Tải bản đầy đủ - 0 (trang)
2 A General Design of the Legislator’s Contribution: What Needs to Be Done?

2 A General Design of the Legislator’s Contribution: What Needs to Be Done?

Tải bản đầy đủ - 0trang

6.2  A General Design of the Legislator’s Contribution: What Needs to Be Done?



265



upon its ambitions. Article 16 applies to all processing activities taking place within

the scope of EU law, with one exception: specific rules will be adopted by the

Council for the Common Foreign and Security Policy, under Article 39 TEU.1



6.2.1  T

 he Scope of the Mandate: Article 16(2) TFEU Contains

a Duty to Adopt EU Legislation

The mandate under Article 16 TFEU extends to the rules relating to data protection,

with regard to the processing of personal data by the EU institutions and bodies, the

authorities of the Member States and the private sector.

The first sentence of Article 16(2) TFEU gives the EU legislator a tool to actively

ensure privacy and data protection. The question arises whether this tool imposes on

the EU legislator an obligation to act. In general, the power of EU institutions to

adopt legislative acts is not considered to be a duty, but there are exceptions.2 The

issue is whether Article 16(2) TFEU can be considered as such an exception and

whether this legal basis obliges the European Union to legislate in this area.3 These

may seem to be purely academic questions given that EU data protection law already

exists, with Directive 95/46 as the main instrument, and given the pending reform of

the legislative framework.4 However, Directive 95/46 only covers the former first

pillar of the EU Treaty and in the former third pillar the EU rules are incomplete.5

Although the data protection reform remedies the incomplete nature of EU law in

this specific area, there is no guarantee that the reform of the EU framework for data

protection – once fully adopted – will cover all areas where personal data are processed and will ensure the control by independent authorities in all these areas.



1



 The final sentence of Article 16 TFEU reads: “The rules adopted on the basis of this Article shall

be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union”.

“Article 39 does not play a significant role in practice and is not specifically addressed in this

book”. See also Chap. 4, Sect. 4.2.

2

 Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell,

2010, at 16-006.

3

 Further read: H. Hijmans and A. Scirocco, Shortcomings in EU data protection in the Third and

the Second Pillars. Can the Lisbon Treaty be expected to help?, CMLR 46 (2009), 1485–1525.

4

 Which in any event should lead in 2018 to the application of the General Data Protection

Regulation and a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or

prosecution of criminal offences or the execution of criminal penalties, and the free movement of

such data.

5

 The former third pillar covers police and judicial cooperation in criminal matters. As explained in

Chap. 4, Sect. 4.3, there are no general EU rules applicable to purely national situations; Article

1(2) of Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of

personal data processed in the framework of police and judicial cooperation in criminal matters,

OJ L 350/60. This will be remedied by Directive (EU) 2016/680 of the European Parliament and

of the Council of 27 April 2016 on the protection of natural persons with regard to the processing

of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free

movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119/89.



266



6  Understanding the Scope and Limits of the EU Legislator’s Contribution…



Moreover, in view of the perceived loss of control in the information society,

legislation is indispensable to ensure the individual has a right which has meaning

in practice. Under the principle of subsidiarity this must be EU legislation, in view

of the scale of the problem, but in accordance with that same principle of subsidiarity the Member States have an important role to play within the pluralist legal context of the European Union.6 Furthermore, in exercising its legislative mandate, the

Union must ensure that the rules are effective.7 The legislator must take conditions

of quality of legislation into consideration, to ensure that the protection is indeed

effective.

Article 16(2) TFEU states that the European Parliament and the Council, acting

in accordance with the ordinary legislative procedure, shall lay down the rules on

data protection. This provision is precisely formulated, its scope is wide and, in

principle, not subject to conditions.

This formula also means that the material scope of the rules must include all

personal data and that any exception to the material scope cannot be laid down in

secondary EU law. An illustration of this situation is provided by amendments proposed by the European Parliament in the legislative procedure of the General Data

Protection Regulation, aiming at excluding ‘pseudonomysed data’ from the scope of

protection. However, pseudonomysed data by definition relate to an individual and

cannot be taken out of the scope of protection, since they are personal data.8 As

Barak explains,9 in the theory on fundamental rights a distinction is made between

the boundaries of a fundamental right (“scope” or “Normbereich”) and the extent of

protection. The limitations imposed by legislation can only affect the protection

given by a fundamental right, not its scope. This is relevant for this book because,

under this theory, EU law does not allow the legislator to limit the scope of the data

protection under Article 8 Charter.10

The European Union shall lay down the rules. In itself, this formula does not give

sufficient grounds to qualify the assignment of Article 16(2) TFEU as an obligation.

Other provisions in the Treaties are formulated in a similar manner, providing that

the European Parliament and the Council shall lay down the rules. An example is

the legal basis for the internal market in Article 114 TFEU.

However, not only is the wording of Article 16(2) TFEU precise, but legislation

is also needed to give practical meaning to the right to data protection. These two

arguments substantiate the view that Article 16(2) TFEU does indeed impose an

obligation on the EU legislator. The classical case in this respect is European

Parliament v Council11 of 1985, on the European transport policy. In this case, the

6



 See Chap. 4, Sect. 4.4 of this book.

 As discussed in Chap. 4, Sect. 4.15.

8

 European Data Protection Supervisor, Additional EDPS Comments of 15 March 2013 on the Data

Protection Reform Package. Further read on the notion of personal data: Article 29 Data Protection

Working Party, Opinion 4/2007 on “the concept of personal data”, WP 136.

9

 Aharon Barak, Proportionality; Constitutional Rights and their limitations, Cambridge University

Press, 2012, e.g. at 19–26.

10

 Possibly, the ‘household exception’ in Article 3(2) of Directive 95/46 could be seen as a limitation of the scope; see: Case C-212/13, Ryneš, EU:C:2014:2428, and the case note by H. Hijmans:

On Private Persons Monitoring the Public Space C-212/13, in EDPL, 2015/2.

11

 Case 13/83, Parliament v Council, EU:C:1985:220.

7



6.2  A General Design of the Legislator’s Contribution: What Needs to Be Done?



267



European Court of Justice accepted that there was an obligation to act by the legislator (at the time the Council, the European Parliament not yet having legislative

powers), because the obligation to act was sufficiently well-defined, taking into

account that the result to be achieved was determined by the EC Treaty. The EC

Treaty also included a time limit for the legislator.12 The obligation of the EU legislator to act under Article 16(2) TFEU could be established on the basis of this reasoning of the Court of Justice although, admittedly, a time limit is not included in

Article 16(2) TFEU.

The result to be achieved is determined by Article 16(1) TFEU: the right of

everyone to data protection would not be meaningful if there were no legislation

defining the main substance of the right and ensuring control by independent

authorities. To conclude, if Article 16(2) TFEU would indeed impose an obligation

on the EU legislator, non-compliance with this obligation could successfully be

challenged before the Court of Justice as a failure to act.

This book defends the view that Article 16(2) TFEU, first sentence, raises the

expectation that the rules adopted by the EU legislator cover the whole domain of

data protection, notwithstanding the fact that not all the rules in the area of data

protection should be laid down at EU level. The data protection reform – with the

General Data Protection Regulation as the centrepiece – should lead to the full

implementation of this duty of the EU legislator, also in areas where at present EU

rules are lacking.13



6.2.2  T

 he Mandate of the EU Legislator Has Two Remarkable

Features

The mandate of the EU legislator is neither unrestricted nor exhaustive. The legislator must take into account conditions set in other areas of EU law or, in other words,

other mandates of national legislators and the EU legislator. This is the logical

sequel of the interfaces between data protection and other fundamental rights and

public interests as recognised in the case law of the Court of Justice of the European

Union.14 Besides, data protection legislation itself serves different interests. It is not

solely adopted for the protection of the fundamental rights of individuals, but it also

has an economic component, which is to ensure the free flow of information. These

considerations restrict the discretion of the EU legislator in the exercise of its task.

A closer look at Article 16(2) TFEU, first sentence, reveals two incoherences in

the text. First, although the provision gives effect to a fundamental right under the

Charter, it is also formulated as covering the rules relating to the free movement of

such data. The added value of the reference to free movement is not evident. One



12



 In (the former) Article 75 of the EC Treaty.

 See also Chap. 4, Sect. 4.3.

14

 As explained in Chap. 5.

13



268



6  Understanding the Scope and Limits of the EU Legislator’s Contribution…



could argue that the reference to the free movement of data is mainly a remnant

from the past and in particular from one of the two objectives of Directive 95/46,

providing that “personal data should be able to flow freely from one Member State

to another”.15 The relevance of this objective is underlined by the Court of Justice,16

but seems less important after the entry into force of the Lisbon Treaty, now data

protection is recognised as fundamental right under EU law. In our view, the EU

legislator is not required to lay down a separate set of rules on the free flow of

information.

It is safe to say that the addition in the text of the free movement of personal data

does not change much, as far as the material scope of Article 16(2) TFEU, first sentence, is concerned. It does however have a meaning for the personal scope of this

provision. By common interpretation,17 Article 16(2) TFEU does not only apply to

activities of the EU institutions and the authorities of the Member States, but also to

activities of the private sector. This is most clearly evidenced by the fact that

Directive 95/46 applies equally to the public and the private sectors and that the

General Data Protection Regulation will apply to both sectors.

The second incoherence in the text of Article 16(2) TFEU is the limitation of the

mandate, as far as processing of personal data by the Member States is concerned.

The mandate only applies to the Member States when they carry out activities that

fall within the scope of Union law. This limitation is not supposed to have a self-­

standing meaning. As explained in Chap. 5,18 it follows from the wide formulation

of the right to data protection in Article 16(1) TFEU that all processing by Member

States falls by definition within the scope of EU law.



6.2.3  What About the Competence of the Member States?

As explained in Chap. 4, this is an area where the European Union shares competence with the Member States. Data protection is not mentioned in any of the

exhaustive lists on exclusive, respectively supporting, coordinating and complementing competences, included in Articles 3 and 6 TFEU. Although data protection

is equally not included in the open list of shared competences of Article 4 TFEU, it

is a shared competence, precisely because the latter list is open. Member States may

only act to the extent the Union has not exercised its competence.19

Although Article 16(2) TFEU is qualified as a shared competence, there is not

much autonomous room for the Member States to adopt legislation in this area, in

view of the scope and nature of the mandate of the EU legislator under Article 16(2)

15



 Recital (3) of the directive.

 Most recently in Case C-362/14, Schrems, EU:C:2015:650.

17

 This was not put into question during the legislative process on the GDPR.

18

 In Sect. 5.2.

19

 Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell,

2010, at 125.

16



6.2  A General Design of the Legislator’s Contribution: What Needs to Be Done?



269



TFEU, as explained above. Moreover, under the principle of subsidiarity, protection

can – normally – better be achieved by EU action than by the Member States acting

individually, in view of the scale and effects of the action.20 This is the particular

consequence of the fact that on the internet all acts, in principle, have a cross-border

effect. In short, the mandate of the EU legislature is a complete mandate, leaving

little autonomous room for the Member States, particularly after the entry into force

of the General Data Protection Regulation, which will take away most of the

Member States’ autonomy.

However, this is only part of the story. The Member States remain an essential

player in this area. Privacy and data protection as guaranteed by EU law have an

impact on core competences of Member States and, therefore, the Member States

also have a legitimate role to play, although often by delegation.

First, data protection is a sensitive subject area affecting the daily lives of the citizens. In the field of privacy and data protection, competences are attributed to the

EU level, but Member States retain a responsibility for protecting the fundamental

rights of their citizens.

Second, a role of the Member States also results from the effect of data protection law on core government tasks such as the protection of other fundamental rights

and ensuring the physical security of the citizens.

Third, Member States play a role, because of the European Union’s organisational structure – leaving implementation and enforcement to a large extent in the

hands of the Member States – and as a result of the limitation of EU power under

Article 4(2) TEU, particularly on national security.21

Fourth, the legislative framework on data protection under Article 16 TFEU

interferes with an even wider range of areas of public interest. All personal data

processing in the public sector (and the private sector as well) must be based on one

of the legitimate grounds mentioned in Article 7 of Directive 95/46. Hence, data

protection has a cross-cutting effect on all policy areas where personal data are processed. This means, virtually all areas of government intervention, also in policy

areas where the Union has no or limited competences.



6.2.4  A

 ll in All, the EU Legislator Operates in a Complex

Reality

The complex reality is evidenced by the developments in connection with the

General Data Protection Regulation. The European Union acts internally within a

pluralist legal context, with an important role for the Member States in accordance

with the principle of subsidiarity. On the one hand, as the Commission’s analysis of



20

21



 This is the wording of the principle of subsidiarity in Article 5(3) TEU.

 This was explained in Chap. 4.



270



6  Understanding the Scope and Limits of the EU Legislator’s Contribution…



subsidiarity illustrates,22 the General Data Protection Regulation is supposed to

strengthen the role of the Union in an area where a developed EU legal framework

already exists, namely in Directive 95/46 and other legal instruments. On the other

hand, there are multiple claims of Member States, with an impact on data protection

legislation under Article 16(2) TFEU, first sentence. The complex reality is illustrated by the difficult negotiations on the General Data Protection Regulation over

a period of several years.23



6.3  T

 he EU Legislator’s Institutional Role, Institutional

Balance and the Contributions of the European

Parliament, the Council and the Commission

Under the ordinary legislative procedure as defined in Article 294 TFEU, a legislative act is adopted jointly by the European Parliament and the Council on a proposal

from the Commission. This procedure has become the rule under EU law.24 The

involvement of these three institutions must ensure the legitimacy of the legislative

procedure and hence of EU action, with the caveat being that the legitimacy of the

European Union to act in the area of data protection is also influenced by the – presumed – democratic deficit of the Union.25 This section deals with the legislative

process, under the ordinary legislative procedure.

The main actors in the legislative procedure are the Council and the European

Parliament, as the two institutions endowed with legislative power, and the

Commission, which has the monopoly of legislative initiative. An analysis of the

roles generally taken on by the European Parliament, the Council and the European

Commission in the legislative process exceeds the scope of this book. Nevertheless,

this chapter includes remarks on the various roles in the legislative procedure, with

specific relevance for the tasks under Article 16 TFEU. The outcome of the ­legislative

process, bringing together the institutions’ different roles, has, by definition, the

features of a compromise.

The legislative procedure is made more legitimate and effective by including

other actors in the legislative process. These are representatives of the Member

States, the private sector, civil society and expert bodies.

Finally, the ordinary legislative procedure does not provide for any formal role

for the European Council, which is composed of the Member States’ heads of state

and government. Sometimes, however, European Council conclusions support the

legislative process. For example, conclusions of the European Council emphasised

22



 Commission Proposal for a General Data Protection Regulation, COM (2012), 11 final,

Explanatory Memorandum, at 3.2.

23

 See Chap. 10, Sect. 10.10 of this book.

24

 Koen Lenaerts and Piet van Nuffel, There are exceptions in the Treaties, not relevant here. See:

European Union Law, Third edition, Sweet & Maxwell 2010, at 16-004.

25

 See Chap. 4, Sects. 4.8, 4.9, 4.10 and 4.11.



6.3  The EU Legislator’s Institutional Role, Institutional Balance…



271



the need for the data protection reform and gave an impetus to the legislative process.26 This role of the European Council will not be discussed further.



6.3.1  T

 here Is One EU Legislator, But Composed of Three

Institutions

Under the ordinary legislative procedure, the legislative power lies with the

European Parliament and the Council. However, they cannot act of their own

motion, without an initiative of the Commission. The monopoly of legislative initiative is established in Article 17(2) TEU. Both the European Parliament and the

Council may request the Commission to submit proposals. If the Commission does

not give effect to such a request, it must motivate its decision.27

Despite the different responsibilities of the three institutions, the emphasis in

practice is on compromise and dialogue,28 as illustrated by the important role of the

trilogues – not provided for in the Treaties – in the decision-making process.29 This

justifies speaking about one legislator, whilst at the same time recognising that, in

the words of Craig: “The EU institutions have always been ‘singular’.”30 The input

of the three institutions, respecting the institutional balance, gives democratic legitimacy to the EU legislator’s mandate, with the nuances relating to the Union’s democratic legitimacy explained in Chap. 4.

However, the institutions each play their own role within the EU system, based

on an institutional balance. The positions the institutions take on data protection and

their input in the negotiations on the data protection reform also reflect institutional

concerns. An example is the legislative resolution of the European Parliament of 11

February 2010.31 In this resolution, the European Parliament withholds its consent

to the conclusion of an agreement between the European Union and the United

States on the Terrorist Finance Tracking Program. This legislative resolution was

based on considerations of privacy and data protection, but was also a demonstra26



 E.g., the Conclusions of the European Council of 24–25 October 2013, available on: www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/ec/139197.pdf

27

 This is laid down in Article 225 TFEU (European Parliament) and Article 241 TFEU (Council),

which also includes the request for a study.

28

 Paul Craig and Grainne de Búrca, EU Law, Text, Cases and Material (Fifth Edition), Oxford

University Press, 2011, at 127–129.

29

 Raya Kardasheva, Trilogues in the EU legislature, King’s College London, Department of

European and International Studies, Research Paper, 30 April 2012.

30

 Paul Craig in: Paul Craig and Grainne de Búrca (eds), The evolution of EU Law (Second

Edition), Oxford University Press, 2011, at 41.

31

 European Parliament legislative resolution of 11 February 2010 on the proposal for a Council

decision on the conclusion of the Agreement between the European Union and the United States

of America on the processing and transfer of Financial Messaging Data from the European Union

to the United States for purposes of the Terrorist Finance Tracking Program (05305/1/2010 REV

1 – C7-0004/2010 – 2009/0190(NLE)).



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

2 A General Design of the Legislator’s Contribution: What Needs to Be Done?

Tải bản đầy đủ ngay(0 tr)

×