EU Law Enforcement

The July 2020 judgement of the Court of Justice of the European Union (CJEU) in the so-called Schrems II case has resulted in a great deal of uncertainty for organizations engaging in the transnational transfer of personal data and in particular when those transfers are to entities in the United States. This post will investigate the enforcement issues on which the Schrems II reasoning is based, and discuss the potential effects that the decision has for General Data Protection Regulation (GDPR) enforcement.

Schrems II is the most recent installation of an ongoing litigation that resulted from a complaint that Maximilian Schrems levied against Facebook with the Irish Data Protection Commissioner (DPC) in 2013. Schrems’ complaint objected to Facebook transferring personal data to the United States (US) as contrary to the protections provided by the GDPR. It was based in part on the US National Security Agency (NSA) documents leaked by Edward Snowden in the summer of 2013. These documents revealed a mass surveillance program run by the NSA under Sec. 702 of the Foreign Intelligence Surveillance Act (FISA). This surveillance included direct collection from major US telecommunication providers, internet service providers, and Internet content providers under a program code named PRISM. Schrems’ complaint was rejected by the DPC and Schrems sought judicial review. It eventually led to an assessment of data protection adequacy decisions specifically regarding transfers to the US. The CJEU twice in Schrems I and Schrems II struck down adequacy decisions with the United States.

Continue reading “Schrems II and the Data Protection Enforcement Gap”

Since 2012, the European Commission has taken numerous steps in order to shape to EU’s digital future. One of these steps included the adoption of the General Data Protection Regulation (GDPR) which entered into force in May 2018. The GDPR aims to protect, in particular, the right of natural persons to the protection of personal data. At the end of 2020, the Commission went a step further and published its proposal for the Digital Services Act (DSA). As part of the EU’s Digital Strategy, it contains provisions to update the e-commerce legal framework.

Infringements of both the GDPR and the DSA do not stop at the Member States’ borders. An incident at Twitter, for instance, led to a situation where Twitter users had their Tweets, dating back to 2014,  publicly accessible without their knowledge. This breach of the GDPR affected at least 88.726 EU and EEA Twitter users all across the continent. For this reason, it is essential that national authorities of different Member States cooperate in order to adequately enforce such breaches. Cooperation is fundamental here because it enhances the enforcement capacity and quality (van der Heijden 2016) – e.g., when investigating and sanctioning infringements that take place in multiple Member States, authorities can benefit from sharing resources and knowledge, which also speeds up the enforcement process. Keeping enforcement mainly the responsibility of national authorities, also respects the Member States’ desire to keep these competences at national level and it offers functional benefits since national authorities often have better access to information at national level (Hofmann 2008; Coen and Thatcher 2008; Eberlein and Grande 2005. Börzel and Heard-Lauréote 2009). Therefore, both the GDPR and the DSA provide that national  authorities of different Member States cooperate, under the coordination of an EU body. Nevertheless, the GDPR experience proved that enforcement of cross-border infringements is not an easy task and the complexity of such structures could even lead to under-enforcement.

This blogpost aims to shed light on the complex enforcement procedures and speculates as to whether the Commission has learnt any lessons from the enforcement challenges that materialize under the GDPR. In order to assess the potential of the DSA enforcement structure, we discuss the horizontal (national authorities cooperating) and vertical (national authorities cooperating with an EU body) enforcement procedures of both systems, and the challenges that arise under the GDPR system.

Continue reading “The DSA Enforcement Framework, Lessons Learned from the GDPR?”

On January 15, the Dutch government was forced to resign amidst a scandal around its child-care benefits scheme. Systems that were meant to detect misuse of the benefits scheme, mistakenly labelled over 20,000 parents as fraudsters. More crucially, a disproportionate amount of those labelled as fraudsters had an immigration background.

Amongst the upheaval, little attention was brought to the fact that the tax authority was making use of algorithms to guide its decision-making. In a report by the Dutch Data Protection Authority, it became clear that a ‘self-learning’ algorithm was used to classify the benefit claims. Its role was to learn which claims had the highest risk of being false. The risk-classification model served as a first filter; officials then scrutinized the claims with the highest risk label. As it turns out, certain claims by parents with double citizenship were systematically identified by the algorithm as high-risk, and officials then hastily marked those claims as fraudulent.  

It is difficult to identify what led the algorithm to such a biased output, and that is precisely one of the core problems. This blogpost argues that the Dutch scandal should serve as a cautionary lesson for agencies who want to make use of algorithmic enforcement tools and stresses the need for dedicated governance structures within such agencies to prevent missteps.

Continue reading “The Dutch benefits scandal: a cautionary tale for algorithmic enforcement”

It seems to be a given by now that shared administrations are increasingly used in the EU to ensure an effective implementation of Union law. However, the administrative reality of shared administrations still seems ahead of the legal and judicial reality. Shared administrations result in decisions based on often complex composite administrative procedures involving administrative authorities from both the EU and national legal orders. However, there is no single uniform set of EU administrative standards and the judicial orders are still relatively separate. The different administrative authorities involved may thus be subject to different administrative standards and, due to the relatively separate judicial orders, it is often uncertain in what manner effective judicial protection can be ensured. The extent to which an effective legal control is possible is thus questionable in case of composite administrative procedures. In this blog post, which is based on my new book ‘Effective Legal Protection in Banking Supervision. An Analysis of Legal Protection in Composite Administrative Procedures in the Single Supervisory Mechanism’ (Europa Law Publishing 2021), I will be addressing this question on the example of the Single Supervisory Mechanism (SSM). I have looked for a middle ground that ensures effective legal protection in composite procedures in such a way that persons’ rights are safeguarded without unnecessarily hampering the supervisors’ effectiveness. Although this is not such an easy task, it seems possible nonetheless.

Continue reading “Effective legal protection in the composite procedures of the SSM”

This blog post is based on the discussion that took place on January 29, 2021, within the JMN EULEN online lunch meetings.

Maciej Bernatt (chairing the discussion): The COVID 19 crisis has brought challenges to the proper functioning of the EU Single Market. These challenges include, among other things, export restrictions among the EU Member States and the closing of borders affecting the free movement of people, products, and food supply. While many of these measures were arguably justifiable, some of them could in practice be protectionist in nature and thus undermine the very foundation of the EU Single Market. The question is how the EU and the EU Member States should deal with the crisis situation and yet ensure the values and freedoms of the EU Single Market. In this context, it is also crucial to ask about the permissibility and the legality of the restrictions imposed by Member States.

Continue reading “To what extent is the EU Single Market resilient?”

On the 11th of January 2020, judges from 20 European countries marched with their Polish colleagues through Warsaw in a silent protest against repressive new measures aimed at Polish judges. The many EU flags rising above the crowd could be seen as cries for help to Brussels. We cannot defend our independence alone, we need the EU to step in and step it up. But the EU’s current rule of law toolbox has been painfully ineffective to enforce the principle of judicial independence (JI) in Poland. Concerned about the Polish government’s judicial reforms, the Commission has used every tool in the toolbox. But, after two years of unfruitful dialogue under the Rule of Law Framework – ending with launching the Article 7 procedure in 2017 – and four infringement proceedings (and counting) later, the first edition of the new Rule of Law Report in 2020 does not paint a flattering picture of the current state of the Polish judiciary’s independence. This blog post argues that these failures were quite predictable, as the rule of law toolbox fails to put the right tools in the right hands. Notwithstanding the blame rightly put on the EU institutions for failing to make effective use of the available mechanisms, the different tools all have inherent qualities that hinder their effectiveness to enforce the principle of JI upon a Member State (MS) – especially when threats are widespread and deliberate. The new rule of law budget conditionality mechanism can hopefully offer the Commission a more powerful tool to force MS compliance, but doubts remain whether it will be applied effectively.

Continue reading “How the rule of law toolbox fails to tighten the screws”

Post-accession, Bulgaria has proven to be a functioning member of the common market and has enjoyed the benefits of EU access. But while it has reaped success in the field of market integration, it has consistently underperformed in the rule of law domain. Part of the blame falls with domestic institutions and processes, but the rest seems the result of EU enforcement inadequacy. The importance of the rule of law enforcement issue is indisputable – and the recent examples of Poland and Hungary only highlight that window-dressing by governments and EU inaction can be nothing short of problematic. This blog post argues that the existing article 7 TEU and the Commission’s new rule of law enforcement toolkit, are insufficient to address these challenges. As the example of Bulgaria will show, “smaller sticks” such as temporary sanctions, appear essential to making the system more effective.

Continue reading “The EU’s Rule of Law Enforcement Framework Challenges in Bulgaria”

EU soft law typically serves as an interpretative tool helping with enforcement of EU hard law, especially when hard law provisions are indeterminate or open-textured. The power of soft law making brings with it the risk that an EU institution issues a soft law act going beyond the binding provisions that it is intended to interpret. In such a scenario, the soft law act does not ensure the enforcement of EU hard law, but rather sets new rules, which may be considered as circumventing the legislative process. This is just one of the reasons, why it seems vital to make EU soft law acts subject to judicial review by the CJEU.

Continue reading “Is preliminary reference procedure an adequate channel for the assessment of validity of EU soft law acts?”