The European Court of Human Rights Approach to the Use of Personal Data for Unnecessary and Illegitimate Purposes
The ECtHR, in the inspections carried out by the court regarding the allegations of violation of rights, firstly examines whether there is an interference with private life, and when it is determined that there is an interference, it is examined whether this interference is justified.
It is useful to evaluate the issue of excessive and illegitimate use of personal data for illegitimate purposes by taking into account the judgements of the European Court of Human Rights (ECtHR). The ECtHR has taken several characteristic detailed approaches to the protection of personal data under Article 8 of the European Convention on Human Rights. In its decisions on data protection, the ECtHR has interpreted Article 8 by taking into account new technological developments within the scope of the right to protection of private life and freedom of communication. In interpreting this Article, it has specifically avoided the assessment of whether communication or private life is a fundamental right. The Court has made several findings that data protection is covered by Article 8 (lundvall v Sweden 100473/83, Amann v Switserland, Rotarou v Romania 28341/95). The Court has held that the systematic storage of personal data by public authority may result in a violation of Article 8. The Court also recognised that individuals have the right to control over the recording and use of personal data. The Court has emphasised that individuals have the right to access personal files (Gaskin v. the United Kingdom, Application No. 10454/83) (Antony and Margaret McMichael v. the United Kingdom, Application No. 16424/90) (Guerra v Italy, McGinley & Egan v. the United Kingdom, Applications nos. 21825/93 and 23414/94,) and that transsexuals have the right to correct their identity (Leander v. Sweden, Application No. 9248/81). Moreover, the Court has emphasised the need for an independent supervisory and oversight authority to ensure the rule of law in the protection of personal data and to prevent abuse of power. (Klass v. Germany, Leander v. Sweden, , Rotaru v. Romania,) In the Peck, Perry, PG VD Jh cases, the court stated that the purpose of purposeful use in data protection is to prevent unforeseen uses. (Peck v. the United Kingdom, Perry v. the United Kingdom) In the Amann and Segerstedt Wiberg cases, the court ruled that state authorities can only collect data related to the suspected situation in case of concrete suspicion.[1]
Since its earliest judgements, the Court of Human Rights has considered the collection and storage of information about an individual's private life in a confidential information register and the disclosure of such information to those concerned within the scope of Article 8 of the Convention. (Leander, 48, Aman, Rotou 43, Sve Marper 67, Khelli 55) According to the Court, the systematic collection and storage of data on certain individuals by security forces (Segerstedt-Wiber and Others 72 Cemalettin Canlı 43), even if such data is collected in the open (Peck 59 PG and J. H 57-59) or even if such information relates only to the person's professional or public activities (Rotaru 43-44), or if the information in question relates to the person's distant past (Peck 59 PG and J. H 57-59). H 57-59) or even if this information is only related to the person's professional or public activities (Rotaru 43-44), the court ruled that even if the information in question is related to the distant past of the person, it will constitute an interference with the private life of the person. (Cemalettin Canlı 43) Determining when and where the person was through the GPS system by means of a device to be placed in the person's private vehicle (Uzun-Germany 51-53) constitutes a violation of the right to respect for private life. Access to information about one's own past is a part of private life (Odievr v. France).
Examples of court judgements on the protection of personal data relating to private life are as follows A person's name is a means of establishing his or her identity and establishing contact with a family, and therefore concerns his or her private and family life (Burghartz 24). Genealogical issues concern a person's private life as they relate to his or her identity ( Rasmmussen 33, Kruskovic 20). Issues related to gender changes are a matter of private life (Rees 42, Cossey 38-39), ethnic identity is a matter of private life (S e Marper 66). Sexual intercourse and sexual orientation constitute the most intimate aspect of an individual's private life (Laskey, Jeggard and Brown 36), requesting information about one's origin and access to information held by public authorities is part of the right to respect for private life (Odievre v. France), interference with the right to respect for private life constitutes interference with the right to respect for private life when public authorities record audio, written and video recordings of an individual and his or her activities in order to obtain information about the commission of a criminal offence. Klass and Others v. Germany 48,49 )[2]
Use of Personal Data for Unnecessary and Illegitimate Purposes
The approach of the ECtHR, which considers the use of data for excessive, unnecessary and illegitimate purposes as a violation of rights, is in line with the existing regulations of paragraphs 6/1/c and 7/c of the European Union 1995/46/EC GDPR. In the inspections made by the court regarding the allegations of violation of rights, the court first examines whether there is an interference with private life, and when it is determined that there is an interference, it is examined whether this interference is justified. The first step in the examination of whether the interference is justified is whether the interference is made in accordance with the law. If it is lawful, it is examined whether the intervention is necessary in a democratic society. After this step, it is also examined whether the intervention is proportionate to meet social needs and fulfil legitimate aims.
In case of an intervention that meets all the conditions, there is no violation of rights. In the Court's judgements in relation to allegations of violation of rights, it is very rare when the Court determines that data protection measures are necessary in a democratic society. Rather, the Court looked at whether there was a legal basis for the infringing action. Where that legal requirement was violated, it did not examine other requirements ( P.G. and J.H.,). A review of legality is different from a review of necessity in a democratic society. If a restriction on the protection of privacy exists in law and has a legal basis, it is expected that this restriction is also necessary in a democratic society. Necessity in a democratic society review is a political review. It balances values and interests. The question that arises in this review is whether the limitation or infringement of data protection is justified by a legitimate need. The fulfilment of the requirement of necessity in a democratic society is not sufficient for the limitation of data protection. Because there are two more criteria in the control made in Articles 8.9.10.11 of the ECHR.
These are the criteria of meeting social needs and being in proportion to realise legitimate aims. However, the criterion of meeting social needs in these criteria is mostly applied for the right regulated in Article 10, and its application area for Article 8 is narrow. In proportionality control, the Court takes into account the gravity of the interference with personal data. In the application of the principle of proportionality, while determining whether the restriction is proportionate or not, the nature of the situation is considered. While assessing proportionality, the Court looks at the nature of the measure taken (whether it will enable misuse, negative consequences, etc.). It looks at whether the same result can be achieved with other measures and whether there is a need to take such drastic measures. If the review passes all these criteria, no violation of rights will be found. A strict application of proportionality review was brought to the agenda in the case of Campbell v. United Kingdom, Application No. 13590/88 (Campbell v. United Kingdom, Application No. 13590/88, ) for violation of Article 10 in secret inspections, confiscation of letters written to the lawyer and keeping telephone records. In reality, there are very few judgements in the ECtHR judgements on the processing of personal data in comparison to other judgements on excessive, necessity and legality checks. The most important reason for this is that the court favours the review of lawfulness.
As seen in the Klass, Leander, Amann, P.G. and J.H. and Perry cases, the court considers the area of personal data as a very limited area of privacy in parallel with the traditional approach. Current approaches to the protection of personal data are not included in the protection area of the court. In the Leander Case, the court did not consider the restriction on the right to access personal data as a violation. A similar situation occurred in the Antony and Margaret McMichael v. United Kingdom case. The Court clearly stated in its judgement that Article 8 does not mean that Article 8 does not grant a right to access personal data. On the contrary, the court explicitly recognises that law enforcement and security forces may access personal data.
The Court made a distinction between personal data that may be covered by Article 8 and personal data not covered by this Article. (Pierre Herbecq and the Association Ligue des droits de l'homme v Belgium, Pierre Herbecq and the Association Ligue des droits de l'homme v Belgium, Applications Nos. 32200/96 and 32201/96). The Court found the claim inadmissible. The reason given was that the images in the filming were not related to private life, but were in public places. At the centre of the idea of Data Protection is personal data, the carrier of which is identified or identifiable. Regulations on Data Protection do not divide data into privacy-related and non-privacy-related data.
On the other hand, the data protection system recognises the existence of sensitive data of a special nature. Data protection regulations regulate that all personal data can be misused, including ordinary names, addresses, etc., and that the purpose of the data protection system is to protect all data. These regulations are undoubtedly the product of common sense. In this case, it can be discussed to which limit ordinary data will be protected, but there is an agreement that these data will also be protected. The prohibition of the processing of special categories of data, for example, the prohibition of the processing of data relating to Jewish persons, is a positive regulation. There is no doubt that they must be protected against those who target them with a simple list of names belonging to this group. Technical staff in particular easily process data on the Internet without taking data protection regulations into account or finding them too bureaucratic.
In the cases of Amann, Rotaru and P.G. and J.H., the ECtHR gave a broad definition of privacy within the meaning of Article 8, referring also to the Leander case, and demonstrated the differences between the principles of data protection and court decisions. In the Amann case, the ECtHR stated that the storage of personal data is relevant to Article 8, that private life should not be defined in a restrictive manner, that private life includes establishing and developing relationships with other people, and that there is no reason to exclude the nature of business life and professional activities from private life. However, the judgements in these cases should be approached with caution. The issue of how far data should be protected and how far it should not be protected is still being worked out. Data are excluded from privacy protection when they do not relate to the private sphere, when they are not systematically recorded as pictures and sounds, or when they are not recorded by targeting a specific data carrier, when the data carrier reasonably knows that the data will be processed. In this context, cameras on the streets, the telephone company's storage of data on telephone calls in the sense of charges and statistics (P.G. and J.H. v. the United Kingdom) do not seem to be a violation in the sense of Article 8. In summary, it is seen by the court that not all data is protected.
