Authors: Gerrit Hornung and Indra Spiecker gen. Döhmann
- This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
- This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
- The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Ι. Objective and function of the provision
Art. 1 is the guiding provision of the GDPR: It sets out the general objectives, namely the protection of personal data and protection of the free movement of personal data. At the same time, para. 1 lays out the parameters for balancing both objectives where a conflict arises. The provision thus conjoins the core statements; it is to be understood as an interpretation directive. It serves as an interpretation aid for all provisions of the GDPR, especially the various indeterminate legal terms. This also applies to the provisions enacted in the Member States on the basis of “opening clauses” set out in the GDPR. Moreover, together with the fundamental principles set out in Art. 5 (→ Art. 5 mn. 22 et seq.), Art. 1 indicates how margins of assessment and discretionary powers can be utilized; it can also serve to close gaps in provisions and to determine the capability for analogy as well as the extent to which interests are similar. The Recitals Nos. 1-14 relate to Art. 1.
At the same time, Art. 1 indicates what the normative treatment of legal uncertainty[1] should look like, i.e. whether the risks of data processing should be avoided or whether the opportunities should be seized, and how this affects specific, unresolved legal issues and interpretations. In this respect, once again in conjunction with the fundamental principles of Art. 5 (→ Art. 5 mn. 22 et seq.), Art. 1 is a core provision in order to limit excessively large margins of assessment where decisions are made under conditions of uncertainty. In view of the systematic classification of data protection law as technology law (→ mn. 4), this means that a more precautionary interpretation of future events has to be taken as the basis for estimates made in an uncertain environment. Risk-based approaches in the GDPR (→ Introduction mn. 193), as e.g. in Art. 35 (→ Art. 35 mn. 1, 10 et seq.), have to be substantiated accordingly.
On the one hand, the object of protection is, as already stated in Art. 1 para. 1 DPD, the protection of individuals with regard to the processing of personal data (para. 2) as defined in Art. 4 para. 1. Art. 1 does not specify the underlying reasoning, though.[1] However, the history of the Regulation indicates that the European tradition and understanding of data protection is being set forth (→ Introduction. mn. 227 et seq.). Hence, the objective of data protection law is on a first level to protect the individual against the disclosure and use of his/her data including on second and third levels the potential effects for other persons or society.[2] This counteracts the unidirectional usability of information by the data controller; the data subject is able to oversee the basis of decisions concerning him-/herself.[3] The increasing ability to control data subjects by processing their data is to be counter-balanced by their right to decide themselves about the admissibility, extend and formalities of access to and use of their data.[4] Thus, data protection is much more than a concept of privacy as a protection of the individual’s private sphere.
The orientation of the protection of personal data is preventive.[1] In accordance with the principles of technology law approach (→ Introduction. mn. 200), it is supported resolutely by the characteristics of data, i.e. firstly by the characteristic of information as public goods in the economic sense of the term,[2] and secondly by its significance for subsequent decisions. As public goods, information can typically be processed many times without losing its informative value. There is a lack of rivalry in consumption.[3] Digitization made it easy, fast and inexpensive to recombine information. For this reason, it is often impossible to prevent data from becoming accessible and known to others. This applies especially to personal data because it constitutes the bedrock of social relationships and communication. It is therefore often impossible to exclude others from using it.[4] Moreover, information is usually not in demand for its own sake, but, rather, as the basis for the preparation and making of decisions.[5] This means that effective data protection has to start by regulating the processing and by informing the data subjects of the whereabouts of their data so that they can exercise their rights of influence and thus obtain a certain degree of control over subsequent decisions. However, this is only possible preventively, irrespective initially of the specific decision sought on the basis of the information obtained. The essential and decisive point of departure in this respect is not the harm actually caused to, but, rather, the risk potentially faced by the data subject.[6]
The second object of protection of the GDPR is the free movement of data within the internal market (para. 3 → mn. 39). Art. 1 thus encapsulates one of the oldest objectives of the European integration process,[1] namely the establishment of a unified European internal market. This object of protection was already mentioned in the DPD (Art. 1 para. 2 and Recitals Nos. 3, 6, 8, 9 and 56 DPD).
[…]
[1] In the same vein Zerdick in Ehmann/Selmayr Art. 1 mn. 2; similarly Pötters in Gola/Heckmann Art. 1 mn. 1 et seq.; with reference to a lack of necessity in terms of competence Sydow in Sydow/Marsch Art. 1 mn. 19.
[1] This is shown by the overarching regulatory principle of a basic ban on (processing) in data protection law, see e.g. Tinnefeld/Buchner/Petri/Hof, Einführung in das Datenschutzrecht, 6th ed, 2017, pp. 234-235; Fuhrmann ZfRSoz 23 (2002), 115 (125); Ehmann RDV 1999, 12.
[2] See comprehensively on information goods Linde, Ökonomie der Information, 2005, p. 16 et seq.; Cowen in Linde, Public Goods and Market Failures, 1999, 1 (21 et seq.).
[3] Zech, Information als Schutzgegenstand, 2012, p. 118; Zech CR 2015, 137 (139); on restrictions Linde, Ökonomie der Information, 2005, p. 14.
[4] Spiecker gen. Döhmann RW 2010, p. 247 (258-259); Benecke/Spiecker gen. Döhmann in Terhechte (ed), Verwaltungsrecht der Europäischen Union, 2021; Hermstrüwer, Informationelle Selbstgefährdung, 2016, p. 134 et seq.; Fairfield/Engel, Duke Law Journal 65 (2015), 385 (423 et seq.); with – not always correct – limitations Zech, Information als Schutzgegenstand, 2012, p. 118 et seq.; different opinion expressed by Dewenter/Lüth in Körber/Immenga (eds), Daten und Wettbewerb in der digitalen Ökonomie, p. 10 (12).
[5] Spiecker gen. Döhmann, Staatliche Entscheidungen unter Unsicherheit, 2024, to be published.
[6] Cf. Simitis in Simitis § 1 mn. 79 with rerefence to Trute in Roßnagel, Handbuch Datenschutzrecht, Kap. 2.5, mn. 13, 23; Scholz/Pitschas, Informationelle Selbstbestimmung und staatliche Informationsverantwortung, 1984, p. 82 et seq.; Bull in Gedächtnisschrift für Sasse II, p. 879 et seq.; Gallwas Der Staat 18 (1979), 510-511.; Bizer in Schulte (ed), Handbuch des Technikrechts, 2003, 564 (p. 566-567, 569-570); Albers, Informationelle Selbstbestimmung, 2005, especially p. 462 et seq.; Hermstrüwer, Informationelle Selbstgefährdung, 2016, p. 40-41; cf. also von Grafenstein, EDPL 2020, 509; EDPL 2021, 190; EDPL 2021, 373.
[1] See generally on the interests protected by data protection law and its objectives and purpose, Albers in Friedewald/Lamla/Roßnagel (eds), Informationelle Selbstbestimmung im digitalen Wandel, 2017, 11 (11 et seq.); regarding the GDPR, cf. von Grafenstein EDPL 2020, 509; EDPL 2021, 190; EDPL 2021, 373.
[2] Cf. BVerfGE 65, 1 (43); cf. also Simitis in Simitis § 1 mn. 23 et seq.
[3] Cf. BVerfGE 65, 1 (43).
[4] Simitis in Simitis § 1 mn. 26.
[1] Spiecker gen. Döhmann, Staatliche Entscheidungen unter Unsicherheit, 2024, to be published.