Wednesday, 22 October 2014

New EU human rights reporting requirements for companies: One step beyond the current UK rules



Anil Yilmaz (Lecturer in Law, University of Brighton) and Rachel Chambers (PhD candidate, University of Essex)  

Background

Among the core objectives of the EU set out in Article 3(3) of the Treaty on the European Union is the creation of an internal market and sustainable development of Europe “based on balanced economic growth and price stability, a highly competitive social market economy, aiming at full employment and social progress, and a high level of protection and improvement of the quality of the environment.” The Single Market Act 2011 fleshed out the features of a “highly competitive social market economy” and provided that it called for new business models where environmental and social concerns “take precedence over the exclusive objective of financial profit.” In this respect, the Act outlined the allocation of tasks for achieving this goal between itself and the industry. While the European asset management industry was asked to use their leverage to promote socially and environmentally responsible businesses, the EU would take action, inter alia, to ensure a level playing field by introducing new rules on environmental and social reporting. Stemming from the Act was also the adoption of the Commission’s 2011-2014 Corporate Social Responsibility Strategy, which reaffirmed the objective of establishing EU rules on social and environmental reporting.  Although CSR has been on the EU agenda for a decade, the 2011-2014 Strategy put forward a more rigorous definition of CSR and demanded better alignment with global approaches to CSR, including implementation of the UN Guiding Principles (UNGPs).  Within the Strategy, the Commission announced its intention to build on the existing reporting requirements for companies.

Prior to the adoption of the recent amendments to Directive 2013/34/EU on company reporting, EU law made the following requirement on companies, not necessarily including small and medium‐sized enterprises (SMEs): “To the extent necessary for an understanding of the company’s development, performance or position, the analysis [in the annual review] shall include both financial and, where appropriate, nonfinancial key performance indicators relevant to the particular business, including information relating to environmental and employee matters.” In November 2010, the European Commission had launched an online public consultation to gather views on the disclosure of non-financial information by enterprises. The consultation had sought both to expand the subjects of such disclosure and to make the requirements more effective.

In January 2013, following the adoption of the 2011-2014 CSR Strategy, the European Parliament adopted two resolutions reiterating the importance of company transparency on environmental and social matters and calling for specific measures to combat misleading and false information regarding commitments to CSR and relating to the environmental and social impact of products and services.   The resolutions expressly acknowledged the role of the UNGPs in improving standards of corporate practice. The European Commission went one step further in its proposal of 16 April 2013, by suggesting an amendment to existing accounting legislation to improve the transparency of certain large companies on social and environmental issues, in particular with regard to human rights impacts.  The European Parliament and the Council reached an agreement on 26 February 2014; the European Parliament adopted the amendments to Annual Financial Statements Directive 2013/34/EU on 15 April 2014; this was adopted by the Council of the European Union on 29 September 2014.

The Reforms

The amendments introduce compulsory reporting of non-financial information by certain large undertakings. Under the new Article 19a certain large undertakings governed by the law of a member state are required to include a non-financial statement in their annual management report, ‘to the extent necessary for an understanding of the undertaking’s development, performance and position and of the impact of its activity.’ Recital 14 determines the personal scope of the reporting requirement based on the number of employees, balance-sheet total and the net turnover. ‘Certain large undertakings’ within the meaning of Article 19a are public-interest entities which have 500+ employees (in the case of a group of companies with the parent governed by a member state law, number of employees will be calculated on a consolidated basis). Public interest entities are defined in Article 2(1) of the Directive as including listed companies, credit institutions, insurance companies and any other entity designated by member states as a public interest entity due to the nature or size of their business.  The press release announcing the adoption of the Directive by the Council says that some 6,000 public interest entities in the EU will fall under its scope.

 Non-financial information encompasses “as a minimum, environmental, social and employee matters, respect for human rights, anti-corruption and bribery matters”.  The statement will contain a brief description of the company’s business model, a description of the company policy in those areas and its outcome, main risks faced by the company, including those arising from its business relationships, and how these are managed and the due diligence processes it employs to identify, prevent and mitigate adverse impact. Companies can avoid reporting on one or more of these issues if they do not pursue policies on those issues and provide a ‘clear and reasoned’ explanation of this choice. There is an additional exemption from reporting in exceptional cases where disclosure of such information would seriously harm the commercial position of the company and non-disclosure does not prevent a fair assessment of company’s impact and risk.

Recitals provide some examples of what should be included in the report for each item and refer to a selection of national and international frameworks for further guidance that companies can rely on. In the meantime, the Commission will prepare general and sectoral non-binding guidelines for non-financial reporting.  Member states will have two years to incorporate the new provisions into domestic law, which will be applicable in 2017.  In terms of enforcement of these obligations, Recital 10 requires member states to establish effective national procedures to ensure compliance with non-financial reporting requirements. Finally, it is up to the member state implementing the directive to require independent verification of the non-financial information contained in the report.

Analysis

The adoption of this Directive was hard fought for, and can be seen as a major achievement –both in terms of the content of the reforms but also the symbolic step which their adoption represents.   These are a broad set of reporting requirements, wider than comparable UK law as they include anti-bribery and corruption as well as environmental, social and employee matters and human rights.  By requiring reporting “of the impact of [a company’s] activities” and of the “principal risks related to those matters linked to the undertaking's operations” these provisions focus effort on what is important – reporting the actual human rights risks/impacts to/on society of a company’s operations and prioritising the most severe risks.  This compares favourably to UK non-financial reporting which, as explained below, is focused essentially on providing information to shareholders on which they can assess the financial performance of the company.  The requirement for group reporting of these issues in consolidated statements will allow stakeholders to be informed about the impacts of subsidiaries as well as their parent companies. Business partners are also covered but reporting on risks from supply chains and business relationships is only required “if relevant and proportionate”. The inclusion of risk management processes such as due diligence is useful when trying to understand how companies are tackling the issues which they face in this realm.

However, there are a number of shortcomings in the new Directive.  It does not cover many companies: the original Commission proposal was for it to apply to around 18,000 companies – listed and non-listed – that were of a certain financial size and had 500 employees or more.  As stated above, the adopted proposal only covers around 6,000 “public interest” companies.  The failure to include listed SMEs (although member states can choose to include them) is particularly difficult to understand given that these companies already have to file annual reports, and that despite their size, these companies can have significant human rights impacts.  The methods for enforcement of the obligations and independent verification of the reports are left to member state discretion, which can create inconsistencies in the application of these rules, and ultimately a lack of “teeth” if companies fail to comply.

Does it improve existing UK requirements?
 
The new UK requirement to compile a strategic report which must, to the extent necessary for an understanding of the development, performance or position of the company’s business, include, amongst other requirements, information about social, community and human rights issues came into force in October 2013.  The inclusion of a test of materiality in the statutory guidance on the new statutory regime was controversial.  Under the heading of “Materiality” the guidance recommends that companies include human rights-related information “if its omission from or misrepresentation in the strategic report might reasonably be expected to influence the economic decisions shareholders make on the basis of the annual report as a whole” – as noted above the new European requirement takes a different, and from a human rights protection point of view better, stance by looking at impact on society.

Enforcement of the UK law is weak, a situation which will not be changed by the new EU law. In the UK, the Conduct Committee of the Financial Reporting Council is responsible for monitoring the compliance of the strategic report with the Strategic Report Regulations. It may investigate cases where it appears that required information has not been provided, and has the power to apply to the court for a declaration that a strategic report does not comply with the requirements and for an order requiring the directors to prepare a revised strategic report.  The equivalent powers under the previous statutory regime were seldom used.  Since compliance with the new EU non-financial reporting requirements will be overseen by member state regulators, it is crucial that they have qualified staff with the appropriate human rights expertise to draw on when assessing whether the information required has been provided.
 
 
Barnard & Peers: chapter 9, chapter 14

Friday, 17 October 2014

Cameron’s ‘emergency brake’: killing the free movement of persons, or saving it?


 

Steve Peers

Imagine that pro-Europeans in Britain had a time machine, but only enough power to use it once. Where (or rather, when) should they go? There’s only one possible answer: they should go back to 2004, and move heaven and earth to convince the British government of the day not to allow immediate free movement of workers from all of the new Member States about to join the European Union. For despite the economic benefits of this decision, it has been an unmitigated political disaster as regards public support for the UK’s EU membership (and, it should be added, for the UK Labour Party).
We don’t have a time machine – although I often wonder if Nigel Farage might have used one, to go back and somehow trick Tony Blair into making that fateful decision. Instead, we have to deal with a situation in which the free movement of people is being increasingly painted as a fundamental flaw with the EU, which the UK should either leave the EU to escape or demand to be renegotiated.

In his earlier discussion of his renegotiation strategy, such a major change in free movement of people was not foremost in David Cameron’s agenda. So, as I suggested at the time, it might be possible to address the UK’s renegotiation issues by a Decision of Heads of State and Government, as was the case for the Danish and Irish concerns about previous treaty amendments.

Now that significant change to the free movement rules is a ‘red line’ for the Conservative party in the renegotiations (if it is in a position to carry them out after next year’s general election), this would no longer be sufficient. So it’s time to take a fresh look at Cameron’s renegotiation positions, looking in turn at the free movement of people and the other issues he has raised. Then I will answer a critical political question:  should pro-Europeans support such changes?

Free movement of people
The basic rules on free movement of people appear both in the Treaties and in secondary legislation. Treaty provisions set out the basic right of EU citizens to move and reside freely, which is allied to a right of non-discrimination on grounds of nationality. There are also specific provisions on free movement of workers, the self-employed, service providers and recipients and (implicitly) students. In addition, there is secondary legislation, principally (but not only) the citizens’ Directive and the Regulation on social security coordination.

The legislation could be changed much more easily than the Treaties. In particular, it would need only a qualified majority vote in the Council and agreement in the European Parliament to change the legislation (the Commission would also have to be persuaded to propose the amendments).
However, there’s a limit to what legislative change could accomplish. For instance, some of the details of access to benefits could be changed in principle. But the underlying rule of the free movement of people is set out directly in the Treaties, which are directly effective and take priority over conflicting national law and conflicting EU secondary legislation. That means that EU legislative changes would be invalid if they restricted free movement rights too severely, or amounted to discrimination between EU citizens (for an example of a change to the social security rules which was struck down by the EU Court of Justice, see the Pinna case).
Some changes could come about by the Court’s own jurisprudence. Earlier this year, it gave a restricted reading of the free movement rights of convicted criminals. In November, it will deliver a potentially important ruling on EU citizens’ access to benefits. (I’ll blog later on both points). But again, this can’t affect the fundamental rules of free movement.

The citizens’ Directive and the Treaties allow for free movement to be restricted on grounds of public policy, public security and public health, but it’s clear from the Court’s case law (and the text of the Directive) that this can only apply in individual cases, and never on economic grounds.
 
So to overturn the core of free movement rights, the Treaty would have to be amended. This would entail ratification by all Member States of the treaty amendment (which would probably take the form of a protocol to the existing Treaties).

What could such a protocol include? There’s a wide range of options. It could simply establish a power to derogate from free movement rules, leaving the details to be agreed afterward. This would probably not be enough to satisfy the critics of free movement in the UK, who would question whether the limitations would ever actually be put in place.
It could, as Cameron has suggested, provide for an ‘emergency brake’ on the numbers of people. Some have compared this to the ‘emergency brakes’ already in the Treaty regarding the adoption of legislation in some areas, such as criminal law and social security. As a limitation on a substantive right, it should better be described as a safeguard clause. But let’s stick with Cameron’s phrase, to avoid any confusion.

There are prior examples of such clauses. One good example is the agreement between the EU and Norway, Iceland and Liechtenstein on the extension of the common market to those states – the European Economic Area (EEA) treaty.

That treaty allows safeguard measures to be taken unilaterally, if there are ‘serious economic, societal or environmental difficulties of a sectorial or a regional nature’ which are ‘liable to persist’. Those measures must be proportionate to the problem in question. A party which wants to invoke this clause must inform the other parties and consult with them, and wait one month after the notification before implementing them. The other parties can reciprocate with ‘proportionate rebalancing measures’. As far as I know, this clause has never been invoked.

Another example is the accession treaties with newer Member States. The  transitional clauses in these treaties permit the free movement of workers to be suspended during the transitional period of seven years after accession, if a Member State ‘undergoes or foresees disturbances on its labour market which could seriously threaten the standard of living or employment in a given region or occupation’. Its intention must be approved by the Commission, but any Member State could appeal the Commission’s decision to the Council, which can overturn it by qualified majority. This provision has been used by Spain.
The latter limitation is the best template for any new provisions, since it relates specifically to the free movement of workers. Of course, this begs the question as to whether any Treaty renegotiation should only permit limitations as regards workers, or other categories of persons as well. If the limits only apply to workers, what happens if a person enters as a student, and then gets a part-time job or drops out and seeks employment? Equally, how to count a family member of an EU citizen who was not economically active when he or she entered the country (or who was born there), but who looks for a job later on?  
There’s no need to follow the existing template exactly, of course. The notion that the Commission and/or Council is in charge of invoking the derogation might be a difficult ‘sell’ in the UK, for instance. Having said that, even if the Commission or Council has no role in approving the decision, the Commission would be able to challenge the use of the clause by means of an infringement action; equally the invocation of the safeguard could be challenged in the national courts.
Furthermore, other Member States might want the rules on invoking the derogation to be more precise, for instance referring to increased movement and/or rates of unemployment and lower rates of growth. There might be a rule on proportionality (as in the EEA provision). 
More radical suggestions are that Member States should be allowed to apply a points system for EU immigration, or apply immigration quotas (as suggested by Boris Johnson). Such approaches would entirely destroy the idea of free movement, and so are unlikely to be accepted by other Member States. After all, why should they sign up to a Treaty amendment which would effectively mean that (as far as free movement of people is concerned) the UK is not a member at all? What advantage does that have (for them) as compared to letting the UK leave the EU?
Other issues

David Cameron has also suggested changing the rules on ‘ever closer union’. There’s useful wording on this issue in the June European Council conclusions which could simply be inserted into the Treaties. As for equal treatment of non-eurozone States (another Cameron bugbear),the UK’s concerns on this front could also be addressed by amending the special Council voting rules, or by adapting the wording of the clauses governing the use of enhanced cooperation in the Treaties.
More generally, any Treaty amendments which the UK requests would raise questions of the quid pro quo that should be offered in return. Possibly, any use of the free movement derogation would trigger an obligation to make payments into the unemployment or welfare systems of other Member States, and the protection for non-eurozone States would have to be accompanied by treaty amendments permitting those States to go ahead more easily with further integration among themselves.

What should pro-Europeans do?
The initial reaction from pro-Europeans to any and all suggestions that free movement rules should be changed is to defend the status quo. In principle, this is understandable. Personally, I agree with the free movement of people: in the words of Rene Zellweger, the idea ‘had me at “hello”’. Objectively, there are sound economic reasons to support the concept.

However, as democrats we cannot simply ignore the widespread public concern about free movement. Pro-Europeans should therefore support some form of reform of the free movement rules – either the legislative amendments described above, or a limited possibility for an emergency brake.  Simply refusing to accept any change will allow the real enemies of free movement (and the EU more generally) to paint pro-Europeans as undemocratic elitists.
Some might argue that pro-Europeans should not in any way accept the arguments being made by Nigel Farage, given the racist and misogynistic attitudes of some members and supporters of the UK Independence party. But that’s not a reason to resist any reform of free movement law. Exactly the opposite: it’s the reason to embrace reform. A pro-European case can be made for limited legislative reform, or the imposition of a safeguard clause in exceptional circumstances, which keeps intact the core free movement rules. That way, pro-Europeans can still make the case for the value of these rules, while responding to public concern about those rules. A refusal to accept any reform increases the risk that there will soon be no free movement (and no EU membership) at all. Free movement of people, and the UK’s membership of the European Union, cannot be sustained without democratic consent.  

 
Barnard & Peers: chapter 2, chapter 13

Wednesday, 15 October 2014

The proposed General Data Protection Regulation: suggested amendments to the definition of personal data


Douwe Korff, Professor of International Law
I.                    Background

In a recent judgment (discussed previously on this blog) the third chamber of the CJEU has ruled that the concept of "personal data" in the 1995 data protection (DP) directive is limited to data directly relating to a person, and does not include legal analyses in the file on the person, on which the state (NL) relied in taking its decisions in relation to that person (Joined Cases C-141/12 and C-372/12). I believe the Court’s restriction of the concept is wrong and contrary to the intended purpose of data protection; and should be corrected in the new General Data Protection Regulation.

First of all, the Court based itself on the, in my opinion erroneous, view that the 1995 EC DP Directive was solely aimed at protecting privacy. In particular, it felt that the right of data subjects to access to their personal data should not extend to a legal analysis of their case, contained in a file on them, because (in the Court’s view) such an analyses “is not in itself liable to be the subject of a check of its accuracy by [a data subject]”, and data subjects should not be able to use data protection to seek a rectification of such an analysis (cf. para. 44 of the judgment).

Secondly, the Court also relied on the fact that data of the kind at issue in the joined cases was administrative data held by a public authority and, drawing a parallel with EU regulations on privacy and access to documents, held that access to the legal analysis should be addressed under the latter rules rather than the former. This failed to take into account the fact that the EU rules referred to apply only to public (i.e., EU) bodies, whereas the 1995 DP Directive applies also, and in indeed especially, to private-sector bodies (in particular companies) that are not subject to public-sector rules on access to administrative data.

The Court’s judgment, in sum, seriously limits the concept of personal data and the right of access to one’s personal data, and thus seriously limits the application of the entire EU data protection regime. It leaves individuals with seriously less rights in respect of data on them (or relating to them, or used to take decisions on them, or that affect them) than was previously thought.

Specifically,the judgment runs directly counter to the authoritative 2007 Article 29 Working Party (WP) Opinion on the concept of personal data (Opinion 4/2007, WP136, of 20 June 2007). This first of all noted that the purpose of data protection is not limited to a narrow concept of privacy – as is indeed also clear from the fact that data protection is guaranteed in the Charter of Fundamental Rights (CFR) as a separate right, sui generis, from the right to private life/privacy (data protection is guaranteed in Article 8 CFR; Privacy in Article 7 CFR). Astonishingly, given that the WP29 is expressly charged with providing guidance on the interpretation and application of the 1995 DP Directive, the Court did not even mention either the Working Party or this specific opinion.

In the opinion, the Working Party discussed four elements of the definition, from which it deduces the appropriate criteria for determining whether data should be regarded as personal data within the meaning of the directive. They can be paraphrased as follows:

-                      The first element: “any information”:

The WP concludes that these words indicate that the concept of personal data should be interpreted broadly, and not limited to matters relating to a person’s private and family life stricto senso (as has wrongly been done in the UK under the Durant decision, and as appears to also underpin the Court’s judgment). It also covers information in any form, including documents, photographs, videos, audio and biometric data, body tissues and DNA.

-                      The second element: “relating to”:

In general terms, information can be considered to “relate” to an individual when it is about that individual. However, data about “things” can also be personal data, if the object in question is closely associated with a specific individual (e.g., mobile phone location data). This is of increasing importance in the era of the Internet of Things. Important in relation to the CJEU judgment, the WP29 adds the following consideration, with reference to an earlier opinion, on radio frequency identification (RFID) tags, WP105 of 19 January 2005 (original italics and bold; underlining added):

In the context of discussions on the data protection issues raised by RFID tags, the Working Party noted that "data relates to an individual if it refers to the identity, characteristics or behaviour of an individual or if such information is used to determine or influence the way in which that person is treated or evaluated."
...
[I]n order to consider that the data “relate” to an individual, a "content" element OR a "purpose" element OR a "result" element should be present.
The “content” element is present in those cases where - corresponding to the most obvious and common understanding in a society of the word "relate" - information is given about a particular person, regardless of any purpose on the side of the data controller or of a third party, or the impact of that information on the data subject.
...
Also a "purpose" element can be responsible for the fact that information "relates" to a certain person. That “purpose” element can be considered to exist when the data are used or are likely to be used, taking into account all the circumstances surrounding the precise case, with the purpose to evaluate, treat in a certain way or influence the status or behaviour of an individual.
...
A third kind of 'relating' to specific persons arises when a "result" element is present. Despite the absence of a "content" or "purpose" element, data can be considered to "relate" to an individual because their use is likely to have an impact on a certain person's rights and interests, taking into account all the circumstances surrounding the precise case. It should be noted that it is not necessary that the potential result be a major impact. It is sufficient if the individual may be treated differently from other persons as a result of the processing of such data.
...
These three elements (content, purpose, result) must be considered as alternative conditions, and not as cumulative ones. In particular, where the content element is present, there is no need for the other elements to be present to consider that the information relates to the individual. A corollary of this is that the same piece of information may relate to different individuals at the same time, depending on what element is present with regard to each one. The same information may relate to individual Titius because of the "content" element (the data is clearly about Titius), AND to Gaius because of the "purpose" element (it will be used in order to treat Gaius in a certain way) AND to Sempronius because of the "result" element (it is likely to have an impact on the rights and interests of Sempronius). This means also that it is not necessary that the data "focuses" on someone in order to consider that it relates to him. ...
The “legal analyses” that the CJEU ruled were not personal data are clearly covered by the above: they are the very basis on which the data subjects in questions (asylum seekers) were “treated” and “evaluated”. To apply the reasoning of the Working Party: they determine whether Titius should be treated the same way as Gaius or not; and they may also have an impact on the rights and interests of Sempronius.
This is also crucially important in relation to “profiles”. Under the judgment, states and companies could argue that individuals should also not have a right to challenge the accuracy of a profile, any more than the accuracy of a legal analysis; and that, indeed, they are not entitled to be provided on demand with the elements used in the creation of a profile. After all, a profile, by definition, is also based on an abstract analysis of facts and assumptions not specifically related to the data subject – although both are of course used in relation to the data subject, and determine the way he or she is treated.
In my opinion, the above is the most dangerous limitation flowing from the Court’s judgment.
-                      The third element: “identified or identifiable”:
Although this issue did not arise in the CJEU cases, it is still crucial, in particular in relation to the ever-increasing and ever-more-widely-available massive sets of “Big Data”. In the opinion of the WP, the core issue is whether a person is, or can be, singled out from the data, whether by name or not. A name sometimes suffices for this, but often not, while a photograph or an identity number often does allow such singling out even if no other details of the person are known. In relation to pseudonymised or supposedly anonymised data, the WP concluded (with reference to the recitals in the 1995 directive) that the central issue is whether the person can be identified (singled out), whether by the data controller or by any other person, “taking account of all the means likely reasonably to be used either by the controller or by any other person to identify that individual.
-                      The fourth element: “natural person”:
In principle, personal data are data relating to identified or identifiable living individuals. There are some issues relating to data on deceased persons and unborn children: these can often still (also) relate to living individuals, in the way discussed above, and would then still be personal data in relation to those latter individuals. Data on legal entities can sometimes also, similarly, relate to living individuals associated with those entities. Also, in some contexts some data protection rights are expressly extended to legal persons (companies etc.) per se, in particular under the so-called “e-Privacy Directive”. But that is a special case. This too, however, was not an issue relevant to the CJEU judgment.

Until the CJEU judgment, it could be assumed that as long as the General Data Protection Regulation used the same definition of personal data as the 1995 DP Directive, the above elements and criteria could simply be read into the new instrument.

However, the judgment could result in the definition in the GDPR being read in accordance with the Court’s restricted views, rather than in line with the WP29 guidance.

In my opinion, if the EU wishes to retain a strong European data protection framework, as is often asserted, it is essential that the GDPR expressly (if of course briefly) endorses the WP29 view of the issue, rather than the CJEU’s one.

Below, I suggest amendments to the definition of the concept of personal data in the GDPR that would achieve that (some further amendments should be made to the recitals).
II.                  Proposed amendments to the GDPR
As can be seen from the Annexes, with the different definitions of personal data and data subject in the Commission text of the GDPR and in the amended version of the Regulation adopted by the EP (and with the corresponding definitions in the current 1995 DP Directive), the definitions all say in essence that:

'personal data' means any information relating to a data subject (with ‘data subject’ then defined as “an identified or identifiable natural person”), or:
'personal data' means any information relating to an identified or identifiable natural person -
which comes to the same thing (and is in accordance with the current directive).

The EP text adds clarification on when a person can be regarded as “identifiable”, on the lines of the views of the Article 29 Working Party (drawing on a recital in the current directive); and more specific provisions on “pseudonymous data” and “encrypted data”.

However, neither text adds clarification on the question of when data can be said to “relate” to a (natural, living) persons – which is the issue so badly dealt with in the CJEU judgment.

I propose that the definition of “personal data” in the GDPR be expanded to expressly clarify the question of when data can be said to “relate” to a person, by drawing on the guidance of the Article 29 Working Party set out above; and by also expressly clarifying that “profiles” always “relate” to any person to whom they may be applied. Specifically, I propose that an additional paragraph be added to Article 2(2), spelling out that:

“data relate to a person if they are about that person, or about an object linked to that person; or if the data are used or are likely to be used for the purpose of evaluating that person, or to treat that person in a certain way or influence the status or behaviour of that person; or if the use of the data is likely to have an impact on that person's rights and interests. Profiles resulting from ‘profiling’ as defined in [Article 20 in the Commission text/Article 4(3a) of the EP text] by their nature relate to any person to whom they may be applied.”

The Annexes indicate more specifically how such an amendment could be incorporated into the current (Commission and EP) texts of the Regulation.


Annex I

PROPOSED AMENDMENTS TO ARTICLE 4 OF THE GENERAL DATA PROTECTION REGULATION:

(Added or amended text in bold)

The proposed amendments if applied to the Commission text:

(1)        'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

(2)        'personal data' means any information relating to a data subject;

(2a)      data relate to a person if they are about that person, or about an object linked to that person; or if the data are used or are likely to be used for the purpose of evaluating that person, or to treat that person in a certain way or influence the status or behaviour of that person; or if the use of the data is likely to have an impact on that person's rights and interests. Profiles resulting from ‘profiling’ as defined in Article 20 by their nature relate to any person to whom they may be applied.

The proposed amendments if applied to the EP text:

(2)        'personal data' means any information relating to an identified or identifiable natural person ('data subject');

(2a)      an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person;

(2b)     data relate to a person if they are about that person, or about an object linked to that person; or if the data are used or are likely to be used for the purpose of evaluating that person, or to treat that person in a certain way or influence the status or behaviour of that person; or if the use of the data is likely to have an impact on that person's rights and interests. Profiles resulting from ‘profiling’ as defined in paragraph (3a) by their nature relate to any person to whom they may be applied.

(2c) 'pseudonymous data' means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution;

(2d) ‘encrypted data’ means personal data, which through technological protection measures is rendered unintelligible to any person who is not authorised to access it;

NB: The actual Commission and EP texts are set out in Annex II


Annex II 

The definition of “personal data” in the original Commission text of the GDPR and in the amended version of the Regulation adopted by the European Parliament:

Text proposed by the Commission
Amendment
Definitions
Definitions
For the purposes of this Regulation:
For the purposes of this Regulation:
(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

(2) 'personal data' means any information relating to a data subject;
(2) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person;

(2a) 'pseudonymous data' means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution;

(2b) ‘encrypted data’ means personal data, which through technological protection measures is rendered unintelligible to any person who is not authorised to access it;

Cf. the following definition in the current 1995 DP Directive:
(a) 'personal data 'shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

Child abduction: a further extension of EU exclusive external powers




Steve Peers

It's every parent's worst nightmare: the abduction of their child. If the child is abducted by a stranger, there's obviously a grave threat to the child. But it's far more common for a child to be abducted by a parent who doesn't have custody of him or her, in the context of family law proceedings.

While it's fortunately much less likely that a parent is a threat to a child's welfare, such abductions are still problematic, since they are a breach of court decisions regarding custody. And if the child is taken to another country by the abducting parent, it is far harder for the parent with custodial rights to enforce them. Sometimes, the latter parent doesn't even get to see his or her children for years.

To address this problem, the Hague Conference (an international body) drew up an international treaty, the Hague Convention on the civil aspects of child abduction, back in 1980. All the EU Member States are party to this treaty. In fact, a total of 93 countries have ratified it. According to the latest available statistics, in 2008 the Convention was applied about 2300 times. Two-thirds of the parents taking children were the mothers, and the average age of the abducted children was six. 

Indeed, the very popularity of the Convention was at the heart of a dispute over the EU’s external power regarding it, which was resolved yesterday by the CJEU (Opinion 1/2013). This judgment concerned new States signing up to the Convention, which has an unusual rule on accession: it only applies to new States which ratify it to the extent that the existing signatories individually agree to this.

The EU is not itself a party to the treaty, and it can't be, since the treaty only permits States to be parties. But in the years since the treaty was drawn up, the EU has adopted legislation which addresses child abduction issues (Regulation 2201/2003). So arguably this means that the EU has external competence as regards the subject matter of the Convention, and Member States are only 'trustees' of that power.  In practice, that means that Member States cannot decide unilaterally whether to extend the Convention to new countries or not.

The Commission, believing that this interpretation was correct, proposed in 2011 that the Council adopt eight separate decisions permitting Member States to extend the Convention to third States, including Russia, Albania and Morocco. Most Member States disagreed. So the Commission invoked the special procedure set out in Article 218 TFEU, which allows the CJEU to decide on whether an envisaged international agreement would be in conformity with EU law.

Judgment

The CJEU had to address four arguments against the admissibility of this case.  First of all, the Court ruled that the decision on accession of a new State to the Convention was an 'agreement'. Secondly, it ruled that the impossibility of the EU itself becoming party to the Convention was irrelevant. As it had ruled before, it has jurisdiction under Article 218 TFEU even in 'trusteeship' cases.

Thirdly, the Court ruled that an agreement could still be considered as being 'envisaged' even if a large majority of the Member States in the Council were opposed to it, making its adoption improbable politically. Finally, the Court decided that it was irrelevant that a number of Member States had gone ahead and agreed to extend the Convention to the third States concerned. The possibility that the Commission could have sued those Member States for infringing EU law didn't stop the Commission from invoking the special jurisdiction of Article 218 TFEU.

As for the substance of the case, 19 Member States opposed the Commission view that the EU had external competence in this case. Only the European Parliament, along with Italy, supported the Commission. Nevertheless, the Court agreed with the Commission.

The Court began by noting that the EU has external competence not only when the Treaties expressly provide for it, but also when this is necessary to realise the internal objectives of the EU, even if the Treaties don't make express provision for this. Indeed, the Court stated that Article 216 TFEU now sets out this rule. In this case, the EU competence existed merely because Article 81(3) TFEU gives the EU internal power to adopt legislation on family law matters with cross-border implications.

However, the bigger issue is whether such competence is exclusive, or merely shared with the Member States. On this point, the Court reaffirmed that the EU would enjoy exclusive competence, as set out in its prior case-law and Article 3(2) TFEU, where an international treaty was liable to affect common EU rules or alter their scope. This was the case when the treaty fell within an area which was largely covered by the EU rules.

Applying that law to the facts, the main provisions of the Convention, dealing with return of the child and the right to visit a child, were also the subject of rules in the Regulation. There was a risk that patchwork extension of the treaty to third States by Member States would complicate application of the EU legislation, particularly where a dispute concerned a third State and two Member States, each of which had taken a different view on extending the treaty to the relevant third State. So it followed that the EU had exclusive external competence regarding the extension of the Convention to new countries. 

Comments

The Court’s judgment raises three issues: its impact upon child abduction in practice; the substantive scope of the EU’s external competence generally; and the process of litigating disputes about that competence.

On the first point, fortunately for the children concerned, the dispute regarding the EU’s external competence in this case doesn’t appear to have prevented Member States from extending the Convention to new countries in practice. However, since the new judgment resolves the issue, the Council now needs to move forward quickly to adopt the Commission’s earlier proposals (on family law issues, the Council votes unanimously, after consulting the European Parliament). Also, seven more States have ratified the Convention in the meantime, including Japan and Korea (see the full list of signatories here), so the Commission needs to propose further such measures straight away. A failure to act quickly will run the risk that a parent who has abducted a child to Russia (for example) might try to argue against the enforcement of a ruling issued by a Member State’s court on the return of a child, on the grounds that the Member State’s extension of the Convention to Russia was illegal.

The Court’s ruling also means that any amendment of the Convention in future will also fall within the scope of the EU’s exclusive external competence. This isn’t a purely hypothetical possibility, as there was some contemplation of a protocol to the Convention a few years ago (for the details, see here).  So it’s now clear that Member States will have to act together, or not at all, as regards any amendment to the Convention, and any extension of it to new countries.

As regards the EU’s external competence, there are two issues: the existence and nature of that competence. In fact, this is the first CJEU judgment since the entry into force of the Treaty of Lisbon which touched upon the existence of such competence. The Court’s judgment appears to assume that Article 216 TFEU simply reflects the prior case law; this issue had been debated in literature. And according to the Court, external competence exists where there is an internal legal base and the EU has adopted legislation on the subject in question. The Court didn’t rule on whether the existence of legislation on an issue was necessary before the EU could exercise its external competence. But on the facts of the case, it didn’t have to address that issue.

Moving on to the nature of the EU’s external competence, the Court’s ruling is not very surprising, following the pre-Lisbon judgment on the exclusivity of the EU’s external competence over civil jurisdiction issues (Opinion 1/03), and more recently the broadcasting rights judgment, confirming and elaborating a broad approach to finding that EU external competence is exclusive. In fact, EU exclusive competence as regards the child abduction Convention is more self-evident than as regards the planned broadcasters’ rights Convention, given that the two main aspects of the child abduction Convention clearly correspond to provisions of an EU Regulation, which moreover expressly incorporates or supplements some aspects of the Convention.

Finally, as regards the procedural aspects of this case, all four aspects of the Court’s ruling (the definitions of ‘agreement’ and ‘envisaged’, the application to ‘trusteeship’ cases and the relationship with infringement actions) take a broad approach to the scope of its jurisdiction pursuant to Article 218 TFEU. In effect, it’s now clear that all the Commission needs to do in order to trigger the possible use of Article 218 is to make a proposal for an external relations decision by (or on behalf of) the EU to the Council. Even if that proposal is ‘dead on arrival’ in the Council (as in this case), to the extent that Member States ignore the Commission’s proposal and begin ratifying the relevant treaty (or taking other external action) themselves, the Commission can still invoke the Court’s jurisdiction under Article 218. That special jurisdiction only ceases to apply if the Council approves the treaty concerned on the EU’s behalf, and the treaty then binds the EU. This precisely won’t ever be the case if the Council rejects the Commission’s proposal at the outset.

Having said that, the Court’s judgment does appear to draw a distinction between legal and political reasons for rejecting a Commission proposal, stating that in this case, the case was admissible because the Council’s reasons for rejection were purely legal. What if its objections were political – or both legal and political? And how can one tell the difference between those grounds?

Furthermore, does this reasoning also apply to the European Parliament? It has no veto right over family law treaties, but it does over most treaties concluded by the EU. The Commission passed up a chance to clarify this issue when it withdrew its request for a CJEU Article 218 ruling as regards the controversial Anti-Counterfeiting Trade Agreement, after the EP refused its consent to that treaty on political grounds. Arguably, the legal questions remain relevant even if a treaty has been rejected by either the Council or the EP on political grounds; but the Commission surely shows good judgment by accepting the political decision of either branch of the EU’s legislature and withdrawing applications for a Court ruling in such circumstances.


Barnard & Peers: chapter 24

Friday, 10 October 2014

Doktor U? The CJEU reconciles the right to a name with passport security



Steve Peers

Many people have a fluid sense of their personal identity. But this is anathema from the perspective of law enforcement bodies, who seek to fix individual identity in order to ensure certainty about each person they are collecting information on.

The CJEU had to reconcile these two conflicting principles in last week’s judgment in U. This was one of four separate CJEU judgments that week where the plaintiff was designated by a letter only (the others were E, Q and X). In my view, it’s long past time for the Court to borrow a good idea from journalism, and simply give the people in question assumed names. That’s because it’s harder to understand and recall a case which is designated by letters only, especially where the same letters are reused by the Court in other cases in the same field (such as asylum).

In particular, it’s confusing to use an initial only for the U case, because the whole point of the case is the designation of names. In fact, under German law Mr. U is also entitled to use ‘Doktor’ as part of his name. This makes it hard to resist the temptation to call him ‘Doktor U’. So I won’t resist it at all.
  
The judgment

Doktor U had the birth name ‘E’, but his official surname is now U. The German authorities placed in his passport that his name was ‘Dr. U, GEB E’. The ‘GEB’ stands for the German word ‘geboren’ (meaning ‘born’). In practice, this led to confusion about what his actual name was. So he challenged the authorities’ decision in the German courts, which asked the CJEU to interpret the EU’s passport security Regulation and the EU Charter of Rights.

According to the CJEU, first of all the EU legislation requires all passports to apply the recommendations of the ICAO on document security. This is an interesting example of EU law importing international soft law by reference (on the implications of this for EU external relations, see this week’s judgment in Germany v Council).

Secondly, the Court ruled that a Member State had flexibility to designate a person’s birth name as part of his name on a passport, even though the ICAO rules refer to national law, and the relevant German law on fixing of names (as distinct from the law on passports) does not include birth names as part of a person’s name. The rationale here was the interest of document security, which favoured the use of a fixed element (the name at birth).

Thirdly, the Court ruled that the birth name could not be included in the optional section of the passport. Finally, interpreting the Charter, it ruled that the right to a name, which forms part of the right to a private life set out in Article 7 of the Charter, means that any use of a birth name on a passport had to be clearly indicated. The abbreviation ‘GEB’ was not translated, so could not be comprehended by the authorities of other countries and was liable to lead to practical complications for the passport holder.  

Comments

It might be hard for some Germans to admit it, but their country’s enormous influence in the EU political system has not been accompanied by any predominance of the German language, either inside or outside the EU. So the insistence of a peculiar approach to inscribing names on passports, coupled with an absence of translation, will inevitably lead to complications for those German citizens whose name has changed since birth.

The CJEU goes some way to addressing that problem in this judgment, when it requires the German authorities to make it clear to the non-German speakers who make up most of the rest of the world that Doktor U’s birth name is just that, and that he now goes by a new name.  At least this will reduce the confusion about his name that the good Doktor experiences in practice.

But the Court could have gone much further. Doktor U didn’t merely want to reduce confusion about his current name; he wanted to be known only by his current identity. After all, his fictional namesake has not disclosed his Gallifreyan birth name in 50 years of screen time (or thousands of years in narrative time). And unlike that time-travelling Doctor, the real Doktor U has presumably not regenerated his body many times over, with consequent complications for using his passport.

While the Court was right to say that the EU legislation requires the application of ICAO soft law, it did not acknowledge the great ambiguity in those rules. Indeed, it is striking that the Advocate-General’s opinion arrives at precisely the opposite interpretation of them. The objective of ensuring passport security could still have been achieved by providing a precise record of Doktor U’s current identity. And the Court would have surely reached this conclusion if it had performed in this case – as it always ought to do – an assessment of whether the interference in Doktor U’s right to his private life was proportionate and necessary.



Barnard & Peers: chapter 9, chapter 26