A. Introduction
This Article focuses on the specificities of the notion of essence of the fundamental right to privacy enshrined in Article 7 of the Charter of Fundamental Rights of the European UnionFootnote 1 and the fundamental right to protection of personal data epitomized in Article 8 of the Charter. Both fundamental rights play a pioneering role in the understanding of this concept, not only because the Court of Justice of the European UnionFootnote 2 established the interference with the essence of a fundamental right for the first time in its privacy and data protection jurisprudence,Footnote 3 but also because it subsequently developed an extensive case law around this notion precisely through interpretation of the two fundamental rights. In the landscape of protection of essence, privacy and data protection therefore play a prominent constitutional role, even though the methodology used by the Court and its conclusions on interference with the essence are contentious and can be subject to criticism. The Court’s case law on this issue can be depicted as a muddled maze where the final destination remains concealed due to reasoning that is full of meanders and unpredictable curves. Against this background, this Article aims to critically assess the findings of the Court regarding the essence in its rich case law on data protection and privacy and to propose a methodological approach that the Court should use when assessing whether the essence of a fundamental right has been interfered with.
The Article is based upon the following structure: After a general introduction, situating the notion of essence into the framework of multi-level protection of fundamental rights in Europe and proposing a test to determine the interference with the essence—Section B—it addresses further interpretative challenges relating to this notion in privacy and data protection case law of the CJEU. Section C therefore focuses specifically on the essence of the fundamental right to privacy, whereas Section D explores the specificities of this concept within the ambit of the fundamental right to protection of personal data.Footnote 4 In both parts, the cornerstone of the analysis focuses on cases Digital Rights Ireland Footnote 5 and Schrems Footnote 6 where the CJEU developed, for the first time, the modalities of the breach of essence of fundamental rights to privacy and data protection and laid down constitutional foundations for interpretation of this notion. Further relevant cases, including the Tele2 Sverige Footnote 7 and Opinion 1/15,Footnote 8 are equally examined in detail as an example of fine-tuning of the CJEU’s approach towards the understanding of this concept. The final part—Section E—delivers concluding observations on the importance of insights in the fields of privacy and data protection for the general constitutional conceptualization of the notion of essence.
B. The Theoretical Foundations of Essence in the EUFootnote 9
I. A Quick Look into Member States’ Constitutional Law
The notion of essence of fundamental rights cannot be analyzed in detachment from a broader constitutional context, notably the EU Member States’ constitutional law.Footnote 10 Indeed, this concept has long attracted vivid attention of scholars studying constitutional law of the EU Member States, notably in Germany,Footnote 11 Spain,Footnote 12 Portugal,Footnote 13 Hungary,Footnote 14 and Slovakia.Footnote 15 Certain Member States, as well as third countries, expressly prohibit interference with the essence of fundamental rights in their constitutions,Footnote 16 and constitutional courts of particular Member States have equally embraced this concept in their case law, sometimes even without a corresponding reference to the essence in national constitutions.Footnote 17 Despite different avenues of recognizing the essence in national constitutional orders of EU Member States, their main purpose remains the same: To prevent the holder of the fundamental right to be stripped of the inalienable core of her fundamental right.
Differently, other Member States, such as France, Italy, Slovenia, or Croatia, decided not to embed this concept into their constitutions. It is arguable whether this discrepancy between different constitutional approaches towards the essence should be seen as a simple semantic difference, or rather as reflecting a deeper conceptual disagreement on whether the existence of essence in a constitutional order is necessary in the fundamental rights protection landscape. In any event, the constitutional orders of various Member States seem to differ on the questions of whether every fundamental right possesses an untouchable core and whether a separate protection of such a core is necessary or even appropriate. In particular, in Germany, where the notion of essence (Wesensgehalt) originates from, scholars to this date disagree whether this concept should be seen as having a merely declaratory natureFootnote 18 or whether it also plays a more practical role, serving as a concrete test to determine interferences with the core of fundamental rights.Footnote 19 At the heart of the quest of (not) seeing essence as an independent concept lies its relationship with the principle of proportionality: If all interferences with fundamental rights, even the most blatant ones, can be identified in application of the proportionality balancing, does the notion of essence still retain an independent value? An intuitive answer to this question seems to be a negative one, but this answer leads to the next question: Can all interferences be determined in application of the principle of proportionality?
The academic responses of national constitutional doctrine and the practice of national constitutional courts to this question are diverse and can largely be classified into two approaches or theories.Footnote 20 According to the absolute theory, every fundamental right has an untouchable core, which brings it outside the scope of application of the principle of proportionality.Footnote 21 It has been asserted that the existence of essence can be justified only if it is “definable independently of proportionality and perform[s] a distinct role in preventing certain forms of state action….”Footnote 22 Differently, the relative approach constructs essence as a redundant concept, building upon the premise that all interferences with fundamental rights can be determined with the deployment of the principle of proportionality.Footnote 23 This latter approach questions the usefulness and added value of the concept of essenceFootnote 24 and designates it as a non-viable alternative to proportionality.Footnote 25 This dilemma, originating from the national constitutions and the related doctrine, came to light also with the binding nature of the Charter which, in Article 52(1), guarantees that “[a]ny limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms.”Footnote 26 Before addressing the question of interpretation of this notion within the framework of privacy and data protection, a more general question of whether the notion of essence should have an independent value in the system of EU fundamental rights protection must be addressed first.
II. Essence and Proportionality: A Relationship in Need of Clarification
It is submitted that the notion of essence, as enshrined in Article 52(1) of the Charter, should be interpreted as an independent constitutional concept that is not part of the principle of proportionality.Footnote 27 Such an approach allows for the possibility to identify interferences with the core of a fundamental right independently from proportionality balancing by distinguishing between interferences with the essence of fundamental rights and other interferences, including particularly serious ones.Footnote 28 The first argument in favor of this view lies in the textual interpretation of Article 52(1) of the Charter.Footnote 29 In the structure of this provision, the quest for respect of essence appears in the first sentence: “Any limitation on the exercise of the rights … must … respect the essence of those rights and freedoms,” whereas the requirement that the limitations must comply with the principle of proportionality can be found only in the second sentence. This separation seems to indicate that the determination of the interference with the essence and all other types of—justified or unjustified—interferencesFootnote 30 with a fundamental right are submitted to two different tests. The wording of Article 52(1) of the Charter, therefore, seems to confirm the practical value of essence.
The second reason supporting the claim that the essence should be seen as an independent concept is a jurisprudential one: It builds upon the case law of the CJEU where the essence was undeniably recognized as an independent concept.Footnote 31 On the one hand, this holds true for the case law on the “very substance” of fundamental rights in the pre-Charter era, which can be seen as a predecessor and a source for codification of essence into the Charter.Footnote 32 Indeed, despite the fact that the Explanations to the Charter do not explicitly recognize the notion of the “very substance” as being the source for the essence, they do expressly refer to the case law that prohibits “undermining the very substance” of fundamental rights,Footnote 33 which indicates that this case law remains relevant for the interpretation of the notion of essence in the post-Charter jurisprudence.Footnote 34 On the other hand, it is undeniable that the CJEU, in its post-Charter judgments, such as Digital Rights Ireland,Footnote 35 Schrems,Footnote 36 and Alemo-Herron,Footnote 37 acknowledges the independent value of the concept of essence by markedly verifying whether the essence of the fundamental rights has been interfered with.
The third argument in favor of independent value of essence is a purpose-based argument. The essence represents an additional safeguard for the protection against the most extreme and blatant interferences with fundamental rights for which justifications do not exist. If there is no possible justification for an interference, the proportionality balancing cannot be performed, which potentially leads to an impairment of essence of a fundamental right. An example of such an impairment is if a Member State offers absolutely no safeguards to protect data of its citizens and entirely disregards both Article 8 of the Charter and the EU secondary legislation that gives expressionFootnote 38 to this fundamental right. Another example of interference with the essence, say of the fundamental right not to be tried or punished twice in criminal proceedings—Article 50 of the Charter—would be if the EU institutions decided to repeal this fundamental right altogether.Footnote 39 The Schrems case offers another illustration of impairment of essence, namely of the right to effective judicial protection—Article 47 of the Charte). The circumstance that the data subject did not have any legal remedies whatsoever allowing her to gain access to data and rectification or erasure of data transferred to the United States under the Safe Harbor agreement led the Court rightly to the conclusion that the essence of this fundamental right is not respected.Footnote 40 To the contrary, when overriding reasons exist, the interference with a fundamental right should follow proportionality analysis. A good illustration is the Ministerio Fiscal case where the Court did not analyze the impairment of essence because there was no need to do so.Footnote 41 The access of public authorities to data helping to identify thieves of a mobile phone could be justified by the objective of prevention of criminal offenses.Footnote 42 These examples demonstrate that the application of and interference with the essence need to be reserved for rare cases on which the principle of proportionality does not have a grip. The inclusion of this notion into the Charter thus accentuates the inalienable nature of fundamental rights more generally and gives the addressees an additional safeguard of protection.
III. How to Establish an Impairment of Essence?
The approach proposed above prompts the question of the appropriate test for determining whether the essence of a fundamental right from the Charter has been impaired. It is submitted that this test should have two prongs.Footnote 43 The first step of analysis should consist of verifying whether the interference with a fundamental right makes it impossible to exercise this rightFootnote 44 or even undermines the sheer existence of this right. In the terminology of the CJEU, it needs to be verified whether the interference “calls into question”Footnote 45 the fundamental right as such. Second, the interference with the essence can be identified only if there are no legitimate reasons in public interest that can override such an interference.Footnote 46 The reasoning for this second prong of the test lies in the differentiation between the interferences that can be detected on the basis of the proportionality and the interferences of essence of a fundamental right. As soon as an overriding reason for interference can be identified, the CJEU should be prompted to apply the proportionality balancing, thus excluding the possibility of interference with the essence of this fundamental right.
Overriding reasons that cannot justify an interference are those that do not pursue “objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others,” as required by Article 52(1) of the Charter. As spelled out in the Explanations to this Charter provision, the general interests of the Union are, inter alia, promotion of peace, establishment of internal market, creation of an area of freedom, security, and justice, promotion of social justice and solidarity—Article 3 of the TEU—as well as observance of the principle of conferral—Article 4(1) of the TEU. Further, fundamental rights might be limited with the rights of others. It is quite possible to imagine grounds that do not meet these standards. Imagine an example where the state abolishes the right to vote for all women on the ground that women represent a threat to the state’s democracy. This would not only call into question the existence of this fundamental right for this particular group of people—first prong of the test—but the justification would also not meet a standard of a legitimate overriding interest—second prong of the test. The recent democracy and rule of law crisis in Hungary and Poland offers further examples. For instance, Hungary has notoriously denied the right to asylum, guaranteed by Article 18 of the Charter,Footnote 47 to refugees and asylum seekers with arguments that “these [migrants] are not refugees, because they arrive through safe countries into Europe” and that “migrants are terrorists.”Footnote 48 In a democratic society, which is one of the values on which the EU is founded, such arguments are devoid of quality of justifications for fundamental rights infringements.Footnote 49 In the absence of another legitimate justification, denying the right to asylum to those asylum seekers could interfere with the essence of their fundamental right of asylum.
Should the CJEU decide to follow the suggested approach, the question arises whether this may lead to tension with the jurisprudence of the European Court of Human RightsFootnote 50 which equally recognizes the possibility of impairment of essence, without always following a consistent test. Indeed, in certain cases, the ECtHR uses the principle of proportionality to determine whether an essence of a fundamental right was interfered with.Footnote 51 In other cases, the Strasbourg court distinguishes the proportionality test from the test for interference with the essence.Footnote 52 The main question that needs to be clarified in this regard is whether the CJEU needs to follow, on the one hand, the (inconsistent) Strasbourg approach or, on the other hand, the conclusion of this court on whether the essence of a fundamental right was impaired. In other words, if the ECtHR finds an interference with the essence of a particular fundamental right, can the CJEU, in the same factual circumstances, conclude that this is “merely” a disproportionate interference? Article 52(3) of the Charter namely requires that the Union has to guarantee either the same or “more extensive protection” of those fundamental rights “which correspond to rights” from the ECHR.
It is submitted that the CJEU should follow the approach of the ECtHR insofar as possible, however, only to the extent that the latter court actually considers the impairment of essence as a distinct test from proportionality. If the Strasbourg court’s conclusion on essence is de facto an application of the principle of proportionality, this should not prevent the CJEU from finding an interference disproportionate. In an inverse situation, where the Strasbourg court finds that a particular measure is disproportionate, the CJEU would not be precluded from applying the essence test. It is not excluded that the jurisprudence of both courts on this issue would gradually converge or that the CJEU approach would even have an impact on its Strasbourg counterpart. However, in Big Brother Watch v United Kingdom,Footnote 53 where the ECtHR extensively referred to Digital Rights Ireland,Footnote 54 it did not engage with the question of whether the secret surveillance schemes interfere with the essence of Article 8 ECHR.
Against this theoretical background, this Article further elaborates on the CJEU’s approach towards the essence of fundamental rights to privacy and protection of personal data. The focus lies on the critical examination of the case law of this court, in particular, on the meanders of constitutional reasoning and particularities of judicial construction of the notion of essence.
C. The Essence of the Fundamental Right to Privacy: Much Ado About Content
I. The Introduction of the Content Debate: Digital Rights Ireland
In the constitutional landscape of essence, the fundamental right to privacy enshrined in Article 7 of the Charter plays a prominent and distinctive role. Indeed, the discussion about what constitutes the essence of this fundamental right began with the CJEU’s seminal decision in Digital Rights Ireland, which is the first case where the Court interpreted this Charter notion.Footnote 55 The Court took the opportunity to give interpretative guidance on the notion of essence within the framework of the analysis of the compatibility of the contentious Data Retention DirectiveFootnote 56 with the fundamental rights to privacy and data protection from the Charter.Footnote 57 The aforementioned directive obliged telecommunication and internet service providers to retain a wide range of data relating to their users, notably their name and address, date, time, duration, and type of communication, as well as IP addresses of users of Internet services.Footnote 58 In its ruling, the CJEU invalidated the directive on the grounds that it violated the fundamental rights to privacy and data protection.Footnote 59 The Court, however, did not reach this conclusion on the account of the interference with the essence of those rights. Rather, the extensive retention of data was seen as a particularly serious interference with those rights,Footnote 60 which was not strictly necessary, and hence disproportionate, to attain the objective of the investigation, detection, and prosecution of serious crime.Footnote 61
In the Court’s reasoning, the analysis of the essence of the fundamental right to privacy is curiously placed within the part of the judgment on justification of the interference with both abovementioned fundamental rights. While the Opinion of Advocate General Cruz Villalón is entirely silent on the question of whether the controversial legislation impairs the essence of those rights,Footnote 62 the Court uses the scope and type of the data retained as a benchmark to assess whether the essence of the fundamental right to privacy has been affected. According to the Court, the retention of data prescribed by the directive “is not such as to adversely affect the essence” of the right to privacy because “the directive does not permit the acquisition of knowledge of the content of the electronic communications as such.”Footnote 63 This conclusion of the Court deserves critical observations from two perspectives: the constitutional and the factual.
The constitutional critique addresses the Court’s perception of essence as a quantitatively—and not qualitatively—different intrusion from the particularly serious interference. Indeed, while the Court seems to base its reasoning on a rather intuitive assumption that the access to the content of electronic communications constitutes a more serious interference than the vast collection of metadata about such communications, it does not flesh out in any way why it is precisely the access to content that would justify the leap in the designation of the type of interference.Footnote 64 The Court seems to perceive the intrusion into the essence as the most serious of all possible intrusions and access to content of the data as an expression of such an intrusion, but it unfortunately fails to explain why the acquisition of knowledge of content could equally not be qualified as a particularly serious interference.
Contrary to what the Court claims, however, the interference with the essence should be seen as a different type of infringement of a fundamental right, subjected to a different methodology for determination of infringement. Consequently, even if the Data Retention Directive allowed for access to the content of electronic communications, that would still constitute a particularly serious disproportionate interference with the fundamental right to privacy and not an interference with its essence. If the notion of essence is to be limited to the most extreme cases of interferences which call into question the existence of a particular fundamental right or prevent the addressee to exercise her right, and for which no overriding reasons exists, the conclusion such as the one of the Court would not be possible. Indeed, as long as the infringement of the fundamental right to privacy, even though through access to content of communication, can be potentially justified by the overriding reason of the fight against serious crime, there is no reason why such an interference could not be covered by a classic proportionality balancing, leading to the conclusion that the interference is (dis)proportionate.
II. A Ray of Hope: Tele2 Sverige
A further critique of Digital Rights Ireland is of a factual nature. As clarified in the later Tele2 Sverige case,Footnote 65 the distinction between the content data and metadata that the Court introduces in Digital Rights Ireland is not only somewhat artificial, but also based on an unconfirmed premise that access to content data necessarily constitutes a greater interference with privacy of users of electronic communications.Footnote 66 That premise might indeed hold true in an environment of limited amount of data collected, but is difficult to advocate in a big data setting of blanket and non-targeted retention of data. This issue was addressed by both the Advocate General and the Court in the Tele2 Sverige case, which raised the question of compatibility with EU law of national legislations that were adopted for the purposes of transposition of the Data Retention Directive and that remained in force after the invalidation of the latter.Footnote 67
As accurately demonstrated by Advocate General Saugmandsgaard Øe, access to metadata can sometimes have the same or an even greater impact on privacy of users of electronic communications compared to content data that might be more cumbersome to be analyzed given the vast amount of data collected.Footnote 68 The Advocate General gives an example of identification of citizens who oppose government policies; identifying them might be more difficult based on content of their communications rather than based on metadata, such as inclusion on anti-government mailing lists or participation in protests.Footnote 69 Other examples could include identification, through location metadata on visits of certain shops, of people who have recently acquired or wish to acquire a weapon; identification, through phone calls to particular medical practitioners, of patients with a particular disease;Footnote 70 identification, through calling or e-mailing of support organizations, of people with alcohol or drug addictions; or people with certain religious beliefs, through mailing lists or location data demonstrating visits of places of worship.Footnote 71
Metadata can thus reveal information about an individual’s sensitive data, whose processing is in principle prohibited by the General Data Protection Regulation,Footnote 72 unless one of the exceptions applies.Footnote 73 Moreover, the collection of metadata can be problematic because of the possibility of automated analysis.Footnote 74 As Ojanen correctly points out, “the distinction between the content … and metadata … is rapidly fading away in a modern network environment.”Footnote 75 In its judgment in Tele2 Sverige, the Court seemed to have embraced this idea by initially putting metadata and content data on an equal footing and recognizing that drawing up a profile of the users “is no less sensitive, having regard to the right to privacy, than the actual content of communications.”Footnote 76
Despite this initial finding, the mantra of interference with the essence of fundamental right to privacy whenever the measure allows access to content of electronic communications strangely persists in both the Court’s and Advocate General’s further reasoning in Tele2 Sverige. In the case of the opinion of the Advocate General, this could perhaps still be explained—but not justified—by the fact that the opinion analyzes the question of interference with the essence priorFootnote 77 to the analysis of the factual impact of generalized and non-targeted data collection.Footnote 78 To the contrary, in the Court’s analysis, the repetition of this reasoning seems contradictory, given that the conclusion on lack of interference with the essence of fundamental right to privacy comes just two paragraphs after the Court acknowledged that profiling of individuals is “no less sensitive” than acquisition of content of communications.Footnote 79 Even though the Court in Tele2 Sverige did not find an interference with the essence, but rather a particularly serious interference with the fundamental rights from Articles 7 and 8 of the Charter, there is still a tension in its reasoning. Despite the fact that the case generally resounded broadly in the doctrineFootnote 80 and online commentaries,Footnote 81 the issue of essence received little attention in the academic literature.Footnote 82
III. Generalized Access to Content as a Benchmark: Schrems
Deplorably, it is precisely the circumstance of access to content data that led the CJEU in Schrems—which preceded the Tele2 Sverige case—to the conclusion that mass surveillance measures compromise the essence of the fundamental right to privacy.Footnote 83 In Schrems, the Court was essentially called upon to adjudicate on the question of whether the Safe Harbor Privacy Principles guaranteed an adequate level of protection of personal data transferred from the EU to the U.S. and, consequently, whether the Commission DecisionFootnote 84 confirming that such an adequate level of protection is guaranteed by those principles, is valid.Footnote 85 The case was brought in the aftermath of Edward Snowden’s revelations that the U.S. National Security Agency gained access to the vast amount of data that was transferred to U.S. companies and organizations under the Safe Harbor Privacy Principles. The Principles namely legally allowed for derogation from its safeguards whenever the U.S. legislation imposed on those companies and organizations conflicting obligations in the interest of national security, public interest or law enforcement requirements.Footnote 86
In its analysis, the Court opined that the legislation that allows “public authorities to have access on a generalised basis to the content of electronic communications” compromises the essence of the fundamental right to privacy.Footnote 87 In adopting this approach, the Court seemed to follow the opinion of Advocate General Bot who, for his part, relies on a contrario reasoning to the one in Digital Rights Ireland: Access to the content of private data would automatically lead to the interference with the essence of the fundamental right to private life.Footnote 88 As argued above, however, access to the content of data should not automatically lead to the conclusion that the interference with the fundamental right to privacy adversely affects its essence. Even though it is understandable that the Court wanted to point out the gravity of the interference, it would have been doctrinally more appropriate to qualify it as a particularly serious interference.
Furthermore, the finding of interference with the essence in Schrems is problematic from a methodological perspective as well since the Court came to this conclusion after it already decided that the measure in question is not in accordance with the principle of proportionality.Footnote 89 In light of the methodology for determining the interference with the essence proposed above, the application of the principle of proportionality excludes the possibility of interference with the essence and only allows for a conclusion that the measure constitutes a justified or unjustified (dis)proportionate interference. Nevertheless, the Court first established that the legislation that authorizes generalized storage of the entirety of personal data transferred from the EU to the US, without differentiating the storage period on the basis of the objective pursued and without limiting the access to this data depending on objective criteria, is not limited to what is strictly necessary.Footnote 90
It is curious to note that the Court applied the necessity part of the proportionality test without precisely identifying the overriding reason in public interest that could potentially justify the generalized storage of personal data transferred from the EU to the US.Footnote 91 The Court merely concluded that a legislation that “authorises, on a generalised basis, storage” of such data, “without any differentiation, limitation or exception being made in the light of the objective pursued,” interferes with the essence of privacy,Footnote 92 but it remains unclear what exactly constitutes such an objective. From the Court’s judgment, it can only be speculated that the overriding reason equals the ones allowing for derogation from Safe Harbor Privacy Principles, that is, protection of (U.S.) national security (U.S.) public interest, or (U.S.) law enforcement requirements.Footnote 93 It cannot be excluded that the Court wanted to avoid proportionality balancing of a non-EU interest, such as U.S. national security or public interest, with the EU fundamental right to privacy, and hence reduced the proportionality analysis merely to the necessity test.Footnote 94 It is, however, undeniable that an overriding reason of public interest existed. Therefore, there was no need to proceed to the conclusion that this measure also interferes with the essence of the fundamental right to privacy. Regrettably, the Court seems to construct the interference with the essence as an example of a disproportionate measure: After concluding that the measure in question is not limited to what is strictly necessary,Footnote 95 the Court goes on to state that, “in particular,” this measure compromises the essence of the right to privacy.
In the Commission’s adequacy decision on Privacy Shield,Footnote 96 adopted in the aftermath of the Schrems case, the Commission does not expressly—but rather implicitly—come to the conclusion that the U.S. legislation no longer interferes with the essence of the fundamental right to privacy.Footnote 97 The Commission points out that the U.S. legislation now conforms to the standard set out in that judgment, which does not allow storage of personal data on a generalized basis.Footnote 98 It further points out that the U.S. intelligence activities “touch only a fraction of the communications traversing the internet” which excludes “that there would be access ‘on a generalised basis’ to the content of electronic communications….”Footnote 99 While this last finding seems to be sufficient to establish lack of interference with the essence, it appears that the Commission did not strictly require the U.S. authorities to forbid any type of access to the content of such communication. Non-generalized access to the content of communication still seems to be allowed under the Privacy Shield, while generalized access is prohibited. While the Commission considers the U.S. level of protection as appropriate, it is questionable whether this criterion is indeed met in practice. The contentious Section 702 of the U.S. Foreign Intelligence Surveillance Act (“FISA”) is described in the Privacy Shield as allowing access to content “targeting certain non-U.S. persons outside the United States….”Footnote 100 In the past, the requirement of “targeting” from Section 702 FISA did not seem to prevent mass surveillance or blanket collection of content data which raised not only academic concerns,Footnote 101 but also led to numerous challenges before U.S. courts against this section of FISA.Footnote 102 The full revision of this Section of FISAFootnote 103 and the scope of the new U.S. Liberty ActFootnote 104 go beyond the scope of this Article, but the question whether the U.S. legislation indeed does not allow for access to content on a generalized basis still remains open.Footnote 105 Indeed, incompatibility of the new Privacy Shield standards with the essence of this fundamental right due to the generalized access to data is one of the core arguments in the pending case La Quadrature du Net and Others v Commission.Footnote 106
IV. Turning to a Quantitative Benchmark: Opinion 1/15
Finally, it is crucial to analyze the findings of the Court in the Opinion 1/15 on the compatibility of the draft EU-Canada Passenger Name Record (PNR) AgreementFootnote 107 with the fundamental rights to privacy—and data protection—from the Charter. The envisaged agreement allowed for collection and sharing of the PNR data, that is data about “each journey booked by or on behalf of any passenger,”Footnote 108 for example the name of the passenger, dates of reservation and travel, information about frequent flyer membership, contact information, payment information, travel itinerary, baggage, seat information, and other data.Footnote 109 On the basis of the agreement, the Canadian authorities could receive PNR data of EU data subjects for the purposes of preventing, investigating or prosecuting terrorist offences or serious crime,Footnote 110 and for other purposes.Footnote 111 The objective of transferring the PNR data to Canada was therefore to ensure public security and the use of this data for prevention of terrorist offenses and serious transnational crime.Footnote 112 Given the panoply of data that could be transferred and processed on the basis of this agreement, the Court found that it was incompatible with Articles 7 and 8 of the Charter, but not on the account of the interference with the essence of these fundamental rights. After an extremely precise analysis,Footnote 113 the Court concluded, rather, that several provisions of the envisaged agreement exceeded what is strictly necessary to achieve the abovementioned objective and thus constitute disproportionate interferences with those fundamental rights.Footnote 114
Nevertheless, the Court made some constitutionally important observations about the essence of the fundamental right to privacy. It justified the lack of interference with the essence of this fundamental right by pointing out that even though “PNR data may, in some circumstances, reveal very specific information concerning the private life of a person,” this information is still limited only to “certain aspects of that private life, in particular, relating to air travel between Canada and the European Union.”Footnote 115 This reasoning essentially follows the reasoning from the opinion of Advocate General Mengozzi who stressed that the “data in question continues to be limited to the pattern of air travel between Canada and the Union.”Footnote 116 From the perspective of type of data collected compared to data collected in Schrems, it has been argued that this conclusion is logical.Footnote 117 From a constitutional perspective, however, the Court distances itself both from its case law where the benchmark was access to content data, as well as from its case law where the interference with the fundamental right should not call into question the existence of the fundamental right. Rather, it adopts a position that the interference with the essence of the right to privacy is a question of a degree of interference with the fundamental right, given that it takes as a benchmark the limited nature of the acquired and processed data.Footnote 118 In that sense, a parallel could perhaps be drawn with Digital Rights Ireland where access to content was also a manifestation of a higher degree of interference. Nevertheless, these divergent findings on essence make it difficult to define how exactly the Court conceptualizes the essence of fundamental rights.Footnote 119
D. The Essence of the Fundamental Right to Data Protection: Maximum Standard Becomes a Minimum One
I. Introduction of Minimum Standard: Digital Rights Ireland
The examination of the case law of the CJEU shows that the essence of the fundamental right to data protection is an even more elusive concept than the essence of the right to privacy. In its efforts to distinguish the two fundamental rights, the Court seems to struggle with the scope of the fundamental right to data protection, including instances of when its essence would be adversely affected. As a result of that struggle, the Court often perplexingly portrays data protection as a minimalistic right limited to security measures, in particular, in the context of blanket retention of data.
As an example of this approach, the judgment in Digital Rights Ireland can be put forward. In this case, the Court adopted an extremely restrictive and technical approach by considering that the essence of this fundamental right is not adversely affected because the contentious Data Retention Directive required the respect of “certain principles of data protection and data security….”Footnote 120 In specifying these principles, the Court specifically singled out the importance of adoption of “appropriate technical and organisational measures … against accidental or unlawful destruction, accidental loss or alteration of the data….”Footnote 121 As Lynskey correctly points out, data security, as well as technical and organizational measures, are mentioned nowhere in Article 8 of the Charter.Footnote 122 This leaves the reader wondering why these measures should have constitutional relevance at all and, even more so, why exactly they could prevent the adverse effect on essence of this fundamental right.Footnote 123 In its reasoning, the Court narrows down the core of the fundamental right to data protection to minimum safeguards of data protection and data security prescribed by the Data Retention Directive. In consequence, this approach makes the essence of this right a minimum standard rather than a maximum one and places the threshold for compliance with the essence rather low.Footnote 124
This conclusion of the Court deserves a critical reflection. Non-interference with the core of a right should not be not tantamount to observance of minimum safeguards for data protection. If compliance with these minimum standards was sufficient to not adversely affect the essence, how would it then still be possible to conclude that Data Retention Directive disproportionally interferes with the fundamental right to data protection at all? The way the test of compliance with the essence should be construed is exactly the opposite: Compliance with minimum standards of data protection and data security is not sufficient to prevent interference with the fundamental right to data protection, but the interference with this right is not of the kind to adversely affect the essence of this right. Seeing the essence of a fundamental right as a minimum standard devoids this concept of its purpose and misconstrues its role in the fundamental rights protection landscape.
II. The Mantra of Content Continues: Tele2 Sverige
A further case relevant for the interpretation of the notion of essence of the fundamental right to data protection is Tele2 Sverige.Footnote 125 In this case, the Court seemed to discontinue its minimalistic approach developed in Digital Rights Ireland. Differently, it applied the reasoning from this latter judgment on access to the content to electronic communications, developed in the framework of the right to privacy, to the right to protection of personal data. More precisely, the Court extended this finding to data protection by stating that the Member State legislation in question “does not permit retention of the content of a communication and is not, therefore, such as to affect adversely the essence of those rights,”Footnote 126 where “those” refers both to the fundamental right to privacy, as well as the fundamental right to data protection.
Purely methodologically speaking, this approach puts both fundamental rights on the same footing and demonstrates that the same interference can call into question the essence of both rights. While this seems indeed feasible and methodologically possible, the substance of the argument, as mentioned already above, contradicts the remainder of the Court’s reasoning in Tele2 Sverige. As analyzed above, the Court namely clearly states that establishing a profile on the basis of metadata is “no less sensitive” than access to content.Footnote 127 This finding begs a question: If the access to metadata is really to be treated equally as access to content data, why does the former not interfere with the essence of the fundamental rights as well? While the Court in Tele2 Sverige decidedly remedies the rather artificial distinction between content and metadata from the perspective of their practical impact, it fails to draw further constitutional consequences and acknowledge that this distinction is not an appropriate test for determination of interference with the essence of neither fundamental right to data protection nor the fundamental right to privacy.
III. Consolidation of Minimum Standard: Opinion 1/15
In Opinion 1/15, given the different nature of data collected, the Court moved away from its reasoning that couples the interference with the essence to the content of data. According to the Court, the envisaged PNR-Canada agreement did not adversely affect the essence of fundamental right to data protection because this agreement, first limited “the purposes for which PNR data may be processed,” and second laid down rules to ensure “the security, confidentiality and integrity of that data, and to protect it against unlawful access and processing….”Footnote 128 Below, this Article analyzes both prongs of this reasoning: Compliance with the purpose limitation principle and availability of data security measures.
The second prong relating to measures to ensure security, confidentiality, and integrity of data will be examined first. This part of the Court’s reasoning is a rather clear indication that the Court considers essence as a minimum requirement of fundamental rights compliance. The Court seems to commit a similar fallacy as in Digital Rights Ireland of treating the essence as a minimum standard of protection. In an a contrario reasoning, it seems difficult to imagine that absence of data security measures could lead to interference with the essence of the fundamental right to data protection or even, for that matter, interference with that fundamental right at all. Rather, the absence of these measures would simply be a violation of secondary legislation requiring data security measures to be put in place.Footnote 129
The first prong of the Court’s reasoning raises a broader constitutional question of whether an interference with an element of a fundamental right to data protection expressly provided by Article 8 of the Charter automatically leads to an interference with the essence of this fundamental right. Even though the Court in Opinion 1/15 does not make an express reference to the text of Article 8 of the Charter, its reasoning on limitation of purposes of processing could be understood from the perspective of compliance with purpose limitation principle integrated into Charter’s Article 8(2).Footnote 130 Given the wording of Article 8(2) of the Charter, could it be claimed that this principle is an essential element of the fundamental right to data protection, the non-observance of which leads to interference with the essence of this fundamental right?
Seen more generally, Article 8 of the Charter offers a much more precise regulation compared to the fundamental right to privacy—Article 7—in that it—in an innovative wayFootnote 131—takes over to the constitutional level certain safeguards that need to be guaranteed to the data subject. By virtue of Article 8, the principles of fairness of processing and purpose limitation gained constitutional status, together with the requirement that processing always needs a legitimate basis, such as consent.Footnote 132 It remains unclear why this right expressly includes fairness and purpose limitation principlesFootnote 133 and not also other principles, such as data minimization.Footnote 134 This is particularly interesting, given that the Directive 95/46,Footnote 135 which was, according to the Explanations to the Charter, one of the sources for drafting of this provision,Footnote 136 also regulated other principles beyond fairness and purpose limitation.Footnote 137 A plausible explanation is that the constitutional legislator had to draw a line between those elements that have a prime importance to protect data and other elements that can be sufficiently well protected with secondary legislation. Constitutional status is further given to the right of access to dataFootnote 138 and the right to rectification of data.Footnote 139 Finally, the Charter recognizes supervision of compliance with data protection rules by an independent supervisory authority to be an integral part of the fundamental right to data protection.Footnote 140 González Fuster points out that all of these elements stem from international data protection instruments.Footnote 141
The inclusion of these specific elements into the constitutional right to data protection evidently raises the question of whether the interference with any of these elements immediately leads to interference with the essence of the fundamental right to data protection. For example, if a data subject is denied access to her data or if data was processed without her consent, does that automatically adversely affect the essence of this fundamental right? This Article submits that this should not be the case. While the abovementioned elements are indeed constitutive of this fundamental right, in order for the essence to be impaired, the interference has to make it impossible to exercise this right or call into question the existence of this right. Unless this threshold is met, it does not seem that the interference with any of those elements would automatically go beyond an ordinary interference with this fundamental right. A different interpretation would mean that almost every interference with this fundamental right would lead to interference with its essence, a result that would be contrary to Article 52(1) of the Charter.
IV. Essence in EU Secondary Legislation on Data Protection
The requirement of respect of essence of fundamental right to data protection is not only embedded into the Charter, but also into the secondary legislation. The GDPR makes reference to the concept of essence on three occasions. The first two relate to lawful grounds of processing of special categories of data,Footnote 142 one on processing that is “necessary for reasons of substantial public interest”Footnote 143 and the other on processing for archiving, scientific or historical research, and statistic purposes.Footnote 144 In both cases, the GDPR requires that the processing has to be proportionate to the aim it pursues, that it has to “respect the essence of the right to data protection” and provide for suitable safeguards for protection of data subject’s fundamental rights. All of the fundamental rights safeguards from Article 52(1) of the Charter thus have to be respected when using these grounds of processing, including the standard of essence.
The third instance of the use of essence relates to the possibility of introducing legislative restrictions to data protection principles or data subjects’ rights.Footnote 145 Such a restriction has to be proportionate, respect the essence of fundamental rights, and be limited to one of the grounds enumerated in the GDPR, such as national security, defense, public security, prevention or prosecution of criminal offences, or the protection of judicial independence.Footnote 146 The Directive on Data Protection in Criminal MattersFootnote 147 similarly mentions the need to respect the essence of fundamental rights in the case of restriction of data subject’s rights, albeit only in the recital.Footnote 148 The reference to the protection of essence within the framework of Article 23 of the GDPR was briefly mentioned by Advocate General Campos Sánchez-Bordona in the recent Deutsche Post case.Footnote 149 Because the restriction of data subjects’ rights was not at stake in this case, however, the Court did not proceed with the analysis of impairment of essence.Footnote 150 It is perhaps important to note that Article 23 of the GDPR does not specifically refer to the essence of data protection, but to the fundamental rights more generally. Indeed, in case of restriction of rights, other fundamental rights might be relevant, such as the prohibition of discriminationFootnote 151 or the right to an effective remedy.Footnote 152
V. Does “Essentially Equivalent” Equal “Essence”? A Postscript to Schrems
The last point to be addressed is a specificity of the Schrems judgment, where the question of compatibility with the essence of fundamental right to data protection was not at issue. With regard to this judgment, it seems important to clarify whether the standard of essentially equivalent protection that a third country needs to offer to data transfersFootnote 153 equals the protection of essence of a fundamental right to protection of personal data.Footnote 154 This Article submits that the notion of essentially equivalent level of protection and the concept of essence of fundamental rights should not be equated. The standard of essentially equivalent protection namely refers not only to the fundamental rights standard, but also and even in particular to the level of protection provided by the EU secondary legislation.Footnote 155 This indicates that the essentially equivalent protection is a broader concept which can provide for a more detailed regime of data protection rights and safeguards. Obviously, this regime is required to respect the fundamental right to data protection, but not only its essence: Rather, the regime itself needs to be in compliance with all aspects of this, and other, fundamental rights. Interpreting an essentially equivalent standard as equalling essence would mean that foreign legislation needs to avoid only the most extreme cases of fundamental rights’ infringements, whereas it should, in fact, be seen as an obligation of a third country to provide for concrete measures to protect data of EU data subjects.
E. Conclusion
The present Article shows that the interference with the essence of the fundamental rights to privacy and data protection should be determined on a case by case basis, and that this examination needs to respect the distinction between (particularly serious) interferences that need to be examined within the framework of the principle of proportionality and interferences with the essence of those fundamental rights. The notion of essence of a fundamental right does not imply that certain parts of this right are more essential than others. Rather, the essence should be seen as interfered with whenever the fundamental right as such is called into question, such as through abolition by constitutional legislature, or whenever there is an impossibility to exercise this right, such as the interference with the fundamental right to effective judicial protection in Schrems.Footnote 156 In practice, this necessarily implies that interferences with the essence can occur in many different factual circumstances.Footnote 157
Purely doctrinally, however, it is important to keep in mind that the distinction between a (particularly serious) disproportionate interference and the interference with the essence is of a qualitative nature. In other words, as long as the interference can be subject to proportionality balancing, it falls within the category of a (dis)proportionate intrusion. An example of this approach is the recent Ministerio Fiscal case, where the Court omitted the analysis of essence in the presence of objectives that could justify the interference with the fundamental rights to privacy and data protection.Footnote 158
In consequence, cases where the essence of a fundamental right is adversely affected are limited to rare and exceptional circumstances where the application of the principle of proportionality is not possible due to the absence of overriding reasons in public interest. Regardless of the numerous meanders of the CJEU’s reasoning that sometimes comes across as a true maze, the Court developed the first contours of the notion of essence precisely through its rich jurisprudence in the field of privacy and data protection. A challenging task for the Court in the future is thus not only to develop a clearer normative framework on the essence,Footnote 159 but also to reach a higher degree of coherence in its jurisprudence, a goal that will probably be achieved hand in hand with the development of the normative framework itself.