Catching the headlines
In the last years privacy has increasingly caught the headlines in the European Union (EU) and worldwide. The revelations of Edward Snowden on the activities of the NSA, the activities of large international technology companies and spectacular decisions by the Court of Justice of the European Union (CJEU) have caught the interest of large parts of the population.
This text is aiming to make the legal background of such judgments more understandable. Issues such as the “Right to be Forgotten”, the decision on Max Schrems vs Facebook (which lead to the annulment of the Safe Harbor agreement and Privacy Shield) or data retention (such as the recently published Tele2 Sweden judgment) require an understanding of the basic framework of privacy as a human right in the EU and the global Internet.
Background: Human Rights in the Legal System of the EU
While these and similar judgments mostly refer to concrete European Laws or National Laws enacted on the basis of them, there is a set of principle rules they all have in common.
To understand this better, one can imagine the legal system as being built like a pyramid. At the top of the pyramid are common principle rules. These are, for example, the democratic character of political decision making, the rule of law or fundamental human rights.
These principles are at the top of the pyramid, because they overarch the rest of the laws. In other words, all of the laws beneath the level of the principles incorporate them in a less pure form. When all simple provisions “carry the principles” in the best way, the top will be steady and sturdy and the principles will be strong.
Furthermore, the different layers are supposed to reinforce each other. This is not only important in the national system, but also in the European and the Global context. Hence, mechanisms such as meaningful external review procedures are very useful.
Since the mission of the EU was originally limited to economic cooperation, human rights were not part of the common principles. It was believed that this was not necessary for economic cooperation. However, in the late 1960ies first cases were brought to the ECJ which made it obvious that there was a need for human rights. Ironically, the first of these cases had to do with the disclosure of a name in order to be granted benefits. Therefore, it had a clear connection to privacy.
National courts did not want to act in such cases, because the basis for the act was clearly the law of the EU. The judges at the CJEU had the problem that they would have liked to act, but could not since their “toolbox”, the legal system of the EU at the time, did not incorporate human rights.
In order to perceive the common application of common law, the judges at the CJEU needed to find a solution.
Elegantly, the Luxembourg court referred to the human rights catalogues in the member states of the EU. Additionally, it also used an international human rights treaty that all of the member states had already signed, the European Convention of Human Rights of the Council of Europe in Strasbourg (ECHR). With this “quasi-adopted” catalogue of common human rights, the CJEU solved cases where it needed human rights on an ad-hoc basis. This was a pragmatic and sufficient solution for the problem for quite some time.
With the adoption of the treaty of Maastricht in the early 1990ies, the fundamental freedoms of the internal market thrived. While it gave the CJEU a concrete legal basis to decide in cases where the freedom of movement for goods, services, people and capital was concerned, it was less clear how to strike a balance between these four fundamental freedoms and questions of human rights.
To overcome this there was the intention to make the relationship between human rights and fundamental freedoms clearer and to strengthen human rights in general. Since the policy domains of the EU were increasingly going beyond intense economic cooperation, a catalogue of Human Rights, the Charter of Fundamental Rights of the EU (CFREU), seemed appropriate and was adopted in the early 2000s.
As a consequence, Article (Art) 6 of the Treaty of the European Union in the current form contains three layers of Human Rights protection: The CFREU (par. 1), the constitutional traditions common to the member states and the ECHR (par. 3).
Since the ECHR could potentially be interpreted by the CJEU as well as the court which actually was intended to have jurisdiction over it, the European Court of Human Rights (ECtHR), it was intended (with the Treaty of Lisbon) for the EU to become a member of the ECHR system (Art. 6 par.2 TEU). This process is not finished yet, but would ultimately unify the protection system for human rights in Europe.
The status of privacy as a Fundamental Human Right
While privacy exists as a human right in every culture we know off, it is different to other rights in the aspect that it depends essentially on time, space and place. In other words, while the right not to be subjected to torture is universal and absolute for a human being, rights like freedom of expression and privacy depend much more on the context they find themselves embedded in society.
Privacy is not an absolute right. The quality it has in a certain jurisdiction depend essentially on the safeguards in place to avoid arbitrary, illegitimate and/or disproportionate limitation of it.
In the EU privacy is protected through Art 7 and Art 8 of the CFREU. Art 7 chooses the traditional path to put privacy in context, by linking it to private and family life. This is similar to Art 12 of the United Nations Universal Declaration of Human Rights from 1948, Art 17 of the International Covenant of Civil and Political Rights from 1966 and Art 8 of the ECHR.
Art 8 CFREU is more innovative, since it refers to the abstract “protection of personal data”. The difference is fundamental, since this provision entitles the individual to a right to control personal data “concerning him or her” regardless of the context.
However, both, Art 7 and 8 CFREU, must be read in connection with their limitations. Of course, it is allowed to process personal data in the EU. However, a concrete purpose and consent or some other legitimate basis must be the reason for it. Additionally, every individual is entitled to access “its” data. Furthermore, there is the right to have data rectified in cases where it is wrong, not precise or if circumstances have changed.
Sometimes it is being criticized that there are two articles on privacy in the CFREU. The relationship between Art 7 and 8 seems dubious, since Art 8 does not necessarily add protection apart from an abstract and hypothetical description. However, the CJEU emphasizes that the two rights are separate. It will have to be discussed in another text whether this is distinction is convincing or not.
To understand the global context of privacy as a human right in the EU, one has to consider how the Internet looks like currently. Since it evolved into a system which allows for the exchange of information on a global level it makes sense to consider it from a global perspective.
However, the activities carried out on the Internet today are far more important than they used to be ten or fifteen years ago. Hence, there is a need for more regulation and safety. Where does this leave the EU and its human right to privacy?
The legal system of human rights protection in the EU fits the Internet generally very well. It is based on a global approach (the Universal Declaration of Human Rights and the International Covenant of Civil and Political Rights) which gets reinforced by regional (CFREU and ECHR) and national human rights provisions and enforcement (catalogue of human rights national constitutions or traditions).
Generally, it is acknowledged that Europe has developed the most sophisticated and effective system of Human Rights Protection on the planet since the end of the second world war. A similar approach can be found in Southern and Latin America, where the regional system works with a charter of rights and a court similar to Europe.
However, while this approach might be one of the reasons why the EU has become such an important actor in the area of human rights in the Digital Age, it is clearly the exception when compared to North America, Asia or other parts of the planet. Most states are facing the dilemma of reconciling national with international approaches, without having the possibility to rely on closer regional cooperation to bridge the gap between the two.
As long as it is unlikely that a comprehensive global regime can evolve to govern the Internet as such – the best solution for the global network we call Internet – regional organizations like the EU remain crucial in aligning national and international perspectives on Internet Governance. Hence, the EU and the Council of Europe will remain Europe’s main actors in Internet Governance on a global scale. The stronger they will be, the stronger European influence in the Digital Age will remain.
However, this important position must not be abused to try to impose illegitimate extraterritorial constraints on corporations and actors that do not origin from Europe. In other words, the EU must not use its unique position and rich heritage in the area of human rights protection to discriminate against actors from other regions.
Decisions and limitations must be based on merits and substance, particularly legal provisions which entail fundamental human rights. External review mechanisms and close cooperation on a regional level will be of utmost importance to enforce those principles.
The EU will only remain a valid and important actor in the Digital Age, if its institutions stick to this approach and remain open for new developments.
 ECJ, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, ECLI:EU:C:2014:317.
 ECJ, Maximillian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650.
 ECJ, Tele2 Sverige AB v Postoch telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, ECLI:EU:C:2016:970.
 Such as the Data Protection Directive 95/46/EC of the EU from 1995 which will be replaced by the General Data Protection Regulation (EU) 2016/679 on the 25th of May 2018.
 Particularly, if the mechanisms entitle individuals to check the system. For example, Article 13 of the ECHR entitles every individual to check national decisions in cases where local remedies have been exhausted.
 ECJ, Stauder v City of Ulm – Sozialamt, ECLI:EU:C:1969:57; J. Nold, Kohlen- und Baustoffgroßhandlung v Commission of the European Communities,
 Polakiewicz, Accession to the ECHR – An Insider’s view addressing one by one the CJEU’s objections in opinion 2/13, Human Rights Law Journal, p. 10 – 22.
 Cf. Cannataci, 1st Report of the UN Special Rapporteur on the right to privacy, A/HRC/31/64, par. 22.
 ECJ, Tele2 Sverige AB v Postoch telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, ECLI:EU:C:2016:970, par. 129: “It should be added, finally, that Article 8 of the Charter concerns a fundamental right which is distinct from that enshrined in Article 7 of the Charter and which has no equivalent in the ECHR.”
 For others see Gstrein, The EU and its Reidentification as a Guardian of Human Rights, Saar Blueprints, available via http://jean-monnet-saar.eu/wp-content/uploads/2014/06/EU_Reident_MR_EN.pdf - accessed on 30.01.2017.