Courts, Privacy and Data Protection in the Digital Environment, edited by Maja Brkan and Evangelia Psychogiopoulou, provides the reader what the title suggests: a birds-eye view of the case law of the European supranational and national courts on the protection of privacy and personal data. In the words of its editors, the aim of the book is “not to offer an exhaustive analysis of the case law, but to identify key trends and patterns in national and European judicial reasoning as regards the rights to privacy and data protection and their balancing with other fundamental rights and interests” (p. 7). With this aim in mind, 13 contributors, who are experts in European jurisprudence on privacy and data protection rights, have come together to form 11 chapters on the interpretation of laws by courts in the course of the digital revolution. Two opening chapters deal with the jurisprudence of the Court of Justice of the European Union (CJEU) and of the European Court of Human Rights (ECtHR), respectively. These chapters are followed by those devoted to the jurisprudence of national courts in Belgium, Finland, Germany, Greece, Italy, the Netherlands, Slovakia, Spain, and the United Kingdom. Evidently, the book covers countries with different legal genealogies, constitutional traditions, histories, and modes of jurisdictional practices. This diversity is the crux of the book, which enables the reader both to have an insight into the jurisprudence of privacy and data protection issues in the national courts of the mentioned countries, and also to make comparisons.
In the first chapter, Maja Brkan gives a brief account of the most prominent cases in relation to privacy and data protection in the case law of the CJEU. In doing so, the author reiterates the question of the relationship between the right to privacy and personal data protection within the case law and the question of balancing these rights with other fundamental rights. According to the author, data protection and privacy are “intrinsically linked” (p. 17). This means that exceptions to data processing under the EU secondary legal framework on data protection (i.e. the then Data Protection Directive) must be interpreted narrowly, particularly when that legislation is not applicable to data processing (i.e. processing for national security purposes) (p. 18). This argument is valuable because it highlights that exceptions to data processing must be justified in light of the proportionality principle. This point is demonstrated in the CJEU’s Opinion 1/15 concerning the compatibility of the international agreement signed between the EU and Canada on the transfer of passenger information for purposes of the fight against terrorism, where the Court held that the passengers’ consent did not constitute the legal basis for that transfer.
This chapter is followed by Evangelia Psychogiopoulou’s exploration of the ECtHR’s jurisprudence on privacy and data protection rights. The author focuses on the ECtHR’s prominent decisions in relation to the balance between privacy and free speech and to the interferences with the privacy right for the purpose of protecting national security and prevention of disorder or crime. In the concluding part of her chapter, Psychogiopoulou includes the (non)referral by the ECtHR to the decisions by the CJEU – a point that begs the question whether the chapter would have benefited from devoting more discussion to the issue.
In Chapter 4, Paul De Hert gives an account of decisions in relation to privacy and data protection, ranging from the exchange of health information, surveillance at the workplace, to data retention by law enforcement and secret service and publication of personal data online given either by the Belgian Constitutional Court or the Cour de Cassation. The author’s contribution illustrates interesting insights into the approach taken by these courts, particularly the latter: the Cour de Cassation has been reluctant to refer to the EU law aspects of privacy and data protection rights.
Tuomas Ojanen’s contribution starts with the acknowledgement that “the case law of the Finnish courts on privacy and data protection in the digital environment has so far been almost non-existent” (p. 85) and explains the reasons for this non-existence. These include the limited role the courts play in constitutionalism, the existence of a committee on ex ante revision of legislative proposals, the existence of the Parliamentary Ombudsman and the preventive measures to ensure compliance with data protection principles, and the homogenous nature of Finnish society. The most interesting part of the contribution is (at least for those who are mostly concerned with the data retention schemes in the context of law enforcement) that the author elaborates the Finnish Constitutional Law Committee’s view on re-evaluating the distinction between metadata of electronic communications (i.e. data about who called whom when, where, for how long, and from which communication means) and content of such communications (p. 97). Moreover, the Finnish law on data retention after the CJEU’s Digital Rights Ireland decision was amended to meet with the fundamental rights standards set out in that decision (p. 97).
The contribution by Johannes Eichenhofer and Christoph Gusy is perhaps the most valuable in illustrating the example of “judicial activism”, which is defined by the authors as “the legal technique allowing [the Court], through interpretation of [law], to extend its competences, particularly by broadening its own jurisdiction” (p. 118). In this regard, the Constitutional Court created the concept of “informational self-determination” in 1983 on the basis of the constitutional right of personality, and then further created “the right to guaranteed confidentiality and integrity of information technology” in 2008 (pp. 103-106). Having taken criticisms of judicial activism into account, particularly in relation to its compatibility with the constitutional principle of the separation of powers, the authors argue that such judicial activism by the German Constitutional Court can be treated “as the foundation of a cooperation between the legislator and the courts in order to help the privacy and data protection potential of the [Constitution] evolve as a living instrument” (p. 119). It is clear that this judicial activism provides protection on a constitutional level against new threats in the digital era. What is more interesting is that this judicial self-restraint appears to be the reason why the German Constitutional Court has been hesitant in referring to the ECtHR and the Charter in issues dealing with privacy and data protection rights (pp. 112-115).
Tania Kyriakou’s contribution provides the reader with another aspect of the judiciary in charting privacy and data protection issues in the digital environment. After outlining the protection of privacy and data protection under Greek law as well as several prominent cases on the matter, the author touches on the inconsistencies of the Greek courts in dealing with privacy and data protection. Kyriakou argues that the reasons for these inconsistencies are: the lack of digital literacy, particularly amongst the judges in the higher courts; the lack of familiarity with the legal framework on the matter; and the slow pace of the Greek judicial process. This contribution provides an illustration of the impact that the judiciary practice has over the evolution of privacy and data protection rights in the digital era.
Claudio di Cocco and Giovanni Sartor’s contribution on the jurisprudence of the Italian courts provides another example of judicial activism in the face of the challenges that the digital revolution raise for individuals’ fundamental rights. In this regard, the authors explain how the Italian legal doctrine and the case law recognise “informational self-determination” on the basis of a general right to personality (pp. 141-145). An important aspect of this contribution is that the authors mention the way Italian courts have referred not only to ECtHR and the Charter, but also to other international treaties protecting privacy rights to recognise privacy and personal identity as constitutional rights. This approach can be distinguished from that of the German courts, where, for example, the German Constitutional Court only relies on the German Constitution when addressing emerging privacy and data protection issues.
Collete Cuijpers deals with the jurisprudential question through a different method, providing the results of keyword research conducted in the database for court cases in the Netherlands. The key finding is that the courts in the Netherlands follow closely the path that has been taken by the CJEU and the ECtHR when interpreting the legal framework for privacy and data protection.
Martin Husovec explores the jurisprudence of privacy and data protection in post-Soviet Eastern European countries, such as Slovakia. The author’s insight into the case law of the Slovakian Constitutional Court depicts that Court’s willingness to follow closely the case law of the ECtHR when adjudicating issues in relation to privacy and data protection rights. Perhaps the Court associates the ECtHR and the European Convention on Human Rights (ECHR) as part of Western liberal democracy and seeks to strengthen human rights protection in the country in light of them. The author’s brief account of the Constitutional Court’s fidelity to the case law of the ECtHR and hesitancy towards the Charter, as well as the impact the Slovakian transparency law might have on the possible challenges in the digital environment, gesture towards further research in the area.
Gloria González Fuster’s chapter follows up with the jurisprudence of the Spanish courts on privacy and data protection rights. The author elaborates another example of judicial activism, but this time by the Spanish Constitutional Court, which puts forward the right to protection of personal data as a self-standing right on the basis of the constitutional provision on delimiting the use of computers for purpose of guaranteeing citizens’ honour, personal, and family privacy, and the full exercise of their rights. The author cites prominent cases in strengthening privacy and data protection in Spain. Although stated only in brief, the difficulty of the Spanish national courts in embracing Article 8 of ECHR (right to respect for private life) as a guarantor for the right to personal data protection is an intriguing aspect of the chapter for those who are engaged with the discourse on the link between privacy and data protection rights.
The last chapter features the contribution by Orla Lynskey on the jurisprudence of the UK courts on privacy and data protection rights. The author traces concisely the evolution of these rights in the UK, where privacy protection was originally provided through in a tort law. For this reason, most of the decisions considered in the chapter relate to defamation. The contribution elaborates the enshrinement of privacy and data protection rights in light of Article 8 of ECHR and the Charter, which makes it more valuable amidst the UK’s withdrawal from the EU and the continued discussion regarding its possible withdrawal from the ECHR.
In sum, Courts, Privacy and Data Protection in the Digital Environment compiles the jurisprudence of European supranational and national courts in relation to privacy and data protection rights into one source. For this reason, the book adds thoughts on the (dis)ability of judiciary to entrench protection of privacy and personal data against challenges raised by new technologies. Though (as is often the case with edited books) the contributions may be too brief to fully unpack all aspects of the privacy and data protection jurisprudence, nonetheless they serve as reliable and intriguing sources for further thought and research.
 For different perspectives on the relationship between privacy and data protection, see Bart van der Sloot, “Legal Fundamentalism: Is Data Protection Really a Fundamental Right” in Ronald Leenes et al. (eds.), Data Protection and Privacy: (In)visibilities and Infrastructures (Switzerland: Springer International Publishing, 2017), pp. 3-30; Orla Lynskey, The Foundations of EU Data Protection Role, (Oxford: OUP, 2015); Antoinette Rouvroy and Yves Poullet, “The Right to Informational Self-Determination and the Value of Self-Development: Reassessing the Importance of Privacy for Democracy” in Serge Hutwirth et al. (eds), Reinventing Data Protection, (Dordrecht: Springer Science+Business Media B.V., 2009) pp. 43-76; Paul de Hert and Serge Gutwirth, “Privacy, Data Protection and Law Enforcement. Opacity of the Individual and Transparency of Power” in Erik Claes, Anthony Duff, and Serge Gutwirth (eds.) Privacy and Criminal Law (Antwerpen: Intersentia, 2006), pp. 61-104.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23 November 1995.
 Opinion 1/15 of the Court (Grand Chamber) , paras 142-143.
 Joined Cases C293/12 and C594/12 Digital Rights Ireland v. The Minister for Communications, Marine and Natural Resources and Others (CJEU) .
 For the use of the notion “judicial activism” see Craig Green, “An Intellectual History of Judicial Activism” (2009) 58(5) Emory Law Journal 1195-1264.