BEYOND CATEGORIES: THE COURT OF JUSTICE'S JUDGMENT IN C-154/21 AND ITS IMPACT ON PERSONAL DATA DISCLOSURE AND BUSINESS SECRETS
TIAGO SÉRGIO CABRAL
THIRD TIME'S THE CHARM? THE EU–US DATA PRIVACY FRAMEWORK FOR TRANSATLANTIC DATA TRANSFERS
�erecentCourtofJusticejudgmentinC-154/21againstAustrianpostalcompanyÖsterreichischePostAG(2) concerning the disclosure of the identity of recipients of personal data is a signi�cant judgment for the practice of ful�lling requests for personal data, and perhaps of signi�cance for the business environment in Europe �e Court of Justice ruled that the controller must provide the person exercising the right of access under Article 15(1)(c)oftheGDPRwiththeexactidentityoftherecipientsofthedata,ratherthanlimitingitselftoanexclusiveindicationofthecategoriesofdatarecipients.�ejudgmentmayhaveaprofoundimpactnotonlyonthesphere of personal data protection in the EU, but also on the disclosure of trade secrets and business ties of entities subjecttoEuropeanregulations.
A customer of the postal services company requested a range of information under the right of access to personal data, as provided for in Article 15 of the GDPR, including an indication of the identity of recipients in the event of disclosure to third parties. In response to the request, the company limited itself to a general indication that it processes the data to the extent legitimate, in the course of its business, and that it transfers the data to other entities for marketing purposes. For the rest, the postal company referred the requester to its website for more detailed information Both in its direct response to the request and on the website, the company did not provide the identityofthedatarecipients.
In the absence of an indication of the exact identity of the data recipients, the claimant �led a lawsuit in an Austrian court In it, he demanded to be provided with information on the identity of the recipient or recipients of his personal data. In the course of the lawsuit, Österreichische Post AG informed the claimant that his personal data had been processed for marketing purposes and forwarded to advertisers in the mail order and stationary tradesectors,ITcompanies,addressbookpublishersandassociationssuchascharities,non-governmentalorganizations (NGOs) and political parties. �e postal company has consistently used categories of data recipients withoutindicatingtheirexactidentities.
Both the court of �rst instance and the court of appeals dismissed the postal company ’ s client's lawsuit, pointing outthatArticle15(1)(c)oftheGDPR,insofarasitrefersto‘recipientsorcategoriesofrecipients,’containsaconjunctive alternative when using the conjunction ‘ or ’ , and thus grants the controller the choice of whether to indicate the exact identity of the recipients of the data or only their category. In the end, however, the Austrian Supreme Court (Der Oberste Gerichtshof), to which the plaintiff brought the review appeal, was unsure of the correctness of this ruling regarding the interpretation of Article 15(1)(c) of the GDPR. According to the referring court, the wording of this provision does not make it clear whether it grants the data subject the right of access to information regarding speci�c recipients of disclosed data, or whether the controller has discretion as to how it intends to accommodate a request for access to information about recipients �e court observed that the ratio legis of this provision tends to favour an interpretation that it is the data subject who can choose and request informationoncategoriesofrecipientsorspeci�crecipientsofhispersonaldata.
�e referring court addressed the question to the Court of Justice: ‘IsArticle15(1)(c)[oftheGDPR]tobeinterpreted as meaning that the right of access is limited to information concerning categories of recipient where speci�c recipients havenotyetbeendeterminedinthecaseofplanneddisclosures,butthatrightmustnecessarilyalsocoverrecipientsofthosedisclosuresincaseswheredata[have]alreadybeendisclosed?’(3)
3. Article 15(1)(c) of the GDPR: ‘�e data subject shall have the right to obtain �om the controller con�rmation as to whether or not personal data concerning him or her arebeingprocessed, and, wherethatisthecase,accesstothepersonaldataandthefollowinginformation: (…)(c)therecipientsorcategories ofrecipienttowhomthepersonal datahavebeenorwillbedisclosed,inparticularrecipientsinthirdcountriesorinternationalorganisations.’
In the Opinion of Advocate General Giovanni Pitruzzella, presented on 9 June 2022, a literal interpretation of Article (4) 15(1)(c) of the GDPR does not allow an answer to the question of whether the data subject's right of access provided for therein should necessarily be regarded as including access to information about individual recipients, or whether it can be limited only to access to information relating to categories of recipients
In this provision, as the Advocate General pointed out, the terms ‘recipients’ and ‘categories of recipients’ are used consecutively in a neutral manner, without the possibility of deriving an order of precedence between them However, with this issue in mind, the Advocate General in his Opinion emphasised interpreting the context into which the provision �ts, and the objectivespursuedbytheactofwhichitisapart.
�e Advocate General pointed out that it is up to the data subject, andnotthecontroller,tochoosebetweenthetwoalternatives it provides – the indication of the category of data recipients ortheirexactidentity.�eAdvocateGeneral'smainargumentation is based on systemic reasoning, for which an important guideline is Recital 63 of the GDPR, which provides that the data subject should ‘have the right to know and obtain communication, in particular with regard to the recipients of the personal data’ [...] .
(5) In addition, the Advocate General cited an unfathomable number of provisions in the nature of principles or interpretive guidance, such as, among others, the principle of transparency in the processing of personal data (Article 5(1)(a) of the GDPR) and the GDPR’s systemic goal of ensuring a high level of protection for individuals' data (Recital 10 of the GDPR).
�e Advocate General also pointed to the quasi-controlling powers of the data subject, i.e., that interpreting the provision in question that the data subject could learn about the categories of recipients by way of access to the data would not allow him or hertoverifythatthedatawassentonlytoauthorisedrecipients.
It should be pointed out that the obligation under Article 19 GDPR does not apply to exercise the right of access to data
Noteworthy is the argument shared by the Advocate General, and pointed out by the Court even before the verdict, that the lack of information about the speci�c recipients of the data exercises the rights to rectify data (Article 16 GDPR), the right to erasure (Article 17 GDPR) and the right to restrict processing (Article 18 GDPR), as well as the right to exercise remedies for the damage suffered and receive compensation (Articles 79 and 82 GDPR). Moreover, the Advocate General pointed out that the controller is obliged to inform the recipients of the data anyway under Article 19 of the GDPR when it realises the rights to recti�cation, erasure, or restriction of data processing. For the record, it should be pointed out that the obligation under Article 19 GDPR does not applytoexercisetherightofaccesstodata,asdiscussedlaterinthepaper(6)
It can be assumed, upon reading the judgment, that the arguments of the Advocate General were fully shared by theCourtofJustice.�us,theCourt'sreasoningcanbecondensedintothefollowingtheses:
1) �e interpretation of the wording of Article 15(1)(c) of the GDPR is questionable because the terms ‘recipients’ and ‘categories of recipients’ in this provision are used one a�er the other, without the possibility of inferringprecedencebetweenthem,andthereforeasystemicinterpretationshouldbeapplied;(7)
2) �e context of the GDPR – on the grounds of Recital 63 of the GDPR – indicates that the data subject shouldhavetherighttoknowledgeandinformation,inparticularregardingtherecipientsofsuchpersonaldata,anddoesnotspecifythatthisrightmaybelimitedonlytocategoriesofrecipients;
3) Unlike Articles 13 and 14 of the GDPR, Article 15 provides for an effective right of access in favour of the data subject, such that he or she can choose and obtain either information regarding the speci�c recipients to whomthedatahavebeenorwillbedisclosed,ifpossible,orinformationregardingcategoriesofrecipients;
4) �e exercise of the right of access should allow the data subject to verify not only whether the data concerning him is correct, but also whether it is being processed lawfully, in particular, whether it has been disclosed to authorised recipients; the right of access is necessary to allow the data subject to exercise, if necessary, his righttorecti�cation,therighttoerasureortherighttorestrictprocessing;
5) Since Article 19 of the GDPR stipulates that the controller shall, in principle, inform each recipient to whom personal data have been disclosed of any recti�cation or erasure of personal data or any restriction of processing,allthemoresothedatasubjecthastherighttobeinformedofthespeci�crecipientsofthedata.
6. Article 19 of the GDPR: ‘�e controller shall communicate any recti�cation or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionateeffort.�econtrollershallinformthedatasubjectaboutthoserecipientsifthedatasubjectrequestsit.’
7. in Autorité des marchés �nanciers (C-302/20): ‘the interpretation of a provision of EU law requires account Judgment of the Court of Justice of March 15, 2020 tobetakennotonlyofitswording,butalsoofitscontext,andtheobjectivesandpurposepursuedbytheactofwhichitformspart’
In the reasoning of the judgment, the Court reserved only two circumstances for derogating from the obligation to indicate the identity of the recipients of the data at the request of the data subject, i.e : 1) it is not possible to provide the identity of speci�c recipients, in particular when they are not yet known; or 2) the request is manifestlyunreasonableorexcessive,whichthecontrollermustdemonstrate
�e Court rightly noted that the right to the protection of personal data is not absolute and that this right must beviewedinlightofitssocialfunctionandweighedagainstotherfundamentalrights,bytheprincipleofproportionality However, apart from this paraphrase of Recital 4 of the GDPR , it is not apparent in the reasoning of (8) thejudgmentthattheseotherrights–withwhichtheexerciseoftherightofaccessasframedbytheCourtofJustice may come into con�ict – are in any way taken into account and weighed against other rights In this context, and in connection with the disclosure of information about entities with business relationships, one would have to take into account and weigh at least the freedoms associated with the conduct of business or the broad area of preventing and combating unfair competition in business, in particular the violation of trade secrets . As a si- (9) de note, it should be pointed out that the Court of Justice did not confront the issue of the impact of disclosing speci�c recipients against weakening the security and protection of personal data in a situation where the controller discloses the identity of IT service providers, which knowledge can signi�cantly facilitate the effective breachoftechnicalsafeguards(e g ,unabatedDDoSa�acks),butalsothepreparationofa�acksusingsocialengineeringtechniques(e.g.,phishing,pharming).
In the reasoning of the judgment, the Court reserved only two circumstances for derogating from the obligation to indicate the identity of the recipients of the data at the request of the data subject, i.e.: 1) it is not possible to provide the identity of speci�c recipients, in particular when they are not yet known; or 2) the request is manifestly unreasonable or excessive, which the controller must demonstrate
8. Recital 4 of the GDPR: ‘�e processing of personal data should be designed to serve mankind. �e right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamentalrights, in accordance with the principle of proportionality. �is Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expressionandinformation, freedomtoconductabusiness,therighttoaneffectiveremedyandtoafairtrial,andcultural, religiousandlinguisticdiversity’
9. EyupKun, ‘ ’ , KU Leuven - Centre for IT & IP Law
Inherent Role of the Freedom to Conduct a Business under GDPR: �e Tailored Liability of Search Engines (CiTiP), 2020, p 5.: ‘Any interference with the legitimate activities of the business can indeed be considered intervention in the context of the �eedom to exercise economic andcommercialactivities.Highcostsincurredduetotheimplementationofthelegislativeactsorcourt’sdecisionscanberegardedalimitationtothe�eedomtoconductbusinesssinceithasanimpactoneconomicinitiativeandtheabilitytoparticipateinamarket.’
Article 15(1)(c) of the GDPR contains an alternative revealed in the short phrase: ‘information about recipients or categories of recipients’ A similar alternative is contained in Articles 13 and 14(e) of the GDPR, according to which ‘�e controller (...) shall provide it with all of the following information (...) about the recipients of personal data or categories of recipients’ However, the Court of Justice notes the difference between the two sets of provisions – Articles 13 and 14 of the GDPR are obligations under which it is up to the controller to decide whether to disclose information about recipients or only about categories of recipients �e Court of Justice, on the other hand, pointed out that Article 15 of the GDPR constitutes an entitlement, and it is the right holder whodecideswhatscopeofinformationhewouldliketoobtain,usingasystemicinterpretation
In this context, the question should �rst be asked: given this basic formulation, assuming the rationality of the lawmakerandthewell-knownimplicationsassociatedwithusingtheconjunction‘ or ’ ,arenottheprinciplesoflegal logic sufficient here to interpret the norm? �e conjunctive alternative used in the provision when using the conjunction ‘or’ remains true (and therefore consistent with the disposition of the norm) if at least one of its components is true. Given the prevalence of the use and interpretation of the conjunction ‘or’ as a deliberate introduction of the conjunctive alternative into a legal act, it should not at �rst glance raise doubts. Possible (10) doubts and reaching for other methods of interpretation – at least in this case of an already seemingly obvious standard – should be justi�ed why the literal interpretation of the wording of the provision should be supplemented in this case by systemic interpretation. Only when one identi�es that the basic methods of interpretation, i e , those relating directly to the interpretation of the text, fail, then it is justi�able to reinforce extralinguistic methods. �e Court of Justice, in its reasoning, did not indicate why the ordinary alternative, allowing the controller to provide one of two pieces of information, proved to be insufficient and, for example, somehow harmedthesystemorthe‘biggerpicture’ofpersonaldataprotection.
Nonetheless, adopting the Court’s view that there was some con�ict of interpretation between the linguistic interpretation of the provision in Article 15(1)(c) of the GDPR and other rules of the personal data protection regime, the rationale, especially based on Recital 63 of the GDPR, already raises some doubts as to whether this is the right direction of interpretation Indeed, in the cited Recital treating the right of access to data, it is indicated that‘Everydatasubjectshouldthereforehavetherighttoknowandobtaincommunicationinparticularwithregard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on pro�ling, the consequences of such processing’ But what the Court, as well as the Advocate General, seemed to ignore was a further part of the Recital, according to which ‘�at right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in parti-
cular the copyright protecting the so�ware’. �e failure to take into account precisely the negative impact of the implementation of the right of access on issues relating precisely to trade secrets or intellectual property, essentially limits the context within which the Court conductsitsconclusion.
One cannot disagree that the European data protection regime is embedded in a context that should, in not infrequent cases, be taken into account in the interpretation of norms. However, this requires a broad balancing of the rights arising not only from the data protection regimebuttheentiresystemoflaw,withwhichthelawinquestionmaycome into con�ict. In the text of the GDPR itself, i.e., in its Recitals, and the Recital 63 cited by the Court, there is an indication of the need to take into account the possible negative impact on other legal values, and in the present case, in particular, on commercial con�dentiality. Given that Recital 63 of the GDPR refers explicitly to the exercise of the right of access, it is equally reasonable to assume that it was the intentionofthelawmakerfromtheoutsetthatothervalues,suchascommercial secrecy, should also be protected within the framework of the right of access, as re�ected in the wording of Article 15(1)(c) of the GDPR, which precisely allows the controller, to choose whether to disclose the recipients of the data or only the categories of those recipients,thusprotectingcorporatesecrecy (11)
Certainly, there is a need to reconcile both the possibility of knowing the identity of the recipients of the data in legitimate cases, is to allow virtually any data subject to know the speci�c recipients, and thus the providers of various services, then such a rule may constitute a signi�cant interference with at least trade secrets or know-how of the controller. Adopting an interpretation of the implementation of the right of access in accordance with the Court’s judgment may in practice lead to abuse of these rights and violate legally protected trade secrets. Nothing will prevent an individual from ‘becoming’ a customer in order to obtain information about the suppliers of a certain service or to develop a business relationship, and thus creating a situation in order toobtaintherighttoaccesspersonaldata.
�e failure to take into account precisely the negative impact of the implementation of the right of access on issues relating precisely to trade secrets or intellectual property, essentially limits the context within which the Court conducts its conclusion
�e judgment of the Court of Justice in Case C-154/21 leans on a particularly important ma�er from the point of view of data protection rights, but also signi�cantly affects economic ties and corresponding protection of competition.However,itisimpossibletofullysharethejudgment,givenseveraldoubtsonmanylevelsofthecase: from the legal system level and the lack of weighing of the principles to the interpretation of the GDPR provisions, to the practical consequences of the application of the provisions on socio-economic relations. �is judgment highlights the need to develop speci�c de lege ferenda proposals for a more harmonious reconciliation of therighttodataprotection,alongwiththeindividual'scontroloverpersonaldata,andtheprotectionoftradesecretsandeconomicties.
Data transfers to third countries and, in particular, to the United States of America (‘US’) have been one of the most discussed topics in the �eld of data protection for the last few years. �e economies of the US and the EU are deeply interconnected and the tech sector in the EU has yet to catch up with the US in terms of size and availabilityofcertainservices.
�erefore, enormous volumes of data, including personal data, �ow daily between the two economic blocs. �esedata�ows takeplaceinthecontextofregularbusinessbetweenorganisationsintheEU,andintheUSand also when EU organisations engage US service providers to obtain data-related services such as hosting or contentdeliverynetworkservices
A key question in managing transatlantic data �ows is balancing the protection of the fundamental rights to privacy and to the protection of personal data (both protected under the Charter of Fundamental Rights of the EuropeanUnion)witheconomic,businessandevengeopoliticalconsiderationsintheEU-USrelationship
�e European Commission made two previous a�empts to address this challenge by adopting Adequacy Decisions: Safe Harbour and Privacy Shield . Both Adequacy Decisions were invalidated by the Court of Justice of (2)
the European Union (‘the Court’ or ‘Court of Justice’) in the Schrems I and Schrems II judgments res- (3) (4) pectively. We will not address these judgments in depth because, for the purposes of this essay, it is sufficient to explain that the broad intelligence collection programmes existing in the US and the lack of adequate redress means for European citizens were the key arguments in support of Court’s decisions to invalidate the previous frameworkssupportingtransatlantictransfers.
1. Tiago Sérgio Cabral is a lawyer working on Technology, Privacy, Data Protection, Cybersecurity and Arti�cial Intelligence He is also a Researcher at the ResearchCentreforJusticeandGovernance–EULaw(UniversityofMinho,Portugal).Author’sopinionsarehisown.
2.�oughboththeseAdequacyDecisionswerelimitedinscope(i.e.entitieshavetobecerti�edtobene�tfromthem).�iswillalsobethecasewiththeDPF.
3.JudgmentoftheCourtofJusticeof6October2015,Schrems, ,EU:C:2015:650. C-362/14
4.JudgmentoftheCourtofJusticeof16July2020,SchremsII, ,EU:C:2020:559. C-311/18
A key question in managing transatlantic data �ows is balancing the protection of the fundamental rights to privacy and to the protection of personal data with economic, business and even geopolitical considerations in the EU-US relationship
With this third a�empt, named the EU – US Data Privacy Framework (‘DPF’) the European Commission and their US counterparts make a targeted effort to address the issues raised by the Court of Justice by, amongst others: a) restricting the basis and purposes that can be pursued through the collection of signals intelligence by US authorities; b) establishing certain purposes that can never serve as a basis for the collection of signals intelligence; and c) establishing new redress mechanisms for EU citizens, in particular through the creation of the new DataProtectionReviewCourt(‘DPRC’) (5)
�ese changes, which are cornerstones of the new adequacy framework, were introduced through two administrative initiatives: a) Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (‘EO 14086’); and b) the Regulation issued by the A�orney General Merrick Garland establishing the DPRC. Certain stakeholders have questioned the stability of the amendments to the US legal framework, an in particular, as they have not been introduced through a law of Congress, whether a new administration could wipe out the assurances now given to EU citizens in regard to the protection of their personal data transferred to the US. However, the likelihood of this happening has to be considered taking into account the EU-US political and economic relationship and current legislative trends in the US towards more and stricter data protection rules(seethegrowingnumberofUSstates’dataprotectionlaws).
5. appear to be unconvinced by the scope of the changes introduced in the U.S legal framework and argue that the Herwig C.H. Hofmann and Lise�e Mustert ‘�e Commission’s problem in conducting adequacy assessments might be its “political capture”, i.e theCommission’s mixing of foreign trade concerns with fundamental rightsprotection’ On the scope of the changesthemselves, that the U.S appears to have made a good faith effort to addressEuropean we have previously defended concerns (the complete redesign of the redress mechanism and the introduction of new safeguards to intelligence collection activities are hardly a minor efforts).Additionally,onemustnotforgetthattherestrictions to‘foreigntrade’arisingfromdatatransferrestrictions alsohaveanimpacton‘freedomtoconduct a business’ which is, in itself, a fundamental right under Article 16 of the Charter of Fundamental Rights of the European Union and should be given due consideration inanyassessment(whetherbytheCommissionorbytheCourtofJustice).
Before adopting any Adequacy Decision, the European Commission is required to obtain the opinion of the EuropeanDataProtectionBoard(EDPB) WhiletheEDPBcouldnot‘veto’theAdequacyDecisionwithrespectto the DPF, its opinion is always highly in�uential on Member States representatives giving a central role in the process that culminated on the adoption of the Adequacy Decision with respect to the DPF on June 10, 2023 Pursuant to its analysis of the DPF, the EDPB issued its Opinion 5/2023 on the European Commission Dra� Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework (6) (the ‘EDPB’sOpinion’)on28February2023
One preliminary consideration to keep in mind, is that it is important to read the EDPB’s Opinion in light of previous opinions by this body in the context of similar Adequacy Decisions. For example, while the lack of speci�c measures on automated decision-making is an issue identi�ed by the EDPB, this is a shortcoming that the EDPB alsoraisedinpreviousAdequacyDecisionsandwasneverlikelytobeadealbreakerfortheDPF.(7)
In this extensive and detailed Opinion, the EDPB found both a number of positive and negative elements regarding the DPF Positive elements include: a) substantial improvements in the DPF, such as the introduction of the principles of necessity and proportionality; b) the new redress mechanism, which the EDPB considers superior to the rules existing under Privacy Shield; c) efforts by the US to prioritise targeted over bulk data collection intelligence purposes; d) legislative trends in the US with a growing number of state data protection/privacy lawsandeffortsatabipartisanleveltocreateafederaldataprotectionlaw
With respect to the DPRC, the EDPB has concluded that the independence and adequacy of the redress mechanism must not be assessed on purely formalistic criteria. In other words, the mere fact that it is an administrative entity is not an issue, provided that it offers guarantees that are similar to a judicial court It is important to note that the EDPB did ask for more information and certain clari�cations (for example, on access to information by judges). However, the fact that the set-up of the DPRC was not rejected by the EDPB outright is already a signi�cantvictoryandbodeswellforwhentheAdequacyDecisionischallengedbeforetheCourtofJustice.
On the other hand, the EDPB also raised some concerts, in its view, such as: a) the DPF’s complexity, which may make it difficult to understand by stakeholders, along with some conceptual shortcomings; b) the standard response by the DPRC; c) insufficient safeguards in the context of bulk collection of data; d) need for clari�cations or additional safeguards regarding certain data subjects’ rights, onward transfers, automated decision-making andthepracticalfunctioningoftheredressmechanism.
6. EDPB, Opinion 5/2023 on the European Commission Dra� Implementing Decision on the adequate protection of personal data under the EU-US Data PrivacyFramework,28February2023.
7. �e growing focus on automated decision-making is tied to the also growing use of arti�cial intelligence in our daily lives However, it is likely that an international agreement on acceptable uses of arti�cial intelligence, difficult and even improbable as it is, would be a more adequate mechanism to �nd international minimum standards on AI than the introduction of provisions on AI on some international data protection agreements (likely not all, as doing so would require reopeningoldagreements).
�e EDPB was also cautious about the fact that the practical implementation of EO 14086 required policies and procedures to be adopted by US authorities. Considering this, the EDPB recommended that the adoption and entryintoforceoftheDPFbemadeconditionalontheadoptionoftheabovementionedpoliciesandprocedures On this point, we would like to recall that as stated by the EDPB ‘EO 14086 provides US intelligence agencies with a maximum of one year to update their existing policies and procedures (i.e., by 7 October 2023) to bring them in line with the EO’s requirements’. U.S. authorities were particularly proactive on this point and on 3 July 2023, the U.S. Secretary of Commerce Gina Raimondo issued a statement con�rming that the that the U.S. Intelligence Community has already adopted the required policies and procedures pursuant to EO 14086, addressing the EDPB’s concerns. Followingthecon�rmationthattherequiredpoliciesandprocedureswereadoptedandthedesignation (8) of the EU along with Iceland, Liechtenstein and Norway as ‘qualifying States’ for the purposes of the DPF, Member States representatives quickly gave their seal of approval on 6 July 2023, opening the door for the Ade- (9) quacyDecisiontobepromptlyadoptedjust4dayslater,asalreadypointedabove
OnthissubjectitisimportanttonotethatthereviewoftheAdequacyDecisionjustoneyeara�eritentersintoforce appears to be an adequate tool to assess whether shortcomings in implementation exist and need to be addressedbytheEUandU S incooperation
�e review of the Adequacy Decision just one year a�er it enters into force appears to be an adequate tool to assess whether shortcomings in implementation exist and need to be addressed by the EU and U.S. in cooperation
On 11 May 2023, the European Parliament adopted a non-binding resolution arguing against the adoption (10) oftheAdequacyDecisioninrespecttotheDPFinitscurrentformandcallingforitsrenegotiation.Fromthisresolution it appears that MEPs were not satis�ed with the use of EO 14086 to introduce the necessary changes in the US’slegalframeworkandwiththeset-upoftheDPRC,amongstothers.�atsaid,theEuropeanParliament’sresolution, as stated, is not binding and the European Parliament does not have a formal say on whether an Adequacy Decision is adopted. �e European Commission appears to be quite con�dent in the DPF, a sentiment which appearstobesharedbyMemberStatesconsideringthestrongresultswhentheirrepresentativeswerecalledtovote (24 in favour, 3 abstentions and no votes against), and as such opted to adopt the Adequacy Decision with respecttotheDPFregardlessoftheEuropeanParliament’sreservations
�e European Parliament could, in theory, use its status as a privileged applicant under Article 263 TFEU to directly seek the annulment of the Adequacy Decision, but this would be highly unusual. It is more probable that the DPF will be challenged as a result of a reference for a preliminary ruling under Article 267 TFEU to the Court of Justice arising from a case brought to national court by a datasubject(likelyaprivacyactivist).
A potential future decision of the Court of Justice can be considered the second key test for the DPF (the �rst, its approval, was already passed) If the Court considers that the DPF provides sufficient safeguards to ensure an essentially equivalent level of protection for personal data transferred from the EU to the US, it can serve as the backbone (or one of the backbones) of transatlantic transfers for a signi�cant amount of time On the other hand, if the Court decides to strike down the Adequacy Decision with respect to the DPF, it is back to square one and the negotiating table. It is likely that any challenge will only be decided (11) in 1 or 2 years a�er the entry into force of the DPF and it will certainly be a complexandlandmarkdecisionfortheCourtofJustice.
�e �rst signs (arising from the EDPB’s Opinion and the substantial improvements existing in the DPF) are positive, however certain elements such as the actual day-to-day workings of the redress mechanism may also affect theCourt’s�nalassessmentontheDPF.
10. European Parliament, , European Parliament resolution of 11 May 2023 on the adequacy of the protection afforded by the EU-US Data Privacy Framework 11May2023.
11. argues,rightlywe believe, that ‘thenecessityofhavinginternationaldatatransfersinplacewillmake itimpossiblenotto�ndnewlegalmethodsto
SusanneDehmel’s secure the existing transfers and establish new ones’. In our view, while an Adequacy Decision is not strictly necessary to ensure that data can �ow (one has not existed since Privacy Shieldwas declared invalid) it certainlymakescompliance easierfor organizations andremoveslegal uncertainty In the DPF’s case, in addition to the Adequacy Decision itself, the changes implemented in the U.S legal framework will arguably also offer added safeguards and reinforce con�dence in transatlantictransferscarriedoutunderothertransfermechanisms(suchastheStandardContractualClauses).
A potential future decision of the Court of Justice can be considered the second key test for the DPF (the �rst, its approval, was already passed)
Monday 24 July
READ MORE ON EU LAW LIVE
Official publication was made of Regulation (EU) 2023/1525, enacted on 20 July 2023, which addresses the urgent need for supporting ammunition production (ASAP) in responsetoRussia'swarofaggressionagainstUkraine
Monday 24 July
READ MORE ON
Official publication was made of an action for annulment, broughtagainsttheEuropeanCommission,concerningitsexpress decision refusing access to Gestdem No. 2023/0263 and its implicit decision, by which it refused the request to con�rm that explicit decision: Acampora and Others v Commission(T-261/23)
Monday 24 July
Monday 24 July
READ MORE ON EU LAW LIVE
Official publication was made of a preliminary ruling request from the Verwaltungsgericht Stu�gart (Germany) concerning an action for granting of refugee status or, in the alternative, for granting of subsidiary protection status or, in the alternative, for establishment of the existence of a national prohibition of removal: HE v Federal Republic of Germany (Case C-288/23, ElBaheer)
READ MORE ON EU LAW LIVE
A request for a preliminary ruling from the Ustavni sud Republike Hrvatske (Croatia) lodged on 28 April 2023, concerning the prohibition of discrimination or the disproportionate nature of tax measures in relation to the mobility of Erasmus+ students throughout the EU, was published in the Official Journal:Ministarstvo�nancija(CaseC-277/23)
Monday 24 July
�e Court of Justice, si�ing in the Grand Chamber, delivered its judgment in Lin (C-107/23 PPU) concerning the applicability of the more lenient criminal law and the principle of effective and dissuasive penalties in cases of serious fraud affectingtheEU’s�nancialinterests
Monday 24 July
Official publication was made of an action for annulment, broughtagainsttheEuropeanCommission,concerningitsdecision C (2023) 1689, by which an inspection was ordered in connection to an alleged infringement of competition law rules, and any other measure ordered as part of that inspection: RedBullandOthersvCommission(T-306/23)
Court of Justice clari�ed the principles of dissuasive penalties in cases of serious fraud affecting the EU’s �nancial interests and the more lenient criminal law
Tuesday 25 July
�e Council approved three crucial regulations, namely the 'FuelEU maritime' initiative, the 'Alternative Fuel Infrastructure' regulation, and the 'Energy Efficiency Directive' aimed at tackling climate change and promoting sustainability in varioussectors.
Tuesday 25 July
Officialpublicationwasmadeoftwoactions,broughtbypharmaceutical companies against the European Commission, by which the applicants have sought the annulment of Commission Implementing Decision C(2023) 3067 amending the marketing authorization granted by Decision C(2014) 601 forTec�dera-Dimethylfumarate,amedicinalproductforhuman use: Hexal v Commission (T-299/23) and Aliud Pharma vCommission(T-309/23)
Wednesday 26 July
Official publication was made of a Communication from the Commission which outlines the path towards establishing a common European data space for tourism, involving various stakeholders such as Member States, local and regional authorities,theprivatesector,andEUinstitutions.
Tuesday 25 July
�e Council gave �nal approval for the Chips Act, which aims to create the conditions for the development of a European industrial base in the �eld of semiconductors, a�ract investment, promote research and innovation, and prepare Europe for any futurechipsupplycrisis
Tuesday 25 July
Cyprus joined the Schengen Information System (SIS), the largest information-sharing system for security and border management in Europe, which will enable law enforcement agencies in Cyprus to receive and exchange real-time information with all SIS participants regarding wanted or missing persons, third-country nationals with no legal right to stay in the Union, and lost or stolen objects such as cars, �rearms, boats,andidentitydocuments.
Wednesday 26 July
�e European Commission decided to initiate a formal investigation to determine whether, when acquiring Lagardère, Vivendi breached the noti�cation requirement and “standstill obligation” set out in the EU Merger Regulation, as well as the conditionsandobligationsa�achedtotheCommission'sdecisiontocleartheacquisition
Wednesday 26 July
�eGeneralCourtdelivereditsjudgmentsinPshonkavCouncil (T-243/22) and Pshonka v Council (T-244/22) concerning annulment actions brought against certain decisions and regulations adopted by the Council in March 2022, which maintained the name of the claimants on the list of persons andentitiessubjecttorestrictivemeasuresinrelationtothesituationinUkraine.
�ursday 27 July
Official publication was made of the Commission Notice Guidelines on Member States’ adaptation strategies and plans which aim to foster a more systemic and urgent response to climate change, ensuring comprehensive and integrated approachestoadaptationatalllevelsofgovernance.
�ursday 27 July
Wednesday 26 July
�e Commission introduced a new set of guidelines to aid Member States in updating and implementing robust national adaptationstrategies,plans,andpoliciesalignedwiththeEuropeanClimateLawandtheEUStrategyonclimatechangeadaptation.
�ursday 27 July
European Ombudsman Emily O’Reilly initiated an owninitiative inquiry to clarify Frontex's responsibilities in search and rescue operations in the Mediterranean following a tragic incident where hundreds of people drowned off the coast of GreeceonJune14.
READ MORE ON EU LAW LIVE
�e European Ombudsman made a series of suggestions to the European Investment Bank (EIB) to improve its handling of access to document requests by, consequently, ensuring greatertransparency
�ursday 27 July
READ MORE ON EU LAW LIVE
�e European Commission opened a formal investigation regarding a possible breach of EU competition rules, by Microso�, in relation to tying or bundling its communication and collaboration product Teams to its businesses suites Office365andMicroso�365.
Wednesday 26 July
�e EFTA Surveillance Authority (ESA) took Norway to the EFTA Court a�er investigating complaints and �nding that Norwegian national legislation and practice restrict individuals'rightstoseekhospitaltreatmentinotherEEAStates.
Wednesday 26 July
Official publication has been made of Regulation (EU) 2023/1543 on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings and Directive (EU) 2023/1544 laying down harmonized rules on the designation of designated establishments and the appointment of legal representatives for the purpose of gathering electronic evidence in criminal proceedings.
C-6/21PandC-16/21P)
by Christopher StothersAnalysis of the importance of the Court of Justice’s judgment in joined cases Germany v Pharma Mar & Commission
C-6/21 P and Estonia v Pharma Mar & Commission
C-16/21P,wheretheCourtclari�edthattheEuropeanMedicines Agency can continue using the staff of universities and university hospitals for their expertise when evaluating applications for marketing authorizations of medicinal products, even where the institution has commercial operations, provided that the individual experts are themselves impartial and independent
by Silvia BartoliniAnalysis of the Court of Justice’s rulings in cases XXX (C-8/22), AA (C-663/21), and M.A. (C-402/22) where, according to the author, the Court took a step forward with regards to the protection of refugees by submi�ing the power of the Member States to deny refugee status to two sufficiently strictrequirements.
Impartiality of experts? Who exactly do you work for (or with) (Joined cases
Se�ing up the framework to avoid the (mis)application of the particularly serious crime exception to deny refugee status: the XXX, AA and M.A. cases beforetheCourtofJustice
Analysis of the Court of Justice’s ruling in Lin (Case C-107/23PPU),acasewhich,accordingtotheauthor,representsthelatestiterationofthetensionbetweentheprotection oftheUnion’s�nancialinterestsandtheprotectionofthefundamentalrightssetoutintheCharterofFundamentalRights.
Op-Ed, part of a Symposium on the Xella Magyarország case, a case which, according to the author, could lead to a paradoxicaleffectbyaugmentingabusesofscreeningactivitiesbynationalauthorities,therebyincreasinguncertaintyabouttheregulatory environment among foreign investors, which is one ofthesituationsthattheregulationaimstoreduce.
READ MORE ON EU LAW LIVE
Op-Ed, part of a Symposium on the Xella Magyarország case, acasewhere,accordingtotheauthor,theCourtprovidedusefulguidanceintermsofscopeofapplicationofEUrulestonational foreign direct investment screening mechanisms and substantive assessment of decisions to prohibit transaction undersuchscreening.
READ MORE ON EU LAW LIVE
Op-Ed on the Court of Justice’s judgment in Verband Sozialer We�bewerb (C-543/21), where the Court clari�ed, in an unprecedented decision according to the author, that the concept of ‘selling price’, in Directive 98/6/EC on consumer protection in the indication of the prices of products offered to consumers, does not include the deposit amount payable for returnablecontainersorpackages.
in between (un)solved con�icts and incoherencies (C-543/21 Verband SozialerWe�bewerb)
(C-106/22,XellaMagyarország)
READ MORE ON EU LAW LIVE
Op-Edonhowtheimpactofthedifferentconditionalitymeasures has been re�ected in the rule of law situation in Hungary and Poland according to the 2023 Annual Rule of Law Report, and whether the Commission’s assessment provides an accuraterepresentationofrecentdevelopments.
READ MORE ON EU LAW LIVE
Op-Ed on the Court of Justice’s judgment in Meta Platforms v Bundeskartellamt (C-252/21), where, according to the author, when answering the questions posed to it, the Court followed different perspectives: an open and �exible approach to the collaboration among national administrative authorities in relation to competition and personal data; and a narrow and rigorous approach to the legal bases for processing personal data at the core of the European data protection system.
Controla�erCKTelecoms(C-376/20)
by Justin LindeboomREAD MORE ON EU LAW LIVE
Op-Ed on the Court of Justice’s judgment in CK Telecoms (C-376/20), which, according to the author, constitutes an importantrulinginthatitcontainstheCourt’s�rstjudicialelaboration on application of the SIEC test in oligopolistic markets and it provides clarity on the extent of judicial review and theCommission’sdiscretioninitseconomicassessments.
�e
a
Op-Edontheemerginglegal‘contours’oftheEuropeanDisability Card, as a priority set by the Spanish Presidency of the Council,anditspotentialpitfalls
Permission to use this content must be obtained from the copyright owner
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the publishers.
Editor-in-Chief: Daniel Sarmiento
In-Depth and Weekend Edition Editor
Sara Iglesias Sánchez
Editorial Board:
Maja Brkan, Marco Lamandini, Adolfo Martín, Jorge Piernas, Ana Ramalho, René Repasi, Anne-Lise Sibony, Araceli Turmo, Isabelle Van Damme, Maria Dolores Utrilla and Maria Weimer
Subscription prices are available upon request. Please contact our sales department for further information at
www.eulawlive.com