Portfolio blogger

Tuesday, November 1, 2016

What happened to CETA?

Now that the CETA free trade deal is signed between the EU and Canada, one can investigate without the dramatic overtones what happened.
First, the European Commission promised - in a reaction to protests, some of which also saw CETA as a trojan horse to the TTIP - that CETA will be submitted to national parliaments for approval. Voices were heard already before that one way of giving legitimacy to the European political process could be to submit European decisions - mainly legislation - to national parliaments. It has to be known that the Lisbon treaty already foresees a right of protestation for national parliaments (see for example: https://www.researchgate.net/publication/271649945_After_Lisbon_National_Parliaments_in_the_European_Union or

Draft legislative acts sent to the European Parliament and to the Council shall be forwarded to national Parliaments (each parliament has two votes, if they are bicameral, each chamber holds one vote and it is up to the national Parliaments to consult the regional Parliaments - this is a duty by Belgian law). They may send a reasoned opinion the Presidents of the European Parliament, the Council and the Commission why they consider that the draft in question does not comply with the principle of subsidiarity Where these opinions represent at least one third (in the area of the area of freedom, security and justice, one quarter) of all national Parliaments the draft must be reviewed. If half of the national parliaments  protests, the Commission has to justify why it does not change the proposal. These opinions will be submitted to the European Parliament and the Council.
(Article 12 and Protocols 1 and 2 to the Treaty on the European Union.)

The EU has an exclusive right to sign trade agreements with third countries. If, however, an agreement is covering topics other than trade, this prerogative can be questioned. An analysis can be found here: A guide to EU procedures for the conclusion of intl. trade agreements.pdf
Thus, the Commission decided that the CETA will be submitted to national Parliaments for approval (it contains among others a mechanism for settling investment disputes. This system was subject to heated debates (although independent investment dispute resolution mechanisms already exist, like the MIGA associated to the World Bank. Left-wing groups, however,  were weary of the perspective that their state could be sued in front of a private court. The mechanism (both in CETA and in the future TTIP) has been improved but this was not enough for the protesters.

And so came that one regional Parliament of Belgium, that of socialist Wallonia, rejected the CETA. One small region (in a country having maybe the most complex political system in Europe, where the Flemish part would greatly profit from free trade while the French-speaking Wallon part's economy is ailing) almost torpedoed the deal of whole Europe - this caused a brouhaha abroad and frustrated the Canadian trade minister Chrystia Freeland (she was even said to be choking back tears - http://www.bbc.com/news/world-europe-37735409).

The background is more in Belgium's internal politics: "The reason why the Walloon Region is trying to block or at least delay the CETA is political only. The Belgian federal government is run by the right wing whereas the Walloon Region is dominated by the socialists. The problem for the Walloon socialists is that there are losing ground to the extreme left. Hence, it is critical for them to show that they are fighting the CETA whose benefits would only to large multinational corporations. All this fuss about the CETA has thus to be seen in the context of Belgian politics. Belgium has an extremely open economy and exports much more than it imports. We are net beneficiaries of free trade." says Damien Geradine, Founding Partner of EDGE | Legal Thinking, a Brussels-based boutique law firm specialized in EU competition law and intellectual property law and Professor of Competition Law & Economics at Tilburg University (the Netherlands) and at George Mason University School of Law (Washington, DC).

Anybody who followed the ups and downs while Belgium tried to form a government after recent elections (not just one but the last two anyway), can understand this.

The Commission finally succeeded to convince the Wallons to approve the deal. This is not the first time that  a vote first hindering EU actions is repeated  - it happened to Denmark on the Maastricht Treaty, Ireland on the Nice Treaty and Ireland again on the Lisbon Treaty. The Dutch and French no to the Constitutional treaty of the EU was accepted, but the project restarted and resulted in the (somewhat weaker and legally more complex but less strong) Lisbon treaty. It was, however, not just repeating the votes, the situation or the arguments have also changed, as explained in http://blogs.lse.ac.uk/europpblog/2015/10/19/asking-the-public-twice-why-do-voters-change-their-minds-in-second-referendums-on-eu-treaties/
There are two questions lingering: Will the Brexit vote also be repeated? What will happen to the TTIP? The latter question may be irrelevant, given that the TTIP faces much more resistance and that enthusiasm for it may fade in the U.S., too, if not already faded - and neither of the two presidential candidates is eager on it. No question that with Trump, we may bury it entirely but Clinton also treads carefully on it. 

Saturday, August 27, 2016

What changed in the new General Data Protection Regulation since the first position of the Council?

The new General Data Protection Regulation had a long history. It was maybe the regulation which attracted the biggest number of amendments in the Parliament and was one of those which were subject of the longest and most complicated negotiations. The EU regulations under the ordinary legislative procedure have to be approved by both the Parliament and the Council. There are several rounds until an agreement is found or a regulation is finally failing to be approved.
The negotiations centred around some new elements of the regulation, like the „one stop shop”, the possibility of a person and a company to have to deal only with one data protection authority (and the two, namely the one stop shop for a company and a person whose data that company uses, may be contradictory in an international setting), the extent of penalties, the liberty of member states to regulate further and the liberty of public services compared to economic actors in using personal data. The new concepts, „the right to be forgotten”, the concepts of „privacy by design” and „privacy by default” and mainly the „data portability” were also subject to long discussion concerning their definition, scope and practical applicability. The mechanical duty of notification to the data protection authority (which was actually required to a different extent in different countries) has given way in a lot of cases to a preliminary impact assessment.
I try to highlight here some of these aspects, comparing what the Council wanted (it published its position with a concrete text of the regulation the 24th February 2014) with the final text.
The final regulation contains 173 recitals which fix the main principles and considerations (and serve as a guidance concerning the „intention of the legislator” if interpretation of the text is needed).
First let’s examine the freedom of manoeuvre given to the member states:
In the Council position, the member states wanted to have the power to legislate ignoring some requirements if data are processed by public authorities. The new regulation frames this liberty: „Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.” Member state law can set out the circumstances for specific situations, „determining more precisely the conditions under which the processing of personal data is lawful”. This right extends also to processing of special categories of personal data (‘sensitive data’), i.e. data related to health, sexual orientation, religion, political views, membership in trade unions and similar data.
The regulation is not applicable for „activities which fall outside the scope of Union law, such as activities concerning national security” and also „when carrying out activities in relation to the common foreign and security policy of the Union”.
The most important exception is the „processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act... namely Directive (EU) 2016/680 of the European Parliament and of the Council”. If these authorities process data in the framework of other activities, the regulation is however applicable. An exemption for fraud prevention and detection, including tax evasion is also included in the regulation.
Limits to data portability were set in the new regulation: it „should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.”
A point in favour of economic actors – and deviating from the spirit of the old directive – was that direct marketing could be considered as legitimate interest. The new regulation formulated some limiting conditions to that: „the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”
The impact assessment requirement was also sensitively limited to circumstances „where processing operations are likely to result in a high risk to the rights and freedoms of natural persons”. The result of this assessment will then determine whether consultation of the data protection authority is necessary (which was obligatory under the old regime for all processing operations involving „sensitive data”.
Special simplified requirements are applicable to small companies, and special codes of conduct can be issued by member states for these enterprises. In this the Council succeeded to make its position accepted.
Following the Schrems case, where the adequacy decision of the Commission about the Safe harbour agreement – which declared that persons have equivalent protection to that ensured by European legislation if their data are processed in the U.S. – was invalidated, the new regulation sets more precise conditions when the Commission can take such a decision.
The „one stop shop” , i.e. the possibility of persons to turn to one competent authority – preferably the one in their country - to deal with their complaints was also given precise conditions and the process described. There will be a “lead authority”, competent for the organisation processing the data, and other „concerned authorities” (among them the one with whom the complaint was lodged). Cooperation obligations are described. What is left from the power of the authority with whom the complaint was lodged is that „where the decision is to reject the complaint by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged.”
The Commission will participate in the new Data Protection Board's activities (which, as opposed to the solely consultative nature of its predecessor, the so-called „Article 29 working party” of national data protection authorities, can take binding decision (but these decisions are not binding on the European Data Protection Supervisor, who is the Data Protection Authority for EU institutions – this may change with the forthcoming regulation about processing of personal data in EU institutions which is now under preparation and should enter into force at the same time, i.e. May 2018, when the new GDPR enters into force) without voting rights and the European Data Protection Supervisor should have specific voting rights.
The amount of penalties and fines was fixed as a maximum of 4% (the Parliament proposed 5%) of turnover of the company infringing the rules but for certain offences only to 2%.
Specific rules for associations, in particular religious associations are also fixed.
There are of course a number of other changes compared to the system in force now, but here I only wanted to deal with some topics which were subject to discussion between the Commission (who prepared the original proposal), the Parliament (more prone to the interest of harmonisation and the fundamental rights of citizens – the rapporteur came from the Green faction) and the Council, representing more the interest of public administrations and enterprises.

Wednesday, July 27, 2016

The Schrems-Facebook saga continues

The Irish High Court turns to the European Court of Justice with a reference to preliminary ruling in the second case of the Austrian law student Maximilian Schrems against Facebook.
In the first, the European Curt of Justice invalidated in its judgment the "Safe Harbour" agreement between the U.S. and the EU. (Other "adequacy decisions" declaring that countries comply with European data protection principles, can be found here.)
This system enabled U.S. companies to self-certify and register at the U.S. Department of Commerce that they comply with EU data protection rules.
Based on the Snowden revelations, the European Court of Justice found that the "indiscriminate and mass surveillance" of the U.S. government agencies and the lack of legal redress for EU citizens (which redress was ensured for U.S. citizens) against illegitimate use of data by them is not compatible with EU data protection principles and therefore the Commission decision that companies participating in this arrangement don't have the right to use EU citizens' personal data based on this was invalidated.
An alternative was that the U.S. companies commit themselves through "standard contractual clauses" defined by the European Commission to ensure the same protection as if they were obliged by European Law. This is now also attacked before the Irish High Court, who decided to refer a question to the European Court of Justice. This was announced early June but the question is not available yet on the Court website.
Meanwhile the Irish High Court also endorsed some requests to testify in front of it as "Amicus Curiae". The U.S. also received this right. The representative of the U.S. will testify under oath and is not bound by U.S. secrecy laws.
The 8th June actually the European member states endorsed the "Privacy shield", the system intended to replace the "Safe Harbour". The U.S. ensured the adequate legal redress also for European citizens and thus - apart from the question of how indiscriminate and mass character the U.S. surveillance has - the main problem was declared solved.
The arrangement had no smooth ride neither in the U.S., where the republicans introduced last minute amendments to the bill, weakening its guarantees, nor in the EU, where the so-called "Article 29 working party", the community of national Data Protection Authority chiefs (which will become the European Data Protection Board, a much more powerful and institutionalised group after the entering into force in May 2018 of the new General Data Protection Regulation - a post about that will follow) and the European Data Protection Supervisor requested changes to the already agreed text and of course this was very difficult to make the U.S. swallow. Certainly, this "Privacy shield" will also be tested in courts. However, the changes in U.S. law will also influence the decision on the standard contract clauses, as their government environment has changed.
One interesting aspect of the U.S. rules on personal data access of the government is that they are valid in principle to subsidiaries of U.S. companies, even to companies outside the U.S. who have a subsidiary or important operations in the U.S.  This was, however weakened when Microsoft won a case in Ireland, and thus does not have to disclose data to U.S. authorities.
The opinion of the EDPS on the "Privacy shield" can be found here.

Tuesday, January 26, 2016

Why does the EU finance the Orban regime?

I hear this question more and more often. The Hungarian government plans to use all EU funds available for the 2014-2020 programming cycle till 2019 (mainly before the 2018 parliamentary elections and the 2019 municipal elections. This may mean 6 billion euros every year or even more
These amounts help to keep the system running. They amount to about 4% of GDP at the moment, may be as much as 6% according to the ambition plans, thus they are the source of the 2-3% growth (and may increase it to 4-5% per year in the future) with which the goverment boosts.
Apart from the legal problems which hinder the decrease or withdrawal of these funds, the workings and the logic of the EU does not enable to withdraw them.
I do not agree, by the way, that these funds should be withdrawn. These are used for good purposes, beyond some publicity actions like fancy pavements on the main squares of villages, fountains and other, well publicised useless projects. They make it possible to revamp the university clinics in Budapest, a lot of seqage and other utilities reconstruction in the slums and in rural cities, technology and building improvements for schools, transport reconstruction and renewal (all these are concrete projects taking place). And without the EU, the "small circles of liberty" we still have, would not excist or be much more limited. The Orbán (FIDESZ) government retreated on the media law, on forced premature retirement of judges, publicity taxes killing the biggest independent TV-station and much more.
It is still worth understanding, how the EU works. It is not a superstate (it is supranational, true, but neither a state, nor super), it is rather a co-operation framework. The Commission is more a regulatory agency then a government, inparticular not in the sense of the executive branch of most European parliamentary democracies (where the party or coalition giving the executive is also in majority in the Parliament and thus, as the goverment implements the party programme in theory, it is able to gain every vote in the parliament.
I do not think the basics need explanation here: the European Parliament has no governing party or coalition, all decisions require approval from the Council, which consists of the heads of state or government (the head of the executive according to the legal system of each country) of the member states, Commission implementing decisions (very limited and only possible when the directive or regulation voted by the Parliament and the Council foresees it) are reached through consultation with committees of experts of the member states and are subject to validation by the legislative (although ex post).
In my view the EU has three, relatively distinct coordination domains (not identical to the pre-Lisbon three pillars, though not unrelated):
First the common market - this requires a lot of harmonisation concerning product standards, like quality and security requirements. I would classify the land-based and porduction agricultural support and agricultural market regulation measures here. Trade and competition issues also belong here.
Secondly political co-operation which is first of all a way to increase the weight of Europe in the world compared to tis individual member states. Of course for this we have to talk with one voice- therefore a harmonisation of opinions is necessary, sometimes some countries have to accept that their opinions are not represented - of course this only works if there are common goals. This is the practical reason why this only works when there are shared values (of course all political co-operation requires common values an the values of Europe are noble and on the long term they ensure a lot of benefits, but let's stay on a practical ground.
Thirdly, the interest of good co-operation and the common values also lead to the recognition that too big deviations in the level of development are unfavourable and thus it is in the interest of the richer countries to help the poorer ones to develop, to approach them in living standards, technical and social level. The structural funds are the means for that. Let us not go into the debate how much of thesse funds are used in the donor countries as goods and services are provided in exchange and similarly an argument could be brought up that the awarding and managing authorities both also have an interest to favour local suppliers. Formally speaking there is no possibility to promote neither donor country nor local suppliers, but if one of these is possible, the other is also.
This interest of leveling is independent whether a country "behaves well" in the political arena. Legally it is clearly separated, but it is also not practical - a higher level of economic development and integration can also foster sharing of values but not the other way: cutting funds leads to resentment and even lower sharing of values.
We do not like the practice of the government in Hungary that economic support depends on whether someone agrees with the politics of the government - why do we expect that from the EU? We have to solve our problems ourselves, not rely on blackmail by outsiders to do it for us.

Sunday, January 10, 2016

Both the Council of the EU and the LIBE Committee of the European Parliament accepted the compromise text of the new General Data Protection Regulation which will be formally voted on plenary and then in the Council early 2016 to come into force in 2018.
The compromise text is available here.

Some important issues (based on the first analyses http://www.ashfords.co.uk/the-new-eu-general-data-protection-regulation-is-finally-here/; http://www.natlawreview.com/article/general-eu-data-protection-regulation-bullet-points)

The most publicised change is maybe the formal inclusion of the "right to be forgotten" : that even when processing (mainly in the case of publishing) date was legitimate originally, with time the interest of privacy of the data subject may override the interest of processing (the public to know, for example).
All companies processing data of residents of the EU are subject to the regulation, whether seated in the EU or not.
Some points enhance the responsibility of the controllers (who determine the prupose and means of the data processing and are primarily responsible for it and usually most interested also) and processors (who act on instructions of the controller). The latter are explicitly responsible for their actions and can directly (without instruction of the controller) be instructed by the courts or by the data protection authorities.
Nomination of a data protection officer, stricter rules for consent of the data subjects to processing their data, the risks to the data subjects must be assessed before processing their data - with reasonable limits of proportionality. This risk analysis gives companies the possibility on the other hand to define themselves what security measures are adequate.
The research community noticed with relief that those points which they thought would hinder scientific (mainly medical) research were softened. However, there are restrictions: pseudonymised data remain personal data, for example with the resulting responsibility and rules to be complied with.
The much heralded "one stop shop" - making it easier for the data subjects to complain in case of cross-boarder processing of their data - gave some way to convenience of the authorities but basically stayed in the text.
A compromise was found between the Parliament (who wanted 5% of turnover) and the Council (who wanted 2) about maximum fines: it will be 4%.
Privacy by design is another new concept enshrined in the new regulation.
Transfer of data, possibility to base processing personal data on legitimate interest of the controller and data portability (the possibility of the data subject to request transmitting his/her data to another controller, for example in the case of changing a service provider) is also better defined.