European Cybersecurity Regulation Takes a Sovereign Turn

Blogpost 35/2022

Over the past year, the European Union’s ambitious digital regulatory agenda has steadily advanced. The EU adopted the far-reaching Digital Markets and Digital Services Acts, and it is completing negotiations with the United States on a revised data transfer regime, christened the Transatlantic Data Privacy Framework (TADPF), that was necessitated by the Schrems II judgment of the Court of Justice of the European Union (CJEU). These developments have had a significant impact on transatlantic economic relations, even stimulating legislative initiatives on privacy and antitrust in the United States. One might think that resolving such contentious topics would set the stage for a quieter, more harmonious phase in the transatlantic technology policy relationship.

As EU regulatory activity resumes this fall, a lesser-known initiative – creating an EU-wide certification framework for ICT products and services (EUCS) – could cause renewed disturbance between Brussels and Washington, however. Under the EUCS proposal being developed by the EU’s cybersecurity agency ENISA, cloud service providers would be compelled to localize their operations and infrastructure within the EU and to demonstrate their ‘immunity’ from foreign law.

Europe’s concerns about the security of U.S. cloud services providers are in fact closely intertwined with its worries, expressed in Schrems II, about the privacy of Europeans’ information entrusted to these companies. In both cases, European policymakers fear the perceived extraterritorial reach of U.S. national security surveillance and law enforcement authorities. New cybersecurity regulation thus is seen as another way to safeguard Europe’s ‘sovereign’ interest in protecting data from foreign government access.  It also would reinforce separate European efforts to bolster smaller, home-grown cloud service providers, including through the GAIA-X project to create an interoperable network “explicitly based on principles of ‘sovereignty-by-design,’” as a leading European technology lawyer has characterized it.

Continue reading

Ex-ante measures regarding data transfers and ex-post enforcement of rights

On the 25th of March 2022, it was announced that the European Union (“EU”) and the United States (“U.S.”) had reached an agreement in principle on a new framework for “transfers” of personal data from legal entities in the EU Member States to controllers or processors in the U.S. Whereas the two previous adequacy decisions regarding federal U.S. data protection law were based on the revoked Data Protection Directive (“DPD”) the new implementing act will be adopted in accordance with Article 45 of the General Data Protection Regulation (“GDPR”). Although the DPD approximated the legal systems in the EU Member States regarding data protection, and the GDPR applies directly as law across the Union, the comitology procedure referred to in Article 93 GDPR remains the same as it was under the DPD. Hence, in parity with the first decision regarding U.S. data protection law (“the Safe Harbour decision”) and the second decision on the matter (“the Privacy Shield decision”), the new agreement concluded by the Commission needs to be approved by a committee consisting of representatives of the Member States and the European Data Protection Board (“EDPB”).

Continue reading

Opinion 1/20 and the modernisation effort of the Energy Charter Treaty

On 16 June the Court found Belgium’s request for an Opinion pursuant Article 218 (11) TFEU on the compatibility of Article 26 of the ‘modernised’ Energy Charter Treaty (ECT) inadmissible on grounds that it did not have ‘sufficient information’ on its envisaged provisions. Article 26 is the provision that allows foreign investors to have recourse to investor-state dispute settlement (ISDS) when their investments are negatively affected by government action in breach of the substantive provisions of the ECT. While the modernisation process did not foresee any changes to Article 26 ECT and at the time of the opinion there was no public information available that parties may do so, the Court speculated that the parties may change their positions and that it therefore did not have ‘sufficient information’. No less than 12 days later, an agreement in principle was reached by the contracting parties of the ECT to amend the ECT that inter alia introduced a so-called disconnection clause (a clause that would make part of the ECT inapplicable between EU Member States). This post will offer commentary on the Court’s interpretation of the Opinion procedure (Article 218 (11) TFEU) in the wake of ongoing negotiations to ‘modernise’ the ECT and offer some thoughts on the outcome of the negotiations themselves from the perspective of climate change mitigation efforts. It will start with a brief introduction to why Belgium requested this Opinion, outline the rationale of the Opinion procedure, and subsequently discuss the ruling of the Court. It will end with a brief discussion with the current efforts to ‘modernise’ the ECT and its relationship with efforts to mitigate climate change.  Continue reading

Convenient, but controversial: Why the European Defence Fund should not be expanded as the Commission becomes ‘geopolitical’

In the wake of the Russian military invasion of Ukraine, the European Council called for the EU to play a larger role in coordinating Member States’ military and defence policies. This call falls within a period in which the Commission is actively striving to become, in the words of President von der Leyen, ‘a geopolitical Commission’. Arguably the most significant development in this regard has been the launch of the European Defence Fund (EDF) in 2021. Logically, since it is already up and running, the EDF is viewed as a policy instrument which could potentially facilitate a further expansion of the EU’s role in directing defence policy, and a practical mechanism for dealing with inflated defence budgets. Most prominently, the Commission itself suggested in May this year that it will ‘consider strengthening [the EDF’s] budget.’ This blogpost argues that the specific features of the Fund, which are the result of a rather controversial history, make the EDF unsuitable for further expansion, and raises more fundamental questions about the Commission’s ability to function in the area of defence without being overly reliant on the European arms industry.Continue reading

States as platforms under new EU (online platforms’) law

The recent political agreement on the Digital Services Act (the “DSA”) means that, once officially released, it will formally introduce into EU law the term “online platforms”: These (according to the Commission’s original proposal, at least) are meant to be “a provider of a hosting service which, at the request of a recipient of the service, stores and disseminates to the public information” (art. 2, point (h) of the DSA), whereby a hosting service, in turn, “consists of the storage of information provided by, and at the request of, a recipient of the service” (point f). Therefore, between the DSA and the Digital Markets Act (the “DMA”), that has also been recently finalised, a comprehensive framework for the regulation of online platforms is introduced in EU law, the first of its kind both in Europe and internationally.

What if, however, this framework was applied to states themselves? What if states fell within the definition of an online platform within this context?

1.   What is an online platform (in EU law)?

Platforms is a term that only recently entered forcefully not only the EU legislator’s but also general vocabulary: indicatively, Google trends indicate that interest was fairly low from 2004 until 2014 but has spiked since.

There is some repetition in the Commission’s definition: as seen, a “hosting service” is already defined in point (f), there is therefore no need to repeat “which, at the request of a recipient of the service, stores“. Accordingly, the “recipient of a service” is “any natural or legal person who uses the relevant intermediary service” (point (b). Consequently, leaving aside the part of the definition of an explanatory nature (“unless that activity is a minor and purely ancillary feature of another service and, for objective and technical reasons cannot be used without that other service, and the integration of the feature into the other service is not a means to circumvent the applicability of this Regulation”), the definition should read: online platforms store and disseminate to the public information at the request of their users. The digital, online environment is implied.

Continue reading

Clarifying the Court’s judgment in Préfet du Gers on UK nationals’ voting rights in local elections in the EU post-Brexit

On 9 June 2022, the Court of Justice delivered another Brexit-related ruling in Case C-673/20 Préfet du Gers and Institut national de la statistique et des études économiques concerning the EU-UK Withdrawal Agreement. The Agreement covers in particular the residence and social rights of the UK nationals resident in the EU and EU citizens resident in the UK. However, Brexit also affected the wider scope of EU citizenship rights, e.g. the voting rights of the UK nationals residing in the EU and vice-versa. The Court had to address the question whether these rights are protected by the Withdrawal Agreement, and if not, what is the impact on its validity. The Court found that following the loss of EU citizenship the UK nationals have lost their voting rights in local elections, and these are not protected by the Withdrawal Agreement. However, the judgment provoked various alarming media reactions that do not reflect reality and should be clarified.

Facts of the case

A British national, EP, resident in France since 1984, was removed from the municipal electoral roll. She challenged this removal before the referring French court, claiming that she was deprived of her active and passive voting rights in local elections in both the UK and France. Whilst the loss of the voting rights in the UK elections was the result of the domestic legislation preventing the UK nationals living for fifteen years abroad from exercising them, the removal from the French electoral roll was based on UK Withdrawal from the EU and the loss of EU citizenship. The French court, in essence, referred the following questions to the Court of Justice:

  1. Have UK nationals, who were settled in the EU before the end of the transition period, lost their EU citizenship status and the rights stemmed therefrom, or do they retain such rights based on the Withdrawal Agreement?
  2. If such UK nationals are not able to retain their EU citizenship rights based on the EU-UK Withdrawal Agreement, does the Agreement infringe Articles 18, 20, and 21 TFEU and 39 and 40 of the Charter of Fundamental Rights, and further the principle of proportionality?

Continue reading

The (dual) primary mandate of the European Central Bank: between inflation and eurozone survival

Introduction

Inflation is affecting the whole world and the European Union (EU) is no exception. Following the lead of the Bank of England and the US Federal Reserve, the European Central Bank (ECB) recently decided  to address this issue. However, as I will endeavour to explain, the decision seems contradictory in its terms since it has prompted a change in monetary policy in order to tackle inflation while also committing to continue purchasing of governmental bonds of some Member States, which arguably fosters inflation.

This contradiction highlights the vertical nature of the monetary union, in that the central bank’s policy-making seems very much tailored to its Member States on an individual basis, instead of focusing on eurozone-wide indicators. This state of affairs is difficult, if not impossible, to reconcile with the EU Treaties in their current form. Moreover, it can also put into question the effectiveness of the EU economic governance framework developed since the sovereign debt crisis.

Relevant facts

In the press release following the Governing Council’s meeting of 9 June 2022, the ECB stated that, in May, inflation again rose significantly, to an annual rate of 6.8%, mainly because of surging energy and food prices, including the impact of Russian invasion of Ukraine.

Nevertheless, the ECB acknowledges that ‘inflation pressures have broadened and intensified, with prices for many goods and services increasing strongly’, which is projected to ‘remain undesirably elevated for some time’. These pressures are expected to subside in a context of future moderating energy costs, easing of supply chain disruptions and normalisation of monetary policy, which entails gradually ceasing quantitative easing.

Continue reading

The Data Act or the final piece to create a comprehensive legal framework for international transfers of data

With the Data Act proposal the European Commission introduces new rules to govern international transfers of and access to non-personal data protected by IP and trade secrets held by cloud services providers, upon request by non-EU/EEA governments (Article 27). Following the Data Governance Act (Articles 5 and 30)*, this constitutes the final piece to elaborate a comprehensive legal framework for international transfers of data, which builds on the GDPR rules (Chapter V). Against this background, this post aims to present the future EU regulatory landscape in relation to international transfers of data. While it exposes the rationale behind these new rules, it also points out potential legal interoperability issues.  Continue reading

X