by Gabriela Zanfir Fortuna
There are currently two ongoing challenges of the Privacy Shield before the CJEU (one submitted by Digital Rights Ireland and one by a coalition of French NGOs). Before deciding on the merits of these cases, there is a risk that the Court may not consider them admissible based on legal standing rules. The Court is very strict when applying the rules under Article 263(4) TFEU, most of the actions for annulment initiated by natural or legal persons being declared inadmissible due to lack of legal standing.
European Commission’s adequacy decision for transfers of personal data between the EU and the US under the Privacy Shield framework was challenged directly before the Court of Justice of the EU – the Grand Chamber to be more precise, under the procedure for “actions for annulment” enshrined in Article 263 TFEU.
An “action for annulment” under Article 263 TFEU allows the CJEU to “review the legality of legislative acts, of acts of the Council, of the Commission and of the European Central Bank, other than recommendations and opinions, and of acts of the European Parliament and of the European Council intended to produce legal effects vis-à-vis third parties”.
Such actions can be brought by three categories of applicants.
The privileged applicants – any “Member State, the European Parliament, the Council or the Commission on grounds of lack of competence, infringement of an essential procedural requirement, infringement of the Treaties or of any rule of law relating to their application, or misuse of powers”, according to the second paragraph of Article 263.
A second category of challengers is defined in the third paragraph of Article 263: the Court of Auditors, the European Central Bank and the Committee of the Regions. They can bring actions for annulment before the Court only “for the purpose of protecting their prerogatives”.
Finally, a third category of challengers comprises “any natural or legal person”, according to the fourth paragraph of Article 263 TFEU. But for private parties to actually have legal standing for such actions, the conditions to be met are quite strict (this is why they are also known as “non-privileged applicants”). In fact, there are only three instances where such an action is declared admissible:
- if the act is addressed to that person or
- if the act is of direct and individual concern to them or
- if the act is “a regulatory act which is of direct concern to them and does not entail implementing measures”.
The third possibility was introduced by the Treaty of Lisbon, in 2009, and was meant to address the critique that individuals did not have a real possibility to challenge EU acts, due to the very strict application of the “direct and individual concern” test by the Court.
As it was explained by scholars, “particularly the requirement that the act be of individual concern proves in practice to be a hurdle that is virtually insurmountable” (1). According to the much criticised Plaumann test, the Court established that “persons other than those to whom a decision is addressed may only claim to be individually concerned if that decision affects them by reason of certain attributes which are peculiar to them or by reason of circumstances in which they are differentiated from all other persons and by virtue of these factors distinguishes them individually just as in the case of the person addressed” (Case 25/62 Plaumann v. Commission, 15 July 1963).
To understand how the Court applies the Plaumann test, a very good example is the Toepfer case (Case 106-107/63).
“The Court will however grant standing to those who can show that the category of applicant into which they fall is closed, that is, incapable of taking any new members; an example is Toepfer, where a certain decision of the German government to delay the granting of a licence to import grain only affected those who had applied for the licence on 1st October 1963. As this was a completed past event, the category of grain importers applying on that day (which of course included the applicant) was closed to any new members. Mr Toepfer was thus individually concerned.” – R. Lang, “Quite a challenge: Article 263(4) TFEU and the case of the mystery measures”, p. 4-5.
The Plaumann test survived decades of challenges, including a decision of the Court of First Instance (Case T-177/01 Jégo-Quéré, see particularly paragraph 51) that tried to reform it but that was quashed in appeal by the Court of Justice. The Court of First Instance argued that denying legal standing to the applicants in this case meant they would have no right to an effective remedy, due to their particular circumstance. The Court of Justice, in appeal, did not give merit to this argument.
Some nuances have been added to the Plaumann test for different areas of law, but the essence remained the same. For instance, the Court detailed additional conditions for private parties that could be individually concerned by provisions of regulations imposing anti-dumping duties (see Cases T-112/14 to T-116/14, T-119/14 Molinos Rio de la Palata from 15 September 2016, paras 43 to 45). These conditions, however, apply subsequently to the Plaumann test (see para 40 from the Molinos Rio de la Plata cases).
Therefore, it will be extremely difficult, if not impossible, for the NGOs that initiated the actions for annulment of the Commission’s adequacy decision to meet the Plaumann test. If they will manage to do it, this will come with a change of settled case-law.
However, there is another line of argumentation that the NGOs could use and that would have more chances of success. They could use the third limb of Article 263(4), the one introduced in 2009 by the Treaty of Lisbon that allows challenges by private parties of regulatory acts which are of direct concern to them and which do not entail implementing measures.
This way, the applicants will not have to prove they are individually concerned by the act, so the Plaumann test will not be applicable. However, they will enter a new, almost uncharted field: regulatory acts which do not entail implementing measures.
They will have to prove that:
- the adequacy decision is a regulatory act;
- the adequacy decision is of direct concern to them;
- the adequacy decision does not entail any implementing measures.
- Is the adequacy decision a regulatory act?
According to case-law following the entry into force of the Lisbon Treaty and the changes that were brought to Article 263(4), “the meaning of ‘regulatory act’ for the purposes of the fourth paragraph of Article 263 TFEU must be understood as covering all acts of general application apart from legislative acts” (Case T‑18/10 Inuit Tapiriit Kanatami and Others v Parliament and Council, 6 September 2011, para 56; Case T-262/10 Microban 25 October 2011, para 21).
In Microban, the Court found that the Commission Decision at issue was adopted “in the exercise of implementing powers and not in the exercise of legislative powers” (para 22), which confirmed its nature of a “regulatory act”. Further, the Court also took into account that “the contested decision is of general application in that it applies to objectively determined situations and it produces legal effects with respect to categories of persons envisaged in general and in the abstract” (para 23).
As the adequacy decision was adopted by the Commission in the exercise of implementing powers (following Directive 95/46), and as it is of general application, producing legal effects to categories of persons envisaged in general and in the abstract, it will most probably be classified as a “regulatory act” for the purposes of Article 263(4) TFEU.
However, there are two more conditions to be met cumulatively before the actions are declared admissible.
2. Are the applicants directly concerned by the act?
The Court uses several criteria to establish there is a “direct concern”.
The classic test the Court usually uses is the following: “firstly, the contested Community measure must directly affect the legal situation of the individual and, secondly, it must leave no discretion to its addressees, who are entrusted with the task of implementing it, such implementation being purely automatic and resulting from Community rules without the application of other intermediate rules” (Case C‑386/96 P Dreyfus v Commission, para 43, Joined Cases C‑445/07 P and C‑455/07 P Commission v Ente per le Ville vesuviane and Ente per le Ville vesuviane v Commission, para 45; Microban, para 27).
For instance, in Microban this test was met because the contested decision prohibited the marketing of materials containing triclosan. The applicants bought triclosan and used it to manufacture a product, which was further sold on for use in the manufacture of plastic materials. Therefore, the Court considered “the contested decision directly affects their legal position” (para 28).
On another hand, in a very recent case, the Court found that “no provision of the contested act is directly applicable to the applicants, in the sense that it would confer rights or impose obligations on them. Consequently, the contested act does not affect their legal position, and therefore the condition of direct concern, as referred to in the second and third situation referred to in the fourth paragraph of Article 263 TFEU, is not met” (Case T-600/15 Pesticide Action Network Europe, 28 September 2016, para 62).
This case concerned an action brought by an environmental NGO and different associations of beekepeers that challenged an Implementing Regulation approving the use of a substance called sulfoxaflor as pesticide. The Court dismissed all the arguments brought forward by the applicants to prove they were directly concerned by this act: starting with a claim that it touched the right of property and the right to conduct business of the beekeepers – due to the harmful effect of sulfoxaflor on bees, to the claim that the applicants participated in the decision making process for the Implementing Regulation, to the claim that refusing their legal standing breached their right to environmental protection under Article 37 of the Charter and their right to effective judicial remedy under Article 47 of the Charter (see paras 46 to 50).
Thus, it will not be easy to argue that the adequacy decision is of direct concern to the applicants. For instance, it could be argued that the decision primarily impacts the legal situation of controllers (and not that of data subjects) who are allowed to transfer personal data pursuant to this decision.
However, it will neither be impossible to argue the direct concern of data subjects, represented by the applicant NGOs. A first argument, perhaps of a general nature, would be that the purpose of the Decision is to establish that companies adhering to the Privacy Shield ensure an adequate level of protection of personal data with the level of protection afforded in the EU, having the consequence that transfers of personal data to those companies will automatically take place, without any further safeguard and without any additional scrutiny or authorisation. Therefore, it affects the legal situation of individuals in the EU whose data are transferred, as they will not be able to oppose the transfer before it takes place.
An objective argument could be the recognition of the rights of the data subject in Annex II of the Decision (the Privacy Shield Principles) – admitting therefore that the Decision, through its Annex, grants rights to individuals represented by the applicants.
Another argument could also be the finding of the Court in Schrems that legislation allowing mass-surveillance and access to content of communications touches the essence of the fundamental right to private life as enshrined in Article 7 of the Charter (see Schrems C-362/14, paras 93 and 94). Therefore, a regulatory act that has as direct consequence transfers of personal data to a legal system that allows such a fundamental breach of Article 7 of the Charter as directly affecting the legal situation of data subjects represented by the applicant NGOs. But for the Court to take this argument into account would mean to acknowledge the existence of mass-surveillance and access to content of communications in the US, at the time when the decision was adopted.
3. Does the adequacy decision entail implementing measures?
This will be the most difficult criterion to be met. The case-law of the Court regarding what can constitute implementing measures is very strict (from the point of view of granting legal standing), in the sense that the Court applies the concept of “implementing measures” for the purposes of Article 263(4) TFEU lato sensu.
For instance, in a landmark judgment in this area, T & L Sugars (case C-456/13, 28 April 2015), concerning an implementing regulation, “the measures at the Member States’ level consisted of receiving applications from economic operators, checking their admissibility, submitting them to the Commission and then issuing licences on the basis of the allocation coefficients fixed by the Commission” (as summarised here). So, even if AG Cruz Villalón “concluded that such non-substantive, or ‘ancillary’, measures […] by the national authorities […] in the exercise of a circumscribed power” or a “purely administrative activity” are not implementing measures (Opinion in Case C-456/13 P, T & L Sugars, para. 31 and 34)” (2), the Court found that “the decisions of the national authorities granting such certificates, which apply the coefficients fixed by Implementing Regulation No 393/2011 to the operators concerned, and the decisions refusing such certificates in full or in part therefore constitute implementing measures” (para 40).
Article 5 of the Privacy Shield adequacy decision states that “Member States shall take all the measures necessary to comply with this Decision”. Therefore, it allows further administrative measures by the Member States. But what are those measures in practice? Could the Court consider they are ancillary enough so as not to amount to “implementing measures”?
On another hand, it is also clear that before the adequacy decision takes effect, a US company must go through an administrative procedure which could amount to a certification procedure similar to the one in the T&L Sugars case. But in this case, will it matter that the alleged “implementing measures” must be taken by a third country and not by a Member State?
In conclusion, the problem of legal standing of the applicants in the two cases challenging the Privacy Shield decision is not at all an easy one. The odds (based on existing case-law) seem to be leaning more towards an inadmissibility of the actions for annulment. But this is why a “legal precedent” system is exciting: the Court can always nuance and, if necessary, change its case-law depending on the particular elements of each case.
However, if these actions will be declared inadmissible, it does not mean that the NGOs concerned will not be able to challenge the Privacy Shield decision in national courts, bringing the case to the CJEU afterwards via the preliminary ruling procedure based on Article 267 TFEU. In fact, even an inadmissible decision will help their subsequent actions at national level, considering that their request to submit preliminary ruling questions to the CJEU will not be able to be dismissed by the national courts due to the fact that they did not challenge the decision directly following Article 263 TFEU (considering the possibility they could have had legal standing).
Whatever the outcome of these two challenges, the decision of the Court will be very important for the “legal standing of natural and legal persons” doctrine in general, on one hand, and for the application of Article 263(4) TFEU to the different acts of the future European Data Protection Board (see Recital 143 of the GDPR), on the other hand.
(1) Jan H. Jans, On Inuit and Judicial Protection in a Shared Legal Order, European Environmental Law Review, August 2012, p. 189.
(2) Jasper Krommendijk, The seal product cases: the ECJ’s silence on admissibility in Inuit Tapiriit Kanatami II, available here.
Find what you’re reading useful? Consider supporting pdpecho.
Even if post Brexit-UK adopts the GDPR, it will be left without its “heart”
Gabriela Zanfir Fortuna
There has been lately a wave of optimism of those looking for legal certainty that the GDPR will be adopted by the UK even after the country leaves the European Union. This wave was prompted by a declaration of the British Secretary of State, Karen Bradley, at the end of October, when she stated before a Committee of the Parliament that “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public“. The information commissioner of the UK, Elisabeth Denham, welcomed the news. On another hand, as Amberhawk explained in detail, this will not mean that the UK will automatically be considered as ensuring an adequate level of protection.
The truth is that as long as the UK is still a Member of the EU, it can’t opt in or opt out, for that matter, from regulations (other than the ones subject to the exemptions negotiated by the UK when it entered the Union – but this is not the case for the GDPR). They are “binding in their entirety” and “directly applicable”, according to Article 288 of the Treaty on the Functioning of the EU. So, yes, quite normally, if the UK is still a Member State of the EU on 25 May 2018, then the GDPR will start applying in the UK just as it will be applying in Estonia or France.
The fate of the GDPR after Brexit becomes effective will be as uncertain as the fate of all other EU legislative acts transposed in the UK or directly applicable in the UK. But let’s imagine the GDPR will remain national law after Brexit, in a form or another. If this happens, it is likely that it will take a life of its own, departing from harmonised application throughout the EU. First and foremost, the GDPR in the UK will not be applied in the light of the Charter of Fundamental Rights of the EU and especially its Article 8 – the right to the protection of personal data. The Charter played an extraordinary role in the strengthening of data protection in the EU after it became binding, in 2009, being invoked by the Court of Justice of the EU in its landmark judgments – Google v Spain, Digital Rights Ireland and Schrems.
The Court held as far back as 2003 that “the provisions of Directive 95/46, in so far as they govern the processing of personal data liable to infringe fundamental freedoms, in particular the right to privacy, must necessarily be interpreted in the light of fundamental rights” (Österreichischer Rundfunk, para 68). This principle was repeated in most of the following cases interpreting Directive 95/46 and other relevant secondary law for this field, perhaps with the most notable results in Digital Rights Ireland and Schrems.
See, for instance:
Applying data protection law outside the spectrum of fundamental rights will most likely not ensure sufficient protection to the person. While the UK will still remain under the legal effect of the European Convention of Human Rights and its Article 8 – respect for private life – this by far does not equate to the specific protection ensured to personal data by Article 8 of the Charter as interpreted and applied by the CJEU.
Not only the Charter will not be binding for the UK post-Brexit, but the Court of Justice of the EU will not have jurisdiction anymore on the UK territory (unless some sort of spectacular agreement is negotiated for Brexit). Moreover, EU law will not enjoy supremacy over national law, as there is the case right now. This means that the British data protection law will be able to depart from the European standard (GDPR) to the extent desirable by the legislature. For instance, there will be nothing staying in the way of the British legislature to adopt permissive exemptions to the rights of the data subject, pursuant to Article 23 GDPR.
So when I mentioned in the title that the GDPR in the post-Brexit UK will in any case be left without its “heart”, I was referring to its application and interpretation in the light of the Charter of the Fundamental Rights of the EU.
Find what you’re reading useful? Please consider supporting pdpecho.
Interested in the GDPR? See the latest posts:
CNIL just published the results of their GDPR public consultation: what’s in store for DPOs and data portability? (Part I)
CNIL’s public consultation on the GDPR: what’s in store for Data Protection Impact Assessments and certification mechanisms? (Part II)
The GDPR already started to appear in CJEU’s soft case-law (AG Opinion in Manni)
Leave a comment
Posted in Comments, Europe, GDPR, News
Tagged Amberhawk, Article 288 TFEU, Article 8 Charter, Brexit, CJEU, data protection, Digital Rights Ireland, direct applicability, Elisabeth Denham, EU Charter, GDPR, GDPR and Brexit, Google v Spain, privacy, schrems