Following through on the Union’s values: The role of international law in setting legal limits on supporting Israel in its war on Gaza

Blogpost 23/2024

For six months, Israel has been waging a brutal offensive on Gaza, killing over 30.000 Palestinians, destroying more than 60% of the homes in Gaza, and making Gazans account for 80% of those facing famine or catastrophic hunger worldwide. High Representative Borrell described the situation as an ‘open-air graveyard’, both for Palestinians and for ‘many of the most important principles of humanitarian law’. Yet, the Union and its Member States seem unwilling to use their capacity to deter Israel from further atrocities. European leaders continue to express steadfast political support for Israel and to provide material support for the war by upholding pre-existing trade relations, including arms exports. This blogpost examines to what extent this continued support displayed by the Union and its Member States constitutes a violation of Union law. It does so in light of two recent rulings, both delivered by courts in The Hague, which suggest support for Israel in the current context might be problematic not just from a moral, but also from a legal standpoint. The central argument developed in this post is that Union law, when interpreted in a manner that respects – or at least does not undermine – the fundamental norms of international law, establishes sufficiently concrete obligations that the Union and its Member States currently do not meet given their continued support for Israel.

Continue reading

Search queries and anonymisation: How to read Article 6(11) of the DMA and the GDPR together?

Blogpost 22/2024

The Digital Markets Act (DMA) is a regulation enacted by the European Union as part of the European Strategy for Data. Its final text was published on 12 October 2022, and it officially entered into force on 1 November 2022. The main objective of the DMA is to regulate the digital market by imposing a series of by-design obligations (see Recital 65) on large digital platforms, designated as “gatekeepers”. Under to the DMA, the European Commission is responsible for designating the companies that are considered to be gatekeepers (e.g., Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft). After the Commission’s designation on 6 September 2023, as per DMA Article 3, a six-month period of compliance followed and ended on 6 March 2024. At the time of writing, gatekeepers are thus expected to have made the necessary adjustments to comply with the DMA.

Continue reading

On the Threshold to a new electoral law: The Bundesverfassungsgericht’s Decision on Electoral Thresholds

Blogpost 21/2024

In February, the German Federal Constitutional Court (Bundesverfassungsgericht) rejected a motion regarding electoral thresholds in EU electoral law, finally allowing for the necessary national approval of Council Decision 2018/994. This Decision intends to amend the European Electoral act and, according to Article 223 (1) TFEU, must be approved by all Member States. Up until now, the court had held that thresholds in European elections were not compatible with German constitutional law. However, a draft legislative act proposes that some Member States would be obliged to establish electoral thresholds for European elections. With this new judgement, the Bundesverfassungsgericht joins other European courts in finding thresholds to be compatible with national constitutional law.

This blog post aims to provide context for a decision that might very well change the composition of the European Parliament.Continue reading

Case C-479/22 P, Case C-604/22 and the limitation of the relative approach of the definition of ‘personal data’ by the ECJ.

Blogpost 20/2024

On 7 March 2024, the ECJ released two very important decisions on the extent of the definition of ‘personal data’ under EU data protection law in cases C-479/22 P and C-604/22.

The latter case involves a Belgian non-profit organisation called IAB Europe which designed a tool, a framework called TCF, with the purpose of enabling website providers and data brokers to process personal data lawfully (see Paragraph 20).

The preferences that a user select via a consent management platform (CMP) are subsequently encoded in the TCF string which is a combination of letters and characters. The CMP places a cookie on the user’s device so that the cookie and the TCF string can be linked to the user’s IP address (see Paragraph 25). The Court was asked whether, in this context, a character string containing the preferences of a web user could be considered personal data in the hands of IAB Europe and whether IAB Europe could be regarded in this scenario as a (joint) controller.

The former case, which has already been discussed here, deals with a Greek researcher that was under investigation by the European Anti-Fraud Office (OLAF) for allegations relating to potential financial misconduct following the attribution of fundings granted by European Research Council Executive Agency (ERCEA) to carry out a research project.

OLAF published a press release concerning the ongoing investigation and its results, which led to an identification of the researcher by journalists. The researcher thus seized the General Court arguing that OLAF infringed Regulation 2018/1725, which is the regulation on the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (EUDPR), as well as her right to the presumption of innocence.

In this case – and without digging into too much detail – the General Court in case T-384/20 basically held that the press release could not be seen as personal data since the German journalist who re-identified the researcher was an investigative journalist with particular knowledge in that matter and could not be seen as an “average reader” (“lecteur moyen” in French). The plaintiff appealed this decision, which gave rise to the decision of the ECJ in case C-479/22 P

In the next two sections we will discuss how these two judgments by the ECJ seem to limit the relative approach of what constitutes personal data as the Court adopts a definition of the notion of personal data which is more protective for data subjects. Eventually, in the last section it is argued that these decisions should not be overinterpreted since they limit the relative approach, without really ruling it off.

Continue reading

The Corporate Sustainability Due Diligence Directive would ensure a level playing field and enhance necessary corporate sustainability

Blogpost 19/2024

The Corporate Sustainability Due Diligence Directive at risk

In December 2023, following a lengthy Trilogue, a political agreement was reached regarding the Corporate Sustainability Due Diligence Directive (CSDDD); the first EU economy-wide mandatory due diligence legislative measure. The Directive aims to promote sustainable corporate conduct across global value chains, which include the full range of activities involved in the creation of a product or service. While the CSDDD is not a panacea, it is expected to foster a level playing field and improve corporate sustainability. However, a last-minute announcement from the internally divided German government to abstain from voting in the European Council has put the Directive’s future at risk.

Despite earlier endorsement, on the 1st of February 2024, Germany suddenly withdrew its support for the CSDDD due to the opposition of the FDP, the liberal government coalition party. Lukas Köhler, FDP deputy head in German Parliament, stated that the FDP cannot support the Directive as its obligations would overburden companies. Subsequently, other EU Member States, such as Italy, followed Germany’s example and decided to abstain from voting, or to vote against approval. The Council vote which was initially planned on 9 February had to be postponed since the required qualified majority would not be reached. On 28 February, once again, due to lack of support, it was decided to postpone the vote on the approval of the Directive. In the meantime, the Belgian Presidency of the Council, reportedly, proposed a new comprise text of the Directive hoping to convince Member States to vote in favour. The revised version would have included a downsized personal scope of application and softened provisions on civil liability. However, on 8 March, the Council vote has again been postponed. While time is running out ahead of the European elections, the Directive has been set on the agenda of the Coreper I meeting on 13 March.

This blog post argues that the failure to approve the CSDDD by the Council under the guise of protecting companies is counterproductive and represents a missed opportunity in mitigating climate change. First, the post looks at the CSDDD from the perspective of European businesses. Then, it connects the urgent societal challenge of climate change to the EU Directive awaiting approval by the Council.

Continue reading

Non-Material Damages under the GDPR: What do we know so far?

Blogpost 18/2024

Since C-300/21 Österreichische Post, the first ECJ decision on non-material damages under GDPR, the ECJ has handed down multiple other decisions on the topic (C-340/21 Natsionalna agentsia za prihodite, C-667/21 Krankenversicherung Nordrhein, C-456/22 Gemeinde Ummendorf and C‑687/21 MediaMarktSaturn). There seems to be a marked effort by the Court to create a reliable jurisprudence for non-material damages. In fact, all the decisions have been assigned to and decided by the Third Chamber under Article 60 of the Rules of Procedure of the Court of Justice. This post analyses the subsequent cases after Österreichische Post to flesh out the Court’s conception of non-material damages under Article 82 GDPR and to analyse whether a coherent approach emerges from the case law.

Continue reading

Opting-in or -out or not at all: secondary use of health data in the EHDS framework

Blogpost 17/2024

In accordance with the European data strategy the European Commission gave its proposal for the Regulation on European Health Data Space (EHDS) in May 2022. The purpose of the EHDS is to establish a mandatory cross-border infrastructure which makes it possible for residents to access their electronic health data anywhere in Europe for health care purposes and use such data for reimbursement purposes and similar purposes (primary use). Furthermore, EHDS creates a mandatory cross-border infrastructure for the secondary use of electronic health data, such as electronic patient records, genetic data, socio-economic data and data processed in relation to healthcare services.  The secondary uses cover everything from public health, planning and statistical purposes, scientific research, development and innovation activities, training and testing of algorithms and providing personalised healthcare.

Each country shall have one central public sector health data access body which shall assess the applications for accessing electronic health data and issue data permits for accessing pseudonymised data sets or answers to data requests in anonymised statistical format. It must also maintain a public information system and fulfil obligations towards natural persons as required by the EHDS Regulation and the GDPR.  Holders of electronic health data are obliged to grant access to their data through the access body when data permit is granted or answer to data request is provided.

Given the sensitive nature of health data, selecting the health data space as the first of several data spaces to be instituted within EU was a bold move from the Commission. This could be explained by the need to make it possible for Europeans to seek health care within the EU and from the pressing need to harmonise interpretation of the GDPR and national laws with regard to carrying out EU-wide health research projects, as well as the desire of the pharmaceutical industry to obtain large amounts of EU-originated health data. The up-coming European elections in June 2024 have put pressure on different institutions to arrive to a common position in relation to the proposed regulation. The Council of Ministers and the EU Parliament both were able to come up with negotiating mandates in December which made it possible to start with the Trilogue negotiations between different EU institutions already in then.

The scope of proposed secondary uses of electronic health data is broad. According to the original Commission proposal the rights of data subjects would rely on the GDPR and the only additional safeguard would be the secure technical processing environment for personal health related data. The extent to which data subjects should control the secondary use of their health related data in the EHDS has turned out to be one of the most contentious issues dividing the Council and the Parliament.

In the following blog I shall first discuss different forms of control envisaged for data subjects over the secondary use of their health data. Thereafter I’ll describe the respective positions of different institutions and discuss them in light of the Finnish law relating to the secondary use of health and social data which has acted as one the models of the EHDS proposal.

Continue reading

Google Ireland and Others (C-376/22): is the strict interpretation of national public policy exceptions to the benefit of EU regulation?

Blogpost 16/2024

On the 9th of November 2023, the Court of Justice issued a judgment concerning the interpretation of the derogation clause in Article 3 (4) of the Information Society Services Directive (also known as the e-commerce Directive). The case concerned an Austrian law that imposed obligations on communication platform services regarding illegal content (such as hate speech, harassment, and content related to terrorist and pornographic offences), even when the platform is established in another Member State.

Under the e-commerce Directive, the rules that apply to the service providers are the ones of the country of origin where they are established. Other Member States where the services are provided may not subject those services to their own national rules. However, as a derogation to this rule, Article 3 (4) provides for specific grounds under which Member States can still apply rules to the service providers, including grounds of public policy. The question hereby was whether the Austrian legislation could be considered to fall under Article 3 (4) of the Directive.

In its judgment, the Court refused to accept that such a law could fall under the derogation clause of the Directive, which cannot be used for general and abstract measures. Instead, the Court affirmed that the derogation clause could only be used to regulate services on a case-by-case basis.

Continue reading