Data protection and personal integrity in the context of data processing for personalized advertising

Abstract: It is concluded in this thesis that there are uncertainties on the framework of the right to data protection for several reasons. Firstly, the degree to which personal integrity must be protected by technology companies is not completely clear. This is because the scope of the right to data protection in article 8 of the Charter is dependent on the scope of the right to privacy in article 7 of the Charter. Although there is plenty of case law in the area of privacy in general, privacy in the context of processing personal data from digital platforms is a relatively new European judicial area with a limited amount of case law. This makes it difficult for member states as well as for technology companies to comprehend the level of protection required by the EU law in the processing of personal data in the digital environment.  The unclarity of the protection of personal integrity has come to work for the advantage of technology companies in the processing of data for advertising purposes in particular. This is because the legal bases for lawfully collecting personal data in the GDPR has allowed them to collect large pools of personal data, while at the same time, the assessment of whether an intrusion of the right to private life has occurred is dependent on the member states’ supervisory system. Whether there has been an intrusion of the right to private life further requires an assessment on a case-by-case basis. This means that the data protection system is perhaps not built in a way that effectively protects personal integrity in the digital environment. The EU data protection is rather built to protect the collection of personal data in the first place, for instance by requiring that a consent is informed and freely given or by the balancing test in the legitimate interest. The problem here is however that there is a wide margin of appreciation within these requirements as to the level of protection of personal integrity through the processing of personal data. There seems to be an absence of appropriate guidelines as to how these requirements should be interpreted in order for the data – and the individuals behind the data – to be fully protected.