Maximilian von Grafenstein

European Data Protection Law Review, Volume 7 (2021), Issue 3, Page 373 - 387

There may be no other fundamental right of the European Charter of Fundamental Rights (ECFR) that raises more questions on the precise object and concept of protection than the right to data protection in Article 8 ECFR. A prominent example is the principle of purpose limitation. The preceding parts of this three-parted series has shown how this ambiguity creates various problems both on the conceptual level of fundamental rights as well as on the level of ordinary law (esp. the GDPR). However, it has also been shown how a re-connection of data protection law to concepts of risk regulation helps to clarify these ambiguities. On this basis, the third and last part of this series will draw several conclusions for the interpretation of the GDPR. In particular, this third part will focus on the following aspects: First, the actual room for maneuver of the EU legislator transposing the proposed concept for Article 8 ECFR into ordinary law (especially the GDPR). Second, the implications for interpreting the principle of purpose limitation with particular respect to the legal basis (Art. 5 sect. 1 lit. a and b and Art. 6 sect. 1 and 4 GDPR). Third, the phenomenon of the multitude of overlaying risk assessments, beginning with the assessment on an abstract-general basis conducted by the legislator to the variety of individual-specific risk assessments that the controllers and processors have to carry out (when applying the legal norms). Fourth, the possibility to make these risk assessments scale. The three-parted series will conclude with an outlook on further ambiguities to be clarified. Keyboards: Article 8 ECFR | Fundamental Right to Data Protection | Precautionary Principle | Risk-Based Approach | GDPR | Regulating Risks | Effects on Public and Private Actors

Maximilian von Grafenstein

European Data Protection Law Review, Volume 7 (2021), Issue 2, Page 190 - 205

There may be no other fundamental right of the European Charter of Fundamental Rights (ECFR) that raises more questions on the precise object and concept of protection than the right to data protection in Article 8 ECFR. A prominent example is the principle of purpose limitation. The preceding first part of this three-parted series has shown how this ambiguity creates various problems both on the conceptual level of fundamental rights as well as on the level of ordinary law (esp. the GDPR). However, it has also been shown how a re-connection of data protection law to concepts of risk regulation may help clarify these ambiguities. On this basis, the second part of this series demonstrates in detail why data protection laws apply a risk-based approach and why this protection strategy is more effective than a harm-based approach. Further, it is possible to assess whether data protection laws apply certain concepts of the precautionary principle and/or the risk-based approach (in the Anglo-Saxon meaning), and if both, which elements of the law may belong to which strategy. The concept proposed in this chapter will promote, focusing on the principle of purpose limitation, a combination of both strategies leading not only to more effective but also more proportionate protection. The last chapter of this second part will demonstrate why all this makes the fundamental right to data protection in Article 8 ECFR indispensable with respect to the other fundamental rights. Keywords: Article 8 ECFR | fundamental right to data protection | precautionary principle | risk-based approach | GDPR | regulating risks | effects on public and private actors | scope of application | principle of purpose limitation | consent | data protection by design | data protection impact assessment

Maximilian von Grafenstein

European Data Protection Law Review, Volume 6 (2020), Issue 4, Page 509 - 521

There may be no other fundamental right of the European Charter of Fundamental Rights (ECFR) that raises more questions on the precise object and concept of protection than the right to data protection in Article 8 ECFR. The ambiguous object and concept of protection of Article 8 ECFR leads to several significant problems on both the level of fundamental rights and ordinary law, such as the EU General Data Protection Regulation (GDPR). A prominent example is the principle of purpose limitation. While this principle is seen as a cornerstone of data protection law it has been frequently and passionately attacked and defeated. However, only a few authors make a serious attempt to clarify what this principle exactly means and wants in the context of having a consistent concept of data protection in mind. This superficial debate is emblematic for most data protection law debates. Against this background, the author of this contribution proposes in three consecutive articles to refine the object and concept of the fundamental right to data protection in Article 8 ECFR from the angle of regulating risks of personal data processing against the other fundamental rights. This first part pinpoints the various fundamental problems both on the conceptual level of fundamental rights and on the level of ordinary law (especially of the GDPR) and sheds light on how a re-connection of data protection law to concepts of risk regulation may help clarify the ambiguous object and concept of protection. Keywords: Article 8 ECFR | fundamental right to data protection | precautionary principle | risk-based approach