EBA and Game of Thrones: A Match Made in Luxembourg

Is there an unwritten rule mandating that we read all Advocate Generals’ Opinions opening with a quote from the Game of Thrones (GoT)? If not, it is high time we adopted one.

‘What is dead may never die’. Opening with this line from the popular show, AG Bobek is alluding to an important EU law question: can the ECJ invalidate a soft law act, i.e. a non-binding EU measure, under the preliminary reference procedure of Article 267 TFEU? If not, can the Court provide (binding) interpretation of such a measure?

In his Opinion in Case C-911/19 FBF v ACPR, published on April 15th, the AG offered his own answers to these thorny questions. In this post, the background to the case will initially be set out. The key legal issues that arise will then be dissected, and the AG’s findings will be critically assessed.

Factual background 

The facts of the case, as presented by the AG and summarised in the Court’s press release, are relatively straightforward. In 2017, the European Banking Authority (‘EBA’) issued Guidelines on product oversight and governance arrangements for retail banking products. Thereafter, the French Autorité de contrôle prudentiel et de résolution (Authority for Prudential Supervision and Resolution) (‘ACPR’) announced in a notice that it complied with those guidelines, thus making them applicable to all financial institutions under its supervision. The Fédération bancaire française (French Banking Federation; ‘FBF’) sought the annulment of that notice before the referring court, claiming that the EBA did not have the power to adopt those guidelines. In other words, French banks are “attacking” the notice of the French supervisory authority by going after its source of inspiration, i.e. the EBA’s guidelines, and claiming that the latter should be annulled as being ultra vires.

Key legal issues

In a nutshell, three main questions arise from an EU law perspective. Firstly, did the EBA, by adopting the disputed guidelines, go beyond the scope of its powers under Regulation No 1093/2010? Secondly, if yes, what should the consequence be? Is the Court able to declare a non-binding measure invalid under the preliminary reference procedure (Art. 267 TFEU), even though it is not able to do so following an action for annulment (Art. 263 TFEU)? Thirdly, and finally, if national law, contrary to EU law, allows for broader access to direct judicial review of soft-law measures (including national acts ‘implementing’ non-binding EU-law acts), is the national court obliged to refer questions regarding the validity of non-binding EU measures like EBA’s Guidelines, or can it simply annul the national implementing measure on its own?Continue reading

Pre-Market Requirements, Prior Authorisation and Lex Specialis: Novelties and Logic in the Facial Recognition-Related Provisions of the Draft AI Regulation

The draft Artificial Intelligence Regulation proposed by the European Commission on 21 April 2021 was eagerly anticipated. Its provisions on facial recognition to an even greater degree, given the heated debate going on in the background between those who support a general ban of this technology in public spaces and those who consider that it has “a lot to offer as a tool for enhancing public security” provided that rigorous red lines, safeguards and standards are introduced. NGOs (such as those who support the “Reclaim Your Face” campaign) and political groups (such as the Greens) have been calling for a total ban of “biometric mass surveillance systems in public spaces”. Contrary to these calls, in their submissions to the public consultation on the White paper, some countries (e.g. France, Finland, the Czech Republic and Denmark) claimed that the use of facial recognition in public spaces is justified for important public security reasons provided that strict legal conditions and safeguards are met (see the Impact Assessment Study, at 18). The results of the public consultation on the White Paper on AI are mixed on the issue of the ban (see here, at 11), but an overwhelming majority of respondents are clearly calling for new rules in this field.

Whilst the idea of a complete ban has been rejected (as we will discuss later in this paper), leading to reactions of the European Data Protection Supervisor (EDPS) and NGOs, the Commission’s draft Regulation attempts to deliver on the idea of introducing new rules for what it calls “remote biometric identification” (RBI)[i] systems, which include both facial recognition but also other systems for processing biometric data for identification purposes such as gait or voice recognition.

The objective of this paper is to present the basic features of this proposed set of rules; to decipher the “novelties” among these when compared with existing rules related to the processing of biometric data, especially Article 9 of the General Data Protection Regulation (GDPR) and Article 10 of the Law Enforcement Directive (LED); and to explain the logic behind the new mechanisms and constraints that have been introduced. Part 1 of this paper includes a table that we have produced in order to enable an understanding of the facial-recognition-related provisions of the draft AI Regulation “at a glance”. Part 2 focuses on the rules proposed in the draft to regulate the use of RBI in publicly accessible spaces for the purpose of law enforcement.

The analysis below is based on certain highlights of a first high level discussion on this topic organised on April 26, 2021 by the Chair on the Legal and Regulatory Implications of Artificial Intelligence (MIAI@Grenoble Alpes), with the cooperation of Microsoft. The workshop, which was held under Chatham House rules, included representatives of three different directorates-general of the European Commission (DG-Connect, DG-Just and DG-Home), the UK Surveillance Camera Commissioner, members of the EU Agency for Fundamental Rights (FRA) and Data Protection Authorities (CNIL), members of Europol and police departments in Europe, members of the European and the French Parliaments, representatives of civil society and business organisations, and several academics. A detailed report of this workshop and a list of attendees will be published in the coming days on AI-Regulation.Com, where we have already also posted the materials distributed during this workshop that could be very useful for the readers of this blog.

Continue reading

Green light from Karlsruhe for the ratification of new EU own resources decision. First fractures in the prohibition of fiscal integration?

Background facts

 With a decision issued on the 15th April 2021, the German Federal Constitutional Court (GFCC) declined the request for preliminary injunction against the promulgation of the domestic act ratifying the 2020 Own Resources Decision (ORD), on which the activation of Next Generation EU (NGEU) depends. Once the remaining Member States complete the ratification process in accordance with by art. 311 TFEU, the Union will finally be allowed to collect resources on the market to reinforce its budget and develop a recovery plan for Europe in the aftermath of the COVID-19 pandemic. While the decision of the Court brings great relief to those who believe that NGEU represents a turning point in the process of European integration, the outcome wasn’t something expected due to the well-known hostility of the GFCC towards any form of fiscal integration in the Union.

As noticed by Benedikt Riedl in a recent post published on this blog, the real issue  the Court has been called  to consider in the case is whether authorising the Commission to borrow up to € 750 billion on capital markets on behalf of the EU and repay it by the 31st December 2058 may pave the way to the establishment of a fiscal union, where Member States and their citizens are mutually responsible for financial obligations taken by the European institutions. From the point of view of the German constitutional law this might represent a violation of the Bundestag’s overall budgetary responsibility, which is part of the Basic Law’s constitutional identity and guarantees citizen’s right to democratic self-determination. The applicants raised two arguments to prove such violation. On the one hand, the 2020 ORD authorises the European Commission under certain conditions to make additional calls on the Member States to provide financing, thus causing unforeseeable budgetary burdens on the German budget without prior constitutive approval by Parliament. At the same time, the 2020 ORD would consist of an ultra vires act, as it infringes the EU Treaties, in particular the prohibition of bailout (article 125 (1) TFEU) and rules on the amendment of the ORD (article 311 (3) TFEU). Sticking to the consolidated case law of the GFCC (as Riedl does) there are sufficient grounds to believe that the complaints of the applicants are founded, even in an emergency procedure. Yet, this time the Court has gone in the opposition direction, by authorising the promulgation of the act ratifying the ORD. While the decision only deals with the application for preliminary injunction, it presents some arguments which might also help the solution of the principal proceeding.

Continue reading

Eurodac: Biometrics, Facial Recognition, and the Fundamental Rights of Minors

Since its establishment in 2003, Eurodac (European Dactyloscopy System) has played a fundamental role in the digitisation of migration management and border security in the EU. The Eurodac database contains the fingerprints of all asylum applicants and migrants apprehended in connection with an irregular border crossing. Under proposed reforms to the Eurodac database, its scope is to be expanded to aid authorities in facilitating returns, tackling irregular migration and collecting individuals’ facial images with a view to future facial recognition technology.  The recently amended Eurodac proposal released in September 2020 as part of the New Pact on Migration and Asylum (analysed previously on this blog) also proposes to lower the age for biometric data collection from 14 to 6 years old.

This contribution notes the current role of Eurodac and highlights the proposed changes to the system as they relate to minors and their fundamental rights as enshrined in the Charter of Fundamental Rights of the European Union (Charter). The EU asylum acquis, particularly Directive 2011/95/EU (Qualification Directive), considers minors as being children before being migrants. Within this category, unaccompanied minors are understood as a non-EU national or stateless person below the age of 18 who arrive on the territory of EU States unaccompanied by an adult. The challenges raised by the proposed expansion of Eurodac are analysed in the context of its impacts on both unaccompanied and accompanied minors arriving in the EU. Whilst many of the challenges identified affect all minors, the focus is on those faced by minors below the age of 14, who are considered to be a particularly vulnerable group and targeted by the extension of the current Eurodac system.

The proposal to lower the age for biometric data collection of minors from 14 to 6 years old poses significant risks to their right to human dignity (Article 1 Charter), their right to the integrity of person (Article 3 Charter), the rights of the child (Article 24 Charter), and the right to respect for private life (Article 7 Charter).  These challenges are further complicated by efforts to introduce the interoperability of EU-wide databases, forming an increasingly complex and opaque ecosystem of biometric data processing, profiling and automated decision-making. Considering the inherent sensitivity of biometric data, as highlighted below, and the vulnerable position of minors crossing EU borders, this post also focuses on the right to protection of personal data (Article 8 Charter), especially as elaborated through the principles and rights enshrined in Regulation (EU) 2016/679 (GDPR).

Continue reading

“You Cannot Change the Rules in the Middle of the Game” – An Unconventional Chapter in the Rule of Law Saga (Case C-824/18 A.B. and others v the KRS)

In what seems like a breath of fresh air for the Polish constitutional landscape, the Court of Justice recently reaffirmed its vital role in safeguarding the founding principles of EU law in its judgment in C-824/18 A.B. and others v the KRS. On 2 March 2021, the Grand Chamber delivered another verdict that touches upon the rule of law crisis which has been going on in Poland since at least December 2015. This time, the Court was given an opportunity to reflect on the interpretation and the scope of application of the second subparagraph of Article 19(1) TEU with regards to the substantive conditions and procedural rules for the appointment of the members of the Polish Supreme Court. Furthermore, the Court of Justice’s verdict concerns Article 267 TFEU and Article 4(3) TEU and the attempts of the Polish legislature to prevent a national court from referring questions to the CJEU. Continue reading

’In view of the exceptional and unique character’ of the EU-UK Trade and Cooperation Agreement – an Exception to Separation of Powers within the EU?


The Trade and Cooperation Agreement between the EU and Euratom, of the one part, and the UK, of the other, was signed on 30 December 2020 (EU-UK TCA). At the stage of opening the negotiations, as is usual, the option of concluding it as mixed agreement was left open. However, the TCA was signed as an EU-only agreement, based on the argument that the EU had exclusive competence for part of the agreement (Common Commercial Policy (CCP)) and ‘potential competence’ (shared competence that the EU exercises for the first time) for the rest. At present, the EU-UK TCA is provisionally applied and the European Parliament is planned to give its consent in the plenary session starting on 26 April 2021.

The decision to sign the agreement as an EU-only agreement was taken in a hasty written procedure between Christmas and New Year. The Council relied on a confidential but leaked opinion by the Council Legal Service (CLS), which ‘does not provide an in-depth examination of all of its aspects, nor does it provide a comprehensive and detailed competence analysis.’ The Opinion is indeed strategically selective. At the same time, the Member States, who were not involved in the negotiations, are unlikely to have had the necessary time to analyse the competence question in any depth. To what extent their parliaments – whose prerogatives are fundamentally affected by the choice for an EU-only agreement – were involved in approving the Council decision depends on national constitutional provisions and the limited time window. 

The EU-only nature of the agreement, or if you like, the choice against mixity strikes us as an unusual choice. Agreements negotiated by the EU that include provisions outside its exclusive competences are generally concluded as mixed agreements. 

The EU-UK TCA departs from this practice by referring to the exercise of a ‘potential non-exclusive competence’ by the Union. The CLS explains this as a ‘political choice’ that ‘does not prevent Member States from continuing to exercise their national competences vis-à-vis other third countries’. We doubt whether the matter really is this simple. 

Continue reading

Corona Reconstruction Fund stopped for the time being

On March 26, 2021, the German Federal Constitutional Court (GCC) held that the Own Resources Resolution Ratification Act (ERatG) must not be executed by the Federal President for the time being. In doing so, it temporarily averts the danger of taking a path to a fiscal union that as will be argued in this post, is contrary to EU law. What is behind this, and what is to be thought of the questions of EU law raised in this procedure?  The article addresses whether the European Own Resources System and the Corona Reconstruction Fund conform with EU law. As will be shown in this post, the EU may have acted ultra vires (i.e., outside its authority). In particular, the possibly insufficient earmarking of the Own Resources System and the Corona Reconstruction Fund, as well as the high-liability risk for the member states, are problematic. If such an ultra vires act were to exist, the GCC would, under its established case law and the German constitution, deny this EU program its effect in Germany and thus, in effect, finally stop the entire Corona Reconstruction Fund.

More on the domestic constitutional problems of the case can be found in the article from Verfassungsblog, which deals in particular with the violation of Germany’s constitutional identity.

The subject of the summary proceedings is the Own Resources Decision Ratification Act. This is the German law approving the financing of the European Union until 2027. It is the legal basis for the entry into force of the current Own Resources Decision of the European Union of December 14, 2020. The Own Resources Decisions of the European Union are based on Article 311 (3) TFEU and, in addition to other revenue, serve to finance the EU budget. The current Own Resources Decision enables the European Commission in Article 5 (1a) to take out loans of up to 750 billion euros with a term of up to 38 years. With these funds, the European Union intends to temporarily use 750 billion euros within the framework of its NextGenerationEU economic stimulus package to repair the immediate economic and social damage caused by the Corona pandemic. The most important instrument in this stimulus package is the Recovery and Resilience Facility, which will provide 627.5 billion euros in loans and grants to support reforms and investments in the countries of the European Union. Implementation of the economic stimulus packages by the European Union is only possible once all Member States have ratified the Own Resources Decision (Article 311 (3) sentence 3 TFEU).

The German Bundestag approved the Own Resources Ratification Act on March 25, 2021. The vote was preceded by a heated debate, during which the Minister of State at the Federal Foreign Office described the Own Resources System “as a necessary and overdue step towards a fiscal union”.

Continue reading

European Law Blog Lunch Seminar on Data Retention: How to Follow-up on the Court of Justice’s Recent Case Law?

Organiser: European Law Blog (https://europeanlawblog.eu)

Date: 19 April 2021, 12h-14h (Central European Time)

Venue: Online (via Zoom)

Registration: free but mandatory (max. 50 participants) – via this link: https://bit.ly/2POdq6n


The issue of data retention has been at the centre of much legal reflection ever since the Court of Justice of the European Union (CJEU) invalidated the 2006 Data Retention Directive in C-293/12 Digital Rights Ireland. While this annulment was very much welcomed by the data protection community and civil society, police and judicial authorities have expressed strong concerns about the impact on criminal enforcement; concerns that have resulted in several court proceedings at national and EU level.

In three recent rulings (C-623/17 Privacy International, C-511/18 La Quadrature du Net e.a. and C-746/18 Prokuratuur), the CJEU has tried to further clarify unsettled questions. Nevertheless, in doing so, the Court has most likely raised more questions than answers and has definitely complicated the way forward for EU and national legislators. Consequently, judicial authorities as well as intelligence agencies are still in search of clarity, while citizens and businesses remain confronted with a lack of legal certainty. 

The editors of the European Law Blog are pleased to invite you to the Blog’s first online seminar, which will focus on these tffopical issues. During this seminar, four eminent speakers will take the floor to analyse the current legal situation, in the light of the CJEU’s recent case law, and to reflect on future solutions for what seem nearly inextricable problems.


  • Moderator: Vanessa Franssen, Professor University of Liège, Affiliated Senior Researcher KU Leuven, and Editor European Law Blog
  • Speakers:
    • Anna Buchta, Head of Policy and Consultation Unit, European Data Protection Supervisor
    • Jarek Lotarski, Legal Service of the Council of the EU (previously Policy Officer European Commission, DG Home)
    • Nóra Ní Loideain, Director, Information Law & Policy Centre, Institute of Advances Legal Studies, University of London
    • Christian Svanberg, General Counsel, Danish Defence (previously Head of Center for Data Protection and DPO, Danish National Police)