There may be no other fundamental right of the European Charter of Fundamental Rights (ECFR) that raises more questions on the precise object and concept of protection than the right to data protection in Article 8 ECFR. A prominent example is the principle of purpose limitation. The preceding first part of this three-parted series has shown how this ambiguity creates various problems both on the conceptual level of fundamental rights as well as on the level of ordinary law (esp. the GDPR). However, it has also been shown how a re-connection of data protection law to concepts of risk regulation may help clarify these ambiguities. On this basis, the second part of this series demonstrates in detail why data protection laws apply a risk-based approach and why this protection strategy is more effective than a harm-based approach. Further, it is possible to assess whether data protection laws apply certain concepts of the precautionary principle and/or the risk-based approach (in the Anglo-Saxon meaning), and if both, which elements of the law may belong to which strategy. The concept proposed in this chapter will promote, focusing on the principle of purpose limitation, a combination of both strategies leading not only to more effective but also more proportionate protection. The last chapter of this second part will demonstrate why all this makes the fundamental right to data protection in Article 8 ECFR indispensable with respect to the other fundamental rights.
Keywords: Article 8 ECFR | fundamental right to data protection | precautionary principle | risk-based approach | GDPR | regulating risks | effects on public and private actors | scope of application | principle of purpose limitation | consent | data protection by design | data protection impact assessment