Stepping out of the modernized Energy Charter Treaty – the best way forward?

Blogpost 40/2022

On 24 August 2022, Italy was ordered by an international arbitral tribunal established under the Energy Charter Treaty (ECT) to pay EUR 240 million to the English gas and oil company, Rockhopper. The reason for awarding damages to Rockhopper was Italy’s decision to prohibit further drilling for oil and gas within the range of 12 nautical miles of its coast. The ECT to which 53 parties are signatories – including the EU and its Member States, except Italy – has become a weapon in the hands of fossil companies that seriously hampers fighting the climate crisis. The EU and its Member States should withdraw from this toxic treaty as soon as possible.

The ECT was signed in 1994 and entered into force in 1998. It aimed to incentivise and protect Foreign Direct Investments (FDIs) in the energy sector, in particular from Western European countries into fossil rich countries in the East. In many respects, the ECT is an unusual and anachronistic investment treaty that would not meet current standards of protecting the right to regulate, in particular in order to meet other legal obligations, including obligations to reduce emissions.

Continue reading

On synthetic data: a brief introduction for data protection law dummies

Blogpost 39/2022 1

by César Augusto Fontanillo López and Abdullah Elbi

Synthetic data is attracting increasing attention from technicians and legal scholars in recent years. This is especially noticeable among entities and people working on data-driven technologies, particularly in the artificial intelligence application development and testing sector, where sheer volumes of data are needed. In these circles, synthetic data has become a growing trend under the “fake it till you make it” concept by promising to alleviate existing data access and analytics challenges while respecting data protection rules. Given the rising prospects and acceptance of data synthesis, there is a need to assess the legal implications of its generation and use, the starting point being the legal qualification of synthetic data.

Synthetic data is a broad concept encompassing both personally and non-personally identifiable information. This blog entry focuses, notwithstanding, on the intersection between synthetic data and personal data. The reasons for so doing are that generating synthetic data by means of personal data (including hybrid data) provides a more straightforward assessment and is more suitable for the introductory purposes of this blog entry. At the same time, given the lively academic debate on the concept of personal data, we recognise as particularly relevant to this topic the issues surrounding the qualification as personal data of existing models and background knowledge used as sources for data synthesis. These issues will, however, not be dealt with in this entry.

Continue reading

Comment to Case C-184/20 and the perils of a broad interpretation of Art. 9 GDPR

Blogpost 38/2022

On 1 August 2022, in Case C-184/20, by responding to a referral procedure brought by the Regional Administrative Court of Vilnius, Lithuania, the Court of Justice (hereinafter Court) addressed two prominent issues of data protection law, namely the balancing of transparency obligations with data protection rights, as well as the extent of protection of – potentially – sensitive data.

This judgement has attracted plenty of interest from the data protection community, and generated speculations regarding the consequences of this case. In this blog post, it will be argued that although transparency obligations, conceived to fight against corruption, can conflict with the rights of privacy and data protection, the key for solving this conflict lies in a sophisticated and complex proportionality test, that keeps into account all the specific legal and factual elements of the case.

Moreover, in the second part of this blog, it will be shown, contrarily to what stated in several hot takes to this judgement, how this ruling, in the part concerning the interpretation of personal data that can be intended to reveal sensitive data, does not provide sufficient clarity for determining what data can be considered potentially sensitive.

Continue reading

The public role of private actors: Internet service providers in the E-Evidence proposal

Blogpost 37/2022

The European Commission proposed on 17 April 2018 the “E-Evidence” legislative package (E-Evidence) to overcome the widely discussed issues relating to the traditional instruments for cross-border gathering of electronic evidence (K. Ligeti, G. Robinson; S. Tosza 2020). The main innovation of this proposal consist in allowing law enforcement in one member state to directly compel service providers in another member state to produce or preserve data (for a comprehensive analysis of the proposed package, see V. Franssen in this blog). Already now Internet service providers (ISPs) play a key role of gatekeepers to the data they have, especially in the context of voluntary cooperation. Because of limited possibilities for enforcement, the often transnational context of data gathering and economic power of major ISPs, they are the ones to decide whether to provide data to authorities or not (I develop this argument in details here). While the final text of the EPO Regulation is still being negotiated, in this post I argue that the proposal for the E-Evidence regulation (in all its available versions) does not solve the problem of such “privatisation” of enforcement in the context of e-evidence gathering (V. Mitsilegas) and explain why this is worrisome.

Continue reading

Directives, direct concern, and direct access to the CJEU: Case C-348/20 P Nord Stream 2 v Parliament and Council

Blogpost 36/2022

The limited direct access of individuals to the CJEU is, and has been, the cause for much debate in EU law. However, in the recent Nord Stream 2 judgment, the Court of Justice confirmed that it is not quite as limited as the General Court had laid it out to be in its 2020 order. Generally, for private persons – natural or legal – to be able to challenge an EU legislative act before the CJEU under Article 263(4) TFEU, they must show that, despite not being explicitly addressed by the act, they are nevertheless directly and individually concerned. Since the notorious Plaumann judgment, the “individual concern” condition has been the focus of the debate. In Nord Stream 2, however, the “direct concern” condition is at issue. According to CJEU case law, two criteria must be met to show direct concern: (1) the EU act directly affects the individual’s legal situation and (2) the addressees of the act have no discretion in implementing it (see e.g., C-404/96 P Glencore Grain, para 41).

In the present case, the General Court argued that, before transposition into national law, a directive cannot in itself impose obligations on individuals and therefore cannot directly affect their legal situation (para 107). It concluded that the applicant could not demonstrate to be directly concerned by a directive (para 116). These findings have now been reversed by the Court of Justice, confirming that directives may indeed directly concern individuals under certain circumstances and thus continue to be challenged under Article 263(4) TFEU.Continue reading

European Cybersecurity Regulation Takes a Sovereign Turn

Blogpost 35/2022

Over the past year, the European Union’s ambitious digital regulatory agenda has steadily advanced. The EU adopted the far-reaching Digital Markets and Digital Services Acts, and it is completing negotiations with the United States on a revised data transfer regime, christened the Transatlantic Data Privacy Framework (TADPF), that was necessitated by the Schrems II judgment of the Court of Justice of the European Union (CJEU). These developments have had a significant impact on transatlantic economic relations, even stimulating legislative initiatives on privacy and antitrust in the United States. One might think that resolving such contentious topics would set the stage for a quieter, more harmonious phase in the transatlantic technology policy relationship.

As EU regulatory activity resumes this fall, a lesser-known initiative – creating an EU-wide certification framework for ICT products and services (EUCS) – could cause renewed disturbance between Brussels and Washington, however. Under the EUCS proposal being developed by the EU’s cybersecurity agency ENISA, cloud service providers would be compelled to localize their operations and infrastructure within the EU and to demonstrate their ‘immunity’ from foreign law.

Europe’s concerns about the security of U.S. cloud services providers are in fact closely intertwined with its worries, expressed in Schrems II, about the privacy of Europeans’ information entrusted to these companies. In both cases, European policymakers fear the perceived extraterritorial reach of U.S. national security surveillance and law enforcement authorities. New cybersecurity regulation thus is seen as another way to safeguard Europe’s ‘sovereign’ interest in protecting data from foreign government access.  It also would reinforce separate European efforts to bolster smaller, home-grown cloud service providers, including through the GAIA-X project to create an interoperable network “explicitly based on principles of ‘sovereignty-by-design,’” as a leading European technology lawyer has characterized it.

Continue reading

Ex-ante measures regarding data transfers and ex-post enforcement of rights

On the 25th of March 2022, it was announced that the European Union (“EU”) and the United States (“U.S.”) had reached an agreement in principle on a new framework for “transfers” of personal data from legal entities in the EU Member States to controllers or processors in the U.S. Whereas the two previous adequacy decisions regarding federal U.S. data protection law were based on the revoked Data Protection Directive (“DPD”) the new implementing act will be adopted in accordance with Article 45 of the General Data Protection Regulation (“GDPR”). Although the DPD approximated the legal systems in the EU Member States regarding data protection, and the GDPR applies directly as law across the Union, the comitology procedure referred to in Article 93 GDPR remains the same as it was under the DPD. Hence, in parity with the first decision regarding U.S. data protection law (“the Safe Harbour decision”) and the second decision on the matter (“the Privacy Shield decision”), the new agreement concluded by the Commission needs to be approved by a committee consisting of representatives of the Member States and the European Data Protection Board (“EDPB”).

Continue reading

Opinion 1/20 and the modernisation effort of the Energy Charter Treaty

On 16 June the Court found Belgium’s request for an Opinion pursuant Article 218 (11) TFEU on the compatibility of Article 26 of the ‘modernised’ Energy Charter Treaty (ECT) inadmissible on grounds that it did not have ‘sufficient information’ on its envisaged provisions. Article 26 is the provision that allows foreign investors to have recourse to investor-state dispute settlement (ISDS) when their investments are negatively affected by government action in breach of the substantive provisions of the ECT. While the modernisation process did not foresee any changes to Article 26 ECT and at the time of the opinion there was no public information available that parties may do so, the Court speculated that the parties may change their positions and that it therefore did not have ‘sufficient information’. No less than 12 days later, an agreement in principle was reached by the contracting parties of the ECT to amend the ECT that inter alia introduced a so-called disconnection clause (a clause that would make part of the ECT inapplicable between EU Member States). This post will offer commentary on the Court’s interpretation of the Opinion procedure (Article 218 (11) TFEU) in the wake of ongoing negotiations to ‘modernise’ the ECT and offer some thoughts on the outcome of the negotiations themselves from the perspective of climate change mitigation efforts. It will start with a brief introduction to why Belgium requested this Opinion, outline the rationale of the Opinion procedure, and subsequently discuss the ruling of the Court. It will end with a brief discussion with the current efforts to ‘modernise’ the ECT and its relationship with efforts to mitigate climate change.  Continue reading

X