June 18, 2021
Compliance: at the moment
📧 COMPLIANCE: LAW IS SLOW, BUT FIRM. BY ITS JUDGMENT OF JUNE 15, 2021, "FACEBOOK", THE EUROPEAN UNION COURT OF JUSTICE WIDELY INTERPRETS THE POWER OF NATIONAL AUTHORITIES SINCE IT SERVES THE PROTECTION OF PEOPLE IN THE DIGITAL SPACE
► Law is slow, but firm. By its judgment of June 15, 2021, Facebook , the European Union Court of Justice widely interprets the powers of National Authorities, since they serve the people protection in the digital space (➡️📝(CJEU, June 15, 2021, Facebook).
Law is slow. The reproach is so often made. But the bottom line is that, in the noise of changing regulations, it establishes clear and firm principles, letting everyone know what to stand for. The more the world is changing, the more Law is required.
When Law degenerates into regulations, then it is up to the Judge to make Law. "Supreme Courts" appear, de jure as in the United States, de facto as in the European Union by the Court of Justice of the European Union which lays down the principles, before everyone else, as it did for the "right to be forgotten" in 2014 (➡️📝CJEU, Google Spain, May 13, 2014), and then with the impossibility of transferring data to third countries without the consent of the people concerned (➡️📝CJEU, Schrems, October 6, 2015).
Facebook litigation is kind of a novel. The company knows that it is above all to the Courts that it speaks. In Europe, it is doing it behind the walls of the Irish legal space, from which it would like to be able not to leave before better dominating the global digital space, while national regulatory authorities want to take it to protect citizens.
There is therefore a technical question of "jurisdictional competence". The texts have provided for this, but Law is clumsy because it was designed for a world still anchored in the ground: the GDPR of 2016 therefore organizes cooperation between national regulatory authorities through a "one-stop-shop", forcing the authorities to relinquish jurisdiction so that the case is only handled by the "lead" National Authority. This avoids splintering and contradiction. But before the adoption of the GDPR, the Belgian data protection regulator had opened a procedure against Facebook concerning cookies. The "one-stop-shop" mechanism, introduced in 2016, is therefore only mentioned before the Brussels Court of Appeal, which is asked to relinquish jurisdiction in favor of the Irish Regulatory Authority, since the company has in Europe its head office in this country. The Court of Appeal referred to the CJEU for a preliminary ruling.
By its judgment of June 15, 2021 (➡️📝CJUE, Facebook, June 15, 2021), it follows the conclusions of its Advocate General and maintains the jurisdiction of the Belgian National Regulator because, even after the GDPR, the case still undergoes national treatment. In this decision, the most important is its reasoning and the principle adopted. The Court notes that the "one-stop-shop" rule is not absolute and that the national regulatory authority has the power to maintain its jurisdiction, in particular if cooperation between national authorities is difficult.
Even more, will it not one day have to adjust Law more radically? We need to consider the fact that the digital space is not bound by borders and that the ambition of "cross-border cooperation" is ill-suited. It is of course on this observation of inefficiency, consubstantial with the digital space, that the European Public Prosecutor's Office (EPPO) was designed and set up, which is not a cooperation, nor a "one-stop shop", but a body of the Union, acting locally for the Union, directly linked to Compliance concerns (➡️📝Frison-Roche, M.-A. "The European Public Prosecutor's Office is a considerable contribution to Compliance Law", 2021 and ., European Public Prosecutor's Office comes on stage: the company having itself become a private prosecutor, are we going towards an alliance of all prosecutors ?, 2021).
So that's what we should be inspired by.
Nov. 1, 2020
Newsletter MAFR - Law, Compliance, Regulation
Full reference: Frison-Roche, M.-A., Due process and Personal Data Compliance Law: same rules, one Goal (CJEU, Order, October 29, 2020, Facebook Ireland Ltd v/ E.C.), Newsletter MAFR - Law, Compliance, Regulation, 1st of November 2020
Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation
Summary of the news:
As part of a procedure initiated for anti-competitive behaviors, the European Commission has three times requested, between the 13th of March and the 11th of November 2019, from Facebook the communication of information, reitarated in a decision in May 2020.
Facebook contests it alleging that the requested documents would contain sensitive personal information that a transmission to the Commission would make accessible to a too broad number of observers, while "the documents requested under the contested decision were identified on the basis of wideranging search terms, (...) there is strong likelihood that many of those documents will not be necessary for the purposes of the Commission’s investigation".
The contestation therefore evokes the violation of the principles of necessity and proportionality but also of due process because these probatory elements are collected without any protection and used afterwards. Moreover, Facebook invokes what would be the violation of a right to the respect of personal data of its employees whose the emails are transferred.
The court reminds that the office of the judge is here constraint by the condition of emergency to adopt a temporary measure, acceptable by the way only if there is an imminent and irreversible damage. It underlines that public authorities benefit of a presumption of legality when they act and can obtain and use personal data since this is necessary to their function of public interest. Many allegations of Facebook are rejected as being hypothetical.
But the Court analyzes the integrality of the evoked principles with regards with the very concrete case. But, crossing these principles and rights in question, the Court estimates that the European Commission did not respect the principle of necessity and proportionality concerning employees' very sensitive data, these demands broadening the circle of information without necessity and in a disproportionate way, since the information is very sensitive (like employees' health, political opinions of third parties, etc.).
It is therefore appropriate to distinguish among the mass of required documents, for which the same guarantee must be given in a technique of communication than in a technic of inspection, those which are transferable without additional precaution and those which must be subject to an "alternative procedure" because of their nature of very sensitive personal data.
This "alternative procedure" will take the shape of an examination of documents considered by Facebook as very sensitive and that it will communicate on a separate electronic support, by European Commission's agents, that we cannot a priori suspect to hijack law. This examination will take place in a "virtual data room" with Facebook's attorneys. In case of disagreement between Facebook and the investigators, the dispute could be solved by the director of information, communication and medias of the Directorate-General for Competition of the European Commission.
We can draw three lessons from this ordinance:
Sept. 9, 2020
Newsletter MAFR - Law, Compliance, Regulation
Full reference: Frison-Roche, M.-A., Freedom&Media: when Italian Media Regulation's real "goal" is not Pluralism Protection, Freedom of Establishment prevails (CJEU, 3 Sept.2020,Vivendi), Newsletter MAFR - Law, Regulation, Compliance, 9th of September 2020
Read by freely subscribing other news of the Newsletter MAFR - Law, Regulation, Compliance
Summary of the news
The media sector is organized on an equilibrium between the principle of competition and other concerns like information pluralism. Generally, competition Law by making market accessible to many competitors ensures information pluralism. But, this is not the case if an operator get an excessive market power, running risk not only for competition but also for information pluralism. It is the reason why the Italian legal system forbids the constitution of an operator gathering more than 40% of the total income generated by the media sector or more than 10% of the total income generated by the Italian communication sector.
In 2016, Vivendi, a French media group, got more than 28% of the Mediaset Group's actions and around 30% of its voting right. The Italian communication regulation authority sized by Mediaset demands in 2017 to Vivendi to ends its participations in the group Mediaset. Vivendi contested this decision before the regional administrative court which referred to the Court of Justice of the European Union in order to know if freedom of establishment can legitimately be discarded in favor of information pluralism in this concrete case. The Court of Justice answered, in a decision of 3rd of September 2020, that the restriction of the freedom of establishment can in principle be justified by a general interest objective such as information pluralism protection but that in this concrete case, this is not justified because the fact that a firm is committed in the transmission of contents does not necessarily give it the power to control the production of such contents.
We can learn three lessons form this case:
June 27, 2018
Thesaurus : Doctrine
Référence complète : Potvin-Solis., L., Le dialogue entre la Cour européenne des droits de l'homme et la Cour de justice de l'Union européenne dans dans la garantie des droits fondamentaux, in Mélanges en l'honneur de Frédéric Sudre, Les droits de l'homme à la croisée des droits, LexisNexis, 2018, pp. 591-602.
Les étudiants de Sciences-Po peuvent consulter l'article via le Drive, dossier "MAFR- Régulation & Compliance".