The monthly law journal which covers all aspects of data protection and data privacy: data transfer & outsourcing, marketing and e-marketing, freedom of information (FOI), employee monitoring, privacy compliance, online data acquisition and consent, personal data, website compliance and emerging technologies such as behavioural advertising, cloud computing and smart grids. / read more
You know a matter is serious when a top international tribunal takes upon itself to change the course of society. This year, three rulings of the Court of Justice of the European Union (‘the Court’), the highest judicial authority of the EU, show its grave concern for the data-hungry world in which we live and its desire to change it. Each of these rulings targets a different audience – the state, the corporate world and the citizen – but all of them uphold the role of privacy as a right that is threatened by our tech-driven existence. The effects of these decisions go beyond the pure legal technicalities of interpreting European data protection law because their consistent message is that society as a whole, in the EU and elsewhere, should be less tolerant of and more concerned about our dependence on data.
In April 2014, the Court went so far as to invalidate a European Directive ordering the retention of communications data for law enforcement purposes. This was a Directive that had taken several years to negotiate and was finally agreed by the European Parliament and the Council of the EU – the two legislative bodies of the European Union – in 2006. The purpose of the Directive was to formally order the retention of communications' traffic and location data – but not the content of communications – by service providers for the prevention, investigation, detection and prosecution of serious crime. The adoption process was entirely above board and later praised as an example of legislative rigour by many critics of the mass data collection practices undertaken by the US intelligence services. However, the legality of the Directive had been questioned from day one and ultimately the Court took the view that by requiring the retention of data and by allowing its access, the Directive interfered in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.
A month later, the much-publicised 'right to be forgotten' decision against Google confirmed the prevailing role of privacy over commercial interests. This was a controversial decision because of its negative impact on freedom of expression and the right of access to information, but once again, the Court wanted to make a bold statement. In this case, an ordinary citizen's right to control what information about him was accessible through a search engine prevailed over the technological wonder that makes the entire Internet accessible in micro-seconds. But this was not just about search engines and Google. The Court's message was that in that high-stakes balance between the right to privacy and the ever pervasive information society, the former should not be compromised for the sake of technological progress.
More recently, the Court has targeted all of us as technoaddicts. CCTV systems have become part of our lives and a routine landmark in urban public spaces. In this particular case, a basic CCTV camera had been installed by a home owner for the purpose of protecting the property, health and life of those living there. The camera had been effective in identifying the perpetrators of an attack to that property but its use was found to be subject to the legal requirements imposed by data protection law. This has now been confirmed by the Court, which ruled out the applicability of the so-called 'household exemption' in this case because the camera partially monitored a public space, even though it was installed in a private dwelling. Once again, this should be seen as a warning that irrespective of how honourable the purpose, indiscriminate data collection – even in a personal capacity – deserves to be tightly scrutinised.
Ultimately and whilst unrelated, these decisions must be interpreted as a concerted attempt by the judiciary to stop the relentless march of the surveillance society. No matter how controversial, they merit careful and respectful consideration. Fighting serious crime, disseminating information freely and protecting our families are not frivolous ends. However, the judiciary has been firm and unflappable in its reasoning. Collecting data en masse should be approached with utmost care. No one is off the hook. Governments, business pioneers and even humble citizens are all expected to act responsibly and proportionally. The debate is far from over but we should reflect about the intentions of the Court and consider how every activity involving personal information affects people's privacy, regardless of how reasonable or necessary the purposes of that activity may be. In almost every case, it will be a matter of finding the right balance and accepting that the rights to privacy and data protection are still important and indeed essential in a digitally connected society. Otherwise, as we have seen, the judiciary is prepared to take a very active role in addressing that balance.
Eduardo Ustaran Partner
Hogan Lovells, London