10.5 The CJEU Interprets the Law in Cases Brought Before It and Acts as Constitutional Court

10  Making Article 16 TFEU Work: Analysis and Conclusions

The Court deals with the remarkable elements of Article 16 TFEU and Article 8 Charter. As an example, the interpretation of the right to data protection under Article 8(2) Charter draws on the acquis laid down in Directive 95/46 on data protection. This reasoning is circular, since the Court interprets Directive 95/46 in the light of Articles 7 and 8 Charter.

Often, the contribution of the Court of Justice consists of giving guidance, where it adjudicates in cases by explaining EU data protection legislation in the light of Articles 7 and 8 Charter. Cases end up at the Court on the basis of preliminary questions referred by national courts on the explanation of Directive 95/46[34] or of other legislative instruments relating to privacy and data protection.

For the Court, an important perspective is and will increasingly be that the reality of the internet is difficult to reconcile with core data protection principles. ‘Consent’ and ‘purpose limitation’ are examples of such principles that the Court may have to interpret, whilst taking into consideration the developments in the information society. These developments also influence the balancing with other interests since fundamental rights and public interests increasingly coincide.

More generally, the assessment by the Court of Justice of limitations applicable to a fundamental right focuses on proportionality. The entry into force of the Lisbon Treaty prompted a fundamental change of the approach of the Court in relation to fundamental rights. In this approach, the Charter has become the yardstick and has a wide scope, without extending the competences and tasks of the European Union. The proportionality test under the Charter is strict; the strictness in a concrete situation depends on a number of factors. The nature of the fundamental right is such a factor. This factor is elaborated in this book, which analyses whether meaningful distinctions can be made between the fundamental rights that must be protected on the internet.

10.5.2 The Constitutional Safeguards Under EU Law: A Judiciary Explaining the Boundaries with Other Mandates in an Information Society (The Second


This book distinguished two different types of safeguards flowing from the role of the Court of Justice within the EU constitutional framework, in relation to Article 16(1) TFEU.

The first type of safeguards is institutional, relating to the role of the judiciary. Most cases are brought before the Court in the context of the preliminary ruling procedure. This procedure is a success, also in privacy and data protection. The preliminary ruling procedure enables the Court to provide guidance, also in important issues. However, the case law of the Court is by definition incremental. It is not the role of a court to develop a policy for better protection. Therefore, guidance by the Court is not sufficient for bridging the gap between general principles and practice. Bridging the gap requires contributions of actors that can develop a comprehensive policy, such as the EU legislator and the independent DPAs.

[34] The example is Case C-131/12, Google Spain and Google Inc., EU:C:2014:317.

The second type of safeguards is substantive: the exercise of the mandate of the European Union under Article 16 TFEU is limited by mandates of the Union in other fields and by the competences of the Member States. Ensuring privacy and data protection requires balancing privacy and data protection with other fundamental rights and essential interests, in the specific internet context. This balancing plays a key role in the case law of the Court, as the following examples illustrate.

First, the link between the fundamental rights of privacy and data protection, on the one hand, and the freedom of expression and information, on the other hand, is changing and intensifying due to internet-related developments. The dividing line between private and public speech is becoming blurred on the internet. Changes are caused by the impact of a free and open internet on privacy and data protection, whereas new intermediaries, like search engines, play a role in promoting the freedom of expression and information.

The debate on the right to be forgotten demonstrates that where an individual is entitled to request the deletion of personal data, this automatically has an impact on the right to receive information under Article 11 Charter. In Google Spain and Google Inc.,[35] the Court accepted this consequence, taking the changed reality in the information society into consideration. This changed reality has an impact on privacy and data protection and on the balancing of fundamental rights. The ubiquitous availability of information implies a lack of control of the data subject and affects his autonomy. This ruling of the Court is not undisputed. For instance, the case law of the US Supreme Court shows a different approach in balancing privacy with free speech, with more emphasis on free speech.[36] At the same time, Google Spain and Google Inc. was heavily criticised in the US and by various European scholars, because of its presumed impact on free speech and democracy.[37] Although this book does not support this criticism, admittedly, the ruling does not precisely define the boundaries between the fundamental rights at stake. Further case law may be


In Google Spain and Google Inc., the Court also took the changed reality in the information society into consideration in another respect. The Court gave search engines a social responsibility, attributing to them the task of the balancing of fundamental rights, after they have received requests for the deletion of links containing personal data.

[35] Case C-131/12, Google Spain and Google Inc., EU:C:2014:317.

[36] E.g., in Sorrell v. IMS Health Inc., No. 10-779 131 S.Ct. 2653 (2011), see Chap. 5, Sect. 5.11.

[37] Further reading: Stefan Kulk and Frederik J. Zuiderveen Borgesius, Google Spain v. González: Did the Court Forget About Freedom of Expression? September 4, 2014, European Journal of Risk Regulation (2014).

[38] E.g., in Case C-398/15, Manni (pending).





Second, the right of access to documents gives effect to core values in society such as transparency, which includes the right to know, and democratic control. The Court scrutinises the exceptions and limitations to this right restrictively. However, the same restrictive approach is not applied where the Court balances the right of access to documents with privacy and data protection. Under the Court’s case law, applicants who request access to documents of the European Union must demonstrate the necessity for having access to documents if these documents include personal data.[39] The Court does not seem to balance privacy and data protection on an equal footing with public access to documents, but seems to give more weight to privacy and data protection.

Third, there are different scholarly views on the status of the right to property as an essential value in a democratic society.[40] The right to property is not included in all fundamental rights treaties although it plays an important role in the application of the ECHR. This book argues that privacy and data protection, on the one hand, and property and especially intellectual property, on the other hand, should not necessarily be balanced on equal footing. The example in support of this argument is the enforcement, on the internet, of copyright, which is an intellectual property right. Since copyright is difficult to enforce on the internet, copyright holders claim that the monitoring of the behaviour of all individuals on the internet is needed to enforce their copyrights. Recognition of this claim would obviously weaken the level of privacy and data protection. In view of the essential nature of privacy and data protection in our democratic societies, it is submitted that, where both rights need to be balanced against each other, the rights to privacy and data protection should carry greater weight than the right of the rights holder.

Fourth, the relationship between privacy and data protection and security has elements of a trade-off. Privacy is, on the one hand, seen as inhibiting the appropriate protection of our societies against threats caused by terrorist attacks or by serious crime and, on the other hand, as a value that should prevail against risks of unconditioned surveillance. Digital Rights Ireland and Seitlinger[41] gives indications for balancing privacy and security, with an emphasis on the intrusiveness of monitoring of individuals in an information society. The book includes an interesting parallel with the approach of the US Supreme Court. The US Supreme Court, too, considers the intrusive consequences of the information society. For instance, the US Supreme Court decided that generally a warrant is needed before the search of a smartphone, because of the immense storage capacity of a device people carry on them.[42] A smartphone is not just a physical device that people have on them, but can provide – when it is searched – a broad insight into the private life of individuals.

More generally, the outcome of the trade-off between privacy and data protection and security is determined by trends in these two areas: the effects of ubiquitous connectivity for privacy and data protection, on the one hand, and the security threats for society, on the other hand. Moreover, it proved difficult to measure these trends and to measure the effects of proposed instruments and to make comparisons on the basis of this measurement.

[39] The leading case is Case C-28/08P, Commission v. Bavarian Lager, EU:C:2010:378.

[40] As explained in Chap. 5, Sect. 5.15 of this book.

[41] Joined cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger (C-594/12), EU:C:2014:238.

[42] Riley v California, No. 13–132.

Other arguments that should play a role in the trade-off are: (a) the lack of transparency of government surveillance should be addressed, (b) the value given to privacy and data protection should not depend on political preferences of a majoritarian body, and (c) strong privacy and data protection can benefit law enforcement. The challenge is to find synergies.

10.5.3 Legitimacy as a Factor for Success of the CJEU (The Third Component)

In a general sense, the extensive role of the Court of Justice compensates for the democratic deficit of the Union. The Court has further legitimacy because of its close connection with national courts through the preliminary ruling procedure. The Court enhances its legitimacy by properly balancing the interest of EU integration with national interests.

The challenges for internet privacy and data protection justify an emphasis on context-related balancing with other fundamental rights taking into account that the internet does not pose the same challenges for all fundamental rights. Freedom of expression is an example[43]: as a rule, the internet is a vehicle for the freedom of expression, not a challenge. This balancing is at the heart of the contribution of the Court to the exercise of the mandate under Article 16 TFEU, more than it is for the other actors and roles under Article 16 TFEU. Where the Court succeeds in striking an acceptable balance between the various interests concerned, this increases the legitimacy of EU action under Article 16 TFEU.

This book claims that the legitimacy of the European Union, in general, and the Court, in particular, can even improve if distinctions are made between fundamental rights (and essential interests), in the sense that not all rights and values are balanced on an equal footing, albeit without establishing a hierarchy between rights.

Making a distinction between fundamental rights can be useful for three purposes. First, this should prevent any weakening of privacy and data protection (and other fundamental rights that are most crucial for our democracies), which could result from the equal protection of all rights, by allowing a differentiation in the standard of review for the different fundamental rights enabling a high standard of protection for these most crucial fundamental rights. Second, the distinctions should assist in compensating for the particular challenges of certain rights on the internet, and enable an efficient use of resources. Third, these distinctions would make it possible to focus on extraterritorial application of fundamental rights, taking into consideration legitimate claims of third countries or international organisations.

Extraterritorial application of EU law in certain fields of EU intervention such as privacy and data protection is legitimate, precisely because the core values of Article 2 TEU – particularly democracy, the rule of law and fundamental rights – are at stake. This legitimacy does not necessarily exist to the same extent for all fundamental rights included in the Charter.

[43] As illustrated by the CJEU in Case C-131/12, Google Spain and Google Inc., EU:C:2014:317.

The Charter does not establish a hierarchy between fundamental rights. This book proposes a simple taxonomy that would permit the application of different standards of review in respect of fundamental rights protection on the internet, without creating a hierarchy. This taxonomy would serve the three purposes mentioned above, and would enable an efficient use of resources, whilst also taking a focused approach on extraterritorial application.

The book suggests that the legitimacy of the role of the Court would further improve, if the Court were to assess, in a systematic manner, the application of the rights to privacy and data protection, taking into account this simple taxonomy. Privacy and data protection fall within the category of fundamental rights that have a high impact on human dignity.

This means more concretely that: (1) there is a necessity of protection in an online environment; (2) where needed, extraterritorial application of the rights must be safeguarded; (3) the rights should be applicable in horizontal relations; (4) restrictions and limitations of these rights are subject to a strict test; (5) where a balance is needed with other fundamental rights and public interests, the essential nature of the rights to privacy and data protection should be taken into account; and (6) this may lead to an approach where the Court adjudicates itself, and does not defer the matter to the national courts (in preliminary ruling procedures). These requirements are in line with the current practice of the Court on privacy and data


10.5.4 Effectiveness as a Factor for Success of the CJEU (The Fourth Component)

Effectiveness is a key factor in the case law of the Court of Justice. Effectiveness is an important perspective in the Court’s interpretation of everyone’s rights to privacy and data protection. Effectiveness is a guiding principle for the Court, also where it assumes the role of promoting integration (on markets and elsewhere) and where it acts as an umpire in situations where other public interests or other governmental actors have an impact on the exercise of Article 16(1) TFEU.

Integration (on markets and elsewhere) is an additional interest to be taken into account by the Court, where it rules on the basis of Article 16 TFEU. The integration of data protection law in the European Union is to a large extent based on considerations of effectiveness, based on the view that fragmentation would weaken the protection. Forum shopping by big internet companies, in the sense of choosing a forum in a Member State with a perceived low level of protection in a fragmented Europe, is the example of a practice that may weaken the protection.

The Court acts as an umpire between different powers. Precise answers by the Court are required, in compliance with the principle of effectiveness, where the Court adjudicates on the boundaries between competences under Article 16 TFEU and related competences.

10.5.5  Final Recommendation

In recent years, the Court of Justice played an important role in promoting privacy and data protection, also taking into account the impact of the information society. Two rulings in 2014, Google Spain and Google Inc., and Digital Rights Ireland and Seitlinger, are the best illustrations of a court taking privacy and data protection


This book makes the recommendation to base the scrutiny of fundamental rights on a simple taxonomy. This taxonomy of fundamental rights is structured as


(a) Non-derogable or absolute fundamental rights, corresponding to the rights included in Title I of the Charter, entitled dignity;

(b) Rights with a huge impact on human dignity, but not qualified as

(c) Social, cultural and economic rights.

Further categories include: principles in the Charter (as meant in Articles 51(1) and 52(5) thereof), the fundamental freedoms of the Treaties relating to free movement, and the undefined species of public and general interests.

10.6 The European Parliament and the Council Lay Down the Rules, Whilst Respecting the Role of the Member States Under Article 16(2) TFEU

10.6.1 Article 16(2) TFEU and the Exhaustive Nature of the EU Legislator’s Task (The First Component)

The mandate of the European Union to act under Article 16 TFEU is widely formulated, and gives the Union the opportunity to realise its ambitions. Article 16(2) TFEU must be seen as an explicit choice of the authors of the Treaty to bring data protection to the Union level, by giving the European Parliament and the Council, in their common capacity as the EU legislator, the duty to lay down the rules. The European Parliament and the Council must act in accordance with the ordinary legislative procedure, on the basis of a proposal by the European Commission.

Article 16(2) TFEU contains a duty to adopt EU legislation: the EU legislator shall adopt the rules on data processing. The material scope of the rules includes all personal data. An exception to the material scope, excluding certain types of personal data – such as pseudonymised data – from the EU rules, cannot be laid down in secondary EU law. The European Union shares the competence under Article 16(2) TFEU with the Member States. However, there is not much autonomous room for the Member States to adopt legislation in this area. The General Data Protection Regulation, in particular, will take away most of the remaining Member States’


The data protection reform – with the General Data Protection Regulation as the centrepiece – should lead to the full implementation of this duty of the EU legislator, also in domains where at present EU rules are lacking.[44]

The mandate under Article 16(2) TFEU runs a parallel with the competence of the EU legislator under Articles 18 and 19 TFEU on equal treatment and non-discrimination. Both mandates deal with fundamental rights, although they both have their origins in the internal market. High standards of effective protection are observed in both areas, due to this enhanced status. However, under Articles 18 and 19 TFEU, the Member States may still claim discretionary powers and require a higher level of protection under national law. These discretionary powers do not exist under Article 16(2) TFEU, for instance because of the importance of a uniform level of data protection in the digital single market.

10.6.2 The Constitutional Safeguards Under EU Law: A Regulation as the Appropriate Instrument and a Legislator Confronted with Interfaces with Other Competences (The Second Component)

The adoption of the General Data Protection Regulation – an EU regulation replacing an EU directive – as the main instrument for data protection is an appropriate choice of legislative instrument. This regulation should not only ensure a high level of protection, but also a harmonised level. In the context of the negotiations on the General Data Protection Regulation, it was discussed whether – in the light of subsidiarity – protection in the public sector should not be left to the Member States, or whether it should be subject to a specific regime with limited harmonisation making


[44] Such as the processing of personal data in the police and judicial sectors in the absence of cross-border elements, Article 1(2) of Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ L 350/60.

