Data Protection in EU Law: An Analysis of the EU Legal Framework and the ECJ Jurisprudence

1. Introduction

The recent rapid developments of information and communication technologies have raised serious concerns regarding our control over personal information. Not only do we have to face what has been described as the emergence of ‘the National Surveillance State’ (Balkin & Levinson, 2006, p. 131), but we also have to deal with the numerous private ‘Big Brothers’ that are watching us (Andenas & Zleptnig, 2003, p. 765). Police, public bodies and national security forces process, collate, analyze and store vast amounts of conversations, e-mails, and Internet traffic between individuals in order to detect possible terrorist or criminal activities. This information can be further manipulated through computer matching and profiling (Bennett, 1992, p. 19). At the same time, private companies and individuals record, store and process huge amounts of data for various reasons, such as the surveillance of the business premises or of the employees in the context of the employment relationship, or the storing of consumer data for commercial purposes (Bolman, 2002, p. 3).

The challenge of protecting personal data is universal, and countries as well as international organizations have attempted to address it by developing different legal responses according to their economic, political and ideological priorities. One cannot speak of a universal standard of data protection, but rather of a fragmented picture of different personal data protection legal regimes. In this picture, the EU data protection regime figures prominently. Europeans tend to see privacy as a fundamental right closely tied to the protection of dignity that deserves rigorous and comprehensive legislative safeguards (Bygrave, 2008, p. 16).

Of all the human rights, privacy is perhaps the most difficult to define (Banishar, 2000, p. 1; Michael, 1994, p. 1), because its meaning varies widely according to context and environment (Webb, 2003, p. 2). Privacy protection is normally seen as a way of drawing the line at how far society can intrude into a person’s affairs (Davies, 1996, p. 23). The right to privacy is enshrined in the most important international human rights instruments such as the Universal Declaration of Human Rights (Article 12), the International Covenant on Civil and Political Rights (Article 17), the American Declaration of the Rights and Duties of Man (Article V), the American Convention on Human Rights (Article 11) and the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). In particular, Article 8 (1) ECHR reads as follows: ‘Everyone has the right to respect for his private and family life, his home and his correspondence’.

The present study will focus its attention on data protection, which refers to the management of personal information or ‘the information privacy.’ Privacy and data protection are not identical rights. While data protection is generally considered as an aspect of the right to privacy, it is however to be distinguished from it, since it applies to all personal data and is not limited to data related to the private or the family life of a person. This scope is illustrated by the European Court of Justice judgment in Österreichischer Rundfunk, where the Court held that data relating to remuneration received by an employee constitute personal data (para 64).

In this context, the present contribution presents an analysis of the data protection rules in EU law. It examines the jurisprudence of the European Court of Justice on data protection issues, and discusses the possibilities and limitations of the EU to provide for effective and comprehensive data protection.