Tải bản đầy đủ - 0 (trang)
17 The Meaning of the Three Strategies for the DPAs and the Cooperation Between Them: Extending Cooperation to Authorities in Third Countries

17 The Meaning of the Three Strategies for the DPAs and the Cooperation Between Them: Extending Cooperation to Authorities in Third Countries

Tải bản đầy đủ - 0trang


9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…

difficulties of regaining control over the privacy settings of big internet companies

through enforcement by DPAs. These difficulties triggered this book.307

In its essence, the task of DPAs (and of cooperation mechanisms of DPAs) of

ensuring control is a unilateral task, ensuring that individuals are protected in accordance with European and national law applicable within their respective jurisdictions. As was explained in Chap. 8, the task of DPAs also involves contributing to

the protection of individuals all over the Union.308 The task also has extraterritorial

components outside the European Union, including the use of enforcement powers

in an external context.

This being said, the basis of the work of the DPAs in their policy activities and

their enforcement practice is defending the high European standards, not aiming at

finding compromises with lower standards of third countries. There is no evidence

that the practice is different.

9.17.2  T

 he Cooperation Between DPAs and Regulatory

Agencies in Third Countries as an Exponent

of the Bilateral and Multilateral Strategy

Fulfilment of the task of DPAs is not only a unilateral activity. Fulfilment of this task

also requires cooperation with authorities in third countries, including cooperation

with regulatory authorities in third countries, in order to ensure effective control.

The cooperation between DPAs and regulatory agencies in third countries has been

developing over the last years, in a bilateral as well as a multilateral context.

This cooperation can be qualified as policy cooperation, where DPAs cooperate

in order to create a better understanding of privacy and data protection issues or

where they engage in common policy development. An important mechanism in

this type of cooperation is the International Conference of Privacy and Data

Protection Authorities, which presents itself as “the assembly of all accredited data

protection and privacy commissioners from around the world”.309 Under its rules

and procedures the Conference is an entity in its own right, representing its ­members

and one of its purposes is to promote and enhance personal data protection and

privacy rights at the international level.310 This conference adopts resolutions and

declarations.311 In 2009 it adopted the Madrid Resolution with a proposal for international privacy standards.312 It would be in line with the principle of sincere coop-


 See Chap. 1, Sect. 1.1 of this book.

 As explicitly recognised in Article 51(2) GDPR.









 Adopted by the 31st International Conference of Privacy and Data Protection Authorities (2009).


9.17 The Meaning of the Three Strategies for the DPAs and the Cooperation…


eration, as explained above, for the DPAs within the European Union to inform the

EU institutions of the positions they are taking in such fora, to the extent these

positions may affect the consistency of EU policies. This could be a role for the

Chair of the Article 29 Working Party.

Another type of cooperation is to engage in enforcement cooperation. Examples

of bilateral enforcement cooperation can be found in the cooperation of various

DPAs in the European Union with the Federal Trade Commission, as illustrated in

memoranda of understanding concluded between the FTC respectively with the

DPAs in Ireland,313 the United Kingdom314 and the Netherlands.315 These MOUs

include intentions to share information, provide assistance in investigations and to

coordinate enforcement actions.

An example of multilateral cooperation is the Global Privacy Enforcement

Network (“GPEN”),316 facilitated by the OECD, in the context of the OECD

Recommendation on Cross-border Co-operation in the Enforcement of Laws

Protecting Privacy,317 recommending, for instance, to improve domestic frameworks

for privacy law enforcement, to better enable authorities to cooperate with foreign

authorities and to develop effective international mechanisms to facilitate cross-­

border privacy law enforcement cooperation and to provide mutual assistance to one


Bilateral and multilateral cooperation on enforcement is essential for ensuring

effectiveness of control in an internet environment. However, it also raises questions

of legitimacy since arrangements on enforcement also mean sharing responsibility

with authorities in third countries. These arrangements are an additional element to

the composite administrative network within the European Union where responsibilities are shared.318 This requires precise rules on responsibilities, ensuring access

to justice under the rule of law (judicial accountability) and a transparent regime of

reporting in order to enhance the democratic accountability. Inspiration could be

drawn from Point 25 of the Joint Statement and Common Approach of the European

Parliament, the Council of the European Union and the European Commission on

Decentralised Agencies, which envisages the streamlining of external activities of

EU agencies, for instance through dedicated work programmes and by laying down

principles and modalities for international cooperation. A specific element of these

precise rules could be rules on the exchange of personal data between these



 https://www.ftc.gov/sites/default/files/attachments/international-antitrust-and-consumer-protection-cooperation-agreements/130627usirelandmouprivacyprotection.pdf (June 2013).


 https://www.ftc.gov/system/files/attachments/international-competition-consumer-protectioncooperation-agreements/140306ftc-uk-mou.pdf (March 2014).



(March 2015).


 See: https://www.privacyenforcement.net, See also Sect. 9.5 above.


 OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting

Privacy, 12 June 2007 – C (2007) 67.


 This was explained in Chap. 8, Sect. 8.7.


9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…

Whereas the General Data Protection Regulation includes precise rules on the

cooperation of DPAs and on consistency,319 it remains general on the enforcement

cooperation with authorities of third countries and with international organisations.

This is an omission that should be addressed.

9.18  Conclusions

This chapter discussed the external aspects of Article 16 TFEU, focusing on the

relations with third countries and international organisations. On the internet, protection of EU citizens does not stop at the external borders of the European Union,

but has an inherent external effect. Giving extraterritorial effect to EU data protection law is also an explicit objective of the EU legislator, resulting from the general

ambitions of the European Union to promote its essential values, also in the wider


As a rule, any intervention by the European Union with the purpose of ensuring

privacy and data protection on the internet has extraterritorial effect. Giving extraterritorial effect to EU data protection law is an explicit objective of the EU legislator. The horizontal relationship between the European Union and jurisdictions of

third countries is one of the main complicating factors of effective internet regulation. Another complicating factor is the vertical relationship between the Union and

international organisations that are active in the area (Sect. 9.2).

From an institutional perspective, the qualification of DPAs as new branches of

government has institutional consequences in the external domain. In the areas of

their competence, the DPAs represent the European Union externally. However,

they must respect the consistency of external EU policy. The principle of sincere

cooperation binds the DPAs, but also obliges the EU institutions to involve the

DPAs where they take positions in the external domain on policies concerning privacy and data protection, for instance in negotiations with third countries in this

area, conducted according to the procedure of Article 218 TFEU. DPAs should not

commit the Union to international obligations, but are empowered to enter into

enforcement arrangements (Sect. 9.3).

In the external relations with third countries, the relationship with the United

States plays an important role. An important element of the controversy between the

EU and the US is a difference in approach between the two jurisdictions. The

approach of the US – at least in relation to consumer privacy – does not aim at giving wide territorial scope to US law, but at increasing interoperability in privacy

laws by pursuing mutual recognition. In contrast, the nature of privacy and data

protection as fundamental rights under EU law prevents the mutual recognition of

substantive principles of EU law in this area, if the standards in a third country do

not comply with the Charter (Sect. 9.4).


 Chapter VII  GDPR.

9.18 Conclusions


Two of the most relevant international organisations for the EU are the UN and

the OECD. Under current law the UN does not impose any obligation on the EU in

the field of data protection. However, the EU should encourage the UN to play a

more prominent role. The OECD guidelines emphasise the need for improved

interoperability of privacy frameworks and for cross-border cooperation between

privacy enforcement authorities. The OECD is a suitable forum for discussion with

the US (Sect. 9.5).

The closest ally of the European Union is the Council of Europe, which provides

inspiration for EU privacy and data protection, through the case law of the European

Court of Human Rights and through Convention 108. Institutionally, it is a difficult

relationship, as illustrated by the negative Opinion of the Court of Justice on the

draft accession agreement of the Union to the ECHR, referred to in Article 6

TEU. An example in the domain of privacy and data protection illustrates the difficult relationship: ratification by a third country of Convention 108 – meaning compliance with the Convention – does not guarantee that the level of protection

provided by a third country is considered adequate under Directive 95/46 making it

possible that personal data are transferred to this third country without further safeguards (Sect. 9.6).

The European Union itself is an organisation sui generis, also in the international

domain. International competence of the Union, under international law, is similar

but not equal to a state. The Union is not a member of international organisations

such as the UN, the OECD and the Council of Europe. Under Article 16 TFEU, an

exclusive external EU competence must be assumed because effective protection on

the internet requires the widest possible geographical scope. Arguably, the Member

States have lost their external competence in the domain of privacy and data protection. In any event, the Member States are expected to lose their competence under

the regime of the GDPR, at least in the areas covered by this instrument (Sect. 9.7).

Where the European Union uses its external competence, it acts under international law. The Court of Justice determines the limits of external competence and,

in certain circumstances, of the primacy of international law. It is the Court itself

that ultimately – and in last resort exclusively – interprets the Charter and, more

generally, EU law. Provisions of international agreements have direct effect within

the EU legal order, but subject to the nuance that international law cannot have the

effect of prejudicing the constitutional principles of the Treaties (the Kadi case law)

(Sect. 9.8).

The overlapping of jurisdictions on the internet is no longer an exception. Under

public international law, there is no generally accepted solution for internet jurisdiction. General public international law implies that states – and the European Union –

are precluded from enforcing their laws in another state’s territory, but they may

prescribe rules for persons and events outside their borders. In accordance with

public international law, the European Union – acting as a state – should claim

extraterritorial jurisdiction, even in the absence of enforcement power, for instance

to stimulate voluntary compliance in third countries. Due to the pervasiveness of the

internet in our daily lives, the internet should not be governed by a separate body of

law (Sect. 9.9).


9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…

If external EU jurisdiction in the area of privacy and data protection is to be

claimed legitimately, that claim should be based on a meaningful link with the

effective protection of the individual in the European Union. This meaningful link

with the Union could consist of personal jurisdiction based on residence and the

doctrine of effect. The book suggests that the Union should promote this foundation

of personal jurisdiction in the international context. This suggestion does not aim at

solving the problem of internet jurisdiction, but it could be included in the external

EU action in the area of privacy and data protection (Sect. 9.10).

The European Union emphasises the need for taking responsibility for globalisation, claiming that its values have a normative strength and that they are universally

applicable. The Union has global power through the legal standards representing

these values. On this basis, the book distinguishes three strategies for the Union

operating in the external domain: a unilateral, a bilateral and a multilateral strategy.

This does not exclude that in practice a smart mix of the three previous strategies

would be the best option (Sect. 9.11).

The unilateral strategy basically means exporting the EU standards. This is a

potentially successful approach, on the basis of the conditions of Bradford summarised as the “Brussels effect”. The European Union has regulatory clout, manages to set the global standards for regulation on privacy and data protection, is

capable of exporting its system on privacy and data protection, and of assuming

leadership in global regulation. The Union could use facilities offered by the Council

of Europe, such as the possibility that non-European countries adhere to Convention

108. On a practical level, this strategy allows bridges to be built with like-minded

countries, finding communalities for joint challenges relating to internet privacy

(Sect. 9.12).

The bilateral strategy involves seeking for arrangements with relevant, like-­

minded jurisdictions such as the US and, by doing so, building bridges between

these jurisdictions. A bilateral agreement on privacy and data protection between

the EU and the US, based on reciprocity, would be something new. An agreement

does not necessarily mean an approximation of standards of privacy and data protection, which could be difficult to reconcile with the Charter, but could also focus

on mutual recognition, standardisation processes or enforcement cooperation

(Sect. 9.13).

The multilateral strategy aims at developing global standards. The European

Union should strive for global rules, most logically within the framework of the

United Nations. The multilateral strategy is rather a long shot, but a multilateral,

global agreement, would in the long term be the most appropriate instrument to

effectively ensure privacy and data protection on a global scale. Such an agreement

does not necessarily include an approximation of standards, but could also focus on

mutual recognition, standardisation processes or enforcement cooperation

(Sect. 9.14).

The Court of Justice contributed, in Google Spain and Google Inc., to the unilateral strategy under Article 16 TFEU, by highlighting the effectiveness of the protec-

9.18 Conclusions


tion of Europeans and by requiring a meaningful link with the European Union. The

Court did not address the impact of its ruling on competing jurisdictions on the

internet. The ruling in Schrems320 on the Safe Harbour Agreement with the US321

was the first opportunity for the Court to clarify the essential requirements for bilateral and multilateral agreements, affecting the protection of individuals within the

Union. A second opportunity will present itself with the Opinion on the agreement

with Canada on passenger name record data.322 (Sect. 9.15).

The EU legislator gives wide external effect to EU law on data protection, with

the unilateral approach as a composing element and with the regime of data transfers as typical example. Article 48 of the General Data Protection Regulation is a

unilateral solution for a conflict of law. Promising bilateral or multilateral strategies

include methods to ensure the interoperability between different legal systems,

without necessarily adapting the level of protection in other regions of the world to

the EU level, or lowering the level of protection in the European Union.

Accountability of data controllers and processors could be included in international

agreements (Sect. 9.16).

For the DPAs and the cooperation between DPAs the starting point is a unilateral

strategy: their task is to control the application of EU law. The cooperation between

DPAs and regulatory agencies in third countries is an exponent of the bilateral and

multilateral strategy. Bilateral Memoranda of Understanding between European

DPAs and the Federal Trade Commission and multilateral cooperation in the Global

Privacy Enforcement Network are examples. The GDPR should have included rules

on enforcement cooperation with authorities of third countries and with international organisations (Sect. 9.17).

In the external domain, the European Union should also respect some degree of

accountability towards political institutions. This accountability is related to the

democratically agreed substantive level of privacy and protection, as laid down in

the EU rules under Article 16(2) TFEU. Where the Union acts in the external

domain, individuals may have the legitimate expectation that this does not lower the

level of protection of individuals in the Union.

The three strategies (i.e. the unilateral, bilateral and multilateral strategies)

should deal with the two types of issues mentioned earlier: conflicting jurisdictional

claims and divergences in substantive law. Reconciling legitimacy and effectiveness

in relation to jurisdictional claims means: ensuring effective protection of individuals in the European Union and, at the same time, basing the legitimate claim of

jurisdiction on the internet on a meaningful link with the Union. Divergences in

substantive laws could be addressed by allowing practical arrangements with third

 Case C-362/14, Schrems, ECLI:EU:C:2015:650.

 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the

European Parliament and of the Council on the adequacy of the protection provided by the safe

harbour privacy principles and related frequently asked questions issued by the US Department of

Commerce, OJ L 215/7.


 Opinion 1/15 (pending) on Agreement between Canada and the European Union on the transfer

and processing of Passenger Name Record data




9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…

countries and international organisations on an effective level of protection, but not

by lowering the legitimate level of protection of individuals in the Union.

In order to ensure effective protection of individuals on the internet, the preferred

strategy should be the unilateral strategy, aiming at exporting EU values in the international domain. In addition, the bilateral strategy should be explored, possibly

under the wings of the OECD and focusing on mutual recognition, standardisation

processes or enforcement cooperation, based on the communalities between the

systems, but also accepting the differences. In the long term, a UN Treaty would

ensure the best protection (the multilateral approach). The European Union should

take initiatives in order to facilitate the adoption of such a Treaty, with the ambition

to achieve a minimum standard of data protection.


Bach, David, and Abraham L. Newman. 2004. The European regulatory state and global public

policy: Micro-institutions, macro-influence. Yale Law School Legal Scholarship Repository,

Faculty Scholarship Series Yale Law School Faculty Scholarship, 1-1-2004. Available on:


Benkler, Yochai. 2011. Networks of power, degrees of freedom. International Journal of

Communication 5: 721–755.

Bradford, Anu. 2012. The Brussels effect, 2012. Northwestern University Law Review 107(1):


Búrca, Gráinne de, and J.H.H. Weiler (eds). 2012. The worlds of European constitutionalism.

Contemporary European Politics. Cambridge University Press.

Buttarelli, Giovanni (European Data Protection Supervisor). (n.d.). Trade agreements and data

flows, speech of 16 June 2015 for the joint hearing of the INTA and LIBE committees. Brussels:

European Parliament. Available on: https://secure.edps.europa.eu/EDPSWEB/webdav/site/



Castells, Manuel. 2009. The rise of the network society, volume I: The information age: economy,

society and culture, 2nd ed. Wiley-Blackwell.

CMLR Editorial. 2015. The EU’s Accession to the ECHR – a ‘NO’ from the ECJ. Common Market

Law Review 52: 1–15.

Cohen, Julie E. 2007. Cyberspace as/and space. Columbia Law Review 107(1): 210–256.

Craig, Paul, and Grainne de Búrca (eds). 2011. The evolution of EU Law. 2nd ed. Oxford University


Cremona, Marise. 2004. The union as a global actor: Roles, models and identity. Common Market

Law Review 41: 553–573.

de Hert, P., and V. Papakonstantinou. 2013. Three scenarios for international governance of data

privacy: Towards an international data privacy organization, preferably a UN agency? A

Journal of Law and Policy for the Information Society 9(2): 271–324.

de Hert, Paul, and Vagelis Papakonstantinou. 2015. Google Spain: Addressing critiques and misunderstandings one year later. Maastricht Journal of European and Comparative Law 22(4):


Drezner, Daniel W. 2004. Globalization, coercion, and competition: The different pathways to

policy convergence. University of Chicago, February 2004. Available on: http://www.danieldrezner.com/research/gcc.pdf.

Eeckhout, Piet. 2009/2011. EU external relations law. Hart Publishing.

Everson, Michelle, Cosimo Monda, and Ellen Vos (eds). 2014. EU agencies in between institutions

and member states. Kluwer Law International.



Feldman, Noah. 2007. Cosmopolitan law? Yale Law Journal 116: 1022.

Gal-Or, Noemi, and Cedric Ryngaert.(n.d.). From theory to practice: Exploring the relevance of

the Draft Articles on the Responsibility of International Organizations (DARIO)—The responsibility of the WTO and the UN. German Law Journal 13(5):511–541.

Goldsmith, Jack L. 1998. Against cyberanarchy. University of Chicago Law Review 65: 1199.

Greenleaf, Graham. 2012. The influence of European data privacy standards outside Europe:

Implications for globalization of convention 108. International Data Privacy Law 2(2): 68–92.

Grotius, Hugo. (n.d.). The freedom of the sea, or, the right which belongs to the Dutch to take part

in the East Indian trade. Available on: http://upload.wikimedia.org/wikipedia/commons/7/7b/


Hijmans, Hielke. 2014. Book review on Lee A. Bygrave, data privacy law, an international perspective. International Data Privacy Law 5(1): 88–90. 2015.

Hijmans, Hielke, and Herke Kranenborg (eds). 2014. Data protection anno 2014: How to restore

trust? Contributions in honour of Peter Hustinx, European Data Protection Supervisor (2004–

2014). Intersentia.

Hildebrandt, Mireille. 2013. Extraterritorial jurisdiction to enforce in cyberspace? Bodin, Schmitt,

Grotius in cyberspace. University of Toronto Law Journal 63(2): 196–224.

Johnson, David R., and David G. Post. 1996. Law and borders: The rise of law in cyberspace.

Stanford Law Review 48: 1367.

Kokott, Juliane, and Christoph Sobotta. 2015. Protection of fundamental rights in the European

union: On the relationship between EU fundamental rights, the European convention and

national standards of protection. Yearbook of European Law 34: 60–73.

Kuijper, P.J., J. Wouters, F. Hoffmeister, G. de Baere, and T. Ramopoulos. 2013. The law of EU

external relations, cases, material and commentary on the EU as an international legal actor.

Oxford University Press.

Kuner, Christopher. 2013. Transborder data flows and data privacy law. Oxford University Press.

Kuner, Christopher. 2014. The European Union and the search for an international data protection

framework. Groningen Journal of International Law 2(2): 55–71.

Kuner, Christopher, Fred H. Cate, Christopher Millard, Dan Jerker B. Svantesson, and Orla

Lynskey. 2015. Internet balkanization gathers pace: Is privacy the real driver. International

Data Privacy Law 5(1): 1–2.

Lenaerts, Koen, and Piet van Nuffel. 2011. European union law, 3rd ed. Sweet & Maxwell.

Milanovic, Marko. 2015. Human rights treaties and foreign surveillance: Privacy in the digital age.

Harvard International Law Journal 56: 81–146.

Mitsilegas, Valsamis. 2006. The constitutional implications of mutual recognition in criminal matters in the EU. Common Market Law Review 43: 1277–1311.

Nicholas, Mary Lynn. 1990. United States v. Verdugo-Urquidez: Restricting the borders of the

fourth amendment. Fordham International Law Journal 14(1): 267.

Peers, Steve, Tamara Hervey, Jeff Kenner, and Angela Ward (eds.). 2014. The EU charter of fundamental rights, a commentary. Hart Publishing.

Post, David G. 2002. Against against cyberanarchy. Berkeley Technology Law Journal 17: 1365.

Poullet, Yves. 2009. Transborder data flows and extraterritoriality: The European position. Journal

of International Commercial Law and Technology 2: 141.

Princen, S.B.M. 2002. The California effect in the transatlantic relationship. Dissertation. Utrecht


Privacy Bridges, EU and US privacy experts in search of transatlantic privacy solutions,

Amsterdam/Cambridge, September 2015. Available on:https://www.cbpweb.nl/sites/default/


Rainey, Bernadette, Elizabeth Wicks, and Clare Ovey. 2014. Jacobs, White & Ovey: The European

Convention on Human Rights, 6th ed. Oxford University Press.

Reding, Viviane. 2012. The European data protection framework for the twenty-first century.

International Data Privacy Law 2(3): 119–129.

Reidenberg, Joel R. 2001. The Yahoo! case and the international democratization of the Internet.

Fordham Law & Economics Research Paper No. 11, 2001.


9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…

Reidenberg, Joel R. 2005. Technology and internet jurisdiction. University of Pennsylvania Law

Review 153: 1951.

Reidenberg, Joel R. a.o. 2013. Internet jurisdiction, survey of legal scholarship published in

English and United States Case Law. Fordham Center on Law and Information Policy.

Ryngaert, Cedric. 2007. Jurisdiction in International Law, United States and European

Perspectives. Dissertation KU Leuven.

Schmidt, Eric, and Jared Cohen. 2015. The new digital age. Hodder & Stoughton.

Svantesson, Dan Jerker B. 2013. Extraterritoriality in data privacy law. Ex Tuto Publishing.

Svantesson, Dan Jerker B. 2015a. A jurisprudential justification for extraterritoriality in (private)

international law. Santa Clara Journal of International Law 13(1): 517. http://digitalcommons.


Svantesson, Dan Jerker B. 2015b. Extraterritoriality and targeting in EU data privacy law: The

weak spot undermining the regulation. International Data Privacy Law 5(4): 226–234.

Vladeck, David C. 2015. A U.S. perspective on narrowing the U.S.-EU privacy divide. In Hacia un

Nuevo derecho europea de protección de datos, Towards a new European Data Protection

Regime, ed. Artemi Rallo Lombarte, Rosario García Mahamut, 207–245, Tirant lo Blanch.

Wang, Faye Fangfei. 2008. Obstacles and solutions to internet jurisdiction: A comparative analysis

of the EU and US laws. Journal of International Commercial Law and Technology 2008:


Chapter 10

Making Article 16 TFEU Work: Analysis

and Conclusions

Abstract  This final chapter summarises and analyses the main findings of this

book and provides recommendations for a successful exercise of the mandate of the

European Union under Article 16 TFEU.

The chapter recalls the main challenges and the outline of the governance of privacy

and data protection under Article 16 TFEU. It analyses the conclusions of Chaps. 4,

5, 6, 7, 8, and 9, defining the contributions of the EU as a whole, the Court of

Justice, the EU legislator, the independent data protection authorities and their

cooperation mechanisms, and the EU as external actor.

It takes four different perspectives. First, the substance of Article 16 TFEU and

of the roles identified pursuant to this provision; second, the constitutional safeguards imposed by EU law; third, the extent to which Article 16 TFEU or the roles

based on this provision enhance the legitimacy of the European Union; fourth, the

extent to which Article 16 TFEU or the roles based on this provision enhance the

effectiveness of the European Union.

The chapter also introduces the prospect of the General Data Protection

Regulation. It contains final conclusions, taking an optimistic perspective. This is an

area where the EU has a broad mandate and where law can make a difference in an

information society provided that the available instruments are used in an intelligent


10.1  Introduction

The European Union acts, under Article 16 TFEU, as a constitutional guardian of

privacy and data protection. In an information society, the fundamental rights of

privacy and data protection remain essential values for our democracies that are

subject to the rule of law. However, at the same time, this information society is

challenging the enjoyment of these fundamental rights, with big data and mass surveillance as the most obvious illustrations.

© Springer International Publishing Switzerland 2016

H. Hijmans, The European Union as Guardian of Internet Privacy, Law,

Governance and Technology Series 31, DOI 10.1007/978-3-319-34090-6_10



10  Making Article 16 TFEU Work: Analysis and Conclusions

This book started with the Snowden revelations and with the difficulty for governments to gain control over the privacy policies of search engines and social networking providers, as may be illustrated by the complicated enforcement actions of

data protection authorities vis-à-vis, particularly, Google and Facebook. The book

also emphasised the resilience of the fundamental rights’ protection under the rule

of law in the Union, as illustrated by the Court of Justice of the European Union in

its recent ruling in Schrems.1 These cases are exemplary for the mass scale of data

processing and for a lack of overview within democratic bodies and oversight bodies on what is actually happening, and how to keep control.

The mandate of the European Union under Article 16 TFEU was the subject of

this book. This book analysed the role of the European Union in the field of internet

privacy and data protection. The book focused on the contributions of the specific

actors and roles within the EU framework: the judiciary, the EU legislator, the independent supervisory authorities, the cooperation mechanisms of these authorities,

as well as the Union as actor in the external domain. This analysis showed that EU

powers under Article 16 TFEU can be successfully used, in conformity with the

requirements of legitimacy and effectiveness. It also showed that ambitious

approaches are needed, in view of the huge challenges in the information society.

Section 10.2 of this chapter recalls the main challenges and the outline of the

governance of privacy and data protection under Article 16 TFEU, whereas Sect.

10.3 introduces the main components for analysis. Sections 10.4, 10.5, 10.6, 10.7,

10.8, and 10.9 of this chapter analyse the conclusions of the corresponding Chaps.

4, 5, 6, 7, 8, and 9. This means in concrete terms:

(a) What is the substance of Article 16 TFEU and of the roles identified pursuant to

this provision?

(b) Which constitutional safeguards are imposed by EU law?

(c)To what extent does Article 16 TFEU or the roles based on this provision

enhance the legitimacy of the European Union in this domain?

(d)To what extent does Article 16 TFEU or the roles based on this provision

enhance the effectiveness of the European Union in this domain?

Section 10.10 is different in character and introduces the prospect of the General

Data Protection Regulation. Once it has entered into force, this regulation will provide a further framework, enabling the Union to become even more successful.

Section 10.11 contains final conclusions, taking an optimistic perspective.

 Case C-362/14, Schrems, ECLI:EU:C:2015:650.


Tài liệu bạn tìm kiếm đã sẵn sàng tải về

17 The Meaning of the Three Strategies for the DPAs and the Cooperation Between Them: Extending Cooperation to Authorities in Third Countries

Tải bản đầy đủ ngay(0 tr)