The european union as guardian of internet privacy

Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (5.22 MB, 631 trang )

Law, Governance and Technology Series 31

Hielke Hijmans

The European
Union as
Guardian of
Internet Privacy
The Story of Art 16 TFEU

Law, Governance and Technology Series
Volume 31

Series editors
Pompeu Casanovas
Institute of Law and Technology, UAB, Spain
Giovanni Sartor
University of Bologna (Faculty of Law-CIRSFID) and European University
Institute of Florence, Italy

The Law-Governance and Technology Series is intended to attract manuscripts
arising from an interdisciplinary approach in law, artificial intelligence and
information technologies. The idea is to bridge the gap between research in IT law
and IT-applications for lawyers developing a unifying techno-legal perspective. The
series will welcome proposals that have a fairly specific focus on problems or
projects that will lead to innovative research charting the course for new
interdisciplinary developments in law, legal theory, and law and society research as
well as in computer technologies, artificial intelligence and cognitive sciences. In
broad strokes, manuscripts for this series may be mainly located in the fields of the

Internet law (data protection, intellectual property, Internet rights, etc.),
Computational models of the legal contents and legal reasoning, Legal Information
Retrieval, Electronic Data Discovery, Collaborative Tools (e.g. Online Dispute
Resolution platforms), Metadata and XML Technologies (for Semantic Web
Services), Technologies in Courtrooms and Judicial Offices (E-Court), Technologies
for Governments and Administrations (E-Government), Legal Multimedia, and
Legal Electronic Institutions (Multi-Agent Systems and Artificial Societies).

More information about this series at />

Hielke Hijmans

The European Union
as Guardian of Internet
Privacy
The Story of Art 16 TFEU

Hielke Hijmans
Brussels, Belgium

ISSN 2352-1902 ISSN 2352-1910 (electronic)
Law, Governance and Technology Series
ISBN 978-3-319-34089-0 ISBN 978-3-319-34090-6 (eBook)
DOI 10.1007/978-3-319-34090-6
Library of Congress Control Number: 2016949456
© Springer International Publishing Switzerland 2016
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of
the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information

storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology
now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, express or implied, with respect to the material contained herein or for any errors
or omissions that may have been made.
Printed on acid-free paper
This Springer imprint is published by Springer Nature
The registered company is Springer International Publishing AG Switzerland

Foreword

Among the many challenges presently facing the European Union, this book – a
revised version of the author’s dissertation which recently served as the basis for a
joint doctorate at the University of Amsterdam and the Free University of Brussels –
addresses a subject which is by its very nature rather invisible, but arguably also one
of the most far-reaching and consequential areas within the Union’s competence,
where it is currently operating with a remarkable degree of success: namely the
protection of privacy and personal data, notably on the Internet.
Today, information about the activities of every individual, at every moment of
the day, is exploding as a result of different social and technological factors. The
exponential growth of information and communication technologies, and the popularity of systems and devices allowing their mobile use to everyone at a global scale,
have exposed the private lives and personal data of every individual to new hazards
which are only gradually understood beyond the limited circles of specialists in this
field. The Internet and a growing number of networked services connected to it,
serve as the driving forces of this development which is likely to reshape our societies in the coming years. It is no wonder therefore that public policymakers, as well

as industry and civil society, are now looking at the implications of this trend and at
different ways to enhance its positive and reduce its negative sides.
Due to the Lisbon Treaty’s entering into force in 2009, the European Union has
received a strong mandate for the protection of personal data, not only at the level of
the EU institutions and bodies, but also at the level of the Member States when acting within the scope of EU law. The author has taken up this mandate – laid down in
Article 16 of the Treaty on the Functioning of the European Union and Articles 7
and 8 of the EU Charter of Fundamental Rights – as a starting point for his analysis,
and looked at the ways in which the different key actors involved – the European
Court of Justice, the EU’s legislative institutions, the independent Data Protection
Authorities at national and EU level, including their cooperation mechanisms, and
those acting in the external relations with third countries – should play their role to
ensure the legitimacy and the effectiveness of their actions in the mandate. The question how and to what extent the EU can – both legitimately and effectively – act in a
global environment, such as the Internet, is one of the central themes of the book.
v

vi

Foreword

In this way, the author has developed a range of views and perspectives which
have truly enriched the scholarly literature, both in the field of data protection and
EU institutional law, and the increasingly relevant interfaces between them. He was
also eminently qualified for this task, due to his extensive experience in most of the
relevant areas: first as a legislative adviser in the Dutch Ministry of Justice, second
as a senior legal adviser of an Advocate General at the European Court of Justice,
and third as the head of unit responsible for Policy and Consultation at the European
Data Protection Supervisor’s Office. All these tasks involved extensive work in and
exposure to the development of EU law. In his third capacity, we have worked
together closely for more than 10 years in Brussels. It is therefore a very special

privilege for me to be able to contribute these words of introduction to this book.
The first chapter mentions that this book was triggered by a perceived loss of
control of governments over societal developments, due to globalisation and technological developments, which inhibit the effective protection of essential values in
democratic societies. Three examples are provided to illustrate this problem. These
examples also illustrate a widespread feeling of citizens that they are losing control
over their own personal data. This double loss of control could easily undermine the
quality of our democracies under the rule of law. These are key elements of the need
to reinforce the existing legal framework for data protection and its impact in practice. That this book appears as the European legislators are about to complete a
comprehensive review of that framework and to open a new chapter for data protection in the EU is a coincidence that can hardly be overrated. Rendering justice in this
domain is a task that continues to be relevant and – in a true sense – will never be
finished.
European Data Protection Supervisor (2004–2014)
Leiden, The Netherlands
February 2016

Peter Hustinx

Preface

An academic sabbatical for over a year resulted in this book. I recommend such a
sabbatical to everyone. It was a luxury to have time and space to think. After 30 years
of office life, a dramatic change of life: no specific place to go in the morning and
being able to decide whether to go to the university or to stay at home, to read or to
write.
I started my sabbatical with the ambition to demonstrate that our much criticized
European Union can make a difference and is capable of protecting individuals in a
complex society. During the period of sabbatical however, much happened and the
Union tumbled into a crisis. We saw, most importantly, that the Union did not manage to protect people who needed it the most, particularly those who run the risk of
drowning in the Mediterranean on their way to seeking asylum in Europe. This

background made my academic adventure even more academic, because my main
argument was that Europe can make a difference and is capable of guaranteeing
individuals’ fundamental rights. This trust in Europe still stands, as this book demonstrates, but it is not self-evident. We see a lack of solidarity between the European
countries and a fading belief in Europe which in my view should not just be a market where one can pick and choose. We need a strong Union based on values. This
book was written before the Brexit made the EU even more vulnerable.
This book is based on combined knowledge and experience gained at different
stages of my career, at various ministries within the Dutch government, the EU
Court of Justice and, in the last decade, with the European Data Protection Supervisor
(EDPS). It is motivated by my convictions that we need a strong state that is capable
of protecting its citizens, that Europe can offer solutions and that we should not give
up on our European values in a globalised world.
It is the slightly modified version of my doctorate thesis, which I defended on 5
February 2016, and resulted in a joint doctorate in law at the University of
Amsterdam and the Vrije Universiteit Brussels. Supervisors were Nico van Eijk and
Paul de Hert. The jury consisted of Sacha Pechal, Christopher Kuner, Serge
Gutwirth, Corien Prins, Natali Helberger and Annette Schrauwen. Valsamis
Mitsilegas was guest opponent.

vii

viii

Preface

This book also fits within my personal background. Both my parents spent most
of their professional lives in academia and they always stimulated me to follow their
path. For a long time, this was precisely the reason not to envisage an academic
career or to write a doctorate thesis. Yet, at this mature age, I changed my mind and
I am happy that my father is still around to see the result of my work and to see how

this makes him happy. I am sure that I would have made my mother extremely proud
when she could realise that I succeeded in what determined much of her life, academic research.
Life goes on, and in recent years I not only enjoyed the continuing friendship of
my old circle of friends, but also the warmth of my own loving family. To you, Zeta,
my big love, and to my daughters Nina, Sophie and Nikki, who make me on my turn
proud, I dedicate this book. The times we spend together makes life even more
wonderful.
Brussels, Belgium

Hielke Hijmans

Contents

1Introduction�� 1
1.1Trigger of This Book: A Perceived Loss of Control �� 1
1.2A First Outline of Article 16 TFEU�� 4
1.2.1The EU Mandate Under Article 16 TFEU
to Ensure Privacy and Data Protection�� 4
1.2.2Legitimacy and Effectiveness as Prerequisites
for Trust�� 5
1.2.3Background �� 6
1.3The Structure of This Book�� 7
1.4Methodology �� 11
1.5Further Limitations�� 13
1.6Terminology�� 14
References�� 15
2Privacy and Data Protection as Values of the EU That Matter,
Also in the Information Society�� 17
2.1Introduction �� 18

2.2Privacy and Data Protection as Part of an EU Based
on Values: A General Design�� 19
2.2.1Privacy, Data Protection and the Ambitions
of the EU in Promoting Its Values�� 19
2.3Privacy and Data Protection as Constitutional Values
That Matter, Also on the Internet�� 20
2.3.1Two Elements Stand Out: There Are No Good
or Bad People, and Monitoring
Changes Behaviour �� 22
2.4Ambitions of the EU in Promoting Democracy:
Democracy Requires a Free Internet,
but Not an Unprotected Internet�� 24
2.4.1Democracy as Guiding Principle in Relation
to the Internet�� 24
ix

x

Contents

2.4.2A Free Internet Does Not Mean
an Unprotected Internet�� 25
2.4.3Democracy and the EU �� 26
2.5Ambitions of the EU in Promoting the Rule of Law:
How to Ensure Effective Privacy and Data Protection
on the Internet Under the Rule of Law�� 27
2.5.1Understanding the Concept of the Rule of Law�� 27
2.5.2The Rule of Law and Its Relation
to Fundamental Rights�� 29

2.5.3Effective Legal Protection for Everyone�� 29
2.5.4The Rule of Law Has a Close Link
with the Right to Data Protection�� 30
2.6Ambitions of the EU in Promoting Fundamental Rights:
Understanding the Context of Privacy and Data Protection
and the Internet Under EU Law�� 32
2.6.1The Broad Applicability of Fundamental Rights:
Application in All Situations�� 32
2.6.2Fundamental Rights Protection and the Internet�� 34
2.7Fundamental Rights Protection Against Private
Parties Acquires a New Dimension on the Internet,
Particularly for Privacy and Data Protection�� 35
2.7.1Four Arguments Supporting Direct
Applicability in Horizontal Situations�� 36
2.8The Right to Privacy, a Broad and Dynamic Concept
on the Internet Extending to the Public Sphere�� 39
2.8.1Historical Development of Privacy, Starting
with Warren and Brandeis �� 39
2.8.2Human Dignity and Personal Autonomy
as Underlying Values and the Broad
Scope of Privacy �� 40
2.9Understanding the Nature of the Right to Privacy
Through Four Types of Qualified Interests:
Information Use by Governments, Health,
Vulnerable Groups and Reputation �� 43
2.9.1Four Types of Qualified Interests: Information
Use by Governments, Health, Vulnerable Groups
and Reputation�� 44
2.9.2Summing Up: All Use of Personal Information
Falls Within the Scope of the Right to Privacy

Under Article 7 Charter�� 47
2.10Historical Development of the Right to Data Protection,
Starting as a Response to Technological Developments�� 48
2.10.1The Council of Europe’s Role in Developing
Instruments on Data Protection�� 49

Contents

xi

2.10.2The EU: Growing Emphasis on Respecting
Constitutional Values in Addition to the Objective
of Market Integration�� 49
2.10.3A Separate Development in the Area of Freedom,
Security and Justice, Leading to a Patchwork�� 51
2.11The Right to Data Protection: A Claim Based
on Fairness Providing Safeguards Where Personal
Data Are Processed �� 54
2.11.1Does the Right to Data Protection Serve
to Give an Individual Control Over Personal
Information?�� 55
2.11.2Is the Right to Data Protection a Claim Based
on Fairness, Providing Safeguards Where
Personal Data Are Processed?�� 56
2.11.3The Right to Data Protection Provides
for a System of Checks and Balances Based
on Fairness�� 57
2.12Data Protection as ‘Rules of the Game’ or ‘a System
of Checks and Balances’ �� 59

2.12.1Diverging Views on the Legitimacy
of Processing Personal Data�� 59
2.12.2Summing Up: The EU and the Member
States Must Establish Checks and Balances �� 61
2.13Privacy and Data Protection: Two Sides
of the Same Coin�� 62
2.13.1It Is Not Important to Distinguish
Between Privacy and Data Protection
on the Internet �� 66
2.13.2A Further Argument for Not Distinguishing
Between Privacy and Data Protection: The Law
of the United States �� 67
2.14A Proposal for a Solution Considering Both Fundamental
Rights as Part of One System�� 68
2.15Conclusions �� 70
References�� 73
3Internet and Loss of Control in an Era of Big Data
and Mass Surveillance �� 77
3.1Introduction �� 78
3.2A General Design of the Internet and the Loss of Control
Over Personal Data �� 79
3.3The Internet as a Single Unfragmented Space with a Loose
Governance Structure�� 81
3.3.1Interconnected and Loosely Governed by Multiple
Stakeholders�� 81

xii

Contents

3.3.2Responsibility for the Integrity of the System,
the Continuity of the Services
and Security Threats�� 83
3.4At the Core of the Internet, Networked Societies
and Globalisation: Is Fragmentation a Threat? �� 85
3.4.1Networked Societies Are Vulnerable�� 86
3.4.2Globalisation, a Trigger for Innovation
and Growth�� 88
3.4.3Is Fragmentation of the Internet a Threat?�� 89
3.5The Internet in Terms of Freedom and Powers:
Is There a Shift from Freedom to Power?�� 91
3.5.1Freedom, a Free Internet as a Common Good�� 91
3.5.2Power on the Internet�� 93
3.6Big Data Justifies a Qualitative Shift in Thinking�� 96
3.6.1Big Data Is Really New
and a Fundamental Change �� 97
3.6.2Big Data Is Pervasive in the Daily Life
of Individuals�� 99
3.7People Can No Longer Evade Surveillance
Through Electronic Means�� 101
3.7.1Surveillance from Different Perspectives �� 102
3.7.2Different Types of Surveillance,
But the Distinctions Are Not Always Crystal Clear�� 104
3.8No Strict Distinction Between Surveillance by the State
and by the Private Sector�� 106
3.8.1The Various Types of Surveillance Are Not
Necessarily Different in Terms of Intrusiveness �� 108
3.8.2Democratic Legitimacy and Accountability
of Surveillance, in Relation to Secrecy

and Cooperation with the Private Sector�� 109
3.9The Perspective of the EU and the Member States:
What Is Changing?�� 110
3.9.1The Governance of the Internet and a Declining
Role for the State�� 111
3.9.2The Reality of the Internet Changes Privacy
and Data Protection and the Balancing with Other
Fundamental Rights and Public Interests�� 112
3.9.3The EU and the Member States Depend
on Private Parties�� 114
3.9.4Conflicts of Jurisdiction Are an Inherent
Phenomenon on the Internet and Should
Be Addressed�� 115
3.10Introductory Ideas on How the EU and Its Member
States Could Regain Control�� 116
3.10.1Three Basic Conditions �� 116

Contents

xiii

3.10.2Five Directions�� 117
3.11Conclusions �� 119
References�� 121
4The Mandate of the EU Under Article 16 TFEU
and the Perspectives of Legitimacy and Effectiveness�� 125
4.1Introduction �� 125
4.2A General Design of the Mandate Under Article
16TFEU: The Member States Are Important Actors �� 126

4.2.1The Context: Article 16 TFEU Gives a Mandate
to the EU, But the Member States Remain
Important Actors�� 128
4.2.2Legitimacy and Effectiveness: Perspectives
for Understanding the Mandate of the EU�� 129
4.3A First Specification of the Mandate Under Article 16
TFEU: Broad Powers of the EU, But a Shared Competence,
and an Outline of the Three Tasks�� 130
4.3.1Wide Powers of the EU in Privacy
and Data Protection �� 130
4.3.2Article 16 TFEU Is a Shared Competence,
But in Practice Complete�� 131
4.3.3An Outline of the Three Tasks of the EU
Under Article 16 TFEU�� 133
4.4The Exercise of the Mandate Under Article 16 TFEU
Should Comply with the Principles of Subsidiarity
and Proportionality�� 135
4.4.1Testing EU Data Protection Action
on Subsidiarity and Proportionality�� 135
4.4.2Member State Competences in Competing Areas�� 137
4.5Security Agencies Could Be Covered by EU Data
Protection Despite the Limitations to EU Competence
in Respect of National Identities, National Security
and Cultural Differences �� 138
4.5.1The National Identities of the EU Member States�� 138
4.5.2The Notion of National Security, in Relation
to Public Security and State Security�� 139
4.5.3National Security of Third Countries�� 143
4.5.4Cultural Differences and Cultural Diversity �� 144
4.6Further Limitations Due to the EU’s Organisational

Structure: Decentralised Implementation�� 145
4.6.1Decentralised Implementation and Cooperation�� 145
4.6.2Sincere Cooperation as a Means to Regain Control
Over Fundamental Rights Protection�� 146
4.7Enforcement and the Organisation of Judicial Protection
Are Normally Tasks of the Member States �� 148

xiv

Contents

4.7.1Administrative Law Enforcement: Multi-level
Governance or Shared Administration�� 149
4.7.2Judicial Protection: The Principle of National
Procedural Autonomy�� 150
4.8Democratic Legitimacy of EU Action
Under Article 16 TFEU: A Prerequisite for Trust �� 151
4.8.1Fundamental Rights and the Academic
Controvery on Democratic Legitimacy�� 151
4.8.2The Legitimacy of EU Action Depends
on the Subject Area �� 152
4.9The EU and Its Citizens: The Concept of EU Citizenship
Contributes to the Legitimacy of the EU’s Role
Under Article 16 TFEU�� 154
4.9.1EU Citizenship: EU Citizens’ Expectations
That Their Rights Are Protected �� 155
4.10Four Arguments Relating to a Lack of Legitimacy
of EU Action �� 157
4.10.1The Lack of Legitimacy Captured

in Four Arguments�� 157
4.10.2Democratic Legitimacy Formally Closer
to the Optimum, But Socially
Not Widely Accepted�� 160
4.11The Background According to Weiler:
The Crisis of Social Legitimacy�� 162
4.12The Legitimacy of EU Action in Relation
to the Member States: A Broad Mandate in a Pluralist
Legal Context�� 164
4.12.1Member States’ Reticence to Enhance EU Power�� 164
4.12.2A Pluralist Legal Context�� 166
4.13Primacy Is Potentially in Conflict with the Protection
of Fundamental Rights by the Member States�� 167
4.13.1Different Positions Taken on the Primacy
of EU Law by National Courts�� 168
4.13.2Schrems as Example of a Potential Conflict
Between Primacy and Respect of Privacy
and Data Protection �� 170
4.14Legitimacy Based on Output: Required to Regain Control
Over Privacy and Data Protection, But Not Sufficient �� 171
4.15Effectiveness: Delivering Privacy on the Ground�� 174
4.15.1Empowerment of Individuals�� 175
4.15.2Data Controllers’ Responsibility:
Multi-stakeholder Solutions as an Alternative
for Command-and-Control Legislation�� 177
4.15.3Enforcement as a Key Element of Effectiveness�� 178
4.16Conclusions �� 179
References�� 182

Contents

xv

5Understanding and Assessing the Contribution of the CJEU
to the Mandate Under Article 16 TFEU�� 185
5.1Introduction �� 185
5.2The General Design on the Task of the CJEU
Under Article 16 TFEU: How to Cope
with the Remarkable Features of This Provision?�� 186
5.3The Institutional Role of the CJEU in the Constitutional
Order of the EU�� 188
5.3.1The CJEU Acting as a Constitutional Court
with Three Functions: The Review
of Fundamental Rights, Market Integration
and Umpire Between the Different Powers�� 189
5.3.2The Perception of an Activist CJEU �� 190
5.3.3Strengths and Weaknesses
in the Role of the CJEU�� 191
5.4The Legitimacy of the CJEU: Compensating
for the Presumed Democratic Deficit of the EU �� 193
5.4.1Legitimacy: The CJEU’s Constitutional
Role Requires Some Nuancing �� 194
5.4.2Effectiveness: The CJEU Contributes
to Bridging the Gap Between Principles
and Practice �� 196
5.5Until the Lisbon Treaty: Emergence of Fundamental
Rights in the EU Legal Order�� 197
5.5.1Connection to Fundamental Rights
Under National Law�� 197

5.5.2A Systematic Review of EU Law, in Light
of the ECHR�� 199
5.5.3Before the Entry into Force of the Lisbon Treaty:
An Increasing Role of Fundamental Rights,
but Article 7 and 8 Charter Are Only
Mentioned Once�� 200
5.6The Charter Since the Entry into Force of the Lisbon
Treaty: A Fundamental Change of Approach of the CJEU �� 202
5.6.1A General Outline of the Fundamental
Rights Assessment by the CJEU Based
on Article 52 (1) Charter �� 203
5.6.2The Proportionality Test Is Key
in the Case Law of the CJEU�� 204
5.6.3The Charter as Yardstick �� 205
5.6.4The Charter Has a Wide Scope, but Does
Not Extend the Competences of the EU �� 208

xvi

Contents

5.7The Test Under the Charter Is Strict and Considers
a Number of Factors�� 209
5.7.1Schecke, Test-Achats, and Google Spain
and Google Inc: Three Cases of Stringent
Testing by the CJEU�� 210
5.7.2The Same Strict Test Does Not Necessarily
Extend to All Fundamental Rights
Under the Charter�� 211

5.8The Notion of Fundamental Rights: Different Methods
of Defining Fundamental Rights Are Useful
for Understanding Fundamental Rights�� 212
5.8.1A Positivist Method of Defining
Fundamental Rights�� 213
5.8.2A Definition of Fundamental Rights
by Their Nature of Moral Value�� 214
5.8.3The Historical Method: Establishing
the Fundamental Nature of Rights Using
Their Backgrounds�� 216
5.9Distinctions Between Fundamental Rights
on the Internet: Towards a Simple Taxonomy�� 217
5.9.1Towards a Simple Taxonomy�� 218
5.9.2The Taxonomy Could Enable the CJEU
to Elaborate Its Case Law, Further Strengthening
the Protection of Individuals on the Internet�� 221
5.10The CJEU Takes a Strict Approach on Privacy
and Data Protection, Particularly When Balancing with Other
Fundamental Rights, and with the Objective of Security �� 222
5.10.1The Strict Approach of the CJEU�� 222
5.10.2Privacy and Data Protection Have a Huge Impact
on Human Dignity and Effective Protection
is Essential in a Democratic Society Which
Is Subject to the Rule of Law�� 224
5.10.3Introduction of the Following Sections�� 224
5.11Case Law of the US Supreme Court: Balancing
with Free Speech and Security�� 225
5.12Article 11 Charter on Freedom of Expression
and Information: An Intensified Link with Privacy
and Data Protection �� 228

5.12.1An Intensifying Link: Three Reasons
and Four Concepts�� 229
5.12.2Balancing Privacy and Freedom of Expression,
in Light of Google Spain and Google Inc.�� 230
5.13Google Spain and Google Inc. Restores a Balance,
but Raises Questions of Legitimacy�� 232

Contents

xvii

5.13.1The CJEU No Longer Takes
a Deferential Approach �� 234
5.13.2Democratic Legitimacy Is Not
Necessarily Guaranteed�� 234
5.14Article 42 Charter on the Right of Access to Documents:
A Strict Scrutiny but Not When Balancing with Privacy
and Data Protection �� 235
5.14.1Access to Documents as a Promotor
of Transparency and Good Governance�� 236
5.14.2Balancing Privacy and Transparency,
in the Light of Bavarian Lager�� 238
5.15Article 17 Charter on the Right to Property
and Intellectual Property: Do These Rights Represent
Essential Values in a Democratic Society? �� 239
5.15.1Intellectual Property Becomes Complicated
in the Information Society and Copyright
Is the Example of a Right Difficult to Enforce �� 241
5.15.2Does the Right to Property Represent Human

Dignity in the Same Way as Privacy
and Data Protection? �� 243
5.16A Strict Review of Measures Aiming at a High Level
of Security with an Impact on Privacy and Data Protection �� 244
5.16.1Privacy and Security: A Trade-Off�� 244
5.16.2The Case Law of the ECtHR Helps
Understanding Privacy, in Its Relation to Security �� 245
5.17The Contribution of the CJEU, with a Focus
on Digital Rights Ireland and Seitlinger�� 247
5.17.1Indiscriminate Retention of Data May
Be Appropriate, but Remains Disproportionate�� 247
5.17.2A New Dimension to the Relation
Between Security and Privacy After Digital Rights
Ireland and Seitlinger? Four Considerations�� 249
5.18The CJEU Also Promotes Integration and Acts
as an Umpire Where Other Public Interests or Other
Governmental Actors Have an Impact on the Exercise
of Article 16 (1) TFEU�� 251
5.18.1Market Integration: An Additional Interest
to Be Taken into Account by the CJEU�� 252
5.18.2The CJEU as an Umpire Between Different
Powers: Precise Answers by the CJEU Are Required,
Where the CJEU Adjudicates on Article 16 TFEU
and Relating Competences�� 254
5.19Conclusions �� 255
References�� 259

xviii

Contents

6Understanding the Scope and Limits of the EU Legislator’s
Contribution to the Mandate Under Article 16 TFEU�� 263
6.1Introduction �� 263
6.2A General Design of the Legislator’s Contribution:
What Needs to Be Done?�� 264
6.2.1The Scope of the Mandate: Article 16(2) TFEU
Contains a Duty to Adopt EU Legislation�� 265
6.2.2The Mandate of the EU Legislator Has Two
Remarkable Features�� 267
6.2.3What About the Competence of the Member
States? �� 268
6.2.4All in All, the EU Legislator Operates
in a Complex Reality�� 269
6.3The EU Legislator’s Institutional Role, Institutional
Balance and the Contributions of the European Parliament,
the Council and the Commission�� 270
6.3.1There Is One EU Legislator, But Composed
of Three Institutions�� 271
6.3.2The European Parliament as a Supporter
of Strong Privacy and Data Protection�� 272
6.3.3The Council of the European Union
Representing National Concerns�� 274
6.3.4The European Commission, Committed
to Integration �� 275
6.4Involving Other Stakeholders: Member States,
Private Sector and Civil Society �� 276
6.4.1Involvement of Actors Within the Member
States Takes Various Forms�� 277

6.4.2Involvement of the Private Sector
and Civil Society �� 278
6.4.3What Do We Learn, in Relation to Tasks,
Limitations, Legitimacy and Effectiveness? �� 278
6.5A Comparison with the Similar, but Not Equal Mandate
of the EU Legislator Under Articles 18 and 19 TFEU
on Equal Treatment and Non-discrimination�� 279
6.6Elements of Privacy and Data Protection Where Member
States Should Exercise Competence: Five Categories�� 281
6.7The EU Legislator’s Mandate and Its Interfaces
with Competences of the EU and the Member States
in Related Areas�� 284
6.7.1Freedom of Expression and Information:
An Area Where the EU Only Has Limited
Competence, But Where Developments
in the Information Society Have a Big Effect�� 285

Contents

xix

6.7.2Open Data and the Interface Between Transparency
and Data Protection �� 287
6.7.3Legislative Measures for Internet Monitoring
with the Aim of Enforcing Intellectual Property Rights 288
6.8Security: An Area Where the EU and the Member
States Have Significant Competence�� 289
6.9Synergies with Public Interests Relating to the Internal
Market: The Economic Dimension of Privacy

and Data Protection �� 292
6.9.1Not Conflicting, But Interfacing
and Creating Synergies �� 293
6.9.2Synergies Between Privacy and Data Protection
and Economic Interests �� 295
6.10Two Illustrations for Synergies: The Legal Frameworks
for Electronic Communications and Consumer Protection�� 296
6.10.1The Legal Framework for Electronic
Communications Makes Governments
Responsible for Network Governance�� 297
6.10.2Consumer Protection�� 299
6.11Competition Law, a Specific Challenge
for Creating Synergies�� 302
6.12Privacy Rules in the US: An Introduction
to the Importance of Multi-stakeholder Solutions�� 306
6.12.1General Features of Privacy Legislation in the US�� 306
6.12.2US Privacy Legislation Has a Limited Scope �� 307
6.12.3Non-legislative Instruments in the US,
a Key Element in Consumer Privacy�� 309
6.12.4The Fair Information Practice Principles,
Substantive Standards of Protection Comparable
to the Principles in the EU�� 310
6.13Effectiveness and Conditions for Good Legislation:
Engaging the Private Sector�� 311
6.13.1Introductory Remarks on Engaging
with the Private Sector�� 312
6.13.2Multi-stakeholder Solutions or Multi-level
Governance �� 313
6.14Accountability as an Overarching Solution for Delivering
Privacy and Data Protection�� 314

6.15Conclusions �� 319
References�� 322

xx

Contents

7Understanding the Role of Independent, Effective
and Accountable DPAs: New Branches of Government
in Between the Union and the Member States�� 325
7.1Introduction �� 325
7.2The General Design of the DPAs: Expert Bodies
with Constitutional Status and with Importance
in the Information Society�� 327
7.2.1The Embedding of the Role of DPAs
in Primary Law Gives Them Constitutional Status�� 327
7.2.2Information Society�� 329
7.3The Institutional Background: Six Reasons
for the Existence of DPAs �� 330
7.3.1The History of DPAs in the EU�� 330
7.3.2Six Reasons Behind Their Existence�� 330
7.4The Competences of DPAs: A Variety of Roles�� 333
7.4.1The First Limitation: Article 16(2) TFEU
and Article 8(3) Charter Are Imprecise,
But Privacy and Data Protection Are Meant
in a Wide Sense �� 333
7.4.2The Second Limitation: Ensuring Control
of Compliance Is Not Limited to Enforcement
Strictu Sensu�� 334

7.4.3The Third Limitation: The Remedy
Before a DPA Is Not Exclusive �� 335
7.4.4Further Tasks of DPAs: The Attribution
of Powers Must Be Sufficient to Ensure Control�� 336
7.4.5A Variety of Roles Raising Questions�� 337
7.5Enforcement in the US: An Alternative System
with a Strong Role for the FTC in Consumer Privacy�� 339
7.6The DPAs as a New Branch of Government:
Non-majoritarian Expert Bodies, Different
But Similar to EU Agencies�� 341
7.6.1Independent DPAs as New Branches
of Government, to Be Distinguished
from Autonomous Agencies�� 341
7.6.2The Example of Electronic Communications:
Two Main Differences Between the Regulatory
Authorities and DPAs�� 342
7.6.3DPAs: Two Main Similarities with Other
Non-majoritarian Expert Bodies �� 344
7.7General Theory on Expert Bodies: The Rise
of the Unelected�� 346
7.7.1Are Expert Bodies a New Branch
of Government?�� 347

Contents

xxi

7.7.2DPAs Are a New Branch of Government:
Towards Good Governance�� 351

7.8EU Agencies and DPAs Are Expert Bodies
with a Hybrid Position in Between the EU
and National Levels�� 352
7.9Independence of DPAs Under the Case Law
of the CJEU: A Strong Requirement �� 354
7.9.1The Meaning of Acting with Complete
Independence: No External Influence Allowed�� 355
7.9.2The Relation Between the Principle of Democracy
and the Broad Notion of Independence�� 357
7.9.3Four Observations Based on This Case Law�� 357
7.10Independence of DPAs: An Analysis�� 360
7.10.1Different Degrees of Independence
Under EU Law, Parallels with the ECB
and with Courts �� 360
7.10.2High Degree of Independence for DPAs,
Confirming Their Status as New Branch
of Government�� 362
7.10.3The Appointment of Members of a DPA:
A Critical Factor Potentially Influencing
Independence�� 363
7.10.4The DPAs Have an Obligation to Safeguard
Their Independence, Under the Principle
of Democracy�� 364
7.10.5Independence in Relation to Effectiveness
and Accountability�� 365
7.11Effectiveness of DPAs: A Presumed Lack of Effectiveness
and the Struggle for Resources �� 366
7.11.1The Presumed Lack of Effectiveness of DPAs �� 367
7.11.2Resources of DPAs�� 368
7.12Effective Powers of DPAs, Proximity and the Developing

Information Society�� 370
7.12.1Member States Must Ensure Effective Powers�� 370
7.12.2Proximity of DPAs Enhancing Effectiveness�� 371
7.12.3Effective DPAs in a Developing
Information Society�� 372
7.13DPAs Are Accountable to the Judiciary
and Not Totally Free from Parliamentary Influence�� 374
7.13.1Judicial Accountability as Compensation
for the Loss of Full Parliamentary Control �� 375
7.14Democratic Accountability: Independence Should
Not Mean That Expert Bodies Act in a Non-controllable
and Arbitrary Manner�� 377

xxii

Contents

7.14.1The Wider Context of Accountability of Public
Bodies: Three Perspectives �� 378
7.14.2Instruments for Democratic Accountability:
Explaining and Justifying Conduct �� 380
7.15Conclusions and a Model for Good Governance
by DPAs�� 381
References�� 385
8Understanding the Role of Cooperation Mechanisms
of DPAs: Towards a Layered Model of Horizontal
Cooperation Between DPAs, a Structured Network
of DPAs and a European DPA�� 389
8.1Introduction �� 390

8.2A General Design of DPAs Cooperating with Each
Other and in Composite Administrations
or Trans-governmental Networks�� 390
8.2.1DPAs Operating in Multiple Jurisdictions:
A Challenge to Reconcile Independence,
Effectiveness and Accountability,
as Illustrated by the GDPR�� 393
8.3Cross-Border Enforcement and Mutual Cooperation
Between DPAs: The State of Play�� 395
8.3.1The EU-Wide Component of Control
by National DPAs and the Task of the Member
States to Secure the Effectiveness
and Uniformity of EU Law �� 395
8.3.2The State of Play in Data Protection Law�� 395
8.3.3Three Types of Enforcement Cooperation
of DPAs �� 396
8.4Institutional Arrangements: Article 29 Working Party
and Other Mechanisms for Institutional Cooperation
Between DPAs�� 398
8.4.1Other Mechanisms for Institutional
Cooperation, Mainly in the Area of Freedom,
Security and Justice�� 400
8.4.2The European Data Protection Supervisor�� 402
8.5Two Main Novelties in the GDPR: A One-Stop
Shop Mechanism and a Consistency Mechanism �� 403
8.5.1A One-Stop Shop Mechanism with a Lead
Supervisory Authority Cooperating with Its Peers�� 403
8.5.2A Consistency Mechanism, but Diverging
Views on Its Rationale�� 405
8.5.3From the Citizens’ Perspective: The Rationale

Behind a Consistency Mechanism Is Not Clear�� 407

Contents

xxiii

8.6Experience in a Related Area: Governance in Electronic
Communications Through a Network of Authorities
with a Task for BEREC to Ensure Consistent Application �� 408
8.6.1Conditions for Effective Cooperation Inspired
by the Parallel with Cooperation
in EU Competition Law�� 412
8.7Cooperation Between DPAs in a Composite
Administration, Against the Background of Developing
EU Administrative Law�� 413
8.7.1Administrative Cooperation Under EU Law
as a Matter of Common Interest�� 413
8.7.2Material Aspects of the Composite Administration:
Mutual Cooperation and Mutual Trust�� 415
8.7.3Procedural Standards Applied in the Composite
Administration Should Ensure Accountability�� 417
8.7.4Fragmentation of Areas of Law as a Further
Complication, also in View of the Special
Status of DPAs�� 419
8.8Three Models to Organise Cooperation Between DPAs,
Against the Background of the GDPR�� 419
8.8.1Introduction of the Three Models of Cooperation�� 420
8.9The First Cooperation Layer: Horizontal Cooperation
Between DPAs�� 421

8.9.1The Essence of Horizontal Cooperation �� 421
8.9.2Developments Towards a Closer Regime
for Horizontal Cooperation with Precisely
Formulated Rules�� 422
8.9.3Procedural Guarantees as Compensation
for Democratic Accountability�� 424
8.9.4How to Ensure That DPAs Give Sufficient Priority
to Horizontal Cooperation�� 425
8.10The Second Cooperation Layer: A Structured Network
of DPAs, Taking the Article 29 Working Party
as an Inspiration to Move Ahead�� 425
8.10.1Development Towards a Closer Structured
Network of DPAs�� 426
8.10.2The Relation Between the Duties and Powers
of a Structured Network and the Requirements
for Composition and Decision-Making Structures �� 427
8.10.3Composition of Structured Networks with Senior
Representatives of DPAs and Consensual
Decision-Making Enhances Legitimacy �� 428
8.10.4The Role of the Commission in the Structured
Network: How to Combine Two Contradicting
Demands�� 430

xxiv

Contents

8.10.5Procedural Guarantees�� 432
8.11The Third Layer Where Independence Must

Be Ensured: Cooperation Within a European DPA�� 432
8.11.1The Essence of Cooperation Within
a European DPA�� 432
8.11.2Towards a Closer Cooperation Within
a European DPA�� 434
8.11.3And the Role of the Commission?�� 436
8.11.4Procedural Guarantees�� 436
8.11.5Further Conditions�� 437
8.12Cooperation Between DPAs: Ensuring Independence,
Effectiveness and Accountability of DPAs
and the Cooperation Mechanisms, a Final Assessment
and a Proposal �� 438
8.12.1The Layered Structure of Cooperation
Mechanisms Should Not Compromise
the Independence of DPAs�� 438
8.12.2The Layered Structure Should Contain Incentives
for Effective Protection and Should Not Result
in an Incomplete – or Extremely Complex – System
of Remedies�� 438
8.12.3Democratic Accountability: The European
Parliament Has a Role to Play�� 439
8.12.4Judicial Accountability: Effective Redress
Mechanisms, Not Necessarily Proximity�� 440
8.12.5The Final Assessment and a Proposal �� 441
8.13Conclusions �� 443
References�� 447
9Understanding the EU Mandate Under Article 16 TFEU
in the External Domain: Towards a Mix of Unilateral,
Bilateral and Multilateral Strategies�� 449
9.1Introduction �� 449

9.2A General Design of EU Data Protection on a Global
Internet and the Relationship with Third Countries
and International Organisations�� 450
9.2.1Externally, the EU Operates in a Pluralist
Legal Context�� 452
9.3The Institutional Component of EU Privacy and Data
Protection in the External Domain, Focusing
on the DPAs and Their Cooperation�� 453
9.3.1A Specific Issue: The Representation of the EU
in the International Context and the Role
of Cooperating DPAs�� 454

The european union as guardian of internet privacy

Tài liệu liên quan

Tài liệu bạn tìm kiếm đã sẵn sàng tải về