The press release 84/2017 issued by the EU Court of Justice on the EU-Canada PNR transfer contains an important (though unnoticed) statement:
… the transfer of PNR data from the EU to Canada, and the rules laid down in the envisaged agreement on the retention of data, its use and its possible subsequent transfer to Canadian, European or foreign public authorities entail an interference with the fundamental right to respect for private life (emphasis added). Similarly, the envisaged agreement entails an interference with the fundamental right to the protection of personal data (emphasis added).
This statement from the Court clarifies what the Data Protection Directive and the GDPR both say: privacy is a different right than protection of personal data.
That’s not just an issue of legal semantics: by re-asserting the difference between privacy and data protection, the Court issued a (possibly unintended) warning to all of the parties (Data Protection Authorities and Article 29) involved into the enforcement of the DPD and the GDPR: interpreting the DPD and the GDPR as “privacy laws” leads to wrong interpretation of the letter of the law, thus involving the risk of unnecessary costs to comply with non-involved provisions and injust fines that will force companies to spend time and resources to stand for its right in Court.