Tải bản đầy đủ - 0 (trang)
6 The European Parliament and the Council Lay Down the Rules, Whilst Respecting the Role of the Member States Under Article 16(2) TFEU

6 The European Parliament and the Council Lay Down the Rules, Whilst Respecting the Role of the Member States Under Article 16(2) TFEU

Tải bản đầy đủ - 0trang

532



10  Making Article 16 TFEU Work: Analysis and Conclusions



European Parliament and the Council must act in accordance with the ordinary legislative procedure, on the basis of a proposal by the European Commission.

Article 16(2) TFEU contains a duty to adopt EU legislation: the EU legislator

shall adopt the rules on data processing. The material scope of the rules includes all

personal data. An exception to the material scope, excluding certain types of personal data – such as pseudonymised data – from the EU rules, cannot be laid down

in secondary EU law. The European Union shares the competence under Article

16(2) TFEU with the Member States. However, there is not much autonomous room

for the Member States to adopt legislation in this area. The General Data Protection

Regulation, in particular, will take away most of the remaining Member States’

autonomy.

The data protection reform – with the General Data Protection Regulation as the

centrepiece – should lead to the full implementation of this duty of the EU legislator, also in domains where at present EU rules are lacking.44

The mandate under Article 16(2) TFEU runs a parallel with the competence of

the EU legislator under Articles 18 and 19 TFEU on equal treatment and non-­

discrimination. Both mandates deal with fundamental rights, although they both

have their origins in the internal market. High standards of effective protection are

observed in both areas, due to this enhanced status. However, under Articles 18 and

19 TFEU, the Member States may still claim discretionary powers and require a

higher level of protection under national law. These discretionary powers do not

exist under Article 16(2) TFEU, for instance because of the importance of a uniform

level of data protection in the digital single market.



10.6.2  T

 he Constitutional Safeguards Under EU Law:

A Regulation as the Appropriate Instrument

and a Legislator Confronted with Interfaces with Other

Competences (The Second Component)

The adoption of the General Data Protection Regulation – an EU regulation replacing an EU directive – as the main instrument for data protection is an appropriate

choice of legislative instrument. This regulation should not only ensure a high level

of protection, but also a harmonised level. In the context of the negotiations on the

General Data Protection Regulation, it was discussed whether – in the light of subsidiarity – protection in the public sector should not be left to the Member States, or

whether it should be subject to a specific regime with limited harmonisation making



44



 Such as the processing of personal data in the police and judicial sectors in the absence of crossborder elements, Article 1(2) of Council Framework Decision 2008/977/JHA of 27 November

2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ L 350/60.



10.6 The European Parliament and the Council Lay Down the Rules, Whilst…



533



it possible that Member States complement the EU rules.45 This book took the position that a specific approach in the public sector would not be an appropriate choice

of instrument: there should be no distinction in law between the private and the

public sector. The individual deserves equal protection in the public and the private

sector. The fact that the Member States play and should play an important role

should not result in an unsatisfactory choice of instruments.

Moreover, in the exercise of its mandate, the EU legislator is confronted with

interfaces with competences of the European Union itself and of the Member States

in related areas. These interfaces have an impact on the mandate under Article 16

TFEU. This book identifies specific areas where interfaces exist: the freedom of

expression and information where the Union has limited competence, but where

internet developments have a big impact on the enjoyment of the freedom; open

data and the interface between transparency and data protection; and measures for

internet monitoring with the aim of enforcing intellectual property rights.

Furthermore, EU data protection affects core competences of Member States and

therefore the Member States have a legitimate role to play, although often by delegation. The book mentions five categories of provisions where the Member States

should exercise competence in privacy and data protection.46 First, EU law builds on

national law where national law provides a ground for the processing of personal

data, for example in the public interest; second, EU law mandates national law to

give effect to its provisions, for example where it obliges the Member States to

establish data protection authorities; third, EU law allows or requires national law

to specify EU rules; fourth, EU law allows or requires national law to depart from

EU rules; fifth, provisions enabling the Member States to balance privacy and data

protection with other fundamental rights, within their field of competence.



10.6.3  L

 egitimacy as a Factor for Success of the EU Legislator

(The Third Component)

There is one EU legislator. However this legislator is composed of different institutions. The input of the three institutions involved in the ordinary legislative procedure, respecting the institutional balance, gives democratic legitimacy to the

mandate of the EU legislator, with the nuances explained in Chap. 4 of this book.

The input in the negotiations on the data protection reform explains this. As a rule,

the European Parliament acts as a supporter of strong privacy and data protection,

whilst the Council represents national concerns and the Commission is committed

to integration.



45



 See Peter Blume, The Public Sector and the Forthcoming EU Data Protection Regulation,

European Data Protection Law Review 1/2015, pp. 32–38.

46

 Largely based on: European Data Protection Supervisor, Opinion of 7 March 2012 on the data

protection reform package, at II.2.a.



534



10  Making Article 16 TFEU Work: Analysis and Conclusions



In addition, involvement of Member States and national authorities is required,

for reasons of legitimacy. The European Union acts internally within a pluralist

legal context, with an important role for the Member States in accordance with the

principle of subsidiarity. Three considerations are: first, minimise the impact of the

uniform EU framework for data protection on competences of Member States

(including core state functions); second, allow additional national standards to the

extent they do not affect the effet utile of the uniform EU framework; third, provide

for implementation and control on national level with respect of the executive federalism of the European Union.

The EU legislator should also involve the private sector and civil society in the

legislative process. Consultation of the different stakeholders in the decision-­making

process enhances the legitimacy of the process, provided the consultation takes

place in a balanced and transparent way. This could lead to a better result that takes

the different interests at stake into consideration.

The EU legislator should address the interfaces between privacy and data protection and security in an intelligent manner, also for reasons of legitimacy, taking into

account the case law of the Court of Justice. Security is a priority for the European

Union and the Member States, and national and EU laws are adopted allowing a

wide use of personal data for security purposes. The EU competences in the area of

freedom, security and justice focus on the coordination and cooperation between the

Member States, for reasons of security. The use of these competences – for instance

through EU legislation – facilitates the exchange of large amounts of personal data

between police and judicial authorities on the national and the EU level, but should

not unduly impact on everyone’s right to privacy and data protection.

There are important synergies between privacy and data protection, on the one

hand, and economic interests, on the other hand. Addressing these synergies is primarily a task of the EU legislator and not of the Court of Justice, which adjudicates

only when disputes are brought before it. The Court does evidently not play a role

where the issue is to find synergies between different areas of intervention. Using

synergies in different areas of intervention by the European Union and the Member

States enhances the legitimacy of the contribution of the EU legislator under Article

16 TFEU.

Respect of privacy and data protection is supposed to create trust. Trust positively influences – or even boosts – growth and innovation. This consequence is, for

instance, recognised, in connection with the Digital Agenda for Europe.47 The concept of Privacy by Design48 is the example. Using this concept must enhance trust in

data protection and create economic incentives. The legal framework for electronic

47



 See: Communication from the Commission to the European Parliament, the Council, the

European Economic and Social Committee and the Committee of the Regions, A Digital Agenda

for Europe, COM(2010) 245 final.

48

 Included – under the heading of “data protection by design or by default” – as an obligation to

implement the appropriate technological and organisational measures in Article 23 of the Proposal

for a Regulation of the European Parliament and of the Council on the protection of individuals

with regard to the processing of personal data and on the free movement of such data (General

Data Protection Regulation), COM (2012), 11 final.



10.6 The European Parliament and the Council Lay Down the Rules, Whilst…



535



communications may create synergies,49 because it gives governments responsibility in network governance, in contrast with the governance of the internet infrastructure, where governments have less of a role to play. Government responsibility

in network governance could be used for enhancing control over the processing of

personal data, provided governments take considerations of privacy and data protection into account in the exercise of this responsibility.

An example of synergy between privacy and data protection, on the one hand,

and consumer protection, on the other hand, is Directive 2005/29 on unfair commercial practices,50 which prohibits misleading omissions and requires transparency

in business-to-consumer transactions. This directive could also be used as an instrument requiring internet services to apply transparent privacy policies.

Competition law has relevance in the context of this book, because the information economy is characterised by an asymmetric structure. In this information economy, personal data have become an asset. Companies acquire market dominance,

precisely because they accumulate large amounts of personal data. At present, competition law and privacy and data protection are areas of EU intervention with little

interconnection. However, an approach based on synergies would enhance the legitimacy of the European Union, demonstrating that different parts of bureaucracy are

managing to join efforts in addressing challenges of the information society. This

book suggests that these synergies should be addressed by the EU legislator, in further changes of the EU legislative framework.



10.6.4  E

 ffectiveness as a Factor for Success of the EU

Legislator (The Fourth Component)

The outcome of a legislative process, which involves three institutions and various

other actors, by definition has the features of a compromise. Compromise solutions

are not necessarily the best solutions for dealing with privacy and data protection on

the internet.

This prospect of a compromise makes an appropriate choice of legislative

arrangements even more crucial. The starting point for the EU legislator is the

choice of the legislative instruments as such. The Commission considers that a regulation is the best legal instrument for data protection, based on reasons that are –

more or less – related to effectiveness. A regulation “will reduce legal fragmentation

49



 E.g., Proposal for a Regulation of the European Parliament and of the Council laying down measures concerning the European single market for electronic communications and to achieve a

Connected Continent, and amending Directives 2002/20/EC, 2002/21/EC and 2002/22/EC and

Regulations (EC) No 1211/2009 and (EU), No 531/2012, COM (2013), 627 final.

50

 Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending

Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European

Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and

of the Council (Unfair Commercial Practices Directive), OJ L 149/22.



536



10  Making Article 16 TFEU Work: Analysis and Conclusions



and provide greater legal certainty by introducing a harmonised set of core rules,

improving the protection of fundamental rights of individuals and contributing to

the functioning of the Internal Market.”51

This book subscribed to this view of the Commission and focused on the substantive content of the legislative instruments, underlining that the arrangements

within these legal instruments should give the right incentives to data controllers to

effectively ensure protection on the internet. The Commission recognises the need

for specific arrangements that anticipate the developments on the internet, more

generally, in its Better Regulation Guidelines of 201552 and in policies under the

umbrella of Smart Regulation. Multi-stakeholder solutions or multi-level governance is a concept that plays an increasing role in the governance of privacy and

data protection in the European Union.

The involvement of the private sector and NGOs in the governance of privacy

and data protection is necessary in view of their key role on the internet. Involvement

of these stakeholders should take place recognising the responsibilities of new roles.

Search engines having a quasi-public role in the distribution of information, as a

result of Google Spain and Google Inc.,53 are an example.

Furthermore, in accordance with the principle of effectiveness, the rules on privacy and data protection should be appropriate to face the challenges in the information society. This means, for instance, that they must provide an adequate response

in a technologically turbulent environment, by defining rules that are technology-­

independent and hence not too precise. At the same time, the mandate of the EU

legislator should be exercised, taking into consideration that fundamental rights of

individuals are at stake. This latter consideration imposes limits on the use of ‘open

norms’ not giving sufficient legal certainty to the data subject.

Accountability of data controllers and data processors should play an important

role as a legislative technique, allocating responsibility to those actors. Accountability

is a concept, connected to corporate social responsibility. Accountability is an alternative for command-and-control legislation, based on general notions of quality of

legislation. Accountability schemes such as company privacy programmes should

be sufficiently precise. The relation of these schemes to the provisions of EU data

protection law should be fully transparent.

Appropriate enforcement is needed as a key element of effectiveness. Under the

rule of law judicial and other remedies must be easily accessible and complete, and

the mechanism of protection must be transparent for the individual. The arrangements in the rules adopted under Article 16(2) TFEU for the DPAs and their cooperation mechanisms should ensure this.

51



 Proposal for a Regulation of the European Parliament and of the Council on the protection of

individuals with regard to the processing of personal data and on the free movement of such data

(General Data Protection Regulation), COM (2012), 11 final, Explanatory Memorandum, at 3.1.

52

 Commission Staff Working Document, Better Regulation Guidelines, SWD (2015) 111 final, at

23.

53

 Further read: Stefan Kulk and Frederik J. Zuiderveen Borgesius, Google Spain v. González: Did

the Court Forget About Freedom of Expression? September 4, 2014, European Journal of Risk

Regulation (2014).



10.7 Independent DPAs Exercise Control as Expert Bodies with Full Independence,…



537



10.6.5  Final Recommendation

The book mentioned five directions for the European Union and the Member States

to regain control of data protection on the internet. First, the existing legal instruments for privacy and data protection should be interpreted in a way that takes the

changed circumstances into consideration; second, the legislative arrangements

should be adapted to the new circumstances; third, the changed relationship between

the public and the private sector should be addressed, by recognising a closer

involvement of the private sector in the implementation of the law without questioning the final responsibility of government; fourth, the European Union and the

Member States should focus their interventions on the essential components of privacy and data protection, for pragmatic reasons and for jurisdictional reasons; fifth,

the European Union and the Member States could reconsider the main principles of

data protection, in order to adapt these principles to the changed circumstances,

however without losing sight of the need for protection of individuals. This fifth

direction is for the long term, if only because the main principles of data protection

are laid down in primary EU law.

These directions are relevant for the entire mandate of the European Union under

Article 16 TFEU. However, the contribution of the EU legislator plays a key role in

regaining control. A regulation is the appropriate legislative instrument, also for the

public sector.

Data protection as a right to fair processing requires the legislator to give effect

to the core elements of data protection, mentioned in the Charter. The focus in the

General Data Protection Regulation is the adaptation of legislative arrangements to

the new circumstances. One thing the regulation explicitly omits, is addressing the

principles or values of privacy and data protection as such.

This book recommends developing a strategy for the legislator on how to regain

control, based on the five directions mentioned above and focusing on the impact of

the internet on the main principles of data protection. In the long term, this strategy

could result in the re-thinking of the principles or values of privacy and data

protection.



10.7  I ndependent DPAs Exercise Control as Expert Bodies

with Full Independence, but Are Not Exempted

from Democratic Accountability

10.7.1  A

 rticle 16(2) TFEU and the Variety of Roles

of the DPAs (The First Component)

An essential part of the enforcement of EU data protection law is assigned to expert

bodies, which are primarily the DPAs of the Member States. These DPAs are independent public authorities with a variety of roles: ombudsmen, auditors,



538



10  Making Article 16 TFEU Work: Analysis and Conclusions



consultants, educators, policy advisors, negotiators and enforcers.54 In short, not

only is the Union’s mandate under Article 16 TFEU broad, but so is the mandate of

the DPAs within the European Union and the Member States.

The embedding of the role of DPAs in primary law gives them constitutional

status under EU law. In the information society, their role is justified by the size of

the issues at stake, and by the fact that traditional methods of governance by the

executive, legislative and judicial branches are not considered sufficient. These

independent authorities fulfil an important public task, but they are not accountable

for their performance to the democratically elected bodies.

The embedding of the role of DPAs in primary law also ensures that they have

full competence under EU law, with a variety of roles attributed to them. Other

European or national authorities – like national ombudsmen or agencies in neighbouring areas – can be competent to deal with data protection issues, but their competence does not derogate from the competence of the DPA. To give an example: an

individual may have a right to submit a complaint relating to a data processing

operation to an ombudsman or an agency in a neighbouring area. However, the

exercise of this right to complain does not deprive the individual of his right to

involve the DPA, nor does it affect the competence of the DPA to act of own motion.

The book identified six reasons behind the existence of DPAs. First, historical

reasons; second, the need for structural support in the area of data protection; third,

the nature of data processing and the skills for understanding data processing;

fourth, the need for control of the private sector and, equally, of governments in

their capacities of controllers or processors of personal data; fifth, the need for independence from political preferences; sixth, the capability to combine expertise and

flexibility, and to dedicate their resources fully to data protection.



10.7.2  T

 he Constitutional Safeguards Under EU Law: DPAs

as Non-majoritarian Expert Bodies (The Second

Component)

From the institutional perspective, the DPAs are a new branch of government: they

are non-majoritarian expert bodies. They are in some respects different from and in

others similar to both national agencies recognised under EU law and EU agencies.

Agencies enjoy autonomy. There are two main differences between agencies and

DPAs. First, the agencies must respect general government policies, whereas the

DPAs do not have to respect this type of guidance. Second, the requirements on

what constitutes institutional independence are considerably less strict for agencies

than for DPAs. There are two main similarities: First, DPAs as well as agencies are

bodies composed of experts exercising public tasks and they function, in substance,



54



 The Governance of Privacy, Colin J. Bennett and Charles D. Raab, Ashgate Publishing, 2003, at

109–114.



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

6 The European Parliament and the Council Lay Down the Rules, Whilst Respecting the Role of the Member States Under Article 16(2) TFEU

Tải bản đầy đủ ngay(0 tr)

×