Proportionality has come to the GDPR

1. Proportionality overlooked

With the recent publication of their guidance on international personal data transfers (a draft of Recommendation 01/2020 and a final version of 02/2020; November 2020), the European Data Protection Board (EDPB) has provided advice on how such transfers should occur within the framework of the General Data Protection Regulation (GDPR). This was long-awaited, especially since the Court of Justice of the European Union’s (CJEU) seminal judgment in Case C-311/18 (Schrems II) in July 2020, in which the CJEU (yet again) struck down a general mechanism for data transfers to the private sector in the United States (US) (technically, an adequacy decision, called “Privacy Shield”) and furthermore declared that the so-called “appropriate safeguards” – a group of legal mechanisms for such transfers (Articles 46-47 GDPR) – might not always be appropriate.

Both the Schrems II judgment and the aforementioned EDPB guidance have immediately sparked much debate in academia (for example, here) and among data protection practitioners (for example, here) on how to actually transfer personal data, especially towards the US, without breaching the GDPR. These vivid debates tend to focus mainly on compliance issues, though from a broader perspective, both the judgment and the guidance also demonstrate that one of the most complex yet uncharted legal concepts has gained more and more prominence in the GDPR – proportionality. In our view, both Schrems II and the EDPB guidance confirm and endorse the entrance of proportionality to the area of data transfers. However, this is not the only use of proportionality in the GDPR.

The increased usage of proportionality in the GDPR has, in our view, so far not received sufficient academic and professional attention, despite its significance and the practical difficulties it brings to the fore. This stands in a stark contrast with the rich debate on proportionality per se and on parallel, equally significant elementary recent developments in the GDPR, e.g. the risk-based approach or the strengthening of the principle of accountability.

Putting aside the critical appraisal of the Schrems II judgment and the EDPB guidance, with this exploratory blog post we intend to draw attention to the increasing usage of proportionality in the GDPR and to its significance. We further intend to map its use in the GDPR, direct or indirect, focusing on the example of the most recent developments in data transfers, this way paving a way for further research. To paraphrase Leonard Cohen, proportionality has come to the GDPR, yet this does not mean it had not been there before, in data protection law, e.g. in the Data Protection Directive (DPD), the predecessor of the GDPR. It rather means – as in Cohen’s song Democracy – that the GDPR is nowadays “really where the experiment is unfolding” and this “experiment” of proportionality makes the GDPR a “real laboratory” thereof, bringing ramifications for the broader field of EU data protection law and – even – human rights law. This “experiment” brings to the fore profound consequences for both theory and practice of personal data protection, hence meriting both academic and professional attention.

Continue reading

FNV v Van den Bosch, or the thin line between the free movement of services and ‘social dumping’ in the never-ending story of posted workers

December 2020 began in Luxembourg with a focus on the posting of workers, as the CJEU delivered its judgment in a dispute between the Federation of Dutch Trade Unions (FNV) and a transnational group of undertakings in the transport sector. Case C-815/18 FNV v Van den Bosch is the second act in a tragedy of errors, initiated exactly a year earlier in Case C-16/18 Dobersberger concerning the definition of a ‘posted worker’. Against the current of the ongoing reform of the EU framework on posted work, Dobersberger cast doubts over the applicability of the Posted Workers Directive (PWD) to the transport sector. In FNV, the Grand Chamber has now corrected its previous stance by confirming that transport workers can also be posted workers. Yet, the Court erroneously persists in applying the test of a sufficient connection to the territory of the receiving country, which workers have to pass before they can benefit from the protection of that state. This concept, albeit nowhere to be found in the wording of the PWD, further deepens the inequalities between different types of intra-EU labour migrants whose realities are often similar.

Continue reading

The Charter at 20: Returning to its origin as a critical juncture for fundamental rights protection in the EU

The Charter of Fundamental Rights of the European Union (‘the Charter’) was proclaimed exactly twenty years ago, on 7 December 2000, and its elevation to primary law status dates to 1 December 2009. Today is thus an important anniversary for the EU’s key instrument for the protection of fundamental rights. Since its proclamation, the Charter has deepened the embedment of fundamental rights in the EU. It has been increasingly used in adjudication, even in national law (see for example here or here). Whilst many are familiar with the Charter’s jurisprudential journey, its history up to 2009 is less explored. It is for this reason that we invite our readers to follow us on a journey towards a forgotten juncture in the Charter’s coming of age: its drafting history.

Continue reading

Wild hamsters in the city: how does EU law deal with urban biodiversity?


The current rate of biodiversity loss has been gaining more attention over recent years, with some scientists now claiming that a so-called sixth mass extinction event is currently under way. Despite its progressive image as a world leader in environmental governance, the EU’s biodiversity is not doing any better. The plight of the wild or common hamster (Cricetus cricetus), which was recently added by the International Union for the Conservation of Nature (IUCN) to its list of critically endangered species, is one of the starkest illustrations of the apparent deficiencies of the existing conservation approaches in Europe.

In this blog post, the legal protection offered by Union law to this much larger relative of Syrian or dwarf hamsters that are kept widely as pets will be placed at the forefront. I will use the recent decision of the Court of Justice of the European Union (CJEU) in Case C-477/19 Magistrat der Stadt Wien on the protection of common hamsters in the Austrian capital of Vienna as a benchmark to analyse our current understanding of the EU Habitats Directive (Directive 92/43/EEC). This case might ring a bell with some readers, for these unexpected city dwellers received their five minutes of fame when they featured in an episode of David Attenborough’s Seven Worlds series in 2019. The rapid expansion of the city into the countryside forced them to adapt or perish. However, while safe for now, they face new challenges, which are tied to the inherent tension between strict protection duties and economic aspirations in city environments.

Continue reading

Refusing to award legal personality to AI: Why the European Parliament got it wrong

When is new law needed and when are patches of existing legal tools preferrable?

In October 2020 the European Parliament issued three Resolutions on the ethical and legal aspects of Artificial Intelligence software systems (“AI”): Resolution 2020/2012(INL) on a Framework of Ethical Aspects of Artificial Intelligence, Robotics and related Technologies (the “AI Ethical Aspects Resolution”), Resolution 2020/2014(INL) on a Civil Liability Regime for Artificial Intelligence (the “Civil Liability Resolution”), and Resolution 2020/2015(INI) on Intellectual Property Rights for the development of Artificial Intelligence Technologies (the “IPR for AI Resolution”).

All three Resolutions acknowledge that AI will bring significant benefits for a number of fields (business, the labour market, public transport, the health sector). However, as identified in the AI Ethical Aspects Resolution, “there are concerns that the current Union legal framework, including the consumer law and employment and social acquis, data protection legislation, product safety and market surveillance legislation, as well as antidiscrimination legislation may no longer be fit for purpose to effectively tackle the risks created by artificial intelligence, robotics and related technologies” (K). Therefore, “in addition to adjustments to existing legislation, legal and ethical questions relating to AI technologies should be addressed through an effective, comprehensive and future-proof regulatory framework of Union law reflecting the Union’s principles and values as enshrined in the Treaties and the Charter of Fundamental Rights that should refrain from over-regulation, by only closing existing legal loopholes, and increase legal certainty for businesses and citizens alike, namely by including mandatory measures to prevent practices that would undoubtedly undermine fundamental rights” (L). It is in this context that the Parliament makes concrete legislative proposals in each Resolution within its respective subject-matter.

However, all three Resolutions are also adamant on not providing AI software systems with legal personality. To our mind all three make a mistake, failing to see that their otherwise excellent assessment of the problems at hand would best be served by embracing change and not shying away from it.

Continue reading

Adieu Dublin! But what’s next?


On 16th September 2020, Ursula von der Leyen, the President of the European Commission, announced in a State of the Union address a New Pact on Migration and Asylum. The new pact seeks to abolish the Dublin Regulation III, in furtherance of the recommendations the Commission made in 2016, which would be replaced with an Asylum and Migration Management Regulation (‘AMR’). The pact consists of three main pillars: discouraging migration by supporting origin countries, modernising border security, and sponsoring returns procedures of asylum seekers or extending solidarity to member states experiencing exceptional migratory influx.

The Dublin Regulation III was preceded by the Dublin Regulation II (‘Dublin II’) and the Dublin Convention (‘Dublin I’). These regulations are considered the cornerstone of the EU’s harmonised system of asylum protection known as the Common European Asylum System (‘CEAS’). CEAS was established in 1999 to grant freedom, security and justice to the third-country nationals who are unable to secure legitimate protection of their state of origin. In line with the obligation of non-refoulement under the 1951 UN Refugee Convention , Article 18 of the EU Charter guarantees the right to seek asylum. For CEAS to work efficiently, a clear and workable method of state responsibility to determine asylum claims was required. To this end, Dublin II was adopted in 2003.

This blog post is divided into six parts. The first two parts focus on Dublin II, its legal framework and the irregularities that led to Dublin III. The third part is devoted to Dublin III and the problems it caused at the time of the 2015 refugee crisis. The fourth part provides a brief overview of the new pact. In the fifth and the sixth part, the author discusses the new pact and analyses the AMR in light of the normative inconsistencies in Dublin III.

Continue reading

True (Bad) Faith 2020? Part Two: Excavating the Legal Rationale for the ‘Emergency Clauses’ in the UK Internal Market Bill

Introduction: Brexit Denouement?

1 November 2020 saw the expiry of the time-limit for the United Kingdom to respond to the European Commission’s notice of infringement proceedings for breach of the EU-UK Withdrawal Agreement. On 9 November 2020, the House of Lords voted in favour of removal of the relevant clauses from the UK Internal Market Bill (UKIMB).

The denouement of this epilogic Brexit drama may be approaching. At the domestic level, the House of Commons will be faced with the decision whether or not to re-instate the ‘emergency clauses’. At the supranational level, the Commission will be faced with the choice whether to prosecute the infringement claim against the UK before the Court of Justice of the European Union (CJEU).

All of this will take place against the backdrop of attempts by the United Kingdom and the European Union to finalise a Future Relationship Agreement before the end of the transition period on 31 December 2020.

This post follows up the legal analysis of the Commission’s claim of breach of good faith on this blog. The objective is to analyse the UK government’s justifications for providing itself with a permission to breach the Withdrawal Agreement.

The hypothesis is advanced that the UK government has based its policy on an interpretation of Article 5 of the Protocol on Ireland/Northern Ireland (NIP) that would enable the EU to enforce its customs law on all goods movements from Great Britain (GB) to Northern Ireland (NI), rather than such EU law only being triggered by the limited condition of onward movement into the EU single market.Continue reading

“Schrems III”? First Thoughts on the EDPB post-Schrems II Recommendations on International Data Transfers (Part 3)

Three Scenarios for the Way Forward (and a Recommendation)

Despite the very short available time, I have tried in Part 1 and Part 2 of this article to carefully review the EEGs and Supplementary Measures guidelines. Based on my review, there are two central conclusions that emerge from the EDPB publications on November 11:

(1) Third countries might rarely if ever meet the EEG requirements. This means that, beyond the 8 sovereign States/12 entities that have the opportunity of benefiting today from an EU adequacy decision, few other countries might be considered as offering a protection “essentially equivalent” to that offered by EU law.

(2) If third countries are not considered as “adequate/essentially equivalent”, then data transfers to them are lawful only if supplemental measures are adopted by the data exporter. The EDPB Guidance seems nonetheless to prohibit almost all such transfers when the personal data is readable in the third country.

Perhaps other commentators will find ways to reach a different conclusion. If not, however, then the implications of the EDPB position in its current writing might be: regular transfers to third countries are almost always unlawful if the personal data can be read in the third country.

As the world cannot suddenly stop moving nor international trade end as a result of Schrems II and the EDPB Recommendations, there are in reality at least three possible scenarios/solutions for the future. There might also exist other scenarios. I will present here only the ones which seem more probable to me. These scenarios are not independent from one another, but could be easily combined. I will end by detailing an important first recommendation in view of the expected update of the guidelines by the EDPB after November 30, 2020.

Continue reading