European Cyberlaw

Privacy and personal data

Note: Issues marked in red were not discussed in class and will not be a part of the exam. Only cases listed at the end of this document were discussed and may be a part of the exam.

It is sometimes taken for granted that privacy is a specific standalone right, as argued by Samuel D. Warren and Louis D. Brandeis in their famous article in the Harvard Law Review (old but still worth reading):

There are plenty of concepts of privacy. The following text provides a comprehensive summary of them (there is no need to learn all types of privacy by heart, so you can take the article just as a source of references):

However, the question of whether privacy stands alone or is to be understood as derived from other rights (personality, reputation, property etc.) is still relevant. That became apparent in the recent case Lloyd v. Google LLC, where UK courts are trying to answer whether mere loss of control over data (without any further harm) constitutes recoverable harm to privacy. This is a summary of the recent decision of the Court of Appeals (the case is currently pending at the Supreme Court):

The right to privacy is laid down in Europe primarily through the European Convention on Human Rights and national constitutions or similar documents. The ECHR, however, does not expressly speak about privacy; the right to privacy is instead derived by interpretation from the right to private life (Art. 8). The European Court of Human Rights also has extensive case law on privacy and related matters.

As in the ECHR, privacy is also regulated in the Charter of Fundamental Rights of the European Union. Unlike the European Convention on Human Rights, the Charter of Fundamental Rights of the European Union also contains a dedicated chapter on the right to protection of personal data.

The distinction between the right to private life and the right to protection of personal data is very important. Personal data protection shares the same fundamental idea as privacy protection, but represents an entirely autonomous regulatory regime with directly applicable EU laws and dedicated institutions. The core of European regulation of protection of personal data is the GDPR and the Police Directive.

The distinction between privacy protection and protection of personal data can be demonstrated by the first case decided by the ECJ under the former Data Protection Directive, which was later replaced by the GDPR. The case also outlined the ECJ's basic interpretive principles regarding some fundamental issues such as the definition of 'personal data' or the scope of 'transfer'.

The GDPR is strongly oriented towards the individual rights of data subjects. In the seminar, we discuss the advantages and disadvantages of such an approach using the well-known Cambridge Analytica affair.

The key term of the GDPR is obviously 'personal data'. The scope of its definition, which is relatively broad, has been interpreted in a number of cases by the courts of the member states as well as by the ECJ and later the CJEU. One of the issues that is permanently debated is whether the term 'identifiable' in the definition should be interpreted subjectively or objectively with regard to the controller. The following case offered good guidance, but it was understood very differently by national courts in the member states.

The subject that bears most of the duties arising from the processing of personal data is the 'controller'. It is a person, natural or artificial, who sets the purpose and means of processing of the respective data. In some cases, a 'processor' may also be involved. This is a person who actually processes the data, but without setting a specific purpose (i.e. a 'processor' processes data for a 'controller'). In practice, it might be difficult to distinguish between the roles of a controller and a processor and to label them correctly. Some guidance as to interpretation was provided by the CJEU in the following case:

The GDPR uses a relatively novel performance-based regulatory method. In a nutshell, this means that the law provides only very basic general guidance. Each controller then has a duty to evaluate every process that involves personal data and to develop its own internal rules, procedures and safeguards for their proper protection. It is also the duty of every controller to know (and document) the valid legal cause (title) according to Art. 6(1) as well as the particular purpose of each processing. At the seminar, we briefly discuss two of the most problematic titles, i.e. consent according to Art. 6(1)(a) and legitimate interest according to Art. 6(1)(f). The scope of consent was also discussed by the CJEU in the following case:

There are plenty of individual rights that data subjects can claim. At the seminar, we focus particularly on the following:

- information and access - Art. 12, 13 and 14

- erasure - Art. 17

- automated decisions - Art. 22

- compensation - Art. 82

The right to erasure, or the right to be forgotten, was broadly debated even before the introduction of the GDPR. The CJEU ruled on that matter in the following landmark case:

Enforcing rights arising from privacy or data protection is not always easy. We demonstrate some procedural, jurisdictional and substantive issues using the following two cases.

  • This case was not mentioned in the presentation and will not be part of the exam

Cases mentioned during the presentation (these cases may be a part of the exam):