Table of Contents
Acknowledgements v
Table of Cases xiii
Table of Legislation xvii
Introduction 1
Part I The Theoretical Framework
1 Data Protection as a Fundamental Right 7
I Conceptualising Privacy 7
II Conceptualising Data Protection 12
A Approaches to Data Protection 14
i The Economic Approach 14
ii The Fundamental Rights' Approach 16
B Data Protection as a Fundamental (Human?) Right 18
C A Complicated Relationship: Data Protection and Privacy 21
D The Foundational Values of Data Protection 24
i Privacy 24
ii Transparency, Accountability and Due Process 26
iii Data Security and Data Quality 27
iv Non-Discrimination 28
v Proportionality 28
vi Dignity 29
III Theories of Data Protection and their Shortcomings 31
IV A New Theory for Data Protection 35
A Method: How Should We Approach Data Protection? 35
B Is Data Protection 'Mature' to Stand Alone? Problems and Limitations 35
i Data Protection and Privacy 35
ii Data Protection and Secondary Legislation 37
C Reconstructing Data Protection: The Conditions 38
i The Fundamental Right to Data Protection Should Have an 'Autonomous' Content 38
ii A Balancing Mechanism for Data Protection 40
iii The Essence of the Right to Data Protection: 'Hard Core' Data Protection Principles 42
2 The Judicial Assessment of the Right to Data Protection 45
I The European Court of Human Rights (ECtHR) Case Law 45
II Data Protection in the Case Law of the Court of Justice of the EU 48
A The Court's Approach Before the EU Charter of Fundamental Rights Became Legally Binding 48
B The Court's Approach after the EU Charter of Fundamental Rights Became Legally Binding 53
i The Initial Years: Data Protection as an Aspect of Privacy 53
ii The Intermediate Phase: The Recognition 55
iii The Age of Maturity: Application and Interpretation of the Fundamental Right to Data Protection 58
Part II Case Studies
3 Metadata Surveillance 67
I The EU Data Retention Directive 67
A Aim and Scope 68
B Content 69
II Data Retention Before the Courts 72
A The EU Inter-Pillar Litigation 72
B Data Retention Before National Courts 74
i The Bulgarian Administrative Court Decision 74
ii The Romanian Constitutional Court Decision 76
iii The German Constitutional Court Decision 77
iv The Decision of the Supreme Court of Cyprus 79
v The Czech Constitutional Court Decision 80
C The Invalidation of the Data Retention Directive by the CJEU 81
i The Opinion of the Advocate General 82
ii The Judgment of the Court 84
III Data Retention and the Rights to Privacy and Data Protection 88
A The Conceptual Difficulties 88
B Metadata Retention and the Rights to Privacy and Data Protection 92
IV A Substantive Assessment of Metadata Retention on the Basis of the Fundamental Rights to Privacy and Data Protection 95
A The Essence of the Fundamental Rights to Privacy and Data Protection 95
B Provided for by Law 97
C Objective of General interest Recognised by the Union 97
D Proportionality 98
V Metadata Retention after the Invalidation of the Data Retention Directive 102
A The Imminent Consequences of the Digital Rights Ireland Judgment 102
B National Data Retention Measures and EU Fundamental Rights 104
C The Opinion of the Advocate General 105
4 Travel Data Surveillance 107
I PNR 107
A Defining Passenger Name Record (PNR) 107
B Why is Airline Passenger Surveillance Needed? Uses of PNR data 108
C 'Born in the USA': A Brief History of Airline Passenger Screening 110
II The EU-US Passenger Name Record (PNR) Agreements: A Chronology 115
A The First EU-US PNR Agreement 115
i EU Airlines between a Rock and a Hard Place 115
ii Appeasing the Conflict: The 2004 PNR Agreement 118
iii The Commission's Adequacy Decision and the CBP Undertakings 119
iv The CJEU PNR Decision and 'the Decline and Fall' of the 2004 Agreement 122
B The Second (Interim) EU-US PNR Agreement 127
C The Third EU-US PNR Agreement 129
i The 2007 PNR Agreement 129
ii The Implementation of the 2007 PNR Agreement: An Insight into the DHS Privacy Office Report 133
D The Fourth EU-US PNR Agreement 134
i The 2012 EU-US PNR Agreement 134
III The US Privacy Regime 138
A The Constitutional Protection of Privacy 138
B Federal Privacy Laws 142
C The Need for a Comprehensive Framework? 144
i The EU-US High Level Contact Group on Information Sharing and Privacy and Personal Data Protection 144
ii The EU-US Umbrella Agreement 146
IV The EU PNR 155
A The Proposal for an EU PNR Framework Decision 155
B The EU PNR Directive 157
V Air Passenger Surveillance and the Rights to Privacy and Data Protection 162
A The Rights to Privacy and Data Protection and the Standard of Judicial Review: The Case of PNR 162
B The Added Normative Value of the Fundamental Right to Data Protection in the Case of PNR 164
VI A Substantive Assessment of PNR under the Fundamental Right to Data Protection 165
A Limitation of the Right to Data Protection 166
B Provided for by Law 168
C Objectives of General Interest Recognised by the Union 168
D Necessity 169
E Proportionality 169
F Respect the 'Essence' of the Fundamental Right to Data Protection 172
VII Data-Mining PNR Data 173
A The Question of Effectiveness 173
B Fundamental Rights Affected 176
5 Financial Data Surveillance 181
I The SWIFT Affair 181
A The Secret Operations 181
B Disclosure and European reactions 184
C A Temporary Solution 187
D SWIFT's New Architecture and the Need for a New Arrangement 189
E The Interim TFTP Agreement and its 'Historic' Rejection 191
F Renegotiating a TFTP Agreement 195
G The Long-Term TFTP Agreement: An Improvement? 197
H The Role of Europol under the TFTP: A Fox Guarding the Henhouse? 200
I A European Terrorist Finance Tracking System 203
II The Terrorist Finance Tracking Programme and the Rights to Privacy and Data Protection 205
III A Substantive Fundamental Rights' Assessment of TFTP 207
A Provided by Law 207
B Objectives of General Interest Recognised by the Union 208
C Necessary 208
D Proportionate 210
E Respect the Essence of the Right 211
6 Internet Data Surveillance 212
I Communications Surveillance in the US 212
A The Snowden Revelations 212
B A Brief History of US Communications Surveillance 213
C Section 702, PRISM and Upstream Surveillance 215
II Transatlantic Data Transfers and EU Fundamental Rights 217
A The European Reaction to the Snowden Revelations 217
B The Snowden Revelations and Safe Harbour 218
III The Schrems Judgment 221
A Factual Background 221
B The Opinion of the Advocate General 222
C The Judgment of the Court 224
IV Internet Data Surveillance and the Rights to Privacy and Data Protection 226
A The Fundamental Rights Involved 226
B Transnational Data Transfers and 'Adequacy' of Protection: Extraterritorial Application of EU Fundamental Rights 228
V A Substantive Fundamental Rights' Assessment of Internet Data Surveillance 230
A Internet Data Surveillance and the Right to Privacy 230
i Interference 230
ii The Essence of the Fundamental Rights to Privacy and Effective Judicial Protection 232
iii Provided for by Law 233
iv Objective of General Interest Recognised by the Union 234
v Proportionality 235
B Internet Data Surveillance and the Fundamental Right to Data Protection 235
VI Transatlantic Data Flows after Schrems 237
A The Consequences of the Schrems Judgment 237
B Privacy Shield 238
i Access and Use of the Data by US Authorities for National Security Purposes 240
ii Oversight and Redress 243
iii The Privacy Shield Ombudsperson Mechanism 244
7 Conclusions 247
I The Fundamental Right to Data Protection Reconstructed 247
II Data Surveillance and the Fundamental Right to Data Protection 251
III Counter-Terrorism Data Surveillance and Permissible Limitations to the Fundamental Right to Data Protection 252
IV The Normative Value of the Fundamental Right to Data Protection in Counter-Terrorism Surveillance 254
Bibliography 257
Index 285