Joris Van Hoboken, The European Approach to Privacy

2014 TPRC Conference Paper

Abstract

This paper critically assesses the character of European (Union’s) privacy law and policy in the field of online media and electronic communications. Contrary to current understanding, this field of law is more fragmented and ill-developed than is often assumed, in particular by those discussing privacy law and policy in an international and transatlantic context. In fact, some of the most challenging regulatory issues in the field of online media and electronic communications still lack a well-developed common European approach and remain the subject of regulation at the level of the different member states of the European Union. Drawing on historic insights, the paper shows how EU policy making in the field of privacy and data protection is and remains strongly influenced by the EU institutional setting. In particular, the paper shows that the specific substantive outcome of European privacy law and policy is strongly influenced by and can only be understood properly through the lens of the ongoing project of European integration more generally.

The paper will develop its main thesis by focusing on three important and current privacy issues and their treatment by EU lawmakers and the EU legal system. These are: (I.) the question of retention of communications meta-data (e.g. traffic and location data) in the field of electronic communications; (II.) the legal framework for liability of search engines for privacy and reputational harms in the online environment, including a ‘right to be forgotten’, and (III.) the question of the security of and the potential lawful access by foreign governments to data in the cloud. After discussing these substantive privacy policy issues and the legal frameworks that have developed (and are developing) to address them at the EU level, the paper will analyze these frameworks in view of the apparent interplay of the substance of privacy law and policy at the EU level on the one hand and the broader constitutional and institutional dynamics related to EU competency and integration.

The paper starts with a discussion of the basic underlying motivations, rationales and competences for addressing privacy issues at the European level, which until recently were predominantly economic in nature. The implication of this is that some of the most pressing data privacy issues which are primarily non-economic in character, have been addressed at the fringes of what could be called the European approach to data privacy, in which the establishment of a functioning European internal market and the free flow of personal data under sufficient safeguards relating to data privacy are the dominant concerns. More recently, the adoption of the Lisbon treaty, the establishment of a binding right to data protection and privacy in the EU Charter and a new legal basis for the establishment of data protection rules at the EU level, EU privacy law and policy has become increasingly connected to the furtherance of the protection of privacy and data protection as fundamental rights more generally. Through the case studies in the paper, this dynamic of how policy rationales end up playing out at the EU level and inform the substance of privacy policies adopted, is illustrated in detail. In particular, the analysis shows how EU policy making tends to strive towards a common and comprehensive European approach, but typically fails to take account of some of the leading concerns, and is often simply not equipped or even allowed to include them in the process. For instance, there is significant disagreement about the weight that should be attributed to freedom of expression concerns in the online environment and the role of the EU with respect to media and the proper balancing of freedom and privacy in the media remains limited. With respect to national security concerns there are no European harmonization of national approaches at all.

The result is that important policy concerns from the perspective of privacy in electronic communications end up being addressed indirectly, inefficiently and incompletely, through the European data privacy frameworks that may aspire to be comprehensive but would need significant reforms to achieve this aim. The article will discuss possible reforms but will warn against aspirations of further harmonization and unification of European Privacy Law. In the absence of fundamental institutional reform of the EU, further harmonization could end up being detrimental to other important policy goals currently addressed largely outside of the EU legal framework, including the issues of media freedom, criminal procedural justice and the protection of privacy and information security in relation to foreign intelligence agencies specifically discussed in this paper.

The full text is available at http://ssrn.com/abstract=2418636 or http://dx.doi.org/10.2139/ssrn.2418636