Skip to main content

The ‘Europeanisation’ of Data Protection Law

  • Orla LYNSKEY (a1)

EU data protection law has, to date, been monitored and enforced in a decentralised way by independent supervisory authorities in each Member State. While the independence of these supervisory authorities is an essential element of EU data protection law, this decentralised governance structure has led to competing claims from supervisory authorities regarding the national law applicable to a data processing operation and the national authority responsible for enforcing the data protection rules. These competing claims – evident in investigations conducted into the data protection compliance of Google and Facebook – jeopardise the objectives of the EU data protection regime. The new General Data Protection Regulation will revolutionise data protection governance by providing for a centralised decision-making body, the European Data Protection Board. While this agency will ensure the ‘Europeanisation’ of data protection law, given the nature and the extent of this Board’s powers, it marks another significant shift in the EU’s agency-creating process and must, therefore, also be considered in its broader EU context.

Hide All

1 European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/23.

2 Opinion of AG Jääskinen in Google Spain, C-131/12, EU:C:2013:424, para 13.

3 Leveson, Lord Justice, An Inquiry into the Culture, Practices and Ethics of the Press (London, 2012), p 999 .

4 European Union (EU), Treaty of Lisbon Amending the Treaty on European Union and the Treaty establishing the European Community [2007] OJ C306/01. Art 16, TFEU (EU, Consolidated Version of the Treaty on the Functioning of the European Union [2010] OJ C83/47).

5 Koops, BJ, ‘The Trouble with European Data Protection Law’ (2014) 4 International Data Privacy Law 250 .

6 Volker und Markus Schecke and Hartmut Eifert, Joined Cases C-92/09 and C-93/09, EU:C:2010:662. Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others, Joined Cases C-293/12 and C-594/12, EU:C:2014:238.

7 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.

8 European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’ COM(2012) 11 final.

9 A notable recent addition to this literature is: H Hijmans, The European Union as Guardian of Internet Privacy (Springer, 2016), pp 325–448. For instance, the UK Competition and Markets Authority (CMA) highlights in its report the perceived shift in power between individuals and data controllers (who determine the purposes and means of personal data processing) which respondents to its surveys was, in part, as a result of the ‘lack of effective enforcement of the current regime. CMA, ‘The commercial use of consumer data: Report on the CMA’s call for information’, CMA38, June 2015, p 169, para 5.51. The challenges to data protection enforcement are outlined by the European Data Protection Supervisor (EDPS). EDPS, Preliminary Opinion of the European Data Protection Supervisor, ‘Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy’, March 2014, paras 28 and 29.

10 Art 29 Data Protection Working Party, ‘Statement on the 2016 action plan for the implementation of the General Data Protection Regulation (GDPR)’, WP236, 2 February 2016, p 2.

11 Olsen, JP, ‘The Many Faces of Europeanisation’ (2002) 40(5) Journal of Common Market Studies 921 , p 921.

12 Ibid, p 932.

13 CM Radaelli, ‘Europeanisation: Solution or Problem?’ (2004) 8 European Integration online Papers (EIoP) no 16, p 3.

14 T Risse et al, ‘Europeanisation and Domestic Change. Introduction’ in M Cowles et al (eds), Transforming Europe: Europeanisation and Domestic Change (Cornell University Press, 2001), p 3.

15 See note 1 above, Art 1(1).

16 Ibid, Art 28(1).

17 Bennett, C and Raab, C, The Governance of Privacy: Policy Instruments in Global Perspective (MIT Press, 2006).

18 See note 1 above, Art 28(6).

19 Ibid, Art 28(6).

20 Ibid, Art 28(1).

21 Ibid, rec 62; Art 28(1).

22 Hüttl, T, ‘The content of “complete independence” contained in the Data Protection Directive’ (2012) 2(3) International Data Privacy Law 137 , p 138.

23 Shapiro, M, ‘The problems of independent agencies in the United States and the European Union’ (1997) 4(2) Journal of European Public Policy 276 , p 279.

24 European Commission v Federal Republic of Germany, C-518/07, EU:C:2010:125.

25 Ibid, para 15.

26 Ibid, para 16.

27 Opinion of AG Mazák in European Commission v Federal Republic of Germany, C-518/07, EU:C:2009:694, para 22.

28 Ibid, para 24.

29 Ibid, para 30.

30 Ibid, paras 31–35.

31 See note 24 above, para 19.

32 Ibid.

33 Ibid, para 36.

34 European Commission v Republic of Austria, Case C-614/10, EU:C:2012:631.

35 Ibid, para 43.

36 Ibid, para 48.

37 In an editorial, Kuner et al suggest that it is necessary to consider ‘the complete legal and political structure of a country before determining whether its data protection regulator is independent’ as in some countries a supervisory authority will have more ‘clout’ if situated within rather than outside a government ministry. Kuner, C et al, ‘The Intricacies of Independence’ (2012) 2(1) International Data Privacy Law 1 , p 1.

38 Commission v Hungary, C-288/12, EU:C:2014:237.

39 See note 24 above, para 35.

40 P Schütz, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU Member States’, Conference paper for the 4th Biennial ECPR Standing Group for Regulatory Governance Conference 2012, p 13. See also, Szydło, M, ‘Principles Underlying Independence of National Data Protection Authorities: Commission v. Austria’ (2013) 50(6) Common Market Law Review 1809 , p 1819.

41 Maximillian Schrems v Data Protection Commissioner, C-362/14, EU:C:2015:650, para 41. See also note 24 above, para 25; note 34 above, para 48.

42 See note 40 above, p 1822.

43 Curtin, D, ‘Holding (Quasi-)Autonomous EU Administrative Actors to Public Account’ (2007) 13(4) European Law Journal 523 , p 525. See Schütz note 40 above, p 4.

44 Balthasar, A, ‘“Complete Independence” of National Data Protection Supervisory Authorities – Second Try’ (2013) 9(3) Utrecht Law Review 26 , p 34.

45 Zemánek, J, ‘Case C-518/07, European Commission v. Federal Republic of Germany, Judgment of the Court of Justice (Grand Chamber) of 9 March 2010 ECR I-1885’ (2012) Common Market Law Review 1755 , p 1767.

46 Hijmans, H, The EU as a Constitutional Guardian of Internet Privacy and Data Protection (2016) PhD thesis, University of Amsterdam, p 287 .

47 See note 41 above, para 57.

48 Foto-Frost v Hauptzollamt Lübeck-Ost, C-314/85, EU:C:1987:452.

49 See note 37 above, p 1.

50 See note 24 above, para 28.

51 See note 40 above, p 1818.

52 See note 24 above, para 32.

53 See note 45 above.

54 In Commission v Germany (see note 24 above, para 28) the Court held that the Regulation governing data processing by the EU Institutions and the Data Protection Directive must be interpreted homogenously as they are based on ‘the same general concept’. The Regulation governing data processing by the EU institutions provides the EDPS with a separate budget under the general budget of the EU. See note 34 above, para 58.

55 See note 34 above, para 36; para 29.

56 Schütz, suggests that if supervisory authority officials continue their careers later on in the civil service this may be ‘highly problematic in terms of the staffs’ de facto commitment, orientation and willingness to comply’. See note 40 above, p 14.

57 A notable exception is the UK’s Information Commissioner’s Office (ICO) which is funded through annual notification fees received from data controllers.

58 Edwards, E, ‘Independence of Data Protection Commissioner questioned’ (Irish Times, 28 January 2016).

59 See note 37 above, p 1.

60 Request for a preliminary ruling from the Raad van State (Netherlands), lodged on 24 April 2015 (Case C-192/15) [2015] OJ C236/26.

61 T. D. Rease and P. Wullems v College bescherming persoonsgegevens, C-192/15, EU:C:2015:861.

62 ICO, ‘How we deal with complaints and concerns: a guide for data controllers’, 1 April 2014.

63 Logue, F, ‘Data protection chief must not distance herself from complainants’ (Irish Times, 9 August 2016).

64 Ibid.

65 Art 29 Data Protection Working Party, ‘Statement on the Role of a Risk-based Approach in Data Protection Legal Frameworks’, adopted on 30 May 2014 (WP218), p 3. See Digital Rights Ireland, note 6 above, para 33.

66 See note 1 above, rec 131.

67 See Szydło, note 40 above, p 1825.

68 See note 45 above, p 1762.

69 Ibid above, p 1755.

70 See note 44 above, p 28 fn 9.

71 Bauman, Z and Lyon, D, Liquid Surveillance: A Conversation (Wiley, 2012).

72 See note 38 above, para 39.

73 Ibid, para 40.

74 See Szydło, note 40 above, p 1818.

75 See note 44 above, p 29.

76 Ibid, p 31.

77 See note 41 above, para 40.

78 See note 44 above, p 38.

79 See note 1 above, Art 28(1).

80 Art 41, Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [2001] OJ L8/1.

81 See note 1 above, Art 29(1).

82 Giurgiu, A and Larsen, TA, ‘Roles and Powers of National Data Protection Authorities2016 (3) European Data Protection Law Review 342 , p 344.

83 Art 29 Data Protection Working Party, Letter to Google Inc CEO Larry Page, 2 February 2012, Ref. Ares (2012)123126-02/02/2012.

84 Letter from CNIL President Isabel Falque-Pierrotin to Google Inc CEO Larry Page, 27 February 2012.

85 Art 29 Data Protection Working Party, Letter to Google Inc CEO Larry Page, 16 October 2012.

86 See note 1 above, Arts 10 and 11.

87 Ibid Art 6(b). According to this principle, data must be collected for specific purposes and cannot be processed for other incompatible purposes.

88 Art 29 Data Protection Working Party, Appendix: Google Privacy Policy: Main Findings and Recommendations.

89 For instance, the ICO informed Google that the changes did not comply with the UK Data Protection Act 1998 and Google therefore implemented changes in two stages, while in dialogue with the ICO, to conform to the UK law. ICO, ‘Google to change privacy policy after ICO investigation’, 30 January 2015.

90 Art 29 Data Protection Working Party, Letter to Google Inc CEO Larry Page, 23 September 2014, Ref. Ares(2014)3113072 - 23/09/2014.

91 For a timeline of the Google investigation see note 89 above.

92 ASNEF, C-468/10, EU:C:2011:777, para 29.

93 See note 84 above.

94 The criteria for direct effect (Van Gend en Loos v Administratie der Belastingen, C-26/62, EU:C:1963:1) – that a text is clear, precise and unconditional – are ostensibly difficult to satisfy for the open-textured principles set out in the Directive. However, the Court has recognised the direct effect of vaguely worded provisions of the Directive (Art 6(1)(c) and Art 7(c) and (e)) in Österreichischer Rundfunk and Others, C-465/00, EU:C:2003:294, para 101.

95 See note 1 above, Art 4(1)(a); Art 28(1).

96 Svantesson, D, ‘Article 4(1)(a) “establishment of the controller” in EU data privacy law – time to rein in this expanding concept’ (2016) 6(3) International Data Privacy Law , doi: 10.1093/idpl/ipw013 [first published online 10 August 2016]. Svantesson notes in regard to Article 4 that ‘[n]o one seems to have been quite certain as to exactly what the role of that Article is and how it relates to other provisions; especially how it relates to Article 28 dealing with jurisdiction’.

98 Data Protection Commissioner, ‘Report of Audit – Facebook Ireland Ltd’, 21 December 2011. No documentation on the latter point is available on the website of the Irish Data Protection Commissioner.

99 Essers, L, ‘EU data protection authorities get serious about Facebook’s privacy policy’ (PCWorld, 4 February 2015).

100 SPION and Emsoc, ‘From social media service to advertising network: A critical analysis of Facebook’s revised policies and terms’, 25 August 2015.

101 Commission de la Protection de la Vie Privée, Recommandation n° 04/2015 du 13 mai 2015.

102 Ibid, paras 25–31.

103 Ibid, paras 32–35.

104 Google Spain SL and Google Inc v Agencia Española de Protección de Datos and Mario Costeja González, C-131/12, EU:C:2014: 317, para 60.

105 Fioretti, J, ‘Facebook wins privacy case against Belgian data protection authority’ (Reuters, 29 June 2016).

106 For instance, in its 2014 investigation of the legality of Facebook’s psychological study of users without consent, the ICO stated that it planned to liaise with the Irish Data Protection Commissioner on the matter. K Fiveash, ‘British and European data cops probe Facebook user-manipulation scandal’ (The Register, 1 July 2014). The ICO has also previously stated that it recognises ‘the role of the Irish data protection authority in ensuring Facebook comply with European data protection rules’.

107 Graham, N and Bentham, J, ‘The slow death of EU forum shopping’ (Lexology, 7 August 2015).

108 Wirtschaftsakademie Schleswig-Holstein, C-210/16, [2016] OJ C260/18 (pending).

109 Weltimmo, C-230/14, EU:C:2015:639.

110 Ibid, para 24.

111 Ibid, para 28.

112 Ibid, paras 31 and 32.

113 Ibid, para 57.

114 Verein für Konsumenteninformation v Amazon EU Sàrl, C-191/15, EU:C:2016:612.

115 Ibid, paras 75–78.

116 Ibid, para 81.

117 Opinion of AG Saugmandsgaard Øe in Verein für Konsumenteninformation v Amazon EU Sàrl, C-191/15, EU:C:2016:388.

118 Ibid, para 110.

119 Ibid, para 109.

120 Ibid, para 112.

121 Ibid, para 124.

122 Ibid, para 125.

123 See note 96, p 10.

124 Szydło, note 40 above, p 1820.

125 Regulation (EU) 2016/679, note 7 above, Art 52.

126 Ibid, Art 55(2).

127 Ibid, Art 56(3); Art 56(2).

128 Ibid, Art 51(2).

129 Ibid, Art 56(1).

130 Ibid, Art 56(6).

131 Ibid, Art 60(2).

132 Ibid, Art 60(3).

133 Ibid, Art 56(4).

134 Ibid, Art 60(4).

135 Ibid, Art 63.

136 Ibid, Art 68; Art 68(3).

137 Ibid, Art 65(1)(a).

138 Ibid, Art 65(1)(b); Art 65(1)(c).

139 Ibid, Art 65(2).

140 Ibid, Art 65(2).

141 Ibid, Art 65(6).

142 Ibid, Art 65(6). It must also specify that the EDPB’s decision will be published on the EDPB website (Art 65(6)).

143 Ibid, Art 77(2). The supervisory authority with which a complaint has been lodged shall inform the complainant of the progress and outcome of a complaint.

144 Ibid, Arts 60(8) and (9).

145 Ibid, Art 57(1)(a); Art 58(2)(i).

146 Ibid, Art 83.

147 Ibid, Art 78(1).

148 Ibid, Art 78(4).

149 Art 258 TFEU.

150 Art 267 TFEU.

151 Art 29 Data Protection Working Party, ‘Opinion 01/2012 on the data protection reform proposals’, WP 191, 23 March 2012, p 20.

152 See note 9 above, CMA38, p 386.

153 See Szydło, note 40 above, p 1815.

154 Ibid, p 1816.

155 See Commission v Germany, note 24 above, para 25.

156 See note 45 above, p 1766.

157 See note 104 above, paras 30, 34, 38, 53, 58 and 84.

158 See note 24 above, paras 53 and 54.

159 Ibid, para 55.

160 See note 44 above, p 33.

161 Chiti, E, ‘An Important Part of the EU’s Institutional Machinery: Features, Problems and Perspectives of European Agencies’ (2009) 46 Common Market Law Review 1395 , p 1410.

162 Protocol (No 2) on the Application of the Principles of Subsidiarity and Proportionality [2004] OJ C310/07.

163 European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’ COM(2012) 11 final, Art 60(1); Art 62(1)(a).

164 Namely, the German Upper House, the Belgian House of Representatives, the French Senate, and the Italian Chamber of Deputies.

165 Busuioc suggests that European agencies which are largely composed of Member State representatives are ‘problematic in terms of possible risks of paralysis and conflict’ and ‘creates the potential for tremendous conflicts of interests’. Busuioc, M, ‘Rule-Making by the European Financial Supervisory Authorities: Walking a Tight Rope’ (2013) 19(1) European Law Journal 111 , p 120; fn 44.

166 Ibid, p 121.

167 Moloney, N, ‘Institutional Governance and Capital Markets Union: Incrementalism or “Big Bang”’ (2016) 13(2) European Company and Financial Law Review 376 , p 384.

168 See note 23 above, p 283.

169 See note 45 above, p 1767.

170 For instance, the purpose of the ‘European Union Agency for Fundamental Rights’ is to ‘provide the relevant institutions, bodies, offices and agencies of the Community and its Member States when implementing Community law with assistance and expertise relating to fundamental rights in order to support them when they take measures or formulate courses of action within their respective spheres of competence to fully respect fundamental rights’. Council Regulation (EC) No 168/2007 of 15 February 2007 establishing a European Union Agency for Fundamental Rights’ [2007] OJ L53/1. The Agency thus ‘follows the model of a European information and coordination agency’. Hinarejos, A, ‘A Missed Opportunity: the Fundamental Rights Agency and the Euro Area Crisis’ (2016) 22(1) European Law Journal 61 , p 63.

171 Busuioc, M, European Agencies: Law and Practices of Accountability (Oxford University Press, 2013), p 21 (emphasis removed).

172 Ibid, p 14.

174 See Schütz, note 40 above, p 2.

175 See note 171 above, p 38.

176 For instance, Maloney, notes that the use of Art 114 TFEU as a legal basis for the ESAs is a ‘somewhat shaky competence for a radical institutional reform’; Maloney, N, ‘The European Securities and Markets Authority and Institutional Design for the EU Financial Market – A Tale of Two Competences: Part (1) Rule-Making’ (2011) 12(1) European Business Organisation Law Review 41 , p 49.

177 Meroni, C559/14, EU:C:2016:349. Busuioc argues that the financial supervisory authorities’ rule-making powers ‘stretch the boundaries of the legal doctrine to the maximum’. See note 165 above, p 114.

178 See note 161 above, p 1421 and the references cited in fn 74.

179 See note 171 above, p 19.

180 As Curtin suggests, the ‘necessity to bring expertise into the public policy process, or to ensure its credibility, features prominently in the motivations attributed to those who promoted this new trend [of decentralised agencies] in Europe’. See note 43 above, p 527.

181 Romano, C-98/80, EU:C:1981:104, para 20.

182 United Kingdom v Parliament and Council (‘Short Selling’), C-270/12, EU:C:2014:18.

183 Ibid, paras 64 and 65.

184 See note 43 above, p 527.

185 See note 171 above, pp 14–15.

186 See note 165 above, p 112.

187 See note 161 above, p 1398.

188 Ibid, pp 1399–1400.

189 See Regulation (EU) 2016/679, note 7 above, Art 65(1)(b); Art 65(1)(a).

190 Ibid, Art 64(2).

191 Ibid, Art 64(3).

192 Ibid, Art 64(8); Art 65(1)(c).

193 Ibid, Art 70(1)(e). It can also issue guidelines, recommendations and best practice in a number of other situations (see Art 70(1)(d),(f),(g),(h),(i),(j) and (m)).

194 Chiti, for instance, states that even the instrumental powers conferred on EU agencies may be less notable than those granted to other EU administrations but not necessarily less relevant. See note 161 above, p 1405.

195 See note 23 above, p 284.

196 Florio, M, Network Industries and Social Welfare: The Experiment that Reshuffled European Utilities (Oxford University Press, 2013), p 351 . Similarly, Shapiro notes that ‘activities which in the abstract and/or most of the time are perceived as non-discretionary, managerial and technical will be reconstituted in the public perception as discretionary and political when they produce results that are significant to public policy choices or to the clash of political interests’; see note 23 above, p 284.

197 Ibid (Florio), p 351.

198 See note 40 above, p 1824.

199 See note 40 above, p 1826.

200 See note 24 above, para 23; note 23 above, para 37.

201 Principles relating to the Status of National Institutions (the Paris Principles), adopted by General Assembly resolution 48/134 of 20 December 1993. U.N.Doc. A/RES/48/134.

202 See note 170 above, pp 63–64.

203 See note 171 above, p 2.

204 See note 43 above, pp 528–529. Curtin identifies three problems in employing the principal-agent model of delegation to EU level agencies, including that ‘the tasks being “delegated” may be those of the Member States, not of the formal principals’.

205 Dehousse, R, ‘Misfits: EU Law and Transformation of European Governance’ in C Joerges and R Dehousse (eds), Good Governance in Europe’s Integrated Market (Oxford University Press, 2002) 207 , p 221.

206 See Regulation (EU) 2016/679, note 7 above, Art 69(1); Art 69(2).

207 See note 24 above, para 40.

208 Ibid, para 42.

209 See note 37 above, p 1.

210 See Regulation (EU) 2016/679, note 7 above, Art 71(1).

211 Ibid, Art 71(2).

212 Ibid, Art 68(5).

213 Zemánek queried, prior to the enactment of the GDPR, whether the independence of supervisory authorities provided an illustration of this tendency; see note 45 above, p 1762. Curtin suggests that ‘integrated administration’ encompasses ‘both European and national levels with now no rigid separation between these levels’; see note 43 above, p 523.

Recommend this journal

Email your librarian or administrator to recommend adding this journal to your organisation's collection.

Cambridge Yearbook of European Legal Studies
  • ISSN: 1528-8870
  • EISSN: 2049-7636
  • URL: /core/journals/cambridge-yearbook-of-european-legal-studies
Please enter your name
Please enter a valid email address
Who would you like to send this to? *



Altmetric attention score

Full text views

Total number of HTML views: 100
Total number of PDF views: 547 *
Loading metrics...

Abstract views

Total abstract views: 1439 *
Loading metrics...

* Views captured on Cambridge Core between 21st December 2016 - 20th July 2018. This data will be updated every 24 hours.