There may be no other fundamental right of the European Charter of Fundamental Rights (ECFR) that raises more questions on the precise object and concept of protection than the right to data protection in Article 8 ECFR. A prominent example is the principle of purpose limitation. The preceding parts of this three-parted series has shown how this ambiguity creates various problems both on the conceptual level of fundamental rights as well as on the level of ordinary law (esp. the GDPR). However, it has also been shown how a re-connection of data protection law to concepts of risk regulation helps to clarify these ambiguities. On this basis, the third and last part of this series will draw several conclusions for the interpretation of the GDPR. In particular, this third part will focus on the following aspects: First, the actual room for maneuver of the EU legislator transposing the proposed concept for Article 8 ECFR into ordinary law (especially the GDPR). Second, the implications for interpreting the principle of purpose limitation with particular respect to the legal basis (Art. 5 sect. 1 lit. a and b and Art. 6 sect. 1 and 4 GDPR). Third, the phenomenon of the multitude of overlaying risk assessments, beginning with the assessment on an abstract-general basis conducted by the legislator to the variety of individual-specific risk assessments that the controllers and processors have to carry out (when applying the legal norms). Fourth, the possibility to make these risk assessments scale. The three-parted series will conclude with an outlook on further ambiguities to be clarified.
Keyboards: Article 8 ECFR | Fundamental Right to Data Protection | Precautionary Principle | Risk-Based Approach | GDPR | Regulating Risks | Effects on Public and Private Actors