Author: Mzekala Romanadze
This essay was originally published in the collection of essays prepared within the scope of the project funded by the Internet Society.
Introduction
The
protection of privacy and confidentiality of communication is one of the basic
human rights. "The right of a person to exist independently of society, to
have relations with the circle of persons he/she chooses, is a necessary factor for the
existence of a person."[1]
At the same time, it is essential to protect the privacy and inviolability of
personal space. A person creates his/her personal space both in the field of "live" and
electronic communication. In any communication, there is a reasonable
expectation that the communication on matters selected, desired or needed by
the data subject will remain inaccessible, anonymous, and inviolable to all
persons he/she has left outside his/her personal space. The issue of personal data
protection is particularly critical since the disclosure of this information
without the consent of the data subject is a gross violation of the right to
privacy (if it is done without a legitimate basis) and leaves a person without
personal space. There is no independence without personal space.
Unlike
"live communication", the field of electronic communications carries
high risks. In particular, during "live communication" access to
personal data by another person depends on the will of the data subject himself/herself, and
accordingly, the degree of protection of personal data is based on trust
between people. In the field of
electronic communications, personal data processing is a more complex issue and
is devoid of fiduciary relationships.
Modern
technologies and the Internet provide the data controller[2] with opportunities to access information, including personal
data, even without the data subject expressing his/her will. In order to guard against the risks of
misuse of such access by the data controller, it is necessary to develop
minimum standards for ensuring the inviolability and privacy of human personal
space. Specifically, the mentioned minimum standard implies the necessity of
the data subject's permission for the processing of personal data or, in the
absence of permission, the existence of a valuable public legitimate purpose
(and justified interference with the right). It is necessary that the
processing of personal data of individuals in the field of electronic
communications depends on the will of the data subject (as it happens in
"live communication").
The purpose
of this work is to identify the risks of personal data processing in the field
of electronic communications and to determine the role of the data subject in
the mentioned process - based on the decisions of the ECtHR and CJEU. Using the
method of comparative-legal analysis, the essay presents the standards of personal
data protection (established within the framework of the Council of Europe and
the European Union) in the field of electronic communications.
In the first chapter the scope of electronic communications is explained and additionally, the types of personal data processed in this field are identified. The second chapter describes the current regulation of personal data processing in the field of electronic communications in the Council of Europe and the European Union. In the same chapter, a review of the relevant decisions of the European Court of Human Rights and the Court of Justice of the European Union is presented, on the basis of which a comparison of the named legal systems is given, in particular, the similarities and differences between the approaches formed by them are identified. At the end of the work, a summary of the research is provided, taking into account the main findings related to personal data protection in the field of electronic communications.
1. The field of electronic communications and the types of processed personal data
According to
Article 2(d) of Directive 2002/58/EC concerning the processing of personal data
and the protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications) (hereinafter "Directive 2002/58/EC"),
communication means the following: any information exchanged or conveyed
between a finite number of parties by means of a publicly available electronic
communications service.[3] It should be emphasized that the scope of the
mentioned directive is limited and includes only communication services
provided by public networks.[4]
A publicly available electronic communications service is a fee-based service
that transmits signals over electronic communications networks and therefore,
transmits information. Electronic means of communication include the use of
both telecommunication means (telephone or similar technical devices)[5]
and the Internet for the purposes of "circulation" of information.
Therefore, the electronic communications sector includes the following forms of
data transmission: telephone calls, faxes, text messages, voice messages, video
messages, e-mails,[6]
Internet messages and other information that is not generally available and has
individual content (part of the private space of a specific person/persons).
The privacy
of electronic communication in the digital world includes ensuring the
confidentiality of its content, as well as the protection of any other data
related to mentioned communication from disclosure.[7]
Accordingly, in the sector of electronic communications, there are content and
non-content (technical) data of communication.
Based on the characteristics of the "circulation" of information and the types of data, Directive 2002/58/EC distinguishes 3 categories of data:
- Data on the content of messages sent during communication;
- Data necessary for establishing and conducting communication (so-called "traffic data", which includes information on communication between the parties, its time and duration);[8]
- Data related to the location of the communication device, so-called location-determining data (IP addresses). In addition, the said data may include information about the location of users of communication devices, for example, when it comes to users of mobile communication devices.
The right to privacy and to privacy of communication is not an absolute right: in some cases it is permissible to process the above-mentioned data based on the consent of the data subject or, in the presence of a corresponding legitimate basis, even without such permission. It is therefore necessary to assess the specific grounds of interference with the right and identify the risks associated with them.
2. Rules governing personal data processing in the field of electronic communications and judicial practice
2.1. Council of Europe and the case-law of the European Court of Human Rights (ECtHR)
Article 8 of
the European Convention guarantees the right to respect
for private and family life. In particular, "Everyone
has the right to respect for his private and family life, his home and his
correspondence." The mentioned article lists the legitimate grounds for
limiting this right: "There shall be no interference by a public authority
with the exercise of this right except such as is in accordance with the law
and is necessary in a democratic society in the interests of national security,
public safety or the economic well-being of the country, for the prevention of
disorder or crime, for the protection of health or morals, or for the protection
of the rights and freedoms of others."[9]
Therefore, the European Convention defines the legitimate grounds when it is
possible to interfere with the said right. However, the existence of a
legitimate aim alone is not sufficient: interference with
the said right must also meet formal (the basis of the restriction must be the law)
and substantive (along with the existence of a legitimate aim, the means of
limiting the right must be useful, necessary and proportional) requirements.
The issue of
data protection in the field of electronic communications also falls within the
protected area of Article 8 of the European Convention. In particular, the
security of "correspondence" involves ensuring the confidentiality of
communication in various situations.[10]
In its practice, the ECtHR interprets the scope of this right broadly. It treats as correspondence such types of communication as, for example, telephone conversations,[11] electronic messages (e-mails),[12] Internet usage[13] and data stored on a computer server. It considers as interference in the protected area of the mentioned right such actions as the imposition of content censorship during communication, the use of data to determine the location of a person (including tracking), data monitoring, and information processing, including the creation of copies of correspondence, recording, storage and other actions that constitute data processing. The ECtHR considered even sending an electronic message (e-mail) to a third party as an interference with this right.[14]
In addition, the ECtHR considers the right to personal data protection within the framework of Article 8 of the European Convention and does not distinguish it as a separate independent right. The ECtHR has established a rather diverse and solid practice, within which cases concerning personal data processed in the field of electronic communications (content as well as non-content data) can be identified.[15] For example, the ECtHR has considered privacy issues of the so-called traffic data, voice recordings, GPS location data and data sent/transmitted via electronic communications. Important decisions in the practice of the ECtHR are the cases of Malone v. the United Kingdom (1984) and Copland v. the United Kingdom (2007), where the court made important clarifications on the processing of so-called "traffic data". In the mentioned decisions, the content of the data was explained and it was established that the processing of the mentioned data for the purposes of a criminal investigation without the consent of the data subject was justified.
It should be
noted that in 1995, the Council of Europe adopted a recommendation on personal
data protection issues in the field of telecommunications services[16]
(hereinafter referred to as the "Recommendation"), which has no
binding force, although it had an impact on the development of data protection
law in Europe. The mentioned recommendation mainly defines data protection standards
related to telecommunication services. The recommendation
mentions that the purposes of collecting and
processing personal data in the field of telecommunications should be related
to the user's connection to a specific network, or the provision of specific
telecommunications services, reporting, verification, technical operations,
network and service development. The aforementioned purposes were written as
the basis of personal data processing, which are required to be specified at
the domestic level.
2.2. European Union and the case-law of the Court of Justice of the European Union (CJEU)
According to Article 8 of the EU Charter of
Fundamental Rights (hereinafter "the Charter"), "everyone has
the right to the protection of personal data concerning him or her." In accordance
with paragraph 2 of the same article, "Such data must be processed fairly
for specified purposes and on the basis of the consent of the person concerned
or some other legitimate basis laid down by law." Based on the mentioned provision, several
distinguishing features can be seen between the European Convention and the Charter. Unlike
the European Convention, the
Charter singles out personal data protection as an
independent right. It should also be emphasized that the Charter does not list
specific legitimate grounds and provides for its regulation by domestic laws.
However, this does not mean giving absolute discretion to member states. Article
54 of the Charter guarantees the prohibition of abuse of rights, on the basis of which the Member
States cannot limit the right more than is necessary.
Unlike the
legal sources of the Council of Europe, a special directive on personal data
protection issues in the field of electronic communications has been adopted in
the European Union. By its nature, a directive defines the main
goals, while the selection of appropriate forms and means of achieving
them is left to the internal legal mechanisms of
the state.
Directive
2002/58/EC, also known as the e-privacy directive, deals with the processing of
personal data within the framework of the provision of communications services
at the EU level. The privacy of electronic communications extends not only to
the content of the communication, but also to other data such as: between whom
communication takes place, when, how long, and from where - the place from
which the data is transmitted. Content data is strictly confidential and the
CJEU sets a very high standard for the propriety of its disclosure. For example,
access to content information may be justified for investigating a crime. According
to Directive 2002/58/EC, the traffic data can be used by the service provider
only for billing and service purposes, and with the consent of the data
subject, it is allowed to transfer this data to another controller that
offers additional services to users. It is worth noting the changes made in the
mentioned directive in 2009, on the basis of which the possibilities of the
data processor were limited and, accordingly, the obligations were increased -
in connection with ensuring the security of users' data.
At the same
time, the first paragraph of Article 15 of the Directive is worth noting,
which lists the legitimate grounds when it is possible to interfere with the
right. The mentioned legitimate grounds are similar to the requirements
established by the European Convention. In addition, it is worth noting that a
new guide[17] for the review of judgments of the
ECtHR has been published, which includes cases of application of EU law, in
particular those cases in which the ECtHR referred to EU law when
making a decision. For example, in the case of BENEDIK v. SLOVÉNIE, the ECtHR
referred to EU Directive 2002/58/EC and used the definition of terms specified
in that document. It is worth noting that the ECtHR always refers to EU law and
takes into account the standards established by special directives/regulations
when considering cases against EU member states.
Conclusion
In light of the above, the standards
established within the European Union and the Council of Europe are
focused on guarding against the threats faced by the data subject in the field
of electronic communications. In order to minimize the realization of risks,
the issue of granting permission for the processing of personal data is
transferred to the data subject, which is why the powers of the data controllers are
very limited. However, at the same time, the legal sources operating in the
mentioned two systems and the practice of the courts provide for exceptional
cases when the processing of personal data is allowed even without the consent
of the data subject. In particular, such exceptional cases should serve to
achieve predetermined publicly valuable legitimate aims. Based on the
legal framework, the practice of the ECtHR and the CJEU ensures the protection
of the balance between the confidentiality of personal data and the legitimate objectives of the state in
the field of electronic communications.
[1]
Decision N2/1/484 of the Constitutional Court of Georgia dated February 29,
2012 in the case "Young Lawyers Association of Georgia and Georgian
citizen Tamar Khidasheli against the Parliament of Georgia", II-5. See https://bit.ly/3oH5OQC [01.08.2022]
[2]
Data controller - "a public institution, natural or legal entity, which
individually or jointly with others determines the purposes and means of personal
data processing, directly or through an authorized person carries out data
processing."
[3]
Directive 2002/58/EC concerning the processing of personal data and the
protection of privacy in the electronic communications sector. See https://bit.ly/2LN9e2m [01.08.2022]
[4]
Ibid, Article 3.
[5]
Telecommunication means - "a set of hardware devices, algorithms and
software that allows to transmit and receive speech, information data, and
multimedia information using electric and electromagnetic oscillations through
cable, optical fiber and radio channels in different wave bands. These
are information conversion devices."
[6] See
Note 7, Article 2(h).
[7] See
Note 7, paragraph 21 of the preamble.
[8] Ibid,
subsection "b" of Article 2.
[9] Convention
for the Protection of Human Rights and Fundamental Freedoms, Rome, November 4,
1950, Article 8. See https://bit.ly/2WrE0nY
[01.08.2022]
[10]
Guide on Article 8 of the European Convention on Human Rights, Right to respect
for private and family life, home and correspondence, Updated on 31 August
2021, 115/161. See https://bit.ly/2GPofwr [01.08.2022]
[11]
The decision of the European Court of Human Rights of February 25, 1992 in the
case Margareta and Roger Andersson v. Sweden, para. 72. See https://bit.ly/3cYKdAS [01.08.2022]
[12] The
decision of the European Court of Human Rights of April 3, 2007 in the case
COPLAND v. THE UNITED KINGDOM, para. 41. See https://bit.ly/3zQhJSJ
[01.08.2022]
[13]
Ibid.
[14] The
decision of the European Court of Human Rights of October 17, 2003 in the case
of LUORDO v. ITALY, para. 75. See https://bit.ly/3BBuNwy
[01.08.2022]
[15] Guide
to the Case-Law of the European Court of Human Rights, Data protection, Updated
on 30 April 2022. See https://bit.ly/3vwQWbm
[01.08.2022]
[16]
RECOMMENDATION No. R (95) 4 OF THE COMMITTEE OF MINISTERS TO MEMBER STATES ON
THE PROTECTION OF PERSONAL DATA IN THE AREA OF TELECOMMUNICATION SERVICES, WITH
PARTICULAR REFERENCE TO TELEPHONE SERVICES, Adopted by the Committee of
Ministers on February 7, 1995. See https://bit.ly/3zNcMKr [01.08.2022]
[17] Guide
sur la jurisprudence de la Cour européenne des droits de l'homme, Le droit de
l'Union européenne dans la jurisprudence de la Cour, Première édition – 31 mars
2022. See https://bit.ly/3zQwKny [01.08.2022]