Tagged: Data Protection

PNR Agreements between Fundamental Rights and National Security: Opinion 1/15

By Arianna Vedaschi and Chiara Graziani

On July 26, 2017, the European Court of Justice (ECJ) issued Opinion 1/15 (the Opinion of the Advocate General on this case had been discussed previously in this blog, part I and part II) pursuant to Article 218(11) TFEU on the draft agreement between Canada and the European Union (EU) dealing with the Transfer of Passenger Name Record (PNR) data from the EU to Canada. The draft agreement was referred to the ECJ by the European Parliament (EP) on January 30, 2015. The envisaged agreement would regulate the exchange and processing of PNR data – which reveals passengers’ personal information, itinerary, travel preferences and habits – between the EU and Canada. The adoption of the agreement is crucial because, according to Article 25 of Directive 95/46/EC as interpreted in the Schrems decision (commented here), the transfer of data to a third country (discussed here) is possible only if such country ensures an “adequate level of protection.” This standard can be testified by an “adequacy decision” of the European Commission or, alternatively, by international commitments in place between non-EU countries and the EU – as the one examined by the ECJ in this Opinion.

Not surprisingly, the leitmotiv of the Court’s Opinion is the challenging balance between liberty and security. Maintaining a realistic perspective, the Court considered mass surveillance tolerable at least in theory, because it is a necessary and useful tool for the prevention of terrorism. Yet, it insisted that there should be very strict rules as to the concrete implementation of such surveillance. For this reason, it found some provisions of the draft agreement incompatible with Articles 7 (privacy) and 8 (data protection), in conjunction with Article 52 (principle of proportionality) of the Charter of Fundamental Rights of the European Union (CFREU).

As a result, the agreement cannot be adopted in the current form and the EU institutions will have to renegotiate it with Canada. For sure, this renegotiation will prove to be challenging. Nevertheless, as the analysis below will show, the Luxembourg judges, by addressing particularly technical issues of the agreement, provided a detailed set of guidelines that, if respected, would ideally preserve fundamental rights – in this case, the right to privacy and to data protection – without undermining public security. Through a smooth and refined reasoning, the Court’s decision indeed suggests potential solutions to amend the draft agreement in a way that is compliant with the CFREU and, ultimately, the rule of law. Continue reading

Third country law in the CJEU’s data protection judgments

By Christopher Kuner

Introduction

Much discussion of foreign law in the work of the Court of Justice of the European Union (CJEU) has focused on how it deals with the rules, principles, and traditions of the EU member states. However, in its data protection judgments a different type of situation involving foreign law is increasingly arising, namely cases where the Court needs to evaluate the law of third countries in order to answer questions of EU law.

This is illustrated by its judgment in Schrems (Case C-362/14; previously discussed on this blog, as well as here), and by Opinion 1/15 (also discussed on this blog, part I and part II), a case currently before the CJEU in which the judgment is scheduled to be issued on 26 July. While these two cases deal with data protection law, the questions they raise are also relevant for other areas of EU law where issues of third country law may arise. The way the Court deals with third country law in the context of its data protection judgments illustrates how interpretation of EU law sometimes involves the evaluation of foreign legal systems, despite the Court’s reluctance to admit this. Continue reading

Joined Cases C-446/12 – 449/12 Willems: The CJEU washes its hands of Member States’ fingerprint retention

By Eduardo Gill-Pedro

When is the Charter of Fundamental Rights of the EU applicable to a Member State measure? In C-446/12 – 449/12 Willems the CJEU held that a Member State which stores and uses fingerprint data, originally collected in compliance with Regulation No 2252/2004, but which the Member State then uses for purposes other than those stipulated in the Regulation, is not acting within the scope of EU law, and therefore is not bound by the Charter. This case appears to indicate a retreat by the Court from the expansive interpretation of the scope of application of the Charter which it had previously laid down in C-617/10 FranssonContinue reading

Top 10 Most Read Posts of the Year

With the end of the third year of operation of the European Law Blog approaching, it is once again time to take a brief look back at the most popular posts of the year. Based on our Google Analytics statistics and keeping in mind that there is a certain bias in favour of older posts which have had more time to become popular, we receive the following little tour d’horizon of EU law… Continue reading

Walking the Data Protection Tightrope: The Google Privacy Policy Investigations

On 2 April 2013, Data Protection Authorities (DPAs) in six EU Member States (France, Germany, Italy, the Netherlands, Spain and the United Kingdom) announced the launch of an official investigation regarding the compliance of Google’s revamped privacy policy with national data protection rules.

This announcement came over one year after the EU’s advisory body on data protection – the Article 29 Working Party – first contacted Google regarding the changes to its privacy policy which came into force on 1 March 2012. Since this first contact, Google formally responded to two questionnaires sent on behalf of the Article 29 Working Party and based on its responses, the Working Party sent Google a letter attaching its main findings and recommendations in October of last year.

Google’s new privacy policy effectively merges the individual privacy policies which were previously in place for Google services. Therefore, rather than having separate privacy policies for services such as Gmail, Google +, Google Maps and YouTube, users of Google services can now access one comprehensive document outlining Google’s privacy policy for all services. ‘Sounds wonderful’ you may be thinking: however, not so, according to national DPAs in the EU. This amalgamated privacy policy may be problematic from a data protection perspective for two (overlapping) reasons: its alleged lack of transparency and the data pooling it facilitates. Continue reading