Important Concepts - Week 1

Question 1

When are privacy and personal data protection different terms?

Answer 1

In some legal systems, such as in the USA, privacy is used to indicate also data protection (sometimes this latter is referred to as ‘informational privacy’ or ‘data privacy’).
In the European Union (EU) however, privacy and data protection are not the same thing. They
indicate two different fundamental rights.

Question 2

What are the differences between privacy and personal data protection?

Answer 2

see figure 1 in Docs

Question 3

What was privacy when it historically emerged first?

Answer 3

Historically, privacy emerged first: it was a right to protect the private life, the relationships (family), the home, and the correspondence, from the intrusions of the state. The right to privacy was also used to protect citizens against those cases of surveillance (tapping the phone, bugging a room, intercepting letters or emails) that did not respect minimum safeguards and
protections

Question 4

What happened with the evolution of computers and the internet?

Answer 4

the digitalization of information made it easier and cheaper to collect, store, transfer, share, and analyze information concerning an individual: in the 1990s, the idea emerged at international level and in the EU, that personal
data needed protection too

Question 5

What was the right to privacy used to protect intially?

Answer 5

Initially, the right to privacy was used to protect personal data too: after all, those were data concerning the private lives of individuals

Question 6

What were the legal tools at that time?

Answer 6

national constitutions (in each Member State of the EU), and art. 8 of the European Convention for Human Rights (ECHR)

Question 7

What happened when the EU reformed its structure?

Answer 7

Around 2009 (the dates are not important, you don’t have to memorize them) the EU reformed its structure and created new treaties regulating the Union. One of these is the Charter of
Fundamental Rights of the EU (EU Charter)

Among these there is the right to privacy (at article 7) and, FOR THE FIRST TIME EVER, the right to personal data protection (at article 8). It is the first time that
personal data are recognized as fundamental rights, in the world

Question 8

What is the EU Charter?

Answer 8

The EU Charter contains the fundamental rights recognized in the EU

Question 9

Under which juridiction is the application of the EU Charter?

Answer 9

The application of the EU Charter is under the jurisdiction of the Court of Justice of the EU (CJEU)

Question 10

How do the two rights often overlap?

Answer 10

Sometimes, applying personal data protection also protects the privacy of individuals (many times). Sometimes you can have a processing that is in compliance with personal data protection, but still violates the privacy of individuals. The two rights (privacy and data
protection) often overlap, intertwine, touch, and build upon each other.

Question 11

How are sources in law organized in a hierarchy?

Answer 11

see docs
In law, generally, sources are organized in a hierarchy: on top there are the fundamental principles, for example the constitutions of a nation, and some international treaties, especially those protecting fundamental rights. Then there are laws (constitutional laws and, a step lower, ordinary laws), and finally all those administrative acts issued by ministers and other public
entities.

Question 12

How must each source be compliant with the source above?

Answer 12

Each source must be compliant with the source above them: laws cannot disobey the constitution, and if they do, they will be declared unconstitutional and will no longer apply. A ministerial guideline must obey the rules established by a certain law, and must also obey the
constitution.

Question 13

What is the hierarchy
of sources in the EU?

Answer 13

In the EU there is also a hierarchy of sources: on top there are the constitutions of each Member States and the treaties establishing and regulating the EU, including the EU Charter.

Question 14

What are under the primary legaslative tools

Answer 14

These are called ‘primary legislative tools’: they are on top of the hierarchy, and all the sources below
them cannot contradict them. They prevail on the sources below them

Question 15

What are the secondary legislative tools?

Answer 15

Under the primary legislative tools, there are the secondary legislative tools: EU Directives and EU Regulations. The GDPR is an EU Regulation: as such, it derives from the primary legislative sources and must comply with them. In particular, the GDPR has been created to comply with article 8 of the EU Charter, the right to data protection (but it also helps protecting
article 7 of the EU Charter, the right to privacy

Under the secondary legislative tools, there are the national laws created to implement them in each Member State. Sometimes this is necessary because the Directives or Regulations leave
room to Member States to decide on some details. The GDPR for example establishes that the
age for minors to consent to data processing is between 13 and 16: each Member State can decide which one exactly (and to do so, they issue a national law).

Question 16

What are the various sources at the lower level?

Answer 16

Finally, at the lower level there are various sources: the guidelines and opinions issued by the EDPB, the guidelines issued by national ministers or national Data Protection Authorities, the case-law of the ECtHR and the CJEU, the case-law of national courts (especially supreme
courts and constitutional courts

Question 17

What do these sources do together?

Answer 17

Primary sources, secondary sources, national legislation, and guidelines and case-law are all sources applicable to privacy and data protection, and they all work together to create the
system of privacy and the system of data protection in the EU and in each Member State.

Question 18

What is the ECHR?

Answer 18

The ECHR is an international convention managed by the Council of Europe (an international body NOT connected to the EU). The application of the ECHR is under the jurisdiction of the
European Court for Human Rights (ECtHR)

Question 19

What is the ECtHR?

Answer 19

The ECtHR is NOT part of the EU, it is an international court specialized in human rights violations and in the application of the ECHR. As you can see below, the Council of Europe (and the states that joined the ECHR) are 46:
among the 46 states there are all the single Member States of the EU (27 now)

Question 20

How is the ECHR system independent from the EU?

Answer 20

The ECHR is a system independent from the EU: it developed separately, and works by itself, even though the EU and its Member States are part of it.
To understand how independent they are, consider this: the ECHR applies to the EU Member States (like Italy, France, Germany, The Netherlands, Poland, etc), but it also applies to Turkey, Georgia, Armenia, Azerbaijan. These states are not part of the European Union! On the contrary, the EU Charter, being a tool of the European Union exclusively, does not apply to
Turkey, Georgia, Armenia, nor Azerbaijan.

Question 21

What was there up until 2009?

Answer 21

Up until 2009, the EU did not have any power to make rules concerning human rights, so at that time the ECHR was the only legislative tool (together with national constitutions) to protect human rights in the EU. And the ECtHR was the only court (besides national courts) that could decide on cases of human rights violations.

Question 22

What happened after 2009?

Answer 22

After 2009, the EU and its member states had their own legislative tool concerning human rights: the EU Charter. And the CJEU is the court that can decide on cases of human rights
violations in the EU, since then

Question 23

What happens since the text of the EU charter and the ECHR are very similar to one another?

Answer 23

The text of the EU Charter is very similar to that of the ECHR: many articles of the two tools are considered substantially compatible. For this reason, the CJEU also looks at the cases decided by the ECtHR to solve its own cases. The old case-law created by the ECtHR is still very valuable and important to interpret the EU Charter too. This is why in class we might look
at case-law by the ECtHR, sometimes alone, sometimes together with case-law from the CJEU.

Question 24

What must you do when answering a question regarding privacy and data protection?

Answer 24

whenever you want to answer a question about privacy or data protection as fundamental rights, you must specify if you your answer is based on the ECHR (and on the jurisprudence of the ECtHR) or on the EU Charter (and on the jurisprudence of the CJEU), or
if you will use both

Question 25

Why does the ECHR and EU have to be independent while they include both privacy and data protection?

Answer 25

Because the ECHR and the EU are two independent systems, they both include privacy and data protection: it seems redundant, but since the provisions are similar, there is no conflict, and the redundancy does not create too many problems. It just needs some coordination.

Question 26

How are the two texts of the ECHR and the EU Charter similar when talking about privacy?

Answer 26

see figure 3 docs

Question 27

How is the right to privacy not absolute?

Answer 27

The right to privacy is not absolute: it means that privacy must be balanced with other fundamental rights (for example the freedom of expression and information, or the right to a good and transparent administration) or other interests of the state (for instance public security, public health, economic stability) and, depending on the factual circumstances, it might not prevail.

Question 28

What is the core component of the right to privacy?

Answer 28

The core content of the right to privacy is that every individual has the right to not suffer interferences with their private life, family life, home, and communications.

Question 29

What does the CJEU look at the law of ECtHR?

Answer 29

The CJEU looks at the pre-existing case-law of the ECtHR to see how it interpreted ‘private life, family life, home and correspondence’. These terms indicate concepts that can change over time, or that can manifest differently in different cultures. For instance: What is considered a family now (2022) includes couples living together without being married, same-sex marriages or partnerships, parents with adopted children, parents with children out of wedlock. These might not have been considered a family 50 years ago in many European countries. The case-law of the ECtHR reflects many of these cultural changes, and recognizes that all those listed above are protected by the right to privacy as ‘family life’

Question 30

What can we discover based on the case-law of the ECtHR?

Answer 30

Based on the case-law of the ECtHR we can discover that some business relations fall within private life (because work is an important part of the life of an individual and close relationships can develop on the workplace too). Or that a home is protected under the right to privacy even if the inhabitants have not lived in it for a long time, as long as there is an emotional connection to it (and it can be proved). We have also discovered that there are expectations of privacy: each place and activity is connected to certain social norms, regulating what is the expected behaviour. Some of these social norms also regulate privacy: individuals can expect a certain degree of privacy, that changes based on the place where they are, the circumstances, and/or the kind of actions they are performing.

Question 31

How is privacy in public helped by anonymity?

Answer 31

with anonymity, we are not afraid of expressing our opinions, joining a demonstration, dress in any way we prefer, etc. Without anonymity, we might change our behaviours to avoid unpleasant consequences. In general, the act of changing a behaviour for the fear of being observed, surveilled, or for the fear of unpleasant consequences is called “chilling effect”. It can happen both online and offline

Question 32

What is important to remember that is stated in the EU charter?

Answer 32

- Privacy and data protection are connected concepts, but they are not exactly the same; - As a consequence, sometimes, a certain action can be compliant with the right to privacy, but not with the right to data protection: for instance, if a CCTV camera in the street is filming people walking by for security reasons, if certain requirements and safeguards apply (those highlighted in yellow in the image in paragraph 5) it can be compatible with privacy. If, however, that CCTV is equipped with Face Recognition Technology, it means that the people walking by are being identified: this means that the personal data protection also applies, in the form of Article 8 EU Charter and also of the GDPR. As we will discover in Lectures 3 and 4, the GDPR establishes that if there isn’t a proper legal basis, and the principles of lawfulness, fairness, purpose limitation, data minimisation, accuracy, and security, are not respected, then there is a breach of data protection. That breach of data protection exists even if the CCTV camera with FRT were compatible with the right to privacy. - Viceversa: sometimes an action is compatible with data protection, but it is still a problem for privacy: for instance, users of Alexa, Siri, and Google Home bought the products and consented to their privacy policy. However, at some points in 2019 it was discovered that Amazon, Apple, and Google employees were listening to short snippets of the recordings of Alexa/Siri/Google Assistant to solve conflicts and fix problems. This is a common practice in the sector: sometimes the software does not understand what the users were saying, so humans are used to understand the words and teach the software to recognize them. However, average users didn’t know it could happen, and that it is a common practice in the sector, and lamented that they felt their privacy violated at the idea that a human was listening to short snippets of their conversations. - This has an implication for data analytics: when data analysts works with datasets, it might be a good idea to ask themselves: “where were the data collected from? What are the expectations of privacy of individuals, based on the origin of the data? Are there privacy implications?”

Question 33

What does article 8 of the EU charter protect?

Answer 33

Article 8 of the EU Charter protects personal data of individuals from unlawful and unfair processing. The EU Charter is the only case in which data protection is codified as a fundamental right in and of itself.

Question 34

What does the ECHR state in article 7? What is Convention 8

Answer 34

n the system of the ECHR, personal data are protected as part of privacy, by Article 7 ECHR and by an international convention called “Convention 108”, managed by the Council of Europe (the one with 46 states, remember? See paragraph 3 above!). Convention 108 was created first in the 1980s and contains many terms and concepts that were used subsequently by the European Union to create the GDPR.

Question 35

What does Article 8 not prohibit?

Answer 35

Article 8 EU Charter does not prohibit to process personal data: it simply establishes rules to carry out that processing. This is because personal data are important for the economy in the internal European market (and globally too).

Question 36

How is the right to data protection not absolute?

Answer 36

it means that data protection must be balanced with other fundamental rights (for example the freedom of expression and information, or the right to a good and transparent administration) or other interests of the state (for instance public security, public health, economic stability) and, depending on the factual circumstances, it might not prevail

Question 37

The right to privacy (article 8 ECHR, article 7 EU Charter) and the right to data protection (article 8 EU Charter) contain a negative obligation and also a positive obligation, for the states. What does this mean?

Answer 37

- The states (and the EU) are the addresses of the EU Charter and the ECHR: not individuals or companies, but states (and the EU). - Negative obligation means that the states must abstain from interfering with, compressing, or limiting fundamental rights. It means that states (their institutions, the governments, the ministries, the municipalities, other public bodies) cannot act in a way that infringes fundamental right, in our case in particular the right to privacy and the right to data protection. The negative obligation applies to the so-called ‘vertical relationship’: the relationship between a citizen and the state. - Positive obligations means that the states also must ensure that the fundamental rights are not infringed by other individuals, companies, or other third parties. States have the duty to create all the conditions necessary for fundamental rights, and in our case in particular privacy and data protection, to be upheld and respected among private citizens and companies. Positive obligations apply to the so-called ‘horizontal relationships’: the relationship among citizens, or between citizens and companies.

Question 38

Why is the GDPR created?

Answer 38

To comply with the positive obligation created by the right to data protection (Art. 8 EU Charter), the European Union has created the GDPR, General Data Protection Regulation.

Question 39

How does the hierarchy apply to these articles?

Answer 39

Remember the hierarchy of the sources from paragraph 2: articles 7 and 8 of the EU Charter are primary legislative tools, they are on top of the hierarchy, and all the sources below them cannot contradict them. The GDPR is an EU Regulation, so it is part of the secondary legislative tools. The GDPR respects and implements more in details the provisions of Article 8 EU Charter: if you look at the basic rules and principles established in the GDPR (articles 5, 6, and 7 of the GDPR), they mirror the words of Article 8 paragraph 2 EU Charter

Question 40

What is article 52 about?

Answer 40

In paragraphs 5 and 8 above, it has been mentioned that infringements or limitations to the right to privacy and the right to data protection are considered legitimate if they meet certain conditions and safeguards. In the system of the EU Charter these limitations and safeguards are established by article 52. See figure 5 in Docs

Question 41

How does the CJEU use article 52 as a test?

Answer 41

The CJEU uses article 52 as a test: an action, law, decision, or omission of a Member State is analyzed to see: - If the action, law, decision, or omission is a limitation of a certain fundamental right (for instance in our case the right to privacy and/or the right to data protection); - Whether it is provided by the law (law can be interpreted in many ways: is a guideline issued by a minister a law? It depends, especially based on how much discretional power it gives the public authority). - Whether it goes against the ‘essence of the right’ (interpreting what the essence of the right to privacy and the essence of the right to data protection are is proving to be very difficult, too difficult to be discussed during this course). - Whether the limitation is necessary (often times this is interpreted as a proportionality requirement, by answering the question: “is there a less intrusive way that the state can use to obtain the same result?”). - Whether the limitation genuinely (without hiding a second purpose) meets an ‘objective of general interest’ of the EU or a Member State (for example the economy of the internal market, public safety and security, public health), or the protection of another fundamental right or interest (for example it is necessary to limit the privacy of certain people so that the news can talk about a crime that happened: information is a general interest and is part of the freedom of expression and information).

Question 42

How is in the system of ECHR article 8 similar set of conditions and safeguards?

Answer 42

The system of the ECHR has a similar set of conditions and safeguards in Article 8 ECHR, paragraph 2 (in yellow in the image below): See figure 6 in Docs Some words used are different, leading to some differences in how the ECtHR tests the actions of a state to check whether they are an infringement of the right to privacy, and whether they can be accepted. This is not relevant now for this course, as it is also very long and complex.