8. Data Protection as a Fundamental Right
Outline of this chapter
In this chapter we will focus on the development of the right to data protection in the European Union. The protection of personal data emerged as a fundamental right which is closely linked to but distinct from the right to privacy. Where the right to privacy encompasses a broad range of protections in the realm of personal autonomy and freedom from intrusive measures, data protection under EU law has a rather specialised role. The right to data protection focuses on the control, processing and security of personal information, and by extension – the natural persons to whom this information refers.
We will first turn our attention to the similarities and differences between human rights and fundamental rights. This analysis will help us better understand the nature of data protection and privacy, as well as the emerging challenges within the scope of these rights.
The main goal of this chapter is to give the reader insight into the growing importance of data protection – not only as a right in its own right, but also as an instrument for upholding other fundamental rights. Maintaining stability and balance in the digital world is challenging, and it begins with a clear recognition of the core principles of the right to data protection.
Human Rights v. Fundamental Rights
Human rights can be found in international law and are considered inherent to all human beings. They should be universally applied irrespective of nationality, race, ethnicity, religion, gender, sexual orientation, etc. Often human rights are enshrined in international treaties – such as, for example, the UDHR, the ICCPR and the ICESCR. Human rights can also be found in customary international law and general principles of international law.
Fundamental rights are those used in a constitutional context. They can be specific to a domestic legal order and therefore be subject to varying approaches and protections depending on the State’s law. Often, when a State ratifies a treaty and becomes party to it, it will transpose international law human rights into domestic law fundamental rights. In this sense, fundamental rights are not universal; they are applicable to individuals belonging to a national/regional legal framework. The European Union has chosen to use the term “fundamental rights” to describe the obligations of Member States toward persons residing in the Union.
Historical Highlights
After World War II, human rights frameworks were established without considering data protection. The emphasis was placed on the right to privacy. An example of this development is the European Convention on Human Rights (ECHR), adopted in 1950 by the Council of Europe. Art. 8 ECHR was adopted as a classic negative right, meant to protect citizens from arbitrary interference into their personal “sphere”. Due to the dynamic nature of the ECHR, the personal sphere is capable of encompassing multiple elements – private and family life; one’s body, property and home; secrecy of correspondence and protection for confidential matters.
The right to privacy emerged well before the rise of the information society. The latter subsequently introduced new risks to privacy, particularly in the realm of “informational privacy”. This necessitated the development of specific and proactive rules governing the collection and use of personal information. It is in this context that the right to data protection emerged as an independent right.
Right to Privacy v. Right to Data Protection
The right to privacy is a widely recognised human right – one that has received recognition at the international level and is included in multiple international human rights treaties. As already mentioned, the right to privacy is contained in art. 8 ECHR and art. 7 EU CFR. Such obligations are also present in art. 7 of the American Convention on Human Rights. Notably, an explicit right to privacy is not mentioned in the African Charter on Human and Peoples’ Rights; however, arguments have been made that such a right can be read into the text of the African Charter through the right to respect for life and integrity of the person (art. 4). The right to privacy has also been deemed a standard of public international law, as one of the modern pillars of democracy, safeguarding autonomy and dignity.
Alongside the right to privacy, a considerably more recent right is the right to data protection. The right to data protection is not internationally recognised as a human right. It is rather a fundamental right established within, inter alia, the EU legal framework (art. 8 EU CFR). This means that the right to data protection is not a universal international one – it is only applicable insofar as Member States of the Union have implemented the Charter within their domestic legal systems. Therefore, the right to data protection is a fundamental right in certain States. It is worth mentioning that certain States had introduced legal frameworks for data protection before the EU established its own recognition of the right. Notable examples are the 1970 Data Protection Statute (Hesse, Germany) and the 1973 Data Protection Act (Sweden).
At an international level the protection of personal data was first introduced in the Council of Europe Convention 108. The Convention introduced various principles for the processing of personal data. Until this day, it is the only legally binding international instrument in the field of personal data protection.
Presently, the fundamental rights included in the EU Charter (for example, the right to life, the prohibition of torture and the right to private life) are not directly reflected in the EU Treaties; the protection of personal data is an exception. The right is reflected in the Treaties (art. 16 TFEU) and secondary legislation (GDPR, etc.) because of the economic value that personal data have. The right to data protection is viewed as naturally belonging to the field of competencies of the EU.
The data protection reform package which entered into force in May 2016 and became applicable as of May 2018 includes the General Data Protection Regulation (GDPR) and the “Law Enforcement Directive” (LED) for the police and criminal justice sector. The reform package was presented as an essential step to strengthening citizens’ fundamental rights in the digital age and to facilitate business by simplifying rules for companies in the Digital Single Market.
As a result of these legislative developments, the right to data protection has been, at least formally, separated from the right to privacy. This can also be seen in the change in the legal wording of the laws. The Data Protection Directive of 1995 made a direct link between privacy and data protection in its art. 1, while the GDPR does not mention the right to privacy in any of its articles. The right is only mentioned in the Preamble of the GDPR, together with other fundamental rights listed in the EU CFR.
GDPR, Recital 4: The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
Other Protected Aspects
Being a fundamental right, data protection does not just protect data; it protects individuals – the natural persons to whom the data belongs. As such, it results in a broader protection of values such as dignity and personality, and serves as an “essential prerequisite” for the exercise of other human or fundamental rights. In today’s data-driven world, protecting data increasingly determines to what extent other rights can be ensured and enjoyed.
Lawful Limitation
The right to data protection within the Union is enshrined in art. 16 TFEU and art. 8 EU CFR. Both of these instruments are primary law of the European Union codifying the existence of the right to data protection. The EU Charter, which is largely influenced by the ECHR, is the legal instrument which identifies fundamental rights across the Union and prescribes rules for lawful interference. Most fundamental rights are, indeed, not absolute and subject to limitation. Such limitation, however, cannot be arbitrary and has to abide by art. 52(1) EU CFR.
1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
2. Rights recognised by this Charter for which provision is made in the Treaties shall be exercised under the conditions and within the limits defined by those Treaties.
3. In so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection.
4. In so far as this Charter recognises fundamental rights as they result from the constitutional traditions common to the Member States, those rights shall be interpreted in harmony with those traditions.
5. The provisions of this Charter which contain principles may be implemented by legislative and executive acts taken by institutions, bodies, offices and agencies of the Union, and by acts of Member States when they are implementing Union law, in the exercise of their respective powers. They shall be judicially cognisable only in the interpretation of such acts and in the ruling on their legality.
6. Full account shall be taken of national laws and practices as specified in this Charter.
7. The explanations drawn up as a way of providing guidance in the interpretation of this Charter shall be given due regard by the courts of the Union and of the Member States.
Art. 52 EU CFR generally deals with the scope and interpretation of the rights contained in the EU Charter. In its first paragraph, the CFR codifies established jurisprudential practice – namely, that fundamental rights can, under specific circumstances, be interfered with.[1] The article’s unique position within the Charter serves as a general limitation clause and is thus applicable to art. 8 – the right to data protection. So long as a limitation complies with art. 52(1) EU CFR and its requirements, it is to be considered lawful.
Should the EU CFR be applicable in accordance with art. 51(1) CFR, the assessment of an alleged violation must A) establish that the matter falls within the scope of a right (ratione personae, materiae and temporis); B) establish that an interference has occurred; C) analyse whether the interference can be justified within the meaning of art. 52(1) CFR.
The test for lawful limitation in art. 52(1) CFR contains the following cumulative conditions:
- The limitation must be provided for by law;
- The limitation must respect the essence of the right;
- The limitation must be proportionate;
- The limitation must have the objective of a general interest recognized by the Union or the protection of the rights and freedoms of others (and genuinely meet this objective).
Condition 1: provided for by law
This condition is an essential feature of the rule of law and is similar to the “prescribed by law” requirement contained in provisions of the ECHR. Within the Union legal framework, the concept of “law” can be interpreted broadly, encompassing primary and secondary EU legislation, national legislation – written and unwritten, so long as these legal rules are adequately accessible, formulated with sufficient precision and foreseeable. The law serving as basis for interference must be in force and legal in itself.[2]
Condition 2: respect for the essence of the right
This criterion is undoubtedly the most difficult to define and thus to apply. While it is clear from the wording of art. 52(1) CFR that affecting the essence of a right is unlawful, not much more is provided in terms of defining the concept of “essence”. Essence is the inalienable core of a right, but what forms the core? It is subject to scholarly debate whether the notion carries independent absolute weight or whether it should/could also be subjected to a balancing exercise with, e.g., other fundamental rights.[3]
The CJEU has also not been too clear about what defines and constitutes “essence” of a fundamental right. In joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Others, the CJEU ruled that Directive 2006/24/EC on data retention violated fundamental rights under the EU CFR. The Directive required telecommunications providers to retain metadata (e.g., call logs, location data) for up to 24 months, which the Court found to be a disproportionate and generalized interference with privacy and data protection rights (arts. 7 and 8 EU CFR). The concept of “essence” was mentioned and considered, however not in depth. The Court highlighted the lack of safeguards to protect data and ensure proportionality. As a result, the Directive was declared invalid.
Joined Cases C‑293/12 and C‑594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others [2014] ECLI:EU:C:2014:238
Relevant paragraphs:
- [38] Article 52(1) of the Charter provides that any limitation on the exercise of the rights and freedoms laid down by the Charter must be provided for by law, respect their essence and, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
- [39] So far as concerns the essence of the fundamental right to privacy and the other rights laid down in Article 7 of the Charter, it must be held that, even though the retention of data required by Directive 2006/24 constitutes a particularly serious interference with those rights, it is not such as to adversely affect the essence of those rights given that, as follows from Article 1(2) of the directive, the directive does not permit the acquisition of knowledge of the content of the electronic communications as such.
- [40] Nor is that retention of data such as to adversely affect the essence of the fundamental right to the protection of personal data enshrined in Article 8 of the Charter, because Article 7 of Directive 2006/24 provides, in relation to data protection and data security, that, without prejudice to the provisions adopted pursuant to Directives 95/46 and 2002/58, certain principles of data protection and data security must be respected by providers of publicly available electronic communications services or of public communications networks. According to those principles, Member States are to ensure that appropriate technical and organisational measures are adopted against accidental or unlawful destruction, accidental loss or alteration of the data.
- [59] Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.
- [60] Secondly, not only is there a general absence of limits in Directive 2006/24 but Directive 2006/24 also fails to lay down any objective criterion by which to determine the limits of the access of the competent national authorities to the data and their subsequent use for the purposes of prevention, detection or criminal prosecutions concerning offences that, in view of the extent and seriousness of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, may be considered to be sufficiently serious to justify such an interference. On the contrary, Directive 2006/24 simply refers, in Article 1(1), in a general manner to serious crime, as defined by each Member State in its national law.
- [61] Furthermore, Directive 2006/24 does not contain substantive and procedural conditions relating to the access of the competent national authorities to the data and to their subsequent use (…)
- [62] In particular, Directive 2006/24 does not lay down any objective criterion by which the number of persons authorised to access and subsequently use the data retained is limited to what is strictly necessary in the light of the objective pursued (…)
- [63] Thirdly, so far as concerns the data retention period, Article 6 of Directive 2006/24 requires that those data be retained for a period of at least six months, without any distinction being made between the categories of data set out in Article 5 of that directive on the basis of their possible usefulness for the purposes of the objective pursued or according to the persons concerned.
- [65] It follows from the above that Directive 2006/24 does not lay down clear and precise rules governing the extent of the interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter. It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.
- [66] Moreover, as far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data. In the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down.
- [69] Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.
- [73] … Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC is invalid.
Condition 3: proportionate
The principle of proportionality is a general principle of EU law. An assessment of proportionality with reference to human rights often aims to achieve and rationalize legal discourse. Proportionality is assessed through its own set of steps.
Stage 1 Legitimate goal
A measure interfering with a fundamental right can only be justified if it pursues a legitimate goal, an objective of a general interest recognized by EU law. Such objectives, broadly speaking, are contained in art. 3 TEU, art. 4(1) TEU, art. 35(3) TFEU, art. 36 TFEU, art. 346 TFEU. In the context of the right to data protection, more details about objectives of general interest will be provided in Condition 4 below. Generally, so long as the measure is not arbitrarily applied, it usually passes the legitimate purpose stage.
Stage 2 Suitability
A measure is suitable if there is a rational connection, a real contribution it brings about toward achieving the legitimate goal. In practice, this stage is also not problematic to pass. Actions which interfere with fundamental rights are rarely taken without a logical pursuit of an objective, therefore, the suitability requirement is rather straightforward.
Stage 3 Necessity
The necessity requirement usually is twofold in itself. On the one hand, analysis by the CJEU will be conducted to establish whether there were less intrusive measures which could have been taken. The “intruder” of the fundamental right has to substantiate the choice of action. This threshold is much higher to achieve. On the other hand, necessity also encompasses proportionality stricto sensu, which requires a balancing exercise of competing interests. This balancing is especially complex as it supposes that a comparison must be made between, e.g., two fundamental rights. How does one weigh one fundamental right against another?
Condition 4: objectives of general interest & rights of others
Restrictions to the right of data protection are further specified in art. 23 GDPR. The article serves as a lex specialis by providing specific grounds under which Union or Member State law may restrict certain data protection rights and obligations to safeguard important objectives of general public interest.
Article 23 GDPR
1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.
Conclusion
The right to data protection in Union law, enshrined in art. 8 of the EU CFR and art. 16 TFEU, is a distinct fundamental right that ensures individuals have control over their personal data and the way it is processed. While closely related to the right to privacy under art. 7 EU CFR and art. 8 ECHR, data protection is broader, focusing on lawful processing, transparency, and accountability rather than just freedom from interference. Unlike privacy, which protects against unjustified intrusions, data protection establishes proactive safeguards/positive obligations for handling personal data. This right, however, is not absolute – it can be lawfully restricted, specifically under art. 23 GDPR, provided such limitations are necessary, proportionate, and respect the essence of fundamental rights. Its significance extends beyond individual autonomy, playing a crucial role in democratic governance, digital economy regulation and fundamental rights protection in an era of mass data collection and AI-driven decision-making.
[1] Case C-292/97 Kjell Karlsson and Others [2000] ECLI:EU:C:2000:202, para 45.
[2] Tobias Lock, 'Article 52 CFR', in Manuel Kellerbauer, Marcus Klamert and Jonathan Tomkin (eds), The EU Treaties and the Charter of Fundamental Rights: A Commentary (online edn, OUP 2019) 2249-2250 <https://doi-org.proxy-ub.rug.nl/10.1093/oso/9780198759393.003.577> accessed 23 March 2025.
[3] Lock (n 2), 2251; Maja Brkan, 'The Concept of Essence of Fundamental Rights in the EU Legal Order: Peeling the Onion to its Core' (2018) 14(2) European Constitutional Law Review 332, 335-338 <https://doi.org/10.1017/S1574019618000159> accessed 23 March 2025.