Tải bản đầy đủ - 0 (trang)
9 External EU Action on the Internet: Solving Conflicting Jurisdictional Claims and Substantive Divergences, with a Powerful EU in the International Domain

9 External EU Action on the Internet: Solving Conflicting Jurisdictional Claims and Substantive Divergences, with a Powerful EU in the International Domain

Tải bản đầy đủ - 0trang

550



10  Making Article 16 TFEU Work: Analysis and Conclusions



Where the European Union uses its external competence, it acts under international law. The Court of Justice determines the limits of the Union’s external competence and of the primacy of international law in the EU legal order. It is the Court

itself that ultimately – and in last resort exclusively – interprets the Charter and,

more generally, EU law. Provisions of international agreements have direct effect

within the EU legal order, but subject to the nuance that international law cannot

have the effect of prejudicing the constitutional principles of the Treaties (the Kadi

case law).66

The qualification of DPAs as new branches of government also has institutional

consequences in the external domain. In the areas of their competence, the DPAs

represent the European Union externally. However, they must respect the consistency of external EU policy. The principle of sincere cooperation binds the DPAs,

but also commits the EU institutions to involve the DPAs where they take positions

in the external domain on policies touching upon privacy and data protection, for

instance in negotiations with third countries in this area, conducted according to the

procedure of Article 218 TFEU. DPAs should not commit the European Union to

international obligations, but they are empowered to engage in enforcement

arrangements.

This brings us to the external strategies in the light of the constitutional safeguards under EU law. This book distinguishes three strategies for the European

Union operating in the external domain: a unilateral, a bilateral and a multilateral

strategy. The unilateral strategy basically means exporting the EU standards. The

bilateral strategy involves seeking arrangements with relevant, like-minded jurisdictions such as the US and, by doing so, building bridges between these jurisdictions.

The multilateral strategy aims at developing global standards.

These strategies should deal with the two types of issues mentioned above: conflicting jurisdictional claims and divergences in substantive law. Reconciling

­legitimacy and effectiveness means in relation to jurisdictional claims: ensuring

effective protection of individuals in the European Union and, at the same time, basing the legitimate claim of jurisdiction on the internet on a meaningful link with the

Union. Divergences in substantive laws could be addressed by allowing practical

arrangements with third countries and international organisations at an effective

level of protection, but not by lowering the legitimate level of protection of individuals in the European Union.



66



 Mainly, Joined cases C-402/05P and 415/05P, Kadi and Al Barakaat, EU:C:2008:461.



10.9 External EU Action on the Internet: Solving Conflicting Jurisdictional Claims…



551



10.9.3  L

 egitimacy as a Factor for Success for the EU Acting

in the External Domain (The Third Component)

The relationship between the European Union and the jurisdictions of third countries and international organisations is one of the main complicating factors of

effective internet regulation, also from a perspective of legitimacy. The -legitimacy

of external EU action is also affected by – possibly conflicting – legitimate claims

of third countries and international organisations.

In the external relations with third countries, the relationship with the United

States plays an important role. An important element of the controversy between the

EU and the US is a difference in approach between the two jurisdictions. The

approach of the US – at least in relation to consumer privacy – does not aim at giving wide territorial scope to US law, but at increasing interoperability between privacy laws by pursuing mutual recognition. In contrast, the fact that privacy and data

protection have the status of fundamental rights under EU law prevents the mutual

recognition of substantive principles of EU law in this area, if the standards in a

third country do not comply with the Charter.

Two of the most relevant international organisations for the European Union are

the United Nations and the OECD. Under current law, the UN does not impose any

obligation on the EU. However, the EU should encourage the UN to play a more

prominent role. The OECD guidelines emphasise the need for improved interoperability of privacy frameworks and for cross-border cooperation between privacy

enforcement authorities. The OECD is a suitable forum for discussion with the US.

The closest ally of the European Union in the field of data protection is the

Council of Europe, which provided inspiration for privacy and data protection in the

Union, through the case law of the European Court of Human Rights and through

Convention 108. Institutionally it is a difficult relationship, as may be illustrated by

the negative Opinion of the EU Court of Justice on the draft accession agreement on

the accession of the Union to the ECHR,67 as provided for in Article 6 TEU. An

example in the domain of privacy and data protection illustrates the difficult relationship: ratification by a third country of Convention 108 – meaning compliance

with the Convention – does not guarantee that a third country is considered as providing adequate protection under Directive 95/46 making it possible that personal

data are transferred to this third country without further safeguards.

A legitimate claim to external EU jurisdiction in the area of privacy and data

protection should be based on a meaningful link with the effective protection of the

individual in the European Union. This meaningful link with the Union could consist of personal jurisdiction based on residence and the doctrine of effect. The book

suggests that the Union should promote this foundation of – personal – jurisdiction

in the international context. This suggestion does not aim at solving the problem of

67



 Opinion 2/13 pursuant to Article 218(11) TFEU – Draft international agreement – Accession of

the European Union to the European Convention for the Protection of Human Rights and

Fundamental Freedoms, EU:C:2014:2475.



552



10  Making Article 16 TFEU Work: Analysis and Conclusions



internet jurisdiction, but could be included in the external EU action in the area of

privacy and data protection.

The European Union should, also in the external domain, respect some degree of

accountability towards political institutions. This accountability has a connection

with the democratically agreed substantive level of privacy and protection, as laid

down in the EU rules under Article 16(2) TFEU. Where the Union acts in the external domain, individuals may have the legitimate expectation that this will not lower

the – legitimate – level of protection of individuals in the European Union.68



10.9.4  E

 ffectiveness as a Factor for Success for the EU Acting

in the External Domain (The Fourth Component)

Effectiveness is even more decisive as a factor in the external domain than it is in the

internal domain. The perceived loss of control is closely related to the fact that many

data controllers have their establishment outside EU territory and that personal data

of individuals in the European Union are available all over the globe. Effectiveness

is the factor for success. This justifies explaining three strategies for external action

of the Union in the light of the effectiveness of the EU action.

The unilateral strategy – which basically means exporting the EU standards – is

a potentially successful approach, if it is based on the conditions of Bradford, which

are summarised as the “Brussels effect”.69 The European Union has regulatory

clout, manages to set the global standards for regulation on privacy and data protection and is capable of ‘exporting’ its system on privacy and data protection and of

assuming leadership in global regulation. This strategy enables the building of alliances on a practical level with like-minded countries, based on common challenges

in the field of internet privacy.

This book explained the bilateral strategy as an approach through which the

European Union seeks to conclude arrangements with relevant, like-minded jurisdictions such as the US and, by doing so, to build bridges between these j­ urisdictions.

A bilateral agreement on privacy and data protection between the EU and the US,

based on reciprocity, would be something new.70 An agreement does not necessarily

mean an approximation of standards of privacy and data protection, which could be

difficult to align with the Charter, but could also focus on mutual recognition, standardisation processes or enforcement cooperation.



 This is illustrated by Case C-362/14, Schrems, ECLI:EU:C:2015:650, where this expectation

was not met and hence a Commission Decision was declared invalid.

69

 Anu Bradford, “The Brussels Effect”, Northwestern University Law Review, Vol. 107, No. 1, 2012.

70

 Possibly, with the exception of the Agreement between the United States of America and the

European Union on the protection of personal information relating to the prevention, investigation,

detection, and prosecution of criminal offenses (“Umbrella Agreement”), signed by the EU and the

US on 2 June 2016.

68



10.9 External EU Action on the Internet: Solving Conflicting Jurisdictional Claims…



553



The multilateral strategy aims at developing global standards. The European

Union should strive for global rules, most logically within the framework of the

United Nations. The multilateral strategy is rather a long shot, but a multilateral,

global agreement, would in the long term, be the most appropriate instrument for

effectively ensuring privacy and data protection on a global scale. Such an agreement would not necessarily include an approximation of standards, but it could also

focus on mutual recognition, standardisation processes or enforcement

cooperation.

The contributions of the actors and roles indicated in Article 16 TFEU demonstrate that in practice the unilateral strategy is most important.

In Google Spain and Google Inc, the Court of Justice contributed to the unilateral strategy under Article 16 TFEU, by highlighting the effectiveness of the protection of Europeans and by requiring a meaningful link with the European Union. The

Court did not address the impact of its ruling on competing jurisdictions on the

internet. The ruling in Schrems71 on the Safe Harbour Agreement with the US72 was

the first opportunity for the Court to clarify the essential requirements for bilateral

and multilateral agreements, affecting the protection of individuals within the

Union. A second opportunity will present itself with the Opinion on the agreement

with Canada on passenger name record data.73

The EU legislator gives wide external effect to EU law on data protection, with

the unilateral approach as a composing element and the regime of data transfers as

a typical example. Article 48 of the General Data Protection Regulation is a unilateral solution for a conflict of law. Promising bilateral or multilateral strategies

include methods to ensure the interoperability between different legal systems,

without necessarily adapting the level of protection in other regions of the world to

the EU level, nor lowering the level of protection in the European Union.

For the DPAs and the cooperation between DPAs the starting point is a unilateral strategy: the task of the authorities is to control EU law. The cooperation

between DPAs and regulatory agencies in third countries is an exponent of the

bilateral and multilateral strategy. Bilateral Memoranda of Understanding

between European DPAs and the Federal Trade Commission74 and multilateral

cooperation in the Global Privacy Enforcement Network (GPEN)75 are examples.

It is an omission that the General Data Protection Regulation does not include



 Case C-362/14, Schrems, ECLI:EU:C:2015:650.

 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the

European Parliament and of the Council on the adequacy of the protection provided by the safe

harbour privacy principles and related frequently asked questions issued by the US Department of

Commerce, OJ L 215/7.

73

 Opinion 1/15 (pending) on Agreement between Canada and the European Union on the transfer

and processing of passenger name record data

74

 The DPAs in Ireland, the UK and The Netherlands cooperate with the FTC on the basis of these

memoranda, see Chap. 9, Sect. 9.17.

75

 See: https://www.privacyenforcement.net.

71

72



554



10  Making Article 16 TFEU Work: Analysis and Conclusions



rules on enforcement cooperation with authorities of third countries and with

international organisations.



10.9.5  Final Recommendation

The European Union emphasises the need for taking responsibility for globalisation, claiming that its values have a normative strength and are universally applicable. The Union has global power through the legal standards representing these

values.

In order to ensure effective protection of individuals on the internet, the preferred

strategy should be the unilateral strategy, aiming at exporting EU values in the international domain. The European Union could thereby use facilities offered by the

Council of Europe, such as the possibility of non-European countries adhering to

Convention 108. As part of this strategy, on a practical level, bridges should be built

with like-minded countries.

In addition, the bilateral strategy should be explored, focusing on mutual recognition, standardisation processes or enforcement cooperation, based on the communalities between the systems, but also accepting the differences. The OECD

could possibly play a role.

In the long term, a UN Treaty would ensure the best protection (the multilateral

approach). The European Union should take initiatives in order to facilitate the

adoption of such a Treaty, with the ambition to achieve a minimum standard of data

protection.



10.10  The Prospect of a GDPR

This book was based on the present state of EU data protection law. This final chapter ends with a short outlook towards future EU law on data protection, by expressing some expectations in respect of the governance model under Article 16 TFEU

following the data protection reform, particularly the General Data Protection

Regulation. These observations will remain general, to avoid becoming speculative,

also because at the time of writing much was still unclear about the final outcome of

legislative texts and about the application of these texts in practice.

The subject of this book was Article 16 TFEU. The book gave an analysis of the

mandate under Article 16 TFEU. The book analysed neither Directive 95/46, nor

any other legislative instrument of the European Union in the area of privacy and

data protection. Of course, Article 16 TFEU cannot be analysed in isolation and the

book regularly referred to Directive 95/46, and sometimes to other legislative instruments on data protection.

These considerations explain why this book does not include an assessment of

the General Data Protection Regulation, nor of the directive for data protection in



10.10 The Prospect of a GDPR



555



the police and judicial sectors.76 At several places the book includes references to

the General Data Protection Regulation and sometimes to the directive, as an illustration of points made.

The General Data Protection Regulation contains elements designed to significantly change the governance of EU privacy and data protection, not the least of

which is the changed legal instrument, with a regulation replacing a directive as the

core instrument. The provisions in the General Data Protection Regulation have an

impact on the exercise of the various roles under Article 16 TFEU.77 The regulation

is designed to contribute to the effective and legitimate exercise of the mandate of

the European Union, enabling the actors under Article 16 TFEU to contribute to the

fulfilment of this mandate in a successful manner.



10.10.1  The Legislative Process

On 25 January 2012, the Commission adopted its proposal for a General Data

Protection Regulation,78 together with a proposal for a directive for data protection

in the police and judicial sectors,79 and a Communication explaining the data protection reform, as a package. These documents followed wide consultations with

interested parties lasting for over 2 years.80 The European Data Protection Supervisor

had already called for a reform of the legislative framework in July 2007.81

On 12 March 2014, the European Parliament adopted a legislative resolution on

the proposed regulation, in which it proposes 207 amendments on the recitals and

articles of the Commission proposal.82 These 207 amendments are a synthesis of

more than 4000 proposals for amendments submitted by Members of the European



76



 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences

or the execution of criminal penalties, and on the free movement of such data, and repealing

Council Framework Decision 2008/977/JHA, OJ L 119/89.

77

 As explained, e.g., by Viviane Reding, The European data protection framework for the twentyfirst century, International Data Privacy Law, Vol. 2, No. 3, pp 119–129, 2012.

78

 Commission Proposal for a General Data Protection Regulation, COM (2012), 11 final.

79

 Proposal for a Directive of the European Parliament and of the Council on the protection of

individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution

of criminal penalties, and the free movement of such data, COM (2012), 10 final.

80

 Commission Proposal for a General Data Protection Regulation, COM (2012), 11 final,

Explanatory Memorandum, at 2.

81

 European Data Protection Supervisor, Opinion of 25 July 2007 on the Communication from the

Commission to the European Parliament and the Council on the follow-up of the Work Programme

for better implementation of the Data Protection Directive, OJ C 255/1.

82

 Report of the European Parliament, available on: http://www.europarl.europa.eu/sides/getDoc.

do?type=TA&reference=P7-TA-2014-0212&language=EN&ring=A7-2013-0402.



556



10  Making Article 16 TFEU Work: Analysis and Conclusions



Parliament.83 On the same date, the European Parliament adopted a legislative resolution on the proposal for a directive for data protection in the police and judicial

sectors.

On 15 June 2015, the Council of the European Union adopted a general approach

on the proposed regulation, but not yet on the proposed directive.84 In this general

approach, the Council submits a fully revised text of the Commission proposal. On

the basis of these three documents,85 the informal trilogue was taking place in which

the European Parliament, the Council and the Commission participated. This led to

an outcome86 on substance and finally to the formal adoption on 27 April 2016.

These trilogues, not mentioned in Article 294 TFEU, which outlines the ordinary

legislative procedure under EU law, are usually conducted in a non-transparent

manner.87 The objective is to reach an agreement on the text that enables the adoption of the regulation under what Article 294 TFEU calls “the first reading”. The

TFEU lays down formally that “if the Council approves the European Parliament’s

position, the act concerned shall be adopted in the wording that corresponds to the

position of the European Parliament”.88 In practice, the agreement between the

institutions is laid down in a position of the European Parliament and subsequently

approved by the Council.

This all demonstrates the complexity of the process and is a confirmation of what

was said earlier in this book,89 namely that legislation requires reflection and thus

time, whereas in the information society technologies change with a rapid pace. At

the same time, this short overview reflects the determination of the Commission, the

European Parliament and the Council to come to a result.



10.10.2  G

 eneral Remarks on the GDPR, on Effectiveness

and Legitimacy

The debate on the General Data Protection Regulation was largely dominated by

arguments relating to efficiency and effectiveness. The Commission motivates its

proposal on the basis of these arguments. The Explanatory memorandum underlines

83



 J.P. Albrecht, in: Data protection anno 2014: how to restore trust? Contributions in honour of

Peter Hustinx, European Data Protection Supervisor (2004–2014), Hielke Hijmans and Herke

Kranenborg (eds), Intersentia 2014, at 126.

84

 See: http://www.consilium.europa.eu/en/press/press-releases/2015/06/15-jha-data-protection/.

See also Preparation of a general approach, Note from Presidency to Council, 11 June 2015,

9565/15.

85

 For an overview of the different texts, see the Annex (also available as app) of European Data

Protection Supervisor, Opinion of 27 July 2015 – Europe’s big opportunity, EDPS recommendations on the EU’s options for data protection reform.

86

 Available

on

http://www.emeeting.europarl.europa.eu/committees/agenda/201512/LIBE/

LIBE(2015)1217_1/sitt-1739884.#

87

 As referred to in Chap. 4, Sect. 4.10.

88

 Article 294(4) TFEU.

89

 In Chap. 6.



10.10 The Prospect of a GDPR



557



that the “current framework remains sound as far as its objectives and principles are

concerned”. A new framework is needed for other reasons. It should be stronger

than the present one, more coherent and backed by strong enforcement, just to mention a few catchwords used in the Explanatory memorandum.90

An essential impetus for the reform is the empowerment of the individual, the

data controller and the data protection authorities, as is clear from the two communications of the Commission explaining the reform.91 Other documents contributing

to the legislative procedure, too, emphasise the need for improving the effectiveness

of data protection in the European Union. An example is the Opinion of the European

Data Protection Supervisor of 27 July 2015, which underlines the need for the

empowerment of the individual and for the strengthening of the responsibilities of

businesses and public authorities.92

However, these are not the only arguments in the debate. Legitimacy also plays

a role in the discussion in the legislative process. An example is the discussion on

the tasks of the independent data protection authorities and their cooperation within

a one-stop shop mechanism. Several arguments have been put forward,93 relating to

‘proximity’ to ensure that the primary responsibility for protection remains with the

national DPAs.94 The consistency mechanism with involvement of the EDPB should

only be triggered “where it is necessary”. In addition, the mechanism “should not

encroach upon the independence of national supervisory authorities and should

leave the responsibilities of the different actors”.95

Another topic in the discussion is the need for flexibility for the Member States,

to complement and possibly even derogate from the regulation, also in view of the

democratic legitimacy. The concern of the Member States inspired the Council to

propose a new Article 2a for the regulation, allowing Member States to specify the

regulation for the public sector or for data processing “for compliance with a legal

obligation or for the performance of a task carried out in the public interest”.96 This

provision did not survive the trilogues, but some leeway is given to the Member

States in Article 6(2) of the adopted instrument.

90



 Commission Proposal for a General Data Protection Regulation, COM (2012), 11 final,

Explanatory Memorandum, at “Context of the proposal”.

91

 See the references to empowerment or strengthening the control in Communication from the

Commission to the European Parliament, the Council, the European Economic and Social

Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World, A

European Data Protection Framework for the 21st Century, COM (2012) 9 final; Communication

from the Commission to the European Parliament, the Council, the European Economic and Social

Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM (2010) 609 final.

92

 “Effective data protection empowers the individual and galvanises responsible businesses and

public authorities”; European Data Protection Supervisor, Opinion of 27 July 2015 – Europe’s big

opportunity, EDPS recommendations on the EU’s options for data protection reform, at 2.

93

 E.g., by the French DPA (CNIL); Raynal in Carine Dartiguepeyrou (ed.), The Futures of Privacy,

Cahier de prospective, Think Tank Futur Numérique, at 72.

94

 As explained in Chap. 8, Sect. 8.12 of this book.

95

 Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals – WP 191 (23.03.2012), at 20.

96

 Preparation of a general approach, Note from Presidency to Council, 11 June 2015, 9565/15.



558



10  Making Article 16 TFEU Work: Analysis and Conclusions



10.10.3  O

 bservations on the Ambitions of the GDPR to Ensure

a Successful Exercise of the Roles Under Article

16 TFEU

The General Data Protection Regulation implements the mandate under Article 16

TFEU, in principle, in a comprehensive manner, although Article 2(2) thereof

excludes certain areas from its scope.97

First, the General Data Protection Regulation will change the conditions for a

successful exercise of the mandate under Article 16 TFEU in a significant manner.

The chosen instrument – a regulation, with general application, binding in its

entirety and directly applicable in all Member States98 – significantly limits the margin of discretion of the Member States. The Member States will have to repeal their

national data protection laws. The General Data Protection Regulation will centralise the governance of data protection to a large extent at the EU level. This is a

significant change in the exercise of the role of the EU legislator. However, a successful use of the EU mandate will also require that in this domain of fundamental

rights the Member States continue to play a role. The effects of the General Data

Protection Regulation on the Member States are not obvious. It will delegate certain

roles to the Member States, but its effect on the relationship between the two levels

in privacy and data protection and related areas is, at this stage, not fully clear.

Second, the General Data Protection Regulation will have an impact on the conditions for a successful exercise of the role of the Court of Justice’s mandate under

Article 16(1) TFEU. The regulation has a strong focus on improving governance

and will not fundamentally change the main principles of data protection, although

some changes have been included. However, the regulation will not only have an

impact on the possibilities to protect the fundamental right to data protection within

the national jurisdiction, but also on the possibilities of Member States to protect the

rights coinciding with it, such as the freedom of expression, and public interests.

Privacy and data protection are regulated by EU law, whereas other fundamental

rights – and the public interest of security – are mainly a concern for the Member

States. This may impact the balancing in a significant manner, for instance regarding the relationship with the freedom of expression which is left to the Member

States, under Article 85 of the Regulation.

Third, the choice of instrument as well as the substance of a number of provisions in the General Data Protection Regulation will have – as was mentioned

above – a centralising effect on the governance of privacy and data protection and

lead to an expansion of the role of the EU legislator. On the one hand, the regulation

centralises, but, on the other hand, it will also have a strong focus on the involvement of other governmental and non-governmental stakeholders. The regulation

97



 In particular the areas covered by the directive in the police and judicial sectors and the processing by EU institutions, bodies, offices and agencies, Consolidated text (outcome of the trilogue of

15/12/2015), available on http://www.emeeting.europarl.europa.eu/committees/agenda/201512/

LIBE/LIBE(2015)1217_1/sitt-1739884.#.

98

 Article 288 TFEU.



10.10 The Prospect of a GDPR



559



contains provisions detailing the involvement of the private sector, provisions relating to independent supervisory authorities and the cooperation between these

authorities, and provisions on the external aspects of the General Data Protection

Regulation, defining the relationship between the European Union and third countries and international organisations.

A further change is that the General Data Protection Regulation will introduce or

reinforce arrangements with the purpose of improving the governance of privacy

and data protection and, at the same time, bridging the gap between principles and

practice. Accountability is an alternative for command-and-control legislation,

based on general notions of the quality of legislation. Privacy by Design should

enhance trust in data protection and at the same time create economic incentives.

Fourth, the provisions in the General Data Protection Regulation relating to independent supervisory authorities are expected to bring a significant change. These

provisions centralise the main conditions for the functioning of these authorities at

the European level. These provisions also address the presumed weaknesses in the

powers and resources of the DPAs, for instance by attributing strong sanctioning

powers to the DPAs.

Fifth, the General Data Protection Regulation will significantly change the cooperation mechanisms of DPAs. The regulation will create a one-stop shop mechanism with a lead supervisory authority cooperating with its peers, and a consistency

mechanism giving the EDPB a formal role in enforcement. This new structure recognises that horizontal enforcement cooperation between DPAs is not sufficient,

and that a European body should play a role in the enforcement. The structure will

not distinguish between the various roles of the EDPB. The EDPB, as envisaged in

the regulation, could function both as a structured network and as a European

DPA. However, the requirements for the functioning of the EDPB are different,

depending on the function.

Sixth, the provisions of the General Data Protection Regulation dealing with the

external effect of EU data protection law should improve the protection of individuals in the Union, in situations not confined within the territory of the European

Union. The regulation underlines that the offering of goods or services to data subjects in the Union and the monitoring of these data subjects falls within its scope.99

Also, the rules on transfers of personal data to third countries will be modernised,

for instance by creating an explicit legal basis for transfers by way of binding corporate rules.100 However, the regulation itself may be the most important development for the external action of the Union. An EU with a modern and effective regime

for privacy and data protection is expected to give it more leverage in the international domain than an EU that can be criticised because of the imperfections of its

internal legal framework.

99



 Article 3(2) of the GDPR, Consolidated text (outcome of the trilogue of 15/12/2015), available

on http://www.emeeting.europarl.europa.eu/committees/agenda/201512/LIBE/LIBE(2015)1217_1/

sitt-1739884.#.

100

 Article 43 of of the GDPR, Consolidated text (outcome of the trilogue of 15/12/2015), available

on http://www.emeeting.europarl.europa.eu/committees/agenda/201512/LIBE/LIBE(2015)1217_1/

sitt-1739884.#.



560



10  Making Article 16 TFEU Work: Analysis and Conclusions



10.11  Final Conclusions

The success of the European Union in exercising its mandate under Article 16

TFEU is essential for individuals whose fundamental rights are at stake. It is also

essential for our democracies, which are subject to the rule of law. Moreover, if the

Union can successfully realise its ambitions under Article 16 TFEU and is capable

of effectively contributing to the respect of the rights to privacy and data protection,

this will give legitimacy to the mandate under the same article and, in a wider context, raise trust in the European Union (and indirectly, in national governments).

The perspective of this book is optimistic. Under Article 16 TFEU, the European

Union has an appropriate mandate to act in the area of privacy and data protection,

with tasks attributed to the judiciary, the EU legislator and the independent data

protection authorities, in principle without restrictions. The mandate also enables a

successful cooperation between the data protection authorities and for the European

Union as such to operate in the international domain. This optimistic perspective is

also based on the strong position of Europe in the international domain, based on

what has been called the “Brussels effect”.101 Law can make a difference in an information society provided that the available instruments are used in an intelligent

manner. Moreover, the European Union is capable of realising the objectives laid

down in its general constitutional structure, and in particular in Article 16 TFEU.

The success of the European Union in the exercise of its mandate under Article

16 TFEU depends on the way the Union manages to reconcile the requirements of

legitimacy and effectiveness. A successful exercise of the EU mandate in the domain

of privacy and data protection could demonstrate the capabilities of the Union to

protect fundamental rights in a global environment. This is a domain where not only

law, but also the European Union, by exercising its mandate in a successful manner,

can make a difference.

This book argues that Article 16 TFEU could benefit from an understanding of

the fundamental rights to privacy and data protection as such and in their relation to

other fundamental rights, which takes the changed environment of the internet into

account. Since, in an internet environment, all processing of personal data potentially affects the privacy of an individual, it no longer makes sense to consider privacy and data protection as separate fundamental rights. On the contrary, these

rights are part of one system. Moreover, on the internet, privacy and data protection,

on the one hand, and other fundamental rights, on the other hand, increasing collide,

whereas, at the same time, the protection of fundamental rights is becoming increasingly complicated. Against this background, a simple taxonomy of fundamental

rights is proposed that makes it possible to differentiate in the level of protection,

depending on the nature of the right.

The Court of Justice, in its case law, considers the need to compensate the perceived loss of control over personal data, enabled by the current legislative instruments on data protection and in particular Directive 95/46. The EU legislator

adopted a comprehensive and up-to-date legislative framework for data protection

 Anu Bradford, “The Brussels Effect”, Northwestern University Law Review, Vol. 107, No. 1, 2012



101



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

9 External EU Action on the Internet: Solving Conflicting Jurisdictional Claims and Substantive Divergences, with a Powerful EU in the International Domain

Tải bản đầy đủ ngay(0 tr)

×