URL: http://www.bailii.org/uk/other/journals/Script-ed/2007/4_4_SCRIPT-ed_318.html



A Private Law Approach to Privacy; Mandatory Law Obliged?

Colette Cuijpers*

 


Cite as: C Cuijpers, "A Private Law Approach to Privacy; Mandatory Law", (2007) 4:4 SCRIPT-ed 318 @: http://www.law.ed.ac.uk/ahrc/script-ed/vol4-4/cuijpers.asp 
 


DOI: 10.2966/scrip.040407.304
© Colette Cuijpers 2007.
This work is licensed under a Creative Commons Licence.
 


1. Introduction

The virtualisation of our world has led to a new trend, known as commodification.1 This concept can be defined as the transformation of what is normally a non-commodity into a commodity, to assign economic value to something that traditionally would not be considered in economic terms.2 An example of commodification is personal data. Direct marketing business shows without a doubt that personal data and profiles based on personal data are a booming business. The revelation that personal data has economic value has led me to question whether an individual can profit from this value, even if this entails waiving some privacy. The answer depends on the mandatory or regulatory nature of Directive 95/46/EC.3

In 1981 the Treaty of Strasbourg was introduced to create a level of harmonisation of national laws regarding the processing of personal data.4 After it became clear that the Treaty was not effective in this respect, the European Commission introduced Directive 95/46/EC concerning the protection of individuals with regard to the processing of personal data and the free movement of such data. The title of the directive shows that it is based upon two pillars. The first pillar concerns the protection of natural persons with regard to the processing of personal data. The second pillar concerns the free movement of such data. The general principles regarding the processing of personal data laid down in the Treaty of Strasbourg are taken to a higher level in Directive 95/46/EC, resulting in a legal framework prescribing how, and under what circumstances, personal data can be processed.5

Directive 95/46/EC is often referred to as being a privacy directive because the processing of personal data is closely related to the right to privacy.6 However, this only holds true in case the processing infringes upon someone’s private life. Section four will elaborate upon this and will demonstrate the difference between privacy and data protection, especially in view of the qualification of these concepts as fundamental rights. Because of this difference, this article will refrain from using the term “privacy directive.”

As a general assumption, but also explicitly referred to in the literature, Directive 95/46/EC is viewed as containing rules of mandatory law.7 By this I mean that it is assumed that the directive does not leave room for contractual deviation from the rules laid down in it. In this article I would like to question this assumption. In my opinion, Directive 95/46/EC does not require implementation into mandatory rules of law. Instead, the directive offers a framework on how to process personal data when there is no contractual relationship, or when the contract does not concern the processing of personal data, even though processing of these data forms part of the relationship. Therefore, it is possible to deviate from the rules laid down in Directive 95/46/EC on the basis of a contract. The question as to whether this directive imposes mandatory rules of law is important as it determines the character of rights over data in relation to the principle of freedom of contract. Moreover, it touches upon some core issues regarding European law such as the protection of our fundamental rights and freedoms; the scope of these rights and freedoms, and the correlation between them; as well as the scope of the European Union’s authority to harmonise rules concerning data protection.

In view of the foregoing it is interesting to broaden the discussion by indicating in this article the arguments supporting my opposing opinion regarding the mandatory nature of Directive 95/46/EC. Furthermore, the assumption that Directive 95/46/EC requires implementation into mandatory rules of law is the main point of resistance against a private law approach to the right to data protection. If this assumption is successfully disproved, it will clear the way for a wide-ranging discussion as to whether a private law approach to the right to data protection will lead to a more effective system of privacy protection in practice.

The perspective taken in this article is that of Dutch law. However, with a view to the similar manner of implementation being introduced throughout the European Union, the outcome might be relevant in a much broader European context and could lead to an evaluation from different national perspectives.

In my opinion, several arguments support the theory that Directive 95/46/EC does not require implementation into mandatory rules of law. First of all, section two of this article will deal with the basis of Directive 95/46/EC and the authority vested herein to harmonise data protection laws within the European Community. The absence of a specific clause within Directive 95/46/EC requiring a mandatory character of the contents of this directive is discussed in section three. The most commonly used argument in favour of implementation into mandatory rules of law is the protection of a human right: privacy. The fourth section examines the validity of this argument. This examination will start with the question raised in Blok’s thesis, whether it is justified that data protection is framed as a human right.8 The decisions of the European Court of Justice in the cases Österreichischer Rundfunk and Lindqvist demonstrate no contradiction to the viewpoint of data protection not necessarily being a human right.9 The fifth section argues that there should be some room for parties within a contractual relationship to make their own decisions regarding the right to data protection as not only immaterial, but also material interests can be protected on the basis of this right. That the same level of data protection can be reached on the basis of existing law, even without implementation, let alone into mandatory rules of law, is described in section six. Section seven addresses the question whether it is fair to deny private parties a certain level of autonomy regarding the use of their personal data, when the Dutch government creates, at a rather frightening pace, exceptions to the rights and duties granted in Directive 95/46/EC. The article ends with the conclusion that implementation of Directive 95/46/EC into mandatory rules of law is neither required, nor desired.

2. The competence to harmonise data protection

As mentioned, Directive 95/46/EC is vested upon two pillars. The first pillar concerns the protection of natural persons with regard to the processing of personal data. The second pillar concerns the free movement of such data. The legal basis for this directive can be found in article 100A of the EC Treaty. According to this article, the power of the European Community to harmonise the rules regarding the processing of personal data lies in the functioning of the internal market. It must be prevented that the free movement of personal data (and thereby trade) between the Member States of the European Union is restricted on the basis of fundamental human rights and freedoms. So, with regard to its basis, the power to enact Directive 95/46/EC is entirely based upon the second pillar, being the free movement of personal data. From this perspective, implementation of the directive into mandatory rules of law cannot be required. After all, the processing of personal data on the basis of contractual agreement will by no means hamper the free movement of such data and therefore will certainly not come into conflict with the basis of the directive. Harmonisation of the rules is only necessary for those instances in which nothing is agreed amongst the data controller and the data subject themselves, and, because of this lack of agreement, the respective national laws governing the processing of personal data interfere with the desired transaction.

This being said with regard to the question of mandatory law, I stress that Directive 95/46/EC is founded upon two equal pillars. After all, in exercising its powers, the European Community is bound to the fundamental human rights and freedoms which are laid down in the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) and in the Protocols that are attached to this Convention, and flow from the different legal principles that the Member States of the European Union have in common. So it is only possible to issue a prohibition on trade barriers when fundamental human rights and freedoms are guaranteed.10

The judgement of the European Court of Justice in the case Lindqvist does not contradict the point of view that harmonisation is only possible on the basis of the free movement of data. With regard to article 100A as the legal basis for Directive 95/46/EC the court has concluded that

recourse to that legal basis does not presuppose the existence of an actual link with free movement between Member States in every situation referred to by the measure founded on that basis. A contrary interpretation could make the limits of the field of application of the directive particularly unsure and uncertain, which would be contrary to its essential objective of approximating the laws, regulations and administrative provisions of the Member States in order to eliminate obstacles to the functioning of the internal market deriving precisely from disparities between national legislations.11

Even though this judgement broadens the authority to harmonise on the basis of article 100A to a large extent, it also reveals that harmonisation is only possible in view of the free movement of data, and not (solely) in view of the protection of a fundamental right.12

3. No clause requiring mandatory law

Article 249 of the EC Treaty obliges Member States to implement directives into national law. In addition, article 10 of the EC Treaty requires the Member States to take all measures necessary to guarantee the application and effectiveness of Community law. From these general articles the European Court of Justice derived several requirements regarding implementing directives into national law. For example, mention can be made of the requirements that implementation legislation needs to be in accordance with existing primary and secondary European Community law; provisions of a directive must be implemented with indisputable binding force; and individuals must be made fully aware of their rights.13 However, the obligation to implement does not apply to directives as a whole. Some provisions are generally exempt from the obligation to implement. Other provisions need no implementation on the basis of existing national law which already complies with the aims of the directive. A third category of provisions leaves Member States an option whether or not to implement. The ‘room for manoeuvre’ left to the Member States within the implementation process is referred to as the ‘margin of appreciation’. With regard to the scope of this margin not only the European requirements regarding implementation are of importance, but also the basis of a directive and the intended measure of harmonisation. As mentioned, Directive 95/46/EC is based on Article 100A of the EC Treaty. This article has been revised in Article 95 of the EC Treaty as a result of the Treaty of Amsterdam. Owing to the lack of transitional law, Article 100A must be interpreted in the light of Article 95 as of the date the Treaty of Amsterdam came into force. The possibility of deviating from this article under the fourth paragraph is, certainly with a view to Directive 95/46/EC, extremely limited.
Even though the exhaustiveness of a directive and the measure of harmonisation envisaged must be evaluated within the context of a specific situation, with regard to Directive 95/46/EC it can be concluded that it is so exhaustive that almost every provision is directed towards complete harmonisation. In general, in view of these requirements as well as the objective and the basis of Directive 95/46/EC, the possibility to deviate from the contents of this directive is very limited. In other words, the margin of appreciation with regard to implementing this directive is very small. Therefore, the Member States are very much bound to what the directive prescribes. Some room for manoeuvre can be found in article 13 of Directive 95/46/EC. This article states that Member States can adopt legislative measures to restrict the scope of the obligations and rights laid down in some of the provisions of the Directive when such a restriction constitutes a necessary measure to safeguard pressing national interests such as security and defence.14

However, in view of the question regarding the obligation to implement Directive 95/46/EC into mandatory rules of law, the margin of appreciation as well as article 13 are not that relevant, as the obligations, exemptions and restrictions embedded herein concern the Member States. They are obliged to implement the rules laid down in Directive 95/46/EC in a concise manner, within the boundaries set by European law and within the directive itself. But this does not contain an obligation to implement the provisions of the directive into mandatory rules of law. Even though governments cannot implement rules that deviate from the provisions laid down in the directive, this does not mean that data controllers and data subjects cannot deviate from the implemented rules. The situation is different if a directive explicitly requires implementation into mandatory rules of national law. In this respect two remarks can be made.

First of all, Directive 95/46/EC does not contain a clause requiring the mandatory character of one or more of its provisions. The use of such clauses is quite common; for example in directives concerning consumer protection such as article 12 of Directive 97/7/EC; article 7 (2) of Directive 1999/44/EC; and articles 10 and 11 of Directive 2000/31/EC.15 All these articles explicitly state that deviation from the rules on the basis of a contract is not allowed. Also article 9 of Directive 91/250/EEC and article 15 of Directive 96/6/EC can be mentioned in this respect.16 In these articles not the consumer, but the designer of software and the copyright holders are protected by mandatory rules of law. Another argument can be drawn from Directive 2001/29/EC, also concerning copyright.17 This directive leaves the choice for mandatory law explicitly to the Member States. With regard to this directive the Dutch government has explicitly chosen not to implement mandatory rules of law because this would hamper the development of agreements fit to a specific situation, which are seen as the best solution in this field. Because of the resemblance between copyright and data protection, this reasoning should in my view also be followed regarding the implementation of Directive 95/46/EC. Therefore, the absence of a clause requiring the mandatory character of one or more of the provisions laid down in Directive 95/46/EC supports the view that the directive does not require implementation law with a mandatory character.

The second remark concerns article 7 of Directive 95/46/EC. This article explicitly leaves room to process personal data on a contractual basis, or with the consent of the data subject.18 Moreover, the directive expressly states the advantages of self-regulation.19 The possibility for data controllers and data subjects to draw up data protection regulations according to the needs of a specific legal relationship must be seen as an advantage that should not be limited by mandatory rules of law. Considering the above, I am of the opinion that the directive does not require implementation into mandatory rules of law.

The counter reasoning, that the directive does require implementation into national rules with a mandatory character, is often based on the argument that the weaker party in the processing relationship should be protected. The great importance of privacy as a human right justifies government interference to protect data subjects against data controllers and against themselves in giving up their privacy. In the following sections I will question the relevance and value of this argument. In this respect reference can be made to the discussion regarding privacy as property right:

It could be argued that to deny individuals a property right in privacy for the reason that such an approach sits uneasily with human rights, would violate these very same rights: why should we prevent free individuals from using what means they have to strengthen their position, even if this does involve being exploited by others. Denying individuals a property right would leave them less able to bargain for their interests, and thus less empowered. In this respect reference can be made to the European Court of Human Rights which allows individuals to waive the protection of their fundamental rights if they have consented to this waiver in an explicit manner.20

The case referred to regards Deweer vs. Belgium.21 In this respect mention can also be made of the case Colozza v. Italy.22 In consideration 28 of this case the court stated:

In the instant case, the Court does not have to determine whether and under what conditions an accused can waive exercise of his right to appear at the hearing since in any event, according to the Court’s established case-law, waiver of the exercise of a right guaranteed by the Convention must be established in an unequivocal manner.

In the cases mentioned, the waiver concerned article 6 ECHR. However, no reservations are made with regard to the possibility to waive other rights embedded in the Convention. Though interesting, the subject of waiving fundamental rights will not be dealt with in depth as section four will demonstrate a difference between data protection and privacy. This will shed a different light on the fundamental character of the right to data protection which will influence the need for discussion concerning the possibility to waive fundamental rights.

In this respect another interesting point can be raised. Arguments against the possibility to waive fundamental rights are based on the principle that weaker parties need strong legal protection. With regard to data processing the question is justified as to whether the data subject always qualifies as the weaker party. If not, this also would be an argument against implementation of Directive 95/46/EC into mandatory rules of law. However, research into this issue requires a proper examination in a much broader context which would go beyond the scope of this article. Therefore, it will be left out of the discussion.

4. Privacy and data protection

As already mentioned, this section will discuss the qualification of data protection as a fundamental right. In this respect the first question that needs to be raised is whether the right to data protection is the same as the right to privacy. In his thesis, Peter Blok challenges the constitutional character of the right to data protection as opposed to the right to privacy.23 I agree with Blok that data protection and privacy are not the same. In Blok’s words privacy can be defined as follows:

The individual right to privacy both safeguards an undisturbed private life and offers the individual control over intrusions into his private sphere. Given this definition, the boundaries of the private sphere are central to the meaning of privacy. The right to privacy guarantees individual freedom within the home, within the intimate sphere of family life, and within confidential communication channels. In combination with physical integrity, these ‘privacies’ form the core of the legally protected private sphere.24

As the protection of the individual with regard to the processing of personal data is in no way restricted to data concerning the private sphere of the individual, Blok comes to the conclusion that the choice to link data protection to the right to privacy is unjustly made.25

This point of view leads to the question whether the argument to protect the right to privacy by mandatory rules of law is valid when the rules are not aimed at privacy, but at the processing of personal data. Even though in Europe the choice has been made to lift the rules concerning data protection to the constitutional level,26 the fact remains that the processing of personal data in a lot of cases will not enter into the private sphere of an individual. Therefore it often will not touch upon the individual’s right to privacy. This leads to the question whether it is necessary and even desirable to have mandatory rules of law governing the processing of personal data as not always privacy, but also less fundamental interests can be at stake. In my opinion this constitutes another argument why the fundamental rights approach towards privacy cannot support the conclusion that the right to privacy is non-waivable.27

Case law of the European Court of Justice does not contradict this view. Even though the cases Österreichischer Rundfunk and Lindqvist, which concern the interpretation of Directive 95/46/EC, clearly display that the roots of Directive 95/46/EC are embedded in article 8 ECHR, they also explicitly refer to the criterion ‘private’ as being a core element of this article. The European Court of Justice is of the opinion that ‘private’ must be interpreted extensively: “the expression private life must not be interpreted restrictively and there is no reason of principle to justify excluding activities of a professional nature from the notion of private life.” However, this also supports the view that the fundamental character of article 8 strongly relates to, or even depends on, an invasion into what is ‘private’.28 So the case law regarding Directive 95/46/EC, even though starting from the assumption that this Directive is based upon a fundamental right, leaves enough room for the opinion that data protection, without a connection to the private sphere of individuals, does not qualify as such.

In this respect it is interesting to point to the considerations 85, 86 and 87 in the case of Lindqvist.29 These considerations concern the question as to whether the provisions of Directive 95/46/EC can be regarded as bringing about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the EU. The question in this case relates to article 10 ECHR, but could just as well be directed towards another (fundamental) value such as freedom of contract.

85. Thus, it is, rather, at the stage of the application at national level of the legislation implementing Directive 95/46 in individual cases that a balance must be found between the rights and interests involved.

86. In that context, fundamental rights have a particular importance, as demonstrated by the case in the main proceedings, in which, in essence, Mrs Lindqvist's freedom of expression in her work preparing people for Communion and her freedom to carry out activities contributing to religious life have to be weighed against the protection of the private life of the individuals about whom Mrs Lindqvist has placed data on her internet site.

87. Consequently, it is for the authorities and courts of the Member States not only to interpret their national law in a manner consistent with Directive 95/46 but also to make sure they do not rely on an interpretation of it which would be in conflict with the fundamental rights protected by the Community legal order or with the other general principles of Community law, such as inter alia the principle of proportionality.

From these considerations it becomes clear that fundamental rights are deemed important, but that they still need to be balanced against other fundamental rights as well as other general principles of Community law. In consideration 76 of Lindqvist a reference is made regarding the absence of any hierarchy between the various fundamental rights. Whether or not freedom of contract needs to be qualified as a fundamental right is an open debate. Even though the European Convention of Human Rights does not expressly mention freedom of contract, it is closely connected and even essential to the protection of property as laid down in Protocol No. 1 to this Convention.30 Moreover, the catalogues of fundamental rights of many Member States include rights which correspond to the principle of contractual freedom.31 Article 6 of the Treaty on European Union explicitly states that these rights shall also be respected by the Union.

To conclude, the qualification of data protection as a fundamental right is questionable. Without this qualification, the edge is taken off the main argument regarding implementation of Directive 95/46/EC into mandatory rules of law. Even if the right is considered to be rooted in a fundamental right, there still is no solid argument to hierarchically place data protection above the principle of freedom of contract, leaving room for implementation of Directive 95/46/EC into rules of a regulatory nature.

5. Material interests

As opposed to the right to privacy that guarantees the protection of immaterial values, the right to data protection can also protect the material value attached to personal data and the right to process this data. In other words, the right to data protection covers personal rights (i.e. rights which a person has as the object of protection and which relate to immaterial interests) and rights of use (the object of these rights is the protection of personal data and the economic value thereof). The economic value of personal data becomes clear from the standard practice of granting some kind of advantage in exchange for the right to use personal data, for example client cards and ‘free’ access to the Internet. In this respect it can be argued that although mandatory rules of law protect the immaterial right to privacy, they diminish the possibilities for data subjects to negotiate terms and conditions under which, in return for economic gain, they can consent to the processing of their personal data. From an economic perspective, the desirability of mandatory rules of law concerning the processing of personal data is therefore doubtful.

6. Private law offers similar level of protection

This section is written on the basis of Dutch private law. In view of similarities between civil codes of different European Member States, it might hold true for other countries as well. The argument presented in this section concerns the fact that implementation law of a mandatory character is by no means necessary to achieve the level of data protection required by Directive 95/46/EC. Analysis of the law and case law shows that a level of data protection, equal to that of the directive, can be achieved on the basis of a combination of the OECD privacy guidelines, the Treaty of Strasbourg, Article 8 ECHR and the Dutch Civil Code.32 An action arising from an unlawful act, Article 6:162 of the Dutch Civil Code, makes it possible to appeal against a breach of Article 8 ECHR.33 With regard to the processing of personal data, the contents of article 8 ECHR can more precisely be filled in on the basis of the guidelines and the Treaty of Strasbourg.

From the former sections I conclude that the directive does not in itself stand in the way of implementation law of a regulatory character. In my opinion, an act of law establishing a certain kind of waiver of the rights implemented according to this directive can therefore be valid. However, this does not mean that such an act of law is never exposed to nullity or nullification. After all, the freedom of contract is not unlimited. First of all the directive uses a very strict definition for the data subject’s consent to the processing of personal data.34 Also the Dutch Civil Code acknowledges several restrictions to the freedom of contract. Requirements regarding the formation of a contract and several other (private) law values can hinder the validity of contractual clauses. In this respect, the following can be referred to: the general and specific standards of due care; the duties to warn and inform; the general principles of proper administration; the requirements of reasonableness and fairness; and the doctrine of general terms and conditions.

The norms limiting the freedom of contract mentioned above all lead to the conclusion that, on the basis of Dutch law of obligations, the same result will often be reached as specifically prescribed by Directive 95/46/EC for the processing of personal data. Analysis of this law shows that it only seldom permits deviation from the rules that are laid down by the directive.35 Thus, also in practice there is no need for implementation of Directive 95/46/EC into mandatory rules of law.

Even though I am of the opinion that in a lot of situations the level of data protection required by the directive can be reached on the basis of Dutch Civil Law, this does not mean that I am blind to the critique that the Dutch Civil Code does not sufficiently protect weak contracting parties. However, if this view is taken, it should lead to a general tightening up of the balance of power provided by the Dutch Civil Code. The rules concerning contractual relations, especially those concerning general terms and conditions, should be reviewed, instead of requiring mandatory rules of law for specific relationships with a possible unbalanced power division. As the Dutch rules concerning consumer protection are often derived from European Directives, this exercise would best be performed at a European level. Thus, the question as to whether in Dutch private law the weaker party receives enough protection is an interesting topic for another article, which fits perfectly into the current European Review of the Consumer Acquis.36 However, as this question transgresses the scope of this article, it will not be further elaborated upon. Just for the sake of the argument I would like to mention the following. From the viewpoint of legal certainty it is, in my view, desirable to extend the annex of Directive 93/13/EEC on unfair terms in consumer contracts in such a sense that it indicates as unfair a clause stating that the controller is allowed to process the data subject’s personal data. After all, such a clause cannot comply with the strict requirements regarding the data subject’s consent.37

7. Government protection or protection against government?

Starting from the opinion that European law does not require implementation into mandatory rules of law, I wonder whether it would from a Dutch law perspective be fair to opt for this kind of implementation. Should government exclude all possibilities for private parties to agree to a certain waiver of privacy as far as this is economically advantageous for them, when it is the Dutch government who, at a furious pace, is creating competences to process personal data?38 The possibility to deviate from the rules laid down by the laws that implement the directive can offer controllers in the private sphere the same flexibility to process personal data as the Dutch government creates for itself under the cloak of national security. As pointed out above, private law can offer enough safeguards regarding the contractual waiver of privacy. However, private law does not protect data subjects against government competences to process personal data that have their basis in the law. In this respect, the question arises whether it is justified to regulate the right to data protection, which exceeds the distinction between private and public law, in a mandatory fashion. Should government protect our privacy in private relationships, or should we be more concerned about protection against government invasion of our privacy?

8. Conclusion

From the foregoing the conclusion can be drawn that national rules based on Directive 95/46/EC are of a binding nature to the data controller until the moment that he, on a contractual basis, explicitly agrees otherwise with the data subject. In my view it is a step too far to deny judicial effect to all contracts between data controllers and data subjects in which the data subject willingly gives up part of the rights granted to him on the basis of this directive. In my opinion, this would breach the principle of freedom of contract. Not only privacy, but also freedom of contract is a fundamental value that should only be limited under very strict conditions. As pointed out in paragraph five, the data subject’s consent to the processing of his personal data is surrounded by several private law requirements that protect the data subject against hasty decisions to give up his privacy.

The arguments listed above lead me to the conclusion that implementation of the directive into mandatory rules of law is not required. Moreover, privacy is a subjectively coloured concept. It is pre-eminently the data subject who must indicate what in his view concerns his privacy and against what processing activities he wishes to be protected. From this perspective, and from the points raised in sections five and seven, it is questionable whether it is desirable that government already makes binding choices regarding our privacy.39

 


* Assistant Professor at TILT, Tilburg Institute for Law, Technology, and Society, The Netherlands.

1 See in this respect the interesting article of Corien Prins, ‘Property and Privacy: European Perspectives and the Commodification of our Identity’, at http://www.ivir.nl/agenda/iter/PapersCommodification/commodification-prins-workingdocument-version21.doc.

2 Bernt Hugenholtz Commodification of Information: The Future of the Public Domain, Amsterdam, January 2004, p. 1
http://www.ivir.nl/agenda/iter/PapersCommodification/Final%20Background%20Paper1.doc.
He refers for his inspiration for this definition to: N. Elkin-Koren and N. Weinstock Netanel (eds.), The Commodification of Information, The Hague, London, Boston, Kluwer Law International, 2002, Information Law Series No. 11.

3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal 1995, L 281/31.

4 Convention for the protection of individuals with regard to automatic processing of personal data. ETS no. 108. http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm.

5 Article 6 of Directive 95/46/EC specifies the principles relating to data quality:

“ 1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

2. It shall be for the controller to ensure that paragraph 1 is complied with.”

Article 7 contains the legal grounds on which data can be processed legitimately; article 8 concerns sensitive data, that is, categories of data that need special protection because of their sensitive nature; article 9 balances data protection against freedom of speech; articles 10 and 11 contain information duties; articles 12 and 14 concern the data subject’s right of access and right to object; articles 16 and 17 deal with confidentiality and security. Article 13 gives Member States possibilities to exempt and restrict certain provisions if deemed necessary to protect the state’s vital interests. Furthermore, the directive contains provisions concerning notification obligations; judicial remedies, liability and sanctions; transfer of data to third countries; codes of conduct; and supervisory authorities.

6 If you search for ‘privacy directive’ in Google you will find Directive 95/46/EC as well as Directive 2002/58/EC which is also referred to as the E-privacy directive as it concerns the processing of personal data and the protection of privacy in the electronic communications sector.

7 For example Lucas Bergkamp, European Community Law for the New Economy (Antwerp: Intersentia, 2003), p. 123. See also Eric Schreuders, Data mining, de toetsing van beslisregels en privacy. Een juridische Odyssee naar een procedure om het toepassen van beslisregels te kunnen toetsen (diss. Tilburg), Tilburg Katholieke Universiteit Brabant, Centrum voor Recht, Bestuur en Informatisering 2001.

8 Peter Blok, Het recht op privacy. Een onderzoek naar de betekenis van het begrip ‘privacy’ in het Nederlandse en het Amerikaanse recht, Boom Juridische Uitgevers, 2002.

9 European Court of Justice, 6 November 2003, Case C-101/01, (Lindqvist) European Court reports 2003 Page I-12971. European Court of Justice, 20 May 2003, joined cases C-465/00, C-138/01 and C-139/01 (Österreichischer Rundfunk) European Court reports 2003 Page I-04989.

10 “Directive 95/46 itself, while having as its principal aim to ensure the free movement of personal data, provides in Article 1(1) that Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. Several recitals in its preamble, in particular recitals 10 and 11, also express that requirement.” European Court of Justice, 20 May 2003, joined cases C-465/00, C-138/01 and C-139/01 (Österreichischer Rundfunk) European Court reports 2003 Page I-04989, consideration 70.

11 Referring to Joined Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others [2003] ECR I-4989, paragraph 41, and the case law cited therein.

12 Whether or not the ruling of the court stretches the authority to harmonise on the basis of article 100A of the EC Treaty too far is in itself an interesting topic for debate. However, this falls outside the scope of this article.

13 A complete overview of the requirements can be found in Colette Cuijpers, Privacyrecht of privaatrecht? Een privaatrechtelijk alternatief voor de implementatie van de Europese privacyrichtlijn, ITeR-reeks nummer 71, Den Haag: Sdu uitgevers 2004 (Thesis, University of Tilburg), § 3.3.

14 Article 13: “1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard: (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions; (e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters; (f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e); (g) the protection of the data subject or of the rights and freedoms of others. 2. Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.”

15 Directive 97/7/EC, Official Journal 1997 L 144/19. Directive 1999/44/EC, Official Journal 1999 L 171/12. Directive 2000/31/EC, Official Journal 2000 L178/1.

16 Directive 91/250/EEC, Official Journal 1991 L 122/42. Directive 96/6/EC, Official Journal 1996 L 077/20.

17 Directive 2001/29/EC, Official Journal 2001 L 167/10.

18 For the differences and similarities between contract and consent under Directive 95/46/EC and in the Dutch Civil Code see Cuijpers 2004, § 6.5.

19 Recital 61 and article 27 of Directive 95/46/EC explicitly encourage the drawing up of Codes of Conduct.

20 J E J Prins, “The Propertization of Personal Data and Identities”, (2004) EJCL, Vol. 8(3).

21 ECHR 27 February 1980, A 35 § 48-54 (Deweer/Belgium).

22 Colozza v. Italy (Application no. 9024/80) 12 February 1985. In consideration 28 reference is made to the Neumeister judgment of 7 May 1974, Series A no. 17, p. 16, para. 36; the Le Compte, Van Leuven and De Meyere judgment of 23 June 1981, Series A no. 43, pp. 25-26, para. 59; the Albert and Le Compte judgment of 10 February 1983, Series A no. 58, p. 19, para. 35.

23 Blok 2002.

24 Blok 2002, p. 323.

25 For a sound motivation of this view see chapters 3 and 5 of Blok 2002. In this article the concept of ‘informational privacy’, meaning the right of individuals to control access to, and the use of, information about themselves, is not used as it can be argued that one can only speak of informational privacy in case the processing of personal data relates to the private sphere of the individual. If not, one should refer to the right to data protection.

26 See article 7 and 8 of the Charter of Fundamental Rights of the European Union. This Charter is embedded into the Treaty establishing a Constitution for Europe, Part II, article 67 and 68. Also in the Netherlands data protection and privacy are both addressed in article 10 of the Dutch Constitution.

27 The only argument of Lucas Bergkamp for the statement that “Even if an individual wants to give up some or all of his privacy rights (e.g. to obtain a lower price for a product or service), EU law will not let him do so. The EU privacy rights cannot be waived in any matter. Consequently, any agreement pursuant to which a data subject waives some or all of his rights under Directive 95/46/EC is void and unenforceable, even if the agreement otherwise meets all the validity requirements and is in the data subject's interest” seems to be the qualification of privacy as a fundamental right. Lucas Bergkamp, European Community Law for the New Economy (Antwerp: Intersentia, 2003), p. 123. As described in paragraph 3 of this article, even if this opinion can be doubted in view of the judgement of the European Court of Human Rights in the case Deweer vs. Belgium.

28 Consideration 73 of the judgement in the case Österreichischer Rundfunk. European Court of Justice, 20 May 2003, joined cases C-465/00, C-138/01 and C-139/01.

29 European Court of Justice, 6 November 2003, Case C-101/01, (Lindqvist) European Court reports 2003 Page I-12971.

30 Norbert Reich, Understanding EU Law: Objectives, Principles and Methods of Community Law, Intersentia nv 2003, p. 277-278.

31 Brigitta Lurger, “The Future of European Contract Law between Freedom of Contract, Social Justice, and Market Rationality”, (2005) European Review of Contract Law, 4 at p. 448.

32 Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data: http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html. European Convention for the Protection of Human Rights and Fundamental Freedoms: http://www.echr.coe.int/Convention/webConvenENG.pdf.

The Dutch Civil Code contains private law. It deals with the rights of individuals (Book 1), legal entities (Book 2), the rights of property (Book 3) and succession (Book 4). It also sets out the law of obligations (Book 5) and of contracts (Books 6-7A) and transport law (Book 8). The Dutch Civil Code can be found at www.wetten.nl. Peter Haanappel has written several English translations of (parts) of the Dutch Civil Code, such as New Netherlands Civil Code (Series Legislation in Translation), Kluwer Law International 1996.

33 Unofficial translation of article 6:162 of the Dutch Civil Code: A person, who commits an unlawful act against another person which can be imputed to him, must repair the damage which the other person suffers as a consequence thereof.

34 In Article 2 (h) of Directive 95/46/EC the data subject’s consent is defined as: “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

35 Cuijpers 2004, § 6.6.3. However, in this respect, it is useful to point to the position of the Dutch Data Protection Authority (College Bescherming Persoonsgegevens). This authority must, in principle, respect contracts between data subjects and controllers that deviate from the directive, but which are legitimate according to Dutch private law. Contractual clauses between controllers and data subjects that differ from obligations regarding the legal relationship between controllers and the supervisory authority can be ignored by this authority. Cuijpers 2004, § 6.6.5.

36 See in this respect: http://ec.europa.eu/consumers/cons_int/safe_shop/acquis/index_en.htm

37 Even without considering the requirement of ‘freely given’ consent, the prescribed clause does in any case not meet the requirement of ‘specific’ consent.

38 With regard to the extension of government competences with a view to national security at the cost of privacy, the following examples can be mentioned: extended obligation to identify oneself (Kamerstukken 29 218); extended possibilities to claim (telecommunication) data (Kamerstukken II 2001-2002, 28 059, nr. 1-2 and Kamerstukken 29 441); preventive search (Kamerstukken 26 865); extended duration of the obligation to store data under the Judicial Data Act (Wet justitiële gegevens). There is also draft legislation to replace the Law on Police Registries (Wet politieregisters) to give police more elbow-room regarding the processing of personal data (NJB 2004-15, p. 817).

39 Still not convinced that the rules implementing Directive 95/46/EC can be of a regulatory nature? Fortunately for me, this does not influence the central conclusion of my thesis that implementation of these rules into the Dutch Civil Code is possible, and not prima facie undesirable. After all, the Dutch Civil Code is not restricted to rules with a regulatory nature. For example, several articles of the Dutch Civil Code concerning consumer protection and labour law are of a mandatory nature. Cuijpers 2004.

 

