Privacy and Data Protection based on the GDPR
By Leo Besemer
About this ebook
For many organizations processing personal data, the GDPR came as a shock. Not so much its publication in the spring of 2016, but rather the articles that appeared about it in professional journals and newspapers leading to protests and unrest. “The heavy requirements of the law would cause very expensive measures in companies and organizations”, was a concern. In addition, companies which failed to comply “would face draconian fines”.
This book is intended to explain where these requirements came from and to prove that the GDPR is not incomprehensible, that the principles are indeed remarkably easy to understand. It will help anyone in charge of, or involved in, the processing of personal data to take advantage of the innovative technologies in processing without being unduly hindered by the limitations of the GDPR. The many examples and references to EDPB (European Data Protection Board) publications, recent news articles and case law clarify the requirements of the law and make them accessible and understandable.
“Leo’s book can provide very effective support to you and your colleagues in reaching this understanding and applying it in practice.”
Fintan Swanton, Managing Director of Cygnus Consulting Ltd., Ireland.
PART I | Privacy and data protection history and scope
In this first part of the book we look into the history of privacy and data protection law. The need for privacy has increased tremendously over the past century, fueled by advancements in technology that offer ever more opportunities to collect information about individuals. The concept of privacy as a fundamental right was only established after, and undoubtedly also as a result of, the Second World War. Chapter 1 describes how the right to privacy was incorporated in treaties and later in law, and how this ultimately led to the General Data Protection Regulation (GDPR) which is applicable law in the EU and the Member States of the European Economic Area.
We then move on to the context in which the GDPR interacts with other European law and with national law in the Member States. We sometimes tend to forget how much legislative power we have given to the EU. Based on the Treaty on the Functioning of the European Union (TFEU), however, the GDPR as a European regulation not only interacts with national law, it supersedes it.
The GDPR is very important for anyone who processes personal data on European residents in any way, but the scope of the law is not unlimited. That is what the rest of Chapter 1 is devoted to. Questions like “can we still send season’s greetings” and “what about the rowing club’s list of members” are answered there.
1 History and context
Key subjects
In this chapter we will cover:
- The history of privacy as a concept;
- Privacy and data protection from a legal viewpoint;
- Applicable European and national law regarding privacy and data protection;
- The scope of the General Data Protection Regulation.
1.1 The history of privacy and data protection
At the time our distant ancestors lived as nomads, privacy was not an issue. In fact, it was in the group’s interest to stay close at all times, to hunt together, to look out for the group and help defend it, to share food, shelter and indeed body warmth. Knowing each other intimately was important, both because of the need to trust each other’s skills and to be aware of hostile intentions, such as the continuous struggle for leadership of the group. In those circumstances, seeking isolation would be seeking danger and being banned from the group would almost certainly lead to death.
This lack of personal privacy did not really change in the ages thereafter. Poor people had little or no privacy, either because they were not free (slaves, serfs, servants, etc.) or because they lived closely together in settlements or neighborhoods where the same need for mutual help and support still existed. But the rich had hardly any privacy either, because the habits and the necessity of security required the continuous presence of many staff. Seclusion was seen as abnormal behavior. The view was that you would only seek it if you had something to hide, only if you wanted to do something that could not bear the light of day.
The need for privacy as we know it today came up for the first time at the end of the 19th century, when newspapers appeared with extensive society pages, taking gossip to a new level. The announcement on 22 October 1882 of the engagement of Mr. Samuel D. Warren Jr. and Miss Mabel Bayard was a kind of starting point. Samuel Warren was a young lawyer from Boston, USA, and as such not used to being the subject of newspaper headlines. His fiancée, however, was a daughter of Senator Bayard and what we today would call a celebrity. Over the following decade, more than sixty newspaper articles appeared, describing down to the smallest detail their social life, their marriage, their family’s highlights and sad events (Gaida 2008).
The continuing intrusive press coverage ultimately led to an article in Harvard Law Review, written by Louis D. Brandeis and Samuel D. Warren Jr. (Brandeis 1890), which is widely regarded as the first publication in the United States to advocate a right to privacy.
The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle.
(…)
Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right ‘to be let alone.’
Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that what is whispered in the closet shall be proclaimed from the house-tops. (…)
Source: (Brandeis, 1890)
In the article Warren and Brandeis advocate the necessity of law enforcing this right to be let alone and describe its boundaries as an extension of the then existing common law. At that time privacy was thought of as a relational matter, only existing in the context of home and family. At first, however, this desire to control personal information and social image, and the plea for a legal system to protect these rights, did not get much attention.
Up to and directly after World War II, state constitutions protected only aspects of privacy. Such guarantees concerned, for example, the inviolability of the home and of correspondence and the classical problem of unreasonable searches of the body. No state constitution, however, contained a general guarantee of the right to privacy. An integral guarantee protecting the more specific aspects of privacy and private life in their entirety, was unknown at the time.
1.1.1 Human rights law
1.1.1.1 Universal Declaration of Human Rights
After World War II, the UN Commission of Human Rights (UNCHR) started working on what was initially intended as an International Bill of Rights. It was one of the first attempts to make globally enforceable agreements. EU history literature (Diggelman, 2014) describes the tedious discussions between the members of the Committee, representatives with very different legal and cultural backgrounds from all regions of the world. This was a time when the right of women to be treated as equals to men was hardly accepted anywhere, a time when governments all over the world had come to regard torture and inhuman treatment as acceptable means to an end.
The Universal Declaration of Human Rights (UDHR) is a milestone document in the history of human rights. The UDHR was proclaimed by the United Nations General Assembly in Paris on December 10, 1948 (General Assembly resolution 217A) as a common standard of achievements for all peoples and all nations. It sets out, for the first time, fundamental human rights to be universally protected. In its preamble the UDHR recognizes that "the inherent dignity and (…) the equal and inalienable rights of all members of the human family is the foundation of freedom, justice and peace in the world."
The declaration explicitly defines the right to a private life and the freedoms associated with this:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation.
Everyone has the right to the protection of the law against such interference or attacks.
UDHR Article 12
However, the declaration also defines the right to freedom of information and expression:
Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.
UDHR Article 19
These provisions may seem at odds, in particular where the exercise of the rights defined in Article 19 might result in an invasion of privacy, violating Article 12. This potential conflict, however, is reconciled later:
In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society.
UDHR Article 29(2)
Keeping the balance between the right to information and the rights and freedoms of individuals, however, is a challenge, and a thread running through the history of privacy law up to the current day.
It took another eighteen years before the United Nations in UN Assembly Resolution 217 (III) agreed upon the International Bill of Human Rights, consisting of the UDHR, the International Covenant on Civil and Political Rights (ICCPR, 1966) and the International Covenant on Economic, Social and Cultural Rights (ICESCR, 1966). The two covenants entered into force in 1976, after a sufficient number of countries had ratified them. The covenants require countries ratifying them to include the principles described in them in their national legislation.
The provision of ICCPR Article 17 is almost identical to Article 12 of the UDHR, but the word “unlawful” has been added twice:
No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks upon his honor and reputation.
ICCPR Article 17
The amendment changes the concept of the right to privacy in the sense that governments have the right to intrude on a person’s privacy for reasons explicitly laid down by law.
1.1.1.2 European Convention on Human Rights
In the aftermath of World War II, a strong need was felt for European co-operation. Many pro-European movements actively promoted the establishment of an organization that would prevent a return to totalitarian regimes and would defend fundamental freedoms, peace and democracy. On 5 May 1949, the Council of Europe was founded in London. Its aim, according to Article 1 of its statute, is "to achieve a greater unity between its Members for the purpose of safeguarding and realizing the ideals and principles which are their common heritage and facilitating their economic and social progress". An important role of the Council of Europe is to promote human rights through international conventions. One of the first of these was the Convention for the Protection of Human Rights and Fundamental Freedoms, better known as the European Convention on Human Rights (ECHR), which entered into force on 3 September 1953.
Figure 1.1 COE logo
From the original ten members in 1949, today the Council has grown to 47 members, including all members of the European Union. The map in Figure 1.2 shows the current Member States of the Council of Europe.
Figure 1.2 Council of Europe Member States.
Note that Belarus is not a member, because the country does not meet the human rights and democratic standards of the Council. In particular, it will have to abolish the death penalty if it wants to join.
The ECHR is important because of the scope of fundamental freedoms it protects. These include the right to life, prohibition of torture, prohibition of slavery and forced labor, the right to liberty and security, the right to a fair trial, no punishment without law, the right to respect for private and family life, freedom of thought, conscience and religion, freedom of expression, freedom of assembly and association, the right to marry, the right to an effective remedy and the prohibition of discrimination.
With regard to privacy and data protection, the ECHR includes the text of the UDHR:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
ECHR Article 8
In the ECHR, just as in the ICCPR, this protection of the rights of individuals is not absolute. There may be lawful reasons of public interest for governments to breach an individual’s right to privacy. Just as the UDHR does, the ECHR recognizes that there is a need to balance the rights of individuals with justifiable interferences with these rights.
The importance of this text as a part of the European Convention is that it is now part of a treaty to uphold human rights throughout the Member States of the Council of Europe. New members of the Council are expected to ratify the ECHR and other Council of Europe treaties at their earliest opportunity. The ECHR is also a significant and powerful legal instrument because it is enforced by the European Court of Human Rights. The rulings of the Court are binding on the Member States concerned.
1.1.1.3 OECD Guidelines and the Treaty of Strasbourg
In the 1970s, the progress in data processing and the increased possibilities in the use of telecommunications led to concerns that Article 8 of the ECHR was no longer sufficient to protect "the right to respect for his private and family life, his home and his correspondence". Large mainframes were introduced, allowing big companies and public administrations to improve the collection, processing and sharing of the personal data of millions of people, using large databases. As a result, a need was felt for new standards that would allow individuals to exercise more control over their personal information. At the same time, international trade required the free international flow of information. The challenge was once again to find a balance between these aims.
A new effort to reconcile the protection of privacy and the need for free international flow of personal data came from the Organization for Economic Co-operation and Development (OECD). This organization, founded on 30 September 1961, aims to promote policies designed to achieve the highest sustainable economic growth and employment, and a rising standard of living in member as well as non-member countries, while maintaining financial stability, and thus to contribute to the development of the world economy.
Figure 1.3 OECD logo
In 1980, the OECD developed the “Guidelines on the Protection of Privacy and Trans-border flows of Personal Data”, providing basic rules concerning the protection of personal data and privacy and on cross-border data flow. The aim was to help harmonize the data protection laws between countries. The Guidelines were not legally binding, but intended as a basic framework for national data protection law worldwide, introducing the set of data protection principles that we find today in GDPR Article 5. These principles will be discussed in detail in Part II of this book.
1.1.1.4 Council of Europe (CoE) Convention 108
The OECD guidelines were formalized in 1981 in Council of Europe Convention 108, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which made it the first legally binding international instrument to set standards for the protection of personal data, whilst at the same time again aiming for a balance with the need for a free flow of personal data for international trade purposes. Convention 108 is also known as the “Treaty of Strasbourg”, but due to the place of Strasbourg in European history there are many treaties by that name. Convention 108 came into force on 10 October 1985, after the required five Member States had ratified it. By today, 55 countries have ratified the treaty, among them eight non-members of the Council of Europe.
A weakness in Convention 108 proved to be that it did not provide for transfers of personal data to countries that had not signed Convention 108. This was addressed in 2001 with the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows (CETS 181). This additional protocol introduced independent supervisory authorities in each country that signed it, and included the concept of an ‘adequate’ (in contrast to equivalent) level of protection for cross-border personal data transfers to non-EU countries.
It should be noted that CoE Convention 108 is still binding for states that have ratified it. Over the years, the European Court of Human Rights (ECtHR) has ruled that personal data protection is an important part of the right to respect for private life (ECHR Article 8), and has been guided by the principles of Convention 108 in determining whether or not there has been an interference with this fundamental right.
In 2012 Convention 108 was modernized after public consultations, including reinforcements to the protection of privacy in the digital arena. The modernization process was completed with the adoption of a protocol amending Convention 108 (Protocol CETS No. 223).
The Schengen Agreement abolishing internal borders between most EEC Member States and the political changes in Europe in the 1980s led to the ‘Single European Act’ (SEA), which came into force on 1 July 1987. An important aim of this Act was to establish a single European market by 31 December 1992. It was the first major revision of the 1957 Treaty of Rome. The SEA reformed the legislative processes of the European Community, particularly with regard to the decision-making procedure within the Council, the powers of the European Commission and the powers of the European Parliament, changing it into a formal legislative body. The SEA was intended to remove barriers and to increase harmonization and competitiveness among European countries.
Figure 1.4 EU logo.
A next step in the development of an ever-closer union among the peoples of Europe was the Maastricht Treaty, which entered into force on 1 November 1993. The Treaty merged the European Economic Community (EEC), the European Coal and Steel Community (ECSC) and the European Atomic Energy Community (Euratom) into a single institutional structure, the European Union (EU). The EU consists of the Council, the European Parliament, the European Commission, the Court of Justice and the Court of Auditors, which exercise their powers in accordance with the Treaties.
1.1.1.5 Data Protection Directive 95/46/EC
Though the objective of Convention 108 was to introduce a harmonized approach, even among the few countries that adopted national laws based on the principles described in it, the implementation was quite diverse. Growing concerns about this fragmented approach led to a proposal for a Council directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, generally known as Data Protection Directive 95/46/EC. As the title indicates, the directive aims to reconcile the free flow of data between Member States and the protection of the fundamental rights of individuals, at the same time complying with articles 8 and 10 of the ECHR. It is based on the same protection principles as CoE Convention 108, but now as an EU directive binding on the Member States, forcing them to create national law in line with the framework.
1.1.1.6 Charter of Fundamental Rights
The rights of every individual in the EU were established at different times, in different ways and in different forms. At the beginning of the new millennium the EU decided to include all of those fundamental rights in a single document. The Charter of Fundamental Rights of the European Union (the ‘Charter’, proclaimed in December 2002) included the general principles set out in the ECHR. The Charter also covers all the rights found in the case law of the Court of Justice of the EU and other rights and principles resulting from the common constitutional traditions of EU countries.
The Charter explicitly refers to both the protection of privacy and the protection of personal data as a fundamental right:
Article 7 – Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.
Article 8 – Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Charter of the Fundamental Rights of the European Union (2000/C 364/01).
After 2000 the European Union grew even more rapidly, both in terms of the number of countries and in political power. From 1 January 2002 the Euro became the currency in twelve EU countries. In May 2004 ten countries joined the EU, followed in 2007 by Bulgaria and Romania, bringing the number of Member States to 27 and effectively expanding its area over 1.000 km eastward. The only addition since 2007 has been Croatia, which joined the EU in July 2013.
Figure 1.5 Between 2004 and 2007 ten countries joined the EU
1.1.1.7 Treaty of Lisbon
On 1 December 2009, the Treaty of Lisbon became effective. Its main aim was to strengthen the structures of the enlarged European Union. The Lisbon Treaty amended the Treaty establishing the European Community again and renamed it to "Treaty on the Functioning of the European Union" (TFEU).
The Lisbon Treaty for the first time clarifies the powers of the Union. It distinguishes three types of competences: exclusive competence, where the Union alone can legislate, and Member States only implement; shared competence, where the Member States can legislate and adopt legally binding measures if the Union has not done so; and supporting competence, where the EU adopts measures to support or complement Member States’ policies. Union competences can now be handed back to the Member States in the course of a treaty revision.
The Lisbon Treaty gives the EU full legal personality. Therefore, the Union obtains the ability to sign international treaties in the areas of its attributed powers or to join an international organization. Member States may only sign international agreements that are compatible with EU law.
(Sokolska 2019)
One of the main objectives of the Lisbon Treaty is to constitute an area of freedom, security and justice with respect for fundamental rights and the different legal systems and traditions of the Member States (Article 67(1)).
The amended TFEU provides that:
The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.
Treaty on the Functioning of the European Union (TFEU) Article 16(2)
This article requires all EU institutions to protect individuals when processing their personal data. The European Data Protection Supervisor (EDPS) sees to compliance with data protection law within the EU institutions. The reference to “independent authorities” implies that, depending on the circumstances, national data protection authorities may also have jurisdiction.
In the following years, the possibilities of computers and computer networks developed at lightning speed. Millions of computers are connected worldwide via the internet. Personal data is processed in countless places, often with cross-border data traffic. International trade is also growing fast. Multinationals are becoming a normal form of business and mergers of companies to better serve the European market are the order of the day. Since then, the development of automatic computers and the internet has accelerated even more.
However, the rules and regulations in the Member States, although based on Directive 95/46/EC, were still quite diverse, requiring international companies and organizations to deal with a different set of laws in each of the countries where they had establishments.
1.1.1.8 General Data Protection Regulation (EU) 2016/679
After years of discussion, the GDPR was published on 25 May 2016. The GDPR applies as law in all countries of the EEA as of 25 May 2018. At the same time Directive 95/46/EC is repealed. This means that all national law based on this directive is replaced by the GDPR:
References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by (the GDPR).
GDPR Article 94(2)
Article 94 makes clear that, even when Member States need more time to update national law that somehow complements law based on Directive 95/46/EC, there can be no confusion on which law applies. As an EU regulation, the GDPR takes precedence.
As mentioned before, the principles described in Article 5 of the GDPR are not new. They were already expressed by the Council of Europe in Convention 108 as early as 1981, and again in the Data Protection Directive 95/46/EC. The definition of processing, the need for a legitimate purpose for processing and most of the other requirements of the GDPR were also requirements of Directive 95/46/EC, so processes to meet these requirements should have been in place in businesses and organizations for over twenty years.
Following the adoption of the GDPR by the European Parliament and the European Council in April 2016, and its subsequent publication in the Official Journal of the European Union, there was initially little reaction, except for some carefully written analysis from large legal firms, setting out the most important changes in legal English (usually with an invitation to hire them for a more detailed and bespoke solution). However, about a year before the new regulation would come into force and after newspapers had given it considerable attention, a storm of protest arose. Reports claimed that companies and organizations would not be able to become compliant within the two-year period before the regulation would apply. In addition, “horrendous fines” would cripple companies and lead to bankruptcy all over Europe. And, worst of all, the legal text was unclear and left a lot of