Tải bản đầy đủ - 0 (trang)
2 General Design of Article 16 TFEU: Recalling the Main Challenges and the Outline of the Governance Under This Provision

2 General Design of Article 16 TFEU: Recalling the Main Challenges and the Outline of the Governance Under This Provision

Tải bản đầy đủ - 0trang

514



10  Making Article 16 TFEU Work: Analysis and Conclusions



t­endency. The book focused on the internet as a networked society with a loose

government structure. Big data enables unprecedented predictions on private lives

and shifts powers to those who hold information and those who supply it. Mass

surveillance is characterised by secrecy, which complicates democratic and judicial

oversight and – at least potentially – has an impact on the behaviour of individuals.

The qualitative change was summarised in various places of this book as a perceived

‘loss of control’.

This qualitative change justifies the analysis of the mandate of the European

Union under Article 16 TFEU in the light of the developments in the information

society and, on that basis, to provide recommendations for a successful exercise of

the mandate, in the context of the internet. Of course, the mandate under Article 16

TFEU is broader and also applies to privacy and data protection in situations that are

not related to the internet, where people are not connected through networks.

However, these situations are losing, relatively speaking, importance and, thus, are

also becoming less relevant for understanding Article 16 TFEU.



10.2.2  A

 rticle 16 TFEU as an Adequate Mandate

Guaranteeing the Privacy and Data Protection of EU

Citizens on the Internet: The Stakes Are High

This book analysed the mandate of the European Union to guarantee the privacy and

data protection of Europeans citizens on the internet. This analysis comprised the

adequacy of the mandate as such and the way in which the Union – and the various

actors and roles under Article 16 TFEU – uses and should use this mandate. The

introduction of this book (Chap. 1) formulated three objectives for the exercise of

the mandate.4 We repeat these objectives here:

(a) Ensuring protection, through full respect of the rights to privacy and data protection and the restrictive application of exceptions and limitations.

(b) Balancing with other fundamental rights and essential interests in society.

(c) Managing centralisation, an inherent effect of the mandate of the Union under

Article 16 TFEU, and includes balancing the mandate with the competences of

the Member States.

The stakes are high. The book took the view that our democracies cannot function without privacy and data protection. These fundamental rights are an expression of human dignity and the autonomy of the individual.5 The two convincing

arguments for privacy and data protection were: first, the world is not divided into



4



 See Chap. 1, Sect. 1.4.

 As explained in Chap. 2.



5



10.2 General Design of Article 16 TFEU: Recalling the Main Challenges…



515



good people who have nothing to hide and bad people who are monitored for a

reason, and, second, constant monitoring changes peoples’ behaviour.6

The developments in the information society challenge the protection of these

fundamental rights in what some consider an unprecedented manner.7 The era of big

data and mass surveillance by governments and big internet companies underscore

this challenge.

This situation is perceived as a loss of control, where the European Union and the

Member States do not provide sufficiently protection, also because the internet is a

global structure and privacy and data protection are challenged by acts of governments and private companies located outside the European Union. Others speak

about the data protection credibility crisis.8

The stakes are high for a further reason. Article 16 TFEU contains a commitment

for the Union to ensure privacy and data protection for all individuals within the

European Union. The Union must honour this commitment, for two reasons. First,

people are entitled to protection of these essential values and, second, the Union

should be credible.

Privacy and data protection are fields where the Treaty legislator has provided

the instruments for the Union to make the difference. Article 16 TFEU has the

potential to become a success story for the European Union. The realisation of this

potential depends on the contributions of the actors and roles under Article 16

TFEU.

Many of the challenges are of a global nature. Within the structure of the

European integration, the European Union is the most appropriate platform to deal

with these challenges. EU action in this domain complies with the principle of subsidiarity, one of the key principles for EU intervention. This does not mean that the

European Union does or should do everything. The Member States and their authorities remain important players, also to ensure the legitimacy of interventions in this

field, which affect the daily lives of the individuals.

As said, the stakes are high. Regaining control requires an ambitious approach.

Article 16 TFEU enables the European Union to be ambitious, to deal with the challenges in the information society and to effectively ensure privacy and data protection in an internet environment. The ambitious approach is needed even more in the

light of a more general phenomenon that has arisen in recent times: a declining role

of nation-states and of government intervention, with a growing dependency of



6

 Glenn Greenwald, TED Talk, “Why privacy matters”, October 2014, Interactive transcript

available on: http://www.ted.com/talks/glenn_greenwald_why_privacy_matters/transcript?

language=en.

7

 E.g.., OECD Guide to Measuring the Information Society 2011, available on: http://browse.oecdbookshop.org/oecd/pdfs/free/9311021e.pdf; Big Data: Seizing Opportunities, Preserving Values,

Executive Office of the President (Podesta Report).

8

 Kuner, Christopher et al. 2015, “The data protection credibility crisis”, International Data Privacy

Law, Vol. 5, No. 3, 2015.



516



10  Making Article 16 TFEU Work: Analysis and Conclusions



g­ overnments on cooperation with the private sector.9 The loose governance structures of the internet are exemplary for this declining role.



10.2.3  The Governance Model Under Article 16 TFEU

Article 16 TFEU contains a specific mandate for the European Union in the domain

of the protection of fundamental rights: an assignment for the Union to ensure protection. Under Article 16 TFEU, the Union must ensure everyone’s right to data

protection.

This mandate has a wider scope than the Charter, which obliges the European

Union – and the Member States acting within the scope of EU law10 – to respect the

fundamental rights in their laws and policies. Article 16 TFEU implies an obligation

for the Union to act and to ensure that citizens are protected. This obligation goes

beyond the obligation to respect the fundamental rights in the course of interventions of the Union in other domains. Article 16 TFEU brings privacy and data protection by definition within the scope of EU law.

Article 16 TFEU also contains a governance model for privacy and data protection. This governance model provides for explicit roles for three (categories of)

actors: the Court of Justice ensures that the rights to privacy and data protection are

respected under the rule of law, the European Parliament and the Council acting as

EU legislator adopt the rules and the independent data protection authorities ensure

control. Within the structure of the European Union, based on an institutional balance and a separation of powers, the roles of these (categories of) actors are separate, not shared. The actors contribute to the fulfilment of the same mandate, but

their responsibilities are separate. The qualification of the independent data protection authorities as new branches of government – in Chap. 7 of this book – illustrated this separation of responsibilities.

In an internet environment, this governance model of EU privacy and data protection also implies a role for cooperation structures of independent data protection

authorities. The governance model further implies an active role of the Union as

such in the international domain, in view of the global nature of the challenges for

privacy and data protection.

The model further requires the involvement of other governmental and non-­

governmental stakeholders, not explicitly referred to in Article 16 TFEU. As this

book demonstrated, involvement of other stakeholders is a success factor for the

exercise of the EU mandate in an effective and legitimate manner, particularly in an

internet environment.

In short, the governance model involves roles for institutions and bodies of the

European Union, Member States, national DPAs, cooperation mechanisms of DPAs,

private companies and representatives of the private sector, civil society as

­represented by NGOs, as well as third countries and international organisations.

9



 See, e.g., Conclusions Chap. 3.

 As interpreted by the CJEU in Case C-617/10, Åkerberg Fransson, EU:C:2013:280.



10



10.3 The Main Components for Analysis



517



This governance model takes on different shapes, and resembles what is known in

the literature as a composite administration, a multi-level governance or a multi-­

stakeholder model.11

In many situations, not governed by the separation of powers, governance is

shared between different actors, not separated. However, this sharing does not mean

sharing the final responsibility. The involvement of other governmental and non-­

governmental stakeholders should not result in a situation in which the European

Union can no longer assume its final responsibility for privacy and data protection.

The EU should remain in the driving seat.



10.3  The Main Components for Analysis

This book analysed of how the European Union and the actors within the Union can

best ensure internet privacy and data protection, within the constitutional safeguards

provided for under EU law, in a manner that is legitimate in a democracy, subject to

the rule of law, and, at the same time, effective in view of the huge challenges in an

information society.

The previous chapters described in detail how the European Union exercises its

mandate under Article 16 TFEU and how the different institutional actors and roles

contribute to the success of the mandate. These chapters demonstrated that the contributions of the different actors and roles raise a variety of issues. These issues are

not similar for each and every actor and role, despite the fact that the aspirational

goals are the same: contributing to the respect of privacy and data protection. This

explains the diversity in focus in the chapters of this book.

The analysis in this chapter has four components. First, Article 16 TFEU, read in

connection with Articles 7 and 8 Charter, defines the task of the European Union to

ensure privacy and data protection. Second, constitutional safeguards under EU law

impose limits on the exercise of the task. Third and fourth, conditions of legitimacy

and effectiveness must be fulfilled to make Article 16 TFEU work. The difference

between the first two components (Article 16 TFEU and the constitutional safeguards) and the two last components (legitimacy and effectiveness) is that the first

two are mainly legal requirements, whereas the last two are more policy

considerations.



10.3.1  T

 he First Component: Article 16 TFEU Defines

a Broad Mandate

Article 16 TFEU provides a mandate for the European Union to act that is in principle unconditional. This mandate enables the Union – in principle – to act in accordance with its ambitions and take the leading role in ensuring the respect of data

11



 These three notions do not necessarily overlap. See Chap. 6, Sect. 6.13 of this book.



518



10  Making Article 16 TFEU Work: Analysis and Conclusions



protection as a fundamental right, and by doing so regaining control over the processing of personal data in an internet environment.

Article 16 TFEU also gives the Union tools: Article 16 TFEU ensures the respect

of privacy and data protection as fundamental rights for individuals, ultimately

under control of the Court of Justice, it assigns to the EU legislator the task to lay

down a legal framework for data protection, and, finally, it ensures control by independent data protection authorities. In an internet environment, the governance

model of EU privacy and data protection also implies a role for cooperation structures of independent data protection authorities, as well as for the European Union

in general as an actor in the external domain.

The substance of the protection to be provided is laid down in Articles 7 and 8

Charter, as well as in the legislative instruments for data protection, particularly

Directive 95/46. These instruments also describe the substantive limits of the competence of the European Union under Article 16 TFEU.12



10.3.2  T

 he Second Component: Constitutional Safeguards

Under EU Law

This mandate of the European Union under Article 16 TFEU is not unlimited. The

exercise of the mandate coincides with other mandates of the Union itself and with

the Member States’ powers in related areas of government intervention.

Moreover, the exercise of the mandate is also delimited by the general safeguards

of EU competence requiring the European Union to respect the national identities

of the Member States, including national security,13 and cultural differences. EU

action must also comply with the principles of subsidiarity and proportionality and

with the features of a system of executive federalism,14 in which implementation,

enforcement and the organisation of judicial protection are normally tasks of the

Member States. This was all explained in Chap. 4.

Furthermore, the contributions of the actors and roles under Article 16 TFEU are

embedded in the institutional positions of the various actors and roles under EU law,

in respect of the institutional balance and the separation of powers.



12



 Wording taken from Order of the Court of 17 March 2005, ECLI:EU:C:2005:189 in Joined cases

C-317/04 and C-318/04, European Parliament v Council Union (C-317/04) and Commission

(C-318/04), EU:C:2006:346, at 16.

13

 Article 4(2) TEU.

14

 Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell,

2010, at 17-002.



10.3 The Main Components for Analysis



519



10.3.3  T

 he Third Component: Legitimacy as a Factor

for Success

In this book, legitimacy means in relation to the governance of privacy and data

protection under EU law: ensuring that there is some degree of accountability

towards political institutions.15 In the specific context of external EU action, legitimacy has an additional element: the legitimacy of external EU action is also determined by – possibly conflicting – legitimate claims of third countries and

international organisations.

Legitimacy in this domain is not self-evident, for various reasons. First, under

Article 16 TFEU, the protection of a fundamental right is a task of the European

Union, which is often criticised for its democratic deficit. Second, the mandate

requires the involvement of actors outside the traditional trias politica who are not

subject to full democratic control by parliaments, such as particularly the DPAs as

expert bodies. Third, the link between the cooperation mechanisms of DPAs – operating in between the Union and the Member States – and political institutions is

weak. Fourth, the involvement of the private sector in the exercise of the mandate

under Article 16 TFEU further weakens democratic guarantees.

Against this background, the European Union should take into consideration that

individuals have justified claims that the democratic accountability be ensured and

that decisions be taken at a level “as close as possible to the citizen”.16

The European Union should also take justified claims of national governments

into consideration. The mandate of the Union under Article 16 TFEU contains an

exception to the main rule in the EU system that the protection of fundamental

rights is a core task of national governments that should be fully democratically

accountable. The exercise of the mandate under Article 16 TFEU could, to a certain

extent, deprive Member States of the power to protect the fundamental rights of

their nationals.17

Finally, the European Union has justified claims vis-à-vis third countries in

respect of activities on the internet and is, vice versa, confronted with similar justified claims of third countries and international organisations. In theory, the Union

acting as a guardian of privacy and data protection would be most effective if it

could claim jurisdiction over the entire internet. However, this claim would coincide

with legitimate claims of third countries and international organisations, because

jurisdictions overlap on the internet. This is particularly problematic in cases where

other jurisdictions have made different arrangements for privacy and data

protection.18

15



 As explained in Chap. 1, using the wording in the CJEU’s case law on the independence of the

DPAs.

16

 Article 1 TEU.

17

 Judge Masing of the German constitutional court claimed that this would result from the General

Data Protection Regulation; see: “Ein Abschied von den Grundrechten”, Süddeutsche Zeitung 9

January 2012.

18

 As explained in Chap. 9.



520



10  Making Article 16 TFEU Work: Analysis and Conclusions



10.3.4  T

 he Fourth Component: Effectiveness as a Factor

for Success

High standards of effectiveness are required in view of the phenomena on the internet that challenge privacy and data protection. Effectiveness is a general principle of

EU law19 that was specified in this book for the purposes of the governance of privacy and data protection: ensuring protection by bridging the gap between principles and practice.20 Involvement of various stakeholders, including the private

sector, in the implementation is a component of the governance under Article 16

TFEU in order to deliver privacy and data protection in an effective manner.

Effective exercise of the mandate under Article 16 TFEU gives legitimacy to the

EU action itself. Legitimacy based on effectiveness (output legitimacy) justifies the

capacity of the European Union to act and to impose rules in a global environment,

to involve private parties, and to attribute tasks to the independent data protection

authorities, which are non-majoritarian expert bodies. However, output legitimacy

alone is not sufficient for EU action in privacy and data protection. Democratic

legitimacy (or input legitimacy) is also required.



10.4  T

 he Contribution of Article 16 TFEU to Legitimate

and Effective Privacy and Data Protection

on the Internet: An Appropriate Mandate Is Provided

This section describes how Article 16 TFEU contributes to legitimate and effective

privacy and data protection on the internet. It outlines a general framework enabling

the various actors and roles to make Article 16 TFEU work.



10.4.1  A

 rticle 16 TFEU Brings Privacy and Data Protection

by Definition Within the Scope of EU Law and Makes

Ambitious Approaches Possible (The First Component)

As a result of Article 16 TFEU, privacy and data protection fall by definition within

the scope of EU law. Privacy and data protection have become concerns of the

European Union, although the implementation is shared with the Member States.

The EU mandate in this field is also broad in terms of substance: privacy and data

protection are considered to be one complex of concerns, particularly in an internet

environment, based on human dignity, autonomy and fairness. The right to

19



 As explained in Chap. 1,with reference to Paul Craig and Grainne de Búrca, EU Law, Text, Cases

and Material (Fifth Edition), Oxford University Press, 2011, Chapter 8.

20

 As explained in Chap. 1,with reference to Kenneth A. Bamberger, Deirdre K. Mulligan, Privacy

on the Books and on the Ground, 2011, Stanford Law Review, Vol. 63, January 2011.



10.4 The Contribution of Article 16 TFEU to Legitimate and Effective Privacy…



521



privacy – in a wide sense – represents the value, whilst the right to data protection

determines the rules of the game.

Privacy and data protection are part of a European Union based on values. The

European Union has high ambitions in promoting its values, particularly democracy, the rule of law and fundamental rights. These three values are inextricably

linked. These values are shared between all the Member States and represent the

premise of mutual trust amongst the Member States themselves and between the

Member States and the Union.

The European Union has ambitions to promote democracy, which, in relation to

the internet, means a free internet but not an unprotected internet. The Union has

ambitions to promote the rule of law, which, in relation to the internet, “requires as

a minimum that the law actually rules”,21 meaning that the law should also be

respected on the internet. The Union has ambitions to promote fundamental rights,

which, in relation to the internet, means that fundamental rights should be applied

broadly, with a strong focus on protecting individuals in horizontal situations,

against private parties.

Promoting fundamental rights in an internet context entails at least two things:

first, individuals are entitled to the protection of fundamental rights when they are

active on the internet (online), in the same way as when they act in any other capacity (offline); second, the external dimension – protection vis-à-vis actors in third

countries – acquires a new dimension because individuals in the European Union

interact on the internet on a constant basis with actors based outside the Union.

However, individuals are not entitled to protection against all risks on the internet.

A zero risk approach does not exist.

Article 16 TFEU makes it possible, with these notions in mind, for the European

Union to realise its high ambitions by giving priority to ensuring privacy and data

protection on the internet. By making Article 16 TFEU work, the Union should

compensate for phenomena resulting from developments on the internet.

Compensation is needed because, as was explained above, the internet as a networked society leads to insecurity and a lack of grip. Internet freedom is threatened

by fragmentation of the internet, by asymmetry in relation to big data and by secrecy

in relation to surveillance.



10.4.2  T

 he Constitutional Safeguards Under EU Law:

The Member States Play and Should Play an Important

Role (The Second Component)

First, the mandate under Article 16 TFEU does not mean that the European Union

is the sole guardian of EU data protection. The Member States play and should play

an important role. To start with, the exercise of the EU mandate should comply with

21



 Armin von Bogdandy, Michael Ioannidis, “Systemic deficiency in the rule of law: What it is,

what has been done, what can be done”, CMLR, 51, Issue 1, pp. 59–96, 2014, p. 63. See Chap. 2,

Sect. 2.5 of this book.



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

2 General Design of Article 16 TFEU: Recalling the Main Challenges and the Outline of the Governance Under This Provision

Tải bản đầy đủ ngay(0 tr)

×