Informational privacy post GDPR – end of the road or the start of a long journey?

ABSTRACT

The General Data Protection Regulation (GDPR) is a far-reaching legal instrument that regulates the collection and use of personal data by private actors, individuals and by governments. In this respect, the GDPR is indeed a key legal instrument for protecting informational privacy. This article will analyse and discuss the impact of the GDPR on the right to privacy particularly in the context of data protection. It also explores whether the GDPR in itself is adequate to ensure the right to privacy in the European Union (EU) and whether the protection provided by the GDPR can be supplemented by other means. The article finds that while the GDPR is a significant step in the right direction to protect informational privacy, it is certainly not the end of the journey. It argues that on its own, the GDPR cannot fully address the imbalance of power between data subjects and data controllers. Hence, it needs to be complemented by other regulatory tools such as the ePrivacy Regulation, EU competition law and Consumer Protection rules. Furthermore, some provisions in the GDPR must be revisited in the near future to ensure they do not become obsolete.

KEYWORDS:

• European Union
• GDPR
• privacy
• ePrivacy Regulation
• human rights
• right to privacy

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes on contributor

Aysem Diker Vanberg is a Senior Lecturer at the School of Law & Criminology at the University of Greenwich specialising in EU Competition Law and IT Law. Prior to joining the University of Greenwich, she worked at Anglia Ruskin University as a Senior Lecturer and at the University of Essex as an Associate Lecturer and as a research associate. Before moving to the UK, she qualified as a lawyer in Turkey and worked as a lead In-House Counsel for multinational companies including MAN Nutzfahzeuge AG and Cimpor Cimentos de Portugal.

Notes

1 This article will concentrate on informational privacy. In this article, the term ‘informational privacy’ is used to describe the relationship between the collection and dissemination of data, technology, the public expectation of privacy, legal and political issues surrounding them.

2 Özgür H. Çinar, ‘The Right to Privacy in International Human Rights Law’, Journal of Information Systems & Operations Management 13, no. 1 (2019): 33.

3 International Covenant on Civil and Political Rights adopted 16 December 1966 entered into force 23 March 1976 999 UNTS 171, Art 17.

4 Robert C. Post, ‘Three Concepts of Privacy’, The Georgetown Law Journal 89, no. 6 (2001): 2087–98.

5 See for instance, Post, ‘Three Concepts of Privacy’, 2087–98; Samuel Warren and Louis Brandeis, ‘ Right to Privacy’, Harvard Law Review 4, no. 5 (1890): 193–220.

6 Samuel Warren and Louis Brandeis, ‘ Right to Privacy’, Harvard Law Review 4, no. 5 (1890): 193–220.

7 Anna Jonsson Cornel, ‘Right to Privacy’ Oxford Constitutional Law (2015), https://oxcon.ouplaw.com/view/10.1093/law:mpeccol/law-mpeccol-e156?print=pdf (accessed June 15, 2020).

8 J. Solove, ‘Understanding Privacy’, Harvard University Press GWU Legal Studies Research Paper GWU Law School Public Law Research Paper, no. 420 (2008), https://ssrn.com/abstract=1127888 (accessed June 15, 2020).

9 See for instance; Case T-194/04 the Bavarian Lager Co Ltd v Commission [2007] ECR II-04523, where the General Court expressly makes reference to ECHR Article 8.

10 Opinion 2/313 pursuant to Article 218(11) TFEU 18 December 2014 ECLI: EU: C: 2014:2454.

11 Ibid.

12 Ibid.

13 European Parliament Briefing ‘ EU Accession to the European Convention on Human Rights (2017) https://www.europarl.europa.eu/RegData/etudes/BRIE/2017/607298/EPRS_BRI(2017)607298_EN.pdf (accessed June 15, 2020).

14 Charter of Fundamental Rights of the European Union OJ C 326, 26.10.2012 :391–407.

15 Hielke Hijmans, and Alfonso Scirocco, ‘Shortcomings in EU Data Protection in the Third and the Second Pillars. Can the Lisbon Treaty be Expected to Help?’ Common Market Law Review 46 (2009): 1485–525.

16 Orla Lynskey, The Foundations of EU Data Protection Law (Oxford: Oxford University Press, 2015), 106.

17 Gaskin v United Kingdom (1989) 12 EHRR 36.

18 Perry v United Kingdom (2004) 39 EHHR 3.

19 Copland v United Kingdom (2007) 45 EHRR 37.

20 Leander v Sweden (1987) 9 EHRR 433.

21 S. and Marper v. the United Kingdom (2009) 48 EHRR 50 para 121.

22 Perry v United Kingdom (2004) 39 EHRR 3, para 42.

23 Bohlen v Germany [2015] ECHR 194.

24 For example, see Von Hannover v Germany (59320/00) [2004] E.M.L.R. 21; (2005) 40 E.H.R.R. 1 and Editions Plon v France (58148/00) (2006) 42 E.H.R.R. 36.

25 European Court of Human Rights, Guide on Article 8 of the European Convention on Human Rights Right to respect for private and family life, home and correspondence (2019) para 115, https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf (accessed June 15, 2020).

26 Juliane Kokott and Christoph Sobotta, ‘The Distinction between Privacy and Data Protection in the Jurisprudence of the CJEU and the ECtHR’, International Data Privacy Law 3, no. 4 (2013): 222.

27 See for instance; Case C-62/90 Commission v Germany [1992] ECR I-2575, para 23.

28 Case C-139/01 Oesterreicher Rundfunk and Others [2003] ECR I- 4989.

29 Case T-194/04 the Bavarian Lager Co Ltd v Commission [2007] ECR II-04523.

30 Ibid., para 15–17.

31 Ibid., para 23–36.

32 Ibid., para 123.

33 Ibid., para 124.

34 Ibid., para 125.

35 Ibid., para 63.

36 Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke GbR (C-92/09) and Hartmut Eifert (C-93/09) v Land Hessen [2010] ECR I-11063.

37 Joined Cases C-293/12 and C- 594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others [2014].

38 Ibid., para 69.

39 Ibid, para 64 and 65.

40 Joined Cases C-293/12 and C- 594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others [2014] para 47.

41 Ibid., para 52.

42 International Covenant on Civil and Political Rights adopted 16 December 1966 entered into force 23 March 1976 999 UNTS 171 (ICCPR).

43 See, e.g., Amann v Switzerland, no 27798/95, ECHR 2000-II, para 65 and Rotaru v Romania [GC] App no 28341/95, ECHR 200-V, para 43.

44 S. and Marper v. the United Kingdom (2009) 48 EHRR 50.

45 For example Westin describes privacy as ‘ the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is shared with others’ Alan Westin, Privacy and Freedom (Athenaeum, 1967), 158; Daniel Solove, The Digital Person: Technology and Privacy in the Information Age (New York : New York University Press, 2004); Yves Poullet, ‘ Data Protection Legislation: What is at Stake for our Society and Democracy) Computer Law and Security Review 25, no. 3 (2009): 211–26.

46 For instance in the American context Solove argues that ‘ the right to information privacy has emerged in the courts as a spin-off of the regular constitutional right to privacy’. Daniel Solove, The Digital Person: Technology and Privacy in the Information Age (New York : New York University Press, 2004), 75.

47 Solove, The Digital Person, 8.

48 See e.g.; Juliane Kokott and Christoph Sobotta ‘ The Distinction between Privacy and Data Protection in the Jurisprudence of the CJEU and the ECtHR’, International Data Privacy Law 3, no. 4 (2013): 223; Maria Tzanou, ‘Data Protection as Fundamental Right Next to Privacy? “ Reconstructing” a Not So New Right’, International Data Privacy Law 3 (2013): 88; Orla Lynskey, The Foundations of EU Data Protection Law (Oxford: Oxford University Press, 2015), 104.

49 Kokott and Sobotta, 223.

50 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119/1.

51 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to processing of personal data and on the free movement of such data [1995] OJ L 281/31.

52 For example see; Amy Kristin Sanders, ‘The GDPR One Year Later: Protecting Privacy or Preventing Access to Information’, Tulane Law Review 93, no. 5 (May 2019): 1229–54; Simon Davies, ‘The Data Protection Regulation: A Triumph of Pragmatism over Principle’, European Data Protection Law Review 2, no. 3 (2016): 290–6.

53 See for instance, Tal Z. Zarsky, ‘Incompatible: The GDPR in the Age of Big Data’, Seton Hall Law Review 47, no. 4 (2017): 995–1020; Eduardo Ustaran, ‘EU General Data Protection Regulation: Things You Should Know’, Privacy and Data Protection Journal 16, no. 3 (2016): 3; and see also Francoise Gilbert, ‘European Data Protection 2.0: New Compliance Requirements in Sight – What the Proposed EU Data Protection Regulation Means for U.S. Companies’, 28 Santa Clara Computer & High Tech. Law Journal 815 (2012): 848–49.

54 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to processing of personal data and on the free movement of such data [1995] OJ L 281/31.

55 It is worth noting that different member states have different legal traditions, which has an influence on their data protection law. For instance, German data protection law is anchored to the notion of human dignity; French data protection prioritises the concept of individual liberty; whilst Belgian data protection law places emphasis on privacy. On this see Evelien Brouwer, Digital Border and Real Rights: Effective Remedies for Their Country Nationals in the Schengen Information System (The Hague: Martinius Nijhoff Publishers, 2008), 198.

56 Ronald Hes and John Borking ‘Privacy-Enhancing Technologies: The Path to Anonymity Volume 1 (1995), https://collections.ola.org/mon/10000/184530.pdf (accessed June 15, 2020).

57 Anna Romanou, ‘The Necessity of the Implementation of Privacy by Design in Sectors Where Data Protection Concerns Arise’, Computer Law & Security Review 34 (2018): 99–110.

58 Ibid.

59 Jeffrey Rosen, ‘The Right to Be Forgotten’ Stanford Law Review 64 (2012) https://www.stanfordlawreview.org/online/privacy-paradox-the-right-to-be-forgotten/ (accessed June 15, 2020).

60 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C- 131/12, ECLI: EU: C:2014:317, ILEC 060 (CJEU 2014) 13,05.2014.

61 Ibid.

62 Case C-507/17 Judgment of the Court (Grand Chamber) of 24 September 2019. Google LLC, successor in law to Google Inc. v Commission Nationale De L'informatique Et Des Libertés (CNIL) ECLI: EU: C: 2019: 772

63 Ibid, para 30.

64 Ibid, para 31.

65 Ibid, para 32.

66 Ibid, para 33.

67 Ibid, para 6 and 65.

68 Gabriela Zanfir, ‘The Right to Data Portability in the Context of Data Protection Reform’, International Data Privacy Law 2, no. 3 (2012): 149.

69 For a comprehensive discussion of the right to data portability see Aysem Diker Vanberg and Mehmet Bilal Ünver, ‘The Right to Data Portability in the GDPR and EU Competition Law: Odd Couple or Dynamic Duo? European Journal of Law and Technology 8, no. 1 (2017), http://ejlt.org/article/view/546/727 (accessed June 15, 2020).

70 It is worth noting that there have been several cases prior to the GDPR that concerns the right to access such as the Bavarian Lager C-28-08P and Egan& Hackett v Parliament T-190/10. Bavarian Lager case has been discussed in this article.

71 Regulation of The European Parliament and of the Council concerning the Respect for Private Life and for the Protection of Personal Data in Electronic Communications within the European Union.

72 Directive 2002/58/EC e European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002, p. 37–47.

73 European Commission, Proposal for an Eprivacy Regulation, https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation (accessed June 15,2020).

74 W Gregory Voss, ‘First the GDPR Now the Proposed ePrivacy Regulation’, Journal of Internet Law 21, no. 1 (2017): 3–11.

75 The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC, https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc (accessed June 15, 2020).

76 Ibid.

77 Ibid.

78 European Data Protection Board ‘BfDI imposes fines on telecommunications service providers’ (20, https://edpb.europa.eu/news/national-news/2019/bfdi-imposes-fines-telecommunications-service-providers_en (accessed June 15, 2020).

79 Ibid.

80 Ibid.

81 Information Commissioner’s Office, ‘Intention to fine British Airways £183.39m under GDPR for data breach’ (2019) https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/ (accessed May 2, 2020).

82 Ibid.

83 DLA Piper Data Breach Survey, January 2020, https://sweden.dlapiper.com/sites/default/files/node/field_download/DLA%20Piper_Data%20Breach%20Report%202020.pdf (accessed June 15, 2020).

84 Ibid.

85 It should be noted that as of 25 May 2018, the Article 29 Working Party ceased to exist and it has been replaced by the European Data Protection Board (EDPB).

86 Guidelines on the right to data portability, Article 29 Working Party, [2017] 16/EN WP 242 rev. 01 adopted on April 5, 2017.

87 Orla Lynskey, The Foundations of EU Data Protection Law (Oxford: Oxford University Press, 2015), 189.

88 Europe v Facebook, ‘ Response to the Audit’ by the Irish Office of Data Protection Commissioner on “Facebook Ireland Ltd”’, Vienna, 4 December 2012, 42: < http://www.europe-v-facebook.org/report.pdf> (accessed June 15, 2020).

89 Article 29 Data Protection Working Party, Opinion 15/2011 on the definition of consent 01197/11/EN WP187 adopted on 13 July 2011 available < https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf> (accessed June 15, 2020).

90 Case summary, “Facebook, Exploitative business terms pursuant to Section 19(1) GWB for inadequate data processing” 2019, https://www.bundeskartellamt.de/SharedDocs/Entscheidung/EN/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.pdf?__blob=publicationFile&v=3> p. 5, 2019 (accessed June 15, 2020).

91 Ibid.

92 Guiseppe Colangelo, ‘ Facebook and the Bundeskartellamt’s; Winter of Discontent’ (2019) https://www.competitionpolicyinternational.com/facebook-and-bundeskartellamts-winter-of-discontent/ (accessed June 10, 2020).

93 OLG Düsseldorf, August 26, 2019, Case VI-Kart 1/19 (V).

94 Counterfactuals in competition law analysis can be used to assess the effects of an event and how the situation would have developed in the absence of that event.

95 OLG Düsseldorf, para 27 and 47.

96 Colangelo, supra note 92.

97 OLG Düsseldorf, para 32.

98 Ibid, para 71, 76 and 77.

99 Ibid, para 44, 46 and 71.

100 Thomas Linden et al., ‘The Privacy Policy Landscape after the GDPR, Proceedings on Privacy Enhancing Technologies’, Proceedings on Privacy Enhancing Technologies 1 (2020): 47–64.

101 Danilo Bruschi, ‘Information Privacy: Not just GDPR’, in Computer Ethics - Philosophical Enquiry (CEPE) Proceedings, ed. D. Wittkower (2019), 9 https://digitalcommons.odu.edu/cepe_proceedings/vol2019/iss1/9 (accessed June 15, 2020).

102 Jim Isaak and Mina J. Hanna, ‘User Data Privacy: Facebook, Cambridge Analytica, and Privacy Protection’, Computer 51, no. 8 (2018): 56–9.

103 John Thornhill, ‘GDPR is a Start but not Enough to Protect Privacy on its Own’, Financial Times https://www.ft.com/content/624f813e-5f5e-11e8-9334-2218e7146b04 (accessed June 15, 2020).

104 Opinion 5/2018 Preliminary Opinion on Privacy by Design by European Data Protection Supervisor, para 22, p. 5 https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf (accessed June 15, 2020).

105 Ibid., p. 21.

106 Ibid., p. 5.