The 8th of all EU-r rights: Data protection and how the Charter contributes

28 April 2020
The 8th of all EU-r rights: Data protection and how the Charter contributes - © Courtesy of Miloladesign

Personal data. Sounds dry? Try this: a former soldier looks for experience as crew member on a private yacht. Soon the Caribbean paradise turns into Sodom and Gomorra. He kills close to half of the crew. Then spends 17 years in a German prison. Once out of prison, he starts an entirely new life. But the story is too spectacular not to have develeped a life of its own: any google search brings the drama up, including his name. A violation of data protection and of his ability to develop his personality in his new life?

What sounds rather unreal, are nothing other than the facts of the case concerning the Apollonia.[1] yacht. The murders took place in 1981. The data protection aspects were dealt with at the end of 2019 before the German Constitutional Court.[2] And the EU Charter stood at the centre of the attention. In substance, the question was, whether the former soldier could invoke a ‘right to be forgotten’ as it was developed by the EU Court in Luxembourg back in 2014.[3]

The Charter right in action

The right to data protection can be considered one of the most well-known provisions of the Charter. This is due to three facts. Firstly, the Charter took an innovative approach by separating the protection of personal data from the classical human right to private life thereby giving new prominence to this entitlement. Secondly, data protection is an area where the EU holds a strong legislative competence and therefore the fundamental right of data protection is also directly implemented by the EU legislator and EU policies (see box below).[4] Thirdly, the EU Court in Luxembourg soon developed a very pronounced and prominent law case in the field. The Court clearly signalled to the EU legislator that it was prepared to declare EU law null and void if it did not come up to Charter standards. [5]

Two example of how EU legislation engages with data protection
  • The EU has harmonised the area of data protection thereby prescribing how the Member States have to deal with personal data in their legislation and administration. This is done in the General Data Protection Regulation 2016/679 of 27 April 2016 and in Directive 2016/680 which applies to police and other crime related authorities. The EU also adopted legislation to ensure a high common level of security of network and information systems across Europe (Directive 2016/1148).
  • The EU legislator needs to ensure that in areas of key relevance, data protection standards are upheld. See for instance the EU legislation on the use of passenger name record (Article 13 of Directive 2016/681), on the establishment of ‘Eurodac’ (a system for comparing fingerprints in the context of asylum, Articles 1 and 23 of Directive 603/2013), or on the work of Europol (see Articles 28, 31, 36 of Regulation 2016/794).

The Charter requires that personal data must be processed fairly, only for “specified purposes and only on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Moreover, the Charter establishes “the right of access to data which has been collected” and the right to have it rectified. Finally, the Charter – and Article 8 is the only provision in the Charter that has the luxury of such a special regime – states that compliance with these rules shall be subject to control by an independent authority.[6]

What do the constitutions of the Member States say?

Given that data protection is a rather new right that has increasingly gained relevance with the development of the information society, many constitutions do not reflect the right explicitly. In fact, less than half of the EU Member States have constitutions that explicitly establish data protection as a fundamental right – most of these are countries from Eastern Europe.[7]

Where data protection is laid down as a fundamental right, the provisions tend to be short and refer to the respective legislation. The constitutions of Greece (Article 9A) and Hungary (Article VI) establish that the right is supervised by an independent authority. And the constitutions of Poland (Article 51 Para 4) and Portugal (Article 35 Para 1) establish the right to have incorrect information stored by the State, to be corrected.

So what?

Back to the start. The same day the German Constitutional Court decided on the case of the ‘Apollonia-murder’ it handed down a second decision also concerning Art 8 and the right to be forgotten. There the Court came to a ground-breaking conclusion: whenever an area is fully determined by EU legislation it is not the human rights under the German constitution that the Court will apply but those under the EU Charter of Fundamental Rights.[8] One of the most powerful Constitutional Courts within the EU became a ‘Charter Court’. This can be seen as a reflection of a broader trend: increasingly the EU Charter is gaining foothold in the national legal systems.

Interested in knowing more? Well, here you are: ‘All EU-r rights, stay tuned!

Gabriel N. Toggenburg is an Honorary Professor for European Union and Human Rights Law at the University of Graz, Austria. He worked as a Senior Researcher for Eurac Research in Bolzano/Bozen (Italy) from 1998 to 2008. Since 2009, he has been working for the European Union. All views expressed are his own and cannot be attributed to his current or former employers. His blog series “All EU-r rights” published on EUreka! aims at making the EU Charter of Fundamental Rights better known. He is grateful for the honour to have every blog entry introduced by a piece of art by Miloladesign. An annotated list of all Charter rights is available here.

[1] For a TV-movie (2004) retelling the story see Mord in der Karibik – Die Todesfahrt der Apollonia, for a book on the story see Klaus Hympendahl, Logbuch der Angst – Der Fall Apollonia (2001).

[2] See Federal Constitutional Court, case 1 BvR 16/13, decision of 6.11.2019. There is a detailed press release of the Court available in English.

[3] On 13 May 2014 the CJEU established that if following a search made on the basis of a person’s name, the list of results displays a link to a web page which contains information on the person in question, that persons may approach the operator such as google directly and, where the operator does not grant his request, bring the matter before the courts to obtain, under certain conditions, the removal of that link from the list of results. See CJEU, case C-131/1 (so called Google Spain case‘). In a more recent case the CJEU has clarified that google is not obliged to delete links to sensitive personal data upon request worldwide. See CJEU, case C-507/17 decided on 24.09.2019.

[4] For information regarding the EU’s policies in the area of the information society see the European Commission’s website and for the fundamental rights implications see here.

[5] For instance, the Court struck down the so called ‘Data Retention Directive’ which obliged telecommunication operators to store all metadata of all persons irrespective of their behaviour and without sufficient procedural safeguards. See CJEU, Case C-293/12 decided on 8.4.2014.

[6] See in this regard the European Data Protection Board (EDPB), the independent European body which brings together representatives of all the national data protection authorities, and the European Data Protection Supervisor (EDPS).

[7] See Art. 37 of the Croatian constitution, Art. 10 (3) of the Czech constitution, Art. 42 of the Estonian constitution, Art. VI (2)(3)of the Hungarian constitution, Art. 22 of the Lithuanian constitution, Art. 51 of the Polish constitution, Art. 19 (3) of the Slovak constitution and Art. 38 of the Slovenian constitution. However, data protection provisions can also be found in some constitutions in Western Europe: see in this regard Art. 9A of the Greek constitution, Art. 10 (2)(3) of the Dutch constitution, Art. 35 of the Portuguese constitution and Articles 3 and 6 of the Swedish constitution.

[8] See Federal Constitutional Court, case 1 BvR 276/137 (the so called ‘the right to be forgotten II case´), decision of 6.11.2019. Also for this decision there is a detailed press release of the Court available in English.


Toggenburg, G. N. The 8th of all EU-r rights: Data protection and how the Charter contributes.

Related Post

29 March 2019eureka

Q&A with Pasquale Pasquino: A US perspective on the EU elections

28 March 2019eureka

Vox Pop: Geoff from England

27 March 2019eureka

EU politics on Twitter. Which role for the EU digital influencers?

Alessia Setti