9. Data Protection as a Fundamental Right
Outline of this chapter
In this chapter we will focus on the development of the right to data protection in the European Union. The protection of personal data emerged as a fundamental right which is closely linked to but distinct from the right to privacy. Where the right to privacy encompasses a broad range of protections in the realm of personal autonomy and freedom from intrusive measures, data protection under EU law has a rather specialised role. The right to data protection focuses on the control, processing and security of personal information, and by extension – the natural persons to whom this information refers.
We will first focus our attention on similarities and differences between human rights and fundamental rights. Such analysis will be useful to better understand the nature of data protection and privacy, as well as the emerging challenges within the scope of these rights.
The main goal of this chapter is to give the reader insight into the growing importance of data protection – not only as an independent right, but also as an instrument for upholding other fundamental rights. Maintaining stability and balance in the digital world is challenging, and it begins with a clear recognition of the core principles of the right to data protection.
The topics covered are:
- Human Rights and Fundamental Rights (9.1)
- Some historical highlights (9.2)
- Right to Privacy v. Right to Data Protection (9.3)
- Lawful limitation of the right to data protection (9.4)
9.1 Human Rights and Fundamental Rights
As already discussed in the first part of this book, human rights can be found in international law and are considered inherent to all human beings. They should be universally applied irrespective of nationality, race, ethnicity, religion, gender, sexual orientation, etc. Often human rights are enshrined in international treaties – such as, for example, the UDHR, the ICCPR, the ICESCR and the ECHR. Human rights can also be found in customary international law and general principles of international law.
Fundamental rights are those used in a constitutional context. They could be specific to a domestic legal order and therefore be subject to varying approaches and protections depending on the State’s law. Often when a State ratifies an international treaty and becomes party to it, it will transpose international law human rights into domestic law fundamental rights. In this sense, fundamental rights are not universal, but they are applicable to individuals belonging to a national/regional legal framework. The European Union has chosen to use the term “fundamental rights” to describe the obligations of Member States toward persons residing in the Union.
9.2 Some historical highlights
After World War II, human rights frameworks were established without considering data protection. The emphasis was placed on the right to privacy. An example of this development is the European Convention on Human Rights (ECHR), adopted in 1950 by the Council of Europe. Art. 8 ECHR was adopted as a classic negative right, meant to protect citizens from arbitrary interference into their personal “sphere”. Due to the dynamic nature of the ECHR, the personal sphere is capable of encompassing multiple aspects – private and family life, home and correspondence. Nowadays, the aspects of privacy that might be interfered with by surveillance, as well as the separation of subcategories, have increased due to the development of technology. For example, one could think of: (i) privacy of the person, concerned with the privacy of an individual’s body; (ii) privacy of personal behaviour; (iii) privacy of personal communication; (iv) privacy of personal data; (v) privacy of location and space; (vi) privacy of association; and (vii) privacy of thoughts and feelings. Chile is the first country in the world to have included the protection of neurorights in its Constitution.
However, the right to privacy emerged well before the rise of the information society. The latter subsequently introduced new risks to privacy, particularly in the realm of “informational privacy”. This necessitated the development of specific and proactive rules governing the collection and use of personal information. It is also in this context that the right to data protection emerged as an independent right.
9.3 Right to Privacy v. Right to Data Protection
The right to privacy is a widely recognised human right – one that has received recognition at the international level and is included in multiple international human rights treaties. As already mentioned, the right to privacy is contained in art. 8 ECHR and art. 7 EU CFR. The right is also present in art. 7 of the American Convention on Human Rights. Interestingly, an explicit right to privacy is not mentioned in the African Charter on Human and Peoples’ Rights. However, it can be argued that such a right can be read into the text of the African Charter through the right to respect for life and integrity of the person (art. 4). Nonetheless, the right to privacy has also been deemed a standard of public international law, as one of the modern pillars of democracy, safeguarding autonomy and dignity.
Alongside the right to privacy, a considerably more recent right is the right to data protection. The right to data protection is not internationally recognised as a human right. It is rather a fundamental right established within, inter alia, the EU legal framework (art. 8 EU CFR). This means that the right to data protection is not a universal right – it is only applicable as a separate right insofar as countries have introduced it in their domestic legal systems. In order to understand the historical development of the right, it is worth mentioning that some jurisdictions had introduced legal frameworks on data protection even before the Council of Europe or the EU established its own recognition of the right. Notable examples are the 1970 Data Protection Statute introduced by the State of Hesse (at the time in the Western part of Germany) and the 1973 Data Protection Act introduced in Sweden.
At an international level the protection of personal data was first introduced in 1981 in the Council of Europe Convention 108. The Convention introduced various principles for the processing of personal data. It only entered into force in 2004 and until this day, it is the only legally binding international instrument in the field of personal data protection ratified by 44 countries (including 8 countries that are not members of the Council of Europe).
Presently, fundamental rights included in the EU Charter of Fundamental Rights (for example, the right to life, the prohibition of torture, the right to private life, etc.) are not directly reflected in the EU Treaties and secondary laws. The right to protection of personal data is an exception. The right is reflected in the Treaty on the Functioning of the European Union (art. 16) and in secondary legislation (e.g. GDPR, LED, etc.). This is linked historically with the nature of the European Union as an economic organisation, not, strictly speaking, an organisation created for safeguarding human rights or fundamental rights. Thus, because personal data have intrinsic economic value in the data economy, the right to data protection is viewed as naturally belonging to the field of competencies of the EU and has obtained more attention in the EU than other fundamental rights in the Charter.
The current data protection secondary law in the European Union was adopted in 2016 and became applicable and enforceable as of 25 May 2018. It includes, among other laws, the ‘General Data Protection Regulation’ (GDPR) and the ‘Law Enforcement Directive’ (LED) for the police and criminal justice sector. The data protection laws were adopted as an essential step to strengthening citizens’ fundamental rights in the digital age and to facilitate business by simplifying rules for companies in the Digital Single Market. At the time of writing, a reform of the GDPR has been initiated by the European Commission. The reform will touch upon two aspects of the GDPR: (i) procedural rules relating to the enforcement of the GDPR; (ii) changes to record-keeping obligations.
As a result of all these legislative developments, the right to data protection has been separated from the right to privacy in the EU. This can be noted also in the wording of the law itself. While the predecessor of the GDPR, the Data Protection Directive (1995), made a direct link between the right to privacy and data protection in its art. 1, the GDPR does not mention the right to privacy in any of the articles. The right to privacy is only mentioned once in the Preamble of the GDPR (recital 4), together with other fundamental rights listed in the EU CFR.
GDPR, Recital 4: The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
Being a fundamental right, data protection does not just protect personal data. It protects individuals – the natural living persons to whom the personal data belong. As such, it results in a broader protection of values such as dignity, personality, non-discrimination and democracy, and it serves as an “essential prerequisite” for the exercise of other human or fundamental rights. In today’s data-driven world, protecting personal data increasingly determines to what extent other rights can be protected and enjoyed by individuals.
9.4 Lawful limitation of the right to data protection
The right to data protection within the EU is enshrined in art. 8 EU CFR and in art. 16 TFEU. Both of these instruments are primary law of the European Union codifying the existence of the right to data protection. The EU Charter is the legal instrument which establishes the protection of fundamental rights across the Union and also prescribes the conditions for lawful interference with these rights. Most fundamental rights are, indeed, not absolute and are subject to limitation. Such limitation, however, cannot be arbitrary and has to abide by art. 52(1) EU CFR.
1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
2. Rights recognised by this Charter for which provision is made in the Treaties shall be exercised under the conditions and within the limits defined by those Treaties.
3. In so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection.
4. In so far as this Charter recognises fundamental rights as they result from the constitutional traditions common to the Member States, those rights shall be interpreted in harmony with those traditions.
5. The provisions of this Charter which contain principles may be implemented by legislative and executive acts taken by institutions, bodies, offices and agencies of the Union, and by acts of Member States when they are implementing Union law, in the exercise of their respective powers. They shall be judicially cognisable only in the interpretation of such acts and in the ruling on their legality.
6. Full account shall be taken of national laws and practices as specified in this Charter.
7. The explanations drawn up as a way of providing guidance in the interpretation of this Charter shall be given due regard by the courts of the Union and of the Member States.
Art. 52 EU CFR generally deals with the limitation and interpretation of the rights contained in the EU Charter. In its first paragraph, the article codifies established jurisprudential practice – namely, that fundamental rights can, under specific circumstances, be interfered with.[1] The article’s unique position within the Charter serves as a general limitation clause and is thus applicable to art. 8 – the right to data protection. So long as a limitation complies with art. 52(1) EU CFR and its requirements, it is to be considered lawful.
Should the EU CFR be applicable in accordance with art. 51(1) CFR, violations and complaints for these violations must A) fall within the scope of a right (ratione personae, materiae, and tempore); B) prove an interference has occurred; C) analyse whether the interference can be justified in the meaning of art. 52(1) CFR.
The test for lawful limitation in art. 52(1) CFR contains the following cumulative conditions:
- The limitation must be provided for by law;
- The limitation must respect the essence of the right;
- The limitation must be proportionate;
- The limitation must have the objective of a general interest recognized by the Union or the protection of the rights and freedoms of others (and genuinely meet this objective).
Condition 1: provided for by law
This condition is an essential feature of the rule of law and is similar to the “prescribed by law” requirement contained in provisions of the ECHR. Within the Union legal framework, the concept of “law” can be interpreted broadly, encompassing primary and secondary EU legislation, national legislation – written and unwritten, so long as these legal rules are adequately accessible, formulated with sufficient precision and foreseeable. The law serving as basis for interference must be in force and legal in itself.[2]
Condition 2: respect for the essence of the right
This criterion is undoubtedly the most difficult to define and thus apply. While it is clear from the wording of art. 52(1) CFR that affecting the essence of a right is unlawful, not much more is provided in terms of defining the concept of “essence”. Essence is the inalienable core of a right, but what forms the core? It is subject to scholarly debate whether the notion carries independent absolute weight or whether it should/could also be subjected to a balancing exercise with, e.g., other fundamental rights.[3]
The CJEU has also not been too clear about what defines and constitutes the “essence” of a fundamental right. In joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Others, the CJEU ruled that Directive 2006/24/EC on data retention violated fundamental rights under the EU CFR. The Directive required telecommunications providers to retain metadata (e.g., call logs, location data) for up to 24 months, which the Court found to be a disproportionate and generalized interference with privacy and data protection rights (arts. 7 and 8 EU CFR). The concept of “essence” was mentioned and considered; however, it was decided that it was not infringed, even though the Directive was declared invalid.
Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others EU:C:2014:238
Relevant paragraphs:
- [38] Article 52(1) of the Charter provides that any limitation on the exercise of the rights and freedoms laid down by the Charter must be provided for by law, respect their essence and, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
- [39] So far as concerns the essence of the fundamental right to privacy and the other rights laid down in Article 7 of the Charter, it must be held that, even though the retention of data required by Directive 2006/24 constitutes a particularly serious interference with those rights, it is not such as to adversely affect the essence of those rights given that, as follows from Article 1(2) of the directive, the directive does not permit the acquisition of knowledge of the content of the electronic communications as such.
- [40] Nor is that retention of data such as to adversely affect the essence of the fundamental right to the protection of personal data enshrined in Article 8 of the Charter, because Article 7 of Directive 2006/24 provides, in relation to data protection and data security, that, without prejudice to the provisions adopted pursuant to Directives 95/46 and 2002/58, certain principles of data protection and data security must be respected by providers of publicly available electronic communications services or of public communications networks. According to those principles, Member States are to ensure that appropriate technical and organisational measures are adopted against accidental or unlawful destruction, accidental loss or alteration of the data.
- [59] Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.
- [60] Secondly, not only is there a general absence of limits in Directive 2006/24 but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law.
- [61] Furthermore, Directive 2006/24 does not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use (…)
- [62] In particular, Directive 2006/24 does not lay down any objective criterion by which the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued (…)
- [63] Thirdly, so far as concerns the data retention period, Article 6 of Directive 2006/24 requires that those data be retained for a period of at least six months, without any distinction being made between the categories of data set out in Article 5 of that directive on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned.
- [65] It follows from the above that Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.
- [66] Moreover, as far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. In the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down.
- [69] Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.
- [73] … Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is invalid.
In another judgement, Schrems I, the CJEU ruled on the violation of the condition of ‘essence of the right’. A comparison of the CJEU reasoning in both cases shows that the Court links the essence of the right to the existence or the lack thereof of the possibility for an individual to pursue legal remedies for the protection of the right.
- [94] In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (see, to this effect, judgment in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 39).
- [95] Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter. The first paragraph of Article 47 of the Charter requires everyone whose rights and freedoms guaranteed by the law of the European Union are violated to have the right to an effective remedy before a tribunal in compliance with the conditions laid down in that article. The very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law (see, to this effect, judgments in Les Verts v Parliament, 294/83, EU:C:1986:166, paragraph 23; Johnston, 222/84, EU:C:1986:206, paragraphs 18 and 19; Heylens and Others, 222/86, EU:C:1987:442, paragraph 14; and UGT-Rioja and Others, C‑428/06 to C‑434/06, EU:C:2008:488, paragraph 80).
Condition 3: Proportionality
The principle of proportionality is a general principle of EU law. An assessment of proportionality with reference to human rights often aims to achieve and rationalize legal discourse. Proportionality is assessed through its own set of steps.
Stage 1 Does the interfering measure follow a legitimate goal?
A measure interfering with a fundamental right can only be justified if it pursues a legitimate goal, an objective of a general interest recognized by EU law. Such objectives, broadly speaking, are contained in art. 3 TEU, art. 4(1) TEU, art. 35(3) TFEU, art. 36 TFEU, art. 346 TFEU. In the context of the right to data protection, more details about objectives of general interest will be provided in Condition 4 below. Generally, so long as the measure is not arbitrarily applied, it usually passes the legitimate purpose stage.
Stage 2 Is the interfering measure appropriate and suitable for reaching the legitimate goal?
Any measure restricting fundamental rights must be first of all appropriate or suitable to protect the interests that require protection. A measure is considered as appropriate and suitable for reaching a goal if there is a rational connection, a real contribution towards achieving the legitimate goal.
Stage 3 Is the interfering measure necessary for reaching the legitimate goal?
The necessity requirement usually is twofold in itself. On the one hand, analysis by the CJEU will be conducted to establish whether there were less intrusive measures which could have been taken. The “intruder” of the fundamental right has to substantiate the choice of action. This threshold is much higher to achieve. On the other hand, necessity also encompasses proportionality stricto sensu, which requires a balancing exercise of competing interests. This balancing is especially complex as it supposes that a comparison must be made between, e.g., two fundamental rights. How does one weigh one fundamental right against another?
It needs to be kept in mind, though, that the CJEU does not always distinguish between the second and the third step of the test. Suitability and necessity are often discussed together under the umbrella of proportionality.
Condition 4: Objectives of general interest & rights of others
Restrictions to the right of data protection are further specified in art. 23 GDPR. The article serves as a lex specialis by providing specific grounds under which Union or Member State law may restrict certain data protection rights and obligations to safeguard important objectives of general public interest.
Article 23 GDPR
1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
a. national security;
b. defence;
c. public security;
d. the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
e. other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
f. the protection of judicial independence and judicial proceedings;
g. the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
h. a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
i. the protection of the data subject or the rights and freedoms of others;
j. the enforcement of civil law claims.
9.5 Conclusion
The right to data protection in Union law, enshrined in art. 8 of the EU CFR and art. 16 TFEU, is a distinct fundamental right that ensures that natural living persons have control over their personal data and the way the data is processed. While closely related to the right to privacy under art. 7 EU CFR and art. 8 ECHR, the right to data protection in the EU has a number of characteristics that distinguish it. The right focuses primarily on the lawful processing of personal data, the transparency of such processing and the accountability of controllers, rather than just providing the conditions for non-interference. Unlike privacy, which protects against unjustified intrusions, data protection establishes proactive safeguards and positive obligations when handling personal data. Similarly to the right to privacy, data protection is not an absolute right – it can be lawfully restricted provided that any interference is in compliance with the conditions provided by the law. The importance of the right extends beyond individual autonomy, playing a crucial role in democratic governance, digital economy regulation and fundamental rights protection in an era of mass data collection and AI-driven decision-making.
Brainstorming Exercise
- Can you think of potential situations where there is an interference with the right to privacy or with the right to data protection but not an interference with both rights at the same time?
- Do you think the distinction between the right to privacy and the right to data protection in the EU has any merits, or is it just a legal complication?
Extra readings
Milaj, J. (2020). Safeguarding Privacy by Regulating the Processing of Personal Data – An EU Illusion? European Journal of Law and Technology, 11(2).
Brkan, M. (2018). The Concept of Essence of Fundamental Rights in the EU Legal Order: Peeling the Onion to its Core. European Constitutional Law Review, 14(2).
Lock, T. (2019). Article 52 CFR, in Kellerbauer, Klamert and Tomkin (eds), The EU Treaties and the Charter of Fundamental Rights: A Commentary.
[1] Case C-292/97 Kjell Karlsson and Others [2000] ECLI:EU:C:2000:202, para 45.
[2] Tobias Lock, 'Article 52 CFR', in Manuel Kellerbauer, Marcus Klamert and Jonathan Tomkin (eds), The EU Treaties and the Charter of Fundamental Rights: A Commentary (online edn, OUP 2019) 2249-2250 <https://doi-org.proxy-ub.rug.nl/10.1093/oso/9780198759393.003.577> accessed 23 March 2025.
[3] Lock (n 2), 2251; Maja Brkan, 'The Concept of Essence of Fundamental Rights in the EU Legal Order: Peeling the Onion to its Core' (2018) 14(2) European Constitutional Law Review 332, 335-338 <https://doi.org/10.1017/S1574019618000159> accessed 23 March 2025.