Category: Uncategorized

Disclaimer: All opinions in this blog reflect the views of the author, not of the Dutch DPA.

In our digital markets, there are more and more concerns that big tech firms use their dominant position to conduct practices that could potentially be harmful to consumers and competitors. One of these practices is to present the consumer with a take-it-or-leave-it option before he or she is allowed to use a service: if you do not consent to the fact that the firm can combine and cross-use your personal data from the service with data from other services, you will not be allowed to use the service. Where firms use their dominant position to make such practices possible and when this makes the position of these firms even stronger so the market ‘tips’, the regulator could be inclined to prohibit the practice on the basis of competition law or other forms of market regulation. In the following, I introduce this practice (I). Then, I explain that the mainstream way of approaching the aforementioned practice under Article 102 TFEU has raised critique (II). Then I show how this critique could be taken away by another way of applying Article 102 TFEU, namely under the theory of harm of ‘privacy-policy tying’(III). Next, I explain that article 5 (2) of the DMA, which directly deals with the practice at hand, shows many similarities with the criticized approach of Article 102 TFEU (IV). Finally, I argue that the application of this article does not take away the critique that has been raised, which could potentially have negative consequences (V).  

Continue reading “Differences in substantive application of Article 102 TFEU and the DMA concretized: ‘Privacy policy tying’ under Article 102 TFEU or the opt-in rule for data combination and cross use in article 5 (2) of the DMA”

The recent events in Ukraine brought to light once again the difficulties faced by refugees at the beginning and during flight and resettlement. One of the main topics that are creating tension and increased solidarity is the fate and safety of the children separated from their families and parents. In this context, the first-time activation of the (TPD) for Ukrainian refugees sets an unprecedented step forward for the right of unaccompanied minors fleeing war and serious harm to family reunification. This bold political choice also draws attention to the urgent need for revision of the current legislation regulating family reunification for international refugees or beneficiaries of subsidiary protection.

Continue reading “EU law enforcement of the right to family reunification for unaccompanied minors fleeing conflict”

By Sonia, Shermane and Sandy

Positive conflicts of jurisdiction occur when two or more member states (MS) posses the right to investigate and prosecute the same alleged criminal offence. Within the context of the European Union, Eurojust aims to provide coordination among MSs when a conflict of jurisdiction emerges. In 2003 (updated in 2016), Eurojust issued guidelines to aid decision-making in the MS with the most competent jurisdiction. In 2005, the Commission launched the Green Paper on conflicts of jurisdiction and the principle of ne bis in idem in criminal proceedings. The Framework Decision 2009/948/JHA on prevention and settlement of disputes of exercise of jurisdiction in criminal proceedings appears to be the one legal instrument that covers this area, but what about the principle of legality? Neither the guidelines nor the Green Paper tackles the derogation of this principle when an individual is subject to multiple jurisdictions, resulting from parallel cross-border prosecutions. This post shows the limited role of the legality principle in parallel cross-border investigations and elaborates on the solutions that have been proposed so far. Finally, it looks at the most feasible way Eurojust could overcome the current shortcomings.

What is the role of the legality principle in parallel cross-border investigations?

Parallel proceedings are where two or more states claim criminal jurisdiction of the same suspicious criminal conduct. Parallel proceedings can involve parallel investigations or parallel prosecutions, or both. In its communication on a new EU framework to strengthen the rule of law, the Commission included the principle of legality as one of the main principles expressing the core meaning of the rule of law. Ever since, the concept has been further developed. The relevance of the principle is reiterated in the Commissions 2019 communication as an essential element of the rule of law. The principle of legality has also been described as an “umbrella” principle, as it covers multiple other principles. However, this post focuses on the foreseeability of laws (legal certainty), which is understood as a requirement of predictability and accessibility of the law so that a subject of law can reasonably foresee the consequences of its actions. This is ascertained by sufficiently precise formulation of laws.

In case a crime affects different states, parallel proceedings may emerge, as, in principle, each state possesses jurisdiction (see infographic). Jurisdiction may arise from jurisdiction ratione loci or jurisdiction ratione personae. The latter includes whether active personality or passive personality jurisdiction. The individual may be the subject of parallel proceedings, each following different substantive and procedural rules. In addition, it could also be possible that no Member States want to investigate or prosecute, which would entail a negative conflict of jurisdiction

For instance, in a case of an assault taking place in Belgium. Where the perpetrator is a French national residing in Belgium, the victim is a Dutch national having a permanent habitual residence in Germany. Consequently, several states may possess jurisdiction. Conversely, Belgium may start proceedings based on jurisdiction ratione loci. On the other hand, the Netherlands may start parallel proceedings based on jurisdiction ratione personae, more precisely by the passive personality principle. Finally, France possesses jurisdiction ratione personae, specifically passive personality jurisdiction.

Consequently, the violation of the ne bis in idem principle is at risk, which refers to the notion that a person shall not be punished multiple times or be subject to various proceedings for the same conduct. Furthermore, arbitrariness may appear, ultimately resulting in forum shopping. Forum shopping in this context is understood as when the Member States choose a particular jurisdiction for the case to be heard because it is more likely to provide a favourable outcome. For example, where the conduct is more severely punished.

Eurojust to the rescue? The Competence of Eurojust to enforce the principle of legality in parallel investigations.

Art. 4(1) c and 4(2)b of Regulation (EU) 2018/1727 states that Eurojust is competent to assist the competent authorities of the Member States (MS) in ensuring the best possible coordination of investigations and prosecutions. Moreover, Eurojust may issue a written opinion to indicate that the MS is most competent to prosecute. Hence, Eurojust is more suited to tackle this issue both in the early stages of the investigation through assistance and cooperation and ultimately recommending competent jurisdiction. For instance, there is a growing number of parallel proceedings detected by Eurojust via Article 13(7)(a), from 10 notifications received by Eurojust to 49 in 2017. This increase shows that dialogue and mutual trust are the main elements that Member States value to find a standard solution. Thanks to Eurojust, relevant details can be brought to the attention of the competent national authorities, which may decide to open an investigation. In complex cases, Eurojust proposes the creation of a JIT, which facilitates and coordinates further studies.

In 2017, the European Law Institute published a Draft Legislative Proposals aiming to prevent parallel proceedings and resolve conflicts of jurisdiction, thereby ensuring the protection of the above-mentioned ne bis in idem principle. The focus was drawn on guaranteeing legal certainty and foreseeability to achieve this. The reports include substantive legality as a relevant aspect of Article 47 CFR, which provides, among other things, that “everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law. We consider that the last part “concerning the tribunal established by law” renders problematic in parallel investigations and prosecutions because the jurisdiction in which a suspect is to be prosecuted is unclear and may remain undecided for an unacceptably period.  Moreover, it enshrines the principles of legality and proportionality. Some legal scholars, such as Luchtman, already predicted in many articles this shortcoming. He relates the substantive legality principle, foreseeability and choice of forum. He argues that insofar as the specific jurisdiction determines the applicability of different national substantive provisions, a new framework to provide for that choice would support the foreseeability of the law for the individual.

Alternative solutions

The European Law Institute distinguishes three alternative approaches that would provide the principle of legality the granted role in the CFR in parallel cross-border investigations.

1. The so-called horizontal mechanism, in which the conflicts of jurisdiction and parallel investigations are solved via consultation between MS, shall eventuate in an agreement.
2. The vertical mechanism is characterised by a binding supranational decision (issued by Eurojust) in cases where coordination between the national criminal justice authorities has failed.
3. The model for the allocation of criminal jurisdiction in the AFSJ aims to prevent the emergence of conflict of jurisdictions by establishing uniform European rules on the allocation of the exercise of criminal jurisdiction in the AFSJ.

From the three choices, we consider the second one the most suitable. On the one hand, the horizontal mechanism, the current practice between MS, has proven non-efficient. This is because there is no uniform procedure that would allow the individual to foresee the consequences of their conduct or which law, they are subject to.  On the other hand, a complete regulatory mechanism that would force MS to accept which jurisdiction is better suited would render it too complex to enforce. This complexity derives from the fact that there are too many factors to assess, which have to be considered in all three models to decide which jurisdiction is more suitable. For example, the nationality and current location of the suspect, the place where most evidence is located, the interest and protection of victims and witnesses etc. Depending on the specific circumstances of the case at hand, these factors make it challenging to establish that one is more important than the other; therefore, each case needs a particular assessment.

So, what can be done now?

Currently, the legal certainty problems that derive from parallel investigations should be acknowledged, taking Eurojust as an example. Eurojust tackles in its reports the importance of detecting parallel investigations at the earliest possible stage.

There is the need to acknowledge more significant the legal certainty problems that derive from parallel investigations, and Eurojust should be an example. Currently, Eurojust considers that parallel proceedings can be beneficial in combating crime if they are performed in a coordinated manner. They assess questions regarding parallel investigations in their plenary meetings and tackle the issue in the yearly coordination meetings. Indeed, this is a positive attempt for these issues to be addressed in coordination meetings and strategic seminars solely to tackle parallel investigations and their consequences for individuals as it increases understanding regarding the issues related to legality that may arise in parallel investigations and prosecutions. The gentle mandate of Eurojust to support cooperation and coordination between the Member States is without doubt, enhanced in such a way even without the use of punitive sanctions to achieve compliance. To conclude, policy documents as guidelines on coordinated and safeguarded parallel investigations would significantly benefit Eurojust.

By Ana, Natalie and Marceau

Both the Office Européen de Lutte Antifraude (OLAF) and the European Public Prosecutor’s Office (EPPO) share the goal of enforcing the European Union (EU) anti-fraud agenda. Although OLAF is an administrative agency and the EPPO falls more under the field of criminal law, they both act against offences affecting the financial interests of the Union. Hence, the substantive scope covered by the two is in essence the same. However, although the objectives of the two agencies are strikingly close, the approach they use to fight fraud differs. In that sense, one can look at the two as complementing each other at work. While previous research on OLAF and the EPPO focused on the working of the agencies separately (e.g. the issue of the EPPO’s ‘forum shopping’ and OLAF’s accountability), in this blog post we aim to view the two together.

In the following we show both how they may be viewed as complementary to one another as well as what gaps and issues still remain in fighting fraud efficiently with the two enforcement agencies. To fight fraud, two steps have to take place: first, the authorities need to investigate the case, and second, if they find the case fraudulent, the perpetrators need to be prosecuted. Additionally, an effective infrastructure has to be put in place on the EU as well as the Member State’s level to prevent future fraud from occurring in the first place. In the following we discuss those issues in view of the EPPO and OLAF complementarity.

If you are unfamiliar with the roles of OLAF and the EPPO, you can familiarize yourself with their work by watching the above videos.

COMPLEMENTARITY IN INVESTIGATIONS AND GATHERED EVIDENCE

When it comes to investigation, OLAF has strong investigatory powers to gather evidence on cases involving potential fraud. It conducts the so-called ‘internal’ and ‘external’ investigations, overviewing the use (or misuse) of EU funds by the EU as well as its Member States respectively. While in the internal investigations OLAF enjoys a great deal of independence (e.g. it has the right to immediate and unannounced access to information), when investigating potential fraud in the Member State’s context, it is dependent in law and in practice on the Member State concerned. However, Member States are obliged to cooperate with OLAF, ensuring that OLAF has access to relevant information (e.g. databases) under the same conditions as national authorities. In order for OLAF to be effective and efficient in conducting, for example, its ‘on-the-spot’ checks in Member States, such cooperation is essential.

On the other hand, in gathering evidence for prosecution, the EPPO relies on the work of the European Delegated Prosecutors (EDPs) who represent the European Prosecutor of every participating Member State. Upon the instruction by the EPPO’s Permanent Chamber, the relevant EDP may initiate investigations to gather evidence for prosecution. Having the same investigatory powers as their national counterparts, EDPs may, for example, tap phones, search premises and request for information to build up a file. Similarly to OLAF, the EPPO should ALSO be aided by the national authorities when investigating a case

Considering the powers of both agencies, the investigative powers seem to overlap. However, instead of disqualifying one because the other may conduct similar investigations, the two can be viewed as complementing or enhancing the role of one another. With OLAF fighting fraud in the EU for over two decades, the agency has a lot of relevant know-how as well as legitimacy to gather evidence on a case. That evidence may subsequently be used by the EPPO, with OLAF becoming the main investigative body of the EPPO. In fact, such cooperation has recently been put into law, namely by amending the OLAF Regulation. Because of this change, OLAF is obliged to submit its report on any criminal conduct to the EPPO without delay. At the same time, while the EPPO might enhance the role of OLAF by making it its main investigative body, the role of OLAF may be viewed as subdued to that of the EPPO. That is exemplified by the fact that OLAF can no longer continue its investigations once it has handed the file to the EPPO and the EPPO opened its own investigations of the case. On a different note, when the EPPO itself lacks competence to act on a case it considers potentially illegal, it has the duty to report the case to OLAF. In that sense, it is obliged to present OLAF with the information it gathered too, enhancing its role in some cases.

COMPLEMENTARITY IN FURTHER ACTION – RECOMMENDATIONS AND PROSECUTION

While in the investigation phase more overlaps can be found between OLAF and the EPPO, the possible subsequent steps differ. That is so mostly because OLAF is in essence an administrative agency while the EPPO is primarily a prosecution body.

OLAF’s main outputs following an investigation are drawing up a report presenting evidence and issuing recommendations suggesting further action by other EU or Member States’ authorities. However, as the recommendations are not legally binding, the enforcement powers of OLAF in this regard are quite weak. At the same time, recommendations carry political weight which make the authorities take them into account. The actions recommended may vary from disciplinary and administrative actions to financial and judicial ones, aiming to deter the future misuse of EU funds and remedy the ones that already took place.

Differently from OLAF, the task of the EPPO after the investigation is to prosecute. When the EPPO comes to consider that an allegation of an offence is supported by evidence, and when the case falls under its competence, the EPPO can open a trial before a national court. Because the mandates of the two are so different, it is hard to say that the two complement each other’s work directly. However, in the overall picture of fighting the misuse of EU funds, OLAF’s substantiated recommendations (backed up with evidence from the report) and the EPPO’s prosecution powers jointly contribute to two different fields of law addressing the issue of fraud. With the EPPO’s power to prosecute in front of a judicial body, there is also a possibility that the court will recognize the case as criminal also judicially, issuing a decision that is legally binding.  

The fact that both enjoy some powers following-up an investigation phase is important, particularly because the two cover different territories when enforcing their anti-fraud agenda. It is important to note that while the EPPO is established on the basis of enhanced cooperation, meaning that it only applies to the 22 participating Member States, OLAF can act in all 27 Member States of the EU. While the limited scope of the EPPO’s enforcement might be an issue in a territorial sense, the situation can be remedied by the presence of OLAF. Namely, OLAF can step in with its investigations and recommendations where the EPPO has no territorial jurisdiction to do so. In that sense, OLAF and the EPPO may again be viewed as complementary.

At the same time, because the EPPO with more coercive prosecution powers may only operate in certain Member States and not just everywhere, anti-fraud enforcement across the EU may differ in the intensity. This might affect the extent to which fraud is addressed in different Member States, creating differences in policing the use of funds which may lead to abuse (e.g. cross border fraud). While this issue goes beyond the scope of this blog post, it would be a relevant topic for future research.

Lastly, it is important to state that OLAF also functions as an advisory body, developing anti-fraud policies and “fraud proofing” legislation which contributes to the fight against fraud also ex-ante. In that way it contributes to the anti-fraud agenda of the EU in a preventative way.

CONCLUDING REMARKS

In conclusion, we summarize the points made above in the table below. By outlining the different powers held by OLAF and the EPPO, we showed how and why they may be viewed as complementary. Overall, the authors believe that with the current system in place, OLAF and the EPPO can fight fraud and abuse of EU funds effectively together. However, some gaps still remain and could be addressed by strengthening the competences and the scope of both OLAF’s and the EPPO. Who would be hurt by stronger common anti-fraud fighting anyways?

The table shows the complementarity of OLAF and the EPPO in the fight against the misuse of EU funds by the two agencies.

By Lauren, Florentina, Maria and Rei

Enforcing EU environmental law is essential in combatting climate change and protecting the environment. Yet, non-compliance with environmental law is the leading cause of the commencement of infringement actions every year. Since the start of this year alone, the Commission has opened 85 infringement actions against Member States (“MS”) for non-compliance with environmental law. Infringement actions are lengthy and costly. Given the shortcomings of ex post enforcement, the question arises of how environmental enforcement can be improved ex ante. This blog post looks at four ways in which the European Environment Agency (‘EEA’) can help to plug information gaps in environmental enforcement at the national level, thus potentially reducing infringement actions by the Commission and preventing environmental harm.

The EEA is an information-providing agency. Some of its roles listed in its founding regulation include 

• Providing information needed for sound environmental policy to MS and the Commission (DG Environment, in particular);
• Ensuring that the public is properly informed about the state of the environment;
• Assisting the monitoring of environmental measures and recording and assessing data on the environment, ensuring that the data is comparable at a European level.

It has been argued that in the past the agency has acted as more of a ‘loyal lapdog’ to DG Environment, whereas it has the potential to act as more of a ‘barking watchdog’. Given its roles and powers assigned in its founding regulation, we argue that the EEA could improve enforcement of environmental law in the four following scenarios:

(1) First possibility: EEA information gathering on criminal law enforcement by MS

Inspections are crucial in preventing environmental harm. Blanc and Faure (2018) discuss current problems with environmental inspections in MS. The first one is that the Commission may only carry out an inspection on MS soil if the MS gives permission for the Commission to inspect. This problem arises with Directive 2008/99, which obliges MS to enforce criminal law for certain environmental crimes. For example, Article 3 of the Directive requires MS to criminalise the destruction of protected habitats and to criminalise the discharge of potentially deadly materials into the air, soil or water. However, once the Directive is transposed into national law, the MS may enforce the law in a weak manner. Faure (2017) gives the example of how this happened in the case of Sweden’s transposition of the Directive. The Swedish sanctions in place for corporate environmental crime were considered to be too low, and therefore not considered effective, proportionate and dissuasive.

The core enforcement problem with the Directive is that the Commission lacks information with respect to penalties imposed by MS. In particular, Blanc and Faure note that the Commission lacks information with regard to the capacity of environmental inspectorates and prosecutors, and on prosecutions and sanctions at the national level. A recommendation was made for the Commission to introduce legally binding minimum criteria and guidelines for inspections carried out by MS to ensure better enforcement of environmental law. This remained, however, a recommendation, as the Commission refused to make the minimum criteria and guidelines legally binding. This is where the EEA could step in, given that the agency already collects data from the national level to present at the EU level. The EEA manages the EIONET network, a forum whereby MS share environmental information and set common data reporting standards. One could imagine a scenario wherein MS report data on environmental criminal sanctions via this forum, with minimum reporting standards. However, a potential drawback for this is that the EEA has no powers to oblige MS to deliver up the necessary information. 

(2)Second Possibility: The information-gathering role can be enhanced

Figure 1: Infringement cases opened January 2022 – April 2022, per legislative instrument breach

When discussing which powers EEA has and which problems it encounters, the first thought that comes to mind is to give it more powers. However, this section investigates if the current powers that it has can solve, at least partially, the underenforcement problem.

As mentioned, a high number of infringement cases on environmental law exist. Adopting  a qualitative legal research method, the main causes of these infringements will be investigated, based on which Directives are breached. Further, it will be assessed whether EEA, if given more powers, could have prevented, at least partially, these infringements from happening.

It was determined that from the beginning of 2022, more than 80% of infringements were with regard to four directives and three major problems: noise pollution, failure to prevent the spread of invasive alien species (IAS), and failure to comply with sustainability measures.

Almost 21% of infringement cases concern Regulation 1143/2014 on the spreading prevention of invasive alien species (IAS). It requires MS to manage the pathways by which IAS are introduced and spread. However, MS  have failed to establish an action plan under the Regulation. Most of the infringements in this sector are due to a lack of knowledge. Since the EEA is an information-gathering agency, it could have informed the MS about all IAS, how to identify which IAS are dangerous and how to deal with them. The list in the regulation ‘accounts for just 3% of all IAS’. Thus, updated annexes by EEA to the Regulation can mitigate this problem and avoid future infringements.

Directive 2019/904 EU promotes circular approaches that give priority to sustainable products. Many MS failed to transpose this Directive by missing the deadline, leading to 20% of infringement cases. Why is there such a high number infringement cases? This Directive is addressed to market players who need to change their behavior. MS act more as ‘supervisors’. After a substantial scrutiny of all these cases and their context, it was identified that  little time given to MS, and the lack of a clear strategy on how to switch to sustainable products are among the causes of non-compliance. Thus, if the EEA could have helped industry actors with an action plan on how to make this change, some infringement cases could have been prevented.

Either way, when such important legislative acts are enacted, governments and market players should be assisted by a European agency to make sure the legislative goal is attained. The first objective of the Lisbon Action Plan is to achieve effective transposition. The EEA has enough information and expertise to be able to assist Member States to comply with environmental law. Even though it is acknowledged that now, it may be difficult to give EEA supervisory or enforcement powers, if it could mitigate information asymmetry problems more efficiently, it would have already been a success.

(3) Third Possibility: Promoting the collection of timely information

National authorities have not been able to sufficiently obtain timely information for effective enforcement. The following bar chart indicates the reporting performance of each country in EIONET in 2021.

Figure 2: Reporting Performance by each EU country in EIONET, 2021. Source: Eionet core data flows 2021

This chart indicates how often there was timely and high-quality data sharing from each country, with 100% being the best possible result. According to this chart, many countries achieved a high percentage in sharing timely data, however, in some countries such as Germany, the rate was only about 60%, a large gap compared to countries like Poland. This gap could generate a risk of ineffective enforcement in some countries because of insufficient timely information to address environmental challenges and this can affect the total quality of enforcement in the EU.

EEA can take measures to reduce the risk of the gap in some ways. One way is to improve the technical aspect of EIONET itself. This information portal site has an enormous amount of data, thus specific data may not be picked up immediately. The development of this database would increase the quality of information sharing to users. Also, the EEA can recommend authorities who have not offered much data compared to other countries to provide data regarding the enforcement situation of EU environmental law to EU institutions. This can put pressure on countries in cases where authorities in the EU have to address problems rapidly. Moreover, the process of sharing data can be improved. EIONET has an infrastructure called Reportnet, and it has a reporting process in 10 steps, but there are no limited periods in each step and this can lead to less timely information sharing. A new version developed in 2018 makes the process without external systems, but a specific period in each step should be also set.

(4) Fourth Possibility: Self-monitoring Scheme

Environmental competences are shared between MS and the EU. The EEA already has important information gathering powers. Objectives delegated to EEA could be enhanced by strengthening cooperation between the EEA and national environmental authorities. 

It is possible to achieve the aforementioned target, by establishing a self-monitoring scheme. Based on this scheme, the EEA cooperates with national authorities for the purpose of monitoring compliance and gathering information regarding EU Environmental Law infringements. Main polluters of each MS by sector are obliged to provide information regarding compliance with EU environmental law to national authorities. The latter are responsible for referring this information to the EEA. Due to the fact that higher fines would not result in higher compliance, since companies would adjust their budgetary strategies accordingly, enterprises which cooperate would benefit with a reduction on the fine imposed for non-compliance. 

By reducing fines imposed, enterprises would have a greater incentive not only to cooperate with the authorities and the Agency, but also to comply with EU environmental law. Consequently, the risk is reduced, considering that they bear certain rather than uncertain sanctions in case of non-compliance.  

Through this Scheme it is not only enterprises who benefit, but the national authorities and the European Commission as well since it would result in saving enforcement resources. Those who report their harmful act, no longer require detection. 

Such schemes already exist in many MS, though there is nothing as such at EU-level. Our proposal is for an obligatory self-monitoring scheme for main polluters at national level with a further obligation for national authorities to cooperate with the EEA. 

By Giorgia, Lisa-Marie, Shivani, and Emilia

You take the blue pill—the story ends, you wake up in your bed and data protection enforcement stays the same. You take the red pill—we make a new agency, and I show you what it could look like.

(Lana Wachowski and Lilly Wachowski, The Matrix, 1999)

In ‘The Matrix’, when the reality of Thomas Anderson begins to fall apart, he is presented with a choice: to take the blue pill which allows him to continue living in contended ignorance, or to take the red pill to learn about reality and express his full potential by becoming his alter ego Neo. It is a risky option which yields challenges, yet ultimately beneficial consequences. Similarly, whilst leaving the status-quo of the enforcement system of the General Data Protection Regulation (‘GDPR’) provides a comforting yet ineffective blue pill, taking the red pill and converting the European Data Protection Board (‘EDPB’) into a European Data Protection Agency (‘EDPA’) could disrupt yet enhance enforcement of data protection law in the European Union (‘EU’).

In today’s digital economy, companies process a significant amount of personal data. Individuals can benefit from this, for instance by receiving more targeted and relevant information. However, there are also inherent risks to data protection, a fundamental right of every EU citizen. For example, in cases of a data breach, individuals can be harmed by identity theft or fraud (Bergkamp, Hunton, and Williams, 2002). The GDPR, therefore, imposes certain limitations on personal data processing. These are enforced through a hybrid system composed of the EDPB and national supervisory authorities (‘SAs’). The SAs investigate and enforce companies’ compliance with the GDPR in their respective Member States, while the EDPB functions as a dispute resolution body in cases of conflicts between SAs, but has no investigative or corrective powers itself. Yet, the EDPB does enjoy corrective powers to a certain extent: It can impose duties on the SAs that require the implementation of EDPB’s decisions, including the adoption of corrective measures. Furthermore, the EDPB can adopt legally binding decisions.

Nevertheless, the GDPR’s enforcement, particularly in cross-border cases, has been criticized for being too complex, slow, and ineffective, leading to its underenforcement. For this reason, the Commission Vice President Věra Jourová announced that the GDPR enforcement system might be reformed, moving towards a more centralized enforcement. This blog post investigates whether converting the existing EDPB into a EDPA modeled after the Single Supervisory Mechanism (‘SSM’) could solve the current enforcement deficits.

Blue pill: The Gordian knot of the current GDPR cross-border enforcement

In situations where companies control and process personal data across several Member States, the one-stop-shop mechanism applies: the SA in the Member State of the companies’ main establishment takes the lead but must cooperate with SAs of other affected Member States through information exchanges, in order to reach consensus in the investigation and sanctioning. However, this cooperation mechanism exhibits major deficits, in particular in cases where companies, such as Google, Facebook, and Twitter, process data from individuals across the EU.

There are two major drawbacks to the current system:

1. The one-stop-shop mechanism places an unproportionate burden on SAs of Member States where many big companies are located (e.g., Ireland) which, combined with a lack of resources and possible political unwillingness to investigate violations sufficiently, leads to enforcement bottlenecks;
2. The EDPB and concerned SAs are highly dependent on the lead SA to investigate sufficiently and share its information. If this is not done in goodwill, then the EDPB does not possess enough evidence to decide disputes between SAs (see Decision 01/2020, paras 132-133).

Together, these deficits contribute to the underenforcement of the GDPR (Mustert and Bledoeg, 2021). Could the transformation of the EDPB, empowered with direct enforcement powers, be the bold step necessary to solve this Gordian knot?

Red pill: Creating an EDPA modeled after the SSM?

EU agencies play a crucial role in the shared administration of the EU by executing information-gathering, regulatory, and direct enforcement tasks (Scholten, Strauss, and Brenninkmeijer, 2021). There are pros and cons of a centralized agency that enjoys investigative and legally-binding enforcement powers overruling national authorities (Scholten and Ottow, 2014). Most importantly, a centralized EDPA could increase harmonization and reduce the risks of enforcement bottlenecks, ensuring a cohesive observance of the GDPR throughout the EU. However, optimal results will still only be achieved when national SAs are incentivized to cooperate with a centralized EDPA. This could be achieved if the EDPA is modeled following the role that the European Central Bank (‘ECB’) undertakes in the SSM.

The Regulations governing the SSM ensure the soundness of the European banking system. This mechanism confers specific tasks on the ECB regarding policies on the prudential supervision of banks and credit institutions. It functions through a centralized system of enforcement between the ECB and SAs, with the former being ultimately responsible for the effective functioning of the SSM. Although the ECB and SAs enjoy similar powers, the ECB is exclusively competent for supervising and investigating significant banks, whilst SAs are entrusted with the monitoring and investigation of less-significant banks. The significant status is decided by the ECB based on banks’ sizes, their economic importance, their cross-border activities, and whether they have requested direct public support. The ECB must cooperate through a system of shared enforcement which permits the ECB to take over institutions overseen by SAs at any time (Karagianni and Scholten, 2018).

The solution of an EDPA and SSM model of enforcement

In light of the considerations on centralizing the GDPR enforcement, the EDPB could be transformed into the EDPA by firstly adopting a regulation on the basis of the fundamental right to data protection, and secondly by endowing it with similar supervisory and investigative powers as the ECB has within the SSM for ‘significant’ banks. Accordingly, the EDPA will have direct enforcement powers regarding large data processing companies. The legal basis allows for ensuring the GDPR compliance of companies harvesting personal data of EU citizens, while the SSM-like powers allow to share the task of overseeing the personal data processing companies with the supervisory authorities and supervise the overall system. Otherwise, allocating the entire supervision to the EDPA might prove detrimental, especially when comparing the large number of companies controlling and processing personal data in the EU with the few significant banks supervised by the ECB. While the criteria of significance in the data-processing field cannot be directly transposed from what is used to determine significant banks, new considerations in terms of the quantity and quality of data a company processes (i.e. strategic importance) will prove pivotal to determining which entities are supervised by the EDPA.

By Anna, Bart, Francesca and Natália

With new technologies on the rise and the ensuing evolution of many transnational crimes, the importance of the European Union Agency for Law Enforcement Cooperation (Europol) in preventing and countering serious crime has become even more apparent. For example, in January 2021, Europol helped to disrupt one of the world’s most dangerous and longer lasting cybercrime services. It did so by supporting, among others, the Dutch, German and French law enforcement authorities with its technical capabilities and by setting up joint investigation teams.

Europol’s assistance to the Member States is crucial as, today more than ever, criminal information is found in the hands of private companies. This is evident from recent cases where Europol assisted in busting criminal networks specialised in the distribution of counterfeit documents via instant messaging apps such as the one in France, Spain and other Member States. Although Europol can already receive data from private service providers, this is only on exceptional bases and most notably through the intermediary of a national unit or contact point. Hence, extending Europol’s powers in this field could help law enforcement authorities to combat these crimes more effectively. This may become true, should the 2020 Proposal for a new Europol Regulation be adopted. Europol is now one step closer to gaining such power since the European Parliament and the Council have reached a preliminary agreement on the matter on 1st February 2022. In light of this recent development, we aim to shed more light on the Commission’s Proposal and ensure you do not miss out on the three main changes it may bring about. Specifically, these include: (1) the cooperation with private parties; (2) the big data challenge; and (3) Europol´s role in research and innovation. Naturally, no reforms are ever fully welcomed and thus we also aim to highlight some of the concerns raised by different stakeholders with respect to the proposed changes.

Time for a Change

Shortly after the entry into force of Europol’s current Regulation, the Council and Parliament had already called for strengthening of the agency’s mandate. In December 2020, this led to the new Proposal. If enacted, it would further enhance Europol’s powers. The three main changes mentioned above will now be addressed in turn.

1.     Cooperation with private parties

Currently, Europol may only process personal data obtained from private parties indirectly, via the intermediary of a national unit or a third country´s contact point (Article 26(1) Regulation 2016/794). Additionally, the agency cannot address private parties to retrieve (additional) personal data (Article 26(9)). However, this would change with the Proposal´s adoption. Europol would be in fact able to receive personal data directly from private parties while also being allowed to contact them for any potential missing information (proposed Article 26(2) and (5)(d)). In this connection, Europol could also request Member States to obtain data from private parties that are established on their territory on its behalf. Finally, the agency’s technical infrastructures could also be used by competent national authorities and private parties for personal data exchanges (proposed Article 26(6a) and (6b)). In this way, Europol would be able to interact with private parties more regularly, both directly and indirectly.

2.     Big data challenge

Article 18 of the current Regulation stipulates that Europol may process personal data for a number of specific purposes and only in relation to certain categories of data subjects falling within Annex II. Over the past years, however, Europol started receiving large, complex, and unfiltered datasets from national law enforcement authorities. For example, Europol’s analytical and technical support turned out to be crucial for the French and Dutch law enforcement authorities in the dismantling of EncroChat, an “encrypted phone network”, used by criminals for violent crimes and drug transports. However, as the European Data Protection Supervisor (EDPS) observed, these extensive processing activities ultimately led to compliance issues. Therefore, to address the agency’s “big data challenge”, Europol would eventually be able to pre-analyse the data received to determine whether the information may indeed be lawfully processed (proposed Article 18(5a)).

3.     A role in research and innovation

Europol does not currently have a legal mandate to foster innovation and research activities in support of Member States’ law enforcement efforts. This is problematic as not all Member States have the necessary resources and skills to fight crimes carried out through new technological means, such as encrypted mobile devices or artificial intelligence (AI) tools. Therefore, under the new Regulation, Europol would not only be involved in the drafting of the Union framework programs for emerging technologies, but it would also be able to support Member States in the development of AI projects (proposed Article 4(4a) and 1(t)).

The following figure sums up the three issues and how the new Proposal would tackle them.

The half-empty glass?

The strengthening of Europol´s mandate seems to be widely supported, yet, the Proposal has not escaped criticism from some of its stakeholders. The most voiced criticism entails the Proposal´s timing, which some referred to as dubious, premature and hasty. This is because it came almost one-and-a-half years before the planned Europol´s evaluation as required under Article 68 of its current Regulation. Without such evaluation, there is limited information to really assess Europol´s effectiveness and impact.

Furthermore, some stakeholders like Statewatch, argued there is ´no need to expand Europol´s mandate to increase its engagement with private parties´. Others, including scholars like Mitsilegas, questioned the private entities´s ability to effectively assess the fundamental rights implications of their personal data transfers to Europol. Concerns also exist about the risk of such transfers occurring without a prior judicial authorization. Additionally, 26 civil society organisations addressed an open letter to the European Parliament members, calling them to not support the proposal due to various fundamental issues. These range from insufficient democratic oversight and lack of defence rights guarantees to potential invalidation of the reform by the European Court of Justice since Article 88 TFEU does not entail the proposed powers.

The EDPS has also expressed concerns about the current exceptions to data protection rules potentially becoming ´reality in practice´. Hence it called for a better definition of the circumstances in which Europol may apply the proposed derogations to processing large and complex data sets. It further criticised that additional safeguards only apply to data transfers with private parties located outside the EU. According to it, the special safeguards should apply irrespective of the private parties´ location within or outside the EU. Lastly, the EDPS pointed out the scope of Europol´s research and innovation activities is currently defined too broadly. To prevent any potential breaches of the rights to privacy and data protection, the scope shall have to be further clarified.

All in all, you can see that the Proposal, while necessary, may have come a little too early, certainly with the evaluation so close around the corner. There is still room for improvement before the co-legislators come to a final decision on the Proposal. We shall have to wait for the new developments.