The Need for Employee-specific Data Protection Law: Potential Lessons from Germany for the EU

Blogpost 43/2022

1. Data Protection at Work

It has long been recognised that personal data processing in the employment context has distinct challenges that require special regulatory treatment. As early as 1999, Spiros Simitis and Mark Freedland, writing independently, reached the same conclusion (see here and here): that the omnibus rules of the now repealed Directive 95/46/EC were not fit for the particular requirements of the employment sector. A specific European directive on the protection of employees’ data was needed. Two decades on, little meaningful progress has been achieved at the policy level. Multiple attempts to introduce employment-specific data protection law at the Union level failed due to a combination of legal, political, and constitutional reasons.

While its fundamental objective is to harmonise data protection rules throughout the EU, the GDPR has a less than stellar reputation when it comes to the employment context: the GDPR is too generic adequately to cover the specificities of the employment relationship; it does not counter the informational and power asymmetry inherent in the employment relationship; and it fails to address the collective rights and interests of employees. Instead, the GDPR leaves these issues to be addressed at the Member State level. Through the opening clause under Article 88 GDPR, Member States can provide ‘more specific rules’ for data protection in the workplace through their regulatory choice (whether through legislation, collective bargaining agreements or a combination of both).

Continue reading

Case C‑22/21 Minister for Justice and Equality – Facilitating entry and residency for distant family members based on emotional dependence

Blogpost 42/2022

Introduction

On 15 September 2022, the Court of Justice issued an important judgment on the matter of the residence rights of ‘any other family member who is a member of a household of a Union citizen’ as defined in Article 3(2)(a) of Directive 2004/38/EC. In its judgment, the Court of Justice held that a family member is part of a Union citizen’s household if a dependence relation is established, based on close and personal ties, forged within the same household. The Court essentially defines the concept of ‘emotional dependence’. A seemingly new concept of dependency that is based on strong emotional ties between two individuals. The degree of dependence, thus, goes beyond cohabitation for pure convenience.

Unlike the family members falling within the definition of Article 2(2) of the Directive, the beneficiaries of Article 3(2)(a) are not entitled to an automatic right to entry and residency within a host Member State. ‘Family members’ as in Article 3(2)(a) of Directive 2004/38, are facilitated entry and residency into a host Member State only after an extensive examination of their personal circumstances. Directive 2004/38, thus, makes a clear distinction between core family members, for example, children and spouses, and more distant ‘other’ family members.

Continue reading

The European Commission’s Assessment of EU Withdrawal from the Energy Charter Treaty: Legal analysis or confidential strategy?

Blogpost 41/2022

‘The polluter is paid!’ – This is how one could summarise the outcome of latest arbitration award under an outdated legal framework protecting investments within the energy sector, the Energy Charter Treaty (ECT). Italy was asked to pay EUR 240 million to the English gas and oil company, Rockhopper.

Such awards put great pressure on the domestic right to regulate, in particular with regard to the necessity of adopting climate mitigation policies. This is why many social society organisations and certain national parliaments, including the Dutch parliament and the Polish parliament, plead for withdrawal of their respective states.

Since 2019, the Contracting Parties have been negotiating to modernise the ECT. On 24 June 2022, the ad hoc meeting of the Energy Charter Conference endorsed the outcome of the modernization negotiations and gave an ‘agreement in principle’. The text, while having been leaked, has not yet officially been made publicly available.

What is missing above all is an open public debate on the legal constraints and consequences of withdrawal from the ECT of the EU and its Member States. As we argue here, the European Commission, instead of facilitating such a debate, has done its part to silence it. However, entry into force does not just require the formal adoption of the modernised text at the adoption at the Energy Charter Conference. It will enter into force only between the Contracting Parties that have ratified them on the 90th day after deposit of the ratification instruments of at least three fourths, or 41, of the Contracting Parties. In light of the critical position of certain national parliaments and the European Parliament, as well as the negative experience in the ratification process of the EU-Canada Trade Agreement (CETA), the executive secrecy and lack of public debate may come around to bite the Commission.

Continue reading

Stepping out of the modernized Energy Charter Treaty – the best way forward?

Blogpost 40/2022

On 24 August 2022, Italy was ordered by an international arbitral tribunal established under the Energy Charter Treaty (ECT) to pay EUR 240 million to the English gas and oil company, Rockhopper. The reason for awarding damages to Rockhopper was Italy’s decision to prohibit further drilling for oil and gas within the range of 12 nautical miles of its coast. The ECT to which 53 parties are signatories – including the EU and its Member States, except Italy – has become a weapon in the hands of fossil companies that seriously hampers fighting the climate crisis. The EU and its Member States should withdraw from this toxic treaty as soon as possible.

The ECT was signed in 1994 and entered into force in 1998. It aimed to incentivise and protect Foreign Direct Investments (FDIs) in the energy sector, in particular from Western European countries into fossil rich countries in the East. In many respects, the ECT is an unusual and anachronistic investment treaty that would not meet current standards of protecting the right to regulate, in particular in order to meet other legal obligations, including obligations to reduce emissions.

Continue reading

On synthetic data: a brief introduction for data protection law dummies

Blogpost 39/2022 1

by César Augusto Fontanillo López and Abdullah Elbi

Synthetic data is attracting increasing attention from technicians and legal scholars in recent years. This is especially noticeable among entities and people working on data-driven technologies, particularly in the artificial intelligence application development and testing sector, where sheer volumes of data are needed. In these circles, synthetic data has become a growing trend under the “fake it till you make it” concept by promising to alleviate existing data access and analytics challenges while respecting data protection rules. Given the rising prospects and acceptance of data synthesis, there is a need to assess the legal implications of its generation and use, the starting point being the legal qualification of synthetic data.

Synthetic data is a broad concept encompassing both personally and non-personally identifiable information. This blog entry focuses, notwithstanding, on the intersection between synthetic data and personal data. The reasons for so doing are that generating synthetic data by means of personal data (including hybrid data) provides a more straightforward assessment and is more suitable for the introductory purposes of this blog entry. At the same time, given the lively academic debate on the concept of personal data, we recognise as particularly relevant to this topic the issues surrounding the qualification as personal data of existing models and background knowledge used as sources for data synthesis. These issues will, however, not be dealt with in this entry.

Continue reading

Comment to Case C-184/20 and the perils of a broad interpretation of Art. 9 GDPR

Blogpost 38/2022

On 1 August 2022, in Case C-184/20, by responding to a referral procedure brought by the Regional Administrative Court of Vilnius, Lithuania, the Court of Justice (hereinafter Court) addressed two prominent issues of data protection law, namely the balancing of transparency obligations with data protection rights, as well as the extent of protection of – potentially – sensitive data.

This judgement has attracted plenty of interest from the data protection community, and generated speculations regarding the consequences of this case. In this blog post, it will be argued that although transparency obligations, conceived to fight against corruption, can conflict with the rights of privacy and data protection, the key for solving this conflict lies in a sophisticated and complex proportionality test, that keeps into account all the specific legal and factual elements of the case.

Moreover, in the second part of this blog, it will be shown, contrarily to what stated in several hot takes to this judgement, how this ruling, in the part concerning the interpretation of personal data that can be intended to reveal sensitive data, does not provide sufficient clarity for determining what data can be considered potentially sensitive.

Continue reading

The public role of private actors: Internet service providers in the E-Evidence proposal

Blogpost 37/2022

The European Commission proposed on 17 April 2018 the “E-Evidence” legislative package (E-Evidence) to overcome the widely discussed issues relating to the traditional instruments for cross-border gathering of electronic evidence (K. Ligeti, G. Robinson; S. Tosza 2020). The main innovation of this proposal consist in allowing law enforcement in one member state to directly compel service providers in another member state to produce or preserve data (for a comprehensive analysis of the proposed package, see V. Franssen in this blog). Already now Internet service providers (ISPs) play a key role of gatekeepers to the data they have, especially in the context of voluntary cooperation. Because of limited possibilities for enforcement, the often transnational context of data gathering and economic power of major ISPs, they are the ones to decide whether to provide data to authorities or not (I develop this argument in details here). While the final text of the EPO Regulation is still being negotiated, in this post I argue that the proposal for the E-Evidence regulation (in all its available versions) does not solve the problem of such “privatisation” of enforcement in the context of e-evidence gathering (V. Mitsilegas) and explain why this is worrisome.

Continue reading

Directives, direct concern, and direct access to the CJEU: Case C-348/20 P Nord Stream 2 v Parliament and Council

Blogpost 36/2022

The limited direct access of individuals to the CJEU is, and has been, the cause for much debate in EU law. However, in the recent Nord Stream 2 judgment, the Court of Justice confirmed that it is not quite as limited as the General Court had laid it out to be in its 2020 order. Generally, for private persons – natural or legal – to be able to challenge an EU legislative act before the CJEU under Article 263(4) TFEU, they must show that, despite not being explicitly addressed by the act, they are nevertheless directly and individually concerned. Since the notorious Plaumann judgment, the “individual concern” condition has been the focus of the debate. In Nord Stream 2, however, the “direct concern” condition is at issue. According to CJEU case law, two criteria must be met to show direct concern: (1) the EU act directly affects the individual’s legal situation and (2) the addressees of the act have no discretion in implementing it (see e.g., C-404/96 P Glencore Grain, para 41).

In the present case, the General Court argued that, before transposition into national law, a directive cannot in itself impose obligations on individuals and therefore cannot directly affect their legal situation (para 107). It concluded that the applicant could not demonstrate to be directly concerned by a directive (para 116). These findings have now been reversed by the Court of Justice, confirming that directives may indeed directly concern individuals under certain circumstances and thus continue to be challenged under Article 263(4) TFEU.Continue reading

X