In her General Principles of the European Convention on Human Rights, Janneke Gerards demonstrates how one of Europe’s two highest Courts offers ‘practical and effective’ protection to a number of human rights. These rights are at stake when governments or other big players use data-driven measures to fight e.g. international terrorism, a global pandemic or social security fraud. For those who wish to understand how the General Data Protection Regulation (GDPR) is grounded in European constitutional law, this book is an excellent point of departure, because the GDPR explicitly aims to protect the fundamental rights and freedoms of natural persons. Rather than ‘merely’ protecting the right to privacy of data subjects, the GDPR does not mention privacy at all; it is pertinent for all human rights, including non-discrimination, fair trail, presumption of innocence, privacy and freedom of expression.
Those not versed in European law may frown upon calling the European Convention of Human Rights (ECHR, “the Convention”) European constitutional law, as they may conflate ‘Europe’ with the European Union (EU). The EU has 27 Member States who are all Contracting Parties to the Convention, and at the constitutional level the EU is grounded in the various Treaties of the EU and in the Charter of Fundamental Rights of the EU (CFREU, “the Charter”). The Convention is part of a larger European jurisdiction, namely that of the Council of Europe (CoE), which has 47 Contracting Parties. The CoE is an international organisation, whereas the EU is a supranational organisation (though not a federal state). To properly understand both the GDPR and the Charter, however, one must first immerse oneself in the ‘logic’ of the Convention, because the Charter stipulates that the meaning and scope of Charter rights that overlap with Convention rights are at least the same as those of Convention rights. The reader who finds all this complex and cumbersome, may want to consider that the overlap often enhances the protection of fundamental rights and freedoms, similar to how the interrelated systems of federal and state jurisdiction in the US may increase access to justice. It is for good reason that Montesquieu observed that the complexity of the law actually protects against arbitrary rule, providing an important countervailing power against the unilateral power of a smooth, efficient and streamlined administration of ‘justice’ (The Spirits of the Laws, VI, II).
(For those interested in exploring the complexities of the two European jurisdictions to better understand the ‘constitutional pluralism’ that defines European law, I recommend Steven Greer, Janneke Gerards, and Rose Slowe’s 2018 Human Rights in the Council of Europe and the European Union: Achievements, Trends and Challenges (New York: Cambridge University Press.)
On 8 April 2014, the Court of Justice of the European Union (CJEU) invalidated the 2006 EU Data Retention Directive (DRD) that required Member States (MS) to impose an obligation on telecom providers to retain metadata and to enact legislation to allow access to such data by criminal justice authorities (case Digital Rights Ireland C-293/12). The CJEU’s invalidation of an entire legislative instrument highlights the significance of Janneke Gerards’ work on the Convention. Let me briefly explain: (1) the CJEU invalidated the DRD because it violated the fundamental rights to privacy and data protection of the Charter, (2) this violation was due to the fact that the DRD was deemed disproportional in relation to its legitimate goal of fighting terrorism, (3) the reason being that the DRD enabled infringements of privacy and data protection that were not strictly necessary to achieve this goal and therefore not justified, (4) this criterion of necessity, framed in terms of proportionality, builds on the case law of the European Court of Human Rights (ECtHR, ‘the Court’) that decides potential violations of the Convention.
The invalidation of the DRD obviously demonstrates that those who wish to situate the remit of the General Data Protection Regulation (GDPR) should study the EU’s Charter, because the fundamental right to data protection is one of the Charter rights. It also marks out that where the right to data protection overlaps with the Convention’s right to privacy the case law of the (other) Court must be taken into account. Thus, precisely because the fundamental right to data protection is part of European constitutional law, those interested in legal protection against data-driven systems should probe the salience of legal framework for constitutional protection of human rights in Europe.
In General Principles, Gerards explains in simple and lucid prose how the Convention operates, while nevertheless respecting the complexity of an institutional system that provides human rights protection in 47 national jurisdictions, including Russia and Turkey. She introduces the Convention as ‘a living instrument’ (see section 3.3), which flies in the face of the cumbersome discussions in the US on ‘plain text’ meaning, ‘Framers’ intention,’ and ‘Originalism’. Its meaning is decided by the Court in Strasbourg on a case-to-case basis. The Court squarely faces the need for interpretation that is inherent in text-based law (chapter 4), while taking into account that deciding the meaning of the text decides the level of protection across all 47 Contracting States. The meaning of the Convention is not immutable but adaptive. That is why it is capable of offering what the Court calls ‘practical and effective protection’ (chapter 1). Unlike what some blockchain afficionados seem to believe, immutability does not necessarily offer better protection, especially not in real life.
Gerards discusses the constitutional nature of the Convention, and the emphasis of the Court on an interpretation of Convention rights as rights that should be both ‘practical and effective’, while taking into account that the role of the Court is subsidiary in relation to the national courts, who are the primary caretakers. This results in the double role of the Court: (1) supervising compliance by the contracting states on a case-to-case basis, including redress in case of a violation and (2) providing an interpretation of convention rights that clarifies the minimum level of protection in all contracting states.
To mediate these twin objectives the Court has developed an approach that incorporates three steps: (1) the Court decides whether the case falls within the scope of the allegedly violated right, (2) the Court decides whether the right has been infringed and (3), the Court decides whether the infringement was justified. Though infringements can be justified if specific explicit or implied conditions are fulfilled, some rights are absolute in the sense that if the right is infringed it is necessarily violated, meaning that no justification is possible (notably in the case of torture and degrading or inhuman treatment). Gerards explains how the first and the second step interact as the facts of the case are qualified in light of the applicable Convention text while, in turn, the applicability and the meaning of the Convention text are decided in light of the facts of the case at hand. She understands this as a ‘reflective equilibrium’ where facts and norms, the concrete and the abstract are – in my own words – mutually constitutive.
General Principles proceeds to a detailed discussion of the principles that determine the Court’s ‘evolutive interpretation’ (chapter 3), which takes into account, on the one hand, the changing understanding of the meaning of convention rights (the first step mentioned above) and on the other hand, the confrontation with new cases that cannot be reduced to prior cases (highlighting the second step). Note that Gerards’ structured conceptual approach is firmly anchored in the case law of the Court, providing concrete examples of the reasoning of the Court based on succinct and lucid accounts of what is at stake in the relevant case law. This is also how she discusses arduous issues such as positive and negative obligations for states (chapter 5) as well as the difference between vertical and horizontal effect (both direct and indirect) (chapter 6), explaining convoluted legal framings without ignoring their complexity.
Finally, Gerards explains in rich detail the third step indicated above, that of justification, anchored in an in-depth and crystal-clear analysis of the Court’s case law. Justification of a restriction of human rights is only possible if three cumulative conditions are fulfilled: the infringing measures are lawful (chapter 8), have a legitimate aim (chapter 9) and are necessary in a democratic society (chapter 10). Lawfulness is interpreted by the Court as legality, not as legalism; it not only requires a basis in written or unwritten law, but also demands both accessibility and foreseeability, while to qualify as lawful the legal basis must incorporate sufficient safeguards to mitigate the impact on relevant human rights (including procedural due care). As to necessity, the Court checks the proportionality between measures and legitimate aim, performing a fair balancing test, taking into account the scope and severity of the infringements in relation to the importance of the aim at stake.
This is the necessity criterion that also plays a crucial role in infringements of the fundamental right to data protection. The Charter requires necessity in a way similar to the Convention and even though ‘necessity’ plays a crucial role in the GDPR’s own principles and its requirement of a legal basis, necessity often plays a seminal role when testing these infringements against the necessity principle of European constitutional law. When the CJEU invalidated the DRD it explicitly invoked the meaning of ‘necessity’ in this sense.
This book is not only relevant as a textbook for students of human rights in Europe. It also offers a detailed account of why and how individual rights and freedoms matter, what difference they can make, and which complex balancing acts must be performed to ensure legal certainty as well as justice. For those seeking protection against algorithmic decision-making and data-driven surveillance General Principles is a key resource. The clarity of explanation highlights the difficult dynamics between public and individual interests, between national and supranational jurisdictions and between the freedom of states to act in the general interest and the freedom from unlawful interference for individual citizens, acknowledging that such individual freedom is also a public good. Whereas human rights can be used to protect the interests of those already in power by ignoring the rights and freedoms of marginalised communities, the Court’s requirement that rights are ‘practical and effective’ rather than formal or efficient gives clear direction to an interpretation strategy that is firmly grounded in a substantive and procedural conception of the rule of law. I guess this comes closest to Jeremy Waldron’s ‘The Rule of Law and the Importance of Procedure’, 50 Nomos 2011, 3-31, underlining the need for institutional checks and balances without which rule of law checklists offer little to no protection when push comes to shove.