Monday, 20 December 2021

On Facial Recognition Technology in Schools, Power Imbalance and Consent: European Data Protection Authorities Should Reexamine their Approach

 


 

 

Dr Asress Adimi Gikay, Lecturer in AI, Disruptive Innovation, and Law at Brunel Law School, Brunel University London with his research in Artificial Intelligence, Law, and Policy. Also teaches Artificial Intelligence and the Law, and Law, Policy and Governance of Artificial Intelligence (https://www.brunel.ac.uk/people/asress-gikay). Twitter: https://twitter.com/DrAsressGikay

 

Facial Recognition Technology in Schools

In today's world, our privacy and personal data are controlled by Big Tech companies such as Facebook, Google, Twitter, Apple, Instagram and many others. They  know  almost everything about us— our location, addresses, phone numbers, private email conversations and messages, food preferences, financial conditions and many other intimate details that we would otherwise not divulge even to our close friends. Children are not immune from this overarching surveillance power of Big Tech companies.  In the UK, children as young as 13 years old can give their consent to processing of their personal data including using some kind of Facial Recognition Technology (FRT) by these Big Tech companies that provide online services. Many of these companies likely know our children's preferences for movies, music, food and other details more than we do. But society has no meaningful way to influence these companies whose God-like presence in our lives epitomizes the dystopia of technology-driven world.  Surveillance is the rule than the exception and we have little tools to protect ourselves from pervasive privacy intrusion.    

But the advent of FRT in schools in Europe has alarmed citizens, advocacy groups, Data Protection Authorities (DPAs) far more than the pervasive presence of Big Tech companies in our lives. It has prompted a strong response from DPAs who have consistently blocked the deployment of the technology in schools on the grounds of privacy intrusion and the breach of the GDPR.

Facial recognition is a process by which a person can be identified or recognized by Artificial Intelligence (AI) software using their facial image or video.  The software compares the individual’s digital image or video captured by a camera to an existing biometric image to estimate the degree of similarity between two facial templates to identify a match. There have been multiple instances of use of this technology in schools — for attendance monitoring in Sweden, access control in France and taking payment in canteens in the UK.  According to Swedish Municipal School Board, monitoring attendance using FRT would save 17280 hours  per year at the school concerned. UK Schools wanted to reduce a queue in canteen by taking payment faster and safer.  But DPAs, and in case of France, the Administrative Court of Marseille stepped in to block the technology due, primarily, to privacy related concerns regardless of the appreciable benefits.  

While the school authorities relied on explicit consent of students and/or their legal representatives to use the technology, DPAs rejected that explicit consent is a valid ground for processing personal data using FRT due to the imbalance of power between the school authorities on the one hand and students and their guardians on the other. This raises a question whether public institutions including schools could ever use FRT with the explicit consent of the data subject and if not, whether that is an outcome society should aim for.  

The Concerns about FRTs in Schools and the Fix

Scholars and advocacy groups point out that FRTs poses certain risks, especially in the context of processing children's data ranging from misuse of biometric data by the companies involved in providing or using the technology as well as bad actors such as hackers to the normalization of surveillance culture, directly stemming from individuals giving up their privacy right. More generally, it is argued that FRT is “an unnecessary and disproportionate interference with the students’ right to privacy.” As such, DPAs call for the deployment of less privacy intrusive technology alterative and take strict approach in whether there is a valid legal basis for using the technology including a freely obtained consent.

In its 2019 decision to fine the secondary school board of  Skellefteå Municipality, the Swedish DPA argued that although FRT was employed to monitor student attendance based on explicit consent, consent cannot be a valid legal basis given the clear imbalance of power between the data subject and the controller. In France, the Administrative Court of Marseille in agreeing with the French DPA(CNIL), concluded that the school councils have not provided sufficient guarantees to obtain free and informed consent of students to use FRT to control access, despite the fact that specific written consent has been obtained. In October 2021 as nine schools in North Ayrshire (UK) were preparing to replace their method of taking payment in canteens from fingerprint to facial recognition, the Information Commissioner’s Office(ICO) wrote a letter urging the schools to use  a "less intrusive" tool. The School Councils were forced to pause rolling out the technology.  The content of the ICO’s letter is not public and the ICO has not responded to the author’s Freedom of Information (FOI) Request to access the letter.

But these decisions evidently suggest that the mere presence of a power relationship between data controller and the data subject renders explicit consent as the basis for processing biometric data invalid. The UK schools’ suspension of implementing FRT for the mere fact of receiving a letter from the ICO signals that the presumed power imbalance alone would defeat explicit consent — at the very least, schools are not willing to engage in the process of obtaining consents as that would likely be regarded as insufficient and entail sanctions for the breach of the GDPR.  

While documents obtained from North Ayrshire Council under FOR request do suggest there were flaws in obtaining consent (for instance attempting to obtain consent  directly from a child of 12 years old), the overall effort of the Council seemed reasonable in terms of complying with data protection law. If the Council wishes to obtain valid consent, it should not be effectively prohibited ex ante. But the ICO’s letter clearly had that effect. Subsequently, on November 4, 2021, the House Lords held a debate sponsored by Lord Clement-Jones who expressed his opposition to the use of FRT in schools stating that “we should not use children as guinea pigs.” There is overwhelming evidence of the pressure to categorically ban the use of FRT in schools and indeed it is now effectively banned in Europe, albeit there is no legislation to that effect.

Imbalance of Power under the GDPR

Despite banning the processing of the so-called special categories of personal data, including biometric data such as facial images as a rule, the GDPR provides exceptions under which such data can be processed. Under one of the exceptions, it allows processing of biometric data to uniquely identify a natural person, if the data subject has given explicit consent to the processing of such personal data for one or more specified purposes. Consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of personal data relating to her.

Where there is a power relationship, it is challenging to prove that consent has been obtained freely – the requirement which DPAs concluded was not met in Sweden and France. In this regard, the GDPR makes it clear that “consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.”

The GDPR allows DPAs and courts to consider an imbalance of power in assessing whether the consent has been obtained freely. But this is not a blanket prohibition of using explicit consent to process personal data by public authorities. This is consistent with the European Data Protection Board’s Guideline which states that “Without prejudice to these general considerations, the use of consent as a lawful basis for data processing by public authorities is not totally excluded under the legal framework of the GDPR.” Regulators and courts can, ex post facto, scrutinize if the explicit consent was obtained freely and in an informed manner but have no power to invalidate validly given consent based on the mere existence of imbalance of power that did not have actual effect. If a Member State of the European Union wishes to exclude consent as a basis for processing special categories of personal data, the GDPR allows such Member State to legislate that the prohibition of the processing of special categories of personal data may not be lifted based on explicit consent under any circumstance. Absent such legislation, the validity of consent in the context of the existence of power relationship can only be examined on case-by-case basis rather than in categorical terms. Thus, schools should be able to demonstrate that the presumed imbalance of power has not played a role in obtaining consent. 

The Current Approach should be Reexamined

The concerns raised by scholars and privacy advocates about the intrusive nature of FRT should be seen in the light of data protection and privacy safeguards provided by the GDPR which has a series of provisions guaranteeing that personal data is not used for a purpose different than originally intended, and that personal data be kept confidentially and securely. Furthermore, data controllers and processor have no right to share personal data with third parties unless consented to by the data subject. In the presence of these and a number of other safeguards, what seems a blanket prohibition of the use FRT in schools on the basis of unreasonable privacy anxiety and an irrebuttable presumption that power imbalance per se leads to a vitiated consent is not sensible.  There are several reasons this approach needs to be reexamined.

First and foremost, it puts small companies and public institutions at a disadvantage with regard to the use of FRT.  Big Tech companies can do almost as they please with our or our children’s personal data. Facebook’s opaque data sharing practice has frequently been exposed, but there is still no meaningful way to control what Facebook does. The same is true other Big Tech companies in the business of monetizing our personal data. Schools and companies providing FRTs should be the least of our concern. It is not difficult to make them abide by the GDPR, whereas Big Tech companies can hide behind complex legal and technical black boxes to get away with grossly illegal use of our personal data. The blanket prohibition of using FRTs by small institutions creates a system that unfairly disadvantages small data controllers.

Furthermore, data innovation would be deterred by over-zealous DPAs and courts who see superficial power imbalance without examining how it plays in reality while the real power imbalance society suffers from vis-à-vis Big Tech companies remain inadequately challenged.   The future depends on innovating with data and the use of FRT would be an essential component of it. To satisfy our excessive anxiety about privacy intrusion, we cannot prevent small companies and institutions from benefiting from AI technologies and data-driven innovation while we let Big Tech companies take control of our lives. Data innovation should be by all, for all, not just for the Big Tech.

Art credit: Peder Severin Krøyer, via Wikimedia Commons

Tuesday, 14 December 2021

Are "sovereign" decisions by Member States really above the law? Can Member States’ decisions on the seats of EU agencies be challenged?

 



 

Ezio Perillo, former judge on the EU General Court and EU civil service tribunal

 

Following the Sharpston-Council orders, declaring the former British Advocate General’s action against the appointment of a new AG inadmissible (cases C-684/20P and C-685/20P, 16 June 2021), even the decisions that the governments of the Member States claim to take by mutual agreement for determining the seats of the European agencies seem to fall outside the EU Court’s judicial review. This is, at least, the opinion expressed by AG Bobek, delivered on 6 October 2021, in joined cases, EMA (European Medicines Agency, relocated to Amsterdam) and ELA (European Labour Authority, located in Bratislava), C-59/18, C-182/18 and C-743/19, and in a parallel opinion in Cases C-106/19 and 232/19. According to the AG, these are "decisions taken by the Member States outside the framework of the Treaties" (paragraph 173).

 

(With reference to the Sharpston orders, see L. Gradoni, Unpersuasive but Wise: how the CJEU (Almost) Made the Right Call in Sharpston, in Verfassung Blog, 24 June 2021. On EMA and ELA cases see, T. Bucht, Sometimes less is more, a critical view on AG Bobek’s Opinion on the seats of the agencies, in European Law Blog, 14 October 2021.)

 

I will say right away, in tweet-mode, that the opposite solution is also true.

 

1.      “Sovereign” national decisions or obligations of European origin?

 

In establishing the Community’s institutions, the Masters of the Treaties decided at that time, for political and practical reasons, to “delegate” to their respective governments the task of determining their seats. Article 341 TFEU still provides, nowadays, that "the seats of institutions of the Union shall be determined by common agreement of the governments of the Member States".

 

These decisions are therefore taken by the national governments in their own name and on behalf of the authors of the Treaties but, substantially, in the exclusive interest of the European Union, since the seats to be determined are those of the institutions belonging to this new legal order.

 

It follows that, in this context, national governments fully act within the EU legal framework and not outside of it, as if they were actors of international law. In so acting, they shall therefore respect the limits attached to this delegation as well as the prerogatives which the Treaties confer in similar matters to the EU institutions.

 

In other words, if they extend, at their discretion, the scope of the delegation received by the Masters of the Treaties, national governments act ultra vires. In this event, the corresponding decisions must be subject to the judicial review of the Court of Justice which has indeed the duty to ensure the observance of the institutional balance between the prerogatives the treaties confer to the national governments and those conferred to the EU institutions.

 

These decisions are therefore "atypical Union law acts".

 

The same applies, by the way, also to the appointments of the members of the EU Court, which the Masters of the Treaties did not certainly intend to leave to the arbitrium (the free will) of their governments.

 

 

For instance, article 253 TFEU currently provides that “every three years there shall be a partial replacement of the Judges and Advocates-General”. Not timing that best suits their respective governments.                                                                                                                                                                                                                                                                                   

 

"The Community is a legal order and not a mere arrangement founded on convenience", stated Robert Lecourt, the eminent president of the EU Court, back in 1976, pointing his finger at certain governments lagging behind. Indeed, "the institutional provisions of the Treaties [those relating, in this case, to the appointment of the EU judges], and the dates when they are to be applied are binding and leave no room for discretion" (See, Curia, Formal Hearings, 1976, p. 27.).

 

2. Determining the seats of the institutions and agencies: two different procedures

 

First of all, there is no specific provision of EU law on the seats of European agencies similar to that of Article 341 TFEU on the seats of the institutions.

 

Instead, the general competence for establishing European agencies, on a sector-by-sector basis, is with the European Parliament and the Council, as EU lawmakers, and, in a specific case, solely with the Council.

 

Article 45 TEU specifically states that the "statute, seat and operational rules” of the European Defence Agency are established by the Council and, therefore, not by the governments of the Member States (see, in this regard, also current Articles 85(1) and 88(2) TFEU on Eurojust and Europol).

 

It follows that, according to the Lisbon Treaty, the basic, general rule on this matter is: "only who has the authority to establish an agency (the European Parliament and/or the Council), has the authority to determine its seat as well".

 

3. The location of the EU agencies and Protocol No. 6 to the Lisbon Treaty

 

Still, according to the Council, Protocol No. 6 to the Lisbon Treaty extended the scope of Article 341 TFEU to include the location of the seats of agencies.

 

However, unlike all the other 36 Protocols annexed to the Treaty (the introductory line of which is "The High Contracting Parties ... have agreed"), Protocol No. 6 begins with the words "The representatives of the Governments of the Member States", i.e.  legal entities which, in principle, are not entitled to adopt Protocols or amend or interpret the Treaties. It is worth noting that in the Treaty for European Constitution, Protocol No. 6 began with the words "the High Contracting Parties". After failure to ratify that Treaty, however, this sentence was replaced, as in the previous Treaties of Amsterdam and Nice, with the correct wording, namely "the representatives of the Governments of the Member States ...".

 

Therefore, regardless of the countless “practices”, which are certainly not customary, followed in recent years by the Council (sometimes, perhaps, even contra legem Unionis), Protocol No. 6 remains a mere implementation act pursuant to Article 341 TFEU and can in no way constitute an appropriate legal source allowing for an extensive interpretation of this article so as to include the location of the agencies. According to article 341 TFUE, the national governments are, indeed, “obliged” to implement the scope of this provision and not “authorised” to extend it. To quote, once again, president Lecourt, “the Community is a legal order and not a mere arrangement founded on convenience".

 

In the case, for instance, of the first regulation establishing the EMA, adopted at the time by the Council with the Parliament merely giving its opinion, Article 74 of that act provided: “This Regulation shall enter into force on the day following that on which the competent authorities have decided on the seat of the Agency”. The entry into force of a Community’s regulation cannot be affected by a decision resting with unidentified authorities not involved in the legislative process in question, such as the national governments. If that were the case, this would constitute a clear breach of the principle of legislative autonomy characterizing the Union's legal system. In any event, the rules governing the adoption of the legislative Union acts are not available to the institutions nor the national governments. The Court should therefore not go along with it, especially when the institutional balance’s observance is at stake.

 

 

4. The notion of “institutional balance” and the broad interpretation of Article 263 TFEU

 

In its Post-Chernobyl judgment dated 22 May 1990, C-70/88, the EU Court, reversing its own initial case-law, stated that the same was required to "ensure preservation of the institutional balance and, consequently, [to ensure, with respect to each institution, the necessary] judicial review", because this entails protection of the prerogatives which the Treaties expressly have conferred on each of them (paragraphs 21-23).

 

Thus, "the absence in the Treaties of any provision giving the Parliament the right to bring an action for annulment may constitute a procedural gap, but it cannot prevail over the fundamental interest in the maintenance and observance of the institutional balance laid down in the Treaties" (paragraph 26).

 

It follows that the list of challengeable acts in that article, just like the list of persons entitled to bring an action, is not comprehensive.

 

However, in Sharpston, EMA and ELA cases, the acts challenged before the Court were not acts by the institutions, as in the Post-Chernobyl case, but decisions taken, upon common accord, by the national governments.

 

Even considering this important difference, I believe that our jurisprudential framework remains unchanged.

 

Observance of the EU institutional balance is in fact an “autonomous”, European legal principle, which “requires that it should be possible to penalize any breach of that rule which may occur" (paragraph 22). Constitutionally speaking, institutional balance means “separation of powers”, i.e. a legal structure governed by constitutional “checks and balances”. So, if it is for the institutions and the national governments to respect the “EU Treaties balances”, it is for the EU Court to ensure, in case of breach of the institutional balance, the due “EU judicial checks”.

 

5. Three examples of national governments' decisions

 

Let’s suppose that the national governments were to appoint, upon common accord, not only some judges of the EU Court or of the EU General Court (see article 253 and 254 TFUE) but also, during the same intergovernmental meeting, certain judges of a specialised court, such as, for example, the European Civil Service Tribunal (before its abolishment a few years ago).

 

The difference is obviously not a formal one. According to article 257 TFUE, the appointment of the judges of a specialised court is a decision of the Council which, as such, is an act potentially subject to an action for annulment pursuant to Article 263 TFEU. On the contrary, any “all-in-one” appointment decision by the national governments, concerning all the three categories of EU Court members, would not, at least on paper (or according to the nomen auctoris criterion), be included among the acts specifically provided for by that article.

 

The EMA and ELA cases are not much different from this hypothesis.

           

In these cases, the national governments have in fact decided to transfer (in EMA) and set up (in ELA) the seat of two EU agencies despite the fact that (i) Article 341 TFEU verbatim limits such power to the determination of the seat of the EU “institutions”, and (ii) Protocol n. 6 does not allow the extension in the scope of the delegation under such Article.

 

In these three cases and in light of the Post-Chernobyl judgment, the institutional balance has clearly not been observed.

 

Therefore, the national governments, acting in compliance with the obligations referred to in Articles 253 and 341 TFEU, i.e. in “the fields covered by Union law” (Article 19 TEU), are fully subject to the EU Court judicial review process. And, in this context, it belongs only to the EU Court to ensure the crucial “effective judicial protection” (Article 19 TEU) against breach of the institutional balance at stake. Otherwise, such decisions would be deprived of any kind of judicial review, since no other Court, whether national or international, such as the European Court of Human Rights, could legitimately hold jurisdiction over the legality of EU collective national governments acts.

 

 

6. Conclusions

 

Observance of the institutional balance is a general rule designed to ensure the proper functioning of the entire system for the distribution of competences created within the Union's legal system. Accordingly, “any breach of that rule” shall be subject to a sanction by the EU Court for the purpose of ensuring an “effective legal protection”, notwithstanding any procedural shortcomings of Article 263 TFEU.

 

Ultimately, the combination of these two factors – i.e. observance of the institutional balance and effective judicial protection – also strengthens the legality of the intergovernmental decisions taken by the national governments according to articles 253 or 341 TFUE. Indeed, in Union law these decisions cannot constitute “les faits des princes”. On the contrary, they are acts taken in the exclusive interest of the Union and which shall therefore be adopted in compliance with rule-of-law and democracy values around which the entire legal structure of the Union revolves.

 

Reblogged from the Free Group blog and Verfassungsblog

Photo credit: Massimo Catarinella on wikicommons

Is the Passenger Name Record Directive Valid? Opinion on the pending CJEU case

 



Douwe Korff, comparative and international lawyer specialising in human rights and data protection


In Case-817/19, Belgium’s Constitutional Court has asked the EU Court of Justice whether the PNR Directive (2016/681) is compatible with the Charter of Fundamental Rights. An Advocate-General’s opinion in this case is expected in the New Year.

In my opinion, the appropriate tests to be applied to mass surveillance measures such as are carried out under the PNR Directive (and were carried out under the Data Retention Directive, and are still carried out under the national data retention laws of the EU Member States that continue to apply in spite of the CJEU case-law) are:

Have the entities that apply the mass surveillance measure – i.e., in the case of the PNR Directive (and the DRD), the European Commission and the EU Member States — produced reliable, verifiable evidence:

-          that those measures have actually, demonstrably contributed significantly to the stated purpose of the measures, i.e., in relation to the PNR Directive, to the fight against PNR-relevant crimes (and in relation the DRD, to the fight against “serious crime as defined by national law”); and

-          that those measures have demonstrably not seriously negatively affected the interests and fundamental rights of the persons to whom they were applied?

If the mass surveillance measures do not demonstrably pass both these tests, they are fundamentally incompatible with European human rights and fundamental rights law and the Charter of Fundamental Rights; this means the measures must be justified, by the entities that apply them, on the basis of hard, verifiable, peer-reviewable data.

The conclusion reached by the European Commission and Dutch Minister of Justice: that overall, the PNR Directive, respectively the Dutch PNR law, had been “effective” because the EU Member States said so (Commission) or because PNR data were quite widely used and the competent authorities said so (Dutch Minister) is fundamentally flawed, given that this conclusion was reached in the absence of any real supporting data. Rather, my analyses show that:

-          Full PNR data are disproportionate to the purpose of basic identity checks;

-          The necessity of the PNR checks against Interpol’s Stolen and Lost Travel Document database is questionable;

-          The matches against unspecified national databases and “repositories” are not based on foreseeable legal rules and are therefore not based on “law”;

-          The necessity and proportionality of matches against various simple, supposedly “suspicious” elements (tickets bought from a “suspicious” travel agent; “suspicious” travel route; etc.) is highly questionable; and

-          The matches against more complex “pre-determined criteria” and profiles are inherently and irredeemably flawed and lead to tens, perhaps hundreds of thousands of innocent travellers wrongly being labelled to be a person who “may be” involved in terrorism or serious crime, and are therefore unsuited (D: ungeeignet) to the purpose of fighting terrorism and serious crime.

The hope must be that the Court will stand up for the rights of individuals, enforce the Charter of Fundamental Rights, and declare the PNR Directive (like the Data Retention Directive) to be fundamentally in breach of the Charter.

For my full 149-page opinion, and an executive summary of it, see here.

 

Reblogged from the Data Protection and Digital Competition blog

Photo credit: Konstantin von Wedelstaedt, via wikicommons




Sunday, 5 December 2021

The external representation of the European Union in the International Maritime Organization: A Question of Labelling rather than of EU Competence

 



Cathleen Berg, doctoral student, University of Bayreuth

On 25 November 2021, Advocate General (‘AG’) Szpunar delivered his Opinion in an action for annulment brought by the Commission against the Council (Case C-161/20). The Opinion exemplifies the conflict of interests between the European Union (‘EU’) and the Member States when it comes to exercising their external competences within the framework of an international organisation in which the EU can participate neither as a member nor as an observer. If the Court of Justice follows AG Szpunar’s reasoning, the present Case will have the potential to change the assessment as to who (the Commission or the Member States) represents the Union interest in committees of the International Maritime Organization (‘IMO’). Moreover, it will presumably reinforce the Commission’s ambition to strive for a change of the IMO legal framework in order to allow the EU to become a member or at least an observer.

Background

The issue raised by the Commission concerns the power to submit proposals to a committee of an international organisation in which the EU can participate neither as a member nor as an observer. The EU cannot become an IMO member because, according to the IMO Convention, membership is open to States only. Usually, if the EU cannot exercise its external competence because the international organisation does not allow it to become a member or an observer, the Member States exercise the EU competence acting jointly in the EU interest (para 64 of the Opinion; cf. also Opinion 2/91). In particular, Member States must refrain from submitting a national proposal to an international committee when the proposal could affect common rules (see Case C-45/07).

Due to some Member States’ opposition to grant the European Community the status as IMO observer, only the European Commission became an IMO observer in 1974 when it concluded a Cooperation Agreement with the IMO (cf. Article 66 of the IMO Convention). As observer, the Commission has the right to participate in the work of the IMO and its committees. However, unlike the Member States which enjoy full IMO membership, the Commission has no right to vote. Yet, this does not prevent the Commission from acting as the Union representative with reference to the sixth sentence of Article 17(1) TEU, which reads: ‘With the exception of the common foreign and security policy, and other cases provided for in the Treaties, it [the Commission] shall ensure the Union's external representation.’ Therefore, the Commission consistently strives to coordinate the Member States’ positions when EU external competence is involved and to ensure that the common position is presented in IMO committees on the EU’s behalf. However, Member States in practice occasionally depart from the common position.

The Commission’s action: The Commission wants the EU interest to be included and the Member States to be excluded

In the present case, the Marine Environment Protection Committee (‘MEPC’) of the IMO instructed the Intersessional Working Group on Reduction of GHG Emissions from Ships in 2019 to develop life cycle greenhouse gas (‘GHG’)/carbon intensity guidelines for all relevant types of fuels. In the same year, the Intersessional Working Group ‘invited interested Member States and international organizations to cooperate and submit proposals for draft guidelines on life cycle GHG/carbon intensity for all relevant types of fuels’ (para 29). The submissions were supposed to function as an inspiration for future guidelines on life cycle GHG/carbon intensity which the MEPC considered as a preparation for an implementation programme for effective uptake of alternative low-carbon and zero-carbon fuels. In response to the invitation, the Permanent Representatives Committee (Coreper) endorsed, on 5 February 2020, a submission on behalf of the Member States and the European Commission. This submission was transmitted to the Intersessional Working Group by the Presidency of the Council shortly after. In doing so, Coreper did not follow a suggestion by the Commission to submit a proposal for guidelines ‘by the Commission on behalf of the European Union’, thereby leaving the Member States out. In particular, the Commission considered that the area addressed by the proposal was covered to a large extent by common rules of the EU and that the EU, therefore, had the exclusive external competence under Article 3(2) TFEU (‘ERTA doctrine’). According to the Commission, a proposal ‘on behalf of the Member States’ could not sufficiently demonstrate that the Member States act in the Union interest.

In Case C-161/20, the Commission challenged the Council decision endorsing the submission on two grounds. First, the Commission argued that the proposal was submitted in breach of the EU exclusive competence under Article 3(2) TFEU and that, therefore, the proposal should have been issued ‘by the European Commission on behalf of the European Union‘. The Council contended that EU exclusive competence only covered a part of the submission, while the remainder fell under shared competence of the EU and the Member States. Second, the Commission alleged a breach of its institutional prerogatives under Article 17(1) TEU insofar as the Council decision entrusted the Presidency of the Council with transmitting the proposal.

A triviality? By no means! Although the submission did not constitute a binding decision establishing the positions to be adopted on the Union's behalf within the meaning of Article 218(9) TFEU, the present case concerns the fundamental issue of the discrepancies between the international legal order and the European Union legal order. In his Opinion, AG Szpunar, first, addressed the alleged infringement of Article 17(1) TEU, before turning to the question of the nature of EU competence regarding the proposal.

Infringement of Article 17(1) TEU: EU interest vs. obligation to exercise EU external competence in observance of international law

The particularities of the external representation of the Union interest in the IMO arise from the twofold status of the Commission. On the one hand, the sixth sentence of Article 17(1) TEU, as such, only refers to the prerogatives of the Commission acting as an EU organ. On the other hand, the Commission has the status as IMO observer, however, without being considered to act as the representative of the EU.

AG Szpunar tried to resolve the discrepancy between, on the one hand, the IMO rules, preventing the EU from directly participating in the IMO, and on the other hand, the internal rules in the Treaties on the division of external powers and their exercise, by referring to the case-law of the Court of Justice, according to which the Union must exercise its powers in observance of international law (para 64; see Antarctica Cases). The AG examined whether the disputed submission could have been transmitted as a Union act in line with the IMO rules, the Union being represented by the Commission (para 72 et seq). However, the AG denied the admissibility of such course of action by strictly limiting the right to participate in the IMO to the Commission as observer. In particular, he rejected the Commission’s argument that it can be inferred from the Lisbon Treaty, which provided for the substitution of the European Community by the EU, that the Commission’s status as observer means that the Commission acts as an organ of the EU and that, therefore, proposals in the name of the Commission can be considered as proposals of the EU (para 74 et seq). According to the AG, the invitation from the Intersessional Working Group to submit proposals did not extend to international organisations without any rights in the IMO. In fact, the invitation required the power to participate effectively in the Working Group, which the EU lacks (para 78).

Having denied the possibility of submitting the proposal on behalf of the EU, the wording of Article 17(1) TEU suggests that it is not applicable in the case that the EU cannot act on its own behalf (para 81 et seq). AG Szpunar pointed out that there is a significant difference between, on the one hand, the Member States acting in the Union interest, but in their own name, and, on the other hand, the Member States acting as representatives of the EU (cf. Article 7 of the Vienna Convention on the Law of Treaties) (para 84). When the Member States act in their own name, they are free to choose whom they want to entrust with transmitting the proposal (in the present case, the Presidency of the Council and not the Commission) (para 85).

Nevertheless, the AG added that the Member States were obliged under the principle of sincere cooperation (see Article 4(3) TEU) and the principle of acting in good faith to inform the third parties involved that the Member States act in the Union interest (para 88). This follows from the fact that the Member States do not act ‘fully autonomous[ly]’ when they act in the Union interest (para 88). However, the obligation to act in the Union interest does not go as far as to oblige the Member States to include ‘on behalf of the EU’ in the heading of the submission as the external partners could reject such a submission (para 89). It is sufficient that the external partners can infer from the context that the Member States act in the Union interest (para 90).

The AG’s reasoning resembles the findings of the Court in the Antarctica Cases where the Court held that the EU did not enjoy a fully autonomous status in the Antarctic Treaty and that, therefore, it had to involve the Member States in submitting a proposal in the framework of the Canberra Convention. Yet, in contrast to the Antarctica Cases, AG Szpunar sought to restrict the scope of Member States’ action and not the exercise of EU external competence. The Court’s reasoning in the Antarctica Cases seems to evolve more and more into a generally applicable standard which does not seem to be restricted to specific cases with specific contexts (as was hoped for by many scholars). Arguably, it is also not restricted to favouring the Member States, but can also be applied in favour of the EU (cf. recently Opinion 1/19, where the risk of incurring international responsibility did not preclude the Union from exercising its competence without the consent of all Member States). The present case is based on the conflict between, on the one hand, the protection of the EU interest and, on the other hand, the obligation to exercise the EU external competences in observance of international law. Both principles govern the exercise of the EU external competences. The AG favoured the observance of international law over the protection of the EU interest (cf. para 92). Observing international law meant, therefore, that the proposal could not be submitted on behalf of the EU.

The (im)possibility to act on behalf of the EU does not depend on the nature of EU competence

The AG suggested that determining whether the EU competence was exclusive or shared with the Member States was not important to decide whether the proposal could have been submitted by the EU itself (paras 50, 97). Therefore, it is not a question of competence to determine whether a proposal can be submitted on behalf of the EU. It is rather a question of labelling a submission to the Intersessional Working Group the right way as to reconcile the IMO rules and the rules of the Treaties. AG Szpunar denied an ‘ERTA effect’, anyway, as there was no risk of common rules being affected by the mere prospect that future guidelines could inspire the EU to amend the common rules (para 153 et seq). Neither did he assume an exclusive competence under the second part of Article 3(2) TFEU (para 158 et seq). Consequently, he rejected the Commission’s plea alleging breach of exclusive EU competence under Article 3(2) TFEU.

The AG’s conclusion: Rather let the Member States represent the EU interest than the Commission?

The AG implied that the Union has only shared competence in the area covered by the disputed submission, without explicitly stating the legal basis for this competence (para 164). In line with settled case-law, he concluded that the Union can exercise the shared competence alone (para 164; see C-600/14). However, and this seems rather puzzling, he explained that ‘the Commission’s weaker status compared to that of the EU Member States in the IMO constitutes an argument in favour of the participation of the Member States in the exercise of the Union’s external competence.’ (para 164). He explicitly referred to the Antarctica Cases where the Court held that the Union could not submit a proposal in the framework of the Canberra Convention without the Member States due to special obligations and responsibilities of some Member States as parties to the Antarctic Treaty. However, comparing the status of the Member States in the IMO with their status in the Antarctic Treaty seems questionable. In the Antarctica Cases, the EU had acceded to the Canberra Convention whereas it cannot become an IMO member. Furthermore, it could be argued that the Commission as such has no right to vote in the IMO and that, therefore, it is not able to exercise the EU competence alone in the IMO in the first place.

AG Szpunar’s Opinion has surely dashed the Commission’s hopes of driving the Member States out of the representation of the Union interest in the IMO. In fact, the Commission’s status in the IMO appears to be even weaker than before. It is, therefore, for the Court to decide on who will represent the EU interest in the IMO in the future.

Barnard & Peers: chapter 24

Photo credit: Tagishsimon, via Wikicommons

Consumer law and the GDPR: Case C-319/20 Facebook Ireland - Opinion of the Advocate General


 


 

Lorna Woods, Professor of Internet Law, University of Essex

 

Facts

 

The Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federation of German Consumer Organisations) sought to bring an action before the German courts arguing that Facebook, in the context of making free, third party games available on its platform, contravened data protection rules by not giving adequate information about the data collected and this also constituted a violation of rules on unfair competition and on consumer protection. It brought this action before the Bundesgerischtshof, which court had doubts as to whether the federation had standing given the entry into force of the GDPR. It referred questions on this issue to the CJEU.

 

As the Advocate General phrased the question, the issue was whether Article 80(2) GDPR

 

precludes consumer protection associations from retaining, following the entry into force of that regulation, the standing to bring proceedings that national law confers on them in order to obtain injunctions against conduct that constitutes both an infringement of the rights conferred by that regulation and an infringement of the rules designed to protect consumer rights and to combat unfair commercial practices [para 4]

 

In Germany, the standing of the federation would not have been in doubt prior to the introduction of the GDPR; the question is whether it has been altered by the GDPR and, specifically, whether the GDPR exhaustively provides for the mechanisms by which its provisions are enforced so that it precludes national legislation which allows consumer protection bodies to bring actions against those allegedly responsible for an infringement of personal data, relying on other causes of action.

 

Opinion

 

The Advocate General’s opinion commenced by noting that, since the Federation had not been mandated by a data subject to bring the action, the relevant provision was Article 80(2) GDPR. The Court has considered a similar question in relation to the data Protection Directive in Fashion ID. It found that Articles 22-24 of the Data Protection Directive “must be interpreted as not precluding national legislation which allows consumer-protection associations to bring … legal proceedings against a person allegedly responsible for an infringement of the protection of personal data” [para 63 Fashion ID, cited para 44]. The Directive neither required Member States to give such organisations standing to bring a data protection action, but nor did it expressly preclude it. Indeed, the provision of such a possibility contributed to the objectives of the Data Protection Directive.  So, the question is – has anything changed?

 

The Advocate General considered the characteristics of the GDPR. The fact that it is in the form of a regulation (by contrast to the previous directive) suggests a tendency towards full harmonisation rather than the minimum standards found in the Data Protection Directive. However, as the Advocate General pointed out, “[t]he truth is more complex” [para 51]. He pointed to the legal base for the GDPR: Art 16 TFEU which

 

“precludes the view that in adopting [the GDPR] the European Union would have pre-empted all the ramifications which the protection of personal data may have in other areas relating, in particular, to employment law, competition law or even consumer law, by depriving Member States of the possibility of adopting specific rules in those areas ….” [para 51]

 

Data protection has a cross-sectoral impact but the harmonisation does not cover all of these areas. Moreover, the intensity of the harmonisation is not uniform across the GDPR. The use of a regulation does not necessarily mean that Member States have no scope for action [para 53].

 

Against this background we seen that Article 80(2) is “optional” – it uses the word ‘may’ [para 54]. Interpreting the scope of Article 80(2) the Advocate General considered that the entities listed there could not be limited  to those entities whose sole and exclusive object is data protection, but “extends to all entities which pursue an objective in the public interest that is connected with the protection of personal data” [para 61]. He also argued that other aspects of Article 80(2) should not be interpreted restrictively, so that the entity should not be required to show specific existing cases of persons affected by the processing.

 

Rather, all that is required is an allegation of an infringement of the provisions designed to protect individual rights. The objective of the provision is to give the bodies the ability to have a competent body check whether the rights-granting provisions of the GDPR are being complied with; the emphasis is on the protection of the collective interests of consumers. This viewpoint is supported also by the approach in Directive 2020/1828 on consumer injunctions (see especially recital 15). This is the position in this case, in which the federation seeks an injunction against Facebook Ireland [para 70].

 

More generally, he argued that

 

“[i]t would be contrary to the objective of ensuring a high level of protection of personal data if the Member States were precluded from putting in place actions which, while pursuing an objective of protecting consumers, also help to achieve the objective of protecting personal data” [para 75].

 

The defence of collective interests of consumers is, in the view of the Advocate general, particularly suited to the establishment of a high level of data protection and a narrow interpretation of Article 80(2) would interfere with the preventative function of actions brought by such bodies. An injunction, as in issue here, contributes to the effective protection of rights.

 

While the laws pertaining to data protection and consumer law have developed separately, there are interactions between the two areas; a similar point can be made in relation also to competition law: the same conduct can simultaneously be covered by all three regimes. While consumers are different from data subjects, these also overlap. This leads to ‘complementarity and convergence’ between these different areas of law and these may mutually strengthen protection.

 

In sum, Article 80(2) did not preclude legislation that allowed these entities to bring an action in the interest of enforcement of data protection rights.

 

Comment

 

The end point in this, especially given Fashion ID, is not so surprising, though we will – of course – need to wait for the Court’s judgment on this. It is noticeable that the Advocate General goes to some lengths to emphasise that although the GDPR is a regulation, it is not closed, and especially not where the higher levels of protection for data are concerned.  The implication of the Advocate General’s reasoning is of course that each clause will need to be considered on its own terms, but always in the light of the objectives of the GDPR and the need to ensure a high level of protection. Here, the impact of the regulation’s legal base should be noted; the reference to high levels of protection is not just verbiage but has been used as a motivating force in the reasoning of the Advocate General.

 

Another point of interest is the recognition of the interplay between the different types of law: data protection, consumer and even competition law. The Advocate General has used this interplay to strengthen protection, rather than assigning types of law to silos, and potentially thereby undermining protection. The approach of the Advocate General seems right – as he notes, the same conduct may fall within each of these rules. There is overlap, but it raises the question more broadly of the need for cooperation between at least the regulators in each of the fields.  This approach is also noteworthy as it illustrates support for attempts to deal – using a range of different legal mechanisms -with problems relating to the super-dominant ICT business built on user data. This is particularly significant given the perceived weakness in effective data protection regulation in some Member States.

 

Photo credit: Johnscotaus, via Wikimedia Commons



Tuesday, 30 November 2021

The proposed EU regulation of political advertising


 

 Lorna Woods, Professor of Internet Law, University of Essex

 

As envisaged by the European Democracy Action Plan (EDAP), the European Commission has published a proposal for a Regulation on the Transparency and Targeting of Political Advertising (COM (2021) 731 final).  It contains two main sets of rules:

 

  • rules on transparency of political ads; and
  • rules on targeting and amplification of adverts based on use of personal data.

 

It applies to broadly two sets of actors:

  • those who are responsible for the ad campaign
  • those who publish, broadcast or otherwise make available the adverts.

 

While the proposal sits against the EDAP as well as the 2018 election package, it links specifically with two measures:

  • the General Data Protection Regulation (GDPR); and
  • the Digital Services Act (DSA).

 

The first chapter deals with the scope of the Regulation and includes definitions. Notably, Article 2(2) specifies that ‘political advertising’ means

 

the preparation, placement, promotion, publication or dissemination, by any means, of a message:

(a)        by, for or on behalf of a political actor, unless it is of a purely private or a purely commercial nature; or

(b)        which is liable to influence the outcome of an election or referendum, a legislative or regulatory process or voting behaviour.

 

In this, the definition is including the process of advertising in scope, though individual adverts will be caught as well.

 

Chapter II of the proposed regulation contains the provisions relating to transparency. Article 4 starts with a general principle:

 

Political advertising services shall be provided in a transparent manner in accordance with the obligations laid down in Articles 5 to 11 and 14 of this Regulation.

 

‘Political advertising service’ is defined (Art 2(5)) – essentially a service consisting of the provision of political ads (with the exception of online intermediary service within the meaning of the DSA). Recital 26 states that ‘providers of political advertising services should be understood as comprising providers involved in the preparation, placement, promotion, publication and dissemination of political advertising’ – and reflects the approach in Article 2(2). It would seem that Article 4 bites on all these actors. 

 

The specific obligations regarding transparency are:

 

  • identification of political advertising services (Art 5);
  • record keeping regarding (for five years) of the ad or campaign to which the services are connected; the services provided; the amounts received and the identity of the sponsor with its contact details and this information is to be transmitted to the ‘political advertising publisher’ (Art 6);
  • transparency requirements for each ad, including a transparency notice (and there are discrete obligations on ‘political advertising publishers’ to check this information is present and complete) (Art 7);
  • inclusion of data on benefits received for these services in annual financial statements (Art 8);
  • the making available by publishers of mechanisms to enable individuals to notify advertising publishers of advertisements which do not comply (Art 9);
  • transmission on their request to national authorities of the information in Articles 6-8 (Art 10); and
  • the transmission of the information in Article 6 to ‘interested entities’ where ‘interested entities’ means: vetted researchers (within the DSA’s meaning); members of a civil society organisation whose statutory objectives are to protect and promote the public interest; political actors as authorised under national law; or national or international electoral observers.

 

Chapter III focusses on the targeting and amplification of political advertising.  Article 2(8) provides a definition of ‘targeting or amplification techniques’ as

 

‘techniques that are used either to address a tailored political advertisement only to a specific person or group of persons or to increase the circulation, reach or visibility of a political advertisement’.

 

Targeting or amplification techniques that rely on the processing of special categories of personal data (with Article 9(1) GDPR) are (with limited exceptions) prohibited (Art 12(1)). For other types of targeting or amplification techniques additional requirements are introduced (Article 12(3)):

 

  • the adoption of an internal policy
  • the keeping of records on use, mechanisms used, techniques and parameters used and the source of the personal data used
  • provision of information to allow the individual to understand the logic involved and the main parameters concerns (as detailed in Annex II).

 

Chapter IV deals with supervision and enforcement. Article 14 requires service providers that do not have an establishment in the EU (but which are caught by the regulation) to appoint a legal representative. Member States are required to introduce effective yet proportionate fines - though what this means is left up to the individual Member States.

 

The regulation envisages that existing supervisory authorities shall have responsibility for supervision of the obligations, with responsibility being split between the data protection supervisory authorities under the GDPR and the authorities to be designated under the DSA. There are some provisions for coordination. This is, however, potentially a weak point unless the different supervisory authorities find a way to work together.

 

Some initial points to note. Once again, the Commission is opting for a Regulation, seeking to reduce fragmentation among Member States. The explanatory memorandum – in justifying the choice of Article 114 TFEU (concerning internal market regulation) as legal base – highlights the fact that the fragmentation is not just between approaches between Member States but also between technologies and types of actor. The scope of the regulation is thus broad both as regard to the definition of political advertising’s content but also the application to its creation and distribution.

 

The definition of advertising is worthy of some attention. Note that, unlike the definition of advertising elsewhere which links to the intention to sell goods or services, they keys factors are who is speaking – a political actor - or what the likely impact is on an election. Note – these are alternatives, not cumulative conditions. In this it is very different from the sort of definitions urged by the European Association of Communications Agencies, which referred to an American definition from the “Self-Regulatory Principles  of Transparency &  Accountability to Political Advertising” of the US-based Digital Advertising Alliance (DAA) which defines political advertising as: “… paid-for communications that unmistakably urge the election or defeat of one or more clearly identified candidate(s) for a federal or statewide election” (emphasis added).

 

The definition of political actors includes not just those who might come to mind on a common sense approach to the matter (see Art 2(4)(a)-(f)) but also ‘a political campaign organisation...established to achieve a specific outcome in an election or referendum’ ((g)) and ‘any natural or legal person representing or acting on behalf of an of the persons or organisations in points (a) to (g)’. There are, of course, questions about how we understand when someone acts on behalf on a political actor.  Note also that political actors may speak about other topics, but that speech is excluded only when they speak purely in a private capacity or purely for commercial purposes. 

 

The second category seems to be intended to tackle issue-based ads. It could include organic content.  While the definition of a political advertising service might imply service for remuneration (see recital 29), the definition of the type of content contained in political advertising itself does not include any element of remuneration.  Having said that, the transparency obligations only apply to ‘political advertising service’, and while that might include those which create content they seem only to come within the scope of that definition if there is remuneration.

 

Google notes in its response that this may be very broad; and also flags the possibility of different services taking different approaches to who is in scope and how they determine the answer to this question (and whether this is done automatically or by human supervision).  There are certainly resource questions here which are not dealt with by the proposal.

 

The definition of ‘political advertising service’ is broad and makes clear that obligations arise across the distribution chain.  This ‘pass through’ element is recognised in the obligations imposed as part of the transparency obligations. For example, Article 6(3) obliges providers of political advertising services to give political advertising publishers the information necessary to carry out their obligations (see conversely Art 7(3)).  This implies that the imposition of contractual obligations along the value chain will form part of this regime, but how those further down the value chain are in a position to verify what they are told is accurate or not is another question entirely. This might be particularly problematic where the content producer lies outwith the EU, especially where that advertising service provider makes no attempt at compliance; what are “reasonable efforts” in these circumstances?  In terms of these obligations, it is clear that the publisher – as the end point to the audience – fulfils a particular role and has specific obligations as a result to ensure that the labelling happens and that there is a mechanism for complaints. Further, the publisher needs to ensure that the labelling stays attached, so that when that content is shared by third parties, it is still apparent that it is an ad.

 

At this point it is worth noting that while these obligations seem to fit the online information sharing environment, the definition of ‘political advertising publisher’ is not limited to VLOPs within the DSA – or even to online platforms. The definition (Art 2(11)) is as follows:

 

‘a natural or legal person that broadcasts, makes available through an interface or otherwise brings to the public domain political advertising through any medium’.

 

Presumably this includes the traditional media (and bill boards).

 

While the proposal envisages that – as part of the transparency obligations – services providers should provide links to ad repositories, this only applies where relevant. This link back to the Digital Services Act which, as drafted, only imposed ad repository obligations on very large online platforms (VLOPs). Some therefore feel that this is a missed opportunity to mandate ad libraries generally, especially given the high threshold for VLOPs. Note the new proposal strengthen the rules in the DSA as regards political ads by making the period of retention 5 years, not 1 year. Beyond this we might question how effective transparency labels might be – especially given the history of bad behaviour by at least some actors in this industry. It remains unclear what – or how – the oversight regime for this would work so get an overall picture of what is going on. If part of the problem is that by targeting political actors can send different and potentially inconsistent messages to different groups of people, then telling a recipient that he or she has received an ad doesn’t necessarily solve that problem. It assumes that the user will go to the ad library and do a compare and contrast exercise, which is unlikely. It also overlooks those services which are not required to have an ad library. Further, it is not clear whether these obligations will operate in real-time. A number of actors -including ERGA (the European Regulators' Group for Audiovisual media) – have proposed the requirement for real-time, comprehensive ad libraries for political ads.

 

The proposal on not using certain data for political advertising is weak. This is partly because compliance with data protection and digital services is not good in general (as the range of challenges coming through the system demonstrates), but also because of the exceptions based on the GDPR provisions. Specifically, targeting could be allowed in the context of legitimate activities of foundations, associations or not-for-profit bodies with a political, philosophical, religious or trade union aim, when it targets their own members.  There are questions here about the scope of this exception, which might also arise in the context of the GDPR but is particularly salient here. While, on the one hand these seems reasonable (subject to how they are interpreted- as ever), Recital 47 of the proposed regulation suggests that “[a]dditional restrictions compared to Regulation (EU) 2016/679 [GDPR] and Regulation (EU) 2018/1725 [on EU bodies and data protection] should be provided” – yet it seems that there are no such additional restrictions. A stronger option would have been to prohibit the use of certain sorts of data absolutely (even when it is inferred) or to prohibit profiling at all.  The European Data Protection Board (EDPB) proposed ‘a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking’, and that in relation to ads more generally.  Note also that transparency may work for the initial choice of the ad sponsors, but may be much more problematic when we consider amplification by platforms – tools which are notoriously opaque but very impactful. This increases the importance of controls on use of data.

 

While the proposal is a start, there are clearly questions and gaps. Nonetheless, as the European Broadcasting Union (EBU) notes, this is an opportunity to improve the political advertising environment, especially the online context which currently seems to fall outside existing regimes.  The imposition of similar rules to elections across Member States will presumably be a relief to cross-border service providers. Given the lobbying around the DSA (and DMA, ie the Digital Markets Act), we can expect to see lobbying here, and some of the questions that have been the subject of intense debate – notably the proposed ban on behavioural advertising – may well be the subject of yet further discussion.

 

Photo credit: GilPe, via Wikimedia commons