General
It is beneficial to evaluate the issue of the excessive and illegitimate use of personal data in light of the decisions of the European Court of Human Rights (ECHR). The ECHR has demonstrated several characteristic and detailed approaches to the protection of personal data under Article 8 of the European Convention on Human Rights. In its decisions regarding data protection, the Court has interpreted Article 8 by considering new technological developments in the context of the right to respect for private life and the freedom of communication. The Court has particularly avoided assessing whether communication or private life is the fundamental right when interpreting this article. The Court has made several findings that data protection falls within the scope of Article 8 (Lundvall v. Sweden 100473/83, Amann v. Switzerland, Rotaru v. Romania 28341/95). The Court has ruled that the systematic storage of personal data by public authorities may lead to violations of Article 8. Additionally, the Court has recognized the right of individuals to control the recording and use of their personal data. The Court has emphasized individuals’ rights to access personal files (Gaskin v. the United Kingdom, Application No. 10454/83; Antony and Margaret McMichael v. United Kingdom, Application No. 16424/90; Guerra v. Italy, McGinley & Egan v. United Kingdom, Applications nos. 21825/93 and 23414/94) and the right of transgender individuals to rectify their identities (Leander v. Sweden, Application No. 9248/81). Furthermore, the Court has highlighted the need for an independent oversight and supervisory authority to ensure the rule of law in the protection of personal data and to prevent abuse of power (Klass v. Germany, Leander v. Sweden, Rotaru v. Romania). In the cases of Peck, Perry, and PG and JH, the Court stated that the purpose of targeted data use in data protection is to prevent unforeseen uses (Peck v. the United Kingdom, Perry v. the United Kingdom). In the cases of Amann and Segerstedt Wiberg, the Court ruled that state authorities could only collect data related to a suspected situation in cases of concrete suspicion.[1]
From its earliest decisions, the Human Rights Court has evaluated the collection of information related to an individual’s private life, the storage of confidential information, and the disclosure of such information to relevant parties under Article 8 of the Convention (Leander, 48; Amann, Rotaru 43; Sve Marper 67; Khelli 55). According to the Court, the systematic collection and storage of data about specific individuals by security forces (Segerstedt-Wiberg and Others 72; Cemalettin Canlı 43), even if collected in public, (Peck 59; PG and J.H 57-59) or if the information is solely related to the individual’s professional or public activities (Rotaru 43-44), would still constitute an interference with individuals’ private lives if the information pertains to their distant past (Cemalettin Canlı 43). The identification of a person’s location via GPS through a device placed in their private vehicle (Uzun-Germany 51-53) constitutes a violation of the right to respect for private life. Access to information about one’s own past is part of private life (Odievr-France). Examples from the Court’s decisions regarding the protection of personal data related to private life are as follows: the name carried by an individual is relevant to their identity and connecting them to a family (Burghartz 24). Issues related to parentage concern an individual’s identity and thus their private life (Rasmussen 33, Kruskoviç 20). Matters related to gender reassignment are relevant to private life (Rees 42, Cossey 38-39), and ethnic identity pertains to an individual’s private life (S e Marper 66). Sexual relationships and orientation represent the most intimate aspects of an individual’s private life (Laskey, Jeggard and Brown 36). The request for information regarding one’s own origins and access to information held by public authorities is part of the right to respect for private life (Odievr-France). The identification of audio, written, and visual materials regarding individuals and their activities by public authorities for the purpose of crime investigation constitutes an interference with the right to respect for private life (Klass and Others – Germany 48, 49).[2]
The Use of Personal Data for Excessive, Unnecessary, and Illegitimate Purposes
The approach of the European Court of Human Rights (ECHR) regarding the use of data for excessive, unnecessary, and illegitimate purposes aligns with the provisions of the European Union Directive 1995/46/EC, particularly Articles 6(1)(c) and 7(c). In examining claims of rights violations, the Court primarily investigates whether there has been an interference with private life. If such an interference is established, the Court then assesses whether the interference is justified. The first step in evaluating the justification is to determine whether the interference is lawful. If it is lawful, the next question is whether the interference is necessary in a democratic society. Following this, the Court examines whether the interference serves social needs and achieves legitimate purposes proportionately. If all these conditions are met, no violation of rights occurs. In its decisions regarding claims of rights violations, the Court rarely finds that measures related to data protection are necessary in a democratic society. Instead, the Court has primarily focused on whether there is a legal basis for the infringing action. In cases where this legal necessity is violated, the Court has not examined the other requirements (P.G. and J.H.).
The distinction between the review of legality and the necessity in a democratic society is crucial. Even if a limitation on privacy is present in law, and it has a legal basis, it is still expected to be necessary in a democratic society. The necessity review in a democratic society is a political assessment that balances values and interests. The key question it addresses is whether the limitation or violation imposed on data protection serves a legitimate necessity. Even if the necessity requirement in a democratic society is met, it is not sufficient for the limitation imposed on data protection. The ECHR’s Article 8, 9, 10, and 11 assessments also include two additional criteria: addressing social needs and achieving legitimate purposes proportionately. However, the criterion of meeting social needs is primarily applied to the right governed by Article 10, while its application under Article 8 is limited. In proportionality assessments, the Court considers the severity of the interference with personal data. When determining whether the limitation is proportional, the specific circumstances are taken into account. The Court evaluates whether the nature of the measure taken allows for misuse and its potential negative consequences. It also assesses whether the same result could be achieved by other means and whether such stringent measures were necessary. If the review passes all these criteria, a violation of rights will not be determined. Strict application of proportionality assessments has arisen in cases related to Article 10 violations (Campbell v. United Kingdom, Application No. 13590/88), specifically concerning the confiscation of letters to lawyers and the retention of phone records during covert surveillance.
In ECHR decisions, there are very few rulings regarding excessive, necessary, and legitimate assessments of the processing of personal data when compared to other rulings. This is primarily due to the Court placing significant weight on the legality review.
As seen in the cases of Klass, Leander, Amann, P.G. and J.H., and Perry, the Court perceives the area of personal data within the context of a traditional approach as a very limited privacy sphere. Current approaches to personal data protection have not been included within the Court’s protective scope. In the Leander case, the Court did not view the limitation on a person’s right to access their personal data as a violation. A similar situation arose in the case of Antony and Margaret McMichael v. United Kingdom. The Court explicitly stated that Article 8 does not imply a right to access personal data. Conversely, the Court has clearly accepted provisions allowing law enforcement and security forces access to personal data.
The Court has differentiated between personal data that may fall under Article 8 and those that do not. While there are personal data affecting private life, there are also personal data that do not (Pierre Herbecq and the Association Ligue des droits de l’homme v. Belgium, Applications No. 32200/96 and 32201/96). In the example case, the applicant argued that there was no regulation regarding the processing of personal data for control purposes in the film industry and claimed that private life was violated. The Court found the request inadmissible, stating that the images from filming were not related to private life and were taken in public areas. The concept of data protection revolves around personal data that is identifiable or can be identified. Regulations concerning data protection do not distinguish between data related to privacy and that which is not. On the other hand, the data protection system acknowledges the existence of sensitive data of a private nature. Furthermore, data protection regulations stipulate that all personal data, including ordinary names, addresses, etc., could be misused, and the aim of the data protection system is to protect all data. These regulations are undoubtedly products of common sense. In this context, the boundaries within which ordinary data will be protected can be debated, but there is consensus that such data will also be protected. The prohibition on processing sensitive data, such as data related to Jewish individuals, is a positive regulation. There is no doubt that a simple list of names from this group must be protected from those who target them. Especially technical personnel often process data without considering data protection regulations or deeming them overly bureaucratic.
In the cases of Amann, Rotaru, and P.G. and J.H., the ECHR has presented a broad definition of privacy in the context of Article 8, referencing the Leander case to highlight differences between data protection principles and court decisions. In the Amann case, the Court stated that the storage of personal data is related to Article 8 and that private life should not be defined restrictively, as it includes individuals’ interactions and relationships with others, and there is no reason to exclude work life and professional activities from private life. However, caution must be exercised regarding decisions in these cases. The issue of how far data will be protected and where protection will cease is still under discussion. When data is not related to private matters, not systematically recorded in images and sounds, or not specifically targeted for recording, the data carrier is considered to be outside the privacy protection when they reasonably know that the data will be processed. In this context, street cameras and the storage of billing and statistical data regarding phone calls by telecom companies (P.G. and J.H. v. the United Kingdom) do not appear to constitute a violation under Article 8. In summary, it is evident that not all data is protected by the Court.
[1] P. De Hert and S. Gutwirth, Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutiona-lisation in Action
[2] DOĞRU s .25-53
Attorney Yalçın TORUN
© 2025 Torun Law Firm – All Rights Reserved.
This article is protected under the provisions of the Law on Intellectual and Artistic Works (No. 5846). The content, in whole or in part, may not be copied, reproduced, published, or shared on any other website without the prior written permission of the author and Torun Law Firm.
This material may only be shared by licensed attorneys, for professional purposes, without any modifications, and with full attribution to the author and the source.
Any unauthorized use may result in legal and criminal liability.