Docsity
Docsity

Prepara i tuoi esami
Prepara i tuoi esami

Studia grazie alle numerose risorse presenti su Docsity


Ottieni i punti per scaricare
Ottieni i punti per scaricare

Guadagna punti aiutando altri studenti oppure acquistali con un piano Premium


Guide e consigli
Guide e consigli


Privacy&Security (primo modulo), Appunti di Diritto

Appunti del primo modulo di Privacy&Security con Prof. Bachelet (corso Innovation and Technology Management, 2020-2021) + questions for the exam Voto: 30 Argomenti: Characteristics of EU data protection regulation, dual objective of the data protection regulation, Court of Justice of EU, Policy of the ECJ about the Data Protection, Principle of Conferral, Harmonising attitude of GDPR, DP and Privacy in European Legal Order, DP&Privacy, ECHR, ECtHR, DP and the other rights

Tipologia: Appunti

2019/2020

In vendita dal 10/07/2021

--federica
--federica 🇮🇹

4.5

(19)

27 documenti

1 / 31

Toggle sidebar

Questa pagina non è visibile nell’anteprima

Non perderti parti importanti!

bg1
INTRODUCTION REVIEW !
In order to explain privacy and security we can use the metaphor of a window: privacy is using a
curtain on the window to stop the unwanted vision of others; the security is a stronger application
on data protection, we can use a gasp to protect our home by the incoming of other people
inside. !
Privacy and security concern personal data of course; it’s a sort of war between individuals that
are generally accepting it, government and firms are using this data for porpoise of economic and
commercial application, the third driver is the technology that is the main tools used to use them. !
Why there’s an increase appetite for data? It allows to have huge control on citizen and can be
analyse in a specific way, allowing companies to profiles people and allow them to understand
what we like (advertising for example). Allows google or Facebook to gain a lot selling our datas. !
Privacy paradox: people are concern with their personal data but they use and share a lot of
them. They want protection in theory
but they act in a dierent way. !
Legal respond in the UE: three steps in
the history of UE regarding the legal
respond on the protection of data. The
first was in 1975 it wasn’t specific to
internet, the second 1995 first data
protection directive, but the use of
internet was like 1% of UE population;
the last 2016 we had the first
important protection regulation with
the GDPR, used until 2018. !
Distinction between regulation and
directive, the two most important legal
acts in UE legal system: regulation
aims to uniform the legal framework
and are binding in their interactive,
directive try to harmonise the legal framework but they are more free to choose the way to adopt
them, they set an objective. Regulation are similar to our formal legal acts, binding; directive
implies more discretion of the states, they are binding the goals, they harmonise but not uniform. !
The states normally has time to execute the directive, so when this time finish if the directive
provides a rule that doesn’t require a rule, in case of delay citizen may ask for the application of
this prohibition not against another citizen, so there’s anyway the possibility of the citizen to
applicate this to the state (vertical application). !
Distinction between primary and secondary registration in UE legal order: the primary legislation is
made by the treaties, the first is EU and the second one; the secondary legislation is more wire, is
based on the treaties. We have a
sort of pyramid, on the top the
primary, made by the two
treaties TFU and TFIU. On the
bases of these two all the
secondary legislation can be
created. !
Primary legislation, in the
history of the constitution of the
treaties, we have the 1957
Treaties of Rome, then from 92
Treat of Maastricht, Treat of
Lisbon. 27 member states. !
di 1 31
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f

Anteprima parziale del testo

Scarica Privacy&Security (primo modulo) e più Appunti in PDF di Diritto solo su Docsity!

INTRODUCTION REVIEW

In order to explain privacy and security we can use the metaphor of a window: privacy is using a curtain on the window to stop the unwanted vision of others; the security is a stronger application on data protection, we can use a gasp to protect our home by the incoming of other people inside. Privacy and security concern personal data of course; it’s a sort of war between individuals that are generally accepting it, government and firms are using this data for porpoise of economic and commercial application, the third driver is the technology that is the main tools used to use them. Why there’s an increase appetite for data? It allows to have huge control on citizen and can be analyse in a specific way, allowing companies to profiles people and allow them to understand what we like (advertising for example). Allows google or Facebook to gain a lot selling our datas. Privacy paradox: people are concern with their personal data but they use and share a lot of them. They want protection in theory but they act in a different way. Legal respond in the UE: three steps in the history of UE regarding the legal respond on the protection of data. The first was in 1975 it wasn’t specific to internet, the second 1995 first data protection directive, but the use of internet was like 1% of UE population; the last 2016 we had the first important protection regulation with the GDPR, used until 2018. Distinction between regulation and directive, the two most important legal acts in UE legal system: regulation aims to uniform the legal framework and are binding in their interactive, directive try to harmonise the legal framework but they are more free to choose the way to adopt them, they set an objective. Regulation are similar to our formal legal acts, binding; directive implies more discretion of the states, they are binding the goals, they harmonise but not uniform. The states normally has time to execute the directive, so when this time finish if the directive provides a rule that doesn’t require a rule, in case of delay citizen may ask for the application of this prohibition not against another citizen, so there’s anyway the possibility of the citizen to applicate this to the state (vertical application). Distinction between primary and secondary registration in UE legal order: the primary legislation is made by the treaties, the first is EU and the second one; the secondary legislation is more wire, is based on the treaties. We have a sort of pyramid, on the top the primary, made by the two treaties TFU and TFIU. On the bases of these two all the secondary legislation can be created. Primary legislation, in the history of the constitution of the treaties, we have the 1957 Treaties of Rome, then from 92 Treat of Maastricht, Treat of Lisbon. 27 member states.

In general when it comes to secondary legislation it requires the ordinary esecutive procedure: the initiative is at the commission, the approve or amend by the council and the parliament (co-legislators), we had a directive on the protection of data in 95 and since 2018 the regulation (GDPR). In theory the goal of the UE regarding data protection moved from harmonised to uniform. The hybrid nature of the EU data collection: economic and social. Economic is related to the possibility to trade data in markets, the social is related to the dignity of the data protection right. According to the treaties more and more competences move from every single states to the Union. According to it we saw that just an economic state moved the intervene of UE, because it affect the market of the UE. A social right based competence arises because the community change from and economic one to a something more. Since the protection of data and privacy becomes something that doesn’t require anymore a simply link on the market. The UE keeps a hybrid nature, maintains even economic aspect in itself.

THE KEY CHARACTERISTICS OF THE EU DATA PROTECTION REGIME

What was the main innovation according to the Treaty of Lisbon (2007, in force by 2009) this treaty has brought significant changes from 2 points of view:

  1. Art. 16 (1) TFEU “everyone has the right to the protection of personal data concerning them”: data protection has a dignity, has a value in itself. This means that a provision like that gives to the European institution a competence to intervene in the field of data protection and privacy with its legal act.
  2. Art. 8 Charter of Fundamental Rights of EU (ECFR) or the Nice Charter (2000), proclaimed by in Nice; before Lisbon this charter had only a soft law value, not binding, just like moral, but since the treat of Lisbon, in general this charter become binding so for what concern privacy it’s very important. The four main feature of the EU data protection regime: omnibus regime, legitimising regime, right-based regime, extraterritorial impact. A. OMNIBUS REGIME In general we have two possibilities about data protection regime: sectoral (sectional/limited), each sector has its own data protection regime, it’s the case of the USA, so every single sector has been regulated in a different way, fragmented system. The omnibus regime means a system with only one and very broad regime of protection for data. This is the case of the UE.

2. Exemptions for the public sector: Art. 23 GDPR (Restrictions) EU or MS (member states) law may restrict by way of a legislative measure the scope of certain obligations and rights when such a restriction is a necessary and proportionate measure to safeguard: national security, defence, public security, criminal offences (PJCCM) and other important objectives of general public interest of the UE o MS. (See the entire article!) There’re a lot of restrictions applying to GDPR when that restrictions of the fundamental rights and values. No such broad carve-outs apply to privates! When it comes to public sector the regime could be very different in each MS because of these broad conditions. In the US we have a propter sector regime, when it comes to private sector there’re some just rules in specific areas: health, banking, the approach is on an ad-hoc basis; some specific sector need a regulation because they are likely to have harmful effect. 1988 Video, 2015 Consumer… it’s a sectoral regime. 3. Enforcement, independent DPAs : how the rule are in practice applied; we should consider first on primary legislation the art. 26 or 16 (2-last part) TFEU: compliance with these rules shall be subject to the control of independent authorities; art. 4(21) GDPR what is a supervisory authority: an independent public authority which is established by a MS pursuant to art. 51. art. 52 about independence of authority required to execute rules in the field of DP, independence: each supervisory authority should act in complete independence and members remain free from external influence. B. LEGITIMISING REGIME What does it mean? To understand go to art. 6 GDPR “lawfulness of processing”, processing shall be lawful only if and to the extent at at least one of the following applies: a. The data subject has given CONSENT to the processing of PD for one or more specific purposes. Art. 4 (11) Data Subject’s “consent”: freely given, specific, informed, unambiguous -> Agreement by a statement or by a clear affirmative action. b. (Legal reason) for the performance of a contract to which the data subject is party (CONTRACT) c. (Legal reason) for compliance with a legal obligation to which the controller is subject d. (Public/individual purposes) for the performance of a task carried out in the public interest e. (Public/individual purposes) for the purposes of a legitimate interests except where such interests are overridden by the interest of FRs and freedoms of the DS (data subject) PROCESSING SAFEGUARDS: Art. 5 GDPR (PD-processing principles): a. Lawfulness, fairness and transparency b. Purpose limitation c. Data minimisation d. Accuracy e. Storage limitation f. Integrity and confidentiality So legitimate PD processing of UE is given by CRITERIA (ART. 4) and SAFEGUARDS (ART. 5). C. RIGHT-BASED REGIME The system is a rights-conferring one , it means that it confirms right of the data subject (Chapter 3 GDPR): art. 15 right of access of DS + information: clear language/free of charge; art. 16 right to rectification; art. 17 right to erasure “right to be forgotten” (“diritto all’oblio”) (…) so number of right for every citizen. Those rights are considered as fundamental rights, it means that there’s a minimum non negotiable level of protection of data. ECFR (2000) art. 8 and recital no.1; an essence that any states can’t reduce (not allowed application of art. 23 GDPR).

D. EXTRATERRITORIAL IMPACT

Art. 45 GDPR (Transfers on the basis of an adequacy decision): a transfer of PD to a third country may take place where the Commission has decided that the third country ensures an adequate level of protection. Non-exhaustive list of factors to be considered (for example the rule of law, respect of rights and freedom…). About this topic there’s a very important case: Max Schremps (1) case 2015 and Schremps (2) 2020 Austrian guy against social platform. This is called supremacy by default (95 Dir.) There’s another aspect of the extraterritorial impact, the Supremacy by design: art. 3 (2) GDPR (territorial scope), this regulation applies to the processing of PD of DS who are in the union by a controller or processor not established in the Union, where the processing activities are related to: a. The offering of goods or services, irrespective of whether a payment of the data subject is required to such data subject in the Union; b. The monitoring of their behaviour as far as their behaviour takes place within the Union. This is the attempt of the UE to extent GDPR territorial scope, to exercise supremacy over the regulation of other countries.

The dual objectives of EU data protection regulation

Economic and social hybrid nature. Art. 1 GDPR sets out two different objective:

paragraph 2 says that the GDPR protects fundamental rights and freedom fo natural

person and in particular theirs right to the protection of PD; paragraph 3 says the free

movement of PD within the EU shall be neither restricted nor prohibited for reasons

connected with the protection of a natural person with the regard to processing of PD.

Before the treaty of Lisbon the EU hadn’t competence about fundamental rights, in the

area. Art. 16 of treaty, the other main innovation bending Charter of Fundamental Rights.

If the UE ensures the same level of protection throw the member states there would be

obstacles to the market; there’s something more to say: if we carefully read paragraph 3

the only simple logic, data protection could also be seen as an obstacle for the market!

There’s no a simple relation between the two objects.

In order to understand the relation between the two natures we have to separately

illustrate the harmonisation process on one side and the story with regard to the evolution

of the fundamental rights of EU data protection regulation.

1970s the EU didn’t feel any need to harmonise the legislation in Europe about data

protections, some of the countries had a national (Germany 67, France 68), but in the 80s

the OECD (organisation for economic

cooperation and development) sets out

a non-binding objectives and these are:

1. Minimum level of data protection

2. Minimum level of harmonisation

(simplify the flowing of data)

In 1981 another institution, the Council

of Europe (≠from European institution!!

1949 international institution, before

Treaty of Rome, 47 States) adopted the

The preliminary rulings: art. 267 TFEU the ECJ shall have jurisdiction concerning the interpretation of the treaties and then the validity and interpretation of acts of the EU institutions, bodies and agencies… when it comes to primary legislation the ECJ has only the power of interpretation, so to get the normative meaning. While when it comes to secondary legislation the ECJ also deals with validity, not only interpretation of acts, but also the validity. Why? Because the validity of the secondary legislation according to the importance pyramid, we have on top the primary TEU, TFEU and the secondary is just based on the primary legislation. This is very important because only in the areas that members states gives away its sovereignty they can intervene. There’re procedures on the treaties to adopt for example a directive, if a regulation has been adopted in respective of these rules and inside the area where the EU has competence. Who is gonna referred to the court? When it comes to preliminary rulings, Art. 267 TFEU: they are not citizen that can ask, but a judge of every member state, if necessary to give judgement. Normally so it’s up to single judge to decide if it’s necessary. According to the 3rd paragraph, in case of pending court (in Italia court of cassation, court of last resource), there’s no possibility to ask justice for another court, definitive decision; so normally it’s up to the judge to go on the ECJ, while if the judge belongs to a court that is making the last decision, just because this decision is definitive, it’s important and mandatory for the judge to go in from of the ECJ if there’s any doubt for interpretation or validity. Tribunale, Corte d’Appello, Cassazione in Italy, if you are a judge of cassazione you have to refer to ECJ. Another competence is annulment or failure to act: art. 263 TFEU the ECJ shall review Lack of competence for example EU institution adopted an act out of its competence, so the ECJ can intervene. It’s a direct appeal from MS or EU institution against an institution or viceversa; Or I have the competences but I didn’t respect the essential procedure requirement / infringement of procedure requirement. Who is entitled to refer to ECJ? A member state or any EU institution (Council, Commission or Parliament).

POLICY OF ECJ ABOUT DP

In 2003 there’s the first case where DP is

before a Court of Justice, RUNDFUNK

A Supreme Court (mandatory for the judge

to refer to ECJ): “Is the Austrian law, that

makes the salaries of senior public officials

publicly available, compatible with the 1995

DP Directive?”

If the answer is negative the Austrian Law

can’t apply the implementation of the

directive anymore. An argument could be “no

link with internal market issue, so didn’t fall within the scope of the EU law”. If you want to

defend the validity of internal law in my national country that deals with DP at that time

you could say that EU didn’t apply to this case because there’s no link with the impact of

DP in the market, it’s my competence! (At that time was just related to that impact, before

the adoption of Lisbon).

The decision taken my the ECJ was based on Art. 114 TFEU: “measures for the

approximation of the provisions laid down by law… in MS which have as their object the

establishment and functioning of the internal market”, but the ECJ read this provision in a

very broad way, so accepted the application of the directive, in short in that case the ECJ

decided that even if there’re no clear effect on the market, it’s still up to the EU to

intervene. So it’s not possible to the Austrian Law to deal with that topic.

LINQVIST (2003)

It’s a voluntary catechist in Sweden that

shows in a website info about new colleagues

to introduce them to the parish; for that she

was prosecuted by the Swedish authorities

(94 European Directive). The argument

against the application of the directive to this

case is that the directive doesn’t apply to

leisure activities (no market); so the idea is

that because of no effects on the market

there’s no link for the EU to intervene. Even in

this case the idea of ECJ is quite different:

reading art. 114 TFEU, the provision doesn’t

require an actual link, but a general link! Even in this case there’s a very broad application

of the sense of the directive.

The ECJ want enlarge more and more the

scope of DP; harmonise the scope of

application directive through the internal

market to ensure an higher level of

protection.

The general advocate said that it was outside the scope of the Directive, but since they were in this development harmonisation of the market, they applied the Directive. The goal was the market harmonisation, by pursuing this goals they wanted to ensure the protection by enlarging the scope of the DP Directive.

Compared legal interpretation: Satamedia (2008)

The problem was the conflict between freedom of expression and the right to privacy;

ECJ vs European Court of Human Rights; they asked the mediator to ban it. They asked

to right interpretation of the Directive. It was a legitimate use of the personal data, but

ECHR said said that these activities were within the Journalistic activity for purpose,

possible at national level. At European level they required a (…)

Compared legal interpretation: Promusicae (2008)

The

sentence was related to the only competence at that time, so economic one. The

directive has to be annulled. No link with the market. Very different approach.

Schecke and Eifert (2010)

After the treaty of lisbon; not annulment but preliminary ruling, ECJ invoked to the validity

of a commission regulation; publication of PD of who received funds.

A judge invoked the ECJ, in Germany, the litigation between them and the federal state.

Were valid and consistent with the requirements?

The decision was to invalidate partially. The sentence referred to art. 16 TFEU and 8

ECFR, fundamental rights and legitimising criteria of lawful criteria. First time that ECJ

that the procedure invalid, interference to proper DP rights exploitation from this DS. So

using primary law.

ASNEF (2011)

ASNEF against Spanish supreme court, the dispute is presented by ASNEF that has

brought administrative proceeding challanges. This proceedings are against few articles

related to the interpretation of directive 94, against in particle art. 7 that sets a list of

legitimising criteria to provide personal data to be processed.

The supreme court decides to present the case to the ECJ and the main frame is that

Spanish legislation add an extra condition according to the art. 7 of TEU, that is

represented by the fact that data has to be appear in public. In the absence of consent of

a person to protect the right of freedom of data.

The question is brought to ECJ in

preliminary ruling and the answer is

that the directive must be interpreted

as including national rules, so no

national rules can’t be over that article;

the second question was related to the

directive effectiveness of the

precluding, the answer is that it had a

direct effect.

In short: even if according to the previous cases now DP has fundamental right dimension

and that led to an Secondary legislation act that interefferd with that rights, the DP in EU

maintains a market nature so the social nature is together with the other; market

harmonisation is not overlook at all, the two objectives stand on an equal footing. In this

case we have a very different approach from the precedents (satamedia-jeopardise rule).

Harmonising Attitude of GDPR

Three points that together work to get the goal of have a consistent application.

One stop shop: create a single point of contact for compliance of DP that has a cross-

boarder dimension; recital 124 ff: more than one national authority competence, so we

need some rules; we could have two different cases: only a local DP authority

competence or local DP authority and

another one.

When a supervisory authority has a case

the supervisory authority should inform

the lead supervisory authority that has to

decide whether to have the case.

Derogation from this rule (128): when it

comes INTO PRIVATE INTEREST it only

competence the local DPA.

Co-operation among supervisor authority

(120 GDPR): duty to cooperate, duty on

A negative externality is an activity that imposes costs on others and they are not reflected in the price (company dumps its waist in a local river), a company that holds PD for one purpose and they could sell them for another one or use them for other purposes. Public good: DP is not, because it’s non excludable and also non rejectable (fundamental).

Data protection and Privacy in European Legal Order

So far we have dealt with privacy&Data protection like two side of the same coin, we

didn’t say anything more about this relationship, now we try to separate.

Starting from histrorial proposective: art. 1,1995 Directive, we find a provision focused on

Privacy “object of the directive”, in accordance with this directive MS shall respect the

natural rights (…) and in particular the right to privacy.

If we go to the new GDPR (in force since 2018 replacing the Directive), art. 1, different

approach! In principle we have tow

different approach: directive on privacy,

GDPR no reference to privacy.

If we go to another source, from

secondary law to primary legislation, the

European charter of Rights we have two

different provision: art. 8 ECFR (Protection

of personal data), art. 7 (Respect for

private and family life).

The framework is actually complex. In this

view, why the ECFR acknowledges two different rights? Why it’s split?

Explanatory memorandum on art. 8: the

directive 95, art. 8 ECHR, Convention 108,

it doesn’t help.

According to Scholars, the reason why

ECFR decided to split them is bust,

emphasise the fundamental right

dimension of the 95 directive. It’s like an

ex post legitimacy of the directive,

emphasising the fundamental right

dimension. But we could say that privacy

would be sufficient, not necessary to split!

Also the legitimacy has to be detected at the time of the directive, in 95, it makes no

sense in a legal world to talk about an ex post legitimacy.

DP&Privact

There’re three different ways of conceding DP and privacy:

1. Disjoint but complementary sets, both DP and privacy are conceived as intermediary

tools to dignity. A decision of the BVerfG (Supreme Court of Germany in1983) the

informational self-determination right is a right that arise from the right of personality,

just an aspect of the right of personality. This is a constitutional approach. Very similar

to this approach is the one in 2001 ECJ according to the decision human dignity is

seen as a principle in the EU, (annulment of a bio-tech act), secondary legislation act

is invalid because of the human dignity. A reference to human dignity even in 2000

ECFR, art. 1 “human dignity in inviolable”.

“It underlined the HD as an interest often served by DP & Privacy”

The thesis is weak because:

a. There’s no consensus on what HD is, in contrast of the case of ECJ, no common

constitutional tradition in the EU MS on what is really HD. Human dignity is cultural, it

depends on the history of every MS, no consensus.

b. Even if we find consensus on HD, which are the implication for the application of DP?

Ambiguous implication for the DP interpretation.

c. Even if we see an explicit reference on HD, there’re two different chapters (1 dignity, 2

freedom)

d. It’s true that HD is of course inviolable right, but anyway when it comes to DP we have

other goals; so it’s ok, it’s a FR, but has other goals, for example facilitate the free

movement of PD.

e. There’re some rights not easy to explain (Data Portability, art 20 GDPR).

So it doesn’t work.

2. DP as a subset of privacy. This view is preeminent in academic literature, according to

this theory DP is the most recent aspect of Privacy, privacy was the right to be left

alone. DP is the new face of privacy today when it comes to tech. It’s not easy to

detect a common denominator of DP and Privacy, so there’re some aspect of DP

justified by privacy concept, but not at all! “ Privacy law can encompass some DP

aspects!”

3. The most convincing way: those rights are intersecting sets. There’s a common area

when DP overlaps considerably with the right to privacy, it’s the one related to info

and data privacy. But DP also serves purposes that privacy doesn’t and vice versa;

there’re aspect not covered by each!

“Dp&Privacy are different from each other, but highly overlapping! “

At the end of the story, in view of these 3 views, the third one is the best one.

Why?

1. It explains why privacy law doesn’t include all elements of DP! (This is why

better then the second one)

2. This theory is more respectful of the divergent constitutional traditions of Eu MS

(this is why better of the first one)

3. More reflective of how the right to privacy as been interpreted by the ECHR

(European court of human right)

USA society: privacy in the fourth amendment before the article of warren; this was corrected by the supreme court. The privacy act 1974; US are not homogeneous world, so it’s interesting how the different states react. California is the most strong regulated about privacy, directly reference to privacy. FRANCE: has the most strict privacy regulation now, in the art. 8 of ECFR, France has is own regulation even before the article. For example had initiative against google for cookies. The article was based on the principle of “individual must have the full protection”, but In contrast with before age.

European Convention of Human Right (ECHR)

Art. 8 ECHR (convention) states that everyone has the right to respect for his private and

family life, his home and his correspondence; it also states some limitations (par. 2).

The European court of human rights interprets this provision in a very broad way, for ex.

when it comes to private life, or corresponded or home, it is interpreted in a broad way,

which are the interest protected also encompass also email from work; apart from the

wording of this article that can reminds us the idea of the right to be left alone, we don’t

have only a static idea of privacy, but also a more dynamic one, that help us in establish

relationship with other human being.

Privacy allows us to interact with other people, to create relationship, the essence of

human kind, dynamic.

The European convention of human rights (ECHR) is broader then the European Union,

it’s also older than the EU, it’s born in 1950, so seven years before the birth of European

Community. “European Convention for the protection of human right and fundamental

freedoms” at that time, signed in Rome by the council of Europe. They wanted to react to

2ww, we had not only the European founder but also UK, Ireland, Denmark (…) involved

in the EU in the seventies or even later. Most European states have acceded to the

European Council, all the European MS belonging to it before getting in the European

Union, this convention came before and involved all the MS of the EU.

It’s even broader because there’re some states that belong to the Council of Europe but

not EU, like Russia. It’s possible some confusion between this two entities (Council of

Europe and European Union), the European Flag was adopted before by the Council of

Europe and then by the European Union, but they include different MS!

It wanted to ensure a protection of fundamental rights, while at the beginning UE was to

obtain a common market, also the competences grew up, but today the main goal of

Council of Europe is to protect FR with a larger number of MS.

The most important provision to understand how it works; art. 1 “the high contraction

parties (MS that have signed) shall secure to everyone within their jurisdiction the rights

and freedoms defined in section 1 of this Convention” (prohibition of torture, … , to

respect private and family life).

According to art. 14 of the Convention.

European Court of Human Right (ECtHR)

European Court of Human Right (ECtHR), the interpretation of this court is consistent with

the idea of the third model of DP&privacy. The main differences from the ECJ is that this

court is based in Strasbourg (FR) while the ECJ is in Luxembourg. The role is art. 19

ECHR “to ensure the observance of the engagements undertaken by the High

Contracting Parties in the Convention”. art. 34 remind us that very important differences

of how they work (Individual applications), in contrast of how we used to see in ECJ the

applicants here are the individuals, not European institution or other, just citizens of the

states that has signed the convention.

Another aspect is Admissibility criteria, which are the conditions? Art. 35, after all the

domestic remedies has been exhausted and whiting 6 months from the last decision was

taken. You don’t have to pay anything and don’t need a lawyer, there’re rules sets to easy

due to go before the court, you can also write your submission in every language in the

European Union.

art. 46 and 41; the high contracting parties that has signed the convention had to comply

with the final decision of the European court of human right. If the court finds that there

was a violation of the convention, the ECtHR has to have partial reparation (just

satisfaction).

The scope of application; in theory and

practice there’re a lot of differences. For

the ECHR there’re obligation on the

contracting parties to protect the citizens;

just a vertical protection, not horizontal

way. Art. 8 (2) no interference by a public

authority (not private!). anyway it’s true in

principle we have a standard international

treaty, so vertical, but anyway we can

identify three observation that lead us to

think that in some way we could be in a

sort of horizontal application as well:

1. The ECtHR’s doctrine of “positive

obligations”, in addition to the general and negative duty imposes by the convention,

in the opinion of the ECHR there’s also an obligation for the MS to take concrete steps

to secure FR, not only negative obligation but also positive one.

2. The Mittelbare Drittwirkung of Convention Rights, direct application with the

intermediation of the law, it means that the judge of the MS may apply national rules

interpreting them in the light of the convention itself.

3. The reception of Convention rights into national legal orders, it’s possible that some of

the MS may decide to adopt some internal acts that reflect in total the provision laid

down in the Convention.

Difference between the range of data and the activities involved in DP&Privacy: in

principle the notion of personal data and processing is wider according to European Law

(GDPR art. 4 broad, ECJ Lindqvist); if we go to ECHR we see that Personal Data

protection is narrower, it’s a smaller number of information that are involved by this

protection. For example doesn’t referred to identifiable person (Fredo case, picture taken

by police in public demonstration, the police didn’t take any action to identify the people),