Weekend Edition Nº28 by eulawlive

Nº28

SEPTEMBER 12

2020

weekend

edition stay alert keep smart

Xavier Groussot Anna Zemskova

THE I-RULE OF LAW IN THE MAKING: A CONSTITUTIONAL PERSPECTIVE ON THE GDPR Alberto Miglio

THE COMPETENCE OF SUPERVISORY AUTHORITIES AND THE 'ONE-STOP-SHOP' MECHANISM Clemens Steinbach

OLD WINE IN NEW BOTTLES? TWO YEARS OF GDPR IN GERMANY

www.eulawlive.com 1

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

The i-Rule of Law in the Making: A Constitutional Perspective on the GDPR Xavier Groussot and Anna Zemskova 1

me a constituent part of our society, espeThe General Data Protection Regulation cially in light of the COVID-19 pandemic. 2016/679 represents a strategic tool created While the GDPR contains solutions that are by the EU in striving for guaranteeing a high designed to protect the processing of persolevel of protection of personal data of natunal data at a high level, some facets of their ral persons that would correspond to the cupractical and constitutional application still rrent state of the art of digital society. While need to be explicated either in the course of digitalisation has demonstrated its massive adjudication or by means of complementary capacity to both serve mankind and aggraguidance. vate serious problematic issues (2), GDPR, alTwo years after its entry so as one of the instruThe GDPR has already had into force, the GDPR has ments of the EU’s exteralready had a signicant nal regulatory inuence a signiﬁcant constitutional constitutional impact on (3), has established a proEU law, and this is only minent system aiming at impact on EU law, and this the beginning! What are minimising detrimental is only the beginning! the reasons for its rapid effects of digitalisation ‘constitutional’ success? and at the same time enAnd what is the future of hancing functionality of its constitutional impact hi-tech innovations. Yet, on the (rule of) law in the long term? In a the active use of new technologies and their nutshell, three main elements can explain rapid transformation indicate existing nuanthe deep constitutional impact of the GDPR ces between the pace of technological adon the law. First, it has a comprehensive vances and the restrained capacity of tradireach since it applies to government and tional legal mechanisms, represented by the companies alike, and covers all sectors of centralised state regulation, to tackle the inthe economy. Its broad constitutional reach trusive effects of digitalisation that has beco-

1. Xavier Groussot is a Professor of EU Law and Pro Dean of the Faculty of Law at Lund University. Anna Zemskova is a PhD student in constitutional law at Lund Univesity. 2. Xavier Groussot, Anna Zemskova and Eduardo Gill-Pedro, ‘Towards General Principles 2.0: the Application of General Principles of EU Law in the Digital Society’, in Ulf Bernitz, Xavier Groussot, Jaan Paju and Sybe de Vries, General Principles of EU Law and the EU Digital Order (Wolters Kluwer 2020), 430. 3. Christopher Kuner, ‘The Internet and the Global Reach of EU Law’, EU Law Beyond EU Borders, Oxford University Press, 2019.

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

rights enshrined in the GDPR leading to a privatisation of EU constitutional law. In the GDPR world, digital services are often provided by private parties and the codes are often owned by private companies, which are usually tech giants (for example, Facebook, Yahoo, Google, Microsoft, and Amazon). In 2006, Lawrence Lessig in Code v. 2 acknowledged that the developments in internet 2.0 led him to recognise that the regulation of cyberspace was not only in the hands of governmental institutions, but that private parties in the market are now also important actors in this eld, as they are in control of the codes that are used to make their applications work (4). The vast majority of parties that provide digital and e-commerce services are also private parties. That means that their relationship with service-recipients is to a signicant degree regulated by the ‘market’ and its regulatory expression – private law. As expressed by Leczykiewicz, there is a clear danger of an asymmetric relationship between the private parties in the digital society leading to an increase in horizontal and constitutional litigation (5). We are witnessing new forms of inequality, not just of the bargaining power between a user and a digi-

is fostered by its decentralised enforcement system built on national Data Protection Authorities with numerous legal disputes eventually navigating their way to the national supreme courts and constitutional courts. Second, the GDPR codies many new constitutional human rights such as the right to be forgotten or the protection of privacy by design (a new right enshrined in Article 25 GDPR) or transparency by design. These rights are subject to intensive litigation before both the national courts (even national constitutional courts such as in Italy and Germany, with some exciting decisions delivered in February and November 2019 by the consulta and the rst senate respectively) and the Court of Justice of the European Union (CJEU). Third, the GDPR has a strong potential for ‘legal disruption’. It enshrines an extraordinary legal force/power that inuences not only EU law internally but also affects the regulation of the (rule of) law outside Europe as recently illustrated by the Schrems II case (C-311/18) delivered in July 2020. We will now look successively at these three interconnected arguments.

The Broad Constitutional Reach of the GDPR As said before the GDPR applies to government and companies alike and to all sectors of the economy. This broad constitutional reach is also exemplied by the widespread horizontal application of the fundamental

We are witnessing new forms of inequality

4. Lawrence Lessig, Code v. 2 (2006). 5. See Dorota Leczykiewicz, Judicial Development of EU Fundamental Rights Law in the Digital Era – a Fresh Look at the Concept of General Principles in Bernitz, Groussot, Paju and de Vries (n 2). As put by Leczykiewicz, ‘Despite many political and ideological transformations, the principle of freedom of contract continues to be central to modern private law regimes, and still consists of three elements: freedom to choose one’s contractual partner, freedom to pursue one’s own goals through contracting, and freedom to set the terms on the basis of which contracting takes place’.

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

tal market operator. The wealth of the information collected by such an organisation, the technical complexity and the interconnectedness of the different media makes the users of its products inherently vulnerable and incapable of exerting any inuence over their relationship (6).

Constitutional Rights and Constitutional Limits While being extremely ambitious in terms of its declared scope and functionality, the GDPR has to face the reality of the digital world that is characterised by a high level of horizontality in data protection issues and unavoidable (constitutional) limits of GDPR regulation. This has been vividly demonstrated in the series of judgments concerning a codied GDPR ‘right to be forgotten’ (Article 17 GDPR): GC and Others (C136/17) and Google v CNIL (C-507/17). Even though the GDPR imposes a high burden of compliance of the level of data protection with GDPR standards on third countries (Articles 44-50 GDPR), that has been tellingly illustrated by the recent Schrems II judgment (C-311/18), the right to dereferencing personal data does not enjoy a global protection, but remains restricted to the territory of the EU (C-507/17). Apart from obvious jurisdictional issues (7), the decision of the CJEU points out the necessity of taking into account other ‘underlying conditions’ of the dispute at hand, going beyond the GDPR considerations – not providing universal protection of ‘the right to erasure’ deprives the authoritarian regimes of a possibility to let the controversial issues sink into oblivion, a concern that has been becoming extremely worrying in light of the capacity of digitalisation to create an ‘alternative reality’ that has been especially visible in the context of COVID-19 pandemic (8).

The danger of this asymmetric relationship is illustrated in our view by the factual situation in the recent Fashion ID case (the socalled ‘Facebook ‘Like’ button’ case, C40/17). In this case concerning the interpretation of the scope of the concept of ‘controller’, it appears that the operator of a website (a private company providing online shopping services) had embedded on that website a social plugin that allows the personal data of a visitor to that website to be transferred to the provider of that plugin. With regard, in particular, to the Facebook ‘Like’ button, it seems to be apparent from the order for reference that, when a visitor consults the website of Fashion ID, that visitor’s personal data are transmitted to Facebook Ireland as a result of that website including that button. It seems that that transmission occurs without that visitor being aware of it regardless of whether or not he or she is a member of the social network Facebook or has clicked on the Facebook ‘Like’ button (Fashion ID, para 27). The user of the Fashion ID website is in an asymmetric situation with the tech giant. Horizontality is destined to grow in the digital society regulated by the GDPR.

6. ibid. 7. Michèle Finck ‘Google v CNIL: Dening the Territorial Scope of European Data Protection Law’, Oxford Business Law Blog, 16 November 2018. 8. Joint Communication to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions ‘Tackling Covid-19 Disinformation - Getting the Facts Right’, Join/2020/8 Final.

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

the current legal situation, (GC, para 78) meaning that the algorithms of a search engine are to be construed in such a way that they will reect an ‘up-to-date’ representation of the data, but not just the existing links regarding a natural person. This is, of course, in line with the standards of GDPR, requiring the personal data to be ‘accurate and, where necessary, kept up to date’ (Article 5(d) GDPR). However, it cannot be denied that in practice operators of search engines would have to ensure the correct representation of the ‘overall picture’, that cannot not be guaranteed by the automatic application of algorithms only (Article 5 (d) GDPR) (9). As can be seen, the judgment GC and Others reafrms an inclination towards a less statecentric model of governance that might be seen as the best possible solution in the context of regulating the digital society.

Another aspect highlighted concerning ‘the right to be forgotten’ in judgment GC and Other represents a - common for the eld in question - pattern of vesting the private actors (mostly hi-tech giants) with the extensive and sometimes extremely burdensome obligations. The Court, while protecting the ‘right to be forgotten’ by establishing an ‘expost’ control of the lawfulness of processing sensitive data, underlined that once fundamental rights under Articles 7 and 8 of the Charter collide with the right to freedom of expression (Article 11 of the Charter), a case-by-case assessment needs to be made. This technically means that an operator of a search engine becomes a private adjudicator that will dene which data constitutes the information falling under the category of public interest and which does not. Moreover, the Court indicated that even if an operator of a search engine comes to a conclusion not to accommodate a request for dereferencing, it is required to adjust the list of the results to

The positive constitutional effects of the introduction of GDPR can be hard to contest.

9. Jure Globocnik, ‘The Right to Be Forgotten Is Taking Shape: CJEU Judgments in GC and Others (C-136/17) and Google v CNIL (C-507/17)’ (2020) 69 GRUR International 380, pp. 384-385.

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

processing personal data and its valid expression in light of GDPR standards, represents a great example of its practical operability. In the course of proceedings the Court interpreted the Privacy and Electronic Communications Directive 2002 (14) through the lens of the GDPR provisions, ruling that valid consent occurs where there is active behaviour on the part of a data subject aimed at expressing that consent (a checkbox containing a preselected tick does not amount to valid consent), whereas a service provider must indicate the duration of the operation of the cookies and a possibility of third parties to obtain access to these cookies. The judgment of the Court, clarifying one of the central concepts of data protection, has immensely contributed to the higher degree of transparency and certainty in the eld of data protection with the help of GDPR.

One of the golden threads of the data protection law that constitutes a vital prerequisite for success of digitalisation, is trustworthiness in data processing that is enhanced, among others, by a high level of transparency. It is no coincidence that the Commission identies the creation of an ‘ecosystem of trust’ as its essential policy objective in constructing the regulatory framework of Articial Intelligence (AI) (10). The EU users of digital tools need to be reassured that processing of their personal data is carried out in accordance with the safeguards prescribed by the data protection instruments and that the protection of their privacy is not compromised in any way. Transparency, being the principle that is closely connected to one of the EU’s foundational values, rule of law, is one of the key requirements for establishing an ‘ecosystem of trust’ (11).Strengthening transparency in processing personal data is crucial especially due to the fact that its absence seems to be a norm in the area of digitalisation (12). In this respect, the GDPR, the provisions of which pay special attention to transparency while processing personal data (13), contributes to creating a safe ‘digital playing eld’ for EU users.

The Force of the GDPR and the Shaping of the i-Rule of Law The GDPR has clear disruptive effects for EU law and for the concept of (the rule of) law in general. This is mostly due to the innovative nature and decentralised application of the rights enshrined in the GDPR and its striking regulatory force. The GDPR not only strongly affects the (constitutional) law of the Member States but also the laws of countries outside the European Union. Its

The protection offered by GDPR cannot be called ephemeral – the recent judgment Planet49 (C-673/17), where the Court claried the concept of consent of a data subject to

10. White Paper ‘On Articial Intelligence - A European Approach to Excellence and Trust’, the European Commission, Brussels, COM (2020) 65 nal, 3. 11. ibid. 12. Lucky Belder ‘Governance of Digital Technology: Towards Principles for the Regulation of the Design, Implementation and Monitoring of AI Systems’, in Bernitz, Groussot, de Vries and Paju (n 2). 13. See Recitals 39, 58, Articles 5, 12 of the GDPR. 14. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

call ‘general principles by design. There is the necessity to develop concepts such as ‘privacy by design’, ‘equality by design’ or ‘transparency by design’. The application of ‘general principles by design’ is already ‘coded’ within the GDPR. Indeed, it is made clear that programming connected to personal data is to encompass ‘privacy by design’, with measures that are implanted into the de-

constitutional impact is therefore both internal and external and leads to the making of an i-rule of law, namely the rule of law in a digital society. An i-rule of law with international reach, but ‘made in Europe’! The impact of the GDPR is for instance exemplied by the human rights protection ‘by design’ (15) enshrined in the Brussels Re-

Its constitutional impact leads to the making of an i-rule of law

sign and architecture of IT systems (16). Article 25 GDPR states that privacy standards are to be integrated as default settings in all computer programmes dealing with personal data (17). Moreover, recital 78 of the GDPR provides some (limited) guidance on this matter and states a few techniques that an engineer can use such as data minimisation and pseudonymisation (18). The requirement to implement ‘privacy by design’ is arguably in conict with the principle of transparency because it essentially asks engineers

gulation and the need to ensure the protection within the whole cycle of the technology. Indeed, the governance of digital technology should not be limited to regulating digital technology’s applications, but should also engage in regulating the design of the software, as well as provide standards that all developers, users and controllers of algorithms and choice architectures must take into account. Therefore, there is a need to develop general principles that apply to the whole cycle of digital technology, which we can

15. See e.g. the contributions of Lucky Belder, Lianne Colonna, Linda Senden and Raphaele Xenidis in Bernitz, Groussot, Paju and de Vries (n 2). 16. European Data Protection Ofcer, Opinion 5/2018, Preliminary Opinion on Privacy by Design, 31 May 2018. 17. ibid. 18 According to recital 78 GDPR, ‘Such measures could consist, inter alia, of minimizing the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features)’.

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

The potential impact of the GDPR in EU law is also visible in the recent debate spurred by Francisco Costa-Cabral and Orla Lynskey on the use of the GDPR and data protection law as a constraint on EU competition law (20). Personal data has become the subject of trade in the digital economy, and undertakings compete to obtain and process this data. This rivalry falls within the scope of competition law. Nevertheless, personal data also has a dignitary dimension, which is protected through the GDPR and EU fundamental rights. The intersection between the GDPR and competition law may lead to important changes in EU law. The GDPR and its ‘privacy standard’ law can potentially be used as a normative yardstick in relation to the interpretation of Article 101 and 102 TFEU.

tutional force of the GDPR. This case, delivered by the Grand Chamber, is paradigmatic many respects. It is certainly one of the most important constitutional cases in the area of the GDPR notably touching upon the scope of Article 4(2) TEU and Articles 7, 8, 47 and 52 of the EU Charter of Fundamental Rights. The CJEU came to the conclusion that the Privacy Shield Decision is invalid by assessing whether the adequate level of protection required by Article 45 GDPR is in line with the standards required by Articles 7, 8 and 47 of the EU Charter of Fundamental Rights (see Schrems II paras 168-199). Effective judicial protection lies at the core of the reasoning of the CJEU. In that sense, we may nd many similarities between Schrems II and the Kadi case (Case C402/05 P); but it can even be said that the Schrems II goes even further than Kadi in terms of effective judicial protection since it evaluates the level of (judicial) protection of a third country, namely the USA.

The high quality of the ‘privacy standard’ enshrined in the GDPR also has a constitutional impact outside the European Union. For instance, the right to be forgotten which is listed in Article 17 GDPR (entitled in this provision as the ‘right to erasure’) is now codied in Russian legislation. This right also appears in litigation in many countries such as in Brazil, Israel and Japan. The recent Schrems II judgment (C-311/18) also constitutes a perfect exemplication of the consti-

This case is very far-reaching and reects the constitutional force of the GDPR outside the European Union. Schrems II also exemplies and conrms the theory of the ‘Brussels Effect’ coined by Anu Bradford. According to that theory, (21) EU law made in Brussels can set the legal standard of protection worldwide in many elds of law such as competition law, health law, consumer safety, data privacy and articial intelligence (22). The ‘Brussels Effect’ reveals the EU’s

to develop privacy norms without having to follow the normal legislative process that engages civil society (19).

19. Lianne Colonna, ‘Reconciling Privacy by Design with the Principle of Transparency’, in Bernitz, Groussot, Paju and de Vries (n 2). 20. Francisco Costa-Cabral and Orla Lynskey, ‘Family ties: the intersection between data protection and competition in EU Law’ (2017) Common Market Law Review, 54 (1) pp. 11-50. 21. Anu Bradford, The Brussels Effect: How the European Union Rules the World (OUP, 2020). 22. ibid.

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

and determine a right to receive information, still less to strike a balance between that right and the other fundamental rights to data protection and to private life…there would then be a danger that the European Union would prevent individuals in third countries from having access to information. If an authority within the European Union could order de-referencing on a worldwide scale, an inevitable signal would be sent to third countries, which could also order de-referencing under their own laws’ (see paras 60-61).

unique power to inuence global corporations and set the rules of the game while acting in a way that is ‘unilateral regulatory globalisation‘. EU law, due to its regulatory and legal strength, acts here as a soft power (23). The situation is comparable to the so-called ‘California Effect ‘where the Californian environmental standards can inuence other US States’ legislation due to the strong market power of the State of California in the US federation. In the context of the GDPR, it means that the high constitutional level of privacy protection affects the world standard of protection.

As shown in this last section, the GDPR, by shaping the i-rule of law has a clear disruptive effect on laws not only in Europe but also worldwide. The constitutional force of the GDPR boasts an extraordinary regulatory power. This regulatory power imposes obvious and certain legal limits on the digital society. Yet as put by Lawrence Lessig,

Some may even view it as an instrument of ‘lawfare’ in the hands of Europe

‘Liberty in cyberspace will not come from the absence of the state. Liberty there, as anywhere, will come from a state of a certain kind. We build a world where freedom can ourish not by removing from society any self-conscious control, but by setting it in a place where a particular kind of selfconscious control survives. We build liberty as our founders did, by setting society upon a certain constitution’ (24).

Viewed from this perspective, the GDPR has a signicant constitutional force. Some may even view it as an instrument of ‘lawfare’ in the hands of Europe. This last argument is not valid in our view since we are dealing here with a soft power rather than a hard one. Yet, the GDPR constitutes an inuential judicial document that may have extensive legal, constitutional and even political consequences outside Europe. Interestingly, AG Szpunar in Google v. CNIL (C507/17) has recognised the constitutional force and the potential danger of the GDPR and its high privacy standards in the context of de-referencing by highlighting that,

By ‘constitution’, he means not just a legal text but a way of life that structures and constrains social and legal power: an architecture to the end of protecting the fundamental values (25). In order to understand the power of a government/institution to regulate, it is thus essential to comprehend the architecture within which it governs (26).

‘If worldwide de-referencing were admitted, the EU authorities would not be in a position to dene

24. Lessig, (n 4) 4. According to Lessig, ‘By “constitution,” I mean an architecture—not just a legal text but a way of life—that structures and constrains social and legal power, to the end of protecting fundamental values. I mean constitution as in lighthouse—a guide that helps anchor fundamental values’. 25. ibid. 26. ibid, 282.

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

The competence of supervisory authorities and the ‘one-stop-shop’ mechanism Alberto Miglio 1

fers considerably according to policy areas. The Commission has major enforcement powers of its own in competition law. Financial market supervision is also to a large extent exercised at the central level through EU agencies (EBA, ESMA and EIOPA). Within the Banking Union, the European Central Bank shares the task of supervising credit institutions with the national banking supervisors.

The administrative enforcement of the General Data Protection Regulation is a typical example of executive federalism. The same body of harmonised law is supposed to apply uniformly in all Member States but is enforced by national authorities. Under the principle of sincere cooperation (Article 4(3) TEU), national administrative authorities must cooperate with each other and with the EU level with a view to achieving consistency.

DPAs occupy centre stage in the GDPR compliance system

In comparison, enforcement under the GDPR is far less centralised. The Regulation established the European Data Protection Board (EDPB), which took over the role of the Article 29 Data Protection Working Party (WP29). The EDPB has a much broader mandate than the WP29, but no direct supervisory powers over data controllers and processors.

This enforcement model is not specic to data protection law. Instead, it is a distinctive feature of EU law in many areas, ranging from competition policy to the regulation of electronic communications and nancial supervision. From a legal perspective, subsidiarity may provide an argument for decentralised enforcement. However, the decisive rationale behind EU executive federalism is practical: The EU simply lacks the resources and personnel to carry out all enforcement tasks alone.

It is for national data protection authorities (DPAs) to perform this task instead. DPAs occupy centre stage in the GDPR compliance system, which relies heavily on administrative enforcement. The 1995 Data Protection Directive (DPD) left considerable discretion to the Member States regarding the

While in general all these examples point to a more or less decentralised enforcement model, the actual degree of centralisation dif-

1. Alberto Miglio is a Postdoctoral Researcher at the University of Turin and visiting researcher at the Brussels Privacy Hub (VUB). He is co-editing a forthcoming book on European Union Law Enforcement: The Evolution of Sanctioning Powers (Routledge, 2020, with Stefano Montaldo and Francesco Costamagna)

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

Because enforcement is decentralised, specic rules are needed to apportion competence between the DPAs as well as coordination mechanisms to make sure that they apply the Regulation consistently.

choice of enforcement tools. By contrast, even a quick look at the structure of the GDPR reveals that the legislature intended administrative enforcement by supervisory authorities to be the main compliance tool under the GDPR. While there are a few provisions on judicial remedies against data controllers and processors (Article 79), on civil liability (Article 82) and on criminal penalties (Article 84), administrative supervision and remedies occupy most of the GDPR’s chapters on enforcement.

Reliance on national authorities for enforcement purposes makes it inevitable to allocate competence according to territorial criteria. Under Article 55 GDPR, each DPA’s competence is in principle conned to ‘the territory of its own Member State’.

Splitting competence along territorial lines may prove problematic

In data protection law, however, splitting competence along territorial lines may prove problematic because data processing very often involves a cross-border dimension. This could result in supervisors being unable to address complaints effectively in cross-border cases or in several DPAs claiming competence over the same processing activity, generating the risk of parallel proceedings with inconsistent outcomes.

DPAs are heavily regulated. Under the EU Charter of Fundamental Rights, compliance with the right to data protection must be ‘subject to control by an independent authority’. Accordingly, the GDPR lays down strict independence requirements (Article 52) and prescribes rules on the establishment of DPAs and the appointment of their members (Articles 53-54). The Regulation also entrusts DPAs with numerous tasks (Article 57) and endows them with wide-ranging investigative, corrective and advisory powers (Article 58). Such degree of detail stands in stark contrast with the DPD, where Article 28 was the only provision specically dealing with national supervisory authorities.

EULAWLIVE stay alert keep smart

Two judgments of the Court of Justice of the European Union (CJEU) decided under the DPD are illustrative of the shortcomings of the previous regime in this respect. In Weltimmo (C-230/14), the CJEU ruled that the Hungarian DPA could only impose penalties

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

tion, the one-stop shop does not apply where despite the existence of multiple establishments the subject matter has only local relevance, or where the processing substantially affects data subjects in one Member State only.

on a controller insofar as Hungarian law applied. In other words, it could not issue remedies for conduct falling outside its territorial jurisdiction. In Wirtschaftsakademie (C210/16), the CJEU pointed out that the lack of rules on competence conicts and coordination of proceedings made it possible for several DPAs to exercise supervision over the same controller without any guarantee of consistency.

Where the one-stop-shop mechanism applies, the DPA of the controller’s or processor’s main establishment is the ‘lead’ supervisor and the company’s sole ‘interlocutor’ (Article 56). However, the other DPAs conTo prevent such occurrences, the legislature cerned must also be involved in the deciintroduced the so-called ‘one-stop-shop’ mesion-making process ‘in an endeavour to chanism, which is commonly considered reach consensus’ (Artione of the GDPR’s most cle 60). Only the lead innovative features. The DPA is competent to isCommission’s proposal The one-stop-shop mechanism sue a decision, but the otenvisaged a more radical is an interesting attempt to her DPAs must be consolution than the one ultisulted and may object to mately retained in the Recombine legal certainty the draft decision. gulation: only the DPA and consistency of a company’s single or If disagreements betmain establishment ween the DPAs concer(lead authority) would ned cannot be solved cooperatively, the be competent to process complaints lodged EDPB will adopt a binding decision accoragainst it. Decisions by the lead authority ding to Article 65. It is noteworthy that two would then be recognised by the other DPAs of the three cases where the EDPB is endopursuant to the principle of mutual recogniwed with decision-making powers relate to tion. However, this aspect of the proposal the operation of the one-stop-shop mechamet with criticism and was discarded in fanism, namely the determination of the lead vour of a more complex ‘coordination’ authority and the ruling on objections to the system. lead authority’s draft decisions. The one-stop-shop mechanism provided for Overall, the one-stop-shop mechanism is an in Articles 56 and 60 GDPR is actually a ‘cointeresting attempt to combine legal cerdecision’ procedural scheme. It applies in tainty and consistency. From the perspective two cases: where the controller or processor of regulated companies, it looks like a major has establishments in multiple Member Staimprovement compared to the DPD supervites, and where it is only established in one sion regime, where cross-border cases resulMember State but carries out processing actited in split competence and the likelihood of vities that substantially affect data subjects parallel proceedings. in several Member States. By way of excep-

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

There are some drawbacks inherent in the one-stop-shop logic

ties in establishing whether a case falls within its scope and which authority is competent. Subsequent practice also indicates that the mere existence of the one-stop-shop mechanism does not make multinational companies subject to supervision by one DPA only. A case in point is CNIL’s investigation of Google’s ads personalisation policy, where the French DPA was competent because the Irish establishment did not have a decision-making power on the data processing concerned.

In terms of effectiveness, however, it may have some serious drawbacks. Some are just technical shortcomings that depend on lacunae in the Regulation. What happens, for instance, if a company moves its main establishment to a different Member State while proceedings are pending before the lead authority? The GDPR is silent on the issue, but the EDPB considers that a new lead authority would have to be designated. Despite the DPAs’ duty to cooperate with one another, this would presumably result in delays.

A request for a preliminary ruling lodged in August 2019 by the Brussels labour court raises similar issues. The case originates from a legal action brought by the Belgian DPA against Facebook for infringement of EU data protection law. In essence, the referring court asks whether and to what extent the one-stop-shop mechanism prevents DPAs of countries where the controller does not have its main establishment from exercising their powers under the Regulation. Since the onestop shop is an exception to the general rule on territorial competence laid down in Article 55, the Belgian DPA argued in the main proceedings that it should be interpreted restrictively. It is clear that the actual impact of the mechanism will depend on how the CJEU construes its scope of application and whether it agrees with the view of the Belgian authority.

Moreover, there are some drawbacks inherent in the one-stop-shop logic. The GDPR’s decentralised enforcement system works on the premise that all DPAs are well-staffed, well-equipped, able to address complaints quickly and to apply the Regulation consistently. The Schrems saga, where the Irish DPA spent years litigating against a complainant to be ultimately proven wrong twice, suggests that this may not always be the case. By preventing the other DPAs from starting parallel proceedings, the one-stop shop actually exacerbates the consequences of a DPA not being able to process complaints swiftly and effectively.

In this regard, the growing body of the practice of DPAs, the EDPB’s power to solve competence conicts and substantive disagreements between DPAs, and the case law of the CJEU will likely contribute over time to address interpretative issues relating to the application of the mechanism. The pu-

It is therefore not surprising that there is considerable disagreement as to the actual scope of the one-stop-shop mechanism. The WP29’s Guidelines on the Lead Supervisory Authority already hinted at possible difcul-

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

chanisms may not fully address the risk of fragmentation that is ‘inherent in [a] decentralised surveillance structure’, as Advocate General Saugmandsgaard Øe noted in Schrems II (C-311/18). As such, they are but a poor replacement for direct supervision by an EU body over multinational companies whose data processing activities affect the whole single market.

blication by the EDPB of a register containing one-stop-shop decisions, making the relevant practice easily accessible to the public, is also a welcome step in this direction. In the long run, however, a greater degree of centralisation may be necessary to ensure effective administrative enforcement of the GDPR. Coordination and consistency me-

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

Old wine in new bottles? Two years of GDPR in Germany Clemens Steinbach 1

rules to a German privacy standard. This simplistic assumption does not however, take all relevant aspects into account.

1. Introduction Germany has a strong privacy tradition and has attached great importance to data protection for several decades. This privacyfocused attitude mainly stems from a historical background given the abuse of power by intelligence services under two totalitarian regimes in Germany in the 20th century.

2. Recent developments in Germany since the entry into application of the GDPR Generally speaking, there has been a positive reception of the GDPR in Germany more than two years after its entry into application on 25 May 2018.

In the German Federal State of Hesse, the rst privacy law worldwide came into force in 1970. Its regional Parliament also elected the world's rst data protection Commissioner in 1971. Moreover, the German Federal Constitutional Court established the right to informational self-determination as a fundamental right in its judgment in 1983, laying down the basic principles of citizens' privacy rights in relation to a national census. Against this background, many General Data Protection Regulation (GDPR) principles like data minimisation or purpose limitation were already well known under previous German data protection laws.

As in many other Member States, there was some confusion right after its entry into application. For instance, in the rst weeks after 25 May 2018, many citizens believed that pictures might only be taken and proces-

There has been a positive reception of the GDPR in Germany

Therefore, many in Germany expected that the new provisions introduced by the GDPR would only align European data protection Clemens Steinbach works as a legal ofcer at the German Federal Commissioner for Data Protection and Freedom of Information. He is a fully qualied German lawyer and holds a Master of European Law (LL.M.) from the College of Europe in Bruges. Previously, he worked as a trainee lawyer in the data protection unit of the European Commission's Directorate-General for Justice and Consumers and as a legal ofcer in the legal affairs unit of the European Commission's Directorate-General for Health and Food Safety. The information and views set out in this contribution are those of the author and do not reect in any way the ofcial opinion of the Federal Commissioner for Data Protection and Freedom of Information or of the European Commission.

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

prove their awareness of data protection, that better structures and automatisms in terms of data protection have been incorporated and that companies consider personal data more worth protecting. Accordingly, since the entry into application of the GDPR, German companies often seem more willing to develop a data protection strategy in order to fully guarantee the protection of their employees. Presumably, the newly established high administrative nes have probably also played their part. Last but not least, citizens' awareness increased signicantly, resulting in record numbers of complaints received by DPAs.

sed after persons shown on the photo provided their written consent. However, after clarication by the regional data protection authority (DPA) of Baden-Württemberg, citizens understood that a legitimate interest could also be a valid basis to take and process pictures, especially in the context of public events. Despite many well-known data protection principles being brought up again under the GDPR, the newly introduced possible maximum amount of nes surprised many stakeholders in Germany. While the highest administrative ne possible under previous German data protection law only amounted to 300,000 euros, under the GDPR, administrative nes can now amount up to 20 million euros or up to 4% of the total worldwide annual turnover of the preceding nancial year, whichever is higher. Thus, the Berlin DPA underlined this new potential in November 2019 by imposing an administrative ne of 14.4 million euros on a real estate company for not having or implementing any deletion concept for a database containing personal data of (potential) tenants, including sensitive data, such as income. Some may have wondered about such a high amount for not complying with the principle of storage limitation. However, in this specic case, the company proved to be particularly unreasonable and had still not introduced any deletion concept for its database when the DPA controlled the company for the second time in 2019 - after the DPA had already objected to this practice during its rst review in 2017.

Finally, in recent times and due to COVID19-related challenges, the private sector praised the exibility of the GPDR and the pragmatic and practice-oriented approach put forward by several DPAs, not urging immediate compliance with the GDPR by all means. For instance, the DPA of Hamburg does not impose any administrative nes on restaurants in the context of COVID-19 measures for the time being. The DPA of NorthrhineWestfalia did not object to the use of video conferencing tools in school classes, but was rather trying to nd workable solutions for children and their parents.

3. A decentralised supervisory regime - too cumbersome or a fruitful cooperation? Germany’s decentralised state structure with its 16 Federal States leads to a nearly unique phenomenon within the EU: whereas all other Member States only dispose of one (or a few) DPA(s), the German supervisory structure is split up between 18 DPAs. There are

Overall, it seems that since its entry into application, the GDPR led companies to im-

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

The operator of privacy-enhancing open source web browser, Brave also argues in this sense in its recent DPA report from April 2020 by putting forward that Germany would be the only EU Member State providing its data protection authorities with sufcient resources. Even if this seems a positive statement for German DPAs, the overall conclusion of the DPA report is rather poor. Brave urged EU governments to expand their DPA tech specialist teams, to fund DPAs to ght big tech in court whenever necessary to defend their enforcement decisions and to develop an EU unit to assist national DPAs in tech investigations. Thus, Brave urged the European Commission to start infringement proceedings against 26 Member States, allegedly failing to comply with their GDPR obligations. Brave only exempted Germany given that almost a third (29%) of all tech specialists within European DPAs work for one of the German DPAs and that Germany provides an overall yearly funding for its DPAs of about 100 million Euros, a large lead compared to only less than 5 million euros, which half of all European governments support their national DPAs with.

17 DPAs at Länder (Federal State) level - the State of Bavaria has two DPAs, one related to the public and one to the private sector and one at Federal level. While DPAs at Länder level principally supervise the private sector, the Federal DPA mainly supervises Federal authorities and intelligence services. One exception to this rule forms the Federal DPA's competence to supervise providers of telecommunication and postal services as well as private providers of security checks. The GDPR obliges each Member State to ensure that its respective supervisory authority is provided with the human, technical and nancial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers. Staff and resources of German data protection supervisory authorities have signicantly increased within the last two years, so that Germany seems to comply with the plea to provide national DPAs with adequate resources as reiterated by the European Commission in its recent report from June 2020 on two years of application of the GDPR.

Discussions came up to centralise the monitoring of the application of the GDPR at Federal level

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

latter, all DPAs work closely together in several working groups and issue guidelines and recommendations which are adopted by the Conference. Just as for the EDPB, the coordination process to reach a common German position works via the EU's Internal Market Information System (IMI), which fosters a coherent approach free of media breaks.

Recently, discussions came up to centralise the monitoring of the application of the GDPR at Federal level while creating additional regional branch ofces all over the country. This idea was rst put forward in an opinion issued by the German Data Ethics Commission in October 2019, which has been set up by the Federal Government to develop ethical standards and guidelines as well as concrete recommendations for action for individuals and society related to data and algorithmic systems. Moreover, in the aftermath of the COVID-19-related lockdown, these plans were taken up to argue for more standardisation in the German supervisory structure. Proponents argue that this would make regulatory action easier and more comprehensive for supervised companies. Another argument put forward stresses that coordination processes within the European Data Protection Board (EDPB) would be nished faster and that Germany would manage quicker to speak with one voice.

There are also several counter-arguments against a centralisation of the supervision In addition, the GDPR and EU primary law already oblige Member States to ensure a coherent application of EU law: the GDPR lays down the obligation for each supervisory authority to contribute to the consistent application of the Regulation throughout the EU. This special obligation for a uniform enforcement practice stems from the general obligation of Member States to effectively implement EU law. Finally, German constitutional law also sets boundaries as to the centralisation and would probably not allow to introduce regional branch ofces of the Federal DPA within the Länder as suggested by the German Data Ethics Commission. However, it is hardly surprising that the latter argument is especially stressed by Länder DPAs, which would otherwise lose the major share of their respective competences.

However, there are also several counterarguments against a centralisation of the supervision: Already by now the Federal DPA constitutes the supervisory authority which is to represent all German DPAs and to speak with one voice vis-a-vis their European colleagues in EDPB plenary meetings. The Federal DPA therefore disposes of a single contact point to coordinate a coherent German position. Within this contact point, a loyal working relationship between the 17 different actors (at Länder and at Federal level) exists, similar to the principle of sincere cooperation between the EU and its Member States under EU law. A similar constructive atmosphere between Länder and the Federal DPA exists in a German 'micro-EDPB', the so-called Data Protection Conference. In the

EULAWLIVE stay alert keep smart

In the end, the nal decision as to whether the GDPR supervision should remain in its current form or will be centralised at Federal level remains with the German legislature.

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

mission's opinion, which furthermore demanded an effective control of algorithms and introduced a risk-based approach, according to which certain high-risk uses of AI shall be prohibited.

4. Remaining challenges Despite a well-established and functional supervisory system and a general acceptance of the GDPR by many public and private actors in Germany, there still are some remaining challenges.

In order to show a reaction to terror threats in recent years, the German legislature has gradually extended competences for police and intelligence services. These new tasks range from mass surveillance measures to experiments of automatic facial recognition in a public train station, up to attempts to reintroduce data retention measures, thereby violating decisions of the German Federal Constitutional Court and the Court of Justice of the European Union.

As in other EU Member States and on an EU level, there have been vivid discussions in Germany about Articial Intelligence (AI). In 2019, the Data Protection Conference issued the 'Hambach Declaration on Articial Intelligence', underlining the need for a responsible use of AI, putting citizens and their basic and fundamental rights at the centre of the technique. This human-based approach was also underlined in the Data Ethics Com-

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

Furthermore, some measures in public health legislation seemed very questionable from a GDPR point of view. A recent example constitutes the draft Patient Data Protection Act, which introduces an electronic medical record, despite lacking IT security and no choice for patients to decide whether their eye doctor should know about their recent abortion or visit to a psychologist. As this very example pinpoints, some laws which are on substance heavily privacyinvading, appear harmless at rst sight given their supposedly data protection friendly name.

These concerns often remain unheard by the legislature

Despite regular loud protests of the Federal DPA and of privacy watchdogs, these concerns often remain unheard by the legislature. In some cases, these laws are annulled by the Federal Constitutional Court, as in a recent decision from May 2020, in which the constitutional judges declared several rules on inventory data information void, underlines. According to the Federal Constitutional Court, the legislature had failed to bring excessive competences for police and intelligence services to obtain access to citizens' telecommunication data via dynamic IPaddresses in line with the principle of proportionality. Many of the above-mentioned challenges and discussions already existed under the previous national data protection framework. Under the GDPR, these questions recur regularly and the challenge to strike the right balance between privacy, data protection, political and nancial interests of companies still remains the same. Thus, many GDPR-related issues seem to be old wine in new bottles.

EULAWLIVE stay alert keep smart

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

News Highlights 7 to 11 September 2020

Appointment of Athanasios Rantos as Advocate General temporarily suspended

Court of Justice to clarify role of courts acting in their judicial capacity under GDPR

Monday 7 September

READ MORE ON EU LAW LIVE

As reported by Brick Court Chambers, on Friday 4 September 2020, the General Court ordered the temporary suspension of the Decision of the Representatives of the Governments of the Member States to appoint Mr Athanasios Rantos to the position of Advocate General at the Court of Justice.

Ofcial publication was made of a request for a preliminary ruling (C-245/20) lodged by the MiddenNederland District Court on the interpretation of Article 55(3) of the GDPR. The questions concern the ability of national supervisory authorities to supervise processing operations of courts acting in their judicial capacity.

General Court judgments conﬁrming unlawful Italian State aid in favour of airport operators in Sardinia appealed

Commission’s long term vision for rural areas: public consultation launched

Monday 7 September

READ MORE ON EU LAW LIVE

Ofcial publication was made of the appeals before the Court of Justice brought by the airlines Volotea (C331/20 P) and EasyJet (C-343/20 P) against the judgments of the General Court (T-607/17 and T-8/18), concerning illegal State aid granted by Italy to airport operators in the region of Sardinia.

The European Commission launched a public consultation on its new initiative on a long-term vision for rural areas. The consultation aims to gather views on the current aspirations, opportunities and challenges in rural areas, and identify necessary actions.

Mairead McGuinness appointed Commissioner, Valdis Dombrovskis reshufﬂed to trade portfolio

Commission proposes measure to coordinate COVID-19 related restrictions of free movement

Tuesday 8 September

READ MORE ON EU LAW LIVE

Former MEP Ms Mairead McGuinness was selected to ll the vacant position left by Mr Phil Hogan, who resigned in August. Mr Valdis Dombrovskis, former Commission Vice-President (Economy and Finance), was appointed Trade Commissioner.

EULAWLIVE stay alert keep smart

READ MORE ON EU LAW LIVE

The European Commission published its proposal for a Council Recommendation on a coordinated approach to the restriction of free movement in response to the COVID-19 pandemic, setting out common rules, criteria and thresholds.

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

Performers from third States are entitled to single equitable remuneration from phonograph producers unless EU legislature says otherwise, Court of Justice rules

Grand Chamber judgment in Carreras Sequeros and Others: Court of Justice clariﬁes the scope of the right to paid annual leave under Article 31(2) of the Charter

Tuesday 8 September

READ MORE ON EU LAW LIVE

The Grand Chamber of the Court of Justice handed down its judgment in Recorded Artists Actors Performers (C-265/19), interpreting Article 8(2) of Directive 2006/115 in the light of the Rome Convention for the Protection of Performers, Producers of Phonograms and Broadcasting Organisations and the World Intellectual Property Organisation Performances and Phonograms Treaty.

READ MORE ON EU LAW LIVE

The Grand Chamber of the Court of Justice gave its judgment in the joined cases Commission v Carreras Sequeros and Others (C-119/19 P) and Council v Carreras Sequeros and Others (C-126/19 P), concerning the EU Staff Regulations and, specically, the assessment of rules signicantly reducing paid leave granted to EU staff in the light of Article 31(2) of the Charter, which guarantees the right to paid leave without specifying its temporal scope.

Parts of the Vertical Block Exemption Commission President responds to Regulation do not reﬂect changing digi- UK’s plans to override parts of UK-EU Withdrawal Agreement tal market Tuesday 8 September

Wednesday 9 September

READ MORE ON EU LAW LIVE

The European Commission published a Staff Working Document summarising its ndings in the context of the evaluation of the Vertical Block Exemption Regulation, due to expire on 31 May 2022. It concluded that the rules have not adapted to changes in the market, and will therefore be launching an impact assessment and public consultation to consider how they can be amended.

The European Commission’s President, Ursula von der Leyen, expressed her concerns ‘about announcements from the British government on its intentions to breach the Withdrawal Agreement”, pointing out that “this would break international law”, and also that it “undermines trust”.

Competition law in times of crisis: an overview of challenges for competition policy and authorities Wednesday 9 September by Dolores Utrilla

stay alert keep smart

AG’s Opinion on how to apply abuse of dominant position rules in the broadband services market: Deutsche Telekom and Slovak Telekom Wednesday 9 September

READ MORE ON EU LAW LIVE

The challenges posed by economic crises – and in particular by the COVID-19 pandemic – to competition law were addressed by representatives of the European Commission and of the national competition authorities of Germany and Spain in the framework of the European Competition Day, organised in Berlin under the auspices of the German Presidency of the Council.

EULAWLIVE

READ MORE ON EU LAW LIVE

Advocate General (AG) Saugmandsgaard Øe delivered his Opinion in Deutsche Telekom and Slovak Telekom (C-152/19 P and C-165/19 P), proposing that the Court of Justice dismiss the appeals against the judgments of the General Court in Deutsche Telekom v Commission (T-827/14) and in Slovak Telekom v Commission (T851/14).

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

Choice of law in an individual employment contract under the Rome I Regulation: preliminary questions published

Court of Justice’s clariﬁcation on EU rules protecting pension rights of employees of insolvent undertakings

Wednesday 9 September

READ MORE ON EU LAW LIVE

Ofcial publication was made of a request for a preliminary ruling (C-218/20) concerning the interpretation of Article 8 of Rome I Regulation 593/2008, namely whether a choice of law clause in an employment contract excludes the application of the law of the country in which the employee has habitually worked, or whether the choice of law clause prevents that provision from applying.

The Court of Justice gave its judgment in TMD Friction (joined cases C-674/18 and C-675/18). The ruling provides guidance on the compatibility with Council Directive 2001/23 of certain practices leading reduced employee and ex-employee supplementary pension benets under German law that come into play when an undertaking is insolvent, and how this impacts the responsibilities of transferees.

General Court rejects Slovenia’s dispute over Croatia’s use of designation ‘Teran’ on wine

Court of Justice to rule on whether trademark opposition to commercialisation of a generic medicine after repackaging may lead to artiﬁcial partitioning of markets

Wednesday 9 September

READ MORE ON EU LAW LIVE

Slovenia’s annulment action (T-626/17) against the Commission’s Delegated Regulation 2017/1353 failed, meaning that the designation ‘Teran’ (a protected designation of origin product for a certain red wine in Slovenia) can, under strict conditions, be used to refer to a wine grape variety on the labels of wine produced in Croatia retroactively, dating back to its accession to the EU.

READ MORE ON EU LAW LIVE

Ofcial publication was made of a preliminary ruling request (C-253/20) concerning the interpretation of Articles 34 and 36 TFEU, as well as the BMS conditions. The case concerns the opposition of a trademark proprietor to the further commercialisation of a generic medicine by a parallel importer under the trademark in question, where such generic medicine and its branded medicine have already been put in the market.

AG’s Opinion in Grand Chamber case on the right to an effective remedy in the area of the common visa policy

Council agrees position on the 2021 EU draft budget

Wednesday 9 September

Thursday 10 September

READ MORE ON EU LAW LIVE

Advocate General Pikamäe delivered his Opinion in Minister van Buitenlandse Zaken (joined cases C-225/19 and C-226/19), on how the Grand Chamber of the Court of Justice should rule on the remedies available to challenge the objections to the issuing of a visa, under Article 47 of the Charter.

EULAWLIVE stay alert keep smart

READ MORE ON EU LAW LIVE

The Council of the EU adopted its position for next year’s EU budget, amounting to 162.9 billion euros in commitments and 164.8 billion euros in payments. The Council is expected to formally adopt its position at the end of September and will submit it to the Parliament on 1 October.

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

Young researchers chance to win APDE Award and attend the XXIX FIDE Congress

Early Intelligence: Report to be used to inform EU Strategy adopted

Thursday 10 September

READ MORE ON EU LAW LIVE

The Portuguese Association for EU Law, APDE, launched a call for young researchers to submit papers for a chance to win the 1st edition of the APDE award, and to attend the XXIX FIDE Congress (at APDE’s expense). Papers may be submitted in either Portuguese, French or English and the deadline for submissions is 31st December 2020.

READ MORE ON EU LAW LIVE

The European Commission adopted a ‘Strategic Foresight Report’ for the very rst time, which will be used to build early intelligence to inform decision-making for major policy initiatives and legislation, and in order to build resilience for future disruptions.

Can compensation be sought for online libel in all courts where the content was published? Preliminary question on EU jurisdiction law published

AG’s Opinion on how to determine the jurisdiction for civil liability actions based on a breach of competition law

Thursday 10 September

READ MORE ON EU LAW LIVE

Preliminary questions on the Brussels I (recast) Regulation 1215/2012, posed by the Cour de Cassation in France, were published for the case Gtix Tv v DR (C251/20). The referring court asks about the courts before which individuals may claim compensation for defamatory comments made on websites and in forums, in light of Article 7(2).

Advocate General Saugmandsgaard Øe advises the Court of Justice that a civil liability action based on a competition law breach falls within the scope of ‘matters relating to tort, delict or quasi-delict’ under Article 7(2) of Regulation 1215/2012 even where the claimant and the defendant are parties to a contract and the alleged anti-competitive conduct alleged by the former against the latter materialises in their contractual relationship.

Star Taxi App is an information society service according to Advocate General Szpunar

Council: emergency temporary derogations in support of the rail sector in light of COVID-19

Thursday 10 September

READ MORE ON EU LAW LIVE

A service that puts passengers using a mobile app in contact with taxi drivers, in this case Star Taxi App SRL, is an information society service under Article 2(a) of Directive 2000/31 read in conjunction with Article 1(1)(b) of Directive 2015/1535 according to Advocate General Szpunar.

EULAWLIVE stay alert keep smart

READ MORE ON EU LAW LIVE

The Council of the EU announced that additional temporary emergency (and retroactive) rules to mitigate the severe effects of the COVID-19 pandemic on the rail sector can be expected and that negotiations are underway on an urgent basis.

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

Vice-President of the Court of Justice quashes General Court’s order and rejects interim measures requested by Eleanor Sharpston

AG Szpunar: embedding copyrightprotected works freely available to the public is a ‘communication to the public’

Thursday 10 September

READ MORE ON EU LAW LIVE

Interim relief by a General Court order had been granted to Eleanor Sharpston, as Advocate General at the Court of Justice, suspending the termination of her ofce. The Court of Justice’s Vice President however overturned that decision, meaning the suspension lasted only three days, and leading to the appointment of Advocate General Rantos as her replacement. Ms Sharpston’s interim measures application was also ruled on by the VicePresident’s order in place of the General Court, and was dismissed in its entirety.

The Advocate General proposes that the Court’s case law on the assessment of hyperlinks from the point of view of copyright needs to be claried, and that the Court should draw a clearer link in the eld of copyright protection between ‘clickable links’ and ‘automatic links’. On automatic links that lead to works protected by copyright, he advises that there is an act of communication of the work in question that was not taken into account by the copyright holder when the work was initially made available.

EU’s Brexit response as 8th round of negotiations end: EU ‘will not be shy of addressing violations of Withdrawal Agreement Protocol’

Commission proposes interim Regulation to ﬁght child sexual abuse online

Friday 11 September

READ MORE ON EU LAW LIVE

Two statements were made: one by Commission VicePresident Maroš Šefčovič on the UK Internal Market Bill, warning that breach of the Withdrawal Agreement’s Protocol would be an extremely serious violation that seriously damages trust, and which the EU would not be shy to take action against as provided for in that Agreement, and the other a summary by chief Brexit negotiator Michel Barnier on the lack of progress of the eighth round of UK-EU negotiations which ended on Thursday.

A Regulation has been proposed to enable online communication services to continue their activities in order to detect child sexual abuse online, providing guarantees to safeguard privacy and protection of personal data. Its scope however is limited to allowing current voluntary activities to continue, subject to the GDPR.

AG Pitruzzella clariﬁes when construction contract cartels are deemed to have ceased

EU seeking to move beyond selfregulatory measures for online platforms ﬁghting disinformation

Friday 11 September

READ MORE ON EU LAW LIVE

In his Opinion, the Advocate General proposes that the Court of Justice rule that where the construction cartel, as in this case, is limited to the design and works contract, the competition infringement is deemed to have ceased on the date on which the infringer undertaking submitted a tender for the works concerned or entered into a contract for the execution of the works.

EULAWLIVE stay alert keep smart

READ MORE ON EU LAW LIVE

An assessment of the Disinformation Code of Practice, a voluntary framework for online platforms to ght disinformation (which Google, Microsoft, Facebook, Twitter, TikTok and more have signed up to), over its rst 12 months of existence was published and reveals shortcomings leading the EU to call for measures beyond merely self-regulation of online platforms.

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

Italian court seeks interpretation of free movement rights in context of discrimination and a driving penalty

Advocate General’s Opinion on the legal regime of dockworkers under EU law

Friday 11 September

READ MORE ON EU LAW LIVE

An Italian court’s questions relating to an EU citizen (resident in Italy for over 60 days) has been ned for driving the car of his spouse (resident in Slovakia) registered in another Member State (Slovakia), and the compatibility of the relevant legislation with free movement rights, were published.

READ MORE ON EU LAW LIVE

Advocate General Campos Sánchez-Bordona delivered his Opinion in Katoen Natie Bulk Terminals & General Services Antwerp and in Middlegate Europe (joined cases C-407/19 and C-471/19), on the compatibility with the freedom of establishment (Article 49 TFEU) of Belgian rules setting out a special employment regime for the recruitment and recognition of dockers in Belgian ports.

Analyses & Op-Eds Is A Criminal Conviction Sufﬁcient for a Refusal of Long-Term Resident Status? – Joined Cases C-503/19 and C-592/19 UQ and SI v Subdelegación del Gobierno en Barcelona

CELF is ever living but AG Kokott offers an approach for resolving the tension between the obligation to pay interest and guaranteeing services of general economic interest”

By Niovi Vavoula

By Piotr Bogdanowicz

READ MORE ON EU LAW LIVE

Analysis of a CJEU case clarifying that in refusing longterm residence to a third country national under Directive 2003/109, the factors to take into account include those applied to EU nationals: the severity or the type of offence, the danger that emanates from the person concerned, the duration of residence, and the existence of links with the country of residence - and not just the existence of a criminal record.

EULAWLIVE stay alert keep smart

READ MORE ON EU LAW LIVE

Analysis of Advocate General Kokott’s Opinion that a national court can order payment of interest on nonnotied aid (in breach of Article 108(3)TFEU)), even if that aid has subsequently been found compatible with the internal market under Article 106(2) TFEU.

Nº28 · SEPTEMBER, 12 2020

weekend

edition stay alert keep smart

The Court of Justice rules that an Italian law combatting dominant positions in the electronic communications sector is against the freedom of establishment By Johanna Jacobsson

Carreras Sequeros and Others – The Scope of the Fundamental Right to Paid Annual Leave By Daniela Krömer

Op-Ed on a case concerning EU Staff Regulations and the reduction of annual paid leave, and the Court of Justice’s nding that the fundamental right to paid annual leave effectively means four weeks of paid annual leave, so that a cut from 7.2 weeks to 4.8 weeks – however harsh for the individual – is not a violation of that fundamental right.

READ MORE ON EU LAW LIVE

Analysis of the CJEU’s ruling that an Italian law restricting the revenue of broadcasting and audiovisual media companies based on the objective of combatting the formation of dominant positions is a restriction to the freedom of establishment, that in the circumstances is not proportionate.

Library - Book Review JULIE RONDU

By Anastasia Iliopoulou-Penot

BRUYLANT, COLLECTION DROIT DE L’UNION EUROPÉENNE-THÈSES, BRUXELLES, 2020

L’INDIVIDU, SUJET DU DROIT DE L’UNION EUROPÉENNE

READ MORE ON EU LAW LIVE

A review that considers a work that explores ‘a major topic of European constitutionalism’ namely ‘the ways in which the individual is endowed with legal signicance and protection in the EU’, which ‘sheds light on the dynamics of inclusionexclusion and assimilation-differentiation that mark the European process of vesting individuals with subjective rights’, and which ‘demonstrates the centrality of the place of the individual in the European project’.

EULAWLIVE stay alert keep smart

READ MORE ON EU LAW LIVE

stay alert keep smart

NOW www.eulawlive.com