Hostname: page-component-cd9895bd7-fscjk Total loading time: 0 Render date: 2024-12-23T04:40:28.123Z Has data issue: false hasContentIssue false

The Essence of the Fundamental Rights to Privacy and Data Protection: Finding the Way Through the Maze of the CJEU’s Constitutional Reasoning

Published online by Cambridge University Press:  04 September 2019

Abstract

In the constitutional shaping of the concept of essence of fundamental rights, the case law of the Court of Justice of the EU (“CJEU” or “the Court”) in the field of privacy and data protection plays a crucial role. The Court’s interpretation of this notion had a considerable impact not only jon perception of the essence in other fields of law, but also on the constitutional doctrine more generally. This Article focuses on specificities of the notion of essence of fundamental rights to privacy and the protection of personal data from Articles 7 and 8 of the Charter of Fundamental Rights of the EU. After a general analysis, situating this notion into the framework of multi-level protection of fundamental rights in Europe, the Article addresses further interpretative challenges relating to the essence in the Court’s case law. At the core of the analysis are the Schrems and Digital Rights Ireland cases, where the CJEU developed, for the first time, the modalities of the breach of essence of fundamental rights to privacy and data protection and laid down constitutional foundations for interpretation of this notion. Further jurisprudence, including the Tele2 Sverige and Opinion 1/15 cases, is analyzed as an example of fine-tuning of the CJEU’s approach towards the normative understanding of this concept. Against this backdrop, the Article elaborates on the importance of insights in the fields of privacy and data protection for the general constitutional understanding of the concept of essence and proposes a generalized method for determination of infringement of essence in fundamental rights jurisprudence.

Type
Article
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by-nc/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.
Copyright
© 2019 The Author. Published by Cambridge University Press on behalf of the German Law Journal

A. Introduction

This Article focuses on the specificities of the notion of essence of the fundamental right to privacy enshrined in Article 7 of the Charter of Fundamental Rights of the European UnionFootnote 1 and the fundamental right to protection of personal data epitomized in Article 8 of the Charter. Both fundamental rights play a pioneering role in the understanding of this concept, not only because the Court of Justice of the European UnionFootnote 2 established the interference with the essence of a fundamental right for the first time in its privacy and data protection jurisprudence,Footnote 3 but also because it subsequently developed an extensive case law around this notion precisely through interpretation of the two fundamental rights. In the landscape of protection of essence, privacy and data protection therefore play a prominent constitutional role, even though the methodology used by the Court and its conclusions on interference with the essence are contentious and can be subject to criticism. The Court’s case law on this issue can be depicted as a muddled maze where the final destination remains concealed due to reasoning that is full of meanders and unpredictable curves. Against this background, this Article aims to critically assess the findings of the Court regarding the essence in its rich case law on data protection and privacy and to propose a methodological approach that the Court should use when assessing whether the essence of a fundamental right has been interfered with.

The Article is based upon the following structure: After a general introduction, situating the notion of essence into the framework of multi-level protection of fundamental rights in Europe and proposing a test to determine the interference with the essence—Section B—it addresses further interpretative challenges relating to this notion in privacy and data protection case law of the CJEU. Section C therefore focuses specifically on the essence of the fundamental right to privacy, whereas Section D explores the specificities of this concept within the ambit of the fundamental right to protection of personal data.Footnote 4 In both parts, the cornerstone of the analysis focuses on cases Digital Rights Ireland Footnote 5 and Schrems Footnote 6 where the CJEU developed, for the first time, the modalities of the breach of essence of fundamental rights to privacy and data protection and laid down constitutional foundations for interpretation of this notion. Further relevant cases, including the Tele2 Sverige Footnote 7 and Opinion 1/15,Footnote 8 are equally examined in detail as an example of fine-tuning of the CJEU’s approach towards the understanding of this concept. The final part—Section E—delivers concluding observations on the importance of insights in the fields of privacy and data protection for the general constitutional conceptualization of the notion of essence.

B. The Theoretical Foundations of Essence in the EUFootnote 9

I. A Quick Look into Member States’ Constitutional Law

The notion of essence of fundamental rights cannot be analyzed in detachment from a broader constitutional context, notably the EU Member States’ constitutional law.Footnote 10 Indeed, this concept has long attracted vivid attention of scholars studying constitutional law of the EU Member States, notably in Germany,Footnote 11 Spain,Footnote 12 Portugal,Footnote 13 Hungary,Footnote 14 and Slovakia.Footnote 15 Certain Member States, as well as third countries, expressly prohibit interference with the essence of fundamental rights in their constitutions,Footnote 16 and constitutional courts of particular Member States have equally embraced this concept in their case law, sometimes even without a corresponding reference to the essence in national constitutions.Footnote 17 Despite different avenues of recognizing the essence in national constitutional orders of EU Member States, their main purpose remains the same: To prevent the holder of the fundamental right to be stripped of the inalienable core of her fundamental right.

Differently, other Member States, such as France, Italy, Slovenia, or Croatia, decided not to embed this concept into their constitutions. It is arguable whether this discrepancy between different constitutional approaches towards the essence should be seen as a simple semantic difference, or rather as reflecting a deeper conceptual disagreement on whether the existence of essence in a constitutional order is necessary in the fundamental rights protection landscape. In any event, the constitutional orders of various Member States seem to differ on the questions of whether every fundamental right possesses an untouchable core and whether a separate protection of such a core is necessary or even appropriate. In particular, in Germany, where the notion of essence (Wesensgehalt) originates from, scholars to this date disagree whether this concept should be seen as having a merely declaratory natureFootnote 18 or whether it also plays a more practical role, serving as a concrete test to determine interferences with the core of fundamental rights.Footnote 19 At the heart of the quest of (not) seeing essence as an independent concept lies its relationship with the principle of proportionality: If all interferences with fundamental rights, even the most blatant ones, can be identified in application of the proportionality balancing, does the notion of essence still retain an independent value? An intuitive answer to this question seems to be a negative one, but this answer leads to the next question: Can all interferences be determined in application of the principle of proportionality?

The academic responses of national constitutional doctrine and the practice of national constitutional courts to this question are diverse and can largely be classified into two approaches or theories.Footnote 20 According to the absolute theory, every fundamental right has an untouchable core, which brings it outside the scope of application of the principle of proportionality.Footnote 21 It has been asserted that the existence of essence can be justified only if it is “definable independently of proportionality and perform[s] a distinct role in preventing certain forms of state action….”Footnote 22 Differently, the relative approach constructs essence as a redundant concept, building upon the premise that all interferences with fundamental rights can be determined with the deployment of the principle of proportionality.Footnote 23 This latter approach questions the usefulness and added value of the concept of essenceFootnote 24 and designates it as a non-viable alternative to proportionality.Footnote 25 This dilemma, originating from the national constitutions and the related doctrine, came to light also with the binding nature of the Charter which, in Article 52(1), guarantees that “[a]ny limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms.”Footnote 26 Before addressing the question of interpretation of this notion within the framework of privacy and data protection, a more general question of whether the notion of essence should have an independent value in the system of EU fundamental rights protection must be addressed first.

II. Essence and Proportionality: A Relationship in Need of Clarification

It is submitted that the notion of essence, as enshrined in Article 52(1) of the Charter, should be interpreted as an independent constitutional concept that is not part of the principle of proportionality.Footnote 27 Such an approach allows for the possibility to identify interferences with the core of a fundamental right independently from proportionality balancing by distinguishing between interferences with the essence of fundamental rights and other interferences, including particularly serious ones.Footnote 28 The first argument in favor of this view lies in the textual interpretation of Article 52(1) of the Charter.Footnote 29 In the structure of this provision, the quest for respect of essence appears in the first sentence: “Any limitation on the exercise of the rights … must … respect the essence of those rights and freedoms,” whereas the requirement that the limitations must comply with the principle of proportionality can be found only in the second sentence. This separation seems to indicate that the determination of the interference with the essence and all other types of—justified or unjustified—interferencesFootnote 30 with a fundamental right are submitted to two different tests. The wording of Article 52(1) of the Charter, therefore, seems to confirm the practical value of essence.

The second reason supporting the claim that the essence should be seen as an independent concept is a jurisprudential one: It builds upon the case law of the CJEU where the essence was undeniably recognized as an independent concept.Footnote 31 On the one hand, this holds true for the case law on the “very substance” of fundamental rights in the pre-Charter era, which can be seen as a predecessor and a source for codification of essence into the Charter.Footnote 32 Indeed, despite the fact that the Explanations to the Charter do not explicitly recognize the notion of the “very substance” as being the source for the essence, they do expressly refer to the case law that prohibits “undermining the very substance” of fundamental rights,Footnote 33 which indicates that this case law remains relevant for the interpretation of the notion of essence in the post-Charter jurisprudence.Footnote 34 On the other hand, it is undeniable that the CJEU, in its post-Charter judgments, such as Digital Rights Ireland,Footnote 35 Schrems,Footnote 36 and Alemo-Herron,Footnote 37 acknowledges the independent value of the concept of essence by markedly verifying whether the essence of the fundamental rights has been interfered with.

The third argument in favor of independent value of essence is a purpose-based argument. The essence represents an additional safeguard for the protection against the most extreme and blatant interferences with fundamental rights for which justifications do not exist. If there is no possible justification for an interference, the proportionality balancing cannot be performed, which potentially leads to an impairment of essence of a fundamental right. An example of such an impairment is if a Member State offers absolutely no safeguards to protect data of its citizens and entirely disregards both Article 8 of the Charter and the EU secondary legislation that gives expressionFootnote 38 to this fundamental right. Another example of interference with the essence, say of the fundamental right not to be tried or punished twice in criminal proceedings—Article 50 of the Charter—would be if the EU institutions decided to repeal this fundamental right altogether.Footnote 39 The Schrems case offers another illustration of impairment of essence, namely of the right to effective judicial protection—Article 47 of the Charte). The circumstance that the data subject did not have any legal remedies whatsoever allowing her to gain access to data and rectification or erasure of data transferred to the United States under the Safe Harbor agreement led the Court rightly to the conclusion that the essence of this fundamental right is not respected.Footnote 40 To the contrary, when overriding reasons exist, the interference with a fundamental right should follow proportionality analysis. A good illustration is the Ministerio Fiscal case where the Court did not analyze the impairment of essence because there was no need to do so.Footnote 41 The access of public authorities to data helping to identify thieves of a mobile phone could be justified by the objective of prevention of criminal offenses.Footnote 42 These examples demonstrate that the application of and interference with the essence need to be reserved for rare cases on which the principle of proportionality does not have a grip. The inclusion of this notion into the Charter thus accentuates the inalienable nature of fundamental rights more generally and gives the addressees an additional safeguard of protection.

III. How to Establish an Impairment of Essence?

The approach proposed above prompts the question of the appropriate test for determining whether the essence of a fundamental right from the Charter has been impaired. It is submitted that this test should have two prongs.Footnote 43 The first step of analysis should consist of verifying whether the interference with a fundamental right makes it impossible to exercise this rightFootnote 44 or even undermines the sheer existence of this right. In the terminology of the CJEU, it needs to be verified whether the interference “calls into question”Footnote 45 the fundamental right as such. Second, the interference with the essence can be identified only if there are no legitimate reasons in public interest that can override such an interference.Footnote 46 The reasoning for this second prong of the test lies in the differentiation between the interferences that can be detected on the basis of the proportionality and the interferences of essence of a fundamental right. As soon as an overriding reason for interference can be identified, the CJEU should be prompted to apply the proportionality balancing, thus excluding the possibility of interference with the essence of this fundamental right.

Overriding reasons that cannot justify an interference are those that do not pursue “objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others,” as required by Article 52(1) of the Charter. As spelled out in the Explanations to this Charter provision, the general interests of the Union are, inter alia, promotion of peace, establishment of internal market, creation of an area of freedom, security, and justice, promotion of social justice and solidarity—Article 3 of the TEU—as well as observance of the principle of conferral—Article 4(1) of the TEU. Further, fundamental rights might be limited with the rights of others. It is quite possible to imagine grounds that do not meet these standards. Imagine an example where the state abolishes the right to vote for all women on the ground that women represent a threat to the state’s democracy. This would not only call into question the existence of this fundamental right for this particular group of people—first prong of the test—but the justification would also not meet a standard of a legitimate overriding interest—second prong of the test. The recent democracy and rule of law crisis in Hungary and Poland offers further examples. For instance, Hungary has notoriously denied the right to asylum, guaranteed by Article 18 of the Charter,Footnote 47 to refugees and asylum seekers with arguments that “these [migrants] are not refugees, because they arrive through safe countries into Europe” and that “migrants are terrorists.”Footnote 48 In a democratic society, which is one of the values on which the EU is founded, such arguments are devoid of quality of justifications for fundamental rights infringements.Footnote 49 In the absence of another legitimate justification, denying the right to asylum to those asylum seekers could interfere with the essence of their fundamental right of asylum.

Should the CJEU decide to follow the suggested approach, the question arises whether this may lead to tension with the jurisprudence of the European Court of Human RightsFootnote 50 which equally recognizes the possibility of impairment of essence, without always following a consistent test. Indeed, in certain cases, the ECtHR uses the principle of proportionality to determine whether an essence of a fundamental right was interfered with.Footnote 51 In other cases, the Strasbourg court distinguishes the proportionality test from the test for interference with the essence.Footnote 52 The main question that needs to be clarified in this regard is whether the CJEU needs to follow, on the one hand, the (inconsistent) Strasbourg approach or, on the other hand, the conclusion of this court on whether the essence of a fundamental right was impaired. In other words, if the ECtHR finds an interference with the essence of a particular fundamental right, can the CJEU, in the same factual circumstances, conclude that this is “merely” a disproportionate interference? Article 52(3) of the Charter namely requires that the Union has to guarantee either the same or “more extensive protection” of those fundamental rights “which correspond to rights” from the ECHR.

It is submitted that the CJEU should follow the approach of the ECtHR insofar as possible, however, only to the extent that the latter court actually considers the impairment of essence as a distinct test from proportionality. If the Strasbourg court’s conclusion on essence is de facto an application of the principle of proportionality, this should not prevent the CJEU from finding an interference disproportionate. In an inverse situation, where the Strasbourg court finds that a particular measure is disproportionate, the CJEU would not be precluded from applying the essence test. It is not excluded that the jurisprudence of both courts on this issue would gradually converge or that the CJEU approach would even have an impact on its Strasbourg counterpart. However, in Big Brother Watch v United Kingdom,Footnote 53 where the ECtHR extensively referred to Digital Rights Ireland,Footnote 54 it did not engage with the question of whether the secret surveillance schemes interfere with the essence of Article 8 ECHR.

Against this theoretical background, this Article further elaborates on the CJEU’s approach towards the essence of fundamental rights to privacy and protection of personal data. The focus lies on the critical examination of the case law of this court, in particular, on the meanders of constitutional reasoning and particularities of judicial construction of the notion of essence.

C. The Essence of the Fundamental Right to Privacy: Much Ado About Content

I. The Introduction of the Content Debate: Digital Rights Ireland

In the constitutional landscape of essence, the fundamental right to privacy enshrined in Article 7 of the Charter plays a prominent and distinctive role. Indeed, the discussion about what constitutes the essence of this fundamental right began with the CJEU’s seminal decision in Digital Rights Ireland, which is the first case where the Court interpreted this Charter notion.Footnote 55 The Court took the opportunity to give interpretative guidance on the notion of essence within the framework of the analysis of the compatibility of the contentious Data Retention DirectiveFootnote 56 with the fundamental rights to privacy and data protection from the Charter.Footnote 57 The aforementioned directive obliged telecommunication and internet service providers to retain a wide range of data relating to their users, notably their name and address, date, time, duration, and type of communication, as well as IP addresses of users of Internet services.Footnote 58 In its ruling, the CJEU invalidated the directive on the grounds that it violated the fundamental rights to privacy and data protection.Footnote 59 The Court, however, did not reach this conclusion on the account of the interference with the essence of those rights. Rather, the extensive retention of data was seen as a particularly serious interference with those rights,Footnote 60 which was not strictly necessary, and hence disproportionate, to attain the objective of the investigation, detection, and prosecution of serious crime.Footnote 61

In the Court’s reasoning, the analysis of the essence of the fundamental right to privacy is curiously placed within the part of the judgment on justification of the interference with both abovementioned fundamental rights. While the Opinion of Advocate General Cruz Villalón is entirely silent on the question of whether the controversial legislation impairs the essence of those rights,Footnote 62 the Court uses the scope and type of the data retained as a benchmark to assess whether the essence of the fundamental right to privacy has been affected. According to the Court, the retention of data prescribed by the directive “is not such as to adversely affect the essence” of the right to privacy because “the directive does not permit the acquisition of knowledge of the content of the electronic communications as such.”Footnote 63 This conclusion of the Court deserves critical observations from two perspectives: the constitutional and the factual.

The constitutional critique addresses the Court’s perception of essence as a quantitatively—and not qualitatively—different intrusion from the particularly serious interference. Indeed, while the Court seems to base its reasoning on a rather intuitive assumption that the access to the content of electronic communications constitutes a more serious interference than the vast collection of metadata about such communications, it does not flesh out in any way why it is precisely the access to content that would justify the leap in the designation of the type of interference.Footnote 64 The Court seems to perceive the intrusion into the essence as the most serious of all possible intrusions and access to content of the data as an expression of such an intrusion, but it unfortunately fails to explain why the acquisition of knowledge of content could equally not be qualified as a particularly serious interference.

Contrary to what the Court claims, however, the interference with the essence should be seen as a different type of infringement of a fundamental right, subjected to a different methodology for determination of infringement. Consequently, even if the Data Retention Directive allowed for access to the content of electronic communications, that would still constitute a particularly serious disproportionate interference with the fundamental right to privacy and not an interference with its essence. If the notion of essence is to be limited to the most extreme cases of interferences which call into question the existence of a particular fundamental right or prevent the addressee to exercise her right, and for which no overriding reasons exists, the conclusion such as the one of the Court would not be possible. Indeed, as long as the infringement of the fundamental right to privacy, even though through access to content of communication, can be potentially justified by the overriding reason of the fight against serious crime, there is no reason why such an interference could not be covered by a classic proportionality balancing, leading to the conclusion that the interference is (dis)proportionate.

II. A Ray of Hope: Tele2 Sverige

A further critique of Digital Rights Ireland is of a factual nature. As clarified in the later Tele2 Sverige case,Footnote 65 the distinction between the content data and metadata that the Court introduces in Digital Rights Ireland is not only somewhat artificial, but also based on an unconfirmed premise that access to content data necessarily constitutes a greater interference with privacy of users of electronic communications.Footnote 66 That premise might indeed hold true in an environment of limited amount of data collected, but is difficult to advocate in a big data setting of blanket and non-targeted retention of data. This issue was addressed by both the Advocate General and the Court in the Tele2 Sverige case, which raised the question of compatibility with EU law of national legislations that were adopted for the purposes of transposition of the Data Retention Directive and that remained in force after the invalidation of the latter.Footnote 67

As accurately demonstrated by Advocate General Saugmandsgaard Øe, access to metadata can sometimes have the same or an even greater impact on privacy of users of electronic communications compared to content data that might be more cumbersome to be analyzed given the vast amount of data collected.Footnote 68 The Advocate General gives an example of identification of citizens who oppose government policies; identifying them might be more difficult based on content of their communications rather than based on metadata, such as inclusion on anti-government mailing lists or participation in protests.Footnote 69 Other examples could include identification, through location metadata on visits of certain shops, of people who have recently acquired or wish to acquire a weapon; identification, through phone calls to particular medical practitioners, of patients with a particular disease;Footnote 70 identification, through calling or e-mailing of support organizations, of people with alcohol or drug addictions; or people with certain religious beliefs, through mailing lists or location data demonstrating visits of places of worship.Footnote 71

Metadata can thus reveal information about an individual’s sensitive data, whose processing is in principle prohibited by the General Data Protection Regulation,Footnote 72 unless one of the exceptions applies.Footnote 73 Moreover, the collection of metadata can be problematic because of the possibility of automated analysis.Footnote 74 As Ojanen correctly points out, “the distinction between the content … and metadata … is rapidly fading away in a modern network environment.”Footnote 75 In its judgment in Tele2 Sverige, the Court seemed to have embraced this idea by initially putting metadata and content data on an equal footing and recognizing that drawing up a profile of the users “is no less sensitive, having regard to the right to privacy, than the actual content of communications.”Footnote 76

Despite this initial finding, the mantra of interference with the essence of fundamental right to privacy whenever the measure allows access to content of electronic communications strangely persists in both the Court’s and Advocate General’s further reasoning in Tele2 Sverige. In the case of the opinion of the Advocate General, this could perhaps still be explained—but not justified—by the fact that the opinion analyzes the question of interference with the essence priorFootnote 77 to the analysis of the factual impact of generalized and non-targeted data collection.Footnote 78 To the contrary, in the Court’s analysis, the repetition of this reasoning seems contradictory, given that the conclusion on lack of interference with the essence of fundamental right to privacy comes just two paragraphs after the Court acknowledged that profiling of individuals is “no less sensitive” than acquisition of content of communications.Footnote 79 Even though the Court in Tele2 Sverige did not find an interference with the essence, but rather a particularly serious interference with the fundamental rights from Articles 7 and 8 of the Charter, there is still a tension in its reasoning. Despite the fact that the case generally resounded broadly in the doctrineFootnote 80 and online commentaries,Footnote 81 the issue of essence received little attention in the academic literature.Footnote 82

III. Generalized Access to Content as a Benchmark: Schrems

Deplorably, it is precisely the circumstance of access to content data that led the CJEU in Schrems—which preceded the Tele2 Sverige case—to the conclusion that mass surveillance measures compromise the essence of the fundamental right to privacy.Footnote 83 In Schrems, the Court was essentially called upon to adjudicate on the question of whether the Safe Harbor Privacy Principles guaranteed an adequate level of protection of personal data transferred from the EU to the U.S. and, consequently, whether the Commission DecisionFootnote 84 confirming that such an adequate level of protection is guaranteed by those principles, is valid.Footnote 85 The case was brought in the aftermath of Edward Snowden’s revelations that the U.S. National Security Agency gained access to the vast amount of data that was transferred to U.S. companies and organizations under the Safe Harbor Privacy Principles. The Principles namely legally allowed for derogation from its safeguards whenever the U.S. legislation imposed on those companies and organizations conflicting obligations in the interest of national security, public interest or law enforcement requirements.Footnote 86

In its analysis, the Court opined that the legislation that allows “public authorities to have access on a generalised basis to the content of electronic communications” compromises the essence of the fundamental right to privacy.Footnote 87 In adopting this approach, the Court seemed to follow the opinion of Advocate General Bot who, for his part, relies on a contrario reasoning to the one in Digital Rights Ireland: Access to the content of private data would automatically lead to the interference with the essence of the fundamental right to private life.Footnote 88 As argued above, however, access to the content of data should not automatically lead to the conclusion that the interference with the fundamental right to privacy adversely affects its essence. Even though it is understandable that the Court wanted to point out the gravity of the interference, it would have been doctrinally more appropriate to qualify it as a particularly serious interference.

Furthermore, the finding of interference with the essence in Schrems is problematic from a methodological perspective as well since the Court came to this conclusion after it already decided that the measure in question is not in accordance with the principle of proportionality.Footnote 89 In light of the methodology for determining the interference with the essence proposed above, the application of the principle of proportionality excludes the possibility of interference with the essence and only allows for a conclusion that the measure constitutes a justified or unjustified (dis)proportionate interference. Nevertheless, the Court first established that the legislation that authorizes generalized storage of the entirety of personal data transferred from the EU to the US, without differentiating the storage period on the basis of the objective pursued and without limiting the access to this data depending on objective criteria, is not limited to what is strictly necessary.Footnote 90

It is curious to note that the Court applied the necessity part of the proportionality test without precisely identifying the overriding reason in public interest that could potentially justify the generalized storage of personal data transferred from the EU to the US.Footnote 91 The Court merely concluded that a legislation that “authorises, on a generalised basis, storage” of such data, “without any differentiation, limitation or exception being made in the light of the objective pursued,” interferes with the essence of privacy,Footnote 92 but it remains unclear what exactly constitutes such an objective. From the Court’s judgment, it can only be speculated that the overriding reason equals the ones allowing for derogation from Safe Harbor Privacy Principles, that is, protection of (U.S.) national security (U.S.) public interest, or (U.S.) law enforcement requirements.Footnote 93 It cannot be excluded that the Court wanted to avoid proportionality balancing of a non-EU interest, such as U.S. national security or public interest, with the EU fundamental right to privacy, and hence reduced the proportionality analysis merely to the necessity test.Footnote 94 It is, however, undeniable that an overriding reason of public interest existed. Therefore, there was no need to proceed to the conclusion that this measure also interferes with the essence of the fundamental right to privacy. Regrettably, the Court seems to construct the interference with the essence as an example of a disproportionate measure: After concluding that the measure in question is not limited to what is strictly necessary,Footnote 95 the Court goes on to state that, “in particular,” this measure compromises the essence of the right to privacy.

In the Commission’s adequacy decision on Privacy Shield,Footnote 96 adopted in the aftermath of the Schrems case, the Commission does not expressly—but rather implicitly—come to the conclusion that the U.S. legislation no longer interferes with the essence of the fundamental right to privacy.Footnote 97 The Commission points out that the U.S. legislation now conforms to the standard set out in that judgment, which does not allow storage of personal data on a generalized basis.Footnote 98 It further points out that the U.S. intelligence activities “touch only a fraction of the communications traversing the internet” which excludes “that there would be access ‘on a generalised basis’ to the content of electronic communications….”Footnote 99 While this last finding seems to be sufficient to establish lack of interference with the essence, it appears that the Commission did not strictly require the U.S. authorities to forbid any type of access to the content of such communication. Non-generalized access to the content of communication still seems to be allowed under the Privacy Shield, while generalized access is prohibited. While the Commission considers the U.S. level of protection as appropriate, it is questionable whether this criterion is indeed met in practice. The contentious Section 702 of the U.S. Foreign Intelligence Surveillance Act (“FISA”) is described in the Privacy Shield as allowing access to content “targeting certain non-U.S. persons outside the United States….”Footnote 100 In the past, the requirement of “targeting” from Section 702 FISA did not seem to prevent mass surveillance or blanket collection of content data which raised not only academic concerns,Footnote 101 but also led to numerous challenges before U.S. courts against this section of FISA.Footnote 102 The full revision of this Section of FISAFootnote 103 and the scope of the new U.S. Liberty ActFootnote 104 go beyond the scope of this Article, but the question whether the U.S. legislation indeed does not allow for access to content on a generalized basis still remains open.Footnote 105 Indeed, incompatibility of the new Privacy Shield standards with the essence of this fundamental right due to the generalized access to data is one of the core arguments in the pending case La Quadrature du Net and Others v Commission.Footnote 106

IV. Turning to a Quantitative Benchmark: Opinion 1/15

Finally, it is crucial to analyze the findings of the Court in the Opinion 1/15 on the compatibility of the draft EU-Canada Passenger Name Record (PNR) AgreementFootnote 107 with the fundamental rights to privacy—and data protection—from the Charter. The envisaged agreement allowed for collection and sharing of the PNR data, that is data about “each journey booked by or on behalf of any passenger,”Footnote 108 for example the name of the passenger, dates of reservation and travel, information about frequent flyer membership, contact information, payment information, travel itinerary, baggage, seat information, and other data.Footnote 109 On the basis of the agreement, the Canadian authorities could receive PNR data of EU data subjects for the purposes of preventing, investigating or prosecuting terrorist offences or serious crime,Footnote 110 and for other purposes.Footnote 111 The objective of transferring the PNR data to Canada was therefore to ensure public security and the use of this data for prevention of terrorist offenses and serious transnational crime.Footnote 112 Given the panoply of data that could be transferred and processed on the basis of this agreement, the Court found that it was incompatible with Articles 7 and 8 of the Charter, but not on the account of the interference with the essence of these fundamental rights. After an extremely precise analysis,Footnote 113 the Court concluded, rather, that several provisions of the envisaged agreement exceeded what is strictly necessary to achieve the abovementioned objective and thus constitute disproportionate interferences with those fundamental rights.Footnote 114

Nevertheless, the Court made some constitutionally important observations about the essence of the fundamental right to privacy. It justified the lack of interference with the essence of this fundamental right by pointing out that even though “PNR data may, in some circumstances, reveal very specific information concerning the private life of a person,” this information is still limited only to “certain aspects of that private life, in particular, relating to air travel between Canada and the European Union.”Footnote 115 This reasoning essentially follows the reasoning from the opinion of Advocate General Mengozzi who stressed that the “data in question continues to be limited to the pattern of air travel between Canada and the Union.”Footnote 116 From the perspective of type of data collected compared to data collected in Schrems, it has been argued that this conclusion is logical.Footnote 117 From a constitutional perspective, however, the Court distances itself both from its case law where the benchmark was access to content data, as well as from its case law where the interference with the fundamental right should not call into question the existence of the fundamental right. Rather, it adopts a position that the interference with the essence of the right to privacy is a question of a degree of interference with the fundamental right, given that it takes as a benchmark the limited nature of the acquired and processed data.Footnote 118 In that sense, a parallel could perhaps be drawn with Digital Rights Ireland where access to content was also a manifestation of a higher degree of interference. Nevertheless, these divergent findings on essence make it difficult to define how exactly the Court conceptualizes the essence of fundamental rights.Footnote 119

D. The Essence of the Fundamental Right to Data Protection: Maximum Standard Becomes a Minimum One

I. Introduction of Minimum Standard: Digital Rights Ireland

The examination of the case law of the CJEU shows that the essence of the fundamental right to data protection is an even more elusive concept than the essence of the right to privacy. In its efforts to distinguish the two fundamental rights, the Court seems to struggle with the scope of the fundamental right to data protection, including instances of when its essence would be adversely affected. As a result of that struggle, the Court often perplexingly portrays data protection as a minimalistic right limited to security measures, in particular, in the context of blanket retention of data.

As an example of this approach, the judgment in Digital Rights Ireland can be put forward. In this case, the Court adopted an extremely restrictive and technical approach by considering that the essence of this fundamental right is not adversely affected because the contentious Data Retention Directive required the respect of “certain principles of data protection and data security….”Footnote 120 In specifying these principles, the Court specifically singled out the importance of adoption of “appropriate technical and organisational measures … against accidental or unlawful destruction, accidental loss or alteration of the data….”Footnote 121 As Lynskey correctly points out, data security, as well as technical and organizational measures, are mentioned nowhere in Article 8 of the Charter.Footnote 122 This leaves the reader wondering why these measures should have constitutional relevance at all and, even more so, why exactly they could prevent the adverse effect on essence of this fundamental right.Footnote 123 In its reasoning, the Court narrows down the core of the fundamental right to data protection to minimum safeguards of data protection and data security prescribed by the Data Retention Directive. In consequence, this approach makes the essence of this right a minimum standard rather than a maximum one and places the threshold for compliance with the essence rather low.Footnote 124

This conclusion of the Court deserves a critical reflection. Non-interference with the core of a right should not be not tantamount to observance of minimum safeguards for data protection. If compliance with these minimum standards was sufficient to not adversely affect the essence, how would it then still be possible to conclude that Data Retention Directive disproportionally interferes with the fundamental right to data protection at all? The way the test of compliance with the essence should be construed is exactly the opposite: Compliance with minimum standards of data protection and data security is not sufficient to prevent interference with the fundamental right to data protection, but the interference with this right is not of the kind to adversely affect the essence of this right. Seeing the essence of a fundamental right as a minimum standard devoids this concept of its purpose and misconstrues its role in the fundamental rights protection landscape.

II. The Mantra of Content Continues: Tele2 Sverige

A further case relevant for the interpretation of the notion of essence of the fundamental right to data protection is Tele2 Sverige.Footnote 125 In this case, the Court seemed to discontinue its minimalistic approach developed in Digital Rights Ireland. Differently, it applied the reasoning from this latter judgment on access to the content to electronic communications, developed in the framework of the right to privacy, to the right to protection of personal data. More precisely, the Court extended this finding to data protection by stating that the Member State legislation in question “does not permit retention of the content of a communication and is not, therefore, such as to affect adversely the essence of those rights,”Footnote 126 where “those” refers both to the fundamental right to privacy, as well as the fundamental right to data protection.

Purely methodologically speaking, this approach puts both fundamental rights on the same footing and demonstrates that the same interference can call into question the essence of both rights. While this seems indeed feasible and methodologically possible, the substance of the argument, as mentioned already above, contradicts the remainder of the Court’s reasoning in Tele2 Sverige. As analyzed above, the Court namely clearly states that establishing a profile on the basis of metadata is “no less sensitive” than access to content.Footnote 127 This finding begs a question: If the access to metadata is really to be treated equally as access to content data, why does the former not interfere with the essence of the fundamental rights as well? While the Court in Tele2 Sverige decidedly remedies the rather artificial distinction between content and metadata from the perspective of their practical impact, it fails to draw further constitutional consequences and acknowledge that this distinction is not an appropriate test for determination of interference with the essence of neither fundamental right to data protection nor the fundamental right to privacy.

III. Consolidation of Minimum Standard: Opinion 1/15

In Opinion 1/15, given the different nature of data collected, the Court moved away from its reasoning that couples the interference with the essence to the content of data. According to the Court, the envisaged PNR-Canada agreement did not adversely affect the essence of fundamental right to data protection because this agreement, first limited “the purposes for which PNR data may be processed,” and second laid down rules to ensure “the security, confidentiality and integrity of that data, and to protect it against unlawful access and processing….”Footnote 128 Below, this Article analyzes both prongs of this reasoning: Compliance with the purpose limitation principle and availability of data security measures.

The second prong relating to measures to ensure security, confidentiality, and integrity of data will be examined first. This part of the Court’s reasoning is a rather clear indication that the Court considers essence as a minimum requirement of fundamental rights compliance. The Court seems to commit a similar fallacy as in Digital Rights Ireland of treating the essence as a minimum standard of protection. In an a contrario reasoning, it seems difficult to imagine that absence of data security measures could lead to interference with the essence of the fundamental right to data protection or even, for that matter, interference with that fundamental right at all. Rather, the absence of these measures would simply be a violation of secondary legislation requiring data security measures to be put in place.Footnote 129

The first prong of the Court’s reasoning raises a broader constitutional question of whether an interference with an element of a fundamental right to data protection expressly provided by Article 8 of the Charter automatically leads to an interference with the essence of this fundamental right. Even though the Court in Opinion 1/15 does not make an express reference to the text of Article 8 of the Charter, its reasoning on limitation of purposes of processing could be understood from the perspective of compliance with purpose limitation principle integrated into Charter’s Article 8(2).Footnote 130 Given the wording of Article 8(2) of the Charter, could it be claimed that this principle is an essential element of the fundamental right to data protection, the non-observance of which leads to interference with the essence of this fundamental right?

Seen more generally, Article 8 of the Charter offers a much more precise regulation compared to the fundamental right to privacy—Article 7—in that it—in an innovative wayFootnote 131—takes over to the constitutional level certain safeguards that need to be guaranteed to the data subject. By virtue of Article 8, the principles of fairness of processing and purpose limitation gained constitutional status, together with the requirement that processing always needs a legitimate basis, such as consent.Footnote 132 It remains unclear why this right expressly includes fairness and purpose limitation principlesFootnote 133 and not also other principles, such as data minimization.Footnote 134 This is particularly interesting, given that the Directive 95/46,Footnote 135 which was, according to the Explanations to the Charter, one of the sources for drafting of this provision,Footnote 136 also regulated other principles beyond fairness and purpose limitation.Footnote 137 A plausible explanation is that the constitutional legislator had to draw a line between those elements that have a prime importance to protect data and other elements that can be sufficiently well protected with secondary legislation. Constitutional status is further given to the right of access to dataFootnote 138 and the right to rectification of data.Footnote 139 Finally, the Charter recognizes supervision of compliance with data protection rules by an independent supervisory authority to be an integral part of the fundamental right to data protection.Footnote 140 González Fuster points out that all of these elements stem from international data protection instruments.Footnote 141

The inclusion of these specific elements into the constitutional right to data protection evidently raises the question of whether the interference with any of these elements immediately leads to interference with the essence of the fundamental right to data protection. For example, if a data subject is denied access to her data or if data was processed without her consent, does that automatically adversely affect the essence of this fundamental right? This Article submits that this should not be the case. While the abovementioned elements are indeed constitutive of this fundamental right, in order for the essence to be impaired, the interference has to make it impossible to exercise this right or call into question the existence of this right. Unless this threshold is met, it does not seem that the interference with any of those elements would automatically go beyond an ordinary interference with this fundamental right. A different interpretation would mean that almost every interference with this fundamental right would lead to interference with its essence, a result that would be contrary to Article 52(1) of the Charter.

IV. Essence in EU Secondary Legislation on Data Protection

The requirement of respect of essence of fundamental right to data protection is not only embedded into the Charter, but also into the secondary legislation. The GDPR makes reference to the concept of essence on three occasions. The first two relate to lawful grounds of processing of special categories of data,Footnote 142 one on processing that is “necessary for reasons of substantial public interest”Footnote 143 and the other on processing for archiving, scientific or historical research, and statistic purposes.Footnote 144 In both cases, the GDPR requires that the processing has to be proportionate to the aim it pursues, that it has to “respect the essence of the right to data protection” and provide for suitable safeguards for protection of data subject’s fundamental rights. All of the fundamental rights safeguards from Article 52(1) of the Charter thus have to be respected when using these grounds of processing, including the standard of essence.

The third instance of the use of essence relates to the possibility of introducing legislative restrictions to data protection principles or data subjects’ rights.Footnote 145 Such a restriction has to be proportionate, respect the essence of fundamental rights, and be limited to one of the grounds enumerated in the GDPR, such as national security, defense, public security, prevention or prosecution of criminal offences, or the protection of judicial independence.Footnote 146 The Directive on Data Protection in Criminal MattersFootnote 147 similarly mentions the need to respect the essence of fundamental rights in the case of restriction of data subject’s rights, albeit only in the recital.Footnote 148 The reference to the protection of essence within the framework of Article 23 of the GDPR was briefly mentioned by Advocate General Campos Sánchez-Bordona in the recent Deutsche Post case.Footnote 149 Because the restriction of data subjects’ rights was not at stake in this case, however, the Court did not proceed with the analysis of impairment of essence.Footnote 150 It is perhaps important to note that Article 23 of the GDPR does not specifically refer to the essence of data protection, but to the fundamental rights more generally. Indeed, in case of restriction of rights, other fundamental rights might be relevant, such as the prohibition of discriminationFootnote 151 or the right to an effective remedy.Footnote 152

V. Does “Essentially Equivalent” Equal “Essence”? A Postscript to Schrems

The last point to be addressed is a specificity of the Schrems judgment, where the question of compatibility with the essence of fundamental right to data protection was not at issue. With regard to this judgment, it seems important to clarify whether the standard of essentially equivalent protection that a third country needs to offer to data transfersFootnote 153 equals the protection of essence of a fundamental right to protection of personal data.Footnote 154 This Article submits that the notion of essentially equivalent level of protection and the concept of essence of fundamental rights should not be equated. The standard of essentially equivalent protection namely refers not only to the fundamental rights standard, but also and even in particular to the level of protection provided by the EU secondary legislation.Footnote 155 This indicates that the essentially equivalent protection is a broader concept which can provide for a more detailed regime of data protection rights and safeguards. Obviously, this regime is required to respect the fundamental right to data protection, but not only its essence: Rather, the regime itself needs to be in compliance with all aspects of this, and other, fundamental rights. Interpreting an essentially equivalent standard as equalling essence would mean that foreign legislation needs to avoid only the most extreme cases of fundamental rights’ infringements, whereas it should, in fact, be seen as an obligation of a third country to provide for concrete measures to protect data of EU data subjects.

E. Conclusion

The present Article shows that the interference with the essence of the fundamental rights to privacy and data protection should be determined on a case by case basis, and that this examination needs to respect the distinction between (particularly serious) interferences that need to be examined within the framework of the principle of proportionality and interferences with the essence of those fundamental rights. The notion of essence of a fundamental right does not imply that certain parts of this right are more essential than others. Rather, the essence should be seen as interfered with whenever the fundamental right as such is called into question, such as through abolition by constitutional legislature, or whenever there is an impossibility to exercise this right, such as the interference with the fundamental right to effective judicial protection in Schrems.Footnote 156 In practice, this necessarily implies that interferences with the essence can occur in many different factual circumstances.Footnote 157

Purely doctrinally, however, it is important to keep in mind that the distinction between a (particularly serious) disproportionate interference and the interference with the essence is of a qualitative nature. In other words, as long as the interference can be subject to proportionality balancing, it falls within the category of a (dis)proportionate intrusion. An example of this approach is the recent Ministerio Fiscal case, where the Court omitted the analysis of essence in the presence of objectives that could justify the interference with the fundamental rights to privacy and data protection.Footnote 158

In consequence, cases where the essence of a fundamental right is adversely affected are limited to rare and exceptional circumstances where the application of the principle of proportionality is not possible due to the absence of overriding reasons in public interest. Regardless of the numerous meanders of the CJEU’s reasoning that sometimes comes across as a true maze, the Court developed the first contours of the notion of essence precisely through its rich jurisprudence in the field of privacy and data protection. A challenging task for the Court in the future is thus not only to develop a clearer normative framework on the essence,Footnote 159 but also to reach a higher degree of coherence in its jurisprudence, a goal that will probably be achieved hand in hand with the development of the normative framework itself.

Footnotes

*

Associate Professor, Faculty of Law, Maastricht University. The author is grateful to Christopher Docksey, Christopher Kuner, and Hielke Hijmans for their comments during the “meet the author” event titled “In search of the concept of essence of EU fundamental rights through the prism of data privacy,” organized by the Brussels Privacy Hub on April 20, 2018. Furthermore, the author would like to thank the organizers—Mark Dawson, Orla Lynskey, and Elise Muir—and participants of the conference “The Essence of Fundamental Rights in EU Law,” held on May 17-18, 2018 in Leuven, for their observations on an earlier draft of this paper.

References

1 Charter of Fundamental Rights of the European Union, Oct. 26, 2012, 2012 O.J. (C 326) 391 [hereinafter Charter].

2 Hereinafter “CJEU” or “the Court.”

3 See ECJ, Case C-362/14, Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:650, Judgment of 6 October 2015.

4 The analysis of the distinction between the two fundamental rights exceeds the scope of this chapter. For discussion in the doctrine, see Orla Lynskey, The Foundations of EU Data Protection Law 91, et seq., (2015); Maria Tzanou, Data protection as a fundamental right next to privacy? ‘Reconstructing’ a not so new right, 3 Int’l Data Privacy L. 88–99 (2013); Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU 268 et seq. (2014); Aidan Forde, The Conceptual Relationship Between Privacy and Data Protection, 1 Cambridge L. Rev. 135–49 (2016); Maja Brkan, Courts, Privacy and Data Protection in the Digital Environment 13–17 (Maja Brkan & Evangelia Psychogiopoulou eds., 2017).

5 ECJ, Joined Cases 293 & 594/12, Digital Rights Ireland v. Minister for Commc’n, ECLI:EU:C:2014:238, Judgment of 8 April 2014.

6 Schrems, Case C-362/14.

7 ECJ, Case C-203/15 Tele2 Sverige AB v. Post-och telestyrelsen et al., ECLI:EU:C:2016:970, Judgment of 21 December 2016.

8 Case Opinion 1/15, ECLI:EU:C:2017:592, Judgment of 26 July 2017.

9 This section draws inspiration from and builds upon the author’s previous work on the concept of essence of fundamental rights. See Maja Brkan, The Concept of Essence of Fundamental Rights in the EU Legal Order: Peeling the Onion to its Core, 14 Eur. Const. L. Rev. 332–68 (2018).

10 See generally Takis Tridimas & Giulia Gentile, The Essence of Rights: An Unreliable Boundary?, 20 German L.J. 794 (2019).

11 Eike von Hippel, Grenzen und Wesensgehalt der Grundrechte (1965); Christoph Enders, BeckOK Grundgesetz 36 (Volker Epping & Christian Hillgruber eds., 2018), paras. 19 et seq.; Barbara Remmert, Grundgesetz-Kommentar, 81 (Theodor Maunz & Günther Dürig eds., 2017), paras. 1 et seq.

12 M.E. Casas Baamonde et. al., Comentarios a la Constitución Española, 1167–68 (2008).

13 J.J. Gomes Canotilho & V. Moreira, Constituição da República Portuguesa Anotada, 394–95 (4th ed. 2007).

14 H. Küpper, Die ungarische Verfassung nach zwei Jahrzehnten des Übergangs, 92 (2007).

15 J. Drgonec, Ústava Slovenskej Republiky: Komentár, 291–92 (3d ed. 2012).

16 See, e.g., Eesti Vabariigi põhiseadus [Constitution] June 28, 1992, art. 17(2) (Est.); Grundegesetz [GG] [Basic Law], art. 19(2) (Ger.), translation at http://www.gesetze-im-internet.de/englisch_gg/englisch_gg.html; Magyarország Alaptörvénye [The Fundamental Law of Hungary], Alaptörvény, art. I(3); Konstytucja Rzeczypospolitej Polskiej [Constitution] Apr. 2, 1997, art. 31(3) (Pol.); Constitution of the Portuguese Republic, Apr. 25, 1974, art. 18; Constitutia României [Constitution] Dec. 8, 1991, art. 53(2) (Rom.); Ústava Slovenskej republiky [Constitution] Oct. 1, 1992, art. 13(4) (Slovk.); C.E., B.O.E. n. 311, Dec. 29, 1978, art. 53.1 (Spain). For third countries, see notably Art. 28, Constitución Nacional [Const. Nac.] (Arg.); Constitution of the Republic of Namibia, Feb. 9, 1990, art. 22(a); Bundesverfassung [BV] [Constitution] Apr. 18, 1999, SR 101, art. 36 (Switz.); Türkiye Cumhuriyeti Anayasası [Constitution] Nov. 7, 1982, art. 13 (Turk.).

17 See J. Kokott, Handbuch der Grundrechte in Deutschland und Europa, 891 (D. Merten & H. J. Papier eds., Müller, 2004) (pointing out that the notion of essence of constitutional rights in the Austrian constitutional order was recognized by the Austrian constitutional court); Hutten-Czapska v. Poland, App. No. 35014/97, para. 12 (June 19, 2006) (referencing the judgment of Polish Constitutional Court of 12 January 2000); S.T.C., Nov. 7, 2007 (No. 236) (Spain). See also S.T.C., Apr. 8, 1981 (No. 11) (Spain); Tribunal Constitucional Portugal, Oct. 22, 2011, No. 460/2011 (2011); Tribunal Constitucional Portugal, May 4, 1999, No. 254/99 (1999).

18 Robert Alexy, A Theory of Constitutional Rights, 193 (2004) (advocating this approach).

19 See, e.g., Walter Leisner, Grundrechte und Privatrecht 155 (1960); H. J. Papier, Grundgesetz-Kommentar 81 (Theodor Maunz & Günther Dürig eds., 2017), paras. 332 et seq.

20 Brkan, supra note 9, at 336–37.

21 See J. Rivers, Proportionality and Variable Intensity of Review, 65 Cambridge L.J. 174, 187 (2006) (explaining this theory further); Aharon Barak, Proportionality: Constitutional Rights and their Limitations 498 (2016); G. Van der Schyff, Conflicts Between Fundamental Rights 135 (E. Brems ed., 2008).

22 Rivers, supra note 21, at 184.

23 See J. Jiménez Campo, Derechos fundamentales: conceptos y garantías 22 (1999) (supporting this theory); Walter Leisner, Grundrechte und Privatrecht 155 (1960) (same); J. Kokott, Handbuch der Grundrechte in Deutschland und Europa 892 (D. Merten & H. J. Papier eds., 2004) (same).

24 Alexy, supra note 18, at 196.

25 Aharon Barak, Proportionality: Constitutional Rights and their Limitations (2016).

26 Emphasis added.

27 Brkan, supra note 9, at 337–38, 359.

28 Brkan, supra note 9, at 360, 368.

29 Brkan, supra note 9, at 360.

30 A scale of different types of interferences with a fundamental right can be established—namely: a particularly serious unjustified interference; an unjustified interference; a justified interference; and no interference.

31 Brkan, supra note 9, at 360.

32 For cases using this concept, see, e.g., ECJ, Case C-4/73, Nold KG v. Comm’n, ECLI:EU:C:1974:51, Judgment of 14 May 1974, para. 14; ECJ, Case C-44/79, Hauer v. Land Rheinland-Pfalz, ECLI:EU:C:1979:290, Judgment of 13 Dec. 1979, paras. 23, 30; ECJ, Case C-265/87, Schräder v. Hauptzollamt Gronau, ECLI:EU:C:1989:303, Judgment of 11 July 1989, para. 15; ECJ, Case C-292/97, Karlsson, ECLI:EU:C:2000:202, Judgment of 13 Apr. 2000, para. 45; ECJ, Case C-274/99 P, Connolly v. Comm’n, ECLI:EU:C:2001:127, Judgment of 6 Mar. 2001, para. 111.

33 See Explanations relating to the Charter of Fundamental Rights, 2007 O.J (C 303) 17, 32 (citing Karlsson, Case C-292/97 at para. 45).

34 Brkan, supra note 9, at 337. It is to be noted, however, that the notion of “very substance” also persists in the post-Charter case law. See, e.g., ECJ, Case C-383/13 PPU, G. & R., ECLI:EU:C:2013:533, Judgment of 10 Sept. 2013, paras. 32–33 (reference to the notion of very substance); Case C-418/11, Texdata Software, ECLI:EU:C:2013:588, paras. 71–77, 84 (same); Case C-416/10, Križan, ECLI:EU:C:2013:8, paras. 111–116 (same); Case C-314/12, UPC Telekabel Wien, ECLI:EU:C:2014:192, paras. 47, 51 (same). See ECJ, Case C-190/16, Fries, ECLI:EU:C:2017:513, Judgment of 5 July 2017, para. 75 (using the wording “actual substance”). See also id. at para. 73 (using the very substance formulation while citing previous cases). The use of “actual substance“ seems to be the consequence of a somewhat imprecise translation of the French “substance même,” given that the CJEU judgments are drafted in French. The version of the judgment in the language of the procedure—German—uses the notion of essence—Wesensgehalt. On interchangeability of “essence” and “very substance,” see also Koen Lenaerts, Limits on Limitations: The Essence of Fundamental Rights in the EU, 20 German L.J. 779 (2019).

35 Digital Rights Ireland, Joined Cases 293 & 594/12.

36 Schrems, Case C-362/14.

37 ECJ, Case C-426/11, Alemo-Herron v. Parkwood Leisure Ltd., ECLI:EU:C:2013:521, Judgment of 18 July, 2013, paras. 35–36.

38 See ECJ, Case C-555/07, Kücükdeveci v. Swedex GmbH & Co. KG, ECLI:EU:C:2010:21, Judgment of 19 Jan. 2010, paras. 21, 27, 32, 43, 50, 51, 53, 55, 56 (using the notion of secondary law giving expression to the principle of non-discrimination on grounds of age); Elise Muir, The Fundamental Rights Implications of EU Legislation: Some Constitutional Challenges, 51 Common Mkt. L. Rev. 219, 223–26 (2014). See also id. at 232 (viewing EU data protection legislation as an “interesting test-case” of such expression); Lynskey, supra note 4, at 36.

39 Admittedly, it could potentially be argued that the EU citizen could still rely on this fundamental right as a general principle of EU law.

40 Schrems, Case C-362/14 at para. 95.

41 ECJ, Case C-207/16, Ministerio Fiscal, ECLI:EU:C:2018:788, Judgment of 2 Oct. 2018, paras. 51–62.

42 Id. at paras. 52–53. A core issue in the case was whether the interference with Articles 7 and 8 of the Charter was sufficiently serious for the access of public authorities to be limited.

43 Brkan, supra note 9, at 363.

44 I am grateful to Christopher Docksey for the useful insight on using the wording “makes it impossible to exercise.”

45 ECJ, Case C-258/14, Florescu v. Casa Judeţeană de Pensii Sibiu, ECLI:EU:C:2017:448, Judgment of 13 June 2017, para. 55; ECJ, Case C-129/14 PPU, Germany v. Spasic, ECLI:EU:C:2014:586, Judgment of 27 May 2014, para. 58; ECJ, Case C-73/16, Puškár v. Finančné riaditeľstvo Slovenskej republiky, ECLI:EU:C:2017:725, Judgment of 27 September 2017, para. 64.

46 Brkan, supra note 9, at 363.

47 The argument is built on the assumption that the Charter applies. Given the existence of EU legislation in the field of asylum, it is possible to fulfil the requirement of ”implementing Union law”—under Article 51(1) of the Charter—and to establish the applicability of the Charter. See, e.g., Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on Common Procedures for Granting and Withdrawing International Protection, 2013 O.J (L 180) 1, 60.

48 See The Right to Asylum is not a Right to Global Social Health Care, Center for Fundamental Rights (Sept. 28, 2016), http://alapjogokert.hu/en/2016/09/28/the-right-to-asylum-is-not-a-right-to-global-social-health-care-2/ (last visited July 5, 2019).

49 It is somewhat surprising that the values enshrined in Article 2 TEU—democracy being one of them—is not among the provisions expressly mentioned by the Explanations to the notion of “objectives of general interests” in Article 52(1) of the Charter. But—as Peers and Prechal correctly point out—the list of Treaty articles referred to in the Explanations is not exhaustive. See Steve Peers & Sacha Prechal, The EU Charter of Fundamental Rights: A Commentary 1475 (Steve Peers et al. eds., 2014).

50 Hereinafter “ECtHR.”

51 Brkan, supra note 9, at 361–62: Kart v. Turkey, App No. 8917/05, para. 93–111 (Dec. 3, 2009), http://hudoc.echr.coe.int/eng?i=001-96007; Cudak v. Lithuania, App No. 15869/02, paras. 60–74 (Mar. 23, 2010), http://hudoc.echr.coe.int/eng?i=001-97879; Leyla Sahin v. Turkey, App. No. 44774/98 (Nov. 10, 2005), http://hudoc.echr.coe.int/eng?i=001-70956.

52 Brkan, supra note 9, at 361:; Al-Dulimi and Montana Management Inc. v. Switzerland, App. No. 5809/08, paras. 37, 151 (June 21, 2016), http://hudoc.echr.coe.int/eng?i=001-164515; Baka v. Hungary, App No. 20261/12, para. 121 (July 23, 2016), http://hudoc.echr.coe.int/eng?i=001-163113; Matthews v. United Kingdom, App. No. 24833/94, para. 65. (Feb. 18, 1999), http://hudoc.echr.coe.int/eng?i=001-58910.

53 Big Brother Watch and Others v. United Kingdom, App. Nos. 58170/13, 62322/14, 24960/15 (Sept. 13, 2018), http://hudoc.echr.coe.int/eng?i=001-186048.

54 Id. at paras 224–28, 463.

55 There is an abundant doctrine commenting upon this decision of the CJEU. See, e.g., Marie-Pierre Granger & Kristina Irion, The Court of Justice and the Data Retention Directive in Digital Rights Ireland: Telling Off the EU Legislator and Teaching a Lesson in Privacy and Data Protection, 39 Eur. L. Rev. 835 (2014); Alessandro Spina, Risk Regulation of Big Data: Has the Time Arrived for a Paradigm Shift in EU Data Protection Law?, 5 Eur. J. Risk Reg. 248 (2014); Jürgen Kühling, Der Fall der Vorratsdatenspeicherungsrichtlinie und der Aufstieg des EuGH zum Grundrechtsgericht, 31 Neue Zeitschrift für Verwaltungsrecht 681 (2014); Alexandre Cassart & Jean-François Henrotte, L’invalidation de la directive 2006/24 sur la conservation des données de communication électronique ou la chronique d’une mort annoncée, 20 Revue de jurisprudence de Liège, Mons et Bruxelles 954 (2014); Reinhard Priebe, Reform der Vorratsdatenspeicherung—strenge Maßstäbe des EuGH, Europäische Zeitschrift für Wirtschaftsrecht 456 (2014); Igor Kolar, Sodišče EU odpravilo retencijsko direktivo, 15 Pravna praksa 21 (2014). For the analysis of decisions of national courts on data retention, see Eleni Kosta, The Way to Luxemburg: National Court Decisions on the Compatibility of the Data Retention Directive with the Rights to Privacy and Data Protection 10 script-ed 339 (2013).

56 Directive 2006/24, of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, 2006 O.J. (L 105) 54.

57 The CJEU’s interpretation of the concept of essence within the framework of the fundamental right to data protection is addressed infra in Section D.

58 Digital Rights Ireland, Joined Cases 293 & 594/12 at para. 26.

59 Id. at paras. 69, 73.

60 Id. at para. 37.

61 Id. at para. 65, 69. The doctrine points out that the disproportionate nature of the interference gives a clear signal to the European legislator on deficiencies of the Data Retention Directive. See, e.g., Spiros Simitis, Die Vorratsspeicherung—ein unverändert zweifelhaftes Privileg, 67 Neue juristische Wochenschrift 2158, 2159 (2014); Priebe, supra note 55, at 458.

62 See also Orla Lynskey, The Data Retention Directive Is Incompatible With the Rights to Privacy and Data Protection and Is Invalid in Its Entirety: Digital Rights Ireland, 51 Common Mkt. L. Rev. 1789, 1803 (2014). In Paragraph 107, the Advocate General seems to see the analysis of whether the interference with the right to privacy respects the essence of this right as a separate element—on the basis of Article 52(1) of the Charter—but does not address the issue in his further examination. See ECJ, Case C-293/12, Opinion of Advocate General Cruz Villalón at para. 107, Digital Rights Ireland v. Minister for Commc’n, ECLI:EU:C:2013:845, Judgment of 12 Dec. 2013.

63 Digital Rights Ireland, Joined Cases 293 & 594/12 at para. 39 (emphasis added). Claus Dieter Classen is of the view that, even though the Court makes it clear that the essence seeks to protect the core of a fundamental right, it does not clarify on the basis of which criteria the essence should be determined. Claus Dieter Classen, Datenschutz ja—aber wie? Anmerkung zum Urteil des EuGH vom 8.4.2014, verb. Rs. C-293/12 und C-594/12 (Digital Rights Ireland u. a.), Europarecht 441, 443 (2014).

64 Granger & Irion, supra note 55, at 847, (pointing out that the Court “reverts to an outdated perspective, according to which the collection of metadata is less sensitive simply because it does not concern the content of communications,” a perception that is agreeably “increasingly contested”). See, e.g., Kühling, supra note 55, at 682 (opining less critically that the Court’s conclusion on absence of interference with the essence is correct, without touching upon the question of distinction of content- and metadata). See also Spina, supra note 55, at 252 (placing the Court’s conclusion on essence within “the narrative of risks for the individual autonomy”).

65 Tele2 Sverige, Case C-203/15.

66 Granger & Irion, supra note 55, at 847; Kolar, supra note 55, at 21 (claiming similarly that metadata allows for a rather precise description of data subject’s everyday life, which is for police often even more useful than the content data). See also Gemma Galdon Clavell, Exploring the Boundaries of Big Data 109 (Bart van der Sloot et al. eds., 2016) (pointing out that telecommunication metadata “can still reveal a great deal of personal information about a specific individual” which should not be considered as “a minor infringement of a data subject’s privacy”).

67 More precisely, the Court was prompted to answer the question of whether Article 15(1) of the ePrivacy Directive—which allowed for the retention of traffic and location data with regard to electronic communication for the purpose of fight against crime—precludes Member State legislation that allows for general and indiscriminate retention of such data. In its judgment, the Court interpreted Article 15(1) in the light of Articles 7 and 8 and answered the question in the affirmative. See Tele2 Sverige, Case C-203/15 at paras. 125, 134.

68 ECJ, Case C-203/1, Opinion of Advocate General Saugmandsgaard Øe at paras. 256–59, Tele2 Sverige AB v. Post- och telestyrelsen, ECLI:EU:C:2016:572, Judgment of 19 July 2016. For a commentary of the opinion, see Caroline Calomme, Strict Safeguards to Restrict General Data Retention Obligations Imposed by the Member States, 2 Eur. Data Protection L. Rev. 590 (2016).

69 Id. at para. 258.

70 Id. at para. 257.

71 See also Bjorn Carey, Stanford computer scientists show telephone metadata can reveal surprisingly sensitive personal information, Stanford News (May 16, 2016), https://news.stanford.edu/2016/05/16/stanford-computer-scientists-show-telephone-metadata-can-reveal-surprisingly-sensitive-personal-information/ (last visited July 5, 2019).

72 Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1 [hereinafter GDPR].

73 Id. at art. 9.

74 Iain Cameron, A. Court of Justice Balancing Data Protection and Law Enforcement Needs: Tele2 Sverige and Watson, 54 Common Mkt L. Rev. 1467, 1469 (2017).

75 Tuomas Ojanen, Privacy Is More Than Just a Seven-Letter Word: The Court of Justice of the European Union Sets Constitutional Limits on Mass Surveillance. Court of Justice of the European Union, Decision of 8 April 2014 in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, 10 Eur. Const. L. Rev. 528, 537 (2014).

76 Tele2 Sverige, Case C-203/15 at para. 99.

77 Tele2 Sverige, Case C-203/15 at paras. 155–57.

78 Id. at paras. 256 et seq.

79 Tele2 Sverige, Case C-203/15 at paras 99, 101.

80 See Alexander Roßnagel, Vorratsdatenspeicherung rechtlich vor dem Aus?, Neue juristische Wochenschrift 696, 697–98 (2017) (focusing on the consequences of the judgment for Germany); Reinhard Priebe, Vorratsdatenspeicherung und kein Ende, Europäische Zeitschrift für Wirtschaftsrecht 136, 139 (2017) (calling for a new regulation of data retention on the EU level after the judgment). See also Will R. Mbioh, Post-och Telestyrelsen and Watson and the Investigatory Powers Act 2016, 3 Eur. Data Protection L. Rev. 273 (2017); Xavier Tracol, The Judgment of the Grand Chamber Dated 21 December 2016 in the Two Joint Tele2 Sverige and Watson Cases: The need for a Harmonized Legal Framework on the Retention of Data at EU level, Comput. L. Rev. Int’l 1 (2017); Cameron, supra note 74, at 1467–95.

81 Orla Lynskey, Tele2 Sverige AB and Watson et al: Continuity and Radical Change, Eur. L. Blog (Jan. 12, 2017), https://europeanlawblog.eu/2017/01/12/tele2-sverige-ab-and-watson-et-al-continuity-and-radical-change/; Gunnar Beck, Case Comment: C-203/15 Tele2 Sverige AB v. Post-och telestyrelsen and C-698/15 SSHD v. Tom Watson & Others, eutopia l. (Jan. 13, 2017), https://eutopialaw.com/2017/01/13/; Joined Cases Tele2 Sverige AB v. Post- och telestyrelsen and Secretary of State for the Home Department v. Watson, Colum. Global Freedom Expression, https://globalfreedomofexpression.columbia.edu/cases/joined-cases-tele2-sverige-ab-v-post-och-telestyrelsen-c-20315-secretary-state-home-department-v-watson/. See also Jenny Weinand, Case Note on Joined Cases C-203/15 Tele2 Sverige AB and C-698/15 Tom Watson a.o., Eur. Broadcasting Union 1, 4 (Feb. 1, 2017) (observing that the Court did not find a breach of essence and that, “[i]n terms of the seriousness of the breach, the [Tele2] judgment is just one step below Schrems”).

82 E.g., Roland Derksen, Unionsrechtskonforme Spielräume für anlasslose Speicherung von Verkehrsdaten?, Neue Zeitschrift für Verwaltungsrecht 1005, 1009 (2017). Derksen mentions the notion of essence in the framework of analysis of the consequences of the Tele2 Sverige judgment for Germany and points out that, given that the national legislations at issue in this case did not interfere with the essence, but were considered as disproportionate, it is the CJEU that would have the final word on the compatibility of the German legislation with the requirements from the judgment.

83 Schrems, Case C-362/14 at para. 94.

84 Commission Decision 2000/520, of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, 2000 O.J. (L 215) 7.

85 Schrems, Case C-362/14 at para. 1.

86 Schrems, Case C-362/14 at paras. 84–87. See also ECJ, Case C-362/14, Opinion of Advocate General Bot at para. 177, Schrems v. Data Protection Comm’r, ECLI:EU:C:2015:627, Judgment of 23 Sept. 2015 (considering that these derogations from Safe Harbor “compromise the essence of the fundamental right to protection of personal data”).

87 Schrems, Case C-362/14 at para. 94.

88 Opinion of Advocate General Bot, supra note 86, at para. 177. See also Digital Rights Ireland, Joined Cases 293 & 594/12, at para. 39.

89 Schrems, Case C-362/14 at paras. 92–93.

90 Schrems, Case C-362/14 at para. 93.

91 Brkan, supra note 9, at 354–55.

92 Schrems, Case C-362/14 at para. 93 (emphasis added).

93 Schrems, Case C-362/14 at para. 84.

94 Loïc Azoulai & Marijn van der Sluis, Institutionalizing Personal Data Protection in Times of Global Institutional Distrust: Schrems, 53 Common Mkt L. Rev. 1343, 1365–66 (2016), (correctly observing that the Court referred to the essence “to avoid getting into the need of balancing between privacy and security”). See also Brkan, supra note 9, at 354–55.

95 Schrems, Case C-362/14 at para. 93.

96 Commission Implementing Decision 2016/1250, of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C (2016) 4176), 2016 O.J. (L 207) 1 [hereinafter Commission Decision 2016/1250].

97 This conclusion stems from paragraph 90 of the Commission Decision 2016/1250, where the Commission does not refer explicitly to the Court’s conclusion in paragraph 94 of Schrems that the Safe Harbor interferes with the essence of fundamental rights to privacy. To the contrary, the adequacy decision does specifically cite paragraph 95 of Schrems, in which the CJEU found that the legislation at stake does not respect the essence of the fundamental right to effective judicial protection. In its adequacy decision, the Commission concludes that this interference with the essence is eliminated by the fact that the U.S. provides for legal remedies to the data subjects, notably through the introduction of the Ombudsperson mechanism. See Commission Decision 2016/1250, supra note 96, at para. 124.

98 Commission Decision 2016/1250, supra note 96, at para. 90. The Commission refers to paragraph 93 in Schrems where the CJEU found the interference with the fundamental right to privacy as not strictly necessary.

99 Commission Decision 2016/1250, supra note 96, at para. 90 (emphasis added).

100 Commission Decision 2016/1250, supra note 96 (“Sec. 702 FISA allows US Intelligence Community elements to seek access to information, including the content of internet communications, from within the United States, but targeting certain non-U.S. persons outside the United States.”).

101 See, e.g., William C. Banks, Responses to the Ten Questions, 35 WM. Mitchell L. Rev. 5007, 5013–14 (2009); Laura K. Donohue, Section 702 and the Collection of International Telephone and Internet Content 38 Harv. J. L. & Pub. 117, 153–59 (2015).

102 See Edward C. Liu et al., Overview of Constitutional Challenges to NSA Collection Activities and Recent Developments, Cong. Res. Serv. (Apr. 1, 2014), http://www.dtic.mil/dtic/tr/fulltext/u2/a601651.pdf (providing an overview). See, e.g., Clapper v. Amnesty Int’l, 133 S. Ct. 1138 (2013); United States v. Hasbajrami, No. 11-CR-623, 2016 WL 1029500 (E.D.N.Y. Feb. 18, 2016) (currently under appeal at U.S. Court of Appeals for the Second Circuit, Case No. 17-2669); United States v. Mohamud, 834 F.3d 420 (9th Cir. 2016).

103 See Patrick Walsh, Losing Tools in the Intelligence Toolbox: Predicting Future Changes to FISA to Protect Future National Security Prosecutions, Norwich Rev. Int’l and Transnat’l Crime (2015); William C. Banks, Next Generation Foreign Intelligence Surveillance Law: Renewing, 51 U. Rich. L. Rev. 671, 702 (2016–2017); Peter Margulies, Reauthorizing the FISA Amendments Act: A Blueprint for Enhancing Privacy Protections and Preserving Foreign Intelligence Capabilities, 12 J. Bus. & Tech. L. 23 (2016–2017).

104 USA Liberty Act of 2017, H.R. 3989, 115th Cong.

105 See Gregory Voss, The Future of Transatlantic Data Flows: Privacy Shield or Bust?, 19 J. Internet L. 1 (2016) (announcing challenges against the Privacy Shield). See, e.g., Jan-Philipp Albrecht & Max Schrems, Privacy Shield: The new EU rules on transatlantic data sharing will not protect you, Irish Times (July 12, 2016), https://www.irishtimes.com/opinion/privacy-shield-the-new-eu-rules-on-transatlantic-data-sharing-will-not-protect-you-1.2719018.

106 Case T-738/16, La Quadrature du Net v Comm’n, pending, http://curia.europa.eu/juris/liste.jsf?num=T-738/16. See also GC, Case T-670/16, Digital Rights Ireland v Comm’n, ECLI:EU:T:2017:838 (declaring inadmissible another legal action against the Commission Decision 2016/1250); Case C-311/18, Facebook Ireland and Schrems, pending, http://curia.europa.eu/juris/fiche.jsf?id=C%3B311%3B18%3BRP%3B1%3BP%3B1%3BC2018%2F0311%2FP (providing a distinct question of the relevance of Privacy Shield in the assessment of adequacy in the framework of transfers of data on the basis of Standard Contractual Clauses).

107 Agreement between the European Community and the Government of Canada on the Processing of Advance Passenger Information and Passenger Name Record Data, March 21, 2006, 2006 O.J. (L 82) 15 [hereinafter EU-Canada PNR Agreement].

108 Id. art. 2(b).

109 Id. annex.

110 Id. art. 3(1).

111 Id. arts. 3(4), 5.

112 Opinion 1/15, supra note 8, para 148.

113 See Hielke Hijmans, PNR Agreement EU-Canada Scrutinised: CJEU Gives Very Precise Guidance to Negotiators, 3 Eur. Data Protection L. Rev. 406, 410 (2017) (arguing that the CJEU, due to its precise analysis and instructions to the legislator, (almost) acquires the role of the legislator itself). See also Christopher Kuner, Data Protection, Data Transfers, and International Agreements: the CJEU’s Opinion 1/15, Verfassungsblog, July 26, 2017, https://verfassungsblog.de/data-protection-data-transfers-and-international-agreements-the-cjeus-opinion-115/, (last visited July 6, 2019) (discussing the detailed nature of the Court’s analysis); Christopher Docksey, Opinion 1/15: Privacy and security, finding the balance, 24 Maastricht J. Eur. & Comp. L. 768, 771 (2017) (opining less critically that the Court “provides valuable support for European negotiators”).

114 See, e.g., Opinion 1/15, supra note 8, at paras. 181, 203, 211, 215, 217.

115 Id. at para. 150.

116 ECJ, Case Opinion 1/15, Opinion of Advocate General Mengozzi at para. 186, ECLI:EU:C:2016:656, Judgment of 8 Sept. 2016.

117 Hijmans, supra note 113, at 410–11.

118 Nevertheless, its findings do seem to imply that a particularly serious interference with privacy does not suffice for interference with its essence. In paragraph 36, the Court points out that the agreement in question “entails wide-ranging and particularly serious interferences” with the fundamental rights to privacy and data protection. See Opinion 1/15, supra note 8, para 36.

119 Christopher Kuner, International Agreements, Data Protection, and EU fundamental rights on the international stage: Opinion 1/15, EU-Canada PNR, 55 Common Mkt. L. Rev. 857, 876 (2018).

120 Digital Rights Ireland, Joined Cases 293 & 594/12 at para. 40.

121 Id.

122 Lynskey, supra note 4, at 172.

123 Compare id. (pointing out that designating data security measures as being the essence of the fundamental right to data protection “may further fuel debate regarding the propriety of labelling such a right a ‘fundamental right’”).

124 If the challenged Directive contained other safeguards—for example, the requirement of consent prior to bulk collection of data—the Court might have considered this safeguard as sufficient to protect the essence of data protection.

125 Tele2 Sverige, Case C-203/15.

126 Id. at para. 101 (emphasis added).

127 Id. at para. 99. On the artificial nature of distinction between content data and metadata, see supra notes 64, 66, 71, 74, 75.

128 Opinion 1/15, supra note 8, at para. 150.

129 GDPR, supra note 72, at arts. 5(1)(f), 32–34 (encompassing measures to ensure security of personal data). See also id. art. 32(1) (stating that these measures encompass, inter alia, pseudonymization, encryption, ensuring confidentiality and resilience of processing systems and regular testing of measures deployed for data security).

130 Charter, supra note 1, at art. 8(2) (“[D]ata must be processed … for specified purposes.”).

131 Fuster, supra note 4, at 205.

132 Charter, supra note 1, at art. 8(2).

133 See GDPR, supra note 72, at arts. 5(1)(a)–(b).

134 See GDPR, supra note 72, at art. 5(1)(c).

135 Directive 95/46, of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281) 31.

136 See Explanations relating to the Charter of Fundamental Rights, supra note 33, at 20 (expressly stating that this provision has been based on the Directive 95/46 and other sources).

137 See Directive 95/46, supra note 135, at art. 6.

138 GDPR, supra note 72, at art. 15.

139 GDPR, supra note 72, at art. 16.

140 Charter, supra note 1, at art. 8(3).

141 Fuster, supra note 4, at 204.

142 That is, according to Article 9(1) GDPR, data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” GDPR, supra note 72, at art. 9(1).

143 See GDPR, supra note 72, at art. 9(2)(g).

144 See GDPR, supra note 72, at art. 9(2)(j).

145 See GDPR, supra note 72, at art. 23(1).

146 For all justificatory grounds, see GDPR, supra note 72, at art. 23(1)(a)–(j).

147 Directive 2016/680, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and on the Free Movement of Such Data, and Repealing Council Framework Decision 2008/977/JHA, 2016 O.J. (L 119) 89.

148 Id. at recital 46.

149 EJC, Case C-496/17, Opinion of Advocate General Campos Sánchez-Bordona at para. 68, Deutsche Post AG v. Hauptzollamt Köln, ECLI:EU:C:2018:838, Judgment of 17 Oct. 2018.

150 ECJ, Case C-496/17, Deutsche Post AG v. Hauptzollamt Köln, ECLI:EU:C:2019:26, Judgment of 16 Jan. 2019.

151 Charter, supra note 1, at art. 21.

152 Charter, supra note 1, at art. 47.

153 Schrems, Case C-362/14 at para. 73.

154 I am grateful to Christopher Kuner for attracting my attention to this question.

155 Schrems, Case C-362/14 at para. 73 (pointing out particularly that the standard of essentially equivalent protection refers to “that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter”).

156 In Schrems—where the data subjects did not have any legal remedies for access or rectification of the personal data relating to them—the Court rightly came to the conclusion that the essence of her fundamental right to effective judicial protection was adversely affected. Schrems, Case C-362/14 at para. 75.

157 See Tuomas Ojanen, Making the Essence of Fundamental Rights Real: The Court of Justice of the European Union Clarifies the Structure of Fundamental Rights under the Charter: ECJ 6 October 2015, Case C-362/14, Maximillian Schrems v. Data Protection Commissioner, 12 Eur. Const. L. Rev. 318, 326 (2016).

158 Ministerio Fiscal, Case C-207/16 at paras. 51 et seq. (referring not to essence in its judgment, but proceeding immediately to the justification of the interference.

159 Kuner, supra note 119, at 876.