Tải bản đầy đủ - 0 (trang)
15 The Meaning of the Three Strategies for the CJEU: Google Spain as an Illustration of the Unilateral Strategy Under Article 16 TFEU

15 The Meaning of the Three Strategies for the CJEU: Google Spain as an Illustration of the Unilateral Strategy Under Article 16 TFEU

Tải bản đầy đủ - 0trang

494



9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…



of Justice understands as a level of protection that is essentially equivalent to the

level guaranteed within the Union.258

The ruling of the Court of Justice in Google Spain and Google Inc.259 is the second example of how the unilateral strategy is integrated in the case law of the Court

of Justice. This ruling is the focus of this section, also because at time of writing the

consequences of Schrems were still unclear.

In its ruling, the Court confirmed the wide external effect of European data protection law on the internet. It referred to the objective of ensuring effective and

complete protection of fundamental rights and, in connection with this objective, to

the particularly broad territorial scope of Directive 95/46.260 The Court declared

expressis verbis that it “cannot be accepted that the processing of personal data carried out for the purposes of the operation of the search engine should escape the

obligations and guarantees laid down by Directive 95/46”.261

Hence, for the Court of Justice effectiveness of the protection of Europeans is the

main reason to unilaterally accord a wide external effect of EU law in this area. This

is in line with the claim in the Treaty on European Union that fundamental rights are

universal.262

However, the Court did not address the impact of its ruling on competing jurisdictions on the internet. This problem provoked a debate on the jurisdictional

aspects of the Court’s ruling, revealing a number of sensitivities incited by the wide

territorial scope of EU law on the internet, as interpreted by the Court of Justice.263

In this context, Kuner refers to the growing insularity of EU law.264 These sensitivities come from two seemingly opposite perspectives. On the one hand, there is the

viewpoint that the application of EU law would potentially cover the entire internet,

and thus directly interfere in other jurisdictions. On the other hand, it is argued that

the effect of the ruling could be a fragmented internet, which would prejudice the

benefits of the internet as a global network.265

The implementation of the ruling by Google aims to address these two viewpoints, by deleting the links to individuals266 only from its European-directed search



258



 At 73 of the ruling.

 Case C-131/12, Google Spain and Google Inc., EU:C:2014:317

260

 At 53–54 of the ruling.

261

 At 58 of the ruling

262

 As expressed in the preamble and in Article 21 of the TEU.

263

 The sensitivities around the balance between privacy and data protection and freedom of expression are not addressed – not relating to jurisdiction – are addressed in Chap. 5.

264

 Christopher Kuner, The European Union and the Search for an International Data Protection

Framework, Groningen Journal of International Law, volume 2 number 2, pp. 55–71, 2014, at

III.4.

265

 Further read on the consequences of the ruling, Christopher Kuner, The European Union and the

Search for an International Data Protection Framework, Groningen Journal of International Law,

volume 2 number 2, pp. 55–71, 2014, at III.4.

266

 See on this Chap. 5, Sects. 5.12 and 5.13 of this book.

259



9.15 The Meaning of the Three Strategies for the CJEU: Google Spain…



495



services (the domains relating to the EU Member States) and not from the generic

domain ‘google.com’. This approach would not only ensure that the effect of the

Court’s ruling would not be felt outside the territory of the European Union, but also

that the generic domain of the internet would not be fragmented between

­jurisdictions.267 The argument against this approach is obvious: it would make it

easy to circumvent the effectiveness of the ruling within the Union itself. This is

why the Article 29 Working Party states that the de-listing must also be effective on

Google.com,268 a viewpoint that is not shared by the Advisory Council to Google on

the Right to be Forgotten. This resulted in an enforcement action by the French data

protection authority, the CNIL, against Google.269

The Advisory Council observes in this context that there may be “a competing

interest on the part of users outside of Europe to access information via a name-­

based search in accordance with the laws of their country”.270 This observation challenges the result of the ruling that an EU court can limit the access to search results

by a national of a third country whereas under his or her national law the access

would be legal and possibly even a constitutional right. The question is whether this

is problematic. The answer to this question is in our view negative. Effective data

protection for Europeans necessarily may mean a limitation of access by individuals

in third countries, resulting from a need to avoid circumvention of the effective right

to data protection.271 Since Google Spain and Google Inc. only applies to personal

data of Europeans, it is submitted that this judgement does not substantially affect

fundamental rights of individuals to receive information, in third countries.

The observation shows that applying a unilateral strategy by the Court of Justice

requires that there must be a meaningful link with the European Union, and a link is

indeed required by the Court. In Google Spain and Google Inc.272 extraterritorial

application of EU law was based on the need for protection of individuals within the

267



 As a personal observation, this was discussed during a hearing organised by the Advisory

Council to Google on the Right to be Forgotten, in Brussels on 4 November 2014. Whereas I

insisted in a more effective implementation of the delisting required by the ruling, including

Google.com, the reply by Google’s chief legal officer was that including google.com on a regional

basis could also trigger requests from other – non-democratic – jurisdictions for deleting information from google.com when approached from within such jurisdictions, and could hence lead to

censorship. See: The Advisory Council to Google on the Right to be Forgotten, Final Report, 6

February 2015, at 5.4.

268

 Article 29 Working Party, Guidelines on the implementation of the Court of Justice of the

European Union judgment on “Google Spain and Inc. v Agencia Espola de Protección de Datos

(AEPD) and Mario Costeja González” - WP 225, Executive summary.

269

 See Chap. 7, Sect. 7.11 of this book

270

 The Advisory Council to Google on the Right to be Forgotten, Final Report, 6 February 2015,

at 5.4.

271

 The circumstances in Google Spain are more nuanced, and does not address the technical possibility to prevent internet users in Europe from accessing search results that have been delisted

under European law (Advisory Council to Google on the Right to be Forgotten, Final Report, 6

February 2015, at 5.4).

272

 Case C-131/12, Google Spain and Google Inc., EU:C:2014:317



496



9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…



scope of the Charter. Moreover, in Lindqvist273 the Court ruled that the entire ­internet

cannot be made subject to EU data protection law. However, the case law is not (yet)

clear about the precise nature of this link.



9.15.1  H

 ow Would the CJEU Deal with Bilateral

and Multilateral Strategies?

The ruling in Schrems274 on the Safe Harbour Agreement between the EU and the

US275 has been the first opportunity for the Court of Justice to rule on the compatibility of agreements of the European Union with third countries and international

organisations on privacy and data protection with EU law. The Court annulled the

Safe Harbour Agreement. The second opportunity will be the opinion on the compatibility with the Treaties of the Agreement between Canada and the European

Union on the transfer and processing of passenger name record data, as requested

by the European Parliament.276

In view of these two cases, it is to be expected that the Court will provide more

clarity on the essential requirements for bilateral and multilateral agreements that

affect the protection of individuals within the European Union, building on its first

assessment in Schrems. These requirements could be based on the presumption that

effective protection is also needed outside the EU territory, but that it may probably

not be fully similar to the protection offered within the EU territory, because

enforcement is more complicated and because account has to be taken of diverging

legal systems outside the EU territory and their legitimate claims of jurisdiction.

The notion of adequacy of the level of protection of data transfers under Article 25

of Directive 95/46 could serve as an inspiration. In Schrems, the Court explained

adequacy as meaning essential equivalence.

Possibly, Article 52(1) Charter and, in particular, the obligation to respect the

essence of rights and freedoms would be a good benchmark in the external context

and could set a relevant minimum standard. Article 52(1) Charter could also provide

an indication of the conditions that would allow for mutual recognition (or: interoperability) of systems. We also recall the general case law of the Court of Justice on

the protection on fundamental rights, particularly Kadi and Al Barakaat, which

 Case C-101/01, Lindqvist, EU:C:2003:596, at 69, as interpreted by Christopher Kuner, The

European Union and the Search for an International Data Protection Framework, Groningen

Journal of International Law, volume 2 number 2, pp. 55–71, 2014. Kuner also argues that Google

Spain and Google Inc. undermines Lindqvist.

274

 Case C-362/14, Schrems, EU:C:2015:650.

275

 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the

European Parliament and of the Council on the adequacy of the protection provided by the safe

harbour privacy principles and related frequently asked questions issued by the US Department of

Commerce, OJ L 215/7.

276

 Opinion 1/15 on Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data (pending).

273



9.16 The Meaning of the Three Strategies for the EU Legislator: Giving Wide…



497



specified that the obligations imposed by an international agreement cannot have

the effect of prejudicing the constitutional principles of the EC Treaty and in

­particular the fundamental rights.277 Finally, the enforceability of the rights to data

protection of individuals in the European Union is a consideration. In Digital Rights

Ireland and Seitlinger278 the Court emphasised the control, required explicitly by

Article 8(3) Charter, by an independent DPA, as an essential element of data protection that could be prejudiced where personal data are not retained within the

European Union.



9.16  T

 he Meaning of the Three Strategies for the EU

Legislator: Giving Wide External Effect

with the Unilateral Strategy as a Composing Element

9.16.1  T

 he EU Legislator Gives Wide External Effect:

The Unilateral Strategy Plays a Key Role

The unilateral strategy in the external domain plays a key role in Directive 95/46 on

data protection. The EU legislator did not rely on the general rules on jurisdiction,

but provided for a specific jurisdictional regime, which is not common in data protection law in third countries.279 The directive acknowledges the need for a wide

jurisdiction in its Article 4(1)(c), based on the notion that an individual must also be

protected when the processing of data is carried out by a person established in a

third country.280 This is what the Court of Justice identified as a “particularly broad

territorial scope”.281 The perspective adopted by the legislator was the use of equipment, automated or otherwise, situated on EU territory. This led to a lively practice,

in which the Article 29 Working Party, for instance, advised that the installation of

cookies on computers of users in the European Union would trigger the applicability of the directive.282

The General Data Protection Regulation widens the applicability further to the

processing activities “related to (a) the offering of goods or services to such data

subjects in the Union; or (b) the monitoring of their behaviour”.283

 Joined cases C-402/05P and 415/05P, Kadi and Al Barakaat, EU:C:2008:461, at 282–285 discussed in Chap. 2, Sect. 2.5 of this book.

278

 Joined cases Joined cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and

Seitlinger (C-594/12), EU:C:2014:238, at 68.

279

 Dan Jerker B. Svantesson, Extraterritoriality in Data Privacy Law, Ex Tuto Publishing, 2013, at

89.

280

 Recital (20) of Directive 95/46.

281

 Case C-131/12, Google Spain and Google Inc., EU:C:2014:317, at 54.

282

 Article 29 Data Protection Working Party, Opinion 8/2010 on applicable law, WP 179, at 21–22.

283

 Article 3(2) GDPR. This provision is criticised by Dan Jerker B Svantesson, Extraterritoriality

and targeting in EU data privacy law: the weak spot undermining the regulation, International Data

Privacy Law, 5 (4), 2015.

277



498



9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…



This wide external effect is not only given to provisions laying down a wide territorial scope of EU data protection law,284 but also to the provisions on transfers of

personal data to third countries and international organisations.285 The requirement

of adequacy of the level of protection afforded by a third country as the main ground

for allowing transfer is a perfect example of how internal EU law can have wide

external effect.



9.16.2  T

 he Regime of Data Transfers: A Typical Example

of a Unilateral Strategy

The adequacy regime for data transfers under Article 25 of Directive 95/46 on data

protection is a typical example of the unilateral approach. The European Union

accepts the transfer of data to third countries who adhere to the European standards,

although some leeway is given to these third countries. Their level of protection

must not be the same as that of the Union itself. An adequate level is sufficient.286 In

a guidance paper of 1998, the Article 29 Working Party understands this as encompassing a core of data protection principles and effective means for their application287 that does not necessarily have to be equal to the level of the European Union

and does not require that the country of destination has established an independent

data protection authority.288 Arguably, this last point is outdated since the Treaties

now confirm independent control as a core element of data protection, in Article

16(2) TFEU an Article 8(3) Charter. In Digital Rights Ireland and Seitlinger289 the

Court of Justice emphasised the need for effective control. More in general, the

leeway for third countries seems to be restricted in Schrems,290 to the extent the

Court explained adequacy as essential equivalence.

In any event, the European Union unilaterally decides the level of protection that

is required for a transfer of data. Article 26 of Directive 95/46 contains derogations,

284



 In particular in Article 4(1)(c) of Directive 95/46 and in Article 3(2) GDPR

 In particular in Chapter IV of Directive 95/46 and in Chapter V GDPR.The requirement of

adequacy is laid down in Article 25 of the Directive and Article 46 GDPR.

286

 Article 12(3)(a) of Convention for the Protection of Individuals with regard to Automatic

Processing of Personal Data, ETS No. 108 requires an equivalent level.

287

 Article 29 Data Protection Working Party, Working Document, Transfers of personal data to

third countries : Applying Articles 25 and 26 of the EU data protection directive, Adopted by the

Working Party on 24 July 1998, WP 12, at 5.

288

 Article 29 Data Protection Working Party, Working Document, Transfers of personal data to

third countries : Applying Articles 25 and 26 of the EU data protection directive, Adopted by the

Working Party on 24 July 1998, WP 12, at 7.

289

 Joined cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger

(C-594/12), EU:C:2014:238, at 68.

290

 Case C-362/14, Schrems, EU:C:2015:650.

285



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

15 The Meaning of the Three Strategies for the CJEU: Google Spain as an Illustration of the Unilateral Strategy Under Article 16 TFEU

Tải bản đầy đủ ngay(0 tr)

×