What is the role of the Court of Justice of the European Union (CJEU) on regulating the Internet?

The Court of Justice of the European Union (CJEU) has been performing an active role in regulating internet and technology companies in recent years. It has been judging several cases related to key issues, such as personal data, privacy and sharing economy. Explaining briefly, the CJEU is an judicial authority of the European Union whose purpose is to uniformly interpret and apply EU law, working together with national courts from Member-States. It is a supranational institution and its composed of three courts: the Court of Justice, the General Court, and the Civil Service Tribunal [1]. So the Court decides on the validity of the European Union law, of the treaties between their members, and about the secondary law. And the national courts have to judge their cases based on CJEU’s interpretations [2].

The CJEU has been questioned about which should be its limits on judging issues related to internet and by this way making regulation. This concern arises because the CJEU has been actively summoned in recent years to judge key aspects of internet and technology.

Critics to the Court

One critic is that the CJEU is overreaching its competence, regulating excessively European policies on technology which should be regulated by executive and legislative branches of government.

Another critic is made by David Hoffman, a global privacy officer at Intel: “the biggest problem is the ECJ doesn’t seem to take into consideration enough what the practical effects are.” [3] And that CJEU rarely calls experts to witness in their cases [4], diminishing legitimacy from the judgements.

Arguments in favor of the CJEU

You can defend the CJEU by saying that it only acts when provoked by others, on issues similar to hard cases where there is uncertainty on how to apply the law. It fills gaps left by the legislative and executive branches. Like Sophie in’t Veld, a Dutch liberal member of the European Parliament, “in security and data protection there is a tendency for legislators to shy away from decisions they don’t want to take or to take decisions they know are not legally sound” [5].

Cases

CJEU started to judge big case involving internet in 2014, mainly based on the protection of fundamental rights. That’s because in 2009 the Charter of Fundamental Rights became legally binding in UE.

So below are some of the main cases judge by the Court:

• Annulation of the Data Retention Directive [6] April 2014

In this case, the CJEU invalidated Data Retention Directive 2006/24/EC because it was considered incompatible with privacy rights, article 4º, and with protection to personal data, article 8º, both from the the Charter of Fundamental Rights. This Directive disproportionately stated  that companies should retain certain personal data for up to two years time, exposing European citizens to risky of having rights violated.

• Right to be forgotten case [7] May 2014

In this well know case, a Spanish citizen gained the right to be deindexed by Google’ search tool. He had trouble when people searched his name on Google, because the first results were about his home auction that wasn’t going to happen anymore. The CJEU decided that, for inaccurate, inadequate, irrelevant, or excessive information people has the right to have related links deindexed from the search tool. Courts must annalyse case by case in order to verify if there is a real need to deindex information, balancing this new right with freedom of speech and freedom of information.

• Invalidation of Safe Harbor agreement between US and EU [8] October 2015

Privacy activist Max Schrems sought CJEU questioning a weak protection of privacy in Safe Harbor. One of the main concerns was in relation to security agencies in the US having access to personal data on European citizens without due process. This distrust was reinforced by Edward Snowden’s revelations about US mass surveillance practices. The Court considered that the agreement was invalid and legal void was in place until the creation of the Privacy Shield new framework, with stronger protections, in February 2016. For example, one innovation brought by the new agreement is the ombudsperson mechanism, in which companies that deal with personal data must have someone to deal with complaints or enquiries raised by EU individuals regarding security agencies having access to their data [9].

• Pirate Party and IP as a personal data [10] October 2016

The main issue, in this case, was to determine whether Internet Protocols could be considered personal data. The author’s case was Patrick Breyer, Pirate Party member, which questioned the German Federal Government in court. That’s because some government’s sites, in his view, should ask for permission before storing the IP of its citizens. Article 2º from the Directive 95/46 defines personal data as “any information relating to an identified or identifiable natural person” [11], so IPs were acknowledged as personal data, since they can be used to identify users. In the case of dynamic IPs, the CJEU have considered that if the processor has means to use them with other types of information to identify its user then they are within personal data category [12].

• Model Clauses used by Facebook [13] To be judged in February 2017

The Irish Data Protection Commissioner is questioning model clauses’ legality in Ireland’s High Court, which are used by Facebook and other companies in Europe. These clauses are standard ones and are approved by the European Commission. They are used in international contracts to transfer personal data to countries that don’t have similar frameworks on data protection when compared with European Union’s system [14]. In this sense, the Commissioner have asked CJEU to judge if model clauses in use now are legally compatible with the Directive 95/46/EC, and with Article 47 of the Charter of Fundamental Rights, which states access to justice right.

This decision will have a big impact on great number of companies involved in US-EU transfers of personal data, and could oblige them to remake all their current contracts.

• Is Uber a transport company? [15] Judgment in progress

The main issue, in this case, is to determine whether Uber is a transport company (in which case it should comply with stricter regulations) or a digital intermediary. The final decision is expected to have a huge impact in other sharing economy companies in Europe, like Airbnb and Deliveroo. If their legal status is equal to other traditional business models it’s expected they will also be submitted to stricter regulations, rising their operational costs.

In this sense, it’s easy to observe that the CJEU has been making key decisions about internet’s regulation, with effects outreaching EU borders. Their judges are influencing a great number of countries in a process of extraterritorial extension of national jurisdiction. So it is fundamental that all actors involved with internet regulation follow the decisions made in other countries and how these jurisprudences can influence in their own States.

[1] EUROPEAN UNION. EU Case law. Available on: <https://goo.gl/jPymRm>. Accessed on: 02/01/2017.

[2] “The reference for a preliminary ruling is a procedure exercised before the Court of Justice of the European Union.This procedure enables national courts to question the Court of Justice on the interpretation or validity of European law. The reference for a preliminary ruling therefore offers a means to guarantee legal certainty by uniform application of EU law”. EUROPEAN UNION. The reference for a preliminary ruling. Available on: <https://goo.gl/iYguFv>.  Accessed on: 01/02/2017

[3] HIRST, Nicolas; CERULUS, Laurens. Europe’s gavel comes down hard on tech. POLITICO Magazine. 2016.  Available on: <https://goo.gl/6DGDgv>. Accessed on:: 01/02/2017

[4] Ibid.

[5] Ibid.

[6] EUROPEAN UNION. Court of Justice of the European Union. C-293/12 – Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner. Available on: <https://goo.gl/ffrJDi>.  Accessed on: 01/02/2017.

[7] EUROPEAN UNION.Factsheet on the “Right to be  Forgotten” ruling (C-131/12). Available on: <https://goo.gl/hCtJ21>.  Accessed on: 01/02/2017.

[8] EUROPEAN UNION. Court of Justice of the European Union. C‑362/14 – Maximillian Schrems v Data Protection Commissioner.  Available on: <https://goo.gl/8K2ICA>. Accessed on: 01/02/2017.

[9] EUROPEAN UNION. European Commission – Fact Sheet EU-U.S. Privacy Shield: Frequently Asked Questions.  Available on: <https://goo.gl/mrCiUb>. Accessed on: 01/02/2017.

[10] EUROPEAN UNION. Directive 95/46/EC. 1995.  Available on: <https://goo.gl/2vkZRa>. Accessed on: 03/02/2017.

[11] “IP address was dynamically allocated (i.e., each time he connects to the network, his device is issued with a new IP address). Ordinarily, a dynamic IP address does not provide a website operator with sufficient information to directly identify an individual user, unless additional information is also available (e.g., the user logs into the website and provides information that enables the website operator to identify that user)”. MUNZ, Martin; HICKMAN, Tim; GOETZ, Matthias. Court confirms that IP addresses are personal data in some cases. 2016. Available on: <https://goo.gl/uH3Abt>. Accessed on: 02/02/2017.

[12] Mason Hayes & Curran Law Firm. Behind the Headlines: DPC v Facebook and its Potential Impact on International Trade.  Available on: <https://goo.gl/Y74Llc>. Accessed on: 02/02/2017.

[13] EUROPEAN UNION. Model Contracts for the transfer of personal data to third countries.  Available on: <https://goo.gl/4oy71J>. Accessed on: 01/02/2017.

[14] EUROPEAN UNION. Court of Justice of the European Union. Case C-434/1 –  Asociación Profesional Élite Taxi v Uber Systems Spain, S.L.. Available on: <https://goo.gl/H1I8kI>.  Accessed on: 02/02/2017.