Data protection as a human right
Advanced technologies and innovative communications services have raised public concern regarding the protection of personal data and, more generally, the safeguarding of consumers’ privacy. A vast amount of personal information can be collected by service providers, putting consumers at risk of misuse.
Given the potentially serious consequences of personal information abuses, the right to privacy is protected at the human rights level. A right to privacy can be found both in Article 8 of the European Convention on Human Rights, and in Articles 7 and 8 of the Charter of Fundamental Rights. Moreover, Article 16 TFEU (ex Article 286 EC) guarantees that ‘(e)veryone has the right to the protection of personal data concerning them’.
Besides the above provisions, the right to privacy has been protected in a concrete manner in Directive 2002/58/EC, concerning the processing of personal data and the protection of privacy which complemented the Data Protection Directive 95/46/EC. Subsequently, the new ‘Citizens’ Rights’ Directive (2009) mentioned previously amended the former Directive 2002/58/EC and improved consumer protection in terms of privacy, placing important obligations on operators in this regard. The new directive, for example, changes Article 1(1), which now states that this Act ‘provides for the harmonization of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector’. Personal data here refers to any information that can be traced to an individual. In turn, ‘processing of personal data’ is defined as any operation which is performed upon personal data, such as collection, recording, organization, storage, use, or disclosure.
According to Article 3, the directive now applies ‘to the processing ofpersonal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices’. This covers the security of networks and services, the confidentiality of communications, access to stored data, processing of traffic, location of data, and unsolicited commercial communications.
Furthermore, Article 4, entitled ‘Security of processing’, obliges providers to take the appropriate technical and organizational measures to ensure that personal data can be accessed only by authorized personnel, for legally authorized purposes. Moreover, they have to protect personal data against destruction, accidental loss, or alteration, and unauthorized or unlawful storage, processing, access, or disclosure. Finally, providers need to ensure the implementation of a security policy with respect to the processing of personal data. Article 4(3) now includes an obligation on service providers to notify a personal data breach without undue delay to the competent national authority, and to individuals if the personal data breach is likely to adversely affect their privacy. In particular, providers have to describe the breach and provide a contact point for information, and recommend measures to mitigate the possible adverse effects of the personal data breach. This ensures that consumers are informed promptly about privacy threats resulting in their personal data being lost or otherwise compromised. They can thereby take precautions to minimize the possible economic loss or social harm that could result from such a security breach.
Article 5(1), a key provision on confidentiality, remains unchanged and requires Member States to ensure the confidentiality of communications and the related traffic data through appropriate legislation. In particular, they have to prohibit interception or surveillance of communications and the related traffic data by persons other than users. There are, however, a number of exceptions to the confidentiality obligation. For example, the storage of data is permitted with the consent of the affected person or where it is justified by national defence measures or for technical reasons, business practices, or billing purposes.
Article 13 concerns ‘unsolicited communications’, prohibiting automated calling and communication systems or electronic mail for direct marketing purposes, without the prior consent of subscribers or users. However, if a person obtains from its customers their contact emails, the person is allowed to use this contact for marketing purposes under specific conditions, in particular the consumer must be given the possibility to object to such publicity on the occasion of each message (Article 13(2)). Importantly, Article 13(6) stipulates that any ‘person adversely affected by infringements of national provisions adopted pursuant to this Article, may bring legal proceedings in respect of such infringements’. This provision thereby reinforces the application of legal actions against infringers of data protection, which might become an important tool in the fight against unsolicited commercial communications in the EU.
Finally, Article 15(a) of the new directive further improves enforcement mechanisms currently in place, requiring Member States to establish rules on dissuasive penalties applicable to infringements.
-  See e.g. the introductory note 5 of the Directive 2002/58/EC on privacy and electronic communication, of 12 July 2002.
-  For a detailed discussion on the role of fundamental rights in contract and e-commerce, seeC. Mak, ‘Fundamental Rights and the European Regulation of iConsumer Contracts’, (2008) 31J. Consumer Policy, pp. 425-39.
-  Directive 2009/136/EC, OJ L 337/11, 18.12. 2009.