Constitutional Data Protection Law
Data protection is a fundamental right in the European Union, distinct from the right to privacy. This article explores its constitutional foundations, tracing its development from national constitutions to the EU Charter of Fundamental Rights and the jurisprudence of the CJEU.
Key point: Although the right to data protection is neither part of the US Constitution nor part of US constitutional case law, it has been recognized by the constitutions of countries other than the US since the 70’s and it is today a fundamental right in the EU.
The right to personal data protection is a relative newcomer. The first piece of data protection legislation was enacted in 1970 by the German state of Hesse (1), it was followed by Sweden in 1973 (2) and, subsequently, by other European countries. One early example of the recognition of the right to data protection at the constitutional level is Article 18(4) of the 1978 Constitution of Spain.
The right to data protection is enshrined in European Union (EU) primary law (the functional equivalent of EU constitutional law) and in the constitutions of several individual countries.
Constitutional recognition of the right to data protection in individual countries
Key point
The right of data protection has been in the Constitution of individual countries since the 70s.
The first constitutional recognition of the right to data protection is likely Article 35 of Portugal’s 1976 constitution. Article 18 (4) of the 1978 Constitution of Spain also recognized data protection as a separate and independent right.
A more modern example is the 2018 modification of Article 4 of Chile’s Constitution which enshrined the right to data protection.
The constitutional right to data protection in Portugal

Article 35 of the 1976 Constitution of Portugal is likely the first constitution in Europe to recognize a right to data protection. The original version of states:
ARTICLE 35 (Use of computers)
(1) Every citizen has the right to access to all computerised data that concern him, to be informed of the purpose for which they are intended, all as laid down by law, and to require that they be corrected and updated.
(2) Computers shall not be used to process data concerning political affiliation, religion, or private life, except where the processing of data is done for the purpose of processing statistical data that cannot be individually identified.
(3) The allocation of a single national number to any citizen shall be prohibited.
The Constitution of Portugal has been amended several times to expand the specific requirements associated with the right to data protection.

The Constitutional right to data protection in Spain

The 1978 Constitution of Spain enshrines the right to data protection in Article 18.4 which states:
The law shall limit the use of computerized systems to ensure respect for the honor and the private family life of citizens and the full exercise of all their other rights
The conceptualization the right to data protection in Spain is closely associated with what has been called the right to “information self-determination”.
In 1992 (that is to say, three years before the EU 1995 data protection directive was enacted) Spain enacted its first data protection law: The Organic Law 5/1992, of October 29, regulating the processing of personal data through automated means (LORTAD). This law was superseded by the law that incorporated into the Spanish legal system the 1995 data protection directive.
Since 1993 the Spanish Constitutional Court (the equivalent of SCOTUS in Spain) has taken the position that the right to data protection guaranteed by Article 18.4 of the Spanish Constitution is a fundamental right separate and distinct from the right to privacy (see, STC 254/1993, July 20).
The concept of the right to data protection has been developed through consistent constitutional case law (see, STC 292/2000, of November 30 stating that the right to data protection “is not restricted to the private information of an individual, but rather extends protection to all personal data, private or not, which knowledge or use by third parties could affect the rights of data subjects, whether those rights are constitutionally protected or not. Therefore, the scope of the right to data protection is not limited to the right of privacy which is separately protected by Article 18.1 of the Spanish Constitution and not by the right to data protection. Non private information is within the scope of the right to data protection despite the fact that the information is of public knowledge. In the same way, the requirement that data be personal does not mean that only data related to the private life of individuals is subject to the right to data protection. In fact, the scope of the right to data protection extends to all data that identifies or is capable of identifying a person and can therefore be used to profile an individual on the basis of his or her beliefs, race, sex life, sociology-economic status or any other characteristic, or to in any way threaten the rights of individuals”)

The right to data protection in EU “primary law”
Key Point:
The right to data protection is ‘constitutionally’ protected in the EU
The right to data protection is enshrined in the Charter of Fundamental Rights of the EU as a separate and independent right from the right to privacy.
NOTE: If you are not familiar with what the Charter is and what it does, you can read a short article about it here.
The right to data protection in the EU Charter
Key point:
The Charter explicitly raises the level of the right to data protection (Article 8) to that of a fundamental right in EU law, separate and at the same level as the right to privacy (Article 7).
The Charter not only guarantees the respect for private and family life (Article 7), but also establishes the right to the protection of personal data (Article 8). The Charter explicitly raises the level of this protection to that of a fundamental right in EU law. EU institutions and bodies must guarantee and respect this right, as do Member States when implementing Union law (Article 51 of the Charter). Specifically:
Article 8:
“ Protection of personal data.
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid hdown by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”
Although not all EU State Members had constitutionally recognized the right to data protection in their respective jurisdictions, the right was included into the Chapter with the support of Article 29 Working Party in order to ensure that its protection as “a legal requirement throughout the Union” and to “reflect its increasing importance in the information society” (see, A29WP Recommendation 4/99). The interpretation of Article 8 has been developed though CJEU jurisprudence.
Formulated several years after the Data Protection Directive, Article 8 of the Charter must be understood as embodying per-existing EU data protection law. The Charter, therefore, not only explicitly mentions a right to data protection in Article 8 (1), but also refers to key data protection principles in Article 8 (2). Finally, Article 8 (3) of the Charter requires an independent authority to control the implementation of these Principles.
The role of the Court of Justice of the European Union (CJEU)
Key point:
The EU fundamental right to data protection and the conditions for limiting such right have been developed and interpreted through the case law of the CJEU.
The CJEU has jurisdiction in determining whether or not a Member State has fulfilled its obligations under EU data protection law, and in interpreting EU legislation to ensure its effective and uniform application throughout the Member States. Since adoption of the Data Protection Directive in 1995, a considerable body of case law has accumulated, clarifying the scope and meaning of the data protection principles and the fundamental right to personal data protection as enshrined in Article 8 of the Charter. Even though the directive has been repealed and a new legal instrument — the General Data Protection Regulation — is now in force, that per-existing case law remains relevant and valid for the interpretation and application of EU data protection principles, to the extent that the core principles and concepts of the Data Protection Directive were kept in the GDPR.
Permissible limitations to the EU fundamental right to data protection
Key Point:
Under EU law, any processing personal data constitutes lawful interference with the right to data protection and can only be carried out if it:
(1) is in accordance with the law;
(2) respects the essence of the right;
(3) subject to the principle of proportionality, is necessary; and
(4) pursues an objective of general interest recognised by the EU, or the need to protect the rights of others.
The fundamental right to personal data protection under Article 8 of the Charter is not an absolute right, “but must be considered in relation to its function in society” (4). According to Article 52 (1) of the Charter,limitations on the exercise of the rights and freedoms recognized by the Charter must be in accordance with the law, respect the essence of the right, be subject to the principle of proportionality and necessity and pursue objectives of general interest recognized by EU law.
As personal data protection is a distinct and stand-alone fundamental right in the EU legal order, protected under Article 8 of the Charter, any processing of personal data by itself constitutes an interference with this right. It is immaterial whether the personal data in question relate to an individual’s private life, are sensitive, or whether the data subjects have been inconvenienced in any way.
To be lawful, the interference has to (1) be in accordance with the law; (2) respect the essence of the right; (3) subject to the principle of proportionality, is necessary; and (4) pursue an objective of general interest recognized by the EU, or the need to protect the rights of others.
See, Article 52(10 of the Chapter of Fundamental Rights of the EU and “SCHECKE”
(1) Provided by law
Limitations on the right to personal data protection must be provided for by law. This requirement implies that limitations must be based on a legal basis that is adequately accessible and foreseeable and formulated with sufficient precision to enable individuals to understand their obligations and regulate their conduct. The legal basis must also clearly define the scope and manner of the exercise of the power by the competent authorities to protect individuals against arbitrary interference (5).
(2) Respect the essence of the right
In the EU legal order, any limitation on the fundamental rights protected under the Charter must respect the essence of those rights. This means that limitations that are so extensive and intrusive so as to devoid a fundamental right of its basic content cannot be justified. If the essence of the right is compromised, the limitation must be considered unlawful, without a need to further assess whether it serves an objective of general interest and satisfies the necessity and proportionality criteria.
The CJEU has never completely articulated what exactly is the core layer of the right to personal data protection. However, there are some interesting CJEU decisions on this point. For example, in Digital Rights Ireland a case where legislation mandating the retention of metadata on electronic communications (such as date, time, and duration of a communication, the calling number, numbers called, and IP addresses) by electronic communications services was struck down, the Court however held that the essence of the right to personal data protection was not compromised by such law where the law required electronic communication services to respect certain principles of data protection and data security and to implement appropriate technical and organizational measures to this end. By contrast, in the Schrems case, the CJEU held that legislation permitting public authorities to access, on generalized basis, the content of electronic communications would compromise “the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Chapter” but, by implication, not the essence of the fundamental right to personal data protection. In the same case the CJEU observed that “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data” is incompatible with the right to effective judicial protection in Article 47 of the Charter but, by implication, not with the essence of the right to personal data protection. The points raised in Schrems and Digital Rights Ireland are important because they make clear that, at least from a EU perspective, imposing the obligation to respect certain principles of data protection and data security and implement appropriate technical and organizational measures is a core component of the right to personal data protection while requiring limitations on the access to personal data by public authorities or enacting legislation providing for an individual right to pursue legal remedies are not. (For a more analysis of these two cases see end-notes 6 & 7)
(3) Necessity and proportionality:
Article 52 (1) of the Charter provides that, subject to the principle of proportionality, limitations on the exercise of the fundamental rights and freedoms recognized by the Charter may be made only if they are necessary.
A limitation may be necessary if there is a need to adopt measures for the public interest objective pursued — but necessity, as interpreted by the CJEU, also implies that the measures adopted must be less intrusive compared to other options for achieving the same goal. For limitations on the rights to respect for private life and protection of personal data, the CJEU applies a strict necessity test, holding that “derogation and limitations must apply only in so far as strictly necessary”. If a limitation is deemed to be strictly necessary, there is also a need to assess whether it is proportionate. (See End-note 8)
Proportionality means that the advantages resulting from the limitation should outweigh the disadvantages the latter causes on the exercise of the fundamental rights at stake.65 To reduce disadvantages and risks to the enjoyment of the rights to privacy and data protection, it is important that limitations contain appropriate safeguards. (See, End-note 9 and examples in Endnotes 10, 11 and 12)
A similar approach, as regards necessity, is taken by the European Data Protection Supervisor in its Necessity Toolkit. The toolkit aims to help assessment of compliance of proposed measures with EU law on data protection. It was developed to better equip EU policymakers and legislators responsible for preparing or scrutinizing measures that involve processing of personal data and limit the right to personal data protection and other rights and freedoms laid down in the Charter. (See End-note 8)
(4) Objectives of general interest:
To be justified, any limitation on the exercise of the rights recognized by the Charter must also genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of other persons. Concerning the need to protect the rights and freedoms of others, the right to protection of personal data often interacts with other fundamental rights. Objectives of general interest include the general objectives of the EU affirmed in Article 3 of the Treaty on the European Union (TEU), such as the promotion of peace and of the well-being of its peoples, social justice and protection and the establishment of an area of freedom, security and justice in which free movement of persons is ensured, in conjunction with appropriate measures to prevent and combat crime, as well as other objectives and interests protected by specific provisions of the treaties. The General Data Protection Regulation (GDPR) further specifies Article 52 (1) of the Charter in this regard: Article 23 (1) of the regulation lists a series of objectives of general interest considered legitimate for limiting the rights of individuals, provided that the limitation respects the essence of the right to personal data protection and is necessary and proportionate. National security and defense, crime prevention, the protection of important economic and financial interests of the EU or Member States, public health and social security are among the public interest aims mentioned therein.
It is important for EU laws to define and explain the objective of general interest pursued by the limitation in sufficient detail, as the necessity of the limitation will be assessed against that background. A clear, detailed description of the objective of the limitation and the measures proposed is essential to allow the assessment as to whether it is necessary. The objective pursued, and necessity and proportionality of the limitation are closely linked. (See Endnote 13 for an example)
Interaction of the fundamental right to data protection with other rights and legitimate interests
Key point:
When different rights such as the right to data protection, the right to free speech and the right to privacy are at stake, courts must carry out a balancing exercise to reconcile them.
The right to data protection often interacts with other rights, such as freedom of expression and the right to receive and impart information. This interaction is often ambivalent: while there are situations where the right to personal data protection is in tension with a specific right, there are also situations where the right to personal data protection effectively ensures the respect of the same specific right.
The need to protect the rights and freedoms of others is one of the criteria used to assess the lawful limitation of the right to personal data protection.
- The General Data Protection Regulation requires Member States to reconcile the right to personal data protection with freedom of expression and information.
- Member States may also adopt specific rules in national law to reconcile the right to personal data protection with public access to official documents and obligations of professional secrecy.
End notes:
- Datenschutzgesetz, 7 Oct. 1970, § 6, 1 Gesetz- und Verordnungsblatt für das Land Hessen 625 (1970).
- Datalagen (Swedish Data Act) of May 11, 1973, entered into force 1 July 1973.
- NOTE: The Charter also recognizes a right to privacy (under Article 7 of the Charter- “Privacy. Everyone has the right to respect for his or her private and family life, home and communications”) and a right to Freedom of expression (under Article 11 of the Charter — “Freedom of expression and information.1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. 2. The freedom and pluralism of the media shall be respected.”)
- See, for example, CJEU, Joined cases C-92/09 and C-93/09, Volker und Markus Schecke GbR and Hartmut Eifert v. Land Hessen [GC], 9 November 2010, para. 48.
- This interpretation resembles the requirement for “lawful interference” under the ECtHR case law, and it has been argued that the meaning of the expression “provided for by law” used in the Charter should be the same as that ascribed to it in connection with the ECHR. The case law of the ECtHR, and especially the concept of “quality of the law” it has developed throughout the years, is a relevant consideration to be taken into account by the CJEU when interpreting the scope of Article 52 (1) of the Charter. See CJEU, Joined cases C-203/15 and C-698/15, Tele2 Sverige AB v. Post- och telestyrelsen and Secretary of State for the Home Department v. Tom Watson, Peter Brice, Geoffrey Lewis, Opinion of Advocate General Saugmandsgaard Øe, delivered on 19 July 2016, para. 140; and CJEU, C-70/10, Scarlet Extended SA v. Société belge des auteurs compositeurs et éditeurs (SABAM), Opinion of Advocate General Cruz Villalón, delivered on 14 April 2011, para. 100.
- Example Schrems: The Schrems case (CJEU, C-362/14, Maximillian Schrems v. Data Protection Commissioner [GC], 6 October 2015) concerned the protection of individuals regarding the transfer of their personal data to third countries — in this case, the United States. Schrems, an Austrian citizen who had been a Facebook user for several years, lodged a complaint with the Irish data protection supervisory authority to denounce the transfer of his personal data from Facebook’s Irish subsidiary to Facebook Inc. and the servers located in the US, where they were processed. He argued that, in light of the 2013 revelations by Edward Snowden, an American whistle-blower, concerning the surveillance activities of US surveillance services, the law and practice of the US did not offer sufficient protection to personal data transferred to US territory. Snowden had revealed that the National Security Agency tapped directly into the servers of firms, such as Facebook, and could read the content of chats and private messages. Transfers of data to the US were based on a Commission adequacy decision, adopted in 2000, allowing transfers to US companies that self-certified that they would protect personal data transferred from the EU and would comply with the so-called “Safe Harbor principles”. When the case was brought before the CJEU, it examined the validity of the Commission decision in light of the Charter. It recalled that fundamental rights protection in the EU requires derogation and limitations to those rights to apply only in so far as strictly necessary. The CJEU regarded legislation permitting public authorities to access, on a general basis, the content of electronic communications as “compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”. The right would be rendered meaningless if US public authorities were authorized to access communications on a casual basis, without any objective justification based on concrete considerations of national security or crime prevention that are specific individual concerned, and without those surveillance practices being accompanied by appropriate safeguards against abuse of power. Moreover, the CJEU observed that “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data” is incompatible with the fundamental right to effective judicial protection (Article 47 of the Charter). Thus, the Safe Harbor Decision failed to ensure a level of fundamental rights protection by the US essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The CJEU consequently invalidated the decision. NOTE: The CJEU decision to invalidate Commission Decision 520/2000/EC was also based on other grounds that will be examined in other sections of this handbook. Notably, the CJEU considered that the decision unlawfully restricted the powers of national data protection supervisory authorities. In addition, under the Safe Harbor regime, there were no judicial remedies available for individuals in case they wished to access the personal data concerning them and/or obtain their rectification or deletion. Thus, the essence of the fundamental right to effective judicial protection, enshrined in Article 47 of the Charter, was also compromised.
- See, Joined cases C-293/12 and C-594/12, Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others.
- On assessing the necessity of measures limiting the fundamental right to the protection of personal see: EDPS (2017), Necessity Toolkit, Brussels, 11 April 2017. See also CJEU, Opinion 1/15 of the Court (Grand Chamber), 26 July 2017
- EDPS (2017), Necessity Toolkit, p. 5.
- Example/Schcke: See, Joined cases C-92/09 and C-93/09, Volker und Markus Schecke GbR and Hartmut Eifert v. Land Hessen
- See, Joined cases C-293/12 and C-594/12, Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others.
- Example/Tele2: The CJEU came to a similar conclusion in the joined cases Tele2 ( CJEU, Joined cases C-203/15 and C-698/15, Tele2 Sverige AB v. Post- och telestryrelsen and Secretary of State for the Home Department v. Tom Watson and Others [GC], 21 December 2016, para. 105–106.) These concerned the retention of traffic and location data of “all subscribers and registered users and all means of electronic communication as well as metadata” without “differentiation, limitation or exception according to the objective pursued”. In the case at hand, whether or not a person was linked, directly or indirectly, to serious criminal offenses, or whether or not his or her communications were relevant for national security, was not a condition to have their data retained. In view of the absence of either a required link between the retained data and a threat to public security or time period or geographical area restrictions, the CJEU concluded that the national legislation exceeded the limits of what was strictly necessary for the purpose of fighting against serious crime.
- Example/Schwarz: The Schwarz v. Stadt Bochum case (CJEU, C-291/12, Michael Schwarz v. Stadt Bochum, 17 October 2013) concerned limitations on the right to respect for private life and the right to personal data protection arising from the taking and storing of fingerprints when Member State authorities issue passports. The applicant applied to Stadt Bochum for a passport, but refused to have his fingerprints taken; following this, the Stadt Bochum refused his passport application. He then brought an action before a German court to have a passport issued without this fingerprints being taken. The German court referred the issue to the CJEU, asking whether Article 1 (2) of Regulation 2252/2004 on standards for security features and bio metrics in passports and travel documents issued by Member States is to be considered valid. The CJEU pointed out that fingerprints constitute personal data, as they objectively contain unique information about individuals that allows them to be identified with precision, while taking and storing fingerprints constitute processing. The latter processing, which is governed by Article 1 (2) of Regulation №2252/2004, constitutes a threat to the rights to respect for private life and personal data protection. However, Article 52 (1) of the Charter allows for limitations on the exercise of those rights, so long as these limitations are provided for by law, respect the essence of those rights and, in accordance with the principle of proportionality, are necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others. In the present case, the CJEU first noted that the limitation arising from the taking and storing of fingerprints when issuing passports must be considered to be provided for by law since those operations are provided for by Article 1 (2) of Regulation №2252/2004. Second, the latter regulation was designed to prevent the falsification of passports and their fraudulent use. Thus, Article 1 (2) is in place to prevent, among others, illegal entry into the EU, and so pursues an objective of general interest recognized by the Union. Third, it was not apparent from the evidence available to the CJEU, nor had it been claimed, that the limitations placed on the exercise of these rights in the present case did not respect the essence of those rights. Fourth, the storage of fingerprints on a highly secure storage medium as provided for by that provision requires sophisticated technology. Such storage is likely to reduce the risk of passports being falsified and to facilitate the work of the authorities responsible for checking the authenticity of passports at EU borders. The fact that the method is not wholly reliable is not decisive. Although the method does not prevent all unauthorized persons from being accepted, it is enough that it significantly reduces the likelihood of such acceptance. In light of the foregoing, the CJEU found that the taking and storing of fingerprints referred to in Article 1 (2) of Regulation №2252/2004 were appropriate for attaining the aims pursued by that regulation and, by extension, the objective of preventing illegal entry to the EU. The CJEU next assessed whether such processing is necessary, noting that the action at issue involved no more than the taking of prints of two fingers, which can, moreover, generally be seen by others, so that this is not an operation of an intimate nature. Nor does it cause any particular physical or mental discomfort to the person affected any more than when that person’s facial image is taken. It should also be noted that the only real alternative to the taking of fingerprints raised in the course of the proceedings before the CJEU was an iris scan. Nothing in the case file submitted to the CJEU suggested that the latter procedure would interfere less with the rights recognized by Articles 7 and 8 of the Charter than the taking of fingerprints. Furthermore, with regard to the effectiveness of those two methods, it is common ground that iris-recognition technology is not yet as advanced as fingerprint-recognition technology, is currently significantly more expensive than the procedure for comparing fingerprints and is, for that reason, less suitable for general use. Accordingly, the CJEU had not been made aware of any measures that would be both sufficiently effective in helping to achieve the aim of protecting against the fraudulent use of passports and less of a threat to the rights recognized by Articles 7 and 8 of the Charter than the measures deriving from the method based on the use of fingerprints. The CJEU noted that Article 4 (3) of Regulation №2252/2004 explicitly states that fingerprints may be used only for verifying the authenticity of a passport and the identity of its holder, while Article 1 (2) of the regulation does not provide for the storage of fingerprints except within the passport itself, which belongs to the holder alone. Thus, the regulation did not provide a legal basis for the centralized storage of data collected thereunder or for the use of such data for purposes other than that of preventing illegal entry into the EU.80 In light of all the foregoing considerations, the CJEU concluded that the examination of the referred question revealed nothing capable of affecting the validity of Article 1 (2) of Regulation №2252/2004.
