What’s this?
An introduction and explainer on ‘fundamental rights and freedoms’; for anyone designing tech or data uses, and for Data Protection Officers/Practitioners
What are ‘fundamental rights and freedoms’?
In general:
Ideas about how people should treat each other (and particularly about how institutions should treat individuals), backed by institutional authority and mechanisms for putting it all into practice.
Codification of shared values within a representative democracy: human dignity, freedom, equality, solidarity and justice, governed by the rule of law.
In data protection law:
Within the GDPR; ‘fundamental rights and freedoms’ refers to the rights set out in the European Charter of Human Rights. While data subjects outside the EEA may not be able to assert their fundamental rights via judicial processes in their location, they must be assumed to have those rights and treated accordingly (even when doing so is inconvenient).
Why are they a thing?
The reason that fundamental rights and freedoms were codified into law in the first place is the ample evidence that people will do horrible things to each other out of fear, spite, arrogance, naïveté, indifference or negligence - unless there’s something official in place to remind them not to and hold accountable those who don’t play by these rules.
The atrocities of World War II provided a stark realisation that Something Must Be Done, because ‘Never Again’ a realisation that brought the UN Declaration of Human Rights into existence in 1948, and the subsequent European Convention on Human Rights in 1950 (which the European Charter of Human Rights referenced within the GDPR is based upon).
Sadly, picking on people for being different is a trait hard-wired into humanity as a whole*, because of our predator-pack-ape origins. We’re supposed to be able to think past that sort of thing now that we have opposable thumbs and language and technology and all that, but….well let’s just say it’s a work in progress.
(*individual meat units may vary)
Anyway, most of the fundamental rights and freedoms are aimed at protecting people from being mistreated because of their differences, but especially when their differences may make them appear less valuable or worthy of humane treatment in the eyes of others (unreasonable prejudice against Them in order to protect Us is hard-wired into human nature - we can overcome these instincts with conscious effort, but we do need frequent reminders to put the work in).
For example, the Charter prohibits discrimination on the basis of age, gender, disability, religion, racial identity, sexual orientation; it demands equality before law, and a presumption of innocence.
The other rights and freedoms are mostly to do with managing the effects of our collective tendency to create dominance hierarchies wherever we go and whatever we’re doing (another evolutionary legacy which has served the species well but is usually a somewhat dismal experience for those people at the bottom), by placing limits on how power can be exercised over individuals (eg, no torture, no arbitrary executions, fair working conditions, representation in government, etc).
Where are they?
Written down here: Rights & Freedoms
In theory, these rights and freedoms exist around everyone, all the time
In practice, they exist to the extent they are recognised, asserted, upheld, defended and protected.
Why do I need to know about them?
As a DP practitioner:
Because data protection - that is, protection of natural persons when they are represented in (personal) data - is itself one of those fundamental rights.
Because ‘as long as it doesn’t infringe on fundamental rights and freedoms’ is a test for validity and lawfulness of processing in several parts of the GDPR.
Because sometimes you will have to assess processing activities (current or future) for their potential effects on the fundamental rights of the data subjects.
You can’t do these tasks effectively unless you are familiar with the rights and freedoms in question.
As a living natural person and a data subject:
Because these are your rights - but even if you think you don’t need them, standing up for them helps others to keep hold of theirs.
Because rights that are not asserted and upheld tend to disappear - to the general detriment of social well-being
Because your rights limit the power others can wield over you; power which can be more easily abused than constrained when digital technology is involved.
References
GDPR articles which reference “fundamental rights and freedoms”:
1.2, 4, 6.1.f, 9.2.b, g, j, 33.1, 45.2.a, 50.b, 51.1 and 88
…plus 27 mentions within the Recital
Other articles which reference “rights and freedoms” (referring to fundamentals plus any context- or locality-specific ones).
5.1.e, 9.2.i, 10, 14.5.b, 15.4, 20.4, 21.1, 22.2.b, -3, -4, 23.1.i, -2.g, 24.1, 25.1, 27.2.a, 30.5, 32.1, 33.1, 34.1, -2.b, 35.1, -7.c, 36.3.c, 49.1, 57.1.c, 66.1, -3, 70.1.h, 80.1, 87, 88.1 and 89.1
….and 28 more references within the Recital.
Clearly, the GDPR places a high significance on the rights and freedoms of natural persons, fundamental or otherwise. And yet, if there’s one thing conspicuously absent from the majority of compliance paperwork (aside from solid evidence of actual compliance); that’s ‘consideration for rights and freedoms of natural persons’. Somehow, the very essence of data protection law seems to have become relegated to the status of ‘optional, nice-to-have extra’.
How do I know whether a data subjects’ rights and freedoms have been infringed?
You probably won’t and can’t, unless they can recognise it for themselves and have the resources to bring it to your attention at the time. That doesn’t mean it’s not happening, just that the effects fly under your [organisation’s] radar
But you can think of how a data subject’s rights and freedoms could be infringed, what that might look like, how it could happen and how it can be avoided - and you should*.
And you can examine processing activities to ensure that the data protection Principles are being put into practice, data subject rights are being upheld and Controller and/or Processor obligations are being met.
Actually, you must go through those thought processes, because that’s what compliance with the GDPR requires.
(*OK, in practice you’ll probably never be challenged over your consideration of fundamental rights unless a) you mess with someone wealthy and high-profile, or b) you’re a public sector body doing something majorly creepy with surveillance or profiling. However, ’no-one’s looking, we’ll get away with it’ is a business justification which can only be decided by the business leaders - as a data protection professional, your job is to tell the business what it needs to know to make informed decisions about data protection compliance. You can be assured that if the organisation later gets into trouble for not having considered impacts on data subjects’ rights and freedoms and you didn’t explicitly warn them it was a possibility; you will be held responsible for that omission and chucked under the nearest bus).
So the next time you are called upon to offer input to a data design, a legitimate interests, purpose compatibility or data protection impact assessment, or to evaluate the potential effects of a personal data breach, or to assess an organisation’s compliance position - the fundamental rights and freedoms should feature in there somewhere, preferably front and centre.
List of fundamental rights and freedoms
Dignity:
1: Dignity
2: Right to life
3: Integrity of the person
4: Prohibition of torture and inhuman or degrading treatment or punishment
5: Prohibition of slavery and forced labour
Freedoms:
6: Right to liberty and security
7: Respect for private and family life
8: Protection of personal data
9: Right to marry and right to found a family
10: Freedom of thought, conscience and religion
11: Freedom of expression and information
12: Freedom of assembly and of association
13: Freedom of the arts and sciences
14: Right to education
15: Freedom to choose an occupation and right to engage in work
16: Freedom to conduct a business
17: Right to property
18: Right to asylum
19: Protection in the event of removal, expulsion or extradition
Equality:
20: Equality before the law
21: Non-discrimination
22: Cultural, religious and linguistic diversity
23: Equality between women and men
24: The rights of the child
25: The rights of the elderly
26: Integration of persons with disabilities
Solidarity:
27: Workers' right to information and consultation within the undertaking
28: Right of collective bargaining and action
29: Right of access to placement services
30: Protection in the event of unjustified dismissal
31: Fair and just working conditions
32: Prohibition of child labour and protection of young people at work
33: Family and professional life
34: Social security and social assistance
35: Health care
36: Access to services of general economic interest
37: Environmental protection
38: Consumer protection
Citizens’ Rights (EU-specific)
39: Right to vote and to stand as a candidate at elections to the European Parliament
40: Right to vote and to stand as a candidate at municipal elections
41: Right to good administration (of the EU as a body)
42: Right of access to documents
43: European Ombudsman
44: Right to petition
45: Freedom of movement and of residence
46: Diplomatic and consular protection
Justice:
47: Right to an effective remedy and to a fair trial
48: Presumption of innocence and right of defence
49: Principles of legality and proportionality of criminal offences and penalties
50: Right not to be tried or punished twice in criminal proceedings for the same criminal offence