4.3 A First Specification of the Mandate Under Article 16 TFEU: Broad Powers of the EU, But a Shared Competence, and an Outline of the Three Tasks


Article 16 TFEU has a further consequence. The Charter – including Articles 7 and 8 thereof – only applies to the Member States where they act within the scope of EU law. This limitation of scope of the Charter is laid down in Article 51(1) Charter. The consequence of Article 16 TFEU is that this limitation of the applicability of the Charter is no longer relevant in the domain of privacy and data protection. Where the Member States act in this domain, they act by definition within the scope of EU law and the Charter is applicable.



4.3.2 Article 16 TFEU Is a Shared Competence, But in Practice Complete

The Treaty on the Functioning of the European Union contains catalogues of areas where the Union has exclusive competence, where it shares competence with the Member States and where it may act to support, coordinate or supplement Member State action.20 Shared competence is the main rule:21 exclusive competences as well as supporting, coordinating and supplementing competences are listed in an exhaustive way, whereas in all other areas the competences are shared. These catalogues are not only intended to clarify the EU competence, but also to contain this competence, to avoid a creeping expansion of EU competence or an encroachment on the exclusive areas of competence of the Member States.22

This book assumes that Article 16 TFEU can be considered a shared competence, although this is not explicitly mentioned in the Treaty. The assumption is based on a logical reading of the TFEU. Out of three catalogues of competences, two are exhaustive, whereas the catalogue of shared competences in Article 4 TFEU contains an enumerative list. Data protection is not mentioned in any catalogue of competences, hence it belongs to the only ‘open’ catalogue.

Article 2(2) TFEU specifies what shared competence means: both the European Union and the Member States may legislate and adopt legally binding acts in that area. However, the Member States shall exercise their competence only to the extent that the Union has not exercised its competence. Timmermans calls this ‘diplomatic drafting’. The Treaty aims to state that Member States shall not exercise their power to the extent the Union has exercised its competence.23 Legislative instruments of the Union, once adopted and entered into force, have a blocking effect on the competences of the Member States. This goes quite far. Member States no longer have competence to legislate, even if they do it in a way that is not in conflict with the instrument of EU law, but only complements this instrument.24 Article 2(2) TFEU is a rule of competence, not of conflict. The Member States’ competences revive where EU instruments no longer exist.25

20 Articles 3, 4 and 6 TFEU.

21 Koen Lenaerts and Piet van Nuffel, European Union Law, Third edition, Sweet & Maxwell, 2010, at 113, 124–130; Christiaan Timmermans: ECJ doctrines on Competences, in: Loïc Azoulai (ed.), The Question of Competence in the European Union, Oxford University Press, 2014.

22 See European Council, Presidency conclusions – Laeken, 14 and 15 December 2001, incl. Annex I Laeken Declaration on the future of the European Union, at 21–22. The Laeken declaration gave impetus to the inclusion of the catalogues of competences.

23 Christiaan Timmermans: ECJ doctrines on Competences, in: The Question of Competence in the European Union, edited by Loïc Azoulai, Oxford University Press, 2014.

Protocol (No 25) on the exercise of shared competence further specifies that “when the Union has taken action in a certain area, the scope of this exercise of competence only covers those elements governed by the Union act in question and therefore does not cover the whole area”. In short, under Article 16 TFEU Member States remain competent on elements where the Union has not exercised its competence.26 The difficulty of Article 2(2) TFEU and Protocol (No 25) is the interpretation of the remaining autonomy of the Member States, in areas where the European Union has exercised its competence. It is not always clear which elements are covered by an EU instrument and consequently where there is no more room for Member States’ action. This is a relevant issue in relation to Article 16 TFEU and the exercise of powers on the basis of this article. The competence of the Member States on data protection is limited to elements not covered by the Union acts, currently Directive 95/46 on data protection and other EU instruments on data protection.27 The Member States’ room for manoeuvre is reduced, as the ruling of the European Court of Justice in ASNEF and FECEMD28 illustrates. The Court denied that the Member States retained competence to specify a provision of Directive 95/46. This room for manoeuvre will be further reduced when the General Data Protection Regulation becomes applicable, on 25 May 2018.29

To be complete, the European Union possibly has an exclusive competence to conclude international agreements on data protection, under Article 3(2) TFEU. The Union has exclusive competence in a number of situations, for instance where this “is necessary to enable the Union to exercise its internal competence, or insofar as its conclusion may affect common rules or alter their scope.”30

24 Christiaan Timmermans: ECJ doctrines on Competences, in: The Question of Competence in the European Union, edited by Loïc Azoulai, Oxford University Press, 2014, at 159.

25 These instruments can be limited in time or repealed by the legislator. Member States’ competence also revives where an EU instrument is annulled by the CJEU, as was the case with Directive 2006/24 (data retention) in Joined cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger (C-594/12), EU:C:2014:238.

26 Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell, 2010, at 125.

27 This issue must not be confused with powers given to Member States in an EU act to adopt additional rules. See on this: European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection reform package, at II.2.a, on the relation between EU law and national law.

28 Joined cases C-468/10 and C-469/10, ASNEF and FECEMD, EU:C:2011:777, relating to Article 7(f) of Directive 95/46.

29 Article 99(2) GDPR.

30 Article 3(2) TFEU reads as follows: “The Union shall also have exclusive competence for the conclusion of an international agreement when its conclusion is provided for in a legislative act of the Union or is necessary to enable the Union to exercise its internal competence, or in so far as its conclusion may affect common rules or alter their scope.” See further Chap. 9.

4.3.3 An Outline of the Three Tasks of the EU Under Article 16 TFEU

The task of ensuring – under Article 16(1) TFEU – that everyone’s right to data protection is respected is not necessarily a competence of the Union. The Member States are important actors, if only because most data processing takes place within the national jurisdiction, either by authorities of the Member States or by the private sector. However, EU law determines the result – the guarantee that everyone’s right is effectively protected – and the Court of Justice of the European Union is the institution ultimately supervising the acts of the Member States. To be complete, where the processing of personal data takes place within the remit of the EU institutions and bodies, they must guarantee effective protection, without involvement of the Member States.31

The task of the EU legislator – under Article 16(2) TFEU, first sentence – is necessarily a competence of the Union. The EU legislator must lay down the rules relating to the protection of individuals with regard to the processing of personal data, in full compliance with the Charter. This formula is unconditional: the European Parliament and the Council shall lay down the32 rules. This, in principle, does not leave room for national law in this area.33

The present rules – predating the Lisbon Treaty – do not cover the whole area of EU competence and do not fully comply with Article 16 TFEU.34 One shortcoming is the limited scope of application of Council Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, which leaves data protection in the police and judicial sector in domestic situations to national law.35 Article 1(2) of this framework decision excludes personal data that have not been transmitted or made available between Member States. In short, in cases where only police or judicial authorities of one Member State are involved the Framework Decision does not apply.

31 Mainly subject to Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8/1.

32 Italics added by author.

33 In principle. As explained in Chap. 6 certain elements of data protection should be left to the Member States.

34 Further reading: H. Hijmans and A. Scirocco, “Shortcomings in EU data protection in the Third and the Second Pillars. Can the Lisbon Treaty be expected to help?”, CMLR, 46, pp. 1485–1525, 2009.

35 Article 1(2) of Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ L 350/60.

The new EU instruments on data protection,36 which will replace the present EU rules on data protection such as Directive 95/46,37 must ensure that the EU legislator fulfils its obligation under Article 16(2) TFEU. As a consequence of the fulfilment of this obligation of the Union, the Member States are no longer competent to lay down rules on data protection, notwithstanding the fact that the EU legislator may – explicitly or implicitly – delegate tasks to the Member States.38

The task of ensuring – under Article 16(2) TFEU, second sentence – that compliance with these rules shall be subject to control by independent authorities is primarily a task of the EU legislator. As part of the rules on data protection, the EU legislator must lay down the conditions for control by these authorities. Article 28 of Directive 95/46 on data protection contains such conditions.39 This is the consequence of qualifying control by the authorities as “an essential component of the protection”, as confirmed in the case law of the European Court of Justice.40 Presently, these authorities are mostly public authorities of the Member States. Article 16 TFEU seems to recognise this reality, since it mentions the authorities in plural, in contrast to Article 8 Charter.

In short, Article 16(2) TFEU, second sentence, provides for a system of effectively shared competence, where the main tasks of the authorities are defined by the EU legislator, but their organisation remains a national competence, at least to the extent that this competence is not limited by a provision of EU law.41 EU law determines the result. The case law of the Court in three infringement cases on the independence of data protection authorities in Germany, Austria and Hungary confirms this role of EU law.42

Summing up, data protection has become a concern of the European Union, although the implementation is shared with the Member States. The Member States have competence to ensure that the right to data protection – a right under EU law – is respected, but it is the EU legislator that adopts the legislation in this area. The control by independent authorities is effectively a shared competence, with the understanding that EU law determines that there shall be control.

36 The GDPR and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119/89.

37 The present rules predate the Lisbon Treaty and have different legal bases. Since they do not cover the whole area of EU competence, it is argued that present law does not fully comply with Article 16 TFEU (see also Chap. 6, Sect. 6.2 of this book).

38 Chapter 6 of this book will explain this further.

39 Chapter VI of the GDPR contains more precise conditions, leaving significantly less room for manoeuvre for the Member States.

40 Recital (62) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, as most recently confirmed in Case C-362/14, Schrems, EU:C:2015:650, at 42. See Chap. 7, Sects. 7.1 and 7.2.

41 See, mainly, Chaps. 7 and 8 of this book.

42 Cases C-518/07, Commission v Germany, EU:C:2010:125, C-614/10, Commission v Austria, EU:C:2012:631 and C-288/12, Commission v Hungary, EU:C:2014:237. See Chap. 7, Sect. 7.9 of this book.



4.4 The Exercise of the Mandate Under Article 16 TFEU Should Comply with the Principles of Subsidiarity and Proportionality

Where powers are conferred on the European Union, as is the case in Article 16 TFEU for data protection, EU action must respect the principles of subsidiarity and proportionality. These principles are used as instruments for demarcating the competences of the Union and the Member States and also as instruments to impose restraints on the legislative activity of the Union. In practice, these principles mainly serve to restrain the Union.43 As Craig and de Búrca state, they reflect the “shift away from hierarchical governance, and away from the dominance of top-down EU action”.44



4.4.1 Testing EU Data Protection Action on Subsidiarity and Proportionality

The test of subsidiarity under Article 5(3) TEU45 entails two main elements. The first element is that the European Union can only act if the objectives of an action cannot be sufficiently achieved by the Member States.46 Subsidiarity expresses a preference for a national or decentralised approach. To ensure that this preference is taken seriously, EU law foresees a close involvement of national parliaments in the legislative procedure of the Union.47 The second element expresses the need for efficiency and effectiveness.48 Implementation of this second element takes place through obligations for the European Commission to consult widely before an act is proposed and by specific requirements as to the justification of proposals.

43 E.g., the Annual Report of the Commission 2013 on subsidiarity and proportionality (COM(2014), 506 final), presented in the context of the Smart Regulation exercise. See in the same sense, EU Law, Text, Cases and Material, Fifth Edition, Paul Craig and Grainne de Búrca, 2011, at 168–169.

44 EU Law, Text, Cases and Material, Fifth Edition, Paul Craig and Grainne de Búrca, 2011, at 169.

45 This reads: “Under the principle of subsidiarity, in areas which do not fall within its exclusive competence, the Union shall act only if and in so far as the objectives of the proposed action cannot be sufficiently achieved by the Member States, either at central level or at regional and local level, but can rather, by reason of the scale or effects of the proposed action, be better achieved at Union level”.

46 “It must be considered whether the objective of the proposed action could be better achieved at EU level”, Case C-508/13, Estonia v European Parliament and Council, EU:C:2015:403, at 45.

47 Protocol (No 2) on the Application of the Principles of Subsidiarity and Proportionality, annexed to the Lisbon Treaty, in particular Articles 6 and 7, which include the ‘yellow card’ procedure.

The Commission justifies its proposal for a General Data Protection Regulation in light of subsidiarity by emphasising that “personal data are transferred across national boundaries, both internal and external borders, at rapidly increasing rates”.49 In relation to the mandate of the EU legislator under Article 16(2) TFEU, this book argues that efficient and effective privacy and data protection on the internet cannot be sufficiently achieved by the Member States. This is a subject matter that, in general, can be better regulated at Union level, if only because of the inherent cross-border effects of the action, both within and outside the EU territory, in compliance with the second element of the principle of subsidiarity.

This argument does not necessarily mean that all legislation on data protection should be adopted at EU level, also considering the preference for constraint of EU action as mentioned above. In the legislative procedure on the proposed General Data Protection Regulation the Council discussed whether processing activities by the public sector should not better be regulated on the national level and, therefore, better not be incorporated in an EU Regulation.50 This is a valid discussion, in particular because the objective of creating a level playing field on the internet in the context of the digital single market does not directly apply to the public sector.

This book takes the view that there are convincing arguments not to exclude the public sector from the General Data Protection Regulation. For the individual who is entitled to protection it should not make a difference whether his or her data are processed by the private sector or by the public sector. Moreover, the boundary between the public and the private sectors is not always clear and differs in each Member State.

The outcome of the discussion in the Council was a proposal to include a provision in the General Data Protection Regulation allowing Member States to maintain or introduce more specific provisions, for instance “with regard to the processing of personal data for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.51



48 See Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell, 2010, at 7–028.

49 Paragraph in the Explanatory Memorandum on subsidiarity of the Commission Proposal for a General Data Protection Regulation (COM (2012) 11 final). The Commission combines the need for protection under Article 8 Charter with the increase of cross-border data transfers.

50 See Peter Blume, “The Public Sector and the Forthcoming EU Data Protection Regulation”, European Data Protection Law Review, 1, pp. 32–38, 2015.

51 Article 2a of Preparation of a general approach, Note from Presidency to Council, 11 June 2015, 9565/15. The input of the Council finally resulted in Article 6(2) GDPR, leaving some leeway for the Member States.


