Tải bản đầy đủ - 0 (trang)
4 The Contribution of Article 16 TFEU to Legitimate and Effective Privacy and Data Protection on the Internet: An Appropriate Mandate Is Provided

4 The Contribution of Article 16 TFEU to Legitimate and Effective Privacy and Data Protection on the Internet: An Appropriate Mandate Is Provided

Tải bản đầy đủ - 0trang

10.4 The Contribution of Article 16 TFEU to Legitimate and Effective Privacy…



521



privacy – in a wide sense – represents the value, whilst the right to data protection

determines the rules of the game.

Privacy and data protection are part of a European Union based on values. The

European Union has high ambitions in promoting its values, particularly democracy, the rule of law and fundamental rights. These three values are inextricably

linked. These values are shared between all the Member States and represent the

premise of mutual trust amongst the Member States themselves and between the

Member States and the Union.

The European Union has ambitions to promote democracy, which, in relation to

the internet, means a free internet but not an unprotected internet. The Union has

ambitions to promote the rule of law, which, in relation to the internet, “requires as

a minimum that the law actually rules”,21 meaning that the law should also be

respected on the internet. The Union has ambitions to promote fundamental rights,

which, in relation to the internet, means that fundamental rights should be applied

broadly, with a strong focus on protecting individuals in horizontal situations,

against private parties.

Promoting fundamental rights in an internet context entails at least two things:

first, individuals are entitled to the protection of fundamental rights when they are

active on the internet (online), in the same way as when they act in any other capacity (offline); second, the external dimension – protection vis-à-vis actors in third

countries – acquires a new dimension because individuals in the European Union

interact on the internet on a constant basis with actors based outside the Union.

However, individuals are not entitled to protection against all risks on the internet.

A zero risk approach does not exist.

Article 16 TFEU makes it possible, with these notions in mind, for the European

Union to realise its high ambitions by giving priority to ensuring privacy and data

protection on the internet. By making Article 16 TFEU work, the Union should

compensate for phenomena resulting from developments on the internet.

Compensation is needed because, as was explained above, the internet as a networked society leads to insecurity and a lack of grip. Internet freedom is threatened

by fragmentation of the internet, by asymmetry in relation to big data and by secrecy

in relation to surveillance.



10.4.2  T

 he Constitutional Safeguards Under EU Law:

The Member States Play and Should Play an Important

Role (The Second Component)

First, the mandate under Article 16 TFEU does not mean that the European Union

is the sole guardian of EU data protection. The Member States play and should play

an important role. To start with, the exercise of the EU mandate should comply with

21



 Armin von Bogdandy, Michael Ioannidis, “Systemic deficiency in the rule of law: What it is,

what has been done, what can be done”, CMLR, 51, Issue 1, pp. 59–96, 2014, p. 63. See Chap. 2,

Sect. 2.5 of this book.



522



10  Making Article 16 TFEU Work: Analysis and Conclusions



the principles of subsidiarity and proportionality. The exercise of the mandate by the

Union under Article 16 TFEU gives a priori effect to the principle of subsidiarity,

since efficient and effective privacy and data protection on the internet cannot be

sufficiently achieved by the Member States individually.

Second, the European Union should respect national identities, national security

and cultural differences. The exemption of national security from the scope of EU

law played a role in the aftermath of the Snowden revelations. This book explained

that this exemption plays a limited role in the area of privacy and data protection.

The exception to the scope of EU law for national security does not mean that a

justified claim based on national security under Article 13 of Directive 95/46 on

data protection renders EU law inapplicable. The ruling of the Court of Justice in

ZZ22 even provides an argument in support of the application of general EU data

protection law to national security services. The exception to the scope of EU law

does not extend to services of third countries, although they may be covered indirectly. In short, even in the domain of national security, the entitlement of the individual to privacy and data protection should be decisive, which means that the scope

of the national security exception should be interpreted restrictively.

Third, as a rule, within the European Union as a construct with features of executive federalism,23 implementation of EU law is decentralised. Moreover, under EU

law, the enforcement of EU instruments and the organisation of judicial protection

are normally tasks of the Member States However, the decentralisation of the implementation should not adversely affect the harmonised level of protection. To avoid

this undesired result, cooperation is required between the different actors of the

Union and the Member States, under the principle of sincere cooperation.



10.4.3  L

 egitimacy as a Factor for Success for EU Action (The

Third Component)

This book claims that a legitimate and effective exercise of the mandate of the

European Union on privacy and data protection, a field of intervention that affects

the daily lives of individuals, makes the Union more visible and shows that it is

capable of successfully addressing major challenges.

The success of EU action in this field is even more relevant in view of the presumed democratic deficit of the European Union. It is submitted that solutions –

albeit imperfect – have been found for issues relating to the more formal aspects of

democratic legitimacy, for instance by granting the European Parliament more powers. However, this does not resolve what Weiler calls the crisis of social legitimacy.24

The European Union is not perceived as an organisation of the citizens. Although

 Case C-300/11, ZZ, EU:C:2013:363.

 Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell,

2010, at 17-002.

24

 The Constitution of Europe, “Do the new clothes have an emperor?” and other essays on

European integration, Joseph Weiler, Cambridge University Press, 1999, p. 84.

22

23



10.4 The Contribution of Article 16 TFEU to Legitimate and Effective Privacy…



523



European leaders may speak in name of the people, many people are not aware that

they are doing so.25

Hence, the European Union should take into consideration justified claims of

individuals that democratic accountability is ensured and that decisions are taken at

a level “as close as possible to the citizen”.

The concept of EU citizenship further contributes to the legitimacy of the role of

the European Union under Article 16 TFEU. EU citizenship justifies the expectations of EU citizens that their rights will be protected. The exercise of the mandate

under Article 16 TFEU contributes to the genuine enjoyment of citizenship of the

Union. Vice versa, this contribution to the enjoyment of citizenship gives legitimacy

to the exercise of the EU mandate under Article 16 TFEU.

EU action should not only be legitimate in the eyes of the citizen, but also vis-à-­

vis the Member States. Legitimacy of EU action under Article 16 TFEU, in the

sense of creating guarantees for some degree of accountability vis-à-vis political

institutions, is a prerequisite for trust, particularly in the domain of privacy and data

protection. The protection of these rights is closely related to traditional state functions belonging to the core of a democracy, which is subject to the rule of law.

The European Union and the Member States interact in a pluralist legal context,

with overlapping claims to legal and constitutional authority. Article 16 TFEU confers a broad and relatively unlimited power on the Union, to regulate the sensitive

area of data protection. Article 16 TFEU has as an effect that to a certain extent

Member States could be deprived of the power to protect the fundamental rights of

their nationals.

The legitimacy is even more at stake where the private sector plays a role in core

government activities, such as the combat of terrorism and serious crime. These are

sensitive areas, requiring additional safeguards such as appropriate oversight mechanisms. The European Union should ensure that these safeguards are respected.

Finally, the principle of sincere cooperation has gained in importance in view of

the loss of power of the Member States, and also in view of the loss of control over

personal data on the internet. Cooperation between the different levels and actors

should compensate for the loss of power of – individual – public entities within a

globalised society and hence enhance the legitimacy of ensuring privacy and data

protection.



10.4.4  E

 ffectiveness as a Factor for Success for EU Action

(The Fourth Component)

The presumed lack of effectiveness of privacy and data protection triggered this

book and is also a key justification for the reform of the data protection legislation

in the European Union.26 Citizens may expect the Union to be able to exercise its

25



 Middelaar, Luuk van, 2009, De passage naar Europa. Geschiedenis van een begin (published in

English as: The Passage to Europe: How a Continent Became a Union), Historische Uitgeverij,

part III.

26

 As explained in Sect. 10.10 below.



524



10  Making Article 16 TFEU Work: Analysis and Conclusions



mandates in an effective manner. This gives the Union legitimacy (output legitimacy). As the Snowden revelations illustrate, output legitimacy is not self-evident

and control over privacy and data protection on the internet should be regained.

Control requires high standards of effectiveness in view of the phenomena on the

internet that challenge privacy and data protection.

This book applied the general principle of effectiveness under EU law to the

governance of privacy and data protection: ensuring protection by bridging the gap

between principles of privacy and data protection and practice. Bridging the gap

requires an appropriate choice of arrangements,27 strengthening the various actors

and roles under EU law. EU legislation should facilitate the contributions of the

judiciary, the independent data protection authorities, the cooperation mechanisms

of these authorities, as well as the European Union as an external actor.

In this book, emphasis was placed on instruments encouraging the involvement

of various stakeholders, including the private sector, in the implementation of the

governance under Article 16 TFEU. The involvement of various stakeholders does

not affect the final responsibility for ensuring privacy and data protection. This final

responsibility remains with governmental actors and, ultimately, the European

Union. Effective governance requires firstly empowerment of the individual, secondly giving responsibility to the data controllers with multi-stakeholder solutions

as an alternative for command-and-control legislation, and thirdly strong enforcement mechanisms.



10.4.5  Final Recommendation

Article 16 TFEU provides the European Union with a strong mandate and ensures

that privacy and data protection, by definition, fall within the scope of EU law. The

high ambitions of the European Union resulting from this mandate should compensate for the presumed lack of control on the internet. The Union is not the sole

guardian of privacy and data protection on the internet. The Member States also

have a role. The executive federalism should not adversely affect the harmonised

level of protection.

An appropriate exercise of the mandate under Article 16 TFEU contributes to the

Union’s social legitimacy and can also be an element of the enjoyment of EU citizenship. EU action should also be legitimate vis-à-vis the Member States. Effective

exercise of the mandate provides the European Union with output legitimacy.

Bridging the gap between principles of privacy and data protection and practice

requires an appropriate choice of legislative arrangements, strengthening the various (public) actors and roles under EU law, as well as involving the private sector

and leaving the final responsibility with governmental actors.



27



 The word ‘arrangement’ is used to distinguish from the legislative ‘instruments’, in the EU context mainly regulations and directives.



10.5 The CJEU Interprets the Law in Cases Brought Before It and Acts…



525



This book includes a number of ideas on the involvement of the various public

and private actors in the governance of internet privacy and data protection. The

book recommends elaborating these ideas and developing a strategy for this involvement that clearly describes the responsibilities of the various actors.



10.5  T

 he CJEU Interprets the Law in Cases Brought

Before It and Acts as Constitutional Court

10.5.1  A

 rticle 16(1) TFEU and the Guidance in Final Instance

by the CJEU (The First Component)

The Court of Justice of the European Union does not only interpret the law by solving the disputes brought before it or by answering preliminary questions of national

courts, resulting from disputes arising in the national jurisdictions. In the exercise of

its tasks, the Court also acts as a constitutional court, with three functions: the

reviewer of fundamental rights, the protector of market integration and the umpire

between the different powers.28 This role as a constitutional court, combined with

a – perceived – activist approach in the exercise of this role29 qualifies the Court as

a suitable actor for privacy and data protection on the internet.

Obviously, in this field, the main contributions of the Court of Justice acting as a

constitutional court serve the first function, the review of fundamental rights. It is

the task of the Court to ensure, in last instance, that everyone’s rights to privacy and

data protection are respected. The case law demonstrates that the Court contributes

in different ways to ensuring the enjoyment of these rights. The Court interprets the

rights to privacy and data protection under EU law,30 balances these rights with

other fundamental rights and public interests,31 contributes to the governance model

by setting the standards for the independence of data protection authorities,32 and

deals with extraterritorial jurisdictional claims of EU law,33 in particular by basing

the claim of EU jurisdiction on a meaningful link with the European Union in ensuring the protection of the individual.

28



 Based on the contribution of A. Stone Sweet, in: Paul Craig and Grainne de Búrca (eds),The

evolution of EU Law (Second Edition), Oxford University Press, 2011, at 121 and 125.

29

 See Chap. 5, Sect. 5.3 of this book, with reference to Paul Craig and Grainne de Búrca,EU Law,

Text, Cases and Material (Fifth Edition), Oxford University Press, 2011, at 63–65

30

 A recent example is Case C-212/13, Ryneš, EU:C:2014:2428, on the interpretation of the household exception.

31

 A recent example is Case C-580/13, Coty Germany, ECLI:EU:C:2015:485, on balancing with

the fundamental right to an effective remedy and the fundamental right to intellectual property.

32

 Cases C-518/07, Commission v Germany, EU:C:2010:125; C-614/10, Commission v Austria,

EU:C:2012:631 and C-288/12, Commission v Hungary, EU:C:2014:237.

33

 In Cases C-101/01, Lindqvist, EU:C:2003:596, and C-131/12, Google Spain and Google Inc.,

EU:C:2014:317.



526



10  Making Article 16 TFEU Work: Analysis and Conclusions



The Court deals with the remarkable elements of Article 16 TFEU and Article 8

Charter. As an example, the interpretation of the right to data protection under

Article 8(2) Charter draws on the acquis laid down in Directive 95/46 on data protection. This reasoning is circular, since the Court interprets Directive 95/46 in the

light of the Articles 7 and 8 Charter.

Often, the contribution of the Court of Justice consists of giving guidance, where

it adjudicates in cases by explaining EU data protection legislation in the light of the

Articles 7 and 8 Charter. Cases end up at the Court on the basis of preliminary questions referred by national courts on the explanation of Directive 95/4634 or of other

legislative instruments relating to privacy and data protection.

For the Court, an important perspective is and will increasingly be that the reality

of the internet is difficult to reconcile with core data protection principles. ‘Consent’

and ‘purpose limitation’ are examples of such principles that the Court may have to

interpret, whilst taking into consideration the developments in the information society. These developments also influence the balancing with other interests since fundamental rights and public interests increasingly coincide.

More generally, the assessment by the Court of Justice of limitations applicable

to a fundamental right focuses on proportionality. The entry into force of the Lisbon

Treaty prompted a fundamental change of the approach of the Court in relation to

fundamental rights. In this approach, the Charter has become the yardstick and has

a wide scope, without extending the competences and tasks of the European Union.

The proportionality test under the Charter is strict; the strictness in a concrete situation depends on a number of factors. The nature of the fundamental right is such a

factor. This factor is elaborated in this book, which analyses whether meaningful

distinctions can be made between the fundamental rights that must be protected on

the internet.



10.5.2  T

 he Constitutional Safeguards Under EU Law:

A Judiciary Explaining the Boundaries with Other

Mandates in an Information Society (The Second

Component)

This book distinguished two different types of safeguards flowing from the role of

the Court of Justice within the EU constitutional framework, in relation to Article

16(1) TFEU.

The first type of safeguards is institutional, relating to the role of the judiciary.

Most cases are brought before the Court in the context of the preliminary ruling

procedure. This procedure is a success, also in privacy and data protection. The

preliminary ruling procedure enables the Court to provide guidance, also in important issues. However, the case law of the Court is by definition incremental. It is not

34



 The example is Case C-131/12, Google Spain and Google Inc., EU:C:2014:317.



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

4 The Contribution of Article 16 TFEU to Legitimate and Effective Privacy and Data Protection on the Internet: An Appropriate Mandate Is Provided

Tải bản đầy đủ ngay(0 tr)

×