Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary 

Article 11 ePrivacy Regulation – Restrictions

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1) (c) to (e), (i) and (j) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.

1a. Article 23 (2) of Regulation (EU) 2016/679 shall apply to any legislative measures referred to in paragraph 1.

 2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response.

(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights, including by way of derogations, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including public security and the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications, including by requiring providers to enable and assist competent authorities in carrying out lawful interceptions, or take other measures, such as legislative measures providing for the retention of data for a limited period of time, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).

Art. 11 ePrivacy Regulation concludes Chapter II regarding the protection of end-users’ electronic communications and the protection of the integrity of terminal equipment. It provides for the competence of Member States to restrict the rights and obligations under Arts. 5 to 8 ePrivacy Regulation by way of legislative measures. Reflecting the fact that such restrictions are bound by fundamental rights, appropriate and proportionate measures, in the legislator’s notion, need to fulfil one or more public purposes referred to in Art. 23 Sec. 1 lits. c to e, i and j GDPR. Additionally, Art. 11 ePrivacy Regulation lists further purposes, such as the monitoring, inspection or regulatory function connected to the exercise of official authority.[1]

This provision reflects the general ordre-public-reservation of European Union law, laid down in Art. 72 TFEU. Since the enactment of the ePrivacy Regulation is based on Art. 16 Sec. 1 and 2 and Art. 114 TFEU, the stipulations of the TFEU had to be respected. According to Art. 72 TFEU, the exercise of responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security is not affected by the treaty’s provisions. It aims to counter serious threats to public safety and order, i.e. to fundamental elements of the national legal system.[2] Such elements include, inter alia, the existence of the state, its institutions or elemental services.[3] That being said, the strict limitation of the term ‘public safety and order’ somewhat softens in light of the Member States’ assessment prerogative emerging from the respect for national legal traditions.[4] Certain case groups evolved in that regard, leaving space for Member States’ discretion, namely the fight against drug trafficking[5], the fight against different forms of crime in connection with alcohol abuse[6], the fight against illegal immigration and residence[7] as well as the general and specific criminal law[8]. Public safety and order moreover encompasses other subjects pursuant to Title V TFEU, such as police law or enforcement of private law.

Art. 11 ePrivacy Regulation in connection with Art. 23 GDPR corresponds to the above-mentioned definitions and case groups, so to speak anticipating the Member States’ assessment of the ordre-public-reservation. It provides guidance on relevant criteria in the context of telecommunications and data protection, yet in an exhaustive manner.[9] The respective topics are listed in Art. 11 Sec. 1 ePrivacy Regulation with regard to Art. 23 Sec. 1 lits. c to e, i and j GDPR as well as the monitoring, inspection or regulatory function connected to the exercise of official authority. Thus, the Member States’ competence is reduced to a specification of these topics and the associated measures.[10]

 

[1] For details on independent supervisory authorities, cf. Art. 18 ePrivacy Regulation.

[2] Weiß, in: Streinz, EUV/AEUV (TEU/TFEU), Art. 72 TFEU (2018), Rec. 6.

[3] Ibid.

[4] Röben, in: Grabitz/Hilf/Nettesheim, Das Recht der Europäischen Union, Art. 72 TFEU (2021), Rec. 12.

[5] CJEU, judgment of 29 April 2004, C-482/01 and C-493/01 – Orfanopoulos and Olivieri.

[6] CJEU, judgment of 15 June 1999, C-394/97 – Heinonen.

[7] CJEU, judgment of 6 December 2011, C-329/11 – Achughbabian, Rec. 30, 33 and CJEU, judgment of 19 July 2012, C-278/12 PPU – Adil, Rec. 66; note, however, that Chapter 2 of Title V – Policies on border checks, asylum and immigration, is already excluded from the material scope of the ePrivacy Regulation pursuant to its Art. 2 Sec. 2 lit. b.

[8] Cf. CJEU, judgment of 10 April 2012, C-83/12 – Vo.

[9] Cf. for the corresponding provision in Art. 23 Sec. 1 GDPR, Dix, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 23 GDPR (2019), Rec. 19.

[10] Still, this leeway has been criticised in context of the GDPR, as it was considered too wide and thus hazardous for overall harmonisation, cf. Albrecht/Jotzo, in: Albrecht/Jotzo, Das neue Datenschutzrecht der EU, Teil 4: Individuelle Datenschutzrechte (2017), Rec. 30 and Bäcker, in: Kühling/Buchner, DSGVO BDSG, Art. 23 GDPR (2020), Rec. 11; this opinion is opposed by the fact that material barriers within the provision are in fact rather high (as it is the case for Art. 11 ePrivacy Regulation), cf. Benecke/Wagner, DVBl 2016, 600 (604).

Art. 11 Sec. 1 ePrivacy Regulation ties in to the scope of obligations and rights provided for by Arts. 5 to 8 ePrivacy Regulation. This refers to the general aim of protection for communications data and terminal equipment information on the one hand and the specific measures applied for that purpose on the other. Since both are core elements of privacy pursuant to Art. 7 CFR, limitations on its scope, as with all other fundamental rights and freedoms, must respect their ‘essence’.[11] Art. 11 Sec. 1 ePrivacy Regulation points out that this particularly includes compliance with the principle of proportionality.[12] To this end, restrictions must be necessary, appropriate and contain material and procedural safeguards, in order to shield the data subject from the risks arising from restrictions.[13]

[11] Cf. Art. 52 Sec. 1 CFR.

[12] For details see I.4. and II.

[13] Bäcker, in: Kühling/Buchner, DSGVO BDSG, Art. 23 GDPR (2020), Rec. 6.

Art. 11 Sec. 1 ePrivacy Regulation allows for restrictions “to safeguard one or more of the general public interests referred to in Article 23 Sec. 1 lits. c to e, i and j GDPR”.

a) Public security, Art. 23 Sec. 1 lit. c GDPR

The term ‘public security’ is an autonomous European term, which must be interpreted in the light of European primary law.[14] The TFEU mentions it at various points, regularly in connection with the term ‘public order’ (e.g. Arts. 36, 45 Sec. 2, 52, 65 and 202).[15] Accordingly, public security represents a narrow concept with regard to particularly important goods and elementary legal standards (cf. above).[16] Recital 73 GDPR mentions the protection of human life, especially in response to natural or manmade disasters.

A delimitation problem emerges between Art. 23 Sec. 1 lit. c and lit. d, since both provisions include the term of public security. Lit. c encompasses all respective issues in general. Lit. d targets handling of criminal offences with regard to “the safeguarding against and the prevention of threats to public security”. In view of its regulatory context, lit. d must be considered to exclusively encompass threat prevention in case of impending or committed criminal offences. It represents lex specialis to lit. c, which in that sense serves as a catch-all-clause.

b) Criminal offences and execution of criminal penalties, Art. 23 Sec. 1 lit. d GDPR

As mentioned above, Art. 23 Sec. 1 lit. d GDPR allows for restrictions in order to prevent or prosecute criminal offences, including those that represent a threat to public security.[17] ‘Threats’, in that regard, must be specific, i.e. a situation which, according to experience in security law and from the point of view of a reasonable observer ex ante, will in the unimpeded course of events lead to damages to the legal interests of public security or order.[18] Abstract threats do not suffice.[19] The term ‘criminal offence’ is defined within each Member State law.[20] In this respect, Member States determine limitations for the restriction-competence themselves. The same applies to the terms ‘prevention’, ‘investigation’, ‘detection’ and ‘execution of criminal penalties’.

Problematically, at first glance, such activities are already excluded from the material scope of the ePrivacy Regulation according to its Art. 2 Sec. 2 lit. d.[21] Thus, there seems to be no need for further restrictions pursuant to Art. 11 Sec. 1 ePrivacy Regulation in the first place. However, according to the particular wording of Art. 2 Sec. 2 lit. d ePrivacy Regulation, the exclusion only refers to “competent authorities”. That means that the scope of Art. 11 Sec. 1 ePrivacy Regulation is excluded only in the case of authorities or other actors which are particularly appointed for criminal prosecution or prevention.[22] Thus, there remains a significant space of application for all other actors, which are not appointed. These might still be in need of exemptions, as for instance service providers, when having access to communications data or terminal equipment that turns out to be critical for uncovering threats to public security.[23] Exemptions in this case can allow the collection of data or the use of processing capabilities of terminal equipment as well as a change in purpose and further processing, in case such interference with protection under Arts. 5 to 8 ePrivacy Regulation becomes necessary.[24]

c) Other important objectives of general public interest, Art. 23 Sec. 1 lit. e GDPR

Art. 23 Sec. 1 lit. e GDPR represents a further catch-all-clause for public interests. Examples are given with respect to important economic or financial interests, including “monetary, budgetary and taxation and matters of public health and social security”. Since, however, the examples within this provision are not exhaustive, it encompasses any conceivable purpose. This fact has been criticised, since it counteracts the exhaustive character of Art. 23 Sec. 1 GDPR.[25] Indeed, the legislator leaves unclear which approach – exhaustive or open legislation – it pursues. Thus, the doors are open to extensive particularisation of law within the Member States.

The critique applies equally to the corresponding purposes under Art. 11 Sec. 1 ePrivacy Regulation.[26] It is questionable whether harmonisation for exceptions under the ePrivacy Regulation can be achieved when these are subject to the sole discretion of the Member States.[27] Indeed, one might argue that Art. 11 Sec. 1 ePrivacy Regulation in connection with Art. 23 Sec. 1 lit. e GDPR stipulates a threshold of ‘importance’, in order to limit objectives and prevent deliberate misuse. Also, in particular because of its rather vague wording, the provision would have to be subject to a stricter interpretation:[28] Not any given purpose would be justified accordingly.[29] Rather, a critical assessment in the light of public interests and individual interests of the persons concerned would be required in each individual case, reflecting the fact that the respective interests have to be ‘essential’.[30] Yet, the threshold for additional purposes remains rather small. In the light of uncertainty about the exact interpretation of the term ‘importance’ and the requirement of an assessment in each individual case, it appears much more likely that this stipulation will dissolve into compliance with the clearer-cut principle of proportionality and will thus remain an empty phrase after all.[31]

d) Protection of the data subject or the rights and freedoms of others, Art. 23 Sec. 1 lit. i GDPR

Art. 23 Sec. 1 lit. i GDPR includes two alternative legal bases for restrictions under Union and Member State law: it provides for (i) the possibility to protect the data subject – which in the context of the ePrivacy Regulation is the respective end-user – and (ii) the protection of rights and freedoms of others. The provision serves to balance out conflicting interests of persons concerned, controllers and third parties, withal taking into account the principle of proportionality and fundamental rights pursuant to the European Charter of Fundamental Rights (CFR).[32]

With regard to Art. 23 Sec. 1 lit. i Alt. 1 GDPR a restriction appears to be sensible, however only in a rather small number of cases.[33] This follows from the fact that the rights under Arts. 5 to 8 ePrivacy Regulation are already designed specifically in order to protect the end-users. Restricting these rights in order to serve the same end consequently represents a certain contradiction. Conceivable constellations narrow down further in light of the fact that Arts. 5 to 8 ePrivacy Regulation themselves provide for exceptions in order to safeguard specific security measures.[34] That concerns particularly one classical case within Art. 23 Sec. 1 lit. i GDPR, in which obligations of providers can be restricted with regard to the anonymization or deletion of information.[35] Such a restriction follows from the idea that in the course of a longer term of inspection, end-users are provided with better access to information, allowing them to retrace and comprehend certain activities of controllers. Thus, their decision-making power with regard to the use of legal remedies pursuant to Art. 21 ePrivacy Regulation is enhanced.[36] Indeed, Art. 7 Sec. 4 ePrivacy Regulation already includes Member State authority to provide for a respective expansion of retention periods, if installed to prevent or investigate criminal offences or to execute criminal penalties and safeguard against threats to public security. Thus, Art. 11 Sec. 1 Alt. 1 ePrivacy Regulation in connection with Art. 23 Sec. 1 lit. i GDPR only applies to a small number of remaining use cases, i.e. the retention in cases of general infringements or in cases of Art. 8 ePrivacy Regulation. Use of processing and storage capabilities or the collection of data from terminal equipment might moreover be indicated whenever end-users must be protected from their own activities, e.g. persons of limited legal capacity or persons who are defenceless against certain environmental influences. The latter might be the case, for instance, in legal systems with strict drug policies or extensive suicide prevention plans. As already mentioned, cases will be limited in number, making it hard to imagine that Art. 11 Sec. 1 ePrivacy Regulation in connection with Art. 23 Sec. 1 lit. i Alt. 1 GDPR will have a significant scope of application.

With regard to Art. 23 Sec. 1 lit. i Alt. 2 GDPR, this finding turns into the contrary. The provision’s wording is very broad, encompassing all “rights and freedoms of others”. Restrictions are limited only by the so-called ‘essence-guarantee’ and the principle of proportionality.[37] Thus, Member States are free to subsume any conceivable right or privilege as long as such is legally approved and not purely of economic nature (e.g. approved business purposes).[38] Case groups include the collection and processing of data in the course of the exercise of the freedom of the press or the work of human rights organisations.[39] With regard to the enforcement of rights in the course of legal remedies under Art. 21 ePrivacy Regulation, restrictions might also concern possible rights of inspection, to the extent to which these could infringe trade secrets (e.g. copyright on software).[40] The breadth of this provision adds further fuel to concerns about the scope of harmonisation under Art. 11 ePrivacy Regulation.[41]

e) Enforcement of civil law claims, Art. 23 Sec. 1 lit. j GDPR

‘Enforcement of civil law claims’ as an interest of third parties specifies the general terms of protection for data subjects or the rights and freedoms of others under Art. 23 Sec. 1 lit. i GDPR. It is therefore considered a mere clarification of the already existing regulatory content.[42] In that, Art. 23 Sec. 1 lit. j GDPR encompasses all kinds of enforcement. While some assumed that the word “enforcement” only related to the actual proceedings of foreclosure, it is right to subsume both extrajudicial and judicial actions.[43] That follows from the broader choice of words, which relates to the “enforcement of civil law claims” instead of the more specific term of “enforcement orders”. Following on from this, it has been discussed whether claims of public institutions could be subsumed accordingly. Yet, in light of the clear wording of Art. 23 Sec. 1 lit. j GDPR, this will only be the case for civil law claims, i.e. those resulting from non-sovereign activities (e.g. fiscal activities).[44] Instead, public orders, such as tax claims or administrative acts, can be privileged under Art. 23 Sec. 1 lit. i GDPR.[45] Finally, the question was posed whether the defence against claims might as well be subject to this provision. Indeed, this rather technical issue might prove to be of low practical relevance, since such actions might be privileged on the basis of Art. 23 Sec. 1 lit. i GDPR anyway. Nonetheless, it appears unreasonable to privilege the enforcement of claims only on grounds of which party makes the claim first and which of the two follows second. Especially in cases of synallagmatic obligations it becomes evident that both the enforcement and the defence must fall under Art. 23 Sec. 1 lit. j GDPR.[46]

[14] Ibid., Rec. 19.

[15] Bäcker, in: Kühling/Buchner, DSGVO BDSG, Art. 23 GDPR (2020), Rec. 19.

[16] Ibid., with reference to Müller-Graff, in: von der Groeben/Schwarze/Hatje, Europäisches Unionsrecht, Art. 36 TFEU (2015), Rec. 49 ff.; cf. also introductory comments under I.

[17] Bäcker, ibid., Rec. 21.

[18] As defined in German police law, cf. Krüger, JuS 2013, 985 (985).

[19] Dix, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 23 GDPR (2019), Rec. 26; Paal, in: Paal/Pauly, DS-GVO BDSG, Art. 23 (2021), Rec. 26.

[20] Paal, ibid., Rec. 28.

[21] The stipulation matches the wording of Art. 23 Sec. 1 lit. d GDPR.

[22] Peuker, in: Sydow, Europäische Datenschutzgrundverordnung, Art. 23 GDPR (2018), Rec. 23.

[23] Sydow, ibid., Rec. 24 mentions money laundering and forensic laboratories with regard to Rec. 19 GDPR; Bäcker, ibid., with reference to employer-employee relationships.

[24] Cf. Dix, ibid. Rec. 26; Bäcker, ibid.; for the issue of further processing in general cf. Arts. 6c and 8 Sec. 1 lit. g.

[25] Cf. Dix, ibid., Rec. 27, calling Art. 23 Sec. 1 lit. e GDPR a ‘blankett rule’; Paal, ibid., Rec. 31a; Bäcker, ibid.; Grages, in: Plath, DSGVO/BDSG, Art. 23 GDPR (2018), Rec. 1.

[26] The EDPB criticized that restrictions by Member States regarding data retention and possible exceptions for service providers in general would undermine data protection standards and possibly conflict with jurisdiction of the CJEU, cf. EDPB, statement 03/2021 on the ePrivacy Regulation, 9 March 2021, p. 2; with particular regard to concerns on precautionary data retention see the statement of the German Federal Commissioner for Data Protection and Freedom of Information from 10 February 2021, who raises similar concerns, available at https://www.bfdi.bund.de/DE/Infothek/Pressemitteilungen/2021/03_Ratsposition-ePrivacy-VO.html, last retrieved 8 February 2022.

[27] Cf. critique by Albrecht/Jotzo, in: Albrecht/Jotzo, Das neue Datenschutzrecht der EU, Teil 4: Individuelle Datenschutzrechte (2017), Rec. 30 and Bäcker, in: Kühling/Buchner, DSGVO BDSG, Art. 23 GDPR (2020), Rec. 11.

[28] Dix, ibid., Rec. 27.

[29] Paal, ibid., Rec. 31.

[30] Ibid.

[31] Bäcker, ibid., Rec. 22.

[32] Paal, ibid., Rec. 40 with reference to Petri, DuD 2018, 347 (349).

[33] Dix, ibid., Rec. 33.

[34] Art. 6 Sec. 1 lit. d; Art. 6b Sec. 1 lit. b, lit. d; Art. 7 Sec. 4; Art. 8 Sec. 1 lit. da, lit. e No. (i), lit. f.

[35] Cf. Bäcker, ibid., Rec. 31.

[36] Bäcker, ibid.; cf. e.g. German data protection law in § 35 Sec. 2 S. 1 BDSG.

[37] Bäcker, ibid., Rec. 32; for details see I.4.

[38] This is the prevailing opinion, cf. e.g. Dix, ibid., Rec. 32 and Bäcker, ibid.; as regards the minor opinion: Grages, in: Plath, DSGVO/BDSG, Art. 23 GDPR (2018), Rec. 6.

[39] Peuker, ibid., Rec. 35; Council of Europe, Explanatory Report to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981, Rec. 58.

[40] Rec. 63 GDPR; Dix, ibid., Rec. 35; moreover, interferences with such rights might be direct or indirect, cf. Bäcker, ibid., Rec. 32.

[41] Cf. above under No. I.2.c).

[42] Dix, ibid., Rec. 36, calling this provision “redundant”.

[43] With regard to the discussion originating from the German word “Durchsetzung” as opposed to the more specific term “Vollstreckung” cf. Koreng, in: Taeger/Gabel, DSGVO – BDSG – TTDSG, Art. 23 (2022), Rec. 54.

[44] Bäcker, ibid., Rec. 33, with reference to the opposing view, held by the German Federal Administrative Court, decision of 4 July 2019, 7 C31.17, NVwZ-RR 2019, 1015, Rec. 17.

[45] Cf. Dix, ibid., Rec. 36 with reference to the contrary opinion in the Explanatory Memorandum to the German draft Data Protection Act, BT-Drs. 18/11325, p. 103.

[46] Contrary position: Bäcker, ibid., Rec. 33a.

Art. 11 Sec. 1 ePrivacy Regulation stipulates that not only the interests referred to in Art. 23 Sec. 1 GDPR serve as reasons for restrictions to the obligations and rights pursuant to Arts. 5 to 8 ePrivacy Regulation, but also actions necessary in the course of an exercise of official authority to enact such interests.[47] Indeed, the respective actions would have already been included in the legal bases of Art. 23 Sec. 1 lit. c to lit. e GDPR, since ‘public security’, ‘criminal justice’ and ‘other important objectives of general public interest’ by nature already entail enforcement by executive authority.[48] In light of its systematic location subsequent to the list of provisions under Art. 23 Sec. GDPR and the express detachment of this stipulation from its legal origin in Art. 23 Sec. 1 lit. h GDPR, Art. 11 Sec. 1 Alt. 2 ePrivacy Regulation, however, serves as a clarification of that fact.

The respective actions concern monitoring, inspection or regulatory functions, which might, to a greater or lesser extent, include the processing of electronic communications data or the interference with terminal equipment.[49] Monitoring denotes any activity which extends over a given period of time, i.e. repeated data collections or enduring interferences. An inspection, by contrast, refers to a singular event, in which the respective authority demands access to specific information. Regulatory function, in this regard, must be considered a catch-all provision, encompassing all related activities required in the course of an effective exercise of power. If such power is not being exercised by public agencies, private parties might as well be addressed by the respective privileges, as long as they are legally appointed to do so.[50]

[47] For more details, see above.

[48] Cf. Paal, ibid., Rec. 38.

[49] For context to these terms, see Art. 5 Rec. 7 and Art. 8 ePrivacy Regulation.

[50] Cf. for the German legal figure of the “Beliehener”, Paal, ibid., Rec. 39.

Art. 11 Sec. 1 ePrivacy Regulation is subject to material limitations as regards the legislative shaping of restrictions to the obligations and rights provided for in Arts. 5 to 8 ePrivacy Regulation. Accordingly, a restriction must “respect the essence of the fundamental rights and freedoms and be a necessary, appropriate and proportionate measure in a democratic society”.

a) Essence-guarantee for fundamental rights and freedoms

The first limitation corresponds to Art. 52 Sec. 1 S. 1 CFR, pursuant to which any restriction on the exercise of its recognised rights and freedoms must respect their very essence. This so-called ‘essence-guarantee’ originates from German constitutional law and has become a general principle in European constitutions.[51] In the context of Arts. 5 – 8 ePrivacy Regulation and the specific stipulation by Art. 11 Sec. 1 ePrivacy Regulation, which refers to the respect for the essence of fundamental rights in general, the legislator emphasises that legislative measures might not only concern the right to privacy or protection of personal data as in Art. 7 and 8 CFR, but that other rights can also be affected in the course of legislation. That is particularly so since any restrictions of certain fundamental rights bear the risk of ‘chilling effects’ on the exercise of others.[52] Thus, in every case the individual effects of legislation under Art. 11 Sec. 1 ePrivacy Regulation must be considered and evaluated in the light of possible interferences with the ‘essence’ of the respective other fundamental rights.

‘Essence-guarantee’ refers to the ‘core area’ of fundamental rights.[53] It must be understood as a counterpart to the proportionality-principle, concerning the relation between burdens of interference and importance of pursued ends outside this area.[54] The core is respected if the guarantee of a fundamental right is not called into question and restriction takes place only in accordance with individual and exceptional behaviour.[55] Conversely, the core is infringed if the restriction leaves no significant remains of that right, i.e. it deprives it of its very substance.[56] The CJEU assumed such infringement in cases in which the person concerned was not able to make effective use of legal remedies[57] and a severe interference with fundamental rights was made without further examination[58]. Also, elements of fundamental rights originating in the guarantee of human dignity are part of the core area.[59] However, the core area of fundamental rights is difficult to define in the abstract.[60] Rather, it depends on each fundamental right individually and must be determined in every single case.[61] To that effect an infringement of the essence of the right to privacy (Art. 7 CFR) and protection of personal data (Art. 8 CFR) was assumed if public agencies were allowed to access electronic communications content in general, i.e. in reversal of the rule-exception-ratio.[62] This ruling must be particularly kept in mind for the respective restrictions pursuant to Art. 11 Sec. 1 Alt. 1 ePrivacy Regulation.

b) Proportionality of restrictions

The second limitation refers to the principle of proportionality, which in practice represents the most important requirement.[63] It is designed according to Arts. 8 – 11 ECHR and its corresponding legal interpretation by the CJEU, which had originally implemented the principle of proportionality into the concept of necessity.[64] According to common European understanding, sovereign measures must be appropriate, necessary and proportionate to achieve the purpose pursued[65], withal entailing a certain ‘margin of appreciation’ of the Member States[66]. Thus, the explicit fixation in Art. 11 Sec. 1 ePrivacy Regulation, albeit being consistent in light of the related provision of Art. 23 Sec. 1 GDPR, would have actually been dispensable.[67]

The tripartite examination starts by defining the relevant objectives of restrictions.[68] Such objectives are determined by the general public interests referred to above. Restrictions must be practically appropriate to achieve these objectives, i.e. they must be purpose-built, at least.[69] Moreover, they are necessary only if they represent the mildest, least intrusive means for fundamental rights pursuant to Arts. 7 and 8 CFR.[70] Accordingly, restrictions which comprehensively exclude rights pursuant to Arts. 5 to 6b ePrivacy Regulation, e.g. when only linked to the discretion of a particular authority, certain forms of data collection (e.g. remote spying) or certain kinds of data (e.g. electronic communications metadata), without at the same time taking into account possible adjustments or exceptions (e.g. means to avoid collection of intimate conversation content), will regularly not be necessary.[71] Finally, measures must be weighed up against the quality of interference on the one hand and the importance of objectives on the other hand. To that extent, it makes sense to take an overall view of the legal situation in the respective Member State: Member States providing an extensive protection of privacy and personal data will, generally, have more leeway for restrictions than those completely exhausting the possibilities under Art. 11 Sec. 1 ePrivacy Regulation.[72] Using such leeway, Member States should moreover provide for exception clauses and separate margins of appreciation, since only then will case-by-case-justice, as a central element of proportionality, be achievable.[73]

c) Measures in a democratic society

The reference to the term ‘democratic society’ serves to incorporate European standards under the rule of law into the assessment of viable restrictions pursuant to Art. 11 Sec. 1 ePrivacy Regulation.[74] Such standards encompass elements like pluralism, tolerance and the ‘spirit of an open society’, as entailed by the ECHR’s jurisdiction.[75] It moreover serves to establish a systematic connection of the assessment of restrictions to the standards under national state organisational laws, which are usually also taken into account in the course of interpretation of national fundamental rights.[76] However, given the lack of an encompassing constitutional frame within the EU, such interpretation will refer to abstract standards of European parliamentary democracies as a whole rather than to each individual Member State legislation alone.[77]

 

[51] Dix, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 23 GDPR (2019), Rec. 13.

[52] Dix, ibid., with further references; inter alia CJEU, decision of 21 December 2015, C-203/15 – Tele 2 Sverige, C-698/15 – Secretary of State for the Home Department, NJW 2017, 717, Rec. 92-94, 100 f.

[53] Jarass, in: Jarass, EU-Grundrechte-Charta, Art. 52 (2021), Rec. 28.

[54] Jarass, ibid.

[55] CJEU, decision of 14 September 2017, C-18/16 – K., Rec. 35; CJEU, decision of 20 March 2014, C-129/14 – Spasic, Rec. 58.

[56] Schwerdtfeger, in: Meyer/Hölscheidt, GRCh, Art. 52 (2019), Rec. 34.

[57] CJEU, decision of 15 October 2010, C-400/10 – McB, Rec. 55 ff.

[58] CJEU, decision of 23 March 2006, C-408/03 – Commission/Belgium, Rec. 68.

[59] Jarass, ibid., Rec. 29 with further references.

[60] Dix, ibid., Rec. 14.

[61] Jarass, ibid., Rec. 29.

[62] CJEU, decision of 8 April 2014, C-293/12, C-594/12 – Digital Rights Ireland, Rec. 39; CJEU, decision of 6 October 2015, C-362/14 – Schrems, Rec. 94.

[63] Bäcker, in: Kühling/Buchner, DSGVO BDSG, Art. 23 GDPR (2020), Rec. 58.

[64] Peuker, in: Sydow, Europäische Datenschutzgrundverordnung, Art. 23 GDPR (2018), Rec. 43; cf. also Rec. 26 ePrivacy Regulation.

[65] Cf. CJEU, decision of 22 January 2013, C-283/11 – Sky/ORF, Rec. 50 et seqq.; CJEU, decision of 8 April 2014, C-293/12, C-594/12 – Digital Rights Ireland, Rec.;

[66] Peuker, ibid., Rec. 44, with further reference to Grabenwarter/Pabel, in: Grabenwarter/Pabel, EMRK (2021), § 18, Rec. 20; cf. also ECHR, decision of 7 December 1976, 5095/71 – Handyside/UK, Rec. 47 ff.

[67] Peuker, ibid.

[68] Bäcker, ibid., Rec. 44.

[69] Cf. CJEU, decision of 21 December 2016, C-203/15, C-698/15 – Tele 2 Sverige AB, Rec. 110 et seq.

[70] Paal, in: Paal/Pauly, DSGVO, Art. 23 (2021), Rec. 9.

[71] Cf. Rec. 19 GDPR; Paal, ibid.; Bertermann, in Ehmann/Selmayr, DSGVO (2018), Art. 23 Rec. 4.

[72] Dix, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 23 GDPR (2019), Rec. 18.

[73] Cf. Bäcker, ibid., Rec. 58; also Paal, ibid.

[74] Grabenwarter/Pabel, ibid., § 18, Rec. 18.

[75] Grabenwarter/Pabel, ibid., with further reference to ECHR, decision of 7 December 1976, 5095/71 – Handyside/UK, Rec. 47 ff.; ECHR, decision of 13 August 1981, 7601/76 – Young, James and Webster, Rec. 64; ECHR, decision of 25 May 1993, 14307/88 – Kokkinakis/GRE, Rec. 33.

[76] Grabenwarter/Pabel, ibid., Rec. 19.

[77] Grabenwarter/Pabel, ibid.

Art. 11 Sec. 1a ePrivacy Regulation implements the requirements of Art. 23 Sec. 2 GDPR on the material content of restrictions by Member States. These serve inter alia to guarantee adherence to the principles of legal clarity and certainty, which are encompassed by the rule of law.[78] Legal clarity refers to the notion that the individual addressee of a legal provision must be able to determine the scope of their rights and obligations and to act accordingly.[79] Conversely, the degree of indeterminacy has an impact on the quality of a restriction, since it narrows the corridor within which the related individual fundamental rights can be exercised with legal certainty. The less legally clear a restriction is, the stricter the assessment standards within the proportionality principle will therefore be under Art. 11 Sec. 1 ePrivacy Regulation.[80]

Art. 23 Sec. 2 GDPR stipulates that legislative measures referred to in Sec. 1 (cf. Art. 11 Sec. 1 ePrivacy Regulation) shall contain specific provisions, wherever relevant to the respective restriction measure. This includes the purposes of the processing or categories of processing (lit. a), the categories of personal data concerned (lit. b), the scope of the restrictions introduced (lit. c), safeguards to prevent abuse or unlawful access or transfer (lit. d), the specification of the controller or categories of controllers (lit. e), storage periods and applicable safeguards to the processing (lit. f) and the right of data subjects to be informed about the restriction (lit. h).

 

[78] Cf. Art. 5 – 7 ECHR; also Payandeh, Das unionsverfassungsrechtliche Rechtsstaatsprinzip, JuS 2021, 481 (484).

[79] CJEU, decision of 17 July 1997, C-354/95 – NFU, Rec. 57; CJEU, decision of 11 June 2009, C-170/08 – Nijemeisland, Rec. 44; CFI, decision of 13 March 2003, T-340/00 – Comunità montana della Valnerina.

[80] Dix, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 23 GDPR (2019), Rec. 37.

According to Art. 11 Sec. 2 ePrivacy Regulation and its corresponding Recital 26, service providers need to provide for appropriate procedures to facilitate access to end-users’ electronic communications data where competent authorities make such demands on the basis of legislative measures adopted under Sec. 1. Thus, the European legislator explicitly provides a legal basis for sovereign access rights of national authorities regarding personal and other data. This includes data which has been transmitted over the network or other forms of conveyance by providers, even where the provider is located outside the EU. The only requirement in that regard is that the data concerns at least one party located within the EU.[81]

It is questionable how such legislation can be justified in light of the ongoing quest by Member States’ authorities to restrict data transmission to particular foreign countries, such as the USA. Not only does a significant fragmentation of Member States’ legislation become possible in this regard, but also, and more importantly, Art. 11 Sec. 2 ePrivacy Regulation gives way to sovereign cross-border access to data which is in no apparent way distinguishable from activities related to the much-noticed US CLOUD Act.[82] Hence, Art. 11 Sec. 2 ePrivacy Regulation might fuel criticism regarding the related issue of a practically unfeasible interpretation of the GDPR.[83]

[81] Cf. Art. 3 Sec. 2 ePrivacy Regulation; in that respect also see Art. 3 Rec. 3.

[82] H. R. 4943 – 115th Congress (2017-2018), US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), https://www.congress.gov/bill/115th-congress/house-bill/4943/text; cf. in this regard EDPB-EDPS, Joint Response to the LIBE Committee on the impact of the US Cloud Act on the European legal framework for personal data protection, https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-edps-joint-response-libe-committee-impact-us-cloud-act_en, both last retrieved 08 February 2022.

[83] Cf. VG Wiesbaden, ZD 2022, 177 commented by v. d. Bussche.
