14 November 2022
By Hannah Ruschemeier
All involved in data protection law are well acquainted with the constant anxiety arising in the context of international data transfers since the Schrems decisions of the ECJ. Long story short: According to Art. 44-49 GDPR there has to be a legal basis for transferring personal data from the European Union to third countries. The ambitious goal is to ensure compliance with the protection standards of the GDPR in the global world of data transfers even outside the Union. A very important line of data transfer is the one from the EU towards the US and the provisions are necessary to protect the right to data protection of European citizens in a globalized data-driven world. The GDPR requires the third country transfers either to occur on the basis of an adequacy decision by the Commission (Art. 45) or the transfer to be subject of appropriate safeguards (Art. 46). Additionally, Art. 49 GDPR states subsequent derogations for specific situations. Adequacy decisions refer to an assessment of the legal system of the third country while the appropriate safeguards rely on the individual protections the transferring party implements.
I will briefly summarise the main emphasis of the executive order by President Biden on enhancing safeguards for US signals intelligence activities and explain possible implications on transnational data transfers and the GDPR, followed by an analysis of the intersection of legal and political arguments and a short outlook.Continue reading
7 November 2022
By Samar Abbas Nawaz
“How should anyone be held liable for a harm caused by Artificial Intelligence (AI) systems?” is an oft-raised concern around the use of AI systems. After proposing a regulation for AI systems in 2021, the European Commission has now addressed this critical issue of liability. Regulating AI liability is not an easy task, and the recent legislative efforts of the Commission make this even clearer. Ensuring that AI systems are safe to use is crucial for law makers. On the basis of two proposed directives, the Commission aims to protect victims of AI harm by setting some rules for imposing liability. It is thus imperative to examine to what extent these rules address the concern of liability and make it easier for injured parties to receive damages for the harm incurred.Continue reading
By Christina Eckes and Laurens Ankersmit
Blogpost 47/2022 (PDF)
In the past weeks, several Member States pursued withdrawal from the Energy Charter Treaty (ECT), a multilateral investment treaty to which both the EU and the Member States are party. Some Member States, however, are hesitating because they feared that withdrawal without the EU may have little practical effect for the controversial investor-state-dispute settlement (ISDS) mechanism. We argue that these doubts are not legally justified. As a matter of EU law, the EU cannot hold Member States that have withdrawn liable under EU law as this would go against the internal division of competences. What is more, the EU’s own membership and ability to amend the ECT is legally in doubt as it lacks the necessary competence to assume responsibility for the entirety of the agreement under EU law.Continue reading
17 October 2022
By Tiago Cabral and Sophia Hassel
Blogpost 46/2022 (PDF)
On 4 May 2022, the General Court shielded OLAF (European Anti-Fraud Office) from liability for the infringement of data protection rules, at the cost of departing from ECJ case law and widely accepted legal principles in EU data protection law. This decision was legally flawed (as we argue below) and indeed has already been appealed before the ECJ at the time of writing. Had the General Court arrived at the correct judgment – that is, that the press release by OLAF did contain personal data under Article 3(1) of Regulation 2018/1725 (on the processing of personal data by the Union institutions, bodies, offices, and agencies) – it would have been forced to answer also the question of damages and scope under the GDPR (General Data Protection Regulation). OC v Commission, therefore, missed its chance to be a landmark judgment. Currently, however, the judgment places the General Court on opposing paths with the ECJ, creating uncertainty, causing fragmentation in practice, and undermining the EU’s efforts to harmonise data protection law. Continue reading
13 October 2022
By Christian Breitler
Blogpost 45/2022 (PDF)
The year is 2022. In a Union based on the rule of law, the entire body of EU legal acts is subject to the review of their conformity with the Treaties as the Union’s basic constitutional charter. Well, not entirely! One small Gallic village called the Common Foreign and Security Policy (CFSP) still holds out against the promise of a complete system of legal remedies and procedures – even after the collapse of the pillar structure more than 12 years ago. And life is not easy for claimants, national courts and EU scholars alike who garrison the Court’s fortified barriers of jurisdiction in search for clarity, coherence and justice. However, two cases currently pending before the ECJ might eventually mark the end of the seemingly indomitable village.Continue reading
11 October 2022
By Kristina Irion
Blogpost 44/2022 (PDF)
On 21 June 2022, the European Court of Justice (ECJ) handed down its judgment in Ligue des droits humains concerning the Directive 2016/681 on passenger name record data (PNR Directive). This is the second time that the ECJ has appraised the conformity of a PNR system with the EU Charter of Fundamental Rights (the Charter). In Opinion 1/15, the Court found the draft PNR Agreement between the EU and Canada to be incompatible with Articles 7, 8, 21 and 52(1) of the Charter. This interpretation cast a shadow on the legality of the PNR Directive as well, as it contains partly identical provisions to the EU-Canada draft PNR Agreement. In Ligue des droits humains, the Court now ‘repairs’ the PNR Directive by means of a Charter-conforming interpretation and, without affecting its validity, significantly modifies the permissible scale and scope of the EU-wide security practice on passengers’ data.
This post summarises how the ECJ assesses the validity of the PNR Directive in light of Articles 7, 8 and 52(1) of the Charter (the fundamental right to respect for private life, to protection of personal data, and the principle of proportionality, respectively). For the sake of clarity, the post exclusively focuses on the judgment’s implications for the PNR Directive, leaving aside the two other EU legal instruments also considered in the judgment, namely Council Directive 2004/82/EC (API Directive) and Directive 2010/65/EU on reporting formalities for ships.Continue reading
1. Data Protection at Work
It has long been recognised that personal data processing in the employment context has distinct challenges that require special regulatory treatment. As early as 1999, Spiros Simitis and Mark Freedland, writing independently, reached the same conclusion (see here and here): that the omnibus rules of the now repealed Directive 95/46/EC were not fit for the particular requirements of the employment sector. A specific European directive on the protection of employees’ data was needed. Two decades on, little meaningful progress has been achieved at the policy level. Multiple attempts to introduce employment-specific data protection law at the Union level failed due to a combination of legal, political, and constitutional reasons.
While its fundamental objective is to harmonise data protection rules throughout the EU, the GDPR has a less than stellar reputation when it comes to the employment context: the GDPR is too generic adequately to cover the specificities of the employment relationship; it does not counter the informational and power asymmetry inherent in the employment relationship; and it fails to address the collective rights and interests of employees. Instead, the GDPR leaves these issues to be addressed at the Member State level. Through the opening clause under Article 88 GDPR, Member States can provide ‘more specific rules’ for data protection in the workplace through their regulatory choice (whether through legislation, collective bargaining agreements or a combination of both).
29 September 2022
By Max van Iersel
On 15 September 2022, the Court of Justice issued an important judgment on the matter of the residence rights of ‘any other family member who is a member of a household of a Union citizen’ as defined in Article 3(2)(a) of Directive 2004/38/EC. In its judgment, the Court of Justice held that a family member is part of a Union citizen’s household if a dependence relation is established, based on close and personal ties, forged within the same household. The Court essentially defines the concept of ‘emotional dependence’. A seemingly new concept of dependency that is based on strong emotional ties between two individuals. The degree of dependence, thus, goes beyond cohabitation for pure convenience.
Unlike the family members falling within the definition of Article 2(2) of the Directive, the beneficiaries of Article 3(2)(a) are not entitled to an automatic right to entry and residency within a host Member State. ‘Family members’ as in Article 3(2)(a) of Directive 2004/38, are facilitated entry and residency into a host Member State only after an extensive examination of their personal circumstances. Directive 2004/38, thus, makes a clear distinction between core family members, for example, children and spouses, and more distant ‘other’ family members.