Skip to content

Refining the Concept of the Right to Data Protection in Article 8 ECFR – Part II

Controlling Risks Through (not to) Article 8 ECFR Against Other Fundamental Rights


Maximilian von Grafenstein


This work is distributed under the Creative Commons Licence Attribution 4.0 International (CC BY 4.0).

There may be no other fundamental right of the European Charter of Fundamental Rights (ECFR) that raises more questions on the precise object and concept of protection than the right to data protection in Article 8 ECFR. A prominent example is the principle of purpose limitation. The preceding first part of this three-parted series has shown how this ambiguity creates various problems both on the conceptual level of fundamental rights as well as on the level of ordinary law (esp. the GDPR). However, it has also been shown how a re-connection of data protection law to concepts of risk regulation may help clarify these ambiguities. On this basis, the second part of this series demonstrates in detail why data protection laws apply a risk-based approach and why this protection strategy is more effective than a harm-based approach. Further, it is possible to assess whether data protection laws apply certain concepts of the precautionary principle and/or the risk-based approach (in the Anglo-Saxon meaning), and if both, which elements of the law may belong to which strategy. The concept proposed in this chapter will promote, focusing on the principle of purpose limitation, a combination of both strategies leading not only to more effective but also more proportionate protection. The last chapter of this second part will demonstrate why all this makes the fundamental right to data protection in Article 8 ECFR indispensable with respect to the other fundamental rights.
Keywords: Article 8 ECFR | fundamental right to data protection | precautionary principle | risk-based approach | GDPR | regulating risks | effects on public and private actors | scope of application | principle of purpose limitation | consent | data protection by design | data protection impact assessment

Maximilian von Grafenstein LL.M. is Professor for 'Digital Self-Determination' at the Berlin Career College of the University of the Arts in Berlin (UdK), part of the Einstein Center Digital Future (ECDF) as well as co-head of the research program Governance of Data-Driven Innovation at the Alexander von Humboldt Institute for Internet and Society. For correspondence: <>.


Lx-Number Search

(e.g. A | 000123 | 01)

Export Citation