Protecting Personal Information: a review from ZD – Zeitschrift für Datenschutz

This is the English translation of the review that Axel Spies published on the German review ZD – Zeitschrift für Datenschutz

Andrea Monti/Raymond Wacks, Protecting Personal Information, Oxford (Hart Publishing) 2019, ISBN 978-1-5099-2485-1, € 60.88

Anyone who wants to deal with the concepts of “data protection” and “privacy” on both sides of the Atlantic on the basis of sources should read Andrea Monti’s and Raymond Wacks’ astute analysis. Monti is adjunct professor at the University of Chieti/Italy and Italian lawyer, Wacks is emeritus professor at the University of Hong Kong – an unusual team of authors. Both are proven practitioners in this field and have been dealing with the subject for many years.

EU law (and thus also German law) has its dear misery with the term “privacy”, which comes from Anglo-American law. The term does not appear in the DS-GVO and in Art. 8 para. 1 ECHR, but it does appear, for example, in Directive 2002/58/EC of 12.7.2002: “concerning the processing of personal data and the protection of privacy in the electronic communications sector (EU-ABl. L 201, 31.7.2002, 37)”. Even the translation of the term “privacy” is difficult in Germany. The term “protection of privacy” does not fit as a term for a right of defence, “privacy” is an artificial word, “informational self-determination” is too short a term.

The authors criticize the conventional concept of privacy. It is too vague, misleads to misunderstandings and abuse and can hardly be delimited legally. The concept of privacy comes from the famous 1890 essay by Warren and Brandeis (4 Harvard Law Review 193). From there, it extended like a plant into many areas of life where it had no place from the original conception. The idea of the protection of privacy is, of course, much older, as the confessional secret of the Catholic Church proves or the painting by Millais of 1862 (“Trust me”) under the title of the book, which shows how a husband demands a letter from his wife, which she holds back behind her back. The authors want to cut the concept of privacy back to its roots. Among other things, a “Protection of Privacy Bill” is required, as the authors present in the appendix to the book. The discussion in Germany is somewhat neglected in the book, although the authors at least mention the Hessian Data Protection Act of 1974 as a data protection law big bang.

A core thesis of the authors is that the concept of personal information should be at the centre of privacy. The authors provide numerous examples to show that the terms “personal data” and “privacy” are not synonyms. The same also applies, by the way, to the term “data protection”, which in the USA is associated more with the understanding that the user locks his computer after work, but not with privacy. Whether the EU legislator will do much better with the overflowing term “personal data” in Art. 4 para. 1 DS-GVO than the Anglo-American legal system with its privacy is an open question. Monti poses the provocative question of whether any data processing under the DS-GVO is automatically an interference with the privacy of the data subject (pp. 111 f.). The authors also ask whether the protection of privacy includes the “right to be forgotten” in Art. 17 DS-GVO. Like other commentators, the authors take a very critical view of this right: why is the right to be forgotten of the plaintiff Coteja in the ECJ decision C-131/12 (ZD 2014, 350 m. Karg – Google Spain), which is fundamental for this right, more worthy of protection than the right of other, much more famous persons whose crimes live on in collective memory? In recourse to Roman history, the infamous conspiracy of Catilina around 63 B.C., Monti lets the “Great Conspirator” Catilina appear with the words: “I am Lucius Sergius Catilina and, after 2000 years now, I deserve to be forgotten” (p. 115). Altogether with all its historical references and remarks from both legal circles (USA/GB compared to continental Europe) the book is a worth reading contribution to the long unfinished debate on what the DS-GVO and other laws should protect as legal right.

Dr. Axel Spies is a lawyer at Morgan Lewis & Bockius LLP in Washington DC and co-editor of ZD.

Criminal Justice System and Personal Data Protection in Japan and Italy – A Special Lecture at Roma Tre University

Special Lecture
(Chair of Criminal Procedure – Prof. Luca Lupària)

 Criminal Justice System
and Personal Data Protection
in Japan and Italy

Tuesday 3 September 2019
h 15.00

via Ostiense 159, Roma

Marco Pittiruti (University Roma Tre)
Hiroshi Miyashita (Chuo University of Tokyo)
Andrea Monti (D’Annunzio University of Chieti-Pescara)

N.B. The lectures are in English

External Ordre Public and The Limit of GDPR’s Extra-Jurisdictional Reach

It is a well established principle in private international law that

The driving force behind development of ordre public externe is the same as that which motivates public policy: no country can afford to open its tribunals to the legislatures of the world without reserving for its judges the power to reject foreign law that is harmful to the forum. 1

This principle affects directly the power of local EU jurisdictions to impose fines on non-EU countries, notwithstanding what the GDPR says.

Continue reading “External Ordre Public and The Limit of GDPR’s Extra-Jurisdictional Reach”
  1. Kent Murphy, The Traditional View of Public Policy and Ordre Public in Private International Law, 11 Ga. J. Int’l & Comp. L. 591 (1981).

Altering Faces. Data Protection And Sore Thumbs

To those that, contrary to any evidence, still believe that data protection equals privacy, this case will come as a shock: the police of Portland (Oregon – USA)  used Adobe Photoshop to remove tattoos from the picture of a suspect so that he could “blend” better in a photo-based identification. The defense of the suspect claimed that that was a way to “frame” him, while the prosecutor said that the “digital make-up” has been necessary to avoid excessive attention on the face of the suspect itself. The Court still haven’t issue a decision on the matter.

A few issues:

  • Is this a Personal Data Case? Yes. A few things but tattoos identify or make a person identifiable.
  • If happened in the EU, would had it be a GDPR Case? The GDPR doesn’t cover judicial activity and law enforcement investigation. Nonetheless, this is case where the notion of “fair processing” comes into play. Altering reality can hardly be hold as a “fair” behaviour.
  • If not the GDPR, what would have stopped this? This is a case of “reverse fairness” and “investigative malice”. Police wanted to be “fair” toward the suspect and – in the meantime – explore the “possibility” that he disguised the tattoos with a make-up. The due process right prevents (or should prevent) law enforcement from resorting to this trick.


A Real-Life Case of Inefficient Profiling

Amazon knows in extreme detail – thanks to the analysis of purchases – my interests and – thanks to the analysis of how I use my Kindle – my reading habits. Yet he sends me an email to suggest, on the basis of my profiling, to buy a book that I wrote.

If all a giant with a limitless computing might like Amazon is able to extract from my personal data is a suggestion to buy my own books either I’m not actually monitored or profiling just doesn’t work.