Table of Contents

Acknowledgements v

Table of Cases xiii

Table of Legislation xvii

Introduction 1

Part I The Theoretical Framework

1 Data Protection as a Fundamental Right 7

I Conceptualising Privacy 7

II Conceptualising Data Protection 12

A Approaches to Data Protection 14

i The Economic Approach 14

ii The Fundamental Rights' Approach 16

B Data Protection as a Fundamental (Human?) Right 18

C A Complicated Relationship: Data Protection and Privacy 21

D The Foundational Values of Data Protection 24

i Privacy 24

ii Transparency, Accountability and Due Process 26

iii Data Security and Data Quality 27

iv Non-Discrimination 28

v Proportionality 28

vi Dignity 29

III Theories of Data Protection and their Shortcomings 31

IV A New Theory for Data Protection 35

A Method: How Should We Approach Data Protection? 35

B Is Data Protection 'Mature' to Stand Alone? Problems and Limitations 35

i Data Protection and Privacy 35

ii Data Protection and Secondary Legislation 37

C Reconstructing Data Protection: The Conditions 38

i The Fundamental Right to Data Protection Should Have an 'Autonomous' Content 38

ii A Balancing Mechanism for Data Protection 40

iii The Essence of the Right to Data Protection: 'Hard Core' Data Protection Principles 42

2 The Judicial Assessment of the Right to Data Protection 45

I The European Court of Human Rights (ECtHR) Case Law 45

II Data Protection in the Case Law of the Court of Justice of the EU 48

A The Court's Approach Before the EU Charter of Fundamental Rights Became Legally Binding 48

B The Court's Approach after the EU Charter of Fundamental Rights Became Legally Binding 53

i The Initial Years: Data Protection as an Aspect of Privacy 53

ii The Intermediate Phase: The Recognition 55

iii The Age of Maturity: Application and Interpretation of the Fundamental Right to Data Protection 58

Part II Case Studies

3 Metadata Surveillance 67

I The EU Data Retention Directive 67

A Aim and Scope 68

B Content 69

II Data Retention Before the Courts 72

A The EU Inter-Pillar Litigation 72

B Data Retention Before National Courts 74

i The Bulgarian Administrative Court Decision 74

ii The Romanian Constitutional Court Decision 76

iii The German Constitutional Court Decision 77

iv The Decision of the Supreme Court of Cyprus 79

v The Czech Constitutional Court Decision 80

C The Invalidation of the Data Retention Directive by the CJEU 81

i The Opinion of the Advocate General 82

ii The Judgment of the Court 84

III Data Retention and the Rights to Privacy and Data Protection 88

A The Conceptual Difficulties 88

B Metadata Retention and the Rights to Privacy and Data Protection 92

IV A Substantive Assessment of Metadata Retention on the Basis of the Fundamental Rights to Privacy and Data Protection 95

A The Essence of the Fundamental Rights to Privacy and Data Protection 95

B Provided for by Law 97

C Objective of General interest Recognised by the Union 97

D Proportionality 98

V Metadata Retention after the Invalidation of the Data Retention Directive 102

A The Imminent Consequences of the Digital Rights Ireland Judgment 102

B National Data Retention Measures and EU Fundamental Rights 104

C The Opinion of the Advocate General 105

4 Travel Data Surveillance 107

I PNR 107

A Defining Passenger Name Record (PNR) 107

B Why is Airline Passenger Surveillance Needed? Uses of PNR data 108

C 'Born in the USA': A Brief History of Airline Passenger Screening 110

II The EU-US Passenger Name Record (PNR) Agreements: A Chronology 115

A The First EU-US PNR Agreement 115

i EU Airlines between a Rock and a Hard Place 115

ii Appeasing the Conflict: The 2004 PNR Agreement 118

iii The Commission's Adequacy Decision and the CBP Undertakings 119

iv The CJEU PNR Decision and 'the Decline and Fall' of the 2004 Agreement 122

B The Second (Interim) EU-US PNR Agreement 127

C The Third EU-US PNR Agreement 129

i The 2007 PNR Agreement 129

ii The Implementation of the 2007 PNR Agreement: An Insight into the DHS Privacy Office Report 133

D The Fourth EU-US PNR Agreement 134

i The 2012 EU-US PNR Agreement 134

III The US Privacy Regime 138

A The Constitutional Protection of Privacy 138

B Federal Privacy Laws 142

C The Need for a Comprehensive Framework? 144

i The EU-US High Level Contact Group on Information Sharing and Privacy and Personal Data Protection 144

ii The EU-US Umbrella Agreement 146

IV The EU PNR 155

A The Proposal for an EU PNR Framework Decision 155

B The EU PNR Directive 157

V Air Passenger Surveillance and the Rights to Privacy and Data Protection 162

A The Rights to Privacy and Data Protection and the Standard of Judicial Review: The Case of PNR 162

B The Added Normative Value of the Fundamental Right to Data Protection in the Case of PNR 164

VI A Substantive Assessment of PNR under the Fundamental Right to Data Protection 165

A Limitation of the Right to Data Protection 166

B Provided for by Law 168

C Objectives of General Interest Recognised by the Union 168

D Necessity 169

E Proportionality 169

F Respect the 'Essence' of the Fundamental Right to Data Protection 172

VII Data-Mining PNR Data 173

A The Question of Effectiveness 173

B Fundamental Rights Affected 176

5 Financial Data Surveillance 181

I The SWIFT Affair 181

A The Secret Operations 181

B Disclosure and European reactions 184

C A Temporary Solution 187

D SWIFT's New Architecture and the Need for a New Arrangement 189

E The Interim TFTP Agreement and its 'Historic' Rejection 191

F Renegotiating a TFTP Agreement 195

G The Long-Term TFTP Agreement: An Improvement? 197

H The Role of Europol under the TFTP: A Fox Guarding the Henhouse? 200

I A European Terrorist Finance Tracking System 203

II The Terrorist Finance Tracking Programme and the Rights to Privacy and Data Protection 205

III A Substantive Fundamental Rights' Assessment of TFTP 207

A Provided by Law 207

B Objectives of General Interest Recognised by the Union 208

C Necessary 208

D Proportionate 210

E Respect the Essence of the Right 211

6 Internet Data Surveillance 212

I Communications Surveillance in the US 212

A The Snowden Revelations 212

B A Brief History of US Communications Surveillance 213

C Section 702, PRISM and Upstream Surveillance 215

II Transatlantic Data Transfers and EU Fundamental Rights 217

A The European Reaction to the Snowden Revelations 217

B The Snowden Revelations and Safe Harbour 218

III The Schrems Judgment 221

A Factual Background 221

B The Opinion of the Advocate General 222

C The Judgment of the Court 224

IV Internet Data Surveillance and the Rights to Privacy and Data Protection 226

A The Fundamental Rights Involved 226

B Transnational Data Transfers and 'Adequacy' of Protection: Extraterritorial Application of EU Fundamental Rights 228

V A Substantive Fundamental Rights' Assessment of Internet Data Surveillance 230

A Internet Data Surveillance and the Right to Privacy 230

i Interference 230

ii The Essence of the Fundamental Rights to Privacy and Effective Judicial Protection 232

iii Provided for by Law 233

iv Objective of General Interest Recognised by the Union 234

v Proportionality 235

B Internet Data Surveillance and the Fundamental Right to Data Protection 235

VI Transatlantic Data Flows after Schrems 237

A The Consequences of the Schrems Judgment 237

B Privacy Shield 238

i Access and Use of the Data by US Authorities for National Security Purposes 240

ii Oversight and Redress 243

iii The Privacy Shield Ombudsperson Mechanism 244

7 Conclusions 247

I The Fundamental Right to Data Protection Reconstructed 247

II Data Surveillance and the Fundamental Right to Data Protection 251

III Counter-Terrorism Data Surveillance and Permissible Limitations to the Fundamental Right to Data Protection 252

IV The Normative Value of the Fundamental Right to Data Protection in Counter-Terrorism Surveillance 254

Bibliography 257

Index 285