Raphaël Gellert

The fundamental right of data protection in the European Union: in search of an uncharted right

The entry into force of the EU Charter of Fundamental Rights and the ensuing introduction of the right to data protection as a new fundamental right in the legal order of the EU has raised some challenges. This article is an attempt to bring clarity on some of these questions. We will therefore try to address the issue of the place of the right to the protection of personal data within the global architecture of the Charter, but also the relationship between this new fundamental right and the already existing instruments. In doing so, we will analyse the most pertinent case law of the Court of Luxembourg, only to find out that it creates more confusion than clarity. The lesson we draw from this overview is that the reasoning of the Court is permeated by a ‘privacy thinking’, which consists not only in overly linking the rights to privacy and data protection, but also in applying the modus operandi of the former to the latter (which are different we contend). The same flawed reasoning seems to be at work in the EU Charter of Fundamental Rights. Therefore, it is crucial that the different modi operandi be acknowledged, and that any upcoming data protection instrument is accurately framed in relation with Article 8 of the Charter.

Minimizing Technology Ricks with PIAs, Precaution, and Participation

Privacy impact assessment can be a tool for responsible research and innovation (RRI). RRI can be defined as a transparent, interactive process by which societal actors and innovators become mutually responsive to each other. In order to allow a proper embedding of scientific and technological advances in society, actors and innovators keep in mind ethical acceptability, sustainability, and societal desirability of the innovation process and its marketable products. This definition of RRI is close to the definition of privacy impact assessment (PIA). PIA is a process of engaging stakeholders to consider the impact of a new technology, product, service, project, or policy on privacy, and what measures could be taken to avoid or mitigate unwanted effects. In this light, PIA is also an instrument of risk governance that should be understood and implemented within the framework of the precautionary principle. Precaution is a theoretical framework of action in the face of uncertain risks. After considering the precautionary principle from a conceptual point of view, we consider privacy impact assessment in practice. We conclude that by integrating PIA within risk governance, one can also address the problem of balancing privacy and other values.

A Comparative Analysis of Anti-Discrimination and Data Protection Legislations

Departing from the ECJ’s Huber case where Germany was condemned for discriminatory processing of personal data and which suggests that there is a strong kin between data protection and discrimination issues, this chapter is an attempt to further compare the two fundamental rights - non-discrimination, and data protection.

Beyond Accountability, the Return to Privacy?

There is great confusion as to the exact meaning of privacy. As Solove puts it, privacy is a concept in disarray. It is a sweeping concept and nobody can articulate what it means.2 In this respect,3 privacy has successively been conceptualised in terms of ‘right to be let alone’,4 control over personal information,5 the construction of one’s identity,6 informational self-determination,7 or contextual integrity.8 What clearly emerges from these attempted conceptualisations of privacy is that privacy is a multidimensional, multi-faceted concept, the complexity of which is therefore hard to grasp within a single conceptual setting. Some do argue that privacy should not be defined at all, since such definition would bear the risk of limiting and ‘freezing’ its meaning and effects (especially in the legal field).9 Indeed, as Solove points out, some theories are too narrow (solely focusing on information, or access to the self), others are too broad (e.g., the right to be let alone, which is an emanation of personhood), whereas others are both too broad and too narrow at times.10

Surveillance Impact Assessment Manual

The SAPIENT consortium initially developed a guide for conducting an full SIA based on the principles of risk assessment (Part I of this manual). The guide described a method for identifying, assessing (or evaluating) and prioritising for treatment risks arising from the development and deployment of surveillance technologies, systems and applications. A number of test case studies were under- taken in order to evaluate the SIA guide as a tool for the assessment of new surveillance systems and technologies, for use by organisa- tions. The objective was to test this methodology and revise it in light of feedback and the experience of implementing this methodology in a range of settings and with a number of case studies. The main result of the tests was that the full SIA process is not suitable for small companies or research projects. Consequently the SAPIENT developed a 10-page guide for a small-scale SIA to be used by this range of organisations (Part II of this manual).