Professor Christopher Vajda KC bears the distinction of having been the last UK judge to serve at the Court of Justice of the European Union, where he sat from 2012 until his mandate officially ended with the UK’s withdrawal from the EU in January 2020. It is a singular badge of honour, and one which makes him uniquely qualified to speak at last month’s event: the 47th annual lecture of the United Kingdom Association for European Law. Titled “Data Protection: Made in Europe and Exported Globally”, Vajda’s lecture promised to “explore the rapid development of data protection rights within Europe, their inter-relationship with other rights and their impact outside Europe”. This is not an abstract subject matter for the former EU justice.
“The most novel and interesting cases I sat on as a judge were data protection cases”, he states.
Rather than regaling listeners with tales from his time on the bench, however, his presentation appears to be broader in both scope and purpose.
Over the next hour, those in attendance were treated to a condensed yet thorough education on the nature of personal data and the legal frameworks used to protect it. Vajda is clearly passionate about his chosen topic. His account of the history of the field was comprehensive, mapping the development of data protection rights across 50 years of European law. He began by detailing the establishment of data protection laws in Sweden in 1973, indicating that such protections quickly spread across Europe amidst rising concerns regarding “the storage of electronic data” and “data processing’s impact on human rights”. Since the 1970s, Europe has been at the forefront of the battle for privacy, at least when it comes to the safeguarding of personal information.
However, the real origins of data protection as a legal concept, Vajda proposed, can be traced back to the publication of Louis Brandeis and Samuel Warren’s “The Right to Privacy”. Published in the December 1890 edition of the Harvard Law Review, the renowned article is often cited as having added a “new chapter” to American law. Yet its true impact, Vajda suggests, continues to be felt even now. “In simplest terms, for Warren and Brandeis the right to privacy was the right of each individual to protect his or her psychological integrity by exercising control over information which both reflected and affected that individual’s personality”. Given the article’s publication date, the two young lawyers were writing from a distinctly late 19th century perspective. What can be done to safeguard individuals from the gossip-mongering of the press in the face of ever more widespread newspaper circulation? How will the invention of instant photography impact our general “right to be let alone”? No matter how specific these concerns may seem to the era in which Brandeis and Warren were writing, however, Vajda indicates that such questions served as the forerunners for those faced by lawyers today. Ultimately, he tells us, the core message in “The Right to Privacy” is that the law must adapt in the face of emerging threats to our personal information. Just as technology advances and business practices change, so too must the legal architecture used to govern such enterprises.
In the age of data processing, the “right to informational self-determination” has become a far more complex and widespread matter than even Brandeis and Warren could have predicted. The internet is a veritable Wild West when it comes to the protection of personal information, and Vajda states that “the increasing number of such cases is easily explained by how much of our time we spend online”. It would be hard to overlook echoes of Brandeis and Warren’s “right to be let alone” in 2014’s Google v Spain, which famously gave rise to the “right to be forgotten”. Ultimately, the CJEU ruled, so fundamental is the right to safeguard one’s information that, under certain circumstances, it takes precedence over public interest regarding access to information. “These days, the right to protect one’s personal data is greater even than one’s right to privacy”, Vajda indicates. “The right to be forgotten”, however, “is not an absolute right”. Rather, it continually “has to be balanced against other rights, such as freedom of expression”. The precise difficulty of achieving such a balance is partly responsible for the large body of EU case law in this area. According to Art. 4 (1) of the EU’s 2016 General Data Protection Regulation (GDPR) (the most comprehensive EU regulation on the protection of personal information to date), the term “personal data” encompasses “any information which are related to an identified or identifiable natural person”. This is an admittedly broad definition, and one which provides enormous scope for interpretation by the courts.
Given that there is no “one size fits all solution”, Vajda indicates that it is therefore “not surprising that most of the major developments in this area have derived from the court in Luxembourg rather than the legislators in Brussels”. Decisions at EU level often go against those made by national courts, with Vajda citing the CJEU’s 2022 judgment in the case of SpaceNet and Telekom Deutschland in this context. The ruling in question has been interpreted as striking a decisive blow against overly aggressive data retention practices, with the court’s press release stating that EU law precludes the “general and indiscriminate retention” of personal data.[i] Nonetheless, even in such cases, the equilibrium between state and individual rights can be difficult to ascertain. It all comes down to that most prominent of EU buzzwords: proportionality. Whilst certain data practices may be justified in the face of serious crimes or threats to national security, Vajda stresses the need for independent safeguards to “control both the transfer and access of such data”.
Whether its provisions are forged in parliament or from the bench, the ‘Brussels effect’ means that European regulatory standards have a way of becoming global standards. As Vajda’s presentation makes clear, this has certainly been the case when it comes to data protection. Vajda’s assertion that the EU model has been “exported globally” is a statement of fact. Countries such as Japan, Argentina, and South Africa, to name but a few, have all directly modelled their own national legislation on the EU’s GDPR.
However, for those of us who were gathered at the event, the question looms of what such standards mean for the UK post both Brexit and the passing of the Brexit Freedoms Bill. On the one hand, although the UK has sought to reform its data protection strategy post-Brexit, it does not appear to be in a hurry to deviate from the EU model. The GDPR was integrated into domestic law with 2022’s Data Protection and Digital Information Bill, with the majority of data protection provisions passing through parliament being based on pre-existing EU architecture. This is in keeping with the UK’s EU “data adequacy” status, which allows the UK to maintain a free flow of information and personal data with the rest of the European Economic Area. Yet, on the other hand, the government’s 2020 National Data Strategy paper makes clear that this commitment will have to be balanced against post-Brexit opportunities for “unlocking the value of data” and data processing. This feasibly reads as an example of the UK wanting to have its cake and eat it too and, as Vajda concludes, exactly “how this is to be achieved is yet to be seen”. Nonetheless, it seems apparent that, post-Brexit, the “voice that the UK will have regarding international regulatory arrangements will be significantly diminished”.
This piece concerns the UKAEL’s Annual Lecture: “Data Protection: Made in Europe and Exported Globally?”. It was delivered by Christopher Vajda KC at King’s College London on the 19th of January 2023.
The United Kingdom Association for European Law (UKAEL) is the UK branch of the International Federation of European Law (FIDE). As part of an international network of European law associations, it hosts regular seminars and lectures which aim to promote discussion and debate amongst those with an interest in European Union law. See the UKAEL website for further information, future events, and membership details, or take a look at its blog. They’re also on Twitter.
 United Kingdom Association for European Law, “Events: UKAEL Annual Lecture: Data Protection: Made in Europe and Exported Globally?” (January 2023), https://ukael.org/past-events/
 Samuel D. Warren and Louis D. Brandeis. “The Right to Privacy.” Harvard Law Review 4, no. 5 (1890): 193–220. https://doi.org/10.2307/1321160.
 Letter from Roscoe Pound to William Chilton (1916) quoted in A. Mason, Brandeis: A Free Man’s Life (USA: Viking, 1956), 70.
 Dorothy J. Glancy, “The Invention of the Right to Privacy”, Arizona Law Review 21, no. 1 (1979): 1-39, 1. https://law.scu.edu/wp-content/uploads/Privacy.pdf
 Warren and Brandeis, “Right to Privacy”, 193.
 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014), ECLI:EU:C:2014:317.
 Art. 4 (1) – Regulation (EU) 2016/679 of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) OJ L 119/1.
 Bundesrepublik Deutschland v SpaceNet AG (C‑793/19) and Telekom Deutschland GmbH (C‑794/19). ECLI:EU:C:2021:939.
 The Department for Digital, Culture, Media and Sport, UK National Data Strategy (December 2020), https://www.gov.uk/government/publications/uk-national-data-strategy/national-data-strategy
Chiara Shea is a current GDL student and aspiring barrister at City Law School, hoping to practice in the areas of intellectual property and media law. Before deciding to pursue a legal career, she worked as a writer, researcher and academic in the fields of literature and the arts. She is a graduate of Balliol College, Oxford, and holds a doctorate in modern American poetry and spatial theory from King’s College London. She lives in North London with her two (very spoiled) cocker spaniels, Waffles and Bowser, and will subject anyone to photos of them if they so much as loiter near her for too long.