Responsible Information Sharing Converging boundaries between private and public in privacy and copyright law

  1. LL.M. Annelies Vandendriessche
  2. Dr. Bernd Justin Jütte

Abstract

Copyright Law and Privacy Law both grant individuals exclusive control over the dissemination of expression or personal information, respectively. A number of criteria emerged in the ‘new public’ jurisprudence of the CJEU based on Article 3 Directive 2001/29/EC (InfoSoc Directive), that determine how right holders can retain control over copyright-protected works after their first publication. The Court established that the scope of a public in copyright law depends, among other factors, on the subjective intention of the person who exposes a work to an audience. The case law suggests that several ‘publics’ coexist, and that the exposure of works to one of these ‘publics’, does not automatically justify exposure to other public spheres. The exposure of these works to other ‘publics’, still remains under the control of the right holder. The paper suggests that the notion of a “new public” can be instrumental in better understanding the delimitation of public and private space in EU privacy law. The authors propose a concept of privacy as controlled public exposure, modelled on the notion of a “new public” under Article 3 of the Information Society Directive, and inspired by recent jurisprudence of the ECtHR on Article 8 ECHR, which protects the right to respect for private life. This, the authors argue, leads to an expansion of private spheres in public life.

Keywords

  • communication to
  • copyright
  • new public
  • privacy, personal information
  • reasonable expectations
  • the public
  • privacy
  • personal information
  • copyright
  • reasonable expectations
  • communication to
  • the public
  • new public

1. Introduction

1

In their seminal 1890 article “The Right to Privacy”, Samuel D. Warren and Louis D. Brandeis relied on copyright law to construct a right to privacy. [1] While both legal regimes have been under extreme pressure over the last years they have developed similar solutions in order to adapt to constant technological challenges to their respective scope. Therefore, it seems appropriate to revisit the similarities between the right to privacy and copyright, similarities which have indeed also inspired recent legal doctrine concerning the rights of control of data subjects over their personal data. [2] This article examines the commonalities between the right to privacy under Article 8 of the European Convention on Human Rights (ECHR) and the exclusive right to ‘communication to the public’ under Article 3 of the Information Society Directive [3] in order to expose what is considered the foundation for a horizontal concept of the public and private divide in a modern and digital environment.

2

Accordingly, this article will first explore the evolving interpretation of the right to privacy by the European Court of Human Rights (ECtHR), which lays down first steps in, what is argued, the right direction for allowing the legal concept of privacy to better respond to contemporary challenges to privacy in a digital environment. Second, it will trace the evolution of the communication to the public (C2P)-right in EU copyright law as an example of a different approach to delineate private and public. It will conclude by positioning these concepts in the context of European data protection law and its general principles to demonstrate that the incorporation of the C2P-concept into privacy law is not only a possible solution for delimiting the private/public divide in the Information and Communication Technology (ICT) context, but can also be accommodated within the systematic structure of privacy law.

2. Towards a contextual approach to privacy in the jurisprudence of the ECtHR

2.1. The validity of the private sphere/public sphere divide in the ICT context

3

There are many different legal perceptions of exactly what type of information should be protected by a right to privacy, which are the underlying reasons to protect privacy, and to which extent protection is required. Therefore, one could classify the concept of privacy as somewhat of an essentially contested concept. [4] The fact that there are multiple understandings of what the concept of privacy encompasses helps to explain why privacy has consistently grappled to adapt to changing social and technological contexts.

4

Despite various interpretations of the meaning of the term ‘privacy’, one aspect all traditional interpretations of privacy have in common is their reliance on a private sphere/public sphere divide. This separation of spheres is traditionally used to determine when the right to privacy is violated; namely when personal information, which belongs to the private sphere, is inappropriately released into the public sphere. [5] An appropriate disclosure of personal information into the public sphere must, according to the private/public dichotomy, be legitimized by means of principles such as consent and contractual agreement, possibly coupled with a right of ownership of personal information or of control over publicizing that personal information. [6] According to this traditional divide, once an individual, or his information, enters the public sphere, his behavior and information become public, and are therefore no longer protected by a right to privacy. [7] In the traditional interpretation of the private sphere/public sphere divide, the focus has thus been on the origin of the information, whether it originated in a private or in a public context, since this origin would also determine the nature of the information in an inextricable manner.

5

Despite various interpretations of the meaning of the term ‘privacy’, one aspect all traditional interpretations of privacy have in common is their reliance on a private sphere/public sphere divide. This separation of spheres is traditionally used to determine when the right to privacy is violated; namely when personal information, which belongs to the private sphere, is inappropriately released into the public sphere. [8] An appropriate disclosure of personal information into the public sphere must, according to the private/public dichotomy, be legitimized by means of principles such as consent and contractual agreement, possibly coupled with a right of ownership of personal information or of control over publicizing that personal information. [9] According to this traditional divide, once an individual, or his information, enters the public sphere, his behavior and information become public, and are therefore no longer protected by a right to privacy. [10] In the traditional interpretation of the private sphere/public sphere divide, the focus has thus been on the origin of the information, whether it originated in a private or in a public context, since this origin would also determine the nature of the information in an inextricable manner.

6

Nissenbaum argued that this aspect in particular is at odds with what individuals intuitively understand when they consider what constitutes their private life, at odds with their ‘expectations of privacy’: not all information made public or available within a public space should automatically be there for the taking. [11] Technological progress further aggravates the consequences of this misconception by contributing to blurring the demarcations of the private-public divide. As a result, it becomes increasingly problematic to rely on the intuitive expectation that all information that is public or collected within the public sphere is also immediately available for all to use. The use of new technologies leads to questioning of the traditional perception that information available in the public domain is by consequence and necessarily also public in nature. Examples that illustrate this problem are the “DNA traces we automatically ‘leak’ into public space by just being there” or the “proliferation of smart devices in public space that blur the boundaries between public and private information and the storing and sensing thereof”. [12] Other examples are new surveillance technologies such as drones, or the use of location trackers contained in our cell phones, smart watches and exercise trackers, and the use of ever more sophisticated data analysis tools for analyzing social networking websites. All these technologies process personal data which is, in principle and seemingly public (or rather communicated in a public space). [13] The processing of personal data constitutes a particular challenge for privacy protection in general, and for demarcating the public/private divide in particular, since technological advances have rendered personal data processing more effortless, sophisticated and large-scaled than could be foreseen at the time of adoption of the ECHR. [14] Instead of viewing the public-private divide in a strictly dualist manner, the current partition between both spheres should rather be considered multi-facetted, unsettled and with several fault lines and cutting edges overlapping and crossing each other. [15]

7

The boundaries have become blurred in such a way that it is no longer possible to consider privacy concerns in terms of a simple dichotomy, where the domain in which the information originated also determines the private or public nature of that information. A more valid paradigm today could be to consider privacy concerns in context. [16] Privacy will increasingly need to protect not only personal, private and intimate information for which individuals are generally cautious about how and where they share it, but also information individuals share willingly or not, but which will be stored, analyzed and manipulated increasingly frequently for often unforeseeable purposes, with impacts on private life in equally unforeseeable ways. [17]

8

In this regard, Helen Nissenbaum developed the idea of a concept of privacy understood as ‘contextual integrity’, which would be adapted to the manner in which technology has influenced our day-to-day lives.  [18] She conceptualized the right to privacy as a right to “context-appropriate flows” of information about oneself rather than as an absolute right to secrecy and control over information. [19] This can best be described as a “norm-governed flow of information that has been calibrated with features of the surrounding social landscape, including important moral, political, and context- based ends, purposes, and values.”  [20] This framework helps to understand why individuals have varying privacy expectations in different social, public, contexts: such as politics, education, health care or the workplace, or when individuals engage with close family and friends. [21] Many have attempted to further develop Nissenbaum’s idea of contextual integrity and to apply it in practice, but the concept is not easily integrated into formal law. [22]

9

Notwithstanding this difficulty, the ECtHR has already developed a legal framework for privacy protection for the Member States (MS) of the ECHR, which affirms that the private-public divide can no longer be upheld in a dogmatic manner. This jurisprudence has gradually broadened the scope of application of ‘private life’ as understood under Article 8 ECHR, so that it might encompass situations of privacy in public in response to technological evolution and increasing and diverse use of ICT.

2.2. The broadened scope of the right to the protection of private life under Article 8 ECHR jurisprudence

10

Three crucial steps can be discerned in the jurisprudence of the ECtHR, which have contributed to moving towards a contextual approach to the concept of ‘private life’ under Article 8 ECHR. These steps which we will develop more extensively hereinafter, have led to the recognition of a degree of privacy in public to individuals, in the face of new technological developments.

11

First, by gradually broadening the scope of the notion of ‘private life’ in light of modern developments, the ECtHR increasingly interpreted the right to respect for private life as a positive right,  [23] which includes granting a limited right to privacy in public, and which adapts to varying contexts.

12

Second, Article 8 ECHR became responsive to most challenges posed to private life by the use of modern technology, including to those blurring the public-private divide, through the incorporation of a right to protection of personal data under the scope of the right to protection of private life. [24]

13

And third, even if a situation does not strictly fall under the category of processing of personal data, it can still be considered an intrusion of private life and fall under the scope of Article 8 ECHR, if it goes beyond the ‘reasonable expectations of privacy’ (REoP). The importance of this final jurisprudential criterion, although still quite undeveloped under the ECHR framework, is not to be underestimated when it comes to delimiting privacy in public.

2.2.1. The broad conception of the notion of ‘private life’

14

Article 8 ECHR was originally conceived of as a classic negative freedom from arbitrary intervention by the State with the right to private life. [25] However, under the Convention, States may also have positive obligations to ensure effective respect for private life, including in relations between private individuals. [26] Even more, in Niemitz v Germany the ECtHR affirmed that a broad non-exhaustive definition should be given, and preferred over a narrow one, to the concept ‘private life’. [27] The Court already acknowledged here that limiting the notion of private life strictly to an ‘inner circle’ in which an individual can live his personal life, from which the outside world is excluded, would be too narrow a definition. [28] With this interpretation the ECtHR already moved beyond a strict private space/public space dichotomy. The Court stressed in Niemitz v Germany that the private sphere includes aspects of professional life and business activities, since it is “in the course of their working lives that the majority of people have a significant, if not the greatest, opportunity of developing relationships with the outside world”. [29] It further emphasized that giving such a broad interpretation to the notion of private life is essential given that both personal and professional spheres cannot always be easily distinguished. [30] The Court interpreted the concept of ‘privacy’ further to encompass issues such as privacy in se, physical, psychological or moral integrity, as well as issues concerning identity. [31] The scope of Article 8 ECHR has been interpreted to include, in essence, any issue concerning “the development, without outside interference, of the personality of each individual in his relations with other human beings.” [32] This should be understood to mean that the ECtHR also includes under the scope of protection of Article 8 ECHR some interactions of individuals with others, even in a public context or setting. [33]

15

Despite its original conception as a negative freedom, the right to the protection of private life with its emphasis on self-development under Article 8 ECHR, [34] has been interpreted as closer to a positive freedom, [35] which not only shields individuals from outside interference, but also allows individuals to take control of how they manage their privacy or rather their relationships with others in a societal context.  [36]

2.2.2. Integrating the right to protection of personal data under Article 8 ECHR

16

Together with a broad conception of the notion of private life as a positive freedom, the inclusion of the right to protection of personal data within the scope of Article 8 ECHR serves to protect privacy in public contexts. The fact that the ECtHR found it neither possible nor necessary to exhaustively determine the content of the notion of ‘private life’, [37] has, on the one hand, kept the boundary between the private and the public purposely vague. On the other hand, it has lent the concept of ‘private life’ the necessary malleability to respond to technological advancements and the emergence of new interests. Technological advancements have frequently challenged the right to protection of private life. Indeed, Warren and Brandeis’s plea favoring the creation of a right to privacy, did so in response to “recent inventions and business methods” which were thought to be intrusive on private life, such as “instantaneous photographs and newspaper enterprise”. [38] Likewise, the creation of a right to protection of personal data as a sub-right of Article 8 ECHR through the adoption of Convention 108 [39] in 1981, [40] occurred in response to increasing automated personal data processing since the 1960s as a result of the increased use of the computer. More recently, processing of personal data is taking place in an ever more large-scaled and refined manner through the use of the Internet and connected technologies and for new business purposes, such as the phenomenon of ‘Big Data’, leading the EU to revise its data protection legal framework with the adoption of the GDPR [41] and the Council of Europe to modernize Convention 108. [42] Due to the increased role of processing of personal data in our daily lives as a consequence of internet-usage, the right to protection of personal data has gained a very important place in privacy protection.

17

In line with the ECtHR’s interpretation of the Convention as “a living instrument, which [...] must be interpreted in light of present-day conditions”,  [43] the ECtHR gradually included many provisions of Convention 108 under the scope of protection of Article 8 ECHR.

18

In Z v Finland, the ECtHR finally explicitly confirmed the connection between Convention 108 and Article 8 ECHR, [44] by holding that “the protection of personal data [...] is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention”. [45] Later jurisprudence then asserted that the broadening of the scope of Article 8 ECHR to include the right of individuals to develop relationships with others, including in professional or business contexts meant the equalization of the respective scopes of protection of Article 8 ECHR and Convention 108. [46] Moreover, the ECtHR explicitly stated that “public information can fall within the scope of private life where it is systematically collected and stored in files held by the authorities.” [47] Despite the equalization of the respective scopes of Article 8 ECHR and Convention 108 for the processing of personal information, not all processing of public information can fall under the scope of Article 8 ECHR. [48] The emphasis in the jurisprudence is placed on the systematic collection and storage of such public information creating a permanent record, thereby excluding the simple possession of, or the simple use of, public information from the scope of Article 8 ECHR. [49] It is therefore only a systematic subsequent processing of public personal data which may raise concerns for the protection of the rights guaranteed by Article 8 ECHR.  [50]

19

In order to establish whether or not a specific processing or further processing of personal data drawn from a public context falls under the protective scope of private life, the Court devised three criteria in S and Marper v The United Kingdom which are to be taken into account. The application of these criteria can both alternatively or cumulatively bring a processing of public information within the scope of Article 8 ECHR. [51] In a first step the ECtHR will examine the “specific context in which the information at issue has been recorded and retained”. Second, “the nature of the records” will be examined, and third, “the way in which these records are used and processed and the result that may be obtained” must be considered. [52] In practice however, when the Court does not succeed in drawing a link to private life based on these three criteria, a fourth criterion comes into play, namely whether a situation exceeds an individual’s Reasonable Expectation of Privacy (REoP). [53] It is of particular relevance when “the way in which the records are used and processed” results in making this personal information available to a broader public than could be reasonably expected by the individual concerned. [54] An important example of a way in which the further processing of personal data originating from the public domain could lead to a publication of this data to a larger public than could be expected, is when such data is published to a broad audience by the media. Such a further processing would however not only raise potential privacy concerns, it would also require a balancing between the right to protection of private life and the right to freedom of expression guaranteed by Article 10 ECHR.

2.2.3. The role of the REoP-criterion in protecting privacy in public

20

The REoP-criterion seems rather underdeveloped as a legal concept when used by the ECtHR to determine the scope of application of ‘private life’. In some cases, the Court seems to be able to determine without difficulty whether or not private life safeguards apply, whilst in other cases the Court makes recourse to the REoP -criterion. [55] As a legal concept, it may have seeped into the ECtHR’s jurisprudence by influence of the English common law, in which a ‘general tort of privacy’ has not yet been developed, [56] and which applies the criterion to determine the scope of the right to privacy. [57] A double-layered approach in cases concerning misuse of private information is generally followed by the English courts: first, the question examined is whether the individual had a reasonable expectation of privacy; second, a balancing will be carried out between the privacy interests and the interests in revealing the private information to the public. [58] Carrying out a REoP-test in this manner is founded on two justifications. The first justification, refers to the impossibility of the alternative to this test, to exhaustively define distinct categories of private information, a drawback which can be offset by reference to a more objective REoP-test. [59] The second justification sees the test as effectively striking the balance between the objective notion of what information society deems an individual to reasonably have a right to keep private, and the subjective notion of the expectations an individual may have in relation to the control of the disclosure of information concerning himself. [60]

21

A review of the ECtHR’s jurisprudence reveals that the Court opted for an approach that defines categories of private information non-exhaustively, supplemented by a REoP - test, which captures the objective notion of what an individual has a reasonable right to keep private in the information society. The REoP-criterion carries a specific purpose in the jurisprudence of the ECtHR. It functions as a fallback criterion when a data processing situation involving personal data available in the public domain could not be tied to private life according to the three criteria developed in S and Marper v UK, yet exceeds the REoP of an individual and would therefore merit to fall under the protective scope of Article 8 ECHR. [61] This would be the case in particular when personal data is exposed to a wider audience than originally intended or expected by the individual in question, without his consent. [62] The application of this criterion would also bring any further processing of personal data beyond what could be reasonably expected under the protective scope of Article 8 ECHR. [63] Hence, it represents an important criterion for delimiting privacy in public space.

22

It is important in this context not to overstate the significance of the REoP-criterion in Article 8 ECHR jurisprudence, since the REoP is not necessarily a conclusive factor for the application of the protection guaranteed by Article 8 ECHR on its own. The Court held in PG and JH v The United Kingdom regarding expectations of privacy specifically, that a number of factors must be taken into consideration when contemplating whether or not the right to private life is affected by matters occurring outside of the home or outside of private property. The Court nevertheless emphasized that, in situations in which people “knowingly or intentionally” engage in activities which they know could or will be reported or recorded publicly, a person’s “reasonable expectations as to privacy” still remain a significant factor in determining the scope of privacy protection applicable. [64]

23

Privacy protection was interpreted by the ECtHR to cover a person’s identity, including the publication of a person’s name or photographs of a person taken in public, it includes his physical and moral integrity, as well as any personal information which a person can legitimately expect should remain private and should not be publicized without requiring prior consent. [65] This entails that these aspects of private life for which there is a REoP can also remain protected, even in a public context. Moreover, the processing of publicly available personal data does not need to concern data of a sensitive nature, the mere coming into existence of a systematic or permanent record of any type of publicly available data, beyond its originally expected use, may in itself raise a privacy concern.  [66]

24

The REoP-criterion is thus particularly interesting for its potential use in delimiting the further processing and use of personal information already made available in the public domain, when it is published to a larger audience or public than was originally intended. One could consider, for example, the sharing of personal information by users of social media platforms. News outlets regularly publish news stories containing social media content made publicly available by private users on these social media networks, thereby exposing this content to a larger public than was originally intended, or could be reasonably expected, by that user. Taking the REoP-criterion into account as an additional criterion when balancing the right to freedom of expression of the media with the right to protection of private life of the social media user, could enable the user to retain some measure of control over if and how his personal information is subsequently disclosed to the public at large. In sum, the ECtHR’s case law supports the idea that it is not because personal and private information is publicly available, that it becomes by its nature public, it retains its private character. Any further systematic processing of that information, bringing into existence a permanent record of that information, such as through a media publication disclosing or further exposing the information in question, may give rise to privacy concerns.

2.2.4. The REoP-test in practice

25

In Satakunnan Markinapörssi Oy and Satamedia Oy v Finland (2017), the ECtHR demonstrated the use of the REoP-criterion to tie a public personal data processing situation into the protective scope of Article 8 ECHR, when balancing the right to protection of private life with the right to freedom of expression. Although the ECtHR’s use of the REoP-criterion is not explicit in this case, the Court’s arguments seem inspired by the REoP-criterion when referring to the fact that the media companies in question made public tax data “accessible in a manner and to an extent not intended by the legislator”. [67] The Court thus attributed significant importance to the purpose of the original first publication of tax data of Finnish citizens under public access to tax information legislation, in order to determine whether a further processing of that information was legitimate from a privacy and data protection viewpoint. The Court considered that although personal information was publicly available, it could not simply be republished in a simpler, more easily accessible form.

26

At stake was the question whether tax data of 1.2 million people, without distinction of whether they were ordinary individuals or individuals with a public function, could be published as a list in a newspaper and made searchable through an on-request SMS service, without the consent of the individuals concerned. Important in relation to this case is the fact that tax data of all Finnish citizens was made publicly available by the State and could be freely consulted. Legislative safeguards restricted bulk downloading of the database for media companies. Access-requests were limited to a maximum of 10 000 persons for the whole country, and 5 000 persons for a specific region. [68] Further restrictions applied when requesting data on the basis of income. When requesting data, the limit for earned income is set to at least 70 000 euros, whereas the limit for capital income is set at 50 000 euros. [69] This taxation data is available in digital format, but the making of copies of this data is prevented by the Tax administration and is prohibited. [70] When requested for journalistic purposes, the inquirer must declare that the information will not be published as such in the form of a list. [71] When the Data Protection Ombudsman was notified of the access request made by the applicant companies in 2000 and 2001, it asked these companies to give more information regarding their request and that access to the data could not be given if the applicant companies continued to publish the information in its current form. [72] The applicant companies circumvented this hurdle by hiring individuals to manually collect the taxation data, which would later be compiled to reconstruct large parts of the database. [73]

27

It must be clarified with regard to the Satakunnan-case, that although it concerned a conflict between the Article 8 ECHR rights of Finnish citizens and Article 10 ECHR rights of media companies, the applicants Satakunnan Markinapörssi and Satamedia filed a case with the ECtHR claiming an infringement of Article 10 ECHR. As a consequence, the evaluation of the ECtHR was carried out from the perspective of whether or not Article 10 ECHR was infringed by the Finnish State when it limited publication of the tax data by the applicant companies. However, given that Article 8 ECHR and Article 10 ECHR both protect fundamental rights of an equal importance, the balancing test carried out by the ECtHR has been standardized by the Court no matter under which of the two articles an application is filed. In a first step, the ECtHR therefore did establish whether the protective scope of Article 8 ECHR applied, by evaluating whether or not privacy concerns were at stake. By reference to its previous jurisprudence the ECtHR concluded that despite the fact that taxation data in Finland are in the public domain, privacy issues nevertheless arise, [74] for seven reasons: [75]

  1. the concept of private life must be defined broadly, rather than exhaustively; [76]

  2. private life not only includes physical and psychological integrity, but also business or professional activities of the individual, [77] as well as his right to live in a private, isolated and secluded manner; [78]

  3. even in public, a sphere of interaction between individuals may be considered to fall under the scope of Article 8 ECHR; [79]

  4. when data protection issues are concerned, the ECtHR refers to the Convention in order to affirm that private life must be interpreted broadly also in the context of data protection, since this corresponds to the object and purpose of Convention 108, expressed in its articles 1 and 2; [80]

  5. even if information is already in the public domain, the protection of Article 8 ECHR is not necessarily removed, a balance of interests must still be made between further publishing that information and privacy considerations; [81]

  6. private life is affected whenever personal data of the individual is compiled, used, processed or published in a manner beyond what can be reasonably foreseen; [82]

  7. Article 8 ECHR should be understood to provide individuals with a right to a form of informational self-determination, the right to privacy should apply whenever data are collected, processed and disseminated in a form or manner which raises privacy concerns. [83]

28

Taking all these elements into consideration, the Court held in Satakunnan that mass-processing and publication of tax data of a large number of individuals in the newspaper Veropörssi gave rise to privacy concerns, notwithstanding the fact that such tax data were made available to the public by the Finnish State on access request. [84]

29

More specifically, when balancing the right to privacy against the right to freedom of expression the Court found that five factors must be evaluated. The first factor relates to whether the publication contributed to a debate of public interest or whether it was “aimed solely at satisfying the curiosity of a particular readership regarding the details of a person’s private life”. [85] In order to establish this, the publication as a whole must be taken into account and the context in which it was released. [86] The Court affirmed in Satakunnan that although the publication of tax data by the Finnish authorities undoubtedly serves a public interest, namely that of government transparency, access to this information was not unlimited and was subject to clear rules and conditions under Finnish law: public interest in the publicity of tax data does not automatically justify its re-publication. [87] The Court was not convinced that publishing raw tax data by the applicant was in the public interest, considering that the data of 1.2 million Finns was simply published as catalogues, the only editorial input being their organization by municipality. [88] The applicant companies argued that the publishing of raw tax data would enable Finns to draw conclusions on the results of tax policy, but they did not explain how they would be able to perform such an analysis based on the publication of raw data alone. [89] For these reasons, the publication was found not to be in the public interest but merely aimed at enabling voyeurism. [90]

30

The second factor relates to the subject of the publication and the notoriety of the persons concerned by the publication. [91] The Court observed that with 1.2 million individuals a third of the Finnish population was concerned by the publication, most of which belonged to low income groups. The newspaper did not distinguish between particular categories of persons, such as politicians, public officials or public figures who belong to the public sphere as a result of their profession, earnings or position. [92] Furthermore, not only did the applicants not take the personal nature of this data into account, but they also failed to consider that information collected by the tax authorities for one specific purpose could not simply be repurposed by them. [93]

31

A third factor concerns how the information was obtained and the truthfulness of the information. [94] The latter was not in question, however although the applicants did not use illicit means to access the data, they circumvented both the technological and legal limitations for the access to tax data by journalists. These measures were aimed at striking a balance between the various interests at stake: to ensure that collected data was used only for journalistic purposes and would not be published in its entirety. [95]

32

A fourth factor then relates to the content, form and consequences of the publication. [96] In this regard, the main issue addressed by the Court was the fact that even though the data were publicly accessible under Finnish law this still did not mean that they could be re-published without limitation. [97] What was truly objectionable was that the publication of long lists of raw personal data and its searchability through an SMS-service made the information accessible in a manner and to an extent not foreseen by the legislator. [98]

33

Finally, the fifth factor relates to the severity of the sanction imposed on the publisher of the personal information. [99] The Court concluded that the applicants were not prohibited by the local authorities from continuing to publish tax data, they simply had to do so in a fashion consistent with European data protection legislation, this was therefore not a disproportionate measure.  [100]

34

Without providing a bright-line rule, the Court in Satakunnan applied and developed its earlier case-law, to carefully balance all involved interests, taking into account the technological context of publicly available information. Important to remember for our purposes, is that although Finnish tax data may have been publicly available, it was subject to access limitations. Consequently, obtaining access to personal information does not automatically allow the decontextualization and repurposing of that personal information. This would only be possible under strict conditions of proportionality, which must be assessed by a balancing exercise.

3. European Copyright solutions for delimiting the private public divide

35

This section lays out the main elements of the right to communication to the public under Article 3 of the InfoSoc Directive as developed by the CJEU and positions it vis-à-vis the right to privacy. For the lawful access to works protected by copyright it is necessary that the work has been published. Publication requires, as a general rule, the consent of the right holder, which in most cases will be the author of the work. The act of publication is, therefore, a conscious act that exposes a work to the public. This language is also found in a number of international and national legal instruments. For example, Article 3(3) of the Berne Convention defines ‘published works’ as “works published with the consent of their authors”. By analogy to the jurisprudence of the ECtHR on privacy expectations for individuals, [101] an author has to push his work into the limelight by publishing it so members of the public can perceive it. The analogy becomes even stronger in light of the natural law theories on copyright, which protect copyright as an emanation of the personality of the author. [102]

36

The CJEU has consistently balanced the right to freedom of expression, the right to property and the right to privacy in the context of copyright enforcement in relation to infringements via the Internet. Privacy and property usually found themselves on opposite sides of the balancing scale, representing proprietary interests in intellectual creations and in private information. Although infringers, at least in the cases referred to the CJEU for preliminary questions, did not themselves step into the limelight, thereby exposing their private information or simply their identity to the public. But revealing private information was necessary in order to effectively protect the interest of right holders against infringements of their property rights.

37

One particularly striking differentiation was made in Promusicae, when the CJEU ruled that, because of the different interests at stake, the right to privacy must be balanced differently against the right to property in the context of civil and criminal proceedings. [103] Whereas in relation to the former, MS are not obliged to limit the privacy of internet users by ordering the disclosure of traffic and access data to victims of copyright infringements, in the latter case, as a matter of public policy, MS can foresee limitations to the right to privacy in electronic communications in order to serve a number of public interests, including the effective detection and prosecution of criminal offences. [104] In cases where copyright infringement constitutes a criminal offence, national courts can thus be required to order an intermediary to disclose confidential information about its customers. Without having stepped into a public sphere, infringers of copyright forfeit their right to absolute confidentiality when they unlawfully download or stream protected works.

38

The CJEU has interpreted the notion of ‘the public’ in its jurisprudence on the exclusive C2P-right. Under Article 3(1) right holders of protected work enjoy the exclusive right “to authorise or prohibit any communication to the public of their works, by wire or wireless means, […].”  [105] Exclusive rights allow right holders to prevent or prohibit the use of their works without their consent. In other words, save for expressly permitted exceptions, [106] all uses of a given work require permission from the right holder. A general flexible norm that would allow for the accommodation of uses not expressly permitted by an exception does not exist under EU copyright law, and AG Szpunar has expressly rejected the legality of such a norm. [107] However, he admitted that in extreme situations copyright as an intellectual property right protected under Article 17(2) of the EU Charter, could be balanced directly against other competing fundamental rights. [108] However, the Court did not follow this argument in its final judgment.

39

As a general rule, a right holder, by consenting to the publication of his work, agrees that the work can be accessed by others. However, further dissemination in a digital environment implies the C2P-right and requires, as a result, consent.

40

The CJEU has developed the scope of the C2P-right in several steps. The present analysis will focus on the jurisprudence in relation to hyperlinking. The question whether hyperlinking constitutes an act of communication to the public has inspired the CJEU to develop a complicated construct of conditions for the legality of providing web links. This case law, and its application in a digital environment, can give valuable insights into the public/private divide. The following section will outline the different criteria developed by the CJEU and highlight some of the cases in which the Court provided arguments and interpretation that can be instrumentalized to further a discussion on the use and re-use of private data on the internet.

3.1. The right of communication to the public

41

In the absence of a definition of the right to communication to the public, the CJEU has interpreted the scope of Article 3 InfoSoc Directive on the basis and in the light of the EU’s international obligations. [109] The two central elements to the exclusive right are an act of communication, and that this act is directed towards a public. The requirement of an act of communication underlines the necessity of a conscious intervention, [110] as opposed to a mere passive behavior. An act of communication within the meaning of Article 3(1) must consist in a transmission or an indispensable intervention that provides or facilitates third party access to a work. [111]

42

The communication must further be directed to a public, which is defined as an indeterminate and large number of people. The Court established a de minimis threshold excluding private gatherings and small and insignificant numbers of persons, [112] but ruled that subsequent guests of a hotel constitute a public large enough to be considered relevant for the purposes of Article 3. [113] It, unsystematically, also links this criterion to the question whether the commission of the act of communication is made in the context of an economic activity. [114]

3.1.1. The notion of public

43

In addition to the quantitative requirement of a “large number of people” the CJEU has also added a subjective and qualitative element to the notion of ‘the public’. A communication must be directed towards a ‘new’ public, which is a public that has not been taken into consideration by the right holder or his assignee in any prior act of communication. [115] As a general rule, the transmission of a work by different technical means always constitutes a communication of the work to a new public. [116] The retransmission by the same technological means is therefore an act of communication to a new public only if it is targeted at an audience or a circle of recipients included in earlier acts of communication. This means first, that there are several publics and not merely one large group of people that form ‘the’ public. [117] And second, the right holder decides or has a certain influence on what the relevant public is. To relate this to the right to privacy, a right holder can consciously direct towards and expose his work to a selected, roughly defined public in the same way that an individual could chose to surrender his information to the public in a way that personal data becomes freely accessible to third parties. The recipients of this information – protected expression or personal data – are subsequently barred from repurposing or decontextualizing the information. [118]

3.1.2. The novelty of a public

44

In relation to hyperlinks, the CJEU has further refined the notion of a ‘new public’. In Svensson, the Court ruled that a hyperlink constitutes an act of communication, [119] but not to a new public if the link leads to a protected work which is available on the internet freely and without restrictions. [120] As a result, any right holder who consents to his works being posted online without any access restrictions cannot prevent the linking of that content by other users. This approach was extended by the CJEU to the inclusion of works by framing. [121]

45

An act of communication to a new public does, however, take place when a link is set to a protected work that has been uploaded without the consent of the right holder because the link would expose the work to a public which had not been targeted before. This is of course particularly relevant, as was the case in GS Media, when pictures that were supposed to be published exclusively in a magazine are published prematurely on the Internet without the consent of the right holder. In GS Media the Dutch publisher of the Playboy magazine sued a webpage that had linked to nude pictures of a celebrity which were to appear at a later time in the Dutch edition of Playboy. The parallels to the right to privacy here are striking. The right holder in the images had an interest in the exclusivity of the images in order to reap the economic benefits and not to preserve the secrecy of private data or reputation in this particular case. This was, for example different in Funke Medien, [122] when the German government relied on copyright to prevent the further dissemination of confidential information. [123] What is important, though, is that the C2P-right preserves non-public spaces for a right holder. Exposure of a work in these spaces is subject to the consent of the latter.

3.2. Consenting to exposure

46

A right holder can use the criterion of a new public to delimit the exposure of his work to a specified circle of recipients. Without prior consent for publication, a work available on the Internet cannot be legally shared by others. Moreover, a work that has been published, but only to a limited number of recipients, either in a private environment, viz. to a circle of recipients that do not constitute a public in the first place, or a public that is clearly defined in its scope, cannot be shared with others outside the circle of recipients. The public or private circles defined by the consent of the right holder constitute closed spheres beyond which a further publication requires consent.

3.2.1. Identifying public spheres

47

In GS Media the Court explicitly addresses the problem that the identification of (restricted) public and private spheres would turn out to be a complicated exercise, given the vast amount of information available on the Internet. A normal user would find it difficult to ascertain whether protected works freely available on the Internet had been made available with the consent of the right holder or whether they had been uploaded without consent. The fear of infringement proceedings for unauthorized acts of C2P could, as a result, lead to a chilling effect for sharing of information on the Internet. But the CJEU highlighted the importance of the Internet for the exercise of the right to freedom of expression [124] and distinguished between hyperlinks set for non-commercial [125] and commercial purposes. [126] Whereas commercial users, when setting hyperlinks, are now expected to verify whether the works they are linking to have been made available with the consent of the right holder, non-commercial users do not incur such an obligation. In other words, commercial users have to check whether the work they are linking to has been made available with the consent of the right holder, which Matthias Leistner criticized as lacking a clear dogmatic basis in the EU copyright rules. [127] This distinction highlights the economic nature of exclusive rights in copyright, which, as the InfoSoc Directive explicitly states in Recitals 4 and 9, requires a high level of protection. [128] But the duties of care imposed upon commercial hyperlinkers are not fundamentally different from those required of journalists pursuant to the case-law of the ECtHR. [129]

3.2.2. Reusing published works outside a specified public

48

A right holder who has made his work freely available on the Internet must accept that, within the public his works have been released in, these works can be linked to without restrictions. This should also allow commercial users who would, upon closer scrutiny, find out the respective work has been published with the consent of the right holder, to link to this content. With similar arguments as those used in GS Media, AG Campos Sánchez-Bordona in Renckhoff suggested that the non-commercial reproduction of freely available images on the Internet does not constitute an act of communication to a new public. Although the referring court had advanced an argument that the public a right holder has in mind when publishing an image on the Internet would be restricted to those users who directly or via hyperlink would access the website containing the image. Another conclusion, the referring court argued, would lead to the exhaustion of the right under Article 3(1) InfoSoc Directive, which is explicitly prohibited under Article 3(3) of the same directive. [130] AG Campos Sánchez-Bordona rejected this argument and underlined that the assumption that a work published on the internet could be re-used for non-commercial purposes in the absence of clear indication that the consent for publication was restricted to a certain webpage and in the absence of technical restrictions to access the website on which an image had been originally published. [131]

49

The AG went on to state that a right holder who communicated his work to the public, even via a third party, could be required to apply a certain duty of care when authorizing the publication of his works. Such a duty of care would include the installation of technological measures or the express communication of his limited consent for the publication of a work. This, according to AG Campos Sánchez-Bordona, could be expected from right holders in return for the high level of protection provided through Article 3(1) InfoSoc Directive and in the interest of a balance between the interests of right holders and internet users. The CJEU rejected the AG’s assessment, ruling instead that the reproduction of a freely available image on the internet constitutes an act of C2P and, as a result, requires authorization. [132] The Court came to this conclusion by highlighting the nature of the right of communication to the public, which is preventive in nature. The preventive nature of the right enables a right holder to control, and if necessary to terminate the dissemination of his work. [133] However, if a work can be freely copied once it has been published on the internet without restrictions, the right holder would lose the ability to control the further dissemination of that work. [134]

50

This is different, according to the Court, in the case of hyperlinking. The deletion of a work from a website would also make all hyperlinks to that site obsolete because the deletion at the source would make the work inaccessible also through hyperlinks. [135] Any other interpretation of the right to communication to the public would effectively result in the exhaustion of the exclusive right and the loss of control over the further dissemination of the work online. [136] This approach is also reflected in AG Szpunar’s Opinion in Spiegel Online, where he suggested that a newspaper cannot, in the absence of an applicable exception, re-publish a controversial text authored by a (now former) member of the German Parliament, which the latter already published with accompanying annotations on his own website. [137] The Court, derogated from the AG’s strict interpretation of the quotation exception under Article 5(3)(d) InfoSoc Directive. It held that, given all the conditions of the exception are fulfilled, a work may be republished, however only “in its specific form”. [138]

3.3. Control through consent

51

The C2P-right equips the right holder of a work with control mechanisms that are based on consent or the withdrawal of consent. The consent-based publication of a work online enables other users to access the work, directly or through hyperlinks, which can be set without prior authorization. Any further dissemination that would restrict the right holder’s control over the work constitutes an act of C2P and can require further authorization.

52

However, control over a work is lost when one of the exceptions of Article 5 applies, which include uses such as parody, educational uses and uses for the purpose of quotation. [139] These uses are subject to a strict interpretation and relieve the user from the requirement of prior authorization only for that particular instance of a use. [140] Linking to works which are used under an exception must then respect the particular modalities and the context of a use in order to remain authorization-free.

53

Any uses of protected work that result in a circulation of the work that reaches beyond the public demarcated by the consent of the right holder is, by law, limited to such uses that do not erode the economic potential of the work. This underlines the economic nature of copyright as harmonized at EU level, and which is also reflected in the reasoning behind the exhaustion doctrine. [141] It is noteworthy that an application of the exhaustion doctrine, which safeguards the circulation of legally marketed carriers of works protected by copyright, [142] is not applicable to digital content. [143] In light of the distinction between economically rivalling uses it is worth mentioning that the strict limitations to non-commercial, or not primarily commercial uses have given rise to a number of preliminary references. [144]

54

The C2P-right is fundamentally economic in nature. This is why economically non-rivalrous, or insignificant but still revealing uses are permitted under copyright law. Restrictions and the authorization requirement are there to maintain the economic potential and safeguard a reasonable remuneration for right holders, and not to keep information out of the public sphere. Exceptions that reflect the public interest ensure that in some situations consent from the right holder to use a work, and to make it available to another public, is not required. This seems to be limited to cases in which a first publication has already taken place. [145] The exclusive rights in general, and the right to communication to the public in particular, can, as a result, not be considered as a means of censorship, which would enable a right holder to keep information out of the public sphere by exercising exclusive rights. [146] It can merely be instrumentalized to protect the specific expression of information within the control of the right holder.

55

EU copyright, as a result, only enables control over the (first lawful) access to protected subject matter, but not to protect the expressive context in which lawfully accessible works are set. The relatively high national barriers for moral rights protection will only be able to mitigate this in a very limited way. [147] Leistner criticized that the law does not differentiate between the ways in which content is contextualized. [148] But AG Szpunar has seemingly suggested to strengthen the position of moral rights in copyright law as balancing elements within the systematic structure of copyright law. [149] This means that national courts are also obliged to consider the author’s personality rights when applying exclusive rights and L&E. However, only the latter two are harmonized under EU law. [150]

56

Although copyright pursues different objectives than privacy law, it offers authors a certain degree of control through the exercise of exclusive rights. In a digital context, and by use of ICT this often implies the C2P-right. In its development by the CJEU, the right offers authors the tools to target certain audiences and control the dissemination of their expression – but not the information expressed by the work. However, the specific expression, itself reflective of the author’s personality, [151] remains relatively firmly under the control of the author.

4. Integrating privacy and copyright concepts to delimit the private-public divide

57

As much as one might be tempted to - and as some scholars indeed have done - scold the CJEU for overcomplicating the C2P-right, it reveals a particular attitude toward a borderless and limitless online environment and toward the notions of property and, by analogy, privacy.

58

The accessibility and shareability of content and data require a stricter analysis of the effect of consent. It cannot reasonably be assumed that with the release of protected subject matter, works or private data, the right holder cedes any control over its further use. The ‘new public’ criterion developed by the CJEU divides the internet into different and distinct public spheres, the publication in one of them of a given work cannot be equated with global consent for all other spheres. Similarly, the mere accessibility of private data, in some form, does not automatically permit the re-use or re-publication is some other form. Hence, an unrestricted public sphere in which protected information moves freely does not exist.

4.1. Consent and purpose specification

59

Interestingly for our purposes, European data protection legislation does not distinguish between private or publicly accessible personal information. However, the processing of data must occur “fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.”  [152] In the field of protection of private life, the notions of consent, and of purpose specification (Articles 6(a) and 5(1)(b) GDPR respectively) are essential for giving the data subject control over the dissemination of his personal data. Of particular relevance in determining the private-public divide with regard to the use of publicly available personal information is the consent-requirement for one or more specific purposes. [153] The limits of this specific consent are further circumscribed by the principle of purpose limitation, according to which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.  [154]

60

The notions of consent and purpose specification are particularly relevant for delimiting what is private, given that the ECtHR for the first time held in Satakunnan that Article 8 ECHR includes a “right to a form of informational self-determination”, which allows individuals, even when seemingly ‘neutral’ data “are collected, processed and disseminated collectively and in such a form or manner that their Article 8 rights may be engaged.”  [155] The ECtHR thereby emphasized that when personal data are concerned, it is not only the nature of the data (whether it is ‘public’ or ‘private’ data) which must be considered, but also the form and manner of processing or dissemination of that data.

61

Accordingly, consent for making personal data publicly available, especially when subject to access restrictions, is limited to that specific, explicit and legitimate purpose. Any further processing of that data, in violation of access restrictions and in a manner that could not be foreseen by the data subjects, constitutes a violation of the requirements of consent and purpose specification, and impedes upon the individual’s so-called right to informational self-determination. The principle of purpose specification in European data protection law has a crucial role in further giving a more objective and measurable character to the criterion of the REoP, by relating it to the initial legitimation and purpose of the data processing. It strengthens the objectivity of the REoP-criterion, which as we have discussed previously, incorporates both an objective notion of what information society deems individuals may be entitled to keep private and a more subjective measure of what individuals themselves believe they should be able to keep private.

4.2. Freedom of expression as a limit to privacy

62

The dissemination of personal data, and also of publicly available personal data, to the public necessarily implicates the right to freedom of expression, which includes the right to impart information. The GDPR emphasizes that the right to the protection of personal data and the right to freedom of expression and information must be reconciled by law. [156] A balance must therefore be achieved between both fundamental rights. Article 85(2) GDPR requires Member States to adopt exemptions and derogations, which are possible from most provisions of the GDPR, including exemptions and derogations from the data protection principles and data subject rights, such as the requirements of consent and purpose specification. [157] In Satamedia, the CJEU considered the scope of application of Article 9 DPD, [158] Article 85 GDPR’s predecessor, to situations of dissemination of personal information for the purpose of freedom of expression. In essence, the CJEU held that the right to protection of personal data and the right to freedom of expression must be reconciled whenever the purpose of a dissemination to the public of personal data is “the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. [159] Unfortunately, the CJEU did not further determine when exactly a dissemination of personal information is considered a “disclosure to the public”. Further clarification could help to better delimit the boundary between what can legitimately be disclosed in the public sphere and what information should remain private, since this notion determines when exemptions from data protection law protecting freedom of expression apply. Moreover, it is precisely here, where data protection legislation and the notion of ‘(new) public’ of the C2P-right may converge.

63

Although the protection of private life in public and the protection of copyright as a property right is motivated by different rationales, the reasons why they are protected are also somewhat similar in the sense that both rights are (at least partially) considered as personality rights, [160] and are protected as an emanation of the individual and reflecting on the individual. When recognizing a right to informational self-determination for individuals, also in public life, the element of control over the spread of information is strengthened. Protection of private life has thus become a tool for protecting confidentiality, as well as a tool for “control over an aspect of the identity one projects to the world”. [161] Harmonizing the interpretation of “disclosure to the public” of private information and “communication to the public” of copyrighted works would re-enforce consistency in adjudication, by attributing the same meaning to similar terms across the domains in which they are used. [162]

64

Although there is no secondary legislation in the European Union harmonizing the terms and conditions for the implementation of the right to freedom of expression in the EU Member States, the jurisprudence of the ECtHR sets the guidelines for judicial balancing when conflicts between Article 8 ECHR and Article 10 ECHR rights occur. Although the disclosure of personal and private information to the public is approached from a different angle, depending on whether an Article 8 ECHR and Article 10 ECHR perspective is used: from an Article 8 ECHR perspective, the question concerns whether an individual has a REoP in seeing that his personal information is kept private and out of the public eye, and from an Article 10 ECHR perspective, the question concerns whether the public interest in knowing about certain information legitimates the disclosure of personal information, the balancing criteria developed by the ECtHR in its case law in which Article 10 EHCR and Article 8 ECHR conflict have been unified, independent of the Article under which a claim is brought to the Court since 2012. [163] The central question in Article 10 ECHR and Article 8 ECHR conflict of rights case law thus remains under which conditions and circumstances can private information, even private information originating from the public domain, be disclosed to the public, or be further disclosed to a larger or different public than concerned by the original disclosure. A balance must be sought between both rights, and revelations of private information must be proportionate to the public interest in knowing of the disclosed information.

65

We have seen that particularly the REoP-criterion is significant for delimiting privacy in public, since the further processing and dissemination of data in a manner and scope beyond what could be reasonably expected could engage privacy protection, even if data is already publicly available. It is therefore a potentially important criterion which could contribute to getting the balance right between the right to freedom of expression and the right to protection of private life, particularly when personal or private information originating from the public domain is concerned. What can be reasonably expected is however still a somewhat indeterminate criterion and could be further defined by reference to the notion of ‘disclosure to the public’.

4.3. Squaring the triangle with privacy

66

In analogy to the jurisprudence on the C2P-right, a disclosure to the public for privacy law purposes, even of publicly accessible information would therefore also be subject to the principle of consent of the individual concerned. Based on the definition of what constitutes a ‘public’ under Article 3 of the InfoSoc Directive, a self-disclosure of private information by an individual to a small and insignificant number of people would not be considered a disclosure to the public, which consists of a large and indeterminate number of people. Disclosing private information to a new public, beyond the originally small and insignificant number of people the information was originally disclosed to, or exposing the information further than could be reasonably expected at the moment of disclosure, would require additional consent from the individual whose private information is concerned. Even more, the dissemination of private information using a different medium could also be considered a dissemination to a new public, since different media are considered to have a more harmful impact on private life than others as discussed in the jurisprudence of the ECtHR. For instance, “audio-visual media often have a much more immediate and powerful effect than the print media”, [164] whereas “the ease, scope and speed of the dissemination of information on the Internet, and the persistence of the information once disclosed” caries an even greater potential for harm to private life according to the Court. [165]

67

Even when personal data is disclosed to a large and indeterminate group of people, i.e. to the general public as in Satakunnan, but access restrictions apply, this data could still be considered private for the purposes of the application of Article 8 ECHR, when subsequent uses occurred in violation of these access restrictions. [166] This is comparable to a situation when copyright works are made available behind a paywall and a deep-link behind a technological access restriction would constitute a communication to a new public.

68

The ‘public’ could thus be considered a subdivided sphere in which several private places could be reserved for individuals. These observations could be particularly relevant for delimiting which personal information on social media merit privacy protection and require further consent from the individual concerned when reproduced, and which could be considered public. In a practical application this would mean that personal information shared on social media with a (technologically) limited number of friends falls under the protection of private life. This is because the information is shared with a determinate group of people as opposed to the public at large and does not constitute a disclosure to the public. Subsequent disclosure to an indeterminate and large group of people, whichever the technical means employed, requires consent. In the absence of access restrictions, the publication of information can be considered a disclosure to the public. However, the further dissemination of that information by different technological means, for example on television, in newspapers or in archives, requires fresh consent. As has been demonstrated, this consent requirement is analogous to the CJEU’s jurisprudence on the C2P-right. They reflect an individual’s REoP at the time of the original disclosure similar to the expectation of diverse economic exploitability in copyright law.

5. Conclusion

69

While it is true that the carving out of a larger space for private life in public may limit the right to freedom of expression and the disclosure to the public of personal information of individuals, it is important to distinguish between personal information shared by individuals in the context of friendship, work-relations, social networking, disclosures which do not reach the public at large, and personal information shared with the public at large by mass-media. The traditional media enjoy great privilege as public watchdogs for democracy when making use of the right to freedom of expression, but in return they are imposed duties of responsible journalism, including the need to ensure that disclosures of personal information are proportionate to the public interest of disclosing this information.

70

In order to fortify this stewardship over information, but also to translate the responsible use of information into non-journalistic circles, the development of an autonomous notion of ‘disclosure’ or ‘communication to the public’ would enable a more responsible use and re-use of personal data and copyrighted content. It would not lead to so much of a chilling effect on speech, but perhaps more to a chilling effect on over-information, or on careless sharing, in the face of the wide public reach of new ICT.

71

On the behavioral side, it would help laypersons lacking a relevant legal understanding usually only possessed by informed academics or lawyers to be able to anticipate the impact of their actions in relation to their own privacy and the privacy and economic rights of others. A harmonization of privacy and copyright standards under a rule of reason or reasonable expectations could, therefore, work to the benefit of legal certainty and responsible use and sharing of information.

By Dr. Bernd Justin Jütte, Assistant Professor, School of Law, University of Nottingham and Senior Researcher, Vytautas Magnus University. For correspondence bernd.jutte@nottingham.ac.uk ; Annelies Vandendriessche, Doctoral Researcher, Faculty of Law, Economics & Finance, University of Luxembourg. For correspondence annelies.vandendriessche@uni.lu .



[1] Samuel D Warren & Louis D Brandeis, ’The Right to Privacy’ [1890] Harvard Law Review 193.

[2] See only Pamela Samuelson, ‘Protecting Privacy Through Copyright Law?’ in Marc Rotenberg, Julia Horowitz & Jeramie Scott (eds), (The New Press 2014), 191 and Neil M. Richards, ‘The Puzzle of Brandeis, Privacy, and Speech’ [2010], Vanderbilt Law Review 1295.

[3] European Parliament and Council Directive 2001/29/EC of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society [2001] OJ L 167/10 (InfoSoc Directive).

[4] Walter Bryce Gallie, ‘Essentially Contested Concepts’ [1956] Proceedings of the Aristotelian Society 167, 167.

[5] Maria Brincker, ‘Privacy in Public and the Contextual Conditions of Agency’ in Tjerk Timan, Bryce C Newell & Bert-Jaap Koops (eds), Privacy in Public Space: Conceptual and Regulatory Challenges (Edward Elgar Publishing 2017) 66.

[6] ibid.

[7] ibid; Helen Nissenbaum, ’Protecting Privacy in an Information Age: The Problem of Privacy in Public.’ [1998] Law and Philosophy 559, 559.

[8] Maria Brincker, ‘Privacy in Public and the Contextual Conditions of Agency’ in Tjerk Timan, Bryce C Newell & Bert-Jaap Koops (eds), Privacy in Public Space: Conceptual and Regulatory Challenges (Edward Elgar Publishing 2017) 66.

[9] ibid.

[10] ibid; Helen Nissenbaum, ’Protecting Privacy in an Information Age: The Problem of Privacy in Public.’ [1998] Law and Philosophy 559, 559.

[11] Brincker (n 5) 66.

[12] Tjerk Timan, Bryce Newell & Bert-Jaap Koops (eds), Privacy in Public Space: Conceptual and Regulatory Challenges (Edward Elgar Publishing 2017) 3.

[13] Mathias Vermeulen, ‘The Scope of the right to private life in public spaces’ (2014) European University Institute SURVEILLE Working Paper D4.7, 5.

[14] Seyed E Dorraji & Mantas Barcys, ’Privacy in Digital Age: Dead or Alive?! Regarding the New EU Data Protection Regulations’ [2016] Social Technologies 306, 307.

[15] Gary T Marx, ’Murky conceptual waters’ [2001] Ethics and Information Technology 157, 160.

[16] Timan et al (n 9) 2.

[17] Brincker (n 4) 67.

[18] Helen Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life (Stanford University Press 2010).

[19] ibid 187.

[20] ibid 188.

[21] ibid 3.

[22] Timan et al (n 8) 2.

[23] Bart van der Sloot, ‘Privacy as Personality Right: Why the ECtHR’s Focus on Ulterior Interests Might Prove Indispensable in the Age of “Big Data”’ [2015] Utrecht Journal of International and European Law 25, 28.

[24] The basic problem of adapting Article 8 ECHR to technological developments is already reflected in and has been discussed e.g. by Peter J Hustinx, ‘Data Protection in the European Union’ (2005) Privacy & Informatie 62, 62.

[25] Kroon and Others v The Netherlands App no 18535/91 (ECtHR, 27 October 1994) para 31.

[26] Marckx v Belgium App no 6833/74 (ECtHR, 13 June 1979) para 31.

[27] Niemitz v Germany App no 13710/88 (ECtHR, 16 December 1992) para 29.

[28] ibid.

[29] ibid.

[30] ibid.

[31] Guide on Article 8 of the Convention – Right to respect for private and family life (last updated 31/12/2017) https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf 18.

[32] ibid 28.

[33] Von Hannover (No 2) v Germany App nos 40660/08 & 60641/08 (ECtHR, 7 February 2012) para 95.

[34] See Pretty v The United Kingdom App no 2346/02 (ECtHR, 29 April 2002) para 61.

[35] Bart van der Sloot, ’Privacy as Human Flourishing: Could a shift towards virtue ethics strengthen privacy protection in the age of Big Data?’ [2014] Journal of Intellectual Property, Information Technology and E-Commerce Law 230, 232.

[36] Theo Hooghiemstra, ’Informational Self-Determination, Digital Health and New Features of Data Protection’ [2019] European Data Protection Law Review 160, 167, see on the notion of positive freedoms: ‘Two Concepts of Liberty’ in Isaiah Berlin, Four Essays on Liberty (Oxford University Press 1969).

[37] See Niemitz v Germany App no 13710/88 (ECtHR, 16 December 1992) para 29.

[38] Warren & Brandeis (n 1) 195.

[39] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (adopted 28 January 1981, entered into force 1 October 1985) ETS No 108 (Convention 108).

[40] See Convention 108, art 1: the “right to privacy, with regard to automatic processing of personal data relating to him (“data protection”)”.

[41] Mathias Vermeulen (n 10) 4.

[42] See Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (10 October 2018) CETS No 223 (Protocol 223).

[43] Tyrer v The United Kingdom App no 5856/75 (ECtHR, 25 April 1978) para 31.

[44] Herke Kranenborg, ‘Article 8’ in Steve Peers, Tamara Hervey, Jeff Kenner & Angela Ward (eds), The EU Charter of Fundamental rights, A Commentary (Hart Publishing 2014) 228.

[45] Z v Finland App no 22009/93 (ECtHR, 25 February 1997) para 95.

[46] See Rotaru v Romania App no 28341/95 (ECtHR, 4 May 2000) para 43 & Amann v Switzerland App no 27798/95 (ECtHR, 16 February 2000) para 65.

[47] Rotaru v Romania App no 28341/95 (ECtHR, 4 May 2000) para 43 & PG and JH v The United Kingdom App no 44787/98 (ECtHR, 25 September 2001) para 57.

[48] Herke Kranenborg, Toegang tot documenten en bescherming van persoonsgegevens in de Europese Unie: Over de openbaarheid van persoonsgegevens (Meijers-reeks) (1st edn, Kluwer 2007) 118.

[49] ibid.

[50] ibid.

[51] Kranenborg (n 45) 119.

[52] S and Marper v The United Kingdom App nos 30562/04 & 30566/04 (ECtHR, 4 December 2008) para 67.

[53] Kranenborg (n 45) 121.

[54] ibid.

[55] Eric Barendt, ‘A reasonable expectation of privacy’: a coherent or redundant concept?’ in Andrew T Kenyon (ed), Comparative Defamation and Privacy Law (Cambridge University Press 2018), 104.

[56] Gavin Phillipson, ‘The ‘right’ of privacy in England and Strasbourg compared’ in Andrew T Kenyon & Megan Richardson (eds), New Dimensions in Privacy Law: International and Comparative Perspectives (Cambridge University Press 2011) 184; see also Raymond Wacks, ’Why there will never be an English common law privacy tort’ in Andrew T Kenyon & Megan Richardson (eds), New Dimensions in Privacy Law: International and Comparative Perspectives (Cambridge University Press 2011).

[57] Barendt (n 52) 105.

[58] ibid 102.

[59] ibid 105.

[60] ibid 106.

[61] Kranenborg (n 41) 121.

[62] ibid.

[63] ibid.

[64] PG and JH v The United Kingdom App no 44787/98 (ECtHR, 25 September 2001) para 57.

[65] Guide on Article 8 of the Convention – Right to respect for private and family life (last updated 31/12/2017) https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf 28.

[66] PG and JH v The United Kingdom App no 44787/98 (ECtHR, 25 September 2001) para 57.

[67] Satakunnan Markinapörssi Oy and Satamedia Oy v Finland App no 931/13 (ECtHR, 27 June 2017) para 190.

[68] ibid para 52.

[69] ibid.

[70] ibid, para 49.

[71] ibid, para 51.

[72] ibid, para 12.

[73] ibid, para 12.

[74] ibid, paras 196-199.

[75] ibid, paras 138.

[76] S and Marper v The United Kingdom App nos 30562/04 & 30566/04 (ECtHR, 4 December 2008) para 66.

[77] Niemitz v Germany App no 13710/88 (ECtHR, 16 December 1992) para 29.

[78] Smirnova v Russia App nos 46133/99 & 48183/99 (ECtHR, 2003) para 95.

[79] PG and JH v The United Kingdom App no 44787/98 (ECtHR, 25 September 2001) para 56.

[80] Amann v Switzerland App no 27798/95 (ECtHR, 16 February 2000) para 65.

[81] Von Hannover v Germany App no 59320/00 (ECtHR, 24 June 2004) paras 74-75 & para 77.

[82] Uzun v Germany App no 35623/05 (ECtHR, 2 September 2010) paras 44-46.

[83] Satakunnan Markinapörssi Oy and Satamedia Oy v Finland App no 931/13 (ECtHR, 27 June 2017) paras 138.

[84] ibid, para 138.

[85] Satakunnan Markinapörssi Oy and Satamedia Oy v Finland App no 931/13 (ECtHR, 27 June 2017) para 169.

[86] Couderc and Hachette Filipacchi Associés v France App no 40454/07 (ECtHR, 10 November 2015) para 102.

[87] Satakunnan Markinapörssi Oy and Satamedia Oy v Finland App no 931/13 (ECtHR, 27 June 2017) paras 173-174.

[88] ibid, para 176.

[89] ibid, para 176.

[90] ibid, para 177.

[91] ibid, paras 179-181.

[92] ibid, para 179.

[93] ibid, para 181.

[94] Satakunnan Markinapörssi Oy and Satamedia Oy v Finland App no 931/13 (ECtHR, 27 June 2017) paras 182-185.

[95] ibid, paras 184 &185.

[96] ibid, paras 186-196.

[97] ibid, para 190.

[98] ibid.

[99] ibid, paras 186-196.

[100] ibid, 196-199.

[101] See the von Hannover cases, in which the ECtHR continuously developed the protection of privacy for public figures based on their prior behavior, see in particular in Von Hannover v Germany (No 1) App no 59320/00 (ECtHR, 24 June 2004) paras 70-75.

[102] Jane C Ginsburg, ‘A Tale of Two Copyrights: Literary Property in Revolutionary France and America’ [1990] Tulane Law Review 991, 1013; Paul Goldstein & P Bernt Hugenholtz, International Copyright: Principles, Law, and Practice (3rd edn, Oxford University Press 2012) 6.

[103] CJEU, Judgment of 29.01.2008, Promusicae, Case C-275/06, EU:C:2008:54, para 51.

[104] European Parliament and Council Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector [2002], OJ L 201/37 (E-Privacy Directive), art 15.

[105] Article 3 of the directive serves to implement Article 8 of the WIPO Copyright Treaty (1996), see also InfoSoc Directive, recital 15.

[106] The majority of these exceptions at EU level are contained in Article 5 of the Information Society Directive, including exceptions for quotations for purposes such as criticism or review and uses for the purpose of caricature, parody or pastiche, both of which have been made mandatory for uses on online platforms, which fall within the scope of Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC [2019], OJ L 130, 17.5.2019, p. 92–125 (DSM Directive), see in this regard João Quintais, Giancarlo Frosio, Stef van Gompel, P. Bernt Hugenholtz, Martin Husovec, Bernd Justin & Martin Senftleben, Safeguarding User Freedoms in Implementing Article 17 of the Copyright in the Digital Single Market Directive: Recommendations from European Academics (November 11, 2019). Available at SSRN:  https://ssrn.com/abstract=3484968 , in particular p. 3. The general and global rule for exceptions to copyright is contained in Article 5(5) of the Information Society Directive, which contains a slightly modified version of the International three-step test, as it first appeared in the 1973 revision of the Berne Convention. Due to the structure of the international and European norms the test binds the national legislator when implementing the exceptions of the InfoSoc Directive and serves an interpretative aid when applying the exceptions as implemented into national law, see Richard Arnold & Eleonora Rosati, ’Are national courts the addressees of the InfoSoc three-step test?’ [2015] Journal of Intellectual Property Law & Practice 741; see for an application of the text in CJEU, Judgment of 26.04.2017, Stichting Brein, Case C-527/15, EU:C:2017:300 paras 63-70.

[107] AG Szpunar, Opinion of 12.12.2018 in Pelham and Others, Case C-476/17, EU:C:2018:1002, para 98, confirmed by the Court in CJEU, Judgment of 29.07.2019, Pelham and Others, Case C-476/17, EU:C:2019:624, paras 56-65. For a recent argument for a more flexible norm to permit unauthorised uses see Christophe Geiger & Elena Izyumenko, ‘Towards a European ‘Fair Use’ Grounded in Freedom of Expression’ (April 26, 2019). Forthcoming in: American University International Law Review, Vol. 35, No. 1, 2019; Centre for International Intellectual Property Studies (CEIPI) Research Paper No. 02-19. Available at SSRN: https://ssrn.com/abstract=3379531 or  http://dx.doi.org/10.2139/ssrn.3379531 .

[108] AG Szpunar, Case C-476/17 (Pelham and Others), para 56.

[109] CJEU, Judgment of 7.12.2006, SGAE v Rafael Hoteles, Case C-306/05, EU:C:2006:764, paras 40-41.

[110] ibid, para 42, the CJEU has also interpreted this criterion to the effect that the mere provision of a directory of torrent files (CJEU, Judgment of 14.06.2017, Ziggo, Case C-610/15, EU:C:2017:456, para 26) and even the sale of a receiver box that contains software that makes links to unauthorised streaming offers available to owners of such a box are, if not indispensable interventions, interventions that significantly facilitate access to infringing content (CJEU, C-527/15 (Stichting Brein), para 41)

[111] This rather murky criterion has been developed by the CJEU in a line of cases from CJEU, C-306/05 (SGAE v Rafael Hoteles), para 42 to CJEU, C-610/15 (Ziggo), para 36; on the gradual softening of the ‘indispensability’ requirement see João Pedro Quintais, ‘Untangling the hyperlinking web: In search of the online right of communication to the public’ [2018] The Journal of World Intellectual Property 385, 388.

[112] CJEU, Judgment of 15.03.2012, SCF, Case C-135/10, EU:C:2012:140, para 86.

[113] CJEU, C-306/05 (SGAE v Rafael Hoteles), paras 37-38.

[114] Quintais (n 108) 397-398; see for example CJEU, C-306/05 (SGAE v Rafael Hoteles), para 39; CJEU, Judgment of 08.09.2016, GS Media, Case C-160/15, EU:C:2016:644, paras 47-53.

[115] According to the Court in CJEU, C-306/05 (SGAE v Rafael Hoteles), the retransmission of a broadcast signal to individual hotel rooms constitutes a “transmission [that] is made to a public different from the public at which the original act of communication of the work is directed, that is, to a new public.” (para 40).

[116] CJEU, Judgment of 07.03.2013, ITV Broadcasting, Case C-607/11, EU:C:2013:147, paras 24-26.

[117] Bernd Justin Jütte, ‘Ein horizontales Konzept der Öffentlichkeit - Facetten aus dem europäischen Urheberrecht’ [2018] UFITA - Archiv für Medienrecht und Medienwissenschaft 354, 363.

[118] Although copyright law also provides other mechanisms, such as moral rights, that can be advanced against the distortion of information.

[119] CJEU, Judgment of 13.02.2014, Svensson and Others, Case C-466/12, EU:C:2014:76 paras 17-23, where the Court argues that the notion of an act of communication must be interpreted broadly and that for there to be an act of communication “it is sufficient, in particular, that a work is made available to a public in such a way that the persons forming that public may access it, irrespective of whether they avail themselves of that opportunity“. Critically, suggesting that hyperlinking is not an active act of communication, P Bernt Hugenholtz & Sam C van Velze, ’Communication to a New Public? Three reasons why EU copyright law can do without a ‘new public’’ [2016] International Review of Intellectual Property and Competition 797–816, 813.

[120] CJEU, C-466/12 (Svensson and Others), paras 27-28.

[121] CJEU, Order of 21.10.2014, BestWater, Case C-348/13, EU:C:2014:2315.

[122] CJEU, Judgment of 29.07.2019 in Funke Medien NRW, Case C-469/17, EU:C:2019:623.

[123] See also for similar cases in the UK, where courts have relied inconsistently on the public interest defence in s.171(3) of the 1988 Copyright, Designs and Patents, Act; Ashdown v Telegraph Group Ltd [2001] EWCA Civ 1142; [2002] Ch. 149 (CA (Civ Div) and Hyde Park Residence Ltd v. Yelland [2001] Ch. 143 (CA), se.. e.g. Jonathan Griffiths, ‘Copyright Law after Ashdown – time to deal fairly with the public’ [2002] Intellectual Property Quarterly 240.

[124] CJEU, C-160/15 (GS Media), para 45.

[125] For non-commercial users who link to content which is freely available on the internet it is assumed that they “[do] not know and cannot reasonably know” (CJEU, C-160/15 (GS Media), para 47) that the content to which the link is set has been uploaded without the consent of the right holder. This means that such a user does not act in full knowledge of the consequences of his actions.

[126] Commercial users, on the other hand, are expected to be able to identify unauthorised content on the internet and incur an obligation to check whether content has been uploaded with the consent of the right holder. This applies in particular when a link enables the circumvention of technical barriers, the passing of which would require individual authorisation, possible against remuneration, CJEU, C-160/15 (GS Media), paras 49-51. Article 17 deals with uploads to platforms and not mere hyperlinking. Furthermore, Article 17 serves a different purpose and entails an obligation to license, viz. more information should be made available legally, which does not affect the basic right to refuse authorization for publication.

[127] Matthias Leistner, ’Copyright law on the internet in need of reform: hyperlinks, online platforms and aggregators’ [2017] Journal of Intellectual Property Law & Practice 136, 138 (with further references).

[128] CJEU, C-160/15 (GS Media), para 53.

[129] The ECtHR includes in its balancing between the right to freedom of expression (Article 10) and the right to privacy (Article 8) whether the information used by journalists or other public watchdogs, such as NGOs, has been acquired in good faith and is based “on an accurate factual basis and provide ‘reliable and precise’ information in accordance with the ethics of journalism”, Axel Springer AG v. Germany (No. 1) App no 39954/08 (ECtHR, 7 February 2012) para 93. For more information on the public watchdog function of NGOs see also Animal Defenders International v The United Kingdom App no 48876/08 (ECtHR, 22 April 2013) para 103; Magyar Helsinki Bizottság v Hungary App no 18030/11 (ECtHR, 8 November 2016) para 166.

[130] AG Cámpos-Bordona, AG Sanchez, Opinion of 25.04.2018, Renckhoff, Case C‑161/17, EU:C:2018:279, para 97.

[131] ibid, para 104.

[132] CJEU, Judgment of 07.08.2018, Renckhoff, Case C‑161/17, EU:C:2018:634.

[133] Ohly distinguishes between direct and indirect interventions (see Ansgar Ohly, ’Unmittelbare und mittelbare Verletzung des Rechts der öffentlichen Wiedergabe nach dem „Córdoba“-Urteil des EuGH’ [2018] Geweblicher Rechtschutz und Urheberrecht 996, 998); only the former constitutes an act of communication to the public as they generate a new audience. Mere indirect interventions require additional qualifying elements in order to constitute an infringement of the exclusive right.

[134] CJEU, C‑161/17 (Renckhoff), para 30.

[135] CJEU, C‑161/17 (Renckhoff), para 44.

[136] CJEU, C‑161/17 (Renckhoff), paras 32-33; see also Jütte (n 114), 366.

[137] AG Szpunar, Opinion of 10.01.2019, Spiegel Online, Case C-516/17, EU:C:2019:16, para 74; however, the AG suggests, in passing, that his conclusion would have been different had the author of the article deleted the work; the situation would then have to be reconsidered in the light of the right to freedom of expression.

[138] CJEU, Judgment of 29.07.2019, Spiegel Online, Case C-516/17, EU:C:2019:625, para 95, in this case, the text published on the website had been accompanied with annotations with which the author indicated that he had distanced himself from the text, the republished version on Spiegel Online’s website did not include these annotations.

[139] See Article 5(3)(k), (a) and (d) InfoSoc Directive, respectively.

[140] See e.g. CJEU, Judgment of 4.10.2011, FAPL/Murphy, Joined cases C-403/08 and C-429/08, EU:C:2011:631, para 162 and CJEU, Judgment of 03.09.2014, Deckmyn, Case C-201/13, EU:C:2014:2132, para 22.

[141] See for example Péter Mezei, Copyright Exhaustion: Law and Policy in the United States and the European Union (Cambridge University Press 2018), 140-141; Pascale Chapdelaine, Copyright User Rights: Contracts and the Erosion of Property (Oxford University Press 2017), 111.

[142] See Article (2) InfoSoc Directive.

[143] The CJEU confirmed this in CJEU, Judgment of 19.12.2019, Tom Kabinet, Case C-263/18, EU:C:2019:1111, see for an exception under the Software Directive in CJEU, Judgment of 03.07.2012, UsedSoft, Case C-128/11, EU:C:2012:407, however under the caveat that the conditions under which the software had originally been marketed are carried over when resold. See for an argument for the application of the doctrine to digital content Mezei (n 138), 139 et seq., similarly Bernd Justin Jütte, Reconstructing European Copyright Law for the Digital Single Market: Between Old Paradigms and Digital Challenges (Nomos 2017), Chapter 3.A.V.

[144] Three of the most recently decided cases are Case C-469/17 (Funke Medien NRW), C-476/17 (Pelham and Others); CJEU, C-516/17 (Spiegel Online), on the Pelham reference see Bernd Justin Jütte & Henrike Maier, ’A Human Right to Sample – Will the CJEU Dance to the BGH-Beat’ [2017] Journal of Intellectual Property Law & Practice 784, and a summary of all three cases Bernd Justin Jütte, Finding Comfort between a rock and a hard place – Advocate General Szpunar on striking the balance in copyright law, available at: https://europeanlawblog.eu/2019/02/28/finding-comfort-between-a-rock-and-a-hard-place-advocate-general-szpunar-on-striking-the-balance-in-copyright-law/ accessed: 01.08.2019

[145] See the interpretation of AG Szpunar of Article 5(3)(e) in AG Szpunar, C-516/17 (Spiegel Online), paras 53-58.

[146] AG Szpunar, Opinion of 25.10.2018, Funke Medien NRW, Case C-469/17, EU:C:2018:870, para 64.

[147] Leistner (n 124), 137-39.

[148] ibid, 139.

[149] AG Szpunar, C-516/17 (Spiegel Online), para 77.

[150] AG Szpunar, C-516/17 (Spiegel Online), paras 55-57, and implicitly CJEU, C-516/17 (Spiegel Online), para 95.

[151] See CJEU, Judgment of 11.12.2011, Painer, Case C-145/10, EU:C:2011:798, para 94.

[152] Charter of Fundamental Rights of the European Union [2000], OJ C 364/1, art 8(2).

[153] European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016], OJ L 119/1 (GDPR), art 6(a).

[154] GDPR, art 5(1)(b).

[155] Satakunnan Markinapörssi Oy and Satamedia Oy v Finland App no 931/13 (ECtHR, 27 June 2017) para 137.

[156] GDPR, art 85(1).

[157] GDPR, art 85(2).

[158] European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/ 31 (Data Protection Directive).

[159] CJEU, Judgment of 16.12.2008, Satakunnan Markkinapörssi and Satamedia, Case C-73/08, EU:C:2008:727, para 61.

[160] For more information on the development of the right to protection of private life as protected under Article 8 ECHR into a personality right, see Bart van der Sloot, ‘Privacy as Personality Right: Why the ECtHR’s Focus on Ulterior Interests Might Prove Indispensable in the Age of “Big Data”’ [2015] Utrecht Journal of International and European Law 25.

[161] Philip E Agre & Marc Rotenberg, Technology and Privacy: The New Landscape (MIT Press 1998) 7.

[162] The Court has already referred to certain concepts, amongst them the right of communication to the public, as autonomous concepts under EU law (implicit in CJEU, C-466/12 (Svensson and Others), para 34) see also for limitations and exceptions CJEU, C-201/13 (Deckmyn), para. 14. See also Raquel Xalabarder, ’The Role of the CJEU in Harmonizing EU Copyright Law’ [2016] International Review of Intellectual Property and Competition 635, 635.

[163] See Axel Springer AG v Germany App no 39954/08 (ECtHR, 7 February 2012) & Von Hannover (No 2) v Germany App nos 40660/08 & 60641/08 (ECtHR, 7 February 2012).

[164] Delfi AS v Estonia App no 64569/09 (ECtHR, 16 June 2015) para 134.

[165] ibid para 147.

[166] Publicity of Finnish tax data is authorised by law and is therefore not subject to individual consent by the data subject. See Sections 1-3 of the Act on the Public Disclosure and Confidentiality of Tax Information ( no. 1346/1999) which provide for the publicity of tax information, subject to access requests in the framework of Act on the Openness of Government Activities (621/1999) and subject to data protection law restrictions pursuant to the Personal Data Act (523/1999).