ISSN 2519-4216
e-ISSN 2519-4313
UDC 34
Law Journal of the National Academy of Internal Affairs
- European regulatory private law; European Union; GDPR; EU law; human rights; proportionality; balancing exercise
- https://doi.org/10.63341/naia-chasopis/1.2025.48
- Pages 48-58
This article explored how the General Data Protection Regulation, seen as an element of the regime of European regulatory private law, reflects both soft and hard forms of legal paternalism. Employing a doctrinal methodology, this research analysed relevant EU law and the CJEU’s jurisprudence in order to examine how the regulation of the right to personal data protection in the European Union’s legal order is informed by soft and hard types of legal paternalism. The findings reveal that the General Data Protection Regulation imposes strict obligations on data processors, highlighting a hard paternalistic approach because compliance with such obligations, by implication, limits data subjects’ autonomy. Soft paternalism, on the other hand, can be seen in EU lawmakers’ attempts to nudge data subjects into using their data carefully and reasonably in digital environments without heavily restricting their data autonomy. This approach raises concerns about the proportionality of restrictions on other fundamental rights, as hard paternalism of the European Union’s primary law in this field is strongly reflected in the jurisprudence of the Luxembourg Court that prioritises data protection over competing public interests. A possible way to address this issue is recalibration towards soft paternalism to enhance data subjects’ autonomy and improve the balance between privacy and other rights. Such a shift could lead to more context- sensitive rulings emphasising the importance of protection of other human rights
References
[1] Bhat, P.I. (2019). Doctrinal legal research as a means of synthesizing facts, thoughts, and legal principles. Oxford: Oxford University Press. doi: 10.1093/oso/9780199493098.003.0005.
[2] Brownsworth, R. (2019). Legal rules, technological disruption, and legal/regulatory mindsets. In R. Brownsworth (Ed.), Law, technology and society: Reimagining the regulatory environment (pp. 181-204). New York: Routledge. doi: 10.4324/9781351128186.
[3] Bunn, A. (2015). The curious case of the right to be forgotten. Computer Law & Security Review, 31(3), 336-350. doi: 10.1016/j.clsr.2015.03.006.
[4] Bygrave, L.A. (2017). Data protection by design and by default: Deciphering the EU’s legislative requirements. Oslo Law Review, 4(2), 105-120. doi: 10.18261/issn.2387-3299-2017-02-03.
[5] Cafaggi, F., & Watt, H.M. (2009). The regulatory function of European private law. Edward London: Elgar Publishing. doi: 10.1017/9781108565417.036.
[6] Cherednychenko, O. (2021). Islands and the ocean: Three models of the relationship between EU market regulation and national private law. Modern Law Review, 84(6), 1294-1329. doi: 10.1111/1468-2230.12664.
[7] Cherednychenko, O. (2024). EU Financial regulation and private law: Towards a holistic approach. In M. Heidemann (Ed.), The transformation of private law – principles of contract and tort as European and international law (pp. 855-882). Cham: Springer. doi: 10.1007/978-3-031-28497-7_39.
[8] Clarke, N., Vale, G., Reeves, E.P., Kirwan, M., Smith, D., Farrell, M., Hurl, G., & McElvaney, N.G. (2019). GDPR: An impediment to research? Irish Journal of Medical Science, 188(1), 1129-1135. doi: 10.1007/s11845-019-01980-2.
[9] Clifford, D., & Ausloos, J. (2018). Data protection and the role of fairness. Yearbook of European Law, 37(1), 130-187. doi: 10.1093/yel/yey004.
[10] Coghlan, N., & Steiert, M. (2021). The Charter of Fundamental Rights of the European Union: The travaux préparatoires and selected documents. Florence: European University Institute Publishing. doi: 10.2870/004119.
[11] Dalla Corte, L. (2022). On proportionality in the data protection jurisprudence of the CJEU. International Data Privacy Law, 12(4), 259-275. doi: 10.1093/idpl/ipac014.
[12] De Hert, P., & Lazcoz, G. (2022). When GDPR-principles blind each other: Accountability, not transparency, at the heart of algorithmic governance. European Data Protection Law Review, 8(1), 31-40. doi: 10.21552/ edpl/2022/1/7.
[13] Dworkin, G. (1972). Paternalism. Philosophy and Public Policy, 56(1), 64-75. doi: 10.1017/ S026626710000359X.
[14] Erdos, D. (2016). European union data protection law and media expression: Fundamentally off balance. European Comparative Law Quarterly, 65(1), 139-183. doi: 10.1017/S0020589315000512.
[15] European Parliament. (2013). Report on the proposal for a regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free movement of Such Data (General Data Protection Regulation) (COM(2012)0011–C7- 0025/2012–2012/0011(COD)). Retrieved from https://www.europarl.europa.eu/cmsdata/59696/ att_20140306ATT80606-4492192886392847893.pdf.
[16] European Parliament. (2018). Recording of the Plenary Session of 23/10/2018. Retrieved from https://multimedia.europarl.europa.eu/en/webstreaming/plenary_20181023-0900-PLENARY?seekTo= 181023090224.
[17] European Parliament. (2023). Resolution of 11 May 2023 on the adequacy of the protection afforded by the EU-US data privacy framework (2023/2501(RSP)). Retrieved from https://www.europarl.europa.eu/doceo/ document/TA-9-2023-0204_EN.html.
[18] Fateh-Moghadam, B., & Gutmann, T. (2014). Governing [through] autonomy. The moral and legal limits of “soft paternalism”. Ethical Theory and Moral Practice, 17(3), 383-397. doi: 10.1007/s10677-013-9450-3.
[19] Feinberg, J. (1971). Legal paternalism. Canadian Journal of Philosophy, 1(1), 105-124. doi: 10.1080/00455091.1971.10716012.
[20] González-Pizarro, F., Figueroa, A., López, C., & Aragon, C. (2022). Regional differences in information privacy concerns after the Facebook-Cambridge Analytica data scandal. ECSCW Contributions, 31(1), 33-77. doi: 10.1007/s10606-021-09422-3.
[21] Hesselink, M.W. (2017). Private law, regulation, and justice. European Law Journal, 22(5), 681-695. doi: 10.1111/eulj.12195.
[22] Imamović, S., Börjedal, E., & Di Franco, E. (2024). The future of EU fundamental rights. Maastricht Journal of European and Comparative Law, 31(2), 137-146. doi: 10.1177/1023263X241290470.
[23] Ivanova, Y. (2021). The role of EU fundamental right to data protection in an algorithmic and big data world. In D. Hallinan, R. Leenes, S. Gutwirth & P. De Hert (Eds.), Data protection and privacy, volume 13: Data protection and artificial intelligence. New York: Bloomsbury Publishing. doi: 10.2139/ssrn.3697089.
[24] Jabłonowska, A., & Michałowicz, A. (2020). Planet49: Pre-ticked checkboxes are not sufficient to convey user’s consent to the storage of cookies (C-673/17 Planet49). European Data Protection Law Review, 6(1), 137-142. doi: 10.21552/edpl/2020/1/19.
[25] Justickis, V. (2020). Balancing personal data protection with other human rights and public interest: Between theory and practice. Baltic Journal of Law and Politics, 13(1), 140-162. doi: 10.2478/bjlp-2020-0006.
[26] Kanter, J.S. (2023). Digital markets and “trends towards concentration”. Journal of Antitrust Enforcement, 11(2), 143-148. doi: 10.1093/jaenfo/jnad030.
[27] Kedzior, M. (2021). The right to data protection and the COVID-19 pandemic: The European approach. ERA Forum, 21(4), 533-543. doi: 10.1007/s12027-020-00644-4.
[28] Khadzhiradieva, S., Bezverkhniuk, T., Nazarenko, O., Bazyka, S., & Dotsenko, T. (2024). Personal data protection: Between human rights protection and national security. Social and Legal Studios, 7(3), 245-256. doi: 10.32518/sals3.2024.245.
[29] Kovalenko, Y. (2022). The right to privacy and protection of personal data: Emerging trends and implications for development in jurisprudence of European Court of Human Rights. Masaryk University Journal of Law and Technology, 16(1), 37-57. doi: 10.5817/MUJLT2022-1-2.
[30] Lenaerts, K. (2019). Limits on limitations: The essence of fundamental rights in the EU. German Law Journal, 20(6), 779-793. doi: 10.1017/glj.2019.62.
[31] Lixinski, L., & Peleg, N. (2022). Paternalism in international human rights law. Duke Journal of Comparative and International Law, 33(1), 1-43. doi: 10.2139/ssrn.4342084.
[32] Lynskey, O. (2023). Complete and effective data protection. Current Legal Problems, 76(1), 297-344. doi: 10.1093/clp/cuad009.
[33] Ogus, A. (2010). The paradoxes of legal paternalism and how to resolve them. Legal Studies, 30(1), 61-73. doi: 10.1111/j.1748-121X.2009.00146.x.
[34] Organisation of American States. (2017). Annual report of the Office of Special Rapporteur for Freedom of Expression. Retrieved from https://www.oas.org/en/iachr/expression/reports/annual.asp.
[35] Padilla, J., Piccolo, S., & Vasconcelos, H. (2022). Business models, consumer data and privacy in platform markets. Journal of Industrial and Business Economics, 49(3), 599-634. doi: 10.1007/s40812-022-00218-0.
[36] Parsons, C. (2003). Showing ideas as causes: The origins of the European Union. International Organisation, 56(1), 47-84. doi: 10.1162/002081802753485133.
[37] Quelle, C. (2017). Not just user control in the General Data Protection Regulation: On the problems with choice and paternalism, and on the point of data protection. In A. Lehmann, D. Whitehouse, S. Fischer-Hübner, L. Fritsch & C. Raab (Eds.), Privacy and identity management: Facing up to next steps. New York: Springer. doi: 10.1007/978-3-319-55783-0_11.
[38] Quinn, P., & Malgieri, G. (2021). The difficulty of defining sensitive data – the concept of sensitive data in the EU data protection framework. German Law Journal, 22(8), 1583-1612. doi: 10.1017/glj.2021.79.
[39] Safari, B. A. (2016). Intangible privacy rights: How Europe’s GDPR will set a new global standard for personal data protection. Seton Hall Law Review, 47, 809-848.
[40] Solove, D.J. (2012). Introduction: Privacy self-management and the consent dilemma. Harvard Law Review, 126, 1880-1903.
[41] Sun, Y. (2024). Research on legal protection of minor females from the perspective of soft paternalism. Scientific and Social Research, 6(1), 154-160. doi: 10.26689/ssr.v6i1.6018.
[42] Tambou, O. (2019). Lessons from the first post-GDPR fines of the CNIL against Google LLC. European Data Protection Law Review, 5(1), 80-99. doi: 10.21552/edpl/2019/1/13.
[43] Trstenjak, V. (2023). Limitations of fundamental rights in EU law: Are human rights absolute? European Review, 32(2), 135-149. doi: 10.1017/S1062798723000509.
[44] Veale, M., Binns, R., & Ausloos, J. (2018). When data protection by design and data subject rights clash. International Data Privacy Law, 8(2), 105-123. doi: 10.1093/idpl/ipy002.
[45] Zelger, B. (2023). The right to be forgotten in the European Union: Towards a uniform approach? Global Privacy Law Review, 3(1), 19-28. doi: 10.54648/gplr2022003.