The word Privacy is not mentioned in the GDPR!
Having perused the text of the GDPR multiple times, I noted some time back that the word ‘privacy’ is absent from the main text. Some of you familiar with the GDPR may not find this to be ‘earth-shattering’ news, but I have been mulling over this a while and so I have decided now to put a few thoughts out there for others to consider and comment upon, should you wish. It cannot be a coincidence that the all-important ‘privacy’ word is not to be seen in 2016/679 (main text) given the nature and purpose of the Regulation, or can it? I sometimes hear the words ‘data protection’ and ‘privacy’ used interchangeably, which in my experience creates some confusion in the interpretation of both.
Let me try to distinguish between them, show them to be distinct legal rights and perhaps postulate a little also about the absence of the word privacy in the GDPR. I hope this will be of some assistance to those who are processing personal information and are looking to discover where and what relevant responsibilities are prevalent in respect of their activity in Ireland (and indeed beyond!).
First up, Privacy!
The concept of privacy is not easy to nail down! The famous ‘boiled down’ definition, ‘the right to be let alone’ (Warren and Brandeis 1890), still carries credibility in today’s world though! I have read of privacy not simply being a right but a bundle of rights with a common theme (Quill. Torts in Ireland 2009)! For example, common law provides protection for trespass in the context of unwanted contact with your person, land or chattels (personal possessions). In Kennedy and Arnold v Ireland, where the issue at hand related to phone tapping, Hamilton J offered:
‘The right to privacy must be such as to ensure the dignity and freedom of an individual in…a sovereign, independent and democratic society but balancing the rights of others, the common good, public order and morality’.
So privacy obviously appears in several facets of human existence, including intellectual, bodily, proprietary and, not least, informational privacy, which relates to data protection.
In times past the Irish Government was responsive to privacy as a standalone requirement in wider society and in 2006 the Privacy Bill was published (not to be confused with the Data Protection Bill 2017!). Sadly however, this Bill has since been languishing in that dark place at the back of a shelf where only old Bills go!
The purpose of the Bill to…
‘provide for a new tort of violation of privacy taking into account the jurisprudence of our courts and the European Court of Human Rights’
appears unlikely to see daylight at this point! I hope I am incorrect! An interesting definition of the entitlement to privacy in the Privacy Bill 2006 is useful as a ‘then and now’ comparator though:
It ‘provides that a person’s entitlement to privacy is that which might be reasonable in all the circumstances having regard to the rights of others and to public order and the common good. Without prejudice to the generality of the entitlement, there shall be a violation of privacy, subject to the provisions of sections 5 (defences) and 6 (certain disclosures not a violation of privacy), by subjecting another person to surveillance and by the disclosure of information so obtained; by (unauthorised) use of name, voice or likeness of an individual for commercial purpose; by the disclosure of personal information or documents of a person or to commit an act (of harassment) as described in section 10 of the Non-Fatal Offences Against the Person Act 1997’.
While the word privacy receives no mention in the GDPR (main text), there is however a phrase sprinkled liberally throughout the GDPR to which, I believe, a link to privacy can be made. The phrase ‘Rights and Freedoms’ receives mention 77 times (though this number of mentions still does not earn it an all-important (and helpful) presence in the Article 4 definitions. Pity!).
To make the connection we can eliminate ‘Rights’ from our query. Rights generally pertain to data protection and an objective list of these can be found on the Irish Data Protection Commissioner’s website and in articles 12-22 in the GDPR.
Rights for individuals under the GDPR include:
• Subject access
• To have inaccuracies corrected
• To have information erased
• To object to direct marketing
• To restrict the processing of their information, including automated decision-making
• Data portability
• Right to be forgotten (erasure) is acknowledged
The rights individuals will enjoy under the GDPR are the same as those under the current, but with some significant enhancements. (See Articles 12-22)
What are freedoms then?
Here, things become a little more complicated. Freedom is an emotive word, conjuring up a myriad of (negative!) images when it is believed to have been removed from the individual. To attempt a detailed description of freedom is to fill many pages with text and then maybe not reach the end point! Freedom (fundamental) in the context of data protection appears to mean that which is set down in The European Convention on Human Rights (ECHR) which defines fundamental freedoms as…
‘Those which are the foundation of justice and peace in the world and are best maintained on the one hand by an effective political democracy and on the other by a common understanding and observance of the Human Rights upon which they depend.’
ECHR Art. 8 covers the right to respect for private and family life, and it received recognition in the context of data processing in Von Hannover v Germany (24 June 2004) ECtHR. Here the Court suggested:
‘Increased vigilance in protecting private life is necessary to contend with the new communication technologies which make it possible to store and reproduce personal data’.
In the EU Charter of Fundamental Rights, freedoms receive more amplified consideration. Title II contains 14 articles, one of which, Article 8, directly covers personal data…
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Whereas Article 7 of that same Charter provides explicit protections for privacy…
‘Respect for private and family life. Everyone has the right to respect for his or her private and family life, home and communications’.
So, there you have a very brief definitional outline of rights and freedoms as they relate to personal data and, perhaps, a vinculum between data protection and privacy! Of course there are more legal elements (Acts, S.I.s, Directives, Case Law and so on…) to consider as you drill deeper into the subject, but the foundational information above gives some indication of the potential legal complexity attached to uttering the words ‘fundamental rights and freedoms’ (of natural persons), for example, when weighing up a decision whether or not to report a personal data breach under the GDPR (Art 33(1)) or whether to undertake a DPIA (Art 35(1)).
A business or organisation, in essence, is expected to assess how unlikely it is that a breach results in a ‘risk’ to the above rights and freedoms and then affirmatively take action or not. Even more responsibility is attached to deciding whether to undertake a DPIA if there is a ‘likely resulting’ ‘high risk’ to the rights and freedoms of individuals. Not small matters in my view.
So freedoms in the context of privacy are protected by a broad statute base including international Charters and Treaties and so require wider reading to gain a fuller picture of them.
The image below provides a good general representation of the relationship between the various legal entities at play.
Reproduced with kind permission of Clarus Press, Kennedy and Murphy. Information and Communications Technology Law in Ireland 2017. ISBN 978-1-905536-96-2. A helpful read in my line of work for sure!
The Irish Data Protection Commissioner’s website offers the following in answer to the question, what is data protection?
‘When you give your personal details to an organisation or individual, they have a duty to keep these details private and safe. This process is known as data protection’
Kennedy and Murphy (above) state…
‘Currently, the average individual going about their normal activities generates more data in 24 hrs than their near ancestors would have generated in their entire lives’.
Data protection refers to ‘informational data’ about a person though one can stretch this to also mean ‘informational privacy’. In contrast to Privacy generally though, data protection seeks to facilitate the sharing and use of data (rather than ‘leaving it alone’, the privacy definition!) in a controlled manner.
Like it or not, the volume of personal data generated is set to continue to rise in response to ecommerce generally. The issue going forward has to be how all of this personal data will be cared for.
Were the creators of the GDPR correct to ‘exclude’ the word privacy from the GDPR? Hmm!
Martin O’Dwyer is Principal at DATA LEX Consultancy. DATA LEX offers data protection and privacy law services. Tel. +353864169922 Email: email@example.com