                                     Introduction to Cyberlaw

                               handout 4 – privacy and personal data


           Brandeis, L. Warren, S. The Right to Privacy, Harvard Law Review, vol. 4(5).


That the individual shall have full protection in person and in property is a principle as old as
the common law; but it has been found necessary from time to time to define anew the exact nature
and extent of such protection. Political, social, and economic changes entail the recognition of
new rights, and the common law, in its eternal youth, grows to meet the new demands of society.
Thus, in very early times, the law gave a remedy only for physical interference with life and
property, for trespasses vi et armis. Then the "right to life" served only to protect the subject
from battery in its various forms; liberty meant freedom from actual restraint; and the right to
property secured to the individual his lands and his cattle. Later, there came a recognition of
man's spiritual nature, of his feelings and his intellect. Gradually the scope of these legal
rights broadened; and now the right to life has come to mean the right to enjoy life, -- the right
to be let alone; the right to liberty secures the exercise of extensive civil privileges; and the
term "property" has grown to comprise every form of possession -- intangible, as well as tangible.


    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
 protection of individuals with regard to the processing of personal data and on the free movement
                                           of such data


                                       Article 2 Definitions

For the purposes of this Directive:

(a) 'personal data' shall mean any information relating to an identified or identifiable natural
person ('data subject'); an identifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identification number or to one or more factors
specific to his physical, physiological, mental, economic, cultural or social identity;

(b) 'processing of personal data' ('processing') shall mean any operation or set of operations
which is performed upon personal data, whether or not by automatic means, such as collection,
recording, organization, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction;


                                             Article 7

Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

(b) processing is necessary for the performance of a contract to which the data subject is party or
in order to take steps at the request of the data subject prior to entering into a contract; or

(c) processing is necessary for compliance with a legal obligation to which the controller is
subject; or

(d) processing is necessary in order to protect the vital interests of the data subject; or

(e) processing is necessary for the performance of a task carried out in the public interest or in
the exercise of official authority vested in the controller or in a third party to whom the data
are disclosed; or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller
or by the third party or parties to whom the data are disclosed, except where such interests are
overridden by the interests for fundamental rights and freedoms of the data subject which require
protection under Article 1 (1).


                      Article 8 The processing of special categories of data

1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade-union membership, and the processing
of data concerning health or sex life.


                                       Article 25 Principles

1. The Member States shall provide that the transfer to a third country of personal data which are
undergoing processing or are intended for processing after transfer may take place only if, without
prejudice to compliance with the national provisions adopted pursuant to the other provisions of
this Directive, the third country in question ensures an adequate level of protection.

2. The adequacy of the level of protection afforded by a third country shall be assessed in the
light of all the circumstances surrounding a data transfer operation or set of data transfer
operations; particular consideration shall be given to the nature of the data, the purpose and
duration of the proposed processing operation or operations, the country of origin and country of
final destination, the rules of law, both general and sectoral, in force in the third country in
question and the professional rules and security measures which are complied with in that country.


                                 GDPR - Council Proposal, 9565/15


                                            Article 17

Right to erasure and “to be forgotten”

1. The controller shall have the obligation to erase personal data without undue delay, especially
in relation to personal data which are collected when the data subject was a child, and the data
subject shall have the right to obtain from the controller the erasure of personal data concerning
him or her without undue delay where one of the following grounds applies:

(a) the data are no longer necessary in relation to the purposes for which they were collected or
otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of
Article 6(1) or point (a) of Article 9(2) and (…) there is no other legal ground for the processing
of the data;

(c) the data subject objects to the processing of personal data pursuant to Article 19(1) and there
are no overriding legitimate grounds for the processing or the data subject objects to the
processing of personal data pursuant to Article 19(2);

(d) the data have been unlawfully processed;

(e) the data have to be erased for compliance with a legal obligation to which the controller is
subject;

1a The data subject shall have also the right to obtain from the controller the erasure of personal
data concerning him or her, without undue delay, if the data have been collected in relation to the
offering of information society services referred to in Article 8(1).

2a. Where the controller (…) has made the personal data public and is obliged pursuant to paragraph
1 to erase the data, the controller, taking account of available technology and the cost of
implementation, shall take (…) reasonable steps, including technical measures, (…) to inform
controllers which are processing the data, that the data subject has requested the erasure by such
controllers of any links

to, or copy or replication of that personal data.

3. Paragraphs 1, 1a and 2a shall not apply to the extent that (…) processing of the personal data
is necessary:

a. for exercising the right of freedom of expression and information ;

b. for compliance with a legal obligation which requires processing of personal data by Union or
Member State law to which the controller is subject or for the performance of a task carried out in
the public interest or in the exercise of official authority vested in the controller;

c. for reasons of public interest in the area of public health in accordance with Article 9(2) (h)
and (hb) as well as Article 9(4);

d. for archiving purposes in the public interest or for scientific, statistical and historical (…)
purposes in accordance with Article 83;