Complete Independence of national Data Protection Supervisory Authorities: About persons, czars and data governance in Belgian debates

There is a beautiful debate about the independence of the national Data Protection Authority (DPA) in Belgium and there is a European dimension to it. While many independent administrative authorities have been created by EU law, the authorities in EU data protection law are special: (1) they are active in enforcing fundamental rights while the others are mostly active in market regulation and (2) their independence is guaranteed by EU primary law since the adoption of the Lisbon Treaty and the Charter.

The European Commission now pursues legal action against Belgium about lack of independence of the Data Protection Authority, but the Belgian government is reluctant to see the problem. While the infringement procedure is steaming up, one of the directors of the Belgian DPA steps up, dissatisfied with attempts to make the DPA more ‘complete independent’. What is happening? What follows is an attempt to clarify a complex multilevel interplay, topped with a sauce of Belgian surrealism. Essential documents, both on the EU side and on the Belgian side, are not public. Hence, the wealth of references to journals by the author. The story unfolds in a surprising way, without a definitive plot. Slow reading with a pleasure for the anecdotical, but a concern for the fundamental is recommended.

EU Digital Constitutionalism, Digital Sovereignty and the Artificial Intelligence Act – A network perspective

Introduction – The Need for a Network Perspective

The European Union’s efforts to regulate various aspects of the digital age have significantly advanced recently, as the Union’s institutions reached notable milestones throughout the month of December. On the 15th of the month, the European Parliament held its plenary vote on the Digital Markets Act (‘DMA’), finalising the position it is going to take in the trialogues due to start in the beginning of 2022. The day before, on the 14th of December, a compromise text of the Digital Services Act (‘DSA’) had been adopted by the Parliament’s Internal Market Committee, paving the way for a plenary vote which is widely expected to take place in January 2022.

These developments came after the Parliament had started the month with a breakthrough on its work on the Artificial Intelligence Act (‘AIA’/‘the proposal’), the Conference of the Committee Presidents deciding to name the Internal Market and the Civil Liberties committees as co-leaders on the file, just a few days after the Slovenian Presidency of the Council published its progress report on the file.

The fact that these files are going through the legislative process in the same time frame is proof of the EU’s understanding of the interplay between different elements of the digital age. Indeed, one of the defining characteristics of the digital era is increased connectivity. In addition to bringing people closer together, connectivity also refers to the overlaps and interactions between different technologies, from algorithms shaping the functioning of social media platforms to machine learning systems being used to process the large amounts of data internet users produce every day. Consequently, to properly understand the functioning of a specific technology, one also has to understand its interactions with other technologies and consider it as part of a network rather than in isolation.

Similarly, the general challenges that emerge as the digital revolution unfolds also require a holistic perspective and an understanding of all the elements at play and the connections between them – in other words – an understanding of the network they are part of. The purpose of this piece is to take such a holistic (‘network’) approach to the AIA proposal. The post will particularly consider this proposal in light of two central doctrines: EU digital sovereignty and EU digital constitutionalism. Having analysed the role of each and the relation between these two doctrines, the post will argue that the AIA proposal can be interpreted as an expression of both doctrines.

The Cross-Border Recognition of the Parent-Child Relationship in Rainbow Families under EU Law: A Critical View of the ECJ’s V.M.A. ruling

Introduction

In its much-awaited ruling in Case C-490/20 V.M.A. v. Stolichna obshtina, rayon ‘Pancharevo’ (the ‘VMA’ case), the ECJ held that EU Member States are required to recognise – for the purposes of EU free movement law – the familial ties established in another EU Member State between a child and her parents who are a same-sex couple. With this judgment, the Court has entered uncharted territory: although the Court has previously already seen cases involving same-sex couples before it (e.g. Coman, Maruko, Römer, Hay and Parris), this is the first time that it has been asked to rule in a case involving the controversial question of parenting by same-sex couples. As Advocate General Kokott noted in her Opinion in V.M.A. (para 4), what is at issue in this case ‘is a very sensitive matter, given the exclusive competence of the Member States in the area of nationality and family law and the considerable differences that exist, to date, within the European Union in respect of the legal status of and the rights conferred on same-sex couples’. For this reason, and even though gaps and uncertainties persist, the Court’s ruling can be hailed as a success, and a positive first step towards the full recognition of rainbow families in Europe.

Opinion 1/19: no common accord among the Member States required for the Council to conclude a mixed agreement

On 6 October 2021, the Court of Justice of the EU handed down Opinion 1/19 on the conclusion, on behalf of the EU, of the Council of Europe Convention on preventing and combating violence against women and domestic violence (‘the Istanbul Convention’). In its request for an opinion, the European Parliament had asked the Court three questions: one on the choice of legal basis; another on whether and, if yes, under what conditions, the Council may or even has to split a Council decision to conclude an international agreement into several separate decisions; and a third question on whether it is permissible for the Council to wait for a common accord among the Member States to crystallize before adopting the Council decision to conclude the agreement on behalf of the EU.

Opinion 1/19 has already been commented upon: Merijn Chamon has published a blog post summarizing the lengthy Opinion and providing a preliminary analysis of the Court’s answer to all three of the questions, and Gesa Kübek has published a post that focused on the third question. In this blog post, I offer my own perspective on the Court’s reply to the third question – a reply which I believe has broader implications for the vertical relationship between the EU and its Member States in the context of mixed external action.

The New Rule of Law Conditionality Mechanism clears its first hurdle – Analysis of AG Campos Sánchez-Bordona Opinions in Hungary v Parliament and Council (C-156/21) and Poland v Parliament and Council (C-157/21)

On 2 December 2021, Advocate General Manuel Campos Sánchez-Bordona delivered his Opinions on the actions of annulment brought by Hungary (see here) and Poland (see here) against the new Rule of Law Conditionality Regulation (Regulation (EU, Euratom) 2020/2092). Few cases in front of the European Court of Justice (ECJ) have garnered as much attention in recent months as these two. Already the hearings in front of the Grand Chamber on 11 and 12 October 2021, where the Polish and Hungarian agents were cornered by critical questions from the Judges and a phalanx of vociferous rule of law defenders from the EU institutions and 11 Member States, drew far more media coverage than usual.

With the escalating rule of law crisis in Europe as a constant backdrop, these cases and the ‘success’ of the new conditionality mechanism have been cast as a defining moment for the European project as a whole

Exploring the Awkward Secret of Data Transfer Regulation: the EDPB Guidelines on Article 3 and Chapter V GDPR

If an awkward secret is something that is known but not discussed because it is too difficult or embarrassing, then the interplay of territorial scope and data transfer rules in data protection law certainly fits this description. 

For over 20 years since the enactment of the EU Data Protection Directive 95/46 and subsequent adoption of the EU General Data Protection Regulation 2016/679 (GDPR), confusion has reigned about the relationship between rules delimiting the territorial scope of the law and its application to data processing by parties established outside the EU (currently governed by Article 3(2) GDPR), and those dealing with transfers of EU data to non-EU parties (currently governed by Chapter V). The Court of Justice of the EU (CJEU) has never opined on this topic, even when the opportunity to do so was present. For instance, in its judgment in Case C-210/16 Wirtschaftsakademie the Court did not deal with it, despite the fact that the Opinion of Advocate General Bot established that both online monitoring of EU individuals via cookies and international data transfers were being carried out (see paras. 50 and 81 of his Opinion).

On 18 November 2021 the European Data Protection Board or EDPB (the body established under the GDPR comprised of DPAs from Member States and the European Data Protection Supervisor (EDPS)) adopted its Guidelines 05/2021 (the Guidelines), which mark the first time the DPAs have opined on the interplay between territorial scope and data transfer rules. The topic is of significant importance, since the coherence and consistency of EU data protection law require clarity about the interaction of the two sets of rules governing its extension outside EU borders. From a practical point of view, their interaction helps determine the GDPR’s effectiveness in providing protection for cross-border activities such as data processing by social media, data transfers by international companies, and international data sharing by public authorities. The Guidelines deal with issues that are important for individuals who want to know how their data are protected internationally; data controllers and processors that must implement protections for international data processing; and DPAs that enforce the law regarding data transferred to and/or processed by parties in third countries.

The Guidelines raise a number of complex legal issues that cannot be dealt with in detail here; for more extensive discussion, I refer readers to my recent Research Paper on this subject. All I can do within the limits of a blog post is to make a few observations about the Guidelines, and draw some conclusions about their implications. Svetlana Yakovleva has also published on this blog an insightful analysis of some of the EU and international trade law issues raised by the Guidelines.

GDPR Transfer Rules vs Rules on Territorial Scope: A Critical Reflection on Recent EDPB Guidelines from both EU and International Trade Law Perspectives

Just last year EU rules governing cross-border data flows made headlines after the European Court of Justice’s (CJEU) judgement in Schrems II (analysed here, here, here, and here in the blog). In that judgement, the CJEU invalidated for the second time the mechanism for personal data transfers from the EU to the United States (this time the EU-US Privacy Shield) because it failed to meet the ‘essential equivalence’ standard previously developed by the CJEU in Schrems I (analysed here in the blog). The court clarified that the same standard applies to all other mechanisms for transferring personal data, including widely used Standard Contractual Clauses (SCC). In practice, this translates into an obligation on data exporters to conduct an assessment of whether the legal system of the country of destination of the data meets that standard and, if not, to either refrain from transfers altogether or adopt so-called ‘supplementary measures’ (analysed here and here in the blog). As readers no doubt know, EU restrictions on transfers of personal data outside the EEA have been contentious in digital trade negotiations in the past years, including the most recent one with the United Kingdom

As transfer mechanisms, strengthened by the CJEU, have become harder to comply with, it is now crucial to determine the scope of the transfer rules. This is a two-fold inquiry. First, what is a ‘transfer’ that triggers the application of the transfer rules in Chapter V of the General Data Protection Regulation (GDPR)? This notion is not defined in the GDPR, despite calls for this definition from the European Data Protection Supervisor (EDPS) and the European Economic and Social Committee. Second, how do the rules on transfers in Chapter V interact with the GDPR’s territorial scope, which extends to data controllers and processors outside the EU (Article 3 GDPR)? In particular, given that the primary goal of the transfer rules is to prevent circumvention of the GDPR, is the application of transfer mechanisms necessary when a foreign data controller or processor falls under the scope of the GDPR?

Both of the above issues were addressed in much-awaited EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (the ‘Guidelines’), that were just published for public consultation. Below I evaluate the Guidelines critically from both an EU data protection and an international trade law perspective. First, however, a short summary of the main points of the Guidelines is in order.

SN and SD – The judicial endorsement of the EU’s exclusive competence in negotiating and concluding the EU-UK Withdrawal Agreement

On 16 November 2021, the Court of Justice delivered its ruling in Case C‑479/21 PPU, SN and SD v Governor of Cloverhill Prison and Others. The Court held that the provisions of the EU-UK Withdrawal Agreement (WA) on the European Arrest Warrant (EAW) and the provision of the Trade and Cooperation Agreement (TCA) on the newly established surrender regime are binding upon Ireland. Arguably, this conclusion looks fairly obvious at first glance. Indeed, pursuant to Article 216(2) TFEU, international agreements concluded by the EU are binding on the Member States. Ireland being one of them is bound by such agreements.

So why did this question arise in the first place or, maybe more provocatively, did the Court not have to assess the obvious here? The reason for this preliminary reference is Protocol 21 attached to the Treaties. The Protocol provides for the non-participation of Ireland (and previously also of the UK) in the adoption of the measures pursuant to Title V Part Three of the TFEU (Area of Freedom, Security and Justice – AFSJ), with the possibility to opt in. Since the EAW forms part of the AFSJ, the question arose whether the provisions of the Withdrawal Agreement and the TCA fell within Ireland’s opt-out under Protocol 21. If the provisions did in fact fall within the scope of the Protocol, they would not apply to Ireland. The application of the Protocol depends on whether Article 82(1) TFEU should have been included as a substantive legal basis of the two agreements between the EU and the UK. The Court seized this opportunity as a follow-up to the Wightman case to provide some additional clarifications on the EU’s competence to conclude the Withdrawal Agreement. Whilst the reasoning of the Court is convincing, this blog post presents some further arguments that were neglected by the Court in its judgment.
