, the two rights are distinct, as we will see below.
The EU Framework
First, some considerations to guide the nonlegal reader through the discussion to follow. The EU is a separate organization from the CoE, even though all EU Member States participate in the CoE as well. The EU is based on the rule of law, meaning that every action taken is founded on the adopted Treaties. Treaties, i.e., binding agreements among EU Member States, set out the EU objectives and principles as well as rules for the EU institutions, and define the relationship between the EU and its Member States. Those treaties constitute primary EU law and the basis for the secondary law. Regulations, directives, decisions, recommendations, and opinions belong to secondary law.
Further, according to Article 288 of the Treaty on the Functioning of the European Union (TFEU), the secondary law instruments are divided into soft law and hard law, depending on their binding nature. Specifically:
A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States. A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods. A decision shall be binding in its entirety. A decision which specifies those to whom it is addressed shall be binding only on them. Recommendations and opinions shall have no binding force.
The entry into force of the Lisbon Treaty in 2009, amending the Treaty of the European Union and the TFEU, is a significant moment in the history of EU data protection law. First, the Lisbon Treaty introduced Article 16 TFEU, which established the principle that everyone has the right to the protection of personal data concerning him or her, as well as a specific legal basis for the adoption of rules on the protection of personal data. Second, the Lisbon Treaty elevated the 2000 Charter of the Fundamental Rights of the European Union (EUCFR) to the level of primary law, making its provisions binding. The Charter provides for two separate fundamental rights, the right to private and family life (Article 7 EUCFR) and the right to the protection of personal data (Article 8 EUCFR), as they read below:
Article 7 EUCFR—Respect for private and family life
Everyone has the right to respect for his or her private and family life, home, and communications.
Article 8 EUCFR—Protection of personal data
- 1. Everyone has the right to the protection of personal data concerning him or her.
- 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- 3. Compliance with these rules shall be subject to control by an independent authority.

On the other hand, the Lisbon Treaty provided for the right to the protection of personal data. Article 16 of the TFEU introduces the right explicitly and creates a new independent legal basis for the adoption of comprehensive EU data protection legislation.
Concerning the relation between the EU and the CoE framework, it is important to note that Article 52(3) EUCFR states that the meaning of the rights guaranteed in the Charter is the same as in the European Convention on Human Rights (ECHR). Moreover, for any limitation on the exercise of the fundamental rights protected by the Charter to be lawful, it must comply with the following criteria, laid down in the first paragraph of Article 52 EUCFR: (a) it must be provided for by law; (b) it must respect the essence of the rights; (c) it must genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others; (d) it must be necessary; and (e) it must be proportional.
The first condition is very straightforward and refers to the existence of an accessible and foreseeable law. Respect for the essence of the right means that the limitation should not go so far as to void the exercise of the right. If the essence of the right is nullified, the measure is unlawful, and no further examination is necessary. If not, then the objectives of the intended measure will be assessed and will have to be explained in detail, since they will serve as the basis for the assessment of necessity.
The test of necessity assesses whether a measure is indeed necessary, based on a strict necessity criterion: “derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”; moreover, “the measure should be effective and the least intrusive” [28, pp. 16-17]. If the test of necessity is not satisfied, the measure will be considered unlawful and the assessment ends; if, on the other hand, it is satisfied, the test of proportionality will take place next. Both necessity and appropriateness are encompassed by proportionality in the broad sense. The advantages of this measure should not be outweighed by the disadvantages for the exercise of the right, and a balance should be achieved between the means and the cause [28, p. 9].