data protection conference 2009 personal data – more use, more protection? european commission,...

Data Protection Conference 2009“Personal data – more use, more protection?”

European Commission, Brussels, 19-20 May 2009

PRESENTATION BY DOUWE KORFFProfessor of International Law

London Metropolitan University, London (UK)[email protected]

WHAT DOES IT MEAN WHEN WE SAY THAT PROCESSING OF PERSONAL DATA MUST BE:

“IN ACCORDANCE WITH THE LAW, NECESSARY, PROPORTIONATE, AND APPROPRIATE IN A DEMOCRATIC

SOCIETY”?

mailto:[email protected]



Presentation by Douwe Korff: “In accordance with law, necessary, proportionate and appropriate in a democratic society”

European Convention on Human Rights

Article 8Right to respect for private and family life

1 Everyone has the right to respect for his private and family life, his home and his correspondence.

2There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well‑being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

This is a “typical” Convention right.NB: In “typical” rights, the rights in the first paragraphs must be broadly construed, and the restrictions in the second paragraph narrowly.Thus, concepts such as “private life” and “personal data” must be given a wide meaning (this was not done in the Durant case in the UK)




EU Charter Of Fundamental Rights

Article 7Respect for private and family life

Everyone has the right to respect for his or her private and family life, home and communications.

Article 8Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.3. Compliance with these rules shall be subject to control by an independent authority.




EU Charter Of Fundamental Rights

Article 52

Scope of guaranteed rights

1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

I.e., the rights in the Charter follow the “typical” structure of ECHR rights




“IN ACCORDANCE WITH LAW” - European case-law (I):

The word “law” encompasses not only primary legislation, but also subsidiary rules and judicial case-law etc. - BUT one must also examine the “quality of the law”. Any legal rule that allows an interference with an individual right must be “compatible with the rule of law” and, in particular, accessible (that usually means, published) and sufficiently clear and precise to be “foreseeable” in its application.

Laws cannot always be phrased with absolute precision, but they must protect against “arbitrary interferences by public authorities” with the right in question. To the extent that the law grants certain bodies a certain discretion it must therefore also provide procedural protection against arbitrary use of that discretion.

ECHR Cases: Sunday Times v UK (Judgment of 26 April 1979, para. 49); recently: Copland v UK (Judgement of 3 April 2007)




“IN ACCORDANCE WITH LAW” - European case-law (II):

“The Court reiterates that it is as essential, in this context [taking and retaining of DNA], as in telephone tapping, secret surveillance and covert intelligence-gathering, to have clear, detailed rules governing the scope and application of [such] measures, as well as minimum safeguards concerning, inter alia, duration, storage, usage, access of third parties, procedures for preserving the integrity and confidentiality of data and procedures for its destruction, thus providing sufficient guarantees against the risk of abuse and arbitrariness.”

S & Marper v UK (Judgement of 4 December 2008), para. 99.




“NECESSARY AND PROPORTIONATE” - European case-law (I):

Whilst the adjective "necessary“ is not synonymous with "indispensable", neither has it the flexibility of such expressions as "admissible", "ordinary", "useful", "reasonable" or "desirable“; it implies the existence of a "pressing social need“, and any interference must be proportionate to such a need.

ECHR cases: Handyside v UK (Judgment of 7 December 1976, para. 48)




“NECESSARY AND PROPORTIONATE” - European case-law (II):

About the rules on the retention of DNA data by the police in the UK:

“[T]he Court is struck by the blanket and indiscriminate nature of the power of retention in England and Wales. The material may be retained irrespective of the nature or gravity of the offence with which the individual was originally suspected or of the age of the suspected offender; fingerprints and samples may be taken – and retained – from a person of any age, arrested in connection with a recordable offence, which includes minor or non-imprisonable offences. The retention is not time-limited; the material is retained indefinitely whatever the nature or seriousness of the offence of which the person was suspected. Moreover, there exist only limited possibilities for an acquitted individual to have the data removed from the nationwide database or the materials destroyed; in particular, there is no provision for independent review of the justification for the retention according to defined criteria, including such factors as the seriousness of the offence, previous arrests, the strength of the suspicion against the person and any other special circumstances.”

The DNA data retention regime in the UK was therefore not proportionate and failed to strike a “fair balance” between the competing public and private interests.

(S. & Marper v. UK, Judgment [GC] of 8 December 2008, para. 119, emphases added)




“IN A DEMOCRATIC SOCIETY” - European case-law (I):

The words “in a democratic society” allow the Court to examine the interference in a particular country in the light of what such a society requires. The Court takes the standards set by the Council of Europe and its Member States as the main measure. In practice, this means that the Court can look at COE Conventions other than the ECHR (such as the Oviedo Convention on Bio-Ethics), at COE PACE and COM Recommentations, and at law and practice in the Member States. If there is a large measure of agreement on an issue, as reflected in such other Conventions, Recommendations and/or State practice, this will be a strong indication of what a “democratic society” requires.

The existence of and wide adherence to COE Convention 108, and the wide application of the EC Directives on data protection, imply that compliance with the standards set in these instruments is required in all “democratic states”.




“IN A DEMOCRATIC SOCIETY” - European case-law (II):

The question of necessity “in a democratic society” ties in with the question of the so-called “margin of appreciation” accorded to States. If there is a large measure of agreement on an issue, States will have a narrow margin of appreciation, and the necessity of the interference will be strictly assessed with reference to the common approach in the COE States.

For data protection, such agreement or commonality can be shown by the adoption of common standards or guidelines by such bodies as the Article 29 Working Party, or the COE Steering Committee on Data Protection, etc.

The standards set by such bodies thus help to define how the general data protection principles in the Directives (and the COE Convention) must be applied; indeed failure to follow them suggests a violation of the ECHR.




Overall:In spite of serious challenges:

• Data protection is increasingly recognised as a fundamental human right – both in its own terms (EU Charter of FR) and, under the ECHR, in the case-law of the Eur Court HR and of the ECJ;

• There is increasing clarification of the application of the vague, general standards in the COE Convention and the EC Directives (WP29);

• The common interpretations and guidance makes these more precise standards also more binding.




Further reading:

• Conference handout on “The standard approach under Articles 8-11 ECHR”

• D Korff, The need to apply UK data protection law in accordance with European law, Data Protection Law & Policy, May 2008

• D Korff, Data protection law in practice in the EU, FEDMA/US-DMA, 2005, in particular chapter 1, section iii: Aims and Purposes: The Directives’ ‘Constitutional’ Status.

• Privacy and Law Enforcement (with Ian Brown), study for the UK Information Commissioner, released on the Commissioner’s website in September 2004 as “Striking the Right Balance: Respecting the Privacy of Individuals and Protecting the Public from Crime”:

http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/legal_framework.pdf



data protection conference 2009 personal data – more use, more protection? european commission,...

Documents