Is Data Protection a Fundamental Right Protecting the Individual? Bart van der Sloot Tilburg Institute for Law, Technology, and Society (TILT) Tilburg University, Netherlands www.bartvandersloot.com

Reference B. van der Sloot, ‘Do data protection rules protect the individual and should they? An assessment of the proposed General Data Protection Regulation’, International Data Privacy Law, 2014-3, p. 307-325. B. van der Sloot, ‘Legal fundamentalism: is data protection really a fundamental right?’, In: R. Leenes, S. Gutwirth, P. De Hert & R. van Brakel, (eds.), ‘Data Protection and Privacy: (In)visibilities and Infrastructure’, Springer, Dordrecht, 2017.

Documents Council of Europe. Committee of Ministers, Resolution (73) 22 On the Protection of the privacy of individuals vis-à-vis electronic data banks in the private sector. (Adopted by the Committee of Ministers on 26 September 1973 at the 224th meeting of the Ministers' Deputies). Council of Europe. Committee of Ministers, Resolution (74) 29 On the Protection of the privacy of individuals vis-à-vis electronic data banks in the public sector. (Adopted by the Committee of Ministers on 20 September 1974 at the 236th meeting of the Ministers' Deputies). Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28 January 1981. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Personal data 1973/74: Information relating to individuals (physical persons) 1981: ‘Information relating to an identified or identifiable individual’ 1995: Information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; 2016: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Obligations 1973/1974: (1) Transparency (Pub. Sec) & (2) Principles of fairness 1981: (1) - (2) Principles of fairness 1995: (1) Information to the data subject & Notification DPA; (2) Principles of fairness;(3) Grounds for legitimate data processing 2016: (1) Notification in case of data breach, (2) Principles of fairness & (3) Grounds for legitimate data processing, (4) many specific obligations (in essence becoming primarily responsible for enforcing the gdpr)

Rights 1973/1974: (1) Access right 1981: (1) Access to and communication of personal data and (2) Marginal rights on rectification and erasur 1995: (1) Access to and communication of personal data, (2) Marginal rights on rectification and objection & (3) Marginal right against automatic decision making 2016: (1) Access to personal data (scope broadened), (2) Right to data portability, (3) Rights to rectification and objection, (4) Right to be forgotten & (5) Right against profiling

Length The two Resolutions from 1973 and 1974 contained 8 and 10 articles respectively. The Convention (1981) contained 27 provisions The Directive (1995) 72 recitals and 34 articles The Regulation 173 recitals and 99 articles

Enforcement 1973/1974: Recommends governments to take all steps necessary 1981: (1) Parties shall establish sanctions and remedies, (2) Cooperation states & DPAs & role CoM & (3) Remedy of data subject if data controller denies request 1995: (1) Parties shall establish sanctions and remedies, (2) Cooperation states & DPAs + harmonization through Directive and WP 29 & (3) Marginal subjective right to remedy and compensation 2016: (1) High sanctions, (2) Total harmonization trough Regulation; increased powers Commission and EDPB; one-stop shop system & (3) Several subjective rights to remedy and compensation

Seperation The Resolution from (1974) explicitly held: ‘Bearing in mind Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, Recommends the governments of member states: a. to take all steps which they consider necessary to give effect to the principles set out in the annex to the present resolution’. The Convention (1981) explicitly stressed that its aim was to provide protection to the right to privacy in automatic data processes. Article 1 of the Directive (1995), mapping out the object of the document, holds: ‘In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data’. The Directive refers to the right to privacy some dozen times. The Regulation (2016) holds: ‘This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.’ The well known terms have been replaced (DPBD/DPIA/DPO/etc)

Fundamentalisation Article 7 Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communications. Article 8 Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.

Fundamentalisation Article 16 (ex Article 286 TEC) Treaty functioning EU 1. Everyone has the right to the protection of personal data concerning them. 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.

Terms Natural rights Human rights Fundamental rights (what is that?)

Do data protection rules protect the individual and should they? No

Is data protection a fundamental right? NO