
High-quality data protection is more important than ever


In 1970, the state of Hesse enacted the world’s first data protection law. Over the past 50 years, this area of law has evolved from a rather exotic subject into a central issue in drawing the boundary between sovereign powers and private freedom and social autonomy, and perhaps even first and foremost between economic operators and consumers.

The objectives pursued with the submission of that bill, firstly to protect the privacy of the citizen, secondly to protect the data files from unauthorized access and thirdly to grant parliaments access to the stored information despite this protection, still seem as relevant today as they did 52 years ago.

As early as 1970, the Hessian Data Protection Act contained a number of provisions that are still part of the core of data protection today. These include data secrecy and an individual right to data protection that can be directed toward correction, restitution or omission, depending on the situation. Equally exemplary in this law has been the right of anyone to appeal to the data protection commissioner. Above all, however, Hesse’s data protection law has proved to be a catalyst for other German states, namely Rhineland-Palatinate, North Rhine-Westphalia and Hamburg, as well as for the Federal Data Protection Act and the data protection laws in Sweden and France, which were still being enacted in the 1970s. Hesse has not neglected its pioneering role in data protection in the subsequent period.

For example, the Hessian Data Protection Act of 1978 already contained a specific regulation according to which data collection is only permissible if the law or another legal provision allows it or if the data subject has given his consent beforehand. Equally groundbreaking was the further elaboration of the rights of data subjects, who were granted, in particular, the right to information and to correction, blocking and deletion of data stored about them. From today’s perspective, the most important innovations of the 1986 Hessian Data Protection Act undoubtedly include the principle of linking data processing to the purpose for which it was collected or stored, the provision on automated retrieval procedures and the right of data subjects to compensation for damages, and finally the detailed regulations on the legal position and powers of the data protection officer – right down to his staffing and material resources.

With the completion of the EU’s internal market, European regulation of data protection became a practical necessity, especially since the digitalization of the economy that began in the 1990s freed data protection from a primarily sovereign regulatory perspective and made it a concern that also had to be taken into account in private economic transactions. As already emphasized in the second recital of Directive 95/46 from December 1995, data processing systems are “at the service of people” and must in particular “respect privacy and contribute to economic and social progress, to the development of trade, and to human welfare”. The approximation of laws sought by this Directive must not – as the Union legislator programmatically put it – lead to a reduction of the protection already guaranteed, “but must, on the contrary, aim at ensuring a high level of protection in the Community”. Following the 1995 directive, the Union enacted – to name only the most important legal acts – the e-commerce directive, the e-privacy directive and the data retention directive in the 2000s. This was followed in 2016 by a second regulatory package comprising the new General Data Protection Regulation (GDPR), the so-called Police Directive and the so-called PNR Directive on the use of air passenger data.

Case law in the Union

Against this backdrop, the Union legislature can hardly be accused of being idle in the area of data protection. These legal acts were nevertheless able to have only a minor impact on Member State law and, in particular, on the business practices of the expanding Internet industry over many years. For example, it took until 2017 – 22 years after the enactment of Directive 95/46 – before the Court of Justice was first asked about the requirements that must be met for consent to be legally valid. The initially low practical legal impact can be explained first of all by the lack of competition supervision of the innovative business practices of new technologies. In addition, the Data Protection Directive of 1995 was transposed into national law only hesitantly and inadequately in some places. Moreover, insufficient sanction risks for violations of the provisions of this directive and inadequate human resources of data protection officers in certain Member States have been pointed out. It is therefore not surprising that the 2014 judgment of the Court of Justice in the Digital Rights Ireland case and the invalidity of the Data Retention Directive were understood by some not only as a wake-up call not to neglect European data protection law, but also as a true turning point for the importance and binding nature of this law and, moreover, for the institutional role of the Court of Justice as the constitutional court of the European Union. In its case law since 2014, the Court of Justice has indeed been able to make both fundamental and far-reaching findings on European fundamental rights protection in the field of data protection in close succession.

A common thread running through this jurisprudence is the need for effective respect of the fundamental rights at stake, through a balancing of the conflicting concerns. However, the Court has not undertaken this task on its own merits, but on the basis of the relevant provisions of primary and secondary law, from which it follows that the Union ensures a high level of protection for private and family life – which is another fundamental right – including communications, and more generally for personal data, as guaranteed by Articles 7 and 8 of the Charter.

The Charter of Fundamental Rights, which entered into force with the Lisbon Treaty, was put in place with the aim of visibly consecrating the importance of fundamental rights and their scope for the citizens of the Union. In this context, the preamble to the Charter emphasizes the need to strengthen the protection of fundamental rights in the light of the evolution of society, social progress and scientific and technological developments. This initial finding in primary law is further confirmed by the relevant secondary law. Thus, it is clear from the genesis of the E-Privacy Directive that the EU legislator aimed for a high level of protection of personal data and privacy. Accordingly, this Directive explicitly provides that measures to protect public security must be strictly proportionate to the purpose pursued. Above all, it articulates a fundamental prohibition on the retention of traffic and location data from electronic communications devices without the consent of the user.

Considering the particular importance of such data, of the right to confidential communication and of freedom of expression, which in turn is constitutive of a democratic society, the narrow interpretation given by the Court to this directive does not appear at all surprising.

The Passenger Name Record Directive for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

The case law assessing the so-called EU-US Privacy Shield and the PNR agreement with Canada, as well as the recently announced decision on the validity and interpretation of the PNR Directive, are based on normative foundations that lead to comparable assessments. Given the repeated references, in the recitals of the Directive, to respect for fundamental rights, the right to privacy, and the principle of proportionality, the Court of Justice has found a significant limitation of the powers justified by the PNR Directive to be required by fundamental rights. Thus, internal EU flights can be subjected to the PNR system only in terrorist threat situations; otherwise, the application of this system exceeds what is strictly necessary. Furthermore, the Court has placed strict limitations on the analysis of PNR data in terms of matching with other databases and, in particular, has limited criteria-based analysis to pre-determined criteria, excluding self-learning systems. In addition, Member States must establish precise rules to ensure non-discriminatory application of the system and, in particular, must ensure the consistency of individual verifications. In order to ensure the adequacy of the system, the Court – following the rules of the Directive – has limited the retention of PNR data of all passengers to 6 months in principle.

It is true that such considerations are entirely in line with what was already formulated 50 years ago in Hesse as a data protection concern. However, three additional factors explain the modern nature of data privacy law. First, the Europeanization of data protection law naturally means that the values underlying the GDPR, for example, reflect the pan-European context and the special operating conditions of the European Union.

This is by no means accompanied by a rejection of national peculiarities, but it does mean that the necessity or the degree of protection required, any risks of abuse and independence requirements, and generally the existence of dangers for democratic society must be assessed in an overarching European context. In this sense, the GDPR provides for a European Data Protection Board in whose work the independent data protection authorities of the Member States are involved and which has its own decision-making powers, in particular to ensure the uniform application of European data protection law.

In addition, the volumes of data collected and their processing have grown exponentially in recent decades, giving rise to possibilities for data linking and data mining that seemed mere science fiction a few years ago. Such possibilities, such as self-learning systems of artificial intelligence, may often be useful today for the effective fulfillment of sovereign tasks, but they trigger, in a mirror image as it were, elementary needs for the protection of human dignity, freedom of communication in a democratic society and effective legal protection. The search for the right way therefore testifies to the Court’s serious responsibility to ensure compliance with the values set forth in Article 2 TEU, and by no means to a hypertrophied demand for fundamental rights. Finally, another fundamental difference from the data protection perspective of the early 1970s follows from the economic development that has led to personal data becoming a commodity on a large scale. Hardly any company – even in the so-called real economy – operates today without sustained evaluation of personal data. In addition, a readjustment of supply and demand has been observed for some time, a development that the U.S. economist Shoshana Zuboff has described as “surveillance capitalism”. An overall view of these developments has prompted the Court of Justice to act quickly and to interpret European data protection law in accordance with the textual provisions of the norm, in keeping with the tradition of high-quality data protection that has characterized this area of law since its beginnings in the German state of Hesse. It had to act quickly, because the EU had let itself be run over by major companies that were playing with the gaps and shortcomings of previous data protection legislation.

Data protection in the future

As a result of the new regulations proposed by the EU Commission in a whole series of specific areas of data protection and the data economy, let’s hope there will be greater differentiation of protection needs and processing possibilities in the future, as the proposed regulations on artificial intelligence on the one hand and for processing health data on the other hand indicate. Therefore, the discussion of the future cannot be reduced to the oversimplified equation of more or less data protection. Discussion of these issues should be wary of an overly excited exchange driven by interests, which easily runs the risk of losing sight of the fundamental importance of data protection for a pluralistic society, as a glance at the way personal data is handled in non-democratic states in other regions of the world already shows.

Therefore, we should not be distracted in the constantly renewed search for practical concordance between the conflicting interests of data protection and data use. A democratic society that takes its population seriously as citizens and – as the Charter of Fundamental Rights states in its preamble – “places the individual at the center of its actions” can be achieved in the age of digitization, above all through high-quality data protection that enables citizens to encounter state institutions and commercial enterprises on an equal footing in free self-determination.

By The European Institute for International Law and International Relations.
