Taking proportionality seriously: The use of contextual integrity for a more informed and transparent analysis in EU data protection law

• Date: 01 November 2018
• Published date: 01 November 2018
• DOI: http://doi.org/10.1111/eulj.12273
• Author: Audrey Guinchard

ORIGINAL ARTICLE

Taking proportionality seriously: The use of

contextual integrity for a more informed and

transparent analysis in EU data protection law

Audrey Guinchard*

Abstract

Difficulties abound as to where the boundary between legitimate and illegitimate processing of personal data

should be set. The open‐ended wording of the EU Data Protection Directive (DPD) 95/46 leaves space for

diverse interpretations. The European Court of Justice finds it difficult to establish methodically the contextual

data flows associated with individuals’rights and their processing, with cascading consequences for the

proportionality analysis, thus echoing the wider debate on proportionality. Taking stock of the criticisms of

the ECJ's decisions and of the changes introduced by the General Data Protection Regulation, this paper

proposes to use contextual integrity, a framework of analysis developed by Helen Nissenbaum, largely implicit

in EU data protection law, to provide a systematic method of interpretation that ensures more consistency in

current EU legal practice. It recommends adopting a new formal three‐tier structure, so that all factors

necessary to the discussion on proportionality are fully and systematically identified and proportionality is

taken seriously.

1|INTRODUCTION

Processing personal data entails seeking to strike a highly delicate balance between two competing objectives: on the

one hand, enabling the free flow of data at the heart of technological innovations, and on the other, safeguarding

individuals’rights and freedoms, most notably their rights to privacy and data protection. Recognising this tension

in its Article 1, the EU Data Protection Directive (DPD), the main legal instrument of the current European data

protection framework, provides key principles for determining which personal data processing practices are or are

not acceptable. Nevertheless, the DPD's broad wording means its ‘interpretation [notably of its proportionality

requirement] is no easy task’.

1

Taking stock of the diverse interpretations that have emerged and the changes

introduced by the General Data Protection Regulation (GDPR), this paper proposes to use contextual integrity (CI),

a framework of analysis developed by Helen Nissenbaum, largely implicit in EU data protection law, to provide a

*School of Law, University of Essex, Colchester, UK. This research was funded by the Engineering and Physical Sciences Research

Council as part of the grant EP/L005859/1 on Digital Personhood: Digital Prosumer ‐‐ Establishing a 'Futures Market' for Digital

Personhood Data (2013‐2017).

1

L. Bygrave, Data Privacy Law: An International Perspective (Oxford University Press, 2014) at 56.

Received: 6 March 2017 Revised: 6 July 2017 Accepted: 7 February 2018

DOI: 10.1111/eulj.12273

434 © 2018 John Wiley & Sons Ltd. Eur Law J. 2018;24:434–457.wileyonlinelibrary.com/journal/eulj

systematic method of interpretation that promotes a more informed and transparent proportionality analysis and

ensures more consistency in current EU legal practice.

2

To date, as evidenced in recent decisions of the Court of Justice of the European Union (ECJ), processing

practices adopted by some businesses and part of the public sector rest on an interpretation that facilitates extensive

data harvesting, profiling and monitoring of individuals. In reaction, citizens are pushing, with the ECJ's blessing, for a

different boundary between legitimate and illegitimate data flows, which better protects their rights and reflects a

more nuanced balance between rights and interests under the DPD.

3

However, despite the ECJ's response being well

received, strong criticisms of the ECJ's case law endure, fuelling uncertainties about where this boundary should be

set.

4

Scholars criticise the ECJ for shortcomings in identifying, at a preliminary stage, the various elements that need

to be balanced when assessing the proportionality of data processing interference with individuals’rights with the

legitimate aims pursued by data controllers. The ECJ has not examined in sufficient detail data controllers’legitimate

interests in processing data or the data subjects’rights that such processing infringes. Consequently, the ECJ's

weighting and discussion of these elements at the subsequentproportionality stage has been presented as inadequate

and even as ‘unworkable formulae’,

5

a criticism echoing the wider debate on proportionality in constitutional

adjudication.

6

This leaves the various actors who process personal data in a difficult position when having to determine

effectively where the boundary between legitimate and illegitimate data flows lies.

7

Indeed, the GDPR, which will

replace the DPD by 25 May 2018, notes the need to enhance ‘legal and practical certainty’for all stakeholders in

3

Case 131/12, Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González [2014] 3

CMLR 50; linked to third‐country transfers, Case 362/14, Maximillian Schrems v. Data Protection Commissioner [2016] 2 CMLR 2; and

the territorial application of the Directive 95/46, Case 230/14, Weltimmo s.r.o v. Nemzeti Adatvédelmi és Információszabadság Hatóság,

OJ C 381, of 16/11/2015, 6; Joined Cases 203/15 and 698/15, Tele2 Sverige AB and Watson, 21 December 2016.

4

Ch. Tranberg, ‘Proportionality and Data Protection in the Case Law of the European Court of Justice’, (2011) 1 International Data Pri-

vacy Law, 239; E. Frantziou, ‘Further Developments in the Right to be Forgotten: The European Court of Justice's Judgment in Case C‐

131/12, Google Spain, SL, Google Inc v. Agencia Espanola de Proteccion de Datos’, (2014) 14 Human Rights Law Review, 761; D. Erdos,

‘From the Scylla of Restriction to the Charybdis of Licence? Exploring the Scope of the ‘Special Purposes’Freedom of Expression

Shield in European Data Protection’,(2015) 52 Common Market Law Review, 119; Ch. Kuner, ‘The Court of Justice of the EU Judgment

on Data Protection and Internet Search Engines: Current Issues and Future Challenges’,in B. Hess and Ch. Mariottini (eds.), Protecting

Privacy in Private International and Procedural Law and by Data Protection (Routledge, 2015), at 19; O. Lynskey, ‘Deconstructing Data

Protection: The 'Added‐Value' of a Right to Data Protection in the EU Legal Order’, (2014) 63 ICLQ, 569; O. Lynskey, ‘Control over

Personal Data in a Digital Age: Google Spain v. AEPD and Mario Costeja Gonzalez’, (2015) 78 The Modern Law Review, 522; to a lesser

extent, D. Sancho‐Villa, ‘Developing Search Engine Law: It Is Not Just about the Right to Be Forgotten’, (2015) 42 Legal Issues of Eco-

nomic Integration, 357, 373; S. Peers and S. Prechal, ‘Article 52 –Scope and Interpretation of Rights and Principles’, in S. Peers, T.

Hervey, J. Kenner, and A. Ward (eds.), The EU Charter of Fundamental Rights: A Commentary, (Hart Publishing, 2014), at 1455, para.

52.84–54.86.

5

F. Fontanelli, ‘The Mythology of Proportionality in Judgments of the Court of Justice of the European Union on Internet and Funda-

mental Rights’, (2016) 36 Oxford Journal of Legal Studies, 630–660, at 640.

6

See, e.g., S. Tsakyrakis, ‘Proportionality: An Assault on Human Rights?’, (2009) 7 International Journal of Constitutional Law, 468; M.

Khosla, ‘Proportionality: An Assault on Human Rights?: A reply’, (2010) 8 International Journal of Constitutional Law, 298; S. Tsakyrakis,

‘Proportionality: An Assault on Human Rights?: A rejoinder to Madhav Khosla’, (2010) 8 International Journal of Constitutional Law, 307;

K. Lenaerts and J. Gutiérrez‐Fons, ‘The Constitutional Allocation of Powers and General Principles of EU Law’, (2010) 47 Common Mar-

ket Law Review, 1629, 1652–1653; K. Möller, ‘Proportionality: Challenging the Critics’, (2012) 10 International Journal of Constitutional

Law, 709; R. Alexy, ‘On Balancing and Subsumption: A Structural Comparison’, (2003) 16 Ratio Juris, 433, 437–439; R. Alexy, ‘Formal

Principles: Some Replies to Critics’, (2014) 12 International Journal of Constitutional Law, 511. See, also, L. Niglia, ‘Eclipse of the Con-

stitution {Europe Nouveau Siècle}’, (2016) 22 European Law Journal, 132, 143–144, 154.

7

Fontanelli, above, n. 5, 645; Lynskey, ‘Control over Personal Data in a Digital Age’, above, n. 4, 531–532; Frantziou, above, n. 4, 770;

M. Oswald, ‘Seek, and Ye Shall Not Necessarily Find: The Google Spain Decision, the Surveillant on the Street and Privacy Vig ilantism’,

in K. O'Hara, M.H.C. Nguyen and P. Haynes (eds.), Digital Enlightenment Yearbook 2014: Social Networks and Social Machines, Surveil-

lance and Empowerment (IOS Press, 2014), at 99.

GUINCHARD 435