WORKSHOP

SUMMARY

WORKSHOP • 20 SEPTEMBER 2017

MEET THE AUTHOR SERIES

“The EU as Guardian of Internet Privacy”

by Laura Drechsler, Brussels Privacy Hub, LSTS, VUB

SUMMARY

On 20 September 2017, the Brussels Privacy Hub organized its first “Meet the Author” lunchtime debate. It attracted a wide variety of participants ranging from civil society representatives and academics to representatives of the European Parliament, the Council, the Commission and the EDPS. 

Aim of the debate was to present the book “The EU as Guardian of Internet Privacy” by Dr Hielke Hijmans published with Springer in 2016, discuss its main concepts and present feedback of data protection experts on its main propositions. The lively debate was led by Professor Christopher Kuner (Brussels Privacy Hub, LSTS, VUB) and involved contributions by Dr Orla Lynskey (London School of Economics) and Christopher Docksey (former Director of the EDPS).

The discussions were opened by Dr Orla Lynskey who praised the new perspective on data protection the book provided, especially concerning the position and role of data protection authorities. She then pointed out three areas where she thought the views in the book should be further developed.

Firstly, the sections on the rationale of data protection in the book were based on the view that data protection is essentially a subset of privacy protection and that the concepts of privacy and data protection are interchangeable. Dr Lynskey argued that this stance required further debate, also considering the cross-border differences in the data protection regimes in the various regions of the world. She noted that the book promotes the view that the data protection rules provide checks and balances for data processing which contrast to the notions of informational self-determination or data ownership, even stating that these two concepts are contradictory. Dr Lynskey expressly disagreed with this line of thought and argued for compatibility of both concepts as informational self-determination sets the default entitlement and provides direction. The compatibility of these concepts is for her also reflected within the General Data Protection Regulation (GDPR).

Secondly, Dr Lynskey praised the chapter of the book on the case-law of the Court of Justice of the European Union (CJEU) and wondered about its possible future role especially in the area of security law and data retention. She noted that the CJEU has recently established a kind of hierarchy of fundamental rights placing data protection as a priority which puts its consistency with the Charter of Fundamental Rights of the EU (CFREU) into question. She also questioned the role of the “free flow of data principle” and asked for further clarification whether in the view of the author the fundamental rights aspect of data protection trumps its economic side.

Thirdly, she elaborated on the role of the national data protection authorities (DPA) that according to the book is far reaching. Dr Lynskey asked the author why until now this far reaching role has not been fully used by the national DPAs. Additionally, she remarked that the establishment of a European Data Protection Board (EDPB) with the GDPR essentially supervising all national DPAs with the aim of harmonising their decisions could undermine their guaranteed independence. This could lead to legal challenges at the CJEU.

For Christopher Docksey the conclusion of the book that Article 16 Treaty on the Functioning of the European Union (TFEU) enshrining the right to data protection could be interpreted as posing an obligation on the Member States was in his own words “mind-boggling”. For him this conclusion supports the argument that the European data protection regime provides real value to the European citizen, therefore enhancing the EUs legitimacy. It was these values that were missing in the pre-Brexit debate. The intention of the UK government post-Brexit to keep European data protection rules was not based on values, but on an economic rationale.

The area of data protection is also a prime example for the importance of the CJEU, since the CJEU developed most of its major aspects. With an equal amount of praise Docksey highlighted the explanation of the role of Article 52 CFREU (Scope and interpretation of rights and principles) in connection with Article 7 (right to privacy) and Article 8 (data protection) CFREU. While in an Article 7 case Article 52 is directly applied to check the unlawfulness of an established interference, an Article 8 case first checks the conditions of Article 8 para 2 for legal data processing and only in a next possible step turns to Article 52.

Docksey noted that for him there was a chapter missing that deals with the situation before the adoption of the Lisbon Treaty to illustrate how far the CJEU has come in their understanding of data protection. Moreover, he wished for a more detailed discussion of the other fundamental rights that are connected with data protection, particularly the right to information and freedom of expression.

After these two initial keynotes Professor Christopher Kuner gave the author Dr Hielke Hijmans a possibility to react to the questions raised. Dr Hijmans admitted that most comments on the book he received circled around the sections discussing the rationale of data protection. He argued that while the concepts of privacy and data protection might have different scopes in some cases, from a practical viewpoint it made more sense to see them as one.

The current discussions surrounding the e-Privacy-Regulation show that too often politicians use this delicate difference between privacy and data protection in an abusive manner, so a practical approach offers more protection. Dr Hijmans liked the idea of reflecting more on the role of the CJEU pre-Lisbon and also acknowledged the role data protection will play in the Brexit debate, since it is connected to free movement of workers, goods and services. In response to Dr Lynskey’s question about the relationship between the economic and fundamental rights aspect of data protection Dr Hijmans proposed that the fundamental rights aspect is more important also in the case-law of the CJEU.

He did not agree with Dr Lynskey’s opinion that the introduction of the EDPB will infringe the independence of the national DPAs; rather he sees it as a hierarchy that is badly needed. For example, it does not make sense from a European perspective that only the Irish DPA is going against Facebook, when the infringements actually affect individuals all over the EU. The consistency procedure with a key role of the EDPB could be an opportunity to coordinate the national DPAs, pool their resources and expertise across the EU, and to achieve more consistency in how infringements are being treated. Regarding the non-use of the wide powers vested in the national DPAs he remarked that this can be explained by the lack of powers, but also of confidence of the national DPAs under present law. An issue where hopefully the one stop shop mechanism and the EDPB can offer some relief.

The initial presentations were followed by a lively debate with the participants on issues such as the essence of data protection, the role of evidence in the proceedings of the CJEU, and the legal basis and legitimacy of the EDPB.