Privacy and Data Protection based on the GDPR. Leo Besemer
ICCPR Article 17
The amendment changes the concept of the right to privacy in the sense that governments have the right to intrude on a person’s privacy for reasons explicitly laid down by law.
1.1.1.2 European Convention on Human Rights
In the aftermath of World War II, a strong need was felt for European co-operation. Many pro-European movements actively promoted the establishment of an organization that would prevent a return to totalitarian regimes and would defend fundamental freedoms, peace and democracy. On 5 May 1949, the Council of Europe was founded in London. Its aim, according to Article 1 of its statute, is “to achieve a greater unity between its Members for the purpose of safeguarding and realizing the ideals and principles which are their common heritage and facilitating their economic and social progress”. An important role of the Council of Europe is to promote human rights through international conventions. One of the first of these was the Convention for the Protection of Human Rights and Fundamental Freedoms, better known as the European Convention on Human Rights (ECHR), which entered into force on 3 September 1953.
Figure 1.1 COE logo
From the original ten members in 1949, today the Council has grown to 47 members, including all members of the European Union. The map in Figure 1.2 shows the current Member States of the Council of Europe.
Figure 1.2 Council of Europe Member States.
Note that Belarus is not a member, because the country does not meet the human rights and democratic standards of the Council. In particular, it will have to abolish the death penalty if it wants to join.
The ECHR is important because of the scope of fundamental freedoms it protects. These include the right to life, prohibition of torture, prohibition of slavery and forced labor, the right to liberty and security, the right to a fair trial, no punishment without law, the right to respect for private and family life, freedom of thought, conscience and religion, freedom of expression, freedom of assembly and association, the right to marry, the right to an effective remedy and the prohibition of discrimination.
With regard to privacy and data protection, the ECHR includes the text of the UDHR:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
ECHR Article 8
In the ECHR, just as in the ICCPR, this protection of the rights of individuals is not absolute. There may be lawful reasons of public interest for governments to breach an individual’s right to privacy. Just as the UDHR does, the ECHR recognizes that there is a need to balance the rights of individuals with justifiable interferences with these rights.
The importance of this text as a part the European Convention is that it is now part of a treaty to uphold human rights throughout the Member States of the Council of Europe. New members of the Council are expected to ratify the ECHR and other Council of Europe treaties at their earliest opportunity. The ECHR is also a significant and powerful legal instrument because it is enforced by the European Court of Human Rights. The rulings of the Court are binding on the Member States concerned.
1.1.1.3 OECD Guidelines and the Treaty of Strasbourg
In the 1970s, the progress in data processing and the increased possibilities in the use of telecommunications lead to concerns that Article 8 of EHCR was no longer sufficient to protect “the right to respect for his private and family life, his home and his correspondence”. Large mainframes were introduced allowing big companies and public administrations to improve the collection, processing and sharing of the personal data of millions of people, using large databases. As a result, a need was felt for new standards that would allow individuals to exercise more control over their personal information. At the same time, international trade required the free international flow of information. The challenge was once again to find a balance between these aims.
A new effort to reconcile the protection of privacy and the need for free international flow of personal data came from the Organization for Economic Co-operation and Development (OECD). This organization, founded on 30 September 1961, aims to promote policies designed to achieve the highest sustainable economic growth and employment, and a rising standard of living in member as well as non-member countries, while maintaining financial stability, and thus to contribute to the development of the world economy.
Figure 1.3 OECD logo
In 1980, the OECD developed the “Guidelines on the Protection of Privacy and Trans-border flows of Personal Data”, providing basic rules concerning the protection of personal data and privacy and on cross-border data flow. The aim was to help harmonize the data protection laws between countries. The Guidelines were not legally binding, but intended as a basic framework for national data protection law worldwide, introducing the set of data protection principles that we find today in GDPR Article 5. These principles will be discussed in detail in Part II of this book.
1.1.1.4 Council of Europe (CoE) Convention 108
The OECD guidelines were formalized in 1981 in Council of Europe Convention 108, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which made it the first legally binding international instrument to set standards for the protection of personal data, whilst at the same time again aiming for a balance with the need for a free flow of personal data for international trade purposes. Convention 108 is also known as “the Treaty of Strasbourg”, but due to the place of Strasbourg in European history there are many treaties by that name. Convention 108 came into force on 10 October 1985, after the required five Member States had ratified it. By today, 55 countries have ratified the treaty, among them eight non-members of the Council of Europe.
A weakness in Convention 108 proved to be that it did not provide for transfers of personal data to countries that had not signed Convention 108. This was addressed in 2001 with the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows. (CETS 181). This additional protocol introduced independent supervisory authorities in each country that signed it, and included the concept of an ‘adequate’ (in contrast to equivalent) level of protection for cross-border personal data transfers to non-EU countries.
It should be noted that CoE Convention 108 is still binding for states that have ratified it. Over the years, the European Court of Human Rights (ECtHR) has ruled that personal data protection is an important part of the right to respect for private life (EHCR Article 8), and has been guided by the principles of Convention 108 in determining whether or not there has been an interference with this fundamental right.
In 2012 Convention 108 was modernized after public consultations, including reinforcements to the protection of privacy in the digital arena. The modernization process was completed with the adoption of a protocol amending Convention 108 (Protocol CETS No. 223).
The Schengen