The internet as a technology not only revolutionized communication, it also enabled new forms of trade. Digital trade often involves personal data. Information about individuals now travels around the world on an unprecedented and rapidly growing scale. The key to understanding the implications of data protection in the EU for trade with the wider world is the Charter of Fundamental Rights of the EU (Charter, CFR). The Charter has the status of primary Union law and data protection is enshrined as a fundamental right in Article 8 CFR. The first section of this chapter traces the development of the right to data protection from the early data protection laws in Europe to the inclusion of Article 8 into the Charter. It identifies the driving forces behind this development and offers insights into the origins of this new fundamental right (Sect. 2.1). The second section addresses the substance of the right to data protection. It explains the underlying values for the interpretation of the new fundamental right and analyzes the six written constituent parts of Article 8 CFR. It shows that the right to data protection must be distinguished from the right to private life in Article 7 CFR. The second section also explains what counts as an interference with the right to data protection and addresses lawful limitations on the exercise of this new fundamental right (Sect. 2.2). The third section focuses on the extraterritorial dimension of the right to data protection. The jurisprudence of the ECJ reveals an unwritten constituent part of the new fundamental right: the right to continuous protection of personal data. Personal data cannot be exported to third states that do not provide a level of protection for the transferred personal data that is essentially equivalent to that guaranteed within the EU (Sect. 2.3). Certain practices in third states are of particular relevance for the extraterritorial dimension of Article 8 CFR. 
Foreign internet surveillance often targets personal data that is transferred from the EU to a third country. The fourth section analyzes the requirements for foreign internet surveillance practices emanating from the right to data protection in Article 8 CFR (Sect. 2.4).

1 Development of the Right to Data Protection

The development of the right to data protection in Article 8 CFR is based on, and fueled by, technological progress and the associated new powers of the state. The origins of the right to data protection are important in understanding this relatively new fundamental right. The first data protection rules emerged in Europe in the 1970s (Sect. 2.1.1). These rules inspired international organizations such as the Organization for Economic Cooperation and Development (OECD) and the Council of Europe to dedicate attention to the increasingly important subject of data protection in the 1980s (Sect. 2.1.2). Diverging data protection rules in the member states of the EC created problems for the common market and led to a communitywide harmonization of data protection rules in the 1990s (Sect. 2.1.3). The constitutionalizing process in the EU finally led to the codification of a fundamental rights catalogue that included a new fundamental right to data protection in the 2000s (Sect. 2.1.4).

1.1 Early Data Protection Laws

Rules on the processing of personal data first surfaced in European countries during the second part of the last century. The German federal state of Hesse adopted the first legal act concerning the use of information about individuals stored on public authorities’ files in 1970 (Hessisches Datenschutzgesetz).Footnote 1 Sweden approved the first national law regulating automated processing of personal information in the public and private sector in 1973 (Datalag).Footnote 2 Germany was the first member of the EC to pass a national law protecting individuals against the misuse of personal data through data processing operations in 1977 (Bundesdatenschutzgesetz, BDSG).Footnote 3 France endorsed a law on computers, files and freedoms addressing the collection and processing of personal data in 1978 (loi relative à l’informatique, aux fichiers et aux libertés).Footnote 4 These four early laws constitute the first period of regulatory activities related to data protection. They all have a similar background. The law in the German federal state of Hesse followed the official setting up of public data processing facilities in Hesse, where the public authorities were particularly active in promoting the automated processing of information on individuals for administrative purposes.Footnote 5 The Datalag in Sweden was the direct outcome of public concern generated by a population census that gathered personal data to facilitate automated processing of information on Swedish citizens.Footnote 6 Sweden had also been developing a system of identification through personal identification numbers since the 1940s. The comparatively early and progressive computerization of the Swedish public administration and its capacity to integrate and connect decentralized information added to the public concern responsible for the adoption of the Datalag. 
In France, a press article about a government project named SAFARI (Système Automatisé pour les Fichiers administratifs et le Répertoire des Individus) caused great public alarm and spurred legislative action on data protection. SAFARI entailed the linkage of disparate information on French citizens stored by different public authorities.Footnote 7 Accordingly, the computerization of public authorities and the collecting and connecting of information about individuals in centralized data banks triggered the first regulatory activities related to data protection in Europe.

Trade concerns did not play a role and human rights played only a minor role in the early development of these data protection rules. The right to private life enshrined in Article 8 ECHR was not mentioned in these laws. In Germany, neither the Hessische Datenschutzgesetz nor the BDSG was associated with human rights.Footnote 8 The Swedish Datalag was advanced to protect the personal integrity of individuals. Only the French law stated in Article 1 that information technology must not infringe human identity, human rights, private life and individual or public freedoms. Thus, it cannot be said that the early data protection laws in Europe were (strongly) associated with human rights.

While these developments unfolded in Germany, Sweden and France, some other European countries were choosing a different path to address the processing of information about individuals: they established constitutional provisions. The Portuguese Constitution of 1976 addressed the use of data processing under the title “Rights, Freedoms and Guarantees”.Footnote 9 Article 35 of the 1976 Portuguese Constitution granted all citizens a right to information on the content of all data banks concerning them and a right to access and rectify that data. It prohibited automatic processing of data concerning a person’s political convictions, religious beliefs or private life, except if the data was in non-identifiable form. It also made unconstitutional any attempt to give all Portuguese citizens all-purpose national identification numbers.Footnote 10 The Spanish Constitution of 1977 addressed data processing indirectly.Footnote 11 Article 18 of the 1977 Spanish Constitution enshrined a right to honor, personal privacy, and family privacy (intimidad personal y familiar). It also guaranteed the secrecy of communications. Moreover, it mandated that the law shall limit the use of information technology in order to guarantee the honor, personal privacy, and family privacy of citizens and the full exercise of their rights. Neither the 1976 Portuguese Constitution nor the 1977 Spanish Constitution established a fundamental right to data protection, but they addressed the use of computers and certain data processing operations at the highest level in order to protect citizens. There was no link made to trade in these provisions.

Austria was the first country with a constitutionally protected right to data protection. The federal act on the protection of personal data was adopted in 1978 (Datenschutzgesetz, DSG).Footnote 12 Article 1 DSG declares that the right to data protection is a fundamental right enjoying constitutional rank and that it may only be restricted under the conditions of Article 8 ECHR.Footnote 13 Article 1 DSG further established that everyone is entitled to have personal data kept secret, but only insofar as they have an interest in that data deserving protection, particularly with regard to respect for their private and family life. Even though data protection formally became a fundamental right in Austria, it was not a self-standing right but intrinsically linked to the right to private life.

1.2 Materialization in International Instruments

The development of the right to data protection entered a new phase by the beginning of the 1980s, when the OECD and the Council of Europe adopted instruments for the processing of personal information. Two key international instruments were elaborated at this time: first, the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of the OECD (OECD Privacy Guidelines), and second, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe (Convention 108).

The OECD is an international economic organization established in 1961 as the successor of the Organization for European Economic Cooperation to promote economic development and world trade. The OECD brings together European and non-European countries including the US. During the 1970s, more than a third of the 24 OECD member countries had already enacted laws with elements regulating the processing of information about individuals. The OECD was concerned that differing national laws, superimposed on interconnecting information and communication technology, would result in serious inefficiencies and economic costs, obstacles to the attainment of its institutional objectives, and even divide the global community of free market economies.Footnote 14 The US in particular feared that with the advent of automatic data processing, European countries (and their regional institutions such as the EC) might erect legal and economic barriers for privacy reasons. US officials suspected some sort of data protectionism in so far as “legislation, nominally for the purpose of data protection, could actually have such objectives as the protection of domestic employment, local technology and expertise, home industries, national culture, language, and sovereignty.”Footnote 15 European countries stressed the intrinsic value of their data protection rules and the need to protect their citizens from automatic data processing.Footnote 16

Given the different perspectives, especially on each side of the Atlantic, the OECD tried to resolve this quandary with general principles regulating the processing of personal data. The introduction of these general principles into domestic law, it was hoped, would reduce economic inefficiencies and strengthen citizens’ rights regarding their personal information. The OECD Privacy Guidelines thus set minimum standards for data privacy in order to reduce differences between OECD member states and to avoid undue interference with cross-border flows of personal data. The OECD wanted to eliminate reasons that might induce member states to restrict such data flows.Footnote 17 The OECD Privacy Guidelines did not explicitly refer to data protection and used instead the words “protection of privacy” and “individual liberties.” The Explanatory Memorandum accompanying the OECD Privacy Guidelines conceded that it is common practice in continental Europe to refer to privacy protection laws as data laws, or even as data protection laws.Footnote 18

Not long after the adoption of the OECD Privacy Guidelines, the Council of Europe finalized Convention 108.Footnote 19 The Council of Europe is an international organization that was established in 1949 to uphold human rights, democracy, and the rule of law in Europe. The Parliamentary Assembly of the Council of Europe issued a recommendation in 1968 that pointed out the need to study and report on the question of whether national legislation in the member states adequately protected the right to privacy—enshrined in Article 8 ECHR—against violations enabled by the use of modern scientific and technical methods.Footnote 20 Subsequent resolutions of the Council of Europe covered data banks in the private sector (1973)Footnote 21 and in the public sector (1974).Footnote 22 Convention 108 (adopted in 1981) was drafted because there were still problematic disparities between data protection regimes across Europe after the adoption of the two resolutions. Unlike the OECD, the Council of Europe was primarily concerned with the protection of human rights. The purpose of Convention 108 was to secure respect for every individual’s rights and fundamental freedoms, and in particular the right to privacy, with regard to automatic processing of personal data in the territory of each party.Footnote 23

Shortly before the adoption of Convention 108, the Parliamentary Assembly of the Council of Europe issued a recommendation to examine the desirability of including in the ECHR a provision on the protection of personal data.Footnote 24 The reply of the Committee of Ministers, which came after the adoption of Convention 108, referred to the Steering Committee for Human Rights and the European Committee for Legal Cooperation who, in their respective opinions, agreed that it was not appropriate at the time to draft a provision on the protection of personal data for incorporation in the ECHR.Footnote 25 They suggested that it was preferable to first acquire more experience with Convention 108. They also highlighted that the ECtHR recently confirmed in Marckx v. Belgium that states had positive obligations under the right to private life in Article 8 ECHR and that this possibly implied provisions for the safeguarding of private data from automatic processing.Footnote 26 The political discussion did not resume, and the ECtHR expanded its jurisprudence on data protection issues based on Article 8 ECHR.

These two international instruments from the 1980s put data protection on the global agenda. They shared the ambition to enable cross-border flows of personal data on the basis of common data protection standards. The OECD Privacy Guidelines in particular tried to address allegations of data protectionism in Europe raised by the US. The OECD Privacy Guidelines were intended to bridge the Atlantic divide to guarantee frictionless flows of personal data. At the same time, Convention 108 associated data protection heavily with human rights protection in Europe.

1.3 Harmonization in Community Law

The European Commission stressed in a communication from 1973 the need to become more competitive with the data processing industry in the US.Footnote 27 The Commission underlined that common measures for the protection of citizens in the field of data protection are necessary to support the effective application of computer systems on the single market.Footnote 28 It seems, therefore, that the Commission began to address data protection in the context of economic competition. However, it did so not for protectionist reasons but to prevent inefficiencies on the common market. The Commission also underlined that rules on access to information about individuals in data banks were of constitutional importance despite the fact that in 1973 there were no constitutional provisions on data processing in any European country. The Commission thus warned that it would be better to seek genuine political consensus on this matter than to be obliged to harmonize conflicting national legislation later on.Footnote 29

The European Parliament agreed and stressed that national provisions to protect privacy have a direct influence on the establishment and operation of the common market. It called on the Commission to prepare a proposal for a directive on the harmonization of legislation on data protection that would also provide citizens of the EC with maximum protection.Footnote 30 The Commission instead recommended that the EC member states ratify Convention 108 in 1981. It considered this international instrument an appropriate tool to create a harmonized level of data protection in Europe.Footnote 31 Despite the Commission’s reluctance to propose EC legislation on data protection, this recommendation was quite progressive because it also stated that data protection had the quality of a fundamental right.Footnote 32

Nine years later, the Commission concluded that Convention 108 had failed to reduce the differences between national data protection rules. There was too much leeway in the implementation of the basic principles of Convention 108 and not all EC member states had ratified the international instrument.Footnote 33 Moreover, practical experience showed that the differences between national data protection rules endangered the common market. For example, the French national data protection authority blocked the transfer of employee data between the Fiat corporate offices in France and Italy in 1989 arguing that Italy did not have adequate data protection regulation.Footnote 34

The Commission adopted a proposal for a directive concerning the protection of individuals in relation to the processing of personal data in 1990. The first objective in Article 1(1) of the 1990 proposal was the protection of the privacy of individuals in relation to the processing of personal data contained in data files. Privacy was portrayed in Recital (7) of the 1990 proposal as being protected in Article 8 ECHR and in the general principles of Community law. The second objective in Article 1(2) of the 1990 proposal was to prevent restrictions to the free flow of personal data between EC member states. The Commission argued that ensuring a high level of fundamental rights protection within the Community system would remove obstacles to the establishment of the common market based on the approximation of laws rule in Article 100a EC Treaty.Footnote 35 Directive 95/46/EC was adopted in 1995. The directive did not formally endorse the notion of data protection although it was widely known as the Data Protection Directive (DPD). The directive referred to the protection of the fundamental rights and freedoms of natural persons, and in particular, their right to privacy with respect to the processing of personal data. Directives are designed to harmonize public policy throughout the EU by expressing an agreed set of goals and principles while granting member states some room to choose the ways to meet those goals and principles. Data protection thus became an obligation under Community law through Directive 95/46/EC.Footnote 36

The Lisbon Treaty of 2009 marked another step for the harmonization of data protection in Europe.Footnote 37 The treaty introduced Article 16 TFEU on data protection into EU primary law and officially gave the EU the competence to enact consistent data protection legislation.Footnote 38 The Commission subsequently initiated a review process of Directive 95/46/EC. The review process identified three key problems of the framework:Footnote 39

  • Insufficient protection of the rights of individuals with regard to modern data processing technologies.

  • Inadequate level of harmonization of data protection laws in the EU.

  • Continuing challenges in the handling of increasing global data flows.

The Commission went on to present a proposal for a GDPR in 2012.Footnote 40 Regulations are meant to implement public policy in the EU without granting the member states room to choose the ways to meet the formulated goals and principles. They are directly applicable in all EU member states.Footnote 41 The Commission had promised a clear and uniform legislative framework at EU level that would do away with the patchwork of legal regimes across the EU member states and remove barriers for easier trade relations.Footnote 42 The GDPR was adopted in 2016.Footnote 43 Consequently, data protection is now harmonized and consolidated on the level of the EU.Footnote 44 In contrast to earlier legislation, the GDPR does not refer to privacy. Instead, the GDPR sets out in Article 1(2) to protect fundamental rights and freedoms of natural persons and in particular the right to data protection.

1.4 Inclusion in the Charter of Fundamental Rights

While developing rules on data processing, the EU was also concerned with its approach to fundamental rights. EU institutions discussed possible paths to reinforce their formal commitment to fundamental rights for many decades. After the conclusion of the Amsterdam Treaty in 1997, the European Commission entrusted a group of experts to analyze the possibility of explicitly recognizing a catalogue of fundamental rights in EU law. The Commission was particularly interested in the possibility of including new rights that mirror the challenges of the modern information society.Footnote 45 The group of experts was chaired by Spiros Simitis, a renowned specialist in the field of data protection.Footnote 46 It was thus no surprise that the group of experts underlined their critique of the state of fundamental rights protection in EU law with the example of data protection.Footnote 47 Their report recommended the explicit recognition of fundamental rights in the EU, including all rights provided in Articles 2 to 13 ECHR, but also the addition of new rights such as the right to determine the use of personal data.Footnote 48

Inspired by the report of the expert group, the European Council decided in 1999 that a charter of fundamental rights should be adopted in order to make the overriding importance and relevance of fundamental rights more visible to the citizens of the Union.Footnote 49 The Council formally entrusted the drafting of this charter to a special body composed of representatives of the EU member states’ heads of state and government, the President of the European Commission, members of the European Parliament, and members of national parliaments. The body called itself the Convention.Footnote 50 The Convention’s job was marked by a tension between its mandate to make existing fundamental rights more visible and the possibility to innovate within this mandate. In order to render existing rights more visible, it was necessary to identify rights that were not particularly visible, and there is only a thin line between an invisible right and a non-existing right.Footnote 51 The tentative list of rights distributed by the Convention’s bureau (called the Praesidium) in January 2000 invited reflection on the possibility of a right to data protection in addition to the right to respect for private life.Footnote 52 This list was preceded by a recommendation from the Article 29 WP in 1999 to include a fundamental right to data protection in the charter.Footnote 53

The first draft of Articles 10 to 19 of the charter in February 2000 offered a separate article on data protection: “Every natural person shall have a right to protection for his personal data.”Footnote 54 This was not an infringement of the prohibition to innovate because the accompanying comments of the draft claimed that data protection was in any case already an aspect of privacy.Footnote 55 The same draft provided an alternative, more comprehensive wording for the article on data protection with additional constituents: “The information must be processed fairly and for specified purposes, and subject to the data subject’s consent or to any other legitimate basis specified by law.”Footnote 56 The draft also raised the question of whether oversight by an independent body should be included.Footnote 57 It is remarkable that, with the exception of the right of access to personal data and the right to have personal data rectified, this first draft (in its alternative wording) already contained all the constituent parts of the final version.

At some point during the amendment stage, members of the Convention suggested deleting the entire article on data protection and incorporating instead a reference to data protection under the right to respect for private life.Footnote 58 These amendments were ignored in the final draft of the charter in October 2000. The final draft included both Article 7 entailing respect for private and family life and Article 8 enshrining the protection of personal data.Footnote 59

Article 7 Respect for Private and Family Life

Everyone has the right to respect for his or her private and family life, home and communications.

Article 8 Protection of personal data

  1. Everyone has the right to the protection of personal data concerning him or her.

  2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

  3. Compliance with these rules shall be subject to control by an independent authority.

The comments elaborated under the authority of the Praesidium accompanying the Charter of Fundamental Rights specified that Article 8 was based on Article 286 EC Treaty, Directive 95/46/EC, Article 8 ECHR, and Convention 108.Footnote 60 Moreover, the assertion in the comments that data protection was an aspect of privacy disappeared. However, the reference to the right to private life in Article 8 ECHR still constitutes a weak link between the new right to data protection and privacy. The same is true for the references to Directive 95/46/EC and Convention 108 because they also refer to privacy. The preamble to the Charter declares that it reaffirms rights as they are found in particular constitutional traditions and international obligations common to the EU member states, the TEU, the Community Treaties, the ECHR, the Social Charters adopted by the Community and by the Council of Europe, and the case law of the ECJ and of the ECtHR. The Convention stretched its mandate to render existing rights more visible with the inclusion of data protection in the charter in so far as it was not a self-standing right that could be reaffirmed from the indicated sources.Footnote 61 The coexistence of the right to private life and the right to data protection in the Charter might be described as the outcome of an unresolved friction between an established approach and a novel one.Footnote 62 This is why some scholars argue that the Convention had manifestly not respected the prohibition to innovate with respect to data protection.Footnote 63

The new fundamental right to data protection established that the protection afforded in the Charter is not exclusively granted to individuals and their personal data in relation to their privacy, but generally whenever their personal data is processed. Ultimately, the inclusion of data protection as a fundamental right in the Charter goes along with another part of the Preamble of the Charter expressing the necessity to strengthen the protection of fundamental rights in light of changes in society, social progress, and scientific and technological developments.Footnote 64 The Charter was formally proclaimed by the European Parliament, the Council, and the European Commission on 7 December 2000 in Nice.Footnote 65 It came into force on 1 December 2009 and is referenced in Article 6(1) TEU as an independent document, which has the same legal value as the EU Treaties.

1.5 Summary

The right to data protection has its roots in European data protection laws of the early 1970s, which addressed the computerization of public authorities, the collecting and connecting of information about individuals in centralized data banks, and the associated new powers of the state. These laws were not motivated by trade concerns and were not (strongly) associated with human or fundamental rights either. The first constitutional provisions in Europe containing data protection rules in the late 1970s started to connect data protection with the protection of privacy. Two international instruments from the 1980s established a link between data protection and the protection of trade. Similarly, the EC started to regulate data protection because of privacy and trade concerns on the common market. The adoption of Directive 95/46/EC coincided with discussions about a formal commitment to fundamental rights in the EU. It was decided that a charter of fundamental rights should make existing rights more visible in the EU. While it was forbidden to innovate and create new rights, a new right to data protection that is independent from the right to private life was nevertheless included in the Charter. It drew its support from the Preamble of the Charter expressing the necessity to strengthen the protection of fundamental rights in the light of changes in society, social progress, and scientific and technological developments. Protectionism was never a motive for the development of the right to data protection.

2 Substance of the Right to Data Protection

The underlying values of data protection are essential for the interpretation of the new fundamental right in Article 8 CFR (Sect. 2.2.1). The right to data protection has six written constituents that provide an indication of its scope of protection (Sect. 2.2.2). The new fundamental right comes directly after the right to private life in Article 7 CFR in the order of the Charter. The two rights are distinct, but they share significant overlaps. Moreover, there is an added value of having both rights in the Charter (Sect. 2.2.3). The right to data protection is not absolute and limitations are possible. These limitations are especially relevant in the context of foreign internet surveillance, which is a major problem for cross-border flows of personal data (Sect. 2.2.4).

2.1 Foundational Values

Data protection is a catch-all term for a series of rules concerned with the processing of personal data.Footnote 66 A plethora of values underpin these rules. The foundational values of the right to data protection are an essential starting point to interpret this new fundamental right. These values also provide guidance to determine lawful limitations on the exercise of the right to data protection. The most important values are privacy (Sect. 2.2.1.1), informational self-determination (Sect. 2.2.1.2), transparency (Sect. 2.2.1.3), and democracy (Sect. 2.2.1.4).

2.1.1 Privacy

There is no direct link between the right to data protection and privacy in the final version of the Charter, but it is clear that privacy is a major value that data protection aims to safeguard.Footnote 67 Despite its importance, the notion of privacy remains somewhat nebulous and difficult to describe with precision.Footnote 68 Privacy is not one thing but a cluster of many distinct yet related things.Footnote 69

Samuel Warren and Louis Brandeis argued in their seminal article from 1890 for the creation of new and explicit legal protection for personal privacy.Footnote 70 They sought a legal remedy to balance technological progress:

Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops’.Footnote 71

There is a striking parallelism between their argument for the creation of privacy protection laws and the later development of data protection, which was focused on technological progress and the associated new powers of the state. Warren and Brandeis described privacy as being part of a more general right of the individual “to be let alone.”Footnote 72 The right to be let alone conceives privacy in terms of non-interference. According to the influential definition of privacy adopted at the Nordic Conference of Jurists convened in 1967, privacy can be understood as “the right to be let alone to live one’s own life with the minimum of interference.”Footnote 73 This includes, among other things, protection against interference with private, family, and home life; the disclosure of irrelevant embarrassing facts relating to private life; the use of the name, identity or likeness; spying; interference with correspondence; misuse of private communications, written or oral; and disclosure of information given or received in circumstances of professional confidence.

Other theorists have also conceived privacy in terms of degree of access to a person. Ruth Gavison defined privacy as a condition of “limited accessibility.”Footnote 74 According to Gavison, the condition of limited accessibility consists of three separate elements: secrecy (the extent to which we are known to others), solitude (the extent to which others have physical access to us), and anonymity (the extent to which we are the subject of others’ attention). In addition, Sissela Bok underlines that privacy requires protection from unwanted access by others, either physical, mental, or informational.Footnote 75 Anita Allen summarizes that privacy denotes a degree of inaccessibility of persons, their mental states, and information about them to the senses and surveillance devices of others.Footnote 76

Technological developments highlight the importance of privacy. The advent of big data enabled surveillance practices on unprecedented scales.Footnote 77 Edward Snowden revealed in 2013 the extent of global mass surveillance. He showed how governments were secretly collecting huge quantities of personal data in our communications, including private e-mails, phone locations, web histories, and much more—all of it without consent and grounded on a thin legal basis.Footnote 78 The right to be let alone and the concept of limited accessibility establish a sphere for the individual where the state and private parties cannot interfere without justification, including but not limited to surveillance practices. In this regard, the Grand Chamber of the ECJ found that legislation permitting public authorities access to personal data on a generalized basis through the content of electronic communications must be regarded as compromising the essence of the right to private life (privacy).Footnote 79

Data protection rules usually do not prohibit the processing of personal data. Data protection rules regulate, and sometimes limit, the ways in which personal data can legally be processed. Notable exceptions are prohibitions in the GDPR for the processing of sensitive data in order to safeguard the private sphere of individuals.Footnote 80 Principles such as purpose limitation, data minimization, storage limitation, and confidentiality in the GDPR are examples of how privacy and its formulations both as a right to be let alone and as limited accessibility of the person are embedded in data protection rules.Footnote 81

2.1.2 Informational Self-Determination

Informational self-determination is another value that data protection aims to safeguard.Footnote 82 The notion of informational self-determination is deeply rooted in concepts of human dignity, personal liberty, and autonomy. Lewis Hinchman has observed that in contemporary philosophy, the main requirement of autonomy is “that the choices [one makes] be truly one’s own, that one must not have been manipulated, gulled, brainwashed, or conditioned into making them.”Footnote 83 Personal liberty and autonomy are affected when the quantity and quality of personal data offer opportunities for the use and manipulation of individual characteristics.

The German Constitutional Court (Bundesverfassungsgericht) noted in a landmark decision from 1984 on the constitutionality of a population census that modern methods of storing information about a person combined with automatic data processing enable the creation of partial or virtually complete personality profiles, the accuracy and application of which the concerned individuals have no sufficient means to control.Footnote 84 Today, algorithms can even hold individuals accountable for whatever the combination of their personal data reveals. Such profiles raise concerns about personal liberty and autonomous agency. The German Constitutional Court reflected that the lack of opportunities to control the accuracy and use of these constructed profiles can influence individuals’ behavior through the psychological pressure exerted on them.Footnote 85 This influence could have a “chilling effect” and impair individuals in the exercise of their personal liberty to make decisions that are truly their own.Footnote 86 In reaction, the Constitutional Court developed a right to informational self-determination as an expression of the general right of personality, which, in turn, is based on the general protection of personal liberty and human dignity.Footnote 87 The notion of informational self-determination implies that individuals’ control over their personal data is a necessary precondition for a life that is governed by free choices.Footnote 88 The right to informational self-determination guarantees the ability of individuals to determine for themselves the disclosure and use of their personal data.Footnote 89

Data protection rules empower individuals as data subjects with a bundle of rights.Footnote 90 The consent of individuals to the processing of their personal data is one of the important mechanisms in the GDPR to determine when personal data can legally be used.Footnote 91 This bundle includes rights for individuals to access information about themselves and to have this information rectified.Footnote 92 The Grand Chamber of the ECJ has even decided that there must be a right to be forgotten in the case Google Spain regarding a Spanish citizen’s claim to delete information about him found on Google searches.Footnote 93 These rights are examples of how informational self-determination is embedded in data protection rules.

Furthermore, AG Pedro Cruz Villalón explicitly mentioned informational self-determination in relation to data protection in his opinion on Digital Rights Ireland. He wrote that Directive 2006/24/EC (Data Retention Directive, DRD) applied to personal data necessary to identify users of publicly available electronic communication services or public communications networks and that this data falls within the category of data the disclosure of which is subject to the express authorization of each individual based on the right to informational self-determination.Footnote 94

2.1.3 Transparency

Transparency is a third value that data protection aims to safeguard.Footnote 95 The processing of personal data bears inherent imbalances. These imbalances are manifest in the asymmetries between the two sides of data processing operations.Footnote 96 There are, on the one side, the data subjects whose personal data is processed, and, on the other side, the data controllers who determine the purposes and means of such processing. Helen Nissenbaum describes the situation of data subjects as one in which, “a) there is virtually no limit to the amount of information that can be recorded, b) there is virtually no limit to the scope of analysis that can be done – bounded only by human ingenuity, and c) the information may be stored virtually forever.”Footnote 97 Herbert Burkert argues that data protection rules are, in essence, about the (transparent) distribution of power.Footnote 98 Paul De Hert and Serge Gutwirth define data protection as a tool of transparency that channels the exercise of power over data subjects.Footnote 99 Data protection rules strive to enhance the transparency of data processing operations in order to bring balance between data subjects and data controllers. This is why data protection rules often require that personal data is processed fairly.Footnote 100 Fairness is an ambiguous notion. In the context of data protection, it is regularly associated with transparency and implies that the processing of personal data must be clear to the data subject.Footnote 101 Recital (38) Directive 95/46/EC was very explicit in this regard:

Whereas, if the processing of data is to be fair, the data subject must be in a position to learn of the existence of a processing operation and, where data are collected from him, must be given accurate and full information, bearing in mind the circumstances of the collection.

In order to achieve such transparency, the GDPR requires that organizations which process personal data must provide individuals whose data is processed with various kinds of information, such as the identity of the processing organization, the type of data involved, the extent and the purposes of the processing operations, the risks, rules, and safeguards attached to these operations, and the time limit for erasure or periodic review of the data involved.Footnote 102 This is a reflection of the attempt to achieve procedural fairness for data processing operations.Footnote 103 Transparency ultimately enables individuals to know who knows what about them, as well as when and on what occasions, and, therefore, allows them to act accordingly.

2.1.4 Democracy

Democracy is the last value discussed here that data protection aims to safeguard.Footnote 104 Priscilla Regan claims that data protection rules serve purposes beyond those that they perform for a particular individual. She distinguishes between the private purpose of these rules and their public purpose in which they are instrumentally valuable to a democratic political system, securing, for example, things like freedom of speech and association.Footnote 105 Similarly, the ECJ has acknowledged that the retention of traffic and location data as well as data pertaining to mobile communication of individuals is not compatible with the right to data protection and moreover has an effect on the exercise of the freedom of expression, which constitutes one of the essential foundations of a pluralist democratic society.Footnote 106

The German Constitutional Court noted in its 1984 population census decision with regard to the power of modern data processing technology that informational self-determination is essential for the common good because democratic societies rely on individuals that can act and collaborate freely.Footnote 107 James Flemming further argues that the integrity of a democratic society rests on individuals’ capacity for free decision making and the collective’s capacity for free discourse.Footnote 108 The power resting in the accumulation, aggregation, and application of personal data has the potential to seriously distort these processes.Footnote 109 If individuals cannot oversee and control what information about them is openly accessible in their social environment, and if they cannot appraise the knowledge of possible communication partners about them, then they may be inhibited in their capacity for free decision making.Footnote 110 Furthermore, if individuals are unsure whether dissenting behavior is noticed and information is being permanently stored, used, and passed on, they will try to avoid it so as not to attract attention.Footnote 111

Data protection rules thus foster the capacity of individuals for free decision making and secure the conditions that are necessary for sustaining an open collective discourse by shielding participants against intrusive data processing operations, enabling them to control their personal data, and making data processing operations more transparent. Consequently, data protection is a tool for the preservation and promotion of political participation and therefore plays a vital societal role in a functioning democracy.

2.2 Written Constituents of the Right to Data Protection

The right to data protection in Article 8 CFR is not designed like other fundamental rights. The first paragraph introduces the right to data protection and the two following paragraphs contain six written constituent parts of the fundamental right. The general principle in Article 8(1) CFR includes the concept of personal data and defines the scope of the fundamental right (Sect. 2.2.2.1). The six constituent parts of the right to data protection can be divided into three groups.Footnote 112 The first group includes the constituent parts that resemble data protection principles in Article 5 GDPR: fairness, purpose specification, and legitimate basis for a data processing operation (Sect. 2.2.2.2). The second group includes the constituent parts that contain additional rights: the right of access to personal data and the right to have personal data rectified (Sect. 2.2.2.3). Lastly, the constituent part requiring independent supervision constitutes the third group (Sect. 2.2.2.4).

2.2.1 General Principle

The first paragraph of Article 8 CFR introduces the general principle of the fundamental right. Everyone has the right to the protection of personal data concerning him or her. The notion of personal data is crucial to the understanding of the right to data protection. Article 4(1) GDPR defines personal data as

any information relating to an identified or identifiable natural person (the data subject), whereas an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.Footnote 113

For example, IP addresses are personal data because they allow for the identification of a natural person (the internet user).Footnote 114 The definition of personal data is intended to be very broad. Since information can relate to a person in content, purpose or result, the information relating to a person is broader than just the information about that person.Footnote 115 Information relates to a person in purpose, for example, when the data is used or is likely to be used with the purpose to evaluate or influence the status or behavior of that person.Footnote 116 An identified person is a person who is known or distinguished in a group whereas an identifiable person is a person who is not yet identified but his or her identification is possible.Footnote 117 To determine whether a person is identifiable, account needs to be taken of all the means reasonably likely to be used.Footnote 118 To ascertain whether the means are reasonably likely to be used, all objective factors such as the costs and amount of time required for identification as well as the available technology at the time of the processing and technological developments are relevant. As data processing technologies advance and the pool of data which can be combined grows (combining databases has become a daily practice of intelligence agencies), the possibility of linking information to a person increases.Footnote 119

The right in Article 8 CFR protects individuals from the processing of their personal data. The processing of personal data is any operation which is performed on personal data such as collection, recording, organization, structuring, storage, use, combination, sharing, or transfer to another country.Footnote 120 Any data processing operation involving personal data of individuals in the EU falls under the scope of the right to data protection and must respect its constituent parts.

2.2.2 Fairness, Purpose Specification, and Basis for the Processing of Personal Data

Three constituent parts of the right to data protection can be found in the first sentence of Article 8(2) CFR. They require that personal data is processed fairly, for specified purposes, and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. These constituent parts are linked with transparency.Footnote 121

For processing operations to be fair, the data subject must be in a position to learn of their existence. Secret processing of personal data without a legitimate basis defined by law is considered to interfere with the right to data protection. The French Council of State (Conseil d’État) provided an illustrative example in the Les Pages Jaunes case. In this case, the French Council of State found that the collection and aggregation of information about individuals from their public social media profiles for the online directory services of Les Pages Jaunes was unfair because data subjects were not sufficiently informed that their public profiles would be collected.Footnote 122

Purpose specification reflects the idea that data processing operations should be foreseeable for the data subject and should not go beyond the reasonable expectations of the individuals concerned.Footnote 123 This prohibits aimless data collection. The purpose of data processing operations must be specified prior to the collection. Any processing of personal data for purposes that are incompatible with the initially specified purpose must be considered to interfere with the right to data protection.

Data processing operations always require a legal basis. Article 8(2) CFR identifies the consent of the person concerned as a broadly applicable basis for the lawful processing of personal data. The prominent role of consent in data protection is an expression of informational self-determination.Footnote 124 Article 4(11) GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”Footnote 125 The consent of the person concerned cannot be valid as a legal basis for data processing operations when power and information asymmetries jeopardize effective informational self-determination.Footnote 126 In such circumstances, consent is neither informed nor freely given. The ECJ addressed an illustrative example in the Schwarz v. Stadt Bochum case. The ECJ observed that persons are not free to object to the processing of their fingerprints for a passport and that persons applying for passports cannot therefore be deemed to have consented to the processing of their personal data.Footnote 127 According to Article 8(2) CFR, other legitimate bases for the processing of personal data can be laid down by law.

2.2.3 Right of Access and Right to Rectify

The second sentence of Article 8(2) CFR contains two constituent parts of the right to data protection. Each of the two constituent parts contains a separate right for data subjects: the right of access to personal data that has been collected and the right to rectify that data. These two constituent parts provide further safeguards for the informational self-determination of individuals and the transparency of data processing operations. The right of access to personal data enables data subjects to follow data processing operations, to verify the accuracy of their personal data, and to check the lawfulness of data processing operations.Footnote 128 The right of access to personal data must relate to past data processing operations.Footnote 129 Article 15 GDPR specifies that the data subject has the right to receive an array of information about processing operations involving their personal data including the purpose of the processing, the recipients to whom the data has been or will be disclosed, in particular recipients in third countries, and the envisaged period for which the data will be stored. The right to rectify personal data requires the data controller to rectify inaccurate personal data concerning the data subject. Article 16 GDPR demands that the rectification happens without undue delay. These rights have been framed as enabling the emancipatory engagement of individuals and as a legally supported variation of sousveillance.Footnote 130

2.2.4 Independent Supervision

The last constituent part of the right to protection of personal data can be found in Article 8(3) CFR. This last constituent part provides that compliance with the rules in Article 8 CFR must be subject to control by an independent authority. The ECJ has repeatedly held that independent supervision is an essential component of the protection of individuals with regard to the processing of personal data.Footnote 131 The power asymmetries between data controllers and data subjects require a carefully crafted system of checks and balances.Footnote 132 The requirement of independent supervision over data protection rules is a safeguard that addresses accountability of informational power in a democratic society. Article 8(3) CFR guarantees individuals a right to lodge claims suing for the protection of their personal data.Footnote 133 The authority tasked with supervision must be independent. Article 52 GDPR requires that the independence of this authority must be secured legally and administratively. Article 8(3) CFR precludes the supervisory authority from being subject to directions or any other external influence which could call the performance of its task into question.Footnote 134 The guarantee of independence is intended to ensure the effectiveness and reliability of the monitoring of compliance with data protection rules.Footnote 135

The ECJ held in Schrems that the powers of the national supervisory authorities in the EU member states concern the processing of personal data carried out on their own territories.Footnote 136 With regard to the transfer of personal data from the EU to a third country, the ECJ concluded that it constitutes processing of personal data in an EU member state, and so in accordance with Article 8(3) CFR, the national supervisory authorities are responsible for the monitoring of compliance with data protection rules.Footnote 137

2.3 Relationship with the Right to Private Life

The fundamental right to data protection in Article 8 CFR exists alongside and in addition to the right to private life in Article 7 CFR (Sect. 2.2.3.1). The two rights are distinct but share significant overlaps (Sect. 2.2.3.2). The ECJ still struggles to approach the two rights independently (Sect. 2.2.3.3). Nevertheless, the existence of the right to private life provides added value to the right to data protection (Sect. 2.2.3.4).

2.3.1 The Right to Private Life

The right to private life enshrined in Article 7 CFR provides that everyone has the right to respect for his or her private and family life, home, and communications.Footnote 138 It is first and foremost a defensive right to protect individuals against arbitrary interference by public authorities.Footnote 139 The explanations relating to the Charter underline that Article 7 CFR corresponds to Article 8 ECHR.Footnote 140 The meaning and scope of the right to private life in Article 7 CFR should therefore be read as the same as the right to private life in Article 8 ECHR according to Article 52(3) CFR. The ECtHR found interferences with Article 8 ECHR in cases concerning the interception and recording of telephone calls,Footnote 141 the storing of information relating to the private life of individuals,Footnote 142 and the examination of personal data from bulk interception of personal data.Footnote 143 The right to private life in Article 8 ECHR has a long history of protecting individuals against the processing of their personal data, especially concerning the surveillance practices of European countries.Footnote 144

2.3.2 Distinct But Overlapping Rights

The Charter does not explain the difference or the relationship between the right to private life in Article 7 CFR and the right to data protection in Article 8 CFR. There is a lively debate among scholars regarding the nature of the relationship between these two rights in the Charter. Bart van der Sloot denies a separate function of the right to data protection and argues that data protection rules deserve protection under a fundamental rights framework already covered by the right to private life.Footnote 145 Orla Lynskey argues that the right to data protection grants individuals more rights over more personal data than the right to private life alone.Footnote 146 Paul De Hert and Serge Gutwirth portray the two rights as having separate functions. They see the right to private life as a tool of opacity that limits the illegitimate and excessive use of power, and have argued that the right to data protection is a tool of transparency directed toward channeling the legitimate use of power.Footnote 147 Maria Tzanou, for her part, criticizes this theory because it implies that data protection is not indispensable as a separate fundamental right.Footnote 148

It is important not to lose sight of the systematic reality in this debate. The right to data protection has been enshrined as an independent fundamental right in the Charter. In this context, the right to data protection is considered, or expected, to add something new to the protection of fundamental rights. This was also recognized by the ECJ:

It should be added, finally, that Article 8 of the Charter concerns a fundamental right which is distinct from that enshrined in Article 7 of the Charter and which has no equivalent in the ECHR.Footnote 149

Orla Lynskey’s model for the relationship between Articles 7 and 8 CFR seems to be the most convincing. She argues that the right to data protection overlaps considerably with the right to private life because they both ensure the privacy of individuals concerning their personal data, but that the right to data protection embodies a number of values that the right to private life does not include and vice versa.Footnote 150 Informational self-determination and transparency are important values that data protection rules aim to safeguard and which may distinguish the right to data protection from the right to private life.Footnote 151 Such an understanding is respectful of the development of data protection in Europe where privacy was not always the driving force. The two rights should be understood as distinct but overlapping.Footnote 152 The overlapping part of the two rights concerns data privacy. Nevertheless, the two rights construe data privacy differently based on their underlying values.

Almost all forms of processing of personal data fall under the scope of the right to data protection, regardless of any interference with the right to private life. In contrast, whether or not the processing of personal data also falls under the scope of the right to private life depends on the nature of the data and the context of the processing.Footnote 153 If a measure falls under the scope of both rights then each right should be independently applied based on their underlying values.

2.3.3 Combined Reading of the Two Rights

The jurisprudence of the ECJ does not (entirely) reflect the distinctive character of the right to data protection. The ECJ mentioned the right to data protection for the first time in 2008 in the case Promusicae.Footnote 154 This was before the Charter became legally binding. The ECJ referred to Article 8 CFR as “the right that guarantees protection of personal data and hence of private life.”Footnote 155 The right to data protection was essentially perceived as a subset of the right to private life.Footnote 156 This perception was cemented in 2009 in the case Rijkeboer when the ECJ held that several constituent parts of the right to data protection formed part of the right to private life including the fair and lawful processing of personal data as well as the right of access to personal data and the right to rectify personal data.Footnote 157

After the Charter became legally binding on 1 December 2009, Schecke was the first case in which the ECJ had to assess the validity of a secondary EU law in light of the right to data protection. The referring Administrative Court Wiesbaden (Verwaltungsgericht Wiesbaden) found that an obligation to publish the personal data of farmers who received agricultural funds on the internet constituted an unjustified interference with the right to data protection without mentioning the right to private life.Footnote 158 The ECJ, however, invented a formula expressing the two rights as one “right to respect for private life with regard to the processing of personal data, recognized by Articles 7 and 8 CFR.”Footnote 159 The ECJ added that the limitations which may lawfully be imposed on the right to data protection correspond to those tolerated in relation to the right to private life enshrined in Article 8 ECHR.Footnote 160 These findings created the impression that the right to data protection cannot operate alone without the right to private life.Footnote 161

The ECJ took an important step in 2011 with the case Scarlet concerning an injunction requiring internet service providers to install a filtering system that actively monitors all electronic communications on their network in order to prevent infringements of intellectual property rights. The ECJ found that such an injunction may infringe the right to data protection in Article 8 CFR and the freedom to receive or impart information in Article 11 CFR.Footnote 162 The ECJ thus abandoned the Schecke formula and recognized an independent character of the right to data protection. The Grand Chamber of the ECJ took another step in 2014 with the case Digital Rights Ireland concerning the validity of Directive 2006/24/EC (Data Retention Directive, DRD) which obliged providers of publicly available electronic communications services or public communications networks to retain certain types of data and make them available to national authorities for the purposes of fighting serious crime. The ECJ found that Directive 2006/24/EC raised questions relating to the right to private life in Article 7 CFR, the right to data protection in Article 8 CFR, and the right to freedom of expression in Article 11 CFR, and subsequently explained why the retention of traffic and location data under Directive 2006/24/EC affected these three rights.Footnote 163 However, the explanations concerning the right to data protection were not very extensive. The ECJ simply stated that Directive 2006/24/EC interfered with the right to data protection because it provided for the processing of personal data without further clarifying which constituents of Article 8 CFR were affected.Footnote 164

The Grand Chamber of the ECJ consolidated that approach in Tele2/Watson concerning the compatibility of Swedish and British data retention requirements and in Opinion 1/15 concerning the PNR agreement between the EU and Canada.Footnote 165 Contrary to the interferences with Articles 7 and 8 CFR, lawful limitations on the two rights were assessed together. This consolidated approach shows that the ECJ prefers a combined reading of Articles 7 and 8 CFR.Footnote 166 The combined reading reflects the fact that there are overlaps between the two distinct fundamental rights. However, Maria Tzanou argues that this is an unnecessary circumvention of the Charter.Footnote 167 In order to validate the constitutional reality as it is found in the Charter, the two rights should be independently applied based on their underlying values. This is also underlined by the fact that the GDPR only refers to the right to data protection.

2.3.4 The Added Value of Having Two Fundamental Rights

There is added value in having both fundamental rights, the right to private life and the right to data protection, recognized in the Charter. From the perspective of the right to data protection, much can be gained from the right to private life. If data processing operations are fair; conducted for the purpose initially specified; have a legitimate basis; and when access to the data is granted, rectification of the data is possible, and independent supervision is in place – in short, when all constituent parts of the right to data protection are respected – the right to private life in Article 7 CFR offers additional protection to individuals in the field of data privacy.

The ECJ specifically determined that the protection of the right to private life in Article 7 CFR requires that derogations from and limitations on the protection of personal data must apply only in so far as is strictly necessary.Footnote 168 The strict necessity test superimposed on the protection of personal data by Article 7 CFR offers additional safeguards for data subjects. The jurisprudence of the ECtHR on limitations of the right to private life in Article 8 ECHR is a rich source of inspiration in this regard. The ECJ has found analogies to previous cases of the ECtHR:

  • EU legislation must impose minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against the risk of abuse and against any unlawful access and use of that data;Footnote 169

  • the need for such safeguards is all the greater where personal data are subjected to automatic processing and where there is a significant risk of unlawful access to those data;Footnote 170

  • access, as a general rule, can only be granted to secure the objective of fighting crime if the individual whose data is being processed is suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime;Footnote 171 and

  • that, except for cases of validly established urgency, such access has to be subject to a prior review carried out either by a court or by an independent administrative body, and that the decision of that court or body must be made following a reasoned request by the authorities.Footnote 172

The combined reading of Articles 7 and 8 CFR has allowed the ECJ to take the standards of the right to private life into account when deciding cases in the field of data privacy. However, the same result could be achieved when both rights are addressed independently.

2.4 Limitations on the Right to Data Protection

The fundamental right to data protection is not absolute. Limitations on the exercise of the right to data protection are possible when they meet certain conditions. There is some confusion as to when an interference with the right to data protection actually takes place (Sect. 2.2.4.1). Any limitation on a fundamental right must respect the essence of the right. The essence of the right to private life (Sect. 2.2.4.2) and the right to data protection (Sect. 2.2.4.3) should be assessed independently. The remaining conditions for lawful limitations on fundamental rights will be addressed afterwards (Sect. 2.2.4.4).

2.4.1 Interference with the Right to Data Protection

There is some confusion as to when an interference with the right to data protection actually takes place. It is necessary to first determine whether the right to data protection is enshrined in the first paragraph of Article 8 CFR or in Article 8 CFR taken as a whole. If we consider that the first paragraph entails the right to data protection, any processing of personal data will automatically interfere with the fundamental right in Article 8 CFR. If we accept, however, that the right to data protection is not confined to the first paragraph, but established by all three paragraphs taken together, an interference can only occur when the processing of personal data does not respect one or more of the constituent parts of the fundamental right in Article 8 CFR.

The ECJ has so far followed the former approach.Footnote 173 The ECJ seems to assume that there is a tension between the first and the subsequent paragraphs of Article 8 CFR. The Court’s approach seems to be that the general principle in the first paragraph contains a prohibition on data processing operations and the other paragraphs contain the conditions for exceptions to this prohibition. For example, the ECJ found in Opinion 1/15 an interference with Article 8(1) CFR because the measure in question involved the processing of personal data.Footnote 174 The ECJ concluded that the requirements for a justification of the interference according to Article 52(1) CFR are not fulfilled. Only afterwards did the ECJ address some of the constituent parts of the right to data protection in Article 8(2) and (3) CFR.Footnote 175

The scope of Article 8 CFR—involving all processing of personal data—should not be confused with the question of whether the right to data protection has been interfered with.Footnote 176 There are significant reasons to follow the latter approach, which establishes the right to data protection in Article 8 CFR taken as a whole.Footnote 177 For example, the approach of the ECJ ends up inflating the right to data protection. Any transfer of personal data outside the EU would constitute an interference with the right to data protection. Such an interpretation is not reconcilable with the development of the right to data protection, which must be seen in light of changes in society, social progress, and scientific and technological developments. Data processing operations are part of everyday life. It would thus undermine the concept of fundamental rights if every data processing operation was viewed as an interference with the right to data protection. Data protection enables data processing operations according to certain rules rather than impeding them. The presumption of the right to data protection should be that data processing operations are allowed and necessary in the digital age.Footnote 178 AG Siegbert Alber wrote that “there would be no need for data protection if there were a general prohibition of information disclosure.”Footnote 179

I thus argue that an interference with the right to data protection enshrined in Article 8 CFR only takes place if a data processing operation is not fair, is not conducted for the purpose initially specified, does not have a legitimate basis, and when the data subject cannot access or rectify his or her data, or if there is no independent supervision controlling the implementation of these rules. An interference with the right to data protection is thus an interference with one or more of its constituent parts. There are indications that this point of view has slowly begun to influence jurisprudence. AG Henrik Saugmandsgaard Øe wrote in a footnote of his opinion in Schrems 2 that “[i]nfringement of that right assumes that personal data have been processed in breach of those requirements” by which he referred to the written constituents of the right to data protection.Footnote 180 Similarly, the ECJ stated in Schrems 2 that access to personal data falls within the scope of Article 8 CFR because it constitutes the processing of personal data and, accordingly, must satisfy the requirements laid down in that article.Footnote 181 The Court did not automatically find an interference here.

2.4.2 The Essence of the Right to Private Life

Any limitation on the exercise of the rights recognized by the Charter must respect the essence of those rights according to Article 52(1) CFR.Footnote 182 The essence—sometimes referred to as the minimum, essential, or absolute core of a right—represents the untouchable part of a fundamental right that cannot be limited, diminished, restricted or interfered with. Any interference with the essence of a fundamental right would make the right lose its value for the right holder and for society as a whole.Footnote 183 The essence is the absolute barrier for limitations of a fundamental right and affords protection against the most extreme and blatant forms of interference with fundamental rights for which justifications do not exist.Footnote 184 This is why interferences with the essence should be identified independently from the assessment of proportionality.Footnote 185 The application of the essence is reserved for rare cases in which the assessment of proportionality does not have a grip. The essence of a fundamental right cannot usually be determined in light of the formulation in the Charter.Footnote 186 Instead, the identification of the essence is a matter of interpretation and should also reflect the underlying values of a fundamental right. The starting point should be the question of whether the interference with a fundamental right makes it impossible to exercise this right.Footnote 187 It then needs to be verified whether the interference calls into question the fundamental right as such.Footnote 188

The ECJ found in Digital Rights Ireland that the retention of data required by Directive 2006/24/EC (Data Retention Directive, DRD) was a particularly serious interference but did not adversely affect the essence of Article 7 CFR because the DRD does “not permit the acquisition of knowledge of the content of the electronic communications as such.”Footnote 189 The DRD only obliged telecommunication and internet service providers to retain data relating to their users, notably their names and addresses, date, time, duration and type of communication as well as IP addresses (so-called “metadata” referring to the who, when, and where of a communication). The ECJ added in Schrems that

legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter.Footnote 190

The distinction between the metadata and content of electronic communications has been widely criticized.Footnote 191 Thomas Ojanen points out that the difference in value for surveillance purposes between metadata and the content of electronic communications is rapidly fading away in a modern network environment.Footnote 192 Maja Brkan reproaches the ECJ for apprehending interferences with the essence of Article 7 CFR as a matter of degree rather than type.Footnote 193 Although the ECJ recognized that metadata “is no less sensitive, having regard to the right to privacy, than the actual content of communications” in Tele2/Watson, the Court still found that access to such data does not adversely affect the essence of Article 7 CFR.Footnote 194 The ECJ added new elements to the interpretation of the essence of the right to private life in Opinion 1/15. The Court found that even though passenger name data may reveal very specific information concerning the private life of a person, the nature of that information is limited to certain aspects of private life (information relating to air travel between Canada and the EU).Footnote 195 The ECJ again used a gradual benchmark regarding the number of aspects of the private life covered in order to determine whether an interference with the essence of the right to private life occurred.Footnote 196

2.4.3 The Essence of the Right to Data Protection

It is (even) less clear what constitutes an interference with the essence of the right to data protection in Article 8 CFR. The ECJ found in Digital Rights Ireland that the retention of data does not adversely affect the essence of Article 8 CFR because the DRD required that “certain principles of data protection and data security must be respected.”Footnote 197 The ECJ required EU member states to ensure that “appropriate technical and organisational measures are adopted against accidental or unlawful destruction, accidental loss or alteration of the data.”Footnote 198 From this, it seems that the ECJ adopted a technological approach to the essence of Article 8 CFR. The absence of any data security measures certainly constitutes a violation of the GDPR but it is difficult to imagine that this would also adversely affect the essence of the right to data protection or even interfere with the right to data protection at all.Footnote 199 Orla Lynskey observes that data security is not even a constituent part of Article 8 CFR.Footnote 200 The simple absence of data security measures does not call the whole right to data protection with its constituents into question.

The ECJ changed course in Tele2/Watson and seemed to suggest that Article 7 and Article 8 CFR share a common essence. The ECJ found that the data retention legislation in Sweden and the UK “does not permit retention of the content of a communication and is not, therefore, such as to affect adversely the essence of those rights.”Footnote 201 It is unclear if the use of the plural concerning rights was actually intended. The ECJ again distinguished between the essence of Articles 7 and 8 CFR in Opinion 1/15. The Court found that the draft PNR agreement does not adversely affect the essence of Article 8 CFR because the purposes for which PNR data may be processed are limited and because rules exist to ensure, inter alia, the security, confidentiality and integrity of that data, and to protect it against unlawful access and processing.Footnote 202 The ECJ continued in Opinion 1/15 to reduce the essence of the right to data protection to security measures.Footnote 203 At the same time, the ECJ also introduced the principle of purpose limitation from Article 6(1)(b) Directive 95/46/EC to the essence of Article 8 CFR. Contrary to data security, purpose limitation is partly reflected in the constituent part focused on purpose specification in Article 8(2) CFR. It is questionable that any limitations to the constituent part on purpose specification would automatically affect the core of data protection. It would also be contrary to the wording of Article 52(1) CFR that allows lawful limitations on purpose specification in Article 8(2) CFR. Maria Tzanou thus suggests that the purpose limitation principle found in the constituent part on purpose specification needs to be understood as itself having a core which cannot be limited.Footnote 204 This also applies to the other constituent parts of Article 8 CFR.

The essence of the right to data protection should be interpreted in such a way that the underlying values of data protection are not made obsolete. Damian Clifford and Jef Ausloos agree that data protection’s underlying rationales should be used to interpret the essence of Article 8 CFR.Footnote 205 They submit that a “robust architecture of control” aimed at individual autonomy should be the essence of the right to data protection.Footnote 206 Such an understanding resonates well with the ECJ’s finding that an interference with the essence of a fundamental right would call into question the fundamental right as such. If informational self-determination or any other value of data protection is undermined to the point of becoming obsolete, the right to data protection loses its value for the right holder and for society as a whole.

2.4.4 Lawful Limitations

According to Article 52(1) CFR, any limitation on fundamental rights must be provided for by law (Sect. 2.2.4.4.1), genuinely meet objectives of general interest recognized by the EU or the need to protect the rights and freedoms of others (Sect. 2.2.4.4.2) and satisfy the requirement of proportionality (Sect. 2.2.4.4.3).

2.4.4.1 Legal Basis

The requirement that any limitation on the exercise of fundamental rights must be provided for by law implies that the legal basis which permits a limitation must itself already define the scope of the limitation.Footnote 207 The legal basis must indicate in what circumstances and under which conditions data processing operations take place and impose minimum safeguards providing sufficient guarantees for individuals to effectively protect their personal data against the risk of abuse.Footnote 208 These safeguards are particularly important where personal data is subject to automated processing and involves sensitive data.Footnote 209

2.4.4.2 Objectives of General Interest and Protection of the Rights of Others

Any limitation on the exercise of fundamental rights must genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others.

The reference to general interests recognized by the Union covers primarily the objectives mentioned in Article 3 TEU.Footnote 210 The jurisprudence of the ECJ is quite generous in this regard and has acknowledged a wide range of interests as being recognized by the EU so far.Footnote 211 Examples include the fight against international terrorismFootnote 212 and serious crime,Footnote 213 transparency,Footnote 214 and public health,Footnote 215 to name but a few. However, purely economic objectives are not accepted as general interests for introducing a limitation to a fundamental right.Footnote 216 The ECJ determined with regard to the processing of personal data carried out in the context of an online search engine that an interference with Article 8 CFR “cannot be justified by merely the economic interest which the operator of such an engine has in that processing.”Footnote 217

The reference to the rights and freedoms of others covers the rights and freedoms guaranteed in the Charter. Recital (4) GDPR underlines that the right to data protection is not absolute and must be balanced against other fundamental rights. It mentions specifically the freedom of thought, conscience, and religion in Article 10 CFR, the freedom of expression and information in Article 11 CFR, and the freedom to conduct a business in Article 16 CFR.

2.4.4.3 Proportionality

The right to data protection must be considered in relation to its function in society.Footnote 218 The ECJ never clarified what the function of the right to data protection in society exactly is. Its function thus must be interpreted on the basis of its underlying values.Footnote 219 The right to data protection recognizes the inevitability and benefits of data processing operations, but also seeks to prevent disproportionate negative impacts on the individual and society.Footnote 220 This is the balance that proportionality for limitations on the right to data protection must achieve. Measures must be appropriate in light of the objective pursued and limited to what is strictly necessary.Footnote 221 The ECJ examines if there are other measures which affect less adversely the fundamental rights in question and still contribute effectively to the objectives of general interest recognized by the EU or the protection of the rights and freedoms of others.

In 2005, AG Philippe Léger limited the scope of judicial control for the proportionality assessment of the PNR regime with the US based on the wide discretion of the European Commission and the Council in the field of public security.Footnote 222 In contrast, in 2017, the ECJ almost acquired the role of legislator itself due to its precise analysis and instructions in the proportionality assessment of the PNR regime with Canada.Footnote 223 Detailed safeguards have become very important for limitations on the exercise of the right to data protection in Article 8 CFR.

2.5 Summary

The right to data protection in Article 8 CFR protects individuals by structuring and limiting the legal use of their personal data. The right to data protection in Article 8 CFR exists alongside and in addition to the right to private life in Article 7 CFR. The two rights are distinct but share significant overlaps. Each right should be independently applied based on its underlying values. However, the ECJ continues to struggle to apply the right to data protection independently and prefers a combined reading of the two rights. The scope of Article 8 CFR extends to all data processing operations involving personal data of individuals located in the EU. The scope should not be confused with the question of whether the right to data protection has been interfered with. The right to data protection is enshrined in Article 8 CFR taken as a whole including all three paragraphs. The six written constituent parts of the right to data protection are fairness, purpose specification, legitimate basis, the right of access to personal data, the right to rectify personal data, and independent supervision. An interference with Article 8 CFR is an interference with one or more of its constituent parts. Whether such an interference is lawful needs to be examined according to Article 52 CFR. The development of the right to data protection is focused on technological progress and the associated new powers of the state and does not relate to trade concerns.Footnote 224 The foundational values of data protection are privacy, informational self-determination, transparency, and democracy. The origin of the right to data protection and these values are useful both for the interpretation of the right itself and the determination of its lawful limitations.

3 The Extraterritorial Dimension of the Right to Data Protection

The extraterritorial dimension of the right to data protection describes the influence of the fundamental right outside the EU. The jurisprudence of the ECJ on transfers of personal data to third countries reveals an unwritten constituent part of the right to data protection. I argue that the right to data protection, in addition to the six written constituent parts outlined before, contains a right to continuous protection of personal data that is transferred to a third country, which is essentially equivalent to the protection guaranteed within the EU (Sect. 2.3.1). The literature suggests that the assertion of extraterritorial jurisdiction can be categorized either as extraterritoriality (as such) or as territorial extension. The distinction of these two categories is important because extraterritorial jurisdiction has a potential to clash with the prohibition of interfering with the internal affairs of another state or of violating the right to territorial integrity and political independence of another state and must therefore be considered a matter of international law. The right to continuous protection of personal data in Article 8 CFR is a form of territorial extension of Union law because data transfers have a strong territorial connection with the EU (Sect. 2.3.2). Justification of the territorial extension can be found in the EU Treaties, in the Charter and the values of data protection (Sect. 2.3.3). The extraterritorial dimension of the right to data protection operates with the standard of protection that is essentially equivalent to the level of protection that is guaranteed within the EU. In order to apply the standard of essential equivalence, it must be clear what its comparison, meaning, level of protection, and limitations are (Sect. 2.3.4).

3.1 The Right to Continuous Protection of Personal Data

The jurisprudence of the ECJ on the transfer of personal data to third countries reveals an unwritten constituent of the right to data protection. The judgment Schrems (Sect. 2.3.1.1), Opinion 1/15 (Sect. 2.3.1.2), the opinion of AG Henrik Saugmandsgaard Øe on Schrems 2 (Sect. 2.3.1.3), and the judgment Schrems 2 (Sect. 2.3.1.4) highlight the development of the right to continuous protection of personal data that is transferred to a third country.

3.1.1 Continuous Protection of Personal Data in Schrems

The Schrems case involved a dispute between a private citizen and Facebook user Maximilian Schrems and the Irish Data Protection Commissioner (DPC). Decision 2000/520, the Safe Harbor adequacy decision, allowed transfers of personal data from the EU to companies in the US if the companies in the US subscribed to the Safe Harbor framework. The Safe Harbor framework entailed data protection principles for US companies. Schrems made a complaint to the DPC in which he asked the DPC to prohibit Facebook Ireland Ltd. from transferring his personal data to Facebook Inc. in the US. Schrems was of the opinion that the law and practice in the US did not ensure adequate protection for his personal data against the surveillance practices of US public authorities.Footnote 225 The DPC saw no evidence that Schrems’ personal data had been accessed by US public authorities and rejected his complaint. The DPC explained that the European Commission had found in Decision 2000/520 that the US ensures an adequate level of protection for personal data.Footnote 226 Schrems challenged the rejection of his complaint before the Irish High Court (IHC), which considered that there are serious doubts as to whether the US really ensures an adequate level of protection for personal data and that the DPC should have investigated the complaint.Footnote 227 The IHC stated that Decision 2000/520 did not satisfy the requirements of Articles 7 and 8 CFR and referred the case to the ECJ. The Grand Chamber of the ECJ decided in 2015 that the issue demanded an examination of the validity of Decision 2000/520 in light of the Charter.Footnote 228 The legal basis of the contested Decision 2000/520 was Article 25(6) Directive 95/46/EC. The ECJ noted that Article 25(6) Directive 95/46/EC required that a third country ensures an adequate level of protection for personal data.Footnote 229

[It] implements the express obligation laid down in Article 8(1) of the Charter to protect personal data and […] is intended to ensure that the high level of that protection continues where personal data is transferred to a third country.Footnote 230

The ECJ also defined the term adequate level of protection in Article 25(6) Directive 95/46/EC.

[It] must be understood as requiring the third country in fact to ensure […] a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the [EU] by virtue of Directive 95/46 read in the light of the Charter.Footnote 231

The ECJ noted that Decision 2000/520 did not require US public authorities to comply with the data protection principles set out therein and that US national security, public interest or law enforcement requirements had primacy over those principles.Footnote 232 Decision 2000/520 thus enabled interference with EU fundamental rights by US public authorities based on US interests or on US legislation.Footnote 233 The ECJ also addressed limitations on fundamental rights, although without explicitly referring to US legislation. The ECJ explained in which instances legislation concerning the storage of and access to personal data is not limited to what is strictly necessary and specified that legislation permitting public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the right to private life.Footnote 234 The ECJ formally invalidated Decision 2000/520 because the Commission did not state that the US in fact ensures an adequate level of data protection.Footnote 235

Several points highlight how the ECJ started to develop the extraterritorial dimension of the right to data protection as an unwritten constituent part of the right to data protection in Schrems:

  • The ECJ underlined that the legal mechanism for data transfers in Article 25(6) DPD implements the express obligation laid down in Article 8(1) CFR to protect personal data.

  • The ECJ clarified that adequate protection for personal data in a third country in Article 25(6) DPD means protection that is essentially equivalent to the protection guaranteed in Directive 95/46/EC in light of the Charter. The ECJ thus created a standard of protection in a third country, which is essentially equivalent to that guaranteed within the EU.

  • The ECJ stressed that the content of the standard of essential equivalence in Article 25(6) DPD is apparent in Schrems itself and referred to the explanations regarding the limitations on fundamental rights in the preceding paragraphs of the judgment.Footnote 236 The standard of essential equivalence entails the same limitations on fundamental rights as are in force in the EU.Footnote 237

  • Even though the ECJ did not invalidate Decision 2000/520 based on concrete interferences of US legislation with EU fundamental rights, the Schrems judgment indicates that data transfers based on Decision 2000/520 enable interferences with EU fundamental rights by US public authorities for purposes of US national security and public interest requirements or on US legislation.Footnote 238 This shows that the ECJ is willing to assess interferences of non-EU public authorities outside the EU with EU fundamental rights.

The ECJ started to develop a right to continuous protection for personal data in Schrems based on secondary EU law on transfers of personal data to third countries. This is similar to the written constituent parts of the right to data protection. The written constituent parts were also secondary EU law before their integration into the right to data protection.

3.1.2 Continuous Protection of Personal Data in Opinion 1/15

Opinion 1/15 was requested by the European Parliament in order to clarify inter alia whether or not the draft agreement between Canada and the EU on the transfer of passenger name record data (draft PNR agreement) is compatible with the Charter.Footnote 239 Air carriers are under an obligation in Canada to provide the Canada Border Services Agency with access to certain PNR data to the extent it is collected and contained in the air carrier’s automated reservation and departure control systems.Footnote 240 The PNR data includes the name of an air passenger, information necessary to the reservation such as the dates of intended travel and the travel itinerary, information relating to tickets, groups of persons checked-in under the same reservation number, passenger contact information, information relating to the means of payment or billing, information concerning baggage, and other general remarks regarding a passenger. This information constitutes personal data.Footnote 241 Data protection rules in the EU do not allow European and other carriers operating flights from the EU to transmit the PNR data of their passengers to third countries which do not ensure an adequate level of protection of personal data without adding appropriate safeguards for such transfers.Footnote 242 Article 5 of the draft PNR agreement noted that subject to compliance with the draft PNR agreement, the Canadian authority responsible for receiving and processing the PNR data was deemed to provide an adequate level of protection.Footnote 243 This is why the draft PNR agreement mainly contained provisions regulating and limiting the processing of PNR data from the EU in Canada.

The ECJ found in Opinion 1/15 from 2016 that the transfer of PNR data from the EU to Canadian authorities and the framework negotiated by the EU with Canada for the conditions concerning the retention of that data, its use, and its subsequent transfer from Canadian authorities to other Canadian authorities, Europol, Eurojust, judicial or police authorities of the EU member states or authorities of third countries constitute interferences with Article 7 and Article 8 CFR.Footnote 244 The ECJ went on to examine the justification for the interferences and found that the aim of the draft PNR agreement—namely, the fight against terrorist offences and serious transnational crime—constitutes an objective of general interest of the EU that is capable of justifying even serious interferences with the fundamental rights enshrined in Article 7 and Article 8 CFR.Footnote 245 The ECJ also found that the transfer of PNR data to Canada and the subsequent processing is appropriate for the purpose of ensuring public security.Footnote 246 However, some provisions in the draft PNR agreement regulating and restricting the processing of PNR data from the EU by Canadian authorities were not limited to what is strictly necessary.Footnote 247 The ECJ thus concluded that the draft PNR agreement was not compatible with Article 7 and Article 8 CFR.Footnote 248

The ECJ continued to develop the extraterritorial dimension of the right to data protection as an unwritten constituent of the right to data protection in Opinion 1/15. Previously, the ECJ found that Article 25(6) Directive 95/46/EC implements the express obligation laid down in Article 8(1) CFR to protect personal data and that the provision is intended to ensure that the high level of that protection continues whenever personal data is transferred to a third country.Footnote 249 In Opinion 1/15, however, the ECJ clarified that it is the express obligation laid down in Article 8(1) CFR itself that contains the requirement that the high level of protection of fundamental rights and freedoms conferred by EU law continues when personal data is transferred from the EU to a third country:

That right to the protection of personal data requires, inter alia, that the high level of protection of fundamental rights and freedoms conferred by EU law continues where personal data is transferred from the European Union to a non-member country.Footnote 250

The ECJ did not stop there. In the same paragraph, the ECJ also included the standard of essential equivalence in Article 8(1) CFR:

Even though the means intended to ensure such a level of protection may differ from those employed within the European Union in order to ensure that the requirements stemming from EU law are complied with, those means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union.Footnote 251

The ECJ elevated the requirement of continuous protection and the standard of essential equivalence that it previously found in Article 25(6) Directive 95/46/EC to the level of the Charter. In Schrems, the ECJ interpreted EU secondary law on transfers of personal data in light of the Charter, while in Opinion 1/15, the ECJ used this interpretation as a standard of the Charter itself. The ECJ explained this elevation with a reference to the Preamble of the Charter, which underlines the necessity to strengthen the protection of fundamental rights in light of changes in society, social progress, and scientific and technological developments.Footnote 252

The ECJ therefore found that there is a right to continuous protection of personal data that is transferred to a third country, and that this right requires protection in the third country that is essentially equivalent to the protection guaranteed within the EU. The right to continuous protection of personal data is an unwritten constituent part of the right to data protection in Article 8(1) CFR. This right thus manifests the extraterritorial dimension of the right to data protection.

3.1.3 Continuous Protection of Personal Data in the AG Opinion on Schrems 2

Following the Schrems judgment, the IHC annulled the decision whereby the Irish DPC had rejected the complaint of Maximilian Schrems and referred the case back to the DPC for assessment.Footnote 253 The DPC opened a new investigation and requested Schrems to reformulate his complaint with regard to the invalidation of Decision 2000/520, the Safe Harbor adequacy decision.Footnote 254

In his reformulated complaint, Schrems claimed that the standard data protection clauses, on which Facebook relied after the Schrems judgment for their data transfers, could not justify such transfers to the US because of the ongoing interference with the exercise of his rights guaranteed in Article 8 CFR.Footnote 255 Schrems requested the DPC to issue a prohibition notice suspending all transfers of personal data from Facebook Ireland Ltd. to Facebook Inc. in the US.Footnote 256 The DPC concluded that it was impossible to adjudicate Schrems’ complaint unless the IHC examined the validity of Decision 2010/87 approving the standard data protection clauses in question.Footnote 257 In accordance with the Schrems judgment, the DPC brought proceedings before the IHC so that it could request the ECJ to make a preliminary ruling on the validity of Decision 2010/87.Footnote 258 The IHC found that the US carries out mass and indiscriminate processing of personal data that might potentially expose data subjects to violations of the rights which they derive from Article 7 and Article 8 CFR.Footnote 259 Accordingly, the IHC questioned whether the standard data protection clauses provided for in Decision 2010/87 ensured the protection of the data subjects’ fundamental rights.Footnote 260 The IHC shared the doubts as to the validity of Decision 2010/87.Footnote 261 The IHC thus decided to refer the issue to the ECJ for a preliminary ruling.Footnote 262

AG Henrik Saugmandsgaard Øe stated in his opinion on Schrems 2 that in the absence of common personal data protection safeguards at the global level, cross-border flows of personal data entail a risk of a breach in the protection guaranteed in the EU.Footnote 263 He agreed with Schrems and the Irish DPC that standard data protection clauses must also guarantee that the individuals whose personal data is transferred to a third country benefit from a level of protection of their personal data which is essentially equivalent to that guaranteed within the EU.Footnote 264 He underlined that the requirements for the protection of fundamental rights guaranteed by the Charter do not differ according to the legal mechanisms for a specific transfer in the GDPR.Footnote 265 He further explained that the legal mechanisms for data transfers are aimed at ensuring the continuity of the high level of protection for personal data even outside the EU.Footnote 266 He stressed that the continuity of the level of protection is designed to avoid circumvention of the standards applicable within the Union.Footnote 267

With regard to Decision 2010/87, AG Saugmandsgaard Øe found that the standard data protection clauses are valid even though they represent a legal mechanism applicable to data transfers irrespective of the third country and the level of protection guaranteed there.Footnote 268 He suggested that the compatibility of Decision 2010/87 with the Charter depends on whether there are sufficiently sound mechanisms in place to ensure that data transfers based on the standard contractual clauses are suspended or prohibited in the event that those clauses are breached or impossible to honor.Footnote 269 He thus argued that the burden of responsibility lies with the data exporter and insisted that supervisory authorities must examine whether the laws of the third country constitute an obstacle to the implementation of the standard data protection clauses and, therefore, a violation of fundamental rights.Footnote 270

Ultimately, AG Saugmandsgaard Øe continued the implementation of the extraterritorial dimension of the right to data protection as an unwritten constituent part of the right to data protection in his opinion on Schrems 2. He did not, however, explicitly state that the right to data protection requires that the high level of protection of fundamental rights and freedoms conferred by Union law continues where personal data is transferred from the EU to a third country.Footnote 271 Instead, he referred to the second sentence of Article 44 GDPR that requires legal mechanisms be in place for data transfers to third countries to ensure that the level of protection guaranteed by the GDPR is not undermined.Footnote 272 This second sentence was added to Article 44 GDPR during the trilogue negotiations and refers to the extraterritorial dimension of the right to data protection.Footnote 273 It implies that the “requirements of protection of fundamental rights guaranteed by the Charter do not differ according to the legal basis for a specific transfer.”Footnote 274 This is why standard data protection clauses must also guarantee that the rights of individuals whose personal data is transferred to a third country benefit from a level of protection essentially equivalent to that which follows from the GDPR read in the light of the Charter.Footnote 275 The opinion of AG Saugmandsgaard Øe on Schrems 2 confirms that individuals have a right to continuous protection for personal data.

3.1.4 Continuous Protection of Personal Data in Schrems 2

The ECJ largely followed the opinion of AG Henrik Saugmandsgaard Øe in Schrems 2. The ECJ explicitly referred to the AG’s opinion and confirmed that all the provisions in Chapter V of the GDPR are intended to ensure the continuity of the high level of protection for personal data in the EU.Footnote 276 The Court held that data subjects must be afforded a level of protection essentially equivalent to that which is guaranteed within the EU whenever their personal data is transferred to a third country.Footnote 277

Similarly to the AG, the ECJ did not explicitly state that the right to data protection in Article 8 CFR requires that the high level of protection of fundamental rights and freedoms conferred by Union law continues where personal data is transferred from the EU to a third country.Footnote 278 Rather, the Court underlined that Article 44 GDPR requires that the level of protection for personal data, essentially equivalent to that guaranteed within the EU, must be guaranteed irrespective of the legal mechanism on which a transfer of personal data to a third country is carried out.Footnote 279 The ECJ added that Article 44 GDPR must be interpreted in light of the Charter to guarantee that the protection of personal data is not undermined.Footnote 280 Article 44 GDPR is the vehicle that carries the necessary level of protection for personal data that is transferred from the EU to a third country from the Charter into the GDPR. In the end, the ECJ confirmed that individuals have a right to continuous protection for personal data by subjecting data transfers based on standard data protection clauses to the same standard of protection as data transfers based on adequacy decisions.Footnote 281

3.2 Theory of Territorial Extension of Union Law

Extraterritorial jurisdiction can be described as “the exercise of jurisdiction by a State over activities occurring outside its borders.”Footnote 282 Joanne Scott distinguishes between extraterritoriality (as such) and the territorial extension of Union law.Footnote 283 She argues that in the case of extraterritoriality (as such) the application of a measure to activities outside the EU is triggered by something other than a territorial connection with the EU, whereas, in the case of territorial extension, the application of a measure to activities outside the EU is triggered by a territorial connection, but in applying the measure the EU is required, as a matter of law, to take into account circumstances abroad.Footnote 284 Distinguishing between extraterritoriality (as such) and territorial extension thus requires an analysis of the triggers.

The right to continuous protection for personal data is an unwritten constituent part of the right to data protection. It applies to the transfer of personal data from the EU to third countries. An interference with the right to continuous protection for personal data takes place if the transferred data is not subject to protection which is essentially equivalent to that guaranteed within the EU. The application of the right to continuous protection for personal data depends on the transfer of personal data. This application does not constitute an instance of extraterritoriality (as such) but an instance of territorial extension. The concept of data transfers has a strong territorial connection with the EU because data transfers work with a geographical element that involves the EU.Footnote 285

This observation is important from the perspective of international law. Any form of extraterritorial jurisdiction has the potential to clash with the prohibition on interfering with the internal affairs of another state or the right to territorial integrity and political independence of another state and must therefore be considered as a matter of international law.Footnote 286 The Permanent Court of International Justice held in S.S. Lotus (France v. Turkey) that the exercise of extraterritorial enforcement jurisdiction is forbidden but that “[i]t does not, however, follow that international law prohibits a State from exercising jurisdiction in its own territory, in respect of any case which relates to acts which have taken place abroad.”Footnote 287 It is a matter of debate whether this finding in S.S. Lotus (France v. Turkey) allows the exercise of legislative or prescriptive extraterritorial jurisdiction. The International Court of Justice (ICJ) stated in Barcelona Traction (Belgium v. Spain) that international law

involve[s] for every State an obligation to exercise moderation and restraint as to the extent of the jurisdiction assumed by its courts in cases having a foreign element, and to avoid undue encroachment on a jurisdiction more properly appertaining to, or more appropriately exercisable by, another State.Footnote 288

I argue that the territorial extension of EU law with a strong territorial nexus such as the transfer of personal data from the EU to a third country respects the principle in S.S. Lotus and the statement in Barcelona Traction.Footnote 289

3.3 Justification

The right to continuous protection of personal data has an impact on third countries. Their ability to import personal data from the EU depends on the level of protection they afford to that personal data. The impact of the right to continuous protection for personal data on third countries can be justified in EU law. Article 16(2) TFEU offers a legal basis for the territorial extension of Union law in the field of data protection (Sect. 2.3.3.1), Article 8 CFR requires effective protection that does not end at the borders of the EU member states (Sect. 2.3.3.2), and the foundational values of the right to data protection are also relevant in transborder contexts (Sect. 2.3.3.3). However, the suggestion of Marko Milanovic that states have a territorially unlimited negative obligation to refrain from conduct that would assist third parties in violating the right to data protection in analogy with the ECtHR’s judgment in Soering v. United Kingdom is not convincing (Sect. 2.3.3.4).

3.3.1 Legal Basis in the Treaties

The field of application of the Charter in Article 51 CFR must be interpreted on the basis of EU competences (Sect. 2.3.3.1.1). Article 16 TFEU empowers the EU to define standards for the protection of individuals in the EU with regard to the processing of their personal data in third countries when it is transferred from the EU (Sect. 2.3.3.1.2). This argument finds support from other provisions on external relations in the EU Treaties (Sect. 2.3.3.1.3).

3.3.1.1 Field of Application of the Charter

It is necessary to address the field of application of the Charter in order to justify the extraterritorial dimension of the right to data protection. The Charter does not have a territorial jurisdiction clause to determine (and limit) its field of application, in contrast to human rights treaties like the ECHR (in Article 1) or the International Covenant on Civil and Political Rights (ICCPR)Footnote 290 (in Article 2).Footnote 291 The Charter follows a different approach to determine its field of application.Footnote 292 Article 51(1) CFR states that the provisions of the Charter are addressed to the institutions and bodies of the EU (and to the EU member states when they are implementing EU law). The addressees have to respect the rights, observe the principles, and promote the application of the provisions in the Charter in accordance with their respective powers and the limits of these powers conferred on them in the EU Treaties. The Charter seems to apply to a particular situation once EU law governs it. In the words of the ECJ: “The applicability of European Union law entails applicability of the fundamental rights guaranteed by the Charter.”Footnote 293 In that regard, the General Court of the EU (EGC) found in the Front Polisario case that implications for fundamental rights in third countries must be examined when the EU concludes international agreements.Footnote 294

Article 51(2) CFR further clarifies that the Charter does not extend the field of application of EU law beyond the powers of the EU, establish any new power or task for the EU, or modify powers and tasks as defined in the EU Treaties. Violeta Moreno-Lax and Cathryn Costello have observed that the language used in Article 51 CFR is that of competence, allocation of powers, and their application within the realm of the EU legal order, irrespective of the geographical space within which these powers are exercised.Footnote 295 They emphasize the need to free the discussion on the extraterritorial jurisdiction of the Charter from the debate on borders and territory and bring it to the less-static space of EU competences and legality.Footnote 296 They submit that fundamental rights apply as a matter of EU constitutional obligation.Footnote 297 Based on the principle of conferral in Article 5(2) TEU, the EU can only act within the limits of the competences conferred upon it by the EU member states in the EU Treaties for the purpose of attaining the objectives set out therein. Within these limits, the EU can act and must, at the same time, respect, observe, and promote the fundamental rights in the Charter.

This interpretation of the field of application of the Charter in Article 51 CFR based on EU competences is convincing and compatible with the jurisprudence of the ECJ. It is the basis for the assertion of EU extraterritorial jurisdiction regarding the fundamental rights in the Charter within the limits of EU competences. The Charter’s field of application and its extraterritorial dimension must be explored based on EU competences.

The alternative, more static, and border-oriented interpretation of the Charter’s field of application follows the territorial scope of the EU Treaties as laid down in Article 52 TEU and Article 355 TFEU.Footnote 298 This interpretation ignores the language of competence and allocation of powers in Article 51 CFR and uses the territorial jurisdiction clauses of the EU Treaties as the jurisdictional basis of the Charter. Even such an interpretation would not, however, exclude the possibility of the assertion of extraterritorial jurisdiction regarding the fundamental rights in the Charter. While Article 52 TEU and Article 355 TFEU determine (and limit) the application of the EU Treaties (and thus of the Charter) based on territory, the ECJ specifically pointed out in Boukhalfa, a case involving the prohibition of discrimination based on nationality, that “[t]he geographical application of the Treaty defined in Article 227 […] does not, however, preclude Community rules from having effects outside the territory of the Community.”Footnote 299

3.3.1.2 The Right to Data Protection in the EU Treaties

In order to establish the Charter’s field of application with respect to the right to data protection, it is necessary to look at the EU competences in the area of data protection. The Lisbon Treaty introduced a provision on data protection into the EU Treaties. Article 16(1) TFEU guarantees that everyone has the right to the protection of personal data concerning them. The first paragraph of Article 16 TFEU almost exactly mirrors the wording of the first paragraph of Article 8 CFR. Article 16(2) TFEU empowers the European Parliament and the Council to establish rules relating to the protection of individuals with regard to the processing of personal data by EU institutions, bodies, offices and agencies, and the member states when they carry out activities which fall within the scope of EU law. Based on Article 16 TFEU, the EU has an explicit mandate and positive obligation to regulate the field of data protection, which is rather unique in comparison to other fundamental rights.Footnote 300 The second paragraph of Article 16 TFEU, however, contains ambiguities with regard to the addressees for whom the data protection rules should be laid down.Footnote 301 It is generally accepted that Article 16(2) TFEU also empowers the EU to lay down data protection rules with regard to the processing of personal data by the private sector.Footnote 302

I would argue that Article 16(2) TFEU also empowers the EU to define standards for the protection of individuals in the EU with regard to the processing of their personal data in third countries when it is transferred from the EU. There are two indications to support this argument. First, Article 16 TFEU was the legal basis in the EU Treaties for adequacy decisions such as Decision (EU) 2016/1250, the Privacy Shield adequacy decision. Decision (EU) 2016/1250 contained the so-called “privacy principles” that US companies had to comply with in the US as part of their self-certification under the EU-US Privacy Shield to import personal data from the EU.Footnote 303 Second, the ECJ decided in Opinion 1/15 that Article 16 TFEU is the correct legal basis for the draft agreement on the transfer and processing of PNR data between the EU and Canada.Footnote 304 The draft PNR agreement consisted of detailed rules relating to the protection of individuals in the EU with regard to the processing of their PNR data by Canadian authorities when it is transferred from the EU to Canada.Footnote 305

Article 16 TFEU empowers the EU to define standards for the protection of individuals in the EU with regard to the processing of their personal data in third countries when it is transferred from the EU. The standard of essential equivalence is an example.Footnote 306 Article 16 TFEU also constitutes the basis for the extraterritorial dimension of the right to data protection because the Charter applies based on EU competences and Article 51(1) CFR requires the EU to promote the application of fundamental rights within the powers conferred on it in the Treaties.

3.3.1.3 External Relations of the European Union

Article 3(5) TEU states that “[i]n its relations with the wider world, the Union shall uphold and promote its values and interests and contribute to the protection of its citizens.”Footnote 307 This implies that the values of the EU defined in Article 2 TEU such as respect for human dignity, freedom, democracy, equality, the rule of law, and human rights are not confined to the geographical application of the Treaties, but that the EU has to actively pursue them abroad to protect its citizens. The requirements for external action of the EU in Article 21(1) TEU are formulated in the same spirit:

The Union’s action on the international scene shall be guided by the principles which have inspired its own creation, development and enlargement, and which it seeks to advance in the wider world: democracy, the rule of law, the universality and indivisibility of human rights and fundamental freedoms, respect for human dignity, the principles of equality and solidarity, and respect for the principles of the United Nations Charter and international law.

Human dignity and democracy are of particular importance for the right to data protection as guiding principles of the EU’s action on the international scene. Human dignity is enshrined in Article 1 CFR and constitutes “the real basis of fundamental rights” according to the explanations relating to the Charter.Footnote 308 Human dignity is also often considered the ultimate foundation of data protection.Footnote 309 Similarly, democracy is one of the underlying values of data protection.Footnote 310

Article 21(3)(1) TEU supplements the requirements for the EU’s external action. The EU shall respect the guiding principles, such as human dignity and democracy, not only in the different areas of its external action, but also in the development and implementation “of the external aspects of its other policies.” Lorand Bartels observes that this addition in Article 21(3)(1) TEU carries normative force “insofar as it requires the EU to ‘respect’ the principles previously described.”Footnote 311 Data protection must be considered a domestic policy with external aspects because of the legal mechanisms for the transfer of personal data in Chapter V GDPR. Article 21 TEU thus supports the extraterritorial dimension of the right to data protection.

3.3.2 Effective Protection of Fundamental Rights

It is also necessary to address effective protection of fundamental rights in the digital sphere to justify the extraterritorial dimension of the right to data protection. The internet is a worldwide network of networks.Footnote 312 An individual’s presence as data subject in the physical world is often separated from the interferences with his or her right to data protection in the digital sphere.Footnote 313 Every action of a data importer located outside the EU on personal data transferred from the EU may have an impact on individuals inside the EU.

It is generally accepted that individuals are entitled to the protection of their personal data on the internet.Footnote 314 Effective protection of personal data on the internet can only be guaranteed, however, if the protection of personal data does not end when personal data crosses territorial borders. It would be easy to bypass data protection if this were not the case. Hielke Hijmans notes that protection is thus needed whenever personal data moves outside the EU even if the individuals do not actively move outside the EU.Footnote 315 He also argues that the extraterritorial dimension of Article 8 CFR is apparent from the fact that in an internet environment “data are ubiquitously available and not only present in one jurisdiction.”Footnote 316 Effective protection of personal data in an internet environment necessarily involves protection from acts in third countries whenever personal data is transferred abroad. Such a technological justification of the extraterritorial dimension of the right to data protection is also reflected in the Charter. The Preamble of the Charter acknowledges that it is necessary “to strengthen the protection of fundamental rights in the light of changes in society, social progress and scientific and technological developments.”Footnote 317

3.3.3 Foundational Values of the Right to Data Protection

Furthermore, it is necessary to address the foundational values of the right to data protection to justify the extraterritorial dimension of the right to data protection. These values are just as relevant in a transborder context as they are within the EU.

The value of privacy limits the ways that personal data can be processed legally. Conceptions of privacy such as the right to be let alone or limited accessibility to a person illustrate the need to limit the ways that personal data can be processed legally. These conceptions do not differentiate between privacy intrusions that take place within the EU or abroad. Privacy-intrusive practices harm the individual’s right to be let alone and the inaccessibility of persons irrespective of the location where personal data is processed. The same is true for informational self-determination. The value of informational self-determination requires that individuals are able to determine for themselves the disclosure and use of their personal data. This applies regardless of the place where personal data is disclosed or used. The value of transparency addresses power imbalances between data controllers and data subjects and requires that the latter are in a position to learn of the existence of data processing operations that concern them. Such power imbalances do not stop at territorial borders either, especially not in the digital sphere.

The value of democracy may seem less relevant in a transborder context. The value of democracy expresses the need to safeguard the ability of individuals to freely participate in society and its political discourse. The absence of rules on data protection can hamper the ability of individuals to do so. There can be chilling effects on the behavior of individuals when they are aware of excessive data processing, especially in the form of surveillance.Footnote 318 This may cause individuals to suppress their autonomy in order to appear less obtrusive to government surveillance.Footnote 319 These chilling effects can affect individuals in their exercise of rights that are of the utmost importance for democracy such as freedom of speech and association.Footnote 320 This is particularly relevant in the domestic context.Footnote 321 However, it can also be relevant in a transborder context in light of intelligence-sharing networks such as the Five Eyes. There are also more specific situations where the lack of rules on data protection and excessive data processing abroad, especially in the form of surveillance, are relevant for the value of democracy in the EU. For example, political refugees seeking asylum in an EU member state may stop communicating for their cause via the internet because they fear reprisals for their loved ones back home when they know that the data they generate is transferred to and accessed in their home country.

3.3.4 No Analogy with Soering v. United Kingdom

Marko Milanovic offers an additional justification for the extraterritorial dimension of the right to data protection.Footnote 322 He suggests that “states [could] have a territorially unlimited negative obligation to refrain from conduct that would assist third parties in violating the right to privacy, e.g. by analogy to the nonrefoulement rule in cases such as Soering v. United Kingdom.”Footnote 323 In this particular case, the ECtHR decided that the extradition of Mr. Soering to the US, where he potentially faced the death penalty, incurred the liability of the extraditing state. The ECtHR based the decision on the absolute nature of the prohibition of torture in Article 3 ECHR, the existence of a specific prohibition in Article 3 Convention Against Torture and Other Cruel, Inhuman or Degrading Treatment or PunishmentFootnote 324 to extradite a person to another state where there are substantial grounds for believing that he or she would be in danger of being subjected to torture, and the irreparable nature of the suffering caused by the inhumane and degrading treatment prohibited in Article 3 ECHR.Footnote 325 The ECtHR established that the extraditing state has a territorially unlimited negative obligation to refrain from conduct that would assist third parties in violating the prohibition of torture in Article 3 ECHR.

The suggestion of a territorially unlimited negative obligation to refrain from conduct that would assist third parties in violating the right to data protection by analogy to Soering v. United Kingdom is not convincing. The right to data protection in Article 8 CFR is not absolute, there is no international agreement prohibiting transfers of personal data of an individual to countries where there are substantial grounds for believing that the individual would be in danger of being subjected to data processing operations with adverse consequences, and such consequences cannot be compared to the irreparable nature of the suffering caused by the inhumane and degrading treatment prohibited in Article 3 ECHR.

3.4 Essential Equivalence

The extraterritorial dimension of the right to data protection entails a standard for the protection of personal data that is transferred to a third country. The protection must be essentially equivalent to that guaranteed within the EU. The standard of essential equivalence uses the protection within the EU as a comparison (Sect. 2.3.4.1). Moreover, the meaning of essential equivalence is not entirely clear. The ECJ only stated that the standard of essential equivalence does not require that the level of protection in a third country must be identical to that in the Union (Sect. 2.3.4.2). The ECJ indicated that the level of protection in the Union itself must be assessed with recourse to the lawful limitations on Article 7 and Article 8 CFR (Sect. 2.3.4.3). However, the right to continuous protection of personal data is not absolute. Limitations on the basis of Article 52(1) CFR are possible (Sect. 2.3.4.4).

3.4.1 Comparison

The right to continuous protection of personal data uses the standard of protection that is essentially equivalent to that guaranteed within the EU. Essential equivalence requires a comparison between the rules and practices prevailing in a third country, on the one hand, and the standards of protection in the EU, on the other hand.Footnote 326 The comparison is also a question of competence and coverage under Union law. The EU has a competence in the domain of data protection based on Article 16 TFEU. However, there is a reservation of competence in relation to the protection of national security for EU member states in Article 4(2) TEU. The reservation in Article 4(2) TEU states that national security remains the sole responsibility of each member state.Footnote 327

At first sight, it seems that there cannot be any comparison with the level of protection of personal data in the EU for measures protecting national security because the EU has no competence in that field. This would imply that measures for the protection of national security in third countries would be excluded from the standard of essential equivalence. However, AG Yves Bot found in his opinion in Schrems that the processing by US authorities for national security purposes of personal data that was transferred from the EU to the US was not excluded from the standard of essential equivalence.Footnote 328 The ECJ confirmed this finding.Footnote 329 More specifically, AG Henrik Saugmandsgaard Øe stated in his opinion in Schrems 2 that an assessment of the level of protection of personal data in a third country

cannot ignore any interference with the exercise of the fundamental rights of the persons concerned that would result from State measures, notably in the field of national security, which, if they were adopted by a Member State, would fall outside the scope of EU law.Footnote 330

The Article 29 WP explained that Article 4(2) TEU defines the competence of the Union vis-à-vis the EU member states, and that the reservation of national security must be understood in light of this relationship.Footnote 331

From a legal perspective, a distinction needs to be made between surveillance programmes run by intelligence services of the Member States and those carried out by intelligence services of third countries making use of data of EU citizens. […] In fact, the national security exemption [in Article 4(2) TEU] only applies to the national security of an EU Member State, and not to the national security of a third country.Footnote 332

Furthermore, Article 45(2)(a) GDPR explicitly requires that the rules on national security in force in a third country need to be taken into account for an adequacy assessment without any restriction whatsoever.Footnote 333 Thus, the rules and measures of third countries in the field of national security cannot fall outside of the assessment of essential equivalence. This is even true when surveillance practices take place outside the territory of the state in question and during the stage in which the respective data is in transit from the EU to the third country.Footnote 334

However, should the rules and measures of third countries in the field of national security fall outside the scope of EU law, if they were adopted by EU member states, they need other standards for comparison. I would argue that this should be the level of protection required within the Union under the law of the EU member states, including their commitments under the ECHR, which constitute a common denominator among all the EU member states.Footnote 335 The ECHR is a privileged source of legal interpretation and inspiration of Union law. This status has been codified in Article 6(3) TEU. Including the requirements of the ECHR in the assessment of essential equivalence is not an extraordinary exercise. The ECJ regularly refers to the jurisprudence of the ECtHR in surveillance cases.

The ECHR does not contain an exemption for national security measures.Footnote 336 Instead, national security is mentioned as the first legitimate aim for derogations from the right to private life in Article 8(2) ECHR. Any national security measure that encroaches on the right to private life must be in accordance with law and necessary in a democratic society. Nevertheless, the contracting states of the ECHR have a certain—arguably even a large—margin of appreciation when evaluating threats to national security and when deciding how to combat these.Footnote 337 The ECtHR applies a deferential approach vis-à-vis national security measures. The ECtHR has even found that “the judgment by the national authorities in any particular case in which national security considerations are involved is one which [the Court] is not well equipped to challenge.”Footnote 338

3.4.2 Meaning

The standard of essential equivalence was invented by AG Yves Bot and the ECJ in Schrems as a way to interpret the term adequate protection in Article 25(6) Directive 95/46/EC.Footnote 339 However, they did not define what essential equivalence exactly means. The ECJ only indicated that the standard of essential equivalence does not require that the level of protection in a third country is identical to that in the EU.Footnote 340

The GDPR also uses the term “equivalent.” According to Recital (10) GDPR, an objective of the GDPR is that “the level of protection of the rights and freedoms of natural persons with regard to the processing of [personal] data should be equivalent in all Member States.”Footnote 341 The GDPR aims at establishing equivalent protection for personal data in all EU member states. The right to continuous protection of personal data does not require that the protection for the transferred data in the third country is equivalent to the level of protection guaranteed within the EU, but that the protection is essentially equivalent to that guaranteed within the EU.

The Oxford English Dictionary (OED) defines the term essentially as “in respect of the essential points, materially, substantially.”Footnote 342 The OED further defines materially as “to a material or important extent” and substantially as “to a great extent.”Footnote 343 A literal interpretation thus suggests that the level of protection for personal data in a third country must, to an important or great extent, be the same as that guaranteed within the EU. Consequently, any discrepancies between the protection for personal data in the EU and a third country must not be significant enough to result in a different level of protection. AG Henrik Saugmandsgaard Øe explained in his opinion in Schrems 2 that a third country may still reflect its own scale of values according to which the respective weight of the various interests involved may diverge from that attributed to them in the EU legal order.Footnote 344 The standard of essential equivalence should therefore “be applied in such a way as to preserve a certain flexibility in order to take the various legal and cultural traditions into account.”Footnote 345 AG Saugmandsgaard Øe underlined, however, that the standard of essential equivalence requires that the minimum safeguards and general requirements for the protection of fundamental rights that follow from the Charter and the ECHR must have an equivalent in the legal order of the third state.Footnote 346 The Article 29 WP also emphasizes that the “objective is not to mirror point by point the European legislation, but to establish the essential – core requirements of that legislation.”Footnote 347

3.4.3 Level of Protection

The ECJ stressed in Schrems that a level of protection, which is essentially equivalent to that guaranteed in the EU, can partly be found in the judgment itself.Footnote 348

[A] level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order, [is] a level that is apparent in particular from the preceding paragraphs of the present judgment.Footnote 349

The preceding paragraphs referred to in this excerpt contain the following:

Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail.Footnote 350

In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter.Footnote 351

These paragraphs generalize the previous findings of unlawful limitations on Article 7 and Article 8 CFR in the jurisprudence of the ECJ on specific surveillance issues.Footnote 352 The ECJ underlined that a level of protection, which is essentially equivalent to that guaranteed in the EU, is apparent in particular from these findings. There will undoubtedly be more findings on unlawful limitations on Article 7 and Article 8 CFR and Article 8 ECHR that can be generalized as the jurisprudence of the ECJ and the ECtHR on specific surveillance issues advances.Footnote 353 These findings are relevant to define the level of protection sought with the standard of essential equivalence.

3.4.4 Limitations

An interference with Article 8 CFR is an interference with one or more of its constituent parts. Only the essence of a fundamental right cannot be limited, diminished, restricted, or interfered with. The standard of essential equivalence is embedded in the right to continuous protection of personal data that is transferred to a third country, which is an unwritten constituent part of Article 8 CFR. This extraterritorial dimension of the right to data protection is not part of its essence. Limitations on the right to continuous protection for personal data are possible if they satisfy the requirements of Article 52(1) CFR. However, the right to continuous protection of personal data already embraces the lawful limitations on Article 8 CFR because it operates with the standard of essential equivalence. Any additional limitations on the right to continuous protection for personal data would lead to more generous limitations on Article 8 CFR for third countries than would be allowed in the EU. These limitations must therefore be subject to a strict proportionality assessment.

3.5 Summary

I argue that the right to data protection in Article 8 CFR has an extraterritorial dimension. The jurisprudence of the ECJ has revealed an unwritten constituent of the right to data protection in relation to transfers of personal data to third countries. This right to continuous protection of personal data requires that the protection for personal data that is transferred to a third country is essentially equivalent to that guaranteed within the EU. It can be categorized as a territorial extension of Union law because data transfers have a strong territorial connection with the EU. This extraterritorial dimension of the right to data protection can be justified. It is necessary to effectively protect fundamental rights in the digital sphere. Effective protection on the internet cannot be guaranteed if the protection ends at the borders of the EU member states. It would be easy to bypass the protection of personal data in the EU if that were the case. The Preamble of the Charter underlines the necessity of strengthening the protection of fundamental rights in the light of changes in society, social progress, and scientific and technological developments. The foundational values of the right to data protection are also relevant in a transborder context. They support the extraterritorial dimension of the right to data protection. Article 16(2) TFEU offers a legal basis in the Treaties. However, the right to data protection is not absolute. As an unwritten constituent part of Article 8 CFR, the right to continuous protection for personal data and the standard of essential equivalence are both open to lawful limitations according to Article 52(1) CFR.

4 The Extraterritorial Dimension of the Right to Data Protection and Foreign Surveillance

This section is dedicated to foreign surveillance as a focal point of the extraterritorial dimension of the right to data protection. There is a triangular interface between data protection, surveillance, and trade.Footnote 354 Personal data that is transferred from the EU to a third country can become subject to foreign internet surveillance practices. If the protection for personal data from these practices is not essentially equivalent to that guaranteed within the EU, then the necessary restrictions imposed on these cross-border flows of personal data will influence trade relations. Two internet surveillance practices are particularly important: government access to personal data held by private companies and government interception of data flows from the internet (Sect. 2.4.1). The extraterritorial dimension of the right to data protection can easily come into conflict with these practices. The right to continuous protection of personal data implies that personal data cannot be exported from the EU to a third state that does not guarantee a level of protection for personal data that satisfies the standard of essential equivalence with regard to internet surveillance practices. The requirements for essential equivalence of protection from foreign internet surveillance practices can be found in the jurisprudence of the ECJ and the ECtHR (Sect. 2.4.2). Contrary to what some scholars argue, the EU does not maintain double standards for foreign internet surveillance practices (Sect. 2.4.3). Furthermore, the extraterritorial dimension of the right to data protection is complementary to the obligations of states in the field of internet surveillance under international human rights law such as the ICCPR (Sect. 2.4.4).

4.1 Foreign Internet Surveillance

Foreign internet surveillance has an impact on the activities of individuals in the EU on the internet. Police, secret services, immigration control, and intelligence agencies around the world are increasingly using personal data generated by individuals for their work. When the personal data of individuals in the EU is transferred to a third country, that data can become subject to foreign internet surveillance practices. These institutions either access personal data held by private companies (Sect. 2.4.1.1) or they directly intercept data flows from the internet (Sect. 2.4.1.2).

4.1.1 Access to Personal Data Held by Private Companies

After introducing the surveillance practice of access to personal data held by private companies (Sect. 2.4.1.1.1), the standards for the comparison of essential equivalence with the protection of personal data guaranteed within the EU are analyzed (Sect. 2.4.1.1.2).

4.1.1.1 Surveillance Practice

Servers of private companies often store the personal data of their users, clients, and employees. This data is of interest to governments, the police, and intelligence agencies. Consequently, these institutions seek access to personal data held by private companies. Access to this personal data is sometimes mediated by the entity holding the data and sometimes direct. Access to personal data held by private companies in third countries also concerns individuals in the EU whose personal data has been transferred to a third country and stored on the servers of a private company.

The most famous example of systematic access to personal data held by private companies is the PRISM program in the US. It was revealed through the leaks of classified information by former NSA contractor Edward Snowden in 2013.Footnote 355 Through the PRISM program, the NSA claimed to have direct access to the servers of nine of the big online business operators: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple. Access to these servers enabled US officials to collect information about individuals including their search histories, the content of their e-mails, file transfers, live chats, etc.Footnote 356 The PRISM program operated under the scope of Section 702 Foreign Intelligence Surveillance Act (FISA) which only allows the surveillance of persons who are not US citizens and who are reasonably believed to be located outside the US.Footnote 357 The PRISM program also targeted individuals in the EU. All the companies involved in the PRISM program were certified under the Safe Harbor scheme of Decision 2000/520, the Safe Harbor adequacy decision.Footnote 358 This made Decision 2000/520 one of the conduits through which US intelligence agencies were able to access and collect personal data that has been transferred from the EU to the US.Footnote 359

The US is not the only state where the government, the police, and intelligence agencies have systematic access to personal data held by private companies. Ira S. Rubinstein, Gregory T. Nojeim, and Ronald D. Lee found in their comparative analysis of different states in Asia, Australia, Europe, and the Americas that governments are increasingly turning to the private sector for information that they see as critical in countering criminal activity, terrorism, and threats to national security.Footnote 360 These scholars go on to identify common themes regarding systematic access to personal data held by private companies in different states. They found that systematic access is often not foreseeable from the text of the law.Footnote 361 In many states, the law appears to say something different from what governments are reportedly doing. This calls into question whether those states afford protection that is essentially equivalent to that guaranteed within the EU for individuals whose personal data is transferred from the EU to a third country. Rubinstein, Nojeim, and Lee write that oversight mechanisms are either absent or limited in scope and that they generally do not include voluntary data sharing arrangements between private companies and intelligence agencies, which, again, is troublesome in the light of the right to continuous protection of personal data.Footnote 362 They also underline that in many states, even in those with otherwise comprehensive data protection laws, access to personal data for law enforcement and/or national security purposes is often excluded, or these purposes are treated as accepted purposes for which access is authorized under separate laws that may or may not provide safeguards against possible abuses.Footnote 363 China and India stand out when it comes to access to personal data held by (private) companies because of an almost total lack of protection and oversight concerning access for law enforcement and/or national security purposes.Footnote 364

4.1.1.2 Standards for Comparison of Essential Equivalence

The determination of the applicable standards for the comparison of essential equivalence for government access to personal data held by private companies depends on whether the surveillance practice would—if it emanated from an EU member state—fall within the limitations placed on the scope of Union law in the field of national security. Should the surveillance practice fall within the limitations placed on the scope of Union law, the applicable standards for the comparison of essential equivalence can be found under the law of the EU member states, including their commitments under the ECHR. Should the surveillance practice be covered under Union law, the applicable standards for the comparison of essential equivalence can be found in the Charter, the GDPR, and other relevant instruments of EU secondary law.

The ECJ stated multiple times that the exclusion from EU data protection law for activities of EU member states protecting national security only concerns activities of the state or of state authorities that are unrelated to fields in which individuals are active. For example, the ECJ decided in Tele2/Watson that national provisions requiring providers of electronic communications services to retain traffic and location data as well as to grant public authorities access to the data for law enforcement and national security purposes are not excluded from the scope of Directive 2002/58/EC because they concern the processing of personal data by those providers and thus relate to fields in which individuals are active.Footnote 365 The ECJ confirmed this in Ministerio Fiscal and found that national provisions that require providers of electronic communications services to make personal data available to the police are not excluded from the scope of Directive 2002/58/EC because they concern the processing of personal data by those providers and thus relate to fields in which individuals are active.Footnote 366 The ECJ also followed this practice in Privacy International and in La Quadrature du Net concerning national legislative measures on the basis of which competent authorities may give the providers of electronic communications services a direction to disclose bulk data to security and intelligence agencies.Footnote 367 The ECJ stressed that according to settled case law, the allocation of competence in Article 4(2) TEU cannot invalidate this conclusion.

[A]lthough it is for the Member States to define their essential security interests and to adopt appropriate measures to ensure their internal and external security, the mere fact that a national measure has been taken for the purpose of protecting national security cannot render EU law inapplicable and exempt the Member States from their obligation to comply with that law.Footnote 368

However, the ECJ also specifically mentioned that in cases in which national provisions derogate from the rule guaranteeing the confidentiality of electronic communications without imposing processing obligations on providers, the protection of the data of the persons concerned is not covered by Directive 2002/58, but only by national law subject to the application of Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.Footnote 369 Consequently, the measures in question must comply with, inter alia, national constitutional law and the requirements of the ECHR.Footnote 370

As long as government access to personal data held by private companies requires the processing of personal data by the respective companies, it is covered by EU data protection law. Accordingly, the standard for comparison of essential equivalence for such surveillance practices must be found in the Charter, the GDPR, and other relevant instruments of EU secondary law. However, once the data are in the possession of state authorities, the retention and subsequent use of those data by those authorities for national security purposes fall within the limitations placed on the scope of Union law in the light of Article 4(2) TEU and the applicable standards for the comparison of essential equivalence must here be found under the law of the EU member states, including their commitments under the ECHR.Footnote 371 The same is true when governmental access to personal data held by private companies does not require the processing of personal data by the respective companies.

4.1.2 Interception of Data Flows from the Internet

After introducing the surveillance practice of interception of data flows from the internet (Sect. 2.4.1.2.1), the standards for the comparison of essential equivalence with the protection of personal data guaranteed within the EU are analyzed (Sect. 2.4.1.2.2).

4.1.2.1 Surveillance Practice

The internet is a worldwide network of networks.Footnote 372 Large submarine and overland fiber-optic cables connect these networks (internet backbone). Data travels in tiny packages separately and possibly on different routes (packet switching) through multiple internet exchange points (peering) to its destination. Some of that data can be interesting for governments, the police, and intelligence agencies. Some of these institutions tap directly into the infrastructure of the internet. Data is copied from interceptors placed on the submarine and overland fiber-optic cables connecting the different networks at landing points where the submarine cables make landfall and from central exchanges which switch internet traffic between the major carriers.Footnote 373 This practice is also called “upstreaming” because the collection of data does not occur at a local private company but in real-time in the flow of data.Footnote 374 Access to data flows is either secret, negotiated with the operating companies, or enforced with a legal order served on the operating companies. It can take place either inside or outside the territory of the state accessing the data flows, for example in the open sea. This surveillance practice may also concern personal data that has been transferred from the EU to a third country. Once gathered, the data is usually retained for a certain period of time and organized through platforms of integration to make it intelligible.Footnote 375

4.1.2.2 Standards for Comparison of Essential Equivalence

The determination of the applicable standards for the comparison of essential equivalence for the interception of data flows from the internet depends on whether the internet surveillance practice would—if it emanated from an EU member state—fall within the limitations placed on the scope of Union law in the field of national security. Should the surveillance practice fall within the limitations placed on the scope of Union law, the applicable standards for the comparison of essential equivalence can be found under the law of the EU member states, including their commitments under the ECHR. Should the surveillance practice be covered under Union law, the applicable standards for the comparison of essential equivalence can be found in the Charter, the GDPR, and other relevant instruments of EU secondary law.

The ECJ stated multiple times that the exclusion from EU data protection law for the national security activities of EU member states only applies to activities of the state or of state authorities that are unrelated to fields in which individuals are active.Footnote 376 Government interception of data flows from the internet may, but does not necessarily have to, relate to fields in which individuals are active. The surveillance practice does not relate to fields in which individuals are active if a national measure authorizes direct interception of data flows from the internet infrastructure by its intelligence agencies without any cooperation of the companies operating the internet infrastructure.Footnote 377 Such a measure falls within the limitations placed on the scope of Union law in the light of Article 4(2) TEU. The applicable standards for the comparison of essential equivalence can be found under the law of the EU member states, including their commitments under the ECHR. The surveillance practice relates to fields in which individuals are active only if a national measure requires companies operating the internet infrastructure to grant the authorities responsible for national security access to the data flows on the infrastructure they operate.Footnote 378 Such a measure does not fall within the limitations placed on the scope of Union law in the light of Article 4(2) TEU. Accordingly, the standards for comparison of essential equivalence must be found in the level of protection accorded by Union law defined in the Charter, the GDPR, and other relevant instruments of secondary legislation.

4.2 Requirements for Essential Equivalence of Protection from Internet Surveillance

Foreign internet surveillance is a focal point of the extraterritorial dimension of the right to data protection. The requirements for essential equivalence of protection of personal data from internet surveillance practices can be found in the Charter, the GDPR, and other relevant instruments of secondary Union law, on the one hand, and in the law of the EU member states, including their commitments under the ECHR, on the other hand. In 2016, after the ECJ handed down the Schrems judgment, the Article 29 WP screened the jurisprudence of the ECJ and the ECtHR and defined four “European Essential Guarantees” in order to group the requirements for essential equivalence of protection from internet surveillance practices.Footnote 379 The EDPB updated the European Essential Guarantees in 2020 after the ECJ handed down the Schrems 2 judgment.Footnote 380 These requirements have to be seriously taken into account for all transfers of personal data to third countries.Footnote 381 They prescribe data processing based on clear, precise and accessible rules (Sect. 2.4.2.1), necessity and proportionality of data processing with regard to a legitimate objective (Sect. 2.4.2.2), the existence of an independent oversight mechanism (Sect. 2.4.2.3), and the availability of effective remedies (Sect. 2.4.2.4).

4.2.1 Clear, Precise and Accessible Rules

Guarantee A requires that the processing of personal data for surveillance purposes should be based on clear, precise and accessible rules.Footnote 382 This guarantee corresponds to the requirements in Article 52 CFR that any limitation on the exercise of fundamental rights must be provided for by law, and in Article 8(2) ECHR that any interference with the right to private life must be in accordance with the law. Limitations must be foreseeable as to their effect for the individual in order to give him or her adequate protection against arbitrary interferences.Footnote 383 The reference to foreseeability in the surveillance context cannot be the same as in many other fields.Footnote 384 Nonetheless, domestic law must be sufficiently clear to give individuals an adequate indication as to the circumstances and conditions which empower public authorities to resort to such measures.Footnote 385 It would be against the rule of law for the discretion of the implementation of surveillance legislation to be expressed in terms of unfettered power because that implementation is not open to public scrutiny.Footnote 386

The two internet surveillance practices discussed above can be used for targeted and untargeted surveillance. Mireille Delmas-Marty has summarized the distinction between targeted and untargeted surveillance: “Instead of starting from the target to find the data, one starts from the data to find the target.”Footnote 387 The Dutch Review Committee for Intelligence and Security Services (CTIVD) provides a useful definition for targeted and untargeted surveillance regarding the interception of data flows from the internet.Footnote 388 Targeted interception is a form of interception where the person, organization or technical characteristic at whom/which the data collection is targeted can be specified in advance. Untargeted interception is a form of interception where the person, organization or technical characteristic at whom/which the data collection is targeted cannot be specified in advance. The two types of surveillance are often treated differently when it comes to the requirements for protection of human rights and fundamental rights from surveillance practices. This is also the case for the requirement of clear, precise and accessible rules:

Regarding targeted surveillance, the ECtHR developed minimum safeguards that should be set out in law in order to avoid abuses of power:Footnote 389

  • the nature of the offences which may give rise to an interception or surveillance order;

  • a definition of the categories of people that might be subject to surveillance;

  • a limit on the duration of the measure;

  • the procedure to be followed for examining, using and storing the data obtained;

  • the precautions to be taken when communicating the data to other parties;

  • the circumstances in which the data must be destroyed.

Regarding untargeted surveillance, the ECtHR held in Big Brother Watch and others v. United Kingdom and Centrum för rättvisa v. Sweden that these safeguards for targeted surveillance have to be adapted to reflect the specific features of a bulk interception regime.Footnote 390 The ECtHR found that the first two of the six minimum safeguards are not readily applicable to a bulk interception regime but that the other safeguards are still relevant.Footnote 391 Nevertheless, the ECtHR suggested a new set of criteria that domestic legal frameworks need to define when it comes to untargeted surveillance:Footnote 392

  • the grounds on which bulk interception may be authorised;

  • the circumstances in which an individual’s communications may be intercepted;

  • the procedure to be followed for granting authorisation;

  • the procedures to be followed for selecting, examining and using intercept material;

  • the precautions to be taken when communicating the material to other parties;

  • the limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed;

  • the procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance;

  • the procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance.

4.2.2 Necessity and Proportionality

Guarantee B requires that any interference with fundamental rights must be necessary and proportional with regard to the legitimate objectives pursued.Footnote 393 This guarantee corresponds to the requirement in Article 52 CFR that subject to the principle of proportionality, limitations on the exercise of fundamental rights are possible if they are necessary and genuinely meet objectives of general interest recognized by the EU, and the requirement in Article 8(2) ECHR that an interference with the right to private life must be necessary in a democratic society. It is settled case law of the ECJ that “derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary.”Footnote 394 Targeted surveillance and untargeted surveillance are again treated differently when it comes to necessity and proportionality:

Regarding targeted surveillance, the ECtHR held in Zakharov v. Russia that there must be a “reasonable suspicion” against a person for surveillance measures to be authorized.Footnote 395 The authorization for the interception of telephone communication must clearly identify a specific person or premises to be placed under surveillance. The identification may be made by name, address, telephone number, or other relevant information.Footnote 396

The ECJ used the standard of reasonable suspicion developed in Zakharov v. Russia to address government access to personal data retained by providers of electronic communications services in Tele2/Watson:

In that regard, access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime.Footnote 397

The ECJ showed that access to the retained data must be targeted for the objective of fighting crime. The ECJ relaxed the standard of reasonable suspicion in Tele2/Watson when the retained data is accessed for the objective of national security:

However, in particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities.Footnote 398

It seems that in order to comply with this standard, access to retained data must still be targeted, but there does not have to be a “reasonable suspicion” against the person whose data is accessed.Footnote 399

Regarding untargeted surveillance, the Article 29 WP elaborated in 2016 that the standards of reasonable suspicion and identification suggest that only targeted surveillance is justifiable because untargeted surveillance would, by definition, not comply with these requirements.Footnote 400 The EDPB did not specifically address the issue of reasonable suspicion and untargeted surveillance in the update of the European Essential Guarantees in 2020. The ECtHR clarified in Big Brother Watch and others v. United Kingdom and Centrum för rättvisa v. Sweden that the requirement of reasonable suspicion is less germane in the bulk interception context, the purpose of which is in principle preventive, rather than for the investigation of a specific target and/or an identifiable criminal offence.Footnote 401 Accordingly, the ECtHR did not use the standard of reasonable suspicion from its case-law on targeted surveillance in these two cases on bulk interception.

Furthermore, the ECJ ruled on a series of untargeted data retention cases. The ECJ decided in Tele2/Watson that national legislation providing for the untargeted retention of traffic and location data for the purpose of combating serious crime exceeds the limits of what is strictly necessary and cannot be considered justified within a democratic society.Footnote 402 The ECJ already explained in Digital Rights Ireland that this is because such legislation is not restricted to retention of data pertaining to a time period and/or geographical area and/or a group of persons likely to be involved in a serious crime, or to persons who could contribute, through their data being retained, to the combating of a serious crime.Footnote 403 Nevertheless, the ECJ underlined in La Quadrature du Net that the objective of safeguarding national security is capable of justifying measures that entail more serious interferences with fundamental rights than those which might be justified by other objectives.Footnote 404 Accordingly, the ECJ decided that even the untargeted, general, and indiscriminate retention of traffic and location data of all persons using electronic communications systems can be justified, as long as there are sufficiently solid grounds for considering that the member state concerned is confronted with a serious threat to national security that is both genuine and present or foreseeable.Footnote 405 This retention must be limited in time to what is strictly necessary, but it can be renewed.Footnote 406

In contrast, and with regard to transmission and not retention, the ECJ decided in Privacy International that the untargeted, general, and indiscriminate transmission of traffic data and location data of all persons using electronic communications services to security and intelligence agencies for the purpose of safeguarding national security cannot be justified.Footnote 407 The ECJ explained that legislation which permits the untargeted, general, and indiscriminate transmission of data to public authorities also entails general access and is prohibited.Footnote 408 In accordance, the ECJ held that general access to all retained data, regardless of whether there is any link, at least indirect, with the aim pursued, cannot be regarded as limited to what is strictly necessary.Footnote 409

4.2.3 Independent Oversight Mechanism

Guarantee C requires an independent oversight mechanism for surveillance activities of the state.Footnote 410 This guarantee is reflected in Article 8(3) CFR. Independent oversight is also relevant for the assessment of lawful limitations of surveillance measures according to Article 52 CFR and Article 8(2) ECHR.

The ECtHR found it essential that the oversight mechanisms should themselves provide adequate and effective safeguards to keep the interference to what is necessary in a democratic society.Footnote 411 The ECtHR stressed that in a field such as secret surveillance, where abuse in individual cases is easy and could have harmful consequences for a democratic society as a whole, it is desirable to entrust supervisory control to a judge because judicial control offers the best guarantees of independence, impartiality, and proper procedure.Footnote 412 A non-judicial authority may be compatible with the Convention provided that the authority is sufficiently independent from the executive.Footnote 413

An interference with the right to private life and the right to data protection can occur at different stages of the surveillance process; for example, at the time of collection of the personal data and at the time the data is accessed by intelligence agencies for further processing.Footnote 414 Consequently, the ECtHR considers that independent oversight should also take place at different stages: when the surveillance is first ordered, while it is being carried out, and/or after it has been terminated.Footnote 415

For a long time, the ECtHR did not find prior authorization of secret surveillance measures to be an absolute requirement. Only with regard to targeted surveillance measures concerning the media has the ECtHR ruled that prior authorization is indispensable.Footnote 416 In Zakharov v. Russia, the ECtHR hinted that prior judicial authorization of secret surveillance measures is an important safeguard against arbitrariness of secret surveillance and serves to limit the authorities’ discretion in interpreting the scope of mandating and performing surveillance.Footnote 417 In Big Brother Watch and others v. United Kingdom and Centrum för rättvisa v. Sweden, the ECtHR underlined that in the context of untargeted surveillance (bulk interception), the importance of supervision and review will be amplified because of the risk of abuse and because the legitimate need for secrecy will mean that, for national security reasons, states will often not be able to disclose information concerning their surveillance operations.Footnote 418 The ECtHR then held that in order to minimize the risk of the bulk interception being abused, the process must be subject to “end-to-end safeguards”, meaning that an assessment should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorization at the outset, when the object and scope of the bulk operation are being defined; and that the operation should be subject to supervision and independent ex post facto review.Footnote 419 Prior authorization has therefore become a new standard in the jurisprudence of the ECtHR.

Regarding the objective and the scope of the bulk operation that needs to be subject to independent authorization, the ECtHR further clarified that the information, next to the purpose of the interception and the bearers or communication routes, must include at the very least the types or categories of selectors to be used.Footnote 420 In case of hard selectors such as e-mail addresses or names, every such selector must be justified, with regard to the principles of necessity and proportionality, by the intelligence services and that justification should be scrupulously recorded and be subject to a process of prior internal authorization providing for separate and objective verification of whether the justification meets these principles.Footnote 421

The ECJ made it clear in its jurisprudence on data retention that prior authorization is necessary. The ECJ held that access to retained personal data should be made dependent on a prior review carried out by a court or by an independent administrative body, whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued.Footnote 422

4.2.4 Effective Remedies

Guarantee D requires that effective remedies are available to individuals who are (or suspect to be) subject to surveillance activities.Footnote 423 This guarantee is reflected in Article 47 CFR but it is also relevant under Article 8(2) ECHR. The first paragraph of Article 47 CFR states that everyone, whose rights guaranteed by EU law are violated, needs to have an effective remedy before a tribunal.Footnote 424

The ECtHR recalled in Zakharov v. Russia that there are two ways of addressing the issue of remedies: either by notifying concerned individuals of the surveillance measures taken and, thus, enabling a challenge to their legality retrospectively, or, by enabling individuals who suspect to be subject to surveillance measures to apply to a court or tribunal whose jurisdiction does not depend on any notification.Footnote 425 Such a court must be independent and impartial, adopt its own rules of procedure, consist of members that hold or have held high judicial office or be experienced lawyers, and, in undertaking its examination of complaints, the court should have access to all relevant information, including closed materials, and it should have the powers to remedy non-compliance.Footnote 426

The ECJ relied heavily on notification of concerned individuals in Tele2/Watson for the targeted access to retained data as soon as notification would no longer jeopardize the surveillance measure.Footnote 427 The ECJ found that the “notification is, in fact, necessary to enable the persons affected to exercise, inter alia, their right to a legal remedy.”Footnote 428 With regard to the notification required for an automated and untargeted analysis of traffic and location data of all persons using electronic communications systems, the ECJ found that the competent national authority is obliged to publish information of a general nature relating to that analysis without having to notify the persons concerned individually. However, if the data matches the parameters specified in the measure authorizing the automated analysis and that authority identifies the person concerned in order to further analyze the data concerning him or her, it is necessary to notify that person individually, as soon as notification would no longer jeopardize the surveillance measure.Footnote 429

In contrast, the ECtHR did say in Big Brother Watch and others v. United Kingdom and Centrum för rättvisa v. Sweden that it has repeatedly found the subsequent notification of surveillance measures to be a relevant factor in assessing the effectiveness of remedies before the courts, but it acknowledges that notification is not necessary if the system of domestic remedies permits any person who suspects that his or her communications are being or have been intercepted to apply to the courts.Footnote 430 In the absence of a notification requirement, the ECtHR found it imperative that the remedy should be before a body which, while not necessarily judicial, is independent of the executive and ensures the fairness of the proceedings, offering, in so far as possible, an adversarial process.Footnote 431 The decisions of such authority shall be reasoned and legally binding with regard, inter alia, to the cessation of unlawful interception and the destruction of unlawfully obtained and/or stored intercept material.Footnote 432

4.3 No Double Standards for Foreign Internet Surveillance

Some commentators alleged that it is hypocritical for EU policymakers and the ECJ to concern themselves with foreign surveillance practices when the EU does not seem to discipline surveillance practices at home.Footnote 433 They criticize that the EU maintains double standards between EU member states and third states when it comes to data protection. These allegations are nurtured by the fact that many EU member states (continue to) employ large-scale surveillance programs. Scholars report that

[i]n the UK, the GCHQ’s Tempora program is reported to have placed 200 interceptors on cables running from the British Isles to Western Europe and the United States. The French DGSE has allegedly placed similar interceptors on underwater cables out of its military base in Djibouti. Among other activities, the German BND has been said to tap directly into the largest Internet Hub in Europe, the Frankfurt-based DE-CIX. Sweden’s FRA taps the underwater cables that connect to the Baltic countries and Russia. The different intelligence services work more or less together in networks to gather information and extend a global reach, covering the Internet.Footnote 434

Six EU member states have detailed legislation on surveillance of data flows: France, Germany, the Netherlands, Sweden, the UK and Finland.Footnote 435 Other EU member states allow for general surveillance of data flows, but do not regulate it in detail. Italy is an example.Footnote 436

The allegations of double standards do not prove true. The determination of the applicable standards for the comparison of essential equivalence for foreign surveillance practices depends on whether a surveillance practice would, if it emanated from an EU member state, fall within the limitations placed on the scope of Union law in the light of Article 4(2) TEU. Should a surveillance practice be covered under Union law, the applicable standards for the comparison of essential equivalence can be found in the Charter, the GDPR, and other relevant instruments of EU secondary law. Should a surveillance practice fall within the limitations placed on the scope of Union law, the applicable standards for the comparison of essential equivalence can be found under the law of the EU member states, including their commitments under the ECHR. Either way, the same standards apply for EU member states and third states.

The Article 29 WP noted that the European Essential Guarantees are based on what is required by the law and not necessarily on what is the current practice in EU member states.Footnote 437 The current practice in EU member states might not live up to the requirements of Union law or to their commitments under the ECHR. However, that practice can always be challenged before the respective judicial authorities.

4.4 International Human Rights Law and Internet Surveillance

The right to continuous protection of personal data has an impact on third countries. Their ability to import personal data from the EU depends on the level of protection they afford to personal data that is transferred from the EU. The extraterritorial dimension of the right to data protection requires protection of personal data that is essentially equivalent to that guaranteed within the EU. This also includes protection from internet surveillance. The right to continuous protection of personal data therefore restrains the ability of states to apply surveillance practices if they want to import personal data from the EU. However, international human rights law also restrains the ability of states to apply surveillance practices. Article 17 ICCPR contains a right to privacy that covers data protection issues (Sect. 2.4.4.1). That right applies regardless of nationality (Sect. 2.4.4.2), and it also protects individuals located outside the territory of the surveilling state (Sect. 2.4.4.3). The standard of protection from internet surveillance of the right to privacy in Article 17 ICCPR is similar to the extraterritorial dimension of the right to data protection (Sect. 2.4.4.4).

4.4.1 Data Protection in the ICCPR

Privacy is widely recognized as a fundamental human right.Footnote 438 Article 17 ICCPR determines that no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation, and that everyone has the right to the protection of the law against such interference or attacks. The Human Rights Committee (HRC) already concluded in its General Comment No. 16 of 1988 that data protection is part of Article 17 ICCPR:

The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law. Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.Footnote 439

The HRC was willing to adapt Article 17 ICCPR to the potential dangers that new or uncontrolled forms of data processing create for the liberties of individuals and the life of democratic societies. The words used in General Comment No. 16 were inspired by the body of legal instruments on data protection found nationally and internationally at the time.Footnote 440 Developments at the UN confirm that data protection can be anchored in international human rights law.Footnote 441 The UN General Assembly and the Human Rights Council both underlined that Article 17 ICCPR is implicated by the online gathering and processing of personal data.Footnote 442 The UN General Assembly specifically called upon states to review their surveillance practices “with a view to upholding the right to privacy by ensuring the full and effective implementation of all their obligations under international human rights law.”Footnote 443

4.4.2 Application of the ICCPR

4.4.2.1 Nationality

Laws regulating surveillance practices in many states have traditionally distinguished between insiders (citizens and permanent residents) and outsiders (all others) and have protected the privacy and data protection rights of the insiders far more assiduously than those of the outsiders.Footnote 444 The threshold question of whether individuals enjoy human rights should in principle not depend on whether they have a state’s nationality.Footnote 445 The distinction between insiders and outsiders can be criticized. The rights under the ICCPR (and the ECHR) apply to everyone within a state’s jurisdiction. The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism remarked that asymmetrical protection regimes for nationals and non-nationals are incompatible with the principle of non-discrimination in Article 26 ICCPR.Footnote 446 The High Commissioner for Human Rights stated that Article 17 ICCPR has to be read together with Article 26 ICCPR.Footnote 447 No one shall be subjected to arbitrary interference with his privacy and everyone has the right to the protection of the law against such interference or attacks. The Venice Commission similarly concluded that all individuals have privacy rights vis-à-vis states party to the ICCPR.Footnote 448

4.4.2.2 Territory

If citizenship is normatively irrelevant for the threshold question of whether the ICCPR applies to a particular surveillance practice, the truly critical question becomes the territorial scope of the ICCPR on the basis of the location of the individual and/or the interference with his or her rights.Footnote 449 Article 2(1) ICCPR defines the territorial scope of the Covenant and obliges every state party to ensure the rights recognized in the Covenant to all individuals within its territory and subject to its jurisdiction. The provision is somewhat awkwardly formulated.Footnote 450 It is disputed whether the provision’s seemingly conjunctive reference to territory admits of any extraterritorial application, i.e. whether an individual who is subject to the jurisdiction but not within the territory of the (surveilling) state is protected by Article 17 ICCPR.Footnote 451 The US minority position is that the ICCPR applies only to individuals who are both within the state’s territory and subject to the state’s jurisdiction.Footnote 452 This interpretation does not cover communications involving individuals abroad under Article 17 ICCPR. The US position has been criticized by other states, human rights experts, and treaty bodies as fundamentally flawed.Footnote 453

According to the general rule of interpretation in Article 31(1) VCLT, the ICCPR must be interpreted in good faith in accordance with the ordinary meaning to be given to the terms of the Covenant in their context and in the light of its object and purpose. This means, at the very least, that when there are several plausible readings of the territorial scope in Article 2(1) ICCPR, the one that more accords with the treaty’s object and purpose should be preferred. The HRC determined in General Comment No. 31 that the object and purpose of the ICCPR is to extend human rights comprehensively around the globe and leave as few gaps as possible in that protection.Footnote 454 The HRC concluded that “a State party must respect and ensure the rights laid down in the Covenant to anyone within the power or effective control of that State Party, even if not situated within the territory of the State Party.”Footnote 455 According to the supplementary means of interpretation in Article 32(a) VCLT, recourse may be had to the preparatory work of the ICCPR to determine the meaning of a provision when the interpretation according to Article 31 VCLT leaves the meaning ambiguous. The ICJ confirmed the conclusion of the HRC in the Wall case:

The travaux préparatoires of the Covenant confirm the Committee’s interpretation of Article 2 of that instrument. These show that, in adopting the wording chosen, the drafters of the Covenant did not intend to allow States to escape from their obligations when they exercise jurisdiction outside their national territory. They only intended to prevent persons residing abroad from asserting, vis-à-vis their State of origin, rights that do not fall within the competence of that State, but of that of the State of residence.Footnote 456

It is now widely held that Article 2(1) ICCPR guarantees the Covenant rights to all individuals within a state’s territory and, equally, to all individuals subject to its jurisdiction.Footnote 457 Even Harold Koh, former legal advisor to the US State Department, agreed in an internal memorandum on the extraterritorial application of the ICCPR (leaked in 2014 and published by the New York Times) with the critics of the US minority position that the language of the ICCPR is not clear and that reading Article 2(1) ICCPR to categorically disallow extraterritorial application would be contrary to the Covenant’s object and purpose.Footnote 458

It is therefore necessary to consider whether a state exercises effective control regarding internet surveillance practices in order to establish the jurisdiction of the ICCPR. It is clear that a state exercises effective control in the case of government access to personal data held by private companies in the territory of that state.Footnote 459 However, on the basis of a narrow interpretation of the effective control test, it is unclear whether the application of the ICCPR can be triggered by practices of a purely incorporeal character, such as the interception of data flows from the internet outside the territory of a state.Footnote 460 Many scholars argue that the effective control test should be applied flexibly in order to cope with the challenges arising from technological advances.Footnote 461 Conventional modes of exercising control such as police searches of physical premises are rarely employed in the realm of the internet and online communications. Technology enables massive intrusions into the privacy of individuals abroad. The effective control test must also be tailored to the specific character of the right at issue.Footnote 462 The test of effective control could be interpreted as meaning that either the right of an individual outside state territoryFootnote 463 or his or her correspondence and communicationFootnote 464 is under the effective control of the supervising state.Footnote 465 Whenever a state collects personal data, it is indirectly exercising control over those individuals that generated the data.Footnote 466

Human rights bodies have confirmed an expansive interpretation of the effective control test in the area of internet surveillance. The HRC urged the US to take “all necessary measures to ensure that its surveillance activities, both within and outside the United States, conform to its obligations under the Covenant, including article 17.”Footnote 467 The UN High Commissioner for Human Rights similarly took the position that internet surveillance

may engage a State’s human rights obligations if that surveillance involves the State’s exercise of power or effective control in relation to digital communications infrastructure, wherever found, for example, through direct tapping or penetration of that infrastructure. Equally, where the State exercises regulatory jurisdiction over a third party that physically controls the data, that State also would have obligations under the Covenant.Footnote 468

And the UN Rapporteur on the Right to Privacy underlined the universal nature of privacy in the digital age:

Surveillance activities, regardless of whether they are directed towards foreigners or citizens, must only be carried out in compliance with fundamental human rights such as privacy. Any national laws or international agreements disregarding this fact, must be considered outdated and incompatible with the universal nature of privacy and fundamental rights in the digital age.Footnote 469

I thus conclude that internet surveillance practices, including those applied abroad, fall within the scope of the ICCPR and individuals subject to such practices should be entitled to the protection of their privacy according to Article 17 ICCPR.Footnote 470 This includes individuals in the EU whose personal data is transferred from the EU to a third country.

4.4.3 Standards of the Right to Privacy

Article 17 ICCPR prohibits unlawful or arbitrary interferences with privacy.Footnote 471 The HRC has cautioned a number of states that their legal arrangements on surveillance were insufficiently clear and precise in order to satisfy the standard in Article 17 ICCPR.Footnote 472

The HRC explained that the standard of non-arbitrariness is intended to guarantee that even interference provided for by law should be in accordance with the provisions, aims and objectives of the Covenant and should be, in any event, reasonable for the particular circumstances.Footnote 473 The standard of non-arbitrariness in the ICCPR appears to be more lenient than the standard of necessity in a democratic society in the ECHR. However, the HRC has never read the term arbitrary in Article 17 ICCPR, or in other provisions of the Covenant, by its literal meaning, as referring to unrestrained decisions made purely by discretion or on whim without any rational reason behind it—which would be a standard so low that it could be easily satisfied by almost any rule allowing for the interference.Footnote 474 The HRC observed in Canepa v. Canada that the standard of non-arbitrariness includes “compatibility [of an interference] with the purpose, aim and objectives of the Covenant.”Footnote 475 The HRC defined the term arbitrary (albeit in a different context, with relation to arbitrary detention) in the following manner:

“The notion of “arbitrariness” is not to be equated with “against the law”, but must be interpreted more broadly to include elements of inappropriateness, injustice, lack of predictability and due process of law, as well as elements of reasonableness, necessity and proportionality.”Footnote 476

The HRC used proportionality in Canepa v. Canada to assess the relationship between the legitimate objective of an interference and its impact on the individual.Footnote 477 The HRC has considered in its concluding observations regarding (internet) surveillance practices in states subject to periodic human rights review that independent, especially judicial, supervision of surveillance practices and effective remedies are crucial safeguards for preventing arbitrary interferences with the right to privacy.Footnote 478

4.4.4 Violation of the ICCPR

Whether or not internet surveillance practices violate the right to privacy in Article 17 ICCPR has been the subject of scholarly debate. Ilina Georgieva raises serious doubts about the legality of mass surveillance practices. She argues that the bulk collection of personal data and the indiscriminate interception of data flows constitute a disproportionate restriction of the right to privacy under Article 17 ICCPR.Footnote 479 Anne Peters observes that “dragnet searches and stock data retention of the entire population or large groups without concrete indications founding a suspicion that terrorist or criminal acts are being planned seems prima facie disproportionate.”Footnote 480 Marko Milanovic does not offer a definitive position on the compatibility of internet surveillance practices with the ICCPR.Footnote 481 He contends instead that a more restrictive position on domestic internet surveillance practices than on practices outside the territory of the surveilling state is justified. He argues that the state has alternative tools at its disposal in the domestic context. This would need to be considered in a proportionality analysis for internet surveillance practices outside the territory of the surveilling state.

In contrast, Jordan J. Paust argues that these practices cannot be considered unlawful according to Article 17 ICCPR.Footnote 482 He interprets the term unlawful so as to give primacy to international law, and especially to competences of states under the law of self-defense and the laws of war when they are applicable. According to him, war and state surveillance for the purposes of self-defense can “buttress claims that particular forms of privacy intrusion are rational, reasonable, and not arbitrary under the circumstances, and that should inform the legal meaning of the word unlawful in the ICCPR.”Footnote 483 Peter Margulies is of the opinion that most surveillance programs carried out by the NSA outside the US cannot be considered arbitrary under Article 17 ICCPR because they target “terrorists, national security threats, and espionage in a tailored fashion.”Footnote 484 He reads Article 17 ICCPR in tandem with the law of armed conflict and UN Security Council resolutions on counterterrorism and advances a “model of procedural pluralism that gives states flexibility in creating protections if they honor core principles such as notice, oversight, and minimization.”Footnote 485 However, the arguments of Paust and Margulies are not as convincing when the EU, its member states, or militant groups in the EU are not engaging in military actions against a surveilling state and/or are not actively harboring terrorists planning attacks against a surveilling state.

It is neither necessary nor possible within this context to make a definitive judgment on the violation of Article 17 ICCPR as a result of foreign internet surveillance practices. However, I would argue that the standards for internet surveillance, including outside the territory of the surveilling state, under Article 17 ICCPR are similar to the standards of the EU.Footnote 486 There is a high probability that internet surveillance practices also interfere with Article 17 ICCPR if they interfere with the right to continuous protection of personal data that is transferred from the EU to third countries in Article 8 CFR. The obligations of states under the ICCPR are complementary to the extraterritorial dimension of the right to data protection.

4.5 Summary

The extraterritorial dimension of the right to data protection requires continuous protection of personal data that is transferred from the EU to third countries. This protection must be essentially equivalent to that guaranteed within the EU. Foreign internet surveillance is a focal point of the right to continuous protection of personal data. Foreign internet surveillance is an obstacle to trade if the protection of personal data is not essentially equivalent to that guaranteed within the EU. Four Essential European Guarantees entail the relevant requirements for essential equivalence of protection from internet surveillance. However, there are still uncertainties as to what kind of surveillance measures are lawful under the Charter and the ECHR because the jurisprudence in the field is still developing. This is problematic because the EU cannot communicate in sufficient detail what kind of internet surveillance practices would be compatible with the right to continuous protection of personal data. Nevertheless, allegations of double standards for third states regarding the required standards for surveillance practices cannot be substantiated. This is important for the analysis in international trade law. In addition, the obligations of states under international human rights law regarding the standards for surveillance practices are complementary to the extraterritorial dimension of the right to data protection.

5 Conclusion

From the very beginning, the development of data protection was focused on technological progress and the associated new powers of the state. Connections with the protection of privacy emerged in European constitutions and connections with the protection of trade emerged through international instruments. The inclusion in the Charter of a right to data protection, in addition to the right to private life, expressed the necessity of strengthening protections for fundamental rights in light of changes in society, social progress, and scientific and technological developments enshrined in the Preamble of the Charter. The right to data protection in Article 8 CFR consists of six written constituent parts. The jurisprudence of the ECJ reveals an unwritten constituent part of Article 8 CFR, which is connected to cross-border flows of personal data. The right to continuous protection of personal data that is transferred from the EU to a third country represents the extraterritorial dimension of the right to data protection. Individuals in the EU are entitled to receive protection that is essentially equivalent to that guaranteed within the EU, when their personal data is transferred from the EU to a third country. This protection has a strong legal basis in the Treaties and is supported by the foundational values of the right to data protection. Effective protection for fundamental rights in the digital sphere cannot be guaranteed if the protection ends at the borders of the EU member states. The extraterritorial dimension of the right to data protection also mirrors the necessity of strengthening protections for fundamental rights in light of changes in society, social progress, and scientific and technological developments enshrined in the Preamble of the Charter.

Since the development of data protection is focused on technological progress and the associated new powers of the state, it is evident that foreign internet surveillance practices are the focal point of the extraterritorial dimension of the right to data protection. The internet has not only revolutionized communication, it has also enabled new forms of trade. Digital trade often involves personal data. Information about individuals now travels around the world on an unprecedented and rapidly growing scale. This information is valuable for governments and their intelligence agencies. They seek access to personal data held by private companies or directly intercept data flows from the internet. When personal data is exported from the EU to a third country, the right to continuous protection of personal data demands that the protection for the exported data in the third country must be essentially equivalent to that guaranteed within the EU. Any third country that wants to import personal data from the EU must align its internet surveillance practices with the standards of the Charter and the ECHR. This is how the right to data protection has unfolded its reach globally.