In Privacy in European Cross-Border Settings, Dr. Christina Mariottini spoke of a new understanding of privacy, distinguishing between the traditional notions of privacy, which were territorial and time-limited, and privacy in an automated and computerized setting, where violations are potentially permanent in nature and information is ubiquitous. Whereas in the year 2000, 738 million people used the Internet, now 4.2 billion do, creating a complex and layered legal privacy landscape.
Historically, continental Europe, the US, and the UK have embraced different rationales for a right to privacy. In continental Europe, privacy is considered an expression of dignity and self-determination. In the US, privacy is considered an expression of liberty and protection from government intrusion (e.g., unreasonable searches and seizures), and is commodified in certain instances (e.g., a right to publicity). Conversely, in the UK there was until recently no general tort for violation of privacy. Privacy is generally defined in accordance with the notion of an individual’s space, whereas data protection refers to the specific area of the law that regulates the “processing of data associated with an identifiable individual.” Defamation and the right to reputation are defined as allegations or imputations, characterized by a certain degree of falsehood, of a fact made public that disparages the reputation. The right to freedom of expression must be balanced against the right of privacy in these conceptions.
Dr. Mariottini went on to describe a number of sources of regulation of privacy in the EU:
- Article 8 of the European Convention on Human Rights, which states: “everyone has the right to respect for his private and family life, his home and his correspondence.” The European Court of Human Rights (ECHR) construes this article to include data protection.
- The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) of 1981 (modernized in 2018), the first binding legal instrument adopted in the EU in the field of data protection.
- The Charter on Fundamental Rights of the EU, Articles 7 and 8, recognizing respect for private life and protection of personal data as closely related, but separate fundamental rights. (In addition, Article 53 clarifies that these provisions set a minimum standard.)
- And, most recently, the General Data Protection Regulation (GDPR), the aim of which is to protect all EU citizens from privacy and data breaches in today’s data-driven world.
In the GDPR, “personal data” is “any information relating to an identified or identifiable natural person (‘data subject’)…in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” “Processing” refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means…”
The GDPR includes several notable provisions. Whereas prior privacy regulations were ambiguous with respect to territorial scope, Article 3 expands territorial scope to include personal data processed outside the EU. Data subjects can easily withdraw consent to use of their data, and data controllers must notify data subjects of a breach within 72 hours of knowledge of that breach. Data subjects also retain a right to access their personal data and a right to have their data erased and no longer disseminated—the “right to be forgotten.” The law enforcement directive provides rules governing use of personal data by law enforcement authorities.
Dr. Mariottini concluded by discussing the outlook on the current proposals for new legislation. E-evidence regulations governing access to and preservation of electronic data held by companies are one area of concern, and Mariottini discussed debates regarding the CLOUD Act in the US and improving existing mutual legal assistance agreements. In response to questions from the group, Mariottini noted that despite criticism, the GDPR is serving as a model, with Brazil about to adopt similar legislation, and even China considering the issue. She noted that though social media platforms such as Facebook were quick to draft policies purporting to align with GDPR, most of these policies do not, in fact, comply with EU law.