Why data protection is the bedrock of data rights law
The role of data protection law in the EU's evolving digital policy agenda
I recently read a paper on the role of data protection law in the context of the EU's evolving digital policy agenda.
The paper, written by Gabriela Zanfir-Fortuna (Vice President for Global Privacy at the Future of Privacy Forum), argues that data protection law remains "the cornerstone of the EU's Digital Rulebook":1
...regardless of the number, complexity and depth of various legal acts focusing on conduct and relationships in the digital space, ultimately data protection law and the supervisory authorities entrusted with its enforcement remain at the core of protecting the fundamental rights of individuals and society from risks and systemic risks resulting from the use of any technology relying on processing of personal data, as well as from personal data sharing among businesses and public authorities.2
The EU's digital rulebook is now packed with various pieces of intertwining legislation. This includes the Digital Services Act (DSA), the Digital Markets Act (DMA), the Data Act (DA), the Data Governance Act (DGA), the AI Act (AIA), the Platform Workers Directive (PWD) and the European Health Data Space (EHDS).
Even with this body of data rights legislation and the obligations they impose, Zanfir-Fortuna contends that data protection law remains highly relevant to compliance with these laws. She makes the following points to this effect:
The EU's New Digital Rulebook also regulates processing of personal data and the entities engaging in such processing.
The EU's New Digital Rulebook includes interference with the fundamental right to the protection of personal data.
The EU's New Digital Rulebook applies without prejudice to the GDPR.
The EU's New Digital Rulebook does envisage a role for data protection supervisory authorities in the enforcement of these laws, even if that role is sometimes unclear.
The broad application of data protection law
The principal piece of legislation implementing the right to the protection of personal data in the EU is the GDPR. That Regulation contains broad definitions for 'processing' and 'personal data' covering the use of a wide variety of information that can be used to identify a person.3
The broad scope of the GDPR is such that the activities subject to the different laws in the EU's New Digital Rulebook are also subject to data protection law. As the European Data Protection Board has stated previously:
Processing of personal data already is or will be a core activity of the entities, business models and technologies regulated by these proposals.4
Interference with Article 8 of the EU Charter
Zanfir-Fortuna points out how each piece of legislation in the EU's New Digital Rulebook "include at least some instances of clear obligations to process personal data for the actors covered, or lay down conditions for such processing."5 For example, Article 40 of the DSA obligates very large online platforms to give competent authorities and vetted researchers access to the data necessary to monitor compliance with the Act, which may include access to personal data.6
Zanfir-Fortuna points out how such provisions "constitute interference with the right to protection of personal data as provided by Article 8 [EU] Charter, to the extent that the data at issue includes personal data."7 This is on the basis of previous rulings from the Court of Justice of the European Union (CJEU).
One such ruling comes from the Digital Rights Ireland case, in which the CJEU annulled the 2006 Data Retention Directive in its entirety after finding that it violated EU law. In that judgment, the Court held the Directive "constitutes an interference with the fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provides for the processing of personal data."8
Another judgment is that from the Ligue des droits humains case. In that case, the CJEU reiterated its findings from Digital Rights Ireland when assessing the Passenger Name Records (PNR) Directive, which requires, among other things, the communication of personal data to third parties such as public authorities:
...processing of PNR data such as that covered by the PNR Directive also falls within the scope of Article of the Charter because it constitutes processing personal data within the meaning of that article, and, accordingly, must necessarily satisfy the data protection requirements laid down in that article.9
Accordingly, as Zanfir-Fortuna points out, laws including an interference with the right to data protection must define the scope of the limits on this right and lay down clear and precise rules to ensure the necessity and proportionality of measures interfering with this fundamental right. Challenges on the validity of the EU's New Digital Rulebook in this regard could therefore be brought before the CJEU in the future.10
The precedence of the GDPR
The legal acts within the EU's new Digital Rulebook "establish, without exception, the precedence of the GDPR (and other data protection acquis where necessary)."11 For example, the DSA, DGA and DA contain provisions stating that their application is 'without prejudice' to EU data protection law, explicitly referencing the GDPR.12
This demonstrates the EU's awareness of the potential overlap between its Digital Rulebook and the GDPR. As a result, provisions to resolve potential conflicts between these laws are included.
The future role of data protection supervisory authorities
Zanfir-Fortuna notes that the final version of the legal texts making up the EU's Digital Rulebook recognise a role for data protection supervisory authorities (SAs), though with some variations. Some laws anticipate an explicit role for these authorities, whereas others are less clear.
In the DA, for example, data protection authorities are "responsible for monitoring the application of [the] Regulation insofar as the protection of personal data is concerned."13 By contrast, the DSA "does not refer to DPAs in its chapter dedicated to enforcement, despite some of its key provisions relying on concepts defined in the GDPR...or involving obligations to process personal data."14
The DMA is vague on the role of data protection authorities, with recital (37) merely stating that the Act is without prejudice to the GDPR "including its enforcement network, which remains fully applicable with respect to any claims by data subjects relating to an infringement to their rights under that Regulation." A clear role for data protection authorities is absent from the AIA.
However, as Zanfir-Fortuna highlights, important stipulations from the CJEU in the Bundeskartellamt case on the role of data protection authorities should be considered. In considering the respective competencies of competition and data protection authorities in cases concerning relevant issues for both, the Court established two relevant principles:
Where competition authorities need to look at the GDPR as part of their investigations, they must "consult and cooperate sincerely with the national [data protection] supervisory authorities concerned or with the lead supervisory authority." This is to enable all the authorities to exercise their respective powers and competences to ensure compliance with the GDPR.15
Competition authorities must follow any decision from a competent data protection authority or court if the conduct they are investigating is covered by that decision. Competition authorities cannot therefore depart from such decisions but they can draw their "own conclusions from the point of view of the application of competition law."16
Such a ruling suggests that data protection authorities will have competence over matters regarding the EU's Digital Rulebook if such matters concern the processing of personal data.
1. Gabriela Zanfir-Fortuna, 'Follow the (personal) data: Positioning data protection law as the cornerstone of EU's 'Fit for the Digital Age' legislative package' (June 2024), p.15.
2. Gabriela Zanfir-Fortuna, 'Follow the (personal) data: Positioning data protection law as the cornerstone of EU's 'Fit for the Digital Age' legislative package' (June 2024), p.1.
3. Gabriela Zanfir-Fortuna, 'Follow the (personal) data: Positioning data protection law as the cornerstone of EU's 'Fit for the Digital Age' legislative package' (June 2024), pp.4-5.
4. EDPB, ‘Statement on the Digital Services Package and Data Strategy’ (18 November 2021), p.1.
5. Gabriela Zanfir-Fortuna, 'Follow the (personal) data: Positioning data protection law as the cornerstone of EU's 'Fit for the Digital Age' legislative package' (June 2024), p.8.
6. Article 40, Digital Services Act.
7. Gabriela Zanfir-Fortuna, 'Follow the (personal) data: Positioning data protection law as the cornerstone of EU's 'Fit for the Digital Age' legislative package' (June 2024), p.8.
8. Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources & Others (8 April 2014), para. 36.
9. Case C‑817/19, Ligue des droits humains v Conseil des ministres (21 June 2022), para. 95.
10. Gabriela Zanfir-Fortuna, 'Follow the (personal) data: Positioning data protection law as the cornerstone of EU's 'Fit for the Digital Age' legislative package' (June 2024), p.9.
11. Gabriela Zanfir-Fortuna, 'Follow the (personal) data: Positioning data protection law as the cornerstone of EU's 'Fit for the Digital Age' legislative package' (June 2024), p.11.
12. Article 2(4)(g) DSA, Article 1(3) DGA, Article 1(5) DA.
13. Article 37(3) Data Act.
14. Gabriela Zanfir-Fortuna, 'Follow the (personal) data: Positioning data protection law as the cornerstone of EU's 'Fit for the Digital Age' legislative package' (June 2024), p.13.
15. Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 54.
16. Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 54.