Judge Thomas von Danwitz of the European Court of Justice (ECJ) was right to emphasize the important contribution of the Luxembourg judiciary to the creation of effective data protection. Not least of all, the courageous judgments on the fundamental right to data protection – for example, with the rejection of the Data Retention Directive – have helped establish the ECJ as an important fundamental rights court. At the same time, the rulings on the interpretation of simple statutory law, specifically for example on the “right to be forgotten” (meaning being able to delete personal information online), also ensure effective enforcement against big tech companies. In a show of force in 2016, the legislature established the General Data Protection Regulation (GDPR) and thus a set of rules that is as comprehensive as it is fundamental. In the USA and elsewhere, the Brussels Effect is spoken of with awe. What is meant by this is that the Brussels requirements have ensured, if not global standards, then a widespread reception of the core elements of data protection law beyond the European Union. Other important rulings on this set of rules are pending that are relevant for powerful data protection. The reference proceedings of the Düsseldorf Higher Regional Court in the Meta Platforms case against the German Federal Cartel Office (Germany’s national competition regulatory agency) from the 20th of September deserve special mention. Among other things, this case is about the requirements and limits of consent under data protection law vis-à-vis a market-dominant company. The ECJ will rule on central questions of the business model of Facebook & Co.
Protecting interests
It is nevertheless a matter of great concern whether the ECJ will actually take sufficient account of conflicting interests of protection. For example, it is striking that the Von Danwitz article does not go into further detail on the fact that the GDPR pursues the goal of promoting the free movement of data on an equal footing with data protection. Advocate General Campos Sánchez-Bordona most recently emphasized this in his opinion of October 6th, in a case also touching on important questions of principle (UI v. Österreichische Post AG). This case concerns the scope of claims for damages without prejudice. The Advocate General rightly emphasizes the importance of free movement of data for the economic growth and competitiveness of the European Union. Even further, it can be said that data processing is of crucial importance for the future of the economy, society and for securing a state that is capable of acting. The Corona crisis demonstrated the importance of data ; at the same time, the lack of available data has resulted in otherwise avoidable losses of fundamental rights. Most recently, the Gas Commission has had to admit that it is ultimately limited in its ability to develop meaningful proposals for compensation in the energy crisis to specifically empower those in need. This is because it simply lacks the necessary data. Injustice, windfall profits, wasted taxpayers’ money due to a lack of data or data usability.
Balancing interests is necessary
Data protection is not an unrestricted right, but must be brought into practical concordance with a variety of public interests. This obligation must not remain lip service if data protection is to serve humanity and the common good in a broader sense : data protection is by no means a super(fundamental) right. The extent to which European legislators are increasingly concerned with economic purposes under the DSGVO is made clear by the new data acts, from the Data Governance Act to the draft Data Act and AI Regulation. In this sense, the EU’s Digital Content Directive, implemented in the Civil Code, opens up the possibility of making personal data de facto contractual consideration. The Digital Content Directive is thus commercial law, admittedly with elements of consumer protection law. The so-called Schrems case law of the ECJ continues to cause serious damage. The problem lies in the fact that the ECJ negates the risk-based view of data processing in transatlantic data traffic as laid down in the GDPR. Content that reaches the sphere of influence of U.S. authorities may not be transferred as long as access to the sphere of influence is not made impossible for the U.S. authorities. This requirement applies regardless of how insignificant the content may be. As a result, all transatlantic data traffic is declared to be in violation of EU law, without any specific cases of access having become known. Even agreements on adequate data protection between the U.S. and the EU do not change this, as these have so far been reliably overturned by the ECJ. Such an interpretation of the GDPR effectively makes any use of non-European office software or video conferencing services illegal, for example. This is difficult for companies, public authorities and courts to implement. Either way, this leads to digital lockdown or legal chaos. In practice, therefore, the ECJ’s approach cannot have any meaningful effect at all. However, Europe’s economy is absolutely dependent on a fair and practically implementable legal framework that also imposes effective rules of conduct on big tech companies. 52 years after the first data protection law in Germany, the data-driven economy in Europe can no longer be regulated one-dimensionally by citizen protection and defense. Rather, data (protection) law must be understood as multidimensional economic law that, with the GDPR, focuses on enabling business models. The means to be used for this are transparency, purpose limitation, anonymization and pseudonymization. The decision for more data economy of the European legislator in the new data economy acts also binds the ECJ. The fact that, under the new circumstances, people can be both subjects of protection and economic objects is largely a politically and socially desired fact. This development requires an adequate right to protection, not a right to prevent it. The practical concordance that is strived for on all sides must place greater emphasis on the conflicting needs for protection that have been identified.
ECJ on Data Retention
Question marks are also raised with regard to the case law on data retention. The strictness shown here by the ECJ may be understandable in terms of legal policy. But should such limits really be permanently set in stone in terms of fundamental rights, or should they not rather be left more to the political process ? It is questionable whether the image of deterrent effects on fundamental rights, including and especially on freedom of expression, is correct in the case of data retention if the data is analyzed according to the strict standards of a constitutional state. After all, the ECJ initially confirmed the conformity of the data retention directive with the law and thus ensured its continued existence for years. It is not evident that there were any corresponding deterrent effects during this period of validity. Even the options for action opened up in the subsequent case law, such as the storage of IP addresses or a quick freeze, are limited. Mobile phone data, which not infrequently provide clues for identifying the perpetrators of serious crimes, can then at best be used if they happen to still be stored by the provider and the police act very quickly. Here, too, it is clear that countervailing interests in protection should only be pushed back with great caution, and that the legislature should retain sufficient freedom. The German legislature does have leeway, but it is subject to very narrow limits.
All voices in the chorus of data protection interpreters – from the ECJ, to the national courts, to the supervisory authorities – should keep this ambivalence in mind when setting the legal framework for 21st century data processing that must meet the diverse needs of data subjects, businesses, the economy and society.
By The European Institute for International Law and International Relations.
