ECHR, on the private life of third parties in the context of telephone tapping authorised by a judge

The European Court of Human Rights gave its judgment yesterday in the case of Pruteanu v. Romania (Case 30181/05), which concerns the complaint of a lawyer whose conversations with a client were intercepted by prosecutors in the context of a criminal case. The client was not a party to the criminal case, but he was an associate of the accused persons. The recordings were used in the criminal trial, to which neither the lawyer nor his client was a party. The lawyer wanted to challenge the legality of the interceptions and to require their deletion, but was not able to do so.

The facts of the case raise the issue of the extent to which third parties, whose telephone conversations are recorded under an interception authorisation issued in someone else’s name, enjoy the right to private life under Article 8 of the European Convention of Human Rights.

The Court emphasises in this judgment that an “effective control”, be it a posteriori, of an authorisation to intercept issued by a judge, exercised by a third-party to the authorisation to intercept, is necessary in order to make the interception compliant with the right to private life of the third party.


“On 1 September 2004 the commercial company M. was barred from carrying out bank transactions. The police received several criminal complaints against the company for deceit. One of the company’s partners, C.I., instructed the applicant as his defence lawyer. On 24 September 2004 the District Court authorised the prosecuting authorities to intercept and record the partners’ telephone conversations for a period of thirty days.

From 27 September to 27 October 2004 the fraud investigation unit intercepted and recorded C.I.’s conversations, including twelve conversations with the applicant. On 21 March 2005 the District Court held that the recordings were relevant to the criminal case against C.I.’s fellow partners in company M., and ordered that the transcripts and the tapes be placed under seal. Mr Pruteanu and C.I. both lodged appeals, which were declared inadmissible” (Source).

Findings of the Court

After stating that any interception of a conversation is an interference in the right to private life, the Court analysed whether this interference is necessary in a democratic society.

The Court notes that “the authorisation to record the conversations of C.I. was given by a tribunal. Nevertheless, that authorisation targeted C.I. and not the applicant, in such a way that it cannot be concluded that the tribunal had examined a priori the necessity of the measure regarding the person concerned. Furthermore, the Court recalls that it already rejected the argument which leads to consider that the mere fact that the person who issues an order and supervises the interceptions is a magistrate implies, ipso facto, the lawfulness and the conformity of the interceptions with Article 8 of the Convention, such a reasoning making any remedy for the interested parties inoperative” (para. 50, my translation; the Court refers here to the Matheron case, para. 40).

Further, the Court considers it has to examine “if the applicant had the possibility to appeal a posteriori the recordings in order to control them” (para. 51, my translation).

Analysing the legislation in force at the time of the facts, the Court concluded that the applicant did not have legal standing to intervene in the criminal proceedings in which the recordings were used – “therefore, the applicant could not control, based on his own arguments, the legality and the necessity of the recordings, nor could he require the balancing of the interests of justice with his right to respect for private life and correspondence” (para. 52, my translation).

Considering the only way the applicant could have challenged the legality of the interceptions was during a criminal trial against himself or against his client, the Court concluded that “the accessibility of the remedy for the applicant must be considered uncertain” (para. 54, my translation).

As regards a civil action for damages (which was indicated by the Government as an alternative), the Court stated that “the Government did not provide any example of case-law which would prove the effectiveness of this particular remedy. In addition, a complaint in front of the civil judge regarding the pecuniary liability of the state does not have the nature to allow the control of the legality of the recordings and to lead, where appropriate, to a decision to order their destruction – a result sought by the applicant -, so as it cannot be seen as an effective control for the purposes of Article 8” (para. 55, my translation).

The applicant received 4.500 EUR as non-pecuniary damage.

Trouble with Science’s special issue on privacy is that it’s called “The End of Privacy”

The prestigious Science magazine’s issue released today is dedicated to privacy. The only problem is that its title is “The End of Privacy”. This statement is too dramatic. I don’t think we are facing the end of privacy, but the explosion of privacy-invading technologies and practices.

Privacy as an inherent human value cannot disappear.

Privacy as the web of legal protection is not likely to disappear soon. Au contraire. It is likely it will be developed and taken more and more seriously.

The fact remains that privacy is under siege. But if scientific magazines are starting to publish entire issues on this topic, it would be more useful if they did not declare privacy dead, but figured out ways to construct a stronger web (technical, legal or of whatever other nature) for protecting privacy.

Never mind the title. Beyond it, there are some interesting articles:

1) Privacy and human behavior in the age of information, by Alessandro Acquisti, Laura Brandimarte and George Loewenstein.

2) Could your pacemaker be hackable?, by Daniel Clery (Medical devices connected to the Internet are vulnerable to sabotage or data theft).

3) Hiding in plain sight, by Jia You. (Software lets you use location-based apps without revealing where you are).

4) Control use of data to protect privacy, by Susan Landau (“..But notice, designated as a fundamental privacy principle in a different era, makes little sense in situations where collection consists of lots and lots of small amounts of information, whereas consent is no longer realistic, given the complexity and number of decisions that must be made. Thus, efforts to protect privacy by controlling use of data are gaining more attention…”)

While at it, also check my CPDP 2013 paper (presented two years ago at the conference in Brussels and published that year in a Springer volume edited by the organisers of the conference), Forgetting about consent. Why the focus should be on suitable safeguards in data protection law.

In conclusion, no, this is not the end of privacy. This is just the middle of a very, very difficult fight to protect privacy.

Main points from FTC’s Internet of Things Report

FTC published on 27 January a Report on the Internet of Things, based on the conclusions of a workshop organised in November with representatives of industry, consumers and academia.

It is apparent from the Report that the most important issue to be tackled by the industry is data security – it also represents the most important risk to consumers.

While data security enjoys the most attention in the Report and the bigger part of the recommendations for best practices, data minimisation and notice and choice are considered to remain relevant and important in the IoT environment. FTC even provides a list of practical options for the industry to provide notice and choice, admitting that there is no one-size-fits-all solution.

The most welcome recommendation in the report (at least, for this particular reader) was the one referring to the need for general data security and data privacy legislation – and not legislation specially tailored for IoT. FTC called on Congress to act on these two topics.

Here is a brief summary of the Report:

The IoT definition from FTC’s point of view

Everyone in the field knows there is no generally accepted definition of what IoT is. It is therefore helpful to know what FTC considers IoT to be for its own activity:

“things” such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet.

In addition, FTC clarified that, consistent with their mission to protect consumers in the commercial sphere, their discussion of IoT is limited to such devices that are sold to or used by consumers.

Stunning facts and numbers

  • as of this year, there will be 25 billion connected devices worldwide;
  • fewer than 10,000 households using one company’s IoT home automation product can “generate 150 million discrete data points a day” or approximately one data point every six seconds for each household.

Data security, the elephant in the house

Most of the recommendations for best practices that FTC made are about ensuring data security. According to the Report, companies:

  • should implement “security by design” by building security into their devices at the outset, rather than as an afterthought;
  • must ensure that their personnel practices promote good security; as part of their personnel practices, companies should ensure that product security is addressed at the appropriate level of responsibility within the organization;
  • must work to ensure that they retain service providers that are capable of maintaining reasonable security, and provide reasonable oversight to ensure that those service providers do so;
  • should implement a defense-in-depth approach, where security measures are considered at several levels; (…) FTC staff encourages companies to take additional steps to secure information passed over consumers’ home networks;
  • should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network;
  • should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.

Attention to de-identification! 

In the IoT ecosystem, data minimization is challenging, but it remains important.

  • Companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data.
  • To the extent that companies decide they need to collect and maintain data to satisfy a business purpose, they should also consider whether they can do so while maintaining data in deidentified form.

When a company states that it maintains de-identified or anonymous data, the Commission has stated that companies should

  1. take reasonable steps to de-identify the data, including by keeping up with technological developments;
  2. publicly commit not to re-identify the data; and
  3. have enforceable contracts in place with any third parties with whom they share the data, requiring the third parties to commit not to re-identify the data.

Notice and choice – difficult in practice, but still relevant

While the traditional methods of providing consumers with disclosures and choices may need to be modified as new business models continue to emerge, (FTC) staff believes that providing notice and choice remains important, as potential privacy and security risks may be heightened due to the pervasiveness of data collection inherent in the IoT. Notice and choice is particularly important when sensitive data is collected.

  • Staff believes that providing consumers with the ability to make informed choices remains practicable in the IoT;
  • Staff acknowledges the practical difficulty of providing choice when there is no consumer interface, and recognizes that there is no one-size-fits-all approach. Some options are enumerated in the report – several of which were discussed by workshop participants: choices at point of sale, tutorials, codes on the device, choices during set-up.

No need for IoT specific legislation, but general data security and data privacy legislation much needed

  • Staff does not believe that the privacy and security risks, though real, need to be addressed through IoT-specific legislation at this time;
  • However, while IoT specific-legislation is not needed, the workshop provided further evidence that Congress should enact general data security legislation;
  • General technology-neutral data security legislation should protect against unauthorized access to both personal information and device functionality itself;
  • General privacy legislation that provides for greater transparency and choices could help both consumers and businesses by promoting trust in the burgeoning IoT marketplace; In addition, as demonstrated at the workshop, general privacy legislation could ensure that consumers’ data is protected, regardless of who is asking for it.

“The EU-US interface: Is it possible?” CPDP2015 panel. Recommendation and some thoughts

The organizers of CPDP 2015 made available on their YouTube channel some of the panels from this year’s conference, which happened last week in Brussels. This is a wonderful gift for people who weren’t able to attend CPDP this year (like myself). So a big thank you for that!

While all of them seem interesting, I especially recommend the “EU-US interface: Is it possible?” panel. My bet is that the EU privacy legal regime/US privacy legal regime dichotomy and the debates surrounding it will set the framework of “tomorrow”’s global protection of private life.

Exactly one year ago I wrote a 4-page research proposal for a post-doc position with the title “Finding Neverland: The common ground of the legal systems of privacy protection in the European Union and the United States”. A very brave idea, to say the least, in a general scholarly environment which still widely accepts Whitman’s liberty vs dignity solution as a fundamental “rift” between the American and European privacy cultures.

The idea I wanted to develop is to stop looking at what seem to be fundamental differences and start searching for a common ground from which to build new understandings of protecting private life accepted by both systems.

While it is true that, for instance, a socket in Europe is not the same as a socket in the US (as a traveller between the two continents I am well aware of that), fundamental human values do not change while crossing the ocean. Ultimately, I can convert the socket into metaphor and say that even if the continents use two very different sockets, the function of those sockets is the same – they are a means to provide energy so that one’s electronic equipment works. So which is this “energy” of the legal regime that protects private life in Europe and in the US?

My hunch is that this common ground is “free will”, and I have a bit of Hegel’s philosophy to back this idea. My research proposal was rejected (in fact, by the institute which, one year later, organized this panel at CPDP 2015 on the EU-US interface in privacy law). But, who knows? One day I may be able to pursue this idea and make it useful somehow for regulators that will have to find this common ground in the end.

You will discover in this panel some interesting ideas. Margot Kaminski (The Ohio State University Moritz College of Law) brings up the fact that free speech is not absolute in the US constitutional system – “copyright protection can win over the first amendment” she says. This argument is important in the free speech vs privacy debate in the US, because it shows that free speech is not “unbeatable”. It could be a starting point, among others, in finding some common ground.

Pierluigi Perri (University of Milan) and David Thaw (University of Pittsburgh) seem to be the ones that focus the most on the common grounds of the two legal regimes. They say that, even if it seems that one system is more preoccupied with state intrusions in private life and the other with corporate intrusions, both systems share a “feared outcome – the chilling effect on action and speech” of these intrusions. They propose a “supervised market based regulation” model.

Dennis Hirsch (Capital University Law School) speaks about the need of global privacy rules or something approximating them, “because data moves so dynamically in so many different ways today and it does not respect borders”. (I happen to agree with this statement – more details, here). Dennis argues in favour of sector co-regulation, that is regulation by government and industry, to be applied in each sector.

Other contributions are made by Joris van Hoboken, University of Amsterdam/New York University (NL/US) and Eduardo Ustaran, Hogan Lovells International (UK).

The panel is chaired by Frederik Zuiderveen Borgesius, University of Amsterdam, and organised by the Information Society Project at Yale Law School.


CJEU: CCTV camera in family home falls under the Data protection directive, but it is in principle lawful

CJEU gave its decision today in Case C-212/13 František Ryneš – under the preliminary ruling procedure. The press release is available here and the decision here.


A person who broke the window of the applicant’s home and was identified by the police with the help of the applicant’s CCTV camera complained that the footage was in breach of data protection law, as he did not give consent for that processing operation. The Data Protection Authority fined the applicant, and the applicant challenged the DPA’s decision in front of an administrative court. The administrative court sent a question for a preliminary ruling to the CJEU.

Video image is personal data

First, the Court established that “the image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned” (para. 22).

In addition, video surveillance involving the recording and storage of personal data falls within the scope of the Directive, since it constitutes automatic data processing.

Household exception must be “narrowly construed”

According to the Court, as far as the provisions of the Data protection directive govern the processing of personal data liable to infringe fundamental freedoms, they “must necessarily be interpreted in the light of the fundamental rights set out in the Charter (see Google Spain and Google, EU:C:2014:317, paragraph 68)”, and “the exception provided for in the second indent of Article 3(2) of that directive must be narrowly construed” (para. 29).

In this sense, the Court emphasized the use of the word “purely” in the legal provision for describing the personal or household activity under this exception (para. 30).

Such processing operation is most likely lawful

In one of the last paragraphs of the decision, the Court clarifies that “the application of Directive 95/46 makes it possible, where appropriate, to take into account — in accordance, in particular, with Articles 7(f), 11(2), and 13(1)(d) and (g) of that directive — legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself, as in the case in the main proceedings” (para. 34).

This practically means that, even if the household exception does not apply in this case, and the processing operation must comply with the requirements of the Data protection directive, these requirements imply that a CCTV camera recording activity such as the one in the proceedings is lawful.

NB: The Court used a non-typical terminology in this decision – “the right to privacy” (para. 29)

What Happens in the Cloud Stays in the Cloud, or Why the Cloud’s Architecture Should Be Transformed in ‘Virtual Territorial Scope’

This is the paper I presented at the Harvard Institute for Global Law and Policy 5th Conference, on June 3-4, 2013. I decided to make it available open access on SSRN. I hope you will enjoy it and I will be very pleased if any of the readers would provide comments and ideas. The main argument of the paper is that we need global solutions for regulating cloud computing. It begins with a theoretical overview on global governance, internet governance and territorial scope of laws, and it ends with three probable solutions for global rules envisaging the cloud. Among them, I propose the creation of a “Lex Nubia” (those of you who know Latin will know why ;) ).  My main concern, of course, is related to privacy and data protection in the cloud, but that is not the sole concern I deal with in the paper.


The most commonly used adjective for cloud computing is “ubiquitous”. This characteristic poses great challenges for law, which might find itself in need of revising its fundamentals. Regulating a “model” of “ubiquitous network access” which relates to “a shared pool of computing resources” (the NIST definition of cloud computing) is perhaps the most challenging task for regulators worldwide since the appearance of the computer, both procedurally and substantially. Procedurally, because it significantly challenges concepts such as “territorial scope of the law” – what need is there for a territorial scope of a law when regulating a structure which is designed to be “abstracted”, in the sense that nobody knows “where things physically reside”? Substantially, because the legal implications in connection with cloud computing services are complex and cannot be encompassed by one single branch of law, such as data protection law or competition law. This paper contextualizes the idea of a global legal regime for providing cloud computing services, on one hand by referring to the wider context of global governance and, on the other hand, by pointing out several solutions for such a regime to emerge.

You can download the full text of the paper following this link:

How the ECHR defended the freedom of speech of a whistleblower who warned of illegitimate wiretapping by a secret service

It took the European Court of Human Rights 11 years to give its judgment in the case of Bucur and Toma v. Romania, the case of a whistleblower from the Romanian Intelligence Service (SRI) who warned the public in 1996 about the arbitrary wiretapping of journalists and other people by the service (Bucur) and one of the wiretapped journalists and his daughter (Toma and Toma).

The facts of the case have certain similarities to the “Snowden revelations” situation, in that it involves a whistleblower from a secret service which has powers in the field of national security, who warned the public that the service was arbitrarily interfering with the private life (especially, but not only) of journalists, businessmen and politicians, by wiretapping their phones. The decision of the ECHR is interesting because it is dual: it analyzes the situation of the whistleblower, as well as the situation of two individuals who were arbitrarily wiretapped.

ECHR gave its judgment on January 8, 2013, while the request was sent in 2002 (No. 40238/02). It found that, by sentencing Mr. Bucur to 2 years of imprisonment for his revelations for breaching the national security law, Romania had breached Article 10 – freedom of expression, of the European Convention of Human Rights. In addition, the Court found that by allowing the arbitrary wiretapping of Mr. Toma and his daughter, according to Mr. Bucur’s revelations, Romania had breached Article 8 – the right to private life, of the Convention.

Following the decision of the Court, Mr. Bucur received 20.000 EUR as a compensation for moral damages, and Mr. Toma and his daughter each received 7.800 EUR.

What did Mr. Bucur’s revelations say?

Mr. Bucur was an employee of SRI, responsible for monitoring and recording the wiretapped telephone communication of persons listed on a certain registry.

Within the framework of his activity, Mr. Bucur observed several irregularities: pencil was used to write in all the sections of the registry, a registry which was not complete; the real names of the wiretapped persons did not appear in the registry, nor the number of the order to wiretap issued by the prosecutor, the location of the wiretapped telephone, and the purposes of the wiretapping (para. 8). He also observed that the name in the registry did not always indicate the actual owner of the telephone (para. 8). “Furthermore, a considerable number of journalists, politicians and businessmen were wiretapped, especially with regard to resounding stories published by the press” (para. 8 – my translation).

Mr. Bucur took the issue to the head of the department, who reprimanded him: “(the head of the department) had advised him to give up his allegations and reminded him he had other problems and had children to raise, and he reportedly said: <<it is not us who will change how things are>>” (para. 9 – my translation).

Mr. Bucur further took the issue to a member of the Parliamentary Commission of the Control of SRI, who advised him that the best and quickest means to inform the public with regard to these issues is to hold a press conference (para. 10), which Mr. Bucur did on 13 May 1996.

Justification of his actions

According to the Court, he justified his actions by his wish to have Romanian laws complied with, and especially the Constitution. He mentioned that the disclosed information was not state secret, but the proof that SRI was involved in activities of political police, by order of the service’s chief, during a year of parliamentary and presidential elections. He also said that the beneficiaries of the arbitrary wiretapping were only the governing political party, and other political parties for their internal affairs. (para. 10).

Who is Mr. Bucur?

Unlike Mr. Snowden, Mr. Bucur had considerable experience of working in a secret service and surveilling people. He was 44 years old at the time of the revelations. Before working for SRI, he was an employee of the former Securitate forces under the Communist regime of Nicolae Ceauşescu, which was replaced in 1989 by a democratic regime after the Revolution.

In a 2009 interview for the French newspaper L’Express, he admitted that he decided to give this information to the public because he felt that the surveillance in 1995 Romania was even more arbitrary than what happened during the Communist regime: “In 1995 I woke up when I saw the name of many journalists, working for the daily newspapers “Ziua”, “Evenimentul Zilei”, on the list of persons whose conversations were listened to. In 1989, when I was listening to a sportsman, I had to ask for 5 authorizations, I had to make tons of administrative paperwork… In 1995, there was no more such an official aspect (of surveilling – my note): they would give me a piece of paper with the name of the person written with a pencil”.

What did the Court say with regard to Mr. Bucur’s freedom of expression?

The Decision of the Court is ample, having 182 paragraphs, and it is only available in French and Romanian. I will only point out a few highlights.

-> In deciding whether the interference with Mr. Bucur’s right to freedom of expression was necessary in a democratic society, the Court applied the criteria regarding public-servant whistleblowers developed in its Guja v. Moldova case (No. 14277, from February 12, 2008, paras. 70-78). The criteria are (NB: this is my translation, not an official one):

a) whether the applicant had other means to make the revelations

b) whether the information revealed was in the public interest

c) whether the information revealed is authentic

d) whether the information revealed caused “considerable damage” to the institution

e) whether the whistleblower acted with good faith

f) whether the sanction brought by the state against the whistleblower was severe

-> The Court found, regarding the public interest of the revelations, that: “the information revealed by the applicant is undoubtedly of public interest. The interception of telephone communications is particularly important in a society which has experienced during the communist regime a close surveilling by the secret services. This [the public interest – n.] is also proven by the fact that the press conference of 13 May 1996 was the subject of extensive media coverage, as evidenced by the documents filed by both the applicant and the Government. In addition, civil society was directly affected by the information disclosed, as anyone could have their telephone calls intercepted”. (para 101, my translation).

-> The Court, on the damage brought to the institution, balanced against the public interest: “the Court considers that the public interest in the disclosure of unlawful acts within the activity of SRI is so important in a democratic society that it outweighs the interest to maintain the trust of the public in this institution. The Court recalls in this regard that the free debate on issues of public interest is essential in a democratic state and it is important not to discourage citizens to decide on such issues (Barfod c. Denmark, 22 February 1989 § 29, Series A No. 149)” (para. 115, my translation).

-> Conclusion of the Court: “Recognizing the importance of the right to freedom of expression on matters of public interest, the right of civil servants and other employees to signal unlawful conducts and actions observed within their working place, the duties and responsibility of employees owed to their employers and the right of the latter to manage their staff, the Court, after weighing in the other interests involved, concludes that the interference with the right to freedom of expression of the applicant, in particular his right to communicate information, is not “necessary in a democratic society”. Accordingly, there has been a violation of Article 10 of the Convention” (para 120, my translation).

What did the Court say with regard to the right to private life of the wiretapped journalist and his daughter?

The Court only declared admissible the request of Mr. and Ms. Toma with regard to the storage of the files containing recorded telephone conversations (tapes) by SRI, and not the request regarding the wiretapping itself, which was found to have been filed too late, outside the 6 months term required by the Convention.

The Court recalled that “the telephonic communications are comprised in the notions of <<private life>> and <<correspondence>> as enshrined in Article 8(1) of the Convention, their interception, their storage in a secret file, and the communication of data related to the private life of an individual amount to an <<interference of a public authority>> in the exercise of the right guaranteed by Article 8 (see, among others, Dumitru Popescu v. Romania (No. 2), para. 61). For such an interference not to breach Article 8, it should be afforded by law, pursue a legitimate aim in accordance with Article 8(2) and, in addition, it must be necessary in a democratic society to achieve this aim” (para. 162 – my translation).

Among other things, the Court found that although SRI had some procedures regarding the time when a wiretapped conversation will be destroyed when it no longer serves a purpose, the procedures allowed a substantial risk that the conversations would not be destroyed and, thus, could be easily accessible at a later time (para. 164, as synthesized by

The Court considered that the applicants did not enjoy “a sufficient degree of protection against arbitrariness, as requested by Article 8 of the Convention” (para. 165 – my translation).

ECHR: an article about a wedding is not exclusively private

The European Court of Human Rights in Strasbourg decided on Thursday (16 January) that publishing photos from the wedding of two celebrities in a magazine without their consent, as long as the photos were not taken at the ceremony per se, but outside of the ceremony location, is not a violation of the right to private life as it is enshrined in Article 8 of the European Convention of Human Rights.

The Court decided in its Lillo Stenberg and SÆTHER v. Norway decision (Application no. 13258/09) that “a wedding has a public side” (para. 37), hence “the publication of an article about a wedding cannot itself relate exclusively to details of a person’s private life and have the sole aim of satisfying public curiosity in that respect (see, Von Hannover (no. 2), § 110). It (the Court – n.n.) therefore considers that there was an element of general interest in the article about the applicants’ wedding” (para. 37).

In this regard, the Court entirely admitted the argument of the Supreme Court of Norway, which stated in a decision concerning the facts of the case that “a wedding is a very personal act. At the same time it also has a public side. A wedding is a public affirmation that two persons intend to live together, and has legal consequences in many different sectors of society. Thus information about a wedding does not in itself involve a violation of privacy if it is given in a natural form and based on a reliable source” (see para. 37 of the ECHR Decision).

According to the facts of the case, the first applicant is a musician and the second applicant is an actress. They are both known to the public in Norway. On 20 August 2005, the applicants married in a private ceremony which took place outdoors on an islet in the municipality of Tjøme in the Oslo fjord, approximately 100 km south of the capital. The weekly magazine Se og Hør published a two-page article about the wedding, accompanied by six photographs. The photographs were taken without the consent of the applicants and outside of the premises of the wedding.

Highlights of the judgment

A. Criteria to assess the balance between freedom of expression and the right to private life

The Court reiterated the specific criteria it uses to assess which right prevails in a certain situation – freedom of expression or the right to private life:

“(i) contribution to a debate of general interest

(ii) how well known is the person concerned and what is the subject of the report?

(iii) prior conduct of the person concerned

(iv) method of obtaining the information and its veracity/circumstances in which the photographs were taken

(v) content, form and consequences of the publication.”

(see para. 34 of the current case, Von Hannover (no. 2), paras. 109‑113, and Axel Springer AG, paras. 89-95).

B. Interference with dignity to weigh in between freedom of expression and private life?

Without stating explicitly in the wording of the judgment that it shares the point of view of the Norwegian Supreme Court, the ECHR pointed out one of the arguments used by the Supreme Court, which indicates that an interference with dignity can decisively tip the balance towards the protection of private life or freedom of expression.

“It [the Supreme Court – n.] also pointed out that neither the text nor the photographs in the disputed magazine article contained anything unfavourable to the applicants. It did not contain any criticism, nor was there anything in the content that could damage their reputation” (see para. 41).

C. The implied legitimate expectation of privacy

ECHR accepted the Supreme Court’s view that “since the ceremony took place in an area that was accessible to the public, easily visible, and a popular holiday location, it was likely to attract attention by third parties”, hence “these elements should also be given a certain amount of weight” (see para. 43).

D. The increased autonomy of the national courts

Finally, I have to point out the ECHR’s reiteration that “although opinions may differ on the outcome of a judgment, where the balancing exercise has been undertaken by the national authorities in conformity with the criteria laid down in the Court’s case‑law, the Court would require strong reasons to substitute its view for that of the domestic courts” (see para. 44).

UPDATE Tracing the right to be forgotten in the short history of data protection law: The “new clothes” of an old right


The paper received the “Junior Scholar Award 2014”. “The junior scholar award is a new award at CPDP which is generously supported by Google. The winning paper is selected from the papers written by junior scholars who have already been selected from the general CPDP call for papers. The jury consists of: Ronald Leenes, University of Tilburg (NL), Bert-Jaap Koops, University of Tilburg (NL), Jess Hemerly, Google (US), Mariachiara Tallachini, EC-JRC (IT) and Chris Jay Hoofnagle, UC Berkeley (US). The award recognises outstanding work in the field of privacy and data protection”.

This is an incredible honor! Thank you, CPDP!


I will present the paper Tracing the right to be forgotten in the short history of data protection law: The “new clothes” of an old right at the Computers, Privacy and Data Protection conference, next week in Brussels. I am scheduled on Wednesday, 22 January, from 15.30, at La Maison des Arts, within the “Academic/PhD session. The right to be forgotten”.

The session will be chaired by Bert-Jaap Koops, from Tilburg University (TILT).

The other papers from the session are:

  • Ten Reasons Why the ‘Right to be Forgotten’ should be Forgotten by Christiana Markou.
  • Information Privacy and the “Right to be Forgotten”: An Exploratory Survey of Public Opinion and Attitudes by Clare Doherty and Michael Lang.
  • Purpose Limitation and Fair Re-use by Merel Koning.

As for my paper, here you have its abstract:

When the European Commission (EC) published its draft Data Protection Regulation (DPR) in early 2012, a swirl of concern hit data controllers regarding the introduction of a sophisticated “right to be forgotten” in the proposal for the future DPR, which was considered to unprecedentedly impact the internet and its economics. Critics and advocates of the right to be forgotten engaged in consistent theoretical debates, doubled by the technical discourse about its (un)feasibility. This paper “decomposes” the right to be forgotten into the tangible prerogatives which are in fact granted to individuals. It shows that those prerogatives already exist to an extended degree in EU law, and have existed in the first data protection laws enforced in Europe. In addition, the controversial obligation to inform third parties about the erasure request is a “duty of best efforts” which pertains to controllers and which is significantly different than a duty to achieve a result. Recourse will be made to private law theory to underline this difference.

Keywords: the right to be forgotten, data protection, privacy, duty of best efforts.

For further information on CPDP 2014, check out the conference web page. It looks like it will be a tremendous get-together of privacy people.

Academic Paper: Personal Jurisdiction and Choice of Law in the Cloud

Authors: Damon C. Andrews, John M. Newman


Cloud computing has revolutionized how society interacts with, and via, technology. Though some early detractors criticized the “cloud” as being nothing more than an empty industry buzzword, we contend that by dovetailing communications and calculating processes for the first time in recorded history, cloud computing is — both practically and legally — a shift in prevailing paradigms. As a practical matter, the cloud brings with it a previously undreamt-of sense of location independence for both suppliers and consumers. And legally, the shift toward deploying computing ability as a service, rather than a product, represents an evolution to a contractual foundation for all relevant interactions.

Already, substantive cloud-related disputes have erupted in a variety of legal fields, including personal privacy, intellectual property, and antitrust, to name a few. Yet before courts can confront such issues, they must first address the two fundamental procedural questions of a lawsuit that form the bases of this Article — first, whether any law applies in the cloud, and, if so, which law ought to apply. Drawing upon novel analyses of analogous Internet jurisprudence, as well as concepts borrowed from disciplines ranging from economics to anthropology, this Article seeks to supply answers to these questions. To do so, we first identify a set of normative goals that jurisdictional and choice-of-law methodologies ought to seek to achieve in the unique context of cloud computing. With these goals in mind, we then supply structured analytical guidelines and suggested policy reforms to guide the continued development of jurisdiction and choice of law in the cloud.

Full text: Digital Commons Network