Passenger Name Records in the Framework of EU Principles of Data Protection

Table of Contents

1. The evolution of the European discipline concerning data protection: from Directive 95/46 to the new GDPR
1.1 A brief history of privacy and data protection
1.1.1 The role played by the European Union in data protection
1.2 Relevant Provisions of Directive 95/46/EC
1.3 The principles regarding data protection established in the case-laws of the European Court of Justice
1.3.1 “Bodil Lindqvist” Case: processing personal data by automatic means through internet pages
1.3.2 Google Spain SL & Google Inc v. l’Agencia Española de Protección de Datos & Costeja González
1.3.3 Schrems v. Data Protection Commissioner
1.4 The enactment of Regulation 679/2016: general structure and principles
1.4.1 Material and territorial scope of application
1.4.2 Key Definitions of the GDPR
1.4.3 General principles established for processing and the data quality principles
1.4.4 The rights of the data subject: Chapter III of the GDPR
1.4.5 Privacy by design and by default
1.4.7 Subjects ensuring compliance: The Data Protection Officer (DPO) and the European Data Protection Board (EDPB)
1.4.8 Supervisory Authorities (DPA)
1.4.9 Transfers of personal data to third countries or international organizations

2. The PNR Agreements adopted by the EU with third countries
2.1 What is a ‘Passenger Name Record’?
2.2 The EU-US PNR-Agreements
2.2.1 The 2004 Agreement, in the aftermath of 9/11
2.2.2 The Court’s Judgement in the joined cases C-317/04 & C-318/04 and the Opinion of the Advocate General Philippe Léger
2.2.3 Introduction to the 2007 Agreement and its risks for passengers’ right to privacy
2.2.4 The 2012 PNR Agreement between the US and the EU
2.3 The EU – Australia PNR Agreements
2.3.1 The 2008 EU – Australia PNR Agreement
2.3.2 The 2011 PNR Agreement between Australia and the European Union
2.4 The 2005 Agreement between the EU and Canada regarding processing of API/PNR Data
2.5 The Opinion 1/15 of the European Court of Justice
2.5.1 The ECJ’s analysis of the Draft Agreement with Canada and the Opinion of Advocate General Paolo Mengozzi
2.5.2 The ECJ’s reasonings
2.5.3 Will the Opinion 1/15 have “systematic” effects?

3. The process of adoption of PNR Directive 2016/681
3.1 The 2007 Proposal to establish a common framework on PNR in the EU
3.2 The 2011 Proposal for a Directive, in the aftermath of the Treaty of Lisbon
3. The principles established by the European Court of Justice for data retention
3.3 “Digital Rights Ireland” case: the invalidation of the Data Retention Directive
3.3.1 The Judgement of the Court and the principles set out for Data Retention
3.4 “Tele 2 Sverige and Watson” Case: a European digital rule of law?
3.4.1 The facts of the proceeding
3.4.2 The Judgement of the European Court of Justice
3.5 The adoption of Directive 2016/681
3.5.1 The provisions of the new EU PNR Directive
3.5.2 Scrutinizing Directive 2016/681

4. Conclusion

Bibliography

Introduction

The aim of this work is to describe the framework of data protection principles within EU law. It will be described how the right to privacy and data protection have been evolving since their birth and how they became fundamental rights that need to be balanced with other crucial interests of the Union, namely, national or public security, with special regard to Passenger Name Records (PNR).

A passenger name record consists in a set of data elements which concern each airline passenger’s travel itinerary, such as the number and method of reservation , home address, email address, timestamped IP address, mobile and phone numbers, emergency contacts, travel details, payment methods, Frequent Flyer Numbers, and even other billing information as meals or services required by the passengers.In Chapter I it will be pointed out: at first, how the right to privacy was firstly debated within the domestic law of the United States; secondly, which international organizations laid down principles dedicated to the right to respect for private and family life; eventually, how the European Union created a comprehensive set of data protection laws safeguarding data subjects’ rights.

In this regard, there will be analysed also the most relevant principles of the former Directive 95/46/EC¹ and the process that brought into the adoption of the General Data Protection Regulation².

Within Chapter I there will be also examined the most remarkable judgements given by the European Court of Justice, which established several benchmarks for the right to data protection, such as “Lindqvist” Case, “Google Spain”, and “Schrems”³ Regulation 2016/679 will be the main object of Chapter I, as far as it represents nowadays a set of rules that put data subjects’ rights at the core of the discipline set out for data protection.

The final purpose of Chapter I is to explain the most relevant concepts and definitions of data protection. Understanding such principles is necessary to analyse appropriately Chapter II and III.

Chapter II will deal with the international agreements regarding “Passenger Name Record” that have been adopted by the EU with third countries.

There will be even observed the main characteristics of ‘Passenger Name Records’ pointing out how they were perceived, at first, as commercial records and when they became useful for purposes of preventing terrorist offences and other serious crimes.

In fact, in the aftermath of the terrorist attacks of 9/11, in 2001, Passenger Name Records were seen as fundamental tools in order to counteract efficiently terrorism.

Thanks to PNR it is indeed possible to know in advance the travel information of airline passengers, allowing national authorities to intercept alleged terrorists.

The need to ensure national security not disregarding at the same time the right to data protection created a new dialectic between the EU institutions, supporting different ideas of what approach the EU should have undertaken to regulate Passenger Name Records: firstly, there were the European Commission and the Council, emphasising particularly how international cooperation to regulate transfers of PNR data could be useful for purposes of crime prevention, even “sacrificing” the rights to privacy and data protection; secondly, there was the European Parliament which adopted a “human-rights oriented” approach, insisting on the need to safeguard the rights to privacy and data protection; at last, it is possible to find another view in the European Court of Justice (ECJ), aware of the exigence of preventing and combating crimes, but not disregarding the essential content of the fundamental rights to privacy and data protection.

It will be indeed demonstrated how the ECJ adopted a realistic compromise between data protection and national security, legitimising mass surveillance, but criticising also how it has been concretely enacted regulating PNR data⁴.

In order to examine in depth such dialectic there will be described the current Agreements adopted on PNR data and especially the joined Cases “EU Parliament v. Council of the European Union and Commission of the European Communities”⁵.

As regard to such dialectic, the Opinion 1/15⁶ represents the core of Chapter II, as far as the ECJ established for the first-time certain guidelines that can inspire in the future the negotiations between the EU and third countries concerning the PNR Agreements. Moreover, in the above-mentioned Opinion, the European Court of Justice set out general principles that should inspire every legislation adopted within Member States domestic law that seeks to find a compromise between public security and data protection.

In the third Chapter there will be analysed the historical efforts of the EU Institutions to create a consistent regime within EU law regarding PNR.

In this respect, there will be also examined specific rulings referring to data retention, that have been recalled within the Opinion 1/15.

Analysing these judgements is necessary in order to understand whether the current PNR Directive is in line with the benchmarks established by the Luxembourg Judges for data retention, according also to the principles set out by the ECJ in the Opinion 1/15 which clarified the appropriate legal bases to adopt rules for PNR data. Within Chapter III there will be even explained the content and criticisms of the recent PNR Directive, which established for the first time a regime within EU law concerning transfers of air passengers’ data.

Finally, the purpose of Chapter III is to ascertain whether there exists nowadays a set of principles defining the approach that should be followed by the EU Institutions whenever they try to find a compromise between data protection and national security and to ascertain whether the new PNR Directive is respectful of such principles.

Another objective of this dissertation is also to verify how the protection provided by the ECJ for the right to privacy and data protection is linked to the Charter of Fundamental Rights (CFR), which enshrined in Articles 7 and 8 CFR the rights to privacy and data protection. In fact, in the aftermath of the Treaty of Lisbon, the Charter has acquired the same legal value as the other Treaties, pursuant to Article 6 TEU.

The European Court of Justice laid down relevant principles within the judgements that will be analysed in Chapter III, thanks also to the interpretation of Articles 7 and 8 CFR.

Furthermore, this work will try to remark the difficulties and efforts to lay down rules for transfers of PNR data, having regard to the legal basis to adopt. In this regard, it will be useful to compare the joined Cases “EU Parliament v. Council of the European Union and Commission of the European Communities” with the recent Opinion 1/15. In fact, the legal framework to adopt rules for data protection is different in the two cases. When the ECJ dealt with the first case there still was the Pillar structure introduced with the Treaty of Maastricht, whilst the Opinion 1/15 allowed the Judges to analyse the appropriate legal basis to adopt rules for transfers of PNR data with a clearer framework, in the aftermath of the Treaty of Lisbon.

Analysing the above-mentioned cases enables the readers to understand how the changes of the general legal framework had an impact on the adoption of rules for PNR data and to grasp how the European Court of Justice has had the possibility, thanks to the Treaty of Lisbon, to examine more thoroughly the essential content of the rights to privacy and data protection, balancing them with the interest to ensure national security.

1. The evolution of the European discipline concerning data protection: from Directive 95/46 to the new GDPR

1.1 A brief history of privacy and data protection

The aim of this Chapter is to illustrate the fundamental principles of privacy and data protection, pointing out how they have been evolving in the last decades and demonstrating how they acquired a prominent role within EU law, also thanks to the judgements given by the European Court of Justice⁷.

It will be considered, for instance, how data protection rules were set out, at first, to ease the functioning of the Internal Market and how awareness has grown with regard to the importance of data subjects’ rights. Analysing the development of data protection rules will demonstrate how there exists nowadays a set of fundamental precepts that shall be respected by each legislative measure having an impact on privacy and data protection⁸.

In this regard, it will be even examined the recent Regulation 2016/679⁹, which represents the very significant step forwards in the recent evolution of the right to privacy and data protection.

Compared to other fundamental rights, privacy is one of those that has been more threatened in the last decades by technological innovations. It always attracted the attention of numerous authors, especially to define the content of this right and because, since its birth, it was already clear that privacy is intimately connected with human dignity and with the independence of the individual.¹⁰

One of the peculiarities of the right to privacy is its genesis. Usually, fundamental rights and freedoms arise and spread thanks to International Conventions or constitutional traditions, whilst “privacy” had been firstly debated within the domestic law of the United States and, afterwards, it was enshrined in several International Conventions, before its conceptualization in some national legal systems.

Designing the historical lineage, traditionally, the origin of the debate concerning the definition of privacy is attributed to Samuel D. Warren and L. D. Brandeis, two jurists from Boston who published in 1890 in the Harvard Law Review an article called "The right to privacy"¹¹, intended as “the right to be let alone”, jeopardized by gossip through “instantaneous photographs and newspapers” (which were the technologies spreading at that time).

The authors demanded the recognition of the right to be let alone as a general and separate right which ensures the protection of feeling and emotions.

The society indeed had to safeguard the individuals against any unwanted disclosure of private facts or thoughts¹² and probably, the continuous technological developments, made easier to affirm this right in the last century¹³.

The right to privacy was not perceived, at its birth, as a fundamental and autonomous right to set out in national Constitutions. International guarantees anticipated the protection offered by national laws in Europe. In other words, international conventions created a right that was not transposed in any European constitution existing at that time, a right arisen at that moment, only within US national law. “Private life” is the key concept, namely, a value that needed to be protected similarly as the domicile, correspondence and reputation, without having an autonomous dignity as a right. There was not indeed a real awareness about the creation of a right in the same way as it is designed today.

Nonetheless, further debates and reflections made “private life” an umbrella term, meant to protect more than what was originally established within these international conventions¹⁴. So, analysing international humanitarian law might be useful to understand how this right expanded, and, also, to understand how this right was designed at its first conceptualization. In international human right law indeed, the “right to respect for private life” emerged firstly in Article 12 of the Universal Declaration of Human Rights (UDHR) adopted in 1948¹⁵ and then, in Europe, thanks to the Article 8 of the European Convention of Human Rights (ECHR)¹⁶ providing protection for the individual’s private and family life, home and correspondence, forbidding any interference by public authorities that is not envisaged by the law and that is not necessary in a democratic society. These international conventions thus protect only some aspects of private lives; and, state constitutions, signed in the aftermath of second world war, were neither containing a general definition of the right to privacy¹⁷. The UDHR consisted in soft laws, so, it did not impose binding duties to Member States of the UN, whilst the European Convention on Human Rights became the main instrument to foster reflections and development of the conceptualization of ‘privacy’ in Europe. In fact, the European Court of Human Rights, thanks to the teleological interpretation, was able to interpret the right originally designed in article 8, making it more adapted to the new needs and demands of the society, and creating new standards in data protection¹⁸.

Furthermore, in 1966, the United Nations adopted two international conventions concerning human rights: the “International Covenant on Civil and Political Rights” (ICCPR), and the “International Covenant on Economic, Social and Cultural Rights” (ICESR). The ICCPR, in article 17¹⁹, reproduces almost exactly article 12 UDHR, but there is a difference: the right in Article 17 ICCPR is enshrined in a binding instrument.

From the 1970s, at the dawn of information technology age, it was evident that the European Convention of Human Right had some limitations. Firstly, because there was not any clear definition of privacy and it was only ensured protection between individuals and state authorities, not providing any horizontal effect and protection for ordinary data²⁰. So, the Council of Europe decided to adopt the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal data” (“Convention no.108”)²¹ in 1981.

The aim of this Convention was “to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him”.

Looking at the terminologies of the Convention no. 108 (which refers to data protection), it might be useful to trace a general distinction between privacy and data protection. It is not the aim of this paper to trace a formal and detailed distinction of these two rights. In fact, when it comes to the content of these two definitions there might be overlaps; sometimes, data protection is a wider concept than privacy and, sometimes, vice-versa.

Data protection is wider when we consider that data protection laws apply to all kind of personal data processing, even when privacy itself is not infringed. Furthermore, not all kind of data-processing are necessarily related to the private sphere of an individual.

On the other hand, a law regarding privacy does not imply rules referred to all data processing that do not interfere with the individual’s private life. The nucleus of the privacy definition indeed consists in the right to impede everyone from interfering with our own private and intimate life (ius excludendi alios).

Data protection affirmed, instead, as another concept after the second world war because the totalitarian regimes showed the inauspicious effects that automatic data processing may have²², and it consists in the protection of natural people against automatic data pro­­cessing that take place without their consent or without an explicit law prevision.

1.1.1 The role played by the European Union in data protection

We can notice that the European Union has been the last international organization to provide a law concerning data protection. This can be explained because originally the cooperation sought by the European Member States was oriented to the economic field, though, during the last decades, the EU became more than an “economic community”, becoming rather a community of law.

In the aftermath of the Maastricht Treaty, Member States realized that only with a European Data protection system could be possible to reach a complete economic integration and a creation of a real single market. Maastricht Treaty indeed created the European Union and spread the integration process. The EU organization was set in three pillars: the European Communities, the Common Foreign and Security Policy (CFSP) and, eventually, cooperation in the field of justice and home affairs (JHA). This implied, for the first time, clear legal frameworks to adopt data protection rules. Furthermore, Article 6 TEU²³ stated that the Union would have respected the rights and freedoms of the ECHR resulting from the Member States constitutional common traditions, as general principles of Community law. This may have contributed to introduce international parameters in data protection matters, as designed by the European Court of Human Rights²⁴. Afterward, the European Union deemed appropriate to design its own “system” to protect human rights. The EU, so, firstly promulgated its own data protection standards with Directive 95/46/EC²⁵ (adopted within the First pillar) and, after, the “Charter of Fundamental Rights of the European Union” (CFR), ratified in 2000 (also called “Nice Charter”).

The Nice Charter is fundamental to understand the importance of data protection for the European Union, especially, if we consider that thanks to the Treaty of Lisbon signed in 2007, the Charter has the same legal value as the other Treaties.

Article 7 CFR²⁶ enshrined the right to respect for private and family life (the nucleus and original definition of the right to privacy, whilst Article 8²⁷ deals specifically with data protection. The CFR divides thus the right to privacy and data protection in two autonomous rights²⁸.

Moreover, it is also relevant Article 16 TFEU²⁹ that set out once again data protection as an autonomous right but, especially, provides a legal basis allowing the EU to adopt rules in data protection, which is a fundamental right of the individuals that must coexist with all the other fundamental rights (such as freedom of expression and freedom of the press). Nevertheless, we should also notice that Article 52 CFR authorizes restrictions of the rights expressed in the Articles 7 and 8 whether the limitations are established by the law and if the laws respect the essential content of these rights.³⁰

The evolution of data protection is strictly connected to the case laws of the European Court of Justice³¹. In fact, thanks to some historical judicial rulings, it became clear that Directive 95/46/EC needed to be replaced. This happened with Regulation 679/2016 that will be the main object of this Chapter³².

1.2 Relevant Provisions of Directive 95/46/EC

After five long years of negotiation, Directive 95/46/EC³³ entered into force in 1995 under the First pillar, that was including the European Communities pursuant to Articles 100(a) and 189 (b) of the Treaty of Rome. The aim of this Directive was to harmonize the Single Market and national laws concerning data protection. Different rules in data protection could become indeed “immaterial frontiers” preventing the Internal Market from developing a full Union³⁴.

In the time in which the Directive was entering into force, the internet was spreading, and it was already possible to guess the potentialities that it could have had in the future: The World Wide Web could become indeed an opportunity to advertise directly online consumers. Maybe, it would have been better establishing new standards through a Regulation; nevertheless, the Directive represented for more than twenty years an important instrument to grant data protection to European citizens and many definitions within it are repeated and modified by the new Regulation.

The Directive reflected some data protection principles that were contained in the Convention no. 108 and in some European Member States laws³⁵, but there have been introduced direct enforceable rights and other measures to ensure compliance within the EU; for example, the Directive introduced an independent supervision authority as an instrument to improve compliance with data protection rules.

A Directive is a legal instrument that does not applying directly and needs to be transposed into the national laws of the Member States. This meant that the latter had a margin of discretion in transposing the Directive’s rules. Practically, this implied that Directive had been transposed differently throughout EU Member States and, as a consequence, definitions and rules have been interpreted differently in every State.

Just to make some examples, the severity of sanctions and the levels of enforcement were varying among the States. These facts, together with the technological development, and some judicial rulings³⁶ favoured a new proposal in 2012, published by the Commission that brought into the adoption of the General Data Protection Regulation that became fully applicable in 25th May 2018.

Starting to analyse the general provisions of the Directive, due to Article 2 (a) personal data are defined as “any information relating to an identified or identifiable natural person (called “data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, mental, economic, cultural or social identity”. From this definition is clear that the personal data are related to the information that permit to identify an individual.

Article 2 (b) proceeds stating that “'processing of personal data' shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

Responsible to compliance with the data protection rules is the “controller”, namely the natural or artificial person, public authority, agency or any other body which alone, or jointly with others, determines the purposes and means of the processing of personal data (art. 2 let. d). Even if the controller is established outside the EU, whether processes data in the EU using automated equipment, or otherwise, situated on the territory of a Member State (this is the situation that involves online companies that trades with EU consumers) had to grant compliance with the European Data protection Rules (art. 4, let. c).

Then, it is noteworthy noticing the principles relating to data quality expressed by Article 6, stating that Member States shall provide that personal data must be processed fairly and lawfully, collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

The principle of ‘transparency’, in the meaning of the Directive, implies that the individual has the right to know how and when his personal data are being processed. Moreover, the controller must provide his address and name, the aims of processing, the recipients of data and all the other relevant information which are necessary to demonstrate a fair data-processing. Conditions for lawful data processing are also expressed in Article 7, these are: the data subject’s consent, if processing is necessary for compliance with a legal obligation, or whether is necessary for the performance or the entering into a contract. It is also lawful when processing is needed to protect the “vital interests” of the data subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller or in a third party to whom the data are disclosed. It is also lawful whenever processing is necessary for the purposes of the “legitimate interests” pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject. Processing of personal data shall not exceed the purposes for which they have been collected. They must be adequate, relevant, and kept up to date (with deletion or rectification). There is also a specific section (the third) dedicated to sensitive data, namely, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data concerning health or sex life, having more guarantees and extra-restrictions than personal data having regard to processing³⁷.

One of the most central disciplines of the Directive is the one set out for the transfer of personal data to third countries. Due to the Directive, it is not forbidden to transfer data to third countries if they grant an adequate level of protection. This discipline was one of the most problematic. The European Court of Justice indeed has been called to rule in several cases how to interpret these rules in accordance with data protection principles³⁸.

The main rule was provided by article 25 (6). The Commission was the subject with the task to assess whether a third country grants an adequate level of data protection with an “Adequacy Decision³⁹ ”. The procedure to adopt such Decision begins with a proposal from the European Commission, then, the “Article 29 Data Protection Working Party⁴⁰ ” and a Committee composed by representatives of EU Member State have the faculty to put forward their view to decide whether (or not) a third country grants a level of data protection substantially and essentially equivalent to EU standards.

The Working Party of Article 29 (from now WP29) has been also important for the evolution of data protection. It was an advisory body, composed by representatives from the data protection authorities of every EU Member State, the Commission and the European Data Protection Supervisor. Its tasks were to provide advice to States regarding data protection, to promote the consistent application of the Data Protection Directive throughout EU Member States, to give to the Commission an opinion on every project to reform the Directive, and, eventually, to make recommendations to the public on matters relating to data protection.

So, the WP29 used to gather every two months and it released several Opinions on some data protection themes; some of them were relevant for the adoption of the GDPR.⁴¹ After the 2016 Regulation, the WP29 has been replaced by the European Data Protection Board⁴², a body having similar functions.

1.3 The principles regarding data protection established in the case-laws of the European Court of Justice

Directive 95/46/EC has been an instrument that allowed the European Court of Justice (ECJ) to set out some principles that inspired the new Regulation. Moreover, the ECJ had an important role not only “updating” and integrating the rules established in the Directive in two decades of rapid technological changes, but also laying down the concrete meaning of the dispositions contained in the Directive, appearing in some cases incomplete.

Some of the precepts set out by Luxembourg Judges continue to constitute a fundamental benchmark to interpret the new rules and they still are a guide for the rule-makers that cannot be neglected, especially concerning data-transfers outside the EU.

The most relevant case laws are three: “Lindqvist case”, “Google Spain v Costeja”, and, eventually, “Maximillian Schrems Case”⁴³.

1.3.1 “Bodil Lindqvist” Case: processing personal data by automatic means through internet pages

“Lindqvist” case regards a criminal proceeding against Bodil Lindqvist⁴⁴. She was a Swedish church worker who published on the homepage of her personal website personal information concerning the parish workers. These data included their names, telephone numbers and hobbies. There were even some descriptions of her colleagues in a playful and not offensive way. Her aim was to give some useful information to those who wanted to receive the saint Confirmation. Considering that Mrs. Lindqvist did not obtain their consent, a criminal proceeding started in Sweden. Obviously, the data protection Directive applied even if the data processed were trivial or inoffensive.

The Swedish Court argued that Bodil Lindqvist had processed personal data without notifying the Swedish data protection regulator, that she did not obtain an explicit consent to process sensitive data (which are the particular categories of data revealing ethnic origin, sex life, etc) and she even transferred personal data to a third country without authorisation.

The European Court of Justice was then referred for a preliminary ruling and it stated that the act of loading personal information in an Internet page onto a server, making it available to all other internet users involves automatic operations and certainly it falls within the scope of the definition of ‘processing’ given by Directive 95/46/EC.

Analysing the opinion of Antonio Tizzano⁴⁵ might be interesting, in fact, the Advocate General held that the Directive could only be used to fulfil the aims for which the Directive has been laid down, namely, for the proper functioning of the internal market, and not to protect human rights. He continues, stating that in this case, Mrs. Lindqvist did not pursue any economic activity and so, the field of the application of the Directive appears particularly “unsure and uncertain”.

The European Court of Justice disagreed with Tizzano’s opinion.

Theoretically, the opinion of Antonio Tizzano could be agreed looking at the literal rules expressed by the Directive. However, the Judges perceived the risks of such interpretation ignoring the effects and the deep impact that data protection rules may have on human rights. Mrs. Lindqvist, publishing her colleagues’ personal data on the Internet, made their data accessible to an indefinite number of people.

For this reason, the ECJ also states that it is not possible holding the thesis that the publication has been done for personal or household reasons (it would fall into the exception of the article 3, paragraph 2, of the Directive⁴⁶ ). Eventually, the Court held that it belongs to the Swedish Court the task to assess and balance the right of freedom of expression and to judge if possibly the punishment foreseen by Swedish law is disproportionate (or not) to the offense committed. But there are no doubts that such behaviour violated the Directive.

Despite the webpages were accessible outside the EU, the Luxembourg Judges deemed that there was not any transfer of data to a third country.

The Internet indeed was not developed in such a way suggesting that the word “transfer” (defined within the Directive) was intended to cover the loading of data made by any individual onto an internet page⁴⁷.

Finally, it is also noteworthy pointing out that in this case, the ECJ was asked to consider only Mrs. Lindqvist internet activities and not the processing carried out by the Hosting Companies.

1.3.2 Google Spain SL & Google Inc v. l’Agencia Española de Protección de Datos & Costeja González

Another relevant case is “Google Spain v. Costeja”⁴⁸. In 2010, Mr. Mario Costeja Gonzàlez, a Spanish citizen, brought a complaint before the Spanish Data Protection Agency against the newspaper “La Vanguardia Ediziones SL” (famous in Catalonia), Google Spain and Google Inc.

Mr. Gonzalèz was pointing out that searching through Google, it was possible to find among the various results some links of the Catalan newspaper, with the record of his attachment and garnishment proceedings of 1998. He wanted the newspaper to remove or alter the information available so that the latter would be no longer available through Internet search engines.

He also requested Google Inc. or its subsidiary, Google Spain to conceal or remove the data. In fact, his proceeding was already resolved and there was no reason still justifying that link on Google.

However, the Spanish Authority rejected the complaint against the newspaper, considering that there was a government order and so, the publication was lawful.

Nevertheless, the Spanish Data Protection Authority upheld the argument against Google, noticing instead that Internet search engines are surely subject to data protection rules and they must take all the necessary precautions to protect personal information. As a consequence, Google Spain and Google Inc. had to remove their data from their search indexes, in order to make impossible to access information regarding Mr. Gonzàlez.

On appeal, Google Spain and Google Inc. involved the National Hight Court of Spain, asking to amend the Agency decision. But the Appeal Court presented numerous questions to the European Court of Justice to have some clarification regarding the interpretation of Directive 95/46/EC.

The ECJ held that the Directive can be applied to a foreign internet search engine company having a branch or subsidiary that has the clear intention to promote or sell advertising space geared toward the inhabitants of a European Member State⁴⁹.

Furthermore, search engines are controllers and they process personal data whenever they locate, index the results, store and elaborate information. This means that they must guarantee the right to privacy and data protection, even removing personal information published by third party websites.

The data subject has thus the right to make a request to erase the data indexed in the list of the results displayed searching the person’s name or any other information that bring to web pages through links. This request must be balanced with other values, such a possible public interest to access certain data. There might be the possibility to ask for deletion of data even if a name or information is not erased beforehand or simultaneously from the web pages ad it can be asked even if an initial dissemination of information made by a search engine is lawful⁵⁰.

The right to privacy and data protection overrides not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name⁵¹.

But the Court pointed out eventually an important issue: there might be some cases where the indexed publications are justified by a preponderant interest of the general public. In these cases, the right to privacy and data protection ceases to exist⁵². Nevertheless, if a request met the requirements of this judgement, but the Search Engine decides to ignore it, the data subject has the possibility to bring a claim to the Data Protection Authority or to the national judge that can evaluate the legal basis of the claim, possibly ruling the appropriate measures after the suitable assessments.

This ruling of the European Court of Justice made many authors⁵³ write about a sort of “right to be forgotten”, now surely set out in Article 17 of the GDPR.

1.3.3 Schrems v. Data Protection Commissioner

A fundamental judgement that also contributed to the evolution of the data protection discipline concerning data transfer to third countries is surely “Maximilian Schrems” case⁵⁴.

Before analysing the case, it is necessary to explain some preliminary issues. In 2000, the European Commission adopted Decision 2000/520/EC⁵⁵, authorizing personal data transferring from Europe to US businesses, due to the so-called “Safe Harbour Principles⁵⁶ ”.

Overviewing data protection rules in the United States of America, it would be possible to notice a lack of a Data Protection system comparable to the one which was ruling in the EU.

So, the European Union gave the possibility to US companies to adhere spontaneously to specific principles of protection, expressed by the Safe harbour principles. The acceptance of these was optional, but whether they were subscribed, US companies had to respect them. There was the Federal Trade Commission, and, for transportations, there was the Department of Transportation having the task to ensure the respect of the Safe Harbour Principles⁵⁷.

The facts of the case law involved Maximillian Schrems, an Austrian Facebook user and privacy activist. In 2011, he lodged twenty-three complaints to the Irish Data Protection Commissioner against Facebook Ireland, holding that Facebook Ireland had committed severe infringements of data protection provisions under EU and Austrian data protection law, especially because Facebook transferred his data to servers located on the territory of the United States. Basically, Schrems held that after the revelations of Edward Snowden concerning the intelligence activities carried out by the National Security Agency, it was evident that the US was not offering adequate protection. The Irish Commissioner rejected the claim holding that there is Decision 2000/520/EC with which the European Commission assessed as adequate the level of protection granted by American Businesses that subscribed the Safe Harbour Principles.

After Schrems’ claim had been refused, he brought a new claim before the High Court, which decided to refer for a preliminary ruling the European Court of Justice to know whether an adequacy Decision of the EU Commission prevents or not an autonomous evaluation of a national Data Protection Authority concerning the adequacy of the protection ensured by a third country. Moreover, the High Court asked the ECJ whether a Data Protection Authority has the possibility to suspend the transfer of data wherever it ascertains that the protection guaranteed of a third country is not sufficient.

The ECJ invalidated Decision 2000/520/EC. As a consequence, the Irish Data Protection Authority has the task to examine and decide whether, basing on Directive 95/46/EC, it was necessary to suspend the transfer of data to a third country.

The data protection instruments of a third country must be assessed in their practical efficiency. The Court also analyses the article 1 of the Decision, pointing out that to adhere to the Safe Harbour principles is enough a self-certification based on a voluntary approach and it noticed that no guarantee is required by the US.

Such exemption implies that US Public Authorities are not practically obliged to ensure data protection to EU citizens.

In paragraph 92, the Court stated that “protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary”.

The US legal system was giving the possibility to public authorities to access on a general basis the content of electronic communications infringing severely the right to privacy enshrined in Article 7 CFR.

Moreover, there were not rules granting a European Citizen to access data that regard him or her, nor to rectify or delete them. Eventually, the absence of a judicial remedy violates article 47 CFR.

So, the Commission, adopting a Decision limiting the prerogatives of Data Protection authorities, violated the rule laid down by Article 28 of Directive 95/46/EC (defining the powers of the Supervisory Authorities) and it has gone beyond its competences expressed in the Article 25 (6) of the Directive, interpreted due to the dispositions and principles of the Charter.

The ECJ, in this ruling, narrowed the discretion of the Commission when it assesses the adequate data protection offered by third countries, which must be “essentially equivalent”⁵⁸ to EU standards.⁵⁹ Data Protection Supervisory Authorities counterbalance the assessment powers of the Commission and they can examine the Commission Decision of adequacy.

1.4 The enactment of Regulation 679/2016: general structure and principles

Directive 95/46/EC was becoming inadequate, whereas it was made in an era where the Internet was not widely spread as today, before the Charter of Fundamental Rights and before the Treaty of Lisbon.

“Social networks”, “drones”, “vehicle-data”, “self-driving vehicles”, “cloud computing”, “big data”, “internet of things”, the so-called “Web 2.0” and so on, were unthinkable terms in 1995.

The Luxembourg Judges, interpreting the Directive, partially anticipated some contents and principles of the new Regulation, establishing several benchmarks in the case laws analysed in the previous paragraph⁶⁰.

Thanks eventually to the WP29, the EU Commission recognized the necessity to update data protection rules. It was also an opportunity to strengthen individuals’ rights and, at the same time, to improve the discipline concerning data transferring to third countries. Furthermore, as some authors pointed out, making a new Regulation could be an opportunity to strengthen consumer confidence in eCommerce and to enable individuals to better control their data, being more aware of how such data are used and processed.⁶¹ As the European Commission had held, the EU Digital Single Market could even benefit from a new law fostering consumer trust⁶².

The Regulation is inspired by the former Directive, but it introduced new rights and definitions. Just to make some examples, we have the definition of ‘biometric data’, ‘pseudonymization’, a well-explained right to be forgotten, and the right to know all the data breaches. Moreover, some important and fundamental concepts such as ‘privacy by design’, ‘privacy by default’, and ‘accountability’ are disciplined.

The procedure for the adoption of a new data protection Regulation began in 2012, when the European Commission released a new proposal to adopt new rules in data protection. After that year, separate negotiations had started within the Council and the European Parliament (EP), with the participation of WP29. In March 2014, the European Parliament voted in plenary for the adoption of the GDPR, and in December 2015 there was the approval within the three EU Institution (the EU Parliament, the Council and the European Council). On 27th April 2016 the GDPR⁶³ was promulgated, but it entered into force on 25th May 2018.

As regards the structure of the Regulation, it is articulated in 99 articles, with 173 Recitals that contribute to define the material and territorial scope together with articles 1, 2, 3.

As expressed indeed in Recital 2, the right to data protection is a right granted regardless of a person’s nationality or domicile. However, in Recital 4, the EU legislator pointed out that this value is not absolute, but it must be balanced against other fundamental rights in accordance with the principle of proportionality.

After the first articles, dedicated to the definitions and to data quality principles, the third Chapter of the Regulation gives directly enforceable rights to the data subjects. Leaving aside Chapter III, it is possible noticing that the GDPR contains measures for preventive compliance to protect data subjects⁶⁴. The Regulation also suggests, for instance, the best practices to which enterprises must comply with (even encouraging self-regulations⁶⁵ such as Code of Conducts and Certifications); it advices the adoption of techniques as the “anonymisation” and lays down the conditions for which it is necessary to appoint a Data Protection Officer, a novelty introduced to ensure compliance with data protection during and before processing, already within enterprises’ activities. There are thus rules to ensure that ex ante, processing is lawful, then, rights exercisable by individuals during and after processing, and, eventually, rules to safeguard them ex post, in “pathological” phases of the legal relationship between controllers and data subjects. In fact, there are different remedies for individuals, and different categories of penalties to punish those undertakings which infringed the values afforded by the GDPR.

Looking at the general structure of the Regulation, it is clear that it has many objectives, in addition to ease the Internal Market. The GDPR indeed has the ambition to put the “user” (data subject) at the centre⁶⁶. It lays down general principles, but it also tries to concrete them in specific provisions, enabling the individuals to be proactive during data processing.

Eventually, irrespective of how data subjects behave concretely, the GDPR still sets out specific provisions to protect them, even if they are inactive and also if they have lost the interest to know exactly how their data are being processed.

1.4.1 Material and territorial scope of application

The objective of the GDPR, pursuant to article 1, is granting protection to all the natural persons not deceased both for automatic processing as well as for manual processing. The legal persons are not included in the scope of the protection, as expressed in Recitals (14) and (26).

Moreover, this Regulation does not apply to issues of protection of fundamental rights and freedoms related to activities falling outside the scope of Union law, such as activities concerning national security, common foreign and security policy⁶⁷, as well as personal data processed by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties⁶⁸. It falls also outside of the scope of this Regulation processing of personal data of a purely personal or household activity and thus with no connection to a professional or commercial activity.

These Recitals explained together with article 2 the material scope of this Regulation⁶⁹. Article 3 sets instead the territorial scope. The GDPR indeed applies to processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether processing takes place within the Union or not⁷⁰. Even whether a controller or a processor is not established in the EU, the Regulation applies whenever the processing activities occurred in relation to the offering of goods and services (regardless of whether a payment of an individual is required), to such data subject in the Union and also whether the processing activities are related to the monitoring of the data subjects’ behaviour as far as their behaviour takes place within the Union.

The third paragraph points out that the Regulation applies to the processing of a personal data by a controller or processor not established in the Union, but in a place where Member State law applies by virtue of Public International law.

This implies that social networks and all the web platforms and search engines will be subject to European rules though they are managed by companies established outside the EU.

After having analysed the material and the territorial scope, it is appropriate to keep up the examination looking at the key definitions of the Regulation.

1.4.2 Key Definitions of the GDPR

There are numerous definitions in article 4, some of them were already in force with the Directive, others are instead novelties of the General Data Protection Regulation. ‘Personal data’ is not a novelty, and it means “any information relating to an identified or identifiable natural person”.⁷¹ A person can be identifiable thanks to many factors such as multiple references to its physical, mental, economic, cultural or social identity. Even when a consumer books a place for his or her stay, takes a flight for a journey, and even a simple payment with a credit card: many elements can be items of information that can permit to identify people.

There are two categories of personal data: general and sensitive personal data (defined within the Regulation as “particular categories of data”). The main difference is that Article 9 (referring to sensitive data) of the Regulation sets out further and specified conditions for lawful processing.

Sensitive data indeed includes “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.” The general rule established by article 9 (1) is that it is forbidden to process these data. The second paragraph⁷² establishes ten important exceptions that need to be examined. It is possible indeed to process personal data whenever the data subject has given his or her explicit consent. However, there are fundamental values that override the explicit consent of a data subject. For instance, if the controller has to pursue specific duties or obligations concerning labour law or social security (authorized by legislative measures or collective agreements) it is possible processing of sensitive data without an explicit consent of a data subject. Sometimes, an individual might not be in a condition to give a free consent because is mentally incompetent; in these cases, to protect its vital interest it is possible processing personal data. Even associations, trade unions and other not-for-profit organizations can process without authorizations sensitive data if the processing activities refer solely to current or ex-members, and if data are not disclosed externally.

Member states have the possibility, thanks to article 9 (5) to maintain or introduce further conditions or limitations for what concerns genetic data, biometric data or health data. Moreover, as expressed by article 9 (2) let h), data for health reasons can be processed under the responsibility of a professional or another person, subject to the obligation of professional secrecy under EU or Member State law or rules established by national competent bodies.

It is worthy now analysing the most relevant definitions of the particular categories of personal data listed in article 4. Some of them were not contained in the Directive and so, they are novelties introduced by the GDPR. Firstly, health-data, which include:

1)“Genetic data”, namely personal data which relates to the inherited or acquired genetic characteristics of an individual which give unique information about the health or physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question, for instance deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) and every sample, chromosome, etc, enabling to obtain the information mentioned above⁷³ ;
2)”Biometric Data” which means personal data resulting from specific technical processing relating to the physical physiological or behavioural characteristics of an individual, which permit or confirm the unique identification of that person, such as facial images or dactyloscopy. Examples of such data are irises, voice, and thumbprints.

Then, there are other definitions that were already in Directive 95/46/EC such as ‘processor’, namely, a natural or legal person, public authority, agency or other body which processes personal data⁷⁴ on behalf of the controller.

The latter is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing⁷⁵. Being a controller or a processor does not depend on a formal act, it is a matter of facts and circumstances⁷⁶.

The concept of ‘profiling’ is another novelty of the GDPR, which consists in any form of automated processing of personal data that has the aim to evaluate certain personal aspects which relate to a natural person, in order to assess the individuals’ performance at work, their economic situation, personal preferences, health, interests, reliability, behaviour, location or movement. Article 22 GDPR prohibits any decision that affects data subjects which has been based uniquely on automated processing. WP29 recently adopted new “Guidelines on Automated Individual Decision-making and profiling”⁷⁷.

The ways through which safeguards should be provided may depend on the technologies that carry out the automated processing activities. Trying to outline the most common safeguards of automated processing, it is possible to think that these should include: the right of the individual to have specific information about the possible automated decision, the right to obtain an eventual human intervention on automated processing, the right, for the data subject, to express his or her point of view, the right to obtain an explanation of the decision adopted, and, eventually, the right to challenge such decision⁷⁸.

Pseudonymisation is another definition consisting in a particular technique having the purpose to mask an individual’s identity. This occurs separating some pieces of information that are stored, separated from the others⁷⁹ to avoid traceability.

Moreover, it is necessary to adopt further techniques to prevent identification of the data subject.

1.4.3 General principles established for processing and the data quality principles

Article 5 sets out general data principles which relate to processing activities. In fact, any processing of personal data should be fair, lawful and in a transparent manner pursuant to the principle of transparency, which requires natural people to be aware of rules, safeguards and risks concerning the processing. Individuals also have the right to know any information that relates to the processing in a form that is clear and understandable⁸⁰. They should know the specific purposes for which data are processed, the controller’s and the processor’s identity⁸¹, and they should also know their right to receive confirmation and communication with the data that concern them.

The amount of the personal data must also be relevant, adequate and limited to what is necessary for the purposes for which they were collected and processed (the so-called data minimization principle⁸² ). Linked to this last principle is also ‘storage limitation’ which requires that data must be kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which they have been processed. Another data principle is ‘accuracy’, which requires the controller to keep up to date and possibly rectify without delay all the data processed; it is linked to the principle of ‘integrity and confidentiality’. The latter implies data to be processed in a manner that ensures appropriate security measures against unwanted and unlawful processing. Even accidental loss, destruction or damages must be avoided using appropriate technical or organizational measures.

The controller is the subject responsible and he has to be able to demonstrate compliance with the above principles whether the data protection authority asks for it. This is the principle of accountability, already expressed in Recital 78 and enshrined more specifically in article 24⁸³.

As result reading article 24, the principle of accountability may be strictly related to the technical implementations that may vary business-to-business and it can depend on the economic activities pursued by businesses⁸⁴.

The principles relating to processing of personal data expressed above in article 5 are completed by the rules established for the lawfulness of processing in article 6.

Traditionally, consent has always been the condition for a lawful processing par excellence. To be valid, it needs to be freely given, specific, informed, and with an unambiguous indication of the data subject’s wishes. This means that it can be expressed by a statement, or any other clear affirmative action that makes evident the individual’s consent. Then, data can be collected and processed in relation to this kind of consent, and in a way that cannot be considered to be incompatible with the initial purposes for which the consent has been given (purpose limitation principle, article 5, paragraph 1, letter b). There are other conditions that constitute a lawful premise for data processing.

For instance, it is lawful to process data wherever it is necessary for performance of a contract to which the data subject is party or for the performance of pre-contractual steps prior to entering into a contract. Both when processing is necessary for compliance with legal obligations to which the controller is subject or whether is necessary to protect the vital interests of the data subject or of another individual, processing data shall be lawful. It is also possible to process data whenever processing is necessary for the performance of a task carried out in the exercise of an official authority vested in the controller or in the public interest.

The legal obligations to which the controller is subject, the tasks carrier out in the vest or in the exercise of an official authority, as far as the public interests, can be determined both by EU law or Member State law to which the controller is subject. So, Member States have the possibility to establish further provisions, determining the specific requirements to ensure a lawful processing. In fact, they can contribute to establish other measures and more specified rules for a lawful processing in case of: provisions relating to processing and freedom of expression, processing and public access to official documents, processing in the context of employment and all the others expressed by Chapter IX of the GDPR⁸⁵.

Eventually, it is useful to know that it is lawful to process personal data when it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (not when processing is carried out by public authorities). Whether such interests are overridden by fundamental rights and freedoms of a data subject⁸⁶ (particularly when a data subject is a child⁸⁷ ) which requires protection, processing shall not be lawful.

Further conditions for a lawful processing concerning sensitive data, pursuant to the article 9, have been expressed in the previous paragraph to put in evidence the differences and peculiarities in comparison with “simple” personal data.

1.4.4 The rights of the data subject: Chapter III of the GDPR

Chapter III of the GDPR dedicates a specific and organic discipline to data subjects’ rights. A practical and specified application of the principle of transparency is set out by article 15, that permits data subject to access and to obtain a copy of its personal data as held by organizations or companies. This allows individuals to know also if the inaccurate information that needed to be rectified or deleted have been effectively modified. Concretely, this may include for instance the possibility to ask to be taken off from a direct mailing list.

The “right of access” implies also that the data subject can ask to know if actually his or her data are being processed or not. Article 15 includes a list of information to provide to data subjects⁸⁸. It is noteworthy noticing that, due the fourth paragraph of article 15, the right to access cannot prejudice other individuals’ rights and freedoms; a general provision that will be probably specified by the European Data Protection Board⁸⁹.

Another relevant norm stated by article 16 is “the right to rectification” that permits the individual to obtain without undue delay from the controller the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing supplementary statements. This is a novelty from the Regulation. In fact, Directive 95/46/EC in article 12 was permitting rectification only when processing was not according to the law and it was not disciplining the possibility to ask for integrations of data whereas these were inaccurate.

The European Data Protection Supervisor⁹⁰ pinpointed specific grounds for rectification: process of selections or evaluation, health information, administrative and disciplinary proceedings and blacklisting.⁹¹

One of the most remarkable right of the GDPR, is the right to be forgotten of article 17, which lists in detail several grounds to ask for erasure.

Trying to point out the most relevant cases, it is possible indeed to ask for deletion without an undue delay of the controller of all the personal data that are no longer necessary in relation to the purposes for which they have been collected or processed.

The data subject can also withdraw his or her consent both for general personal data and sensitive data, if there is no more any legal ground for processing. There is a legal ground to ask for deletion also if are met the requirements of the right to object of article 21⁹².

A legal obligation in EU law or in Member State law is also a ground to ask for data deletion, as expressed in article 17 (1) let. ‘e’. In this case, the controller subject to such legal obligation shall erase the data.

The controller that made personal data public and is obliged to delete them, should erase them in a way that takes into account the available technology, the costs of implementations, the technical measures⁹³.

As for the right to access, even the right to be forgotten, pursuant to article 17 (3), must be balanced with other fundamental rights and freedoms. It is not possible indeed to ask for deletion of data if processing is necessary for exercising the freedoms of expression and information. It has been suggested that such freedoms should not be based only on EU law but also on Member States’ domestic law⁹⁴.

Article 18 rules the right to restrict processing. Sometimes, the accuracy of data can be contested by the data subject, processing can be unlawful, or, for instance, the data subject simply exercised the right to object to certain processing activities. In such cases, and in the others ruled by article 18, it is possible for the data subject to ask for a restriction of processing.

A new right, linked to the right to access, is the right to data portability⁹⁵, disciplined by article 20 which allows the data subject to receive in a structured, commonly used, and in a machine-readable format his data to transmit them to another controller. This norm responds to two exigences:

-the first one is to give the data subject the control of his or her data. In this sense, it is possible to notice similarities with the above-mentioned right to access;
-the second exigence is to foster free flow of data along the EU, increasing competition, especially in the digital market⁹⁶.

Every time it is asked rectification, erasure, or restriction of data, the individuals concerned have the right to receive a notification, pursuant to article 19 GDPR.

The Regulation even introduced some dispositions in articles 33-34 to protect data subjects after harmful incidents related to processing of data, namely violations of personal data: article 33 rules the notifications to supervisory authorities, whilst article 34 refers to the communication of data breaches to data subjects wherever their freedoms and rights have been involved in the infringement.

An infringement is a situation that implies an accidental or unlawful destruction, loss, modification or unauthorized disclosure.

Article 33 rules that there must be a notification without undue delay (and not later than 72 hours) of all the data breaches from the controller to the Data Protection Authority, (unless it is unlikely that such violation of personal data puts in a risk the freedoms and the rights of natural people). The notification comprises the description of the nature of the data breach, including for instance the categories of data that were involved, the numbers of the data subjects, and the consequences of the breach. Eventually, the controller must demonstrate which measures wants to adopt to mitigate the possible adverse effects.

Sometimes, it may be impossible to give this amount of information in one notification. The legislator seemed aware of this possibility and, article 33 (4) establishes that insofar as it is impossible to notify all the information in one notification, the other pieces of information must be notified as soon as they are available without undue further delay.

An infringement of personal data might likely jeopardize freedoms and rights of individuals; in this case, data subjects shall have the right to receive a communication with all the relevant information about the data breach⁹⁷. However, the controller can avoid communicating the data breaches to the individuals concerned if he already implemented the appropriate organizational or technical protection measures and whether he already applied such measures to the data breach⁹⁸.

As result from this examination, the third Chapter of the GDPR is user-centric, and it applies concretely the general principles analysed in the previous paragraphs, such as the principle of transparency or purpose-limitation, giving data subjects directly enforceable rights.

Excluding these cases where individuals decide to intervene and take action during processing, they are generally protected by other legal arrangements that ensure preventive compliance.

[...]

---

¹ Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data - OJ L 281, 23.11.1995, p. 31–50.

² Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119, 4.5.2016, p. 1–88

³ See infra, Chapter I, paragraph 3 of this paper.

⁴ GRAZIANI, C. PNR EU-Canada, la Corte di Giustizia blocca l’accordo: tra difesa dei diritti umani e implicazioni istituzionali. DPCE online, p. 962, 2018.

⁵ Judgment of the Court (Grand Chamber) of 30 May 2006, European Parliament v Council of the European Union (C-317/04) and Commission of the European Communities (C-318/04), Joined cases C-317/04 e C-318/04, ECLI:EU:C:2006:346.

⁶ Opinion of the Court (Grand Chamber) of 26 July 2017, pursuant to Article 218 (11) TFEU on the Draft agreement between Canada and the European Union — Transfer of Passenger Name Record data from the European Union to Canada, Case Opinion 1/15. ECLI:EU:C:2017:592.

⁷ CAGGIANO G. “La Corte di Giustizia consolida il ruolo costituzionale nella materia dei dati personali”, in “Studi sull’integrazione europea, XIII, p.9-29, 2018. See infra, Chapter 1, paragraph 3 of this paper.

⁸ FUSTER, G.G. The Emergence of Personal Data Protection as a Fundamental Right of the EU. Springer, Cham, p. 213-252, 2014.

⁹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119, 4.5.2016, p. 1–88.

¹⁰ LUKÁCS, A. What is Privacy? The History and Definition of Privacy, Keresztes Gabor, p. 256-265, 2016.

¹¹ WARREN, S.D., BRANDEIS, L.D. Right to privacy. Harvard Law Review, p. 193-220, 1890.

¹² PROSSER, L.W. Privac y, California Law Review, p. 383-423, 1960.

¹³ BRATMAN, B. Brandeis and Warren's the Right to Privacy and the Birth of the Right to Privacy. Tennessee Law Review, p. 623-651, 2001; STRUM, P. The Legacy of Louis Dembitz Brandeis, People’s Attorney, in American Jewish History, The Johns Hopkins University Press, p. 406-427, 1994; Nowadays technology has an impact on the right to privacy more perceivable compared to two centuries ago. Just thinking that the technologies recalled by Warren and Brandeis were only “media and newspapers”. DIGGELMANN, O., CLEIS, M.N. How the right to privacy became a Human Right. Human Rights Law Review, p. 441-458, 2014.

¹⁵ Article 12 of the UDHR states: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

¹⁶ Article 8 of the European Convention of Human Rights states: 1. Everyone has the right to respect for his private and family2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

¹⁷ DIGGELMANN, O., CLEIS, M.N, see op. cit. Paragraph 3 “Concluding Remarks”, p. 457-458. The authors deem that privacy is a right which was born “silently”.

¹⁸ To see the contribution of the European Court of Human Right in data protection: BYGRAVE, L.A. Data privacy law: an international perspective, Oxford University Press, 2014. GELLERT, R., GUTWIRTH, S. The legal construction of privacy and data protection. Computer Law & Security Review, p. 522-530, 2013. KOKOTT, J., SOBOTTA, C. The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR. International Data Privacy Law, p. 222-228, 2013.

¹⁹ Article 17 ICCPR states: “1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. 2. Everyone has the right to the protection of the law against such interference or attacks.”

²⁰ DE HERT, P. Privacy and data protection concepts, in Europe. Computers Freedom & Privacy, p. 20-23, 2004.

²¹ Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, no. 108 Council of Europe.

²² PIZZETTI, F. Privacy e Il Diritto Europeo Alla Protezione Dei Dati Personali: Dalla Direttiva 95/46 Al Nuovo Regolamento Europeo. Torino, G. Giappichelli, 2016.

²³ Article 6 TEU (consolidated version): 1. The Union is founded on the principles of liberty, democracy, respect for human rights and fundamental freedoms, and the rule of law, principles which are common to the Member States. 2. The Union shall respect fundamental rights, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms signed in Rome on 4 November 1950 and as they result from the constitutional traditions common to the Member States, as general principles of Community law. 3. The Union shall respect the national identities of its Member States. 4. The Union shall provide itself with the means necessary to attain its objectives and carry through its policies.

²⁴ For instance, international data protection standards designed by the ECHR will be recalled by the joined cases C-317/04 & C-318/04, analysed further in Chapter II of this paper.

²⁵ Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data - OJ L 281, 23.11.1995, p. 31–50.

²⁶ Article 7 CFR states: Everyone has the right to respect for his or her private and family life, home and communications.

²⁷ Article 8 CFR states: 1. Everyone has the right to the protection of personal data concerning him or her.2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.3. Compliance with these rules shall be subject to control by an independent authority.

²⁸ As Stefano Rodotà pointed out in “Intervista su privacy e libertà”, - GLF Editori Laterza, 2005 - the right to privacy of article 7 consists in a sort of “negative liberty”: we have indeed the right to exclude everyone from our private life, whilst the formulation of the article 8 gives to the individuals the control of all the personal information. Individuals are the one who decide which are their own data that may be used and processed.

²⁹ Article 16 TFEU (former Article 286 TEC) states: 1. Everyone has the right to the protection of personal data concerning them. 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.

³⁰ Article 52 CFR states: 1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.2. Rights recognised by this Charter for which provision is made in the Treaties shall be exercised under the conditions and within the limits defined by those Treaties. 3. In so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection.4. In so far as this Charter recognises fundamental rights as they result from the constitutional traditions common to the Member States, those rights shall be interpreted in harmony with those traditions.5. The provisions of this Charter which contain principles may be implemented by legislative and executive acts taken by institutions, bodies, offices and agencies of the Union, and by acts of Member States when they are implementing Union law, in the exercise of their respective powers. They shall be judicially cognisable only in the interpretation of such acts and in the ruling on their legality.6. Full account shall be taken of national laws and practices as specified in this Charter.7. The explanations drawn up as a way of providing guidance in the interpretation of this Charter shall be given due regard by the courts of the Union and of the Member States. In Chapter II of this paper, it will be analysed the Opinion 1/15 given by the European Court of Justice and also the Opinion of Advocate General, showing a typical example of how the principle of proportionality is applied in data protection issues.

³¹ See infra paragraph 3 of this Chapter that will analyse the most relevant case laws of the ECJ.

³² See infra paragraph 4 of this Chapter that will analyse the General Data Protection Regulation.

³³ Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJ L 281, 23.11.1995, p. 31–50.

³⁴ There are several recitals explaining how a common framework in data protection was essential for the proper functioning of the Internal Market. One of the clearest is Recital (7), which states: “Whereas the difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State; whereas this difference may therefore constitute an obstacle to the pursuit of a number of economic activities at Community level, distort competition and impede authorities in the discharge of their responsibilities under Community law; whereas this difference in levels of protection is due to the existence of a wide variety of national laws, regulations and administrative provisions”.

³⁵ For example, there were inspiring the legislation of the German state of Hesse that adopted the world’s first data protection rules in 1970; Sweden adopted its own one, called “Datalagen” in 1973, France adopted the “Loi relatif à l’informatique, aux fichiers et aux libertès” in 1977, in the UK in 1984 with the “Data Protection Act”.

³⁶ See infra, Chapter I, paragraph 3 of this paper.

³⁷ To process sensitive data it was necessary to respect the conditions laid down by Article 8 (2) of the Directive, which were: (a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or (b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or (c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or (d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or (e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.

³⁸ See infra, paragraph 3.1 and 3.3.

³⁹ See infra, paragraph 4, to see the current discipline.

⁴⁰ See infra within this same paragraph.

⁴¹ See, for instance: Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposal, 00530/12/EN WP 191; Article 29 Data Protection Working Party, Opinion 08/2012 providing further input on the data protection reform discussions , 01574/12/EN WP199.

⁴² See infra Chapter 1 paragraph 4.6 of this paper.

⁴³ Other fundamental judicial rulings, such as “Digital Ireland” or “Tele 2 Sverige”, will be examined in Chapter III, paragraph 3 of this paper whereas they relate specifically to data retention.

⁴⁴ Judgment of the Court of 6 November 2003, Criminal proceedings against Bodil Lindqvist, Case C-101/01, ECLI:EU:C:2003:596.

⁴⁵ Opinion of Mr Advocate General Tizzano delivered on 19 September 2002. (Case C-101/01), ECLI identifier: ECLI:EU:C:2002:513.

⁴⁶ Exception still in force in the GDPR, in Recital (18), which states: 1. This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. 2. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. 3. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

⁴⁷ As paragraph 68 states: “Given, first, the state of development of the internet at the time Directive 95/46 was drawn up and, second, the absence, in Chapter IV, of criteria applicable to use of the internet, one cannot presume that the Community legislature intended the expression 'transfer [of data] to a third country' to cover the loading, by an individual in Mrs Lindqvist's position, of data onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them”.

⁴⁸ Judgment of the Court (Grand Chamber), 13 May 2014, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, case C−131/12, ECLI:EU:C:2014:317.

⁴⁹ C-131/12, ibidem, paragraph 60.

⁵⁰ C-131/12 ibidem, paragraph 88.

⁵¹ C-131/12 ibidem, paragraph 81.

⁵² C-131/12 , ibidem, paragraph 99.

⁵³ RESTA, G., ZENO-ZENCOVICH, V. Il diritto all’oblio su Internet dopo la sentenza Google Spain. RomaTrE-Press, 2015. VOSS, W.G, ‘After Google Spain and Charlie Hebdo: The Continuing Evolution of European Union Data Privacy Law in a Time of Change’, Social Science Research Network, p. 281-293, 2016. FRANTZIOU, E. Further Developments in the Right to be Forgotten: The European Court of Justice's Judgment in Case C-131/12, Google Spain, SL, Google Inc v Agencia Espanola de Proteccion de Datos, Human Rights Law Review, p . 761-777, 2014.

⁵⁴ Judgment of the Court (Grand Chamber) of 6 October 2015, Maximillian Schrems v Data Protection Commissioner, Case C-362/14, ECLI:EU:C: 2015:650.

⁵⁵ 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441)- OJ L 215, 25.8.2000, p. 7–47.

⁵⁶ The seven principles were summarized in: “Notice, Choice, Onward Transfer, Security, Data Integrity, Access, Enforcement. See also: WEISS, M. A., ARCHICK, K. US-EU data privacy: from Safe Harbour to Privacy Shield, Congressional Research Service p. 1-16, 2016.

⁵⁷ In 2016 the EU and the US concluded the “Privacy Shield” agreement that substitutes the so-called Safe Harbour approach.

⁵⁸ Opinion of Advocate General Yves Bot, delivered on 23 September 2015, Case C‑362/14, paragraph 141-144.

⁵⁹ There are other interesting arguments pointed out by the Court concerning for instance the notion of “consumer”, pursuant to Regulation 44/2001, that is disregarded within this paragraph because it is not strictly pertinent to data protection. See also: KUNER, C. Reality and illusion in EU data transfer regulation post Schrems. German Law Journal, p. 881-918, 2017. OJANEN, T. Making the Essence of Fundamental Rights Real: The Court of Justice of the European Union Clarifies the Structure of Fundamental Rights under the Charter: ECJ 6 October 2015, Case C-362/14, Maximillian Schrems v Data Protection Commissioner. European Constitutional Law Review, p. 318-329, 2016.

⁶⁰ For this reason, Directive 95/46/EC cannot be overlooked, the Recital (9) explains why. In fact, it is explicitly stated that the principles and the objectives expressed there remain sound. But the EU is conscious that the Directive failed in preventing fragmentation in the implementation of data protection across the Union, due to the practical differences in how the Directive had been implemented within EU Member States law.

⁶¹ TAMBOU, O., LAMBERT, P. Understanding the New European Data Protection Rules. New York: Auerbach Publications, p. 37, 2018.

⁶² European Commission: Press release, “Agreement on Commission’s EU Data Protection Reform Will Boost Digital Single Market,” Brussels, 15th December 2015. See also Recital (5), where it is clear the awareness of the European Union that a free flow of data is a premise to the development of the internal market, not disregarding the consumer’s point of view. The General Data Protection Regulation indeed, wherever increases consumer trust (especially for online operation), increases as a consequence the digital market.

⁶³ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119, 4.5.2016, p. 1–88.

⁶⁴ See infra, paragraph 4.5 of this Chapter.

⁶⁵ See infra, paragraph 4.5.1 of this Chapter.

⁶⁶ SOBOLEWSKI, M., MAZUR, J., PALIŃSKI, M. Gdpr: A step towards a user-centric internet? in Intereconomic s, p. 207-213, 2017; URQUHART, L. Ethical dimensions of user centric regulation. ACM SIGCAS Computers and Society, p. 81-95, 2018.

⁶⁷ As expressed indeed in Recital (16) which states: “This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union”.

⁶⁸ Recital (19) states that personal data processed by public authorities for these purposes are governed by Directive 2016/680.

⁶⁹ For a need of completeness, it is necessary to notice that article 2 (5) states that: “It is not prejudiced the application of the 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive”.

⁷⁰ Recital (22) also states that establishment implies the effective and real exercise of activity through stable arrangements. It does not matter the legal form of such arrangements, whether through a branch or a subsidiary with a legal personality is not the determining factor in that respect.

⁷¹ Article 4 (1) of Regulation 679 continues: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

⁷² Article 9 (2) provides the conditions to process lawfully sensitive data: “a) the individual has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; e) processing relates to personal data which are manifestly made public by the data subject; f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) [72] based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”

⁷³ SHABANI, M., BORRY, P. Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation. European Journal of Human Genetics, p. 149, 2018.

⁷⁴ The definition of ‘processing’ is the same as the one within Directive 95/46/EC. There are included into the set of the operation “restriction” and “structuring” instead of “blocking”. It is expressed fully by Article 4 (2): “ ‘ processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

⁷⁵ Article 4 (7) continues: “where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

⁷⁶ FINOCCHIARO, G., AVITABILE A. Il Nuovo Regolamento Europeo Sulla Privacy e Sulla Protezione Dei Dati Personali, Zanichelli, page 87, 2017.

⁷⁷ Article 29 Data Protection Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, 17/EN - WP 251.

⁷⁸ ROIG, A. Safeguards for the right not to be subject to a decision based solely on automated processing (Article 22 GDPR). European Journal of Law and Technology, p. 1-17, 2018.

⁷⁹ WP 29 about it released the “Opinion 4/2007 on the concept of personal data”, WP 136, pointing out the usefulness of unidirectional cryptography or bidirectional algorithm cryptographed for pseudonymisation.

⁸⁰ Article 12 about it states: 1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

⁸¹ There are other pieces of information to provide to data subjects if their data are being processed, beyond the ones mentioned. Article 13 states that also the Representative’s identity should be known, as far as the contact information of a data protection officer whether designated. Article 13 lists in details all the information that need to be given in a “privacy policy”. It can be regarded as a further specification and application of the principle of transparency.

⁸² Data Minimisation is useful also in cases of data breaches. In fact, the authorised person who obtain such data would only have access to a limited amount of information.

⁸³ Article 24 states: “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. 2.Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller. 3.Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.”

⁸⁴ LINDQVIST, J. New challenges to personal data processing agreements: is the GDPR fit to deal with contract, accountability and liability in a world of the Internet of Things? International Journal of Law and Information Technolog y, p. 45-63, 2017.

⁸⁵ Such as “processing of the national identification number”. Member States can establish within their national law safeguards and derogations relating to processing for archiving purposes in the public interest, historical, scientific, or statistical research.

⁸⁶ This legal basis to process data is risky. In fact, processing must be “necessary” in relation to the purpose that the controller wants to achieve. The assessment about the existence of a legitimate interest might be also problematic. Probably, its existence should be based on EU or national laws. Eventually, there should be a sort of “link” between controllers and data subject, that may justify a processing based on this basis. Substantially, there must be an equilibrium between the reasonable expectations of individuals, based on their relationships with controllers. See in this sense: Article 29 Data Protection Working Party, Opinion 6/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46, WP 217. Though this opinion refers to Directive 95/46/EC, there are not particular reasons for which it should not be still pertinent nowadays, under the GDPR, considering that it has been released in 2014, in line with the relevant principles set out by the ECJ, and when there was already a first proposal of the current Regulation.

⁸⁷ In relation to information society services, processing of personal data of a child shall be lawful when he is at least sixteen years-old. Member states can provide by law a lower age, which cannot be less than 13. Outside these conditions, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

⁸⁸ These information include: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2.Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. 3.The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

⁸⁹ See infra paragraph 4.6 of this Chapter. Within such freedoms and rights that cannot be prejudiced by the right to access might be included also industrial or professional secrecy.

⁹⁰ It is an independent supervisory authority whose task is to ensure that European institutions respect the right to data protection when they process personal data and develop new policies. The powers and duties are ruled by Regulation 45/2001.

⁹¹ European Data Protection Supervisor, “Guidelines on the rights of individuals with regard to the processing of personal data”, 2014.

⁹² Article 21 states: 1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. 2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. 3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. 4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information. 5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications. 6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

⁹³ The GDPR impose demanding duties to businesses to comply with the GDPR, but at the same time, it takes into account the state of the available technologies. TANKARD, C. What the GDPR means for businesses. Network Security, p. 5-8, 2016.

⁹⁴ ROSEN, J. The right to be forgotten, Stanford Law Review Online, p. 90, 2011.

⁹⁵ Article 29 Data Protection Working Party, Guidelines on the right to data portability, adopted in 2016, revised in 2017. These guidelines suggest that the controllers should inform the data subject in a clear way about the distinction between right to data portability and right to access.

⁹⁶ DE HERT, P. The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law & Security Review, p. 193-203, 2018. LYNSKEY, O. Aligning data protection rights with competition law remedies? The GDPR right to data portability. European Law Journal, p. 794-812, 2017.

⁹⁸ For instance, the controller can render such data intelligible to any person with encryption. In this case, it is unnecessary to communicate the data breaches, as in the case where such communication would involve a disproportionate effort. The controller must also document any data breach.