All issues > Volume 14 > Issue 2 > The Fundamental Right to Data Protection: Normative Value in the Context of Counter-Terrorism Surveillance

Maria Tzanou’s book, The Fundamental Right to Data Protection: Normative Value in the Context of Counter-Terrorism Surveillance, places at the centre stage “the scope, the content and the capabilities of data protection as a fundamental right to resolve problems and to provide for effective protection” (p. 1). The status and relationship of both these provisions have of course been the subject of judicial observations, particularly from the Court of Justice of the European Union.[1] The interplay between privacy and data protection has also been an area of interest amongst scholars and policymakers and in no small way fuelled by the coming into force of the Charter of Fundamental Rights of the European Union, which provides for both the right to privacy (Article 7) and the right to the protection of personal data (Article 8).[2] Tzanou’s book is timely, particularly at a time when the State and its security and law enforcement agencies continue to make well-publicised demands for access to personal information of consumers from social media platforms, communications technology providers, and businesses. Her principal contribution is that scholars and policymakers should engage much more critically than has been previously been the case to a right to the protection of personal data:  “what is the added value of a right to personal data protection?”

The Fundamental Right to Data Protection succeeds in providing answers to this question. It can be seen as an essay aimed at ensuring that claims to rights to personal information are reflected in individuals gaining greater control over their data. The book is divided into two parts, consisting of seven chapters. Part I explores the theoretical framework underpinning current conceptualisations and understandings of privacy and data protection. Chapter 1 reviews some of the key scholarly debates regarding the relationship between privacy and data protection and the significance of the conceptual lens provided by Article 8 of the European Convention on Human Rights jurisprudence in shaping discourse in data protection law. Tzanou suggests that following the elevation of data protection as a fundamental right, there has been very little attempt made to reflect on its normative and instrumental value (pp. 33-35). The paradigm shift in the way information is created, used, and accessed, it is suggested, merits consideration of this question: does the right to the protection of personal data offer a complementary value? According to Tzanou, it is not only scholars who are culpable. Judicial pronouncements, she argues, merely add to the uncertainty and confusion by continuing to view data protection values through the rear view mirror of an individual’s right to respect for private life (pp. 51-53).

Chapter 2 provides a careful analysis of CJEU jurisprudence and hints of “data privacy rights [being] favoured with regard to opposing rights as a general, a priori rule” (p. 63). This conclusion is preceded by Tzanou’s emphasis that if data protection is to evolve as a right that is valued independently and with its own set of values, three conditions must be met: (i) its descriptive reach must be identified; (ii) the normative values must be ascertained and assessed in light of other competing data protection values and interests; and (iii) its instrumental role must be both acknowledged and demonstrated (pp. 38-44). Tzanou takes the view that all the fair information processing principles provide the “essence” of a fundamental right (pp. 42-44). She has a point here, and in light of current concerns about collapsing contexts and the ease with which personal information can be collected, repurposed, and distributed, data protection rights must be taken seriously rather than viewed as a proxy for privacy.

As the subtitle suggests, the book provides several case studies to investigate how a reconstructed right to data protection might work in the specific context of counter-terrorism surveillance. The four case studies presented are: (i) metadata surveillance (Chapter 3); (ii) travel data surveillance (Chapter 4); (iii) financial data surveillance (Chapter 5); and (iv) Internet data surveillance (Chapter 6). Each is underpinned by careful research and thoughtful analysis of CJEU judgments and opinions of the Advocate General. What is particularly fascinating about the issues covered in these case studies is their grim reminder of how very little control we have over our personal information in the networked environment.  The case studies also give us an insight into why Tzanou thinks that the right to the protection of personal data should now be utilised to help solve many of the problems of transparency and accountability that continue to be encountered in national security policy debates. Tzanou maintains that while the rulings in cases of Schrems, Digital Ireland, and Passenger Name Record Agreement (Joined Cases C-317/04 and C-318/04AG) can be viewed as instances where the law safeguards an individual’s right to respect for private life, the right to the protection of personal data can provide equally credible and principled answers. She points to the observation of Attorney General Philippe Léger regarding the Commission’s adequacy decision, with the “specific data protection principles” as providing one example of a coherent and principled framework that can be used to ensure that data controllers respect the fundamental right under Article 8 of the Charter (p. 165). Indeed, data protection rules and principles do ensure that data controllers are held to account for adopting operations such as repurposing, profiling, surveillance. The analysis on the SWIFT Affair (Society for  Worldwide  Interbank  Financial  Telecommunication), the Terrorist Finance Tracking Programme (“TFTP”), and the prevalence of communications surveillance serves to emphasise the problems that can arise when the lifecycle of personal data become the focal point of impact assessment strategies.[3]

What are we to make of this book’s objective in reconstructing a new role for data protection? Tzanou gets many things right. It is impossible to exaggerate the value of the core arguments and reflections on key CJEU rulings and policy responses. The right to the protection of personal data is important, not least that it is always to the advantage of government agencies and organisations to utilise technological infrastructures to regulate the space of information flows and frustrate attempts to require data controllers to respect individual’s fundamental rights. Many will agree that while data protection and privacy concepts are to be valued in their own right and possess values that may overlap, the ease with which personal information can be collected, stored, and used mandates a concerted effort in recognising the descriptive, normative, and instrumental role of the fundamental right to the protection of personal data.

The Fundamental Right to Data Protection also illuminates the various ways judicial and policy narratives treat privacy and data protection rules as interchangeable frames, as well as what it implies for the way we think about the relationship between data subjects, personal data, and data controllers.  In short, Tzanou’s work makes visible the cognitive blind spot that defines the way we tend to assemble our knowledge and understanding of the role of data protection in the age of counter-terrorism surveillance. This book condenses wonderfully what judges and policymakers sometimes do when they fail to recognise that the answer to many data processing problems encountered in counter-terrorism situations can be found in data protection rules and principles.

The nature of a fundamental right is an aspect that would have merited further investigation.  In Taking Rights Seriously, Ronald Dworkin regarded understanding the concept of rights as a pre-requisite to establishing claims for establishing entitlements as well as place on firm footing arguments whether a policy or action constitutes an infraction of an individual’s fundamental rights.[4] Even though Taking Rights Seriously was published well before the Internet and data processing rules, the problem Dworkin attempted to confront also lies at the core of the case studies covered in The Fundamental Right to Data Protection – what does it mean to take the fundamental right to the protection of personal data seriously? This is an important question since the language of fundamental rights continues to dominate debates and discourses on national security. The Fundamental Right to Data Protection could have confronted directly the ambiguity in the right to the protection of personal data and articulate fully the ramifications of taking such a right seriously. It is only when we understand the language of rights, contexts, and nuances are we likely to come to terms that disagreements about the interpretation of rights, duties, and obligations are not exceptional.[5] Unsurprisingly, even in a national security/counter-terrorism context, we encounter not dissimilar arguments about fairness or have to evaluate how best competing perspectives about how best balances are to be maintained between citizens fundamental rights and exercise of Executive power.[6] The recent decision by the High Court in Ireland to seek guidance from the Court of Justice of the European Union on a range of issues that have a bearing on the protection of EU citizens data protection rights is a case in point.[7] As we turn to European Law and the Judiciary to help disentangle constitutional and political issues, we should also recall the timeliness of Freeman’s echoing of Dworkin’s reminder that the “right” answer may be ethically the “wrong” answer.[8]

[1]     Productores de Música de España (Promusicae) v Telefónica de España SAU, Case C-275/06 judgment of 29 January 2008; Digital Rights Ireland   Ltd   v   Minister   for   Communications, Joined Cases C–293/12 and C–594/12, 8 April 2014, ECLI:EU:C:2014:238; Maximillian Schrems v Data Protection Commissioner, Case C–362/14, 6 October 2015, ECLI:EU:C:2015:650; Tele2 Sverige AB v Post-och telestyrelsen, Joined Cases C–203/15 and C–698/15, 21 December 2016, ECLI:EU:C:2016:970.

[2]     See as an example Peter Hustinx, “EU Data Protection Law – Current State and Future Perspectives”, speech  at  High  Level  Conference:  “Ethical  Dimensions  of  Data  Protection  and  Privacy”,  Centre  for  Ethics, University   of   Tartu   /   Data   Protection   Inspectorate,   Tallinn,   Estonia,   9   January   2013, available   at https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2013/13-01-09_Speech_Tallinn_EN.pdf (accessed 29 September 2017) and Antonella Galetta and Paul De Hert, “Complementing the Surveillance Law Principles of the ECtHR with its Environmental Law Principles: An Integrated Technology Approach to a Human Rights Framework for Surveillance” (2014) 10(1) Utrecht Law Review 55–75.

[3]     Following the terrorist attacks in the US on 11 September 2001, SWIFT, a Belgian based messaging service owned by the international banking community, permitted the US Central Intelligence Agency (CIA) to undertake covert surveillance of financial transfers involving US and EU citizens’ transborder financial transfers activities. The EU and the US concluded the TFTP in mid-2009 to permit access to personal data relating to EU citizens, on the condition that adequate safeguard mechanisms were provided. See European  Commission,  “The  EU-US  TFTP Agreement: Main Elements” (2013), MEMO/13/1060, available at http://europa.eu/rapid/press-release_MEMO-13-1060_en.htm (accessed 3 October 2017).

[4]     Ronald Dworkin, Taking Rights Seriously (London: Duckworth, 1977).

[5]     Jeremy Waldron, Law and Disagreement (Oxford: Clarendon Press, 1999).

[6]     Ibid., pp. 1889-91.

[7]     Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, available at https://dataprotection.ie/documents/judgements/DPCvFBSchrems.pdf (accessed 5 October 2017).

[8]     Michael Freeman, “Why It Remains Important to Take Children’s Rights Seriously” (2007) 15 International Journal of Children’s Rights 5-23.