Proportionality has come to the GDPR
1. Proportionality overlooked
With the recent publication of their guidance on international personal data transfers (a draft of Recommendation 01/2020 and a final version of 02/2020; November 2020), the European Data Protection Board (EDPB) has provided advice on how such transfers should occur within the framework of the General Data Protection Regulation (GDPR). This was long-awaited, especially since the Court of Justice of the European Union’s (CJEU) seminal judgment in Case C-311/18 (Schrems II) in July 2020, in which the CJEU (yet again) struck down a general mechanism for data transfers to the private sector in the United States (US) (technically, an adequacy decision, called “Privacy Shield”) and furthermore declared that the so-called “appropriate safeguards” – a group of legal mechanisms for such transfers (Articles 46-47 GDPR) – might not always be appropriate.
Both the Schrems II judgment and the aforementioned EDPB guidance have immediately sparked much debate in academia (for example, here) and among data protection practitioners (for example, here) on how to actually transfer personal data, especially to the US, without breaching the GDPR. These lively debates tend to focus mainly on compliance issues, though from a broader perspective, both the judgment and the guidance also demonstrate that one of the most complex yet uncharted legal concepts has gained more and more prominence in the GDPR – proportionality. In our view, both Schrems II and the EDPB guidance confirm and endorse the entry of proportionality into the area of data transfers. However, this is not the only use of proportionality in the GDPR.
The increased usage of proportionality in the GDPR has, in our view, so far not received sufficient academic and professional attention, despite its significance and the practical difficulties it brings to the fore. This stands in stark contrast with the rich debate on proportionality per se and on parallel, equally significant and fundamental recent developments in the GDPR, e.g. the risk-based approach or the strengthening of the principle of accountability.
Putting aside the critical appraisal of the Schrems II judgment and the EDPB guidance, with this exploratory blog post we intend to draw attention to the increasing usage of proportionality in the GDPR and to its significance. We further intend to map its use in the GDPR, direct or indirect, focusing on the example of the most recent developments in data transfers, thereby paving the way for further research. To paraphrase Leonard Cohen, proportionality has come to the GDPR, yet this does not mean it had not been there before in data protection law, e.g. in the Data Protection Directive (DPD), the predecessor of the GDPR. It rather means – as in Cohen’s song Democracy – that the GDPR is nowadays “really where the experiment is unfolding” and this “experiment” of proportionality makes the GDPR a “real laboratory” thereof, bringing ramifications for the broader field of EU data protection law and – even – human rights law. This “experiment” brings to the fore profound consequences for both the theory and practice of personal data protection, hence meriting both academic and professional attention.
2. Fundamental rights, proportionality and (now) all legal mechanisms for data transfers
Let us start with a step back in time. In 2015, in Case C-362/14 (Schrems I), the CJEU not only declared invalid the predecessor of the Privacy Shield, a curious legal creature named “Safe Harbor”, but also – and more importantly – linked data transfers to fundamental rights, especially the fundamental rights to private life (Article 7 EU Charter of Fundamental Rights; hereinafter: Charter), personal data protection (Article 8 Charter) and an effective remedy (Article 47 Charter). This judgment confirmed the obvious, namely that with the adoption and the entry into force of the Charter (2009), personal data have explicitly received protection at the level of fundamental rights (Article 8), parallel to – yet distinct from – the right to privacy (Article 7). The same judgment further clarified the interlinkage of personal data processing and fundamental rights, which had by that point already been discussed in several earlier CJEU judgments (for example, Joined Cases C-92/09 and C-93/09, Schecke and Eifert, and Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Kärntner Landesregierung).
More concretely, the CJEU established in Schrems I that for a data transfer to take place, the intended destination must offer a “standard of essential equivalence” in terms of fundamental rights protection when compared to the one guaranteed in the EU by the Charter and secondary data protection legislation (para. 73). Since this “standard of essential equivalence” carries a fundamental rights narrative, it brings proportionality into the realm of data transfers. This is so because proportionality forms a key component both of assessing whether an interference with a fundamental right can be made at all (Article 52(1) Charter) and of balancing fundamental rights that appear to conflict with each other. However, the exact way in which proportionality operates in each of these situations is the subject of intense debate in academia and beyond.
As Schrems I concerned an adequacy decision, considered the hierarchically superior method for data transfers (the other being the various types of appropriate safeguards (Articles 45-47 GDPR)), opinions emerged in the wake of the judgment that this “standard of essential equivalence” was only relevant for adequacy decisions. Thus, these opinions held, it did not affect the other transfer mechanisms, namely the appropriate safeguards, including standard contractual clauses (SCCs). This was important from the perspective of a data controller (hereinafter: controller), as the assessment of the “standard of essential equivalence” was (and is) a complex and difficult one, which would have to be conducted, at least partially, by controllers themselves. However, from the perspective of fundamental rights, such a supposed “hierarchy” or “cascade” never made any sense, as the protection of fundamental rights cannot vary depending on the mechanism used for a data transfer. In Schrems II, the CJEU expressed what has become a sort of (recent) catchphrase for the European Commission, “the protection must travel with the data, no matter where the data is” (for example, European strategy for data, p. 23), and this regardless of whether such “travelling” occurs on the basis of adequacy decisions or of some appropriate safeguards (Schrems II, para. 96).
Schrems II therefore confirms that a controller is tasked with assessing whether the system of protection of personal data in the intended destination conforms to the fundamental rights of the EU, regardless of the transfer mechanism used. As a consequence, inter alia, controllers are now also confronted with proportionality. The EDPB has highlighted this much in their guidance (cf. draft Recommendation 01/2020), as in their proposed six-step assessment, several steps expressly require a controller to assess proportionality.
3. Intermezzo: what is proportionality?
Let us now take a slightly broader perspective. “Proportionality” is an essentially contested concept, bearing many labels, admitting a variety of interpretations and serving multiple purposes. Semantically, “proportionality” is to be understood as the “quality of corresponding in size or amount to something else”; it might also mean to be “[p]roperly related in size, degree, or other measurable characteristics; corresponding”. In popular parlance, “proportionate” is often understood as “related” and – perhaps more importantly – “not excessive”. This has, at least to some extent, informed the understanding of “proportionality” in the many domains in which it is used, from mathematics to ethics and aesthetics, and from philosophy to law. In law, its presence ranges from criminal to administrative law, and from international trade law to international human/fundamental rights law. In each of these domains, and even within each branch of law, proportionality plays a (slightly) different role – e.g. a standard of interpretation, a judicial review parameter or a limitation criterion for fundamental rights – and, furthermore, constitutes something (slightly) different.
In the context of human/fundamental rights law, proportionality has become a “tool” for the resolution of multifaceted conflicts between such rights, freedoms and some other interests. In its most significant use, proportionality forms part of the criteria that can justify a limitation to the enjoyment of human rights that are of a non-absolute nature (i.e. these rights are relative), for example the right to personal data protection. It is equally mobilised to accommodate two or more conflicting fundamental rights, freedoms and interests. There is no consensus as to the contents of proportionality in these different scenarios. In doctrine, it is frequently argued that it consists of a few sub-concepts: suitability, necessity, legitimacy and – a central component – proportionality in the narrower sense (sensu stricto).
More broadly, there is no consensus as to the contents of these limitation criteria either, and each legal instrument spells out these criteria differently. For example, in the EU, the Charter contains a general limitation clause and requires that “[a]ny limitation on the exercise of the rights and freedoms […] be provided for by law [legality] and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others [legitimacy]” (Article 52(1); emphasis ours). By contrast, in jurisprudence, each national jurisdiction has developed its own contents of proportionality, for example Germany (BVerfG, Apothekenurteil, 1958) or Canada (Supreme Court, R v Oakes, 1986).
4. Mapping proportionality in the GDPR
Proportionality is nothing new in EU personal data protection law. Although not always explicitly named as such, the DPD already included several usages of “proportionality” (“necessity”, “balancing”, etc.), such as in determining whether there was a legitimate interest to process personal data (Article 7(f) Directive 95/46/EC, now Article 6(1)(f) GDPR). Under the regime of the said directive, the CJEU had already invoked proportionality on a number of occasions, such as in determining whether a disclosure of personal data was proportionate to the legitimate aim pursued (Case C-465/00, Österreichischer Rundfunk). Similarly, several senior courts in EU Member States have employed proportionality to solve data protection disputes, although perhaps less frequently; e.g. the Hoge Raad der Nederlanden once considered whether consent to process personal data waives the condition of proportionality of an interference with an individual interest (10/03988, 2011).
Taking a concrete look at the text of the GDPR, “proportionality” and its differently named usages, such as “necessity” or “balancing”, have sprouted throughout its different provisions. The full term “proportionality” appears for the first time as early as Recital 4. Overall, the lemmas “necess-”, “proportiona-” and “balance-” appear 130, 26 and 3 times, respectively. For comparison, in Directive 95/46/EC, although several times shorter in length than the GDPR, these three lemmas appeared 45, three and – again – three times, respectively. If frequency counts can be taken as a measure of significance, this already shows the heightened importance of proportionality for the GDPR.
In detail, we have identified thus far more than a dozen usages of “proportionality” in the GDPR, in particular:
- Principles relating to processing of personal data (Article 5);
- Lawfulness of processing (Article 6);
- Processing of special categories of personal data (Article 9);
- Limiting the scope of data subject rights (Articles 12-22);
- Restricting data subject rights (Article 23);
- Responsibilities of the controller (Article 24);
- Data breach notification (Article 34);
- Data protection impact assessment (Article 35);
- International personal data transfers (Articles 44-50);
- Administrative fines (Article 83);
- Penalties (Article 84);
- Processing and freedom of expression and information (Article 85); and
- Obligations of secrecy (Article 90).
Each of these usages of proportionality is slightly different, especially as to its exact contents. For example, from the perspective of a controller, in determining the legitimate interest of the controller to process personal data, a controller has to assess whether their “interests are [not] overridden by the interests or fundamental rights and freedoms of the data subject” (Article 6(1)(f)). Within the process of a data protection impact assessment (DPIA), the proportionality and necessity of the envisaged processing operations have to be assessed alongside the risks to the rights and freedoms of individuals that these operations might pose (Article 35). The enjoyment of data subject rights might be limited only if such limitations are necessary and proportionate (Article 23). Sister instruments to the GDPR, such as Directive 2016/680 (concerning the protection of personal data in criminal matters) and Regulation 2018/1725 (protection of personal data processed by the EU), likewise resort to proportionality equally frequently.
5. Are we “getting lost in that hopeless little screen”?
The expansion of proportionality in the GDPR brings to the fore profound ramifications for the modus operandi of personal data protection law.
First and foremost, dealing with proportionality has now more often been vested in a controller, and this ex ante. Until recently, in the practice of data protection law, proportionality has typically been left for senior courts of law – such as the CJEU – to deal with, and this ex post. This change now makes controllers accountable for their proportionality assessment, subject to possible verification ex post by a court of law.
Second, the growing usage of proportionality challenges legal practice, possibly at the expense of legal certainty and the coherence of the legal system. For example, it remains unclear whether and to what extent a proportionality assessment by a controller would bear any authoritativeness, or whether such an assessment could be accepted as evidence in a court.
Third, from a theoretical viewpoint, the exact understanding of proportionality in data protection law remains uncharted. Proportionality has a specific meaning, or meanings, in each branch of law, and EU data protection law is no different. Its understanding therein is informed by its understanding in human/fundamental rights law, which thus far remains uncharted as well. Furthermore, even within this single branch of law, in the GDPR, proportionality is invoked more than a dozen times and each of its uses is (slightly) different.
Fourth, from the practical viewpoint, one of the main problems seems to be that nobody knows exactly how to assess proportionality in the context of personal data protection. Controllers frequently lack the expertise to conduct a highly advanced, specialised legal analysis. Dealing with proportionality had already led to difficulties under the Data Protection Directive, especially when controllers had to justify their legitimate interest for processing.
Fifth, literature on proportionality in EU data protection law is still lacking. While there already exists an abundance of literature on proportionality per se (for example, the seminal works of Barak or Alexy) or on proportionality in specific domains of law, both academic and professional literature on proportionality in the GDPR is, put simply, scarce. Academic writings on EU personal data protection law thus far treat proportionality only in conjunction with some other subject matter in which the former is invoked, e.g. DPIA or the right to erasure. Amongst professional guidance, to date, only some aspects have been discussed, such as the use of proportionality in determining the so-called legitimate interest of a controller to process personal data, DPIA or the above-mentioned EDPB guidance, which is basically a recast of a 2016 guidance. However, all this guidance falls short of providing sufficiently detailed practical information.
To sum up, proportionality in the context of the GDPR is still far from being sufficiently clarified and mapped. With this blog post we aim to encourage further research into this area. Indeed, proportionality has come to the GDPR, yet without a full understanding of this development and its implications, it is not only controllers who – to paraphrase Cohen again – will be “getting lost in that hopeless little screen”.