Beyond the GDPR, above the GDPR

As the adoption of the General Data Protection Regulation (GDPR) by the European Council and the European Parliament seems to be approaching fast, there are some good news to report: the Court of Justice of the European Union (CJEU) has in the meantime taken advantage of the lengthy discussions surrounding it to firmly assert the fundamental rights dimension of EU personal data protection law. And it has done so in a clear and compelling manner. Well, almost.

EFFECTIVE, COMPLETE AND STRONG

To ensure ‘effective and complete protection’. This is not a random commercial slogan about an unspecified product, but the formal objective of the Directive 95/46/EC (the ‘Data Protection Directive’), according to the EU’s Court of Justice emerging case law. More concretely, the Data Protection Directive must be regarded as seeking to ensure ‘effective and complete protection’ of all the fundamental rights and freedoms of natural persons, and actually not just any protection, but ‘a high level of protection’ of these rights and freedoms.1 Three rights stand out among those to be protected strongly, effectively and completely by the Data Protection Directive: the right to respect for private life, as enshrined by Article 7 of the EU Charter of Fundamental Rights, the right to the protection of personal data, established by the Charter’s Article 8, and the right to an effective remedy and to a fair trial, set out in Article 47.

The CJEU has not always looked at EU personal data protection law from this perspective. Traditionally it favoured the view that the Data Protection Directive’s ‘principal aim’ was to ensure the free movement of personal data, also acknowledging, however, that its provisions had to be interpreted, to a certain extent, in light of fundamental rights.2 Originally, the fundamental rights considered were de facto only the right to respect for private life as established by Article 8 of the European Convention on Human Rights (ECHR). The entry into force of the Lisbon Treaty in 2009, which granted legally binding force to the EU Charter, gave the Court the impetus to renew its position and redefine the criteria to be applied when reading EU personal data protection instruments.

THE EU CHARTER IS THE PLACE TO START (NOW)

It was actually in the 2014 Google Spain and Google3 judgment where this shift took place. In that ruling, the CJEU was confronted with a request from a national court that explicitly asked the Luxembourg Court to interpret the Data Protection Directive in light of Article 8 of the EU Charter. Until then, the CJEU had been cautious in considering the relevance of the Charter for the interpretation of an instrument adopted five years before the Charter’s proclamation, and more than 14 years prior to its entering into force. In Google Spain and Google, however, this reluctance was put aside. Here, the Court openly noted that Directive 95/46/EC referred to fundamental rights, and pointed out that these ‘are now [that is, since 2009] set out in the Charter’.4 From there, it even went on to declare that some provisions of the Directive actually implement requirements directly derived from the EU Charter’s Article8, despite the fact that, chronologically, the former saw the light first.

This has serious consequences for the future of EU personal data protection law. It entails that whatever the CJEU tells us about Directive 95/46/EC, insofar as it describes requirements that derive from the fundamental rights enshrined in the EU Charter, will have to be remembered once the Data Protection Directive disappears and is replaced by the GDPR. Then, all provisions of GDPR will have to be interpreted in the light of such requirements, as described by the CJEU in its rapidly growing case law. If, for any reason, that interpretation happens to be just impossible, the problematic GDPR provisions will have to be annulled.5

With the adoption of the GDPR drawing closer, the Court’s position is particularly welcome. The new Regulation is indeed expected to present itself as giving substance to the EU right to the protection of personal data, as set out by Article 8 of the EU Charter, but also by Article 16 of the Treaty on the Functioning of the EU (TFEU). These provisions, despite being placed at the highest level of EU law, are subject to a series of vague clauses generating uncertainty regarding their exact meaning, with the Explanations accompanying the Charter seemingly obliging to read Article 8 in light of EU secondary law.6 The replacement of the Data Protection Directive with a flawed or weak GDPR could have thus potentially negatively impacted the very interpretation of this EU fundamental right, in what might sound as a heresy to constitutional lawyers, but is nevertheless the reality of current EU fundamental rights protection. The CJEU’s recent case law is therefore timely.

THIS CLEARLY MEANS ‘BROAD SCOPE’

Various examples of what it means in practice to approach the Data Protection Directive under the motto that it pursues complete, effective and strong protection of fundamental rights as enshrined in the EU Charter can be found already in the Google Spain and Google judgment. The CJEU relied for instance on such idea to argue that data subjects must be able to request search engines to stop displaying certain results about them without conditioning this to an obligation to obtain, before or in parallel, the erasure of the problematic information by the original publishers: imposing such an obligation, indeed, would be incompatible with ensuring ‘effective and complete’ protection of individuals, the Court stated, proclaiming it should thus be discarded.7

More generally, the CJEU made recourse to the idea that the Data Protection Directive needs to ensure ‘effective and complete’ protection of individuals to favour a wide interpretation of its scope. In this sense, the Court declared that a broad definition of the concept of ‘controller’ is instrumental to ensuring such ‘effective and complete’ protection of data subjects,8 that the words ‘carried out in the context of the activities’ [of the establishment of a data controller] cannot be interpreted restrictively as to exclude data processing activities in a way that would compromise such ‘effective and complete’ protection,9 or that this effective and complete protection obliges to make sure that the processing of personal data by search engines falls under personal data protection law.10

IT PROBABLY MEANS MUCH MORE

For all its insistence on this idea that EU personal data protection law serves the complete, effective and strong protection of fundamental rights as enshrined in the EU Charter, and despite the affirmation that some Data Protection Directive provisions de facto implement the fundamental right to personal data protection, the CJEU is still to provide a detailed account of the exact content of this right. In reality the Luxembourg Court has struggled to draw a clear distinction between the traditional, broad European Charter of Human Rights inspired ‘right to privacy’ and the EU’s own, novel right to the protection of personal data, two rights nevertheless patently put forward as separate rights in the EU Charter, in Article 7 and 8 respectively.

Yet, the CJEU is trying. In the 2014 Digital Rights Ireland judgment, the Court attempted to analyse the measures brought about by the Data Retention Directive as constituting interferences with the right to respect for private life of Article 7 of the EU Charter, on the one hand, and with the right to respect for the protection of personal data of the EU Charter’s Article 8, on the other.11 As a matter of fact, the Court even tried to review the possible justification of such interferences12 taking seriously the specificity of each right. It did so, however, purporting two extremely unfortunate assertions: first, that measures that do not provide access to the content of communications do not adversely affect the essence of the rights enshrined under Article 7,13 and second, that the essence of the right to the protection of personal data would not be affected whenever measures involving the processing of personal data include some data security safeguards.

The fact that even the CJEU is uncomfortable with the latter idea became visible in the Schrems judgment. This ruling concerned a request for the interpretation of the Data Protection Directive in light of Articles 7, 8 and 47 of the Charter, three provisions that the CJEU considered in detail, except when coming to the point of reviewing whether the measures at stake constituted a legitimate limitation of the rights at stake. In this regard, the CJEU declared that legislation granting public authorities access ‘on a generalised basis’ to the content of electronic communications compromises the essence of the right to respect for private life, as guaranteed by Article 7 of the Charter,14 but then immediately jumped to proclaim that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the right to effective judicial protection enshrined in Article 47 of the Charter.15 Between these two assertions, nothing was said about what could constitute (or not) an interference with the essence of the right to the protection of personal data of the Charter’s Article 8. Silence.

A RIGHT THAT IS A TRIANGLE

In the absence of consolidated case law on the essence of the right to the protection of personal data - the safeguarding of which, nevertheless, will have to be ensured by the GDPR in a complete, effective and strong manner, we are left with the possibility to keep on reading (and re-reading) Article 8 of the EU Charter, now taking into account the numerous CJEU judgments that have been throwing light on its content and on the provisions of the Data Protection Directive, which, as we know thanks to Google Spain and Google, at least partially implement the EU Charter’s Article 8.

Doing so, it becomes apparent that the EU right to the protection of personal data has a triangular structure. It brings together three different elements: the obligations of data controllers, the rights of data subjects, and the monitoring activities of independent data protection authorities. These three vertices are inseparably connected to each other. The data controller’s obligations must be respected to allow for the exercise of the data subject’s rights, which in their turn are actually granted to individuals to help them keep track of the compliance by data controllers with their obligations, while all this is submitted to control by an authority that must be attentive to both. Despite being connected, these three elements are also relatively autonomous, and should all be cumulatively respected. This vision of the fundamental right to the protection of personal data should prevent us from falling into over-simplifications of its role in EU law.

LET’S JUST CALL IT ‘THE RIGHT TO REMIND THEM’

This perspective also allows us to understand better the genuine significance of the CJEU’s Google Spain and Google judgment. The issue at stake in that case concerned the right for data subjects to ask search engines to stop displaying certain results when online searches are carried out using their name. To judge the scope and functioning of such a right, the Court looked into the Directive 95/46/EC’s provisions on the data subjects’ right to access16 and right to object,17 and examined how these provisions are connected with those establishing the obligations of data controllers, both in terms of data quality18 and regarding the need to process personal data on the basis of a legitimate ground.19 After this analysis, the Court concluded that data subjects have indeed the right to request search engines to stop displaying certain results, which also means search engines have some specific obligations connected to the respect of this specific ‘right to delist’.20

All this does not mean, however, that these are the only obligations of data controllers such as search engines. It does not mean that data controllers, and thus also search engines, only need to comply with their data protection obligations related to data quality and to the need to process personal data on the basis of a legitimate ground when, and only if, data subjects make use of their ‘right to be delisted’. This ‘right to be delisted’, and more generally the right of access to personal data and to object to personal data processing, are actually mirrors that data subjects can, when they wish, place in front of data controllers so the latter are forced to examine their own compliance (or lack of) with data protection obligations. Responsibility for such compliance had always fallen on their shoulders, irrespective of whether somebody was looking, or whether somebody complains.

In other terms, it is not because there exists a judgment on the ‘right to be forgotten’ that a company like Google can process personal data for its own interest only if this interest is not overridden by the interests of the data subject which require protection. Google is generally bound by such rule, and has always been. What the Google Spain and Google judgment did was clarify that this is even truer when the search engine is displaying results following a search made using somebody’s name.

In any case, and regardless of the shape that such a right to be delisted might adopt in the future GDPR, the main concern of data controllers, including search engines and, especially, of search engines that process massive amounts of personal data falling under EU law, should be to comply with the obligations that the EU fundamental right to personal data protection already imposes on them - rather than the possibility that one, two, or even a few thousand individuals among the millions concerned occasionally raise their hand to point out they disagree with the way in which the data controller is dealing with their personal data. Hopefully, this idea will one day no longer come to them as a big surprise, but rather as a kind reminder.