USE OF PERSONAL DATA FOR EXCESSİVE, UNNECESSARY, AND ILLEGİTİMATE PURPOSES
The European Court of Human Rights (ECtHR) approach, which regards the use of data for excessive, unnecessary, and illegitimate purposes as a violation of human rights, is in line with the existing regulations in Articles 6(1)(c) and 7(c) of the European Union Data Protection Directive 95/46/EC. In judicial reviews related to claims of rights violations, the court first examines whether there is an interference with private life. If such interference is found, the court then assesses whether the interference is justified. The first step in this examination is to determine whether the interference is in accordance with the law. If it is lawful, the next step is to assess whether the interference is necessary in a democratic society. In this step, it is also verified whether the interference is proportionate and serves legitimate purposes. If these conditions are met, no violation occurs.
In judicial reviews regarding allegations of rights violations, decisions on data protection measures that are necessary in a democratic society are rare. The Court primarily examines whether there is a legal basis for the infringing act. In cases where this legal requirement has been violated, other conditions are not always examined (P.G. and J.H.).
The review of lawfulness and the review of necessity in a democratic society are distinct. Even if a limitation on privacy is provided for by law and has a legal basis, it is still expected that such a limitation be necessary in a democratic society. The review of necessity in a democratic society is a political review, balancing values and interests. This review seeks to answer the question: was the limitation or violation of data protection made for a legitimate need? However, meeting the necessity test for a democratic society is not sufficient in itself for a limitation on data protection. As the ECtHR examines in Articles 8, 9, 10, and 11, two additional criteria must be considered: the limitation should address social needs and be proportionate to the legitimate aims it seeks to achieve. The social needs criterion is mostly applied to the rights outlined in Article 10, while for Article 8, which protects private life, its application is narrower.
In the proportionality review, the Court considers the severity of the interference with personal data. When applying the principle of proportionality, the Court evaluates whether the limitation is appropriate by considering the nature of the measure (whether it allows misuse, its negative consequences, etc.). The Court also considers whether the same result could be achieved through less restrictive measures, and whether such a harsh measure was necessary. If the criteria pass all these checks, no violation is found. A strict application of proportionality was raised in relation to a case concerning Article 10 violations (Campbell v. United Kingdom, Application No. 13590/88), involving the confiscation of letters to a lawyer and the recording of telephone calls. In fact, there are few decisions on the review of excessiveness, necessity, and legitimacy regarding the processing of personal data in ECtHR jurisprudence. The main reason for this is the Court’s emphasis on reviewing the lawfulness of the interference.
In the cases of Klass, Leander, Amann, P.G. and J.H., and Perry, the Court has viewed personal data as a limited area of privacy. Contemporary approaches to data protection have not been incorporated into the Court’s protection framework. In the Leander case, the Court did not consider the restriction on an individual’s access to their personal data as a violation. Similarly, in Antony and Margaret Mc.Michael v. United Kingdom, the Court did not regard regulations allowing security forces to access personal data as a violation of rights.
The Court has made a distinction between personal data that fall under the scope of Article 8 and those that do not. There are personal data that affect private life, and there are those that do not (Pierre Herbecq and the Association Ligue des droits de l’homme v Belgium, Applications No. 32200/96 and 32201/96). In one case, the applicant argued that there was no regulation allowing for the processing of personal data in the film industry for supervisory purposes and claimed that his privacy was violated. The Court rejected this claim, reasoning that the images taken during filming did not concern private life as they were in public spaces.
The concept of data protection revolves around personal data that relate to an identified or identifiable person. Data protection regulations do not distinguish between data that relates to privacy and data that does not. The data protection system acknowledges that certain data are sensitive. The purpose of the data protection system is to protect all personal data, including those that are not sensitive, such as names and addresses, as these can also be misused. These regulations are undoubtedly products of common sense. While the boundaries of the protection for non-sensitive data may be debatable, there is consensus that these data should also be protected.
The prohibition on the processing of special categories of data, such as data related to Jewish individuals, is a positive regulation. There is no doubt that a simple list of names in this group should be protected from those who target them. Particularly, technical personnel can easily process data without considering data protection regulations on the internet, or by deeming them too bureaucratic.
In the cases of Amann, Rotaru, and P.G. and J.H., the ECtHR has provided a broad definition of privacy under Article 8, referencing the Leander case and highlighting the differences between data protection principles and court decisions. In the Amann case, the Court explicitly stated that the storage of personal data is related to Article 8, and that it should not be defined in a way that limits private life. The Court emphasized that private life includes individuals’ ability to establish and develop relationships with others, and that there is no reason to exclude data processed for professional activities and job-related purposes from the scope of private life. However, decisions in these cases should be approached with caution. The question of how far data should be protected and where the protection ends is still under consideration. Data may be excluded from privacy protection if it is not related to private life, if it is not systematically recorded as images or sounds, or if the data is recorded with the knowledge that it will be processed for reasonable purposes, such as when a specific data carrier is targeted. In this context, street cameras, telecommunication companies’ data on phone call billing, and data storage for statistical purposes (as in P.G. and J.H. v. the United Kingdom) are not considered violations under Article 8. In summary, the Court does not consider all data to be protected.
It is useful to evaluate the issue of the excessive and illegitimate use of personal data in light of the European Court of Human Rights (ECtHR) rulings. The ECtHR has developed several characteristic, detailed approaches to the protection of personal data under Article 8 of the European Convention on Human Rights. In its rulings regarding data protection, the ECtHR has interpreted Article 8 while taking into account the right to respect for private life and the freedom of communication in the context of new technological developments. When interpreting this article, the Court has particularly avoided making an assessment of whether the right to communication or the right to privacy is the more fundamental right. The Court has made several determinations regarding the inclusion of data protection under Article 8 (Lundvall v. Sweden, Application No. 100473/83, Amann v. Switzerland, Rotaru v. Romania, Application No. 28341/95). The Court has ruled that the systematic storage of personal data by public authorities could lead to a violation of Article 8. Furthermore, the Court has recognized the right of individuals to have control over the collection and use of their personal data. It has affirmed that individuals have the right to access their personal data (Gaskin v. the United Kingdom, Application No. 10454/83) (Antony and Margaret McMichael v. United Kingdom, Application No. 16424/90) (Guerra v. Italy, McGinley & Egan v. United Kingdom, Applications Nos. 21825/93 and 23414/94), and that transgender individuals have the right to correct their identity (Leander v. Sweden, Application No. 9248/81).
Moreover, the Court has emphasized the need for independent supervisory authorities in order to ensure the rule of law in the protection of personal data and to prevent the abuse of power (Klass v. Germany, Leander v. Sweden, Rotaru v. Romania). In cases such as Peck, Perry, and P.G. and J.H., the Court has stated that the goal of processing data should be to prevent unforeseen uses of the data (Peck v. the United Kingdom, Perry v. the United Kingdom). In the Amann and Segerstedt Wiberg cases, the Court ruled that state authorities can only collect data related to suspected situations when there is a concrete suspicion.
Av. Yalçın TORUN
Web sitemizde yayımlanan yukarıdaki yazılı metnin, eser sahipliği hakları Av.Yalçın TORUN’a aittir. Bu yazılı metin hak sahipliğinin tespiti amacıyla zaman içerikli elektronik imza ile muhafaza edilmektedir. Sitemizdeki yazılı metinler avukat meslektaşlarımız tarafından dilekçelerinde serbestçe kullanılabilir, fakat metinlerin tamamının, bir kısmının veya özetinin atıf yapılmaksızın başka web sitelerinde yayınlanmasına iznimiz yoktur.