Responsible Information Sharing Converging boundaries between private and public in privacy and copyright law
| Author | Annelies Vandendriessche, Bernd Justin Jütte |
| Position | Doctoral Researcher, Faculty of Law, Economics & Finance, University of Luxembourg/Assistant Professor, School of Law, University of Nottingham and Senior Researcher, Vytautas Magnus University |
| Pages | 310-329 |
2020
Annelies Vandendriessche and Bernd Justin Jütte
310
3
Responsible information sharing
Converging boundaries between private and public in privacy
and copyright law
by Annelies Vandendriessche and Bernd Justin Jütte*
© 2019 Bernd Justin Jütte and Annelie s Vandendriessche
Everybody may disseminate this ar ticle by electronic m eans and make it available for downloa d under the terms and
conditions of the Digital P eer Publishing Licence (DPPL). A copy of the license text may be obta ined at http://nbn-resolving.
de/urn:nbn:de:0009-dppl-v3-en8.
Recommended citation: Ber nd Justin Jütte and Annelies Vandendri essche, Responsible information sharing - conve rging
boundaries betwe en private and public in privacy and copyri ght law 10 (2019) JIPITEC 310 para 1.
Keywords: privacy, personal information, copyright, reasonable expectations, communication to
the public, new public
other ‘publics’, still remains under the control of the
right holder. It is suggested that the notion of a “new
public” can be instrumental in better understanding
the delimitation of public and private space in EU pri-
vacy law. The authors propose a concept of privacy as
controlled public exposure, modelled on the notion of
a “new public” under Article 3 of the Information So-
ciety Directive, and inspired by recent jurisprudence
right to respect for private life. This, the authors ar-
gue, leads to an expansion of private spheres in pub-
lic life.
Abstract: Copyright Law and Privacy Law both grant
individuals exclusive control over the dissemination
of expression or personal information, respectively.
A number of criteria emerged in the ‘new public’ ju-
risprudence of the CJEU based on Article 3 Directive
2001/29/EC (InfoSoc Directive), that determine how
right holders can retain control over copyright-pro-
tected works after their first publication. The Court
established that the scope of a public in copyright law
depends, among other factors, on the subjective in-
tention of the person who exposes a work to an audi-
ence. The case law suggests that several ‘publics’ co-
exist, and that the exposure of works to one of these
‘publics’, does not automatically justify exposure to
other public spheres. The exposure of these works to
A. Introduction
1 In their seminal 1890 article “The Right to Privacy”,
Samuel D. Warren and Louis D. Brandeis relied on
copyright law to construct a right to privacy.
1
While
both legal regimes have been under extreme pressure
over the last years they have developed similar
solutions in order to adapt to constant technological
* Dr. Bernd Justin Jütte, Assistant Professor, School of Law,
University of Nottingham and Senior Researcher, Vytautas
Magnus University. For correspondence
nottingham.ac.uk>; Annelies Vandendriessche, Doctoral
Researcher, Faculty of Law, Economics & Finance,
University of Luxembourg. For correspondence
vandendriessche@uni.lu>.
1 Samuel D Warren & Louis D Brandeis, ’The Right to Privacy’
[1890] Harvard Law Review 193.
challenges to their respective scope. Therefore, it
seems appropriate to revisit the similarities between
the right to privacy and copyright, similarities which
have indeed also inspired recent legal doctrine
concerning the rights of control of data subjects
over their personal data.2 This article examines
the commonalities between the right to privacy
under Article 8 of the European Convention on
Human Rights (ECHR) and the exclusive right to
‘communication to the public’ under Article 3 of the
Information Society Directive
3
in order to expose
2 See only Pamela Samuelson, ‘Protecting Privacy Through
Copyright Law?’ in Marc Rotenberg, Julia Horowitz &
Jeramie Scott (eds), (The New Press 2014), 191 and Neil M.
Richards, ‘The Puzzle of Brandeis, Privacy, and Speech’
[2010], Vanderbilt Law Review 1295.
3 European Parliament and Council Directive 2001/29/EC
Responsible information sharing
2020
311
3
what is considered the foundation for a horizontal
concept of the public and private divide in a modern
and digital environment.
2
Accordingly, this article will rst explore the
evolving interpretation of the right to privacy by
the European Court of Human Rights (ECtHR), which
lays down rst steps in, what is argued, the right
direction for allowing the legal concept of privacy
to better respond to contemporary challenges to
privacy in a digital environment. Second, it will trace
the evolution of the communication to the public
(C2P)-right in EU copyright law as an example of a
different approach to delineate private and public.
It will conclude by positioning these concepts in
the context of European data protection law and
its general principles to demonstrate that the
incorporation of the C2P-concept into privacy
law is not only a possible solution for delimiting
the private/public divide in the Information and
Communication Technology (ICT) context, but
can also be accommodated within the systematic
structure of privacy law.
B. Towards a contextual
approach to privacy in the
jurisprudence of the ECtHR
I. The validity of the private
sphere/public sphere
divide in the ICT context
3
There are many different legal perceptions of exactly
what type of information should be protected by a
right to privacy, which are the underlying reasons
to protect privacy, and to which extent protection
is required. Therefore, one could classify the
concept of privacy as somewhat of an essentially
contested concept.
4
The fact that there are multiple
understandings of what the concept of privacy
encompasses helps to explain why privacy has
consistently grappled to adapt to changing social
and technological contexts.
4
Despite various interpretations of the meaning
of the term ‘privacy’, one aspect all traditional
interpretations of privacy have in common is their
reliance on a private sphere/public sphere divide.
of 22 May 2001 on the harmonisation of certain aspects
of copyright and related rights in the information society
[2001] OJ L 167/10 (InfoSoc Directive).
4 Walter Bryce Gallie, ‘Essentially Contested Concepts’ [1956]
Proceedings of the Aristotelian Society 167, 167.
This separation of spheres is traditionally used to
determine when the right to privacy is violated;
namely when personal information, which belongs to
the private sphere, is inappropriately released into the
public sphere.5 An appropriate disclosure of personal
information into the public sphere must, according
to the private/public dichotomy, be legitimised by
means of principles such as consent and contractual
agreement, possibly coupled with a right of
ownership of personal information or of control over
publicising that personal information.
6
According
to this traditional divide, once an individual, or his
information, enters the public sphere, his behaviour
and information become public, and are therefore
no longer protected by a right to privacy.7 In the
traditional interpretation of the private sphere/
public sphere divide, the focus has thus been on the
origin of the information, whether it originated in a
private or in a public context, since this origin would
also determine the nature of the information in an
inextricable manner.
5 Nissenbaum argued that this aspect in particular is
at odds with what individuals intuitively understand
when they consider what constitutes their private
life, at odds with their ‘expectations of privacy’:
not all information made public or available within
a public space should automatically be there
for the taking.8 Technological progress further
aggravates the consequences of this misconception
by contributing to blurring the demarcations of
the private-public divide. As a result, it becomes
increasingly problematic to rely on the intuitive
expectation that all information that is public or
collected within the public sphere is also immediately
available for all to use. The use of new technologies
leads to questioning of the traditional perception
that information available in the public domain is by
consequence and necessarily also public in nature.
Examples that illustrate this problem are the “DNA
traces we automatically ‘leak’ into public space by just
being there” or the “proliferation of smart devices in public
space that blur the boundaries between public and private
information and the storing and sensing thereof”.9 Other
5 Maria Brincker, ‘Privacy in Public and the Contextual
Conditions of Agency’ in Tjerk Timan, Bryce C Newell &
Bert-Jaap Koops (eds), Privacy in Public Space: Conceptual
and Regulatory Challenges (Edward Elgar Publishing 2017)
66.
6 ibid.
7 ibid; Helen Nissenbaum, ’Protecting Privacy in an
Information Age: The Problem of Privacy in Public.’ [1998]
Law and Philosophy 559, 559.
8 Brincker (n 5) 66.
9 Tjerk Timan, Bryce Newell & Bert-Jaap Koops (eds), Privacy
2020
Annelies Vandendriessche and Bernd Justin Jütte
312
3
examples are new surveillance technologies such
as drones, or the use of location trackers contained
in our cell phones, smart watches and exercise
trackers, and the use of ever more sophisticated
data analysis tools for analysing social networking
websites. All these technologies process personal
data which is, in principle and seemingly public
(or rather communicated in a public space).
10
The
processing of personal data constitutes a particular
challenge for privacy protection in general, and for
demarcating the public/private divide in particular,
since technological advances have rendered personal
data processing more effortless, sophisticated and
large-scaled than could be foreseen at the time
of adoption of the ECHR.11 Instead of viewing the
public-private divide in a strictly dualist manner,
the current partition between both spheres should
rather be considered multi-facetted, unsettled and
with several fault lines and cutting edges overlapping
and crossing each other.12
6 The boundaries have become blurred in such a way
that it is no longer possible to consider privacy
concerns in terms of a simple dichotomy, where
the domain in which the information originated
also determines the private or public nature of
that information. A more valid paradigm today
could be to consider privacy concerns in context.13
Privacy will increasingly need to protect not only
personal, private and intimate information for which
individuals are generally cautious about how and
where they share it, but also information individuals
share willingly or not, but which will be stored,
analysed and manipulated increasingly frequently
for often unforeseeable purposes, with impacts on
private life in equally unforeseeable ways.14
7
In this regard, Helen Nissenbaum developed the idea
of a concept of privacy understood as ‘contextual
integrity’, which would be adapted to the manner
in which technology has inuenced our day-to-day
in Public Space: Conceptual and Regulatory Challenges
(Edward Elgar Publishing 2017) 3.
10 Mathias Vermeulen, ‘The Scope of the right to private
life in public spaces’ (2014) European University Institute
SURVEILLE Working Paper D4.7, 5.
11 Seyed E Dorraji & Mantas Barcys, ’Privacy in Digital Age:
Dead or Alive?! Regarding the New EU Data Protection
Regulations’ [2016] Social Technologies 306, 307.
12 Gary T Marx, ’Murky conceptual waters’ [2001] Ethics and
Information Technology 157, 160.
13 Timan et al (n 9) 2.
14 Brincker (n 4) 67.
lives.
15
She conceptualised the right to privacy as
a right to “context-appropriate ows” of information
about oneself rather than as an absolute right to
secrecy and control over information.
16
This can best
be described as a “norm-governed ow of information
that has been calibrated with features of the surrounding
social landscape, including important moral, political,
and context- based ends, purposes, and values.”
17
This
framework helps to understand why individuals
have varying privacy expectations in different social,
public, contexts: such as politics, education, health
care or the workplace, or when individuals engage
with close family and friends.18 Many have attempted
to further develop Nissenbaum’s idea of contextual
integrity and to apply it in practice, but the concept
is not easily integrated into formal law.19
8
Notwithstanding this difculty, the ECtHR has
already developed a legal framework for privacy
protection for the Member States (MS) of the ECHR,
which afrms that the private-public divide can
no longer be upheld in a dogmatic manner. This
jurisprudence has gradually broadened the scope
of application of ‘private life’ as understood under
of privacy in public in response to technological
evolution and increasing and diverse use of ICT.
II. The broadened scope of
the right to the protection
of private life under Article
9
Three crucial steps can be discerned in the
jurisprudence of the ECtHR, which have contributed
to moving towards a contextual approach to the
steps which we will develop more extensively
hereinafter, have led to the recognition of a degree
of privacy in public to individuals, in the face of new
technological developments.
10
First, by gradually broadening the scope of the notion
of ‘private life’ in light of modern developments, the
ECtHR increasingly interpreted the right to respect
15 Helen Nissenbaum, Privacy in Context: Technology, Policy,
and the Integrity of Social Life (Stanford University Press
2010).
16 ibid 187.
17 ibid 188.
18 ibid 3.
19 Timan et al (n 8) 2.
Responsible information sharing
2020
313
3
for private life as a positive right, 20 which includes
granting a limited right to privacy in public, and
which adapts to varying contexts.
challenges posed to private life by the use of modern
technology, including to those blurring the public-
private divide, through the incorporation of a right
to protection of personal data under the scope of the
right to protection of private life.21
12
And third, even if a situation does not strictly fall
under the category of processing of personal data,
it can still be considered an intrusion of private life
beyond the ‘reasonable expectations of privacy’
(REoP). The importance of this nal jurisprudential
criterion, although still quite undeveloped under the
ECHR framework, is not to be underestimated when
it comes to delimiting privacy in public.
1. The broad conception of the
notion of ‘private life’
13
negative freedom from arbitrary intervention by
the State with the right to private life.22 However,
under the Convention, States may also have
positive obligations to ensure effective respect for
private life, including in relations between private
individuals.23 Even more, in Niemitz v Germany
the ECtHR afrmed t hat a broad non-exhaustive
denition should be given, and preferred over
a narrow one, to the concept ‘private life’.24 The
Court already acknowledged here that limiting the
notion of private life strictly to an ‘inner circle’ in
which an individual can live his personal life, from
which the outside world is excluded, would be
20 Bart van der Sloot, ‘Privacy as Personality Right: Why
the ECtHR’s Focus on Ulterior Interests Might Prove
Indispensable in the Age of “Big Data”’ [2015] Utrecht
Journal of International and European Law 25, 28.
technological developments is already reected in and has
been discussed e.g. by Peter J Hustinx, ‘Data Protection in
the European Union’ (2005) Privacy & Informatie 62, 62.
22 Kroon and Others v The Netherlands App no 18535/91
(ECtHR, 27 October 1994) para 31.
23 Marckx v Belgium App no 6833/74 (ECtHR, 13 June 1979)
para 31.
24 Niemitz v Germany App no 13710/88 (ECtHR, 16 December
1992) para 29.
too narrow a denition.25 With this interpretation
the ECtHR already moved beyond a strict private
space/public space dichotomy. The Court stressed
in Niemitz v Germany that the private sphere includes
aspects of professional life and business activities,
since it is “in the course of their working lives that the
majority of people have a signicant, if not the greatest,
opportunity of developing relationships with the outside
world”.26 It further emphasised that giving such a
broad interpretation to the notion of private life is
essential given that both personal and professional
spheres cannot always be easily distinguished.
27
The
Court interpreted the concept of ‘privacy’ further
to encompass issues such as privacy in se, physical,
psychological or moral integrity, as well as issues
has been interpreted to include, in essence, any
issue concerning “the development, without outside
interference, of the personality of each individual in his
relations with other human beings.”29 This should be
understood to mean that the ECtHR also includes
interactions of individuals with others, even in a
public context or setting.30
14
Despite its original conception as a negative
freedom, the right to the protection of private life
with its emphasis on self-development under Article
31
has been interpreted as closer to a positive
freedom,32 which not only shields individuals from
outside interference, but also allows individuals to
take control of how they manage their privacy or
rather their relationships with others in a societal
context. 33
25 ibid.
26 ibid.
27 ibid.
28 Guide on Article 8 of the Convention – Right to respect for
private and family life (last updated 31/12/2017)
www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf> 18.
29 ibid 28.
30 Von Hannover (No 2) v Germany App nos 40660/08 &
60641/08 (ECtHR, 7 February 2012) para 95.
31 See Pretty v The United Kingdom App no 2346/02 (ECtHR,
29 April 2002) para 61.
32 Bart van der Sloot, ’Privacy as Human Flourishing: Could a
shift towards virtue ethics strengthen privacy protection in
the age of Big Data?’ [2014] Journal of Intellectual Property,
Information Technology and E-Commerce Law 230, 232.
33 Theo Hooghiemstra, ’Informational Self-Determination,
Digital Health and New Features of Data Protection’ [2019]
2020
Annelies Vandendriessche and Bernd Justin Jütte
314
3
2. Integrating the right to protection of
15 Together with a broad conception of the notion of
private life as a positive freedom, the inclusion of
the right to protection of personal data within the
in public contexts. The fact that the ECtHR found
it neither possible nor necessary to exhaustively
determine the content of the notion of ‘private life’,
34
has, on the one hand, kept the boundary between
the private and the public purposely vague. On the
other hand, it has lent the concept of ‘private life’ the
necessary malleability to respond to technological
advancements and the emergence of new interests.
Technological advancements have frequently
challenged the right to protection of private life.
Indeed, Warren and Brandeis’s plea favouring the
creation of a right to privacy, did so in response to
“recent inventions and business methods” which were
thought to be intrusive on private life, such as
“instantaneous photographs and newspaper enterprise”.
35
Likewise, the creation of a right to protection of
the adoption of Convention 10836 in 1981,37 occurred
in response to increasing automated personal data
processing since the 1960s as a result of the increased
use of the computer. More recently, processing of
personal data is taking place in an ever more large-
scaled and rened manner through the use of the
Internet and connected technologies and for new
business purposes, such as the phenomenon of ‘Big
Data’, leading the EU to revise its data protection
legal framework with the adoption of the GDPR38 and
the Council of Europe to modernise Convention 108.39
European Data Protection Law Review 160, 167, see on the
notion of positive freedoms: ‘Two Concepts of Liberty’ in
Isaiah Berlin, Four Essays on Liberty (Oxford University
Press 1969).
34 See Niemitz v Germany App no 13710/88 (ECtHR, 16
December 1992) para 29.
35 Warren & Brandeis (n 1) 195.
36 Convention for the Protection of Individuals with regard
to Automatic Processing of Personal Data (adopted 28
January 1981, entered into force 1 October 1985) ETS No 108
(Convention 108).
37 See Convention 108, art 1: the “right to privacy, with regard
to automatic processing of personal data relating to him
(“data protection”)”.
38 Mathias Vermeulen (n 10) 4.
39 See Protocol amending the Convention for the Protection of
Individuals with regard to Automatic Processing of Personal
Data (10 October 2018) CETS No 223 (Protocol 223).
Due to the increased role of processing of personal
data in our daily lives as a consequence of internet-
usage, the right to protection of personal data has
gained a very important place in privacy protection.
16
In line with the ECtHR’s interpretation of the
Convention as “a living instrument, which [...] must
be interpreted in light of present-day conditions”,40
the ECtHR gradually included many provisions of
Convention 108 under the scope of protection of
17 In Z v Finland, the ECtHR nally explicitly conrmed
the connection between Convention 108 and Article 8
ECHR,
41
by holding that “the protection of personal data
[...] is of fundamental importance to a person’s enjoyment
of his or her right to respect for private and family life
jurisprudence then asserted that the broadening
of individuals to develop relationships with others,
including in professional or business contexts
meant the equalisation of the respective scopes of
Moreover, the ECtHR explicitly stated that “public
information can fall within the scope of private life where
it is systematically collected and stored in les held by
the authorities.”44 Despite the equalisation of the
108 for the processing of personal information,
not all processing of public information can fall
in the jurisprudence is placed on the systematic
collection and storage of such public information
creating a permanent record, thereby excluding the
simple possession of, or the simple use of, public
40 Tyrer v The United Kingdom App no 5856/75 (ECtHR, 25
April 1978) para 31.
41 Herke Kranenborg, ‘Article 8’ in Steve Peers, Tamara
Hervey, Jeff Kenner & Angela Ward (eds), The EU Charter of
Fundamental rights, A Commentary (Hart Publishing 2014)
228.
42 Z v Finland App no 22009/93 (ECtHR, 25 February 1997) para
95.
43 See Rotaru v Romania App no 28341/95 (ECtHR, 4 May 2000)
para 43 & Amann v Switzerland App no 27798/95 (ECtHR, 16
February 2000) para 65.
44 Rotaru v Romania App no 28341/95 (ECtHR, 4 May 2000)
para 43 & PG and JH v The United Kingdom App no 44787/98
(ECtHR, 25 September 2001) para 57.
45 Herke Kranenborg, Toegang tot documenten en
bescherming van persoonsgegevens in de Europese Unie:
Over de openbaarheid van persoonsgegevens (Meijers-
reeks) (1st edn, Kluwer 2007) 118.
Responsible information sharing
2020
315
3
therefore only a systematic subsequent processing
of public personal data which may raise concerns for
the protection of the rights guaranteed by Article 8
ECHR. 47
18
In order to establish whether or not a specic
processing or further processing of personal
data drawn from a public context falls under the
protective scope of private life, the Court devised
three criteria in S and Marper v The United Kingdom
which are to be taken into account. The application of
these criteria can both alternatively or cumulatively
bring a processing of public information within the
examine the “specic context in which the information
at issue has been recorded and retained”. Second, “the
nature of the records” will be examined, and third, “the
way in which these records are used and processed and the
result that may be obtained” must be considered.49 In
practice however, when the Court does not succeed
in drawing a link to private life based on these
three criteria, a fourth criterion comes into play,
namely whether a situation exceeds an individual’s
Reasonable Expectation of Privacy (REoP).50 It is
of particular relevance when “the way in which the
records are used and processed” results in making
this personal information available to a broader
public than could be reasonably expected by the
individual concerned.51 An important example of
a way in which the further processing of personal
data originating from the public domain could lead
to a publication of this data to a larger public than
could be expected, is when such data is published
to a broad audience by the media. Such a further
processing would however not only raise potential
privacy concerns, it would also require a balancing
between the right to protection of private life and
the right to freedom of expression guaranteed by
46 ibid.
47 ibid.
48 Kranenborg (n 45) 119.
49 S and Marper v The United Kingdom App nos 30562/04 &
30566/04 (ECtHR, 4 December 2008) para 67.
50 Kranenborg (n 45) 121.
51 ibid.
3. The role of the REoP-criterion in
protecting privacy in public
19
The REoP-criterion seems rather underdeveloped
as a legal concept when used by the ECtHR to
determine the scope of application of ‘private
life’. In some cases, the Court seems to be able to
determine without difculty whether or not private
life safeguards apply, whilst in other cases the
Court makes recourse to the REoP -criterion.52 As a
legal concept, it may have seeped into the ECtHR’s
jurisprudence by inuence of the English common
law, in which a ‘general tort of privacy’ has not yet
been developed,
53
and which applies the criterion
to determine the scope of the right to privacy.54
A double-layered approach in cases concerning
misuse of private information is generally followed
by the English courts: rst, the question examined is
whether the individual had a reasonable expectation
of privacy; second, a balancing will be carried out
between the privacy interests and the interests in
revealing the private information to the public.55
Carrying out a REoP-test in this manner is founded
on two justications. The rst justication, refers
to the impossibility of the alternative to this test,
to exhaustively dene distinct categories of private
information, a drawback which can be offset by
reference to a more objective REoP-test.56 The
second justication sees the test as effectively
striking the balance between the objective notion
of what information society deems an individual
to reasonably have a right to keep private, and the
subjective notion of the expectations an individual
may have in relation to the control of the disclosure
of information concerning himself.57
52 Eric Barendt, ‘A reasonable expectation of privacy’: a
coherent or redundant concept?’ in Andrew T Kenyon
(ed), Comparative Defamation and Privacy Law (Cambridge
University Press 2018), 104.
53 Gavin Phillipson, ‘The ‘right’ of privacy in England and
Strasbourg compared’ in Andrew T Kenyon & Megan
Richardson (eds), New Dimensions in Privacy Law:
International and Comparative Perspectives (Cambridge
University Press 2011) 184; see also Raymond Wacks,
’Why there will never be an English common law privacy
tort’ in Andrew T Kenyon & Megan Richardson (eds), New
Dimensions in Privacy Law: International and Comparative
Perspectives (Cambridge University Press 2011).
54 Barendt (n 52) 105.
55 ibid 102.
56 ibid 105.
57 ibid 106.
2020
Annelies Vandendriessche and Bernd Justin Jütte
316
3
20
A review of the ECtHR’s jurisprudence reveals
that the Court opted for an approach that denes
categories of private information non-exhaustively,
supplemented by a REoP - test, which captures
the objective notion of what an individual has a
reasonable right to keep private in the information
society. The REoP-criterion carries a specic purpose
in the jurisprudence of the ECtHR. It functions as a
fallback criterion when a data processing situation
involving personal data available in the public
domain could not be tied to private life according
to the three criteria developed in S and Marper
v UK, yet exceeds the REoP of an individual and
would therefore merit to fall under the protective
particular when personal data is exposed to a wider
audience than originally intended or expected by
the individual in question, without his consent.59
The application of this criterion would also bring
any further processing of personal data beyond what
could be reasonably expected under the protective
60
Hence, it represents an
important criterion for delimiting privacy in public
space.
21 It is important in this context not to overstate the
jurisprudence, since the REoP is not necessarily
a conclusive factor for the application of the
The Court held in PG and JH v The United Kingdom
regarding expectations of privacy specically, that
a number of factors must be taken into consideration
when contemplating whether or not the right to
private life is affected by matters occurring outside
of the home or outside of private property. The
Court nevertheless emphasised that, in situations
in which people “knowingly or intentionally” engage
in activities which they know could or will be
reported or recorded publicly, a person’s “reasonable
expectations as to privacy” still remain a signicant
factor in determining the scope of privacy protection
applicable.61
22 Privacy protection was interpreted by the ECtHR to
cover a person’s identity, including the publication
of a person’s name or photographs of a person taken
in public, it includes his physical and moral integrity,
as well as any personal information which a person
can legitimately expect should remain private and
should not be publicised without requiring prior
58 Kranenborg (n 41) 121.
59 ibid.
60 ibid.
61 PG and JH v The United Kingdom App no 44787/98 (ECtHR,
25 September 2001) para 57.
consent.62 This entails that these aspects of private
life for which there is a REoP can also remain
protected, even in a public context. Moreover,
the processing of publicly available personal data
does not need to concern data of a sensitive nature,
the mere coming into existence of a systematic or
permanent record of any type of publicly available
data, beyond its originally expected use, may in itself
raise a privacy concern. 63
23
The REoP-criterion is thus particularly interesting
for its potential use in delimiting the further
processing and use of personal information already
made available in the public domain, when it is
published to a larger audience or public than was
originally intended. One could consider, for example,
the sharing of personal information by users of social
media platforms. News outlets regularly publish
news stories containing social media content made
publicly available by private users on these social
media networks, thereby exposing this content to a
larger public than was originally intended, or could
be reasonably expected, by that user. Taking the
REoP-criterion into account as an additional criterion
when balancing the right to freedom of expression
of the media with the right to protection of private
life of the social media user, could enable the user to
retain some measure of control over if and how his
personal information is subsequently disclosed to the
public at large. In sum, the ECtHR’s case law supports
the idea that it is not because personal and private
information is publicly available, that it becomes by
its nature public, it retains its private character. Any
further systematic processing of that information,
bringing into existence a permanent record of that
information, such as through a media publication
disclosing or further exposing the information in
question, may give rise to privacy concerns.
62 Guide on Article 8 of the Convention – Right to respect for
private and family life (last updated 31/12/2017)
www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf> 28.
63 PG and JH v The United Kingdom App no 44787/98 (ECtHR,
25 September 2001) para 57.
Responsible information sharing
2020
317
3
4. The REoP-test in practice
24
In Satakunnan Markinapörssi Oy and Satamedia Oy v
Finland (2017), the ECtHR demonstrated the use of the
REoP-criterion to tie a public personal data processing
when balancing the right to protection of private life
with the right to freedom of expression. Although
the ECtHR’s use of the REoP-criterion is not explicit
in this case, the Court’s arguments seem inspired
by the REoP-criterion when referring to the fact
that the media companies in question made public
tax data “accessible in a manner and to an extent not
intended by the legislator”.
64
The Court thus attributed
signicant importance to the purpose of the original
rst publication of tax data of Finnish citizens under
public access to tax information legislation, in order
to determine whether a further processing of that
information was legitimate from a privacy and
data protection viewpoint. The Court considered
that although personal information was publicly
available, it could not simply be republished in a
simpler, more easily accessible form.
25
At stake was the question whether tax data of 1.2
million people, without distinction of whether they
were ordinary individuals or individuals with a public
function, could be published as a list in a newspaper
and made searchable through an on-request SMS
service, without the consent of the individuals
concerned. Important in relation to this case is the
fact that tax data of all Finnish citizens was made
publicly available by the State and could be freely
consulted. Legislative safeguards restricted bulk
downloading of the database for media companies.
Access-requests were limited to a maximum of 10
000 persons for the whole country, and 5 000 persons
for a specic region.
65
Further restrictions applied
when requesting data on the basis of income. When
requesting data, the limit for earned income is
set to at least 70 000 euros, whereas the limit for
capital income is set at 50 000 euros.66 This taxation
data is available in digital format, but the making
of copies of this data is prevented by the Tax
administration and is prohibited.67 When requested
for journalistic purposes, the inquirer must declare
that the information will not be published as such
in the form of a list.68 When the Data Protection
Ombudsman was notied of the access request made
64 Satakunnan Markinapörssi Oy and Satamedia Oy v Finland
App no 931/13 (ECtHR, 27 June 2017) para 190.
65 ibid para 52.
66 ibid.
67 ibid, para 49.
68 ibid, para 51.
by the applicant companies in 2000 and 2001, it asked
these companies to give more information regarding
their request and that access to the data could not
be given if the applicant companies continued to
publish the information in its current form.69 The
applicant companies circumvented this hurdle by
hiring individuals to manually collect the taxation
data, which would later be compiled to reconstruct
large parts of the database.70
26 It must be claried with regard to the Satakunnan-
case, that although it concerned a conict between
Article 10 ECHR rights of media companies, the
applicants Satakunnan Markinapörssi and Satamedia
led a case with the ECtHR claiming an infringement
of Article 10 ECHR. As a consequence, the evaluation
of the ECtHR was carried out from the perspective
of whether or not Article 10 ECHR was infringed
by the Finnish State when it limited publication of
the tax data by the applicant companies. However,
protect fundamental rights of an equal importance,
the balancing test carried out by the ECtHR has been
standardised by the Court no matter under which
of the two articles an application is led. In a rst
step, the ECtHR therefore did establish whether
evaluating whether or not privacy concerns were at
stake. By reference to its previous jurisprudence the
ECtHR concluded that despite the fact that taxation
data in Finland are in the public domain, privacy
issues nevertheless arise,71 for seven reasons:72
1.
the concept of private life must be dened
broadly, rather than exhaustively;73
2.
private life not only includes physical and
psychological integrity, but also business or
professional activities of the individual,74 as
well as his right to live in a private, isolated and
secluded manner;75
69 ibid, para 12.
70 ibid, para 12.
71 ibid, paras 196-199.
72 ibid, paras 138.
73 S and Marper v The United Kingdom App nos 30562/04 &
30566/04 (ECtHR, 4 December 2008) para 66.
74 Niemitz v Germany App no 13710/88 (ECtHR, 16 December
1992) para 29.
75 Smirnova v Russia App nos 46133/99 & 48183/99 (ECtHR,
2003) para 95.
2020
Annelies Vandendriessche and Bernd Justin Jütte
318
3
3. even in public, a sphere of interaction between
individuals may be considered to fall under the
4.
when data protection issues are concerned,
the ECtHR refers to the Convention in order
to afrm that private life must be interpreted
broadly also in the context of data protection,
since this corresponds to the object and purpose
of Convention 108, expressed in its articles 1 and
2;77
5.
even if information is already in the public
necessarily removed, a balance of interests must
still be made between further publishing that
information and privacy considerations;78
6. private life is affected whenever personal data
of the individual is compiled, used, processed
or published in a manner beyond what can be
reasonably foreseen;79
individuals with a right to a form of informational
self-determination, the right to privacy should
apply whenever data are collected, processed
and disseminated in a form or manner which
raises privacy concerns.80
27
Taking all these elements into consideration, the
Court held in Satakunnan that mass-processing
and publication of tax data of a large number of
individuals in the newspaper Veropörssi gave rise
to privacy concerns, notwithstanding the fact that
such tax data were made available to the public by
the Finnish State on access request.81
28
More specically, when balancing the right to privacy
against the right to freedom of expression the Court
found that ve factors must be evaluated. The rst
76 PG and JH v The United Kingdom App no 44787/98 (ECtHR,
25 September 2001) para 56.
77 Amann v Switzerland App no 27798/95 (ECtHR, 16 February
2000) para 65.
78 Von Hannover v Germany App no 59320/00 (ECtHR, 24 June
2004) paras 74-75 & para 77.
79 Uzun v Germany App no 35623/05 (ECtHR, 2 September
2010) paras 44-46.
80 Satakunnan Markinapörssi Oy and Satamedia Oy v Finland
App no 931/13 (ECtHR, 27 June 2017) paras 138.
81 ibid, para 138.
factor relates to whether the publication contributed
to a debate of public interest or whether it was “aimed
solely at satisfying the curiosity of a particular readership
regarding the details of a person’s private life”.82 In order
to establish this, the publication as a whole must
be taken into account and the context in which it
was released.83 The Court afrmed in Satakunnan
that although the publication of tax data by the
Finnish authorities undoubtedly serves a public
interest, namely that of government transparency,
access to this information was not unlimited and was
subject to clear rules and conditions under Finnish
law: public interest in the publicity of tax data does
not automatically justify its re-publication.84 The
Court was not convinced that publishing raw tax
data by the applicant was in the public interest,
considering that the data of 1.2 million Finns was
simply published as catalogues, the only editorial
input being their organisation by municipality.
85
The
applicant companies argued that the publishing of
raw tax data would enable Finns to draw conclusions
on the results of tax policy, but they did not explain
how they would be able to perform such an analysis
based on the publication of raw data alone.86 For
these reasons, the publication was found not to be
in the public interest but merely aimed at enabling
voyeurism.87
29
The second factor relates to the subject of the
publication and the notoriety of the persons
concerned by the publication.88 The Court observed
that with 1.2 million individuals a third of the Finnish
population was concerned by the publication, most
of which belonged to low income groups. The
newspaper did not distinguish between particular
categories of persons, such as politicians, public
ofcials or public gures who belong to the public
sphere as a result of their profession, earnings or
position.89
82 Satakunnan Markinapörssi Oy and Satamedia Oy v Finland
App no 931/13 (ECtHR, 27 June 2017) para 169.
83 Couderc and Hachette Filipacchi Associés v France App no
40454/07 (ECtHR, 10 November 2015) para 102.
84 Satakunnan Markinapörssi Oy and Satamedia Oy v Finland
App no 931/13 (ECtHR, 27 June 2017) paras 173-174.
85 ibid, para 176.
86 ibid, para 176.
87 ibid, para 177.
88 ibid, paras 179-181.
89 ibid, para 179.
Responsible information sharing
2020
319
3
Furthermore, not only did the applicants not take the
personal nature of this data into account, but they
also failed to consider that information collected by
the tax authorities for one specic purpose could not
simply be repurposed by them.90
30
A third factor concerns how the information was
obtained and the truthfulness of the information.91
The latter was not in question, however although the
applicants did not use illicit means to access the data,
they circumvented both the technological and legal
limitations for the access to tax data by journalists.
These measures were aimed at striking a balance
between the various interests at stake: to ensure
that collected data was used only for journalistic
purposes and would not be published in its entirety.92
31
A fourth factor then relates to the content, form and
consequences of the publication.
93
In this regard, the
main issue addressed by the Court was the fact that
even though the data were publicly accessible under
Finnish law this still did not mean that they could
be re-published without limitation.
94
What was truly
objectionable was that the publication of long lists
of raw personal data and its searchability through
an SMS-service made the information accessible
in a manner and to an extent not foreseen by the
legislator.95
32
Finally, the fth factor relates to the severity
of the sanction imposed on the publisher of the
personal information.
96
The Court concluded that
the applicants were not prohibited by the local
authorities from continuing to publish tax data,
they simply had to do so in a fashion consistent
with European data protection legislation, this was
therefore not a disproportionate measure. 97
33
Without providing a bright-line rule, the Court in
Satakunnan applied and developed its earlier case-
law, to carefully balance all involved interests, taking
into account the technological context of publicly
available information. Important to remember for
90 ibid, para 181.
91 Satakunnan Markinapörssi Oy and Satamedia Oy v Finland
App no 931/13 (ECtHR, 27 June 2017) paras 182-185.
92 ibid, paras 184 &185.
93 ibid, paras 186-196.
94 ibid, para 190.
95 ibid.
96 ibid, paras 186-196.
97 ibid, 196-199.
our purposes, is that although Finnish tax data
may have been publicly available, it was subject to
access limitations. Consequently, obtaining access to
personal information does not automatically allow
the decontextualization and repurposing of that
personal information. This would only be possible
under strict conditions of proportionality, which
must be assessed by a balancing exercise.
C. European Copyright solutions for
delimiting the private public divide
34 This section lays out the main elements of the right
to communication to the public under Article 3
of the InfoSoc Directive as developed by the CJEU
and positions it vis-à-vis the right to privacy. For
the lawful access to works protected by copyright
it is necessary that the work has been published.
Publication requires, as a general rule, the consent
of the right holder, which in most cases will be
the author of the work. The act of publication is,
therefore, a conscious act that exposes a work to
the public. This language is also found in a number
of international and national legal instruments. For
example, Article 3(3) of the Berne Convention denes
‘published works’ as “works published with the consent
of their authors”. By analogy to the jurisprudence of
the ECtHR on privacy expectations for individuals,98
an author has to push his work into the limelight by
publishing it so members of the public can perceive
it. The analogy becomes even stronger in light of
the natural law theories on copyright, which protect
copyright as an emanation of the personality of the
author.99
35
The CJEU has consistently balanced the right to
freedom of expression, the right to property and
the right to privacy in the context of copyright
enforcement in relation to infringements via
the Internet. Privacy and property usually found
themselves on opposite sides of the balancing scale,
representing proprietary interests in intellectual
creations and in private information. Although
infringers, at least in the cases referred to the CJEU
for preliminary questions, did not themselves step
into the limelight, thereby exposing their private
98 See the von Hannover cases, in which the ECtHR
continuously developed the protection of privacy for public
gures based on their prior behavior, see in particular in
Von Hannover v Germany (No 1) App no 59320/00 (ECtHR,
24 June 2004) paras 70-75.
99 Jane C Ginsburg, ‘A Tale of Two Copyrights: Literary
Property in Revolutionary France and America’ [1990]
Tulane Law Review 991, 1013; Paul Goldstein & P Bernt
Hugenholtz, International Copyright: Principles, Law, and
Practice (3rd edn, Oxford University Press 2012) 6.
2020
Annelies Vandendriessche and Bernd Justin Jütte
320
3
information or simply their identity to the public.
But revealing private information was necessary
in order to effectively protect the interest of right
holders against infringements of their property
rights.
36
One particularly striking differentiation was made in
Promusicae, when the CJEU ruled that, because of the
different interests at stake, the right to privacy must
be balanced differently against the right to property
in the context of civil and criminal proceedings.
100
Whereas in relation to the former, MS are not obliged
to limit the privacy of internet users by ordering
the disclosure of trafc and access data to victims
of copyright infringements, in the latter case, as a
matter of public policy, MS can foresee limitations to
the right to privacy in electronic communications in
order to serve a number of public interests, including
the effective detection and prosecution of criminal
offences.101 In cases where copyright infringement
constitutes a criminal offence, national courts can
thus be required to order an intermediary to disclose
condential information about its customers.
Without having stepped into a public sphere,
infringers of copyright forfeit their right to absolute
condentiality when they unlawfully download or
stream protected works.
37 The CJEU has interpreted the notion of ‘the public’
in its jurisprudence on the exclusive C2P-right.
Under Article 3(1) right holders of protected work
enjoy the exclusive right “to authorise or prohibit any
communication to the public of their works, by wire or
wireless means, […].”
102
Exclusive rights allow right
holders to prevent or prohibit the use of their
works without their consent. In other words, save
for expressly permitted exceptions,103 all uses of
100 CJEU, Judgment of 29.01.2008, Promusicae, Case C-275/06,
EU:C:2008:54, para 51.
101 European Parliament and Council Directive 2002/58/EC of
12 July 2002 concerning the processing of personal data and
the protection of privacy in the electronic communications
sector [2002], OJ L 201/37 (E-Privacy Directive), art 15.
102 Article 3 of the directive serves to implement Article 8 of the
WIPO Copyright Treaty (1996), see also InfoSoc Directive,
recital 15.
103 The majority of these exceptions at EU level are contained
in Article 5 of the Information Society Directive, including
exceptions for quotations for purposes such as criticism
or review and uses for the purpose of caricature, parody
or pastiche, both of which have been made mandatory for
uses on online platforms, which fall within the scope of
Directive (EU) 2019/790 of the European Parliament and of
the Council of 17 April 2019 on copyright and related rights
in the Digital Single Market and amending Directives 96/9/
EC and 2001/29/EC [2019], OJ L 130, 17.5.2019, p. 92–125
a given work require permission from the right
holder. A general exible norm that would allow for
the accommodation of uses not expressly permitted
by an exception does not exist under EU copyright
law, and AG Szpunar has expressly rejected the
legality of such a norm.
104
However, he admitted that
in extreme situations copyright as an intellectual
property right protected under Article 17(2) of the
EU Charter, could be balanced directly against other
competing fundamental rights.105 However, the Court
did not follow this argument in its nal judgment.
38
As a general rule, a right holder, by consenting to the
publication of his work, agrees that the work can be
accessed by others. However, further dissemination
in a digital environment implies the C2P-right and
requires, as a result, consent.
39 The CJEU has developed the scope of the C2P-right
in several steps. The present analysis will focus on
the jurisprudence in relation to hyperlinking. The
question whether hyperlinking constitutes an act of
(DSM Directive), see in this regard João Quintais, Giancarlo
Frosio, Stef van Gompel, P. Bernt Hugenholtz, Martin
Husovec, Bernd Justin & Martin Senftleben, Safeguarding
User Freedoms in Implementing Article 17 of the Copyright
in the Digital Single Market Directive: Recommendations
from European Academics (November 11, 2019). Available
at SSRN: https://ssrn.com/abstract=3484968, in particular
p. 3. The general and global rule for exceptions to copyright
is contained in Article 5(5) of the Information Society
Directive, which contains a slightly modied version of the
International three-step test, as it rst appeared in the 1973
revision of the Berne Convention. Due to the structure of
the international and European norms the test binds the
national legislator when implementing the exceptions of
the InfoSoc Directive and serves an interpretative aid when
applying the exceptions as implemented into national
law, see Richard Arnold & Eleonora Rosati, ’Are national
courts the addressees of the InfoSoc three-step test?’ [2015]
Journal of Intellectual Property Law & Practice 741; see for
an application of the text in CJEU, Judgment of 26.04.2017,
Stichting Brein, Case C-527/15, EU:C:2017:300 paras 63-70.
104 AG Szpunar, Opinion of 12.12.2018 in Pelham and Others,
Case C-476/17, EU:C:2018:1002, para 98, conrmed by the
Court in CJEU, Judgment of 29.07.2019, Pelham and Others,
Case C-476/17, EU:C:2019:624, paras 56-65. For a recent
argument for a more exible norm to permit unauthorised
uses see Christophe Geiger & Elena Izyumenko, ‘Towards
a European ‘Fair Use’ Grounded in Freedom of Expression’
(April 26, 2019). Forthcoming in: American University
International Law Review, Vol. 35, No. 1, 2019; Centre
for International Intellectual Property Studies (CEIPI)
Research Paper No. 02-19. Available at SSRN: https://
ssrn.com/abstract=3379531 or http://dx.doi.org/10.2139/
ssrn.3379531.
105 AG Szpunar, Case C-476/17 (Pelham and Others), para 56.
Responsible information sharing
2020
321
3
communication to the public has inspired the CJEU
to develop a complicated construct of conditions for
the legality of providing web links. This case law,
and its application in a digital environment, can give
valuable insights into the public/private divide. The
following section will outline the different criteria
developed by the CJEU and highlight some of the
cases in which the Court provided arguments and
interpretation that can be instrumentalised to
further a discussion on the use and re-use of private
data on the internet.
I. The right of communication
to the public
40
In the absence of a denition of the right to
communication to the public, the CJEU has
interpreted the scope of Article 3 InfoSoc Directive
on the basis and in the light of the EU’s international
obligations.106 The two central elements to the
exclusive right are an act of communication, and that
this act is directed towards a public. The requirement
of an act of communication underlines the necessity
of a conscious intervention,107 as opposed to a
mere passive behaviour. An act of communication
within the meaning of Article 3(1) must consist in a
transmission or an indispensable intervention that
provides or facilitates third party access to a work.108
41
The communication must further be directed to a
public, which is dened as an indeterminate and
large number of people. The Court established a de
minimis threshold excluding private gatherings and
small and insignicant numbers of persons,109 but
106 CJEU, Judgment of 7.12.2006, SGAE v Rafael Hoteles, Case
C-306/05, EU:C:2006:764, paras 40-41.
107 ibid, para 42, the CJEU has also interpreted this criterion to
the effect that the mere provision of a directory of torrent
les (CJEU, Judgment of 14.06.2017, Ziggo, Case C-610/15,
EU:C:2017:456, para 26) and even the sale of a receiver box
that contains software that makes links to unauthorised
streaming offers available to owners of such a box are,
if not indispensable interventions, interventions that
signicantly facilitate access to infringing content (CJEU,
C-527/15 (Stichting Brein), para 41)
108 This rather murky criterion has been developed by the
CJEU in a line of cases from CJEU, C-306/05 (SGAE v Rafael
Hoteles), para 42 to CJEU, C-610/15 (Ziggo), para 36; on the
gradual softening of the ‘indispensability’ requirement see
João Pedro Quintais, ‘Untangling the hyperlinking web: In
search of the online right of communication to the public’
[2018] The Journal of World Intellectual Property 385, 388.
109 CJEU, Judgment of 15.03.2012, SCF, Case C-135/10,
EU:C:2012:140, para 86.
ruled that subsequent guests of a hotel constitute
a public large enough to be considered relevant for
the purposes of Article 3.110 It, unsystematically,
also links this criterion to the question whether the
commission of the act of communication is made in
the context of an economic activity.111
1. The notion of public
42
In addition to the quantitative requirement of a “large
number of people” the CJEU has also added a subjective
and qualitative element to the notion of ‘the public’.
A communication must be directed towards a ‘new’
public, which is a public that has not been taken into
consideration by the right holder or his assignee in
any prior act of communication.
112
As a general rule,
the transmission of a work by different technical
means always constitutes a communication of the
work to a new public.113 The retransmission by the
same technological means is therefore an act of
communication to a new public only if it is targeted
at an audience or a circle of recipients included in
earlier acts of communication. This means rst, that
there are several publics and not merely one large
group of people that form ‘the’ public.
114
And second,
the right holder decides or has a certain inuence
on what the relevant public is. To relate this to the
right to privacy, a right holder can consciously direct
towards and expose his work to a selected, roughly
dened public in the same way that an individual
could chose to surrender his information to the
public in a way that personal data becomes freely
accessible to third parties.
110 CJEU, C-306/05 (SGAE v Rafael Hoteles), paras 37-38.
111 Quintais (n 108) 397-398; see for example CJEU, C-306/05
(SGAE v Rafael Hoteles), para 39; CJEU, Judgment of
08.09.2016, GS Media, Case C-160/15, EU:C:2016:644, paras
47-53.
112 According to the Court in CJEU, C-306/05 (SGAE v Rafael
Hoteles), the retransmission of a broadcast signal to
individual hotel rooms constitutes a “transmission [that]
is made to a public different from the public at which the
original act of communication of the work is directed, that is,
to a new public.” (para 40).
113 CJEU, Judgment of 07.03.2013, ITV Broadcasting, Case
C-607/11, EU:C:2013:147, paras 24-26.
114 Bernd Justin Jütte, ‘Ein horizontales Konzept der
Öffentlichkeit - Facetten aus dem europäischen
Urheberrecht’ [2018] UFITA - Archiv für Medienrecht und
Medienwissenschaft 354, 363.
2020
Annelies Vandendriessche and Bernd Justin Jütte
322
3
The recipients of this information – protected
expression or personal data – are subsequently
barred from repurposing or decontextualizing the
information.115
2. The novelty of a public
43
In relation to hyperlinks, the CJEU has further
rened the notion of a ‘new public’. In Svensson,
the Court ruled that a hyperlink constitutes an act
of communication,116 but not to a new public if the
link leads to a protected work which is available on
the internet freely and without restrictions.117 As a
result, any right holder who consents to his works
being posted online without any access restrictions
cannot prevent the linking of that content by other
users. This approach was extended by the CJEU to
the inclusion of works by framing.118
44
An act of communication to a new public does,
however, take place when a link is set to a protected
work that has been uploaded without the consent of
the right holder because the link would expose the
work to a public which had not been targeted before.
This is of course particularly relevant, as was the case
in GS Media, when pictures that were supposed to be
published exclusively in a magazine are published
prematurely on the Internet without the consent
of the right holder. In GS Media the Dutch publisher
of the Playboy magazine sued a webpage that had
linked to nude pictures of a celebrity which were to
appear at a later time in the Dutch edition of Playboy.
The parallels to the right to privacy here are striking.
The right holder in the images had an interest in
115 Although copyright law also provides other mechanisms,
such as moral rights, that can be advanced against the
distortion of information.
116 CJEU, Judgment of 13.02.2014, Svensson and Others, Case
C-466/12, EU:C:2014:76 paras 17-23, where the Court
argues that the notion of an act of communication must
be interpreted broadly and that for there to be an act
of communication “it is sufcient, in particular, that a
work is made available to a public in such a way that the
persons forming that public may access it, irrespective
of whether they avail themselves of that opportunity“.
Critically, suggesting that hyperlinking is not an active
act of communication, P Bernt Hugenholtz & Sam C van
Velze, ’Communication to a New Public? Three reasons
why EU copyright law can do without a ‘new public’’
[2016] International Review of Intellectual Property and
Competition 797–816, 813.
117 CJEU, C-466/12 (Svensson and Others), paras 27-28.
118 CJEU, Order of 21.10.2014, BestWater, Case C-348/13,
EU:C:2014:2315.
the exclusivity of the images in order to reap the
economic benets and not to preserve the secrecy
of private data or reputation in this particular case.
This was, for example different in Funke Medien,119
when the German government relied on copyright
to prevent the further dissemination of condential
information.
120
What is important, though, is that the
C2P-right preserves non-public spaces for a right
holder. Exposure of a work in these spaces is subject
to the consent of the latter.
II. Consenting to exposure
45
A right holder can use the criterion of a new public to
delimit the exposure of his work to a specied circle
of recipients. Without prior consent for publication,
a work available on the Internet cannot be legally
shared by others. Moreover, a work that has been
published, but only to a limited number of recipients,
either in a private environment, viz. to a circle of
recipients that do not constitute a public in the rst
place, or a public that is clearly dened in its scope,
cannot be shared with others outside the circle of
recipients. The public or private circles dened by
the consent of the right holder constitute closed
spheres beyond which a further publication requires
consent.
1. Identifying public spheres
46
In GS Media the Court explicitly addresses the problem
that the identication of (restricted) public and
private spheres would turn out to be a complicated
exercise, given the vast amount of information
available on the Internet. A normal user would nd it
difcult to ascertain whether protected works freely
available on the Internet had been made available
with the consent of the right holder or whether
they had been uploaded without consent. The fear
of infringement proceedings for unauthorised acts
of C2P could, as a result, lead to a chilling effect for
sharing of information on the Internet. But the CJEU
highlighted the importance of the Internet for the
119 CJEU, Judgment of 29.07.2019 in Funke Medien NRW, Case
C-469/17, EU:C:2019:623.
120 See also for similar cases in the UK, where courts have relied
inconsistently on the public interest defence in s.171(3) of
the 1988 Copyright, Designs and Patents, Act; Ashdown v
Telegraph Group Ltd [2001] EWCA Civ 1142; [2002] Ch. 149
(CA (Civ Div) and Hyde Park Residence Ltd v. Yelland [2001]
Ch. 143 (CA), se.. e.g. Jonathan Grifths, ‘Copyright Law
after Ashdown – time to deal fairly with the public’ [2002]
Intellectual Property Quarterly 240.
Responsible information sharing
2020
323
3
exercise of the right to freedom of expression121
and distinguished between hyperlinks set for non-
commercial122 and commercial purposes.123 Whereas
commercial users, when setting hyperlinks, are
now expected to verify whether the works they
are linking to have been made available with the
consent of the right holder, non-commercial users
do not incur such an obligation. In other words,
commercial users have to check whether the work
they are linking to has been made available with the
consent of the right holder, which Matthias Leistner
criticised as lacking a clear dogmatic basis in the EU
copyright rules.124 This distinction highlights the
economic nature of exclusive rights in copyright,
which, as the InfoSoc Directive explicitly states in
Recitals 4 and 9, requires a high level of protection.
125
But the duties of care imposed upon commercial
hyperlinkers are not fundamentally different from
those required of journalists pursuant to the case-
law of the ECtHR.126
121 CJEU, C-160/15 (GS Media), para 45.
122 For non-commercial users who link to content which is
freely available on the internet it is assumed that they “[do]
not know and cannot reasonably know” (CJEU, C-160/15 (GS
Media), para 47) that the content to which the link is set has
been uploaded without the consent of the right holder. This
means that such a user does not act in full knowledge of the
consequences of his actions.
123 Commercial users, on the other hand, are expected to be
able to identify unauthorised content on the internet and
incur an obligation to check whether content has been
uploaded with the consent of the right holder. This applies
in particular when a link enables the circumvention of
technical barriers, the passing of which would require
individual authorisation, possible against remuneration,
CJEU, C-160/15 (GS Media), paras 49-51. Article 17 deals
with uploads to platforms and not mere hyperlinking.
Furthermore, Article 17 serves a different purpose and
entails an obligation to license, viz. more information
should be made available legally, which does not affect the
basic right to refuse authorization for publication.
124 Matthias Leistner, ’Copyright law on the internet in need
of reform: hyperlinks, online platforms and aggregators’
[2017] Journal of Intellectual Property Law & Practice 136,
138 (with further references).
125 CJEU, C-160/15 (GS Media), para 53.
126 The ECtHR includes in its balancing between the right to
freedom of expression (Article 10) and the right to privacy
(Article 8) whether the information used by journalists or
other public watchdogs, such as NGOs, has been acquired
in good faith and is based “on an accurate factual basis and
provide ‘reliable and precise’ information in accordance
with the ethics of journalism”, Axel Springer AG v. Germany
(No. 1) App no 39954/08 (ECtHR, 7 February 2012) para 93.
2. Reusing published works
outside a specified public
47
A right holder who has made his work freely available
on the Internet must accept that, within the public
his works have been released in, these works can be
linked to without restrictions. This should also allow
commercial users who would, upon closer scrutiny,
nd out the respective work has been published
with the consent of the right holder, to link to this
content. With similar arguments as those used in
GS Media, AG Campos Sánchez-Bordona in Renckhoff
suggested that the non-commercial reproduction
of freely available images on the Internet does
not constitute an act of communication to a new
public. Although the referring court had advanced
an argument that the public a right holder has in
mind when publishing an image on the Internet
would be restricted to those users who directly or
via hyperlink would access the website containing
the image. Another conclusion, the referring court
argued, would lead to the exhaustion of the right
under Article 3(1) InfoSoc Directive, which is
explicitly prohibited under Article 3(3) of the same
directive.
127
AG Campos Sánchez-Bordona rejected
this argument and underlined that the assumption
that a work published on the internet could be re-
used for non-commercial purposes in the absence of
clear indication that the consent for publication was
restricted to a certain webpage and in the absence of
technical restrictions to access the website on which
an image had been originally published.128
48
The AG went on to state that a right holder who
communicated his work to the public, even via a
third party, could be required to apply a certain
duty of care when authorising the publication
of his works. Such a duty of care would include
the installation of technological measures or the
express communication of his limited consent
for the publication of a work. This, according to
AG Campos Sánchez-Bordona, could be expected
from right holders in return for the high level of
protection provided through Article 3(1) InfoSoc
Directive and in the interest of a balance between
the interests of right holders and internet users. The
CJEU rejected the AG’s assessment, ruling instead
that the reproduction of a freely available image on
the internet constitutes an act of C2P and, as a result,
For more information on the public watchdog function of
NGOs see also Animal Defenders International v The United
Kingdom App no 48876/08 (ECtHR, 22 April 2013) para 103;
Magyar Helsinki Bizottság v Hungary App no 18030/11
(ECtHR, 8 November 2016) para 166.
127 AG Cámpos-Bordona, AG Sanchez, Opinion of 25.04.2018,
Renckhoff, Case C-161/17, EU:C:2018:279, para 97.
128 ibid, para 104.
2020
Annelies Vandendriessche and Bernd Justin Jütte
324
3
requires authorisation.129 The Court came to this
conclusion by highlighting the nature of the right of
communication to the public, which is preventive in
nature. The preventive nature of the right enables a
right holder to control, and if necessary to terminate
the dissemination of his work.130 However, if a work
can be freely copied once it has been published on the
internet without restrictions, the right holder would
lose the ability to control the further dissemination
of that work.131
49
This is different, according to the Court, in the
case of hyperlinking. The deletion of a work from
a website would also make all hyperlinks to that
site obsolete because the deletion at the source
would make the work inaccessible also through
hyperlinks.132 Any other interpretation of the right
to communication to the public would effectively
result in the exhaustion of the exclusive right and
the loss of control over the further dissemination
of the work online.133 This approach is also reected
in AG Szpunar’s Opinion in Spiegel Online, where he
suggested that a newspaper cannot, in the absence of
an applicable exception, re-publish a controversial
text authored by a (now former) member of the
German Parliament, which the latter already
published with accompanying annotations on his
own website.134 The Court, derogated from the AG’s
strict interpretation of the quotation exception
under Article 5(3)(d) InfoSoc Directive.
129 CJEU, Judgment of 07.08.2018, Renckhoff, Case C-161/17,
EU:C:2018:634.
130 Ohly distinguishes between direct and indirect interventions
(see Ansgar Ohly, ’Unmittelbare und mittelbare Verletzung
des Rechts der öffentlichen Wiedergabe nach dem
„Córdoba“-Urteil des EuGH’ [2018] Geweblicher Rechtschutz
und Urheberrecht 996, 998); only the former constitutes an
act of communication to the public as they generate a new
audience. Mere indirect interventions require additional
qualifying elements in order to constitute an infringement
of the exclusive right.
131 CJEU, C-161/17 (Renckhoff), para 30.
132 CJEU, C-161/17 (Renckhoff), para 44.
133 CJEU, C-161/17 (Renckhoff), paras 32-33; see also Jütte (n
114), 366.
134 AG Szpunar, Opinion of 10.01.2019, Spiegel Online, Case
C-516/17, EU:C:2019:16, para 74; however, the AG suggests,
in passing, that his conclusion would have been different
had the author of the article deleted the work; the situation
would then have to be reconsidered in the light of the right
to freedom of expression.
It held that, given all the conditions of the exception
are fullled, a work may be republished, however
only “in its specic form”.135
III. Control through consent
50
The C2P-right equips the right holder of a work
with control mechanisms that are based on consent
or the withdrawal of consent. The consent-based
publication of a work online enables other users
to access the work, directly or through hyperlinks,
which can be set without prior authorisation. Any
further dissemination that would restrict the right
holder’s control over the work constitutes an act of
C2P and can require further authorisation.
51
However, control over a work is lost when one of
the exceptions of Article 5 applies, which include
uses such as parody, educational uses and uses for
the purpose of quotation.136 These uses are subject
to a strict interpretation and relieve the user from
the requirement of prior authorisation only for that
particular instance of a use.137 Linking to works which
are used under an exception must then respect the
particular modalities and the context of a use in
order to remain authorization-free.
52
Any uses of protected work that result in a
circulation of the work that reaches beyond the
public demarcated by the consent of the right holder
is, by law, limited to such uses that do not erode the
economic potential of the work. This underlines the
economic nature of copyright as harmonised at EU
level, and which is also reected in the reasoning
behind the exhaustion doctrine.138 It is noteworthy
that an application of the exhaustion doctrine,
which safeguards the circulation of legally marketed
135 CJEU, Judgment of 29.07.2019, Spiegel Online, Case C-516/17,
EU:C:2019:625, para 95, in this case, the text published on
the website had been accompanied with annotations with
which the author indicated that he had distanced himself
from the text, the republished version on Spiegel Online’s
website did not include these annotations.
136 See Article 5(3)(k), (a) and (d) InfoSoc Directive, respectively.
137 See e.g. CJEU, Judgment of 4.10.2011, FAPL/Murphy, Joined
cases C-403/08 and C-429/08, EU:C:2011:631, para 162 and
CJEU, Judgment of 03.09.2014, Deckmyn, Case C-201/13,
EU:C:2014:2132, para 22.
138 See for example Péter Mezei, Copyright Exhaustion: Law
and Policy in the United States and the European Union
(Cambridge University Press 2018), 140-141; Pascale
Chapdelaine, Copyright User Rights: Contracts and the
Erosion of Property (Oxford University Press 2017), 111.
Responsible information sharing
2020
325
3
carriers of works protected by copyright,
139
is not
applicable to digital content.140 In light of the
distinction between economically rivalling uses it is
worth mentioning that the strict limitations to non-
commercial, or not primarily commercial uses have
given rise to a number of preliminary references.141
53
The C2P-right is fundamentally economic in
nature. This is why economically non-rivalrous, or
insignicant but still revealing uses are permitted
under copyright law. Restrictions and the
authorisation requirement are there to maintain
the economic potential and safeguard a reasonable
remuneration for right holders, and not to keep
information out of the public sphere. Exceptions
that reect the public interest ensure that in some
situations consent from the right holder to use a
work, and to make it available to another public, is
not required. This seems to be limited to cases in
which a rst publication has already taken place.142
The exclusive rights in general, and the right to
communication to the public in particular, can, as a
result, not be considered as a means of censorship,
which would enable a right holder to keep
information out of the public sphere by exercising
exclusive rights.
143
It can merely be instrumentalised
139 See Article (2) InfoSoc Directive.
140 The CJEU conrmed this in CJEU, Judgment of 19.12.2019,
Tom Kabinet, Case C-263/18, EU:C:2019:1111, see for an
exception under the Software Directive in CJEU, Judgment
of 03.07.2012, UsedSoft, Case C-128/11, EU:C:2012:407,
however under the caveat that the conditions under which
the software had originally been marketed are carried over
when resold. See for an argument for the application of
the doctrine to digital content Mezei (n 138), 139 et seq.,
similarly Bernd Justin Jütte, Reconstructing European
Copyright Law for the Digital Single Market: Between Old
Paradigms and Digital Challenges (Nomos 2017), Chapter
3.A.V.
141 Three of the most recently decided cases are Case C-469/17
(Funke Medien NRW), C-476/17 (Pelham and Others);
CJEU, C-516/17 (Spiegel Online), on the Pelham reference
see Bernd Justin Jütte & Henrike Maier, ’A Human Right
to Sample – Will the CJEU Dance to the BGH-Beat’ [2017]
Journal of Intellectual Property Law & Practice 784, and
a summary of all three cases Bernd Justin Jütte, Finding
Comfort between a rock and a hard place – Advocate
General Szpunar on striking the balance in copyright law,
available at: https://europeanlawblog.eu/2019/02/28/
nding-comfort-between-a-rock-and-a-hard-place-
advocate-general-szpunar-on-striking-the-balance-in-
copyright-law/, accessed: 01.08.2019
142 See the interpretation of AG Szpunar of Article 5(3)(e) in AG
Szpunar, C-516/17 (Spiegel Online), paras 53-58.
143 AG Szpunar, Opinion of 25.10.2018, Funke Medien NRW,
to protect the specic expression of information
within the control of the right holder.
54 EU copyright, as a result, only enables control over
the (rst lawful) access to protected subject matter,
but not to protect the expressive context in which
lawfully accessible works are set. The relatively
high national barriers for moral rights protection
will only be able to mitigate this in a very limited
way.144 Leistner criticised that the law does not
differentiate between the ways in which content
is contextualised.145 But AG Szpunar has seemingly
suggested to strengthen the position of moral rights
in copyright law as balancing elements within the
systematic structure of copyright law.146 This means
that national courts are also obliged to consider the
author’s personality rights when applying exclusive
rights and L&E. However, only the latter two are
harmonized under EU law.147
55
Although copyright pursues different objectives
than privacy law, it offers authors a certain degree
of control through the exercise of exclusive rights.
In a digital context, and by use of ICT this often
implies the C2P-right. In its development by the
CJEU, the right offers authors the tools to target
certain audiences and control the dissemination of
their expression – but not the information expressed
by the work. However, the specic expression, itself
reective of the author’s personality,148 remains
relatively rmly under the control of the author.
D. Integrating privacy and
copyright concepts to delimit
the private-public divide
56
As much as one might be tempted to - and as
some scholars indeed have done - scold the CJEU
for overcomplicating the C2P-right, it reveals a
particular attitude toward a borderless and limitless
online environment and toward the notions of
property and, by analogy, privacy.
Case C-469/17, EU:C:2018:870, para 64.
144 Leistner (n 124), 137-39.
145 ibid, 139.
146 AG Szpunar, C-516/17 (Spiegel Online), para 77.
147 AG Szpunar, C-516/17 (Spiegel Online), paras 55-57, and
implicitly CJEU, C-516/17 (Spiegel Online), para 95.
148 See CJEU, Judgment of 11.12.2011, Painer, Case C-145/10,
EU:C:2011:798, para 94.
2020
Annelies Vandendriessche and Bernd Justin Jütte
326
3
57
The accessibility and shareability of content and data
require a stricter analysis of the effect of consent. It
cannot reasonably be assumed that with the release
of protected subject matter, works or private data,
the right holder cedes any control over its further
use. The ‘new public’ criterion developed by the CJEU
divides the internet into different and distinct public
spheres, the publication in one of them of a given
work cannot be equated with global consent for all
other spheres. Similarly, the mere accessibility of
private data, in some form, does not automatically
permit the re-use or re-publication is some other
form. Hence, an unrestricted public sphere in which
protected information moves freely does not exist.
I. Consent and purpose specification
58
Interestingly for our purposes, European data
protection legislation does not distinguish between
private or publicly accessible personal information.
However, the processing of data must occur “fairly
for specied purposes and on the basis of the consent of the
person concerned or some other legitimate basis laid down
by law.”149 In the eld of protection of private life,
the notions of consent, and of purpose specication
(Articles 6(a) and 5(1)(b) GDPR respectively) are
essential for giving the data subject control over
the dissemination of his personal data. Of particular
relevance in determining the private-public divide
with regard to the use of publicly available personal
information is the consent-requirement for one or
more specic purposes.150 The limits of this specic
consent are further circumscribed by the principle
of purpose limitation, according to which personal
data must only be “collected for specied, explicit and
legitimate purposes and not further processed in a manner
that is incompatible with those purposes”.151
59
The notions of consent and purpose specication are
particularly relevant for delimiting what is private,
given that the ECtHR for the rst time held in
form of informational self-determination”, which allows
individuals, even when seemingly ‘neutral’ data “are
collected, processed and disseminated collectively and in
such a form or manner that their Article 8 rights may
149 Charter of Fundamental Rights of the European Union
[2000], OJ C 364/1, art 8(2).
150 European Parliament and Council Regulation (EU) 2016/679
of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC
[2016], OJ L 119/1 (GDPR), art 6(a).
151 GDPR, art 5(1)(b).
be engaged.”152 The ECtHR thereby emphasised that
when personal data are concerned, it is not only the
nature of the data (whether it is ‘public’ or ‘private’
data) which must be considered, but also the form
and manner of processing or dissemination of that
data.
60
Accordingly, consent for making personal data
publicly available, especially when subject to access
restrictions, is limited to that specic, explicit
and legitimate purpose. Any further processing of
that data, in violation of access restrictions and in
a manner that could not be foreseen by the data
subjects, constitutes a violation of the requirements
of consent and purpose specication, and impedes
upon the individual’s so-called right to informational
self-determination. The principle of purpose
specication in European data protection law has a
crucial role in further giving a more objective and
measurable character to the criterion of the REoP,
by relating it to the initial legitimation and purpose
of the data processing. It strengthens the objectivity
of the REoP-criterion, which as we have discussed
previously, incorporates both an objective notion
of what information society deems individuals may
be entitled to keep private and a more subjective
measure of what individuals themselves believe they
should be able to keep private.
II. Freedom of expression
as a limit to privacy
61
The dissemination of personal data, and also of
publicly available personal data, to the public
necessarily implicates the right to freedom of
expression, which includes the right to impart
information. The GDPR emphasises that the right
to the protection of personal data and the right
to freedom of expression and information must
be reconciled by law.153 A balance must therefore
be achieved between both fundamental rights.
Article 85(2) GDPR requires Member States to
adopt exemptions and derogations, which are
possible from most provisions of the GDPR,
including exemptions and derogations from the
data protection principles and data subject rights,
such as the requirements of consent and purpose
specication.
154
In Satamedia, the CJEU considered
the scope of application of Article 9 DPD,
155
152 Satakunnan Markinapörssi Oy and Satamedia Oy v Finland
App no 931/13 (ECtHR, 27 June 2017) para 137.
153 GDPR, art 85(1).
154 GDPR, art 85(2).
155 European Parliament and Council Directive 95/46/EC of 24
Responsible information sharing
2020
327
3
GDPR’s predecessor, to situations of dissemination
of personal information for the purpose of freedom
of expression. In essence, the CJEU held that the
right to protection of personal data and the right
to freedom of expression must be reconciled
whenever the purpose of a dissemination to the
public of personal data is “the disclosure to the public of
information, opinions or ideas, irrespective of the medium
which is used to transmit them.”156 Unfortunately, the
CJEU did not further determine when exactly a
dissemination of personal information is considered
a “disclosure to the public”. Further clarication could
help to better delimit the boundary between what
can legitimately be disclosed in the public sphere
and what information should remain private, since
this notion determines when exemptions from data
protection law protecting freedom of expression
apply. Moreover, it is precisely here, where data
protection legislation and the notion of ‘(new)
public’ of the C2P-right may converge.
62
Although the protection of private life in public
and the protection of copyright as a property right
is motivated by different rationales, the reasons
why they are protected are also somewhat similar
in the sense that both rights are (at least partially)
considered as personality rights,
157
and are protected
as an emanation of the individual and reecting
on the individual. When recognising a right to
informational self-determination for individuals,
also in public life, the element of control over the
spread of information is strengthened. Protection
of private life has thus become a tool for protecting
condentiality, as well as a tool for “control over
an aspect of the identity one projects to the world”.158
Harmonising the interpretation of “disclosure to the
public” of private information and “communication
to the public” of copyrighted works would re-enforce
consistency in adjudication, by attributing the same
meaning to similar terms across the domains in
October 1995 on the protection of individuals with regard to
the processing of personal data and on the free movement
of such data [1995] OJ L 281/ 31 (Data Protection Directive).
156 CJEU, Judgment of 16.12.2008, Satakunnan Markkinapörssi
and Satamedia, Case C-73/08, EU:C:2008:727, para 61.
157 For more information on the development of the right to
into a personality right, see Bart van der Sloot, ‘Privacy
as Personality Right: Why the ECtHR’s Focus on Ulterior
Interests Might Prove Indispensable in the Age of “Big
Data”’ [2015] Utrecht Journal of International and European
Law 25.
158 Philip E Agre & Marc Rotenberg, Technology and Privacy:
The New Landscape (MIT Press 1998) 7.
which they are used.159
63
Although there is no secondary legislation in
the European Union harmonising the terms and
conditions for the implementation of the right to
freedom of expression in the EU Member States, the
jurisprudence of the ECtHR sets the guidelines for
judicial balancing when conicts between Article
the disclosure of personal and private information
to the public is approached from a different angle,
perspective, the question concerns whether an
individual has a REoP in seeing that his personal
information is kept private and out of the public
eye, and from an Article 10 ECHR perspective, the
question concerns whether the public interest in
knowing about certain information legitimates the
disclosure of personal information, the balancing
criteria developed by the ECtHR in its case law in
have been unied, independent of the Article under
which a claim is brought to the Court since 2012.160
ECHR conict of rights case law thus remains under
which conditions and circumstances can private
information, even private information originating
from the public domain, be disclosed to the public,
or be further disclosed to a larger or different public
than concerned by the original disclosure. A balance
must be sought between both rights, and revelations
of private information must be proportionate to
the public interest in knowing of the disclosed
information.
64
We have seen that particularly the REoP-criterion
is signicant for delimiting privacy in public, since
the further processing and dissemination of data in a
manner and scope beyond what could be reasonably
expected could engage privacy protection, even if
data is already publicly available. It is therefore
a potentially important criterion which could
contribute to getting the balance right between
the right to freedom of expression and the right to
protection of private life, particularly when personal
or private information originating from the public
159 The Court has already referred to certain concepts,
amongst them the right of communication to the public,
as autonomous concepts under EU law (implicit in CJEU,
C-466/12 (Svensson and Others), para 34) see also for
limitations and exceptions CJEU, C-201/13 (Deckmyn),
para. 14. See also Raquel Xalabarder, ’The Role of the CJEU
in Harmonizing EU Copyright Law’ [2016] International
Review of Intellectual Property and Competition 635, 635.
160 See Axel Springer AG v Germany App no 39954/08 (ECtHR, 7
February 2012) & Von Hannover (No 2) v Germany App nos
40660/08 & 60641/08 (ECtHR, 7 February 2012).
2020
Annelies Vandendriessche and Bernd Justin Jütte
328
3
domain is concerned. What can be reasonably
expected is however still a somewhat indeterminate
criterion and could be further dened by reference
to the notion of ‘disclosure to the public’.
III. Squaring the triangle with privacy
65
In analogy to the jurisprudence on the C2P-
right, a disclosure to the public for privacy law
purposes, even of publicly accessible information
would therefore also be subject to the principle
of consent of the individual concerned. Based on
the denition of what constitutes a ‘public’ under
Article 3 of the InfoSoc Directive, a self-disclosure
of private information by an individual to a small
and insignicant number of people would not
be considered a disclosure to the public, which
consists of a large and indeterminate number of
people. Disclosing private information to a new
public, beyond the originally small and insignicant
number of people the information was originally
disclosed to, or exposing the information further
than could be reasonably expected at the moment
of disclosure, would require additional consent
from the individual whose private information is
concerned. Even more, the dissemination of private
information using a different medium could also
be considered a dissemination to a new public,
since different media are considered to have a
more harmful impact on private life than others
as discussed in the jurisprudence of the ECtHR. For
instance, “audio-visual media often have a much more
immediate and powerful effect than the print media”,161
whereas “the ease, scope and speed of the dissemination
of information on the Internet, and the persistence of
the information once disclosed” caries an even greater
potential for harm to private life according to the
Court.162
66 Even when personal data is disclosed to a large and
indeterminate group of people, i.e. to the general
public as in Satakunnan, but access restrictions apply,
this data could still be considered private for the
subsequent uses occurred in violation of these access
restrictions.163 This is comparable to a situation
161 Del AS v Estonia App no 64569/09 (ECtHR, 16 June 2015)
para 134.
162 ibid para 147.
163 Publicity of Finnish tax data is authorised by law and is
therefore not subject to individual consent by the data
subject. See Sections 1-3 of the Act on the Public Disclosure
and Condentiality of Tax Information ( no. 1346/1999)
which provide for the publicity of tax information, subject
to access requests in the framework of Act on the Openness
when copyright works are made available behind
a paywall and a deep-link behind a technological
access restriction would constitute a communication
to a new public.
67 The ‘public’ could thus be considered a subdivided
sphere in which several private places could be
reserved for individuals. These observations could
be particularly relevant for delimiting which
personal information on social media merit privacy
protection and require further consent from the
individual concerned when reproduced, and which
could be considered public. In a practical application
this would mean that personal information shared
on social media with a (technologically) limited
number of friends falls under the protection of
private life. This is because the information is shared
with a determinate group of people as opposed
to the public at large and does not constitute a
disclosure to the public. Subsequent disclosure to an
indeterminate and large group of people, whichever
the technical means employed, requires consent. In
the absence of access restrictions, the publication
of information can be considered a disclosure to the
public. However, the further dissemination of that
information by different technological means, for
example on television, in newspapers or in archives,
requires fresh consent. As has been demonstrated,
this consent requirement is analogous to the
CJEU’s jurisprudence on the C2P-right. They reect
an individual’s REoP at the time of the original
disclosure similar to the expectation of diverse
economic exploitability in copyright law.
E. Conclusion
68
While it is true that the carving out of a larger
space for private life in public may limit the right
to freedom of expression and the disclosure to
the public of personal information of individuals,
it is important to distinguish between personal
information shared by individuals in the context
of friendship, work-relations, social networking,
disclosures which do not reach the public at large,
and personal information shared with the public at
large by mass-media. The traditional media enjoy
great privilege as public watchdogs for democracy
when making use of the right to freedom of
expression, but in return they are imposed duties
of responsible journalism, including the need to
ensure that disclosures of personal information are
proportionate to the public interest of disclosing this
information.
of Government Activities (621/1999) and subject to data
protection law restrictions pursuant to the Personal Data
Act (523/1999).
Responsible information sharing
2020
329
3
69
In order to fortify this stewardship over
information, but also to translate the responsible
use of information into non-journalistic circles,
the development of an autonomous notion of
‘disclosure’ or ‘communication to the public’ would
enable a more responsible use and re-use of personal
data and copyrighted content. It would not lead to
so much of a chilling effect on speech, but perhaps
more to a chilling effect on over-information, or on
careless sharing, in the face of the wide public reach
of new ICT.
70
On the behavioural side, it would help laypersons
lacking a relevant legal understanding usually
only possessed by informed academics or lawyers
to be able to anticipate the impact of their actions
in relation to their own privacy and the privacy
and economic rights of others. A harmonisation
of privacy and copyright standards under a rule of
reason or reasonable expectations could, therefore,
work to the benet of legal certainty and responsible
use and sharing of information.
To continue reading
Request your trial