Tải bản đầy đủ - 0 (trang)
2 A General Design of the Mandate Under Article 16 TFEU: The Member States Are Important Actors

2 A General Design of the Mandate Under Article 16 TFEU: The Member States Are Important Actors

Tải bản đầy đủ - 0trang

4.2  A General Design of the Mandate Under Article 16 TFEU: The Member…


2.The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with

regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope

of Union law, and the rules relating to the free movement of such data. Compliance with

these rules shall be subject to the control of independent authorities.

  The rules adopted on the basis of this Article shall be without prejudice to the specific

rules laid down in Article 39 of the Treaty on European Union.

Privacy and data protection constitute a domain where the competence of the

European Union to protect individuals is laid down in Article 16 TFEU as a positive

obligation for the Union to ensure protection. Article 16 TFEU is closely related to

Articles 7 and 8 Charter, which specify that privacy and data protection are fundamental rights that must be respected where EU law applies.4

The mandate of the Union has a general dimension, since the Union is based on

values and the Treaties are ambitious in promoting these values, also in the wider

world as illustrated by the Treaty on European Union, on which the Union is based.5

The EU mandate has particular relevance on the internet, since privacy and data

protection prove to be constitutional values that matter in an information society.

However, the protection of these values is at risk in view of the features of the internet and the development of communications on the internet, leading to a loss of

control illustrated by phenomena such as big data and mass surveillance. Effective

protection is needed because individuals are entitled to it, yet the protection also

enhances the trust in the Union and more in general in governments.6

Article 16 TFEU delineates three specific tasks that must enable the European

Union and the various actors within the Union to deliver protection. Article 16(1)

TFEU, read in combination with Articles 7 and 8 Charter, implies that the European

Court of Justice has the task to ensure that these rights are respected, under the rule

of law. Article 16(2) TFEU specifies the task of the Council and the European

Parliament to adopt data protection legislation. Additionally, Article 16(2) TFEU

obliges the Union to give the independent data protection authorities the task of

ensuring control of the rules on data protection. The task of these authorities is also

mentioned in Article 8(3) Charter.

The last sentence of Article 16 TFEU is not addressed. It contains a reference to

rules on data protection in Article 39 TEU in relation to the common foreign and

security policy. Article 39 does not play a significant role in practice, in the absence

of EU legislation in this policy area relating to the processing of personal data and

in the absence of legislation or proposed legislation based on Article 39

TEU. However, the findings of this book apply mutatis mutandis also to Article 39



 Because of the limited scope of the Charter, as will be further explained in Chap. 5.

 E.g., in Articles 2, 3 and 21 TEU.


 See Chap. 2.



4  The Mandate of the EU Under Article 16 TFEU and the Perspectives of Legitimacy…

4.2.1  T

 he Context: Article 16 TFEU Gives a Mandate

to the EU, But the Member States Remain Important


Article 16 TFEU confers wide powers on the European Union to act in the domain

of privacy and data protection. However, it is a competence which the Union shares

with the Member States and which it exercises with due regard to the principles of

subsidiarity and proportionality.

In all three tasks under Article 16 TFEU the Member States have a role. The first

task results from Article 16(1) TFEU which specifies that everyone has the right to

the protection of his or her personal data. Ensuring respect for this right to data

protection is primarily undertaken within the legal systems of the Member States,

ultimately subject to review by the Court of Justice of the European Union. The

second task is laid down in Article 16(2) TFEU, first sentence, and requires the

adoption of rules under the ordinary legislative procedure, by the EU legislator, the

Council and the European Parliament; yet, there is room for national legislation.7

The third task is laid down in the second sentence of Article 16(2) TFEU and comprises control of the rules, by independent supervisory authorities which are foremost national authorities.8

The power of the European Union under Article 16 TFEU coincides with competing competences of Member States. An example is the freedom of expression

where the Union does not have competences comparable to those laid down in

Article 16 TFEU. Furthermore, the Union lacks certain powers in relation to national

security, whilst the enforcement of EU law is mainly decentralised and must be

ensured by the Member States.

Article 16 TFEU and the legislative instruments based on this article – particularly the General Data Protection Regulation9 – are not evident choices in the current state of EU law. Several arguments plead against using Article 16 TFEU as a

basis for an overarching regulation on data protection in the European Union. This

book refutes or, where relevant, nuances those arguments.


 As specified in Chap. 6, Sect. 6.6.

 Under Article 28 of Directive 95/46.


 See also Chap. 6.


4.2  A General Design of the Mandate Under Article 16 TFEU: The Member…


4.2.2  L

 egitimacy and Effectiveness: Perspectives

for Understanding the Mandate of the EU

Legitimacy and effectiveness add new perspectives to the complicated reality of

privacy and data protection on the internet. Legitimacy and effectiveness are different issues, but – as explained in this chapter – they are to a certain extent interlinked,

if only because legitimacy can be measured in terms of effectiveness. The objective

of effective protection in itself creates legitimacy. This is what is usually called

‘output legitimacy’. Output legitimacy is opposed to ‘input legitimacy’, the democratic legitimacy of government action.10 Input legitimacy is particularly important

in view of the democratic shortcomings of the European Union itself11 and because

of the involvement of actors, notably the independent data protection authorities,

who are not accountable for their performance to elected bodies. As will be

explained, effectiveness of protection (output legitimacy) is not sufficient for trust;

democratic legitimacy (or input legitimacy) is also required.

The legitimacy of the European Union in the governance of privacy and data

protection is understood as: ensuring that there is some degree of accountability

towards political institutions.12 The Union’s democratic shortcomings affect the

legitimacy of and support for the Union, also because the exercise of powers by the

Union in the domain of fundamental rights has a direct impact on individuals and

limits the scope for decision-making by national governments13 which are no longer

capable to protect their citizens according to national preferences, subject to democratic and judicial accountability in the national legal order. As will be explained

below, the Union operates in a pluralist legal context and needs to take account of

the legitimate interests of its main interlocutors: individuals and Member States.14

This book focuses mostly, but not fully, on legitimacy in a formal sense and not

on more social aspects of legitimacy of the Union. A social aspect of legitimacy is

for instance the question whether the absence of a European demos or – possibly

connected to this – the low turn-out in elections for the European Parliament diminishes the legitimacy of EU action.15


 Further read: Paul Craig, “Integration, Democracy and Legitimacy”, in: Paul Craig and Grainne

de Búrca (eds), The evolution of EU Law (second edition), Oxford University Press, 2011.


 Often referred to as democratic deficit. See, e.g.: Giandomenico Majone, “Europe’s ‘Democratic

Deficit’: The Question of Standards”, European Law Journal, Vol. 4, No.1, pp. 5–28, March 1998.


 See Chap. 1, Sect. 1.2.


 Koen Lenaerts and Piet van Nuffel, European Union Law, (Third Edition), Sweet & Maxwell,

2010, at 125.


 The relation with a third category of main interlocutors – third countries and international organisations – will be discussed in Chap. 9 on the external relations of the Union.


 The Constitution of Europe, “Do the new clothes have an emperor?” and other essays on

European integration, Joseph Weiler, Cambridge University Press, 1999, e.g at 80.


4  The Mandate of the EU Under Article 16 TFEU and the Perspectives of Legitimacy…

Another perspective is effectiveness, a requirement for all action within the scope

of EU law.16 EU action in the domain of privacy and data protection on the internet

must be effective, which this book specifies as: ensuring protection by bridging the

gap between principles and practice.17 Effectiveness requires the use of the most suitable instruments, if only not to lose the trust of citizens. Here we note the declining

effectiveness of traditional government intervention, as such, and the fact that other

forms of governance are emerging, for instance cooperation with n­ on-­governmental

institutional stakeholders, in particular the private sector and civil society.18

4.3  A

 First Specification of the Mandate Under Article 16

TFEU: Broad Powers of the EU, But a Shared

Competence, and an Outline of the Three Tasks

The division of competences between the European Union and the Member States

is one of the essential and difficult issues of EU integration and plays an important

role in this book. This division is determined by the principle of conferral laid down

in Article 5(2) TEU, subject to the provisions of the Treaties, and, where the Union

is competent to act and has acted, by the primacy or supremacy of EU law. Article

5(2) TEU also affirms that competences not conferred on the Union in the Treaties

remain with the Member States.

4.3.1  Wide Powers of the EU in Privacy and Data Protection

Article 16 TFEU confers wide powers on the European Union to act in the domain

of privacy and data protection. In doing so, Article 16 TFEU goes beyond the role

of the Union in respect of most other fundamental rights under the Charter as delimited in Article 51(2) thereof. Where the Charter does not establish “any new power

or task for the Union, or modify powers and tasks as defined in the Treaties”, Article

16 TFEU precisely establishes a power of the Union in relation to privacy and data

protection. Article 16 TFEU also means that privacy and data protection fall, by

definition, within the scope of EU law. This is the necessary corollary of the Union’s

mandate to ensure the protection of everyone’s rights.19


 Paul Craig and Grainne de Burca, EU Law: Text, Cases and Material (fifth edition), Oxford

University Press, 2011, at 223–231.


 With reference to Kenneth A. Bamberger, Deirdre K. Mulligan, “Privacy on the Books and on the

Ground”, 2011, Stanford Law Review, Vol. 63, January 2011. See Chap. 1, Sect. 1.2 of this book.


 See, e.g., Chap. 6, Sects. 6.12, 6.13, and 6.14.


 This understanding has as a further consequence that the addition “within the scope of EU law”

in Article 16(2) TFEU, in relation to processing by the Member States, would be without meaning.

On the text of Article 16(2) TFEU, see Chap. 6, Sect. 6.2 of this book.

4.3  A First Specification of the Mandate Under Article 16 TFEU: Broad Powers…


Article 16 TFEU has a further consequence. The Charter – including Articles 7

and 8 thereof – only applies to the Member States where they act within the scope

of EU law. This limitation of scope of the Charter is laid down in Article 51(1)

Charter. The consequence of Article 16 TFEU is that this limitation of the applicability of the Charter is no longer relevant in the domain of privacy and data protection. Where the Member States act in this domain, they act by definition within the

scope of EU law and the Charter is applicable.

4.3.2  A

 rticle 16 TFEU Is a Shared Competence,

But in Practice Complete

The Treaty of the Functioning of the European Union contains catalogues of areas

where the Union has exclusive competence, where it shares competence with the

Member States and where it may act to support, coordinate or supplement Member

State action.20 Shared competence is the main rule:21 exclusive competences as well

as supporting, coordinating and supplementing competences are listed in an exhaustive way, whereas in all other areas the competences are shared. These catalogues

are not only intended to clarify the EU competence, but also to contain this competence, to avoid a creeping expansion of EU competence or an encroachment on the

exclusive areas of competence of the Member States.22

This book assumes that Article 16 TFEU can be considered a shared competence,

although this is not explicitly mentioned in the Treaty. The assumption is based on

a logical reading of the TFEU. Out of three catalogues of competences, two are

exhaustive, whereas the catalogue of shared competences in Article 4 TFEU contains an enumerative list. Data protection is not mentioned in any catalogue of competences, hence it belongs to the only ‘open’ catalogue.

Article 2(2) TFEU specifies what shared competence means: both the European

Union and the Member States may legislate and adopt legally binding acts in that

area. However, the Member States shall exercise their competence only to the extent

that the Union has not exercised its competence. Timmermans calls this ‘diplomatic

drafting’. The Treaty aims to state that Member States shall not exercise their power

to the extent the Union has exercised its competence.23 Legislative instruments of


 Articles 3, 4 and 6 TFEU.

 Koen Lenaerts and Piet van Nuffel, European Union Law, Third edition, Sweet & Maxwell,

2010, at 113, 124–130; Christiaan Timmermans: ECJ doctrines on Competences, in: Loïc Azoulai

(ed.), The Question of Competence in the European Union, Oxford University Press, 2014.


 See European Council, Presidency conclusions – Laeken, 14 and 15 December 2001, incl. Annex

I Laeken Declaration on the future of the European Union, at 21–22 The Laeken declaration gave

impetus to the inclusion of the catalogues of competences.


 Christiaan Timmermans: ECJ doctrines on Competences, IN: The Question of Competence in

the European Union, Edited by Loïc Azoulai, Oxford University Press, 2014.


Tài liệu bạn tìm kiếm đã sẵn sàng tải về

2 A General Design of the Mandate Under Article 16 TFEU: The Member States Are Important Actors

Tải bản đầy đủ ngay(0 tr)