Category: EU Commission

The UK Adequacy Decision and the Looming Possibility of a Schrems III

by Osal Stephen Kelly*

Introduction

In July 2020, the Court of Justice of the European Union (“CJEU”) delivered its judgment in the Schrems II case brought by the Austrian lawyer and activist Max Schrems, with far-reaching implications for data protection policy and practice. One question of particular urgency is what the consequences will be for the continued flow of personal data from the EU to the UK; while the EU-UK Trade and Cooperation Agreement temporarily allows these flows to continue on the same terms as between member states, this will end on 30th June 2021.  The purpose of this period is to allow for the EU Commission to determine whether or not to grant an “adequacy decision” that would confirm that the UK provides a level of protection essentially equivalent to that of member states, which would allow for these important transfers to continue indefinitely. While the Commission has issued a draft adequacy decision, some of the issues identified by the European Data Protection Board (“EDPB”) in its recent opinion on the draft expose frailties in these protections that could form the basis for a legal challenge in the future. It is submitted that there are two areas of particular vulnerability that would be key in any such challenge. First, there are serious unresolved questions around the powers of UK and US authorities to access data for security purposes. Second, the UK’s emerging post-Brexit constitutional and legal framework is likely to be somewhat less advantageous to data subjects vindicating their rights than was the case when EU law had direct effect.

Schrems II

Schrems II comes after another case brought forward by Mr Schrems who had already challenged the previous framework as well (Schrems I). The Schrems II case arose from a complaint concerning the transfer of his data from Facebook Ireland to Facebook Inc. (based in the United States). The complaint was made to the Irish Data Protection Commissioner and resulted in the Irish High Court making a preliminary reference to the CJEU. In its submissions, Facebook sought to justify these transfers as permitted by the EU Commission’s Privacy Shield decision, which set additional safeguards for data moving from the EU to the US.  However, the Court found that the Privacy Shield was invalid as the protections offered by US law did not in fact afford the required level of protection. The Court stressed the importance of “effective and enforceable data subject rights” (para. 177 of judgment) and found that data subjects did not enjoy such rights under the Privacy Shield. Particular emphasis was placed on the lack of limits on the power of surveillance agencies to collect data on individuals held by companies such as Facebook (para. 180). While the Court recognised that data controllers could in principle rely on standard contractual clauses approved by the Commission to allow cross-border data transfers to continue, it noted that such clauses did not necessarily protect data from unlawful access by the authorities of the receiving country (para. 141).

from jonesday.com

Schrems III?

Although the UK ceased to be subject to EU law from 31st December 2020, the GDPR has been incorporated (with amendments) into UK domestic law, in line with Section 3 of the European Union (Withdrawal) Act 2018. This amended version, referred to as the “UK GDPR”, now forms the basis of the UK’s legal framework for data protection, along with the UK’s existing Data Protection Act 2018 (draft adequacy decision, Recital 14), and this is the framework that was examined in the Commission’s draft adequacy decision, and, subsequently, the EDPB’s opinion, released on 13th April 2021. Although important, the opinion in itself is non-binding and the final decision on adopting the adequacy decision rests with the Commission, so it is likely to be approved.

The EDPB opinion, read in light of Schrems II, would require the UK’s intelligence operations to apply particular scrutiny over the compliance with the (EU) GDPR. While the tone of the opinion as a whole is very measured, the EDPB nonetheless expresses “strong concerns(para. 88 of opinion) over the data-sharing agreement between US and UK authorities pursuant to the US CLOUD Act. The Act requires US companies to disclose information stored on overseas-based servers on foot of a valid warrant. The EDPB notes that the Commission’s draft decision refers to non-binding “explanations that were provided to it by UK authorities (para. 88 of opinion). Critically, however, the EDPB notes that these explanations did not seem to comprise “any concrete written assurance or commitment” on the part of the UK Government. It is difficult to see how mere explanations without substantive legal force could be relied upon by data subjects in enforcing their rights, which is concerning, given that the existence of “effective and enforceable data subject rights” was deemed vitally important in Schrems II.

Moreover, para. 189 of the opinion highlights how broad the general exemption is for intelligence-related processing, stating that “national security certificate DPA/S27/Security Service provides that until 24 July 2024, personal data processed ‘for, on behalf of, at the request of or with the aid or assistance of the Security Service or’ and ‘where such processing is necessary to facilitate the proper discharge of the functions of the Security Service described in section 1 of the Security Service Act 1989’ are exempted from the corresponding provisions in UK law to Chapter V GDPR in relation to transfers of personal data to third countries or international organisations”.

This provision is similarly open-ended to Section 702 of the US Foreign Intelligence Surveillance Act, which had been considered not to afford a sufficient level of protection to data flows in Schrems II (para. 180 of judgment). If Part V GDPR (and equivalent provisions in the UK GDPR) does not apply to intelligence processing, personal data would be transferred to US authorities and thus fall within the scope of the Court’s ruling in Schrems II.

Given that the UK is no longer a member of the EU and subject to the jurisdiction of the CJEU, issues also arise in relation to the UK’s overall legal framework (para. 54 of opinion). The Commission has placed great emphasis on the fact that the UK will continue to be a party to the European Convention on Human Rights (“ECHR”) and thus of the “European privacy family” (press release accompanying the adequacy decision). However, while the set of rights listed in the ECHR are also included in the EU’s Charter of Fundamental Rights, in Schrems II the Court notes that the ECHR is not part of the EU law acquis (paras. 98, 99 of judgment). Furthermore, the UK Government will review the Human Rights Act 1998 which implements the ECHR in the UK. The review will consider whether courts have been “unduly drawn into matters of policy”. Given that the CJEU identified “effective and enforceable data subject rights” as key in determining whether a country provided an adequate level of protection (para. 45 of judgment), any dilution of the rights of citizens to invoke their ECHR rights would be likely to count against the UK in the event of a legal challenge.

Conclusion

The foregoing indicates that a credible case could be brought before the Court to challenge the validity of the adequacy decision in the future. On a practical note, data controllers can at least be reassured by the CJEU’s clarification in Schrems II that an adequacy decision enjoys, in effect, a presumption of legality until it is successfully challenged (para. 156 of judgment), and accordingly they should not incur any liability for data transfers while the adequacy decision remains in place, for whatever period that may be.

*Osal Kelly is a postgraduate Law student in the Law Society of Ireland in Dublin and holds an undergraduate degree in Philosophy from Trinity College, Dublin. He currently works in the Irish public service. This article is written in a personal capacity.

 

EU Data Protection in Trade Agreements

 

by David Scholte*

Practical solutions to a theoretical conundrum

After the implementation of the General Data Protection Regulation (GDPR) in 2018, the European Union (EU) has been striving to keep up the high standards of protection of personal data transfers of EU citizens throughout the world. In order to secure these standards, it has two powerful different tools at its disposal.

Tool number one is the ´adequacy decision´. The EU commission will ´determine […] whether a country outside of the EU offers an adequate level of data protection´.(European Commission, Adequacy Decisions) Adequate means comparable to the protection offered by the EU. If so determined, the cross-border data flow between the EU and the third country can take place unimpeded and without any further safeguards. Tool number two are data protection provisions in the trade agreements between the EU and third countries. (See art. 28.3(2)(ii) CETA, art. 8.3 JEFTA and art. 8.62(e)(ii) EU-Singapore FTA)

The EU is a prominent advocate of liberalising (digital) trade but will always vehemently protect its data protection standards; this is made explicit in the statement that ´the EU data protection rules cannot be subject to negotiations in a free trade agreement´. (COM(2017) 7 final)

Data protection clauses in previous trade agreements used to be sectorial provisions modelled after art. XIV from the multilateral ´General Agreement on Trade in Services (GATS). However, with the changeability of digital trade and with the implementation of the broad scoped GDPR, the EU´s view was that new provisions were needed.

´These horizontal provisions rule out unjustified restrictions, such as forced data localisation requirements, whilst preserving the regulatory autonomy of the parties to protect the fundamental right to data protection´. (COM(2020) 264 final)

In 2018 the Commission published horizontal draft provisions that it intended to include in future trade agreements. It is noted that the provisions modeled after the GATS article have always included the requirement of ´necessity’ and stated that any measure taken with regard to the protection of personal data must not be a ´means of arbitrary or unjustifiable discrimination [or] a disguised restriction´. However, the new provisions would be applicable throughout the agreement and, most importantly, do away with the conditions and limitations found in the old type of provisions.

There are no longer requirements that must be fulfilled before a measure with regard to personal data can be taken. The Draft provisions regarding data protection are as following:

  1. Each party ecognizes that the protection of personal data and privacy is a fundamental right […]
  2. Each party may adopt and maintain the safeguards it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in this agreement shall affect the protection of personal data and privacy afforded by the Parties´ respective safeguards.
  3. Each party shall inform the other Party about any safeguard it adopts or maintains according to paragraph 2.
  4. For the purposes of this agreement, ´personal data´ means any information relating to an identified or identifiable natural person.
  5. For greater certainty, the Investment Court System does not apply to the provisions in Articles 1 and 2.
From briefingsforbritain.co.uk

Although the EU had proposed this provision in trade negotiations with Australia and New Zealand. the first agreement where this new type of rules has been fully implemented is the EU-UK Trade and Cooperation Agreement (TCA), albeit in a slightly different form.

  1. Each Party recognises that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade.
  2. Nothing in this Agreement shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border data transfers, provided that the law of the Party provides for instruments enabling transfers under conditions of general application for the protection of the data transferred.
  3. Each Party shall inform the other Party about any measure referred to in paragraph 2 that it adopts or maintains.

The compromise between the position of the parties reflects the difficulties in translating drafted horizontal provision into real negotiations. What is clear is that the all-encompassing, condition-less provision that the Commission had envisioned did not come to fruition. In the first paragraph data protection is no longer a fundamental right, something that is striking among purists and puts the protection of data legally on a lower pedestal than if it would have remained a fundamental right.

Moreover, in the draft provision, paragraph two gives both parties full authority over the adoption of safeguards, with no conditions attached. In contrast, the adopted TCA’s provision is worded quite differently: ´nothing in this agreement shall prevent […] provided that´ instead of ´Each party may adopt´. This gives the paragraph a negative wording with again some conditions attached. It bears a resemblance to the GATS article meaning that it would not be without conflict and possible dispute. (WTO Analytical Index, GATS – Article XIV (Jurisprudence))

Because of the transition period, under the agreement data flows are still unrestricted as long as the UK continue to apply the data protection rules, based on EU law (EU-UK Agreement part seven, Article FINPROV. 10A(4)). Moreover, with a pending adequacy decision, a large differentiation between the UK and EU data protection is not likely to arise. When the data protection in the UK is deemed to be adequate the article will become moot.

However, this quite substantial modification from the original proposal by the EU does show that the EU might be flexible on the wording of such rules. In the TCA case, the EU position is explained by the special and interconnected relationship with the UK, a European country and a former Member State. Nonetheless, it is interesting that the EU Commission did accept different draft provisions, although it had defiantly stated that those provisions would not be subject to negotiations.

In the future the EU will strive to include such horizontal provision in all future trade deals. Indeed, in the trade negotiations with Australia and New Zealand the provisions proposed are again mirroring the draft provisions. With New Zealand already having received an adequacy decision from the Commission, the question remains if a horizontal provision is a priority for both parties. Considering New Zealand’s ´culture of compliance´ (Henning, 2020) data protection will not be a major hurdle and one can expect the horizontal provision to be included in the upcoming EU-New Zealand trade deal without significant amendments.

For countries without this close connection to the EU data rules, such as Australia, the inclusion of such broad horizontal provision could be problematic. Third countries have the reasonable worry that such blanket exception could be used for ´otherwise unjustifiable IT and data localization requirements´. (Yakovleva & Irion, 2020, 219)

The provisions in the Australia and New Zealand deals will give a clearer idea on what these new horizontal provisions mean for EU trade negotiations and deals. It seems however that the Commission’s position on the matter is far more practical and reliant on adequacy decisions, thus unilateral, than it presents to be at first glance. The full regulatory autonomy that the EU strives for has not been achieved in the TCA and will thus most likely not be achieved in future trade deals. A missed opportunity.

 

*David Scholte is a Junior Lecturer in EU Law at Utrecht University, the Netherlands. He is also currently pursuing a Master in International Relations at Leiden University.

The Commission fights Poland all the way over the rule of law

Giulio Preti 

 

Introduction

On January 24th, 2020 the European Commission applied to the European Court of Justice for the imposition of interim measures against the Republic of Poland.[1] This request came within the context of the proceedings for an infringement of Articles 19 (1) TEU and 267 TFEU. In essence, by creating a politically controlled disciplinary chamber for the judges of the Supreme Court, the Polish legislation allegedly fails to guarantee the rights of defense of the judges under disciplinary proceedings and limits the Supreme Court’s right to refer question for preliminary rulings. The goal of this contribution is to give a brief overview of the factual and legal background of the dispute and to analyse the principle of the rule of law within the European architecture and the justifications brought forward by the Polish government.

 

Factual background

Ever since the introduction of the controversial Law on the Supreme Court on April 3rd, 2018, the European institutions and Poland have been locked into a dispute which culminated in the European Commission triggering the procedure provided for in Article 7 TEU, which may culminate in the suspension of the voting rights of the representative of the Member State in the Council.[2] The law imposed to the judges of the Supreme Court to retire at the age of 65, unless granted an authorisation by the President of the Republic, de facto allowing the ruling party, Law and Justice (PiS), to ensure that only judges aligned with the position of the government would be allowed to keep their position. The Polish government has further escalated the dispute by modifying the law on the Organisation of the Courts by allowing the Minister of Justice to nominate the members of the disciplinary chamber for ordinary judges and for the judges of lower courts, effectively putting the entire judicial system under the direct control of the executive branch.

 

Legal background and jurisprudence of the Court

Interim measures are based on article 279 TFEU which states that: “The Court of Justice of the European Union may in any cases before it prescribe any necessary interim measures” and by articles 160-166 of the Rules of Procedure of the Court. Although not unprecedented, these measures had been “tested” by the Court for the first time only one year earlier against Poland within the controversy regarding the lodging of wood in the forest of Białowieża.[3] On the other hand, a similar case had been brought against Hungary, which had enacted a similar law. That proceeding, however, had been brought for a violation of Directive 2000/78, asserting that the judges, considered as “workers” for the purposes of the Directive, had been discriminated against due to their age.[4] Hardly a comparable approach with the one taken against Poland.

 

The rule of law in Europe

The European Commission has defined the rule of law as a system where “all public powers always act within the constraints set out by law, in accordance with the values of democracy and fundamental rights, and under the control of independent and impartial courts”.[5] The rule of law is at the center of the EU legal system: article 2 of the TEU describes it as one of the foundations of the Union, the Court has repeatedly held that: “the EU is a union based on the rule of law”.[6] However, there is disagreement on whether the rule of law is merely a legal standard to which the Member States have agreed upon, or if it is the essence or, even, the very purpose of the Union,[7] through which the institutions may seek to strengthen their own legitimisation.[8]The EU, however, has intervened rarely in the constitutional matters of Member States. In 2000, for example, the EU did not act directly against Austria for the involvement in the government of the xenophobic FPÖ, but pushed the Member States to retaliate diplomatically against Austria with little success. The subsequent approach taken by the Commission against Hungary, Romania, Greece, Italy and France,[9] on the other hand, clearly endorsed the view which sees the rule of law as the essence of the European project. The successful enforcement of the rule of law within the context of this proceeding, therefore, will likely have an impact on the role of the rule of law in the EU framework.

 

The justifications of the Polish government

On March 7th, 2018 the Polish government published a White Paper [10] seeking to explain the need for judicial reforms. The justifications brought forward relate to i) efficiency of proceedings and to fight the “peculiar bureaucratic corporate culture which has emerged in the Polish administration of justice” ii) the existence of an imbalance of powers, iii) the failure to account for the communist past of judges. Whereas the government highlights that: “subordinating the judiciary to other branches of government cannot be a solution to all the problems described” it does little to hide that one of the objectives of the law must be that of relieving of their duties the judges which have been involved in the administration of justice during the Communist period. This should actually guarantee the rule of law because: “if [justice] is to be exercised by people who were entangled in a dishonorable service to totalitarian or authoritarian systems and did not guard the law but abused it to persecute human rights and civil liberties, it negatively affects the public trust in the judiciary – and thus the rule of law itself”.

 

Conclusions

The proceedings brought forward by the Commission underline the importance attached by the European institutions to this principle. For better or worse any decision of the Court of Justice will constitute a significant precedent in the matter and will define the power of the EU to challenge internal legislation falling within the exclusive competence of Member States for the violation of general principles of EU law.

 

 

The Author

Giulio Preti is an LL.M. student at King’s College London, specialising in Competition Law.

The arm wrestling between the European Parliament and the European Commissioners-designate?

The Editors

 

So here go not one, not two, but three Commissioners.

Granted, the polemics about the title of the portfolio for the Greek Commissioner, ‘Protecting the European way of life’, did sound like a provocation, and there was no doubt that a hard scrutiny in the European Parliament would be in store.

Yet, many simply failed to predict that the Commissioners’ path would be blocked even before the hearings of prospective Commissioners would start (and they did start a couple of weeks ago, on 30 September). Laszlo, Hungarian Commissioner designated for enlargement, and Plumb the Romanian Commissioner for trasport, have instead being ‘rejected’ by the Legal Affairs Committee of the European Parliament. The Committee found they had too obvious conflicts of interests. This opportunity is given to the Committee by a rule in the annex of the rules of procedures of the European Parliament. This rule is commendable: nobody else is entrusted to check whether the Commissioners-designate (i.e., those proposed by the President of the Commission and which need to be approved, collectively, by the Parliament) can indeed represent the interests of the European Union.

In addition to the Legal Affairs Committee, each Commissioner-designate is heard by the European Parliament at a ‘confirmation hearing’. This is an occasion for the EP to  inform its decision over consenting or rejecting the new Commission as a whole. It is also an occasion to hold the President of the Commission accountable, as we will explain later.

The Hungarian and Romanian Commissioner-designate did not make it to the hearing, but the designated French Commissioner Sylvie Goulard also failed to make it into the new college of commissioners. The European Parliament, at the confirmation hearing, took issue with the answers given by Goulard on the alleged wrongdoing during her time as a MEP. It is easy to suspect that the real target of the Parliament was not Goulard herself, but the French President Macron (who hastened to say ‘it’s not my fault’…).

Where does it leave us with interinstitutional relations? The impression is that the European Parliament, who has the power to approve or disapprove the entirety of the Commission, had to build enough criticism over the single Commissioners-designate in order to have leverage on Ursula von der Leyen and her new Commission.

The trajectory has been one of growing influence of the European Parliament since the first elections held with the rules established by the Treaty on the European Union as modified in Lisbon. The rule for the nomination of the President of the Commission is not univocal: ‘Taking into account the elections to the European Parliament and after having held the appropriate consultations, the European Council, acting by a qualified majority, shall propose to the European Parliament a candidate for President of the Commission’ (Article 17.7 TEU).

In 2014, the European Council and the European Parliament struggled over the name of the President of the Commission. The Parliament had the upper hand on that occasion: ‘taking into account the elections of the European Parliament’ was interpreted as meaning that the Spitzenkandidat (the top candidate) chosen by the relative majority party would be the President (Jean-Claude Juncker). Then, only a Commissioner was rejected, the former prime minister of Slovenia Bratusek,

In 2019, it was instead the Member States (championed by Macron) that imposed von der Leyen as President of the Commission (instead of Manfred Weber, the Spitzenkandidat of the European People’s Party, the party with relative majority of seats in the Parliament). The result is not surprising. Remember that in January 2018 the European Parliament had already stated that it ‘will be ready to reject any candidate in the investiture procedure of the Commission President who was not appointed as a Spitzenkandidat in the run-up to the European elections’.