The European Commission’s Assessment of EU Withdrawal from the Energy Charter Treaty: Legal analysis or confidential strategy?

Blogpost 41/2022

‘The polluter is paid!’ – This is how one could summarise the outcome of latest arbitration award under an outdated legal framework protecting investments within the energy sector, the Energy Charter Treaty (ECT). Italy was asked to pay EUR 240 million to the English gas and oil company, Rockhopper.

Such awards put great pressure on the domestic right to regulate, in particular with regard to the necessity of adopting climate mitigation policies. This is why many social society organisations and certain national parliaments, including the Dutch parliament and the Polish parliament, plead for withdrawal of their respective states.

Since 2019, the Contracting Parties have been negotiating to modernise the ECT. On 24 June 2022, the ad hoc meeting of the Energy Charter Conference endorsed the outcome of the modernization negotiations and gave an ‘agreement in principle’. The text, while having been leaked, has not yet officially been made publicly available.

What is missing above all is an open public debate on the legal constraints and consequences of withdrawal from the ECT of the EU and its Member States. As we argue here, the European Commission, instead of facilitating such a debate, has done its part to silence it. However, entry into force does not just require the formal adoption of the modernised text at the adoption at the Energy Charter Conference. It will enter into force only between the Contracting Parties that have ratified them on the 90th day after deposit of the ratification instruments of at least three fourths, or 41, of the Contracting Parties. In light of the critical position of certain national parliaments and the European Parliament, as well as the negative experience in the ratification process of the EU-Canada Trade Agreement (CETA), the executive secrecy and lack of public debate may come around to bite the Commission.

Continue reading

Stepping out of the modernized Energy Charter Treaty – the best way forward?

Blogpost 40/2022

On 24 August 2022, Italy was ordered by an international arbitral tribunal established under the Energy Charter Treaty (ECT) to pay EUR 240 million to the English gas and oil company, Rockhopper. The reason for awarding damages to Rockhopper was Italy’s decision to prohibit further drilling for oil and gas within the range of 12 nautical miles of its coast. The ECT to which 53 parties are signatories – including the EU and its Member States, except Italy – has become a weapon in the hands of fossil companies that seriously hampers fighting the climate crisis. The EU and its Member States should withdraw from this toxic treaty as soon as possible.

The ECT was signed in 1994 and entered into force in 1998. It aimed to incentivise and protect Foreign Direct Investments (FDIs) in the energy sector, in particular from Western European countries into fossil rich countries in the East. In many respects, the ECT is an unusual and anachronistic investment treaty that would not meet current standards of protecting the right to regulate, in particular in order to meet other legal obligations, including obligations to reduce emissions.

Continue reading

On synthetic data: a brief introduction for data protection law dummies

Blogpost 39/2022 1

by César Augusto Fontanillo López and Abdullah Elbi

Synthetic data is attracting increasing attention from technicians and legal scholars in recent years. This is especially noticeable among entities and people working on data-driven technologies, particularly in the artificial intelligence application development and testing sector, where sheer volumes of data are needed. In these circles, synthetic data has become a growing trend under the “fake it till you make it” concept by promising to alleviate existing data access and analytics challenges while respecting data protection rules. Given the rising prospects and acceptance of data synthesis, there is a need to assess the legal implications of its generation and use, the starting point being the legal qualification of synthetic data.

Synthetic data is a broad concept encompassing both personally and non-personally identifiable information. This blog entry focuses, notwithstanding, on the intersection between synthetic data and personal data. The reasons for so doing are that generating synthetic data by means of personal data (including hybrid data) provides a more straightforward assessment and is more suitable for the introductory purposes of this blog entry. At the same time, given the lively academic debate on the concept of personal data, we recognise as particularly relevant to this topic the issues surrounding the qualification as personal data of existing models and background knowledge used as sources for data synthesis. These issues will, however, not be dealt with in this entry.

Continue reading

Comment to Case C-184/20 and the perils of a broad interpretation of Art. 9 GDPR

Blogpost 38/2022

On 1 August 2022, in Case C-184/20, by responding to a referral procedure brought by the Regional Administrative Court of Vilnius, Lithuania, the Court of Justice (hereinafter Court) addressed two prominent issues of data protection law, namely the balancing of transparency obligations with data protection rights, as well as the extent of protection of – potentially – sensitive data.

This judgement has attracted plenty of interest from the data protection community, and generated speculations regarding the consequences of this case. In this blog post, it will be argued that although transparency obligations, conceived to fight against corruption, can conflict with the rights of privacy and data protection, the key for solving this conflict lies in a sophisticated and complex proportionality test, that keeps into account all the specific legal and factual elements of the case.

Moreover, in the second part of this blog, it will be shown, contrarily to what stated in several hot takes to this judgement, how this ruling, in the part concerning the interpretation of personal data that can be intended to reveal sensitive data, does not provide sufficient clarity for determining what data can be considered potentially sensitive.

Continue reading

The public role of private actors: Internet service providers in the E-Evidence proposal

Blogpost 37/2022

The European Commission proposed on 17 April 2018 the “E-Evidence” legislative package (E-Evidence) to overcome the widely discussed issues relating to the traditional instruments for cross-border gathering of electronic evidence (K. Ligeti, G. Robinson; S. Tosza 2020). The main innovation of this proposal consist in allowing law enforcement in one member state to directly compel service providers in another member state to produce or preserve data (for a comprehensive analysis of the proposed package, see V. Franssen in this blog). Already now Internet service providers (ISPs) play a key role of gatekeepers to the data they have, especially in the context of voluntary cooperation. Because of limited possibilities for enforcement, the often transnational context of data gathering and economic power of major ISPs, they are the ones to decide whether to provide data to authorities or not (I develop this argument in details here). While the final text of the EPO Regulation is still being negotiated, in this post I argue that the proposal for the E-Evidence regulation (in all its available versions) does not solve the problem of such “privatisation” of enforcement in the context of e-evidence gathering (V. Mitsilegas) and explain why this is worrisome.

Continue reading

Directives, direct concern, and direct access to the CJEU: Case C-348/20 P Nord Stream 2 v Parliament and Council

Blogpost 36/2022

The limited direct access of individuals to the CJEU is, and has been, the cause for much debate in EU law. However, in the recent Nord Stream 2 judgment, the Court of Justice confirmed that it is not quite as limited as the General Court had laid it out to be in its 2020 order. Generally, for private persons – natural or legal – to be able to challenge an EU legislative act before the CJEU under Article 263(4) TFEU, they must show that, despite not being explicitly addressed by the act, they are nevertheless directly and individually concerned. Since the notorious Plaumann judgment, the “individual concern” condition has been the focus of the debate. In Nord Stream 2, however, the “direct concern” condition is at issue. According to CJEU case law, two criteria must be met to show direct concern: (1) the EU act directly affects the individual’s legal situation and (2) the addressees of the act have no discretion in implementing it (see e.g., C-404/96 P Glencore Grain, para 41).

In the present case, the General Court argued that, before transposition into national law, a directive cannot in itself impose obligations on individuals and therefore cannot directly affect their legal situation (para 107). It concluded that the applicant could not demonstrate to be directly concerned by a directive (para 116). These findings have now been reversed by the Court of Justice, confirming that directives may indeed directly concern individuals under certain circumstances and thus continue to be challenged under Article 263(4) TFEU.Continue reading

European Cybersecurity Regulation Takes a Sovereign Turn

Blogpost 35/2022

Over the past year, the European Union’s ambitious digital regulatory agenda has steadily advanced. The EU adopted the far-reaching Digital Markets and Digital Services Acts, and it is completing negotiations with the United States on a revised data transfer regime, christened the Transatlantic Data Privacy Framework (TADPF), that was necessitated by the Schrems II judgment of the Court of Justice of the European Union (CJEU). These developments have had a significant impact on transatlantic economic relations, even stimulating legislative initiatives on privacy and antitrust in the United States. One might think that resolving such contentious topics would set the stage for a quieter, more harmonious phase in the transatlantic technology policy relationship.

As EU regulatory activity resumes this fall, a lesser-known initiative – creating an EU-wide certification framework for ICT products and services (EUCS) – could cause renewed disturbance between Brussels and Washington, however. Under the EUCS proposal being developed by the EU’s cybersecurity agency ENISA, cloud service providers would be compelled to localize their operations and infrastructure within the EU and to demonstrate their ‘immunity’ from foreign law.

Europe’s concerns about the security of U.S. cloud services providers are in fact closely intertwined with its worries, expressed in Schrems II, about the privacy of Europeans’ information entrusted to these companies. In both cases, European policymakers fear the perceived extraterritorial reach of U.S. national security surveillance and law enforcement authorities. New cybersecurity regulation thus is seen as another way to safeguard Europe’s ‘sovereign’ interest in protecting data from foreign government access.  It also would reinforce separate European efforts to bolster smaller, home-grown cloud service providers, including through the GAIA-X project to create an interoperable network “explicitly based on principles of ‘sovereignty-by-design,’” as a leading European technology lawyer has characterized it.

Continue reading

Ex-ante measures regarding data transfers and ex-post enforcement of rights

On the 25th of March 2022, it was announced that the European Union (“EU”) and the United States (“U.S.”) had reached an agreement in principle on a new framework for “transfers” of personal data from legal entities in the EU Member States to controllers or processors in the U.S. Whereas the two previous adequacy decisions regarding federal U.S. data protection law were based on the revoked Data Protection Directive (“DPD”) the new implementing act will be adopted in accordance with Article 45 of the General Data Protection Regulation (“GDPR”). Although the DPD approximated the legal systems in the EU Member States regarding data protection, and the GDPR applies directly as law across the Union, the comitology procedure referred to in Article 93 GDPR remains the same as it was under the DPD. Hence, in parity with the first decision regarding U.S. data protection law (“the Safe Harbour decision”) and the second decision on the matter (“the Privacy Shield decision”), the new agreement concluded by the Commission needs to be approved by a committee consisting of representatives of the Member States and the European Data Protection Board (“EDPB”).

Continue reading