Tải bản đầy đủ - 0trang
8 Security: An Area Where the EU and the Member States Have Significant Competence
6 Understanding the Scope and Limits of the EU Legislator’s Contribution…
ment) and Article 62 (relating to the free movement of services). In the case law of
the European Court of Justice, public security extends to both internal and external
security.124 Equally, EU directives for the harmonisation of the internal market contain provisions on possible derogations by Member States from the harmonisation
pursued by the directives for reasons of public security. Examples are Article 3(4)
of Directive 2000/31 on electronic commerce,125 which also mentions national security and defence, and Article 16(3) of Directive 2006/123 on services in the internal
market.126 In the area of data protection, Article 13 of Directive 95/46 contains wide
possibilities for Member States to restrict the scope of the obligations and rights laid
down in the directive, mainly for reasons of public security. The text of Article 13
additionally refers to national security, defence and the combat of crime.127
Whereas safeguarding public security was at first left to the Member States and
not considered to be a task of the European Union, this changed with the inclusion
in 1992 by the Maastricht Treaty, of an area of freedom, security and justice in the
Treaties. This area is established for the purpose of ensuring the safety and security
of the peoples,128 originally as a flanking measure of the free movement of p ersons.129
However, this limited rationale was gradually replaced by a wider assignment. As
the first multi-annual programme in the area of freedom, security and justice
(Tampere, 1999) specified: “People have the right to expect the Union to address the
threat to their freedom and legal rights posed by serious crime.”130
The Lisbon Treaty made a further step towards developing an area of freedom,
security and justice as one of the Union’s main building blocks. The pillar structure
of the European Union disappeared and the area has now been fully integrated into
the Treaty on the Functioning of the European Union and is no longer subject to
specific procedures.131 The area is meant to facilitate the free movement of persons,
while ensuring the safety and security of the peoples.132 In the TFEU, the task of
providing security is specified in Article 67(3): “The Union shall endeavour to
ensure a high level of security”.133
Case C-285/98, Kreil, EU:C:2000:2, at 17.
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain
legal aspects of information society services, in particular electronic commerce, in the Internal
Market (‘Directive on electronic commerce’), OJ L 178/1.
Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on
services in the internal market, OJ L/376/36.
And a number of other grounds, not relevant in this context.
See recitals of the TEU.
Further read: Paul Craig and Grainne de Burca, EU Law, Text, Cases and Material (Fifth
Edition), Oxford University Press, 2011, pp. 926–931.
European Council, Presidency Conclusions – Tampere, 15–16 October 1999, The Tampere
Milestones, No. 6.
Despite the fact that there are significant exceptions to this rule.
As laid down in the preamble of the TEU.
Article 67(3) TFEU is included in Title V on the area of freedom, security and justice, and
encompasses, strictly speaking, the internal security of the EU. However, internal and external
6.8 Security: An Area Where the EU and the Member States Have Significant…
The task of providing security under EU law must not only respect the Charter of
Fundamental Rights of the European Union, but must also be exercised in respect of
national sovereignty. Providing security as a core task of the state means that in the
area of freedom, security and justice – an area of shared competence under Article
4 TFEU – only limited competences have been transferred to EU level, with the following nuance. First, Article 67(3) TFEU also refers to measures to prevent and
combat crime (and xenophobia and racism) which may be an indication of the competence being broader. Second, the qualification of the Union’s competences as
being either narrow or broad depends on the perspective that is adopted, for instance,
whether the EU competence on security is compared to the internal market competences or to the situation before the Lisbon Treaty entered into force. Not all authors
characterise the competences as narrow.134
The EU competences have a wide impact on data protection and they also interconnect with the competences of the Member States. The role of the European
Union focuses on the coordination and cooperation for reasons of security. This
includes the exchange of large amounts of personal data135 between police and
judicial authorities on the national and EU levels.136 This exchange of information,
including personal data, is a significant manifestation of coordination and cooperation between the Union and its Member States. This is well illustrated by the multi-
annual programmes in the area of freedom, security and justice. The Hague
programme of 2004137 aimed at improving the exchange of information under the
‘availability principle’, which was meant to govern law enforcement related data
exchange, whereas in the Stockholm programme of 2009138 the Information
Management Strategy for EU internal security was set out as one of the main
Beyond the internal EU instruments dealing with security and privacy much has
also been done to ensure protection of individuals in the European Union within the
international context, in particular where information was needed for the purpose of
security are closely connected. The wording “endeavour to ensure a high level of security” is also
included in Article 67(3) TFEU.
E.g., Mitsilegas talks about broad Treaty powers, in Reports of the FIDE-Congress Tallinn 2012,
Tartu University Press: Volume 3: The Area of Freedom, Security and Justice, Including
Information Society Issues, at 22.
See: Communication from the Commission to the European Parliament and the Council,
Overview of information management in the area of freedom, security and justice, COM(2010)
385 final. The area is extensively described by Franziska Boehm in Information Sharing and Data
Protection in the Area of Freedom, Security and Justice, Towards Harmonised Data Protection
Principles for Information Exchange at EU-level, Springer 2012.
For instance involving Europol and Eurojust.
Council, The Hague Programme: strengthening freedom, security and justice in the European
Union, OJ 2005, C 53/01, at 2.1. The ‘availability principle’ means that information available in
one Member State for police purposes should also be available for colleagues in another Member
European Council, The Stockholm Programme – An open and secure Europe serving and protecting citizens, OJ 2010, C 115, at 4.2.
6 Understanding the Scope and Limits of the EU Legislator’s Contribution…
security in the United States or in connection with security issues shared between
the EU and its Member States and the US.139 The agreements on passenger name
records (PNR) and on the Terrorist Finance Tracking Programme (TFTP) are the
most obvious examples. Both agreements aim at balancing security and privacy.140
ynergies with Public Interests Relating to the Internal
Market: The Economic Dimension of Privacy and Data
This section introduces synergies between the fundamental rights of privacy and
data protection, on the one hand, and one of the European Union’s objectives, establishing and ensuring the functioning of an internal market,141 on the other hand. The
relation between these fundamental rights and the interests of the internal market is
not by definition synergetic. Privacy is often perceived as having a negative impact
on economic innovation, or as conflicting with new technology. For example, the
PCAST Report, addressed to President Obama, puts the conflict between privacy
and new technology centre stage.142
The recognition under EU law of privacy and data protection as fundamental
rights, combined with the EU legislator’s mandate under Article 16(2) TFEU may
adversely affect innovation and competitiveness of industries. This is the logical
consequence of the role these fundamental rights play under EU law. Fundamental
rights must be respected and Article 52 Charter requires that limiting the exercise of
a fundamental right must be necessary and genuinely meet the objective of general
The Charter does not exclude a limitation of a fundamental right in the economic
interest. The Explanations to Article 52 Charter143 refer for instance to Article 3
TEU, which mentions economic growth and a highly competitive social market
economy as part of the internal market. However, allowing economic interests to
Not exclusively, also other third countries require data on EU citizens. Examples are the
Agreement between Canada and the European Union on the transfer and processing of Passenger
Name Records, signed on 25 June 2014, and the Agreement between the European Union and
Australia on the processing and transfer of European Union-sourced passenger name record (PNR)
data by air carriers to the Australian customs service, OJ L 186/4.
These agreements will be further discussed in Chap. 9, Sect. 9.13 of this book.
Wording taken from Article 26 TFEU. Pursuant to Article 3(3) TEU, the Union shall establish
an internal market.
Big Data and Privacy: A Technological Perspective. Executive Office of the President,
President’s Council of Advisors on Science and Technology (PCAST Report), May 2014.
The Explanations to Article 52 contain references to general interests, which should probably be
considered exhaustive; Peers and Prechal in: “The EU Charter of Fundamental Rights, A
Commentary,” Edited by Steve Peers, Tamara Hervey, Jeff Kenner and Angela Ward, Hart
Publishing, Oxford, 2014, at 1475.
6.9 Synergies with Public Interests Relating to the Internal Market: The Economic…
limit a fundamental right is criticised144 and under Article 8 ECHR the limitation is
restricted to the economic well-being of a country as a whole, which does not
include the interests of companies.145 Where economic growth and a highly competitive social market economy are invoked as ground for a limitation of the rights
to privacy and data protection the threshold is high, also as a result of Article 52(3)
Charter, which specifies that the meaning and scope of fundamental rights shall be
the same as those laid down by the European Convention on Human Rights. More
generally, it would be difficult to accept limitations to fundamental rights representing essential values in a democratic society for purely economic objectives.
6.9.1 Not Conflicting, But Interfacing and Creating Synergies
Another perspective for looking at the interface between privacy and data protection
on the one hand and the internal market on the other hand is the – strong – economic
dimension of privacy and data protection. Delivering privacy and data protection
may be in the economic interest of a company, for instance where the respect of high
privacy and data protection standards is considered a competitive advantage. The
concept of Privacy by Design,146 which enables combining strong privacy with technological innovation, illustrates this. Moreover, the right to data protection, as laid
down in Directive 95/46 also has an economic objective.147
Article 3(3) TEU entrusts the European Union – as part of its responsibility for
the internal market – with the task of promoting scientific and technological advance.
In its Europe 2020 Strategy, the Commission gave an outline of how it proposed to
“turn the EU into a smart, sustainable and inclusive economy delivering high levels
of employment, productivity and social cohesion.” One priority is smart growth, the
development of an economy based on knowledge and innovation, which includes a
true single market for online content and services.148 The Digital Agenda for
Europe149 is a concretisation of this strategy. In an economy based on knowledge
Paul Craig and Grainne de Búrca, EU Law, Text, Cases and Material (Fifth Edition), Oxford
University Press, 2011, at 397.
Bernadette Rainey, Elizabeth Wicks, Clare Ovey, Jacobs, White and Ovey, The European
Convention on Human Rights (Sixth Edition), Oxford 2014, at 318–319.
Included, under the heading of Data protection by design and by default, in Article 23 GDPR as
an obligation to implement the appropriate technological and organisational measures.
The free flow of information in recital (3) of the Directive. See also Chap. 4, Sect. 4.3.
Communication from the Commission, Europe 2020, A strategy for smart, sustainable and
inclusive growth, COM(2010) 2020, Executive summary. The priority to realise a digital single
market is specified by the European Council in October 2013, Conclusions of the European
Council 24–25 October 2013, available on: www.consilium.europa.eu/uedocs/cms_data/docs/
pressdata/en/ec/139197.pdf. The digital single market was planned to be completed in 2015 and be
targeted more towards developments in cloud computing, big data and open data.
Communication from the Commission to the European Parliament, the Council, the European
Economic and Social Committee and the Committee of the Regions, A Digital Agenda for Europe,
COM(2010) 245 final.