Case C-911/19: the CJEU rules on EBA’s Soft Guidelines

Blogpost 52/2022

On 15th July 2021, the Court of Justice (CJEU) delivered its judgment in Grand Chamber case FBF / ACPR, dealing with the impact of soft law within the EU legal order once again. Especially in the aftermath of the 2008 financial crisis, EU institutions and agencies strongly relied on soft instruments, whose nature and effects have been assessed by the CJEU on different occasions (on this point, see Alberti). Moreover, this approach has been consolidated over time and still constitutes a reality for the EU financial governance. Indeed, the dispute at stake concerned a series of preliminary questions on the Guidelines of the European Banking Authority (EBA) on product oversight and governance arrangements for retail banking products.

The use of soft law within the Union is often linked to two peculiar situations. On the one hand, non-binding instruments are frequently used to overcome competence questions or to circumvent the difficulty of finding political consensus on the adoption of binding rules. On the other hand, soft law is largely preferred in times of crisis, since it is fast, flexible, and easy to enact. The financial sector, furthermore, has always preferred soft forms of regulation, which easily adapt to the speed of change of market conditions.

New limitations on GDPR enforcement? Advocate General’s Opinion in UI v Österreichische Post

Blogpost 51/2022

I. Introduction

Should you receive compensation for the harm caused by illegal data use? This question may soon have an answer. The Austrian Supreme Court asked the Court of Justice of the European Union (ECJ) how the right to compensation for non-material damages in the GDPR should be interpreted. Other courts have referred comparable questions to the ECJ.

On October 6th 2022 the Advocate General (AG) Campos Sánchez-Bordona delivered his Opinion regarding the Case C-300/21. This blog post aims at providing a short analysis of the AG Opinion. It is argued that the proposed threshold for compensation is not in line with the GDPR and that objective criteria should guide compensation for non-material damages.

II. What is at stake?

Since 2018 the General Data Protection Regulation (GDPR) has provided a uniform regulation for data protection in the EU and EEA. It grants rights to individuals and imposes obligations upon data controllers and data processors in order to safeguard the fundamental right to data protection.

Stronger enforcement was one of the main promises of the GDPR. It includes, generally speaking, two enforcement mechanisms. First, the data protection authorities: Individuals (called data subjects in the GDPR) can lodge a complaint with an authority that should then be handled and addressed accordingly. The authority can also act on their own initiative. The second mechanism is litigation. Data subjects may bring a claim directly against a controller or processor in court.

Certain claims are to be brought in court only. This is the case when an individual is claiming compensation for damages they suffered because provisions of the GDPR were infringed.

Damages in the GDPR are divided into two categories: material and non-material. A material damage could be the loss of income, whereas a non-material damage could be the emotional harm when your data was misused. Non-material damage is typically hard to quantify, as it is not related to assets or wealth (p. 38-39).

The ECJ has now been asked what qualifies as a non-material damage. Given the broad scope of applicability of the GDPR and the common infringement of its provisions, the issue at stake is particularly relevant as it shapes an important part of the redress mechanisms for data subjects.


EU 2.0 Revisited: Between Vetocracy and Rule of Law Concerns

Blogpost 50/2022

On 14 September 2022, the European Parliament declared that Hungary can no longer be considered a full democracy. The adoption of this position was followed by the Commission’s proposal for a Council implementing decision that, if adopted, would trigger the measures envisaged in the Conditionality Regulation concerning the suspension of certain EU budgetary commitments towards Hungary.

While EU institutions keep looking to the EU Treaties for effective tools to address the rule of law crisis, Hungary and Poland exploit those very same Treaties to exercise their ‘vetocracy’ on multiple matters. In a nutshell, they rely on their veto power to block EU decision-making in a number of procedures which require unanimity. The EU then becomes a hostage of its own constitution and the unanimity requirements included therein. Remarkably, the outcome of the Conference on the Future of Europe offers quite an overview of how delicate this moment is for the fate of EU decision-making. The implementation of more than 10% of the 178 recommendations coming from the Citizens’ Panels would require Treaty change. This has resulted in the European Parliament’s urgent call for ‘reforming voting procedures in the Council to enhance the European Union’s capacity to act, including switching from unanimity to qualified majority voting’.

Nothing new in the west? The executive order on US surveillance activities and the GDPR

Blogpost 49/2022

All involved in data protection law are well acquainted with the constant anxiety arising in the context of international data transfers since the Schrems decisions of the ECJ. Long story short: According to Art. 44-49 GDPR there has to be a legal basis for transferring personal data from the European Union to third countries. The ambitious goal is to ensure compliance with the protection standards of the GDPR in the global world of data transfers even outside the Union. A very important line of data transfer is the one from the EU towards the US and the provisions are necessary to protect the right to data protection of European citizens in a globalized data-driven world. The GDPR requires the third country transfers either to occur on the basis of an adequacy decision by the Commission (Art. 45) or the transfer to be subject to appropriate safeguards (Art. 46). Additionally, Art. 49 GDPR states subsequent derogations for specific situations. Adequacy decisions refer to an assessment of the legal system of the third country while the appropriate safeguards rely on the individual protections the transferring party implements.

I will briefly summarise the main emphasis of the executive order by President Biden on enhancing safeguards for US signals intelligence activities and explain possible implications for transnational data transfers and the GDPR, followed by an analysis of the intersection of legal and political arguments and a short outlook.

The Proposed EU AI Liability Rules: Ease or Burden?

Blogpost 48/2022

“How should anyone be held liable for a harm caused by Artificial Intelligence (AI) systems?” is an oft-raised concern around the use of AI systems. After proposing a regulation for AI systems in 2021, the European Commission has now addressed this critical issue of liability. Regulating AI liability is not an easy task, and the recent legislative efforts of the Commission make this even clearer. Ensuring that AI systems are safe to use is crucial for law makers. On the basis of two proposed directives, the Commission aims to protect victims of AI harm by setting some rules for imposing liability. It is thus imperative to examine to what extent these rules address the concern of liability and make it easier for injured parties to receive damages for the harm incurred.

Member States Hold all the Necessary Bargaining Power to Decide the Future of the Energy Charter Treaty, Not the European Union

By Christina Eckes and Laurens Ankersmit

Blogpost 47/2022 (PDF)

In the past weeks, several Member States pursued withdrawal from the Energy Charter Treaty (ECT), a multilateral investment treaty to which both the EU and the Member States are party. Some Member States, however, are hesitating because they fear that withdrawal without the EU may have little practical effect for the controversial investor-state-dispute settlement (ISDS) mechanism. We argue that these doubts are not legally justified. As a matter of EU law, the EU cannot hold Member States that have withdrawn liable under EU law as this would go against the internal division of competences. What is more, the EU’s own membership and ability to amend the ECT is legally in doubt as it lacks the necessary competence to assume responsibility for the entirety of the agreement under EU law.

T-384/20 OC v European Commission: The General Court Falls out of Line on Personal Data

Blogpost 46/2022 (PDF)

On 4 May 2022, the General Court shielded OLAF (European Anti-Fraud Office) from liability for the infringement of data protection rules, at the cost of departing from ECJ case law and widely accepted legal principles in EU data protection law. This decision was legally flawed (as we argue below) and indeed has already been appealed before the ECJ at the time of writing. Had the General Court arrived at the correct judgment – that is, that the press release by OLAF did contain personal data under Article 3(1) of Regulation 2018/1725 (on the processing of personal data by the Union institutions, bodies, offices, and agencies) – it would have been forced to answer also the question of damages and scope under the GDPR (General Data Protection Regulation). OC v Commission, therefore, missed its chance to be a landmark judgment. Currently, however, the judgment places the General Court on opposing paths with the ECJ, creating uncertainty, causing fragmentation in practice, and undermining the EU’s efforts to harmonise data protection law.

Jurisdiction in CFSP Matters – Conquering the Gallic Village One Case at a Time?

Blogpost 45/2022 (PDF)

The year is 2022. In a Union based on the rule of law, the entire body of EU legal acts is subject to the review of their conformity with the Treaties as the Union’s basic constitutional charter. Well, not entirely! One small Gallic village called the Common Foreign and Security Policy (CFSP) still holds out against the promise of a complete system of legal remedies and procedures – even after the collapse of the pillar structure more than 12 years ago. And life is not easy for claimants, national courts and EU scholars alike who garrison the Court’s fortified barriers of jurisdiction in search of clarity, coherence and justice. However, two cases currently pending before the ECJ might eventually mark the end of the seemingly indomitable village.