Hostname: page-component-cd9895bd7-fscjk Total loading time: 0 Render date: 2024-12-26T01:10:07.420Z Has data issue: false hasContentIssue false

DECONSTRUCTING DATA PROTECTION: THE ‘ADDED-VALUE’ OF A RIGHT TO DATA PROTECTION IN THE EU LEGAL ORDER

Published online by Cambridge University Press:  25 June 2014

Orla Lynskey*
Affiliation:
Assistant Professor of Law, Law Department, London School of Economics and Political Science, [email protected].

Abstract

Article 8 of the EU Charter of Fundamental Rights sets out a right to data protection which sits alongside, and in addition to, the established right to privacy in the Charter. The Charter's inclusion of an independent right to data protection differentiates it from other international human rights documents which treat data protection as a subset of the right to privacy. Its introduction and its relationship with the established right to privacy merit an explanation. This paper explores the relationship between the rights to data protection and privacy. It demonstrates that, to date, the Court of Justice of the European Union (CJEU) has consistently conflated the two rights. However, based on a comparison between the scope of the two rights as well as the protection they offer to individuals whose personal data are processed, it claims that the two rights are distinct. It argues that the right to data protection provides individuals with more rights over more types of data than the right to privacy. It suggests that the enhanced control over personal data provided by the right to data protection serves two purposes: first, it proactively promotes individual personality rights which are threatened by personal data processing and, second, it reduces the power and information asymmetries between individuals and those who process their data. For these reasons, this paper suggests that there ought to be explicit judicial recognition of the distinction between the two rights.

Type
Articles
Copyright
Copyright © British Institute of International and Comparative Law 2014 

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

1 European Union, Charter of Fundamental Rights of the European Union [2000] OJ C364/01 and [2010] OJ C83/389.

2 Although such an independent right exists at national level in some EU Member States, data protection is treated as a subset of the right to privacy in international human rights texts and by several other EU Member States, such as the Netherlands, Spain and Finland. For instance, section 10 of the Finnish Constitution, entitled ‘The right to privacy’ states ‘Everyone's private life, honour, and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act.’

3 This right was recognized for the first time by the Court in Promusicae in 2008. Case C-275/06 Productores de Música de España (Promusicae) v Telefónica de España [2008] ECR I-271, para 63.

4 European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/23 (Directive 95/46 EC).

5 Explanatory Memorandum, Convention document CHARTE 4473/00, 11 October 2000 <www.europarl.europa.eu/charter/pdf/04473_en.pdf>.

6 Art 286 EC stated that ‘Community acts on the protection of individuals with regard to the processing of personal data and the free movement of such data shall apply to the institutions and bodies set up by, or on the basis of, this Treaty’.

7 Directive 95/46 EC (n 4).

8 This provision sets out the right to respect for private life and will be the subject of detailed consideration in section III.

9 Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No 108, 28.I.1981 <www.conventions.coe.int/Treaty/EN/Treaties/Html/108.htm>.

10 De Hert, P and Gutwirth, S, ‘Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutionalisation in Action’ in Gutwirth, S et al. (eds), Reinventing Data Protection? (Springer 2009) 5Google Scholar.

11 The legal basis of the Directive (ex art 95 EEC, now art 114 TFEU) allows for the enactment of legislation which will approximate the laws of the Member States to improve the functioning of the internal market.

12 See Case C-137/79 National Panasonic v Commission [1980] ECR I-2033, paras 18–20.

13 A Rouvroy and Y Poullet, ‘The right to informational self-determination and the value of self-development: Reassessing the importance of privacy for democracy’ in S Gutwirth et al (n 10). See also Cannataci and Mifsud-Bonnici, who note the possibility that ‘having data protection formally firmly entrenched at a constitutional level will put a stop to current “anti-data protection principles” positions taken by the Member States both at an EU level in the areas covered in the second and third pillars and at national levels'. Cannataci, JA and Mifsud-Bonnici, JP, ‘Data Protection Comes of Age: The Data Protection Clauses in the European Constitutional Treaty’ (2005) 14 Information and Communications Technology Law 5, 56Google Scholar.

14 Article 29 Working Party (A29WP), ‘The Future of Privacy—Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data’, adopted on 1 December 2009 (WP168), 7.

15 See Report of the Expert Group on Fundamental Rights, ‘Affirming Fundamental Rights in the EU: Time to Act’, Brussels, February 1999, 8. <http://ftp.infoeuropa.eurocid.pt/database/000038001-000039000/000038827.pdf>.

16 Art 16(2) TFEU provides that the EU legislature shall ‘lay down the rules relating to the protection of individuals with regard to the processing of personal data by … the Member States when carrying out activities which fall within the scope of Union law’ (emphasis added). Some differentiation nevertheless remains: see eg art 39 EU.

17 European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM (2012) 11 final.

18 European Commission, Proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data COM (2012) 10 final.

19 ‘Population Census Decision’, Judgment of 15 December 1983, 1 BvR 209/83, BVerfGE 65, 1.

20 Art 1(1) German Basic Law (Deutscher Bundestag, Basic Law for the Federal Republic of Germany, <https:// www.btg-bestellservice.de/pdf/80201000.pdf >).

21 ibid, art 2(1).

22 For instance, in Durant, the Court of Appeal interpreted the notoriously broad concept of ‘personal data’ narrowly by finding that whether an individual's data constitutes personal data depends inter alia on whether the data is biographical in a significant sense or relates to ‘a life event in respect of which his privacy could not be said to be compromised’ and whether it is ‘information that affects his privacy, whether in his personal or family life, business or professional capacity’ (Durant v Financial Services Authority [2003] EWCA Civ 1746, Auld LJ at para 28).

23 In R (on the application of AB) v Secretary of State for the Home Department [2013] EWHC 3453 Mostyn J was asked to consider a claim based, inter alia, on the claimant's right to data protection. He stated that the right to protection of personal data is not part of the ECHR and has therefore not been incorporated into domestic law by the Human Rights Act (para 16). He argued that Parliament had deliberately excluded aspects of the ECHR from the Human Rights Act and that the Charter contained ‘all of those missing parts and more’ (para 14), including the right to data protection.

24 The situation of the UK and Poland (and subsequently the Czech Republic) remains slightly differentiated to that of other Member States. These three Member States signed Protocol 30 to the Lisbon Treaty, which ostensibly clarifies the effect of the Charter in domestic legal systems. Nevertheless, its precise effect remains contested. The ECJ has held that the Protocol does not have the effect of exempting these countries ‘from the obligation to comply with the provisions of the Charter or to prevent a court of one of those Member States from ensuring compliance with those provisions’ (see Joined Cases C-411/10 N.S. v Secretary of State for the Home Department and C-493/10 M.E. and Others v Refugee Applications Commissioner, Minister for Justice, Equality and Law Reform [2011] ECR I-0000, para 119). However, Mostyn J in the UK High Court in R(AB) (n 23) expressed his surprise at the claimant's reliance on EU Charter rights as he was ‘sure that the British government … had secured at the negotiations of the Lisbon Treaty an opt-out from the incorporation of the Charter into EU law’ (para 10).

25 Case C-139/01 Österreichischer Rundfunk and Others [2003] ECR I-4989.

26 Classen, CD, ‘Case C-139/01 Österreichischer Rundfunk and Others: case-note’ (2004) 41 CMLRev 1377Google Scholar, 1383.

27 Case C-275/06 Promusicae (n 3).

28 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector [2002] OJ L201/37, Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market [2000] OJ L178/1 and Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonization of certain aspects of copyright and related rights in the information society [2001] OJ L167/10.

29 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L201/37.

30 Promusicae (n 3) para 63.

31 ibid para 64.

32 ibid para 65.

33 Case C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinapörssi OY, Satamedia [2008] ECR I-09831.

34 ibid para 54.

35 T-194/04 Bavarian Lager v Commission [2007] ECR II-3201.

36 Regulation No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents [OJ] L 145/43.

37 Regulation 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [2001] OJ L8/1.

38 EDPS pleading in T-194/04 Bavarian Lager v Commission, section 8. Moreover, the EDPS argued that had the legislator intended to give art 4(1)(b) the meaning supported by the Commission's ‘renvoi-theory’ (according to which there is a direct referral to the data protection rules whenever a requested document contains personal data), ‘the wording of the exception could and should have been far more explicit’.

39 T-194/04 Bavarian Lager (n 35) paras 132–133.

40 ibid para 137.

41 It, therefore, argued that, whilst a reference to the name of a participant in the minutes of a meeting constitutes personal data, the disclosure of a name in the context of professional activities does not normally have a link to private life. ibid para 67.

42 It stated that ‘not all personal data are by their nature capable of undermining the private life of the person concerned. In recital 33 of the General Directive, reference is made to data which are capable by their nature of infringing fundamental freedoms or privacy and which should not be processed unless the data subject gives his explicit consent, which implies that not all data are of that nature’. ibid para 119.

43 De Hert and Gutwirth (n 10) 41.

44 C-92/09 and C-93/09 Volker und Markus Schecke and Hartmut Eifert [2010] ECR I-11063, Opinion of Advocate General Sharpston, para 71.

45 C-28/08 European Commission v Bavarian Lager [2010] ECR I-6055.

46 ibid paras 58–59.

47 ibid paras 58–61.

48 ibid para 63.

49 ibid fn 41.

50 Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Hartmut Eifert [2010] ECR I-11063, para 47.

51 ibid para 52.

52 Amann v Switzerland (2000) 30 EHRR 843.

53 Rotaru v Romania (App No 28341/95) (unreported) 4 May 2000.

54 Volker (n 50) para 52.

55 Amann (n 52) para 65.

56 See, for instance, Opinion of the A29WP, ‘Opinion 4/2007 on the concept of personal data’, 20 June 2007, 01248/07/EN WP 136, or Kranenborg, H, ‘Access to Documents and Data Protection in the European Union: On the Public Nature of Personal Data’ (2008) 45(4) CMLRev 1079Google Scholar, 1091.

57 Opinion of Advocate General Jääskinen in Case C-131/12, Google Spain SL & Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González [2013] ECR I-0000.

58 ibid para 29.

59 In fact it is submitted that what the Advocate General was asking for was the application of the principle of proportionality when interpreting the Directive (although, as a general principle of EU law, the principle of proportionality is applied at all times when interpreting EU law). He considered that such an approach was necessary in order to avoid ‘unreasonable and excessive legal consequences’. ibid para 30.

60 Schwartz and Reidenberg claim that calling data protection ‘information privacy’ is an attempt to ‘put new wine in old bottles’. Schwartz, PM and Reidenberg, JR, Data Privacy Law: A Study of United States Data Protection (MICHIE Law Publishers 1996), 102Google Scholar.

61 This issue has also been considered by Brouwer in Brouwer, E, Digital Borders and Real Rights: Effective Remedies for Third-Country Nationals in the Schengen Information System (Martinus Nijhoff 2008) 194204Google Scholar and more recently by Purtova (N Purtova, Property Rights in Personal Data: A European Perspective (Kluwer Law International 2011) 224–40).

62 In theory, the right to privacy is not applicable to private parties but this right places ‘positive obligations’ on States. It remains unclear whether the EU Charter can be directly invoked in proceedings between private parties. While the ECJ refused to give such horizontal direct effect to art 27 of the Charter in Case C-176/12 AMS v Union locale des syndicats CGT and Ors [2014] ECR I-0000, it arguably left the door open to grant other rights such effect where the Charter article is ‘sufficient in itself to confer on individuals an individual right which they may invoke as such.’, para 47.

63 Art 2(a) Directive 95/46 EC (n 4); arts 4(1) and (2) Proposed Regulation (n 17).

64 A29WP, ‘Opinion 4/2007 on the concept of personal data’, adopted on 20 June 2007 (WP 136).

65 For instance, in Amann the Court found that details contained in the applicant's file, such as that he was in ‘contact with the Russian embassy’ and did ‘business of various kinds with the company [A.]’ amounted to data relating to his ‘private life’. Amann (n 52) paras 66 and 67.

66 As RAND Europe notes ‘one of the crucial characteristics of the Directive is that it is tied to the concept of personal data, and not to a notion of privacy. Indeed, the provisions of the Directive can apply to data processing acts which are not privacy sensitive.’ RAND Europe, ‘Technical Report on the Review of the European Data Protection Directive’, 27 <www.hideproject.org/downloads/references/review_of_eu_dp_directive.pdf>. See also: Opinion of the A29WP, ‘Opinion 4/2007’ (n 64) or Kranenborg (n 56) 1091.

67 Contrast Durant (n 22).

68 Case C-28/08 Bavarian Lager (n 45) para 167.

69 ibid, para 123.

70 This is for three reasons. First, unlike other cases which have human dignity implications as the applicant is being prevented from being called by his correct or desired name (see, Opinion of Advocate General Jacobs, delivered on 9 December 1992, in Case C-168/91 Konstantinidis v Stadt Altensteig [1993] ECR I-1191, para 40), the disclosure of a name featured in a document has no impact on the individual's name or their rights over it and therefore does not have the same human dignity implications. Secondly, the ECtHR's rationale for extending privacy interests to the workplace and business activities of individuals, namely that ‘private life’ comprises ‘the right to establish and develop relationships with other human beings’ (Niemietz v. Germany 16 December 1992, appl. no. 13710/88, paras 29–30), cannot be applied in Bavarian Lager. One of the aims of the EU's transparency legislation is to enable EU citizen's to verify that EU measures, have been enacted in the absence of such personal relationships. Finally, the meeting attendees had no reasonable expectation in Bavarian Lager that the public would not be privy to data concerning their involvement, in a professional capacity, in the processes of democratic, accountable Institutions (PG and JH v United Kingdom (2008) 46 EHRR 51, para 57).

71 Case T-194/04 Bavarian Lager (n 35) para 67.

72 Directive 95/46 EC (n 4) art 2(a).

73 Friedl v Austria (1996) 21 EHRR 83.

74 ibid para 50.

75 It is often difficult to distinguish a ‘privacy interest’ from the ‘interference’. The Rotaru judgment (n 53) is an excellent example of this point. In Rotaru the ECtHR held that publicly available data, which does not always benefit from privacy protection, fell within the material scope of the right to privacy as this data was treated in a particular way – it was systematically collected or stored.

76 Directive 95/46 EC (n 4) art 2(b).

77 Kuner, C, European Data Protection Law: Corporate Compliance and Regulation (2nd edn, OUP 2007) 74Google Scholar.

78 Pierre Herbecq and the Association ‘Ligue des droits de l'homme’ v Belgium (App Nos 32200/96 and 32201/96) 14 January 1998.

79 Case C-139/01 Rundfunk (n 25).

80 ibid para 74.

81 In PG and JH (n 70) the ECtHR noted that ‘[t]here are a number of elements relevant to a consideration of whether a person's private life is concerned in measures effected outside a person's home or private premises…a person's reasonable expectations as to privacy may be a significant, although not necessarily conclusive, factor.’ Para 57.

82 See also De Hert and Gutwirth who state that privacy covers ‘only flagrant abuse or risky use of data that can easily be used in a discriminatory way’ while ‘other kinds of data processing are left untouched “as long as there is no blood”’ (De Hert and Gutwirth (n 10) 23 and 25); Kranenborg (n 57) 1091.

83 Directive 95/46 EC (n 4) art 6.

84 Proposed Regulation (n 17) art 5.

85 S and Marper v United Kingdom (2009) 48 EHRR 50 para 103; Directive 95/46 EC (n 4) art 6(1)(e) and Proposed Regulation (n 17) art 5(e).

86 In Gaskin the ECtHR stated that ‘a system … which makes access to records dependent on the consent of the contributor can, in principle, be considered compatible with Article 8 ECHR’. Gaskin v United Kingdom Series (1989) 12 EHRR 36, para 49.

87 For instance, in KH v Slovakia the ECtHR held that data subjects should not be obliged to justify a request to be provided with their personal data files; it is for the authorities to provide compelling reasons why these files should not be provided. KH v Slovakia (2009) 49 EHRR 34, para 48.

88 Directive 95/46 EC (n 4) art 15; Proposed Regulation (n 17) art 20(1).

89 Another example of such a right might be the data subject's right to object to processing when personal data is disclosed to third parties for the first time or used for direct marketing (Directive 95/46 EC (n 4) art. 14(b)). While this right might attempt to tackle privacy concerns, it also reflects an effort to empower individuals vis-à-vis data controllers and processors.

90 See further McGoldrick, D, ‘Developments in the Right to be Forgotten’ (2013) 13(4) HRLR 761Google Scholar.

91 Proposed Regulation (n 17) art 18.

92 The term ‘dataveillance’ conveys the message that the systematic use of data systems to monitor the actions or communications of an individual can effectively amount to surveillance. This term was coined by Clarke, RA in ‘Information Technology and Dataveillance’ (1988) 31 Communications of the ACM 498Google Scholar.

93 The German Constitutional Court emphasized the societal importance of ‘informational self-determination’ as a precondition for citizens’ free participation in the political processes of the democratic constitutional state in its famous 1983 ‘Population Census Decision’ (judgment of 15 December 1983, 1 BvR 209/83, BVerfGE 65, 1). The societal costs of surveillance have also been emphasized in the academic literature: N Richards, ‘The Dangers of Surveillance’ HarvLRev (Symposium 2012: Privacy and Technology) 9 November 2012, 18–26 <http://www.harvardlawreview.org/privacy-symposium.php> and Slobogin, C, ‘Public Privacy: Camera Surveillance of Public Places and the Right to Anonymity’ (2002) 72 MissLJ 213Google Scholar.

94 The dichotomy between tangible and intangible harm has received little, if any, attention in the EU context to date. Romanosky and Acquisti recognize this distinction in the context of US information privacy law. Romanosky, S and Acquisti, A, ‘Privacy Costs and Personal Data Protection: Economic and Legal Perspectives’ (2009) 24 BerkeleyTechLJ 1060Google Scholar, 1094.

95 Directive 95/46 (n 4) art 15.

96 Some authors argue that the use of such proxies is an efficient way to make decisions. For instance, Posner argues that it is ‘quite impossible to imagine how society would function without heavy reliance on proxies in lieu of full investigation of relevant facts’. R Posner, ‘Privacy, Secrecy and Reputation’, First Draft, 9 October 1978 (text accessed at Harvard Law Library) 46.

97 Mitchison, N et al. , ‘Identity Theft: A Discussion Paper’ Technical Report EUR 21098, European Commission – Joint Research Centre (2004) 29Google Scholar.

98 Directive 95/46 EC (n 4) art 17. Moreover, art 23 of the Directive obliges Member States to ensure that data controllers compensate individual data subjects for damages suffered as a result of unlawful processing or processing incompatible with the national implementation provisions. However, the Commission's report notes that there remain considerable difficulties in practice in demonstrating who was responsible for data release; hence there have been very few successful lawsuits to date. European Commission, ‘Report on Identity Theft/Fraud’, Fraud Prevention Expert Group, Brussels, 22 October 2007, 27 <http://ec.europa.eu/internal_market/fpeg/docs/id-theft-report_en.pdf>.

99 Arts 31 and 32 of the Proposed Regulation (n 17).

100 Reiman, JH, ‘Driving to the Panopticon: a philosophical exploration of the risks to privacy posed by the highway technology of the future’ (1995) 11 Santa Clara Computer & HighTechLJ 27Google Scholar, 35.

101 Slobogin (n 93) 266.

102 Taslitz, AE, ‘The Fourth Amendment in the Twenty-First Century: Technology, Privacy, and Human Emotions’ (2002) 65 LCP 125Google Scholar, 152.

103 J Shepherd and D Shariatmadari, ‘Would-be students checked on Facebook’ The Guardian (11 January 2008).

104 Blackman, J, ‘Omniveillance, Google, Privacy in Public, and the Right to Your Digital Identity: A Tort for Recording and Disseminating an Individual's Image over the Internet’ (2009) 49 SantaClaraLRev 313Google Scholar, 347.

105 Moreham, NA, ‘Privacy in Public Places’ (2006) 65 CLJ 606CrossRefGoogle Scholar, 622.

106 Rouvroy and Poullet (n 13) 47.

107 Pretty v UK (2002) 35 EHRR 1 35.

108 Similarly, the 14 June 2000 version stipulated that ‘Everyone has the right to determine for himself whether personal data concerning him may be collected and disclosed and how they may be used’. See CHARTRE 4284/00, 14 and CHARTRE 4360/00, 25 respectively. See further Cannataci and Mifsud-Bonnici (n 13) 10.

109 The German Constitutional Court held in its 1983 Population Census Decision that individuals must, in principle, be able to determine whether their data are disclosed and the use to which those data are put. These rights stem from the individual's right to ‘informational self-determination’. 1983 Population Census Decision, judgment of 15 December 1983, 1 BvR 209/83, BVerfGE 65, 1.

110 This notion was referred to for the first time by the CJEU in the Opinion of Advocate General Cruz Villalón in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger delivered 12 December 2013 ECR [2013] I-0000.

111 Population Census Decision (n 109). The text of this judgment is not available in English. This has been confirmed by Hornung and Schnabel who provide a detailed account of the judgment ‘to help overcome the language barrier that has prevented much of the world from understanding the depth and value of German legal theory on data protection’. See Hornung, G and Schnabel, C, ‘Data protection in Germany I: The Population Census Decision and the Right to Informational Self-Determination’ (2009) 25 CLSRev 84Google Scholar.

112 Art 2(1) and art 1(1) respectively. German Basic Law (Deutscher Bundestag, Basic Law for the Federal Republic of Germany <https:// www.btg-bestellservice.de/pdf/80201000.pdf>).

113 S Rodotà, ‘Data Protection as a Fundamental Right’ in Gutwirth et al, Reinventing Data Protection? (n 10) 80.

114 Veljanovski, C, ‘Economic Approaches to Regulation’ in Baldwin, R, Cave, M and Lodge, M (eds), The Oxford Handbook of Regulation (OUP 2010) 18Google Scholar.

115 For instance, the Electronic Privacy Information Centre (EPIC) argues, with regard to online behavioural advertising, that ‘opaque industry practices result in consumers remaining largely unaware of the monitoring of their online behaviour, the security of this information and the extent to which this information is kept confidential’. See EPIC, ‘Search Engine Privacy’ (http://epic.org/privacy/search_engine/#features).

116 See, for instance, Purtova who argues that the ‘vulnerability of the data subject stems from both the widely acknowledged inequality of resources of the individual and of the organisation and from the fact that, at present, most of the interactions between these two parties involve information technology, where the organisation has the benefit of professional expertise and the individual is but a layman’: Purtova (n 61) 205.

117 Purtova notes that ‘an individual's autonomy to make choices – even very simple ones like what book to read next – is questionable when the range of options and the context of the choice are being controlled by others’. ibid 205.

118 Prins argues that individuals may not always capture the value of privacy rights. She states that it is ‘very difficult for individuals to understand what is actually going on when online businesses collect and distribute their personal data and be sufficiently attentive to the implications of such use for their proprietary rights, let alone that they can verify what is really going on’. Prins, C, ‘When Personal Data, Behaviour and Virtual Identities Become a Commodity: Would a Property Rights Approach Matter?’ (2006) 3 SCRIPT-ed 270CrossRefGoogle Scholar, 297.

119 Berger makes this point in relation to online behavioural advertising: Berger, D, ‘Balancing Consumer Privacy with Behavioural Targeting’ (2011) 27 Santa Clara Computer & HighTechLJ 3Google Scholar, 13.

120 Rotenberg, M, ‘Fair Information Practices and the Architecture of Privacy (What Larry Doesn't Get)2001 StanTechLRev 1, 31–2Google Scholar.

121 Purtova (n 61) 47.

122 E Dyson, ‘Privacy Protection: Time to Think and Act Locally and Globally’ (1998) 3 First Monday, 1 June 1998 <http://firstmonday.org/ojs/index.php/fm/article/view/1591/1506>.

123 Solove, DJ, ‘“I've Got Nothing to Hide” and Other Misunderstandings of Privacy’ (2007) 44 SanDiegoLRev 745Google Scholar, 752.

124 This is a reference to Franz Kafka's novel, The Trial, where a bureaucracy whose purposes are unknown uses people's information to make decisions about them while refusing to inform these people about how and why their information is being used. ibid, 757.

125 Glancy, DJ, ‘Privacy on the Open Road’ (2004) 30 OhioNULRev 295Google Scholar, 328. Similarly Calo describes the problem as ‘less a function of top-down surveillance by a known entity for a reasonably clear if controversial purpose. It is characterized instead by an absence of understanding, a vague discomfort punctuated by the occasional act of disruption, unfairness, or violence’: Calo, R, ‘The Boundaries of Privacy Harm’ (2011) 86 IndLJ 1131Google Scholar, 1158.

126 Newman, AL, Protectors of Privacy (Cornell University Press 2008) 24Google Scholar.

127 Brouwer (n 61) 199.

128 Solove, ‘Nothing to Hide’ (n 123) 771.

129 Directive 95/46 EC (n 4) Art 6(1)(b).

130 Brouwer (n 61) 201.

131 ibid 202.

132 Recital 34.

133 ibid.

134 Information Commissioner's Office, ‘Initial Analysis of the European Commission's Proposals for a Revised Data Protection Legislative Framework’ (27 February 2012) 7 <http://www.ico.gov.uk/news/current_topics.aspx>.

135 Such a default setting is already found in the E-Privacy Directive for the collection of data using cookies.

136 Art 4(8) Proposed Regulation (n 17).

137 Schwartz, PM, ‘Property, Privacy and Personal Data’ (2004) 117 HarvLRev 2055Google Scholar, 2100.

138 Art 12 Proposed Regulation (n 17).

139 P De Hert and S Gutwirth ‘Making sense of privacy and data protection. A prospective overview in the light of the future of identity, location based services and the virtual residence’ in Institute for Prospective Technology Studies, Security and Privacy for the Citizen in the Post-September 11 Digital Age: A Prospective Overview, Technical Report EUR 20823 (European Commission – Joint Research Centre, 2003) 89–94.

140 The term ‘opacity’ is not defined. However, the authors do state that ‘[t]he use of the word “opacity” designates a zone of non-interference which in our opinion must not be confused with a zone of invisibility: privacy for instance does not imply secrecy, it implies the possibility of being oneself openly without interference. However, “opacity” contrasts nicely with “transparency”’: ibid, 134.

141 This distinction is also seemingly supported by Solove, who refers to privacy as the ‘secrecy paradigm’, noting that its predominant concern is to promote concealment and that it ‘focuses on breached confidentiality, harmed reputation and unwanted publicity’. He argues that data protection differs from privacy in so far as ‘the problem with databases pertains to the uses and practices associated with our information, not merely whether that information remains completely secret’: Solove, D, The Digital Person: Technology and Privacy in the Information Age (New York University Press 2004), 43Google Scholar.

142 R v Brown (Gregory Michael) [1996] AC 543.

143 ibid 550.

144 Lord Hoffman emphasized that the Act treats ‘processing’ differently from ‘using’: while the retrieval of the data constituted improper processing, contrary to the data protection principles, it was not criminally punishable ‘use’ ibid 562.