The EU Court of Justice: privacy and data protection are different rights. Data Protection Authorities are on notice

The press release 84/2017 issued by the EU Court of Justice on the EU-Canada PNR transfer contains  an important (though unnoticed) statement:

… the transfer of PNR data from the EU to Canada, and the rules laid down in the envisaged agreement on the retention of data, its use and its possible subsequent transfer to Canadian, European or foreign public authorities entail an interference with the fundamental right to respect for private life (emphasis added). Similarly, the envisaged agreement entails an interference with the fundamental right to the protection of personal data (emphasis added).

This statement from the Court clarifies what the Data Protection Directive and the GDPR both say: privacy is a different right than protection of personal data.

That’s not just an issue of legal semantics: by re-asserting the difference between privacy and data protection, the Court issued a (possibly unintended) warning to all of  the parties (Data Protection Authorities and Article 29) involved into the enforcement of the DPD and the GDPR: interpreting the DPD and the GDPR as “privacy laws” leads to wrong interpretation of the letter of the law, thus involving the risk of unnecessary costs to comply with non-involved provisions and injust fines that will force companies to spend time and resources to stand for its right in Court.

2 Replies to “The EU Court of Justice: privacy and data protection are different rights. Data Protection Authorities are on notice”

  1. Andrea, I’m not clear where you stand on this. One (but only one) of the reasons for the protection of personal data is in order to protect the person’s privacy.

    (Are we crossing swords again?)

  2. Robert, happy to meet you 🙂
    Once again I’m not voicing an interpretation, but just transposing what the GDPR whereas say. The purpose of the GDPR is to guarantee a fair processing of personal data in relationship to fundamental rights including (but not limited to) privacy.
    Thus, calling the GDPR “privacy law” is technically wrong, because the right to privacy is one of the pillars the GDPR is laid upon.
    From the privacy protection perspective, both DPD and GDPR have many limitation (the “filing system” requirement, being the most relevant.) Both DPD and GDPR are tool to accomplish the job, but to me it looks like since we have a hammer, all of what we see looks like a nail.
    Privacy has its own provision both a International, European and National level. The GDPR is a useful complement, but it is not a synonym for privacy.

Leave a Reply

Your email address will not be published. Required fields are marked *