Search results for: digital rights

The future of national data retention obligations – How to apply Digital Rights Ireland at national level?

Note by the editors: we will take a short break over the summer and resume blogging in the week of 16 August

By Vanessa Franssen

On 19 July, Advocate General (AG) Saugmandsgaard Øe delivered his much awaited opinion on the joined cases Tele2 Sverige AB and Secretary of State for the Home Department, which were triggered by the Court of Justice’s (CJEU) ruling in Digital Rights Ireland, discussed previously on this blog. As a result of this judgment, invalidating the Data Retention Directive, many Member States which had put in place data retention obligations on the basis of the Directive, were confronted with the question whether these data retention obligations were compatible with the right to privacy and the right to protection of personal data, guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights (Charter). Hence, without a whisper of a doubt, several national legislators eagerly await the outcome of these joined cases, in the hope to get more guidance as to how to apply Digital Rights Ireland concretely to their national legislation. The large number of Member States intervening in the joined cases clearly shows this: in addition to Sweden and the UK, no less than 13 Member States submitted written observations. The AG’s opinion is a first – important – step and thus merits a closer look.

Joined Cases C-293/12 and 594/12 Digital Rights Ireland and Seitlinger and Others: The Good, the Bad and the Ugly

By Orla Lynskey

In its eagerly anticipated judgment in the Digital Rights Ireland case, the European Court of Justice held that the EU legislature had exceeded the limits of the principle of proportionality in relation to certain provisions of the EU Charter (Articles 7, 8 and 52(1)) by adopting the Data Retention Directive. In this regard, the reasoning of the Court resembled that of its Advocate General (the facts of these proceedings and an analysis of the Advocate General’s Opinion have been the subject of a previous blog post). However, unlike the Advocate General, the Court deemed the Directive to be invalid without limiting the temporal effects of its finding. This post will consider the Court’s main findings before commenting on the good, the bad and the ugly in the judgment.

Plenty to retain? Opinion of the Advocate General in Joined Cases C-293/12 and 594/12, Digital Rights Ireland ltd and Seitlinger and others

In what circumstances is it possible for the EU to introduce a directive which limits the exercise of fundamental rights guaranteed by the EU Charter? This is just one of the many questions of constitutional significance which the Court is asked to address in Joined Cases C-293/12 and C-594/12.  In his Opinion delivered on 12 December 2013, Advocate General (AG) Cruz Villalón provides plenty of food for thought for the Court. For instance, the Opinion offers interesting yet contestable insights into the relationship between the rights to privacy and data protection in the EU legal order.


Reconsidering the blanket-data-retention-taboo, for human rights’ sake?

Belgian Constitutional Court offers CJEU chance to explain its puzzling Tele2 Sverige AB-decision

By Frank Verbruggen, Sofie Royer, and Helena Severijns

Compulsory retention, by ICT-providers, of all non-content user and traffic data, to ensure that that data will be available for subsequent use by law enforcement or intelligence, has been a controversial issue in the EU for several years now. On 19 July 2018 the Belgian Constitutional Court requested a preliminary ruling from the CJEU. Basically, it asks the EU Court to further clarify its earlier case law. The Belgian constitutional judges indicate that they find some aspects of the CJEU’s previous decisions puzzling and they also offer a new angle by explicitly linking the matter to the positive obligations of member states under the European Convention on Human Rights. The implied suggestion seems that the CJEU did not give those obligations enough weight when it found blanket data retention obligations disproportionate.

PNR Agreements between Fundamental Rights and National Security: Opinion 1/15

By Arianna Vedaschi and Chiara Graziani

On July 26, 2017, the European Court of Justice (ECJ) issued Opinion 1/15 (the Opinion of the Advocate General on this case had been discussed previously in this blog, part I and part II) pursuant to Article 218(11) TFEU on the draft agreement between Canada and the European Union (EU) dealing with the Transfer of Passenger Name Record (PNR) data from the EU to Canada. The draft agreement was referred to the ECJ by the European Parliament (EP) on January 30, 2015. The envisaged agreement would regulate the exchange and processing of PNR data – which reveals passengers’ personal information, itinerary, travel preferences and habits – between the EU and Canada. The adoption of the agreement is crucial because, according to Article 25 of Directive 95/46/EC as interpreted in the Schrems decision (commented here), the transfer of data to a third country (discussed here) is possible only if such country ensures an “adequate level of protection.” This standard can be testified by an “adequacy decision” of the European Commission or, alternatively, by international commitments in place between non-EU countries and the EU – as the one examined by the ECJ in this Opinion.

Not surprisingly, the leitmotiv of the Court’s Opinion is the challenging balance between liberty and security. Maintaining a realistic perspective, the Court considered mass surveillance tolerable at least in theory, because it is a necessary and useful tool for the prevention of terrorism. Yet, it insisted that there should be very strict rules as to the concrete implementation of such surveillance. For this reason, it found some provisions of the draft agreement incompatible with Articles 7 (privacy) and 8 (data protection), in conjunction with Article 52 (principle of proportionality) of the Charter of Fundamental Rights of the European Union (CFREU).

As a result, the agreement cannot be adopted in the current form and the EU institutions will have to renegotiate it with Canada. For sure, this renegotiation will prove to be challenging. Nevertheless, as the analysis below will show, the Luxembourg judges, by addressing particularly technical issues of the agreement, provided a detailed set of guidelines that, if respected, would ideally preserve fundamental rights – in this case, the right to privacy and to data protection – without undermining public security. Through a smooth and refined reasoning, the Court’s decision indeed suggests potential solutions to amend the draft agreement in a way that is compliant with the CFREU and, ultimately, the rule of law.

Brexit, Fundamental Rights And The Future Of Judicial And Police Cooperation

By Cristina Saenz Perez

The future of EU-UK judicial cooperation in criminal matters is far from certain. In her Florence speech, Theresa May affirmed that one of the goals of the UK government was to establish a “comprehensive framework for future security, law enforcement and criminal justice cooperation” after Brexit. In the government’s ‘Future Partnership Paper’, the government also expressed the need of concluding a separate agreement that guarantees the future of cooperation in police and security matters between the UK and the EU. Despite all the efforts, the latest decisions have shown how difficult an agreement in this area will be.

Defamation in the digital age

Last October, the grand chamber of the Court ruled in the joined cases of eDate and Martinez (C-509/09 and C-161/10) on the interpretation of Article 5(3) of the Brussels I Regulation (Regulation 44/2001/EC) in cases of alleged infringement of personality rights by means of content placed on an internet website. Article 5(3) grants jurisdiction to the court of the place where the harmful event occurred or may occur.

In earlier case law, Fiona Shevill, the Court had held that in case of defamation by means of a newspaper article distributed in several Member States, Article 5(3) must be interpreted as giving the victim a choice between fora. Firstly, the victim may bring the action before the courts of the Member State of the place where the publisher of the defamatory publication is established, which have jurisdiction to award damages for all of the harm caused by the defamation. Secondly and alternatively, the victim may bring the action before the courts of each Member State in which the publication was distributed and where the victim claims to have suffered injury to his reputation, and which have jurisdiction to rule solely in respect of the harm caused in the State of the court seised (paragraph 33 of Shevill). Could these criteria be applied in cases where the defamatory content was published on the internet?


A FRAGMENTATION OF EU/ECHR LAW ON MASS SURVEILLANCE: INITIAL THOUGHTS ON THE BIG BROTHER WATCH JUDGMENT

By Theodore Christakis

Last week, the European Court of Human Rights (ECtHR) issued an important, highly anticipated judgment, condemning the United Kingdom for its mass surveillance program.

Following Edward Snowden’s revelations regarding the United States-United Kingdom intelligence surveillance and intelligence sharing programme, 16 organizations and individuals (including the NGO Big Brother Watch) filed an application against the United Kingdom before the ECtHR. The 212-page-long judgment published on September 13, 2018 is rich and deals with a great variety of important issues. Several among them are directly linked to some major legal questions examined in the past by the Court of Justice of the European Union (CJEU) or currently pending before it – not to mention the ongoing debate about whether the EU-US data transfer agreement known as Privacy Shield provides an “adequate level of protection”. The objective of this piece is to provide some first thoughts focusing on the strategic place of this judgment in the European legal landscape.

Another Turn of the Screw? The ‘Facebook Fanpages’ judgment

By Orla Lynskey

Introduction

The data protection practices of social networking giant Facebook have been the subject of much regulatory and public scrutiny in recent months, from the Cambridge Analytica saga to the allegation that Facebook’s consent mechanism is not GDPR-compliant and its terms of service constitute an abuse of dominance. The recent judgment of the Grand Chamber of the CJEU is therefore likely to add to Facebook’s data protection woes, by increasing the pressure on it to reconsider the data processing practices that underpin its business model.

Tele2 Sverige AB and Watson et al: Continuity and Radical Change

By Orla Lynskey

Introduction

The CJEU delivered its judgment in Tele2 Sverige AB and Watson on 21 December 2016. The Court had been asked by a Swedish and British court respectively to consider the scope and effect of its previous judgment in Digital Rights Ireland (discussed here). The judgment reflects continuity in so far as it follows in the line of this, and earlier judgments taking a strong stance on data protection and privacy. Yet, the degree of protection it offers these rights over competing interests, notably security, is radical. In particular, the Court unequivocally states that legislation providing for general and indiscriminate data retention is incompatible with the E-Privacy Directive, as read in light of the relevant EU Charter rights. While the judgment was delivered in the context of the E-Privacy Directive, the Court’s reasoning could equally apply to other EU secondary legislation or programmes interpreted in light of the Charter. This judgment will be a game-changer for state surveillance in Europe and while it offered an early Christmas gift to privacy campaigners, it is likely to receive a very mixed reaction from EU Member States as such. While national data retention legislation has been annulled across multiple Member States (Bulgaria, Czech Republic, Cyprus, Germany and Romania), this annulment has been based on an assessment of the proportionality of the relevant measures rather than on a finding that blanket retention is per se unlawful. For those familiar with the facts and findings, skip straight to the comment below.

Opinion 1/15: AG Mengozzi looking for a new balance in data protection (part I)

By Maxime Lassalle

On 8 September 2016, Advocate General (AG) Mengozzi delivered his much awaited opinion on the agreement between Canada and the European Union on the transfer and processing of Passenger Name Record (PNR). It follows the European Parliament’s resolution seeking an Opinion from the Court of Justice of the European Union (CJEU) on the compatibility of the agreement with the Treaties. Even though the opinion concludes that the agreement has many loopholes, it could disappoint those who were expecting a strong condemnation of PNR schemes as such.

This blogpost intends to present the context of this procedure and the main elements of the AG’s opinion before analysing them. The question of the appropriate legal basis for the agreement, also raised by the Parliament, will not be addressed. However, before turning to the AG’s opinion, we need to briefly sketch the background of the proposed agreement.

In the Shadows of the Data Protection Juggernaut: Bara and Weltimmo

By Orla Lynskey

Data protection policy, in particular the right to protection of personal data in Article 8 of the EU Charter, has remained firmly within the EU law limelight in recent years. This right played a key role in seminal judgments of the CJEU such as Schecke and Eifert, where for the first time a provision of secondary legislation was annulled for incompatibility with the Charter, and in Digital Rights Ireland (discussed earlier on this blog), where for the first time an entire Directive was annulled on the same grounds. Furthermore, in Google Spain (considered here) this fledgling right was ostensibly given precedence over the more established right to freedom of expression in certain circumstances, leading to a media furore on both sides of the Atlantic. 2015 was no different in this regard as much attention focused on the Court’s judgment in Schrems (discussed here), which invalidated the 15 year old Safe Harbor data sharing agreement between the EU and the US, and on the culmination of four years of negotiation on the new Proposed General Data Protection Regulation in December.

For good or for bad, the EU data protection juggernaut appears unstoppable, leaving in its wake legal instruments that do not meet its strict standards. Yet, in the shadows of these well-documented events, other noteworthy developments occurred. 2015 also saw the Dutch referring court withdraw its preliminary reference in Rease and Wullems, thereby regrettably removing the opportunity for the CJEU to pronounce upon the margin of discretion of national Data Protection Authorities (DPAs) when adopting a de minimis approach to their enforcement strategy to the detriment of individual or small group complainants. The Court did, however, deliver a number of largely overlooked yet significant data protection judgments in 2015. This contribution will focus on two significant cases which the CJEU delivered in the first week of October, immediately prior to the Schrems judgment, in Bara and Weltimmo. These preliminary references allowed the Court to clarify the interpretation of obligations and exemptions under the Data Protection Directive, as well as the Directive’s enforcement in online situations.

Schrems vs. Data Protection Commissioner: a slap on the wrist for the Commission and new powers for data protection authorities

By Fanny Coudert

On 6th of October, in Schrems vs. Data Protection Commissioner, the CJEU, following the controversial Opinion of AG Bot, put an end to the specific regime regulating data flows to the US. The 4600 US companies using this agreement are now forced to rethink how to ensure the continuity of the protection when data are transferred from the EU to the US. In this milestone ruling, the Court also reaffirmed the key role played by national Data Protection Authorities (DPAs) in the European system of data protection, and clarified the different competences of the European Commission, the DPAs and the courts – including the ECJ – in assessing the adequate level of protection offered by a third country.

Top 10 Most Read Posts of the Year

With the end of the third year of operation of the European Law Blog approaching, it is once again time to take a brief look back at the most popular posts of the year. Based on our Google Analytics statistics and keeping in mind that there is a certain bias in favour of older posts which have had more time to become popular, we receive the following little tour d’horizon of EU law…

The European Commission’s E-evidence Proposal: Toward an EU-wide Obligation for Service Providers to Cooperate with Law Enforcement?

By Vanessa Franssen

On 17 April 2018 the European Commission published its long awaited legislative proposal on e-evidence. This proposal – which actually consists of two strongly interconnected proposals, a Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (‘Proposed Regulation’) and a Proposal for a directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings (‘Proposed Directive’) – is probably the first one in the field of criminal justice cooperation that the Council of the EU urged the Commission to put forward. Indeed, while the Member States are usually quite reluctant to give up sovereignty and to accept EU approximating rules in the field of criminal law, a number of Member States strongly pushed for a legislative intervention by the EU.

This is not entirely surprising: due to the increased use of all kinds of online services and information and communication technologies (ICTs), police and judicial authorities are confronted on a daily basis with the problem to collect electronic evidence, as the data they are looking for are often processed, transmitted and/or stored by foreign service providers, including big global technology companies such as Google, Facebook, Microsoft or Amazon. To compel a foreign person to cooperate in a criminal investigation is not obvious – the enforcement jurisdiction of police and judicial authorities is, in principle, limited to their own national territory.

This post will present the highlights of the double e-evidence proposal that is on the table and the first reactions to the proposals, at a moment where the institutional negotiations are picking up speed.

The Commission’s Company Law Package: overview and critical view of the proposal for cross border transactions

By Segismundo Alvarez

The much awaited Company Law Package was finally published by the European Commission on April 25. It aims to establish “simpler and less burdensome rules for companies” regarding incorporation and cross border transactions and consists of two proposals.

Proposal 2018/0113 intends to promote the use of digital tools and procedures in company law. Member States will need to allow a fully online procedure for the registration of new companies and of branches of other companies, that permits the incorporation without the physical presence of the members before any public authority. To avoid fraud and abuse the proposal “sets safeguards against fraud and abuse such as mandatory identification control, rules on disqualified directors and a possibility for Member States to require the involvement of a person or body in the process, such as notaries or lawyers”. The proposal also establishes the need to offer free access to the most relevant information of companies in the Companies Registers. This proposal will require important changes in national legislations and its implementation will be a technological challenge for the Member States that want to preserve the present level of control in the incorporation of companies. The question of online identification will undoubtedly be of special interest and complexity.

This first proposal certainly deserves more detailed examination. However, to keep this post short, I will concentrate here on the second proposal (2018/0114) regarding cross-border conversions, mergers and divisions.

The EU Single Market Information Tool: The European Commission’s new investigative power in 2018

By Gianni De Stefano and Jaime Rodríguez-Toquero

The European Commission is about to gain a new investigative power through the Single Market Information Tool (SMIT).  The SMIT will allow the Commission to request information (including factual market data or fact-based analysis) from private firms or trade associations when the Commission initiates or substantiates infringement proceedings against one or more Member State(s) that may have failed to fulfil an obligation under the applicable Single Market legislation.  This post will discuss the background of the SMIT, its purported rationale, and critically reflect on the powers granted to the Commission under the SMIT.

The Commission is at pains to clarify that the SMIT initiative does not aim to create new enforcement powers allowing it to pursue infringements of Union law in the Single Market area against individual market participants.  That said, the Single Market rules can be infringed by either Member States or private companies.  Therefore, companies responding to such information requests will not only incur administrative and financial burdens, but they will also have to be careful not to incriminate themselves in doing so, as we will see below.


POMFR: Challenges in the Field of Economic and Financial Crime in Europe and the US

By Katrien Verhesschen

Katalin Ligeti, Vanessa Franssen (eds), Challenges in the Field of Economic and Financial Crime in Europe and the US (Hart Publishing, Oxford, 2017)

“A European ‘fraud hunter’ is beneficial for taxpayers”, “Fraud costs 100 euros per EU citizen” (own translations). As these examples of newspaper headlines demonstrate, economic and financial crimes are ‘hot topics’. Newspaper articles report on fraud cases on an almost daily basis. Economic and financial criminal law is a constantly evolving field of law, not only within states but also at the level of the EU, as is demonstrated by the recently adopted Council Regulation on the European Public Prosecutor’s Office. However, the globalisation and interconnectedness of financial markets, the digitalisation of our daily lives and the particularities of economic and financial crime pose considerable challenges to legislators and law enforcement trying to tackle these types of crime. The recently published ‘Challenges in the Field of Economic and Financial Crime in Europe and the US’ gives ‒ as its title suggests ‒ an interesting and at times eye-opening description of several of these challenges.

Neues aus dem Elfenbeinturm: February 2017

Workshop Series “Current Issues in EU External Relations”

University of Luxembourg, 31 March/19 May/29 May 2017. Deadline for proposal submissions: 6 March 2017.

Conference “Comparative Public Law in Europe – Opportunities and Challenges”

University of Essex, 14 March 2017. Deadline for (free) registration: 10 March 2017.

Radboud Economic Law International Conference “Digital Markets in the EU”

Radboud University, 9 June 2017. Deadline for abstract submissions: 24 March 2017.

Summer Schools “Venice Academy of Human Rights – Economic, Social and Cultural Rights as an Answer to Rising Inequalities” and “Venice School of Human Rights – Human Rights as Our Responsibility”

EIUC Venice, 3-12 July and 9-17 June 2017, respectively. Deadline for applications: 19/27 April 2017.

CJEU sheds light on liability for operators of open Wi-Fi networks (Case C-484/14 Mc Fadden v Sony Music)

By Bernd Justin Jütte

One week after the Court of Justice (CJEU) handed down its Judgment in GS Media (see for a comment here), it has ruled on another important copyright case. In Mc Fadden v Sony Music the Court followed the Opinion of AG Szpunar (see for comment on this blog here) to a large extent while disagreeing on two crucial points. It decided that the operator of an open wireless network provides an ‘information society service’ (ISS) within the meaning of Article 14 E-Commerce Directive if he provides access to the network as part of his economic activities. This means he can avail himself of the liability exemption laid down in that provision. However, the operator of a wireless network can be required to protect the network with a password in order to deter users from infringing the rights of copyright holders. The Court further decided that the right holder can claim from network operators the costs related to an injunction (e.g. to prevent future infringements), but not the costs related to claims for primary infringements of copyrights by the users of the Wi-Fi network.