Desktop version

Home arrow Law

  • Increase font
  • Decrease font

<<   CONTENTS   >>

: EU primary law provisions on data protection and the imperative to improve EU data protection

The foregoing shows an intense regulatory activity in the past years. Data Protection was gradually working itself up to the short list of EU top priorities. The first important step in that development was the Charter of Fundamental Rights of the European Union (Charter), proclaimed as soft law instrument on 7 December 2000 and turned into a binding legal instrument with the Treaty of Lisbon, which entered into force on 1 December 2009.[1] Significant and deviating from the 1950 European Convention on Human Rights (ECHR) was the distinction made in the Charter between the right to respect for private life, which included protection of communications (Article 7 Charter) and the right to the protection of personal data (Article 8 Charter), spotlighting the growing importance of data protection in the constitutional assemblage of current society.

The Treaty of Lisbon has contributed to this success of data protection law. In particular, Article 16 of the Treaty on the Functioning of the European Union (TFEU) constitutes a central provision in the EU data protection field since it recognizes (again) an independent individual right to data protection, separate from any other right. It is essentially this specific Article that triggered the EU data protection overhaul discussed in the foregoing.

While an analysis of Article 16 TFEU and its requirements for EU data protection exceeds the purposes of this analysis,[2] here it is enough to make three observations.

Firstly, Article 16 TFEU allows law-makers to approach data protection not in terms of the EU internal market or the old pillar system or any other similar limitations, but in terms of an independent, separate, cross-sector individual right that needs to be respected in all the EU competence areas. The limit is no longer EU secondary law, but EU primary law. In other words, it is no longer necessary to consider EU secondary data protection laws such as the 1995 EU Data Protection Directive as the data protection standard-setting texts, against which all level of data protection both in and out of the EU ought to be assessed. Article 16 TFEU makes this exercise superficial and mandates the EU co-legislators to regulate both data processing by EU institutions and data processing by (all) actors in Member States when carrying out activities which fall within the scope of Union law (see also our third point below). Our feeling is that Article 16 TFEU intentionally draws the attention away from the normal subsidiarity principle exercise (‘powers are in hands of Member States, unless the Union can do better’) and draws the data protection policy agenda to the Brussels levels, based on an implicit understanding that this area is supra national. As we will see below the current enforcement system defined by the GDPR and the LED still relies on the intervention of national supervisory authorities. When this turns out to be inadequate it is conceivable one day, based on Article 16 TFEU, to replace this with an enforcement system that relies more on an EU supervisory body.

Secondly, Article 16 TFEU asks for effective, independent oversight. While “independent" oversight is most likely external, ‘effective oversight’ may well be a combination of internal and external mechanisms. To this end, existing preLisbon data protection oversight mechanisms were not necessarily need to be replaced under the new EU data protection environment, but a fresh look at those mechanisms, in place at the time of the Lisbon Treaty, in light of Article 16 TFEU, is nevertheless warranted by the TFEU.

Thirdly, Article 16 TFEU asks for simple and straightforward individual access to justice. This in turn requires clear and direct replies to the basic questions of legal standing (who can sue data controllers and in which court?), scope of judicial review (what can the judge assess?), available remedies (monetary indemnity) and cost of the whole process. These answers need to be clear and accessible to individuals across the EU, regardless of the legal instruments they are based on or the type of processing they refer to.

Of equal importance is Declaration 21 attached to the Treaty.[3] This provision demonstrates that in EU law the criminal justice and law enforcement area is distinguished from other personal data processing activities and awarded with the possibility (but not obligation) to benefit from specific rules, fitted to its particular needs and purposes. It explains the continued presence of a specific general instrument for this area (the LED Directive) and specific data protection provisions in the EU laws on law enforcement related agencies (like Europol, Eurojust, European Public Prosecutor Office) and databases (like Schengen and Eurodac), with specific provisions on data subject rights (such as the access to their data) and supervision.

It is interesting to observe what the drafters have summarized and mentioned both in the Charter and in the TFEU. Data Protection law is in fact a complex bundle of principles, rules, ideas, obligations and powers, a bundle that grows over time, with new ideas and sensibilities (such as about a right to be forgotten). Both primary texts only ‘pick’ some of these elements, and consequently do not mention others (like the principle of data minimization). Striking pick in both texts is the right to have independent authorities controlling on processing activities.[4]

Hijmans emphasizes the importance of this anchor for data protection authorities (DPAs) in EU primary law: “control by these authorities is not only an essential part of enforcement, it is even qualified as “an essential component of the protection” itself. In other words, EU law does not only provide for institutions with a specific responsibility for the protection, but it gives the right to data protection an institutional dimension. DPAs as independent public authorities for data protection are a unique phenomenon in EU law. This specific position is, in the first place, the result of the constitutional foundation of the role of the DPAs in primary law”.

Primary law does not only anchor the existence of supervisory authorities, but also requires them to be independent. Hijmans identifies a plurality of more or less self-explanatory reasons for this, but does not mention the identity building aspect behind this institutional requirement vis-à-vis the outside world. Many third countries, with the US as the most striking example, have no independent supervision as an essential component of data protection,3 and in a connected world with international transfers, the EU is using its basic documents to defend its vision on effective enforcement of privacy and data protection, with independent agencies as a major building block.

Now, what are these intriguing controlling bodies? What does independent mean? and Why is their independent supervision of such an importance to have it anchored in EU primary law? [5] The following offers a conceptualization of the exercise of sanctioning powers by these authorities rather than a conceptualization of the authorities as such. We refer to the excellent book of Hielke Hijmans for more in-depth conceptualizations of these authorities.

  • [1] Charter of Fundamental Rights of the European Union, OJ 2012, C326/391. 2 Article 8 Charter (Protection of personal data): “1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.” 3 Article 16 TFEU: “1. Everyone has the right to the protection of personal data concerning them. 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the
  • [2] See for instance the relevant analysis in H. Hijmans, A. Scirocco, ‘Shortcomings in EU Data Protection in the Third and the Second Pillars. Can the Lisbon Treaty be expected to help?’, (2009) 46 Common Market Law Review, 1494. See also P. De Hert, ‘The Right to Protection of Personal Data. Incapable of Autonomous Standing in the Basic EU Constituting Documents?’, (2015) 31 Utrecht journal of International and European Law, 1. 2 Directive 95/46/EC.
  • [3] w “The Conference acknowledges that specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 of the Treaty on the Functioning of the European Union may prove necessary because of the specific nature of these fields”. 2 See P. De Hert, V. Papakonstantinou, ‘The Data Protection Framework Decision of 27 November 2008 Regarding Police and Judicial Cooperation in Criminal Matters - A Modest Achievement However Not the Improvement Some Have Hoped for’, (2009) 26 Computer Law & Security Review 403. These are well-identified by now and need only be mentioned here in brief: the need for security agencies to, among others, use hints and hearsay as well as to constantly correlate and reexamine information within their systems in order to effectively execute their tasks makes a level of flexibility as regards individual data protection imperative. Declaration 21 carries therefore concrete consequences for the EU criminal justice and law enforcement area both in tenus of architecture, whereby specialized data protection legislation is permitted, if not encouraged, and in terms of substantial law, whereby such specialized legislation may include different data protection provisions than those applying to all other, general personal data processing. 3 P. De Hert, J. Sajfert, ‘Police, privacy and data protection from a comparative legal perspective’, in M. den Boer (ed.), Comparative Policing from a Legal Perspective (Edward Elgar, 2018), 306; P. De Hert, V. Papakonstantinou, ‘Data protection policies in EU Justice and Home Affairs. A multi-layered and yet unexplored territory for legal research’ in A. Ripoil Servent, F. Trauner (eds), Routledge Handbook of Justice and Home Affairs Research (Routledge, 2018), 169; P. De Hert, V. Papakonstantinou, ‘Data protection: the EU institutions’ battle over data processing vs individual rights’, in F. Trauner, A. Ripoil Servent (eds), Policy change in the Area of Freedom, Security and Justice. How EU Institutions Matter (Routledge, 2015), 178.
  • [4] 2 25 H. Hijmans, The European Union as Guardian of Internet Privacy (Springer, 2016), 564. 3 Hijmans, supra note 23, 339-340. 4 See on six reasons for independence of DPA’s, Hijmans, supra note 23, 330-333. 5 1 share the skepticism of Neudorf about creating a big fuzz about independence (as opposed to effectiveness), especially in a global context. We recall that Article 13 ECHR requires ‘effective’ remedies and keeps silence about the ‘independence’ of the authorities empowered to discuss the rights infringements. Independence is only one of the formulae to enhance impartiality, as opposed to the realization of a particular political arrangement or a proxy for substantive views about fundamental rights protection. There is no magic checklist to produce impartially. Courts are social institutions bound up with their culture and context that build their legitimacy over the course of time. Promoting high substantive and formal standards of independence, without taken into consideration local history and the important role played by informal constraints in judicial institutions and oversight mechanism. Compare L. Neudorf, ‘Promoting Independent Justice in a Changing World’, (2012) 12 Human Rights Law Review, 107; A. Jori, ‘Shaping vs applying data protection law: two core functions of data protection authorities’, (2015) 5 International Data Privacy Law 133. This author identifies hesitations within the EU and its Member States between DPAs adding political advocacy to their basic roles as mediators and enforcers, and DPAs reducing themselves or being reduced by politics to the more technical roles of mediators and enforcers checking compliance with the law and no more. The author develops the thesis that countries with ‘grand’ DPAs that dare to stand up against governments are probably those that meet all criteria of the rule of law and vice versa (135).
  • [5] Compare with the right to non-discrimination. This right is also one of the selected Charter rights that has made it explicitly into the TFEU, but there is no mentioning of the presence of a specific oversight mechanism. 2 Hijmans’s analysis is very rich and productive and is based on a comparison between DPA’s and EU agencies in other areas of law and on literature on expert bodies. The most fundamental claim in his book is that DPAs -and certain other expert bodies- qualify as a new branch of government complementing the traditional separation of powers. See Hijmans, supra note 23, 341-353.
<<   CONTENTS   >>

Related topics