
The right to privacy and the right to data protection are often mentioned together,322 and typically there is clearly a connection between these two rights.323 However, formally they are regulated in separate documents, and when it comes to their substantial scope, there exist different theories describing the relations between these two rights, and the additional role fulfilled by the right to data protection.324 What is clear is that besides privacy, data protection can also play an important role in protecting employees’ private lives; in consequence, its analysis must be included.

The right to data protection is much more than just the protection of personal data.

Despite what its appellation might suggest, the right to data protection does not aim to protect personal data, but the individual to whom personal data relates.325 Pál Könyves Tóth emphasizes the connection between the right to data protection and human dignity, stating that it is an essential condition to human dignity that individuals be able to take decisions regarding the disclosure of personal data relating to them.326 Máté Dániel Szabó points out that personal data is more and more valued, as the individual’s personality can be increasingly expressed through personal data.327 To the outside world, the individual is more and more often perceived through (mainly) his/her personal data – instead of as a physical person.328 Because of such an enhanced role, if the processing (e.g. collection and use of such information) does not take place according to the established guarantees and rules, the individual might suffer serious consequences.329

The Section will first (§1) address what additional role data protection can fulfill in comparison to privacy, aiming to clarify the relations between these two rights. Then (§2), it will present how exactly the individuals’ rights must be respected, through examining the most important points of the relevant legislation.

§1. Introduction to the right to data protection

The first data protection regulation appeared a few decades after the right to respect for private life,330 followed by several other instruments both at the international and the national level. Although they will be addressed in detail in part §2, even at this point it must be noted that today data protection is subject to detailed regulations. Because of their importance, the focus will be on EU regulations: though ever since 1995 the question of data protection has been

322 See, for example, Article 1 of the DPD, and Convention 108.

323 http://www.austlii.edu.au/au/journals/UNSWLJ/2001/6.html (Accessed: 28 February 2018)

324 Orla Lynskey identified three models of understanding the relation between privacy and data protection: they can be understood as separate but complementary rights; data protection can be understood as a subset of privacy; or data protection can be perceived as a separate, independent right in service of different functions, but not limited to privacy. Source: Lynskey 2015. p. 90. and pp. 91–106.

325 Majtényi 2002. pp. 57–58.

326 Könyves Tóth 1990. p. 621.

327 Szabó 2005. p. 47.

328 Szabó 2005. p. 47.

329 For example, as it will be addressed later, if the employer does not process personal data according to the pertinent regulations, it not only infringes the employees’ or prospective employees’ rights but can also have serious consequences for his/her employment – e.g. termination of employment or unfavorable hiring decision.

330 It was adopted in 1970 in Germany. Source: Simitis 2010. p. 1995.

regulated in the DPD, in 2016 the adoption of the GDPR brought considerable changes and became a central piece of legislation.

In the following part, first, (A) it will be explored what the reasons for the emergence of data protection rules were. Then, (B) it will be examined why there was a need for it when the right to respect for privacy already existed. To put it differently, it will be explored in what regards there are substantial differences (if any) between the two rights, which would justify the existence of two rights.

(A) The birth of the right to data protection

The right to data protection is a relatively recent right: it appeared in the 1970s. Similarly to the right to privacy, the right to data protection also emerged as a reaction to technological development: owing to the appearance of computers, the collection, storage, transfer, etc. of personal data had never been easier, and states put forward plans for establishing different state registers.

Under the shadow of how state registers had contributed to the horrible events of the Second World War,331 combined with the growing fear of a surveillance state, the public feared the consequences of unregulated automated processing of personal data. Still, prior to the 1960s and 1970s, technology did not make it possible to conduct automatic data processing; also, mass surveillance came at high costs, and thus the protection of the individual was naturally ensured.332 However, due to the technological development, the situation had changed, and as a response to the arising threats, data protection appeared,333 as these innovations offered unprecedented opportunities for the state to keep records in order to fulfil its functions (e.g. in relation to taxation, etc.).334 At the same time, plans appeared throughout Europe aiming to unify or to connect national databases.335 It was against this background that the first documents regulating data protection appeared. The world’s first data protection act was adopted in 1970, in the German federal state of Hesse,336 and was soon followed by other countries (Sweden in 1973, Germany in 1977, France in 1978).337 After adopting these national data protection acts, it became also necessary to regulate the transborder flow of personal data, which led to the adoption of international data protection norms.338

France adopted its data protection act, the “Loi informatique” in 1978 [Act No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (“loi relative à l’informatique, aux fichiers et aux libertés”) hereinafter referred to as: FDPA – standing for French Data Protection Act], as a result of the SAFARI scandal concerning a project to interconnect certain files of the French administration – revealed to the public in an article in the newspaper Le Monde.339 In 1978 the FDPA also established the French national data protection authority, named French National Commission on Informatics and Freedoms (“Commission nationale de l’informatique et des libertés”) (hereinafter referred to as:

331 Galántai 2003.

332 Jóri 2005. p. 22.

333 Szőke 2015. p. 27.

334 Sári – Somody 2008. p. 133.

335 Szőke 2015. p. 31.

336 Simitis 2010. p. 1995.

337 On the history of data protection see more in: Szőke 2015. pp. 27–34.; Jóri 2005. pp. 21–66.

338 Jóri 2005. p. 28.

339 Boucher 1974. p. 9.

CNIL). The FDPA was significantly amended in 2004340 in order to transpose the EU’s data protection directive, and in 2016 by the Act for a Digital Republic aiming to address the new challenges of the information society.341 Although the GDPR is directly applicable, it did not repeal national data protection acts: in the case of conflicting provisions, the former will be applied.342 The amendment of the FDPA was realized in June 2018 by Act No. 2018-493 of 20 June 2018 on the Protection of Personal Data (“Loi n° 2018-493 du 20 juin 2018 relative à la protection des données personnelles”).

While France was amongst the first countries in the world to adopt a data protection act in 1978, in Hungary this process was slower: Hungary adopted its first data protection act, Act LXIII of 1992 on the protection of personal data and access to data of public interest in 1992. The act also established the institution of the Hungarian data protection commissioner,343 who was first appointed in 1995. This act was amended in 2003344 due to Hungary’s accession to the EU and replaced in 2011 by Act CXII of 2011 on the Right to Informational Self-determination and Freedom of Information (hereinafter referred to as: HDPA – standing for the Hungarian Data Protection Act). The HDPA also introduced significant changes to the national data protection authority: it replaced the institution of the data protection commissioner by establishing the Hungarian National Authority for Data Protection and Freedom of Information (“Nemzeti Adatvédelmi és Információszabadság Hatóság”, hereinafter referred to as: NAIH). After the entering into application of the GDPR, the Hungarian legislators adopted Act XXXIV of 2019 on legislative amendments required for the implementation of the European Union’s data protection reform (hereinafter referred to as: Enforcing Act) in April 2019, aiming to adapt the Hungarian legal system to the GDPR, by amending more than 80 acts.

Despite the recent birth of the right to data protection, scholars already distinguish between different generations of data protection regulations. However, these generations are not universal: different authors established different stages in the history of data protection regulations. According to Michael D. Birnhack, the first stage was the very appearance of these regulations, the second was the appearance of international regimes instead of solely national regulation and the third was the emphasis being put on the transfer of personal data instead of the collection.345 In 2005, law professor Yves Poullet differentiated between three generations of data protection regulations, starting with Article 8 of the ECHR, continuing with the EU’s Data Protection Directive and the CoE’s Convention 108, and ending with the EU’s E-privacy Directive.346 Back in 1997, Viktor Mayer-Schönberger already distinguished four generations of data protection regulations. The first one dates back to the very appearance of data protection laws, when these acts aimed to regulate

340 Loi n° 2004-801 du 6 août 2004 relative à la protection des personnes physiques à l’égard des traitements de données à caractère personnel et modifiant la loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés

341 See more on the Act for a Digital Republic in: Masnier-Boché, Lorraine: Loi « pour une République numérique » : état des lieux en matière de protection des données personnelles. Revue Lamy droit de l’immatériel ex Lamy droit de l’informatique, 131, 2016. pp. 50–55.; Richard 2016.

342 Bourgeois 2017. p. 13.

343 Section 23 of Act LXIII of 1992

344 By the Act XLVIII of 2003 on the amendment of Act LXIII of 1992 on the protection of personal data and access to data of public interest. Source: Könyves Tóth 2010. p. 55.

345 Birnhack 2008. pp. 511–512.

346 Poullet 2005. pp. 4–8.

the technology, when processing was conducted only by a few controllers. Then, when processing became differentiated and available not only for states but for businesses too, data protection regulations shifted from regulating technology to guaranteeing individual liberty. The third generation is characterized by the right to informational self-determination, while the fourth (e.g. the EU Data Protection Directive) manifests an intention to strengthen the rights of the individual and to create a mandatory protection of certain data, and a shift and an opening towards sectoral regulation.347

Gergely László Szőke differentiates between three generations: the first generation is characterized by the aim of regulating the automated processing of certain data controllers (mainly the state) who processed a huge amount of personal data. With the appearance and spread of the personal computer in the 1980s, this landscape changed, as the processing of personal data became available to a wider audience (to businesses or to private individuals): a second type of regulation was needed. These regulations are characterized by the aim of providing the individual the right to informational self-determination in general, instead of regulating the processing of only a few data controllers. The European Data Protection Directive, the OECD Guidelines, the CoE’s Convention 108 are typical examples of the second generation of data protection regulations. However, since then, technology has not stopped evolving: the mass adoption of the Internet, social network sites, profiling, the use of mobile devices, etc. have evoked the necessity for a third generation of regulation.

According to Szőke, the EU’s General Data Protection Regulation (then proposal) represents new tendencies in personal data protection, by taking into account the obligations of data controllers (instead of the individual’s right to self-determination), differentiating between certain types of controllers, aiming to regulate technology and strengthening the role of the internal regulations of controllers.348 Whichever categorization one agrees with, it is undisputed that the changes posed by the mass adoption of the Internet, social media, mobile devices and the shift in users’ behaviour represent a challenge both for the right to privacy and for the right to data protection.

From the generations identified above, it can be observed that data protection went through different phases: since its appearance in the second half of the 20th century, the technological, societal and legal environment has been completely transformed. The conclusion that can be drawn from these generations is that data protection as well should be adequately adjusted to the given circumstances. While data protection at the beginning was regulated at the national level, it was soon recognized that the absence of an international legal framework would inhibit the international transfer of personal data,349 resulting in the adoption and existence of a complex regulation. While at the beginning data protection regulations had to cope with a limited number of huge databases, nowadays data processing operations have multiplied due to the rapid advancement of technological development. These changes had an effect on the regulations as well, as at the beginning these regulations constituted

347 Mayer-Schönberger 1997. pp. 221–233.

348 Szőke 2013. pp. 108–111. In his article Szőke also refers to the different existing theories amongst Hungarian scholars. According to László Majtényi, the first generation consists of norms regulating data processing by computers, while the second generation is technology-neutral, and the third focuses on challenges arising in different sectors. (Majtényi 2008. pp. 582–583.) According to András Jóri, the first generation of norms focuses on big data controllers and processing by computers, the second generation is centred around the right to informational self-determination, while the third one is concentrated on the new arising challenges. (Jóri 2005. pp. 23–66.)

349 Jóri 2005. p. 28.

mainly technical regulations, but later shifted towards guaranteeing the freedom of the individual.350 Existing rules are constantly challenged – for example by social media and SNSs, as it will be examined under Title 2.

(B) Defining data protection: substantial delimitation from the right to privacy

As a starting point, data protection can be comprehended as “the regulation and organisation of the conditions under which personal data can be lawfully processed.”351 However, it must also be established what data protection is and what its relation to privacy is. There is an uncontested connection between these two rights;352 however, just like regarding the exact meaning of privacy, there is no uniform standpoint in this question, as there is still no universal consensus with respect to the relationship between these two rights.353

Different interpretations suggest that data protection is a subset of privacy and not a separate right.354 On the one hand, different grammatical formulations support this view: data protection can be associated with privacy, as Patrik Hiselius’ formulation suggests: “[i]n the European Union, instead of using the term ‘Privacy’, in general the notion ‘right to data protection’ is used.”355 In the literature, the expressions informational privacy356 or data privacy357 are also used to describe data protection.

On the other hand, Juliane Kokott and Christoph Sobotta also point out that both the ECtHR and the CJEU consider data protection as an expression of the right to privacy.358 Even in the EU, where the CFREU contains two separate articles for these two rights (Article 7 and Article 8), it is not excluded that data protection still forms a part of privacy.359 In the jurisprudence of the CJEU, though in certain decisions it acknowledged that the right to privacy and the right to data protection are two separate rights,360 the two rights are consistently conflated in most of its practice.361 In contrast to the CFREU, the ECHR does not

350 Marta Otto referring to Mark Freedland in: Otto 2016. pp. 106–107.

351 Gellert – Gutwirth 2013. p. 525.

352 According to László Sólyom, it is undisputed that the right to data protection originates from the right to privacy, although it has to be seen that both rights have grown beyond the concept of mere secrecy or intimacy. Source: Sólyom 1988. p. 55.

353 Purtova 2010. p. 181.

354 For example, Endre Ferenczy argues that data protection is one component of privacy. Ferenczy 2010. p. 48.

355 Hiselius 2010. p. 203.

356 See, for example: Mayer-Schönberger 1997. p. 226.

357 Lee A. Bygrave argues that instead of the use of the expression “data protection”, the expression of “data privacy” is better suited as it can constitute a bridge between the US and the European concept of privacy and data protection, and it better reflects the values to be protected. Bygrave 2004. pp. 321–322.

358 Kokott – Sobotta 2013. p. 222.

359 Purtova 2010. p. 185.

360 In the Bavarian Lager case, the CJEU referred to the existence of a specific system of protection in relation to personal data protection [CJEU: Case C-28/08 P, 2010. par. 60.]. In its opinion in the Volker case, it was stated that “[t]wo separate rights are evoked here: a classic right (protection of privacy under Article 8 ECHR) and a more modern right (the data protection provisions of Convention No 108)” acknowledging the existence of a separate right to data protection. (par. 71.) However, in the Volker judgement the CJEU employed the confusing expression of “the right to respect for private life with regard to the processing of personal data” (par. 52.) Source: CJEU: Joined cases C-92/09 and C-93/09, 2010

361 For example, in the Rundfunk case the CJEU interpreted the DPD in the light of Article 8 of the ECHR. (CJEU: Joined Cases C-465/00, C-138/01 and C-139/01, 2003. par. 21.) In the case of Promusicae the CJEU

contain a separate provision corresponding to the right to data protection, still, the ECtHR deduced certain data protection rules from Article 8,362 treating data protection as a privacy interest.363 Lee A. Bygrave refers to the existence of an “almost universal consensus” that data protection mostly aims to protect privacy.364 Indeed, privacy occupies a central role in data protection, as supported by numerous legal documents and by scholars as well. According to these views, data protection aims to ensure privacy.365

In contrast to interpreting data protection as a subset of privacy, different authors understand data protection as having a wider scope than privacy.366 For example, Orla Lynskey argues that the right to data protection – though overlapping with the right to privacy – offers an additional protection for individuals.367 Several other authors draw attention to the fact that despite the connection between privacy and data protection, data protection cannot be limited to the protection of privacy, but aims to ensure the protection of other rights, being broader than privacy.368 Bygrave also expresses that while data protection aims to benefit society as a whole, privacy has a narrower aim, and concentrates on the

employed the term “the right that guarantees protection of personal data and hence of private life” to refer to one fundamental right, treating privacy and data protection as one right. (CJEU: Case C-275/06, 2008. par. 63.) See more on the conflating position of the CJEU in: Lynskey 2014. pp. 569–597.

362 Though Kokott and Sobotta argue that the ECtHR gave rise to a right to data protection, Paul De Hert and Serge Gutwirth are more cautious when it comes to this subject. They argue that though the ECtHR indeed went further than the narrow concept of privacy as intimacy and acknowledged several data protection aspects under Article 8 case law, basic data protection assumptions are not incorporated in its protection. Kokott – Sobotta 2013. p. 223. and De Hert – Gutwirth 2009. p. 24. and p. 27.

363 Purtova 2010. p. 198.

364 http://www.austlii.edu.au/au/journals/UNSWLJ/2001/6.html (Accessed: 28 February 2018), par. 2.

365 For example, according to András Jóri, data protection is “a unique legal way to protect the private sphere of the individual” and “can be interpreted within the protection of private sphere, as the legal instrument protecting privacy in the current societal and technological environment.” Jóri – Soós 2016. p. 15 and p. 20.

Nadezhda Purtova also interpreted existing doctrine as suggesting that the right to data protection and the right to privacy – though not completely synonymous – can be reduced to the same core, which is the protection
