13 April 2021/
By Vanessa Franssen
Organiser: European Law Blog (https://europeanlawblog.eu)
Date: 19 April 2021, 12h-14h (Central European Time)
Venue: Online (via Zoom)
Registration: free but mandatory (max. 50 participants) – via this link: https://bit.ly/2POdq6n
Summary
The issue of data retention has been at the centre of much legal reflection ever since the Court of Justice of the European Union (CJEU) invalidated the 2006 Data Retention Directive in C-293/12 Digital Rights Ireland. While this annulment was very much welcomed by the data protection community and civil society, police and judicial authorities have expressed strong concerns about the impact on criminal enforcement; concerns that have resulted in several court proceedings at national and EU level.
In three recent rulings (C-623/17 Privacy International, C-511/18 La Quadrature du Net e.a. and C-746/18 Prokuratuur), the CJEU has tried to further clarify unsettled questions. Nevertheless, in doing so, the Court has most likely raised more questions than answers and has definitely complicated the way forward for EU and national legislators. Consequently, judicial authorities as well as intelligence agencies are still in search of clarity, while citizens and businesses remain confronted with a lack of legal certainty.
The editors of the European Law Blog are pleased to invite you to the Blog’s first online seminar, which will focus on these tffopical issues. During this seminar, four eminent speakers will take the floor to analyse the current legal situation, in the light of the CJEU’s recent case law, and to reflect on future solutions for what seem nearly inextricable problems.
Panel
- Moderator: Vanessa Franssen, Professor University of Liège, Affiliated Senior Researcher KU Leuven, and Editor European Law Blog
- Speakers:
- Anna Buchta, Head of Policy and Consultation Unit, European Data Protection Supervisor
- Jarek Lotarski, Legal Service of the Council of the EU (previously Policy Officer European Commission, DG Home)
- Nóra Ní Loideain, Director, Information Law & Policy Centre, Institute of Advances Legal Studies, University of London
- Christian Svanberg, General Counsel, Danish Defence (previously Head of Center for Data Protection and DPO, Danish National Police)
13 April 2021/
By Theodore Christakis
/
Part 2: On Double Standards and the Way Forward
In Part 1 of this article, published yesterday here, I explained how the US government tries to exclude Executive Order 12333 and international surveillance from the scope of the EU/US adequacy negotiations and I presented four possible responses to the US arguments. In this second Part, I will enter into a critical approach of the EU position on the relevance of the ECHR and I will argue that the US could reasonably put forward an equally strong and legitimate number of counter-arguments. I will also present a series of thoughts and proposals that could help to get out of this mess without endangering the continuity of protection of EU personal data required by the GDPR.
It is not clear whether the ECHR is really applicable to international surveillance
As discussed in Part 1, the US argues that direct or non-compulsory access to data should be excluded from the scope of EU-US adequacy negotiations because “EU Member State direct access measures are not subject to EU law at all” and “a data exporter would have no comparative standard by which to assess whether privacy protections offered by a destination country for the same type of activities are “essentially equivalent” to protections required by EU law”. I argued that this statement, formulated in such broad terms, seems to be wrong, because the ECHR is binding upon all EU Member States and thus offers such a “comparative standard” in relation with direct or non-compulsory access. However, the point that I will make here is that such a “comparative standard” only exists in relation with domestic surveillance activities of European States. The assumption that the ECHR is applicable in a situation in which international surveillance is being conducted, is far from what you would call an axiom.
Claiming that the ECHR applies to surveillance activities undertaken outside the territory of the state parties, raises the crucial question of whether the ECHR has extraterritorial application. Article 1 of the ECHR lays down the principle that “[t]he High Contracting Parties shall secure to everyone within their jurisdiction the rights and freedoms defined in Section I of this Convention” (emphasis added). In its case law the ECtHR has stressed that the critical test to determine whether the ECHR has extraterritorial application is that of “effective control”, which can be exercised by a State party in the territory under consideration. In the famous Loizidou v. Turkey judgment of 1995, for instance, the Court held Turkey accountable for violations of the Convention that took place outside Turkey’s territory on the basis that these violations were the “result of the continued occupation and control of the northern part of Cyprus by Turkish armed forces”.
Continue reading
Part 1: Countering the U.S. Arguments
As the United States (US) and the European Union (EU) “intensify” negotiations to reach a new adequacy decision following the invalidation of Privacy Shield by the Court of Justice of the European Union (CJEU) in its July 16, 2020 Schrems II judgment (discussed here, here and here), one pressing question is what should be included and what should be excluded from the scope of the negotiations. It went unnoticed, but the US submissions to two recent European public consultations (one by the European Commission and another one by the European Data Protection Board (EDPB)) on post-Schrems II developments provide a glimpse of what could become a thorny issue during the ongoing EU-US negotiations for a successor to Privacy Shield.
More precisely, this thorny issue is whether international surveillance, conducted by US intelligence agencies outside the territory of the US on the basis of Executive Order 12333 (EO 12333)[i], should be (or not) part of the adequacy assessment. The EU seems to consider that excluding international surveillance and EO 12333 from the scope of the successor to the Privacy Shield adequacy decision would be problematic and could give the impression of trying to “re-litigate” the Schrems II judgment, with all the risks that this could involve for a future invalidation by the CJEU of a new adequacy decision in a “Schrems III” case. The US, in contrast, disputes this approach, talks about “double standards” and seems to consider that EU demands about US international surveillance limitations go far beyond what is required by EU law and what is practiced by EU Member States themselves in their international surveillance activities.
This article will be published in two successive parts.
In Part 1, published here, I will present the US arguments which intend to exclude from the scope of the EU-US negotiations all “direct access” to data by US intelligence agencies. I will explain that what is basically at stake here is international surveillance and the effort to exclude Executive Order 12333 from the scope of the adequacy assessment. I will then present four possible responses to the US arguments, based especially on the role that the European Convention of Human Rights (ECHR) could play in this field and on a teleological interpretation of the General Data Protection Regulation (GDPR).
Continue reading
9 April 2021/
By Max Münchmeyer
Solidarity in the European Union’s energy policy is not merely a wishful thought but a justiciable principle of EU primary law. This is according Advocate General (AG) Campos Sánchez-Bordona, who on 18 March 2021 delivered his Opinion in Case C-848/19 P Germany v Poland. In his submission, the AG thus advises the Court of Justice to uphold the General Court’s ruling in Case T-883/16 Poland v Commission. Should the CJEU follow the AG’s opinion, this case has the potential to have far-reaching consequences for Union policy on gas imports and the infrastructure that facilitates them, but also for EU energy and climate law and policy more broadly. In this blog post, I explore some of the aspects of the AG’s Opinion that will make the Court’s judgment one to look out for.
1. The General Court Case and the Appeal
Before analysing the AG’s opinion, it is first necessary to give a brief overview of the proceedings before the General Court. Case T-883/16 concerned a dispute about capacity allocation in the OPAL natural gas pipeline. This pipeline connects to the offshore Nord Stream pipeline near Greifswald in North-East Germany and is a principal avenue for the distribution of Russian gas throughout central Europe. In 2016, the European Commission approved a decision by the German network operator that would have allowed Gazprom, a Russian supplier that is majority-owned by the Russian government, to expand its use of the OPAL pipeline’s capacity potentially far beyond the 50% it had been allowed to use so far under third-party access rules. Fearing that such an increase could endanger its security of supply, Poland brought a case before the General Court.
Continue reading
8 April 2021/
By Pietro Manzini
/
Did AstraZeneca fail to fulfil its obligations under the now famous Advanced Purchase Agreement (APA[1]) signed with the European Commission? At least apparently, yes. The APA accurately quantifies the number of doses AstraZeneca had undertaken to deliver to the EU Member States in the first quarter of 2021. Although this figure was blanked out in the version of the contract made public by the Commission, in the declassified text of the APA which is now also available, it appears that that number of doses varies between 80-100 million. However, the exact figure is not particularly relevant, because AstraZeneca itself has explicitly stated that it would not be able to guarantee the doses promised to the Union, with a planned cut of at least 30%. So how can there be any doubt that AstraZeneca is in breach of its commitments to the Commission?
The defendants of the company point out that the contract in question does not simply state that AstraZeneca must deliver 90 million doses by 31 March 2021, but – more precisely – that it must make its ‘best reasonable effort‘ to reach that figure. Since this effort has been made, there is no breach of contract. Sam Bowman, in a post titled ‘Understanding the European Commission’s dispute with AstraZeneca’, explains AstraZeneca’s position as follows. If a company stocks 1,000 units of vaccine and promises 700 to Ursula (von der Leyen) and 600 to Boris (Johnson), the company will not be able to fulfil both contracts. So if the firm chooses to fulfil the contract with Boris, Ursula will understandably be annoyed (and vice versa). But this is not, Bowman argues, AstraZeneca’s contractual situation. At the time the EU and UK entered into supply contracts with AstraZeneca, the latter had no vaccine doses in stock, indeed the vaccine did not exist at all. What AstraZeneca promised both of them was to make its best reasonable effort to get vaccines approved and produced, and to deliver those it could produce. The UK had committed to purchasing the vaccine (at least informally) in spring 2020 and approved its use on 30 December 2020. The Commission signed the contract with AstraZeneca on 27 August 2020 and only granted approval for use on 29 January 2021.
Continue reading
7 April 2021/
By Luka Mišič
Lately, the Slovenian legislator has been taking bold but somewhat ill-considered steps in the field of social law. Even if bound by the ILO Convention No. 158, the Slovenian Parliament introduced a new cause of dismissal by which an employer can one-sidedly – without an existing business or other genuine reason – terminate a contract of employment if the worker fulfils old-age retirement criteria. The Slovenian Constitutional Court has suspended the use of the said amendment until it reaches a substantive decision in the case put forward by the trade unions. Additionally, the Slovenian government is considering to propose an (anti-)social cap on high wages, relieving high earners from contributory obligations beyond a certain amount of personal income from employment, thus reshaping the well-established notion of vertical solidarity within social insurance groups. Finally, at the time of writing this blog post, the amendment to the Slovenian Market Regulation Act (Zakon o urejanju trga dela) has reached the final stages of the legislative procedure. The proposed amendment, which is the focus of this blog post, aims at substantially increasing the maximum amount of unemployment benefits (by almost €1,000) for Slovenian frontier workers at the sole expense of the Member State of last employment. This post will analyse the compatibility of these proposed amendments with EU law.
1. The coordination of unemployment benefits under EU law
It is old news that EU rules on the coordination of unemployment benefits represent a battlefield between the EU’s East and West (Pennings) and that Regulation (EC) No 883/2004 (‘the EU Regulation’) is in need of revision, even after its 2009 Implementing Regulation. The EU Regulation’s rules on unemployment benefits, for example, allow for dubious shifts of competences, impose disproportionate financial burdens on some Member States whilst preserving a complex system of cost reimbursement. The rules also do not necessarily allow all unemployed persons to register primarily with the employment services in what is for them the most favourable job-seeking environment (see, for example, De Cortazar and others). Chapter 6 of the Regulation on unemployment benefits stipulates special provisions concerning the aggregation of periods, calculation of benefits, residence rules, export of benefits, and, importantly, provisions concerning unemployed persons who (permanently, habitually) reside and work in different Member States. Provisions that depart from the Regulation’s general principles applicable to most other kinds of benefits reflect the sensitive nature of unemployment benefits, caught in between job-seeking opportunities and obligations of the unemployed person, and labour market oriented interests of different Member States.
Continue reading
6 April 2021/
By Lena Hornkohl
/
On 25 March 2021, the Court of Justice of the European Union (CJEU) held that an action for annulment against several EU acts relating to greenhouse gas (GHG) emissions is inadmissible due to the lack of individual concern. The so-called People’s Climate Case, was brought by ten families from Europe, Kenia and Fiji and a Swedish association representing the indigenous Sami youth (Sáminuorra), all particularly affected by climate change. In one of the first climate action against European Union legal acts, the CJEU backed the General Court (GC) order of 2019.
Locus standi is the controversial issue in climate actions. In such actions, either individuals peculiarly affected by climate change or environmental interest groups seek the annulment of legislative acts that, in their opinion, are not far-reaching enough and/or complain about the government’s omissions with regard to measures targeting climate change. The barriers for environmental interest groups are typically very high, as standing for such representative actions is rather exceptional. Dutch law is one of the few exceptions as it gives public interest organisations standing if the public interest they seek to protect is affected (Art. 3:305a Dutch Civil Code) – a situation that resulted in the landmark Urgenda climate action.
Individuals also have a hard time. They typically have to demonstrate a direct relationship between the legal act or state omission and their situation. Time and again there is a hypothetical element to the claim: the damaging effects of climate change have often only just begun, and the true effects will only become apparent later – an event that the plaintiffs would like to avoid. At EU level, direct access to the CJEU for individuals against legislative acts of the Union, in general, has been a much-disputed issue. Admissibility is also the hurdle that most climate actions cannot overcome. Article 263(4) TFEU requires direct and individual concern. While the direct concern could also be disputed, individual concern is the decisive factor, also in the present case. In its (in)famous Plaumann decision, the CJEU has set the barriers for individual concern for natural or legal persons very high: the contested act must affect them “by reason of certain attributes that are peculiar to them or by reason of circumstances in which they are differentiated from all other persons, and by virtue of these factors distinguishes them individually just as in the case of the addressee.”
In the present case, the CJEU clarified that the applicants could not rely on a potential fundamental rights infringement to satisfy the Plaumann criteria. The Court was also unwilling to change the Plaumann case law or grant an exception in the specific circumstances at hand.
Continue reading
1. GDPR mimesis as the only regulatory method?
EU regulatory work on technology-related fronts has recently spiked. The EU has been extremely busy implementing its European Digital Strategy. Over a short period it has released a draft Digital Governance Act (DGA), a Digital Services Act (DSA), a Digital Markets Act (DMA), while also working on its proposal for AI Regulation. This recent battery of EU acts to regulate technology has provoked our comment, on this blog, on EU law “act-ification”. Now, instead of focusing on the title of these initiatives, we wish to turn our attention to their content, in order to identify a second phenomenon: GDPR mimesis.
EU personal data protection law applies a well-known scheme by now: Building on a specialized, unique set of terms, a set of basic principles and case-specific rights that are monitored by a specialized public agency. In some more detail, “data subjects” (meaning individuals) and “controllers” and “processors” (meaning those doing the processing) interact through “processing” of common or “sensitive” “personal information” (all terms closely, and uniquely, defined in the personal data protection context). This processing needs to be based on a set of special principles (e.g., fair and lawful processing, data minimization, purpose specification etc.). Special rights (e.g., information, access, rectification) need to be observed. All of these interactions are monitored by Data Protection Authorities, specialized state agencies that are established particularly for this purpose and carry out only this task.
Today, the most prominent representative of this scheme is the EU General Data Protection Regulation (the “GDPR”). While the same system is reproduced also in other basic instruments (such as the Law Enforcement Directive and the Regulation on the processing of EU organisations), it is the GDPR that stands out among them, if not for anything else than simply due to its sheer width and breadth of scope: With the exception of specific areas of personal data processing, the GDPR aims at regulating nothing less than any and all personal data processing in Europe.
Continue reading
