The classic assumption in privacy theory is that individuals can invoke a right to privacy to protect their individual interests. I’ve challenged the idea that only individuals can rely on the right to privacy in a series of articles. A second theme in my work challenges the assumption that privacy only serves to protect individual interests. There are two counterarguments. First, privacy is also a societal and public interest. Second, privacy is a minimum requirement for many professions (lawyers; doctors; journalists; etc.), for democracy (e.g. the secrecy of the ballot) and for the rule of law (minimum requirements of law). This means that (parts of the right to) privacy cannot be outweighed or outbalanced by other interests.
This chapter is something of a predecessor to the article above and analyzes the jurisprudence of the European Court of Human Rights on the interpretation of Article 8 ECHR, the right to privacy, in cases revolving around (mass) surveillance.
Human rights protect humans. This seemingly uncontroversial axiom might become quintessential over time, especially with regard to the right to privacy. Article 8 of the European Convention on Human Rights grants natural persons a right to complain, in order to protect their individual interests, such as those related to personal freedom, human dignity and individual autonomy. With Big Data processes, however, individuals are mostly unaware that their personal data are gathered and processed and even if they are, they are often unable to substantiate their specific individual interest in these large data gathering systems.
Big Data processes typically run through three phases: gathering data, analysing data and using data. The current legal regime focusses primarily on the first phase, setting limits on which data organizations are allowed to gather, how much data can be gathered and for what reasons. It has been suggested that this focus be let go and that regulation on the use of data be introduced instead. This would remove the hurdles for data-driven innovation and at the same time focus on preventing harms following from Big Data usage, which proponents feel is currently under-regulated.
Moving beyond this so-called access-use debate, this chapter suggests looking at the second phase of Big Data processes, during which data are stored, categorized and analysed. It is in this phase that most errors occur and, at the same time, where no or very limited rules and regulations exist.
Until very recently, the European Court of Human Rights was willing to assess whether Member States’ executive branch had operated on a legal basis, whether national courts had struck a fair balance when adjudicating cases, and whether Member States had a positive obligation to ensure adequate protection of citizens’ human rights. One thing it did not assess, however, was whether Member States’ legislative branch had respected the principles of the rule of law and the minimum requirements of good law-making. That is, until recently. Propelled by cases revolving around mass surveillance activities, in just a small number of years, the Court has undergone a revolutionary transformation and now formally assesses the quality of Member States’ laws and even advises Member States’ legislative branch on how to amend its legal system in order to be Convention-compliant. In doing so, it has gradually turned into a European Constitutional Court, in particular for privacy cases.
Seeing privacy as an intrinsic limit on governmental policies could provide a theoretical foundation for an alternative approach to privacy regulation, in which privacy protection is aligned in part to the principles of the rule of law, which the state needs to respect as a minimum condition for exercising power, even if there are no concrete individual interests at stake. This might ameliorate privacy protection, because right now, it is often difficult to address more systematic and systemic privacy infringements. These infringements do not directly affect a personal interest or undermine an individual right of a specific person. That is why the rights-based approach to privacy is often unable to provide satisfying answers to modern privacy questions. Consequently, many authors have tried to find alternatives to the rights-based approach to privacy, in which the focus is not on the individual, his rights and his interests, but on the actor, the one engaging in a privacy infringement. The problem, however, is finding a suitable ground and theoretical basis for such an approach. This chapter will argue that such a basis may be found in the legal positivist writing of H.L.A. Hart.