The 8th of all EU-r rights: Data protection and how the Charter contributes
Personal data. Sounds dry? Try this: a former soldier looks for experience as crew member on a private yacht. Soon the Caribbean paradise turns into Sodom and Gomorra. He kills close to half of the crew. Then spends 17 years in a German prison. Once out of prison, he starts an entirely new life. But the story is too spectacular not to have develeped a life of its own: any google search brings the drama up, including his name. A violation of data protection and of his “ability to develop his personality“ in his new life?
What sounds rather unreal, are nothing other than the facts of the case concerning the Apollonia. yacht. The murders took place in 1981. The data protection aspects were dealt with at the end of 2019 before the German Constitutional Court. And the EU Charter stood at the centre of the attention. In substance, the question was, whether the former soldier could invoke a ‘right to be forgotten’ as it was developed by the EU Court in Luxembourg back in 2014.
The Charter right in action
The right to data protection can be considered one of the most well-known provisions of the Charter. This is due to three facts. Firstly, the Charter took an innovative approach by separating the protection of personal data from the classical human right to private life thereby giving new prominence to this entitlement. Secondly, data protection is an area where the EU holds a strong legislative competence and therefore the fundamental right of data protection is also directly implemented by the EU legislator and EU policies (see box below). Thirdly, the EU Court in Luxembourg soon developed a very pronounced and prominent law case in the field. The Court clearly signalled to the EU legislator that it was prepared to declare EU law null and void if it did not come up to Charter standards. 
|Two example of how EU legislation engages with data protection|
The Charter requires that personal data must be “processed fairly“, only for “specified purposes“ and only “on the basis of the consent of the person concerned or some other legitimate basis laid down by law“. Moreover, the Charter establishes “the right of access to data which has been collected” and “the right to have it rectified“. Finally, the Charter – and Article 8 is the only provision in the Charter that has the luxury of such a special regime – states that “compliance with these rules shall be subject to control by an independent authority“.
What do the constitutions of the Member States say?
Given that data protection is a rather new right that has increasingly gained relevance with the development of the information society, many constitutions do not reflect the right explicitly. In fact, less than half of the EU Member States have constitutions that explicitly establish data protection as a fundamental right – most of these are countries from Eastern Europe.
Where data protection is laid down as a fundamental right, the provisions tend to be short and refer to the respective legislation. The constitutions of Greece (Article 9A) and Hungary (Article VI) establish that the right is supervised by an independent authority. And the constitutions of Poland (Article 51 Para 4) and Portugal (Article 35 Para 1) establish the right to have incorrect information stored by the State, to be corrected.
Back to the start. The same day the German Constitutional Court decided on the case of the ‘Apollonia-murder’ it handed down a second decision also concerning Art 8 and the right to be forgotten. There the Court came to a ground-breaking conclusion: whenever an area is fully determined by EU legislation it is not the human rights under the German constitution that the Court will apply but those under the EU Charter of Fundamental Rights. One of the most powerful Constitutional Courts within the EU became a ‘Charter Court’. This can be seen as a reflection of a broader trend: increasingly the EU Charter is gaining foothold in the national legal systems.
Interested in knowing more? Well, here you are: ‘All EU-r rights‘, stay tuned!
|Gabriel N. Toggenburg is an Honorary Professor for European Union and Human Rights Law at the University of Graz, Austria. He worked as a Senior Researcher for Eurac Research in Bolzano/Bozen (Italy) from 1998 to 2008. Since 2009, he has been working for the European Union. All views expressed are his own and cannot be attributed to his current or former employers. His blog series “All EU-r rights” published on EUreka! aims at making the EU Charter of Fundamental Rights better known. He is grateful for the honour to have every blog entry introduced by a piece of art by Miloladesign. An annotated list of all Charter rights is available here.|
 For a TV-movie (2004) retelling the story see Mord in der Karibik – Die Todesfahrt der Apollonia, for a book on the story see Klaus Hympendahl, Logbuch der Angst – Der Fall Apollonia (2001).
 On 13 May 2014 the CJEU established that if following a search made on the basis of a person’s name, the list of results displays a link to a web page which contains information on the person in question, that persons may approach the operator such as google directly and, where the operator does not grant his request, bring the matter before the courts to obtain, under certain conditions, the removal of that link from the list of results. See CJEU, case C-131/1 (so called ‘Google Spain case‘). In a more recent case the CJEU has clarified that google is not obliged to delete links to sensitive personal data upon request worldwide. See CJEU, case C-507/17 decided on 24.09.2019.
 For instance, the Court struck down the so called ‘Data Retention Directive’ which obliged telecommunication operators to store all metadata of all persons irrespective of their behaviour and without sufficient procedural safeguards. See CJEU, Case C-293/12 decided on 8.4.2014.
 See in this regard the European Data Protection Board (EDPB), the independent European body which brings together representatives of all the national data protection authorities, and the European Data Protection Supervisor (EDPS).
 See Art. 37 of the Croatian constitution, Art. 10 (3) of the Czech constitution, Art. 42 of the Estonian constitution, Art. VI (2)(3)of the Hungarian constitution, Art. 22 of the Lithuanian constitution, Art. 51 of the Polish constitution, Art. 19 (3) of the Slovak constitution and Art. 38 of the Slovenian constitution. However, data protection provisions can also be found in some constitutions in Western Europe: see in this regard Art. 9A of the Greek constitution, Art. 10 (2)(3) of the Dutch constitution, Art. 35 of the Portuguese constitution and Articles 3 and 6 of the Swedish constitution.
 See Federal Constitutional Court, case 1 BvR 276/137 (the so called ‘the right to be forgotten II case´), decision of 6.11.2019. Also for this decision there is a detailed press release of the Court available in English.