This article is written by Gannat Juneja, pursuing Diploma in International Data Protection and Privacy Laws from Lawsikho. The article has been edited by Zigishu Singh (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).
Nowadays issues related to the protection of personal data are popping up daily and feature a strikingly contradictory approach. Data collected for a given purpose is made available for different purposes justifying them as equally important. Data processed by a given agency is made available to different agencies. Thus, it exposes an individual’s information to the maximum extent leaving no room for privacy. It implies a new distribution of political and social powers.
Integration of the knowledge with the awareness of rights and the huge amount of information available on the internet has increased awareness for data protection. The importance of Data protection is necessary for upholding the privacy of and most importantly, the freedom of individuals. Data protection is recognized as a fundamental and autonomous right under the Charter of Fundamental Rights of the European Union.
Difference between various types of rights
But at first, we need to understand human rights vis-à-vis fundamental rights and constitutional rights?
To understand the difference between rights, constitutional rights and human rights, we need to understand what is a right. Rights are those which are morally correct, just, or honourable like legal claims people have against others granted by the law or evolve out of relationships or status or designation.
Constitutional rights regulate the relationship between citizen and state and provide citizens with freedom from governmental interference. Human rights are independent of nationality or citizenship as compared to constitutional rights that are granted to the citizens of a state. Human rights are granted to all human beings establishing the essential values to make their life worth living. European data protection law has its deep roots in a state-level law rather than from national law or from any directive, when the world’s first comprehensive information privacy statute was enacted by the Hessian Parliament in Wiesbaden, Germany, on September 30, 1970.
History of data protection laws in Europe
Other European Union (EU) states like Sweden, Austria, Denmark, France, and Norway followed the footprints of Germany. From 1973 to 1978, these states also enacted data protection statutes as well as with a unanimous resolution to enact Fair Information Practices (FIPs) and simultaneously EU Data Protection Directive of 1995 followed by the privacy agreements.
The EU established FRA (European Union Agency for Fundamental Rights) as an independent body in 2007 based in Vienna to help safeguard the rights, values and freedoms as mentioned in the European Union’s Charter of Fundamental Rights.
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981 by the Council of Europe laid down the object and purpose of the instrument under Article 1. The convention specifically referred to the right to privacy establishing the objective to secure the privacy rights of every individual along with other rights (be it fundamental rights/constitutional rights or human rights) as well as freedom in the European Union irrespective of citizenship, nationality, residential status or place of birth. The right to privacy along with data protection is most importantly recognized and granted by the convention along with other freedoms to enjoy a peaceful life.
The Schrems decisions
The cherry on the cake was placed when the European Court of Justice came out with the landmark decisions on SCHREMS-I and SCHREMS-II.
In the case of Schrems I, the Court held that ‘Article 25(6) of Directive 95/46 (Data Protection Directive of EU, enacted in October 1995) implements the express obligation laid down in Article 8(1) of the Charter to protect personal data and is intended to ensure that the high level of that protection continues where personal data is transferred to a third country.
When the European Court of Human Rights confirmed that data protection is partly covered under Article 8 of the European Convention of Human rights, data protection came under the umbrella of fundamental rights as per the Charter of Fundamental Rights of the European Union. Right to data protection is one of the sensational issues for legal as well as political dialogue and shall remain for the next decade across the globe.
Article 7 of the Charter of Fundamental Rights of the European Union : Respect for private and family life
Everyone has the right to have his or her private and family life, home and communications respected.
Article 8 of the Charter of Fundamental Rights of the European Union : Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and based on the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right to access data that has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Article 7 guarantees the right to privacy and most importantly Article 8 emphasizes the right to the protection of personal data. Further Article 8 segregates the right to privacy and provides the protection of personal data the status of fundamental rights separately.
It is interesting to note that the European Union has directly used the concept of fundamental rights in its texts and communications instead of incorporating natural rights and human rights. Thus by incorporating the fundamental rights in its documents, the EU has raised the standards of data protection and privacy framework and has brought them at par with the other ‘fundamental rights’ laid down. Moreover, the data protection concepts have been substantially expanded over time exponentially.
The situation after the adoption of GDPR
Thus, the EU Charter of Fundamental Rights has granted the basic fundamental rights along with the data protection and freedoms granted to everyone in the European Union irrespective of nationality, domicile, religion, caste or any other ground. It is worth mentioning here that the right to data protection is in the limelight due to the applicability of the General Data Protection Regulation (GDPR) since 2018 with heavy fines and penalties for violations.
The paramount aspect is that GDPR has cross-border implications and framing down the concepts of data processing, ironing out the creases at the national level of data protection within different countries of the EU. The Regulation has granted the authorities with sharp teeth and wider powers with a leading supervisory authority investigating EU-wide data protection and processing activities related to personal and sensitive data.
Further, The Working Party has been replaced by a European Data Protection Board, which has been bestowed with wider powers. Certain articles/ directives and texts have been included amongst the General Data Protection Regulations to clarify in detail and plugging the ambiguities on the way of interpretation of the fundamental rights. Further, this aspect has led to increased harmonization and a better data protection framework under the purview of fundamental rights.
The right to data protection has been further granted the status of a fundamental right is further enshrined in Article 16 of the Treaty on the Functioning of the European Union.
It lays down that:
1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting per the ordinary legislative procedure, shall lay down the rules related to the protection of individuals concerning the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.
The rules adopted based on this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.’
The Charter and the Treaty alongside the latest GDPR regime grants the protection to the right of data protection. It ensures that GDPR must be read and interpreted under the light of the Charter and the Treaty. Directive 95/46 in consonance with the Charter provides a high level of protection but that could easily be deceived by transferring personal data for processing to third countries from the European Union.
Thus data protection is now protected on the highest level in the EU and is rightly established as a fundamental right. Further, the EU has an explicit mandate in terms of GDPR to regulate the field of data protection, which is unique compared to other fundamental rights as well as in terms of the treaty.
The General Data Protection Regulation has further substantiated the right to data protection in detail on the highest level possible of the fundamental rights in the EU. But there are certain aspects that make it impossible to digest that data protection is fully a fundamental right. This is because internal and international security requirements require the sharing of data making it vulnerable and piercing the protection granted under fundamental rights. Furthermore, government organizations, public agencies, competition amongst the rivals, race to control the market share and social websites are leading to penetration of implemented safeguards and making data more vulnerable to hack and making the mockery of fundamental right status granted to the data protection.
There are certain deviations that are highlighted as the processing of certain sensitive personal data which fall under Article 9 of GDPR such as political orientation, medical conditions or race, which might be essential to establish law and order in a democratic society. Similarly, in certain matters like in the case of Digital Rights Ireland, the Court regarded the legality of the Data Retention Directive as protection to fundamental (human) rights.
But as in the case of data protection rules which already seems to be a dilemma between the fundamental right of the protection of personal data as compared to the free flow of information creating the biggest hindrance in the very fundamental right itself.
The new GDPR regime establishes the transparent processes of data protection by introducing the concepts of adjudicating authority, data controllers, data processors, rules regarding the transfer of personal and sensitive data, keeping data up-to-date as well as return or delete of data securely and confidently, so that the privacy is maintained and data is protected on a priority basis. But the protection of data protection as a fundamental right is in jeopardy as the meaning and precinct of ‘personal data’ is expanding daily leading to every type of data being termed as personal data.
The concept of data protection as EU-wide harmonization of data protection rules through GDPR is more akin to market regulation instruments than to human rights documents. Further, the fines to the tune of 20 million Euros of 4% of total global turnover make it more of a market regulation instrument rather than qualifying data protection as fundamental protection laws.
Some provisions of data protection satisfy the idea of fundamental human rights, whereas the majority of the data protection qualifies as a market regulator.
Further to qualify the data protection as the fundamental right, the law scholars have defined certain approaches to compare the same with traditional features of the fundamental right.
First is the classical approach of fundamental (human) rights which is not qualified by the Right to data protection in the literal sense. However, modern interpretation with widened scope must be accepted to digest the data protection as a fundamental right granted to an individual.
Secondly, multi-faceted aspects of data protection can be categorized under the fundamental right, market regulations and as the protection of consumer rights.
Data protection framework has been enacted to undergo data processing activities fairly and transparently that can be carried out in compliance with the law of the land without attracting any penalties prescribed thereunder GDPR or any other relevant regulations in contrast to violation of human rights of data protection and privacy and to live with dignity.
Finally, we can conclude that rules and regulations regarding data privacy and protection are more of regulating personal data in the market scenario rather than to protect human rights or acquiring the status of fundamental rights or more precisely to treat data protection laws as an ordinary consumer (data subject) protection rights. Thus, it seems that the term for data protection rights must be coined as a data protection consumer right, rather than a purely fundamental right.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: