New Technologies and EU Law (Collected Courses of the Academy of European Law) [1 ed.] 019880721X, 9780198807216


137 24 18MB

English Pages 272 [281] Year 2017

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
Cover
Series
New Technologies and EU Law
Copyright
Contents
Table of Cases
Table of Legislation
List of Abbreviations
Notes on Contributors
1. Introduction
I. The EU, Scientific Risk, and Regulatory Design
2. Medical Technologies and EU Law: The Evolution of Regulatory Approaches and Governance
3. EU Law and Bioethics
4. Regulating New Technologies: EU Internal Market Law, Risk, and Socio-​Technical Order
II. EU Law and New Technologies— Challenge and Response
5. EU Data Protection Law: The Review of Directive 95/​46/​EC and the General Data Protection Regulation
6. Liabilities of Internet Users and Providers
7. Brave New Borders: The EU’s Use of New Technologies for the Management of Migration and Asylum
Index
Recommend Papers

New Technologies and EU Law (Collected Courses of the Academy of European Law) [1 ed.]
 019880721X, 9780198807216

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

 i

The Collected Courses of the Academy of European Law

Series Editors: Professor Loïc Azoulai Professor Nehal Bhuta Professor Marise Cremona European University Institute, Florence Assistant Editor: Anny Bremner European University Institute, Florence

VOLUME XXIV/​2

New Technologies and EU Law

ii

The Collected Courses of the Academy of European Law Edited by Professor Loïc Azoulai, Professor Nehal Bhuta, and Professor Marise Cremona Assistant Editor: Anny Bremner Each year the Academy of European Law in Florence, Italy, invites a group of outstanding lecturers to teach at its summer courses on Human Rights law and European Union law. A ‘general course’ is given in each of the two fields by a distinguished scholar or practitioner, who examines the field as a whole through a particular thematic, conceptual, or philosophical lens, or looks at a theme in the context of the overall body of law. In addition, a series of ‘specialized courses’ brings together a group of highly qualified scholars to explore and analyse a specific theme in relation to Human Rights law and EU law. The Academy’s mission, to produce scholarly analyses which are at the cutting edge of the two fields, is achieved through publication of this series, the Collected Courses of the Academy of European Law.

 iii

New Technologies and EU Law Edited by

M A R I SE C R E MON A

1

iv

1 Great Clarendon Street, Oxford, OX2 6DP, United Kingdom Oxford University Press is a department of the University of Oxford. It furthers the University’s objective of excellence in research, scholarship, and education by publishing worldwide. Oxford is a registered trade mark of Oxford University Press in the UK and in certain other countries © The several contributors 2017 The moral rights of the authors‌have been asserted First Edition published in 2017 Impression: 1 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing of Oxford University Press, or as expressly permitted by law, by licence or under terms agreed with the appropriate reprographics rights organization. Enquiries concerning reproduction outside the scope of the above should be sent to the Rights Department, Oxford University Press, at the address above You must not circulate this work in any other form and you must impose this same condition on any acquirer Crown copyright material is reproduced under Class Licence Number C01P0000148 with the permission of OPSI and the Queen’s Printer for Scotland Published in the United States of America by Oxford University Press 198 Madison Avenue, New York, NY 10016, United States of America British Library Cataloguing in Publication Data Data available Library of Congress Control Number: 2017931327 ISBN 978– ​0 –​19– ​880721– ​6 Printed and bound by CPI Group (UK) Ltd, Croydon, CR0 4YY Links to third party websites are provided by Oxford in good faith and for information only. Oxford disclaims any responsibility for the materials contained in any third party website referenced in this work.

 v

Contents Table of Cases Table of Legislation List of Abbreviations Notes on Contributors 1. Introduction Marise Cremona

vii xiii xxv xxix 1

I .   T H E E U, S C I E N T I F IC R I S K , A N D R E GU L AT OR Y   DE S IG N 2. Medical Technologies and EU Law: The Evolution of Regulatory Approaches and Governance Mariachiara Tallacchini 3. EU Law and Bioethics Stéphanie Hennette Vauchez 4. Regulating New Technologies: EU Internal Market Law, Risk, and Socio-​Technical Order Mark L. Flear

9 38

74

I I .  E U L AW A N D N E W T E C H N OL O G I E S — CH A L L ENGE A ND R E SPONSE 5. EU Data Protection Law: The Review of Directive 95/​46/​EC and the General Data Protection Regulation Peter Hustinx 6. Liabilities of Internet Users and Providers Giovanni Sartor

123 174

7. Brave New Borders: The EU’s Use of New Technologies for the Management of Migration and Asylum Jorrit J. Rijpma

197

Index

243

vi

 vi

Table of Cases n = footnote. EU C A SE S CJEU Cases (in number order) 26/​62, Van Gend & Loos v. Nederlandse Administratie der Belastingen, [1963] ECR 1 (ECLI:EU:C:1963:1)����������������������������������������������������������������������������������������������� 77n 7/​68, Commission v. Italy (Art Treasures case), [1968] ECR 423 (ECLI:EU:C:1968:51)�����������80n 11/​70, Internationale Handelsgesellschaft mbH v. Einfuhr-​und Vorratsstelle für Getreide und Futtermittel, [1970] ECR 1125 (ECLI:EU:C:1970:114)����������������������������������������������� 77n 39/​72, Commission v. Italy, [1973] ECR 101 (ECLI:EU:C:1973:13) ���������������������������������������106n 2/​73, Geddo v. Ente Nazionale Rizi, [1973] ECR 865 (ECLI:EU:C:1973:89) �����������������������������84 8/​74, Procureur de Roi v. Dassonville, [1974] ECR 837 (ECLI:EU:C:1974:82)���������������������������84 71/​74, Van Duyn v. Home Office, [1974] ECR 1337 (ECLI:EU:C:1974:133) �������������������������106n 36/​75, Rutili v. Ministre de l’intérieur, [1975] ECR 1219 (ECLI:EU:C:1975:137)������������������� 212n 118/​75, Watson and Belmann, [1976] ECR 1185 (ECLI:EU:C:1976:106)�������������������������220–​221 106/​77, Italian Minister of Finance v. Simmenthal SpA, [1978] ECR 629 (ECLI:EU:C:1978:49)��������������������������������������������������������������������������������������������������������� 77n 7/​78, R v. Thompson and others, [1978] ECR 2247 (ECLI:EU:C:1978:209)�������������������������������88 120/​78, Rewe-​Zentrale AG v. Bundesmonopolverwaltung für Branntwein (Cassis de Dijon), [1979] ECR 649 (ECLI:EU:C:1979:42)�������������������������������������� 84–​85, 88 148/​78, Pubblico Ministero v. Tullio Ratti, [1979] ECR 1629 (ECLI:EU:C:1979:110) �����������106n 34/​79, R v. Henn and Darby, [1979] ECR 3795 (ECLI:EU:C:1979:295)�����������������������������86, 90n 272/​80, Frans-​Nederlandse Maatschappij voor Biologische Producten, [1981] ECR 3277 (ECLI:EU:C:1981:312)���������������������������������������������������������������������������������90, 91 40/​82, Commission v. United Kingdom (Turkeys), [1984] ECR 0283 (ECLI:EU:C:1984:33)���������������������������������������������������������������������������������������������������������90n 174/​82, Sandoz, [1983] ECR 2445 (ECLI:EU:C:1983:213) ���������������������������������������������������90–​91 C-​286/​82 and 26/​83, Luisi and Carbone v. Ministero del Tesoro, [1984] ECR 377 (ECLI:EU:C:1984:35)�����������������������������������������������������������������������������������������������������������44 177/​83, Theodor Kohl KG v. Ringelhan & Rennett SA and Ringelhan Einrichtungs GmbH [1984] ECR 3651 (ECLI:EU:C:1984:334) ���������������������������������������������������������������88 178/​84, Commission v. Germany (Beer Purity), [1987] ECR 1227 (ECLI:EU:C:1987:126)������������������������������������������������������������������������������ 88–​89n 121/​85, Conegate v. HM Customs and Excise, [1986] ECR 1007 (ECLI:EU:C:1986:114) ���������86 C-​300/​89, Commission v. Council (Titanium Dioxide), [1991] ECR I-​2867 (ECLI:EU:C:1991:244)�������������������������������������������������������������������������������������������������������93n C-​367/​89, Richardt and others, [1991] ECR I-​4621 (ECLI:EU:C:1991:376)������������������������ 86– ​87 C-​59/​90, Society for the Protection of Unborn Children Ireland Ltd v. Stephen Grogan and Others, [1991] ECR I-​04685 (ECLI:EU:C:1991:378)�������������������������44 C-​155/​91, Commission v. Council (Waste Directive), [1993] ECR I-​939 (ECLI:EU:C:1993:98)���������������������������������������������������������������������������������������������������������93n C-​267/​91 and 268/​91, Keck and Mithouard, [1993] ECR I-​6097 (ECLI:EU:C:1993:905) ���������84 C-​275/​92, Customs Excise v. Schindler, [1994] ECR I-​1039 (ECLI:EU:C:1994:119)���������80n, 87n C-​292/​92, Hünermundand others v. Landesapothekerkammer Baden-​Württemberg, [1993] ECR I-​6787 (ECLI:EU:C:1993:932)�������������������������������������84n C-​315/​92, Verband Sozialer Wettbewerb e.V. v. Clinique Laboratoires SNC and Estée Lauder Cosmetics GmbH, [1994] ECR I-​317 (ECLI:EU:C:1994:34)�������������������������� 88–​89n C-​401/​92 and C-​402/​92, Tankstation, [1994] ECR I-​2199 (ECLI:EU:C:1994:220)�����������������84n

vi

viii

Table of Cases

C-​69/​93 and 258/​93, Punto Casa SpA v. Sindaco del Comune di Capena et Comune di Capena i Promozioni, [1994] ECR I-​2355 (ECLI:EU:C:1994:226) �����������������������������������84n C-​412/​93, Société d’Importation Edouard Leclerc-​Siplec v. TF1 Publicité SA and M6 Publicité SA, [1995] ECR I-​179 (ECLI:EU:C:1995:26) �����������������������������������������������������84n C-​470/​93, Verein gegen Unwesen in Handel und Gewerbe Köln e.V. v. Mars GmbH, [1995] ECR I-​1923 (ECLI:EU:C:1995:224)���������������������������������������������������������������� 88–​89n C-​418/​93 to 421/​93, 460/​93 to 462/​93, 464/​93, 9/​94 to 11/​94 and 14/​94 to 15/​ 94, Semeraro Casa Uno v. Sindaco del Comune di Erbusco, [1996] ECR I-​2975 (ECLI:EU:C:1996:242)�������������������������������������������������������������������������������������������������������84n C-​70/​94, Fritz Werner Industrie-​Ausrüstungen GmbH v. Federal Republic of Germany, [1995] ECR I-​3189 (ECLI:EU:C:1995:328) �������������������������������������������������������������������������86 C-​34/​95 to 36/​95, Konsumentombudsmannen (KO) v. De Agostini (Svenska) Förlag AB, [1997] ECR I-​3843 (ECLI:EU:C:1997:344)�����������������������������������������������������������������������84n C-​378/​96, Rijksdienst voor Pensioenen v. René van Looveren (Aher-​Waggon), [1998] ECR I- ​4 473 (ECLI:EU:C:1998:357)�������������������������������������������������������������������������������������������89n C-​269/​97, Commission and Parliament v. Council (Beef Labelling), [2000] ECR I-​2257 (ECLI:EU:C:2000:183)�������������������������������������������������������������������������������������������������������93n C-​97/​98, Jägerskiöld v. Gustafsson, [1999] ECR I-​7319 (ECLI:EU:C:1999:515) �����������������������80n C-​209/​98, Entreprenørforeningens Affalds/​Miljøsektion (FFAD) v. Københavns Kommune, [2000] ECR I-​3743 (ECLI:EU:C:2000:279)���������������������������������������������������89n C-​254/​98, Schutzverband gegen unlauteren Wettbewerb v. TK-​Heimdienst Sass GmbH, [2000] ECR I-​151 (ECLI:EU:C:2000:12)���������������������������������������������������������������������������84n C-​376/​98, Germany v. European Parliament and Council (Tobacco Advertising I), [2000] ECR I-​8419 (ECLI:EU:C:2000:544) �����������������������������������������������������������������������������93–​94 C-​377/​98, Netherlands v. Parliament and Council (Biotechnology), [2001] ECR I-​7079 (ECLI:EU:C:2001:523)�������������������������������������������������������������� 4–​5, 66, 99–​100 C-​379/​98, PreussenElektra AG v. Schleswag AG, [2001] ECR I-​2099 (ECLI:EU:C:2001:160)�������������������������������������������������������������������������������������������������������89n C-​405/​98, Konsumentombudsmannen (KO) v. Gourmet International Products AB (GIP), [2001] ECR I-​1795 (ECLI:EU:C:2001:135)�������������������������������������������������������84n C-​112/​0 0, Schmidberger v. Austria, [2003] ECR I-​05659 (ECLI:EU:C:2003:333)���������������������71 C-​465/​0 0, 138/​01, and 139/​01, Rechnungshof v. Österreichischer Rundfunk and others, [2003] ECR I-​04989 (ECLI:EU:C:2003:294) ������������134–​135, 144, 152, 218–​219, 221–​222 C-​101/​01, Bodil Lindqvist, [2003] ECR I-​12971 (ECLI:EU:C:2003:596)�����������������134–​135, 136 C-​192/​01, Commission v. Denmark, [2003] ECR I-​9693 (ECLI:EU:C:2003:492) ��������������������� 91 C-​322/​01, Deutscher Apothekerverband e.V. v. 0800 DocMorris NV and Jacques Waterval, [2003] ECR I-​14887 (ECLI:EU:C:2003:664) ���������������������������������84n, 88, 89, 95 C-​491/​01, British American Tobacco (Investments) Ltd and Imperial Tobacco Ltd, [2002] ECR I-​11453 (ECLI:EU:C:2002:741)�����������������������������������������������������������������������������������93 C-​36/​02, Omega Spielhallen-​und Automatenaufstellungs-​GmbH v. Oberbürgermeisterin der Bundesstadt Bonn, [2004] ECR I-​09609 (ECLI:EU:C:2004:614)���������������������������������71 C-​434/​02, Arnold André GmbH & Co. KG v. Landrat des Kreises Herford, [2004] ECR I-​11825 (ECLI:EU:C:2004:800)�����������������������������������������������������������������������������������������93n C-​20/​03, Burmanjer and others, [2005] ECR I-​4133 (ECLI:EU:C:2005:307)�������������������������85n C-​210/​03, R (on the application of Swedish Match AB and Swedish Match UK Ltd) v. Secretary of State for Health, [2004] ECR I-​11893 (ECLI:EU:C:2004:802) ���������������������93n C-​380/​03, Germany v. European Parliament and Council (Tobacco Advertising II), [2006] ECR I-​11573 (ECLI:EU:C:2006:772)����������������������������������������������������������������43–​4 4, 93–​94 C-​317/​04 and 318/​04, European Parliament v. Council and Commission, [2006] ECR I-​9171 (ECLI:EU:C:2006:609)������������������������������������������������������������������������������������� 88, 210 C-​366/​04, Schwarz v. Bürgermeister der Landeshauptstadt Salzburg, [2005] I-​10139 (ECLI:EU:C:2005:719)���������������������������������������������������������������������������������������������������95–​96 C-​434/​04, Ahokainen and Leppik, [2006] ECR I-​9171 (ECLI:EU:C:2006:609) �����������������������88

 ix

Table of Cases

ix

C-​4 41/​04, A-​Punkt Schmuckhandels GmbH v. Claudia Schmidt, [2006] ECR I-​2093 (ECLI:EU:C:2006:141)�������������������������������������������������������������������������������������������������������84n C-​77/​05, United Kingdom v. Council, [2007] ECR I-​1145 (ECLI:EU:C:2007:803)�����������������200 C-​110/​05, Commission v. Italy (Trailers), [2009] ECR I-​519 (ECLI:EU:C:2009:66)�����������������85n C-​137/​05, United Kingdom v. Council, [2007] ECR I-​11593 (ECLI:EU:C:2007:805) �������������200 C-​142/​05, Åklagaren v. Mickelsson and Roos, [2009] ECR I-​4273 (ECLI:EU:C:2009:336) ���������������������������������������������������������������������������������������������85n, 89n C-​150/​05, Van Straaten v. Staat der Nederlanden and Republiek Italië, [2006] ECR I-​9327 (ECLI:EU:C:2006:614) ������������������������������������������������������������������������������� 217n C-​301/​06, Ireland v. European Parliament and Council, [2009] ECR I-​593 (ECLI:EU:C:2009:68) �����������������������������������������������������������������������������������������������������223n C-​524/​06, Huber v. Bundesrepublik Deutschland, [2008] ECR I-​9705 (ECLI:EU:C:2008:724)�������������������������������������������������������������������������������������152n, 220–​221 C-​73/​07, Tietosuojavaltuutettu v. Satakunnan Markkinapörssi Oy and Satamedia Oy, [2008] ECR I-​09831 (ECLI:EU:C:2008:727) ������������������������������������������� 135 C-​88/​07, Commission v. Spain (Medicinal Herbs), [2009] ECR I-​1353 (ECLI:EU:C:2008:567)���������������������������������������������������������������������������������������������������������90 C-​518/​07, Commission v. Germany, [2010] ECR I-​01885 (ECLI:EU:C:2010:125)������������������������������������������������������������������������������������� 134, 137n, 142 C-​553/​07, College van burgemeester en wethouders van Rotterdam v. M. E. E. Rijkeboer, [2009] ECR I-​03889 (ECLI:EU:C:2009:293)������������������������������������136 C-​482/​08, United Kingdom v. Council, [2010] ECR I-​10413 (ECLI:EU:C:2010:631)���������������������������������������������������������������������������������������������200, 216n C-​92/​09 and 93/​09, Volker und Markus Schecke GbR and Hartmut Eifert, [2010] ECR I-​11063 (ECLI:EU:C:2010:662)����������������������������������������������������������������� 143–​145, 220 C-​108/​09, Ker-​Optika bt v. ÀNTSZ Dél-​dunántúli Regionális Intézete, [2010] ECR I-​12213 (ECLI:EU:C:2010:725)�������������������������������������������������������������������������� 84–​85n C-​439/​09, Pierre Fabre Dermo-​Cosmétique SAS v. Président de l´Autorité de la Concurrence, [2011] ECR I-​9419 (ECLI:EU:C:2011:649)������������������������������������������ 84–​85n C-​543/​09, Deutsche Telekom AG v. Bundesrepublik Deutschland, [2011] ECR I-​3441 (ECLI:EU:C:2011:279)�������������������������������������������������������������������������������������������������������220 C-​34/​10, Brüstle v. Greenpeace e.V., [2011] ECR I-​09821 (ECLI:EU:C:2011:669)������������ 4–​5, 41, 62–​68, 100, 100–​101n C-​188/​10 and 189/​10, Melki and Abdeli, [2010] ECR I-​05667 (ECLI:EU:C:2010:363)�����������206 C-​355/​10, European Parliament v. Council, 5 September 2012, not yet published (ECLI:EU:C:2012:516)�������������������������������������������������������������������������������������������� 206, 206n C-​468/​10 and 469/​10, Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v. Administración del Estado, [2011] ECR I-​12181 (ECLI:EU:C:2011:777)�����������������������4–​5 C-​614/​10, Commission v. Austria, 16 October 2012, not yet published (ECLI:EU:C:2012:631)������������������������������������������������������������������� 134, 142–​143, 146n, 167n C-​617/​10, Åkerberg Fransson, 26 February 2013, not yet published (ECLI:EU:C:2013:280)������������������������������������������������������������������������������������������������������� 142 C-​399/​11, Melloni v. Ministerio Fiscal, 26 February 2013, not yet published (ECLI:EU:C:2013:107)������������������������������������������������������������������������������������������������������� 142 C-​131/​12, Google Spain SL and Google Inc v. Agencia Española de Protección de Datos and González, judgment of 13 May 2014, not yet published (ECLI:EU:C:2014:317)����������������5, 133, 134n, 136, 153, 155n, 159n, 163n, 193–​195 C-​288/​12, Commission v. Hungary, 8 April 2014, not yet published (ECLI:EU:C:2014:237)������������������������������������������������������������������� 134, 142–​143, 146n, 167n C-​291/​12, Michael Schwarz v. Stadt Bochum, 17 October 2013, not yet published (ECLI:EU:C:2013:670)���������������������������������������������������������������������������������������143, 220–​222

x

x

Table of Cases

C-​293/​12 (Digital Rights Ireland v. Minister for Communications, Marine and Natural Resources) and C-​594/​12 (Kärtner Landesregierug), Judgment of 8 April 2014, not yet published (ECLI:EU:C:2014:238) ���������������������� 142–​143, 145–​146, 166n, 211, 222–​226 C-​4 46/​12 to 449/​12, Willems and Others v. Burgemeester van Nuth and Others, (ECLI:EU:C:2015:238)�������������������������������������������������������������������������������������������������������220 C-​473/​12, IPI (Institut Professionnel des Agents Immobiliers) v. Englebert and Others, Judgment of 7 November 2013, not yet published (ECLI:EU:C:2013:715) �����������������������223 C-​364/​13, International Stem Cell Corporation v. Comptroller General of Patents, Judgment of 18 December 2014, not yet published (ECLI:EU:C:2014:2451)����������������������������������������������������������������������������������������� 100–​101nn European Court of Human Rights A, B and C v. Ireland (Application no. 25579/​05), 16 December 2010��������������� 69, 70, 70n, 71–​73 Amann v. Switzerland (Application no. 27798/​95), 16 February 2000����������������������������� 129n, 219 Amuur v. France (Application no. 19776/​92), 25 June 1996�����������������������������������������������������205n Godelli v. Italy (Application no. 33783/​09), 25 September 201 �������������������������������������������������269 Goodwin v. United Kingdom (Application no. 28957/​95), 11 July 200�������������������������������������269 Haas v. Switzerland (Application no. 31322/​07), 20 January 2011�����������������������������������������������69 Halford v. United Kingdom (Application no. 20605/​92), 25 June 1997�����������������������������������129n Hämäläinen v. Finland (Application no. 37359/​09), 6 July 2014 �������������������������������������������������69 Khelili v. Switzerland (Application no. 16188/​07), 18 October 2011 �������������������������������129–​130n Klass v. Germany (Application no. 5029/​71), 6 September 1978 ���������������������������������������������129n Knecht v. Romania (Application no. 10048/​10), 2 October 2012�������������������������������������������������69 Koch v. Germany (Application no. 497/​09), 19 July 2012������������������������������������������������������� 69, 71 K.U. v. Finland (Application no. 2872/​02), 2 December 2008�������������������������������������������������130n Leander v. Sweden (Application no. 9248/​81), 26 March 1987��������������������������������� 129n, 218, 219 Malone v. United Kingdom (Application no. 8691/​79), 2 August 1984�����������������������������������129n Niemietz v. Germany (Application no. 13710/​88), 16 December 1992�������������������������������������129n P and S v. Poland, (Application no. 57375/​08), Judgment of 30 October 2012 ���������������������������71 Pretty v. United Kingdom (Application no. 2346/​02), 29 April 2002 �����������������������������������������69 Rotaru v. Romania (Application no. 28341/​95), 4 May 2000���������������������������������������������������129n R.R. v. Poland (Application no. 27617/​04), 26 May 2011������������������������������������������������������� 69, 71 S and Marper v. United Kingdom (Application nos 30562/​04 and 30566/​04), 4 December 2008 ������������������������������������������������������������������������������������������������145, 219, 223 S.H. and Others v. Austria (Application no. 57813/​0 0), 3 November 2011 ��������������������� 69, 71–​73 Tysiac v. Poland (Application no. 5410/​03), 20 March 2007 �������������������������������������������������������70 Von Hannover v. Germany (Application no. 59320/​0 0), 24 June 2004 �����������������������������������130n Z v. Finland (Application no. 22009/​93), 25 February 1997�����������������������������������������������������129n European Patent Office T 19/​90, EPO Board of Appeals, 3 October 1990 (Harvard Oncomouse)����������������������������������� 55 T 0272/​95, EPO, 8 December 1994, OJ EPO 6/​1995 (Howard Florey Institute) �����������55–​56, 58 N AT ION A L C A SE S France Conseil d’État, case 313568, 27 January 2010 ���������������������������������������������������������������������� 44–​45 Cour administrative d’Appel de Lyon, case 03LY01329, 20 December 2007������������������������ 44–​45 Germany Volkszählung, Judgment of 15 December 1983, BVerfGE 65, 1–​71�������������������������������������������130

 xi

Table of Cases

xi

Italy Google-​Vividown, Tribunal of Milan, 24 February 2010, sentenza n. 1972/​2010 ������������������� 179n United Kingdom A v. National Blood Authority, The Times, 4 April 2001 (QB)��������������������������������������������������117n R v. Human Fertilisation and Embryology Authority, ex parte Blood, Court of Appeal (Civil Division) [1997] 2 All ER 687�������������������������������������������������������������������������������������44 United States Association for Molecular Pathology v. Myriad Genetics Inc, US Supreme Court, No. 12-​ 398 (13 June 2013) ���������������������������������������������������������������������������������������������������������������56 Diamond v. Chakrabarty, 447 US 303 (1980)������������������������������������������������������������������������������ 55

xi

 xi

Table of Legislation n = footnote. t = table. EU ROPE A N U N ION Treaties and Conventions Accession Treaty of Malta to the EU 2003 Protocol������������������������������������������������ 45–​6 Amsterdam Treaty 1997 �������������������� 199–​200 Charter of Fundamental Rights 2000 ������������� 31–​2, 47, 125, 138–​41, 211 Preamble���������������������������������������������� 138n Art. 3�������������������������������������������������������� 47 Art. 7��������������� 3, 138–​9, 143–​6, 164n, 167, 172, 218–​19, 223 Art. 8������������� 3, 138–​41, 143–​6, 149, 164n, 165, 167, 172–​3, 218–​19, 223 (1) ��������������������������������������� 140, 167, 172 (2) ������������140, 143–​4, 153, 167, 172, 219 (3) ��������������140, 141n, 142, 146, 167, 172 Art. 47��������������������������������������������� 161, 166 Art. 52���������������������������������������������139, 144 (1) ��������������������������������������� 143, 145, 219 (3) �����������������������������������������������������212n Convention Implementing the Schengen Agreement 1990 (CISA) �����199 Title IV (Arts 92–​119)�����������������������������212 Art. 115������������������������������������������������� 217n Convention on Human Rights and Biomedicine Art. 28������������������������������������������������������ 24 Data Protection Convention 1981 (Convention 108) ����������������126–​31, 139, 171, 172, 238t, 240t Preamble, para 4 ������������������������������������ 127 Art. 1������������������������������������������������������ 127 Art. 2(a)�������������������������������������������������� 127 Art. 4������������������������������������������������������ 127 Art. 5������������������������������������������������������ 127 Art. 6������������������������������������������������������ 127 Art. 7������������������������������������������������������ 128 Art. 8������������������������������������������������������ 128 Art. 9������������������������������������������������������ 128 Art. 14�������������������������������������������������� 129n Additional Protocol Art. 1�������������������������������������������������� 128 European Convention on Human Rights and Fundamental Freedoms 1950 Art. 2�������������������������������������������������������� 69

Art. 3�������������������������������������������������69, 69n Art. 5(1)(d)������������������������������������������������ 24 Art. 6�������������������������������������������������������� 69 (1) �������������������������������������������������������161 Art. 8�������������������������24, 70–​1, 125–​6, 128, 129–​30, 135, 139, 143, 171, 218–​19 Art. 13�����������������������������������������������������161 European Patent Convention 2000 Art. 53(a)���������������������������������������������� 100n Europol Convention (Treaty on the Establishment of a European Police Office) 1995 Art. K.3������������������������������������������������ 129n Lisbon Treaty 2009�����������������125, 141–​2, 200 Maastricht Treaty 1992����������������������� 137, 199 Art. 130 R�������������������������������������������������14 Protocol 17 ���������������������������������������������� 46 see also Treaty on European Union 2007 Oviedo Convention on Human Rights and Biomedicine 1997 Art. 18�������������������������������������������������� 48–​9 Schengen Agreement 1986 �������������������������199 Single European Act 1986���������������������������� 95 Treaty on European Union 2007 (TEU, formerly Maastricht Treaty) Art. 3(3)������������������������������������������ 80n, 97n Art. 5�����������������������������������������������������158n (4) ������������������������������������������������������ 226 Art. 6(1)���������������������������������������������������141 Art. 17(3)�������������������������������������������������170 Art. 39���������������������������������������������������141n Declaration 20���������������������������������������141n Declaration 21���������������������������������������141n Treaty on the Functioning of the European Union 2007 (TFEU, formerly Rome Treaty/​EC Treaty) Art. 4 (2)(a) ���������������������������������������������������� 92 (k)�������������������������������������������������� 106 (3) �������������������������������������������������97, 98n Art. 6������������������������������������������������������ 100 (2)(c) �������������������������������������������������� 100 (a) ���������������������������������������������77, 98n Art. 16������������� 3–​4, 149, 152, 166, 172, 218

xvi

xiv

Table of Legislation

TFEU (cont.) (1) ����������������������������������������������������� 141 (2) ����������������������������������������� 141–​2, 167 Art. 26����������������������������������������������������� 95 (2) ����������������������������������������������� 80, 97n Art. 28��������������������������������������������������� 83n Arts 28–​36 ���������������������������������������������80 Art. 34������������������ 83–​4, 84n, 86, 87, 95–​6 Art. 35���������������������������������������������������86n Art. 36������85–​6, 88, 89–​90, 92, 95–​6, 114 Arts 45–​48 ������������������������������������������� 83n Arts 49–​55��������������������������������������������� 83n Arts 56–​62 ������������������������������������������� 83n Arts 63–​66 ������������������������������������������� 83n Art. 110������������������������������������������������� 83n Art. 114����������������������� 52, 56, 76–​8, 92–​5, 99–​100, 106, 112, 115 (1) �����������������������������������������������43, 95n (3) �������������������������������������������43, 92, 94 (4) ������������������������������������������������� 93, 94 (5) ������������������������������������������������� 93, 94 (6)����������������������������������������������������� 93n (7)������������������������������������������������������� 93 (8) �������������������������������������������������������43 (10) �������������������������������������43, 92–​3, 94 Art. 115������������������������������������������������� 95n Art. 168����������������������� 41–​2, 52, 77–​8, 115 (1) ��������������������������������������������������� 41–​2 (2) �������������������������������������������������������42 (4) �������������������������������������������������������42 (c)�����������������������������������������������106–​7 (5) �������������������������42, 42n, 77, 94, 97–​8 (6)�����������������������������������������������42, 42n (7)���������������������������������� 42, 42n, 77–​8n Art. 173(3)��������������������������������������������� 97n Art. 174��������������������������������������������������� 14 Art. 179(1)�����������������������������������������������97 Art. 182���������������������������������������������������40 (1) ���������������������������������������������������96–​7 Art. 191��������������������������������������������������� 14 Art. 286������������������������������������� 136–​7, 139 Art. 288���������������������������������������95n, 106n Art. 294������������������������������������������������� 95n Art. 346(1)(b) ��������������������������������������� 87n Directive 2008/​115/​EC, OJ 2008 L 348/​98 (Return Directive) Art. 11������������������������������������������������� 215n Directives (in number order) Directive 65/​65/​EEC on the Approximation of Provisions Laid Down by Law, Regulation or Administrative Action Relating to Proprietary Medicinal Products, OJ 1965 L 22/​369�������������������111

Directive 85/​374/​EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products, OJ 1985 L 210/​29�������44–​5, 117 Directive 90/​385/​EEC on the Approximation of the Laws of the Member States Relating to Active Implantable Medical Devices, OJ 1990 L 189/​17 Art. 1(2)(a)������������������������������������113, 113n Art. 10(c)��������������������������������������������� 114n Directive 93/​42/​EEC Concerning Medical Devices, OJ 1993 L 169/​1 � 113n Art. 1(2)������������������������������������������������� 78n Art. 8��������������������������������������������������� 114n Directive 95/​46/​EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1005 L 281/​31 (Data Protection Directive)�������������������� 108n, 124, 131–​8, 146–​51, 157, 164, 165, 171, 172, 179–80, 216–​17, 218–​19, 232, 238–​41t Recital 7������������������������������������������������ 131 Recital 8������������������������������������������������ 131 Recital 9���������������������������������������� 131, 132 Recital 10����������������������������������������������� 131 Recital 11����������������������������������������������� 131 Art. 1����������������������������������������������������� 131 Art. 2 (a)�������������������������������������������������� 132 (b) ������������������������������������������������� 132 (d) ������������������������������������������������� 180 (f)�������������������������������������������������� 180 Art. 3����������������������������������������������������� 180 (1) ����������������������������������������������������� 132 (2) ����������������������������������������������������� 132 Art. 5����������������������������������������������������� 132 Art. 7����������������������������������������������������� 132 (b) ������������������������������������������������� 152 (e)��������������������������������������������������� 152 (f)�������������������������������������������135, 152 Art. 8����������������������������������������������������� 132 Art. 9�����������������������������������������������������134 Art. 10��������������������������������������������������� 133 Art. 11��������������������������������������������������� 133 Art. 12������������������������������������������������� 164n (1)(d) ������������������������������������������������� 186 Art. 14������������������������������������������������� 164n

 xv

Table of Legislation Art. 18������������������������������������������� 133, 168 Art. 19������������������������������������������� 133, 168 Art. 20������������������������������������������� 133, 168 Art. 23��������������������������������������������������� 191 Art. 25��������������������������������������������������� 133 Art. 26��������������������������������������������������� 133 (2) ���������������������������������������������������134n Art. 28��������������������������������������������������� 133 (6)������������������������������������������������� 161–​2 Art. 29����������������������������������������� 132n, 133 Art. 30��������������������������������������������������� 133 Art. 33��������������������������������������������������� 146 Directive 98/​43/​EC on the Approximation of the Laws, Regulations and Administrative Provisions of the Member States Relating to the Advertising and Sponsorship of Tobacco Products, OJ 1998 L 213/​9 �����������������������������93–​4 Directive 98/​44/​EC of 6 July 1998 on the protection of biotechnological inventions, OJ 1998 L 213/​ 13 (Biotechnology Directive/​Patents Directive)�������������� 5–​6, 40, 52–​4, 56–​9, 61 Recital 1�������������������������������������������������� 57 Recital 2�������������������������������������������� 57, 99 Recital 5��������������������������������������������������99 Recital 6��������������������������������������������������99 Recital 7������������������������������������������99–​100 Recital 16�������������������������������������������58, 66 Art. 4���������������������������������������������������100n Art. 5������������������������������������������� 57, 58, 59 (1) ���������������������������������������������������100n Art. 6���������������������������������������������57–​8, 59 (2)(c) ���������������������������������������������� 64– ​6 Directive 98/​79/​EC on In Vitro Diagnostic Medical Devices, OJ 1998 L 331/​1������������������������������������� 113 Art. 8��������������������������������������������������� 114n Directive 2000/​31/​EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, OJ 2000 L 178/​ 1 (E-​Commerce Directive) ����������177–​81, 195 Art. 1(5)������������������������������������������������� 180 (a)�������������������������������������������������� 183 Art. 14��������������������������������������������������� 178 (1) ����������������������������������������������������� 181 Art. 15��������������������������������������������������� 178 Directive 2001/​18/​EC of the European Parliament and of the Council of 12 March 2001 on the Deliberate

xv

Release into the Environment of Genetically Modified Organisms and Repealing Council Directive 90/​220/​EEC, OJ 2001 L 106/​1���������������������������������� 25–​6, 36, 110 Recital 7������������������������������������������������ 110 Art. 5����������������������������������������������� 110–​11 Directive 2001/​20/​EC of the European Parliament and of the Council of 4 April 2001 on the Approximation of the Laws, Regulations and Administrative Provisions of the Member States Relating to the Implementation of Good Clinical Practice in the Conduct of Clinical Trials on Medicinal Products for Human Use, OJ 2001 L 121/​34������������ 25–​7, 40, 52, 104– ​8 , 109n Art. 2(2)(1)������������������������������������������� 105n Art. 6�������������������������������������������������������26 Art. 9�������������������������������������������������������26 Council Directive 2001/​51/​EC, OJ 2001 L 187/​45�����������������������������������205 Directive 2001/​83/​EC of the European Parliament and of the Council of 6 November 2001 on the Community Code Relating to Medicinal Products for Human Use, OJ 2001 L 311/​67������������������������25–​6, 78n, 104, 111 Recital 4�������������������������������������������115–​16 Art. 35(1)��������������������������������������������� 112n Arts 101–​108b��������������������������������������� 116 Directive 2001/​84/​EC Amending, as Regards Pharmacovigilance, Directive 2001/​83/​EC on the Community Code Relating to Medicinal Products for Human Use, OJ 2010 L 348/74 Recital 4������������������������������������������������ 116 Directive 2001/​95/​EC on General Product Safety, OJ 2002 L 11/​4��������� 113 Directive 2002/​58/​EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, OJ 2002 L 201/​37��������������������������� 136, 156, 179n, 222 Art. 1���������������������������������������������������136n Art. 4(3)-​(5)������������������������������������������� 151 Directive 2002/​98/​EC on Setting Standards of Quality and Safety for the Collection,

xvi

xvi

Table of Legislation

Testing, Processing, Storage and Distribution of Human Blood and Blood Components and Amending Directive 2001/​83/​ EC, OJ 2002 L 33/​30 (Blood Directive)��������������������������40, 52, 59, 115 Directive 2004/​9/​EC on the Inspection and Verification of Good Laboratory Practice, OJ 2004 L 50/​28����������������������������������� 102n Directive 2004/​10/​EC on the Harmonization of Laws, Regulations and Administrative Provisions Relating to the Application of the Principles of Good Laboratory Practice and the Verification of their Applications for Tests on Chemical Substances, OJ 2004 L 50/​4 4������������������������������� 102 Recital 4���������������������������������������������� 114n Recital 8���������������������������������������������� 102n Art. 1(1)����������������������������������������������� 102n Art. 5(2)������������������������������������������������� 102 Annex 1����������������������������������������������� 102n Directive 2004/​23/​EC of the European Parliament and of the Council of 31 March 2004 on the Donation, Procurement, Testing, Processing, Preservation, Storage and Distribution of Human Tissues and Cells, OJ 2004 L 102/​48 (Tissues Directive)������������28, 40, 52, 59, 61–​2, 115 Recitals 1–​5������������������������������������������115n Recital 8�����������������������������������������������115n Recital 11����������������������������������������������115n Recital 13����������������������������������������������115n Recital 15����������������������������������������������115n Recital 19����������������������������������������������115n Recital 28 ��������������������������������������������115n Recital 31����������������������������������������������115n Recital 32����������������������������������������������115n Art. 1����������������������������������������������������115n Art. 8����������������������������������������������������115n Art. 9����������������������������������������������������115n Art. 11��������������������������������������������������115n Arts 16–​24��������������������������������������������115n Directive 2004/​38/​EC, OJ 2004 L 158/​77 Art. 2(2)����������������������������������������������� 214n Directive 2004/​82/​EC on the obligation of carriers to communicate passenger data, OJ 2004 L 261/​24�����������������������������������207

Directive 2005/​28/​EC Laying down Principles and Detailed Guidelines for Good Clinical Practice as regards Investigational Medicinal Products for Human Use, OJ 2005 L 91/​13����������������������� 107 Directive 2006/​24/​EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/​58/​ EC, OJ 2006 L 105/​54  Data Retention Directive���������������������145– ​6, 220, 222– ​6 Directive 2006/​121/​EC Amending Directive 67/​548/​EEC on the Approximation of Laws, Regulations and Administrative Provisions Relating to the Classification, Packaging and Labelling of Dangerous Substances, OJ 2006 L 136/​281 ��������� 79 Directive 2009/​41/​EC on the Contained Use of Genetically Modified Micro-​Organisms, OJ 2009 L 125/​75����������������������������������� 110 Art. 2(b)����������������������������������������������� 110n Directive 2009/​120/​EC of 14 September 2009 amending Directive 2001/​83/​EC, OJ 2009 L 242/​3 �����������������������������������������������28 Directive 2010/​45/​EU of 7 July 2010, OJ 2010 L 207/​14 ������������������������� 40, 52 Directive 2010/​53/​EU on Standards of Quality and Safety of Human Organs Intended for Transplantation, OJ 2010 L 207/​14 ������115 Directive 2010/​63/​EU on the Protection of Animals Used for Scientific Purposes, OJ 2010 L 276/​33����������������������������������������������� 109 Recital 42 ��������������������������������������109, 110 Art. 2(2)������������������������������������������������� 110 Art. 20(1)����������������������������������������������� 109 Art. 34(1)����������������������������������������� 109–​10 Art. 46��������������������������������������������������� 110 Art. 59��������������������������������������������������� 109 Art. 62������������������������������������������������� 109n Art. 63������������������������������������������������� 109n

 xvi

Table of Legislation Directive 2011/​24/​EU on the Application of Patients’ Rights in Cross-​Border Healthcare, OJ 2011 L 88/​4 (Patients’ Rights Directive) Art. 3(1)��������������������������������������������������� 78 Art. 15(2)(b)������������������������������������������117n Directive 2011/​62/​EU amending Directive 2001/​83/​EC on the Community Code Relating to Medicinal Products for Human Use, as regards the Prevention of the Entry into the Legal Supply Chain of Falsified Medicinal Products, OJ 2011 L 174/​74 Recital 3�����������������������������������������������115n Recital 4�����������������������������������������������115n Recital 7�����������������������������������������������115n Recital 11����������������������������������������������115n Directive (EU) 2015/​412 of the European Parliament and of the Council of 11 March 2015 amending Directive 2001/​18/​EC, OJ 2015 L 68/​1 �����������������������������������34 Regulations (in number order) Regulation (EC) 141/​2000 on Orphan Medicinal Products, OJ 2000 L 18/​1 Recital 2������������������������������������������������ 109 Recital 3������������������������������������������������ 109 Recital 8������������������������������������������������ 109 Art. 3����������������������������������������������������� 109 Council Regulation (EC) 2725/​2000 of 11 December 2000 Concerning the Establishment of ‘Eurodac’ for the Comparison of Fingerprints for the Effective Application of the Dublin Convention, OJ 2000 L 316/​1 (Dublin II Regulation)��������� 137 Art. 20��������������������������������������������������217n Regulation (EC) 45/​2001 of the European Parliament and of the Council of 18 December 2000 on the Protection of Individuals with Regard to the Processing of Personal Data by the Community Institutions and Bodies and on the Free Movement of Such Data, OJ 2001 L 8/​1 ����������136–​7, 216–​17, 238–​41t Arts 41–​48��������������������������������������������� 137 Council Regulation (EC) 539/​2001, OJ 2001 L 81/​1 ���������������������������������205 Regulation (EC) 2424/​2001 on the Development of the Second Generation Schengen Information

xvii

System, OJ 2001 L 328/​4 (SIS II Regulation)��������������������������212, 217–​18 Recital 2������������������������������������������������ 212 Recital 3������������������������������������������������ 212 Council Regulation (EC) 1030/​2002, OJ 2002 L 157/​1 (third country national residence permits) �����������202–​3 Council Regulation (EC) 377/​2004, OJ 2004 L 141/​13�����������������������������205 Regulation (EC) 726/​2004 Laying Down Community Procedures for the Authorization and Supervision of Medicinal Products for Human and Veterinary Use and Establishing a European Medicines Agency, OJ 2004 L 311/​67����������������������������������� 112 Recital 13��������������������������������������������� 112n Annex, s 1�����������������������������������������78–​9n Council Regulation (EC) 871/​2004, OJ 2004 L 162/​29����������������������������� 215 Council Regulation (EC) 2007/​ 2004 Establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union, OJ 2004 L 349/​1 (Frontex Regulation) ������������������������������������ 201 Art. 2�����������������������������������������������������228 Art. 11c ������������������������������������������������� 232 Art. 11ca ����������������������������������������������� 232 Council Regulation (EC) 2252/​2004, OJ 2004 L 385/​1 (Passport Regulation)�����������������������������������202–​3 Art. 1(2)�������������������������������������������������220 Regulation (EC) 562/​2 006, OJ 2006 L 105/​1 (Schengen Borders Code)����������������������������� 200 Art. 2(11)�����������������������������������������������206 Art. 10��������������������������������������������������� 214 Art. 12���������������������������������������������������206 Art. 21���������������������������������������������������206 Regulation (EC) 1901/​2006 on Medicinal Products for Paediatric Use, OJ 2006 L 378/​1�������������������108–​9 Recital 8���������������������������������������������� 109n Art. 30��������������������������������������������������� 109 Art. 31����������������������������������������� 109, 109n Art. 35��������������������������������������������������� 109 Art. 40��������������������������������������������������� 109 Art. 41������������������������������������������������� 109n Art. 44��������������������������������������������������� 109

xvi

xviii

Table of Legislation

Regulation (EC) 1906/​2006 Laying down the Rules for the Participation of Undertakings, Research Centres and Universities in Actions under the Seventh Framework Programme and for the Dissemination of Research Results (2007–​2013), OJ 2006 L 391/​1 Art. 39(1)����������������������������������������� 101–​2n Art. 41��������������������������������������������������� 102 Art. 42��������������������������������������������������� 102 Art. 43��������������������������������������������������� 102 Art. 44(3)����������������������������������������������� 102 Art. 46��������������������������������������������������� 102 Art. 47��������������������������������������������������� 102 Art. 48��������������������������������������������������� 102 Art. 49��������������������������������������������������� 102 Regulation (EC) 1907/​2006 Concerning the Registration, Evaluation, Authorization and Restriction of Chemicals (REACH), Establishing a European Chemicals Agency, OJ 2006 L 136/​3��������������������������������������� 79 Art. 2 (5)(a) ������������������������������������������������� 79n (6)����������������������������������������������������� 79n Regulation (EC) 1987/​2006, OJ 2006 L 381/​4 (SIS II Regulation)������������ 212, 238t Art. 10��������������������������������������������������� 225 Art. 21������������������������������������������������� 215n Art. 24 (3) ��������������������������������������������������� 215n (5) ��������������������������������������������������� 215n Art. 27��������������������������������������������������� 215 Art. 28��������������������������������������������������� 215 Art. 29��������������������������������������������������� 225 Art. 31(8)�����������������������������������������������224 Art. 39���������������������������������������������������224 Art. 40��������������������������������������������������� 215 Art. 41��������������������������������������������215, 217 Art. 42��������������������������������������������215, 217 Art. 43��������������������������������������������������� 217 (2) ����������������������������������������������������� 217 Art. 45��������������������������������������������������� 217 Art. 48��������������������������������������������������� 217 Art. 49��������������������������������������������������� 217 Regulation (EC) 863/​2007 of the European Parliament and of the Council of 11 July 2007 establishing a mechanism for the creation of Rapid Border Intervention Teams, OJ 2007 L 199/​30����������������������������������������������� 232

Regulation (EC) 1394/​2007 of the European Parliament and of the Council of 13 November 2007 on Advanced Therapy Medicinal Products, OJ 2007 L 324/​121�������������28–​30, 32–​3, 78–​9n, 115 Recital 7���������������������������������������������� 112n Art. 14(1)����������������������������������������� 116–​17 Art. 15��������������������������������������������� 116–​17 Art. 23b��������������������������������������������������� 29 Regulation (EC) 300/​2008 on common rules in the field of civil aviation security, OJ 2008 L 97/​72 ���������������������������������������������209 Regulation (EC) 767/​2008 of the European Parliament and of the Council of 9 July 2008 Concerning the Visa Information System (VIS) and the Exchange of Data Between Member States on Short-​Stay Visas, OJ 2008 L 218/​ 60 (VIS Regulation)�������������� 137, 212–​13 Art. 6(3)�������������������������������������������������224 Art. 19��������������������������������������������������� 215 Art. 20��������������������������������������������������� 215 Art. 23��������������������������������������������������� 225 Art. 25��������������������������������������������������� 225 Art. 31��������������������������������������������������� 215 (2) �����������������������������������������������������224 Art. 32��������������������������������������������������� 225 Art. 33��������������������������������������������������� 217 Art. 36��������������������������������������������������� 217 Art. 37��������������������������������������������������� 217 Art. 38����������������������������������������������217–​18 Art. 40��������������������������������������������������� 217 Regulation (EC) 810/​2009, OJ 2009 L 243/​1 (Visa Code)�����������������������������200 Regulation (EC) 1211/​2009 of the European Parliament and of the Council Establishing the Body of European Regulators for Electronic Communications (BEREC) and the Office (1), OJ 2009 L 337/​1������������������������������������� 211 Regulation (EU) 439/​2010 Establishing a European Asylum Support Office (EASO), OJ 2010 L 132/​11 ������������������������������������������� 201 Regulation (EU) 1235/​2010 Amending, as Regards Pharmacovigilance of Medicinal Products for Human Use, Regulation (EC) 726/​2004, OJ 2010 L 348/​1������������������������������� 116–​17

 xi

Table of Legislation Regulation (EU) 1077/​2011 Establishing a European Agency for the Operational Management of Large-​Scale IT Systems in the Area of Freedom, Security and Justice, OJ 2011 L 286/​1 (eu-​LISA Regulation)���������������� 201, 213 Commission Regulation (EU) 1141/​ 2011 amending Regulation (EC) No. 272/​2009 supplementing the common basic standards on civil aviation security as regards the use of security scanners at EU airports, OJ 2011 L 293/​22���������������209 Regulation (EU) 1168/​2011 of the European Parliament and of the Council of 25 October 2011 amending Council Regulation (EC) No. 2007/​2004, OJ 2011 L 304/​1������������������������������������������������� 232 Regulation (EU) 603/​2013, OJ 2013 L 180/​1 (EURODAC Regulation)���������������� 212, 215–​16, 239t Art. 2(1) (j)���������������������������������������������������224 (k) �������������������������������������������������224 Art. 3(2)�����������������������������������������������224n Art. 5(2)�����������������������������������������������224n Art. 12��������������������������������������������������� 225 Art. 13��������������������������������������������������� 225 Art. 20���������������������������������������������������224 Art. 21������������������������������������������� 215, 224 Art. 29 (1)-​(3)������������������������������������������������� 217 (4)-​(13)���������������������������������������������� 217 (14) ��������������������������������������������������� 217 (15) �������������������������������������������� 217, 218 Art. 31��������������������������������������������������� 217 Art. 33��������������������������������������������������217n Art. 34��������������������������������������������������� 225 Art. 35���������������������������������������������������224 Art. 37��������������������������������������������������� 217 Art. 51��������������������������������������������������� 217 Regulation (EU) 604/​2013, OJ 2013 L 180/​31 (recast, Dublin III Regulation)���������������������������200–​1, 212 Regulation (EU) 1052/​2013 Establishing the European Border Surveillance System (Eurosur), OJ 2013 L 295/​11 (EUROSUR Regulation)���������������������� 230–​2, 234–​5 Art. 1�����������������������������������������������������228 Art. 7����������������������������������������������������� 231 Art. 9����������������������������������������������������� 231

xix

Art. 10��������������������������������������������������� 231 Art. 11��������������������������������������������������� 231 Art. 12��������������������������������������������������� 231 Art. 13(1)����������������������������������������������� 232 Art. 15�����������������������������������������208n, 231 Art. 16��������������������������������������������������� 232 Regulation (EU) 1291/​2013 Establishing Horizon 2020— the Framework Programme for Research and Innovation (2014–2020) and Repealing Decision 1982/​2006/​EC, OJ 2013 L 347/​104�������������������������������96–​7 Art. 2(1)(19)������������������������������������� 101–​2n Regulation (EU) 282/​2014 on the Establishment of a Third Programme for the Union’s Action in the Field of Health (2014–​2020) and Repealing Decision 1350/​2007/​EC, OJ 2014 L 86/​1 ���������������������������������������������97–​8 Recital 2��������������������������������������������������97 Recital 5��������������������������������������������������97 Recital 21�������������������������������������������������98 Regulation (EU) 515/​2014 Establishing, as Part of the Internal Security Fund, the Instrument for Financial Support for External Borders and Visa, OJ 2014 L 150/​143 Art. 8���������������������������������������������������208n Regulation (EU) 536/​2014 of the European Parliament and of the Council of 16 April 2014 on Clinical Trials on Medicinal Products for Human Use, and Repealing Directive 2001/​20/​EC ������������������������������������������������ 27, 104–​8 Recital 4������������������������������������������������ 105 Recital 5������������������������������������������������ 106 Recital 8������������������������������������������������ 107 Recital 15����������������������������������������������� 107 Recital 17����������������������������������������������� 107 Recital 27���������������������������������������������� 107 Recital 44 ��������������������������������������������� 107 Recital 76����������������������������������������������� 107 Recital 80 ��������������������������������������������� 107 Recital 82������������������������������������������106–​7 Chapter V ��������������������������������������������� 107 Chapter IX��������������������������������������������� 108 Chapter X ��������������������������������������������� 108 Chapter XI��������������������������������������������� 108 Art. 2(2) (1) �������������������������������������������������104–​5

x

xx

Table of Legislation

(2) �����������������������������������������������104–​5n (30) ��������������������������������������������������� 107 Art. 3(a)������������������������������������������������� 107 Art. 5������������������������������������������� 105, 105n Art. 8����������������������������������������������������� 105 Art. 16��������������������������������������������������� 105 Art. 32��������������������������������������������������� 107 Art. 80��������������������������������������������������� 105 Art. 81��������������������������������������������������� 105 Art. 98������������������������������������������������� 104n Art. 99������������������������������������������������� 104n Regulation (EU) 656/​2014 of the European Parliament and of the Council of 15 May 2014 establishing rules for the surveillance of the external sea borders in the context of operational cooperation, OJ 2014 L 189/​93 ���������������������������������206n, 234 Regulation (EU) 2016/​679 of the European Parliament and of the Council of 27 April 2016, OJ 2016 L 119/​1 (General Data Protection Regulation) ��������������4, 108n, 125, 151–​71, 172, 174, 183–​6, 195 Art. 1������������������������������������������������� 157–​8 Art. 2(4)������������������������������������������������� 183 Art. 6(1)������������������������������������������������� 157 Art. 7(3)������������������������������������������������� 185 Art. 14��������������������������������������������������� 184 (5)(b)������������������������������������������������� 184 Art. 17(1)�����������������������������������184, 185–​6 Art. 20��������������������������������������������������� 185 Art. 82 (1) ����������������������������������������������������� 189 (3) ����������������������������������������������������� 189 Art. 83�����������������������������������������������185–​6 (5) ��������������������������������������������� 188, 196 Art. 94��������������������������������������������������� 183 Decisions (in chronological order) Council Decision 1999/​435/​EC Concerning the Definition of the Schengen Acquis, OJ 1999 L 176/​1������� 199 Council Decision 1999/​436/​EC Determining the Legal Basis for Each of the Provisions or Decisions which Constitute the Schengen Acquis, OJ 1999 L 176/​17����������������������199 Decision 2001/​886/​JHA on the Development of the Second Generation Schengen Information System, OJ 2001 L 328/​1������������������ 212

Council Decision 2002/​187/​JHA of 6 April 2009 (Eurojust), OJ 2002 L 63/​1��������������������������������������� 217 Decision 1513/​2002/​EC of the European Parliament and of the Council of 27 June 2002 Concerning the Sixth Framework Programme of the European Community for Research, Technological Development and Demonstration Activities, OJ 2002 L 232/​1 (FP6)������������������� 60, 61–​2 Council Decision 2005/​211/​JHA, OJ 2005 L 68/​4 4������������������������������������� 215 Commission Decision 2005/​383/​EC of 11 May 2005, OJ 2005 L 127/​17���������40 Decision 1982/​2006/​EC of the European Parliament and of the Council of 18 December 2006 Concerning the Seventh Framework Programme of the European Community for Research, Technological Development and Demonstration Activities (2007–​2013), OJ 2006 L 412/​1 (FP7) ���������������������60, 81, 96–​7 Council Decision 2007/​533/​JHA, OJ 2007 L 205/​63 (SIS II Decision) ������������������������������������������212, 217, 238t Art. 57��������������������������������������������������� 217 Council Decision 2008/​633/​JHA, OJ 2008 L 218/​129 (VIS Decision) ������� 215 Art. 5�����������������������������������������������������224 Art. 7����������������������������������������������������� 215 (c)���������������������������������������������������224 (d) �������������������������������������������������224 Art. 8(4)���������������������������������������������224–​5 Council Framework Decision 2008/​ 977/​JHA of 27 November 2008 on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters, OJ 2008 L 350/​60�������������137–​8, 217, 232, 238–​40t Council Decision 2009/​371/​JHA of 6 April 2009 Establishing the European Police Office (Europol), OJ 2009 L 121/​37�������������� 137, 215, 217 Recital 14��������������������������������������������� 129n Council Decision 2009/​426/​JHA of 16 December 2008 on the Strengthening of Eurojust, OJ 2009 L 138/​14����������������������������������� 137

 xxi

Table of Legislation Decision 1082/​2013/​EU on serious cross-​border threats to health and repealing Decision 2119/​98/​EC, OJ 2013 L 293/​1 ������������������������������� 89n Resolutions (in chronological order) Council Resolution (73) 22 on the Protection of the Privacy of Individuals vis-​à-​vis Electronic Data Banks in the Private Sector, 26 September 1973 ���������������������������126 Council Resolution (74) 29 on the Protection of the Privacy of Individuals vis-​a-​vis Electronic Data Banks in the Public Sector, 20 September 1974 ���������������������������126 Council Resolution 85/​C 136/​01 of 7 May 1985 on a New Approach to Technical Harmonization and Standards; European Commission, Communication on Enhancing the Implementation of the New Approach Directives, COM(2003) 240 final  ����������������������� 95 EP Resolution of 16 March 1989 on the ethical and legal problems of genetic engineering, OJ 1989 C 96/​165���������������40 EP Resolution of 16 March 1989 on Artificial Insemination In Vivo and In Vitro, OJ 1989 C 96/​171���������40 EP Resolution of 7 September 2000 on the Cloning of Human Beings, OJ 2001 C 135/​2 63 ������������� 40 EP Resolution of 3 July 2002 on Sexual and Reproductive Health and Rights, OJ 2003 C 271 E/​369 ������������ 40 EP Resolution of 10 March 2005 on Planned Egg Cell Trade, OJ 2005 C 320 E/​251 ���������������������������������������40 EP Resolution of 25 November 2014, P8_​TA(2014)0058���������������������209–​10n Communications and other non-​binding instruments Communication from the Commission on the Protection of Individuals in Relation to the Processing of Personal Data in the Community and Information Security, COM (90) 314 final, 13 September 1990��������������������������������131 Communication from the Commission on the Community Marketing

xxi

Authorisation Procedures for Medicinal Products, OJ 1998 C 229/​4���������������������������������������26 Communication from the Commission on the Precautionary Principle, COM(2000) 1 final, 2 February 2000 ��������������������������������������������� 14–​15 Communication from the Commission, ‘European Governance—​A White Paper,’ COM(2001) 428 final, 25 July 2001���������������������������������������������� 15, 33 Commission Communication on Improved Effectiveness, Enhanced interoperability and synergies among European Databases in the Area of Justice and Home Affairs, COM(2005) 597 final ������������������������������������������� 214 Commission Communication on Policy Priorities in the Fight Against Illegal Immigration of Third-​ country Nationals, COM(2006) 402 final, 19 July 2006������������������������ 214 Commission Communication, Reinforcing the Management of the European Union’s Southern Maritime Borders, COM(2006) 733 final, 30 November 2006�����������229 Communication from the Commission to the European Parliament and the Council on the Follow-​up of the Work Programme for Better Implementation of the Data Protection Directive, 7 March 2007, COM (2007) 87 final ������������� 147 Communication from the Commission, Examining the Creation of a European Border Surveillance System (EUROSUR), COM(2008) 68 final, 13 February 2008���������������229–​30 Communication from the Commission, Preparing the Next Steps in Border Management in the European Union, COM(2008) 69 final, 13 February 2008 ����������� 201, 204, 207n, 214, 229n Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee

xxi

xxii

Table of Legislation

of the Regions, A Comprehensive Approach on Personal Data Protection in the European Union, 4 November 2010, COM (2010) 609 final������������������� 137–​8n, 148 Commission Communication, The EU Internal Security Strategy in Action: Five Steps Towards a More Secure Europe, COM(2010) 673 final, 22 November 2010 �����������209 Commission Communication on Migration, COM(2011) 248 final, 4 May 2011����������������������������������� 201–​2 Commission Communication on Smart Borders—​Options and the Way Ahead, COM(2011) 680 final, 25 October 2011������������� 207n, 214 Commission Communication, The Global Approach to Migration and Mobility, COM(2011) 743 final���������������������������������������������205 Commission Communication, Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century, COM(2012) 9, 25 January 2012 ������������������������������� 218 Commission Communication, An Open and Secure Europe: Making It Happen, COM(2014) 154 final, 11 March 2014���������������������������������������������������204 Commission Communication, Better Situational Awareness by Enhanced Cooperation across Maritime Surveillance Authorities: Next Steps Within the Common Information Sharing Environment for the EU Maritime Domain, COM(2014) 451 final, 8 July 2014�������������������������229 Guideline on Xenogeneic Cell-​based Medicinal Products, EMEA/​ CHMP/​CPWP/​83508/​2009, 22 October 2009 ������������������������������� 29, 34 Guidelines on Good Clinical Practice Specific to Advanced Therapy Medicinal Products (Commission, 2009)�����������������������30–​1 para 2.4��������������������������������������������������� 31 para 3.9������������������������������������������������� 31n para 7.2 ��������������������������������������������������� 31 para 8.2��������������������������������������������������� 31

para 8.2.45����������������������������������������������� 31 Annex 2������������������������������������������������� 31n Proposal for a Regulation, Establishing the European Border Surveillance System (EUROSUR), COM(2011) 873 final, 12 December 2001 ����������� 230, 231, 232 Proposal for a Directive of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data by competent authorities for the purposes of prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data, 25 January 2012, COM(2012) 10 final������������������� 149–​50 Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM(2012) 11 final, 25 January 2012����������������� 108n, 149–​56, 218 Art. 2��������������������������������������������������151–​2 (2)(b)������������������������������������������������� 151 Art. 3��������������������������������������155, 164, 165 Art. 4 (1)(a) ������������������������������������������������� 156 (8) ����������������������������������������������150, 153 Art. 5 (c)��������������������������������������������������� 150 (f)�������������������������������������������������� 154 Art. 7����������������������������������������������������� 150 (1) ����������������������������������������������������� 154 Arts 11–​19������������������������������������������� 153n Art. 12��������������������������������������������������� 153 Art. 17��������������������������������������������������� 153 Art. 18��������������������������������������������������� 153 Art. 19��������������������������������������������������� 153 Art. 21��������������������������������������������������� 157 Art. 22������������������������������������������� 154, 168 (1) ����������������������������������������������������� 154 (2) ����������������������������������������������������� 154 Arts 22–​37��������������������������������������������� 159 Art. 23��������������������������������������������������� 150 Art. 24��������������������������������������������������� 164

 xxi

Table of Legislation Art. 28��������������������������������������������������� 154 Art. 33��������������������������������������������151, 154 Art. 34��������������������������������������������������� 151 Arts 35–​37��������������������������������������������� 154 Art. 39��������������������������������������������������� 169 Arts 40–​45 ����������������������������������� 156, 164 Art. 45������������������������������������������� 155, 164 Arts 46–​49 ������������������������������������������� 157 Art. 47��������������������������������������������������� 151 Art. 51(2)�������������������������������� 151, 155, 160 Art. 53��������������������������������������������151, 168 Art. 55��������������������������������������������������� 155 Art. 56��������������������������������������������������� 155 Arts 57–​61��������������������������������������������� 155 Art. 58��������������������������������������������������� 169 Arts 59–​62 ������������������������������������������� 170 Arts 64–​72�������������������������������������������� 155 Art. 73��������������������������������������������������� 162 Arts 73–​76��������������������������������������������� 153 Art. 74(3)����������������������������������������������� 162 Art. 75��������������������������������������������������� 162 Art. 79��������������������������������������������151, 168 Arts 80–​85 ������������������������������������������� 157 Proposal for a Regulation of the European Parliament and of the Council Establishing an Entry/​ Exit System (EES) to Register Entry and Exit Data of Third Country Nationals Crossing the External Borders of the Member States of the European Union, COM(2013) 95 final, 28 February 2013 (EES Proposal) ���������������������������������������������211, 213–​15 Art. 4����������������������������������������������� 214–​15 Art. 7(2)�������������������������������������������������224 Art. 12��������������������������������������������������� 214 Art. 22��������������������������������������������������� 225 Art. 27���������������������������������������������������224 Art. 28��������������������������������������������������� 225 Art. 46(5)����������������������������������������������� 216 Proposal for a Regulation of the European Parliament and of the Council Establishing a Registered Traveller Programme, COM(2013) 97 final, 28 February 2013����������������������������������� 214 Recommendation No. R (83) 10 of the Committee of Ministers to Member States on the Protection of Personal Data Used for Scientific Research and Statistics of 23 September 1983 ��������������������� 129n

xxiii

Recommendation No. (87) 15 of the Committee of Ministers to Member States on the Use of Personal Data in the Police Sector of 17 September 1987������������ 129n, 238t, 240t Recommendation 15/​1997 of the Committee of Ministers on Xenotransplantation ��������������������������� 21 Recommendation 1399/​1999 of the Committee of Ministers Pleading for a Moratorium on All Clinical Xenotransplantation ��������������������������� 21 Recommendation Rec(2003)10 of the Committee of Ministers to Member States on Xenotransplantation (2003) �����������22–​5 Art. 1�������������������������������������������������������24 Art. 21�����������������������������������������������������24 Art. 30�����������������������������������������������������24 Strategic Guidelines, European Council Conclusions, EUCO 79/​ 14, 27 June 2014�������������������30–​31, 202 I N T E R N AT ION A L AGR E E M E N TS Rio Declaration on Environment and Development 1992 Principle 15��������������������������������������������� 14 Universal Declaration of Human Rights 1948 Art. 12��������������������������������������������������� 125 BI L AT E R A L AGR E E M E N TS EU–​Australia Agreement on the use and transfer of passenger name records, OJ 2012 L 186/​4 �����������������209 EU–​Canada Agreement on the use and transfer of passenger name records, OJ 2006 L 82/​15 �����������������209 EU–​US Agreement on the use and transfer of passenger name records, OJ 2012 L 215/​5�������������������209 N AT ION A L L EGISL AT ION Austria Artificial Procreation Act 1992������������������� 72

xvi

xxiv

Table of Legislation

France Laws on Bioethics 1994�������������������������������� 48 Germany Constitution Art. 2(1)�������������������������������������������������� 130 Italy Act no. 196 of 30 June 2003 Codice in materia di protezione dei dati personali/​Personal data protection code [2003], OJ 174/​03 Art. 15(2)�������������������������������������������������191 Sweden Data Act 1972�������������������������������������������� 126 United Kingdom Human Fertilization and Embryology Act 1990 ���������������������������������������������� 48

Medicines for Human Use (Clinical Trials) Regulations 2004, Statutory Instrument No. 1031/​2004�������������������106 United States Communication Decency Act 1996 ���������������������������������177, 178–​9 s 230 �������������������������������������������������������179 Digital Millennium Copyright Act 1998 ���������������������������������177, 178–​9 s 521��������������������������������������������������������179 Illegal Immigration Reform and Immigration Responsibility Act 1996 ��������226 Privacy Act 1974�������������������������������������� 126n

 xv

List of Abbreviations AFSJ API ATMP BCR BSE CAT CDA CDBI CDSP CEAS CFR CHMP CISA CISE CJEU CoE CPHA CPMP CTD CTR DEHP DG DHHS DMCA DPA ECHR ECtHR EDPO EDPS EDQM EEA EES EGE EIXM EMA EMEA EMSA EP EPN EPO ESRC

Area of Freedom, Security and Justice Advanced Passenger Information advanced therapy medicinal products binding corporate rules bovine spongiform encephalopathy Committee for Advanced Therapies Communication Decency Act of 1996 (US) Steering Committee on Bioethics European Health Committee Common European Asylum System Charter of Fundamental Rights Committee for Medicinal Products for Human Use Convention Implementing the Schengen Agreement common information sharing environment Court of Justice of the European Union Council of Europe Canadian Public Health Association Committee for Proprietary Medicinal Products Clinical Trials Directive (2001/​20/​EC) Clinical Trials Regulation (536/​2014) di (2-​ethyhexyl) phthalate Directorate General Department of Health and Human Services Digital Millennium Copyright Act of 1998 (US) Data Protection Authority European Convention on Human Rights European Court of Human Rights European Data Protection Officer European Data Protection Supervisor European Directorate for the Quality of Medicines & HealthCare European Economic Area European Environmental Agency Entry-​Exit System European Group on Ethics in Science and New Technologies European Information Exchange Model European Medicines Agency European Agency for the Evaluation of Medicinal Products European Maritime Safety Agency European Parliament European Patrol Network European Patent Office Economic and Social Research Council

xvi

xxvi eu-​LISA EUROSUR FDA FP FSC GAEIB GCP GLP GM GMMO GMO GPEN HUG ICH ISS IXA JHA LCT LIBE MEQR NCC NHC NHMRC NHT NMG NRC NSA OECD OTA PAC PERV PHS PNR PP QR REACH RRI RTP SARS SIS STS TEU TFEU TRIPS

List of Abbreviations EU Agency for the Operational Management of Large Scale IT-​Systems in the Area of Freedom, Security and Justice European Border Surveillance System Food and Drug Administration Framework Programme Frontex Situation Centre Group of advisers to the European Commission on the ethical implications of biotechnology good clinical practice good laboratory practice genetically modified genetically modified micro-​organisms genetically modified organism global network of privacy enforcement authorities Hôpitaux Universitaires de Genève International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use Internal Security Strategy International Xenotransplantation Association Justice and Home Affairs Living Cells Technology Civil Liberties, Justice and Home Affairs measures having equivalent effect to quantitative restrictions National Coordination Centre National Health Committee National Health and Medical Research Council new health technologies New Modes of Governance National Research Council National Supervisory Authority Organisation for Economic and Co-​operation and Development Office of Technology Assessment Public Advisory Committee porcine endogenous retrovirus Public Health Services Passenger Name Records precautionary principle quantitative restriction Registration, Evaluation, Authorization and Restriction of Chemicals Responsible Research and Innovation Registered Traveller Programme severe acute respiratory syndrome Schengen Information System Science and Technology Studies Treaty on European Union Treaty on the Functioning of the European Union Agreement on Trade-​Related Aspects of Intellectual Property Rights

 xxvi

List of Abbreviations UKXIRA

United Kingdom Xenotransplantation Interim Regulatory Authority USPTO United States Patents & Trade Office VIS Visa Information System WHO World Health Organization WPx Working Party on XT XT xenotransplantation

xxvii

xxivi

 xi

Notes on Contributors Marise Cremona has been a Professor in the Law Department of the European University Institute since January 2006. Between 2009 and June 2012 she was Head of the Law Department and between June 2012 and August 2013 she was President ad interim of the EUI. She is a co-​Director of the Academy of European Law and a series editor of the Collected Courses of the Academy of European Law. Prior to joining the EUI she was Professor of European Commercial Law, Centre for Commercial Law Studies at Queen Mary University of London. Professor Cremona is also a member of the International Advisory Board of the Centre for European Research, University of Göteborg; member of the Scientific Advisory Board of the Lichtenberg-​Kolleg Institute for Advanced Study in Humanities and Social Sciences, University of Göttingen; member of the Advisory Board of the European Foreign Affairs Review; member of the Editorial Board of the European Law Review; member of the Editorial Board of Studies in EU External Relations. Mark L. Flear is a lecturer at the School of Law, Queen’s University Belfast. His research focuses on the law and biopolitics of public health and new health technologies. Mark has published widely, including by invitation, in a number of leading edited collections and journals. He is the author of Governing Public Health (2015) and the lead editor of, and a key contributor to, European Law and New Health Technologies (2013). Mark has been a visiting scholar at the Faculty of Law, University of Cambridge and the Faculty of Law and Criminology, Vrije Universiteit Brussels. He has provided his expert view to the European Group on Ethics in Science and New Technologies, and has given invited lectures on a number of topics within his research areas, including at the Mason Institute, University of Edinburgh. He also has a regulatory role as a Member of the Northern Ireland DNA Database Governance Board. Stéphanie Hennette Vauchez is a Professor of Law at the Université Paris Ouest Nanterre La Défense, where she directs the Masters degree course in human rights law. She is also the deputy director of the research unit, UMR 7074 Centre de théorie et analyse du droit. Her research interests lie mainly in the fields of bioethics, gender, and religious freedom. She has written widely in these fields, including L’Affaire Baby Loup ou la Nouvelle Laïcité (with Vincent Valentin, 2014). Peter Hustinx served as the first European Data Protection Supervisor from January 2004 until December 2014. From 1991 until 2004, he was president of the Dutch Data Protection Authority, and from 1996 until 2000, he was also chairman of the Article 29 Working Party. He has been closely involved in the development of data protection law from the start, both at national and various international levels. He received law degrees in Nijmegen, the Netherlands, and in Ann Arbor, Michigan, United States. In July 2015 he received an honorary doctorate from the University of Edinburgh for his work in the field of information privacy and data protection. Jorrit J. Rijpma is Associate Professor of EU Law at Leiden Law School, the Netherlands. His research focuses on European cooperation in Justice and Home Affairs. In particular, he looks at the EU’s migration and asylum policy and institutional developments in this field. Rijpma is a member of the standing committee of experts on international immigration, refugee, and criminal law (Meijers Committee). He currently coordinates the Leiden Law School’s research project ‘Policing the High Seas’ on maritime security.

x

xxx

Notes on Contributors

Giovanni Sartor is part-​time Professor in Legal Informatics at the University of Bologna and part-​time Professor in Legal Informatics and Legal Theory at the European University Institute. He obtained a PhD at the European University Institute, was a researcher at the Italian National Council of Research (ITTIG, Florence), held the chair in Jurisprudence at Queen’s University Belfast, and was a Marie Curie professor at the EUI. He has been President of the International Association for Artificial Intelligence and Law. He has published widely in legal philosophy, computational logic, legislation technique, and computer law. He is co-​director of the Artificial Intelligence and Law Journal and co-​editor of the Ratio Juris Journal. His research interests include legal theory, logic, argumentation theory, modal and deontic logics, logic programming, multiagent systems, computer and internet law, data protection, e-​commerce, law and technology, aviation law, and human rights. Mariachiara Tallacchini is Professor of Philosophy of Law at the Università Cattolica del Sacro Cuore in Piacenza, Italy. She also teaches Science and Law at the International School for Advanced Studies in Trieste, Italy. After earning a degree in Law and a PhD in Legal Philosophy at the University of Padua, Professor Tallacchini was a postdoctoral fellow in the STS programme at the Kennedy School of Government, Harvard University. She has been a consultant for the Italian Parliament and the Italian Commission of Bioethics in matters concerning patentability of biotechnological inventions, the precautionary principle, environmental and animal protection, and has also collaborated with the WHO Regional Office of Rome on Environment and Health. Between 2006 and 2008 she chaired the European Advisory Group on Science in Society for FP7. From 2013 to 2015 she worked at the Joint Research Centre (JRC—​Institute for the Protection and Security of the Citizen) of the European Commission. Professor Tallacchini’s interests concern the legal regulation of science and technology and the relationships between science and democracy, especially in the domain of the life sciences and their interfaces with ICT. She is a member of several scientific and ethics committees in the fields of research ethics, genetics, xenotransplantation, and animal and environmental protection. She has written widely in these areas, including Emerging ICT for Citizens’ Veillance: Theoretical and Practical Insights, European Commission Policy Report (with Philip Boucher and Susana Nascimento, 2014); Trattato di Biodiritto (edited with Stefano Rodotà, 2010), Volume 1.

 1

1 Introduction Marise Cremona

The genesis of this book is a series of lecture courses given as part of the Academy of European Law’s annual summer programme on the theme of New Technologies and EU Law. The lectures have been substantially revised, and we have added a chapter which examines new health technologies in the internal market. New technology and EU law are of course both enormous and hugely varied fields and we have had to be selective in the types of new technology addressed and in the domains of EU law covered. We have attempted to choose fields in which the impact is clear (if not the precise modalities of interaction) and to offer a combination of more generalizable findings and some more subject-​specific analysis. The book is organized into two parts. The first part, ‘The EU, Scientific Risk, and Regulatory Design’, addresses some of the more horizontal questions, helping us to unpack and to understand the EU’s approach to the regulation of scientific/​ technological risk and the impact on regulatory design of the close link between the regulation of technology and the internal market. The chapters by Tallacchini, Hennette Vauchez, and Flear do this by taking different approaches, one might say a progressively more focused lens, to the interaction between EU law, bioethics, and medical and health technologies. The second part, ‘EU Law and New Technologies—​Challenge and Response’, contains three chapters by Hustinx, Sartor, and Rijpma which use different policy fields to exemplify the different ways in which technology and EU policy interact, by (i)  posing new regulatory challenges (data protection; internet governance), and (ii) shaping the regulatory response to new challenges (the use of technology for border management and migration control). The aim of the book as a whole is to address two linked questions. First, how does EU law approach the relation between science and regulation and what part do conceptions of risk play in this approach; is there a distinctive character to EU law in this domain? And second, what challenges do new technologies pose for the EU internal market and for fundamental principles of EU law, including fundamental rights; do new technologies represent potential new barriers to freedom of movement? How are EU instruments used to direct and orientate EU policy on new technologies, and how do new technologies shape EU policy, including—​but not only—​EU policy on privacy and data protection? Introduction, First Edition, Marise Cremona © Marise Cremona 2017. Published 2017 by Oxford University Press

2

2

Introduction

EU Law and New Technologies: Three Models and Three Characteristic Features Tallacchini argues in Chapter 2 that the EU’s approach to the relation between science and law contains elements of three models (which are indeed not generally mutually exclusive). The first model is based on the idea that it is possible to maintain a clear division between science as neutral fact and policy as representing value-​choices. Such a separation may then allow a separation of decision-​ making: decisions on the science may be presented as objective and technocratic (handled for example by EU-​level agencies), separated from policy preferences. The second model confronts scientific neutrality with scientific uncertainty, and the need for political judgment about acceptable levels of risk, which has taken regulatory shape in the precautionary principle. The third model is the ‘extended participatory’ or ‘extended peer-​review’ model, emphasizing the involvement of civil society as well as scientific communities in the regulation of risk. What features can we identify in order to describe the EU’s particular ‘mix’ of these possible models? Despite the varying policy fields addressed in the following chapters, there is a degree of convergence in the conclusions drawn. First is the dominance of a procedural over a substantive approach. EU law will seek to regulate or control specific technologies or activities, ranging from data collection and transfer to biomedicine and genetically modified organisms (GMOs), rather than prohibiting them. Substantive policy (value-​based) choices—​whether on legal migration or biomedicine—​may then be left to Member States in an exercise of subsidiarity. Second, the EU has embraced a risk-​based approach to science or technology-​ based regulation, coupled with the precautionary principle, in a wide variety of contexts, from assessing the risk posed by different categories of persons crossing borders, to assessing different levels of risk attached to different types of data processing, or the environmental risks of GMOs. A risk-​based approach carries a number of implications and questions. It is based on an assumption that risk can be controlled if the appropriate procedures are identified and followed, and thus perhaps naturally tends towards privileging risks which are readily assessable and potentially containable. It does not itself provide an answer to who should decide on the acceptable level of risk, and more importantly does not of itself answer the questions: with what types of risk are we concerned (environmental? ethical? social? economic?), and who or whose interests (users? consumers? service providers? public security? individual rights?) are at stake. And third, flowing from these features of EU policy-​making, there is a tendency to depoliticize debate over new technologies, to present the problems they may raise as essentially technocratic and procedural or as primarily concerned with managing access to markets. Hennette Vauchez argues in Chapter 3 that biomedical issues ‘have become issues of circulation and globalization of goods and services, thus becoming technical (and no longer ontological) questions’. In the very different context of migration management, Rijpma in Chapter 7

 3

Marise Cremona

3

points to the way in which treating technology as value-​neutral has allowed policy-​making (including the use of new technologies) to be perceived as a technocratic process, ‘in which the use of technology has been able to conceal or even substitute political agreement on substantive policy, and even influence its direction’. Thus the procedural emphasis may nevertheless imply substantive integration.

Rationales for EU Regulation Why do the Member States accept that EU law may regulate new technologies? The issue of competence—​of the need to justify EU action—​is a thread running through the accounts presented here of the relation between EU law and new technologies. We can see it working in three different dynamics: (i) the requirements of market integration; (ii) the challenge of fundamental rights; and (iii) the logic of large-​scale technological infrastructures and technology as a driver of regulatory choice. The EU has a limited competence in relation to health policy but the EU law on biomedicine and health technologies is now extensive. It ranges from the patent protection of biotechnological inventions to cell and gene therapy, from the clinical testing of pharmaceuticals to safety standards for blood, human tissues, and organs for donation. The internal market provides the possibility of EU-​level regulation, given the potential barriers to market integration caused by the regulation of new technologies at national level. The internal market is also central to the EU’s self-​perception as a market economy embracing new technologies as essential to global competitiveness. This internal market-​based foundation for EU action has affected the approach taken: in Chapter 4, Flear argues that it has led to a market-​based orientation, a focus on the removal of obstacles to free movement and distortions of competition, and a corresponding narrowing of focus onto a specific type of risk: product safety risk. Alternative conceptions of risk (environmental, social, moral, or political) are comparatively marginalized. The internal market has also provided an initial basis for data protection regulation and internet governance (e-​commerce). Again, this has influenced the regulatory choices made, the emphasis being on establishing the specific conditions necessary to ensure the movement of data. However, as Hustinx points out in Chapter 5, in tracing the rationale for and development of EU data protection law, the recent reform of the EU’s regulatory structures for data protection has been influenced by the new and specific basis in primary law granted by the Lisbon Treaty: Article 16 of the Treaty on the Functioning of the European Union (TFEU) and Articles 7 and 8 of the Charter of Fundamental Rights. These data protection rights are no longer limited to the internal market context but apply in principle to all EU policy fields, including those within the former ‘third pillar’ such as migration and criminal justice policies. Fundamental rights may indeed provide a point of convergence for law and new technologies, as Hennette Vauchez suggests, and a justification

4

4

Introduction

for EU regulation which allows a place for non-​market values. The risk-​based approach (with considerable responsibility for risk assessment placed on data controllers by the new General Data Protection Regulation) is a mechanism for balancing the different rights and interests involved. Although tensions may arise between the internal market objectives of data protection legislation and the fundamental rights requirements deriving from the Charter, that legislation must itself comply with Article 16 TFEU, which establishes both a legal basis and a constraint on regulatory choice, and the Charter. Here too, as some of the recent internet governance cases discussed by Hustinx and Sartor in Chapters 5 and 6 have demonstrated, we may see how fundamental rights reasoning may derive substantive policy choices from essentially procedural regulatory frameworks. New technologies not only create challenges for market integration, prompting regulatory intervention, but may also help to shape the EU’s response to policy challenges, especially those with a security dimension. In this sense, technology—​a s well as being the target of regulation—​may operate as a cause of a particular regulatory choice. Rijpma’s chapter shows convincingly that the EU’s approach to border management has been shaped by the availability and use of large-​scale databases, and that technology developed for one purpose (migration) may be used for others (criminal law enforcement, security). The ‘risk logic’ that is applied to management of borders, migration, and asylum is linked to the diversification of the border and the securitization of migration, and results in allocating border-​crossers to ‘risk categories’. As a result, the same technology is used not only to manage migration but also to manage security risks, such as terrorism. ‘[N]‌e w technologies are not merely the result of a risk-​based approach to migration and asylum. They also enable it.’ Technology here works to justify and shape action at EU level. In addition to providing the regulatory framework governing the use of new technologies, the EU provides the technological infrastructure (large databases) and the agencies needed to manage that infrastructure and networks of cooperation. Technology may thus help to move the site of regulation from national to EU level, but, Rijpma points out, without necessarily providing the political agreement necessary to adopt a common policy.

The Interplay of Actors and Interests Tallacchini’s third model emphasizes the need for broader participation in the governance of technology. A subsidiary theme in this collection concerns the roles of the different actors involved and the interplay of their different interests: users, developers, national and EU regulators, supervisory authorities, courts. Hennette Vauchez highlights the role of the Court of Justice in mediating between national regulation and common rules in the context of the Biotechnology Directive (Directive 98/​44/​EC), comparing its emphasis on the national room for manoeuvre

 5

Marise Cremona

5

in Netherlands v. European Parliament and Council,1 with its insistence in Brüstle that the concept of a human embryo in the same directive is ‘an autonomous concept of European Union law’, one which should therefore be defined by the Court itself.2 As she suggests, the Brüstle case illustrates the Court’s attempt to combine a ‘concept of EU law’ with reliance on ‘objective scientific information’, resulting in a legal definition the practical application of which (by no means obvious) is then left to the national court. Flear uses the same directive as an example of the significance of the commercial actor in an EU instrument designed to encourage research and innovation in new technologies; the Directive, he argues, is intended primarily to benefit the developer: hence the need for a uniform scope to the exceptions to patent protection and a uniform definition of human embryo. One of the functions of a proceduralized approach is the allocation of tasks and responsibilities to different actors. As Brüstle illustrates, the process of allocation may in itself carry clear substantive as well as procedural implications. Hustinx’s analysis of the new General Data Protection Regulation assesses the impact of the changes on the different actors and interests in play: the user, the increased responsibilities placed on data controllers, and the role of supervisory authorities. The ‘one-​stop shop’ approach, for example, identifies a lead supervisory authority for data controllers operating across internal market borders, benefiting the controller but arguably at the expense of the user’s rights of access to justice. Sartor addresses another dimension of the balance between users’ and controllers’ interests, in the context of the so-​called ‘right to be forgotten’:3 should web service providers be seen as data controllers, with corresponding obligations to the users of those services? The legislative choice may prioritize the needs of service providers within the internal market, but the Court of Justice reminds us not only of the need to protect the fundamental rights of individual users but also of its own role in balancing those different interests. In the (technological) management of migration the agencies come to the fore, not only the border agency Frontex, linked through the European Border Surveillance System (EUROSUR) to national border agencies, but also eu-​LISA (the EU Agency for the Operational Management of Large Scale IT-​Systems in the Area of Freedom, Security and Justice) and Europol. As Rijpma argues, this ‘bureaucracy of quasi-​independent agencies’ which manage large-​scale database technologies have ‘become central to the information exchange between national agencies’, and ‘actively support the use of modern technology’. The border management systems create synergies between users and suppliers of information which serve to encourage reliance on technological solutions based on surveillance and intelligence sharing. Agencies of course have their own data protection and fundamental rights obligations. While new technologies may appear to offer 1  Case C-​377/​98, Netherlands v.  Parliament and Council, [2001] ECR I-​ 07079 (ECLI:EU:C:2001:523). 2  Case C-​34/​10, Brüstle v. Greenpeace eV, [2011] ECR I-​09821 (ECLI:EU:C:2011:669). 3  See Case C-​131/​12, Google Spain, judgment of 13 May 2014, not yet published (ECLI:EU:C:2014:317).

6

6

Introduction

solutions to ever more complex policy challenges, law imposes both procedural and substantive constraints on their use. The following chapters in this book each offer a different and rich perspective on the interaction between EU law and new technologies. This Introduction has not attempted to summarize the individual contributions, but has rather tried to outline the broader picture to which they contribute. The subject is one which deserves ongoing and further reflection; it is hoped that this book provides a stimulating start.

 7

PA RT   I T H E E U, S C I E N T I F IC R I S K , A N D R E GU L ATORY   DE S IG N

8

 9

2 Medical Technologies and EU Law: The Evolution of Regulatory Approaches and Governance Mariachiara Tallacchini

1. Introduction The regulatory evolution of medical technologies in the EU offers a unique perspective with regard to highlighting significant elements of both European science policy and the development of European institutions, especially regarding the passage from their (primarily) economic to their political phases. Since the early 1990s, while establishing a market for biotechnology, the European Communities have been developing some policy-​related visions of technoscience and its potential risks, and framing the concept of European citizenship through European values and rights. From this perspective, risks do not represent a mere technical dimension, a value-​free, allegedly neutral combination of science and norms. Instead, ‘regulatory science’ appears as a complex activity where facts cannot be purified of values, but require discussion and negotiation. The concept that provides an adequate account of the relationship between science, technology, law, policy, and politics is co-​production. According to this notion, knowledge and regulation should be looked at as processes generating and influencing each other.1 The medical technology analysed in this chapter, and followed throughout its regulatory history of changes and metamorphoses, is xenotransplantation (XT): the clinical use of cells, tissues, and organs between species. This biomedical technique has evolved from its primary focus on organs to (what is legally defined in the European context as) advanced therapy medicinal products (ATMPs), namely cell therapy, gene therapy, and tissue-​engineered products.

1  S. Jasanoff (ed.), States of Knowledge: The Co-​production of Science and Social Order (2004). Medical Technologies and EU Law: The Evolution of Regulatory Approaches and Governance, First edition, Mariachiara Tallacchini © Mariachiara Tallacchini 2017. Published 2017 by Oxford University Press

10

10

Medical Technologies and EU Law

Until recently, due to its specific features, the safe implementation of XT implied heavily normative constraints for patients and all subjects involved. The tension between potential benefits for individuals and potential risks for the population at large through the transmission of infectious agents from animals to humans remained a major concern. For a long time there was no strong scientific evidence concerning safety or efficacy that could counterbalance the burdens imposed on patients in order to minimize risks to the public. The potential for cells and tissues to be used as standardized products through the creation of a harmonized European legal environment has become a key element with regard to normalizing risks, or more specifically with regard to reducing them to socially acceptable practices. This chapter starts by introducing the concept of co-​production of science and regulation and the main existing models for science policy (Section 2). In these models, knowledge and normativity are combined and adjusted to each other as strategies to legally frame emerging technologies, to cope with their unforeseeable impacts and ethically sensitive aspects, and to make legitimate decisions about innovation in democratic societies. These heterogeneous regulatory science models are not mutually exclusive. Despite their providing different rationales in connecting knowledge and normativity, and different forms of validation and legitimacy, they de facto coexist in the regulatory history of several biomedical technologies. In the case of animal cells and tissues, the goal of making alternative epistemic visions normatively non-​incompatible has been pursued and achieved by compartmentalizing them in separate institutions, by applying them in different normative contexts, and by allocating powers to Member States. The case for animal cells, tissues, and organs from xenotransplants to advanced pharmaceutical products is then discussed (Section 3) as a significant example of an emerging (and re-​emerging) technology which, in challenging some well-​established scientific and regulatory notions and boundaries about safety and individual rights, obliges us to rethink not only specific concepts (such as informed consent, third party consent, and measures for risk containment) but has also triggered international competition for specific science policy models. The main focus of this chapter concerns the European policy models (Section 4), more precisely those models utilized within the EC/​EU and Council of Europe (CoE) in relation to animal cells, tissues, and organs. In particular, the focus is on how and why the European regulatory approaches have moved in certain directions, and have been reframed over time. Indeed, the evolution of the European scientific and normative gaze on this controversial biotechnology provides some interesting insights about the intertwined, conflicting, and coexisting European strategies to promote innovation, deal with the unknown, balance individual and collective rights to health, and build social acceptance of new technologies through different forms of citizen involvement.

 1

Mariachiara Tallacchini

11

2.  Co-​Production and Three Models of Science Policy The leading role played by science in economic and social development has caused politics and the law, on the one hand, to be colonized by an increasing amount of scientific knowledge and, on the other hand, to directly engage in technoscience regulation. Most decisions in public policy depend on scientific knowledge, requiring the state’s powers—​the organs of government, legislative power, and the judiciary—​to be directly involved in science-​related regulatory choices, and to equip themselves with experts and specialized knowledge (committees and boards of experts, expert witnesses, and risk assessors). Furthermore, in connection with the increasing impact of science and technology on society, legal systems have initiated broad regulatory activities in relation to scientific products and procedures. The interplay between science and, or in, society deeply affects institutional dynamics and the very meaning of citizenship. Science dealing directly with public policy was recognized relatively early as being a distinct activity from both pure science and applied science.2 While pure science is mainly guided by the researcher’s curiosity, and applied science is guided by a project and particular outcomes, policy-​related science must help to define problems with a social application. As such, it depends on broad judgments and political choices even when it is framed mostly in scientific or technical terms. Since policy-​makers have to be better informed about science, experts involved in policy-​making (including advisors, members of technical boards, expert witnesses in trials) form an integral part of the political–​scientific process. The complexities resulting from the mixing of science and the rules that govern civil life have given rise to concerns about the most appropriate ways of governing science in democratic societies, resulting in a rethinking of the idea of the state under the rule of law. Regulatory science, namely science framed for regulatory purposes, can hardly be seen as technical and neutral. As one commentator has stated: Regulatory science is particularly susceptible to divergent, socially conditioned interpretations… . In regulatory science … standards for assessing quality tend to be more fluid, controversial and sensitive to political factors… . Further, regulatory science is often constrained by strict time limitations that impede scientific consensus-​building. At the same time, the stakes are so much higher in regulatory than in research science that different interest groups have incentives to press for divergent, politically congenial interpretations of the available facts.3

In this context of blurred boundaries between science and normativity, the term co-​production has been used, primarily by Sheila Jasanoff, to suggest that

2 OTA (Office of Technology Assessment), The Regulatory Environment for Science—​A Technical Memorandum (1986); I. Shepherd (ed.), Science and Governance in the European Union. A Contribution to the Debate (2000). 3  S. Jasanoff, Science at the Bar (1995), at 281–​282.

12

12

Medical Technologies and EU Law

knowledge and regulation should be seen as processes generating and influencing each other.4 Far from representing separate languages, at least in the policy domain, scientific and legal concepts influence and nurture each other. In the deployment of emerging technologies and normative processes, this means that shared background narratives and imagined reasons are exchanged; that what is deemed to count as facts-​and-​values is jointly negotiated by scientific experts and policy-​makers; that knowledge and norms constantly and recursively redefine, validate, and legitimize each other. Through the evolving strategies adopted to deal with the complexities of technoscience governance, co-​ production has shown itself to be a powerful interpretive tool. In recent years, in order to overcome and justify some past crises in coping with technoscience, European institutions have increasingly proposed the idea of the role of law in the face of technoscientific developments as a ‘learning process’: regulation is ‘learning’ how to govern science. To this end, law is required to become more self-​reflexive and smart(er) in keeping pace with innovation.5 After the major failures of European legislation in managing biotechnology, and especially in gaining public confidence and compliance,6 normative instruments have been increasingly designed and proposed as open-​ended, soft, and flexible knowledge processes. While certainty and effectiveness represented the values traditionally attached to the law, now the regulatory process is proposed as a trial-​and-​error endeavour. The overall ‘normative learning process’ consists in the effort to build flexible scenarios anticipating unknown future outcomes. Funtowicz and Strand have described three main models that have been developed and applied in the relations between science and policy. These are the ‘science-​based’, the ‘precautionary’, and the ‘extended participatory’ (or extended peer-​reviewed) models.7 As stated above, these models, while showing the historical development of the relationships between science and policy, are not mutually exclusive and can coexist within the same regulatory environment. The science-​based model stands alone in assuming and maintaining a strong division between science and policy: the former representing facts and the latter dealing with values. The precautionary and extended participatory models share some basic assumptions about how the interactions between scientific and normative languages blur the boundaries of facts and values.

4  S. Jasanoff, Designs on Nature: Science and Democracy in Europe and the United States (2005); S. Jasanoff, Science and Public Reason (2012). 5 R. Von Schomberg and S. Davies (eds), Understanding Public Debate on Nanotechnologies. Options for Framing Public Policy (2010). 6  N. Jaspers, Not Another GMO. Explaining Europe’s Approach to Nanotechnologies (2012), available at http://​userpage.fu-​berlin.de/​k fgeu/​k fgwp/​w pseries/​WorkingPaperKFG_​4 4.pdf (last visited 20 September 2016). 7  Funtowicz and Strand, ‘Models of Science and Policy’, in T. Traavik and L. C. Lim (eds), Biosafety First: Holistic Approaches to Risk and Uncertainty in Genetic Engineering and Genetically Modified Organisms (2007) 263.

 13

Mariachiara Tallacchini

13

The main characteristic of the science-​based idea of policy lies in its claim to be more rigorously and objectively informed by scientific facts and knowledge, and its claim that decisions can be made legitimate by assuming and referring to the validity of science. Since the origins of modern thought, political and legal philosophy has emphasized the neutrality and objectivity of scientific method, which seems to be irremediably lacking in political and legal thought. The unique opportunity and example that science has offered social disciplines in order to free them from values and subjective opinions have been widely explored by legal scholars and political scientists as ways to both shape legal systems in accordance with the rules of logic and to root the social contract on scientific bases. From this perspective, science is considered both as a methodological idea and a reality separated from society, a self-​contained form of knowledge with no links to social practices.8 By and large, this approach has also influenced the legal regulation of scientific activities and products. Law related to science has been framed as technical rules, with science giving content to such norms (meaning that they are validated by the scientific community) and law playing a neutral role in science, acting rather as a mechanism for enforcement. In accordance with this conception, ‘science speaks truth to power’.9 To elaborate, in this case science is a precondition for legitimate politics and can only thrive in an environment free from politics. However, the assumption incorporated in this model that science can be separated from the other social systems founders when applied to institutional procedures and social practices where science, policy, and the law merge and reciprocally legitimize their respective forms of knowledge. This model was first constructed as part of the post-​Second World War US policy10 and almost ‘codified’ in the early 1980s with the institutionally prescribed separation between risk assessment and risk management.11 Despite being applied and constantly revived, the limitations of this approach began to be revealed in the early 1970s when uncertainty became a delicate issue in regulating science, as scientific positions and prediction became more divided and controversial. Scientific uncertainty represented a major challenge for the ‘positivistic’ vision of decision-​making, which has led to the framing of a different model for science policy: the precautionary model.

8 Tallacchini, ‘Epistemology of the European Identity’, The Journal of Biolaw & Business, Supplement Series Bioethix (2002) 60. 9  A. Wildavsky, Speaking Truth to Power (1979). 10  V. Bush, Science—​The Endless Frontier. A Report to the President by Vannevar Bush, Director of the Office of Scientific Research and Development (1945), available at http://​w ww.nsf.gov/​od/​lpa/​ nsf50/​vbush1945.htm (last visited 20 September 2016). 11  Through the so-​called Red Book, the NRC (National Research Council), Risk Assessment in the Federal Government: Managing the Process (1983), available at http://​w ww.nap.edu/​openbook. php?record_​id=366&page=2 (last visited 20 September 2016). The main goal of the report was ‘to assess the merit of separating the analytic functions of developing risk assessment from the regulatory functions of making policy decisions’ (at 2).

14

14

Medical Technologies and EU Law

The uncertainties arising first from environmental problems and later from the unforeseen consequences of new technologies12 (with scientific positions and predictions becoming more divided and controversial) constituted the major political reasons for a different vision, where science characterized by uncertainty is the daily condition that shapes scientific work and affects technologies and their social consequences. As scientific data proves uncertain, insufficient, or susceptible to sharply diverging interpretations, law bears the responsibility of filling the gaps left by science. The intrinsic incompleteness and indeterminacy of scientific knowledge clashes with the need to adopt social choices, public policies, and legal decisions.13 The legal framing of uncertainty was at the root of the idea of precaution when it was first internationally established in 1992—​as the precautionary approach—​ by Principle 15 of the Rio Declaration on Environment and Development which states that: Where there are threats of serious or irreversible damages, lack of full scientific certainty shall not be used as a reason for postponing cost-​effective measures to prevent environment degradations.

Since the Maastricht Treaty (Art. 130 R, para. 2, and later Art. 174 EC Treaty), precaution has been shaped as an autonomous concept, distinct from prevention (associated with the idea of risk assessment)—​a nd now embedded in the Treaty on the Functioning of the European Union (TFEU) (Title XX, Environment, Art. 191). The European interpretation of precaution was developed under the assumption that the law may protect against potential risk even before a causal link for a risk has been established. As scientific evidence may be achieved too late, and since risk acceptability is primarily a political decision, the law is not exclusively bound to quantifiable scientific evidence in order to protect citizens. In 2000, the European Commission Communication on the Precautionary Principle openly framed the concept as a ‘general principle’ governing all European health policies (‘environment, human, animal or plant health’) and

12  EEA (European Environmental Agency), Late Lessons from Early Warnings: The Precautionary Principle 1896–​2002 (2002), available at http://​w ww.eea.europa.eu/​publications/​environmental_​ issue_​report_ ​2001_ ​22 (last visited 20 September 2016). 13  The expression ‘scientific uncertainty’ has been used to refer to different cognitive conditions and concepts: risk, uncertainty in strict sense, ignorance, and indeterminacy. In decisions under conditions of risk, the main variables of a problem are known and the respective probability of different outcomes is quantified. In contrast, in decisions under conditions of uncertainty, even if the main variables of a system are known, the probability of an event cannot be quantified. Ignorance is the situation dealing with ‘unknown unknowns’. As the variables of a problem are not identified, the potential negative outcomes remain unknown and unpredictable unless new cognitive elements emerge. Finally, indeterminacy is the concept summarizing the fundamentally open and conditional character of all knowledge, particularly its contextual meaning and its socio-​cultural determination. See B. Wynne et  al., Taking European Knowledge Society Seriously (2007), available at http://​ec.europa.eu/​ research/​science-​society/​document_​library/​pdf_​06/​european-​knowledge-​society_​en.pdf (last visited 20 September 2016).

 15

Mariachiara Tallacchini

15

as an ‘eminently political responsibility’ about ‘what is an “acceptable” level of risk for society’ in connection with ‘the high level of protection chosen for the Community’.14 Despite its political importance, the Commission Communication’s version of precaution was widely criticized for its paternalistic and top-​down approach, as well as for the ambiguities inherent in the principle and its applications. In 2001, while struggling with several public health crises, the European Commission adopted an Action Plan to promote a closer relationship between science and society. European citizens’ distrust towards science and technology had become apparent and a different foundation for precaution, based on a more democratic and participatory approach to science policy, was deemed necessary.15 Uncertainties linked to the social implementation of new technologies increased the visibility and urgency of some unresolved political issues, including the need to widen consultation with experts and the importance of deepening dialogue with citizens as both subjects of potentially relevant knowledge for decision-​making, and as responsible individuals in society. The ‘extended participatory’ or ‘extended peer-​review’ model is based on a more general democratization of scientific expertise and public participation in knowledge-​based public policies. From this perspective, the governance of science is a matter of democracy where the ‘ideal of rigorous scientific demonstration is … replaced by an ideal of open public dialogue’, and where ‘every scientific aspect may be the object of a dialogue’. Commentators have stated that ‘[t]‌h rough this co-​production of knowledge, the existence of a wide community of experts and revisers may be the source of a kind of “experience democracy” ’.16 The European Commission endorsed this approach in its 2001 White Paper on Governance, and has since intermittently worked on the precise meaning and contents of public participation and engagement.17 The reference to governance expressed the need to deepen democracy in Europe. Indeed, the European reflection about scientific governance was meant at the same time to address the political need to re-​e stablish citizens’ trust in (the institutional use of ) science, to increase public knowledge and transparency about institutional procedures and decision-​making, and to aid in establishing European citizenship.

14  Communication from the Commission on the Precautionary Principle, COM(2000) 1 final, 2 February 2000, at 1. 15  European Commission, Science and Society Action Plan (2002). 16 Liberatore and Funtowicz (eds), ‘Special Issue on Democratising Expertise, Expertising Democracy’, 3 Science and Public Policy (2003) 146, at 147; Stirling, ‘Keep It Complex’, 468 Nature (2010) 1029. 17 Communication from the Commission, ‘European Governance—​ A White Paper’, COM(2001) 428 final, 25 July 2001, OJ 2011 C 287/​1.

16

16

Medical Technologies and EU Law

3.  Governing and Regulating Emerging (and Re-​Emerging) Risky Technologies: The Case for Animal Cells, Tissues, and Organs The scientific and clinical interest in XT, namely the use of cells, tissues, or organs from one species to another, emerged in response to the shortage of human organs in the 1960s, when the first partially successful vascularized organ xenotransplants were performed on humans by pioneering surgeons including Keith Reemtsma and Thomas Starzl.18 All procedures made use of chimpanzees or baboons—​due to their phylogenetic proximity to humans—​and survival was limited to days or weeks. Public awareness about XT, however, was raised in 1984 when a newborn baby with severe heart failure, Baby Fae, received a baboon heart transplant and survived 21 days.19 The negative reactions, both from scientists and the public, following the experiment stopped research for a number of years afterwards. Moreover, while non-​human primates were initially considered the most promising source of tissues and organs for XT experimentation, given their phylogenetic proximity to humans, HIV reignited fears of infectious diseases in the mid-​1980s.20 This development occurred notwithstanding the fact that the ‘book of pandemics’ had been declared officially ‘closed’ in the late 1960s in consideration of the effectiveness of antibiotics and vaccines.21 As a consequence, pigs suddenly became the most suitable source species for XT due to the fact that their organs are similar in size to human organs, they have large litters and are easy to rear, and they have long been kept by humans without creating health problems. New trials concentrated on swine tissues and cells, particularly after the creation of transgenic animals had shown the potential for overcoming hyperacute rejection. In 1997, however, after studies in Europe reported that human cells could be infected in vitro by pig retroviruses—​porcine endogenous retroviruses (PERVs) integrated into the pig genome22—​X T attracted attention from international

18 Reemtsma et  al., ‘Renal Heterotransplantation in Man’, 60 Annals of Surgery (1964) 384; Starzl et  al., ‘Renal Heterotransplantation from Baboon-​ to-​ Man:  Experience with 6 Cases’, 2 Transplantation (1964) 752. See also:  D. K.  C. Cooper and R. P. Lanza, Xeno:  The Promise of Transplanting Animal Organs into Humans (2000); S. McLean and L. Williamson, Xenotransplantation: Law and Ethics (2005); S. Fovargue, Xenotransplantation and Risk. Regulating a Developing Technology (2012). 19 Bailey et  al., ‘Baboon-​to-​Human Cardiac XT in a Neonate’, 254 Journal of the American Medical Association (1985) 3321. 20 Hahn et  al., ‘AIDS as a Zoonosis:  Scientific and Public Health Implications’, 287 Science (2000) 607. 21  In 1967, William H. Stewart, at the time US Surgeon General, famously suggested that it was ‘time to close the book on infectious diseases’ and ‘declare the war against pestilence won’; see Spellberg and Taylor-​Blake, ‘On the Exoneration of Dr William H. Stewart: Debunking an Urban Legend’, 2 Infectious Diseases of Poverty (2013) 3. 22  Patience, Takeuchi, and Weiss, ‘Infection of Human Cells by an Endogenous Retrovirus of Pigs’, 3 Nature Medicine (1997) 282.

 17

Mariachiara Tallacchini

17

organizations.23 In 1998, a call for a moratorium by some leading XT scientists in the United States fractured the scientific community between supporters and critics,24 thus making regulation an essential step for further developments. Leaving aside its technical feasibility and efficacy, among the normative issues that XT raises, such as debates over the use of animals and the ethical acceptability of informed consent, safety was and remains the major concern.25 The possibility that an infection transmitted from an animal source to a human recipient and to the public at large could cause a novel and potentially untreatable pandemic represented an unprecedented normative challenge in implementing a new technology. Because of its potential risks, XT broke the rules of individual informed consent by introducing an anomaly into it. Individual consent to xenotransplant was widely felt to be inadequate in managing the risks to which healthcare personnel, close contacts, and the general public would be exposed. On the one hand, a lack of adequate information made informed consent contradictory; on the other hand, threats of novel infectious agents (i.e. xenogeneic infections) called for the harmonization of individual and collective rights, thus challenging the post-​ Second World War individually-​oriented paradigm for medical ethics. At the beginning of the 21st century, as conditions for the delicate passage from preclinical to clinical experimentation seemed near, the US government, rapidly followed by other countries, started framing dedicated policies and regulations to normalize and legitimize XT, namely to make it socially acceptable, primarily by mitigating the potential risks of infections while protecting involved subjects.26 Different legal approaches have combined science and norms to create a credible, legitimate environment to experiment with governance of emerging and controversial biomedical technologies. The factual and normative elements of the resulting regulatory regimes not only reveal their interdependency and mutually influential character, but also their connection to broader conceptions of sovereignty and legitimate government. In each set of co-​produced facts-​and-​norms particular schemes of cognitive and social orders are designed, new roles and identities for citizens are established, and new social relationships are created. As has been shown in the history of biotechnology, different regulatory regimes represent contextualized forms of public reason(s), where visions of scientific knowledge, societal and institutional relationships, as well as economic and political needs merge in specific ways.27

23 WHO, Xenotransplantation:  Guidance on Infectious Disease Prevention and Management (1998); Organisation for Economic and Co-​operation and Development (OECD), Xenotransplanta tion: International Policy Issues (1999). 24 Bach et al., ‘Uncertainty in XT: Individual Benefit versus Collective Risk’, 4 Nature Medicine (1998) 141; Bach and Fineberg, ‘Call for Moratorium on Xenotransplants’, 391 Nature (1998) 326. 25  Nuffield Council on Bioethics, Animal-​to-​Human Transplants: The Ethics of Xenotransplantation (1996). 26  Tallacchini, ‘Risks and Rights in Xenotransplantation’, in S. Jasanoff (ed.), Reframing Rights. Bioconstitutionalism in the Genetic Age (2011) 170. 27  S. Jasanoff, Designs on Nature: Science and Democracy in Europe and the United States (2005).

18

18

Medical Technologies and EU Law

Following publication of draft guidelines in 1996 for public comment,28 the US Public Health Services (PHS) in 2001 released the first regulation of risks related to XT to support and back up US technoscientific developments.29 The guideline adopted a contractual and liberal vision of the potential risks involved in XT, based on the normative assumption that the most likely potential form of infectious disease to be taken into account in framing regulation would be a sexually transmissible pathogen such as HIV, an infection which is easily controllable through patients’ responsible behaviour. The credibility of this assumption was clearly crucial to the regulatory model, as an airborne infectious disease would not have been compatible with a regime of freely endorsed individual responsibility. As a response and on the contrary, between 2001 and 2004 Canada30 and Australia31 interpreted the public health challenges posed by XT as serious enough to involve their societies at the constitutional level and to require the population’s involvement in a decision. To that end, both governments launched extended forms of public consultation (through post, the web, and town meetings), thereby introducing a new domain of scientific citizenship (the citizen as lay scientist). Later, in the mid-​2000s, a similar participatory model was endorsed by New Zealand, where the Maori population was consulted about XT as their different cultural values mattered in technoscientific innovation.32 The results of these participatory exercises were disparate. After Canadians asked the government not to proceed with XT, an expert Working Group was set up to further analyse the situation. Although a moratorium was never adopted, no protocols for clinical trials have ever been proposed in Canada.33 Currently, only

28  DHHS (Department of Health and Human Services), Draft Public Health Service Guidelines for Xenotransplantation, 61 Federal Register (1996), at 49919. 29 PHS, Guideline on Infectious Disease Issues in Xenotransplantation (2001), available at http://​ www.fda.gov/​biologicsbloodvaccines/​g uidancecomplianceregulatoryinformation/​g uidances/​xenotransplantation/​ucm074727.htm (last visited 20 September 2016). 30 CPHA (Canadian Public Health Association), Animal-​to-​Human Transplantation:  Should Canada Proceed? A Public Consultation on Xenotransplantation (2001), available at http://​w ww.cpha. ca/​uploads/​progs/​_ ​/​xeno/​execsum_​e.pdf (last visited 20 September 2016). 31  NHMRC (National Health and Medical Research Council), Xenotransplantation Working Party, Animal-​to-​Human Transplantation Research: How Should Australia Proceed? Response to the 2002 Public Consultation on Draft Guidelines and Discussion Paper on XT (2003), available at http://​ www.nhmrc.gov.au/​_​fi les_​n hmrc/​fi le/​health_​ethics/​human/​issues/​a nimal_​human_​t ransplantation_​how_​aust_​proceed_​e55.pdf (last visited 20 September 2016). 32 NHC (National Health Committee), National Health Committee’s Advice on Living Cell Technologies Application for Xenotransplantation Clinical Trials in New Zealand (2008), available at http://​nhc.health.govt.nz/​system/​fi les/​documents/​publications/​nhc-​living-​cell-​technologies-​report-​ oct082.pdf (last visited 20 September 2016); Toi te Taiao, The Bioethics Council, The Cultural, Ethical and Spiritual Aspects of Animal-​to-​Human Transplantation. A Report on Xenotransplantation by Toi te Taiao: The Bioethics Council (2005), available at http://​bprlib.kr/​_ ​attech/​uploadFiles/​patent/​h6.pdf (last visited 20 September 2016). 33  In 2002 the Public Advisory Committee (PAC), a forum providing advice from the consumer/​ public perspective, was established to supply Canada with ‘new “risk communication products” ’. In 2005 a new committee was formed, the Committee for Biologics, Radiopharmaceuticals and Genetic Therapies, which deals with cells and tissues, including xenografts (living cells, tissues, and organs from animal sources), see http://​w ww.hc-​sc.gc.ca/​d hp-​mps/​brgtherap/​index-​eng.php (last visited 20 September 2016).

 19

Mariachiara Tallacchini

19

human cell-​based therapies are explicitly regulated in Canada, and xenogeneic products do not seem to be on the policy agenda. Australia agreed to follow its citizens’ overwhelming concerns about XT and, in 2004, adopted a five-​year moratorium. At the end of 2009, however, the Australian government expressed a favourable inclination towards proceeding with xeno-​cell therapies, looking at the EU framework as a source of inspiration.34 Finally, in New Zealand—​where the consultation only addressed the Maori population, and only focused on the acceptability of a single clinical trial proposed by Living Cells Technology (LCT, a biotech company)—​the results were quite favourable towards XT. Eventually, and despite a long international controversy, the experimentation took place in 2009.35 The regulatory choices made by the United States, Canada, Australia, and New Zealand can be interpreted in the light of the science policy models described in the previous section. The US approach reflected a science-​based model, where the separation between science and policy-​making is deliberately constructed to avoid the complexities of the actual entanglements of facts and values. Canada and Australia’s concerns for both safety and democracy developed in the direction of an experimental form of democracy as expressed in the extended-​ participatory model. Finally, the New Zealand case was an expression of how participatory procedures have become instrumental practices involving democratic participation, rather than ways to mobilize societal debate around ambiguous forms of innovation. At the international level the World Health Organization (WHO) has since the late 1990s expressed concerns about XT. In the last decade, with the severe acute respiratory syndrome (SARS) episode in 2003, bird flu threats,36 and the risks of ‘xeno-​tourism’ (patients travelling to countries where transplants can be easily performed without controls), the WHO has taken some steps in the field. Indeed, while a small number of legal systems have directly addressed XT and established some safety rules, several countries around the world have no regulations in place, and unauthorized experimentation has been extensively performed.37

34 NHMRC, Communiqué from the NHMRC’s 154th Session (2004), available at http://​w ww. nhmrc.gov.au/​media/​releases/​2004/​communique-​nhmrcs-​154th-​session-​perth (last visited 20 September 2016); NHMRC, Xenotransplantation. A Review of the Parameters, Risks and Benefits, Discussion Paper (2009), available at http://​w ww.nhmrc.gov.au/​_​fi les_​nhmrc/​fi le/​about/​committees/​expert/​g trap/​nhmrc_ ​xeno_​discussion_​paper_​website.pdf (last visited 20 September 2016). Manifesting confidence in the recent scientific developments in the field of xeno-​cells, and providing evidence that ‘risks, if appropriately regulated, are minimal and acceptable’, the NHMRC expressed confidence in global regulatory developments—​notably the WHO and the guidelines developed by the EMA. 35  See Living Cells Technology Announcement, First Patient In Living Cell Technologies’ New Zealand DIABECELL® Trial Drops Insulin Dose Without Ill Effects, available at http://​w ww.asx.com. au/​a sxpdf/​20120926/​pdf/​428z0ty9pjdq55.pdf (last visited 20 September 2016). 36 Jones et al., ‘Global Trends in Emerging Infectious Diseases’, 451 Nature (2008) 990. 37 See the joint International Xenotransplantation Association (IXA), WHO, and Hôpitaux Universitaires de Genève (HUG) website at http://​w ww.humanxenotransplant.org (last visited 20 September 2016).

20

20

Medical Technologies and EU Law

In November 2008, the WHO explicitly endorsed democratic governance of emerging technology in its Changsha Communiqué.38 This followed the first ‘Global Consultation on Regulatory Requirements for Xenotransplantation Clinical Trials’ held in China, where controversial xeno-​trials are likely to have taken place. After declaring that effective regulation by individual governments is an essential condition to legitimately proceed with XT, the WHO added that ‘the regulatory system should be transparent, must include scientific and ethical assessment and should involve the public’ (Point 4).

4.  Harmonizing Contradictions: The European Regulatory Framework for Animal Cells, Tissues, and Organs In the previous sections it has been shown how regulatory models on XT reflect peculiar visions of the relationship between science, law, and the processes to legitimize innovation. In the case of Europe, the approaches to regulation have depended on the specific institutions involved and, to a greater extent, on their historical phases and transitions. Whilst the countries which established a normative framework for XT generally adopted a single policy model, the European regulatory approach to XT was the result of the intertwined actions of the (then) EC institutions and the CoE, which led to the adoption of all available science policy models, both combining them and shifting from one to another. The ‘harmonized contradictions’ of the European regulatory framework for XT reflect the passage from the economic to the political treaties, the challenges and opportunities offered by biotechnology in Europe, the construction of a European vision of policy-​related science to symbolically evoke the specific European identity, the tensions between European institutions and the Member States as to the risks of the development of emerging technologies, and, in the late 2000s, the expansion of the EU’s jurisdiction on fundamental rights. Within this landscape, some external relationships have also played a role, especially in the case of the United States. Europe’s attitude towards US science and regulation has continually oscillated throughout the history of biotechnology. Whilst Europe was trying internationally to enforce the precautionary principle (eventually being defeated in the GMO trial before the WTO),39 it remained deferential towards the prominent US science in the field of risk related to XT. In relation to Canada and Australia, due to their willingness to emphasize their distance and difference from the US science policy, they both explicitly made 38 First WHO Global Consultation on Regulatory Requirements for Xenotransplantation Clinical Trials, Changsha, China, 19–​21 November 2008. The Changsha Communiqué is available at http://​w ww.who.int/​transplantation/​xeno/​ChangshaCommunique.pdf (last visited 20 September 2016). 39 Winickoff et  al., ‘Adjudicating the GM Food Wars:  Science, Risk, and Democracy in the World Trade Law’, 30 Yale Journal of International Law (2005) 81.

 21

Mariachiara Tallacchini

21

reference to Europe in designing their own normative framework,40 in a rather idealized way. As a matter of fact, European institutions, notwithstanding their self-​professed commitment to governance, only introduced public consultations during the debate on advanced cell therapies (ATMPs). Furthermore, on this point, the EU’s late adoption of participatory procedures has been more a strategy to mitigate citizens’ unease with science embedded in some European policies—​ as was openly admitted in the 2001 Action Plan for Science and Society following several crises in Europe (especially in the food and health sectors)41—​rather than a serious attempt to overcome the democratic deficit.

A.  Th  e Council of Europe: Mediating Between Emerging Medical Technologies and Public Health by Precautionary Waiving of Rights A strong link connects the precautionary principle (PP) and XT. The history of the PP in the field of XT is not only part of the history of the precautionary principle itself but also allows us to understand the shift from the ‘public health approach’ and the ‘public involvement approach’ to health protection. In 1996, during the debate following the publication of the US draft guidelines on the safety aspects of XT, the Nuffield Council on Bioethics was the first to extend the PP from environmental issues (where it was initially framed) to (environmentally-​related) health matters. The PP was described by the Nuffield Council as an ‘alternative method of risk analysis’ that implies either that ‘the burden of proof should lie with those developing the technology’ or that ‘the development of some technologies simply should not be pursued’.42 The Nuffield Council’s voice remained initially isolated, however. Following publication of the 1996 draft guidelines, the European institutions became actively involved in discussing the risks and the feasibility of XT. In 1997, the Committee of Ministers of the CoE adopted Recommendation No. R (97) 15 on XT,43 asking Member States to establish mechanisms for the registration and regulation of certain aspects of XT. Moreover, in 1999 the Parliamentary Assembly of the CoE unanimously adopted, in the name of the precautionary principle, Recommendation 1399(1999) on XT44 calling for a legally binding moratorium on all clinical trials. In response, while some European countries adhered to the moratorium, the Committee of Ministers of the CoE set up, under the joint responsibility of the Steering Committee on Bioethics (CDBI) and the

40  The Canadian and CoE reports on XT repeatedly cross-​referenced each other (see CPHA, supra note 30); and the Australian 2009 revision of its XT policy refers to the European regulatory framework on ATMP as a model to imitate (see NHMRC (2009), supra note 34). 41  Science and Society Action Plan, supra note 15. 42  Nuffield Council on Bioethics, supra note 25, at 74–​75. 43  CoE, Recommendation 15/​1997 of the Committee of Ministers on Xenotransplantation. 44  CoE, Recommendation 1399/​1999 of the Committee of Ministers Pleading for a Moratorium on All Clinical Xenotransplantation.

2

22

Medical Technologies and EU Law

European Health Committee (CDSP), a multidisciplinary Working Party on XT (WPx) composed of specialists in ethics, law, medical research, clinical practice, epidemiology, immunology, and animal protection. The WPx was established to prepare a report on the state of the art in the field of XT, taking into account the CoE Convention on Human Rights and Biomedicine.45 In 2000 a first report was published, with a view to the preparation of a new recommendation.46 A willingness to maintain the connections between the technical and the normative aspects of XT characterized this early European approach to XT as a prominent feature of science policy in Europe. Solidarity was presented as a distinctive element of the European vision of bioethics that was capable, unlike the individualistic US approach, of more organically connecting individuals and the society more generally. While the explicitly ethical language in matters of science would have sounded improper from the perspective of a US agency, the European WPx was at ease in mixing descriptive and normative terminology, raising ethical questions, for instance about the persistence in transplant patients of microchimerism, the coexistence of human and porcine stem cells.47 This holistic approach was clearly established in connecting individual consent, family consent, and societal acceptance. Each step was perceived as problematic due to restrictions on individual freedom, the risks for health workers and family members, and the creation of new hazards for society. Only the network of safeguards and social cohesion resulting from the participation of all parties involved would make clinical experimentation acceptable. Informed consent from relatives was not discussed as a challenge or potential ‘veto’ on patient consent. Instead, it was considered an element of a broad negotiation of the acceptance of a high-​risk procedure. Inspiring the entire European document was the conviction that high-​impact technologies such as XT need the approval of society. For a new biotechnology to be legitimate, citizens have to show that they are ready to accept certain risks while institutions actively contribute to creating and safeguarding initiatives of public importance. However, when the final report was completed in 2003,48 and Recommendation 10(2003)49 on XT was approved, wide-​ranging changes had been introduced. The 2003 WPx report gave greater attention to public health than the initial 2000

45  CoE, Convention for the Protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine (‘Convention on Human Rights and Biomedicine’) (1997). 46  CoE, Working Party on Xenotransplantation, State-​of-​t he-​A rt Report on Xenotransplantation, 7 July 2000. 47  CoE, Working Party on Xenotransplantation, Interim Report on the State of the Art in the Field of XT, 25 October 2000, at 4.3.5. 48  CoE, Working Party on Xenotransplantation, Report on the State of the Art in the Field of Xenotransplantation, 21 February 2003. 49  CoE, Recommendation Rec(2003)10 of the Committee of Ministers to Member States on Xenotransplantation (2003).

 23

Mariachiara Tallacchini

23

report. According to the 2003 final report, several national and international surveys had shown that XT posed more problems than expected. Furthermore, such surveys recalled how several health emergencies in Europe (namely bovine spongiform encephalopathy (BSE), Creutzfeldt-​Jakob disease, and anxiety over genetically modified (GM) food) had created ‘an atmosphere of distrust of science and scientists in the public mind’, so that ‘no one is really “in control” or “knows what will happen” ’.50 Neither the interim nor the final report directly supported the precautionary principle as it would have required that ‘all those involved in deciding about XT must be satisfied that the risk to the individual recipient, their families, the medical and nursing teams, and the general public are minimal and controllable’.51 Despite the increased awareness of the potential risks involved in XT and of the public resistance to several aspects of biotechnology, the WPx suggested proceeding and applying more restrictive precautionary rules to patients and their relatives. The PP reappeared to be interpreted as cautious risk management. Originally conceived as a principle concerning the unknown effects of new technologies, the PP was redirected towards the patient as the most effectively controllable source of risk. Precaution in relation to XT became precaution in relation to xenotransplanted patients. The CoE regarded the risks associated with XT as so unpredictable as to require that some fundamental rights be waived.52 For its part, the European Commission Scientific Committee on Medical Products and Medical Devices had already endorsed a similar position, suggesting that in order to proceed with xenotransplants some fundamental human rights (of the patient and ‘others’) might be ‘suspended’. The Committee stated: Some of the measures that may need to be taken in a surveillance system may have legal implications as they could be in violation of the Declaration of Helsinki and other guidelines for research on human subjects. In the recent EC directive for conduct of clinical trials, the right of a subject to withdraw from a clinical trial is explicitly stated (Directive 2001/​20/​EC), and this could be a problem for prolonged surveillance in xenotransplantation clinical trials. As XT has implications for public health, it may be that certain rights may have to be modified in such a way that surveillance can be continued. Patients (and others?) could therefore have to agree to waive some of their human rights.53 50 CoE, supra note 48, at 53. 51  Ibid., at 68. 52 CoE, Explanatory Memorandum to Recommendation Rec(2003)10 of the Committee of Ministers to Member States on Xenotransplantation (2003), at 69–​70: ‘It is hard to see how the normal pattern of a freedom to withdraw can be allowed in the case of XT… . The risks of XT are considered potentially so significant that informed consent should be obtained from relatives and family. It is hard to see how such people are able freely to give consent, but it is important that those in close personal relationships with the recipient are as fully informed and educated as possible’. 53  Commission of the European Communities, DG Health & Consumer Protection, Scientific Committee on Medicinal Products and Medical Devices, Opinion on the State of the Art Concerning Xenotransplantation, SANCO/​ SCMPMD/​ 2001/​ 0 002 Final (2001), at 11, available at http://​ ec.europa.eu/​health/​a rchive/​ph_​risk/​committees/​scmp/​documents/​out38_​en.pdf (last visited 15 January 2017).

24

24

Medical Technologies and EU Law

Although its stated goal was ‘to protect all persons involved in XT … as well as public health’ (Art. 1), Recommendation (2003)10 reversed the priority of individuals and their consent over the state in biomedical matters. From this perspective, patients do not choose but are chosen if they are reliable. As the Council stated, ‘those engaged in transplant work stress that the recipients will be well known and therefore it will be easy to assess how willing they will be to conform. Transplant patients are historically conformist’.54 Chapter IV of the Recommendation, entitled ‘Protection of patients and close personal contacts’, describes the available measures for non-​compliant patients: If, after the XT has been carried out, the recipient or his or her close personal contacts refuse to comply with the constraints associated with XT, public authorities should intervene and take appropriate measures, where public health protection so requires, in conformity with principles of necessity and proportionality. Depending on the circumstances and in accordance with the procedures provided for by national law, such measures might include registration, compulsory medical follow-​up and sampling. (Art. 21)

Having subordinated individuals to public welfare, the Recommendation replaces the concept of ‘patient’s individual rights’ with that of ‘patient protection’. Instead of being a subject of rights, the patient is reframed as an object of protection. In accordance with the principles stated in Article 28 of the Convention on Human Rights and Biomedicine, Article 30 suggests, ‘member states should take active steps to ensure that the fundamental questions raised by xenotransplantation are the subject of appropriate public discussion, particularly in light of relevant medical, psychological, cultural, ethical, legal, social and economic implications’. Although the European legal construction of XT apparently violated the European Convention on Human Rights, representatives from the European Court of Human Rights (ECtHR), when asked to give an opinion, reassured the CoE about the legitimacy of the constraints.55 In clarifying their interpretation they made it clear that the expression ‘compulsory constraints’—​or ‘interferences’—​referred to ‘detention’, but crucially that this was a ‘lawful’ detention: [T]he Convention in Article 5(1)(d) permitted the lawful detention of persons to limit the spreading of infectious diseases. With regard to Article 8 of the Convention, which guarantees respect for, inter alia, private and family life, it was explained that interferences could be justified, provided they were necessary in a democratic society. Moreover, in certain circumstances it might be assumed that an individual, by giving consent to a particular interference, had thereby already waived his or her rights.56

While acknowledging the novelty of legal issues raised by XT, the authoritative opinion failed to consider one essential aspect. XT was not an unpredictable ‘natural’ event potentially causing an epidemic, and therefore requiring public health restrictions, but a planned new technology to be implemented in society, with unforeseeable consequences.

54 CoE, supra note 46, at 6.5.2.    55 CoE, supra note 52, at 27.    56  Ibid., Appendix.

 25

Mariachiara Tallacchini

25

The ‘public dimension’ evoked in Recommendation 10(2003) does not refer to citizens but instead to public health. At the turn of the millennium, public health issues endangered the credibility of European science and policy. Although the precautionary principle later evolved towards more participatory interpretations, its application in the context of XT revealed a compulsory vision of innovation in the name of public health protection.57

B. EC/​EU: Promoting Innovation and Acknowledging Subsidiarity While Taming the Public In 1999, after the Parliamentary Assembly of the CoE asked Member States to consider a moratorium on all clinical trials with XT, some countries (including Denmark, the Netherlands, and Norway) agreed while others set up dedicated institutions (such as the United Kingdom Xenotransplantation Interim Regulatory Authority (UKXIRA)) or technology assessment procedures (for instance, Switzerland later passed a law on all transplants) to improve control or understanding of the implications of XT.58 Even after Recommendation 10 (2003), however, not all European countries engaged in preparing dedicated provisions or in setting up specific authorities for XT. By 2001, however, three European directives relevant to XT were already in place, making it possible for all Member States to have some direct provisions on XT. The broad framework provided by the European legislation encompassed Directive 2001/​18/​EC on the deliberate release of GMOs (replacing the former Directive 90/​220/​EEC), Directive 2001/​20/​EC on clinical trials (later repealed by Regulation EU 536/​2014), and Directive 2001/​83/​EC on medicinal products for human use.59

57  The compulsory vision of public health still pervades most regulations:  see Gainotti et  al., ‘Ethical Models Underpinning Responses to Threats to Public Health: A Comparison of Approaches to Communicable Disease Control in Europe’, 22 Bioethics (2008) 466. 58  See Cozzi et  al., ‘The International Xenotransplantation Association Consensus Statement on Conditions for Undertaking Clinical Trials of Porcine Islet Products in Type 1 Diabetes’, 16 Xenotransplantation (2009) 203. In 1997 the UK government set up the UKXIRA, a national body to govern XT, which was discontinued in December 2006 due to the lack of applications for clinical trials in XT in the UK. See http://​webarchive.nationalarchives.gov.uk/​+/​w ww.dh.gov.uk/​ab/​ Archive/​U KXIRA/​index.htm (last visited 20 September 2016). 59  Directive 2001/​18/​EC of the European Parliament and of the Council of 12 March 2001 on the Deliberate Release into the Environment of Genetically Modified Organisms and Repealing Council Directive 90/​ 220/​ EEC, OJ 2001 L 106/​ 1; Directive 2001/​ 20/​ EC of the European Parliament and of the Council of 4 April 2001 on the Approximation of the Laws, Regulations and Administrative Provisions of the Member States Relating to the Implementation of Good Clinical Practice in the Conduct of Clinical Trials on Medicinal Products for Human Use, OJ 2001 L 121/​34 (now replaced by Regulation (EU) 536/​2014 of the European Parliament and of the Council of 16 April 2014 on Clinical Trials on Medicinal Products for Human Use, and Repealing Directive 2001/​20/​EC); and Directive 2001/​83/​EC of the European Parliament and of the Council of 6 November 2001 on the Community Code Relating to Medicinal Products for Human Use (Consolidated version: 16 November 2012), OJ 2001 L 311/​67.

26

26

Medical Technologies and EU Law

Directive 2001/​18/​EC introduced common procedures and safety requirements for the approval of GMOs—​such as engineered pigs for XT—​and involved the public in a variety of ways (as a recipient of information, as a subject to be consulted, and as a source of comments). Directive 2001/​20/​EC on clinical trials directly established some restrictive provisions on xeno-​cell therapies and GMOs. Finally, Directive 2001/​83/​EC included rules about the approval of trials involving animal cells and tissues. The GMOs Directive has been generally considered the most relevant normative context for XT. However, its primary effect concerned the new procedures of public consultations about genetically engineered organisms that some countries launched at the national level.60 The other two directives have been more powerful in establishing common provisions in relation to XT, as most cell therapies are based on non-​engineered animal materials. Moreover, at the time the European Communities could only have an ‘indirect approach’ to XT, namely related to safety aspects for products to be placed in the market. As early as 1998, the European Commission Communication (98/​C 229/​3) defined a xenogeneic cell therapy as a medical product.61 Directive 2001/​ 20/​EC addressed xeno-​cells in the context of clinical trials as a special issue to be addressed by ethics committees in delivering their opinions about a proposed experimentation. According to the Directive, ‘[i]‌n the case of xenogenic cell therapy, there shall be no time limit to the authorisation period’ (Art. 6 and Art. 9). Almost all national implementing measures followed this provision, stating that whenever a trial involved the use of xeno-​cells the ethics committee authorization would have no time limits, meaning that the authorization would not have to be delivered within a determined period of time. Relatively few legal systems (such as Hungary and France) have departed from this rule, requiring the authority or the committee to deliver their opinion within an established period, while the Austrian regulation has empowered the competent national agency to overrule the negative decision of the ethics committee. Some legislation has received the European Directive without mentioning xenogeneic materials, only referring to gene therapy and genetically modified materials (such as Estonia and Lithuania). The Netherlands, where XT was banned in 2002, referred to xeno-​cell therapy in its updated implementing measure of the EU Directive on clinical trials, in 2006, also establishing the rule of no time limitation for the agency or committee’s opinion to be delivered.62 This provision, allowing Member States to make their own decisions about the acceptability of XT, legitimized potential tacit moratoriums, not only as part of

60 E. Griessler et  al. (eds), The Challenge of Public Participation in a Multilevel System:  EU Xenotransplantation Policies (2012), available at http://​w ww.ihs.ac.at/​publications/​soc/​rs101.pdf (last visited 20 September 2016). 61  Commission Communication on the Community Marketing Authorisation Procedures for Medicinal Products, OJ 1998 C 229/​4. 62  See Cozzi et al., supra note 58, illustrating the different Member State legislations.

 27

Mariachiara Tallacchini

27

the discretionary power in implementing a directive but also in relation to the principle of subsidiarity in ethically sensitive matters. Currently, while the transition from Directive 20/​2001/​EC to Regulation 536/​ 2014 on clinical trials is taking place the new rules about advanced therapies, including xenogeneic cells, are still surrounded by uncertainty.63

C. Normalizing Risks and Resurrecting Rights in Europe: The New Ontologies of ATMPs Cell-​based therapies and tissue-​engineering products have been developed separately from xenotransplants both from the scientific and regulatory points of view,64 even though animal cells have been widely used as feeder-​layers in growing human cell lines for a long time. However, as several cell therapies and tissue-​engineered products make use of both human and animal biological materials, the regulatory issues in the two fields have necessarily overlapped and become intertwined. The opportunity to reframe and normalize XT was certainly offered by the main scientific research shift from organs to animal cells and tissues as more promising and feasible therapies, widely applicable to diseases involving large populations (such as diabetes and Parkinson’s disease). Xenobiotic materials for cell therapies may become widely applied for chronic diseases, such as the implant of swine pancreatic islets to treat diabetes, for instance.65 However, economic and political factors have also played a relevant role within the scientific community, industry and institutions, and society at large. The reshaping of XT as a pharmaceutical product creates an attractive market for it,66 has made its public image more acceptable (for instance with regard to animal ethics), and has resized and reduced the impact of potential risks. The reframing of a delicate and controversial technology such as XT from organs to cells has been the catalyst for a rethinking of the scientific policy models previously applied, generating a completely different scenario. Not only are cells considered much less dangerous than organs in transmitting potential infections, but the potential benefits derived from the new treatments, including an improvement in the lives of millions of patients at lower costs, appear to significantly outweigh the risks.

63  As shown by the results of the European Commission, DG Health and Consumers, Regulation (EC) 1394/​2007 on Advanced Therapy Medicinal Products. Summary of the Responses to the Public Consultation, SANCO/​D5/​R SR/​iv(2013)ddg1.d5 (2013). 64  A document dealing with ‘Points to Consider (PTC) in Human Somatic Cell Therapy and Gene Therapy’ was released by the US Food and Drug Administration (FDA) in 1991, followed in 1998 by the first FDA Guidance for Human Somatic Cell Therapy and Gene Therapy, available at http://​w ww.fda.gov/​BiologicsBloodVaccines/​GuidanceComplianceRegulatoryInformation/​ Guidances/​C ellularandGeneTherapy/​ucm072987.htm#over (last visited 20 September 2016). 65  Groth and Korsgren, ‘Proceedings of “Pig-​to-​Man Islet Transplant Summit” held at the Nobel Forum, Stockholm, June 4–​5, 2007’, 15 Xenotransplantation (2008) 77; Cozzi et al., supra note 58. 66 Beckwith et  al., ‘A Health-​Economic Analysis of Porcine Islet Xenotransplantation’, 17 Xenotransplantation (2010) 233.

28

28

Medical Technologies and EU Law

While xeno-​organs remained scientifically and ethically problematic, cells (and tissues) appear to be a more easily standardized, less invasive, and less ethically troubling technology. In this process of regulatory normalization, XT has come to resemble ordinary forms of risk, associated with well-​k nown and well-​characterized hazards, and is no longer perceived as an unknown. As a consequence, the precautionary principle has almost disappeared from policy agendas as the main legitimizing discourse on safety, replaced with other more defined and operationalized concepts such as traceability—​keeping track of all elements involved, from subjects to processes to products—​and responsible innovation. As individual risks are thought to have been reduced and dispersed, individual rights have regained momentum, accompanied by detailed lists of safe behaviours to protect the collectivity from the potential spread of epidemics. Moreover, EU competencies in the field of marketable products and their harmonization, and the direct role of the Charter of Fundamental Rights after 2009, have also created a different regulatory environment. Since the late 1990s, the EU institutions have provided normative grounds for a controlled and harmonized use of cell and tissue-​based therapies, whereas a variety of different regulatory approaches existed in European countries.67 The normative ontologies of Member States ranged from biological product (such as in France) to medical device (such as in Germany), thus generating uncertainty both for safety and the market. In the context of the creation of a general regulatory framework for cells and tissues, two main documents have been enacted by the Parliament and the Council. Directive 2004/​23/​EC set standards of quality and safety for the donation, procurement, testing, processing, preservation, storage, and distribution of human tissues and cells,68 and Regulation (EC) 1394/​2007 standardized the approval for the production and placing on the market of gene therapy, somatic cells therapy, and tissue-​engineered products, legally unified and qualified as ATMPs.69 The main rationale of the Regulation (in force since the end of 2008) was the establishment of a centralized authorization procedure for all ATMPs, with the appointment within the European Medicines Agency (EMA) of the Committee for Advanced Therapies (CAT) as the main responsible body for the approval 67  In 1998 the European Group on Ethics in Science and New Technologies (EGE) referred to the issue of cell and tissue-​based therapies as a ‘moral imperative’ (EGE, Ethical Aspects of Human Tissue Banking. Opinion of the European Group on Ethics in Science and New Technologies to the European Commission, 21 July 1998). 68  Directive 2004/​23/​EC of the European Parliament and of the Council of 31 March 2004 on Setting Standards of Quality and Safety for the Donation, Procurement, Testing, Processing, Preservation, Storage and Distribution of Human Tissues and Cells, OJ 2004 L 102/​48. 69  Regulation (EC) 1394/​2007 of the European Parliament and of the Council of 13 November 2007 on Advanced Therapy Medicinal Products and Amending Directive 2001/​ 83/​ EC and Regulation (EC) 726/​2004, OJ 2007 L 324/​121. The Regulation has been complemented by Directive 2009/​120/​EC of 14 September 2009 amending Directive 2001/​83/​EC of the European Parliament and of the Council on the Community Code Relating to Medicinal Products for Human Use as Regards Advanced Therapy Medicinal Products, OJ 2009 L 242/​3.

 29

Mariachiara Tallacchini

29

of all products. The CAT has been given jurisdiction in defining all ATMPs, while providing advice ‘on whether a product falls within the definition of an advanced therapy medicinal product’ (Art. 23b). The innovative character of the Committee lies in its interdisciplinary nature, as its competencies include gene therapy, cell therapy, tissue engineering, medical devices, pharmacovigilance, risk management, and ethics. Moreover, some of its members—​partially designated within the EMA, partially nominated by Member States—​a lso embody and represent other forms of expertise, being chosen amongst clinicians and patients’ associations.70 When the European Commission Directorate General (DG) for Enterprise and Industry first launched, in 1998, its Proposal for a harmonized regulatory framework in human tissue-​engineered products, it was not intended that xenogeneic products would be included in the Regulation.71 However, they were eventually, and controversially, added to Regulation 1394/​2007, as were human embryos. The EU made a peculiar choice in deciding to keep both human and non-​ human cells and tissues within a single regulatory framework. Somatic cell therapy and tissue-​engineered products may contain cells of human and/​or animal origin; and in tissue-​engineered products, allogeneic and xenogeneic cells can be associated with medical devices ex vivo or in vivo (such as microcapsules, intrinsic matrix scaffolds, biodegradable or not).72 This is an important difference when compared to the US approach, where allogeneic and xenogeneic cells are regulated by separate provisions (and bodies), even when animal cells are used in the product only as feeders (such as growth factors, for instance).73 It also represents a demanding choice as risks of infection 70  CAT and CAT Scientific Secretariat, ‘Challenges with Advanced Therapy Medicinal Products and How to Meet Them’, 9 Nature Reviews (2010) 195. 71  European Commission, Proposal for a Harmonized Regulatory Framework in Human Tissue Engineered Products, DG Enterprise Consultation Paper, 6 April 2004, at 6: Xenogeneic TEPs for human use may be developed in the future, meaning that there could be a need to regulate this more complex category of products. However, such products are still in their infant phase of development, so that they may be difficult to regulate at this early stage (notably due to the complex safety and ethical issues associated with them). It is therefore proposed that the future Regulation should not, for the time being, cover xenogeneic tissues intended for human use. This would not exclude the use of xenogeneic cells or tissues used for the production of human tissue engineered products, as long as these xenogeneic materials are not present in the final product. The use of such tissues and cells could be addressed in the framework of the risk management requirements. 72  EMA, Committee for Medicinal Products for Human Use (CHMP), Guideline on Xenogeneic Cell-​ based Medicinal Products, EMEA/​ CHMP/​ CPWP/​ 83508/​ 2009, 22 October 2009, available at http://​w ww.ema.europa.eu/​docs/​en_​GB/​document_​library/​Scientific_ ​g uideline/​2009/​12/​ WC500016936.pdf (last visited 20 September 2016): ‘Xenogeneic cell-​based medicinal products contain viable animal cells or tissues as the active substance. Xenogeneic materials might be sourced either from non-​transgenic or transgenic animals. The animal cells can also be genetically modified’. 73  US Department of Health and Human Services, FDA, and Center for Biologics Evaluation and Research, Guidance for FDA Reviewers and Sponsors Content and Review of Chemistry, Manufacturing, and Control (CMC) Information for Human Somatic Cell Therapy Investigational New Drug Applications (INDs), April 2008, available at http://​w ww.fda.gov/​BiologicsBloodVaccines/​ GuidanceComplianceRegulatoryInformation/​Guidances/​C ellularandGeneTherapy/​ucm072587.

30

30

Medical Technologies and EU Law

and potential epidemics have increasingly become a worldwide concern in recent years.74 The rationale for treating human and non-​human materials equally has been justified by European regulators due to the unique nature of each advanced therapy product and the connected risks. In a 2013 Guideline on the so-​called ‘risk-​based approach’ to ATMP, the CAT explained how the clinical use of these products ‘may be associated with specific risks to the patient and to third parties. These risks are determined by various risk factors, which are related to the quality, biological activity and application of the ATMP. Since ATMPs are very diverse in nature … a flexible approach to address and evaluate potential risks’ is needed.75 The actual normative framework for ATMP, therefore, consists of the standardized procedures established by Regulation 1394/​2007 and of the case-​by-​case tailored decisions adopted by the CAT. Due to the special safety requirements needed, the Regulation authorizes strict rules, encompassing the complete traceability of donors, recipients, tissues, and products in order to prevent potentially negative public health events. In fact, not only products but also clinical trials with all ATMP are regulated together. While waiting for the new directive on clinical trials to be finalized, the European Commission published guidelines in 2009 on good clinical practice specific to ATMPs, which set the standards for all clinical trials with allogeneic and xenogeneic cells.76 Here, a strong intention to unify the field is apparent. The

htm (last visited 20 September 2016): ‘[I]‌f a feeder cell line of animal origin is used to propagate human cells (i.e., human and non-​human animal cells are co-​cultivated), the final product falls within the definition of a xenotransplantation product’. 74  According to the US NRC, Sustaining Global Surveillance and Response to Emerging Zoonotic Diseases (2009), available at http://​w ww.nap.edu/​catalog.php?record_​id=12625 (last visited 20 September 2016), zoonoses pose so many threats—​t hey are mostly novel diseases; they are unpredictable and increasing in number; because of increasing international exchanges, they can emerge anywhere and spread rapidly around the globe; they can have a major economic impact—​that ‘a global zoonotic disease surveillance system’ should be conceived of as ‘a global public good’ (at 4). See also Fishman, Scobie, and Takeuchi, ‘Xenotransplantation-​A ssociated Infectious Risk: A WHO Consultation’, 19 Xenotransplantation (2012) 72; Noel, ‘Global Regulatory Requirements for Xenotransplantation Clinical Trials: Commentary’, 19 Xenotransplantation (2012) 71; WHO, International Health Regulations (2005) 3rd ed., Geneva 2016, available at http://​apps.who.int/​iris/​ bitstream/​10665/​246107/​1/​9789241580496-​eng.pdf?ua=1 (last visited 15 January 2017). 75  CAT-​EMA, Guideline on the Risk-​Based Approach According to Annex I, Part IV of Directive 2001/​83/​EC Applied to Advanced-​therapy Medicinal Products, EMA/​C AT/​CPWP/​686637/​2011, 11 February 2013, available at http://​w ww.ema.europa.eu/​docs/​en_​GB/​document_​library/​Scientific_​ guideline/​2013/​03/​WC500139748.pdf (last visited 20 September 2016), at 3:  ‘The concept of a “Risk-​based approach” has been introduced to the legislation with the revision of Annex 1, part IV of Directive 2001/​83/​EC as amended by Directive 2009/​120 EC… . The risk-​based approach is based on the identification of various risks associated with the clinical use of an ATMP and risk factors inherent to the ATMP with respect to quality, safety and efficacy. The risk factors associated with a specific risk (e.g. tumorigenicity, treatment failure) are likely to be product specific and multifactorial’. 76  European Commission, DG Enterprise and Industry, Detailed Guidelines on Good Clinical Practice Specific to Advanced Therapy Medicinal Products (2009), available at http://​ec.europa.eu/​ health/​fi les/​eudralex/​vol-​10/​2009_​11_​03_​g uideline.pdf (last visited 20 September 2016).

 31

Mariachiara Tallacchini

31

same principles and criteria for risk assessment apply to human and animal cells;77 and the same word ‘donor’ applies to both humans and non-​humans: ‘ “donor” shall mean any human or animal source, whether living or deceased, of cells or tissues; “donation” shall mean donating human or animal tissues or cells intended for human applications’ (at 2.4). The most innovative aspect of the guidelines concerns the patient’s informed consent. As all experimental products can be equally potentially dangerous, xenogeneic materials are no longer seen as a source of unique risks. This means that safety measures earlier confined to XT have now been extended to all clinical trials with ATMPs. In particular, the patient has to be informed of, and agree to, a wide range of issues. To name but a few, the patient must consent to: the arrangements for traceability, including provisions for subject data protection and confidentiality; the arrangements for follow-​up before and following the trial (including after subjects withdraw from the study); an alert card to be provided to the subject for use in the event of problems arising after the end of the trial; the inconveniences of long-​term follow-​up, where applicable; the irreversible nature of the ATMP, where applicable; guidance on how to communicate risks to close contacts and offspring where they could be at risk and information on any follow-​ up involving them (at 8.2). However, whilst XT safety measures have become, to some extent, the rule, the compulsory measures originally established by Recommendation 10(2003) have been rethought. Informed consent from the subject of the trial is now needed in order to legitimately perform the follow-​up: ‘Where a subject is withdrawn from a trial at their own request or based on a decision of the investigator’ the Guideline recites, ‘the follow up should be maintained, subject to the consent of the subject’ (emphasis added) (at 8.2.45). All actors involved in the trials—​sponsors, cell/​tissues establishments, or animal facilities, manufacturers, investigators, or institutions—​are given specific responsibilities (at 7.2). Similarly, patients involved in ATMP trials are more likely be considered as ‘expert patients’, a concept that stresses the importance of making patients who are affected by chronic conditions directly engaged, aware, and responsible in the management of their health (as most patients with chronic diseases are). The epistemological background of this major change can be envisaged in the increased awareness that emerging technologies require a safe, but ethically and socially acceptable, way to proceed. The EU decision to respect the normal conditions for informed consent—​and to adopt public consultations as ordinary procedures—​reflects this epistemological awareness. Even more significantly, these new trends regarding risks and emerging therapies reflect important changes within the EU. As stated earlier, the entry into

77  Although where tissues or cells are sourced from an animal origin ‘the processes related to donation are covered by the Annex 2 to the Good Manufacturing Practice (“GMP”) Guidelines and the guideline on xenogenic cell-​based medicinal products’ (ibid., at 3.9).

32

32

Medical Technologies and EU Law

force of the Charter of Fundamental Rights has triggered new dynamics, and a new direct role of the EU institutions in relation to citizens’ rights. Moreover, the new concept of responsible innovation has become pervasive in EU policies and is a pillar of Horizon 2020. This vision of Europe, building on and developing post-​Lisbon Treaty strategies for creating a European knowledge society—​rectius, the Innovation Union—​looks at research and innovation not as ‘ends in themselves but anchored in human rights and linked to public goods’.78 Therefore, the ideal of Responsible Research and Innovation (RRI), ‘a combination of the three themes of ethical acceptability, risk management, and human benefit’,79 ‘is a transparent, interactive process by which societal actors and innovators become mutually responsive to each other with a view to the (ethical) acceptability, sustainability and societal desirability of the innovation process and its marketable products’.80 Despite all these normative changes and the regulatory effort towards harmonization, animal cells and tissues, together with embryos, are still governed as sensitive ethical issues by the principle of subsidiarity. In fact, as stated in the ATMP Regulation, the provisions: should not interfere with decisions made by member states on whether to allow the use of any specific type of human cells, such as embryonic stem cells, or animal cells. This means that member states can prohibit or restrict the sale, supply or use of medicinal products containing, consisting of, or derived from these cells. (Whereas 7)81

The discussion about placing animal and embryonic cell-​based products in the market was at the centre of fierce debate during the parliamentary approval of Regulation 1394/​2007. The issue was dealt with in the European Parliament during the approval of the regulation on cells and tissues. Throughout the legislative process, the discussion concerning the boundaries between ethics, law, and the market made it clear that the Parliament had no power to express European citizens’ values. MEPs’ opinions, the majority argued, were ‘subjective’, i.e. they were

78 See http://​ec.europa.eu/​research/​innovation-​union/​index_​en.cfm (last visited 20 September 2016): ‘Innovation Union is the European Union strategy to create an innovation-​friendly environment that makes it easier for great ideas to be turned into products and services that will bring our economy growth and jobs’. 79  European Commission, ‘Ethical and Regulatory Challenges to Science and Research Policy at the Global Level’ (2012), at 4–​8. 80 Von Schomberg, ‘Prospects for Technology Assessment in a Framework of Responsible Research and Innovation’, in M. Dusseldorp and R. Beecroft (eds), Technikfolgen abschätzen lehren: Bildungspotenziale transdisziplinärer Methoden (2012) 39, at 51. See also Tallacchini, ‘Between Uncertainty and Responsibility: Precaution and the Complex Journey toward Reflexive Innovation’, in E. Vos, M. van Asselt, and M. Everson (eds), Trade, Health and the Environment: The European Union Put to the Test (2014) 74. 81  Regulation (EU) 536/​2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/​20/​EC has not modified the subsidiarity related to animal cells: “This Regulation shall not affect the application of national law prohibiting or restricting the use of any specific type of human or animal cells or the sale, supply or use of medicinal products containing, consisting of or derived from those cells ” (Art. 90).

 3

Mariachiara Tallacchini

33

an expression of subjective personal views; and thus they could not ‘objectively’ represent ‘public morality’, which only Member States are entitled to embody. The ethical decisions concerning the inclusion or exclusion of xenobiotic materials, as well as embryos, within the Regulation only belonged to the Commission and Member States as a matter of subsidiarity.82 In the public controversies that have accompanied the development of biotechnology in Europe, since 1991 (when the Group of advisers to the European Commission on the ethical implications of biotechnology (GAEIB) was first appointed)83 efforts have consistently been made to replace democratic discussion with the opinions of ethics committees.84 Through the White Paper on European Governance and the Action Plan for Science and Society the Commission began to actively search for public consensus on science and technology in order to overcome the ‘unease’ of some Europeans with science and to improve trust towards EU institutions.85 However, the actual meaning of these exercises remains unclear. Before implementing Regulation 1394/​ 2007 the European Commission addressed European citizens. Between 2007 and 2009, the European Commission launched several short-​term and narrowly advertised public consultations on the internet asking for public comments on very technical aspects of guidelines in relation to, for instance, risk management and good clinical practices in relation to advanced therapies.86 These pre-​implementation forms of public involvement certainly represented an important change in the EU science policy model, increasingly oriented towards extended participation. Public involvement in science-​based policy decisions has become an institutional commitment in Europe not only in order to avoid negative attitudes amongst European citizens, but also to maximize the relevant knowledge that can be acquired in relation to the decision-​making process. The model of dialogue between experts and the public has become the dominant paradigm in European institutional discourses, which has recently evolved towards the development of different forms of public engagement. However, these exercises have been mostly framed through highly specialized languages, with no concern for ordinary citizens and accessibility of the contents of the consultation. Their primary goal has consisted of acquiring relevant knowledge from specialized stakeholders—​industry, researchers, some patients’ organizations—​in an emerging field with scarce expertise. As Funtowicz and Liberatore have argued, the institutional openness towards collecting all relevant 82  Tallacchini, ‘Governing by Values, EU Ethics: Soft Tool, Hard Effects’, 47 Minerva (2009) 281. See also http://​w ww.europarl.europa.eu/​oeil/​popups/​ficheprocedure.do?lang=en&reference=2005/​ 0227 (COD) (last visited 20 September 2016). 83 See the mandate at http://​ec.europa.eu/​bepa/​european-​group-​ethics/​a rchive-​mandates/​ mandate-​1991-​1997/​index_​en.htm (last visited 20 September 2016). In 1997, the EGE was appointed and has been dealing with ethics at the EU level since. 84 Tallacchini, supra note 82. 85  Science and Society Action Plan, supra note 15. 86 See http://​ec.europa.eu/​health/​human-​use/​advanced-​t herapies/​developments/​index_​en.htm (last visited 20 September 2016).

34

34

Medical Technologies and EU Law

information from all interested citizens is a way to democratize technoscience and increase expertise with regard to democratic policy-​making.87 However, the case for ATMPs looks more like an extended form of technocratic lobbying:  public consultations failed to reach all relevant parties, lasted only a few weeks, and received relatively few comments. The overall organization of these public exercises does not reflect either a serious commitment towards citizens or awareness about transparency and accountability when the relations between institutions and citizens are primarily digitally mediated.88 For all these reasons, there is very little scope for arguing that European citizens have been seriously involved in the debate surrounding ATMPs, especially as far as animal-​based products are concerned. With regard to XT, the resistance generated in Europe by biotechnology has left relevant traces (and traumas) within the EU regulatory context, as Directive 412/​2015/​EU on restrictions on GMOs continues to reveal.89 Throughout the whole legislative process, xeno-​products have had a somewhat low profile. The EMA published an initial document with the ‘points to consider for xenogeneic cell therapy medicinal products’ in 2003.90 After a short update prepared in 2007, the final Guideline on Xenogeneic Cell-​based Medicinal Products, establishing the main safe practices in using xeno-​cells, was approved in 2009, more than one year later than expected.91 The document was never posted on the Advanced Therapies website but immediately buried in a large pile of scientific guidelines.92 More importantly, none of the public consultations launched by the Commission touched on xenogeneic cells. Advanced therapies based on animal materials have been discussed largely behind closed doors, far from public accessibility (and with little contact with the XT scientific community).93 Despite this apparent attempt to minimize the relevance of the topic, the safety issues surrounding xenogeneic materials are still central to the development of 87  Liberatore and Funtowicz, supra note 16. 88  The numerous consultations launched received in general less than 20 comments, and in some cases only two:  see http://​ec.europa.eu/​health/​human-​use/​clinical-​trials/​developments/​index_​ en.htm (last visited 20 September 2016). 89  Directive (EU) 2015/​412 of the European Parliament and of the Council of 11 March 2015 amending Directive 2001/​18/​EC as Regards the Possibility for the Member States to Restrict or Prohibit the Cultivation of Genetically Modified Organisms (GMOs) in Their Territory, OJ 2015 L 68/​1. See Jaspers, supra note 6. 90 European Agency for the Evaluation of Medicinal Products (EMEA), Committee for Proprietary Medicinal Products (CPMP), Points to Consider on Xenogeneic Cell Therapy Medicinal Products (2003), available at http://​w ww.ema.europa.eu/​docs/​en_​GB/​document_​library/​Scientific_​ guideline/​2009/​09/​WC500003893.pdf (last visited 20 September 2016). 91 EMA, supra note 72. 92 See http://​w ww.ema.europa.eu/​ema/​index.jsp?curl=pages/​regulation/​general/​general_​c ontent_​0 00405.jsp&murl=menus/​regulations/​regulations.jsp&mid=WC0b01ac058002958a&jsenab led=true (last visited 20 September 2016). 93  See the comments from the FP6 XENOME project to the Public Consultation on the Revised Clinical Trial Application Form as Regards Advanced Therapy Investigational Medicinal Products, 22 October 2008, available at http://​ec.europa.eu/​health/​fi les/​clinicaltrials/​ct_​resp_​2008_​10/​xenome_​project.pdf, and of the IXA at http://​ec.europa.eu/​health/​fi les/​clinicaltrials/​ct_​resp_​2008_​ 10/​internat_ ​xenotransplantation_ ​a ssociation.pdf (last visited 20 September 2016).

 35

Mariachiara Tallacchini

35

ATMP. In fact, animal materials are not only involved in xenogeneic cell-​based products, they can be potentially used as raw materials, namely substances of biological origin used for manufacturing or extracting an active substance, in the preparation of all ATMPs. In recent years regulatory agencies have recognized the need for guidance to mitigate the risks from raw materials of animal origin in the production of ATMPs.94 The draft guideline published by the European Directorate for the Quality of Medicines & HealthCare (EDQM), the EMA, and the CoE outlines that ‘due to the inherent risk of transmitting adventitious agents or inducing adverse immune reactions, it is recommended to minimise, wherever possible, the use of raw materials of human or animal origin’.95 The games continue, but the increased concerns regarding transmissible diseases of zoonotic origin, intensified by the Ebola outbreak in 2014, showed the need for more reflection both on appropriate regulation and on schemes for legal preparedness, especially when coping with health emergencies may have an impact on fundamental rights.

5. Conclusions This chapter has examined the evolution of the technological and regulatory process for animal cells, tissues, and organs as a relevant example of co-​production in the relationships between science, policy, and law. ‘Xeno’ provides an opportunity to simultaneously reflect on the developments of technoscience in Europe and on political changes within the European institutions. The way the European normative framework has evolved is unique compared with other regulatory approaches. Through time, European institutions have adopted different policy models, either tactically shifting from one to the other, or simultaneously maintaining conflicting models. The harmonized contradictions of the European framework on animal cells, tissues, and organs have resulted from several conflicting elements. The willingness of European institutions to support innovation while minimizing its risks, to support a precautionary approach to public health while balancing individual

94 In 2012 the EDQM, the EMA, and the CoE started a joint collaboration on risks from raw materials to be used in ATMPs. This produced a report in 2013 and a draft guideline at the end of 2014: EMA and CoE, Raw Materials for the Production of Cell-​Based and Gene Therapy Products, Symposium Report, 3 April 2013, available at http://​w ww.ema.europa.eu/​docs/​en_​GB/​document_​library/​Report/​2013/​11/​WC500153798.pdf (last visited 15 January 2017). The European Pharmacopoeia (Ph. Eur.), Europe’s legal and scientific benchmark for pharmacopoeial standards, established guidelines on raw materials that entered into force on 1 January 2017 (EDQM, European Pharmacopoeia (9th edn, 2016), ‘Raw Materials for the Production of Cell-​Based and Gene Therapy Medicinal Products’, Chapter 5.2.12 available at https://​w ww.edqm.eu/​en/​european-​ pharmacopoeia-​9th-​edition (last visited 15 January 2017).) 95 Raw Materials for the Production of Cell-​based and Gene Therapy Medicinal Products, Chapter 5.2.12, supra note 94, at 2.

36

36

Medical Technologies and EU Law

and collective rights, and to respect Member States’ subsidiarity produced quite a complex scenario which has proven difficult to govern. After having proposed a European (value-​laden) vision of science, the CoE opted for a supposedly more neutral, science-​based position. The precautionary model was de facto used by the CoE following the US meaning of precaution. Indeed, while the original meaning of the concept, as framed by the European Commission in its Communication, referred to a cautious behaviour towards a critical technology, the term in the United States applies to all safety measures adopted to control risks of infection, including ‘isolation precautions’ and ‘the most restrictive level of isolation’ for the patient.96 For its part, the EU endorsed precaution, instead, to create room for subsidiarity and for Member States to make their own choices. For a long time citizens and their rights were rarely invoked and never given a voice in XT. The European institutions did not involve Europeans when XT first appeared as an unprecedented challenge at the turn of the millennium. The Directive on GMOs established that some forms of public consultation should be performed by Member States, but no public consultation was launched on XT at the EU level. Similarly, the CoE did not carry out any consultations, instead adopting a sort of paternalistic or draconian vision of safety measures. In working out its position in agreement with the European Commission, the CoE started by framing informed consent as including third parties (family and close contacts), but ended by authoritatively requiring patients and their contacts to waive some fundamental rights. Instead of concluding that XT was not an acceptable technology if rights had to be waived, the CoE accepted that the potential costs for innovation would be paid by citizens. This polarized and controversial regulatory landscape has gradually faded away while the discursive legal–​political identity of XT has been transformed into a more neutral form of innovation. The concept of ‘technoscientific imaginary’, as used in Science and Technology Studies (STS) is relevant here. According to STS scholars, scientists and engineers are key participants in propagating ideas about the nature, purpose, and social significance of their work. These collective visions, encompassing both tacit and explicit assumptions about what gives science its moral and epistemic authority as well as about what makes science worth pursuing, are referred to as technoscientific imaginaries. These imaginaries provide a common understanding of controversial technologies, such as XT, that can make them more easily accepted and legitimate.97 Over time, the imaginary surrounding XT has been radically reframed, shifting from animal spare parts to pharmaceutical products, with a complete rearrangement of the relevant scientific and regulatory issues. Although infectious diseases have become an even more severe threat in a globalized, highly connected world, the reframing of XT as cell therapy provided a

96 PHS, Guideline on Infectious Disease Issues in Xenotransplantation (2001). 97 Jasanoff, supra note 1.

 37

Mariachiara Tallacchini

37

rebranding of its image and the imaginary connected with it, redefined the normative landscape, and re-​established (or effectively waived) rights. In this renewed context, the EU finally adopted some forms of public participation, though primarily framed for experts and well-​defined stakeholders—​industry, researchers in the field, patients’ associations. The overall impression is that, notwithstanding its political evolution, the EU is still shifting from the old market-​based and state-​based foundations to the polity-​ based and citizen-​based union. After the Charter of Fundamental Rights of the EU acquired legally binding status, ethical values and their roles in defining the path and pace of innovation should be given more directly to European citizens as an expression of their rights. In disentangling the complex evolution of an emerging, and re-​emerging, medical technology, the significant co-​production dynamic of technoscientific and regulatory processes allows a nuanced portrait of Europe to appear, while at the same time raising questions about the future role of democracy in these processes.

38

3 EU Law and Bioethics Stéphanie Hennette Vauchez *

In 2004, Tamara Hervey and Jean McHale authored an important volume on Health Law and the European Union.1 One of the book’s opening observations was that ‘health is not an area which is traditionally regarded as falling within the remit of EU law’.2 It is both easy and tempting to borrow their opening line and apply it to bioethics: as ‘bioethics’ is generally understood to be a subfield of health law, it would then follow that bioethics, even more so than health law, really is outside or beyond the remit of EU law. But, of course, appearances are deceiving—​a nd the whole purpose of this chapter (as well as that of Hervey and McHale’s book) is to establish that a body of EU biomedical law does indeed exist. Of course, there is no definition—​and, in particular, no legal definition—​of what exactly ‘bioethics’ are. There is, however, a rather consensual understanding that the term refers to a set of issues that are linked to the development of biomedicine (i.e. medicine that takes life as its object, so as to produce and control it, as opposed to other or previous understandings of medicine as a science of diseases or of the body3). Indeed, as medicine (the medical technology) increasingly concerns the production and conditions of life itself, there is growing reflection on whether and how rules should be adapted. This is clearly a historical evolution; the scope of medicine has evolved over time and has not always been so tightly connected to the production and regulation of life itself. Whereas historically physicians actually withdrew as life was clearly coming to an end,4 today they are increasingly present at this stage as the end of life takes place more frequently in hospitals or other medical settings. In fact, some countries have even decided to

*  This chapter was finalized in January 2014. 1  T. Hervey and J. McHale, Health Law and the European Union (2004). 2  Ibid., at 2. 3  There is a rich literature on this fundamental evolution of the very object of modern medicine (and indeed political power) and on the centrality of ‘life’ among its objects, ranging from the work of Michel Foucault to that of Giorgio Agamben, Nicholas Rose, or Roberto Esposito. 4 Pernick, ‘Back from the Grave:  Recurring Controversies about Defining and Diagnosing Death in History’, in R. M. Zaner (ed.), Death: Beyond the Whole-​Brain Criteria (1998) 17. EU Law and Bioethics, First Edition, Stéphanie Hennette Vauchez © Stéphanie Hennette Vauchez 2017. Published 2017 by Oxford University Press

 39

Stéphanie Hennette Vauchez

39

adopt legislation on the end of life, and more and more cases are being brought before courts.5 Reproduction is also an area that has been dramatically altered by the development of biomedicine; in fact, its very anthropological meaning seems to have evolved as sex and procreation have been distinguished, and as the technology has developed in order to keep embryos and foetuses alive outside women’s bodies.6 For most of recorded human history, reproduction depended on fate or destiny more than it did on choice; it was also an intimate event par excellence. Today, however, reproduction is also an issue on which the state intervenes, including through legislation. The legal regulation of reproduction tends to construct it as an optional event that can be avoided (through contraception or abortion) or, on the contrary, accessed artificially when medically or otherwise impossible (in cases of infertility or homosexuality for example). One could also mention the extraordinary increase and diversification in uses of elements of the human body. For instance, through tissues, cells, organs, and blood the human body has largely become a source of value7 for therapeutic purposes (as a source of medication or treatment), for scientific purposes (as a source of research material), and increasingly, for other purposes (such as biobanks and increasingly the notion of autologous conservation of biological material, including umbilical cord blood cells in order to have self-​tailored material for future cures). For our purposes, then, it will be understood here that the term ‘bioethics’ refers to a set of issues raised by the development of biomedicine: either the conquest of new fields of practice by medicine (organ transplantation, assisted reproduction) or the technicization and medicalization of phenomena and processes that have long been understood to be beyond human mastery (such as end-​of-​life issues). This chapter aims to analyse the legal responses these issues have triggered in recent decades. The focus here will be on the interplay between national and European levels of regulation in this field. This will allow us to address wider issues pertaining to trends and evolutions in European modes of legal regulation in general, as well as on transformations of issues of bioethics themselves. How important are legal responses to bioethics at the EU level? Does such a body of law even exist? These questions are not merely rhetorical, for the EU could well be said to lack both the competence and the legitimacy to regulate biomedicine. That said, Tamara Hervey’s answer to comparable arguments with respect to health law more generally is once more inspiring. She argues, from an empirical standpoint, that technical legal answers ought to be more closely evaluated:

5  For a comparative overview, J. Griffiths et al. (eds), Euthanasia and the Law in Europe (2008). 6 See, e.g., S. Franklin and H. Ragone (eds), Reproducing Reproduction:  Kinship, Power and Technological Innovation (1998). 7  Waldby and Mitchell coined the term ‘biovalue’: C. Waldby and R. Mitchell, Tissue Economies (2006).

40

40

EU Law and Bioethics

Diane Blood relies on free movement of rights in Community law to seek fertility treatment in Belgium. A  Community body—​ the Committee for Proprietary Medicinal Products—​ recommends that Viagra be approved for marketing across Europe. The European Commission responds to food-​related threats to public health, such as BSE, by proposing a new European Food Agency. The Commission proposes the prohibition of tobacco advertising across the EU. These events, along with many others of a less high profile, illustrate how the European Union is playing an increasing role in the determination of both individual and collective health entitlements. It might be said that the EU is developing a health policy.8

Similarly, a number of elements could be listed in support of the notion that a body of EU biomedical law does exist. There are, indeed, a number of EU directives in the field such as those relating to patents,9 blood,10 tissue,11 clinical trials,12 and organs.13 There are also several resolutions that have been passed by the European Parliament regarding the trade in oocytes,14 assisted reproduction techniques,15 cloning,16 and abortion.17 Furthermore, the European Group on Ethics in Science and New Technologies (EGE) has now delivered numerous opinions. Initially created as the Group of advisers to the European Commission on the ethical implications of biotechnology (GAEIB) in 1991, the EGE now advises ‘the Commission on ethical questions relating to sciences and new technologies, either at the request of the Commission or on its own initiative. The Parliament and the Council may draw the Commission’s attention to questions which they consider to be of major ethical importance’.18 One should also add to this tentative list of EU biomedical norms Article 182 of the Treaty on the Functioning of the European Union (TFEU) (ex Art. 166 EC Treaty) decisions, as they establish the Framework Programmes of the EU’s research policy and thereby determine what, in the field of biomedical research, can be funded. Finally there is the case law: however surprising, abortion, assisted reproduction, and even the very definition of the embryo count among the topics that the Court of Justice of the European Union has been dealing with. In other words, and once again to borrow

8 Hervey, ‘Mapping the Contours of EU Health Law and Policy’, 8 European Public Law (2002) 69. 9  Directive 98/​4 4/​EC of 6 July 1998, OJ 1998 L 213/​13. 10  Directive 2002/​98/​EC of 27 January 2003, OJ 2003 L 33/​30. 11  Directive 2004/​23/​EC of 31 March 2004, OJ 2004 L 102/​48. 12  Directive 2001/​20/​EC of 4 April 2001, OJ 2001 L 121/​34. 13  Directive 2010/​45/​EU of 7 July 2010, OJ 2010 L 207/​14. 14  EP Resolution of 10 March 2005 on Planned Egg Cell Trade, OJ 2005 C 320 E/​251. 15  EP Resolution of 16 March 1989 on the ethical and legal problems of genetic engineering, OJ 1989 C 96/​165 and Resolution of 16 March 1989 on Artificial Insemination In Vivo and In Vitro, OJ 1989 C 96/​171. 16  EP Resolution of 7 September 2000, on the Cloning of Human Beings, OJ 2001 C 135/​263. Note that this Resolution follows five others on similar topics that had been adopted by the EP between 1989 and 2000. 17  EP Resolution of 3 July 2002 on Sexual and Reproductive Health and Rights, OJ 2003 C 271 E/​369. 18  Commission Decision 2005/​383/​EC of 11 May 2005, OJ 2005 L 127/​17.

 41

Stéphanie Hennette Vauchez

41

from Hervey’s analysis in the broader field of health law: ‘it might be said that the EU is developing a biomedical policy’. As such, this chapter will analyse this body of EU biomedical law. It will do so by addressing three questions. First, it will attempt to look back at the ways in which this body of EU biomedical law has come into existence. Arguably, EU biomedical law is an unlikely legal object and it is thus worthwhile to explore the ways in which possible limitations of competence and issues of legitimacy have been circumscribed and overcome in order for these directives, European Parliament (EP) resolutions, and other measures to come into being. Second, the chapter will ask what this body of EU biomedical law consists of. Examination of a number of examples will suggest that by and large EU biomedical law is about procedures and methods more than it is about substance or content. Third, the chapter aims to identify the most salient difficulties and what is at stake today for EU biomedical law. In particular, it will focus on two recent developments: the Brüstle decision of the Court of Justice of the European Union (CJEU) (in which the Court undertook to provide a legal definition of the human embryo) and two decisions of the European Court of Human Rights (ECtHR), which raise important questions for the future of biomedical law in Europe at large since they are related to the interaction between EU and European Convention on Human Rights (ECHR) standards.

1.  A Body of EU Biomedical Law? Solving the Puzzle A. The Original Puzzle: Few Competences, No Legitimacy The very existence of a body of EU biomedical law is puzzling indeed, for the EU seems to have very few legal grounds for action in this field. Additionally, the creation of conditions of political legitimacy for such action seems rather unlikely.

1. Competence and Legal Basis With regard to competences, it is striking to see that the EU has very little competence in fields that overlap with the regulation of biomedicine. Article 168 TFEU (ex Art. 152 EC Treaty) encapsulates the general position as it awards the EU sector-​specific competences in the field of public health and thus provides it with a legal basis for some forms of action. It does provide a general framework for mainstreaming health in all EU policies (in Art. 168(1));19 this, however, does 19  Art. 168(1) TFEU: Union action, which shall complement national policies, shall be directed towards improving public health, preventing physical and mental illness and diseases, and obviating sources of danger to physical and mental health. Such action shall cover the fight against the major health scourges, by promoting research into their causes, their transmission and their prevention, as well as health information and education, and

42

42

EU Law and Bioethics

not encompass regulatory action and part of this general policy recommendation invites the EU to complement action by the states and not to act proprio motu. Article 168’s second paragraph encourages cooperation and coordination between Member States in the field of health (and therefore does not serve as a possible legal basis for EU regulatory action as such), while the third paragraph is about cooperation with third countries. Further, paragraphs 5–​7 are only about incentive measures and recommendations.20 Harmonization competences are only mentioned in paragraph 4: By way of derogation from Article 2(5) and Article 6(a) and in accordance with Article 4(2)(k) the European Parliament and the Council, acting in accordance with the ordinary legislative procedure and after consulting the Economic and Social Committee and the Committee of the Regions, shall contribute to the achievement of the objectives referred to in this Article through adopting in order to meet common safety concerns: (a) measures setting high standards of quality and safety of organs and substances of human origin, blood and blood derivatives; these measures shall not prevent any Member State from maintaining or introducing more stringent protective measures; (b) measures in the veterinary and phytosanitary fields which have as their direct objective the protection of public health; (c) measures setting high standards of quality and safety for medicinal products and devices for medical use.

In other words, harmonization measures in the field of health are limited. They are limited in principle because they are defined as exceptions; and they are limited in scope for they must relate to safety concerns and issues. It is often the case in fields where sector-​specific competences are awarded to the EU (see, for

monitoring, early warning of and combating serious cross-​border threats to health. The Union shall complement the Member States’ action in reducing drugs-​related health damage, including information and prevention. 20  Art. 168(5)–​(7) TFEU: 5. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure and after consulting the Economic and Social Committee and the Committee of the Regions, may also adopt incentive measures designed to protect and improve human health and in particular to combat the major cross-​border health scourges, measures concerning monitoring, early warning of and combating serious cross-​border threats to health, and measures which have as their direct objective the protection of public health regarding tobacco and the abuse of alcohol, excluding any harmonization of the laws and regulations of the Member States. 6. The Council, on a proposal from the Commission, may also adopt recommendations for the purposes set out in this Article. 7. Union action shall respect the responsibilities of the Member States for the definition of their health policy and for the organization and delivery of health services and medical care. The responsibilities of the Member States shall include the management of health services and medical care and the allocation of the resources assigned to them. The measures referred to in paragraph 4(a) shall not affect national provisions on the donation or medical use of organs and blood.

 43

Stéphanie Hennette Vauchez

43

instance, the fields of culture or education) that they go hand in hand with a narrowing down of possible harmonization measures. As a consequence, Article 168 does not challenge the notion that, as a general rule, EU action in the field of health is mostly one of incentivization. With regard to harmonization, Article 168 only awards the competence to regulate quality and safety standards for human blood and other substances of human origin at the European level. There is, however, another route that has historically proved important for EU regulatory action in the field of bioethics, namely Article 114 TFEU (ex Art. 95 EC Treaty). Article 114 relates to the internal market and, for our purposes, paragraphs 1, 3, 8, and 10 are the most relevant: 1. The European Parliament and the Council shall, acting in accordance with the ordinary legislative procedure and after consulting the Economic and Social Committee, adopt the measures for the approximation of the provisions laid down by law, regulation or administrative action in Member States which have as their object the establishment and functioning of the internal market. 3. The Commission, in its proposals envisaged in paragraph 1 concerning health, safety, environmental protection and consumer protection, will take as a base a high level of protection, taking account in particular of any new development based on scientific facts. Within their respective powers, the European Parliament and the Council will also seek to achieve this objective. 8. When a Member State raises a specific problem on public health in a field which has been the subject of prior harmonisation measures, it shall bring it to the attention of the Commission which shall immediately examine whether to propose appropriate measures to the Council. 10. The harmonisation measures referred to above shall, in appropriate cases, include a safeguard clause authorising the Member States to take, for one or more of the non-​ economic reasons referred to in Article 36, provisional measures subject to a Union control procedure.

This Article has been an important legal basis for at least two sets of reasons. First, EU actors have often put forth the rationale according to which variation in the legislation of Member States on topics relevant to the regulation of biomedicine was detrimental to the realization of the internal market. In this vein, the 2001 Clinical Trials Directive or the 1998 Patents Directive are both grounded in Article 114. Such analyses are only reinforced by evolutions contemporary with what I shall call the very structure of biomedical issues themselves—​and mostly by the fact that, increasingly, there is an economy of elements of human origin and related (bio)-​technologies. To that extent, variation in national legislation can indeed be construed as an impediment to the realization of the internal market. Second, the European Court of Justice has encouraged this understanding of the diversity of national legislation as an impediment to the internal market by developing a rather loose line of reasoning according to which EU legislation could be viewed and assessed as internal market legislation as long as the measure’s ‘centre of gravity’ was the approximation of national legal regimes otherwise thought to be detrimental to the market. This results from the much-​debated

4

44

EU Law and Bioethics

Tobacco Advertising ruling of 2006.21 In this case, although the aim of the contested measure was clearly to pursue public health objectives, the Court agreed to view it as one concerned primarily with internal market considerations ‘provided that the conditions for recourse to Article 95 EC as a legal basis are fulfilled, the Community legislature cannot be prevented from relying on that legal basis on the ground that public health protection is a decisive factor in the choices to be made’. Additionally, the Court has considered that the legal categories that form the grammar of internal market legislation and policies (‘goods’, ‘services’, etc.) can be plainly (in the sense of mechanically or technically) applied to biomedical issues. After it ruled in 1984 that medical services in general were ‘services’ under EU law, the Court went on to deny any specificity of abortion services in that respect in a 1991 ruling.22 In Grogan v Society for the Protection of Unborn Children, the Court declared that whatever the nature and legitimacy of moral debates over abortion, there was no reason not to consider that abortion, as a medical service, was a service under EU law.23 This mode of reasoning, based on the universal scope of the economics-​oriented categories that the internal market rests upon, is not specific to the European Court; in fact, several of its national counterparts have similarly used internal market categories to decide upon biomedical issues. For instance, the Court of Appeal in the UK ruled in 1997 that assisted reproduction constituted a medical service and that, as a result, freedom of circulation required that sperm samples detained in a British clinic were to be exported to Belgium where they were wanted for insemination.24 More recently, several

21  Case 380/​03, Germany v. Parliament and Council (Tobacco Advertising), [2006] ECR I-​11573 (ECLI:EU:C:2006:772). 22  Joined Cases 286/​82 and 26/​83, Luisi and Carbone v. Ministero del Tesoro, [1984] ECR 377 (ECLI:EU:C:1984:35). 23  Case 159/​90, The Society for the Protection of Unborn Children Ireland Ltd v. Stephen Grogan and Others, [1991] ECR I-​04685 (ECLI:EU:C:1991:378), in particular paras 18–​21: It must be held that termination of pregnancy, as lawfully practised in several Member States, is a medical activity which is normally provided for remuneration and may be carried out as part of a professional activity. In any event, the Court has already held in the judgment in Luisi and Carbone (Joined Cases 286/​82 and 26/​83 Luisi and Carbone v Ministero del Tesoro [1984] ECR 377, paragraph 16) that medical activities fall within the scope of Article 60 of the Treaty. SPUC, however, maintains that the provision of abortion cannot be regarded as being a service, on the grounds that it is grossly immoral and involves the destruction of the life of a human being, namely the unborn child. Whatever the merits of those arguments on the moral plane, they cannot influence the answer to the national court’s first question. It is not for the Court to substitute its assessment for that of the legislature in those Member States where the activities in question are practised legally. Consequently, the answer to the national court’s first question must be that medical termination of pregnancy, performed in accordance with the law of the State in which it is carried out, constitutes a service within the meaning of Article 60 of the Treaty. 24  R. v. Human Fertilisation and Embryology Authority, ex parte Blood, Court of Appeal (Civil Division) [1997] 2 All ER 687.

 45

Stéphanie Hennette Vauchez

45

administrative courts in France have applied the 1985 Directive on liability for defective products to organ transplantation, conflating organ retrieval with ‘manufacturing’.25

2. Legitimacy The puzzle about the very existence of a body of biomedical law is not merely a legal one. Indeed, one wonders how it can be the case that EU action appears legitimate and thus acceptable (or even desirable) for Member States in the field of biomedicine. This is a truly daunting question because bioethics is likely, more than most, to be a field in which states will try to retain their autonomy and competence due to the fact that there is a strongly identitarian dimension in political choices on issues such as stem cell research, abortion, or end of life. As Herbert Nys put it some time ago: [T]here undoubtedly are some vexed themes in medical law—​such as abortion and euth­ anasia—​where the ideas of various MS—​but also within the States—​are so far apart due to religious, philosophical, ethical and other reasons that a common European regulation would simply be unthinkable.26

As such, bioethics is traditionally understood to be a topic on which states will most likely try to retain their discretion to choose and be reluctant to engage in harmonization or transnationalization. This should play out against EU action in the field of biomedicine. The attachment of states to the possibility of sovereign choice in this field echoes the insistence on pluralism at the European level. In fact, this notion of pluralism is significantly and repeatedly advocated by the EGE. It declares, for instance, in its Opinion 12 of 1998 on legal aspects of research on human embryos, that ‘[p]‌luralism may be seen as a characteristic of the European Union, mirroring the richness of its tradition and asking for mutual respect and tolerance’.27 Another example of the true purchase of the notion of pluralism in the field of bioethics at the European level can be found in the protocols to the founding Treaties that several Member States have asked for (and indeed even obtained), which express the notion that the national regulatory equilibrium in the field of bioethics will not be threatened. For instance, when Malta became a member of the EU in 2003, the accession treaty was complemented by a Protocol that reads: ‘nothing in the treaty on European Union, or in the Treaties establishing the European Communities, or in the Treaties or Acts modifying or supplementing those Treaties, shall affect

25  Directive 85/​374/​EEC of 25 July 1985, OJ 1985 L 210/​29. See, e.g., Cour administrative d’Appel de Lyon, case 03LY01329, 20 December 2007; and the more cautious stance of the Conseil d’Etat, case 313568, 27 January 2010. 26 Nys, ‘Comparative Health Law and the Harmonisation of Patients’ Rights in Europe’, 8 European Journal of Health Law (2001) 325. 27 EGE, Opinion no. 12, Ethical Aspects of Research Involving the Use of Human Embryo in the Context of the 5th Framework Programme, 23 November 1998, at para. 1.27.

46

46

EU Law and Bioethics

the application in the territory of Malta of national legislation relating to abortion’. Ireland had obtained a similar protocol to the Maastricht Treaty in 1992 and, as Tamara Hervey explains, it is probably only because the association of the very sensitive issue of abortion with membership of the EU would have complicated the accession process that Poland did not ask for a similar one.28 These examples illustrate the notion that biomedical issues (in this case abortion) are so sensitive that states are more likely to do what it takes to retain their competence than to accept EU (or other transnational) action. How, then, have events transpired in such a way that serious technical (with no clear legal grounds for action) and political (with the unlikeliness of the conditions for EU action being deemed legitimate) impediments have been overcome? In other words, how exactly has the current and relatively thorough body of EU biomedical law come into existence?

B. Contextual Factors for Puzzle Solving There are two main factors that I wish to emphasize here. The first is the increasingly prevalent and central role of fundamental rights within the EU legal order. This development has played an important role in the emergence of a body of biomedical law due to the close connections between ‘bioethics’ and ‘fundamental rights’. However, this has been complemented by a second, less conspicuous but equally crucial, evolution—​that of the very structure of biomedical issues themselves. These issues have become issues of circulation and globalization of goods and services, thus becoming technical (and no longer ontological) questions.

1. Fundamental Rights and Non-​Market Values in the EU Legal Order Generally speaking, fundamental rights have largely framed the discourse on biomedical issues such as abortion, reproduction, end-​of-​life decision-​making, genetics, and predictive medicine. All of these issues have come to be thought of in terms of the rights to autonomy, privacy, and bodily integrity, for instance. As such, fundamental rights have become one of the main ‘languages’ of EU law. It is contended here that this has been an important factor in bringing about the convergence of biomedical issues and EU law, one that ought to be taken into consideration when reflecting on the reasons for which a body of EU biomedical law has developed. It is well known that the initial absence of any reference to fundamental rights in the EU legal order soon found itself at the centre of a form of conflict between the European legal order and national supreme courts which threatened to ignore the principles of direct applicability and primacy of the EU over national law as long as the EU legal order did not guarantee a level of fundamental rights 28  T. Hervey and J. McHale, Health Law and the European Union (2004), at 401–​402.

 47

Stéphanie Hennette Vauchez

47

protection comparable to that granted by national legal orders.29 The European Court of Justice thus made instrumental moves, from the end of the 1970s onwards, in affirming that EU acts and Member States alike ought to comply with fundamental rights when either implementing or derogating from EU law. Subsequently, fundamental rights became explicitly binding within the Treaties themselves, and the EU’s commitment to fundamental rights was formalized at Nice in 2000 with the proclamation of the EU Charter; the Lisbon Treaty has since elevated the Charter to the same normative strength as the Treaties themselves.30 Notably, the EU Charter locates the principle of human dignity at the forefront of its commitment and proclaims general fundamental rights that are intended to speak to issues raised by the development of biomedicine such as freedom of arts and sciences or the prohibition of all forms of discrimination, including on grounds of genetics. It also devotes a specific provision—​A rticle 3 of the Charter—​to the ‘right to integrity of the person’ in particular vis-​à-​vis medicine: 1. Everyone has the right to respect for his or her physical and mental integrity. 2. In the fields of medicine and biology, the following must be respected in particular: (a) the free and informed consent of the person concerned, according to the procedures laid down by law; (b) the prohibition of eugenic practices, in particular those aiming at the selection of persons; (c) the prohibition on making the human body and its parts as such a source of financial gain; (d) the prohibition of the reproductive cloning of human beings.

It thus appears quite clearly that the rise of fundamental rights within the EU legal order has been a crucial basis for the emergence of a body of EU biomedical law. At any rate, this ever-​g rowing importance of fundamental rights in the EU legal order has only confirmed the indisputable (albeit implicit) tendency of EU law to incorporate non-​market values in internal market legislation. Despite its fundamentally and intrinsically economic origins, the EU legal order has arguably always been open to non-​market values. From that perspective, the all-​market image of the EU legal order has probably always been a misconstrued caricature. As Bruno de Witte wrote in 2006: ‘internal market legislation is always also about something else’.31 This can be seen in the number of sector-​specific policies that do not immediately relate to the market (such as culture, the environment, health) and can also be seen in the fact that internal market legislation very often incorporates non-​market values such as

29  K. Alter, Establishing the Supremacy of European Law (2003). 30  Charter of Fundamental Rights of the European Union, OJ 2000 C 364/​1. 31  De Witte, ‘Non-​Market Values in Internal Market Legislation’, in N. Nic Shuibhne (ed.), Regulating the Internal Market (2006) 76.

48

48

EU Law and Bioethics

goals of social policy in the form of workers’ rights and the goals of public health policy.

2. The Structure of Biomedical Issues: From Ontologies to Commodities In parallel with these elements that explain the presence of both non-​market values and fundamental rights within the EU legal order and their role in bridging EU law and policies with biomedical issues, there has been another development that has contributed to this ‘unlikely encounter’.32 This development is one that has affected the very structure of biomedical issues between the 1980s and the first decade of the 21st century. In the 1970s and 1980s as it started becoming an important social and technological issue, bioethics was mostly framed in what one might call ontological terms. Bioethics were said to raise ‘fundamental ontological questions’ about ‘humanity’, and the ‘essence of man’.33 In fact, for a long time the political and legal conversation about bioethics was aimed at elaborating true, permanent, and possibly universal ‘founding principles’. Institutionally, this most notably translated into the development and generalization (at a rapid pace) of ethics committees at the national as well as the international level. These committees were presented as means of securing a deliberative, consensual, and pluralistic model of rule making. The 1990s, however, were a decade during which there was a growing sense that the consensus strategy typical of that first ‘ethical’ phase had failed, and that it was therefore necessary to acknowledge its chimerical dimension and return to majoritarian law-​making processes.34 Indeed, on a variety of topics it became increasingly clear that consensus was simply out of reach. National legislative endeavours such as those that resulted in the 1990 adoption of the Human Fertilization and Embryology Act in the United Kingdom, or in the 1994 Laws on Bioethics in France, were proving to be highly contentious. And similar obstacles were encountered on the international plane. Emblematically the Council of Europe’s 1997 Oviedo Convention35 symbolized the near impossibility of reaching clear-​cut normative positions transnationally.36 While embryonic research counted among the topics that were much debated at the time the Convention was being crafted, expectations were high that the final text would settle the issue. However, Article 18 of the Convention 32 Hennette Vauchez, ‘EU Law and Biomedicine:  Unlikely Encounters?’, 38 Legal Issues of European Integration (2011) 5. 33  See, e.g., the seminal books by H. T. Engelhardt, The Foundations of Bioethics (1986) and T. L. Beauchamp and J. F. Childress, Principles of Biomedical Ethics (1979). 34  H. T. Engelhardt, Global Bioethics: The Collapse of Consensus (2006). 35  Convention for the Protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine 1997, CETS No. 164. 36  Girard, ‘Le droit international de la bioéthique:  l’universalisation à visage humain?’, in S. Hennette Vauchez (ed.), Bioéthique, biodroit, biopolitique. Réflexions à l’occasion de la loi du 6 août 2004 (2006) 51.

 49

Stéphanie Hennette Vauchez

49

was soon criticized for its failure to say anything truly normative. Rather than making a clear statement on whether embryonic research should or should not be legal, it rules that research should only be authorized under precise conditions.37 However, there are other examples that show that the international level is no more favourable to consensus than the national level; suffice it to recall how the ambitious project of a UN convention on bioethics eventually ended in the form of a mere declaration which simply called on all states to adopt ‘all measures necessary to prohibit all forms of human cloning inasmuch as they are incompatible with human dignity’ (without clarifying what ‘inasmuch’ really meant. Are all forms of cloning incompatible with human dignity, or only certain forms?). Consequently, something like a ‘pragmatic turn’ seems to have been taken by those individuals and institutions in charge of regulation in the field of bioethics. In recent times they have indeed engaged in more pragmatic forms of intervention: more attention seems to be paid to the exact shape and structure of the issues at stake and, generally speaking, normative regulatory initiatives seem to depart more readily from ‘grand’ or abstract principles. This of course relates to actual evolutions in the contemporary reality of bioethical issues. As a globalized ‘tissue economy’38 has developed on a worldwide scale, numerous substances of human origin (including tissues, organs, and blood) circulate, are imported and exported, and serve various purposes (including scientific research, experimental protocols, and autologous forms of conservation). What is interesting from a legal perspective is that this tissue economy is an economy of circulation and retribution, regardless of the persistent (if at times deceiving) insistence of many legal narratives according to which substances of human origin may not be commodified or lead to remuneration. As some commentators have convincingly argued, it is precisely the ambiguity of many of the central legal concepts on which biomedical law was built, including non-​ marketability of substances of human origin, informed consent, and the like, that has actually allowed (and not opposed or prevented) the transformation of gifts (through donation) into property (through acquisition). This has led to a situation such that ‘while persons have no property rights in their own body parts, it is possible for a second party to establish property rights in tissues once they have left the donor’s body’.39 Several examples show how this process has played out. Blood is no longer a simple and stable product circulating only from donor to recipient as was the case when the medical practice of blood transfusion first triggered legal40 and sociological41 reflections on the status of the human body and of body parts. Blood is now fractioned, transformed, interests multiple users, and 37  Art. 18 of the Convention, see supra note 35, reads: 1. Where the law allows research on embryos in vitro, it shall ensure adequate protection of the embryo. 2. The creation of human embryos for research purposes is prohibited. 38  Waldby and Mitchell, supra note 7. 39  Ibid., at 71. 40  M.-​A . Hermitte, Le sang et le droit: essai sur la transfusion sanguine (1986). 41  R. Titmuss, The Gift Relationship: From Human Blood to Social Policy (1970).

50

50

EU Law and Bioethics

plays a crucial role in the pharmaceutical industry. Consequently, it circulates, both nationally and internationally, and has a price. Stem cells (and other biological materials) are now increasingly commonly stored in ‘banks’.42 Further, venture capital plays an important role in the globalized world of stem cell research43 and the fear of ‘brain drain’, i.e. researchers tempted to move to other parts of the world where embryonic research is not forbidden, has heavily influenced more than one piece of national legislation to renounce initial plans for bans on stem cell research.44 In addition, most of what was until recently considered to be hospital waste has been turned into biovalue.45 In other words, substances of human origin circulate as products between a diverse set of actors; their circulation creates areas of exchange that strongly resemble markets and they generate investments and profits. Moreover, their circulation is truly global: stem cell lines are imported and exported throughout the globe, Indian and Ukrainian fertility clinics are experiencing a significant boom in demand, and academic researchers as well as biotechnology companies routinely change national settings in order to take advantage of the most beneficial regulatory environment. In the face of such radical developments, one might well take a critical look back at the kind of fundamental rights-​inspired concepts and paradigms that have historically governed regulatory narratives in the field of biomedicine. Are they still relevant and appropriate? Do they actually allow us to solve the questions that arise as a result of the development of biomedicine? Are rights such as ‘privacy’ and ‘dignity’ not much better suited to Hollywood stars in the management of the amount of information they want to make public about their recourse to surrogate motherhood than to the anonymous Indian midwife who is considering acting as a surrogate for the second time in order to provide her son not only with shelter but also an education? Is the whole idea of reproductive rights not flawed when ethnographic studies tend to underlie that ‘choice’ on these issues is often but a mirage?46 How viable are legislative options in the field of reproductive medicine that rely on publicly controlled and subsidized systems (such as in France for instance) or the exclusion of profit (such as in the British approach to surrogate motherhood), when at the same time privately driven markets develop at a rapid pace for oocytes donation and surrogate motherhood contracts provide women with significant revenues? 42 This model seems to be more developed in some countries (such as Spain or the United Kingdom) than others; but it is certainly developing. See F. Bellivier and C. Noiville, Les biobanques (2009). 43  H. Gottweis, B. Salter, and C. Waldby, The Global Politics of Stem Cell Science (2009). 44  Germany here probably provides the most telling example of the originality and awkwardness of the option that finally prevailed: as the German legislator did wish to ban stem cell research, it included a provision that limits the ban to ‘German’ embryos. Consequently, German researchers can still practise embryonic and stem cell research provided they import biological material. See Halliday, ‘A Comparative Approach to the Regulation of Human Embryonic Stem Cell Research in Europe’, 12 Medical Law Review (2004) 40. 45  Waldby and Mitchell, supra note 7. 46 Murphy, ‘The Texture of Reproductive Choice:  Law, Ethnography and Reproductive Technologies’, in T. Murphy (ed.), New Technologies and Human Rights (2009) 195.

 51

Stéphanie Hennette Vauchez

51

These are contextually sensitive questions that are formulated in a way that prevents us from looking away from the increasingly market-​governed modes of operation of biomedicine. This development and consolidation of ‘tissue economies’ thus raise a daunting question: should normative responses accompany this shift in the shape and structure of biomedical issues? To be sure, the legitimacy of market-​oriented approaches to biomedical issues seems greater today than it was several decades ago. Consider, for instance, the stark contrast between the outcries that surrounded Elisabeth Landes and Richard Posner’s famous piece on a market for babies in 197847 and the policy proposal voiced in 2008 by the British Economic and Social Research Council according to which incentivization measures intended to attract organ donors in greater numbers could include ‘the provision of vouchers, for example, to obtain white or electronic goods (e.g., iPods, music CDs or DVDs, etc.)’.48 Should these elements lead us to think that principled positions upon which the bioethical debate was based until recently are outdated? Should more pragmatic modes of reasoning triumph? And what then would be the consequences of such developments as far as legal tools go? Are ‘fundamental rights’ no longer the only and comprehensively relevant paradigm for the effective regulation of biomedical issues? Although normative answers to this series of questions are bound to be too complex to deal with here, it can nonetheless be acknowledged that the evolution of biomedical law and the emergence of a significant body of EU biomedical law would appear to suggest that they are relevant questions. At any rate, in terms of the ways in which a body of EU biomedical law has come into existence, this chapter has thus far affirmed that a greater openness of EU law on the one hand (both to fundamental rights and to non-​market values generally) and developments in the very nature of biomedical issues that justify complementing the traditional fundamental rights approach with one that is capable of better adapting to the now undisputedly market-​oriented dimension of biomedical issues on the other hand, form potentially viable explanations for the emergence of a body of biomedical law at the EU level.

2.  What Does the EU Body of Biomedical Law Consist Of? Reflections on Form and Substance I now wish to turn to a second question:  what does this body of EU biomedical law consist of? What are its main features and characteristics? Of course, the answer to this question must take into account the great diversity and even

47  Landes and Posner, ‘The Economics of Baby Shortage’, 7 Journal of Legal Studies (1978) 323. 48  ESRC (Economic and Social Research Council), Transplantation and Organ Deficit in the UK: Pragmatic Solutions to Ethical Controversy, Final Report (2008), at 7.

52

52

EU Law and Bioethics

heterogeneity of this body of law; in fact, it only grudgingly fits into traditional academic taxonomies. Some norms of EU law directly concern biomedical issues. This is the case with most of the directives and regulations in the field, such as the directives on the protection of biomedical inventions,49 clinical trials,50 blood,51 tissue,52 and organs53 quality and safety requirements, or the regulation on advanced therapy medicinal products.54 Among these measures it is worth noting that some directives have Article 168 TFEU as their legal basis; the directives on tissues or on organs seek to determine minimal standards in terms of sanitary safety. Others are based on Article 114 TFEU such as the directives on clinical trials or patents which favour the convergence of national legal rules that have an effect on the functioning of the internal market. As mentioned earlier, there also are a number of soft law acts ranging from EP resolutions to EGE opinions. However, other parts of this body of biomedical law at the EU level only indirectly deal with biomedical issues. This is the case, for instance, with the EU’s research policy as defined in the five-​year Framework Programmes (FPs), in which topics such as embryonic research and cloning have become prominent. It is also the case throughout patent law since ‘by making patents available within certain types of gene technology, and not others, regulatory bodies are capable if not to forbid certain types of research activity, at least to provide a strong steer to what actually happens on the ground’.55 A close analysis of this body of EU biomedical law seems to support the hypothesis according to which EU biomedical law is by and large about procedures and methods—​more than it is about substantive options. More precisely, it seems that the notion of ‘ethics’ has played an instrumental if ambivalent role in crafting the present body of EU biomedical law. Its role is ambivalent to the extent that, although it is an apparently essentially substantive notion, ‘ethics’ is in fact mid-​ way between form and substance. Similarly, it has been instrumental precisely for that reason, for ‘ethics’ has provided a means of overcoming many difficulties and obstacles that have occurred in the elaboration processes of several directives, decisions, and resolutions. Indeed, its strength lies in the fact that it does not say a great deal and yet still allows many actors to believe that the interpretations or understandings they favour will eventually prevail.56 The history of the elaboration of the 1998 Patents Directive is very telling in this respect, and recalling its main steps will allow us to substantiate this analytical hypothesis about form and substance in EU biomedical law.

49  Directive 98/​4 4/​EC, supra note 9. 50  Directive 2001/​20/​EC, supra note 12. 51  Directive 2002/​98/​EC, supra note 10. 52  Directive 2004/​23/​EC, supra note 11. 53  Directive 2010/​45/​EU, supra note 13. 54  Regulation (EC) 1394/​2007 of the European Parliament and the Council, OJ 2007 L 324/​121. 55  Hervey and Black, ‘The European Union and the Governance of Stem Cell Research’, 12 Maastricht Journal of European and Comparative Law (2005) 33. 56  I also develop this idea in Hennette Vauchez, supra note 32.

 53

Stéphanie Hennette Vauchez

53

A. The Patents Directive of 1998 The Patents Directive (the official title of which is the ‘Directive on the protection of biotechnological inventions of 1998’) is highly emblematic of several aspects of the analytical hypothesis presented here about the dominance of form over substance as a key feature of EU biomedical law, both with respect to the history of its adoption and its contents. Additionally, this particular Directive has played an important role in the history of the emergence and consolidation of a body of EU biomedical law due to the fact that it has operated as a lever for many subsequent regulatory enterprises at the EU level in the field of biomedicine. The aim of the present section is twofold: (i) after recalling how complex the Directive’s adoption process was, it will (ii) underline how substantively minimal the content in fact is.

1. Highly Contentious Negotiations over the Patents Directive’s Adoption Process The main feature of the Patents Directive’s adoption process is how complex, contentious, and conflicted it was. The negotiations over the Directive lasted for no less than ten years: it was only adopted in July 1998, while the initial draft proposal was circulated as early as 1988. Symbolically, this text gave the EP the opportunity to use its new co-​decision powers for the very first time: indeed, in 1995 a first version of the directive was rejected by the Parliament.57 Interestingly, the inter-​institutional conflict led to the EGE being called upon to intervene. A couple of months later, it delivered an important Opinion.58 The initial version of the Directive was subsequently amended on several points and after three more years of debates and parliamentary processes it was eventually adopted in July 1998. However, it was then challenged before the European Court of Justice by a number of states on the grounds that it violated several ethical principles, most notably the principle of human dignity.59 The Court, however, decided to uphold it. The Directive’s life had still more tortuous turns ahead, for it then encountered significant resistance from several Member States which, despite its having been upheld by the Court, were slow to transpose it, to the extent that the Commission was forced to initiate the failure to act procedure. What was at the root of all these obstacles? Why were there so many attempts to block and reject the Patents Directive? In a nutshell, all the arguments that were made against the Directive had to do with the insufficient importance given to ‘ethical principles’. The Directive aimed to create common rules and standards for the delivery of patents in European Member States. Recital 3 of the final text thus

57  Co-​decision powers were awarded to the EP by the Maastricht Treaty of 1992. 58 EGE, Opinion no.  8, Ethical Aspects of Patenting Inventions Involving Elements of Human Origin, 25 September 1996. 59  Case C-​377/​98, Netherlands v.  Parliament and Council, [2001] ECR I-​ 07079 (ECLI:EU:C:2001:523).

54

54

EU Law and Bioethics

reads: ‘… effective and harmonized protection throughout the Member States is essential in order to maintain and encourage investment in the field of biotechnology’. As we have already seen, this further explains why the Directive’s legal basis is Article 114. However, as the issue of the patentability of genetic sequences gained momentum the tension between the market and ethics crystallized around the question of the patentability of human genes. Technical clarifications are in order before the legal dimensions of the question are examined, both in order to understand the crux of the matter and to understand how developments in the field of patents law in general were contemporaneous to the (long) negotiation process over the Directive. Patent law generally is intended to reward and protect inventions. Inventions must be distinguished from discoveries: in principle, the mere discovery of something that exists naturally cannot be patented, whereas an invention can be patented because it is the result of human ingenuity and is capable of industrial application. These principles are clearly set forth in Article 52 of the European Patent Convention of 197360 (the Munich Convention) which states that ‘European patents shall be granted for any inventions, in all fields of technology, providing that they are new, involve an inventive step, and are susceptible of industrial application’. It follows from this basic definition of the conditions for patentability that, in principle, all inventions in all fields are patentable. There are some limits, however, as traditionally patent law has allowed for what are called ‘exclusions of patentability’. In particular, inventions contrary to ordre public or morality, as well as those relating to vegetal varieties or animal ‘races’, are excluded from patentability.61 Within this framework, the question of the patentability of living material has been very sensitive ever since it emerged. Although this is not the place to go into the details of the many landmark episodes that have contributed to framing the legal responses to this issue,62 it is necessary to understand the basic questions in order to grasp the nature of the problem as it occurred during negotiations over the 1998 Patents Directive in Europe.

60  European Patent Convention 1973, 13 ILM 268. Although all EU Member States are signatories to the Convention, it is not an EU convention but a wider one (there are 38 Contracting Parties). In short, the European Patent Convention created a unified procedure for application to the patents. It further creates an institution that delivers patents, the European Patent Office (EPO), and organizes the recognition by all states of patents it delivers. In principle, a patent delivered by the EPO will be considered equal to one delivered by French patent authorities under French law, Polish patent authorities under Polish law, etc. There have been ongoing discussions within the EU for several decades regarding the creation of an authentically EU patent. In fact, in December 2012 the EP approved legislation for enhanced cooperation on the topic, but the project was met with strong resistance by Italy and Spain in particular, and it is not clear what will become of the project. 61 See, e.g., the Munich Convention of 1973, supra note 60, or the Agreement on Trade-​ Related Aspects of Intellectual Property Rights (TRIPS), Annex 1C of the Marrakesh Agreement Establishing the World Trade Organization 1994, 1867 UNTS 154. 62  See D. Kevles, A History of Patenting Life in the United States with Comparative Attention to Europe and Canada, Report for the EGE (2002).

 5

Stéphanie Hennette Vauchez

55

Patent Law in Brief—​The Question of the Patentability of Human Genes in Five Steps 1. The US Supreme Court Chakrabarty ruling of 1980.63 Ananda Chakrabarty was a biologist working for the General Electric Company; he had manipulated a bacterium and conferred upon the bacterium the capacity to eliminate hydrocarbons. Such an invention proved to be useful for a variety of purposes, particularly the fight against black tides causes by oil spills at sea. Initially the United States Patents & Trade Office (USPTO) refused to grant a patent, on the basis that the bacterium was a natural living organism, and not an invented one. The US Supreme Court, however, ruled that the patent should be granted, because although bacteria do exist naturally, they do not naturally have the proprieties of the ones manipulated by Chakrabarty. The conferring of those properties to a bacterium that is naturally devoid of them was an invention that deserved to be patented. By this important ruling, the Supreme Court opened up the possibility of patenting living organisms, on condition that some feature or propriety invented by man has modified them. 2. The Harvard Oncomouse case.64 This is a case that confirmed the 1980 initial legal move towards the patentability of living material: in this case, researchers had genetically modified an animal (a mouse) in order for it to develop cancer cells—​and thus, hopefully, to improve their understanding of the development of cancers. This time, the USPTO agreed to deliver the patent, but the European Patent Office (EPO) initially did not. In a 1989 decision, it considered that such a patent would be a violation of ordre public and morality. This initial decision was challenged, however, and on appeal the EPO eventually granted the patent. 3. Craig Venter’s express sequenced tags. Finally, issues concerning human living organisms arose. In 1991, Craig Venter, one of the US leaders of the worldwide Human Genome Project for the National Health Institute, applied to the USPTO for patents covering no less than 337 human genetic sequences. It is important to understand here that he was asking for the patenting of the sequences themselves, as they had merely been isolated; he did not, however, know what function (protein) these sequences coded for. This raised the question of the definition of ‘inventions’ as far as patent law goes when applied to human genetics: are human genetic sequences patentable inventions or are they mere discoveries? He was denied the patents, which seemed to indicate that the mere isolation of human genetic sequences could not be labelled an ‘invention’ under patent law; but his application and the media coverage it received did cause the question of the patentability of

63  Diamond v. Chakrabarty, 447 US 303 (1980). 64  EPO Board of Appeals, 3 October 1990, Case T 19/​90, available at http://​w ww.epo.org/​law-​ practice/​case-​law-​appeals/​pdf/​t900019ep1.pdf (last visited 22 April 2015).

56

56

EU Law and Bioethics human genetic material to become a salient issue in the public debate over bioethics, and the source of many anxieties. 4. The Howard Florey Institute case.65 Shortly afterwards, the EPO was called to intervene on a very similar topic. In the Howard Florey Institute case of 1994, it allowed patents to be awarded for human DNA sequences whenever their genetic function (for what protein they coded) was known.66 In other words, the EPO considered that although human genetic sequences as such were not inventions, the understanding of their function could be coined an ‘invention’—​as long as the other criteria were met (innovation and a potential for industrial applications). 5. The Myriad Genetics case.67 More recently, this saga of the adaptation of patent law to human genetics was complemented by another crucial intervention of the US Supreme Court. Myriad Genetics is the name of a company that obtained patents covering two human genetic sequences (BRCA1 and BRCA2 genes) that are claimed to indicate a predisposition to certain forms of breast cancer. These patents allowed the company to craft and commercialize kits in order for physicians to test their patients for that predisposition; because of the scope of the patents, though, the company found itself in a position of monopoly over prognosis for those forms of cancer—​ and took advantage of it by selling those kits at very high prices. It is thus for reasons of principle as well as of economic injustice that Myriad Genetics’ patents were contested in many legal fora (in particular, in Europe as well as in the United States). In June 2013, the US Supreme Court ruled that as a matter of principle, genetic sequences, because they exist naturally, cannot be patented—​even if or even when their function has been fully elaborated.

It is important to keep in mind the fact that these legal developments took place between 1980 and 2013; they occurred, in other words, contemporaneously with the negotiations over the European Patents Directive which were ongoing between 1988 and 1998. This is an important point of context as it allows us to underline that not only are these questions extremely complex, but they take place in a constantly changing environment. Further, these issues became significantly more prominent in the 1990s. This also is important for understanding that, in Europe, although the proposed directive was initially based on Article 114 and the initial impetus for legislation was the removal of disparities in national legislation that were thought to be obstacles to trade and to the realization of the internal 65  EPO, 8 December 1994, Case T 0272/​95, OJ EPO 6/​1995: 388; see Galloux, ‘La brevetabilité de fragments d’ADN humain sous la Convention sur le Brevet Européen’ Recueil Dalloz (1996) 44. 66  In the particular case, the DNA sequence referred to in the patent application coded for the production of a protein called Relaxine, which was described as having the function of alleviating muscular pain and contractions. In this case, the potential for industrial applications accompanying the patent application was the production of medicinal treatment for women giving birth in order to alleviate associated pain. 67  Assn for Molecular Pathology v. Myriad Genetics, Inc., No. 12-​398 (13 June 2013).

 57

Stéphanie Hennette Vauchez

57

market, subsequently there was growing concern that the application of patent law to human genetics would present major ethical issues. While such issues could well have been in good faith ignored or set aside as the initial draft of the text was written by the end of the 1980s, the issue became unavoidable during the 1990s. In fact, most of the tensions that arose during the negotiations over the Directive can thus be described as resulting from the opposition between a market-​oriented impetus for legislation and an ethical concern over the patenting of human DNA. Although there are many other illustrations of the former, Recitals 1 and 2 of the Directive are illustrative in this regard: (1) Whereas biotechnology and genetic engineering are playing an increasingly important role in a broad range of industries and the protection of biotechnological inventions will certainly be of fundamental importance for the Community’s industrial development; (2) Whereas, in particular in the field of genetic engineering, research and development require a considerable amount of high-​risk investment and therefore only adequate legal protection can make them profitable;

An ‘ethical concern’ that opposed this market-​oriented approach to the question of patents started to become particularly vocal within the EP in the 1990s. Again, the context in which these debates took place must be considered here. In particular, it is worth noting that the mid-​1990s correspond to the moment in time when, as the issue of DNA sequence patenting was becoming more important, so too were the Green groups gaining in importance within the EP. Eventually, the provisions of the Directive tentatively reconciled these two approaches, and codified the agreement over ways to overcome these anxieties. Articles 5 and 6 in particular can be read as the result of these necessary compromises: Article 5 1. The human body, at the various stages of its formation and development, and the simple discovery of one of its elements, including the sequence or partial sequence of a gene, cannot constitute patentable inventions. 2. An element isolated from the human body or otherwise produced by means of a technical process, including the sequence or partial sequence of a gene, may constitute a patentable invention, even if the structure of that element is identical to that of a natural element. 3. The industrial application of a sequence or a partial sequence of a gene must be disclosed in the patent application. Article 6 1. Inventions shall be considered unpatentable where their commercial exploitation would be contrary to ordre public or morality; however, exploitation shall not be deemed to be so contrary merely because it is prohibited by law or regulation. 2. On the basis of paragraph 1, the following, in particular, shall be considered unpatentable: (a) processes for cloning human beings; (b) processes for modifying the germ line genetic identity of human beings; (c) uses of human embryos for industrial or commercial purposes;

58

58

EU Law and Bioethics (d) processes for modifying the genetic identity of animals which are likely to cause them suffering without any substantial medical benefit to man or animal, and also animals resulting from such processes.

2. Substantively Minimal Content Article 6 can be viewed as a relatively classical provision of a patents treaty on exclusions of patentability. It does express some modern concerns that emerged as a result of the surge of biotechnologies; in particular, Article 6, paragraph 2(b) or (c) can be read in that respect. But the rest of the provision is relatively classical in its exclusion of inventions that are contrary to ordre public from the scope of patentability. It is Article 5 therefore that really appears to be the more specific outcome or result of the various conflicts over the Directive’s ten-​year adoption process. The first paragraph of Article 5 contains the major ethical affirmation of the Directive; it rules that neither the human body nor the sole discovery of some of its elements can be patented. Paragraph 2 of Article 5 is the transcription of the aforementioned approach of the EPO to the issue of patentability of human genes as it follows from the Howard Florey Institute decision in that it does not rule out the patentability of genetic material. In particular, as long as DNA sequences are not only isolated but also characterized as to their function, the EPO has accepted their patentability. The expression of this concern for ethics also stems from other parts of the Directive. Several of the Directive’s recitals, such as Recital 16, express Europe’s concern for the ethical implications of patents in the field of biotechnology: (16) Whereas patent law must be applied so as to respect the fundamental principles safeguarding the dignity and integrity of the person; whereas it is important to assert the principle that the human body, at any stage in its formation or development, including germ cells, and the simple discovery of one of its elements or one of its products, including the sequence or partial sequence of a human gene, cannot be patented; whereas these principles are in line with the criteria of patentability proper to patent law, whereby a mere discovery cannot be patented.

Because such provisions are more numerous in the recitals than in the actual binding provisions of the text, some authors have called this ‘backdoor legislation’.68 In doing so, they have criticized the somewhat hidden or surreptitious fashion in which ethical principles make their way into EU legislation. Indeed, given that these principles are located in the recitals and not in the main (and normatively binding) body of the Directive, nothing prevents legal actors from strengthening the notions, concepts, and ideas expressed in the recitals. At any rate, the adoption process of the 1998 Patents Directive was particularly complex; this example also substantiates the notion that whereas actual

68  Holm, ‘Regulating Stem Cell Research in Europe by the Back Door’, 29 Journal of Medical Ethics (2003) 203, cited by Hervey and McHale, supra note 1, at 281.

 59

Stéphanie Hennette Vauchez

59

substantive choices are rather unlikely in the field of biomedicine at the EU level, ‘empty’ notions such as ‘ethics’ and ‘ethical principles’ do a very good job of allowing legislation to come into existence. In other words, it is a focus on formal notions that has often allowed for EU legislation in the field to be enacted, with form serving as a useful derivative of conflicts over substance. In that sense, ‘ethics’ counts among those forms (those empty notions69) that have played a significant role in the emergence and consolidation of a body of EU biomedical law. It is indeed striking that apart from Articles 5 and 6 there is not much to be said about substance in the 1998 Patents Directive. The rest of the Directive’s provisions concern form and procedure (for instance, how European patents correlate with national ones)—​and this is illustrative of EU biomedical law in general. In fact, other directives can be read along the same lines. Take, for instance, the Blood Directive. This Directive clearly favours one model of ethical donation (unpaid donation) over another. However, this is in fact all that the Directive says on substantial options; the remainder of the Directive is formal and technical. Similarly, the Tissues Directive painstakingly maps the contours of the legal category of ‘tissues’. This was a big issue at the moment the Directive was being negotiated since the question of whether embryonic material, and in particular embryonic stem cells, would fall into the remit of the Directive was very controversial. However, there is similarly scant substance in this Directive: other than the controversial issue of embryonic material, there is no significant substantive choice made by the Directive which mostly coordinates forms and procedures and the articulation of diversity in national approaches. As such, in both cases intense and rather long and heated political debates over the negotiating and drafting of the directives ultimately came down to these minimal substantive choices, framed in the vocabulary of ethics. This is actually congruent with the fact that the very notion of ‘ethics’ has undergone significant change over the past decades. It could be said that ‘ethics’—​and even more so ‘bioethics’—​have thus tended to appear as a sort of ‘third way’ between impossible hard and insufficient soft law, between moral pluralism and the search for core common values. Whereas initially (mainly in the 1980s when it first caught the attention of political theorists and received its first institutional translations), ‘ethics’ were thought to produce consensus, it is now only expected that they allow for means of overcoming dissent. It is this particular formal or functional quality of the notion of ‘ethics’ that I wish to stress here. As it allows political conflict to be contained outside the law-​making process it has become an interesting device for law-​makers. As far as EU biomedical law goes, it confirms the technological (as opposed to ontological) function of ‘ethics’ in the law-​making process. With regard to EU law-​making, ‘ethics’ can be said to alternatively assume one of the three following functions: (i) transform vague

69  Not that ethics is necessarily an empty notion; rather, what I mean here is that it has been kept empty (i.e. undefined) because that was the condition for the notion to allow for the necessary agreements.

60

60

EU Law and Bioethics

and open-​ended notions into possible common grounds between opposing views, and thus enable compromise; (ii) act as a mode of deliberation external to the law-​making process itself and thus either postpone or take the heat off political conflict (and thus enable compromise); or (iii) justify a renewed approach to law-​ making such as recourse to new modes of governance (and thus enable a higher likelihood of compromise). Some additional examples will illustrate these functions of ethics in the making of EU biomedical law.

B. ‘Ethics’ in the Making of EU Biomedical Law A first way in which ‘ethics’ have played a role in the making of EU biomedical law has been through direct incorporation of the concept in EU legal acts. As we have seen, this occurred with the Patents Directive as provisions and recitals expressing the concerns over the ethical dimensions of patenting living and especially human material were gradually included. Another example can be found in the decisions grounding the EU’s research policy. The decision founding FP6, for instance, reads as follows: ‘fundamental ethical principles are to be respected. These include the principles reflected in the Charter of Fundamental Rights of the European Union’. This decision thus expresses the EU’s general adherence to the normativity of ‘ethics’ in research. More specifically, many of the decisions that have been made regarding the eligibility criteria for funding under the most recent FPs are the direct consequences of ethical evaluations. FP6 was only adopted after the exclusion of ‘research aiming at human cloning for reproductive purposes’ and of ‘research activities intended to create human embryos solely for the purpose of research or for the purpose of stem cell procurement’ (i.e. therapeutic cloning) was agreed upon70 and similar provisions have survived in FP7.71 In fact, ‘the conflict between the cultures of science and industry, on the one hand, and some parts of civil society, on the other, was formalized (and to a degree normalized) through the referencing of “ethics” as a suitable and legitimate vehicle for the conduct of continuing political bargaining’ during FP6 negotiations.72 These are very important parts of the FP decisions—​and further, of the EU’s research policy. Indeed, the exclusion of therapeutic cloning from the scope of EU funding was an even bigger issue (and thus a very important decision) that at the same time was being debated and decided in several EU Member States.73 In fact, 70  Decision 1513/​2002/​EC of the European Parliament and of the Council of 27 June 2002 Concerning the Sixth Framework Programme of the European Community for Research, Technological Development and Demonstration Activities, OJ 2002 L 232/​1. 71  Decision 1982/​2006/​EC of the European Parliament and of the Council of 18 December 2006 Concerning the Seventh Framework Programme of the European Community for Research, Technological Development and Demonstration Activities (2007–​2013), OJ 2006 L 412/​1. 72 B. Salter, Transnational Governance and Cultural Politics:  The Case of Human Embryonic Stem Cells and the European Union’s 6th Framework Programme (2004), at 8, available at http://​ www.york.ac.uk/​res/​iht/​projects/​l218252005/​SalterTransnationalGovernance.pdf (last visited 28 January 2016). 73  Namely, the production of embryos for the sole purpose of making embryonic stem cells available in order to cultivate them as neural, muscular, or blood (or other …) cells.

 61

Stéphanie Hennette Vauchez

61

countries such as the United Kingdom and Belgium were in the process of deciding to legalize therapeutic cloning. Those countries were thus battling hard in the EU negotiations over these FPs because it was important for researchers there to access funding. Eventually, the decisions finally reached were the contrary of moral pluralism, as the EU opted to exclude any funding for research involving human embryonic stem cells. As such, one can see that hard binding ethical choices are made. Such instances of direct incorporation of ‘ethical’ principles within EU biomedical law also deserve attention due to the fact that they contradict the otherwise generally accepted notion that ‘moral integration’ should remain outside the European integration process (if only because of the principle of subsidiarity that requires that moral (ethical) options remain a matter of national decision-​ making). When asked to deliver an opinion at the peak of the inter-​institutional conflict over the Patents Directive, the EGE underlined the fact that ‘the appropriate place to address and resolve some of the [ethical] considerations seems to be the recitals of the directive’,74 thus expressing the view that it was better to maintain a hands-​off approach to ‘ethics’ within (hard) EU law. In a similar vein, Research Commissioner Philippe Busquin in 2003 insisted, when presenting the report he had commissioned on stem cell research, that it ‘was not about establishing EU legislation on ethical questions [because] regulating on ethical matters is the competence of Member States’.75 In other instances ‘ethics’ have played an important role in the emergence of a body of EU biomedical law by allowing political conflict to be externalized during the law-​making process. In the course of the elaboration of the Tissues Directive, institutional actors sought to externalize the ethical debates from the legislative process in the hope of mitigating or watering down the political conflict. There was a specific contextual element, of course, for the partial chronological overlap between the law-​making processes of both the Tissues Directive on the one hand and the FP6 decision on the other hand was threatening to jeopardize both. Indeed, the question of the legitimacy of embryonic stem cell research saw constant intrusion of one debate into another. While it was necessary to approach the issue in developing legislation from a principled perspective (the question being whether embryonic research should be authorized), its containment within negotiations over the EU’s research policy notably simplified it (changing the question to whether embryonic research should be funded). Unsurprisingly, this second route was taken and ‘ethics’ played an instrumental role in allowing this to happen, providing the means to remove the controversial question from the legislative process. It is because of the ‘ethical’ treatment of the question of human embryonic stem cells under FP6 that

74 EGE, Opinion no. 3 on Ethical Questions Arising from the Commission Proposal for a Council Directive on Legal Protection for Biotechnological Inventions, 30 September 1993. 75 Commission Staff Working Paper, Report on Human Embryonic Stem Cell Research, SEC(2003)441, at 12.

62

62

EU Law and Bioethics

the legislative process for the Directive was successfully separated from the tough question. On other occasions, this externalization process occurs under the guise of requesting the EGE to produce an Opinion. This has been common practice since the very first legislative incursions into the field of biotechnologies in the early 1990s (during negotiations over the Patents Directive) and has repeatedly been confirmed since then. In other words, EU institutions have the possibility of asking the EGE to produce an Opinion in the midst of political debate over directives or research framework programmes. This functions as a guarantee that ‘ethics’ will be taken into account and incorporated into EU legislation. It can, however, be viewed as a form of political manoeuvre aimed at ensuring the success of the law-​making process—​rather than a testimony to any genuine belief in (let alone achievement of) the possibility of truly European ethical standards. Finally, ‘ethics’ can also take the procedural form of New Modes of Governance (NMG); the crafting of the more recent Organs Directive serves as an example here. In its 2007 Communication announcing the project of a Directive on Organs, the Commission had indicated its desire to have recourse to the Open Method of Coordination. Consultation meetings took place involving a variety of stakeholders and led to the publication of a second Communication that very much reflected this NMG approach. The Commission presented the upcoming actions to be taken as aiming at the ‘identification and development of common objectives and guidelines, jointly agreed indicators and benchmarks, and identification and sharing of best practices’.76 Soon after, a proper directive proposal was published and eventually adopted. One might be tempted to ask, did EU institutions draw a lesson from their earlier legislative experiences in the field of biomedicine? Are those past experiences of political conflict the reason that NMGs were used as an upstream ethical guarantee? Since NMGs are often associated with soft(er) normativity and perceived as allowing for more diversity, they might well have appeared as trump cards susceptible of silencing (or at least watering down) foreseeable political conflict (over such issues as presumed consent of the dead to donation and restrictive definitions of living donors).

3.  Contemporary Issues In this final section of the chapter, I will turn to some of the most salient difficulties that EU biomedical law is currently facing. In doing so, I wish to focus on two recent developments of biomedical law in Europe: the Brüstle decision of the CJEU (in which the Court undertook to provide a legal definition of the human embryo) and several decisions of the ECtHR which I  believe raise important 76  Commission Communication, Action Plan on Organ Donation and Transplantation (2009–​ 2015): Strengthened Cooperation between Member States, COM(2008)819/​3 final.

 63

Stéphanie Hennette Vauchez

63

questions for the future of biomedical law in Europe at large as they are related to the relationship between EU and ECHR standards.

A. The CJEU’s 2011 Brüstle Decision The CJEU ruling of October 201177 in the Brüstle case is a very technical one. It is the Court’s answer to a preliminary reference from German courts that were seeking to obtain guidance as to the interpretation of Article 6 of the 1998 Patents Directive (the provision pertaining to exclusions of patentability). It is, however, a very important decision for all lawyers interested in bioethics due to the fact that the Court in this case chose to do nothing less than provide a legal definition of the embryo. The legal definition that the CJEU gave is the following: Accordingly, any human ovum must, as soon as fertilised, be regarded as a ‘human embryo’ within the meaning and for the purposes of the application of Article 6(2)(c) of the Directive, since that fertilisation is such as to commence the process of development of a human being.78

What is particularly interesting here is the fact that, remarkably, the Court takes precisely the path that most courts and law-​makers worldwide have been seeking to avoid for the past three decades: that of providing a legal definition of the human embryo. As it has now done so, the question that remains is whether or not this definition will be expanded beyond the technical field of patent law. Let us turn to the facts of the case. Mr Brüstle was the holder of a German patent which covered: (i) neural cells (brain cells) (ii) produced on the basis of human embryonic stem cells (the patent application also included the processes for their production) (iii) with the potential for industrial application in the field of regenerative medicine. In technical terms, his claim to the production of neural cells through the use of human embryonic material was very important. Indeed, if physicians in the future are to cure illnesses such as Parkinson’s disease through the transplantation of neural cells an obstacle will first need to be overcome: neural cells cannot be harvested from people and access to them for research is possible only if they are produced in vitro. The point of Mr Brüstle’s patented invention is that it uses human embryonic stem cells for the production of cells for transplantation,79 thus potentially overcoming this obstacle. As such, the patent at issue seeks to make it possible to produce an almost unlimited quantity of such cells. However, after an application by Greenpeace the German Bundespatentgericht (Federal Patent Court) ruled that the patent at issue was invalid because it covered 77  Case 34/​10, Oliver Brüstle v. Greenpeace e.V., [2011] ECR I-​09821 (ECLI:EU:C:2011:669). 78  Ibid., at para. 35. 79  Human embryonic stem cells are cells that form the embryo in its very early stages. Six to eight days after fertilization, the embryo is at the blastocyst stage: it is composed of eight to 10 cells, all of which are pluripotent, which means that if detached from the embryo and cultivated they can be programmed to develop into lines of specific cells such as neural, muscular, blood (…) cells. The discovery of these cells and the possibility of their isolation and cultivation, at the end of the 1990s, has since triggered great hope for regenerative medicine.

64

64

EU Law and Bioethics

cells obtained from human embryonic stem cells. The defendant appealed against that judgment to the Bundesgerichtshof (Federal Court of Justice)—​the referring court. At this stage the question at stake was narrowed down to whether neural cells obtained from human embryonic stem cells should be excluded from patentability. The answer to that question, in turn, depended on whether Article 6(2)(c) of the 1998 Patents Directive is interpreted to exclude the patentability of inventions involving human embryonic stem cells. The provision declares that patents cannot cover the use of ‘human embryos for industrial or commercial purposes’. But are human embryonic stem cells which serve as base material for the patented processes ‘embryos’ within the meaning of Article 6(2)(c) of the Directive? Hence the preliminary ruling, by which the German court asked the CJEU the following questions: 1. What is meant by the term ‘human embryos’ in Article 6(2)(c) of [the Directive]? (a) Does it include all stages of the development of human life, beginning with the fertilisation of the ovum, or must further requirements, such as the attainment of a certain stage of development, be satisfied? (b) Are the following organisms also included: • unfertilised human ova into which a cell nucleus from a mature human cell has been transplanted; • unfertilised human ova whose division and further development have been stimulated by parthenogenesis? (c) Are stem cells obtained from human embryos at the blastocyst stage also included? 2. What is meant by the expression ‘uses of human embryos for industrial or commercial purposes’? Does it include any commercial exploitation within the meaning of Article 6(1) of [the Directive], especially use for the purposes of scientific research? 3. Is technical teaching to be considered unpatentable pursuant to Article 6(2)(c) of the Directive even if the use of human embryos does not form part of the technical teaching claimed with the patent, but is a necessary precondition for the application of that teaching: • because the patent concerns a product whose production necessitates the prior destruction of human embryos, • or because the patent concerns a process for which such a product is needed as base material?

It was suggested earlier that it is surprising that the CJEU now finds itself to be the one legal actor in Europe (and maybe even globally) to have provided a legal definition of the embryo. It is surprising because the question of the legal status of the embryo is the quintessential ‘hard question’ of bioethics—​the precise question that constitutional courts and legislators across the globe have painstakingly tried to avoid. The Brüstle ruling is also surprising because ultimately the Court does not answer the question of the patentability of human embryonic stem cells. In relation to that particular aspect of the case, the Court ruled that it is for the referring court to ascertain, in the light of scientific developments, whether a stem cell obtained from a human embryo at the blastocyst stage constitutes a ‘human embryo’ within the meaning of Article 6(2)(c) of Directive 98/​44/​EC. These

 65

Stéphanie Hennette Vauchez

65

factors need to be taken into account in order to properly underline the boldness of the CJEU’s move. It is important to stress that the Court was not required to give a positive definition of the embryo in order to answer the particular referral; it could have limited itself to saying that neural cells are (or are not) embryos under the Directive without engaging in the production of a positive definition of what an embryo is. In this respect, it is illuminating to read Advocate General Yves Bot’s Opinion.80 One then understands that the Advocate General set the stage from the outset of his Opinion by claiming that the issue at stake was of a ‘fundamental’ (perhaps as opposed to technical) nature and that there ought to be a common understanding throughout the EU of what an embryo is. The Advocate General’s Opinion reads: 4. In specifically asking the Court about the meaning and the scope of that exclusion from patentability, the Bundesgerichtshof (Federal Court of Justice, Germany) is in reality raising the fundamental question of the definition of the human embryo, even though that definition must be given only for the purposes of Directive 98/​44, that is to say for the needs of the protection of biotechnological inventions. 7. In this Opinion I  will explain the reasons why I  consider that the concept of a human embryo must be the subject of a common understanding in all the Member States of the European Union. I will then argue that Article 6(2)(c) of Directive 98/​44 must be interpreted to the effect that the concept of a human embryo applies from the fertilisation stage to the initial totipotent cells and to the entire ensuing process of the development and formation of the human body. That includes the blastocyst …

These claims by the Advocate General translate, in the Court’s ruling, into an invocation of the legal concept of ‘autonomous notion’. The judgment’s paragraph 26 clearly expresses this view: Although the text of the Directive does not define human embryo, nor does it contain any reference to national laws as regards the meaning to be applied to those terms. It therefore follows that it must be regarded, for the purposes of application of the Directive, as designating an autonomous concept of European Union law which must be interpreted in a uniform manner throughout the territory of the Union.

It is interesting to ruminate on the idea that there ought to be an autonomous notion of an embryo under EU law. At paragraph 21 of the Brüstle ruling,81 the 80  Case 34/​10, supra note 77, Opinion of Advocate General Bot (ECLI:EU:C:2011:138). 81  Case 34/​10, supra note 77. Para. 21 reads: According to the referring court, having regard to the fact that Article 6(2) of the Directive does not allow the Member States any discretion as regards the fact that the processes and uses listed therein are not patentable (see Case C-​377/​98 Netherlands v Parliament and Council [2001] ECR I-​7079, paragraph 39, and Case C-​456/​03 Commission v Italy [2005] ECR I-​5335, paragraph 78 et seq.), the reference made in the second sentence of Paragraph 2(2) of the PatG to the ESchG, particularly to the definition of an embryo which Paragraph 8(1) of that Law gives, cannot be regarded as the fruit of the task left to Member States to put Article 6(2)(c) of the Directive into concrete terms in that regard, even though the Directive did not expressly define the concept of embryo. The only possible interpretation of that concept is European and unified. In other words, the second

6

66

EU Law and Bioethics

CJEU justifies this possibility by ruling that the Directive excludes national margins of appreciation in the interpretation of Article 6 of the Directive—​in particular Article 6(2)(c). However, in 2001, when it upheld the 1998 Patents Directive that was being challenged by the Netherlands and dismissed the notion that it was contrary to the human dignity principle, the CJEU had clearly insisted that the Directive did indeed grant national authorities a wide margin of appreciation. The 2001 ruling read: as regards … Article 6 of the Directive, which rules out the patentability of inventions whose commercial exploitation would be contrary to ordre public or morality, it is common ground that this provision allows the administrative authorities and courts of the Member States a wide scope for manœuvre in applying this exclusion;

and: that scope for manœuvre is necessary to take account of the particular difficulties to which the use of certain patents may give rise in the social and cultural context of each Member State, a context which the national legislative, administrative and court authorities are better placed to understand than are the Community authorities.82

It is thus surprising that in Brüstle the Court would convey this understanding of the embryo as an autonomous notion of EU law, in the light of this previous interpretation that on the contrary insisted on a national margin of appreciation. Similarly interesting in this respect is the insistence of Advocate General Bot on the fact that the definition he proposes is a ‘purely legal definition’. Paragraph 45 of his Opinion is very interestingly phrased: 45. The question which the Court is asked is certainly a difficult one. However, it is exclusively legal in nature. The intrinsic difficulty in the question asked is accompanied by a reference, which is ever present in law but is particularly pregnant here, to the notions of ordre public, morality and ethics, as a result of the clarifications made by the legislature itself, for example in recital 16 in the preamble to Directive 98/​44 or Article 6 of that directive, irrespective of the principles laid down in the Charter of Fundamental Rights which feed into all Union law.

It is not clear, however, what the Advocate General means by saying that the question at stake is ‘exclusively legal in nature’. To be sure, the remainder of the Opinion makes it clear that he does not mean to say that it is technical in the sense that it would be detached from ethics or values. On the contrary, Yves Bot further argues that the ‘Union is not only a market to be regulated, but also has values to be expressed’83 and then recalls the principle of human dignity. Consequently, the path the Advocate General seems to be taking is to consider that because the issue at stake is ‘fundamental’ and calls on the EU to express its sentence of Paragraph 2(2) of the PatG and, in particular, the concept of embryo which it uses cannot be interpreted differently from that of the corresponding concept in Article 6(2)(c) of the Directive. 82  Case C-​377/​98, supra note 59, at paras 37 and 38. 83  Opinion of Advocate General Bot, supra note 80, at para. 46.

 67

Stéphanie Hennette Vauchez

67

founding values, it is necessary to reason in terms of objective norms. However, the only available source that the Advocate General seems to consider sufficiently objective is science: In my view, against this background only legal analyses based on objective scientific information can provide a solution which is likely to be accepted by all the Member States. The same concern for objectivity leads me to say that science’s silences or its failure to provide proof are also objective information which can form the basis for a legal analysis.84

This reasoning raises many questions, including perhaps most prominently: is science ‘objective’? The sociology of science, legal epistemology, and most notably Science and Technology Studies (STS) all have considered this issue and respond in the negative to this question. In fact, STS is based on the premise that science is in part a social construct and that the very notion of scientific ‘truth’ or ‘objectivity’ needs to be seriously challenged or questioned. Patent law, of course, is amenable to these theoretical interrogations. Its core distinction between discoveries and inventions is highly dependent on what patenting and legal authorities understand to be nature or culture—​not to mention that contemporary science calls into question the very concept of the gene itself, thus challenging another core concept upon which the whole issue of the patentability of living and human material has been based. Thus, the Advocate General’s reliance on science as an objective normative order that one ought to rely on for legal reasoning may well be called into question. Events that have transpired since the Advocate General’s Opinion are very interesting as they show how problematic it is to derive legal norms from biology. Much of the Opinion is indeed premised on the legal relevance of the distinction between totipotent cells85 and pluripotent cells.86 Bot considers this distinction in the biological potency of embryonic cells to be telling in legal terms. In fact, he proposes that totipotent cells should be given the same status as the human embryo because they have the potential to evolve into human embryos—​while the pluripotent cells should not.87 Another striking passage of this Opinion is the argument that legal categories and norms should discard human intent and follow only biological processes. He thus refuses the relevance of any legal distinction between embryos according to whether fertilization occurred in utero (‘naturally’) or in vitro (‘artificially’). He contends that ‘intent’ should not be taken into

84  Ibid., at para. 47. 85  Totipotence is the feature of embryonic cells immediately after fertilization, i.e. before the cell division process has really started; each totipotent cell has the capacity to evolve into an embryo of its own. 86  Pluripotence is the feature of embryonic cells at the blastocyst stage, i.e. after the first cell divisions have occurred and the embryo is composed of eight to 10 cells; each cell can be isolated and programmed to develop into specific human cells (blood, neural, muscular …), but they no longer individually have the capacity to develop into an embryo. 87  See Opinion of Advocate General Bot, supra note 80, at para. 85 or 94; conversely, para. 98, where the Advocate General explains that pluripotent cells cannot be coined ‘embryos’.

68

68

EU Law and Bioethics

account, and as such that the legal definition of embryo ought to be dictated by the sole biological fact of the totipotence of the cells. These elements are crucial because they allow us to understand that due to the fact that it followed the Advocate General, the Court crafted a solution (a legal definition of the human embryo) that amounts to fitting different realities into one single legal category. Interestingly, this goes against much of what has been happening over the last decade as far as legal apprehension of the embryo goes. Indeed, the idea that there could be a single valid notion of the human embryo—​ one that holds true and is relevant always and everywhere—​no longer carries weight. On the contrary, recent years have seen the notion of a multiplicity of regimes applying to the human embryo gain purchase. It is increasingly accepted that depending on the circumstances (and in particular depending on whether embryos are stored, implanted, distributed for scientific research, destroyed, or given out for procreative purposes) different regimes should apply.88 In that sense, the CJEU ruling in the Brüstle case seems partially outdated or influenced by an outdated way of thinking about the legal categories relevant to the human embryo. Additionally, the Brüstle case raises a number of questions due to the fact that it is boldly substantive. As a strongly integrationist ruling, it affects the extent to which Member States may vary on this issue. In fact, legal regimes such as those stemming from the British or Belgian legislation which authorize therapeutic cloning are considerably threatened or weakened by the ruling. Indeed, if patentability is excluded, one wonders what the legalization of therapeutic cloning really brings to researchers and other stakeholders. Some problems and frictions between European and national regimes are foreseeable as a result of this ruling.

B. Trends in the Interaction between ECHR Law and EU Law The second salient issue that this chapter wishes to underline is not stricto sensu an EU law issue. Rather, it invites us to reflect on what EU law does (or seems to be doing) to ECHR law. The interaction between the two European legal orders is certainly an important issue, but some of the recent ECtHR cases relating to bioethics have led the Strasbourg Court to develop intriguing and potentially worrisome modes of reasoning. Some have to do with the avoidance of substantive issues, and others with peculiar ways of articulating the EU market and the Council of Europe’s human rights paradigms.

1. Avoidance of Substantive Issues Until ten years ago, bioethics was a minor topic in ECtHR case law. However, this has changed quite drastically over the course of the last decade. In fact, several ECtHR bioethics cases count among those that are the most visible and widely 88  See Bellivier and Egéa, ‘L’être humain sans qualités’, in Hennette Vauchez, supra note 36, 121.

 69

Stéphanie Hennette Vauchez

69

discussed cases, concerning issues including: end of life,89 assisted reproduction,90 gender identity,91 the right to know one’s origins,92 and abortion.93 All of these topics have now been addressed several times by the Court. Although it is beyond the scope of this chapter to make sense of this very rich line of case law, I do wish to stress two trends in modes of reasoning by European judges that are illustrative of contemporary problems in legal approaches to bioethics. One is the proceduralization of substantive rights and the other has to do with the Strasbourg Court’s reliance on the EU’s four freedoms of circulation. Traditionally, ECHR rights have at times been divided into two main categories: procedural rights and substantive rights. Article 6 of the ECHR on the right to a fair trial would appear to be the paragon of the former (although some others could probably be listed here), while Articles 2 (right to life) and 3 (prohibition of torture) are emblems of the latter category. During the 1970s and much of the 1980s, as the ECtHR was growing in importance and strengthening its authority and legitimacy,94 it famously undertook to ‘substantialize procedural rights’. Article 6 has thus been interpreted to mean and encompass many more guarantees and prerogatives than the letter of the provision would allow one to think. The right to a translator, the right to financial help within the course of judicial proceedings, and the applicability of fair trial standards in all sorts of quasi-​judicial proceedings, for instance, have given substance to a provision that could otherwise have remained an essentially technical one, relating ‘only’ to the strictly procedural aspects of a fair trial. Interestingly, over the course of the 1990s and even more so since the year 2000, an opposite trend has found its way into ECtHR case law. In short, there are some indications that the Court has begun to proceduralize the more substantive rights. Rights that were initially or traditionally understood to be substantive are thus being redefined (or reoriented in the Court’s interpretation) as also being procedural. In fact, it is not uncommon now to see the Court determine precisely which aspect (substantive or procedural) of a given right has been violated.95

89 See, e.g., ECtHR, Pretty v.  United Kingdom (Application no.  2346/​02), 29 April 2002; ECtHR, Haas v.  Switzerland (Application no.  31322/​ 07), 20 January 2011; ECtHR, Koch v. Germany (Application no. 497/​09), 19 July 2012. All ECtHR decisions are available at http://​ hudoc.echr.coe.int/​. 90 See ECtHR, S.H.  and Others v.  Austria (Application no.  57813/​0 0), 3 November 2011; ECtHR, Knecht v. Romania (Application no. 10048/​10), 2 October 2012. 91 ECtHR, Christine Goodwin v.  United Kingdom (Application no.  28957/​95), 11 July 2002; ECtHR, Hämäläinen v. Finland (Application no. 37359/​09), 6 July 2014. 92 ECtHR, Godelli v. Italy (Application no. 33783/​09), 25 September 2012. 93 ECtHR, Case of A, B and C v.  Ireland (Application no.  25579/​05), 16 December 2010; ECtHR, R.R. v. Poland (Application no. 27617/​04), 26 May 2011. 94  Madsen, ‘From Cold War Instrument to Supreme European Court: The European Court of Human Rights at the Crossroads of International and National Law and Politics’, 32 Law and Social Inquiry (2007) 137. 95  This is particularly conspicuous in Art. 3 case law, where the fact that public authorities do not seriously and independently investigate allegations of torture or degrading treatment may suffice for the Court to conclude that there has been a breach of Art. 3.

70

70

EU Law and Bioethics

This mode of reasoning appears to be gaining traction in ECtHR bioethics case law and this is worth noting because it echoes the relative precedence of form over substance that the preceding sections of this chapter have identified as features of the EU’s approach to the legal regulation of biomedicine. For instance, the Tysiac v. Poland case is very interesting in this respect.96 Ms Tysiac was already the mother of two when she discovered she was pregnant again. She had been informed that a new pregnancy would pose a serious threat to her health as she had a condition that would lead her to become totally blind if she did so. Poland is one of the European states in which the abortion regime is most restrictive. A 1993 Polish statute foresees that abortion is allowed under very narrowly defined circumstances; in particular, it requires that there be an actual and serious threat to the woman’s health or life. Although there were reasons to believe that Ms Tysiac was in a situation in which, even under the rigours of Polish law, she should have been allowed to terminate her pregnancy, the physicians she turned to repeatedly denied her access to abortion. She was thus put in a situation where she was forced to give birth to her third child and eventually did become blind. The ECtHR has never held the right to abortion to be protected under ECHR law. In fact, it even expressly ruled (in a later 2010 case) that ‘Article 8 cannot … be interpreted as conferring a right to abortion’.97 As such, the Court’s position appears to be rather conservative in the European landscape and strongly contrasts with both the existence of a ‘consensus’ (to take the Court’s vocabulary) among Council of Europe Member States98 and the very clear positions held both by the EP and the Parliamentary Assembly of the Council of Europe. However, besides this issue of substantive ECHR law, the Tysiac case is interesting for what it reveals about the Court’s mode of reasoning. As it is essentially troubled by what has proven to be a very touchy subject in many national political settings (namely abortion), the Court chose to avoid the substantive issue and rather position itself on procedural ground. Consequently, the Court did find a violation in the Tysiac case, but not one due to the overly restrictive nature of the Polish abortion regime. Rather, the violation was found to be a consequence of the absence of a remedy against the physicians’ decision not to grant a particular woman an abortion.99 What is truly interesting here is that evidence of this mode of reasoning extends well beyond the particulars of the Tysiac case. In fact, it seems to be increasingly used in biomedical case law in general as there are several other cases in which the Court has simultaneously chosen to avoid saying anything bold on substantive grounds and has found refuge in the procedural dimension of Article 8’s right to 96 ECtHR, Tysiac v. Poland (Application no. 5410/​03), 20 March 2007. 97  A, B and C v. Ireland, supra note 93, at para. 214. 98  Ibid., at paras 235–​236: ‘In the present case, and contrary to the Government’s submission, the Court considers that there is indeed a consensus amongst a substantial majority of the Contracting States of the Council of Europe towards allowing abortion on broader grounds than accorded under Irish law… . However, the Court does not consider that this consensus decisively narrows the broad margin of appreciation of the State’. 99  Roman, ‘L’avortement devant la Cour européenne, A propos de l’arrêt CEDH, 20 mars 2007, Tysiac c/​Pologne’, 4 Revue de droit sanitaire et social (2007) 643.

 71

Stéphanie Hennette Vauchez

71

private and family life. One finds this reasoning in R.R. v. Poland (dealing with the denial of access to genetic tests until it is too late for abortion and a child being born with severe genetic abnormalities), P.S.  v.  Poland100 (relating to teenage rape), A, B and C v. Ireland (concerning the Irish constitutional ban on abortion), and also in Koch v. Germany (on assisted suicide) for instance. As such, this line of case law indicates that further research and investigation on the implications, both technical and theoretical, of this proceduralization of Article 8 are merited.

2. Fundamental Rights and Fundamental Economic Freedoms: Competing Paradigms? Finally, I wish to draw attention to some very contemporary aspects of the relationship between what the EU and the ECHR stand for; that is, between fundamental economic freedoms on the one hand (including the four freedoms of circulation that apply to persons, capital, goods, and services) and fundamental rights on the other hand. This has been a recurring issue for those EU lawyers interested in fundamental rights generally over the course of the 2000s. Rulings such as the Schmidberger101 or the Omega102 cases have famously clarified that fundamental rights within EU law are capable of trumping economic freedoms. In fact, there is much to be said about this rapid and simplistic presentation of the case law, for it tends to obfuscate a crucial element of the Schmidberger/​Omega case law: the fact that in accordance with the European Court of Justice’s reasoning, fundamental rights remain ancillary to economic freedoms. Their capacity to found derogations from or exceptions to what thus is only confirmed as ‘the rule’ (the common principle, i.e. economic freedoms) is only admitted.103 This, however, is not what I wish to focus on here. Rather, I shall insist that this rather classic question of the relationship between fundamental economic freedoms on the one hand and fundamental rights on the other hand is tentatively renewed by a series of what can be considered to be highly problematic affirmations by the ECtHR. In a number of cases, the Court has indeed relied on the freedom of movement of people within the EU in its assessment of particular national regulatory regimes, thus developing the notion that the availability (or in other words the legality) of particular services in a given country was a factor to be taken into account in the assessment of the conformity of another country’s legislation with ECHR requirements. In both the A, B and C v.  Ireland104 and the S.H.  and Others v.  Austria105 cases, the ECtHR indeed included in its rulings the idea that the women who

100 ECtHR, Case of P and S v. Poland (Application no. 57375/​08), Judgment of 30 October 2012. 101  Case 112-​0 0, Eugen Schmidberger v. Austria, [2003] ECR I-​05659 (ECLI:EU:C:2003:333), esp. at para. 74. 102  Case 36/​02, Omega Spielhallen GmbH, [2004] ECR I-​09609 (ECLI:EU:C:2004:614). 103  Brown, ‘Case-​Note: Schmidberger’, 40 Common Market Law Review (2003) 1499. 104  Case of A, B and C v. Ireland, supra note 93. 105  S.H. and Others v. Austria, supra note 90.

72

72

EU Law and Bioethics

wanted to terminate their pregnancies and the couples who wanted to access assisted reproduction techniques, respectively, retained the possibility of obtaining those services abroad. This can be seen through a careful reading of excerpts from both cases: Accordingly, having regard to the right to travel abroad lawfully for an abortion with access to appropriate information and medical care in Ireland, the Court does not consider that the prohibition in Ireland of abortion for health and well-​being reasons, based as it is on the profound moral views of the Irish people as to the nature of life (paragraphs 222–​227 above) and as to the consequent protection to be accorded to the right to life of the unborn, exceeds the margin of appreciation accorded in that respect to the Irish State. In such circumstances, the Court finds that the impugned prohibition in Ireland struck a fair balance between the right of the first and second applicants to respect for their private lives and the rights invoked on behalf of the unborn.106 The fact that the Austrian legislature, when enacting the Artificial Procreation Act which enshrined the decision not to allow the donation of sperm or ova for in vitro fertilisation, did not at the same time prohibit sperm donation for in vivo fertilisation—​a technique which had been tolerated for a considerable period beforehand and had become accepted by society—​is a matter that is of significance in the balancing of the respective interests and cannot be considered solely in the context of the efficient policing of the prohibitions. It shows rather the careful and cautious approach adopted by the Austrian legislature in seeking to reconcile social realities with its approach of principle in this field. In this connection the Court also observes that there is no prohibition under Austrian law on going abroad to seek treatment of infertility that uses artificial procreation techniques not allowed in Austria and that in the event of a successful treatment the Civil Code contains clear rules on paternity and maternity that respect the wishes of the parents (see, mutatis mutandis, A. B. and C. v. Ireland, cited above, § 239).107

These lines of reasoning can be deemed highly problematic for at least one principled and one technical reason. As a matter of principle, this mode of reasoning raises the question of what is left of the project of international human rights norms if individual states are in a position to rely on rights, services, or protections granted by fellow states in order to be relieved of the burden of the human rights obligations they have contracted. This line of reasoning does indeed allow states to somehow shift the burden of international control onto neighbours, provided there is freedom of movement.108 This runs contrary to what have long been understood to be the premises of international human rights law and, particularly, the notion that each state should be judged, and sanctioned, on the basis of its own acts or omissions. In that respect, one may find it very disturbing that the fact that abortion would have been available to A, B, and C under British law (or that assisted reproduction would have been accessible to S and H in Hungary, for

106  Case of A, B and C v. Ireland, supra note 93, at para. 241. 107  S.H. and Others v. Austria, supra note 90, at para. 114. 108 In this respect, see the Joint Dissenting Opinion of Judges Tulkens, Hirvelä, Lazarova Trajkovska, and Tsotsoria in the S.H. and Others v. Austria case, supra note 90.

 73

Stéphanie Hennette Vauchez

73

instance) has anything to do with what the Court needs to decide when it rules against Ireland or Austria. Furthermore, this line of reasoning poses a technical question—​one that directly relates to the more classic issue of the relationship between EU and ECtHR law. There are many reasons to believe that the ECtHR ruled as it did (or included these sentences in its rulings) because of the pervasiveness of the freedom of movement paradigm throughout Europe. As a matter of fact, the Court relied on the freedom of movement that is granted to applicants based in Ireland and Austria. The fact that these two states belong to the EU certainly is no coincidence, but then one wonders whether the Court would have reasoned along the same lines in rulings against, say, Turkey, Ukraine, or any other non-​EU Member State. If the answer is a negative one, then what these sentences mean is that the Court is at risk of creating a double standard of human rights protection within the Council of Europe. Indeed, and quite paradoxically, this line of reasoning would amount to the Strasbourg Court saying here that applicants bringing cases against EU Member States might not find satisfaction in Strasbourg because what they cannot find or are denied in a particular country can be found in another EU Member State. If, however, the answer to that question is positive, it is also problematic, in that it amounts to subordinating the enjoyment of human rights protection by the ECHR to the specific category of those individuals who are able to travel. That category is, however, a relatively narrow one, for it is restricted to those who can afford to travel and who are in a position, socially and legally, to do so. In other words, this would be an extraordinarily discriminatory interpretation of the ways in which EU and ECtHR law should be combined, on many possible grounds including race and class, not to mention a gender component in those cases where reproductive rights are at stake.

74

4 Regulating New Technologies: EU Internal Market Law, Risk, and Socio-​Technical Order Mark L. Flear*

1. Introduction New and innovative technologies appear in the news on a daily basis and encompass ‘red’ and ‘green’ technologies,1 information and communications technology, and those that have largely yet to become a reality such as nanotechnology.2 New technologies have the potential to meet pressing public needs such as growing sufficient or more nutritious food or the treatment of persistent or rare diseases (or indeed meeting private desires for new products and services). But they also give rise to concerns that science and technology are moving forward at such a fast pace that law and morality seemingly find it hard to keep pace, connect, and regulate. These concerns are reflected in much scholarly discussion on new technologies.3 In this chapter I challenge the latter account by arguing that, more than playing catch up with and being determined by technoscientific innovation, law also plays a leading role in the regulation of new technologies by variously orchestrating, orienting, shaping, and directing the conditions of possibility for their development and market availability.4 Specifically, I chart some of the main ways in *  This chapter was written with the support of ESRC Seminar Series RES-​451-​26-​0764 (for which I was Principal Investigator). Thanks to Philip Leith and Dagmar Schiek for their insights and to Marise Cremona for encouraging me to write this chapter—​a nd for her wonderful support throughout the process. The law cited in this chapter is accurate as of 22 December 2016. 1  ‘Red’ new technologies intervene in human biology whereas so-​called ‘green’ new technologies intervene in the environment. 2  McHale, ‘Nanomedicine and the EU: Some Legal, Ethical and Regulatory Challenges’, 16(1) Maastricht Journal of European and Comparative Law (2009) 65. 3 For an overview see Brownsword, ‘So What Does the World Need Now? Reflections on Regulating Technologies’, in R. Brownsword and K. Yeung (eds), Regulating Technologies:  Legal Futures, Regulatory Frames and Technological Fixes (2008). 4  In this sense internal market law is understood as part of and integrated within, while also being underpinned by, that which determines the conduct of conduct or what Foucault termed Regulating New Technologies: EU Internal Market Law, Risk, and Socio-Technical Order, First Edition, Mark L. Flear © Mark L. Flear 2017. Published 2017 by Oxford University Press

 75

Mark L. Flear

75

which European Union (EU) internal market law retains its regulatory capacity and efficacy by centralizing the harms or hazards relating to product safety as ‘the’ risks posed by new technologies through complementary techniques of negative integration and positive integration. I explain how the centralization of this notion of risk in EU-​level regulation has several linked purposes and consequences. In particular, designing regulation and limiting the understanding of risk (through it) marginalizes and obscures other kinds of harms or hazards to which risk might pertain (be they physical, environmental, social, economic, moral, or political), as well as alternative (and probably wider) understandings of risk and framings of regulation (such as by human rights and bioethics, both of which are particularly prominent and important discourses in relation to new technologies—​as underlined in my own work and that of others, both noted later in the chapter). The current regulatory design also depoliticizes and naturalizes the approach taken and its related (de)prioritizations of norms, values, and ends5—​and this in turn helps to quell contestation about the focus and direction of scientific and technological development.6 In making that argument I point out how the focus and operation—​and therefore the continued salience—​of internal market law to risk regulation and its shaping of technoscientific trajectories relates to the EU’s broader strategic priorities. In these priorities new technologies are useful to the generation of a competitive and innovative market-​based economy, and through it the construction and legitimation of the EU’s identity, socio-​technical order and ultimately the project of European integration.7 The discussion in this chapter therefore adds to extant scholarly discussion of new technologies, including that within this collection. Others have looked at certain categories of new technologies8 or centralized alternative actors or concerns.9 My own work has examined aspects of EU positive integration techniques in relation to new health technologies10 and has brought together scholars from law and cognate disciplines to reflect on specific

‘governmentality’. See M. Foucault, Power, Essential Works of Foucault 1954–​1984, Volume 3 (2002), esp. ‘Governmentality’. 5  Depoliticization refers to the way in which the construction of governance and regulatory arrangements is masked, which means that they appear instead as natural occurrences. For discussion see W. Brown, Regulating Aversion: Tolerance in the Age of Identity and Empire (2006), at 15. 6  For reflection on the ongoing relevance of EU law, see, e.g., T. Tridimas, European Union Law for the Twenty-​First Century: Volume 1: Rethinking the New Legal Order (2004). 7  For a similar argument on the relationship between law and identity, see Harding, ‘The Identity of European Law: Mapping Out the European Legal Space’, 6 European Law Journal (2000) 128. 8  S. Fovargue, Xenotransplantation and Risk: Regulating a Developing Biotechnology (2011); M. Lee, EU Regulation of GMOs: Law and Decision-​Making for a New Technology (2008). Within this collection see Chapter 2. 9  F. Francioni (ed.), Biotechnologies and International Human Rights (2007); T. Murphy (ed.), New Technologies and Human Rights (2009). Within this collection see Chapters 3, 5, and 7. 10 Bache, Flear, and Hervey, ‘The Defining Features of the European Union’s Approach to Regulating New Health Technologies’, in M. L. Flear et al. (eds), European Law and New Health Technologies (2013); Flear, ‘Clinical Trials Abroad: The Marketable Ethics, Weak Protections and Vulnerable Subjects of EU Law’, in A. Albors-​Llorens et al. (eds), Cambridge Yearbook of European Legal Studies, Volume 16 2013–​2014 (2014); M. L. Flear, Governing Public Health (2015), esp. chs

76

76

Regulating New Technologies

examples.11 In wider EU legal scholarship there has been a focus on negative integration, but it has given little attention to new technologies as a specific case study, or the joint workings of positive and negative integration techniques in that field. This chapter is therefore the first attempt to provide a comprehensive overview of those joint workings in the field of new technologies. It is also the first attempt to discuss how those specific techniques relate to the European integration project. The argument I put forward in this chapter is built and advanced in the following way. In Section 2 I  situate law within the EU’s wider governance and in particular the programmatic concerns found in the EU’s overarching architecture.12 This is the starting point for explaining how EU internal market law comes to be concerned with the regulation of technological risk.13 In particular, it is by attention to the EU’s programmatic concerns that it becomes clearer how the tightening relations between new technologies and internal market law not only demonstrate the EU’s role in risk regulation but also the broader use and significance of that involvement. Subsequently, I deepen the analysis in two moves, first, in Section 3, by outlining the three key regulatory principles underpinning the negative integration mode of internal market law. The first principle is a focus on removing restrictions to free movement that subjects almost any national measures to scrutiny, supplemented by the second principle, which is that of mutual recognition. The final principle is the justification of national measures subject to a proportionality assessment, which actually operates to constrain the type, scope, and nature of permissible risk regulation at Member State level, albeit not yet so far as to narrow it to product safety. In the course of the discussion on regulatory principles, the link with the positive integration mode of internal market law is made and this is elaborated in Section 4 through the second move that aims to deepen the analysis.14 In addition to legislation adopted under Article 114 of the Treaty on the Functioning of

2, 7, and 8; Flear, ‘The EU Clinical Trials Regulation: Key Priorities, Purposes and Aims and the Implications for Public Health’, 42 Journal of Medical Ethics (2016) 192. 11 See, esp. the other chapters in M. L. Flear et  al. (eds), European Law and New Health Technologies (2013). 12  This chapter is therefore focused on the EU’s regulatory order, which is one level of the multilevel system of governance. Within that system the EU level interacts with a range of other regulatory orders including those at the national level. See further L. Hooghe and G. Marks, Multilevel Governance and European Integration (2001). 13  Black’s definition of regulation is ‘the intentional use of authority to affect behaviour of a different party according to set standards, involving instruments of information-​gathering and behaviour modification’ (Black, ‘Critical Reflections on Regulation’, 27 Australian Journal of Legal Philosophy (2002) 1). As suggested earlier, I  understand regulation as part of governmentality. Negative integration is deregulatory in the sense that it disapplies national laws that are deemed unjustifiably restrictive of free movement. But negative integration is also regulatory in that the disapplication of incompatible national laws affects the behaviour of market actors. 14  For further discussion of positive and negative integration see C. Barnard, The Substantive Law of the EU: The Four Freedoms (5th edn, 2016), chs 1 and 16; Scharpf, ‘Negative and Positive Integration in the Political Economy of European Welfare States’, in G. Marks et al. (eds), Governance in the European Union (1996).

 7

Mark L. Flear

77

the European Union (TFEU) positive integration is facilitated through several other kinds of supplementary regulatory techniques, including soft law, guidance, ‘steering’ through funding, and reliance on intellectual property rights. The first of these techniques pre-​empts Member State responses to the regulation of technological risk only to some extent. The other techniques work with legislative harmonization under Article 114 TFEU in order to extend the reach of EU-​level regulation—​including its normative orientation, understanding, and framing of ‘risk’—​but without pre-​emptive effects (indeed, EU funding is founded on legal bases that preclude such effects).15 Taken together these techniques of positive integration promote uniformity in technoscientific development trajectories within the EU. The techniques narrow the meaning and framing of technological risk to being principally about product safety at different stages of product development and ultimately marketing within the internal market. At the same time the techniques bracket off and marginalize the other kinds of harms or hazards to which risk might pertain. These processes of centralization and marginalization in turn help to serve broader programmatic priorities and aims, most importantly for this chapter, the production, stabilization, anchoring, and legitimation of the EU’s identity, socio-​technical order, and project of integration. I consider the techniques of negative and positive integration in terms of their role in the development of new health technologies from an idea through to circulation in the internal market. To keep the chapter manageable, the discussion is limited in several ways. The chief limitation is a focus on just one category of new technologies; those related to health, or new health technologies (NHTs). A focus on novel and innovative health technologies is useful in that it underscores the weakness of Article 168 TFEU, the EU’s legal competence in the public health field, which is an area of supporting, coordinating, or supplementary competence under Article 6(a) TFEU, and essentially permits limited action in order to tackle serious cross-​border threats to health. Although Article 168(5) TFEU provides that the EU legislature may ‘adopt incentive measures’ that are designed to, inter alia, ‘protect and improve human health and in particular to combat the major cross-​border health scourges’, this specifically excludes ‘any harmonization of the laws and regulations of the Member States’.16 As we shall see later in this chapter, Article 114 TFEU provides far greater scope for the adoption of harmonization measures and these must

15  Noted later in this chapter. Further consideration of pre-​emption, and its relationship with the supremacy of directly effective EU law, is beyond the scope of this chapter. The relevant Treaty provisions (and applicable secondary legislation) discussed later in this chapter are (in the absence of specific decision by the CJEU arguably) directly effective (Case 26/​62, Van Gend & Loos, [1963] ECR 1 (ECLI:EU:C:1963:1)) and therefore take precedence over conflicting national laws and administrative practices (Case 11/​70, Internationale Handelsgesellschaft, [1970] ECR 1125 (ECLI:EU:C:1970:114); Case 106/​77, Simmenthal SpA, [1978] ECR 629 (ECLI:EU:C:1978:49). For a discussion of these doctrines and their relationship to pre-​emption, see S. Douglas-​Scott, Constitutional Law of the European Union (2002), at 169–​171. 16  In addition, Art. 168(7) TFEU provides the responsibility of the Member States for the ‘definition of their health policy and for the organization and delivery of health services and medical

78

78

Regulating New Technologies

relate to the establishment and functioning of the internal market. The weakness of Article 168 as compared to Article 114 helps to explain the continuing salience of internal market law to new technologies as well as how that in turn facilitates the achievement of the EU’s broader programmatic priorities and aims (although, as we shall see, in at least one instance—​clinical trials—​internal market legislation gains support from Art. 168). NHTs are not a single category in EU law. The Patients’ Rights Directive is the only piece of legislation that refers to ‘health technologies’, identifying them as including medicinal products, medical devices, or medical and surgical procedures as well as measures for disease prevention, diagnosis, or treatment used in healthcare.17 Elsewhere EU marketing legislation distinguishes between ‘medicinal products’18 and ‘medical devices’.19 A  range of sub-​ c ategories exist—​ encompassing ‘biotechnology medicine’, ‘biotechnology-​ derived pharmaceutical’,20 ‘advanced therapy medicinal products’ (ATMPs),21 and

care’ is respected. Legislation under Art. 114 TFEU and Art. 168 TFEU is adopted using the ordinary legislative procedure set out in Art. 294 TFEU. 17 Art. 3(1) Directive 2011/​24/​EU on the Application of Patients’ Rights in Cross-​Border Healthcare, OJ 2011 L 88/​45. 18  Directive 2001/​83/​EC on the Community Code Relating to Medicinal Products for Human Use, OJ 2001 L 311/​67 (Community code (as amended)), has two limbs to its definition of ‘medicinal product’. These are medicinal product by ‘presentation’ (‘any substance or combination of substances presented for treating or preventing disease in human beings’—​A rt. 1(2) Community code) and by ‘function’ (‘any substance or combination of substances which may be used in or administered to human beings either with a view to restoring, correcting or modifying physiological functions by exerting a pharmacological, immunological or metabolic action, or to making a medical diagnosis’). 19  Defined by Directive 93/​42/​EEC Concerning Medical Devices, OJ 1993 L 169/​1 to include ‘any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/​or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings’ for one or more of several purposes. Art. 1(2) provides that these purposes are:  ‘diagnosis, prevention, monitoring, treatment or alleviation of disease; diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap; investigation, replacement or modification of the anatomy or of a physiological process; [or] control of conception’. To fall within this definition, the device must ‘not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means’, but it ‘may be assisted in its function by such means’. 20  The terms ‘biotechnology medicine’ or ‘biotechnology-​derived pharmaceutical’ are generally used (EMA, S6 Preclinical Safety Evaluation of Biotechnology-​Derived Pharmaceuticals, CHMP/​ ICH/​302/​95) to cover the medicines derived from the processes listed in section 1 of the Annex (recombinant DNA technology, controlled expression of genes coding for biologically active proteins in prokaryotes and eukaryotes including transformed mammalian cells, hybridoma, and monoclonal antibody methods) to Regulation (EC) 726/​2004 Laying Down Community Procedures for the Authorization and Supervision of Medicinal Products for Human and Veterinary Use and Establishing a European Medicines Agency, OJ 2004 L 311/​67. 21  ATMPs are still classed as medicinal products and are included in section 1a of the Annex to Regulation (EC) 726/​2004, ibid. The definition of ATMPs, under Regulation (EC) 1394/​2007 on Advanced Therapy Medicinal Products and Amending Directive 2001/​83/​EC and Regulation (EC) 726/​2004, OJ 2007 L 324/​121, includes gene therapy medicinal products, somatic cell therapy medicinal products, tissue-​engineered products, and combined ATMPs. It appears that only

 79

Mark L. Flear

79

‘nanomedicine’22—​a nd the ensuing discussion refers to all of these categories (some of which are not especially ‘new’23). A key reason for the focus on NHTs is the need to provide a sufficiently detailed discussion and analysis of the complementary techniques of negative integration and positive integration in order to make the chapter’s core argument. As such the discussion does not provide a detailed substantive analysis of the application of internal market law to specific NHTs or other new technologies.24 In addition, some legislation that is obviously centrally related to technological risk (and not simply product safety matters), such as the so-​called REACH legislation,25 and which is applicable to some new technologies, is not discussed because it is not applicable to NHTs.26 Other areas of law that are only very indirectly related to the regulation of NHTs and technological risk, such as competition law, are also not discussed.27 There is a related limitation in terms of what is included in the discussion on positive integration techniques. The analysis does not encompass all applicable EU legislation or indeed all techniques of positive integration. Instead, the discussion focuses on some of the most important techniques clustered around particular types of regulatory activity from the inception of an idea through to its development and ultimately marketing in the internal market: stimulating and steering innovation through funding; intellectual property law and the fostering of technological development; regulating research processes; and finally product

one ATMP has been authorized by the EMA, ChondroCelect (this is a tissue-​engineered product for which TiGenex gained EU marketing authorization on 5 October 2009). For discussion, see Mahalatchimy, ‘Access to Advanced Therapy Medicinal Products in the EU: Where Do We Stand?’, 18 European Journal of Health Law (2011) 305. 22 EMA, Reflection Paper on Nanotechnology-​Based Medicinal Products for Human Use, EMEA/​ CHMP/​79769/​2006, uses the term ‘nanomedicinal product’. Moreover see Dorbeck-​Jung et  al. (eds), ‘Governing Nanomedicine:  Lessons from within, and for, the EU Medical Technology Regulatory Framework’, 33 (Special Issue 2) Law and Policy (2011) 215–​303. 23  E.g. recombinant insulin and growth hormone (defined as ‘biotechnology medicines’) have been on the market in the EU since the 1980s. 24  For examples, see N. Hoppe, ‘Human Tissue-​Derived Health Products: The Problems of EU Law’ and B. Dorbeck-​Jung, ‘Therapeutic Nanoproducts as Drivers of Legal Governance Innovation in the European Union’, both in Flear et al. (eds), supra note 11. 25 Regulation (EC) 1907/​2006 Concerning the Registration, Evaluation, Authorization and Restriction of Chemicals (REACH), Establishing a European Chemicals Agency, Amending Directive 1999/​45/​EC and Repealing Regulation (EEC) 793/​93 and Regulation (EC) 1488/​94 as well as Directive 76/​769/​EEC and Directives 91/​155/​EEC, 93/​67/​EEC, 93/​105/​EC and 2000/​ 21/​EC, OJ 2006 L 136/​3; Directive 2006/​121/​EC Amending Directive 67/​548/​EEC on the Approximation of Laws, Regulations and Administrative Provisions Relating to the Classification, Packaging and Labelling of Dangerous Substances in order to Adapt it to Regulation (EC) 1907/​ 2006 Concerning the Registration, Evaluation, Authorization and Restriction of Chemicals (REACH) and Establishing a European Chemicals Agency, OJ 2006 L 136/​281. 26  See Art. 2(5)(a) Regulation (EC) 1907/​2006, ibid., which states that the REACH legislation does not apply to the extent that a substance is used in medicinal products and Art. 2(6), which states that it does not apply to medical devices, covered by the leges speciales discussed in this chapter. 27  E.g. anti-​monopoly laws can determine the feasibility of research into NHTs, see Hancher, ‘The EU Pharmaceuticals Market: Parameters and Pathways’, in E. Mossialos et al. (eds), Health Systems Governance in Europe: The Role of EU Law and Policy (2010).

80

80

Regulating New Technologies

safety as a continuing concern.28 The techniques falling within these types of activity (which are to some extent overlapping and mutually supportive) are most directly related to regulating technological risk instantiated as product safety or supporting those efforts in order to optimize the internal market. The techniques deployed at these points of technoscientific development and market availability demonstrate and highlight the continuing importance of internal market law to the regulation of new technologies. Overall, in what follows I  underline the way in which internal market law continues to play a leading role in the regulation of new and innovative technologies. In reflection on this core finding, in Section 5 I point to a concern that has seemingly been overlooked in extant legal scholarship on new technologies. That is, I highlight the (re)alignment, (re)configuration, and (re)orientation of EU law to and within market-​oriented norms, values, and rationalities that shape technoscientific innovation and trajectories. I suggest that this can in turn be explained by the way in which EU law and innovation are increasingly tied to the pursuit and legitimation of the EU’s project of European integration. In short, EU law is connecting with and shaping new technologies, but its focus on product safety is about increasing market availability and through it producing a particular market-​oriented identity for the EU, rather than meeting pressing health needs.

2.  Internal Market Law, the Regulation of Technological Risk, and the Programmatic Level of Governance Internal market law remains of central importance to the EU’s regulation of new technologies—​and that in turn relates to and facilitates the EU’s broader programmatic priorities. The internal market is defined by Article 26(2) TFEU as ‘an area without internal frontiers in which the free movement of goods, persons, services and capital is ensured’.29 New technologies fall principally within the free movement of goods.30 Moreover, the internal market is described as ‘one of the pillars of the European Union’ and it is situated within the EU’s overarching

28 There are seven broad types:  funding; protection of intellectual property; regulation of research processes; data protection; marketing and product safety legislation; post-​market monitoring and surveillance, and product liability; and pricing, reimbursement, and coverage in national healthcare systems. The selection is drawn from and reorganizes material from across these types. See further Bache, Flear, and Hervey, ‘The Defining Features of the European Union’s Approach to Regulating New Health Technologies’, in Flear et al. (eds), supra note 11. 29 The establishment of the internal market is required by Art. 3(3) Treaty on European Union (TEU). 30  Arts 28–​36 TFEU. E.g. pharmaceuticals are a good for these purposes, i.e. ‘products which can be valued in money and which are capable, as such, of forming the subject of commercial transactions’ (Case 7/​68, Commission v. Italy (Art Treasures case), [1968] ECR 423 (ECLI:EU:C:1968:51)). Goods must also ‘possess tangible physical characteristics’ (Advocate General Fennelly in Case C-​ 97/​98, Jägerskiöld v. Gustafsson, [1999] ECR I-​7319 (ECLI:EU:C:1999:515)). So, the organization of lotteries does not constitute an activity relating to goods (Case C-​275/​92, Customs Excise v. Schindler, [1994] ECR I-​1039 (ECLI:EU:C:1994:119)).

 81

Mark L. Flear

81

architecture and objectives that are reflective of its imagined socio-​technical order and directed at perpetuating its integration project: ‘[t]‌he internal market is essential for prosperity, growth and employment in the EU, contributing to the achievement of its objectives under the Lisbon strategy. As an integrated, open and competitive area, it in fact promotes mobility, competitiveness and innovation, interacting in particular with the EU sectoral policies’.31 Under the Lisbon Strategy32 research was presented as ‘the driver for the production and exploitation of knowledge [making it] above all a linchpin in the implementation of the Lisbon strategy to make Europe the most dynamic and competitive, knowledge-​based economy in the world, capable of sustaining economic growth, employment and social cohesion’33 by 2010. EU funding of projects in new technologies, especially in relation to research and development was, and as I discuss later continues to be, seen as integral to the creation of a European Research Area, which aims to ‘reinvigorate research in Europe’,34 and is linked to the Lisbon Strategy as part of the so-​called ‘knowledge triangle’ of research, education, and innovation.35 Importantly, while EU funding is limited by the principle of ‘European added value’,36 it is directed at enabling discourse between researchers in different Member States in order to foster economic competitiveness of European industry, and integration.37 The Lisbon Strategy was subsequently refocused on growth and jobs,38 linking research and development of new technologies even more closely to the central goal of economic optimization. In 2010 this refocusing was intensified in the light of the recent global (and European) financial and economic crisis in the European Commission’s ‘Europe 2020’ strategy for economic growth.39 Further, references to health in Europe 2020 bolster the link between it and the economy.

31  Internal Market:  General Framework, available at http://​europa.eu/​legislation_​summaries/​ internal_​market/​internal_​market_ ​general_​framework/​index_​en.htm (last visited 22 December 2016) (emphasis added). 32  Council of the European Union, Presidency Conclusions—​Lisbon European Council, 23rd and 24th March (2000). See Armstrong, ‘Governance and Constitutionalism After Lisbon’ in JCMS Symposium: EU Governance After Lisbon, 46 Journal of Common Market Studies (2008) 413, at 413–​414. 33  European Commission, Building the ERA of Knowledge for Growth, COM(2005) 118 final, at 2 (emphasis added). 34  European Commission, Towards a European Research Area, COM(2000) 6 final, at 5. 35  European Commission, Putting Knowledge into Practice: A Broad-​based Innovation Strategy for the EU, COM(2006) 502 final. 36  E.g. Decision 1982/​2006 Concerning the Seventh Framework Programme of the European Community for Research, Technological Development and Demonstration Activities (2007–​2013), OJ 2006 L 412/​1. 37  Gusma’o, ‘Research Networks as a Means of European Integration’, 23 Technology in Science (2003) 386. 38  W. Kok, Facing the Challenge: The Lisbon Strategy for Growth and Employment. Report from the High Level Group Chaired by Wim Kok (2004). 39  See, generally Europe 2020, available at http://​ec.europa.eu/​europe2020/​index_​en.htm (last visited 22 December 2016). Also see European Commission, Smart Regulation in the European Union, COM (2010) 543 final; European Commission, Europe 2020 Flagship Initiative Innovation Union, COM (2010) 546 final.

82

82

Regulating New Technologies

In particular, given its importance in terms of the discussion to which we will return in due course, health is given a specific mention in the strategy’s broad objectives. For example, health is integral to smart and inclusive growth because, inter alia, ‘keeping people healthy and active for longer has a positive impact on productivity and competitiveness’. Moreover, the drive for innovation is noted as helping to ‘make the healthcare sector more sustainable and find new cures for health conditions’. In addition, as health ‘employs 1 in 10 of the most qualified workers in the EU’, it contributes to improving work skills and creating employment. Finally, the potential impact of the increase in older people also justifies the emphasis on health, since ‘financing rising healthcare costs and access to a dignified and independent life for the aging population will be central to the political debate’.40 The Innovation Union,41 one of Europe 2020’s flagship initiatives, is particularly revealing in that it ‘aims to maximise the EU’s capacity for innovation and research and channel it towards societal challenges. The Commission aims to make the EU a world-​leader in developing innovative ways to promote active and healthy ageing—​a challenge common to all European countries.’42 Noteworthy here is how innovation is linked to research, and this is then directed at societal challenges, but these are used to promote the optimization of ageing; i.e. an ageing population is to be an economically active one that contributes towards the wider economy. Improving the sustainability of social and healthcare systems is part of this set of linked objectives, but the direct link to economic optimization reveals this to be the ultimate aim of societal optimization including in relation to health. It is to: ‘boost and improve the competitiveness of the markets for innovative products and services that respond to the ageing challenge both at EU and global level, thus creating new opportunities for businesses’.43 Returning to internal market law, these efforts are clearly directly relevant. In furthering the goal of economic optimization, so that EU citizens and businesses ‘can make the most of the advantages of the single market’, the EU ‘concentrates on dismantling barriers still impeding its operation. It seeks to harmonize legislation in order to improve its response to the challenges of globalisation and to adapt to advances, such as the new technologies’.44 The barriers that are the subject of this drive towards harmonization arise principally from laws and wider measures promulgated and produced at the Member State level. All EU Member States regulate new technologies in order to reduce their attendant risks and maximize their benefits. As Brownsword explains, regulators ‘need to tailor their interventions to the perceived risk profile presented by a particular technology.’45 This involves determining matters such as when risk 40  Europe 2020—​ for a Healthier EU, available at http://​ec.europa.eu/​health/​europe_​2020_​ en.htm (last visited 22 December 2016). 41  Innovation Union, available at http://​ec.europa.eu/​research/​innovation-​union/​index_​en.cfm (last visited 22 December 2016). 42  Europe 2020—​for a Healthier EU, supra note 40 (emphasis added).    43  Ibid. 44  Internal Market: General Framework, supra note 31 (emphasis added). 45  R. Brownsword, Rights, Regulation and the Technological Revolution (2008), at 118.

 83

Mark L. Flear

83

arises (whether it is when the technology fails, or is abused—​or works); the degree of risk (low or high); the kind of harms or hazards to which the risk pertains (physical, environmental, social, economic, moral, and political) and the potential for their ranking as more or less serious; and, finally, how risk relates to precaution (whether precaution occurs at risk assessment or somehow operates in risk management).46 Generating a risk profile for new technologies depends on the specific technology in question and there are related questions about whether to regulate at all and, if so, the form, type, and extent of regulation. The problems for legal and regulatory decision-​making are exacerbated where there is scientific uncertainty or even a lack of knowledge as well as (and often related to) broader disagreement about the factors that can or should go together in building a risk profile—​raising questions about how risks ‘should be framed, which methodologies should be adopted, [and] which values prioritized’.47 The central problem for internal market law is the potential for disparate national attempts to regulate the risks posed by new technologies, which would erect barriers, fragment the internal market, and undermine the interpenetration of trade—​and ultimately the production and legitimation of the EU’s identity, socio-​technical order based on a competitive and innovative economy, and its core project of European integration. Consequently, the EU seeks to dismantle barriers through complementary techniques of negative integration and positive integration, and as we shall see in different albeit related ways both of these engage with the risk posed by new technologies.

3.  Negative Integration: Free Movement, Mutual Recognition, Justification of National Measures Subject to Proportionality, and the Necessity of (Minimum) Harmonization A. Free Movement In terms of negative integration, the relevant Treaty provisions target and prohibit both fiscal48 and non-​fiscal barriers. The latter are more important for this chapter given that outright bans on products or regulation of their salient features, means of distribution, and marketing are more likely (as demonstrated by the examples noted below). In that regard Article 34 TFEU provides that ‘[q]‌uantitative restrictions on imports and all measures having equivalent effect shall be prohibited between Member States’. In interpreting this provision, and indeed the others that relate to internal market law,49 the Court of Justice of the European Union

46  Ibid., at 118–​119. 47  Ibid., at 119–​120. 48  These include ‘customs duties and charges having equivalent effect’ prohibited under Art. 28 TFEU and in order to underpin a customs union with a common external tariff barrier and the prohibition on ‘discriminatory internal taxation’ under Art. 110 TFEU. 49  Arts 56–​62 TFEU for services, Arts 45–​48 TFEU for workers, Arts 49–​55 TFEU for establishment, and Arts 63–​66 TFEU for capital.

84

84

Regulating New Technologies

(CJEU) has been mindful of its significance for the telos of European integration project in terms of both its production and its legitimation,50 and with that in mind has adopted a purposive or teleological interpretation,51 i.e. one that literally seeks to engender integration through law.52 This can be seen in the CJEU’s expansive definition of quantitative restrictions (QRs) as ‘measures which amount to a total or partial restraint of, according to the circumstances, imports, exports, or goods in transit’.53 This was followed by the even more wide-​ranging and all-​encompassing definition of measures having equivalent effect to quantitative restrictions (MEQRs) with the Dassonville judgment ruling that they comprise ‘all trading rules enacted by Member States which are capable of hindering, directly or indirectly, actually or potentially, intra-​Community trade’.54 Subsequently Cassis de Dijon clarified what Dassonville implied: MEQRs include national measures that make no distinction between domestically produced and imported goods, i.e. product requirements, in particular because they can impose a further regulatory burden on goods imported from another Member State and produced in accordance with its standards.55 In Keck there was a further refinement of the scope of Article 34 TFEU such that ‘certain selling arrangements’56 were found to fall outside it.57 50  M. Adams and H. de Waele (eds), Judging Europe’s Judges: The Legitimacy of the Case Law of the European Court of Justice (2013). 51  Koopmans, ‘The Theory of Interpretation and the Court of Justice’, in D. O’Keeffe and A. Bavasso (eds), Judicial Review in EU Law (2000); A. Stone Sweet, The Judicial Construction of Europe (2004). 52  M. Cappelletti et al. (eds), Integration through Law: Europe and the American Federal Experience (1986). 53  Case 2/​73, Geddo v. Ente Nazionale Rizi, [1973] ECR 865 (ECLI:EU:C:1973:89). 54  Case 8/​74, Procureur du Roi v. Dassonville, [1974] ECR 837 (ECLI:EU:C:1974:82). 55  Case 120/​78, Rewe-​Zentrale AG (Cassis de Dijon), [1979] ECR 649 (ECLI:EU:C:1979:42). 56 Joined Cases C-​ 267 and 268/​ 91, Keck and Mithouard, [1993] ECR I-​ 6097 (ECLI:EU:C:1993:905), at para. 16 (emphasis added). 57 That is, provided the measures applied universally and are neutral in effect. The measures in question must ‘apply to all relevant traders operating within the national territory and so long as they affect in the same manner, in law and in fact, the marketing of domestic products and of those from other Member States’ (ibid.). See, e.g., Joined Cases C-​401 and C-​402/​ 92, Tankstation, [1994] ECR I-​ 2199 (ECLI:EU:C:1994:220); Case C-​ 292/​ 92, Hünermund, [1993] ECR I-​6787 (ECLI:EU:C:1993:932); Joined Cases C-​69 and 258/​93, Punto Casa, [1994] ECR I-​2355 (ECLI:EU:C:1994:226); Joined Cases C-​418–​421, 460–​462 and 464/​93, 9–​11 and 14–​15/​94, Semeraro Casa Uno, [1996] ECR I-​2975 (ECLI:EU:C:1996:242). An alternative market access-​based test was put forward in the opinion of Advocate General Jacobs in Case C-​412/​ 93, Leclerc-​Siplec, [1995] ECR I-​ 179 (ECLI:EU:C:1995:26). However, CJEU judgments have pursued a related route of ensuring neutrality in the effects of selling arrangements, which leads to an analysis of whether relevant national measures inhibit market access, and if they do, the measure falls back within Art. 34 TFEU as an MEQR that might be saved in the usual way. See, e.g., Cases C-​34–​36/​95, De Agostini, [1997] ECR I-​3843 (ECLI:EU:C:1997:344); Case C-​405/​ 98, Gourmet International Products, [2001] ECR I-​1795 (ECLI:EU:C:2001:135); Case C-​254/​98, TK-​Heimdienst, [2000] ECR I-​151 (ECLI:EU:C:2000:12); Case C-​322/​01, DocMorris, [2003] ECR I-​14887 (ECLI:EU:C:2003:664). There are, however, exceptions where the market access test has been preferred: Case C-​4 41/​04, A-​Punkt, [2006] ECR I-​2093 (ECLI:EU:C:2006:141) (catching (truly because not just legally, but also factually) non-​discriminatory selling arrangements) and cf. Case C-​108/​09, Ker-​Optika, [2010] ECR I-​12213 (ECLI:EU:C:2010:725) and Case 439/​09, Pierre Fabre Dermo-​Cosmétique SAS, [2011] ECR I-​9419 (ECLI:EU:C:2011:649), both concerning Member State rules on distribution contracts, which were deemed contrary to the Treaty provisions

 85

Mark L. Flear

85

In addition, the CJEU developed mutual recognition as the central regulatory principle in Cassis de Dijon.58 There were several drivers behind this development, inter alia economic malaise and disaffection with the slow pace of European market integration, and the limited capacity of the CJEU and national courts (adjudicating on EU law matters) to deal with a potentially burdensome caseload prompted by the wide range of measures falling foul of the Treaty. Mutual recognition provides that goods that are lawfully marketed in one Member State are to be allowed to circulate throughout the internal market; in other words, there is a presumption in favour of free movement. This regulatory approach maximizes the autonomy of national regulators, but they must also have regard to and trust their counterparts in other Member States, with whom they must cooperate.59 Mutual recognition also provides the scope for regulatory competition and a wider range of new technologies (with different risk profiles) to be produced and sold within the internal market.60 That is because the principle of mutual recognition permits a multiplicity of national approaches to regulating technological risk. The approaches adopted might go beyond product safety to encompass different kinds and understandings of harms or hazards that are not necessarily focused on product safety.

B. Derogations and Justifications Nevertheless, the principle of mutual recognition is subject to limitation and that is because it remains possible for national regulators to limit the free movement of goods from other Member States where there are acceptable reasons for doing so (from the point of view of internal market law). In this regard national regulators can use the Treaty-​based derogations in Article 36 TFEU to justify and preserve measures that are found to be QRs or MEQRs. In addition, objective public interest justifications created by the CJEU in Cassis de Dijon and added to in subsequent cases are available to save MEQRs that constitute either indistinctly applicable (and often indirectly discriminatory) or non-​discriminatory hindrances to market access.61 As such, it remains possible for national regulators on goods because they undermined free movement. For a potential remoteness test, i.e. a measure that has an insignificant effect on market access, see Case C-​20/​03, Burmanjer, [2005] ECR I-​4133 (ECLI:EU:C:2005:307). There appears to be a recent move to capture ‘any other measure’ which is neither a product requirement nor a selling arrangement, but prohibiting or (severely) restricting the use of goods, see Case C-​110/​05, Commission v. Italy (Trailers), [2009] ECR I-​519 (ECLI:EU:C:2009:66) (concerning the prohibition of motorcycles from pulling trailers); Case C-​ 142/​05, Mickelsson, [2009] ECR I-​4273 (ECLI:EU:C:2009:336) (a limitation on the use of personal watercraft only on general navigable waterways). 58  Case 120/​78, Cassis de Dijon, supra note 55. 59  The ‘principle of sincere cooperation’ in Art. 4(3) TEU. 60  Armstrong, ‘Mutual Recognition’, in J. Scott and C. Barnard (eds), Law of the Single European Market: Unpacking the Premises (2002). 61  The move from a discrimination model to a market access model of what constitutes a ‘restriction’ is indicative of the CJEU’s choice to regulate the internal market in a particular way via negative integration. For discussion see M. P. Maduro, We the Court: The European Court of Justice and the European Economic Constitution (1998).

86

86

Regulating New Technologies

to regulate technological risk, but only to the extent that their free movement restrictive measures can be justified by grounds found in these derogations and justifications. Importantly, this means that the reasons for the adoption of a measure at the national level might not fit into the accepted categories of derogations and justifications: for the purposes of EU internal market law, national reasons are not necessarily acceptable justifications for restrictions on free movement. In addition, successful recourse to the derogations and justifications is subject to an assessment that the national measures adopted and that are restrictive of free movement are proportionate to the regulatory aims pursued. Since a national measure that conflicts with directly effective EU free movement law must be disapplied unless it can be saved by a derogation or justification, the kinds of harms or hazards that can be subject to (legitimate) regulation by the Member States is effectively constrained. To summarize the derogations and justifications, Article 36 TFEU provides that Article 34 TFEU:62 ‘shall not preclude prohibitions or restrictions on imports, exports or goods in transit justified on grounds of public morality, public policy or public security; the protection of health and life of humans, animals or plants’.63 It is conceivable that national regulation of new technologies might be justified on any of these finite grounds—​and in the following I assume for the moment that there are no legislative harmonization measures. To focus on NHTs, the ground of public morality is in principle available to Member States in order to justify a prohibition on the marketing of products containing, consisting, or derived from, for example, embryonic stem cells.64 In relation to the latter ground, it remains ‘for each Member State to determine in accordance with its own scale of values and in the form selected by it the requirements of public morality in its territory’.65 Consistency in the treatment of domestically and imported goods is essential for the successful use of this derogation66 (just as it is for the others). Although not necessarily useful as a way of justifying national measures regulating NHTs that are restrictive of free movement, public security remains important for the justification of national regulation of wider new technologies. Indeed, it is conceivable that, for instance, new information and communication technologies might have a ‘dual use’ (i.e. having both military and civilian uses)67 and could therefore be strategically sensitive to both the internal and external security of the state. Hence in Richardt the CJEU found that bubble memory circuits imported from the United States (US) into one Member State and then another,

62  As well as Art. 35 TFEU which prohibits quantitative restrictions on exports and all measures having equivalent effect. 63  It continues ‘the protection of national treasures possessing artistic, historic or archaeological value; or the protection of industrial and commercial property’. 64  Cf. the discussion on marketing and product safety and public morality as an exceptional ground for limiting free movement under harmonization, see Section 4D. 65  Case 34/​79, Henn and Darby, [1979] ECR 3795 (ECLI:EU:C:1979:295), at para. 15 (emphasis added). 66  Case 121/​85, Conegate, [1986] ECR 1007 (ECLI:EU:C:1986:114). 67  Case C-​70/​94, Fritz Werner, [1995] ECR I-​3189 (ECLI:EU:C:1995:328).

 87

Mark L. Flear

87

where they would then be exported to Russia, could be subject to inspection in the second Member State in order to verify the nature of the goods.68 To take a contemporary example, in the wake of the massacre of journalists of the Charlie Hebdo satirical magazine in Paris, the British Prime Minister suggested that in his view it was not acceptable that ordinary people could use mobile applications or ‘apps’ and other devices in order to have conversations on which the security services were unable to eavesdrop. A national measure to overcome this problem could involve requiring app developers to build backdoors into their software that permit the interception of messages by authorities or an outright ban on the app.69 Public security might be put forward in order to justify such measures where they produce barriers to the free movement of apps between Member States.70 Moving to consider the potential use of public health to save measures that regulate NHTs and fall foul of Article 34 TFEU (and again assuming the absence of EU harmonization legislation), one example is a ban on the use of the plastic di (2-​ethyhexyl) phthalate (DEHP) in medical devices due to fears that it is likely to be carcinogenic (i.e. that it causes cancer). France in fact banned such products where used on paediatric, neonatal, and maternity units through a law that came into force on 1 July 2015 and (at the time of writing) the United Kingdom (UK) is considering the evidence for introducing a ban.71 To give one other example, Member States might seek to ban direct-​to-​consumer genetic testing products that do not involve supervision by a medical professional (a ban on the provision of services based on the data produced by such products would likely fall to be considered within the free movement of services72). For instance, one such product, 23andme, has been banned in the US by the Food and Drug Administration on the grounds of public health,73 but after a number of changes to deal with those concerns this product is now being marketed in the UK.74 Other EU Member States might argue that such products lead to, say, excessive, irrational, or wasteful use of public resources, or incorrect diagnosis when (as such products usually promise) diagnosis can be carried out without the supervision of the medical profession. 68  Case C-​367/​89, Richardt, [1991] ECR I-​4621 (ECLI:EU:C:1991:376). 69 ‘David Cameron in “Cloud Cuckoo Land” Over Encrypted Messaging Apps Ban’, The Guardian, 13 January 2015. 70  In addition to public security, Art. 346(1)(b) TFEU provides that Member States can take measures in the interests of their security where they relate to the production of or trade in arms, munitions, and war material. Such measures must not adversely affect the conditions of competition in the internal market for goods that are not intended for military purposes. 71  Warning Over Plastics Used in Treating Premature Babies, BBC News, 13 November 2014, available at http://​w ww.bbc.co.uk/​news/​health-​30034760 (last visited 22 December 2016). 72  Here the provision of services is likely to be seen as the main activity, with the free movement of goods being ancillary (on this point see Case C-​275/​92, Customs Excise v. Schindler, supra note 30). 73 Food and Drug Administration, 23andMe, Inc. 11/​22/​13, available at http://​w ww.fda. gov/​ICECI/​EnforcementActions/​WarningLetters/​2013/​ucm376296.htm (last visited 22 December 2016). 74  Controversial DNA Test Comes to UK, BBC News, 2 December 2014, available at http://​w ww. bbc.co.uk/​news/​science-​environment-​30285581 (last visited 22 December 2016).

8

88

Regulating New Technologies

Public health grounds were argued in DocMorris where the CJEU stated that ‘the health and life of humans rank foremost among the assets or interests protected by [Art. 36 TFEU]’ and ‘it is for the Member States, within the limits imposed by the Treaty, to decide what degree of protection they wish to assure’.75 In DocMorris that meant a prohibition on internet sales of non-​prescription drugs could not be justified. In contrast, a prohibition could be justified with respect to prescription drugs since there was a need to check the authenticity of doctors’ prescriptions to ensure the medicine reached the patient either directly or via an authorized person, and to prevent problems arising from the use of different languages (such as purchasing the wrong medicine or incorrect use). Concerns over DEHP or the unsupervised use of genetic testing technologies and the interpretation of their results are therefore likely to provide reasonable grounds for regulatory interventions at the Member State level and attempts to justify them on public health grounds. Public policy (which is not the same as the public interest justifications available as mandatory requirements) is restrictively interpreted76 and has not usually succeeded as a stand-​a lone defence, except in order to ‘protect … the fundamental interests of the State’,77 and has instead been more successful when used in combination with other derogations, such as public health.78 Further concerns about genetic testing technologies may arise and be articulated in terms of public policy, such as where the capacity to test for certain diseases is deemed problematic because it might produce genetic discrimination or compound existing different treatment of affected individuals or groups.79 As for the objective public interest justifications, the CJEU has, for example, identified the ‘effectiveness of fiscal supervision, protection of public health, fairness of commercial transactions, [and] defence of the consumer’80 as starting points for the non-​exhaustive range of mandatory requirements (with similar objective public interests being developed in relation to the other freedoms81). Consequently, where Member State measures such as the examples noted earlier are indistinctly applicable or non-​discriminatory it becomes possible to justify them on the basis of objective public interest justifications that overlap with the derogations in Article 36 TFEU or on additional public interest grounds. Consumer protection is one such ground, yet while it might seem an appropriate justification for measures that aim to regulate technological risk, the protection of public health has been more widely used in such cases.82 In addition, the environment 75  Case C-​322/​01, DocMorris, supra note 57, at para. 103 (emphasis added). 76  Case 177/​83, Ringelhan, [1984] ECR 3651 (ECLI:EU:C:1984:334). 77  Case 7/​78, Thompson, [1978] ECR 2247 (ECLI:EU:C:1978:209), at para. 34. 78  Case C-​434/​04, Ahokainen, [2006] ECR I-​9171 (ECLI:EU:C:2006:609), at para. 28. 79  For discussion see Montgomery, ‘Strategies of Regulation: Illustrations from the Work of the Human Genetics Commission’, in Flear et al., supra note 11. 80  Case 120/​78, Cassis de Dijon, supra note 55, at para. 8. 81  See further: Barnard, supra note 14, ch. 13. 82  The following cases were not concerned with safeguarding consumers against technological risk but demonstrate its potential to justify national measures by analogy: Case 178/​84, Commission v. Germany (Beer Purity), [1987] ECR 1227 (ECLI:EU:C:1987:126) (ensuring beer purity); Case

 89

Mark L. Flear

89

has been recognized as an objective public interest that is worthy of protection as a mandatory requirement,83 although it is less clear whether it is protected under Article 36 TFEU (in terms of animal or plant health).84 Given that several EU Member States have banned the growth of seeds that are classed as genetically modified organisms (often simply referred to as GMOs) and most often used in food production, it is not inconceivable that protection of the environment or indeed public health might be used to justify a ban on the importation of products derived from those sources such as vaccines produced by specially engineered plants.85

C. Proportionality The limitations on the prohibition of restrictions on the free movement of goods are, as noted earlier, subject to the principle of proportionality. In DocMorris the CJEU described proportionality in the following way: national rules or practices likely to have a restrictive effect, or having such an effect, on the importation of pharmaceutical products are compatible with the Treaty only to the extent that they are necessary for the effective protection of health and life of humans. A national rule or practice cannot benefit from the derogation provided for in [Art. 36 TFEU] if the health and life of humans may be protected just as effectively by measures which are less restrictive of intra-​Community trade.86

Thus, even where the risk profile of the specific technology at issue provides reasons for its regulation on the grounds of the protection of public health, the measures adopted by national regulation must be the least restrictive to free

C-​315/​92, Clinique, [1994] ECR I-​317 (ECLI:EU:C:1994:34) (preventing consumers from being misled into believing that Clinique was selling medicinal as opposed to cosmetic products); Case C-​470/​93, Mars, [1995] ECR I-​1923 (ECLI:EU:C:1995:224) (similar to the latter case, this one was to do with preventing consumers from being misled into believing a chocolate bar was bigger than it was, i.e., due to a ‘+10 free’ that was larger than the size of the chocolate bar it covered). Decision 1082/​2013/​EU on serious cross-​border threats to health and repealing Decision 2119/​98/​ EC, OJ 2013 L 293/​1 applies and further shapes the exercise of Member State discretion in terms of the regulatory interventions adopted in order to tackle and ameliorate the threat. Member States are required to communicate their plans prior to serious cross-​border threats, notify any changes to their plans especially in the event of the emergency arising, and finally to explain and justify their responses (entailing consideration of their proportionality). 83  E.g. see Case 142/​05, Mickelsson, supra note 57 (restricting the use of jet skis on inland waterways seemed to be justified on environmental protection grounds). 84  E.g. contrast the justification of stricter standards for aircraft registered in another Member State than for domestic aircraft on the basis of ‘public health and environmental protection’ (Case C-​378/​96, Aher-​Waggon, [1998] ECR I-​4 473 (ECLI:EU:C:1998:357), at para. 19; see also Case C-​379/​98, PreussenElektra, [2001] ECR I-​2099 (ECLI:EU:C:2001:160)) with the finding that ‘the protection of the environment cannot serve to justify any restriction on exports, particularly in the case of waste destined for recovery’ (Case C-​209/​98, FFAD, [2000] ECR I-​3743 (ECLI:EU:C:2000:279), at para. 48). 85  Paul and Ma, ‘Plant-​Made Pharmaceuticals: Leading Products and Production Platforms’, 58 Biotechnology and Applied Biochemistry (2011) 58. 86  Case C-​322/​01, DocMorris, supra note 57, at para. 104.

90

90

Regulating New Technologies

movement. Public health is particularly salient to the regulation of technological risk. The enduring concern of the CJEU in shaping and applying the proportionality assessment in relation to this reason for limiting free movement, perhaps more so than for the other possible reasons, has been its possible misuse. In other words, the CJEU has been careful to ensure that public health and the other justifications available under Article 36 TFEU or as mandatory requirements are not used, in the words of that provision, as ‘a means of arbitrary discrimination or a disguised restriction on trade between Member States’.87 Consequently, resort to public health as a reason for maintaining Member State regulation of technological risk requires evidence of genuine health concerns that in the case of challenge is carefully scrutinized by the CJEU. In Medicinal Herbs the CJEU explained it needed a ‘detailed assessment, on a case by case basis, of the risk alleged by the Member State invoking [Art. 36 TFEU]’.88 In the case of medical devices containing DEHP, for instance, any challenge to and defence of the French ban on such products (again assuming the absence of EU harmonization legislation) could make use of the EU’s own assessment, which classifies DEHP as possibly carcinogenic to humans.89 In Frans-​Nederlandse Maatschappij voor Biologische Producten (Frans-​Nederlandse) the CJEU found that, in the absence of harmonization, where there are uncertainties in the present state of scientific research it is for the Member States to decide what degree of protection of the health and life of humans they intend to assure. As such, in that case ‘a Member State is not prohibited from requiring plant protection products to be subject to prior approval, even if those products have already been approved in another Member State’.90 Sandoz concerned the addition of certain vitamins, in particular vitamins A and D, to muesli bars and analeptic beverages. The CJEU found the internal market principles also applied to them as: substances … which are not as a general rule harmful in themselves but may have special harmful effects solely if taken to excess as part of the general nutrition, the composition of which is unforeseeable and cannot be monitored. In view of the uncertainties inherent in the scientific assessment, national rules prohibiting, without prior authorisation, the marketing of

87 Seen in Case 40/​ 82, Commission v.  United Kingdom (Turkeys), [1984] ECR 0283 (ECLI:EU:C:1984:33) in which the CJEU held the ‘real aim of the 1981 measures [in which there was a slaughter policy applied to flocks infected with Newcastle disease and a ban on the importation of poultry meat and eggs from all other Member States except Denmark and Ireland] was to block, for commercial and economic reasons, imports … in particular from France’, from where there has been a huge increase in imports (at para. 37). In relation to public morality, see Case 34/​ 79, Henn and Darby, supra note 65. 88  Case C-​88/​07, Commission v.  Spain (Medicinal Herbs), [2009] ECR I-​ 1353 (ECLI:EU:C:2008:567), at para. 93 (emphasis added). 89  Scientific Committee on Emerging and Newly-​Identified Health Risks, Preliminary Opinion on the Safety of Medical Devices Containing DEHP Plasticised PVC or Other Plasticisers on Neonates and Other Groups Possibly At Risk (2014 update), available at http://​ec.europa.eu/​health/​scientific_​committees/​emerging/​docs/​scenihr_​o_​047.pdf (last visited 22 December 2016). 90  Case 272/​80, Frans-​Nederlandse Maatschappij voor Biologische Producten, [1981] ECR 3277 (ECLI:EU:C:1981:312), at para. 16.

 91

Mark L. Flear

91

foodstuffs to which vitamins have been added are justified on principle within the meaning of Art. 36 of the Treaty on grounds of the protection of human health.91

As this example illustrates, a precautionary approach can be adopted for the justification of measures under public health.92 Following a detailed assessment that reveals the persistence of uncertainty regarding the extent of the risk to human health, Member States do not have to wait for the reality and seriousness of technological risk to be fully demonstrated before protective measures can be taken.93 However, in departing from the prohibition on restrictions on the free movement of goods (or indeed the other freedoms) Member States must have continuing regard to the requirements of free movement, in particular that in order to be justified the measure in question must be proportionate to the objective pursued. As the CJEU put it in Frans-​Nederlandse: The authorities of the importing state are however not entitled unnecessarily to require technical or chemical analyses or laboratory tests when the same analyses and tests have already been carried out in another Member State and their results are available to those authorities or may at their request be placed at their disposal.94

In this way, mutual recognition requires that Member States do not duplicate the regulatory interventions of other Member States. Where there is such duplication it is likely to be found disproportionate—​or even a disguised restriction on trade. The importance of free movement subject to proportionate limits was also echoed in the CJEU’s affirmation of this ruling in Sandoz, where it held that scientific uncertainty did not provide Member States with unlimited discretion. Rather, proportionality ‘requires that the power of the Member States to prohibit imports of the products in question from other Member States should be restricted to what is necessary to attain the legitimate aim of protecting health’.95 That meant that there must remain scope for authorizations to market where they are compatible with the need to protect health, that is, where ‘when the addition of vitamins to foodstuffs meets a real need, especially a technical or nutritional one’.96

D. Necessity of (Minimum) Harmonization Negative integration has proven essential in bringing down barriers to the free movement of new technologies (and other goods), not least through mutual recognition as a central regulatory principle. The limited possibility of justifying national measures that are restrictive of free movement subject to proportionality means that the scope of permissible risk regulation is effectively constrained.

91  Case 174/​82, Sandoz, [1983] ECR 2445 (ECLI:EU:C:1983:213), at para. 17 (emphasis added). 92  European Commission, Communication on the Precautionary Principle, COM(2000) 1 and Art. 191 TFEU on the environment. 93  Case C-​192/​01, Commission v. Denmark, [2003] ECR I-​9693 (ECLI:EU:C:2003:492). 94  Case 272/​80, Frans-​Nederlandse, supra note 90, at para. 16 (emphasis added). 95  Case 174/​82, Sandoz, supra note 91, at para. 18 (emphasis added). 96  Ibid., at para. 19.

92

92

Regulating New Technologies

But this constraint on regulation is not to the extent that the measures adopted cannot regulate a more diverse range of harms or hazards than those that pertain to product safety. Negative integration would be insufficient on its own for the achievement of a truly integrated internal market. Indeed, as highlighted by the examples noted earlier, although the CJEU has limited the circumstances in which Article 36 TFEU and mandatory requirements can be invoked by Member States, their use threatens to fragment the internal market. In addition, where national regulation is found to be incompatible with free movement law and cannot be saved, regulatory gaps can emerge. Consequently, national measures that survive scrutiny under negative integration as well as those that do not are subject to the complementary mode of positive integration. This is classically understood as entailing the adoption of legislation at the EU level. However, for the purposes of this chapter positive integration encompasses several regulatory techniques in addition to legislation. Before detailing those techniques in Section 4 let us briefly outline legislation, as the core technique. As mentioned earlier, Article 114 TFEU provides the main basis for the adoption of legislation aimed at the establishment and functioning of the internal market. The concerns noted earlier over the need to tailor regulatory interventions to the perceived risk profile presented by a particular technology therefore also arise at the EU level. However, EU interventions are circumscribed by the conditions for the use of Article 114 TFEU or indeed any other legal base. These comprise the question of whether the competence to regulate is in principle applicable, and the application of the principles of subsidiarity (relevant to this as an area of shared competence under Article 4(2)(a) TFEU97) and proportionality,98 which pertain to the matters of whether the competence can in fact be used and, if so, the extent of permissible regulation. In using Article 114 TFEU to regulate technological risk there is a subsidiary requirement in Article 114(3) TFEU which provides that the Commission ‘in its proposals … concerning health, safety, environmental protection and consumer protection, will take as a base a high level of protection, taking account in particular of any new development based on scientific facts’ (emphasis added). In this way scientific and technical knowledge and expertise are underscored and valorized as the foundation and a key justification for EU legislation, which is a key technique for regulating the dangers or threats attendant on the circulation of products. Article 114(3) is a more specific instantiation of the general requirement under, in particular, Article 9 TFEU that the ‘the Union shall take into account requirements linked to … a high level of … protection of human health’ (emphasis added) in the definition and implementation of its policies and activities. Article 114(10) TFEU provides that legislation adopted under that legal basis must include a ‘safeguard clause’ in ‘appropriate cases’ that authorizes the Member States to take provisional measures subject to EU control ‘for one or more of the non-​economic reasons referred to in Art. 36’. In addition, it remains possible for a Member State to maintain a measure ‘on grounds of major needs referred to in 97  Art. 5(3) TEU.

98  Art. 5(4) TEU.

 93

Mark L. Flear

93

Art. 36 [TFEU], or relating to the protection of the environment or the working environment’ on a temporary basis under Article 114(4) TFEU,99 or even introduce ‘after the adoption of the harmonization measure’ a new temporary measure based on ‘new scientific evidence relating to the protection of the environment or the working environment on grounds of a problem specific to that Member State’ under Article 114(5) TFEU.100 In the event that either Article 114(4) or 114(5) applies, Article 114(7) TFEU requires the Commission to ‘immediately examine whether to propose an adaptation to that [harmonization] measure’. However, as mentioned above, before Article 114 TFEU can be used it is first necessary to demonstrate that the legal base is indeed applicable. In Tobacco Advertising I the CJEU found that Article 114 can only be used to adopt a measure where it is genuinely intended to improve the conditions for the establishment and functioning of the internal market and had that effect. Provided that is the case, the legislation adopted must either contribute to the elimination of obstacles to the exercise of the fundamental freedoms constitutive of the internal market or contribute to the removal of distortions of competition arising from diverse national rules (a broader ground which can serve to justify legislation where one Member State regulates but another does not, generating additional costs and market fragmentation).101 Since several of the measures regulated by the directive at issue in the case did not meet these criteria and the relevant provisions could

99  Further, in this case the Member State ‘shall notify the Commission of these provisions as well as the grounds for maintaining them’. 100  The Member State must ‘notify the Commission of the envisaged provisions as well as the grounds for introducing them’. Art. 114(6) TFEU provides that the Commission ‘shall, within six months of the notifications as referred to in paragraphs 4 and 5, approve or reject the national provisions involved after having verified whether or not they are a means of arbitrary discrimination or a disguised restriction on trade between Member States and whether or not they shall constitute an obstacle to the functioning of the internal market’. Approval is automatic where the Commission does not make a decision within this period. The Commission is permitted to extend the six-​month period for a further six months, but only when it is ‘justified by the complexity of the matter and in the absence of danger for human health’. 101  Case C-​376/​98, Germany v. European Parliament and Council (Tobacco Advertising I), [2000] ECR I-​8419 (ECLI:EU:C:2000:544), which was applied in the follow-​up Case C-​380/​ 03, Germany v. European Parliament and Council (Tobacco Advertising II), [2006] ECR I-​11573 (ECLI:EU:C:2006:772) and affirmed in Case C-​491/​01, British American Tobacco (Investments) Ltd and Imperial Tobacco Ltd, [2002] ECR I-​11453 (ECLI:EU:C:2002:741). Tobacco Advertising I was widely seen as a response to Case C-​300/​89, Commission v. Council (Titanium Dioxide), [1991] ECR I-​2867 (ECLI:EU:C:1991:244) in which the CJEU preferred Art. 114 TFEU as the basis for environmental legislation instead of Art. 192 TFEU (although in other choice of legal bases cases the CJEU opted for the more specific basis over Art. 114 TFEU: Case C-​155/​91, Commission v. Council (Waste Directive), [1993] ECR I-​939 (ECLI:EU:C:1993:98); Case C-​269/​97, Commission and Parliament v. Council (Beef Labelling), [2000] ECR I-​2257 (ECLI:EU:C:2000:183)). This implied an expansive definition of the internal market (through the marginalization of more specific legal bases) and arguably usurped the wishes of the Member States as masters and drafters of the Treaties, who had denoted Art. 114 TFEU a residual legal basis (with Art. 114(1) TFEU stating the provision applies ‘[s]‌ave where otherwise provided in the Treaties, the following provisions shall apply for the achievement of the objectives set out in Art. 26’). However, subsequent cases indicate the CJEU might be relaxing its interpretation of when Art. 114 TFEU can be used to regulate economic life, see e.g., Case C-​210/​03, Swedish Match, [2004] ECR I-​11893 (ECLI:EU:C:2004:802); Case C-​434/​02, Arnold André, [2004] ECR I-​11825 (ECLI:EU:C:2004:800).

94

94

Regulating New Technologies

not be severed, the directive had to be annulled.102 More importantly for the present discussion, under this approach disparate national measures that regulate new technologies and their various risks (be they physical, environmental, social, economic, moral, or political) can easily justify and trigger EU-​wide harmonizing legislation (particularly where the CJEU has ruled that a restriction on free movement or distortion of the conditions of competition exists). The CJEU noted that exclusion on the adoption of harmonizing legislation in the public health field under Article 168(5) TFEU does not mean that legislation adopted under other legal bases (such as Art. 114) could not have any impact on the protection of human health. The ease with which legislation can be adopted under Article 114 has been demonstrated by a subsequent ruling that a revised tobacco advertising directive that omitted the problematic provisions met the criteria for legislation under Article 114.103 Such harmonizing legislation is important for the achievement of broader regulatory aims: diverse Member State measures would not only put at risk the internal market itself, but they would in turn imperil the production and legitimation of the EU’s socio-​technical order and project of European integration. The subsidiary aim of Article 114 TFEU of protecting certain public interests (especially health and safety) ensures that EU (re)regulation might not provide an exact replacement for diverse Member State measures.104 EU (re)regulation is focused on removing obstacles to free movement and distortions of competition, and only a narrow range of harms or hazards need to be given particular consideration in proposals for legislation (under Art. 114(3) TFEU), or can remain regulated either by Member State measures adopted as a ‘safeguard’ (under Art. 114(10) TFEU), or can be maintained or introduced on a temporary basis where the harmonization legislation does not provide the requisite protection (under Art. 114(4) TFEU and Art. 114(5) TFEU respectively). But these special measures can typically be justified only on the non-​exhaustive grounds provided for under Article 36 TFEU rather than the objective public interests protected by the mandatory requirements. Overall, therefore, Article 114 TFEU reduces the scope of permissible EU risk regulation within the internal market. Article 114 essentially provides the foundation for the narrowing of technological risk to product safety matters and renders this as the dominant frame for the legislative instruments eventually

102  Directive 98/​43/​EC on the Approximation of the Laws, Regulations and Administrative Provisions of the Member States Relating to the Advertising and Sponsorship of Tobacco Products, OJ 1998 L 213/​9. 103  Case C-​380/​03, Tobacco Advertising II, supra note 101, concerning the validity of using Art. 114 TFEU in order to adopt Directive 2003/​33 on the Approximation of the Laws, Regulations and Administrative Provisions of the Member States Relating to the Advertising and Sponsorship of Tobacco Products, OJ 2003 L 152/​16. 104  Reregulation might occur where the EU legislature produces instruments that replace Member State measures—​simple regulation would occur where there are no such measures to replace. Reregulation might be required where the CJEU finds Member State measures in contravention of the free movement provisions and incapable of being saved by a derogation and/​or justification (or capable of being saved but disproportionate), which means that they must be set aside, but with the potential effect of creating a regulatory gap (e.g. where proportionate measures are not put in place or cannot be crafted).

 95

Mark L. Flear

95

adopted by the EU legislature (as well as the supplementary techniques discussed in Section 4). This legal basis also thereby supports the particular market-​based orientation of the EU’s identity. In the case of ‘full’ or ‘pre-​emptive’ legislative harmonization measures, the EU is said to ‘occupy the field’, further national legislation is automatically precluded, and pre-​existing national measures are automatically superseded by the new EU law. Yet this approach is now quite rare. The advent of mutual recognition in the CJEU’s jurisprudence in the 1980s became a central component of the Commission proposal105 for the insertion of both the aforementioned Article 26 TFEU and Article 114 TFEU into the Treaty by the Single European Act, as well as a new approach to harmonization that focused on essential technical and safety standards106 (and increased choice over the type of legislative instrument available, albeit with a long-​running preference for the flexibility provided by directives over the rigidity of regulations—​a preference that is beginning to change, most notably in relation to the legislation on clinical trials and medical devices).107 Given this regulatory preference it remains for the CJEU to determine the extent to which harmonization covers the field in question and pre-​empts Member State regulation. In other words, it is for the CJEU to decide whether there is space left for autonomous Member State regulation and therefore the continued application of (and the necessity of ensuring compliance with) the Treaty principles. As the CJEU explained in DocMorris: [Art. 34] continues to apply in relation to the manufacture and marketing of specialised pharmaceutical products as long as harmonization of national rules has not been fully achieved in those areas … In that regard, it should be noted that the sale of medicinal products to end consumers has not been subject to full Community harmonization.108

Nevertheless, the limits on the application of Article 34 TFEU remain important. Elsewhere, in Schwarz the CJEU affirmed its previous rulings on limitations by reference to Article 36 TFEU: ‘in the absence of harmonization, [it is for Member 105  In the following:  European Commission, Completing the Internal Market:  White Paper, COM(85) 310. 106 Council Resolution 85/​ C 136/​ 01 of 7 May 1985 on a New Approach to Technical Harmonization and Standards; European Commission, Communication on Enhancing the Implementation of the New Approach Directives, COM(2003) 240 final. For commentary see Pelkmans, ‘The New Approach to Technical Harmonization and Standardization’, 25(3) Journal of Common Market Studies (1987) 249. Legislation is now most commonly adopted under Art. 114 TFEU. It is easier to adopt legislation under the latter than the alternative (and original) legal basis of Art. 115 TFEU, which requires unanimity in the Council of the European Union (by contrast Art. 114 TFEU provides for the adoption of legislation under Art. 294 TFEU, the ordinary legislative procedure, which requires a qualified majority in the Council of the EU and therefore makes it easier to adopt legislation). 107  Under Art. 288 TFEU a directive ‘shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods’ whereas a regulation ‘shall have general application. It shall be binding in its entirety and directly applicable in all Member States’. Art. 114(1) TFEU provides the EU legislature with the scope to ‘adopt measures for the approximation’ of Member State measures and therefore includes directives and regulations. 108  Case C-​322/​01, DocMorris, supra note 57, at para. 102.

96

96

Regulating New Technologies

States] to decide on their intended level of protection of human health and life, always taking into account the requirements of the free movement of goods within the Community’.109 In other words, proportionality remains central, which in this case meant that a requirement that goods sold from vending machines had to be packaged was proportionate to the objective of protecting public health, since there was a risk of ‘contamination of the delivery tray by pathogenic germs and their transmission onto the goods removed by the customer … [which was] by no means merely theoretical’.110

4.  Techniques of Positive Integration: Some Examples in the Field of New Health Technologies A. Stimulating and Steering Innovation through Funding As noted earlier, legislation adopted under Article 114 TFEU is a key technique of positive integration, particularly in relation to marketing within the internal market. However, there are several others that are salient to the regulation of technological risk prior to marketing and earlier in the technoscience product development pipeline. These additional techniques support the centralization of harms or hazards relating to product safety in legislation, while facilitating the marginalization of other kinds of harms or hazards to which risk might pertain (physical, environmental, social, economic, moral, or political), as well as alternative understandings of risk and framings of regulation. In that regard, shaping knowledge through involvement in research is foundational to steering the trajectory of technoscience; knowledge is the foundation for the exercise of power and the basis for the production of products and services and their regulation. Consequently shaping knowledge through funding is a core priority within the overarching architecture of EU governance, as I mentioned earlier. Indeed, in the seventh (and final) Framework Programme (FP), FP7,111 even basic research—​including on health and medical treatments112—​was framed as a driver of future growth instead of as a means of increasing knowledge and understanding per se. The same frame is found in (the current) Horizon 2020.113 And this common frame is reflective of the legal basis of each in the EU’s competence

109  Case C-​366/​04, Schwarz, [2005] I-​10139 (ECLI:EU:C:2005:719), at para. 32 (emphasis added). 110  Ibid., at para. 35. 111  Decision 1982/​2006/​EC, supra note 36. 112  E.g. nanotechnologies are highlighted in the FP7 objectives, in such references as ‘the development and validation of new therapies … diagnostic tools and medical technologies’. See Proposed Priorities for Innovative Health Research 2012, available at http://​ec.europa.eu/​research/​health/​pdf/​ fp7-​health-​2012-​orientation-​paper_​en.pdf (last visited 22 December 2016). 113 Regulation (EU) 1291/​2013 Establishing Horizon 2020—​the Framework Programme for Research and Innovation (2014–​2020) and Repealing Decision 1982/​2006/​EC, OJ 2013 L 347/​104.

 97

Mark L. Flear

97

for research and technological development in Article 182(1) TFEU,114 which under Article 4(3) TFEU is shared with the Member States. This basis is directed at ‘encouraging … [EU research] to become more competitive, including in its industry, while promoting all the research activities deemed necessary by virtue of other Chapters of the Treaties’,115 such as those relating to the internal market and public health. Within Horizon 2020 (and FP7 before it), the ‘added value’ (and justification) of EU funding is constructed as supporting translational research; i.e. bringing innovations into the internal market.116 In terms of basic research, ‘[r]‌esearch on the brain and related diseases’, nanotechnology, and research on the genes behind kidney disease risk,117 are noted as key areas for funding.118 Moreover, EU funding is partly about reducing the risks attendant to research in new technologies (such as the high costs involved), rather than the risk posed by new technologies to consumer safety, and helping to support the translation of research into products. It is Article 168(5) TFEU that provides the legal basis for funding provided under the EU’s health programme. Health programme funding is now in its third iteration (for 2014–​2020)119 and is limited to supporting actions under Together for Health and in turn the priorities of Europe 2020, for which it is noted that the ‘promotion of good health at Union level is also an integral part’.120 The focus on economic optimization is underlined in statements such as, ‘[i]‌n line with the objectives of the Europe 2020 Strategy, the Programme should focus on a set of well-​defined objectives and actions with clear, proven Union added value, and concentrate support on a smaller number of activities in priority areas’.121 Those priority areas include: promoting health; protecting EU citizens from cross-​border threats to their health; contributing to the development of health systems that are innovative, efficient, and sustainable; and finally, facilitating improvements to

114  Art. 173(3) TFEU (industry) forms the second basis for Regulation (EU) 1291/​2013 ibid., and Art. 166(1) European Community Treaty (replaced by Art. 182(1) TFEU) forms the sole basis for Decision 1982/2006, supra note 36 above. 115  Art. 179(1) TFEU (emphasis added). 116  Defined in Art. 26(2) TFEU as, ‘an area without internal frontiers in which the free movement of goods, persons, services and capital is ensured’. The establishment of the internal market is required by Art. 3(3) amended TEU. 117  A number of projects contributed towards this research, including ANEUPLOIDY (understanding the importance of gene dosage imbalance in human health using genetics, functional genomics, and systems biology), EUROSPAN (European special populations research network:  quantifying and harnessing genetic variation for gene discovery), GENECURE (applied genomic strategies for treatment and prevention of cardiovascular death in uraemia and end-​stage renal disease), and EPIC (European prospective investigation into cancer, chronic diseases, nutrition, and lifestyle). 118 European Commission, Amended Proposal for a Council Decision Concerning the 7th Framework Programme of the European Atomic Energy Community (Euratom) for Nuclear Research and Training Activities (2007–​2011) (Presented by the Commission Pursuant to Art. 250(2) of the EC Treaty), COM/​2006/​0364 final. 119 Regulation (EU) 282/​2014 on the Establishment of a Third Programme for the Union’s Action in the Field of Health (2014–​2020) and Repealing Decision 1350/​2007/​EC, OJ 2014 L 86/​1. 120  Rec. 2, ibid. 121  Rec. 5, ibid. (emphasis added).

98

98

Regulating New Technologies

the safety of and access to healthcare.122 These priorities are, however, framed by Europe 2020, and as with Horizon 2020 funding, this is seen in the focus on promoting translational research: ‘The Programme should promote synergies, while avoiding duplication with related Union programmes and actions, by promoting, where relevant, the uptake of innovative breakthroughs resulting from research in the health sector’.123 The European Group on Ethics in Science and New Technologies (EGE) plays an important role in justifying funding.124 For example, in its Opinion on the Ethical Aspects of Nanomedicine the EGE justifies EU funding and investment into research and development and seeks to develop the EU’s nanoregulation through the leveraging of risk and scientific uncertainty.125 As Harvey and Salter point out, novel science ‘gives bioethical expertise access to new governance territory; bioethical expertise gives sciences access to political acceptability’.126 The EGE’s focus has been on providing bioethical justification for risk-​orientated regulation that aims to foster and direct, rather than circumscribe, innovation in new technologies in general. Indeed, the EGE is an important actor and means of providing legitimacy and generating support and the more general social licence for innovation, especially in areas where social and broader ethical implications of new technologies—​and not just technological risk defined narrowly as product safety—​is a pressing public concern.127 The EGE’s role points to the role of expert deliberation around bioethics in facilitating the narrowing of the scope and type of harms and hazards that are the focus of technological risk regulation to product safety. Overall, funding is a way of regulating through ‘steering’128 rather than ‘command and control’, in that it is used to stimulate and support the development of certain types of NHTs (rather than others), which is particularly important since the exercise of EU competence in respect of funding considered here does not pre-​empt Member State action.129 Funding helps to shape and support research priorities throughout the EU and therefore the trajectory of technoscientific product development and market availability. Research funding is in turn embedded

122  Summarized in European Commission, The Third Health Programme 2014-​2020 Funding Health Initiatives, available at http://​ec.europa.eu/​health/​programme/​docs/​factsheet_​healthprogramme2014_ ​2020_​en.pdf (last visited 22 December 2016). 123  Rec. 21, supra note 119 (emphasis added). 124  E.g. EGE, The Ethics Review of hESC FP7 Research Projects (Opinion No. 22). 125  See, e.g., EGE, Ethical Aspects of Nanomedicine (Opinion No. 21). 126 Harvey and Salter, ‘Anticipatory Governance:  Bioethical Expertise for Human/​A nimal Chimeras’, 21 Science as Culture (2012) 291, at 309 (emphasis added). 127  Busby, Hervey, and Mohr, ‘Ethical EU Law? The Influence of the European Group on Ethics in Science and New Technologies’, 33 European Law Review (2008) 803. 128 This ‘steering’ is what Daintith calls ‘government by dominium’. See:  Daintith, ‘The Techniques of Government’, in J. Jowell and D. Oliver (eds), The Changing Constitution (1994). 129  As a reminder, in respect of Horizon 2020 funding, Art. 4(3) TFEU states ‘the exercise of … [EU] competence shall not result in Member States being prevented from exercising theirs’. Similarly, in respect of health programme funding, Art. 6(a) TFEU provides that it is limited to providing support to the Member States.

 9

Mark L. Flear

99

within a network that constructs the EU’s identity, and its narrative about itself (including in terms of what it regulates, how, and why).130

B. Intellectual Property Law and the Fostering of Technoscientific Development The EU’s intellectual property law helps to mediate and manage technological risk and steer behaviour and the trajectory of technoscience, and it does so through the incentive of exclusive intellectual property rights, such as patent protection.131 By regulating technological risks that relate to harms and hazards highlighted by bioethics (and linked to human rights), EU law in this area supports the focus on technological risk rendered as product safety seen elsewhere in the product development pipeline. A  central objective of patent protection under the Legal Protection of Biotechnological Inventions Directive is the stimulation of innovation that, like research funding, recognizes the risks of developing new technologies and seeks to minimize them. For example, it is noted that ‘in the field of genetic engineering, research and development require a considerable amount of high-​risk investment and therefore only adequate legal protection can make them profitable’.132 In other words, pre-​emption of diverse Member State patent protection regimes and the establishment of a single EU regime for biotechnological inventions is about trying to mitigate risks to developers rather than to, for example, health and safety, i.e. ensuring that those developing inventions have their investment of time and research safeguarded, in order that it can be justified (usually to private investors or shareholders), and that they rather than a competitor derive the reputational and (especially) the economic benefits (profits). With Article 114 TFEU as the legal basis of this legislation, patent protection is ultimately oriented towards markets and the Directive is justified by the idea that differences in the legal protection of biotechnological inventions between Member States would create barriers to trade in the internal market.133 Although this rationale was challenged in Netherlands v. Parliament and Council (Biotechnology)134 the CJEU found that the Directive ‘in fact aims to protect damage to the internal market’.135 In particular, the main justification for harmonization is the need to foster and shape the technoscientific development pipeline and through it the

130  Tourney, ‘Narratives for Nanotech:  Anticipating Public Reactions to Nanotechnology’, 8 Techne (2004) 88. 131  Odell-​West, ‘Multilevel European Patent Law as an Indirect Form of Regulation of New Health and Enhancement Technologies’, in M. L. Flear et al., supra note 11; Hervey and Black, ‘The European Union and the Governance of Stem Cell Research’, 12 Maastricht Journal of European and Comparative Law (2005) 3. 132  Rec. 2 Directive 98/​4 4/​EC on the Legal Protection of Biotechnological Inventions, OJ L 213/​13 (emphasis added). 133  Recs 5, 6, and 7, ibid. 134  Case C-​377/​98, Netherlands v. Parliament and Council (Biotechnology), [2001] ECR I-​7079 (ECLI:EU:C:2001:523). 135  At para. 18.

01

100

Regulating New Technologies

internal market and to protect against risks to the economy and legal integration rather than to health and safety or the environment: ‘uncoordinated development of national laws on the legal protection of biotechnological inventions in the [EU] could lead to further disincentives to trade, to the detriment of the industrial development of such inventions and of the smooth operation of the internal market’.136 Hence, the Directive also provides that it is not possible to patent certain products and processes.137 Under Article 6 that includes where commercial exploitation would be contrary to ordre public or morality.138 Article 6(2)(c) provides an indicative list of processes to which the exclusion applies and that includes ‘the use of human embryos for industrial or commercial purposes’. Consistent with its earlier decision, in Brüstle the CJEU observed that while the ‘the text of the Directive does not define human embryo’, the term ‘must be regarded, for the purposes of application of the Directive, as designating an autonomous concept of European Union law which must be interpreted in a uniform manner throughout the territory of the Union’.139 Having determined that there must be an EU-​specific meaning of ‘human embryo’, the CJEU built on the indicative list in Article 6(2) (c) by referring to the rationale for the Directive, including the specific reference in its recitals that ‘processes, the use of which offend against human dignity … are obviously also excluded from patentability’,140 to hold that the Directive’s ‘context and aim … show that the EU legislature intended to exclude any possibility of patentability [of human embryos] where respect for human dignity could thereby be affected’.141 Consequently, the CJEU ruled that it ‘follows that the concept of “human embryo” within the meaning of Art. 6(2)(c) of the Directive must be understood in a wide sense’.142 Of course, the creation of a definition of ‘human embryo’ in EU internal market law is an important consequence of the Directive.143 But the CJEU’s insistence that there had to be such a definition, and one that it has revisited and refined in International Stem Cell Corporation,144 is also important in that it indicates the 136  Rec. 7 Directive 98/​4 4/​EC, supra note 132. 137  Art. 4 mentions plant and animal varieties, essentially biological processes and Art. 5(1) mentions simple discovery of genes, both ibid. 138  Art. 6, ibid. The morality clause in Art. 53(a) European Patent Convention has been revised so that it corresponds to the Directive, see Rules 23b–​23e of the Implementing Regulations. For critical comment on this change, see D. Beyleveld and R. Brownsword, Human Dignity in Bioethics and Biolaw (2001), 197–​199. 139  Case C-​34/​10, Oliver Brüstle v. Greenpeace, [2011] ECR I-​9821 (ECLI:EU:C:2011:669), at para. 26 (emphasis added). 140  Rec. 38 Directive 98/​4 4/​EC, supra note 132. 141  Case C-​34/​10, Oliver Brüstle, supra note 139, at para. 34 (emphasis added). 142  Ibid., at para. 34. 143  Ibid., at para. 27, citing Recs 3 and 5–​7 Directive 98/​4 4/​EC, supra note 132. 144  Ibid., at para. 36, the CJEU held that the classification ‘human embryo’ applies to, e.g., ‘a non-​fertilized human ovum into which the cell nucleus from a mature human cell has been transplanted and a non-​fertilized human ovum whose division and further development have been stimulated by parthenogenesis’. The criterion for determining whether these fall within the term ‘human embryo’ is that they are ‘capable of commencing the process of development of a human being just as an embryo created by fertilization of an ovum can do so’. In Case C-​364/​13, International Stem

 10

Mark L. Flear

101

way in which internal market law continues to connect with and regulate NHTs. Specifically, this exception to the Directive centralizes human dignity as a key concern and leverages it as a legitimating support for EU involvement in the field and, therefore, the market-​oriented approach aimed at fostering the competitiveness of its domestic biotechnology industry. In terms of the latter, this decision seems to steer the EU’s domestic industry towards certain types of research such as that using adult stem cells,145 as well as certain kinds of behaviour like secrecy over manufacturing processes,146 and investment in companies based outside the EU, i.e. which are not subject to the Directive.147 The EU’s intellectual property law supports the narrowing of technological risk to product safety by providing goods with a ‘bioethical stamp’ that ensures they are deemed respectful of human dignity and can, therefore, be legitimately marketed within the internal market. In addition, the EU also regulates research through intellectual property148 by providing rights to the results (now known as the ‘results’149). There are detailed provisions on Cell Corporation v. Comptroller General of Patents, judgment of 18 December 2014, not yet published (ECLI:EU:C:2014:2451), the CJEU followed the opinion of its Advocate General in order to qualify this criterion further. The CJEU held that the criterion must be understood as meaning a non-​fertilized human ovum must have the ‘inherent capacity to develop into a human being’ (at para. 28). As such ‘where a non-​fertilized human ovum does not fulfil that condition, the mere fact that that organism commences a process of development is not sufficient for it to be regarded as a “human embryo” ’ (at para. 29). Thus, where ‘an unfertilised human ovum whose division and further development have been stimulated by parthenogenesis did have the capacity to develop into a human being’ it is to be classified as a ‘human embryo’ and cannot be patented (as in Case C-​34/​ 10, Oliver Brüstle, supra note 139, at para. 31). But where ‘according to current scientific knowledge, a human parthenote, due to the effect of the technique used to obtain it, is not as such capable of commencing the process of development which leads to a human being’, it is not to be classified as a ‘human embryo’ and can be patented (as in Case C-​364/​13, International Stem Cell Corporation, at para. 33 and para. 37). 145  Abbott, ‘Stem Cells: The Cell Division’, 480 Nature (2000) 7377. 146  Stem Cells Unpatentable if an Embryo is Destroyed, available at http://​w ww.patentbaristas. com/​a rchives/​2011/​10/​24/​eus-​court-​of-​justice-​stem-​cells-​unpatentable-​if-​a n-​embryo-​is-​destroyed/​ (last visited 22 December 2016). Cf. Langer, ‘The European Court of Justice Bars Stem Cell Patents in Land Mark Decision’, The Bolt, Berkeley Technology Law Journal (2012), who argues that the ruling may not have much effect at all (see http://​btlj.org/​2012/​01/​05/​t he-​european-​court-​of-​justice-​ bars-​stem-​cell-​patents-​in-​landmark-​decision/​ (last visited 22 December 2016)). 147  E.g. the wide definition of ‘human embryo’ precludes the grant of patents on any products or therapies that rely on human embryonic stem cells derived from the destruction of a human embryo, however far removed from the original cell line. Such products might include those developed in order to treat incurable diseases of the eye and the cornea by the Institute of Ophthalmology at University College London. By contrast, the US-​based company that brought Case C-​364/​13, International Stem Cell Corporation, supra note 144, and which has developed similar products from a non-​fertilized human ovum that, due to the effect of the technique used to obtain it, is not as such capable of commencing the process of development which leads to a human being, will be able to obtain a patent and generate a return on their investment (assuming the products are purchased in the internal market). 148  For a discussion of intellectual property as an indirect mode of regulation in this area see Hervey and Black, ‘The European Union and the Governance of Stem Cell Research’, 12 Maastricht Journal of European and Comparative Law (2005) 3. 149  Under Horizon 2020 ‘results’ ‘means any tangible or intangible output of the action, such as data, knowledge or information, that is generated in the action, whatever its form or nature, whether or not it can be protected, as well as any rights attached to it, including intellectual property

021

102

Regulating New Technologies

ownership,150 dissemination and use,151 and access rights.152 One way in which these are important is in the situation which arises when the Commission objects to the transfer of ownership or grant of exclusive licence of ‘results’ to ‘third parties established in a third country not associated with Horizon 2020’.153 Overall, therefore, internal market law is shaping and supporting technoscientific trajectories and the behaviour of those involved in research and development—​a nd it continues to do so by engaging with and regulating research processes.

C. Engaging with Research Processes EU legislation also concerns research processes and like other stages in the product development pipeline it is primarily concerned with product safety through risk assessment and risk monitoring, licensing, and inspection carried out by EU-​mandated competent authorities of the Member State, and these focus on harmonizing Member State regimes and pre-​empting divergences in approaches in relation to certain matters (i.e. it appears harmonization is not exhaustive). Two particularly important areas of engagement are the regulation of preclinical research through ‘good laboratory practice’154 (GLP) and clinical research through ‘good clinical practice’ (GCP), and together these strengthen the role of internal market law in shaping and directing innovation in technoscience. Specifically, this legislation requires Member States to set standards for the planning, performance, reporting, and archiving of research and to establish systems of monitoring and inspection. In terms of GLP, EU law155 draws on the Organisation for Economic Co-​operation and Development’s (OECD’s) work on good laboratory and clinical practice156 and on International Standards for audit, accreditation, and technical competence.157 In practice, much regulation is carried out through rights’. See Art. 2(1)(19) Regulation (EU) 1290/​2013 Laying Down the Rules for Participation and Dissemination in ‘Horizon 2020—​the Framework Programme for Research and Innovation (2014–​2020)’ and Repealing Regulation (EC) 1906/​2006, OJ 2013 L 347/​81. Under FP7 ‘results’ were known as ‘foreground’, see Art. 39(1) Regulation (EC) 1906/​2006 Laying down the Rules for the Participation of Undertakings, Research Centres and Universities in Actions under the Seventh Framework Programme and for the Dissemination of Research Results (2007–​2013), OJ 2006 L 391/​1. 150  Arts 41–​42, ibid. 151  Art. 43, ibid. 152  Arts 46–​49, ibid. 153  Art. 44(3), ibid. 154 Directive 2004/​10/​EC on the Harmonization of Laws, Regulations and Administrative Provisions Relating to the Application of the Principles of Good Laboratory Practice and the Verification of their Applications for Tests on Chemical Substances, OJ 2004 L 50/​4 4. 155  Art. 1(1), ibid., provides that Member States ‘shall take all measures necessary to ensure that laboratories carrying out tests on chemical products … comply with the principles of [GLP] … as laid down in Annex I to this Directive’. See also Rec. 8, ibid. Also see Directive 2004/​9/​EC on the Inspection and Verification of Good Laboratory Practice, OJ 2004 L 50/​28. 156 See Good Laboratory Practice, available at http://​w ww.oecd.org/​countries/​a rgentina/​goodlaboratorypracticeglp.htm (last visited 22 December 2016). 157 E.g. ISO/​ IEC 17000:2004, Conformity Assessment—​Vocabulary and General Principles, available at http://​w ww.iso.org/​iso/​catalogue_​detail?csnumber=29316); ISO 9000:  2005, Quality Management System—​Fundamentals and Vocabulary, available at http://​w ww.iso.org/​iso/​iso_​

031 

Mark L. Flear

103

soft law guidance158 and includes preclinical safety evaluation of biotechnology-​ derived pharmaceuticals, or ICH S6 (produced in collaboration between the EU, US, and Japan),159 and further guidance applicable to clinical safety.160 Although compliance with these standards is not mandatory it is normally required for the studies that are used to support applications for clinical trial authorization or market authorization. In either case (and in the former case because clinical trials are also required for the latter), the focus is on regulating harms or hazards pertaining to safety in order to get (safe) new products to market. All laboratories carrying out tests on chemical products must comply with the OECD’s principles of GLP.161 The European Medicine Agency’s (EMA’s) instantiation of the latter principles162 focus on ensuring product safety by seeking to ‘define a set of rules and criteria for a quality system concerned with the organisational process and the conditions under which non-​clinical health and environmental safety studies are planned, performed, monitored, recorded, reported and archived’.163 Member States are permitted to ‘provisionally prohibit or make subject to special conditions the marketing of that substance on its territory’ where application of the GLP principles demonstrates a chemical substance examined under the Directive nevertheless ‘presents a danger to man and the environment’,164 which again underlines the importance of only certain harms or hazards as the subject of technological risk regulation. Exceptions from GLP are permitted for studies employing specialized test systems. These are often needed

catalogue/​catalogue_​ics/​catalogue_​detail_​ics.htm?csnumber=42180); ISO 15189:  2007, Medical Laboratories—​Particular Requirements for Quality and Competence, available at http://​w ww.iso.org/​ iso/​iso_​catalogue/​catalogue_​ics/​catalogue_​detail_​ics.htm?csnumber=42641) (all last visited 22 December 2016). 158  Produced by the International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (the guidance in the immediately previous footnote is likewise produced by this international body). Guidance includes: Non- ​Clinical Safety Studies for the Conduct of Human Clinical Trials for Pharmaceuticals, (ICH M3[R2]) CPMP/​ICH/​ 286/​95; Non-​Clinical Safety Studies for the Conduct of Human Clinical Trials for Pharmaceuticals, (ICH M3[R2]) CPMP/​ICH/​286/​95; Safety Pharmacology Studies for Human Pharmaceuticals, (ICH S7A) CPMP/​ICH/​539/​0 0; Duration of Chronic Toxicity Testing in Animals (Rodent and Non-​Rodent Toxicity Testing), (ICHS4A) CPMP/​ICH/​300/​95; Carcinogenicity:  Testing for Carcinogenicity of Pharmaceuticals, (ICH SIB) CPMP/​ICH/​299/​95. 159 See further Clinical Efficacy and Safety Guidelines, available at http://​w ww.ema. eu ropa .eu / ​ e ma / ​ i nde x.jsp?cu rl=pa ge s/ ​ r eg u lat ion / ​ g enera l / ​ g enera l _ ​ c ontent _ ​ 0 0 0 085. jsp&mid=WC0b01ac0580027549 (last visited 22 December 2016). 160  Guidance on Quality, Pre-​Clinical and Clinical Aspects of Gene Transfer Medicinal Products, CHMP/​GTWP/​234523/​09; Non-​Clinical Studies Required before First Clinical Use of Gene Therapy Medicinal Products, EMEA/​CHMP/​GTWP/​125459/​2006; Biological Active Substances Produced by Stable Transgene Expression in Higher Plants, EMEA/​CHMP/​BWP/​48316/​2006; Guidance on Human Cell-​Based Medicinal Products, EMEA/​CHMP/​410869/​2006; EMA, Reflection Paper on Stem Cell-​Based Medicinal Products, CAT/​571134/​09; EMA, Reflection Paper on In-​Vitro Cultured Chondrocyte Containing Products for Cartilage Repair of the Knee, CAT/​CPWP/​568181/​2009. 161  These are appended to Directive 2004/​10/​EC, supra note 154, in Annex 1. 162  Defined in ibid., 2.1 of Annex 1. 163  Good Laboratory Practice, available at http://​w ww.ema.europa.eu/​ema/​index.jsp?curl=pages/​ regulation/​general/​general_​content_​0 00158.jsp (last visited 22 December 2016). 164  Art. 5(2) Directive 2004/​10/​EC, supra note 154.

041

104

Regulating New Technologies

for biopharmaceuticals and the exception from GLP facilitates speedier progress to marketing authorization. Even then the justification can be made that safety is not jeopardized and that, overall, preclinical trials place safety centre stage. Prompted by disasters like the TGN1412 incident in which six first-​in-​human (Phase I) trial participants had to be placed in intensive care after suffering multiple organ failure,165 a precautionary approach to risk is likely to be adopted before moving to clinical research and seeking permission for trials from research ethics committees.166 As such, although the guidance works to steer preclinical research, it has ‘hard’ (and pre-​emptive) effects in practice. Compliance with GLP (and the costs incurred) is justified by the need to ensure quality, efficacy, and safety of products—​that is, technological risk is regulated (prior to and) in order to permit market circulation. Clinical research, like GLP, is closely aligned to market authorization, discussed further later, in relation to which the relevant legislation mentions clinical trials data as the basis for the market authorization of pharmaceutical treatments on the grounds of their quality, safety, and efficacy.167 In other words, through these criteria technological risk pertains to a narrow range of harms or hazards and this provides the focus of the legislation rather than ‘comparative therapeutic efficacy’ of the medicine and a genuine need for it. Clinical trials are subject to specific regulation, with the Clinical Trials Directive168 (CTD) dating from 2001 being replaced by the new Clinical Trials Regulation169 (CTR), which entered into force on 16 June 2014 but could not apply at the earliest before 28 May 2016, and is due to come into operation in 2018.170 The CTR (like the CTD before it) requires Member States to set standards for the planning, performance, reporting, and archiving of research. The very definition of clinical trials in the CTR (and the CTD) highlights their alignment to the requirements for market authorization and the importance of its focus on the specific instantiation of technological risk (focusing on product safety) for the creation of biomedical knowledge and the technoscientific development it enables. Under the CTR, clinical trials are clarified as being a type of clinical study171 that is an investigation: 165  Kmietowicz, ‘Rules for Drug Trials Should Be Tightened, Say Experts’, 333 British Medical Journal (2006) 276. 166  This is apparent from the long time it has taken Geron to progress to clinical development, even though it has substantial preclinical data for its human embryonic stem cell derived products; see http://​w ww.geron.com/​ (last visited 22 December 2016). 167  Directive 2001/​83/​EC, supra note 18. 168  Directive 2001/​20/​EC on the Approximation of the Laws, Regulations and Administrative Provisions of the Member States Relating to the Implementation of Good Clinical Practice in the Conduct of Clinical Trials on Medicinal Products for Human Use, OJ 2001 L 121/​34. This requires the Commission to establish principles relating to GCP and detailed rules in line with those principles. 169  Regulation (EU) 536/​2014 on Clinical Trials on Medicinal Products for Human Use, and Repealing Directive 2001/​20/​EC, OJ 2014 L 158/​1. 170  Art. 99, ibid. Directive 2001/​20/​EC, supra note 168, continues to apply in a transitional period, see Art. 98, ibid. 171  Art. 2(2)(2), ibid. provides ‘clinical study’ ‘means any investigation in relation to humans intended: (a) to discover or verify the clinical, pharmacological or other pharmacodynamic effects of one or more medicinal products; (b) to identify any adverse reactions to one or more medicinal

051 

Mark L. Flear

105

in relation to humans intended: (a) to discover or verify the clinical, pharmacological or other pharmacodynamic effects of one or more medicinal products; (b) to identify any adverse reactions to one or more medicinal products; or (c) to study the absorption, distribution, metabolism and excretion of one or more medicinal products; with the objective of ascertaining the safety and/​or efficacy of those medicinal products.172

The reasons for the adoption of the CTR underline the salience and centrality of safety as the focus of technological risk regulation, as well as the marginalization of other kinds of harms or hazards within the development pipeline. Experience under the CTD gave rise to concerns that differences in its application in the EU’s (now) 28 Member States (up from 15 in 2001) would undermine scientific research.173 These differences were exacerbated by the ‘cumbersome procedures for multi-​centre clinical trials in different Member States’ leading to an ‘impact on academic as well as non-​academic research’.174 In particular, ‘Scientific development … suggests that future clinical trials will target more specific patient populations, such as subgroups identified through genomic information. In order to include a sufficient number of patients for such clinical trials it may be necessary to involve many, or all, Member States’.175 Attention here is on generating more specific safety data as the basis for the production and marketing of pharmaceuticals that are aimed at specific populations. Consequently, it became necessary to revise the applicable law, such as through the introduction by the EMA of an EU portal176 that serves as a single entry point for the submission of an application for the authorization of clinical trials to the reporting Member State177 and an EU database for the storage of the application and related data.178 The EU portal also provides the means for communication of, inter alia, the result of the application.179 products; or (c)  to study the absorption, distribution, metabolism and excretion of one or more medicinal products; with the objective of ascertaining the safety and/​or efficacy of those medicinal products’. 172  Art. 2(2)(1) Regulation (EU) 536/​2014, supra note 169 (emphasis added). This definition is very similar to that under Art. 2(a) Directive 2001/​20/​EC, supra note 168, particularly the objective: a ‘clinical trial’ means ‘any investigation in human subjects intended to discover or verify the clinical, pharmacological and/​or other pharmacodynamic effects of one or more investigational medicinal product(s), and/​or to identify any adverse reactions to one or more investigational medicinal product(s) and/​or to study absorption, distribution, metabolism and excretion of one or more investigational medicinal product(s) with the object of ascertaining its (their) safety and/​or efficacy’ (emphasis added). 173  Since around the mid-​1980s the preference was to opt for the adoption of directives rather than regulations, and yet the increase in the number of Member States and diversity in their legal cultures (including in implementation and compliance with EU law) has led to a more general growing preference for regulations. 174  European Commission, Safe, Innovative and Accessible Medicines: A Renewed Vision for the Pharmaceutical Sector, COM(2008) 666 final, 8. Reflected in Rec. 4 Regulation (EU) 536/​ 2014, supra note 169. 175  Rec. 4 Regulation (EU) 536/​2014, supra note 169. 176  Arts 5, 16, and 80, ibid. 177  In the first instance the trial sponsor shall propose the reporting Member State. In the event that this proposal is declined, more detailed rules determine which Member State shall report: see Art. 5, ibid. 178  Art. 81, ibid. 179  Art. 8, ibid.

061

106

Regulating New Technologies

In order to introduce these changes and reinforce their utility so as to make it easier to generate safety data it was also necessary to reconsider the legal form or instrument in respect of clinical trials.180 As summarized in the CTR, the adoption of a regulation ‘would present advantages for sponsors and investigators, for example in the context of clinical trials taking place in more than one Member State, since they will be able to rely on its provisions directly [before national courts]’.181 By contrast, the CTD (as a directive) could only be relied upon directly in very specific circumstances;182 which meant that in most cases domestic implementing legislation was applicable. In the case of the UK, for example, the CTD was adopted into domestic law by its transposition through the Medicines for Human Use (Clinical Trials) Regulations 2004.183 In short, the adoption of an EU regulation (the CTR) more uniformly harmonizes and enhances the efficacy and uniformity of EU law. Further, under the CTR the link between clinical trials and product marketing, and the continuing focus on product safety as the specific instantiation of technological risk, is specified and tightened through its foundation on the dual legal basis of Article 114 TFEU and Article 168(4)(c) TFEU. These provisions provide objectives that are ‘pursued simultaneously’ and ‘one is not secondary to another’.184 As regards Article 114 TFEU, the CTR: harmonizes the rules for the conduct of clinical trials in the Union, therefore ensuring the functioning of the internal market in view of the conduct of a clinical trial in several Member States, the acceptability throughout the Union of data generated in a clinical trial and submitted in the application for the authorisation of another clinical trial or of the placing on the market of a medicinal product, and the free movement of medicinal products used in the context of a clinical trial.185

In a derogation from the limits on EU competence for the protection and improvement of health, Article 168(4)(c) TFEU builds on the shared competence in respect of common safety concerns relating to public health matters.186 With this provision as a legal basis, the CTR is used to set ‘high standards of quality and 180  Consistent with the legal basis for internal market legislation under Art. 114 TFEU. 181  Rec. 5 Regulation (EU) 536/​2014, supra note 169 (emphasis added). Art. 288 TFEU defines directives and regulations. A directive is ‘binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods’. By contrast a regulation has ‘general application. It shall be binding in its entirety and directly applicable in all Member States.’ 182  Under the doctrine of direct effect. The CJEU has found that provided they are sufficiently clear, precise, and unconditional the provisions of directives can be relied upon before Member State courts as against the Member State only (that is, not individuals), but only where their deadline for implementation has passed and the Member State has not properly implemented them (Case 71/​74, Van Duyn v.  Home Office, [1974] ECR 1337 (ECLI:EU:C:1974:133); Case 148/​78, Pubblico Ministero v. Tullio Ratti, [1979] ECR 1629 (ECLI:EU:C:1979:110)). By contrast the CJEU has found that regulations are capable of being relied upon before Member State courts as against the Member State and individuals, as appropriate, from the date they enter into force and become applicable (as specified in the specific instrument) (Case 39/​72, Commission v. Italy, [1973] ECR 101 (ECLI:EU:C:1973:13)). 183  Statutory Instrument No. 1031/​2004. 184  Rec. 82 Regulation (EU) 536/​2014, supra note 169. 185  Rec. 82, ibid. (emphasis added). 186  Art. 4(2)(k) TFEU.

071 

Mark L. Flear

107

safety for medicinal products by ensuring that data generated in clinical trials are reliable and robust’.187 Overall, founded upon this dual legal basis, the CTR is focused on regulating technological risk instantiated as product safety. All clinical trials falling within the scope of the CTR (and CTD before it) must be designed, conducted, and reported in accordance with GCP, with Member States being required to establish systems of monitoring and inspection. Many of the GCP rules are further concretized in other legislation,188 which will be replaced in line with the application of the CTR.189 Detailed guidance established by the EMA, in accordance with the International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH), supplements EU legislation on GCP.190 GCP is: a set of detailed ethical and scientific quality requirements for designing, conducting, performing, monitoring, auditing, recording, analysing and reporting clinical trials ensuring that the rights, safety and well-​being of subjects are protected, and that the data generated in the clinical trial are reliable and robust.191

GCP frames the rights of individual trial subjects as concerning their protection from the risk of whatever is being trialled. In particular, at the heart of GCP is the requirement that ‘the rights, safety, dignity and well-​being of subjects are protected and prevail over all other interests’.192 The relationship between risk and markets reappears here: the CTR (and the CTD) (and thus the detailed guidance based thereon) refers to the marketing of medicinal products as its underlying basis and highlights how risk articulates to markets, which is of course a consequence of the legal basis for the regulation (Art. 114 TFEU).193 The CTR (like the CTD) makes reference to the ‘protection of trial subjects’.194 Protection of the research subject is safeguarded through risk assessment based on the results of toxicological experiments prior to any clinical trial, screening by research ethics committees and Member States’ competent authorities, and rules on the protection of personal data.195 References to consent occur through the CTR,196 and it is connected with the protection of clinical research subjects ‘such as the 2008 version of the World Medical Association’s Declaration of Helsinki’.197 Further protections are provided in the CTR, including for those who are incapable of giving legal consent to clinical trials.198 The EU database

187  Rec. 82 Regulation (EU) 536/​2014, supra note 169 (emphasis added). 188  Directive 2005/​28/​EC Laying down Principles and Detailed Guidelines for Good Clinical Practice as regards Investigational Medicinal Products for Human Use, as well as the Requirements for Authorization of the Manufacturing or Importation of Such Products, OJ 2005 L 91/​13. 189  For the state of play at time of publication, see Implementation Measures by the Commission in the Context of Regulation (EU) No 536/​2014—​Overview and State of Play, available at http://​ ec.europa.eu/​health/​fi les/​clinicaltrials/​overview_​clinical_​trials.pdf (last visited 22 December 2016). 190 EMA, E6: Guideline for Good Clinical Practice, CPMP/​ICH/​135/​95. 191  Art. 2(2)(30) Regulation (EU) 536/​2014, supra note 169 (emphasis added). 192  Art. 3(a), ibid. 193  Rec. 8, ibid. 194  Ch. V, ibid. 195  Rec. 67, ibid. 196  Embedded throughout and including: Recs 15, 17, 27, 44, 76, and 80, Art. 3, and Ch. V (on protection of subjects and informed consent) ibid. 197  Rec. 80, ibid. 198  Especially Art. 31 and Art. 32, ibid.

081

108

Regulating New Technologies

noted earlier brings together information on the content, commencement, and termination of clinical trials, which is subject to protections for confidentiality and invokes the right to privacy. Cross-​references to the Data Protection Directive (that will have to be revised upon the adoption of the new EU data protection legislation)199 are also embedded throughout EU clinical trials regulation—​but this protection of individual privacy essentially serves to legitimate the focus on regulating for product safety. The CTR maintains additional risk-​related requirements in order to ensure product safety is central to the manufacture and import of investigational medicinal products,200 labelling,201 the verification of compliance of investigational medicinal products with good clinical and manufacturing practice through inspections,202 and finally notification of adverse reactions.203 Where the latter are fatal or life-​threatening they must be notified to the competent authorities in the Member States. Overall, therefore, the CTR (like the CTD before it) and the detailed guidance upon which it is based are concerned with the regulation of technological risk in order to ensure the safety and marketability of products. Special provision is made for research into paediatric and orphan products so as to facilitate their development, which is undermined by, inter alia, the generally more difficult research process, a potentially higher cost-​to-​benefit ratio than for other medicines, and the resulting reduced incentive to invest in them in the first place, all of which can relate to the often smaller numbers of people who can be research subjects and who might benefit from the availability of more specialist products in individual Member States. As in relation to intellectual property safeguards, therefore, specific regulation on paediatric and orphan products seeks to mitigate the risks (especially financial) to developers. Paediatric clinical research is supported by the EU’s legislation on medicinal products for paediatric use.204 199  EU legislation currently comprises Directive 95/​46/​EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, OJ 1995 L 281/​31 (Data Protection Directive). This includes data in healthcare settings, such as that in research and development of pharmaceuticals and medical technologies more broadly. Regulation (EU) 2016/​679 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/​46/​EC (General Data Protection Regulation), OJ 2016 L 119/​1 entered into force on 24 May 2016, but will not apply until 25 May 2018. Like the CTR and the proposed new medical devices legislation, the replacement of the Data Protection Directive with the General Data Protection Regulation is notable for adoption of the latter legislation in the form of a regulation. The General Data Protection Regulation will (by its nature) better ensure the uniformity of EU law in relation to the protection of personal data (in addition there will be a new directive on the protection and free movement of data in relation to criminal offences and penalties—​this is less important for present purposes). See further: European Commission, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM(2012) 11 final; European Commission, Agreement on Commission’s EU Data Protection Reform Will Boost Digital Single Market, IP/​15/​6321. On the revision of EU data protection law, see Hustinx, supra note 9. 200  Ch. IX Regulation (EU) 536/​2014, supra note 169. 201  Ch. X, ibid. 202  Ch. XIII, ibid. 203  Ch. VII, ibid. 204 Regulation (EC) 1901/​2006 on Medicinal Products for Paediatric Use and Amending Regulation (EEC) 1768/​92, Directive 2001/​20/​EC, Directive 2001/​83/​EC and Regulation (EC) 726/​2004, OJ 2006 L 378/​1.

0 19

Mark L. Flear

109

This provides for, inter alia, EU-​wide data collection of paediatric studies,205 an EU ‘network of excellence’,206 and a Paediatric Committee, operating within the general EU and ICH framework.207 The network ‘should contribute to the work of strengthening the foundations of the European Research Area in the context of Community Framework Programmes for Research, Technological Development and Demonstration Activities, benefit the paediatric population and provide a source of information and expertise for industry’.208 The network, as well as other incentives, such as the assessment by the EMA of paediatric investigation plans, fee waivers for scientific advice, information and transparency measures, and research funding under the FP and now Horizon 2020,209 are supported by EU funds.210 The focus of these efforts is on facilitating the market authorization of products for paediatric use. In other words, nevertheless the focus remains on regulating risk instantiated as being about product safety. The same can be said about legislation on paediatric clinical research. The latter is carried out in relation to so-​called ‘orphan’ medicines, that is, those intended for a rare disease or if the product’s development would not be commercially viable without incentives.211 As with other internal market legislation, a key justification for specific legislation for orphan products is the avoidance of distortions of competition and barriers to cross-​border trade within the EU.212 EU-​level action was also justified ‘in order to take advantage of the widest possible market and to avoid the dispersion of limited resources’,213 as well as the need to foster the development of EU-​based companies that can compete with companies based in the US and Japan; places that already had in place systems that incentivized the development of orphan drugs.214 In addition to GLP and GCP, and legislation on clinical trials and research into paediatric and orphan products, EU law also regulates the use of animals in the context of scientific research215 which includes research into NHTs.216 This is subject to licensing, inspection, and oversight by a competent authority of the Member State,217 which is responsible for ensuring that all breeders, suppliers, and users of animals in scientific research are authorized and registered and that they comply with the Directive.218 In order to facilitate compliance, 205  Rec. 31 and Art. 41, ibid., provide that the database on clinical trials established by Directive 2001/​20/​EC ‘should include a European register of clinical trials of medicinal products for paediatric use comprising all ongoing, prematurely terminated, and completed paediatric studies conducted both in the Community and in third countries’. 206  Rec. 31 and Art. 44, ibid. 207  Directive 2001/​20/​EC, supra note 168, and ICH guideline E11 on the Development of Medicinal Products for the Paediatric Population, are noted as important reference points for the Committee’s work. See Rec. 8 Regulation (EC) 1901/​2006, supra note 204. 208  See Rec. 31 and Art. 44, ibid. 209  Rec. 30 and Art. 40, ibid. 210  Rec. 35, ibid. 211  Art. 3 Regulation (EC) 141/​2000 on Orphan Medicinal Products, OJ 2000 L 18/​1. 212  Rec. 3, ibid. 213  Rec. 3, ibid., also see Rec. 4. 214  Rec. 2 and Rec. 8, ibid. 215  Directive 2010/​63/​EU on the Protection of Animals Used for Scientific Purposes, OJ 2010 L 276/​33. Art 62 provides that the Directive repeals Directive 86/​609/​EEC from 2013 and Art. 63 provides that the Directive replaces point (a)(iv) of Art. 8 Regulation (EC) 1069/​2009. 216  Rec. 42, ibid. 217  Art. 59, ibid. 218  Art. 20(1), ibid.

10

110

Regulating New Technologies

regular inspections are also required.219 Member States are required to recognize test data that complies with EU legislation on testing methods—​without such a requirement Member States might create barriers to trade in the products that were tested.220 Moreover, although concern for animal welfare is reflected in the legislation, the rationale is similar to that for concern over human research subjects: protection in order to satisfy ethics and rights-​based concerns, but so as to support consumption of products that are deemed safe since they meet the criteria for market authorization. EU law on genetically modified micro-​organisms (GMMOs)221 and the harmful release into the environment of genetically modified organisms (GMOs)222 is the final example of the regulation of technological risk. Like the other examples considered here, product safety provides a key rationale for the applicable legislation. For instance, GMO legislation is founded on the idea that it is ‘necessary to approximate the laws of the [Member States] … concerning the deliberate release into the environment of GMOs and to ensure the safe development of industrial products utilising GMOs’.223 Underpinning this legislation is the assumption that the harms or hazards that may arise from GMMOs or GMOs can be controlled. This is, of course, a matter of heated debate.224 In this way the legislation makes an implicit assumption about the nature and level of risk (in short, its focus) that are not necessarily shared by all—​and far from being technical and neutral acts, they are actually intensely political. To give another example, Member States must ensure that a risk assessment is carried out by anyone using GMMOs.225 Competent authorities in the Member States are required to monitor, inter alia, the suitability of containment and other protective measures, waste management, and emergency response measures. In short, legislation on GMOs and GMMOs is intended to prevent the harmful release of such organisms. Although particularly applicable to food, the legislation is also relevant to medicines that use GMMOs and GMOs which are developed and marketed within the EU. NHTs that are, or consist of, GMMOs or GMOs as defined in these directives have yet to be developed, but as mentioned earlier they are likely to become a reality. Such products would be covered by medicinal products

219  Art. 34(1), ibid. 220  Rec. 42, Art. 2(2) and Art. 46, ibid. (with an exception for data that needs further testing for the protection of public health, safety, or the environment). 221  Directive 2009/​41/​EC on the Contained Use of Genetically Modified Micro-​Organisms, OJ 2009 L 125/​75. 222 Directive 2001/​ 18/​ EC on the Deliberate Release into the Environment of Genetically Modified Organisms and Repealing Directive 90/​220/​EEC, OJ 2001 L 106/​1. 223  Rec. 7, ibid. 224  For discussion see Lee, supra note 8. 225  Defined in Art. 2(b), Directive 2009/​41/​EC, supra note 221, as ‘a micro-​organism in which the genetic material has been altered in a way that does not occur naturally by mating and/​or natural recombination; within the terms of this definition’. Further specification is provided in Annex I. They do not include, e.g., in vitro fertilization.

 1

Mark L. Flear

111

legislation (which is considered next) rather than GMMO or GMO legislation, subject to the requirement for an equivalent environmental risk assessment.226 Relatedly, one EU-​funded project, TERPMED, hopes to ‘pharm’, that is, derive new bioactive molecules from genetically modified plants. ATryn, a product which was authorized for marketing in 2007, is expressed in the milk of transgenic goats. According to the EGE such animals are, therefore, potentially important ‘[i]‌n fundamental bio-​medical research to improve our genetic and physiological knowledge; [t]o make models of human diseases; [and] [a]s an alternative source of tissues and organs for “xenotransplantation” ’.227

D. Marketing and Product Safety As already pointed out, technological risk is a central concern of EU marketing legislation and related guidance, and like the other techniques deployed through the development pipeline the focus is on regulating the harms or hazards that pertain to product safety of pharmaceuticals and medical devices. Just as in relation to other types of regulatory activity, this focus marginalizes and obscures other kinds of harms or hazards to which risk might pertain as well as alternative understandings of risk and framings of regulation. In this way marketing legislation is the culmination of the EU’s various efforts to shape technoscientific trajectories, in that it ensures market availability and a return on the investment of time and money in development. As such, this type of regulatory activity is vital to market optimization and through it the production and legitimation of the EU’s identity and project of integration. This legislation is concerned with ensuring pharmaceuticals and medical devices can be put onto the market, i.e. granted market authorization, but only when they are safe, efficacious, and of the correct quality, and it is to this extent that the legislation pre-​empts Member State measures. EU legislation on medicinal products dates from the 1960s and is the oldest on product safety. The legislation has been significantly revised228 and is now assembled into the 2001 Community code.229 Under the Community code, medicinal products are defined by ‘presentation’230 and by ‘function’231 and that includes most pharmaceuticals except those that are ATMPs.232 There are several types of procedure for the marketing of pharmaceuticals,233 but it is the centralized procedure involving the EMA that 226  Art. 5 Directive 2001/​18/​EC, supra note 222. Also see EMA, Guideline on Environmental Risk Assessments for Medical Products Consisting of, or Containing, Genetically Modified Organisms (GMOs), EMEA/​CHMP/​BWP/​473191/​2006—​Corr. 227  Group of Advisors on the Ethical Implications of Biotechnology (now EGE), Ethical Aspects of Genetic Modification of Animals (Opinion No. 7). 228  E.g. Directive 65/​65/​EEC on the Approximation of Provisions Laid Down by Law, Regulation or Administrative Action Relating to Proprietary Medicinal Products, OJ 1965 L 22/​369. 229  Directive 2001/​83/​EC, supra note 18. 230  For more detail see supra note 18. 231  Likewise, see supra note 18. 232  Regulation (EC) 1394/​2007, supra note 21. 233 For an overview see Authorization Procedures for Medicinal Products, available at http://​ ec.europa.eu/​health/​authorisation-​procedures_​en.htm (last visited 22 December 2016). Mutual recognition applies to most conventional products and means that a manufacturer can obtain market authorization in one Member State after which it is recognized in all others—​producing competition between Member State regulators. There is also the less well-​used decentralized procedure,

12

112

Regulating New Technologies

is most applicable to NHTs. This is the case since this procedure is compulsory for products derived from biotechnology (which obviously includes ATMPs) and includes vaccines produced by specially engineered plants noted earlier, orphan medicinal products, and products for human use containing an active substance authorized and intended for the treatment of HIV/​A IDS, cancer, neurodegenerative disorders, or diabetes.234 Products that represent a significant scientific, therapeutic, or technical innovation or that benefit public health can also make use of this route to the market. Consistent with Article 114 TFEU the Community code and the legislation on the centralized procedure include safeguard clauses that permit temporary measures by Member States, but these focus on public health grounds.235 Public policy and public morality grounds are available to prohibit medicinal products including ATMPs, but they can be used only exceptionally.236 The latter is therefore available to prohibit ATMPs that make use of, for example, embryonic stem cells. The narrow scope of these grounds for temporary national measures underscores the narrowing of regulatory attention to ensuring product safety, and the marginalization of other harms or hazards to which risk regulation might pertain. EU legislation on medical devices currently takes the form of three directives, but these will (likely) be replaced by two new regulations.237 The reason for the replacement (like the replacement of the CTD by the CTR noted earlier) further

which allows for simultaneous approval in several Member States and is applicable to the majority of conventional medicinal products. 234  Regulation (EC) 726/​2004, supra note 20. 235  Specifically, Art. 35(1) Directive 2001/​83/​EC, supra note 18, states: ‘Where a Member State considers that the variation of a marketing authorization which has been granted in accordance with the provisions of this Chapter or its suspension or withdrawal is necessary for the protection of public health, the Member State concerned shall forthwith refer the matter to the Agency’ (emphasis added). Art. 35(2) continues in a similar vein: ‘in exceptional cases, where urgent action is essential to protect public health, until a definitive decision is adopted a Member State may suspend the marketing and the use of the medicinal product concerned on its territory. It shall inform the Commission and the other Member States no later than the following working day of the reasons for its action’ (emphasis added). Art. 20(4) Regulation (EC) 726/​2004, supra note 20, on the centralized procedure states: ‘Where urgent action is essential to protect human health or the environment, a Member State may, on its own initiative or at the Commission’s request, suspend the use in its territory of a medicinal product for human use which has been authorised in accordance with this Regulation’ (emphasis added) and there are similar reporting procedures as under the Community code. 236  Rec. 13 Regulation (EC) 726/​2004, supra note 20 states: ‘Member States should be able exceptionally to prohibit the use in their territory of medicinal products for human use which infringe objectively defined concepts of public policy and public morality’ (emphasis added). More specifically, Rec. 7 Regulation (EC) 1394/​2007, supra note 21, states: ‘The regulation of advanced therapy medicinal products at Community level should not interfere with decisions made by Member States on whether to allow the use of any specific type of human cells, such as embryonic stem cells, or animal cells. It should also not affect the application of national legislation prohibiting or restricting the sale, supply or use of medicinal products containing, consisting of or derived from these cells’ (emphasis added). 237  At the time of writing, and by contrast to the regulation of clinical trials, the new medical devices legislation has yet to be adopted and so further consideration of the possible changes to EU regulation in this area will not be considered. See further Revision of the Medical Device Directives, available at http://​ec.europa.eu/​growth/​sectors/​medical-​devices/​regulatory-​framework/​revision/​ index_​en.htm (last visited 22 December 2016).

1 3

Mark L. Flear

113

underscores the salience and centrality of product safety as the focus of technological risk regulation. Indeed, it is noted that against: constant technological and scientific progress, substantial divergences in the interpretation and application of the rules have emerged, thus undermining the main objectives of the Directives, i.e. the safety of medical devices and their free movement within the internal market. Moreover, regulatory gaps or uncertainties exist with regard to certain products (e.g. products manufactured utilising non-​viable human tissues or cells; implantable or other invasive products for cosmetic purposes).238

The (proposed) new regulatory framework ‘aims to overcome these flaws and gaps and to further strengthen patient safety’.239 Significantly, safety is explicitly tied to the achievement of programmatic priorities, in that it is noted that the framework ‘should be supportive of innovation and the competitiveness of the medical device industry and should allow rapid and cost-​efficient market access for innovative medical devices, to the benefit of patients and healthcare professionals’.240 The current legislation on medical devices (at the time of writing) is (unusually) explicitly presented as ‘Based on the New Approach’241 to harmonization and is applicable to the cluster of examples referred to above, i.e. apps that monitor health and lifestyle, self-​diagnosis kits like 23andme, and medical devices using DEHP. In addition to the Medical Devices Directive that in all likelihood applies to these examples, since it is applicable to devices that are used in the diagnosis, prevention, monitoring, treatment, or alleviation of disease that do not achieve their intended purpose by pharmacological, immunological, or metabolic means (the definition of medical devices), there is also the Active Implantable Medical Devices Directive.242 There is a separate In Vitro Diagnostic Medical Devices Directive.243 Medical devices legislation is important for marketing in that it requires and leads to ‘CE’ product safety certification, which is otherwise regulated in the EU by the Directive on General Product Safety.244 This system contrasts with that applicable to medicines, in that the CE system is more industry-​based.245 These marketing 238 European Commission, Proposal for a Regulation on Medical Devices, and amending Directive 2001/​83/​EC, Regulation (EC) No 178/​2002 and Regulation (EC) No 1223/​2009, COM(2012) 542 final, at 2 (emphasis added). 239  Ibid. (emphasis added). 240  Ibid. (emphasis added.) 241  Medical Devices, available at http://​ec.europa.eu/​health/​medical-​devices/​regulatory-​ framework/​index_​en.htm (last visited 22 December 2016). Original capitalization. 242  See Directive 93/​42/​EEC, supra note 19 on Medical Devices and Art. 1(2)(a) Directive 90/​ 385/​EEC on the Approximation of the Laws of the Member States Relating to Active Implantable Medical Devices, OJ 1990 L 189/​17. The latter Directive also covers devices used in ‘diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap, investigation, replacement or modification of the anatomy or of a physiological process’ and to ‘control conception’. Under Art. 1(2)(c) an ‘active implantable medical device’ is defined as ‘any active medical device which is intended to be totally or partially introduced, surgically or medically, into the human body or by medical intervention into a natural orifice, and which is intended to remain after the procedure’. 243  Directive 98/​79/​EC on In Vitro Diagnostic Medical Devices, OJ 1998 L 331/​1. 244  Directive 2001/​95/​EC on General Product Safety, OJ 2002 L 11/​4. 245  Dorbeck-​Jung and Chowdhury, ‘Is the European Medical Products Authorization Regulation Equipped to Cope with the Challenges of Nanomedicines?’, 33 Law and Policy (2011) 276, at 282.

14

114

Regulating New Technologies

rules are also pertinent to the law and regulation of research processes discussed earlier in that marketing authorizations cannot be granted without compliance with principles of good laboratory and clinical practice.246 Similar to the pharmaceuticals legislation, medical devices legislation includes safeguard clauses that permit Member States to introduce temporary measures derogating from the free movement of goods, typically expressed in these or similar terms: ‘in order to ensure protection of health and safety and/​or to ensure that public health requirements are observed’.247 A little wider than the temporary derogation on (essentially) public health grounds in relation to pharmaceutical products under the Community code, these temporary derogations again underline the narrow focus on product safety as the central concern of risk regulation through internal market law. The French ban on the use of tubes containing DEHP from paediatric, neonatal, and maternity units on public health grounds (again, which was noted in relation to negative integration) might therefore be permitted on a temporary basis.248 Further, this ban has in fact prompted attempts to ensure that future revisions of the applicable legislation contain a similar ban (which would of course be an EU-​wide ban). This move underscores the interactive relationship between justifications for restrictions on free movement (here found in harmonization measures and to some extent duplicating those found in Article 36 TFEU) and legislative revision in an effort to maintain a connection with and

246  E.g. Rec. 4 Directive 2004/​10/​EC, supra note 154 provides that the EU’s marketing legislation lays down ‘that non-​clinical tests on pharmaceutical products are to be carried out in accordance with the principles of … [GLP] in force in the Community for chemical substances, compliance with which is also required by other Community legislation’. Also see Rec. 3 Directive 2005/​28/​EC, supra note 188. 247  Art. 10(c) Directive 90/​385/​EEC, supra note 242: ‘Where a Member State considers in relation to a given product or group of products that, in order to ensure protection of health and safety and/​ or to ensure that public health requirements are observed, such products should be withdrawn from the market, or their placing on the market and putting into service should be prohibited, restricted or subjected to particular requirements, it may take any necessary and justified transitional measures’ (emphasis added) and ‘The Member State shall then inform the Commission and all the other Member States of the transitional measures, giving the reasons for its decision’. Elsewhere Art. 8 Directive 93/​42/​EEC, supra note 19 on Medical Devices states: Where a Member State ascertains that the devices … when correctly installed, maintained and used for their intended purpose, may compromise the health and/​or safety of patients, users or, where applicable, other persons, it shall take all appropriate interim measures to withdraw such devices from the market or prohibit or restrict their being placed on the market or put into service. The Member State shall immediately inform the Commission of any such measures, indicating the reasons for its decision and, in particular, whether non-​compliance with this Directive. (Emphasis added) Finally, Art. 13 Directive 98/​79/​EC, supra note 243, ‘Where a Member State considers … that, in order to ensure protection of health and safety and/​or to ensure that public health requirements are observed pursuant to Art. 36 of the Treaty, the availability of such products should be prohibited, restricted or made subject to particular requirements, it may take any necessary and justified transitional measures. It shall then inform the Commission and all the other Member States, giving the reasons for its decision’ (emphasis added). Once any of these safeguard clauses has been triggered the Commission goes on to consult the other Member States and decide on new or amended legislation in order to address the regulatory challenge. 248  Most likely under Art. 8 Directive 93/​42/​EEC, supra note 19.

5 1

Mark L. Flear

115

shape technoscientific trajectories (but in ways that continue to centralize product safety concerns over other possible matters as the focus of technological risk regulation). However, further underlining the implications of the focus on product safety, a ban on 23andme for reasons beyond a failure to meet essential health and safety requirements would not seem to be permitted under this legislation—​and since those requirements have been met the Medicines and Healthcare products Regulatory Agency has authorized this product’s marketing in the UK.249 There is additional product safety legislation relating to human tissue,250 blood,251 and organs.252 However, this legislation is not based on Article 114 TFEU; instead it is based on (what is now) Article 168 TFEU (which as noted earlier is the legal basis for EU action in the field of public health), since these things are not commonly recognized as ‘products’ in European cultures.253 The focus of this legislation is still on the regulation of risk, including in the case of NHTs. Yet, the fact that the basis of this legislation is Article 168 TFEU suggests that the market frame must sometimes recede from view or be supported by others—​such as bioethics, as exemplified in references to EGE opinions in the recitals introducing and justifying legislation,254 or elsewhere through assurances of compliance with human rights protections, for instance in relation to clinical trials. Overall, product safety legislation focuses on a narrow set of harms or hazards and it is these that form the focus of technological risk regulation understood as being about product safety and quality.255 The underpinning rationale of this focus is the internal market and the generation of economic optimization. As stated in the Community code: ‘Trade in medicinal products within the [EU] is hindered by disparities between certain national provisions, in particular between provisions relating to medicinal products … , and such disparities directly affect

249  Again, in this case the legislation that is likely to apply is Directive 93/​42/​EEC, supra note 19. For authorization of ‘23andme’ see supra note 73. 250 Directive 2004/​ 23/​ EC on Setting Standards of Quality and Safety for the Donation, Procurement, Testing, Processing, Preservation, Storage and Distribution of Human Tissues and Cells, OJ 2004 L 102/​48. 251 Directive 2002/​98/​EC on Setting Standards of Quality and Safety for the Collection, Testing, Processing, Storage and Distribution of Human Blood and Blood Components and Amending Directive 2001/​83/​EC, OJ 2002 L 33/​30. 252  Directive 2010/​53/​EU on Standards of Quality and Safety of Human Organs Intended for Transplantation, OJ 2010 L 207/​14. 253  A.-​M. Farrell, The Politics of Blood: Ethics Innovation and the Regulation of Risk (2012); Farrell, ‘The Politics of Risk and EU Governance of Human Material’, 16(1) Maastricht Journal of European and Comparative Law (2009) 41. 254  E.g. Directive 2004/​23/​EC, supra note 250 and Regulation (EC) 1394/​2007, supra note 21. 255  See, e.g., Recs 1–​5, 8, 11, 13, 15, 19, 28, 31, and 32 and Arts 1, 8, 9, 11, and 16–​24, and of course the title of Directive 2004/​23/​EC, supra note 250; Recs 3, 4, 7, and 11 Directive 2011/​62/​ EU amending Directive 2001/​83/​EC on the Community Code Relating to Medicinal Products for Human Use, as regards the Prevention of the Entry into the Legal Supply Chain of Falsified Medicinal Products, OJ 2011 L 174/​74. This Directive aims to prevent falsified medicines, which can include NHTs, such as the monoclonal antibody, Avastin, see the report to the effect that some samples of Avastin had salt, starch, and various chemicals, but none of the life-​saving active ingredients, see http://​w ww.reuters.com/​a rticle/​2012/​02/​27/​us-​avastin-​idUSTRE81Q29X20120227 (last visited 22 December 2016).

16

116

Regulating New Technologies

the functioning of the internal market’.256 So, for example, the need to ‘safeguard public health’ articulated as a patient or consumer safety matter is mentioned (and is the central ground for a temporary derogation from the legislation and the free movement of goods), but the rationale is protecting and promoting the market in those products.257 The Community code is exemplary of this: ‘[w]‌hile the fundamental objective of the regulation of medicinal products is to safeguard public health, this aim should nevertheless be achieved by means that do not impede the free movement of safe medicinal products within the Union’.258 An important consequence of the focus on safety and quality is that new products do not have to constitute improvements over and above what is already available. For example, as the EMA explains in its ‘soft law’ guidance on ‘medicinal products’, ‘it is not necessary for the benefit-​risk profile of an experimental medicine [in clinical trials] to [be] at least as favourable as the benefit-​risk profile of any or all established medicines in order to receive marketing authorisation’.259 For example, producing a new pharmaceutical that has fewer side effects can be useful, as can having multiple equally effective medicines available as a way of tackling resistance to medication. However, consistent with the criteria for market authorization under the Community code, clinical trials need only at the bare minimum ensure that pharmaceuticals are as good as or at least no worse than existing products. In short, the focus is on bringing goods to market rather than improvements in health outcomes. Regulating technological risk instantiated as product safety is of continuing importance in that it extends beyond market authorization into post-​marketing monitoring and surveillance. In relation to medicinal products or pharmaceuticals, for example, this occurs through so-​called pharmacovigilance,260 a system that requires those who hold the authorizations and medical professionals to be watchful for and report adverse reactions (a similar system operates under the medical devices legislation). The efficacy of ATMP products must also be

256  Rec. 4 Directive 2001/​83/​EC, supra note 18. 257  The EU is not alone in focusing on markets, see R. C. Eccleston, A Model Regulatory Program for Medical Devices: An International Guide (2001), at 3–​4. 258  Rec. 4 Directive 2010/​84/​EU Amending, as Regards Pharmacovigilance, Directive 2001/​ 83/​EC on the Community Code Relating to Medicinal Products for Human Use, OJ 2010 L 348/​ 74 (emphasis added). 259 EMA, Reflection Paper on the Need for Active Control in Therapeutic Areas Where Use of Placebo is Deemed Ethical and One or More Established Medicines are Available, EMA/​759784/​2010, at 3–​4 (emphasis added). Art. 82 Regulation (EU) 536/​2014, supra note 169 states that on the basis of Art. 168(4)(c) TFEU the new regulation helps to ensure ‘that treatments and medicines which are intended to be an improvement of a treatment of patients build on reliable and robust data’ (emphasis added). This basis implies that clinical trials data is also intended to demonstrate that a new pharmaceutical is an improvement over what is already available. However, the criteria for market authorization ensure that this is not necessarily the case. 260 Regulation (EU) 1235/​ 2010 Amending, as Regards Pharmacovigilance of Medicinal Products for Human Use, Regulation (EC) 726/​2004, OJ 2010 L 348/​1; Directive 2010/​84/​ EU Amending, as Regards Pharmacovigilance, Directive 2001/​83/​EC on the Community Code Relating to Medicinal Products for Human Use, OJ 2010 L 348/​74; Arts 101–​108b Directive 2001/​ 83/​EC, supra note 18.

17 

Mark L. Flear

117

followed up261 and there is a requirement to ensure the traceability of ATMPs.262 Member States share pharmacovigilance information through the EMA and its Pharmacovigilance Risk Assessment Committee, using the ‘Eudravigilance’ database.263 In addition, the Product Liability Directive264 provides that producers are liable for damage caused by a defect in products, except where it is possible to show that the state of scientific and technical knowledge at the time when the product was put into circulation was not such as to enable the defect to be discovered.265 In these main ways EU post-​marketing legislation extends the pre-​ emptive effects of EU internal market law (in relation to Member State measures). Although there is no harmonization of a ‘basket of healthcare goods’ across the EU’s internal market, there are additional post-​marketing techniques aimed at facilitating take-​up and consumption by healthcare systems. For example, there are efforts to develop common EU-​level health technology methodologies for assessing NHTs.266 This occurs through the sharing of national health technology assessments.267 These efforts are risk-​based: they are concerned with assessing, inter alia, the product safety risks posed by NHTs and putting that knowledge forward for consideration in funding decisions.

5. Conclusions It should be apparent by now that the EU’s internal market law remains of ongoing relevance to the regulation of new and innovative technologies. Internal market law plays a leading role by engaging with and seeking to regulate technological risk through the complementary modes of negative integration and positive integration that have been traced in Sections 3 and 4 of this chapter. In terms of negative integration, regulation principally occurs through the engagement of internal market provisions and principles with national measures that seek to regulate new technologies. In this mode EU law disapplies national laws that are deemed unjustifiably restrictive to free movement. This does not go so far as to narrow the range of national regulation to product safety, but there is a narrowing of the scope of permissible risk regulation. The interpenetration of trade through the facilitation 261  Art. 14(1) Regulation (EC) 1394/​2007, supra note 21. For other medicinal products, generally only safety studies are requested. 262  Art. 15, ibid. 263  Regulation (EU) 1235/​2010, supra note 260. 264  Directive 85/​374/​EEC on the Approximation of the Laws, Regulations and Administrative Provisions of the Member States Concerning Liability for Defective Products, OJ 1985 L 210/​29. 265  Knowledge of the possibility of a defect is likely to make the defence inapplicable: A v. National Blood Authority, The Times, 4 April 2001 (QB). 266  This is a ‘toolkit’ that assists in making specific technology appraisal decisions (such as made by NICE in England). 267  Art. 15(2)(b) Directive 2011/​24/​EU, supra note 17 provides that one of the objectives of the health technology assessment network shall be to support Member States in the provision of objective, reliable, timely, transparent, comparable, and transferable information on the relative efficacy as well as on the short-​and long-​term effectiveness, when applicable, of health technologies and to enable an effective exchange of this information between the national authorities or bodies.

18

118

Regulating New Technologies

of free movement is in turn tied to the production and legitimation of the EU’s identity, socio-​technical order, and the project of integration. Through the complementary and necessary mode of positive integration the EU becomes even more clearly involved in the regulation of technological risk. This occurs through the use of various techniques, foremost among them internal market legislation, but also encompassing a range of supporting measures. These positive integration techniques are all directed at regulating technological risk instantiated narrowly as product safety, occasionally with references to guarantees of compliance with ethical standards and protections (and human rights usually through those). The central aim of these techniques is to prevent fragmentation of the internal market and the conditions of competition by steering, limiting, and, in the case of legislative measures, pre-​empting diverse national approaches and responses to technological risk—​and this actually underscores the complexity of risk and the scope for contestation. In these ways the EU engages with technological risk, and that engagement becomes central to more than the continued application, efficacy, and legitimation of its internal market law. Through its engagement the EU comes to present, produce, and legitimate itself—​and its identity—​in quite specific ways. The regulation of risk provides the EU with a key opportunity to delineate the boundaries of its responsibility and accountability (i.e. for new technologies that are determined to be ‘safe’ within the narrow framing of risk), while sidelining notions of risk that pertain to alternative harms and hazards (besides product safety) and key normative questions about technoscientific trajectories, including what is being done, why, how, who benefits, and who is hurt. These matters are decided at the overarching level of governance, but through the subsequent framing of EU regulation as being about regulating a particular kind of risk they are effectively removed as topics of democratic debate. This is despite those dimensions being key biopolitical issues for the EU’s citizenry, as well as those who are enfolded in the regime or consume its products,268 but who are thereby reduced to and governed as a very particular kind of European ‘risk society’.269 This analysis points to the role of technological risk regulation in extending existing power relations, technoscientific, and ultimately sociopolitical trajectories. Far from simply following technoscientific development and struggling to keep up, internal market law is of central importance to attempts at steering its path and direction, engaging as it does through tightening relations with research and knowledge creation, manufacturing processes, and marketing.270 In these ways the analysis in this chapter also alludes to the ways in which internal market

268  M. Foucault, Security, Territory, Population:  Lectures at the Collège de France, 1977–​1978 (2007). 269  U. Beck, Risk Society:  Towards a New Modernity (1986); U. Beck, World at Risk (2009); Giddens, ‘Risk Society:  The Context of British Politics’, in J. Franklin (ed.), The Politics of Risk Society (1998). 270 Resonant with work in Science and Technology Studies:  Jasanoff, ‘The Idiom of Co-​ Production’, in S. Jasanoff (ed.), States of Knowledge (2004); S. Jasanoff, Designs on Nature (2005).

1 9

Mark L. Flear

119

law is itself representative of (re)configurations between power and responsibility (through the extension of EU power through its market orientation and beyond the formal Treaty-​based boundaries), governance and the governed (with the latter extending beyond EU citizens to encompass consumers of internal market law-​compliant products and those enrolled as biomedical labour in regulatory processes), knowledge and power (seen in tightening and co-​productive relations), and sovereignty and territoriality (through the EU’s regulation of free movement across the territory of its Member States), in order to ensure market circulation of products and generate economic optimization.271 Overall, the chapter underlines a concern that has been largely overlooked in legal scholarship on new technologies: the alignment, (re)configuration, and (re) orientation of law to and within market-​oriented norms, values, and rationalities, as part of political projects of rule (here, the EU’s) that seek to shape technoscientific innovation and trajectories in order to serve their particular priorities and aims. In other words, through engagement with technological risk, internal market law is itself being (re)articulated, (re)imagined, (re)oriented, and harnessed as part of a broader strategy of building and (re)legitimating the EU’s identity as a supranational entity.272 In this strategy the EU’s socio-​technical order and ultimately the project of European integration are to be established upon and legitimated through the achievement of a competitive, innovative, and optimized economy. The focus of the strategy, in short, is on increasing the market availability of goods rather than ensuring that they are comparatively better than existing options, meet genuine health needs, and improve health outcomes. Despite the masking of these normative dimensions, and the marginalization of other kinds of harms or hazards to which risk might pertain, the EU’s dominant market-​based identity, order, and model of integration can be challenged. The downplaying of other possible responses to technological risk occurs through constraints on the type, scope, and nature of risks that can feasibly be regulated at Member State level by negative integration and the further limiting of national diversity in technoscientific development by various complementary positive integration techniques that in the case of legislation have pre-​emptive effects. The downplaying of other responses marks an attempt to influence technoscientific trajectories by limiting contestation. However, crucially, that same attempt also points to the existence of, and potential for the recognition of, wider understandings of risk and alternative framings of regulation. In particular, although currently inflected in places and seeming to operate more as legitimating devices, it is possible to use human rights and bioethics in order to contest and (re)frame regulation, especially harmonization legislation and supporting measures. For example, there could be an increased stress on the 271 Foucault, supra note 4; A. Ong, Neoliberalism as Exception:  Mutations in Citizenship and Sovereignty (2006). Cf. W. Walters and J. H. Haahr, Governing Europe: Discourse, Governmentality and European Integration (2006). 272  B. Anderson, Imagined Communities (1983); Y. Ezrahi, The Descent of Icarus (1990); J. C. Scott, Seeing Like a State (1998).

201

120

Regulating New Technologies

EU’s responsibility to ensure a high level of human health protection in order to ensure the development of products that are safe, genuinely needed in order to meet pressing health needs, and comparatively better than existing options. These (and other possible) framings can bring into view and regulate for a more diverse set of aims and concerns, recognize contestation about the focus and direction of scientific and technological development, and facilitate democratic debate.273 Far from lagging behind technoscientific development, the way in which the EU keeps up—​via internal market law and supplementary techniques that are steered by the aims and priorities set at the overarching level of governance—​leads to a particular economic and market identity and orientation and the downplaying of other possible responses.

273  For discussion see Flear, Governing Public Health, supra note 10.

1 2

PA RT   I I EU L AW A N D N E W T E C H NOL O G I E S — ​C H A L L E NG E A N D R E S P ONSE

21

231 

5 EU Data Protection Law: The Review of Directive 95/​46/​EC and the General Data Protection Regulation Peter Hustinx*

1. Introduction The concept of ‘data protection’ was developed almost four decades ago in order to provide legal protection to individuals against the inappropriate use of information technology in processing information relating to them. It was not designed to prevent the processing of such information or to limit the use of information technology per se. Instead, it was designed to provide safeguards whenever information technology would be used for processing information relating to individuals. This was based on the early conviction that the extensive use of information technology for this purpose could have far-​reaching effects for the rights and interests of individuals.1 In other words, data protection was about the rights and interests of individuals and—​in spite of the terminology used—​not mainly about the data relating to those individuals. This notwithstanding, the concept was developed at a point in time when it was still early days in terms of the ubiquitous use of information technology. The situation is rather different now due to the internet and mobile devices which are all around us, every minute of every day, both in our personal and in our professional lives. This situation is likely to increase even further in *  This chapter, finalized in June 2014, is based on the lectures given at the Law of the European Union summer course, 1–​12 July 2013. It also draws on material used in multiple articles and speeches published by the author during recent years, such as ‘Gegevensbescherming in de informatiemaatschappij’, in E. J. Numan et al. (eds), Massificatie in het privaatrecht (2010) 77, and ‘EU Data Protection Law—​Current State and Future Perspectives’, speech at High Level Conference on ‘Ethical Dimensions of Data Protection and Privacy’, Centre for Ethics, University of Tartu/​Data Protection Inspectorate, Tallinn (Estonia), 9 January 2013, available at https://​secure.edps.europa. eu/​EDPSWEB/​webdav/​site/​mySite/​shared/​Documents/​EDPS/​Publications/​Speeches/​2013/​13-​01-​ 09_ ​Speech_​Tallinn_ ​EN.pdf (last visited 20 September 2016). The author is grateful for comments made on a draft version by C. Docksey. 1 See infra Section 2. EU Data Protection Law: The Review of Directive 95/46/EC and the General Data Protection Regulation, First Edition, Peter Hustinx © Peter Hustinx 2017. Published 2017 by Oxford University Press

214

124

EU Data Protection Law

the future. It is therefore appropriate to consider the current state of EU data protection law. Another reason for the relevance of EU data protection law is that, at the moment, its main instrument Directive 95/​46/​EC, also known as the Data Protection Directive, has become the subject of a wide-​ranging review to make it more effective in a world where information technology is playing a prominent role in all fields of life. This review is approaching the final stage of political decision-​making: the European Parliament and the Council are preparing for negotiations to establish the future EU legal framework for data protection, which could last for several decades. For this reason, it is also the right moment to take stock of where we stand in terms of EU data protection law and to take a closer look at some of the key issues.2 The context of the review only adds to the relevance of this exercise. Apart from the dynamic character of our digital environment and the ambition to benefit from these developments in a Digital Agenda that contributes to economic growth, we have also recently discovered that this environment is more vulnerable than most people had assumed. The revelations of large-​scale monitoring of our online behaviour by the US National Security Agency and other intelligence services have rightly sent shock waves around the world. At the same time, it is now clear that many business practices online, including some of the most popular ones, are also based on extensive monitoring of consumer behaviour, and that the growing practice of providing ‘free’ services in exchange for monitoring has created opportunities for large-​scale spying by other actors. The review of the EU legal framework for data protection is therefore taking place within a context in which both the need for more effective protection and the challenge of delivering that protection in practice have increased enormously. Although we will not be able to answer all relevant questions, it is nevertheless useful to consider some of the solutions that are being developed to address those challenges. In this chapter we will also look at the origins of EU data protection law and the distinctions between ‘privacy’ and ‘data protection’ that have contributed to its further development. It is necessary to better understand these points so as to appreciate the issues that may arise in the context of the present and future legal frameworks. There are also important connections between both concepts. Privacy and data protection—​more precisely, the right to respect for private life and the right to the protection of a person’s personal data—​are both fairly recent expressions of a universal idea with quite strong ethical dimensions: the dignity, autonomy, and unique value of every human being. This also implies the right of every individual to develop their own personality and to have a fair say on matters that may have a direct impact on them. It explains two features that frequently appear in this context: the need to prevent undue interference in private matters and the need to ensure adequate control for individuals over matters that may affect them. 2 See infra notably Sections 5–​7.

 152

Peter Hustinx

125

Privacy and data protection as a specific field of law have developed over the last four decades at the European level, notably first of all in the context of the Council of Europe, and at a later stage mainly in the context of the EU. However, as the EU has continued on the basis of the work done by the Council of Europe, it is necessary to look at both in order to get a complete picture. In this overview we will see two main lines: the first having to do with the development of stronger privacy and data protection rights as such, and the second with the need to ensure more consistent application of those rights across the EU. Both aim to promote more effective protection in practice and less unhelpful diversity in the way protection is delivered in Member States. In both lines we will see a gradual development in different stages, which now also involves the increasing impact of the Charter of Fundamental Rights, both in the case law of the Court of Justice and in the review of the current legal framework. The fact that ‘privacy’ and ‘data protection’ are mentioned separately in the Charter also leads to issues as to the distinction between the two. This chapter will largely follow the historic timeline: the origins of data protection and the role of the Council of Europe will be discussed in Section 2 and the main lines of the current EU Directive in Section 3. After an intermezzo in Section 4 on different institutional aspects, including the Charter and the impact of the Lisbon Treaty, we will turn to the background and the main lines of the proposed General Data Protection Regulation in Section 5. In Section 6 we will highlight some of the key issues in the current legislative debate and in Section 7 we will address other issues which may require further reflection and discussion. Finally, some concluding remarks will be made in Section 8.

2.  The Origins of Data Protection A. Privacy and Private Life It was only after the Second World War that the concept of a ‘right to privacy’ emerged in international law. This first arose in a rather weak form in Article 12 of the Universal Declaration of Human Rights according to which no one shall be subjected to arbitrary interference with their privacy, family, home, or correspondence.3 More substantive protection followed in Article 8 of the European Convention on Human Rights (ECHR) according to which everyone has the right to respect for their private and family life, their home and correspondence, and no interference by a public authority with regard to the exercise of this right is allowed except in accordance with the law and where necessary in a democratic society for certain important and legitimate interests.4

3  Universal Declaration of Human Rights 1948, GA Res. 217 A(III). 4  European Convention on Human Rights 1950, ETS 5.

216

126

EU Data Protection Law

The reference to ‘home’ and ‘correspondence’ could be seen as building on constitutional traditions in many countries around the world (as a common heritage of perhaps centuries-​long tradition). However, the focus on ‘privacy’ and ‘private life’ was new and an obvious reaction to the events of the Second World War. The scope and consequences of this protection have been fleshed out by the European Court of Human Rights (ECtHR) in a series of judgments.5 In all such cases the Court considers, in short, whether there was an interference with the right to respect for private life, and if so whether it had an adequate legal basis (i.e. clear, accessible, and foreseeable) and whether it was necessary and proportionate for the legitimate interests at stake.

B. Data Protection In the early 1970s the Council of Europe concluded that Article 8 ECHR had a number of shortcomings in the light of new developments, particularly in view of the growing use of information technology:  the uncertainty as to what was covered by ‘private life’, the emphasis on protection against interference by ‘public authorities’, and the lack of a more proactive approach, also in view of the possible misuse of personal information by companies or other relevant organizations in the private sector.6 This resulted in two recommendations of the Committee of Ministers to Member States to take all necessary steps to give effect to certain principles on the protection of the privacy of individuals in the private and the public sectors.7 This coincided with the first initiatives at national level in countries such as Germany and Sweden.8 The positive experiences with these first initiatives prompted the Council of Europe to invest time in the preparation of an international agreement which would be the first binding instrument on the subject. After four years this resulted in the adoption of the Data Protection Convention, also known as Convention 108,9 which has now been ratified by 46 countries, including all EU Member States, most Member States of the Council of Europe, and one non-​Member State.10

5  See, e.g., infra Section 2D. 6  Explanatory Report to Convention 108 (see infra note 9), at para. 4. 7  Council of Europe, Committee of Ministers, Resolution (73) 22 on the Protection of the Privacy of Individuals vis-​à-​vis Electronic Data Banks in the Private Sector, 26 September 1973, and Resolution (74) 29 on the Protection of the Privacy of Individuals vis-​a-​vis Electronic Data Banks in the Public Sector, 20 September 1974. 8  The first national law was adopted in Sweden in 1972. The German State of Hessen adopted the world’s first law on data protection in 1971. The United States also played a leading role at that stage with the formulation of ‘fair information principles’ which had a great influence on the international debate. See the report Records, Computers and the Rights of Citizens, US Department of Health, Education and Welfare (1973), and the Privacy Act adopted in 1974, Pub. L. 93-​579. 9  Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981, ETS 108. 10  Uruguay was the first non-​Member State to ratify the Convention in April 2013.

2 17

Peter Hustinx

127

The purpose of the Convention is to secure for every individual in the territory of each party, whatever their nationality or residence, respect for their rights and fundamental freedoms (in particular the right to privacy) with regard to automatic processing of personal data relating to them (‘data protection’).11 The concept of ‘personal data’ is defined as ‘any information relating to an identified or identifiable individual (“data subject”)’.12 This means that ‘data protection’ is broader than ‘privacy protection’ because it also concerns other fundamental rights and freedoms and all kinds of data regardless of their relationship with privacy. At the same time it is more limited because it merely concerns the processing of personal information, with other aspects of privacy protection being disregarded. In this context, it should be noted that today many activities in the public or the private sector are connected in one way or another with the collection and processing of personal information. The real objective of the Convention is therefore to protect individuals (namely citizens, consumers, and workers amongst others) against unjustified collection, recording, use, and dissemination of their personal details. This may also concern their participation in social relations, whether in public or otherwise, and involve protecting freedom of expression, preventing unfair discrimination, and promoting ‘fair play’ in decision-​making processes. Finally, the Convention also aimed to reconcile respect for privacy and the free flow of information.13

C. Structural Safeguards The Convention contains a number of basic principles for data protection to which each party must give effect in its domestic law before it enters into force in respect of that party.14 These principles still form the core of any national legislation in this area. According to the Convention, personal data are to be ‘obtained and processed fairly and lawfully’ and ‘stored for specified and legitimate purposes and not used in a way incompatible with those purposes’, as well as ‘preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored’. Personal data should also be ‘adequate, relevant and not excessive in relation to the purposes for which they are stored’ and ‘accurate and, where necessary, kept up to date’.15 The Convention provides for stricter conditions as to ‘special categories of data’.16 Under this provision ‘personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life’ may not be processed, unless domestic law provides appropriate safeguards. The same applies to personal data relating to criminal convictions.

11  Art. 1 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, supra note 9. 12  Ibid., Art. 2(a). 13  Ibid., Preamble, para. 4. 14  Ibid., Art. 4. 15  Ibid., Art. 5. 16  Ibid., Art. 6.

218

128

EU Data Protection Law

Other basic principles of the Convention call for ‘appropriate security measures’17 and ‘additional safeguards for the data subject’, such as the right to have access to his or her own personal data, the right to obtain rectification or erasure, as the case may be, of such data, and the right to remedy if such rights are not respected.18 The concept of ‘independent supervision’ was initially not incorporated in the Convention but nevertheless followed widely in practice and at a later stage was added to the Convention via a Protocol.19 To be clear, the Convention’s approach is not that the processing of personal data should always be considered as an interference with the right to privacy, but rather that for the protection of privacy and other fundamental rights and freedoms, any processing of personal data must always observe certain legal conditions. Such conditions include the principle that personal data may only be processed for specified legitimate purposes, and only where it is necessary for these purposes, and not used in a way incompatible with those purposes. Under this approach, the core elements of Article 8 ECHR, such as interference with the right to privacy only on an adequate legal basis, and where required for a legitimate purpose, have been expanded to the broader context. In addition, under the Convention, no exceptions to these principles are allowed, except under similar conditions as the right to privacy itself.20 It should be clear that this approach only works well in practice if the system of checks and balances set out in the Convention—​consisting of substantive conditions, individual rights, procedural provisions, and independent supervision—​is sufficiently flexible to take account of different contexts and is applied with pragmatism and an open eye for the interests of data subjects and other relevant stakeholders. In this approach, the right to respect for private life set out in Article 8 ECHR continues to play an important role in the background, inter alia, to determine the legitimacy of specific, more intrusive measures. The Convention has played a major role in most Member States of the Council of Europe in setting out legislative policy. In this context, the issue of ‘data protection’ has been regarded from the outset as a matter of great structural importance for a modern society in which the processing of personal data is assuming an increasingly important role. The Convention is currently also under revision and we will briefly return to this theme at a later stage.

17  Ibid., Art. 7. 18  Ibid., Art. 8. 19 Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data Regarding Supervisory Authorities and Transborder Data Flows 2001, ETS 181; see notably Art. 1. This was mainly due to the relevant provisions in Directive 95/​46/​EC (see Section 3B). 20  Art. 9 Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, supra note 9.

291 

Peter Hustinx

129

D. Other Aspects After the adoption of Convention 108, the Council of Europe continued to play an active role in the development of a series of recommendations of the Committee of Ministers about its application in different sectors. This resulted in important clarifications of some of the key provisions.21 These recommendations have prepared the way for national legislation and also provided useful benchmarks for other international agreements.22 The provisions of the Convention were not intended to be directly applicable or included in judicial supervision of the ECHR. However, since 1997 the ECtHR has ruled in a number of cases that the protection of personal data is of ‘fundamental importance’ for a person’s enjoyment of the right to respect for private life under Article 8 ECHR, and has derived yardsticks from the Convention for determining the extent to which that right had been infringed.23 This suggests that the Court is increasingly inclined to assess compliance with the Convention—​or at least for ‘sensitive data’—​within the context of Article 8 ECHR. This also leads to the question of the extent to which the shortcomings of Article 8 ECHR that led to the adoption of Convention 108 still exist. The concept of ‘private life’ in Article 8 is still not entirely clear, but its scope has increased considerably.24 According to the case law of the Court, it is not limited to ‘intimate’ situations but also covers certain aspects of professional life and behaviour in public, either in the past or otherwise. On the other hand, those cases still often concern specific situations which involve sensitive information (relating to medical or social services), justified expectations of privacy (including the confidential use of the telephone or email at work), or inquiries by police or secret services. The Court has so far never ruled that any processing of personal data—​regardless of its nature or context—​falls within the scope of Article 8.25 The Convention therefore 21  E.g. Recommendation No. R (83) 10 of the Committee of Ministers to Member States on the Protection of Personal Data Used for Scientific Research and Statistics of 23 September 1983, clarified the concept of ‘personal data’ in point 1.2 stating that an individual should not be regarded as ‘identifiable’ if the identification requires ‘an unreasonable amount of time, cost and manpower’. The explanatory report to the Convention had said rather ambiguously that an ‘identifiable person’ was a person who could be ‘easily identified: it does not cover identification of persons by means of very sophisticated methods’ (at para. 28). 22  Recommendation No. (87) 15 of the Committee of Ministers to Member States on the Use of Personal Data in the Police Sector of 17 September 1987 has served as a benchmark for the level of data protection with regard to Europol (see Art. 14 of the Convention based on Art. K.3 of the EU Treaty on the Establishment of a European Police Office (Europol Convention) 1995, OJ 1995 C 316/​2 and Rec. 14 of the current Europol Council Decision 2009/​371/​JHA). 23  See, e.g., ECtHR, Z v. Finland (Application no. 22009/​93), 25 February 1997, at para. 95. All ECtHR decisions are available online at http://​hudoc.echr.coe.int/​. 24  See, e.g., ECtHR, Klass v. Germany (Application no. 5029/​71), 6 September 1978; Malone v.  United Kingdom (Application no.  8691/​79), 2 August 1984; Leander v.  Sweden (Application no. 9248/​81), 26 March 1987; Gaskin v. United Kingdom (Application no. 10454/​83), 7 July 1989; Niemietz v. Germany (Application no. 13710/​88), 16 December 1992; Halford v. United Kingdom (Application no. 20605/​92), 25 June 1997; Amann v. Switzerland (Application no. 27798/​95), 16 February 2000; and Rotaru v. Romania (Application no. 28341/​95), 4 May 2000. 25  In spite of sometimes ambiguous language, e.g. in ECtHR, Khelili v. Switzerland (Application no. 16188/​07), 18 October 2011, at para. 56: ‘The storage of data concerning the applicant’s private

310

130

EU Data Protection Law

merely serves as an additional source of standards for the assessment of conduct within the scope of that provision. The Court has now also ruled that Article 8 ECHR may give rise to positive obligations for the Member States and that they may consequently be held liable for a breach of privacy committed by a private party.26 However, the number of relevant cases is still limited and does not amount to a general obligation for the Member States to ensure protection of personal data in horizontal relations. The Convention therefore continues to play a useful complementary role in this respect. Only a few years after Convention 108 had been adopted, the German Constitutional Court delivered a decision in which it formulated a right to ‘informational self-​determination’ as an expression of the right to free development of the personality as laid down in Article 2(1) of the German Constitution.27 In accordance with this approach, any processing of personal data is in principle regarded as an interference with the right to informational self-​determination, unless the data subject has consented. This decision has been very influential, not only in Germany but also elsewhere in Europe. However, it should be clearly distinguished from the approach followed in Convention 108, and on that basis, as we will see, in Directive 95/​46/​EC and the relevant provisions of the EU Charter. A few months before Convention 108 was adopted, the Organisation for Economic Co-​operation and Development (OECD) adopted Privacy Guidelines which, although non-​binding, have also been very influential, particularly in countries outside Europe, such as the United States, Canada, Australia, and Japan.28 The Guidelines contained a set of basic principles drawn up in close coordination with the Council of Europe and were therefore consistent with the principles for data protection in Convention 108. However, there were also subtle but meaningful differences in detail. The scope of the Guidelines was limited to personal data ‘which because of the manner in which they are processed, or because of their nature or the context in which they are used, pose a danger to privacy and individual liberties’.29 This implied the notion of ‘risk’ as a threshold

life, including her profession, and the retention thereof, amounted to an interference within the meaning of Article 8, because it was personal data relating to an identified or identifiable individual ’ (emphasis added). However, the case was about the conservation of data, including a reference to the applicant as a prostitute, for a long period by the police, without a sufficient factual basis. Moreover, in the same judgment, the Court also said that whether the conservation of personal data raises any aspect of private life depends on the particular context in which these data have been collected and retained, the nature of the relevant data, the way in which they are used and processed, and the consequences this may have (see at para. 55). 26  See, e.g., ECtHR, Von Hannover v. Germany (Application no. 59320/​0 0), 24 June 2004, and K.U. v. Finland (Application no. 2872/​02), 2 December 2008. 27  Judgment of 15 December 1983, BVerfGE 65, 1–​71, Volkszählung. 28 OECD, Council Recommendation Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, Paris, 23 September 1980, available at http://​w ww.oecd. org/​i nternet/​ieconomy/​oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (last visited 20 September 2016). 29  Ibid., para. 2.

1 3

Peter Hustinx

131

condition for protection which was not entirely compatible with the fundamental rights-​based approach of the Council of Europe. Moreover, the need for a legitimate purpose and a lawful basis for processing of personal data per se was absent in the Guidelines.30 Both points relate to issues which are still highly relevant in global discussions.

3.  Directive 95/​46/​EC A. Harmonization Although the Council of Europe was very successful in putting ‘data protection’ on the agenda and setting out the main elements of a legal framework, it was less successful in terms of ensuring sufficient consistency across its Member States. Some Member States were late in implementing Convention 108, and those who did so arrived at rather different outcomes, in some cases even imposing restrictions on data flows to other Member States. The European Commission was therefore quite concerned that this lack of consistency could hamper the development of the internal market in a range of areas—​involving free movement of people and services—​where the processing of personal data was to play an increasingly important role. At the end of 1990 it therefore submitted a proposal for a directive in order to harmonize the national laws on data protection in the private sector and most parts of the public sector.31 After four years of negotiation this resulted in the adoption of the current Directive 95/​46/​EC which has a twofold objective.32 First, it requires all Member States to protect the fundamental rights and freedoms of natural persons, and in particular the right to privacy with respect to the processing of personal data, in accordance with the Directive. Second, it requires them not to restrict or prohibit the free flow of personal data between Member States for reasons connected to such protection.33 Both obligations are closely interrelated. They aim to bring about an equally high level of protection in all Member States with a view to achieving a balanced development of the internal market. In that respect, the Directive started from the basic principles of data protection, as set out in Convention 108 of the Council of Europe.34 At the same time, it 30  Ibid., para. 7: ‘data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject’ (emphasis added). 31  Commission Communication on the Protection of Individuals in Relation to the Processing of Personal Data in the Community and Information Security, COM (90) 314 final—​SYN 287 and 288, 13 September 1990, at 4: ‘The diversity of national approaches and the lack of a system of protection at Community level are an obstacle to completion of the internal market. If the fundamental rights of data subjects, in particular their right to privacy, are not safeguarded at Community level, the cross-​border flow of data might be impeded …’. 32  Directive 95/​46/​EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, OJ 1995 L 281/​31. 33 See ibid., Recs 7–​10 and Art. 1. 34 See ibid., notably Rec. 11.

312

132

EU Data Protection Law

specified those principles and supplemented them with further requirements and conditions. However, since the Directive adopted generally formulated concepts and open standards, it still allowed Member States fairly broad discretion on its transposition.35 The result is that the Directive has led to a much greater consistency between Member States, but certainly not to identical or fully consistent solutions.

B. Scope and Substance The current Directive is broad in scope: it applies to all processing of personal data wholly or partially by automatic means, and to the processing by other means of personal data in or intended for a filing system.36 There are two exceptions: first, processing outside the scope of Community, now Union, law and in any event where it concerns public security, defence, state security, or criminal law enforcement, and second, processing by a natural person in the course of a purely personal or household activity.37 The definitions of terms like ‘processing’ and ‘personal data’ are very close to those in Convention 108.38 The Directive also follows the basic principles of data protection set out in the Convention, but includes six criteria for the legitimacy of data processing which are not specified in the Convention.39 In this respect, personal data may be processed only in the following cases: if the data subject has unambiguously consented, or if processing is necessary for the performance of a contract to which the data subject is party, for compliance with a legal obligation, for the performance of a government task, to protect the vital interests of the data subject, or to protect the legitimate interests of the controller, except where such interests are overridden by the interests of the data subject. This requires a subtle examination of the different phases of data processing and makes it necessary for data controllers to take this analysis into account at the right time. The Directive also specifies the conditions for the processing of special categories of sensitive data.40 The starting point is a prohibition with certain exceptions:  either explicit consent of the data subject, or compliance with specific conditions, such as for the use of health data in healthcare. Other exceptions can be made at the national level, but only for reasons of ‘substantial public interest’ 35 See ibid., Rec. 9 and Art. 5. 36  Ibid., Art. 3(1). 37  Ibid., Art. 3(2). 38  Ibid., Art. 2(a) and (b). See on the second subject in more detail Article 29 Working Party, Opinion 4/​2007 on the Concept of Personal Data, adopted on 20 June 2007 (WP 136), available at http://​ec.europa.eu/​justice/​policies/​privacy/​docs/​w pdocs/​2007/​w p136_​en.pdf (last visited 20 September 2016). 39  Ibid., Art. 7. See in this context Article 29 Working Party, Opinion 15/​2011 on the Definition of Consent, adopted on 13 July 2011 (WP 187) and Opinion 6/​2014 on the Notion of Legitimate Interests of the Data Controller under Art. 7 of Directive 95/​46/​EC, adopted on 9 April 2014 (WP 217), available at http://​ec.europa.eu/​justice/​data-​protection/​a rticle-​29/​documentation/​opinion-​ recommendation/​fi les/​2011/​w p187_​en.pdf (last visited 20 September 2016), and http://​ec.europa. eu/​justice/​data-​protection/​a rticle-​29/​documentation/​opinion-​recommendation/​fi les/​2014/​w p217_​ en.pdf (last visited 20 September 2016). 40  Directive 95/​46/​EC, supra note 32, Art. 8.

3 1

Peter Hustinx

133

and ‘subject to suitable safeguards’. The Directive provides for a notification to the Commission to ensure the restrictive use of this option. Another feature of the Directive is the obligation placed on the controller to provide the data subject with adequate information, except where he already has it, on its identity, the purposes of the processing, and other relevant matters, insofar as such further information is ‘necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing’ in respect of the data subject.41 Failing to provide such transparency may lead to the data being obtained unlawfully, with all the relevant consequences. The Directive also provides for the establishment of supervisory authorities for monitoring compliance with national legislation on their territory. These supervisory authorities possess a number of specific functions and powers which they must exercise ‘with complete independence’.42 These may involve prior verification or consultation,43 complaint handling, inspections, and other enforcement activities, depending on how the Directive has been implemented in national law. These authorities cooperate in the exercise of their functions, either bilaterally or in the context of the ‘Article 29 Working Party’ which has independent advisory status at EU level.44 The territorial scope of the Directive applies to the processing of personal data carried out ‘in the context of the activities of an establishment’ of the controller on the territory of an EU Member State.45 The location where the data are processed is not relevant in this respect. This criterion is also decisive for the scope of national law within the EU. Where the controller is not established in the EU, the applicable law is that of the Member State where the means used for the processing are located.46 The Directive also applies the principle that personal data may only be transferred to third countries that ensure an adequate level of protection. In the absence of such protection, transfer is only permitted in certain situations, either on the basis of an exception, or where adequate safeguards have been provided in contracts or other relevant instruments.47 These provisions now apply to a complex reality in which, both within the EU and in relation to third countries, the question arises increasingly frequently as to what law applies and who is responsible for ensuring compliance with it. This also 41  Ibid., Arts 10–​11. 42  Ibid., Art. 28. 43  Ibid., Arts 18–​20. 44  Ibid., Arts 29–​30 which also refer to the European Data Protection Supervisor as a member of this group. 45  Ibid., Art. 4. See the CJEU in Case C-​131/​12, Google Spain, 13 May 2014, not yet published (ECLI:EU:C:2014:317), at paras 55–​56. See also Section 6D. 46  See in more detail Article 29 Working Party, Opinion 8/​2010 on Applicable Law, adopted on 16 December 2010 (WP 19), available at http://​ec.europa.eu/​justice/​policies/​privacy/​docs/​w pdocs/​ 2010/​w p179_​en.pdf (last visited 20 September 2016). 47  Directive 95/​46/​EC, supra note 32, Arts 25–​26. On this basis the European Commission has recognized a number of third countries with an adequate level of protection, and approved contractual clauses which can provide adequate protection in specific cases. For further information, see website of the European Commission and the Article 29 Working Party at http://​ec.europa.eu/​ justice/​data-​protection/​index_​en.htm (last visited 20 September 2016).

314

134

EU Data Protection Law

raises new questions concerning the internet—​on the position of websites, search engines,48 social networks, and modern advertising technology—​and relating to data flows within multinational companies, outsourcing of services, and cloud computing. In practice, adequate protection is increasingly frequently delivered in ‘binding corporate rules’, codes of conduct endorsed by enterprises that meet specific requirements and which competent supervisory bodies accept as sufficiently effective.49 The need to reconcile respect for privacy and the free flow of information—​one of the aims of Convention 108 and also visible in the objectives of the Directive—​ finally resulted in a more specific provision requiring Member States to provide for potentially very broad exemptions or derogations from certain provisions for the processing of personal data ‘carried out solely for journalistic purposes or the purpose of artistic or literary expression’ where necessary to reconcile the right to privacy with the rules governing freedom of expression.50

C. Relevant Case Law All EU Member States have transposed the Directive into national law, including the new Member States for which transposition was a condition of accession, as well as the non-​EU parties to the European Economic Area (EEA). The Commission has also launched several legal actions for improper implementation of the Directive. The first action involved the Member State with the longest experience in this area: Germany. In March 2010 the Court of Justice ruled that the requirement of ‘complete independence’ of a supervisory authority means that it should be free from any external influence.51 This position has more recently been confirmed and elaborated in cases against Austria and Hungary.52 The Court of Justice has also issued important judgments on other aspects of the existing legal framework for the protection of personal data. In its first judgments on Directive 95/​46/​EC for example, the Court ruled that it has a very broad scope which is not dependent in each case on a direct link with the internal market.53 This meant that the Directive also applies to a dispute in the public sector of a single Member State, or to the website of a church or charitable foundation. In the latter case, it also became clear that the Directive applies in principle to the 48  See, e.g., Google Spain, supra note 45, ruling that a search engine operator is a controller and has to ensure compliance with EU data protection law (see at 33 and 38). See also Section 6D. 49  Directive 95/​46/​EC, supra note 32, Art. 26(2) provides that adequate safeguards may ‘in particular’ result from appropriate contractual clauses, but does not exclude other instruments. 50  Ibid., Art. 9. 51  Case C-​518/​07, Commission v.  Germany, [2010] ECR I-​01885 (ECLI:EU:C:2010:125), at para. 30. 52  Case C-​614/​10, Commission v.  Austria, 16 October 2012, not yet published (ECLI:EU:C:2012:631), and Case C-​288/​12, Commission v. Hungary, 8 April 2014, not yet published (ECLI:EU:C:2014:237). 53  Joined Cases C-​465/​0 0, 138/​01, and 139/​01, Österreichischer Rundfunk, [2003] ECR I-​04989 (ECLI:EU:C:2003:294), at paras 41–​43, and Case C-​101/​01, Bodil Lindqvist, [2003] ECR I-​12971 (ECLI:EU:C:2003:596), at paras 39–​41.

 153

Peter Hustinx

135

internet, although the mere fact that personal data are available on a website does not mean that the provisions governing data traffic with third countries apply.54 The precise consequences of this conclusion are not yet entirely clear. Where the Directive applies to an area within the scope of Article 8 ECHR, it must be interpreted in accordance with that provision.55 In that context, the Court distinguished between processing operations that may—​or may not—​ breach Article 8 ECHR. The former applied to a national law compelling employers to supply certain data relating to salaries to a government body. Processing of the same data by the employer for employment purposes did not raise any issue of principle, as long as data protection rules were respected.56 This fits well in the distinction between ‘privacy’ and ‘data protection’ in the development of the law, as referred to earlier. The exception for data processing concerning public security and criminal law enforcement was applied by the Court in a major case about the transfer of airline passenger data to the United States for the purpose of border protection following the terrorist attacks on 11 September 2001.57 In other cases, the Court held that the exception for data processing by a natural person in the course of a purely personal or household activity only applies to activities which are carried out in the course of private or family life of individuals, which is clearly not the case where personal data are made accessible to an indefinite or unrestricted number of people.58 In one of those cases, the Court also ruled that the exception for journalistic purposes should be applied broadly, so as to include all activities with the sole object to disclose information, opinions, or ideas to the public.59 In a case about the criteria for legitimate data processing, the Court ruled that Spain had not transposed Article 7(f) of the Directive correctly, by requiring that, in the absence of the data subject’s consent, any data processed should appear in public sources.60 The Court also held that Article 7(f) has direct effect.61 The judgment limits the margin of discretion that Member States have in implementing Article 7(f). In particular, they must not overstep the fine line between specification or clarification, on the one hand, and imposing additional requirements which would amend the scope of Article 7(f), on the other hand. In a case on the scope of the right of access to automated population files in the Netherlands, the Court ruled that Member States are required to ensure a right 54  Bodil Lindqvist, supra note 53, at paras 24–​27 and 56–​71. 55  Österreichischer Rundfunk, supra note 53, at paras 68–​72. 56  Ibid., at paras 73–​74. 57  Joined Cases C-​317 and 318/​04, PNR, [2006] ECR I-​04721 (ECLI:EU:C:2006:346), at paras 56–​59 and 67–​69. See for critical analysis of this judgment:  Docksey, ‘The European Court of Justice and the Decade of Surveillance’, in H. Hijmans and H. Kranenborg (eds), Data Protection Anno 2014: How to Restore Trust? (2014) 97. 58  Bodil Lindqvist, supra note 53, at paras 46–​47, and Case C-​73/​07, Satamedia, [2008] ECR I-​09831 (ECLI:EU:C:2008:727), at paras 43–​4 4. 59  Satamedia, supra note 58, at paras 56 and 61. 60  Joined Cases C-​468 and 469/​10, ASNEF, [2011] ECR I-​12181 (ECLI:EU:C:2011:777), at paras 32–​39 and 49. 61  Ibid., at paras 51–​54.

361

136

EU Data Protection Law

of access to information on past processing, notably on the recipients of personal data and on the content of the data disclosed in the past. It is for Member States to fix a time limit for storage of that information and to provide for access which constitutes a fair balance between, on the one hand, the interest of the data subject in protecting their privacy, and on the other, the burden which the obligation to store that information represents for the controller. However, rules limiting the storage of information on processing to one year, while the basic data themselves are stored for a much longer period, do not strike a fair balance between the interest and obligation at issue, unless longer storage would put an excessive burden on the controller.62 This ruling shows a clear understanding of the key role of the data subject’s right of access and the complex environment in which it may have to be exercised in practice.

4.  Institutional Aspects A. Other Instruments So far we have focused on Directive 95/​46/​EC, but this is not the only relevant instrument of EU data protection law. There are at least three other categories of instruments—​namely acts specifying the rules in a particular area, applying the rules at EU level, and applying them in the law enforcement area—​which should be mentioned briefly. An example of the first category is Directive 2002/​58/​EC on privacy and electronic communications, which specified Directive 95/​46/​EC in the area of publicly available electronic communications services and public communications networks.63 It deals with issues ranging from security and confidentiality of communications to the storage and use of traffic and location data, and unsolicited communications, regardless of the technology used. Although the Directive therefore also applies to the internet, it does so only within its own scope. Some important data processing around websites continues to fall under the scope of Directive 95/​46/​EC.64 An example of the second category is Regulation (EC) 45/​2001 which implemented Directive 95/​46/​EC and Directive 97/​66/​EC, the predecessor of Directive 2002/​58/​EC, for EU institutions and bodies.65 Article 286 EC Treaty, adopted in 1997 as part of the Treaty of Amsterdam, provided that ‘Community acts’ on the protection of individuals with regard to the processing of personal data and the free movement of such data should also apply at the EU level, and laid down 62  Case C-​553/​07, Rijkeboer, [2009] ECR I-​03889 (ECLI:EU:C:2009:293), at paras 56–​70. 63  Directive 2002/​58/​EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, OJ 2002 L 201/​37. See notably Art. 1 on the scope and aim of the Directive. 64  See, e.g., Lindqvist, supra note 53, and Google Spain, supra note 45. 65  Regulation (EC) 45/​2001 of the European Parliament and of the Council of 18 December 2000 on the Protection of Individuals with Regard to the Processing of Personal Data by the Community Institutions and Bodies and on the Free Movement of Such Data, OJ 2001 L 8/​1.

371 

Peter Hustinx

137

the legal basis for the establishment of an independent supervisory authority. This would not have been possible without such a specific legal basis. Regulation 45/​ 2001 lays down a complete set of rules in one instrument and establishes the European Data Protection Supervisor (EDPS) with a number of tasks and powers based on those set out in Directive 95/​46/​EC.66 The third category is a little different. So far we have essentially dealt with the internal market legal basis in what used to be the ‘first pillar’ of the EU. This obviously did not apply to the other pillars, such as the common foreign and security policy (the ‘second pillar’) and the police and judicial cooperation in criminal matters (the ‘third pillar’), both introduced in the Treaty of Maastricht in 1992. The Treaty of Amsterdam transferred some of the areas covered by the third pillar—​such as immigration, asylum, and border control—​to the first pillar, thus bringing those areas within the scope of Directive 95/​46/​EC. A few regulations with considerable relevance for data protection have been adopted against this background.67 The third pillar provisions of the EU Treaty nevertheless contained some specific legal bases for legislation on data protection. The approach here was that common action in the field of police cooperation or judicial cooperation in criminal matters should be subject to appropriate safeguards on the protection of personal data, and that common standards on data protection could also contribute to the efficiency and legitimacy of the cooperation.68 This led to a number of decisions on specific subjects, including Eurojust and Europol,69 and in 2008 also to Council Framework Decision 2008/​977/​JHA with general rules on the protection of personal data processed in the context of police and judicial cooperation in criminal matters.70 The content of these rules was inspired by Directive 95/​46/​ EC and the Council of Europe Convention 108, but the level of protection was much lower in terms of scope and substance.71 As to the scope, the Decision only 66 See ibid., Arts 41–​48 on the EDPS. These provisions have served as a benchmark in the CJEU judgments on the independence of supervisory authorities (see supra notes 51 and 52, and notably Commission v. Germany, supra note 51, at paras 26–​28). 67  E.g. Council Regulation (EC) 2725/​2000 of 11 December 2000 Concerning the Establishment of ‘Eurodac’ for the Comparison of Fingerprints for the Effective Application of the Dublin Convention, OJ 2000 L 316/​1 (see notably Recs 15–​17), and Regulation (EC) 767/​2008 of the European Parliament and of the Council of 9 July 2008 Concerning the Visa Information System (VIS) and the Exchange of Data Between Member States on Short-​Stay Visas (VIS Regulation), OJ 2008 L 218/​60 (see notably Recs 17–​20, also mentioning coordinated supervision by national DPAs and EDPS). 68  See Arts 30–​31 TEU before entry into force of Lisbon Treaty. 69  Council Decision 2009/​426/​JHA of 16 December 2008 on the Strengthening of Eurojust and Amending Decision 2002/​187/​JHA Setting up Eurojust with a View to Reinforcing the Fight Against Serious Crime, OJ 2009 L 138/​14, and Council Decision 2009/​371/​JHA of 6 April 2009 Establishing the European Police Office (Europol), OJ 2009 L 121/​37. 70  Council Framework Decision 2008/​977/​JHA of 27 November 2008 on the Protection of Personal Data Processed in the Framework of Police and Judicial Cooperation in Criminal Matters, OJ 2008 L 350/​60. 71  See the Commission’s own assessment when explaining the need to replace the Decision in Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, A Comprehensive Approach on Personal Data Protection in the European Union, 4 November 2010, COM (2010) 609 final, at 14, and

381

138

EU Data Protection Law

applies when personal data are transmitted or made available to other Member States, and therefore does not extend to ‘domestic’ processing, unlike Directive 95/​46/​EC.72

B. Charter of Fundamental Rights Fundamental rights as guaranteed by the ECHR or resulting from the constitutional traditions common to the Member States have long been recognized and applied by the European Court of Justice as general principles of EU law. In June 1999, the European Council nevertheless decided that it was time to draw up a Charter of fundamental rights of the EU, in order ‘to make their overriding importance and relevance more visible to the Union’s citizens’.73 This resulted, in December 2000 at the European summit in Nice, in the proclamation of the Charter of Fundamental Rights of the European Union, initially only as a political document.74 One of the novel elements of the Charter was that, in addition to the right to respect for private life, it also contained an explicit recognition of the right to the protection of personal data in a separate provision. Article 7 concerning ‘Respect for private and family life’ states that ‘everyone has the right to respect for his or her private and family life, home and communications’. Article 8 on ‘Protection of personal data’ provides, in its first paragraph, that ‘everyone has the right to the protection of personal data concerning him or her’. In the second paragraph, it provides that ‘such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’, and that ‘everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified’. In the third paragraph, it states that ‘compliance with these rules shall be subject to control by an independent authority’.

Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World—​A European Data Protection Framework for the 21st Century, 25 January 2012, COM (2012) 9 final, at 9. 72  See notably Council Framework Decision 2008/​977/​JHA, supra note 70, Rec. 7 and Art. 1. 73  Cologne European Council, 3–​4 June 1999, Conclusions of the Presidency, at points 44–​45 and Annex IV. A convention made up of 15 representatives of the heads of state and government, 30 representatives of the national parliaments, 16 representatives of the European Parliament, and 1 representative of the Commission, chaired by Mr Roman Herzog, former President of the Federal Republic of Germany and of the German Constitutional Court, was established to draw up the Charter. 74  Charter of Fundamental Rights of the European Union, OJ 2000 C 364/​1. The Charter was solemnly proclaimed by the European Parliament, the Council, and the Commission, which committed to respecting it in their activities. The Preamble highlights that the Charter reflects ‘common values’ and ‘reaffirms … the rights as they result, in particular, from the constitutional traditions and international obligations common to the Member States, the Treaty on European Union, the Community Treaties, the European Convention for the Protection of Human Rights and Fundamental Freedoms, … and the case-​law of the Court of Justice of the European Communities and of the European Court of Human Rights’ (emphasis added).

3 19

Peter Hustinx

139

According to the explanatory notes, the rights guaranteed in Article 7 of the Charter correspond to those guaranteed by Article 8 ECHR.75 Both are typical examples of classical fundamental rights, where interference is subject to strict conditions. The only difference between them is that Article 52 of the Charter contains a more general exception clause. The explanation for Article 8 mentions that it is based on Article 286 EC Treaty and Directive 95/​46/​EC as well as on Article 8 ECHR and on the Council of Europe Convention 108. It also observes that ‘the right to protection of personal data is to be exercised under the conditions laid down in the above Directive, and may be limited under the conditions set out by Article 52 of the Charter’.76 This leads to questions about the nature of the new right and its different elements as set out in Article 8, and about the distinction between conditions for the ‘exercise’ of the right laid down in Directive 95/​46/​EC and conditions for the ‘limitation’ of the right set out in Article 52. As we have seen, the right to the protection of personal data was conceived by the Council of Europe and developed in Convention 108 in order to provide proactive protection of the rights and freedoms of individuals with regard to all processing of personal data, regardless of whether such processing was an interference with the right to respect for private life or not. This was intended as a system of ‘checks and balances’ to provide structural protection to individuals in a wide range of situations, both in the public and the private sectors. Directive 95/​46/​EC has used Convention 108 as a starting point for the harmonization of data protection laws in the EU, and specified it in different ways.77 This involved the substantive principles of data protection, the obligations of controllers, the rights of data subjects, and the need for independent supervision as main structural elements of data protection. However, the nature of data protection as a system of ‘checks and balances’ to provide protection whenever personal data are processed was not changed. In other words, Articles 7 and 8 do not have the same character and must be clearly distinguished.78

75  Explanations relating to the Charter of Fundamental Rights of the European Union, Document CONVENT 49 of 11 October 2000, explanation on Art. 7. The Bureau of the Convention prepared these explanations for each article of the Charter. They were intended to clarify the provisions of the Charter, indicating the sources and scope of each of the rights set out therein. They had initially no legal value and were only published for information. However, the third subpara. of Art. 6(1) TEU has changed their status. A slightly revised version was published in OJ 2007 C 303/​17 and referred to in the Preamble of the final version of the Charter in OJ 2007 C 303/​1. See also later publications of the Charter in OJ 2010 C 83/​389 and OJ 2012 C 326/​391. 76 See supra note 75, explanation on Art. 8. The revised version has inserted a reference to Art. 16 TFEU and Regulation 45/​2001, supra note 65, and now states that ‘[the] above-​mentioned Directive and Regulation contain conditions and limitations for the exercise of the right to the protection of personal data’. The reference to Art. 52 has now disappeared. 77  See Sections 3A and 3B. 78  This position goes further than the analysis by Kokott and Sobotta, ‘The Distinction between Privacy and Data Protection in the Jurisprudence of the CJEU and the ECtHR’, in Hijmans and Kranenborg, supra note 57, at 83 and an earlier version in 3 International Data Privacy Law (2013) 222.

401

140

EU Data Protection Law

The Convention that prepared the Charter before it was adopted at the summit in Nice had also considered including a right to informational self-​determination in Article 8, but this was rejected. Instead, it decided to include a right to the protection of personal data, to preserve the main elements of Directive 95/​46/​EC, as the explanation briefly highlights.79 Thus the essential elements set out in Article 8(2) and (3) correspond to the key principles of Directive 95/​46/​EC, such as fair and lawful processing, purpose limitation, rights of access and rectification, and independent supervision. This suggests that a ‘limitation’ of the right to data protection only arises where these main elements of data protection are not respected. Directive 95/​46/​EC and Convention 108 already provide for certain exceptions from the basic principles, where these are necessary for legitimate reasons. The distinction between conditions for the ‘exercise’ and conditions for the ‘limitation’ of the right to data protection is therefore already incorporated in the current legal framework. Moreover, it cannot be excluded that the Court of Justice might find other main elements of data protection which have not been expressed in Article 8(2) and (3), but are available in Directive 95/​46/​EC and may be seen as implied in Article 8(1) of the Charter. Such elements might also help to reinforce the elements which have already been made explicit and further develop the impact of the general right expressed in Article 8(1).80 In any case, this means that the scope of Article 8—​involving all processing of personal data—​should not be confused with the question whether the fundamental right of Article 8 has been interfered with. An interference with Article 8 does not arise from the mere fact that personal data are processed. Such interference can only be established if one or more of the main elements of the right to data protection, such as the need for a ‘legitimate basis laid down by law’ or ‘independent supervision’, have not been respected. Any limitation of the right should be addressed under Article 52 and not read in the requirement of Article 8(2) for a legitimate basis in law. This requirement is not an exception clause, but an element of the right to data protection itself. It may be that the drafters of the

79 See supra note 76. It should be noted that the Article 29 Working Party was indirectly involved in the work of the Convention. Its vice-​chairman (1998–​2000) and chairman (2000–​2004), Professor Stefano Rodotà, was also a member of the Convention. At an early stage, the Working Party adopted a recommendation to include a fundamental right to data protection in the Charter (see Recommendation 4/​99 on the Inclusion of the Fundamental Right to Data Protection in the European Catalogue of Fundamental Rights, adopted on 7 September 1999 (WP 26), available at http://​ec.europa.eu/​justice/​data-​protection/​a rticle-​29/​documentation/​opinion-​recommendation/​ files/​1999/​w p26_​en.pdf (last visited 20 September 2016)). Finally, the chairman of the Convention, as former president of the German Constitutional Court, must have highlighted the right to ‘informational self-​determination’, see supra note 73. 80  An example could be the principle of ‘purpose limitation’, which has been expressed only partly in Art. 8(2) (‘processed … for specified purposes’), but plays a crucial role in practice. See more in detail Article 29 Working Party, Opinion 3/​2013 on Purpose Limitation, adopted on 2 April 2013 (WP203), available at http://​ec.europa.eu/​justice/​data-​protection/​a rticle-​29/​documentation/​opinion-​recommendation/​fi les/​2013/​w p203_​en.pdf (last visited 20 September 2016).

41 

Peter Hustinx

141

Charter were not fully aware of this, but the explanatory note is fully in line with the approach suggested here.81

C. Impact of the Lisbon Treaty The entry into force of the Lisbon Treaty in December 2009 had an enormous impact on the development of EU data protection law. In the first place, the Charter was given the same legal value as the Treaties in Article 6(1) of the Treaty on European Union (TEU). It thus became a binding instrument, not only for the EU institutions and bodies, but also for the Member States acting within the scope of EU law.82 Moreover, the right to the protection of personal data was specifically mentioned in Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) among the general principles of the EU.83 This meant that some of the main elements of Directive 95/​46/​EC have now reached the level of primary EU law. This is also relevant for the current reform, as we will see at a later stage.84 In the second place, Article 16(2) TFEU now provides a general legal basis for the adoption of rules by the European Parliament and the Council, acting in the normal legislative procedure, ‘relating to the protection of individuals with regard to the protection of personal data’ by EU institutions and bodies and by the Member States acting within the scope of EU law, and ‘the free movement of such data’. Finally, like Article 8(3) of the Charter, Article 16(2) also underlines that compliance with these rules should be subject to the control of independent authorities.85 The terminology used in the main text recalls Directive 95/​46/​EC, but the scope of this new legal basis, which has been formulated as an obligation, in reality goes far beyond the internal market and covers in principle all EU policy areas.86 The term ‘rules’ allows the use of directives and directly applicable regulations, and the choice between the two now largely seems a political one. At a later stage, we will consider how much discretion the legislator enjoys under Article 16(2) TFEU in the light of the Charter.87 81  See also the slight differences between the original and the revised versions of the explanations on Art. 8 as highlighted in supra note 76. 82  See Art. 6(1)–​(2) TEU and Art. 51 of the Charter. See also Section 4D, on relevant case law. 83  Art. 16(1) TFEU: ‘Everyone has the right to the protection of personal data concerning them’ (emphasis added to highlight a small linguistic difference). 84  See notably in Section 7A. 85  The small linguistic difference with Art. 8(3) of the Charter (‘authority’ or ‘authorities’) does not appear to have any consequences. 86  Art. 39 TEU provides a specific legal basis for the Common Foreign and Security Policy, according to which ‘the Council shall adopt’ any relevant rules on data protection without the involvement of the Parliament. Declaration 20 adds that whenever ‘rules … to be adopted on the basis of Art. 16 could have direct implications for national security, due account will have to be taken of the specific characteristics of the matter’. Moreover, Declaration 21 acknowledges that ‘specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation … may prove necessary because of the specific nature of these fields’. 87  See Section 7A.

421

142

EU Data Protection Law

In the third place, and in a much wider sense, the Lisbon Treaty also reshaped the institutional structure of the EU.88 It largely did away with the old pillar structure and introduced the proven Community method for decision-​making in areas where unanimity had been the practice in the Council, and the Parliament only had an advisory role. Instead, the Commission now plays its usual role as initiator for new legislation to be adopted by Parliament and Council through the co-​decision procedure, each of them acting with majorities depending upon the subject. After a period of transition, the Court of Justice would also be able to fully exercise its judicial role and the Commission its role as guardian of the Treaties in the enforcement of EU laws.89 This also meant that legislation on data protection in the former third pillar which had been adopted by the Council acting alone—​sometimes even just before the Lisbon Treaty entered into force90—​would have to be replaced by rules adopted by Parliament and Council in co-​decision so as to be in line with Article 16(2) TFEU. This has added to the dynamic context of the current review of the EU legal framework for data protection.

D. Relevant Case Law In the meantime, the Charter is playing an increasingly important role in the case law of the Court of Justice. As to the scope of the Charter, the Court has ruled that it applies whenever Member States are acting within the scope of EU law.91 National law will in those cases have to respect the level of protection provided for in the Charter and the primacy, unity, and effectiveness of the EU law at stake.92 This may even imply that a constitutional provision at national level will no longer be applicable.93 However, it also means that the Charter will fully apply within the scope of EU data protection law, both for the legislator itself and at a later stage. As for the requirement of ‘complete independence’ for a supervisory authority, the first ruling on the subject was handed down a few months after the entry into force of the Lisbon Treaty, but the Court did not make specific reference to the Charter.94 However, in three subsequent cases it underlined that the requirement of independent supervision is an ‘essential component’ of the protection of personal data and derives from Article 8(3) of the Charter and Article 16(2) TFEU.95 88  This paragraph is obviously a very brief summary of the main changes in the Treaties, relevant in this context. 89  The transitional period ended on 1 December 2014 (see Art. 10 of Protocol 36 on transitional provisions, attached to the Lisbon Treaty). 90  See, e.g., the Council Decisions, supra notes 69 and 70. 91  Case C-​617/​10, Åkerberg Fransson, 26 February 2013, not yet published (ECLI:EU:C:2013:280), at paras 17–​21. 92  Case C-​399/​11, Melloni, 26 February 2013, not yet published (ECLI:EU:C:2013:107), at paras 59–​60, and Åkerberg Fransson, supra note 91, at para. 29. 93  Melloni, supra note 92, at para. 64. 94  Commission v. Germany, supra note 51. 95  Commission v. Austria, at paras 36–​37, and Commission v. Hungary, at paras 47–​48, see for both supra note 52, as well as Joined Cases C-​293 and 594/​12, Digital Rights Ireland and Seitlinger, 8 April 2014, not yet published (ECLI:EU:C:2014:238), at para. 68.

4 13

Peter Hustinx

143

It must therefore be assumed that the Court has now also expressed a view on the meaning of those provisions of primary law. In recent years, the Court has twice ruled that provisions of EU law were invalid as a result of unjustified interference with Articles 7 and 8 of the Charter. In November 2010, this was the case with provisions on the publication of information on beneficiaries of agricultural aid on a website.96 A similar case occurred in April 2014 in relation to the mandatory retention of communication data for law enforcement purposes in the context of Directive 2006/​24/​EC.97 In a third case, however, in October 2013, the Court ruled that an obligation to provide for fingerprints to be stored in a passport was valid.98 All these cases involved requests for preliminary rulings from national courts on the validity of EU laws. Although the outcome of these three cases is sound and convincing, they also illustrate a clear tendency of the Court towards a ‘combined reading’ of Articles 7 and 8 of the Charter. This approach does not, however, take account of the essential difference in character between these two provisions and thus may prevent Article 8 from reaching its full potential.99 The first of the three cases was initiated by German farmers who objected to the publication of their contact details and annual amounts in agricultural aid received. The referring court considered that the obligation to publish those data on a website constituted an unjustified interference with the fundamental right to the protection of personal data, which it felt was essentially covered by Article 8 ECHR.100 The Court of Justice noted that since the Lisbon Treaty had entered into force, the validity of the obligation had to be assessed in the light of the Charter.101 It also observed that the right to the protection of personal data, as set out in Article 8 of the Charter, was closely connected to the right to respect for private life expressed in Article 7 of the Charter, although at the same time noting that this was not an absolute right. This follows from Article 8(2) which authorizes the processing of personal data if certain conditions are satisfied, and from Article 52(1) of the Charter which accepts that limitations may be imposed on the exercise of rights as set out in Articles 7 and 8 of the Charter, as long as the limitations are provided for by law, respect the essence of those rights, and, subject to the principle of proportionality, are necessary and meet objectives of general interest or the need to protect the rights and freedoms of others. It also observed that these limitations correspond to those tolerated in relation to Article 8 ECHR.102

96  Joined Cases C-​92 and 93/​09, Volker und Markus Schecke GbR and Hartmut Eifert, [2010] ECR I-​11063 (ECLI:EU:C:2010:662). 97  Digital Rights Ireland, supra note 95. 98  Case C-​291/​12, Michael Schwarz v.  Stadt Bochum, 17 October 2013, not yet published (ECLI:EU:C:2013:670). Unlike Schecke and Digital Rights Ireland, this judgment was not delivered by the Grand Chamber. 99  For a critical analysis, see also Kranenborg, ‘Commentary on Art. 8’, in S. Peers et al. (eds), The EU Charter of Fundamental Rights: A Commentary (2014) 223, at 229–​231 and 260–​262. 100  Schecke, supra note 96, at paras 30–​31 and 44. 101  Ibid., at paras 45–​46. 102  Ibid., at paras 47–​52.

41

144

EU Data Protection Law

The Court then set out to ascertain whether the relevant provisions of EU law interfere with the rights guaranteed by Articles 7 and 8 of the Charter and, if so, whether such interference is justified having regard to Article 52 of the Charter. As for the first question, relying on the case law of the ECtHR on Article 8 ECHR and its own position in Österreichischer Rundfunk, it concluded that the publication of precise income data on a website constitutes an interference with the right to respect for private life within the meaning of Article 7 of the Charter.103 It also found that the publication was processing personal data within the scope of Article 8(2) of the Charter, and that the farmers had not consented to the publication, so that there had also been an interference with the right to the protection of personal data in Article 8 of the Charter.104 In relation to the second question the Court essentially found that the interference was not justified as there was no real evidence that the legislator had considered any less intrusive alternatives.105 This last conclusion sends a powerful message about the need for an empirical basis for any intrusive measures. However, the conclusion that the publication interfered with both Article 7 and Article 8 of the Charter does not seem fully convincing. The absence of consent was in any case more relevant for Article 7 than for Article 8, in spite of the fact that Article 8(2) specifically mentions consent as one example of a legitimate basis for processing of personal data. The point is that valid consent would very likely have prevented a finding that Article 7 had been interfered with, whereas the Court did not pay any attention to the second option set out in Article 8(2), namely ‘some other legitimate basis laid down by law’. It would then have found that the answer to the question whether this option applied could only depend on its analysis of Article 7 and not at the same time on Article 8. Indeed, the fact that the publication was processing personal data within the scope of Article 8(2) did not make it an interference with Article 8 in the absence of only one of a number of alternative options for legitimacy. However, it is clear that the very fact that the publication was an unjustified interference with Article 7 also demonstrated that it did not comply with the requirements of Article 8(2), and that is what the Court perhaps should have said. The approach of the Court is even more explicit and sweeping in its second ruling mentioned earlier concerning the storage of fingerprints in a passport. In this case a German national refused to have his fingerprints taken and disputed the validity of the relevant provisions as an infringement of the rights laid down in Articles 7 and 8 of the Charter.106 In response, the Court started from a ‘joint reading’ of those Articles, while saying that, as a general rule, any processing of personal data by a third party may constitute a threat to those rights.107 Apart from the term ‘threat’ which is much wider than ‘infringement’, this starting point seems to confuse the wide scope of Article 8—​in principle covering all processing of personal data—​with the substantive question when Article 7 or Article 8 has been interfered with.

103  Ibid., at paras 56–​59. 106  Ibid., at para. 12.

104  Ibid., at paras 60–​6 4. 107  Ibid., at paras 23–​25.

105  Ibid., at paras 81–​86.

451 

Peter Hustinx

145

Moreover, given that taking a person’s fingerprints and storing those fingerprints in a passport can be viewed as processing of personal data, the Court subsequently concludes that the taking and storing of fingerprints on the basis of the relevant provisions constitutes a threat to the rights to respect for private life and the protection of personal data.108 In its analysis of the justification of this ‘twofold threat’, the Court first observes that persons are not free to object to the processing of their fingerprints and that persons applying for passports cannot therefore be deemed to have consented to that processing.109 The Court then considers whether the processing of fingerprints can be justified ‘on the basis of some other legitimate basis laid down by law’. After substantial analysis in the light of Article 52(1) of the Charter, the Court concludes that this is indeed the case for the relevant provisions as to both Article 7 and Article 8 of the Charter.110 It is striking to see how this analysis was entirely focused on the processing of personal data and the conditions of Article 8 and Article 52(1) of the Charter. A more convincing alternative approach would have been that the Court—​fully in line with the case law of the ECtHR111—​would have found that the taking and storing of fingerprints was an interference with the right to respect for private life in Article 7, but was justified according to the criteria of Article 52(1). Instead the Court apparently saw an interference with Article 8 before it had verified whether there was ‘another legitimate basis laid down by law’. Paradoxically, the conclusion that the relevant provisions were indeed valid only confirms that the finding of an infringement of Article 8 had been premature. In the third ruling mentioned earlier concerning the mandatory retention of communication data for law enforcement purposes, the Court was asked to examine the validity of the Data Retention Directive112 in the light of Articles 7 and 8 of the Charter. In this case, the Court focused much more on Article 7 on the right to respect for private life and found that the interference with this right had been ‘wide-​ranging’ and ‘particularly serious’, and could not be justified.113 However, it also mentioned Article 8 on the right to the protection of personal data in that context. In its preliminary remarks the Court first observed that ‘such retention of data also falls under Article 8 of the Charter because it constitutes the processing of personal data within the meaning of that article and, therefore, necessarily has to satisfy the data protection requirements arising from that article’.114 The Court then observed that: 108  Ibid., at paras 26–​30. 109  Ibid., at para. 32. 110  Ibid., at paras 33–​34 and 63. 111  See, e.g., ECtHR, S and Marper v. United Kingdom (Application nos 30562/​04 and 30566/​ 04), 4 December 2008, at paras 78–​86. 112  Directive 2006/​24/​EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/​58/​EC, OJ 2006 L 105/​54. 113  Digital Rights Ireland, supra note 95, at paras 37 and 70. 114  Ibid., at para. 29.

461

146

EU Data Protection Law

whereas the references for a preliminary ruling in the present case raise, in particular, the question of principle as to whether or not, in the light of Article 7 of the Charter, the data of subscribers and registered users may be retained, they also concern the question of principle as to whether Directive 2006/​24 meets the requirements for the protection of personal data arising from Article 8 of the Charter.115

Both statements correctly reflect a particular view of the role of Article 8: it is seen as a source of requirements for the processing of personal data within its scope. However, a few paragraphs later the Court suddenly observes: Likewise, Directive 2006/​24 constitutes an interference with the fundamental right to the protection of personal data guaranteed by Article 8 of the Charter because it provides for the processing of personal data.116

This last observation is not compatible with the two previous statements and with the difference in character between Articles 7 and 8.  Once again the Court concludes that there has been an interference with Article 8 before verifying whether ‘the requirements arising from that article’ have been fulfilled. In effect, Article 8 permits the processing of personal data so long as its requirements are satisfied. In this case, the answer would have been that the ‘legitimate basis laid down by law’ was missing, but that conclusion could only be drawn after an analysis of the possible justification of the interference. In any event, the Court’s ruling makes abundantly clear that such a justification was lacking. These three cases therefore illustrate that the Court still seems to be struggling with the proper role of Article 8 of the Charter. In the cases on the independence of supervisory authorities, this role was obvious: an ‘essential component’ of the protection of personal data in Article 8(3) was missing.117 Similarly there could be an interference with Article 8 if one or more of the other essential elements in that Article—​such as fair processing, purpose limitation, rights of access, and rectification—​was not complied with. Whether such a limitation is justified or not will subsequently depend on an assessment in the light of Article 52.

5.  The Review of Directive 95/​46/​EC A. Origin of the Review Article 33 of Directive 95/​46/​EC requires the Commission to report at regular intervals on the implementation of the Directive and to submit suitable proposals for amendments if needed.

115  Ibid., at para. 30. 116  Ibid., at para. 36. 117  See notably Commission v. Austria, supra note 52, at paras 36–​37, and Commission v. Hungary, supra note 52, at paras 47–​48. However, in these cases, ‘interference’ with Art. 8(3) of the Charter was not explicitly mentioned.

471 

Peter Hustinx

147

The first report was published in May 2003, after an extensive open review process.118 This report highlighted a number of problems, including considerable divergences between Member States, either due to incorrect implementation or different policy choices within the margins of the Directive. However, as practical experience with the Directive was limited, the Commission felt it was too early for amendments. It preferred a work programme for better implementation, with different tasks for the Commission, the Member States, supervisory authorities, and other interested parties. The report also called on the Article 29 Working Party to encourage better enforcement and joint investigations in relevant sectors. In a second report, on the follow-​up of the work programme in March 2007,119 the Commission mentioned that some of the problems highlighted still existed, but did not pose a real problem for the internal market. As the legal solutions provided by the Directive remained appropriate and could also be applied to new technologies, the Commission again considered that it was too early for amendments and encouraged all actors to continue their efforts in the context of the work programme. In July 2007, the EDPS agreed that it was still not the right time to amend the Directive, but also took the position that change was unavoidable and should be prepared well.120 Shortly afterwards, and with some reluctance, the Commission started its preparations. In May 2009, it launched a public consultation about the need for change of the legal framework for data protection.121 This resulted in a very large number of reactions from a wide range of stakeholders, including a substantial contribution from the Article 29 Working Party on the ‘Future of Privacy’.122 This coincided with the entry into force of the Lisbon Treaty in December 2009, which introduced a new horizontal legal basis for data protection, and with the appointment of a new Commission with a stronger human rights agenda.123

118  Report from the Commission, First Report on the Implementation of the Data Protection Directive (95/​46/​EC), 15 May 2003, COM (2003) 265 final. See also the very informative technical annex ‘Analysis and Impact Study on the Implementation of Directive EC 95/​46 in Member States’. Both documents are available at http://​ec.europa.eu/​justice/​data-​protection/​document/​transposition/​index_​en.htm (last visited 20 September 2016). 119  Communication from the Commission to the European Parliament and the Council on the Follow-​up of the Work Programme for Better Implementation of the Data Protection Directive, 7 March 2007, COM (2007) 87 final, available at http://​ec.europa.eu/​justice/​data-​protection/​law/​ follow-​up-​work-​programme/​index_​en.htm (last visited 20 September 2016). 120  Opinion of the EDPS of 25 July 2007 on the Communication from the Commission to the European Parliament and the Council on the Follow-​up of the Work Programme for Better Implementation of the Data Protection Directive, OJ 2007 C 255/​1. 121  See information available at http://​ec.europa.eu/​justice/​newsroom/​data-​protection/​opinion/​ 090501_​en.htm (last visited 20 September 2016). 122  Article 29 Working Party and Working Party on Police and Justice, ‘The Future of Privacy’, Joint contribution to the Consultation of the European Commission on the Legal Framework for the Fundamental Right to Protection of Personal Data, adopted on 1 December 2009 (WP 168), available at http://​ec.europa.eu/​justice/​policies/​privacy/​docs/​w pdocs/​2009/​w p168_​en.pdf (last visited 20 September 2016). 123  Ms Viviane Reding, Vice-​President of the Commission, responsible for Justice, Fundamental Rights and Citizenship, made the data protection reform one of her top priorities.

418

148

EU Data Protection Law

In November 2010, the Commission published the outline of a ‘comprehensive approach on data protection in the EU’, which it intended to build on this new legal basis.124 Its approach was to ‘strengthen the rights of individuals’, to ‘enhance the internal market dimension’, to ‘ensure better enforcement of data protection rules’, and also to cover ‘the global dimension of data protection’. Proposals for a new framework were expected to be submitted in 2011.125 As a second step, the Commission would assess the need to adapt other legal instruments to this new general framework, in which it would also involve Regulation 45/​2001 applying to EU institutions and bodies.126 In January 2011, the EDPS expressed support for the main lines of the Communication, but asked for a more ambitious approach on a number of points.127

B. Main Lines of the Review In January 2012, only slightly later than announced, the Commission presented a package of proposals in order to update and modernize the present EU legal framework.128 This package has since then been the subject of intense discussion, both inside and outside the European Parliament and the Council, and the review is now approaching the final stage of political decision-​making:  negotiations between the Parliament and the Council regarding the first tangible outcomes.129 Before going further into the substance, it is helpful to briefly sum up why the current review is taking place. There are three main reasons. The first reason is that there is a clear need to update the present framework, more specifically Directive 95/​46/​EC as its central element. The term ‘updating’ in this case means, most of all, ensuring its continued effectiveness in practice. When the Directive was adopted, the internet barely existed, whereas we now live in a world where data processing has become ubiquitous, so that we also need stronger safeguards that deliver acceptable results in practice. The challenges of new technologies 124 Communication from the Commission, A Comprehensive Approach on Personal Data Protection in the European Union, 4 November 2010, COM(2010) 609 final. See also Reding, ‘The Upcoming Data Protection Reform for the European Union’, 1 International Data Privacy Law (2011) 3. 125  Communication from the Commission, supra note 124, at 18. 126  Ibid., at 18–​19. 127  Opinion of the EDPS of 14 January 2011 on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions—​‘A Comprehensive Approach on Personal Data Protection in the European Union’, OJ 2011 C 181/​1. 128  See Communication from the Commission, Safeguarding Privacy in a Connected World, 25 January 2012, COM(2012) 9 final. See also Reding, ‘The European Data Protection Framework for the Twenty-​First Century’, 2 International Data Privacy Law (2012) 119, and Kuner, ‘The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law’, Bloomberg BNA Privacy and Security Law Report (2012) 1. 129  In March 2014, the European Parliament adopted its positions on the proposed Regulation and the proposed Directive in first reading with overwhelming majorities. Discussions in Council have made less progress. The Council followed a ‘partial general approach’ on various subjects and, in June 2014, it adopted a ‘partial general approach’ on the territorial scope and Ch. V of the Regulation concerning transfer of personal data to third countries or international organizations.

491 

Peter Hustinx

149

and globalization require some imaginative innovation to ensure more effective protection. The second reason is that the present framework has led to some degree of harmonization, but also to increasing diversity and complexity, if only for the reason that a directive—​according to its legal nature—​must be transposed into national law and we now are confronted with 28 potentially very different versions of the same basic principles. That is obviously too diverse and results not only in unnecessary costs, but also in a loss of effectiveness. The first report on the implementation of the Directive documented a series of differences between national laws in scope and definitions as well as in practices for application and enforcement.130 The efforts to reduce those differences have clearly not been sufficiently productive. At the same time, the need for more harmonized rules has increased as a result of technological change and globalization. In other words, there is a need to scale up harmonization and to make the legal system not only stronger and more effective but also more consistent. This should lead to a reduction in the current unhelpful diversity and complexity. The third reason has to do with the new institutional framework of the EU. As we have seen, the Lisbon Treaty has placed considerable emphasis on the protection of fundamental rights, and especially on the right to data protection. A separate right to the protection of personal data was laid down in Article 8 of the Charter, and a new horizontal legal basis in Article 16 TFEU for the adoption of rules on data protection, providing for comprehensive protection in all policy areas, regardless of whether this relates to the internal market, law enforcement, or almost any other part of the public sector.131 The current review is therefore about stronger, more effective, more consistent, and more comprehensive protection of personal data. The term ‘comprehensive’ was also used by the Commission in its strategy for the reform, albeit in a much more general way:  it mentioned a comprehensive ‘approach’ to be delivered in different stages.132 The package of proposals presented by the Commission in January 2012 consists of two main elements: a proposal for a General Data Protection Regulation to replace the current Directive 95/​46/​EC for the private sector and most of the public sector in the Member States, and a proposal for a Directive to replace the current Council Framework Decision 2008/​977/​JHA for the area of criminal law enforcement.133

130  See especially the annex mentioned in supra note 118. 131  See Section 4C. 132 See supra note 124. 133  Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), 25 January 2012, COM(2012) 11 final, and Proposal for a Directive of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data by competent authorities for the purposes of prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data, 25 January 2012, COM(2012) 10 final.

501

150

EU Data Protection Law

The proposal for a Regulation has been welcomed as a ‘huge step forward’134 towards more effective and consistent protection of personal data across the EU, but it also required some clarification and improvement on a number of important details. These points have been developed in the detailed Opinion of the EDPS of March 2012.135 The fact that the proposed Regulation would be directly binding in all Member States made it all the more important to ensure sufficient clarity of its provisions. However, the architecture of the package itself—​a Regulation and a Directive—​ also signalled that there was a problem with its comprehensiveness. And indeed, this is where the main weaknesses of the package could be found. The level of protection in the proposed Directive is much lower than in the proposed Regulation.136 This problem can be analysed on different levels. The option of a Regulation also covering the area of criminal law enforcement was apparently a bridge too wide for most Member States, even with the inclusion of appropriate limitations and exceptions. The second option of a Directive with the same substance as the Regulation, but subject to the necessary limitations and exceptions, and leaving more space for domestic implementation, was quite conceivable. Yet this is not what the Commission proposed. The resulting discrepancies can be considered on their own merits, but exchange of information between public and private entities (such as law enforcement and banks) is increasing, and a lack of balance and consistency at this interface will have serious practical consequences in a wider field. It should also be noted that related areas, such as taxation, customs and border control, are already within the scope of Directive 95/​ 46/​EC and would therefore be covered by the proposed Regulation. With regard to the Regulation, there are a few general points to keep in mind. The first one is that, in spite of all innovation, there is also a lot of continuity. All the familiar basic concepts and principles will continue to exist, subject to some clarification and smaller changes in details. An example of innovation is a much stronger emphasis137 on ‘data minimization’—​briefly put: ‘no more data than strictly necessary’ or ‘the best protection is to process as few data as possible’. Another example is the explicit recognition of ‘Privacy by Design’—​briefly put: ‘taking privacy into account from the start’ as a general principle.138 There is also a welcome clarification of ‘consent’: when you need it, it must be real and robust consent.139 134 Press release of the EDPS, 25 January 2012, available at https://​secure.edps.europa.eu/​ EDPSWEB/​webdav/​site/​mySite/​shared/​Documents/​E DPS/​PressNews/​Press/​2012/​E DPS-​2012-​ 02_​EC_​DP_​Proposal_​EN.pdf (last visited 20 September 2016). 135  Opinion of the EDPS of 7 March 2012 on the data protection reform package, available at https://​secure.edps.europa.eu/​EDPSWEB/​webdav/​site/​mySite/​shared/​Documents/​C onsultation/​ Opinions/​2012/​12-​03-​07_​EDPS_​Reform_​package_​EN.pdf (last visited 20 September 2016). See also executive summary in OJ 2012 C 192/​7 and press release, available at https://​secure.edps. europa.eu/ ​E DPSWEB/​webdav/​site/​mySite/​s hared/ ​D ocuments/ ​E DPS/ ​PressNews/ ​Press/​2 012/​ EDPS-​2012-​07_​DPReform_​package_​EN.pdf (last visited 20 September 2016). 136  See EDPS Opinion, supra note 135, at 49–​74. 137  Proposal for a General Data Protection Regulation, supra note 133, Art. 5(c). 138  Ibid., Art. 23 on ‘Data Protection by Design and by Default’. 139  Ibid., Art. 4(8) and Art. 7.

51 

Peter Hustinx

151

The real innovation mainly concerns ‘making data protection more effective in practice’. This implies, as we will see, a strong emphasis on implementation of principles, and on enforcement of rights and obligations, in order to ensure that protection is delivered where it is needed in practice. At the same time, the Regulation provides for simplification and reduction of costs. A clear example is that prior notification of processing operations to a data protection authority has been largely eliminated. This will only be required in situations of specific risks.140 The proposed Regulation also provides for a ‘one-​stop shop’ for companies with establishments in different Member States. This involves the introduction of a lead Data Protection Authority (DPA), which is to act in close cooperation with other competent authorities involved.141 A directly binding Regulation will also bring greater harmonization, in principle: one single applicable law, and greater consistency in all Member States. In itself, this will also bring an important simplification and reduction of costs for companies operating in different Member States. At the same time, this is bound to raise political issues as it will be at the expense of national perceptions and preferences as to what is the best approach in data protection. At a more detailed level, there are also issues as to how exactly the Regulation will relate to domestic law, and how exactly the one-​stop shop feature will function. We will come back to these issues at a later stage.142

C. General Data Protection Regulation It is now time to take a closer look at the main lines of the proposed General Data Protection Regulation itself. As this is a very substantial and rather complicated document, it is helpful to approach it from different angles and to look at its scope, its main points of substance, and finally at the international dimensions of the Regulation.

1. General Scope The material scope of the Regulation closely resembles that of the current Directive: it applies to all processing of personal data wholly or partly by automated means, and to the processing by other means of personal data in or intended for a filing system, except in a few situations which in substance correspond with those mentioned in the Directive.143 However, these exceptions also cover the processing of personal data by EU institutions and bodies. Although this was intended as a technical exception to be followed by a separate proposal at a later stage, it has rightly raised the question of why the EU level itself should be left to the second phase.144 140  Ibid., Arts 33 and 34. 141  Ibid., Art. 51(2). 142  See Sections 6A and 6C. 143  Proposal for a General Data Protection Regulation, supra note 133, Art. 2. 144  Ibid., Art. 2(2)(b). Both Parliament and Council have threatened to delete the exception, unless the Commission comes up with a separate proposal which is fully consistent.

512

152

EU Data Protection Law

In any case, it should be underlined that the Regulation is general in scope: it will apply both in the private and public sectors.145 This is completely consistent with the situation under the present Directive. The possibility of a systematic distinction in this Directive between the public sector and the private sector was explicitly considered and rejected.146 This approach has proved to be feasible in practice, as some of its provisions—​especially those on lawful processing, referring to ‘public tasks’—​are obviously more relevant for public bodies, and other provisions—​referring to ‘contracts’ or ‘legitimate interests’—​are more relevant for private actors.147 The Court of Justice has confirmed that the present Directive also applies in the public sector of a Member State.148 However, it also emphasized that national law can only serve as a legitimate ground for processing if it fully complies with fundamental rights.149 This position is reinforced by the fact that Article 8 of the Charter now also contains an explicit recognition of the right to the protection of personal data, and that Article 16 TFEU provides for an explicit horizontal legal basis for the adoption of rules on the protection of personal data, both at EU level and in the Member States, when they are acting within the scope of EU law, regardless of whether it relates to the private or the public sector. At the same time, it is necessary to undertake a closer analysis of the relationship between EU law and national law on the basis of the proposed Regulation. The impression that the Regulation will simply replace all relevant national law is not correct. This depends also on the way in which the Regulation itself deals with this relationship. In this respect, there are different ways in which national and EU law will coexist and interact. For example, the Regulation will build on national laws that fully comply with fundamental rights.150 In addition, careful consideration should also be given to whether—​and if so, where and how—​the Regulation should allow more space for specification of its provisions in national law. However it would not be useful to consider a splitting up of the Regulation into two different instruments—​one for the public sector and another one for the private or commercial sector. On the contrary, such a change would have a disastrous impact, both on the effectiveness and on the consistency of the new framework, particularly for services at or across the dividing line between the two areas. The distinction would probably also work out differently for different Member States, and thus easily lead to new discrepancies and undermine the internal market in cross-​border situations. With regard to the substance of the Regulation, it strengthens the roles of the key players: the individual (data subject), the responsible organization (controller), 145  Ibid., Art. 2 and all other general provisions do not distinguish between public and private sector. 146  The first Commission proposal on the Directive, see supra note 31, was based on a systematic distinction, but was later replaced by a revised proposal with a more general scope. 147  See Art. 7(b), (e), and (f) of Directive 95/​46/​EC, supra note 32. 148  Österreichischer Rundfunk, supra note 53, at para. 47. See also Case C-​524/​06, Huber, [2008] ECR I-​09705 (ECLI:EU:C:2008:724), and Rijkeboer, supra note 62. 149  Österreichischer Rundfunk, supra note 53, at paras 68–​72. 150  See Section 6A.

5 13

Peter Hustinx

153

and the supervisory authorities. This leads to three different perspectives which together amount to stronger data protection.

2. User Control The first perspective may also be seen as enhancing the control of data subjects over the processing of their personal information. There is no doubt that ensuring effective control for data subjects is an important objective of data protection law, even if this is not the same as endorsing the formal right to informational self-​ determination. Article 8(2) of the Charter also underlines the importance of this control by referring to the rights of access and rectification. It should be noted that the current rights of the data subject have all been confirmed in the Regulation, and at the same time strengthened or even extended.151 The requirement for free, specific, informed, and unambiguous consent has been clarified and slightly reinforced by the condition that it should also be ‘explicit’. This is a welcome reaction to a widespread practice on the internet, building on consent under very ambiguous circumstances. At the same time, the Regulation is flexible enough to be satisfied with a clear affirmative action.152 There is also a stronger right to object: it does not require the data subject to show a compelling legitimate ground to object and instead requires the controller to justify the compelling need for the processing.153 In addition, there are stronger means to ensure that the rights of the data subject are respected in practice.154 There is more emphasis on transparency,155 and there is a provision introducing collective action, which although not amounting to class action in the US style, nevertheless opens up the possibility of organizations acting on behalf of their members or constituencies.156 There has also been much discussion about the ‘right to be forgotten’, but on closer inspection, there is mainly a greater emphasis on deletion of data when there is ‘not a good reason to keep them’,157 together with a duty to make reasonable efforts to contact third parties so as to undo the effects of publication of data on the internet.158 The right to ‘data portability’ is essentially a specification of the present right to require communication of any personal data in an intelligible form, but now also in a particular format.159

151  See notably Proposal for a General Data Protection Regulation, supra note 133, Arts 11–​19, now also providing uniform rules across the EU. 152  Ibid., Art. 4(8). 153  Ibid., Art. 19. 154  Ibid., Art. 12 provides, e.g., for an adequate ‘infrastructure’: it requires the controller to ‘pro-​ actively’ establish procedures for the exercise of the data subject’s rights. 155 See ibid., Art. 11 on transparent and easily accessible policies, and transparent information and communication. 156  Ibid., Arts 73–​76. 157 In Google Spain, supra note 45, at paras 73–​74, 88, 93–​94, and 98–​99 the Court goes in the same direction. 158  Proposal for a General Data Protection Regulation, supra note 133, Art. 17. 159  Ibid., Art. 18.

541

154

EU Data Protection Law

3. Responsibility The biggest emphasis is on real responsibility of responsible organizations. Responsibility is not a concept that only comes at the end, when something has gone wrong. Instead, it comes as a proactive obligation to develop adequate data management in practice. This appears in language such as ‘taking all appropriate measures to ensure compliance’, and ‘verifying and demonstrating that those measures continue to be effective’.160 This is one of the major shifts in data protection law. It implies that the burden of proof is in many cases on the responsible organization:  to demonstrate that there is an adequate legal basis for processing, that consent is real consent, and that measures continue to be effective.161 It also explains the frequent use of the term ‘accountability’ in relevant discussions.162 The Regulation also provides for a number of specific requirements, such as the need for a privacy impact assessment, the keeping of documentation, and the appointment of a data protection officer.163 Some of those provisions, especially on documentation, were according to many observers overly detailed and have therefore given rise to much discussion, both in the Parliament and the Council. Some exceptions in the same provisions may not have been fully justified, including those for small and medium enterprises. A better balance in this part of the proposal may solve both problems. In this context, it is essential that general provisions in the current and future frameworks are inherently scalable. Inappropriate specifications may call for unnecessary exceptions. This search for the right balance is now taking place under the term ‘risk-​based approach’.164 A general provision on security breach notification is also included.165 EU law now provides for such a notification only in the case of telecommunication providers.166 This could be seen as a mechanism of accountability ‘at the end’, reinforcing ‘life cycle’ data management.

4. Supervision and Enforcement A third main emphasis in the Regulation is on the need for more effective supervision and enforcement. The safeguards for complete independence of supervisory authorities have been strengthened in line with the case law of the Court.167 The Regulation also provides for supervisory authorities with strong enforcement powers in all Member States.168 Administrative fines of millions of

160  Ibid., Art. 22. 161  Ibid., Art. 5(f), Art. 7(1) and Art. 22(1). 162  See Article 29 Working Party, Opinion 3/​2010 on the Principle of Accountability, adopted on 13 July 2010 (WP 173). For more on accountability and compliance, see Section 7B. 163 Proposal for a General Data Protection Regulation, supra note 133, Arts 22(2), 28, 33, and 35–​37. 164  See Section 6B. 165  Proposal for a General Data Protection Regulation, supra note 133, Art. 31. 166  Ibid., Art. 4(3)–​(5) of Directive 2002/​58/​EC, see supra note 63, as revised in 2009. 167  Ibid., Art. 47. 168  Ibid., Arts 53 and 79.

51 

Peter Hustinx

155

euros—​competition-​size fines—​have attracted a lot of attention but the message is: ‘if this is important, it should be dealt with accordingly’. This will drive ‘data protection’ much higher on the agenda of corporate boardrooms, which is very welcome. In reality, we already observe a rapidly developing practice of more vigorous enforcement, with different tools at national level: remedial sanctions, administrative fines, and also increased liabilities. This trend will no doubt continue in the near future, if possible enhanced on the basis of the Regulation. International cooperation among data protection authorities is also strongly encouraged and facilitated in the Regulation.169 The introduction of a lead authority for companies with multiple establishments is welcome, but again, this lead authority will not be acting on its own, but will be part of a network of close cooperation with other competent authorities.170 A very important additional element is the introduction of a consistency mechanism in the context of a European Data Protection Board, which is to be built on the basis of the present Article 29 Working Party. This mechanism is to ensure consistent outcomes of supervision and enforcement across all the Member States.171

5. Global Privacy A final element is the wider international dimension of the Regulation. The territorial scope of the new legal framework has been clarified and extended. These provisions now apply not only to all processing in the context of an establishment of the controller in the EU,172 but also when goods or services from an establishment in a third country are offered to the European market or the behaviour of data subjects in the EU is monitored.173 This is a growing reality on the internet today. At the same time, it is a realistic approach that builds on an increasing synergy as to data protection in many relevant countries around the world.174 Directive 95/​46/​EC has exercised a major influence on global standards and there is no reason to think that this will be different for the Regulation. The combined market power of 500 million consumers in the EU market will also help to ensure compliance. In this respect, it is relevant to mention that the international cooperation of data protection authorities is also developing in a wider context—​such as between the Federal Trade Commission in the United States and supervisory authorities in the EU—​in a global network of privacy enforcement authorities (GPEN).175 This 169  Ibid., Arts 45 and 55–​56. 170  Ibid., Art. 51(2) and Section 6C. 171  Ibid., Arts 57–​61 and 64–​72. 172  As recently explained in Google Spain, supra note 45. 173  Proposal for a General Data Protection Regulation, supra note 133, Art. 3. 174  See Section 6D. 175 Global Privacy Enforcement Network (https://​w ww.privacyenforcement.net (last visited 20 September 2016)), established further to OECD Recommendation of 12 June 2007 on Cross-​ border Co-​operation in the Enforcement of Laws Protecting Privacy, available at http://​w ww.oecd. org/​internet/​ieconomy/​38770483.pdf (last visited 20 September 2016).

561

156

EU Data Protection Law

will make it possible to deal more effectively with global actors on the internet. This development benefits from a growing convergence of data protection principles and practices around the world, also encouraged by the partly overlapping frameworks of the Council of Europe and the OECD.176 Finally, it should be mentioned that provisions on transborder data flows in the present Directive have also been further developed and where possible simplified. There is now also a specific provision on binding corporate rules (BCR), with a number of simplifications.177

6.  Key Issues in the Legislative Debate A. One Single Set of Applicable Rules? In Section 5B, we mentioned that the Regulation will bring greater harmonization—​in principle: one single applicable law—​and greater consistency in all Member States. This is no doubt an important achievement. In the present system, the national law of a Member State usually applies to the processing of personal data carried out ‘in the context of the activities of an establishment’ of the controller on the territory of that Member State.178 This leads to the result that any Member State may be confronted with different national laws on its territory, depending upon the context in which personal data are being processed. Data subjects may also be confronted with other national laws than their own. In the future, the Regulation will in principle not only determine the external scope of EU law, but also the applicable law anywhere in the EU. But does this mean that there will be only one single set of applicable rules? The Commission has used this message repeatedly to generate support for the Regulation and it has also been an important argument for the Parliament and other stakeholders to provide that support. Yet this claim does not seem entirely justified for at least two reasons. The first reason is that the Regulation may be an important part of a comprehensive approach, but it is by no means the only part. In fact, it seems to be part of a comprehensive approach in different steps, but neither in the short or mid term, nor in the long term, is there any certainty that the Regulation would provide the only set of applicable rules for any relevant subject of data protection.179 Instead, it is more likely that other, perhaps more specific rules—​such as the current Directive 2002/​58/​EC on privacy and electronic communications—​will also be applicable. It would be a good result if those other rules were completely consistent with the requirements of the Regulation.

176  See Section 6D. 177  Proposal for a General Data Protection Regulation, supra note 133, Arts 40–​45 (see Art. 43 on BCR). 178  Ibid., Art. 4(1)(a). See also supra note 45. 179 See supra note 124.

571 

Peter Hustinx

157

The second reason is more fundamental. As mentioned in Section 5C, the impression that the Regulation will replace all relevant national law is not correct. This also depends on the way in which the Regulation deals with the relationship between EU law and national law. In this respect, there are at least four different ways in which national and EU law will coexist and interact. It may happen that the Regulation builds on national law, or conversely allows or mandates national law to build on and give effect to the Regulation. There are also examples of provisions where the Regulation allows or even requires national law to specify or further develop its rules in certain areas or even to depart from its provisions under certain conditions.180 Examples of the first category—​building on national law—​can be found in the provisions on the grounds for lawful processing. According to Article 6(1) of the Regulation, processing of personal data shall be lawful if and to the extent that such processing is (c) necessary for compliance with a legal obligation to which the controller is subject, or (e) necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In both cases, the Regulation builds on grounds for processing which are in most cases essentially provided under national law. In the last two categories—​specifying or departing from—​the Regulation gives different degrees of flexibility to adopt national rules on certain subjects.181 In some situations, this flexibility is considerable, which implies that there will be considerable scope for diversity and thus also for different applicable rules in those areas. It may well be that this simply shows the limits of harmonization and consistency in the EU context. In most Member States, there will be a number of national laws that may not deal with data protection explicitly, but still contain a variety of provisions on the collection, storage, exchange, or publication of personal data, or on the way in which the rights of data subjects should be exercised or respected in a specific field. Many of these laws may come within the scope of Directive 95/​46/​EC and may have been part of its implementation into national law.182 In most Member States, such laws will be consistent with the national data protection law. They will be more frequent in the public sector, but may also be relevant in other areas. It is clear that such laws must be amended if they are not compatible with the Regulation in its final shape, to the extent in which their provisions would not provide a basis for lawful processing of personal data (as in the first category) and are not somehow provided for in the Regulation. This would require that such national laws be aligned with the provisions of the Regulation, including

180  See EDPS Opinion of 7 March 2012, supra note 135, at points 50–​55. Arts 46–​49 of the proposed Regulation require Member States to establish one or more independent supervisory authorities according to these provisions. Examples of the other three categories follow immediately below. 181 See notably Proposal for a General Data Protection Regulation, supra note 133, Art. 21 (restrictions) and Arts 80–​85 (specific situations). 182  This may involve social security, taxation, population files, civil registry, etc. See also the Court judgments mentioned in supra note 148.

518

158

EU Data Protection Law

the general principle of free movement of personal data within the EU as now expressed in Article 1 thereof. This brief analysis shows that there will not be one single set of applicable rules and that the establishment of the precise relationship of EU and national law will require careful study and fine-​tuning, both at EU and at national level. This is even more the case if the Regulation continues to apply to the private and public sectors. On the other hand, the Regulation will have accomplished an enormous and desirable step forward in ensuring greater harmonization and consistency if these efforts are successful.

B. Administrative Burdens and Innovation The proposed Regulation has not only been welcomed, but also heavily criticized by business organizations and it has been the subject of unprecedented lobbying campaigns. In a way, this only confirms the relevance of the subject for our digital economies, and for our increasingly ICT-​dependent societies as a whole. Two partially overlapping themes prevail in the critical reactions: first, the Regulation will create heavy administrative burdens for data controllers, particularly in small and medium enterprises, and second, it may stifle innovation in areas which are crucial for the development of our economies. Both themes are remarkable because the Commission has been very keen to highlight that the proposed Regulation also provides for simplification and reduction of costs. In Section 5B, three examples were mentioned: the sharp reduction of prior notification to data protection authorities, the introduction of a one-​ stop shop for companies with establishments in different Member States, and a directly binding Regulation to ensure greater harmonization and greater consistency in all Member States. It should also be noted that privacy and trust are key themes in the Commission’s Digital Agenda which is an essential part of the EU 2020 strategy for a smart, sustainable, and inclusive Europe.183 Strong and effective safeguards for the protection of personal data indeed also aim to contribute to economic growth and more jobs. This discussion therefore seems to show two sides of the same coin and fits well in the search for the right balance between means and ends, and between costs and benefits. The need for proportionality is also an important, more general principle of EU law.184 Three comments should be made in this context. First, nobody would like to see innovation stifled, but at the same time it would be foolish to close our eyes to the fact that innovation may have negative sides which public policy-​makers need to address. This is particularly true for the development of information technology which has now become so pervasive in our societies. The concept of data protection was conceived in order to provide legal protection of individuals against the 183 See http://​ec.europa.eu/​digital-​agenda and http://​ec.europa.eu/​europe2020/​europe-​2020-​in-​ a-​nutshell/​flagship-​initiatives/​index_​en.htm (last visited 20 September 2016). 184  See Art. 5 TEU and Protocol No. 2 on the Application of the Principles of Subsidiarity and Proportionality Annexed to the Treaties.

591 

Peter Hustinx

159

improper or excessive use of information technology for the processing of information relating to them. The right to protection of personal data has now become a fundamental right, and has been reinforced by a compulsory legal basis for rules designed to ensure its continued effectiveness in a modern society. However, the content of these rules must always be in keeping with the aim pursued and not go beyond that aim. At the same time, more innovation should be encouraged to take account of data protection requirements at the outset (‘Privacy by Design’), which is cheaper and more effective than subsequently retrofitting technology to make it more compliant. Second, it is necessary to make a clear distinction between measures to ensure compliance with existing rules and new legal requirements. It may well be that organizations that have so far underestimated or even ignored the relevance of existing rules on data protection for their particular activities185—​either online or offline—​and may therefore be in a state of non-​compliance with existing law, will find themselves unpleasantly surprised by efforts to give more force and effectiveness to principles that have been around for some time. Some of the heavy lobbying against the proposed Regulation suggests that this is indeed the case for newcomers and perhaps also some successful operators on the internet. However, that is no reason to disregard the legitimate purpose of providing better safeguards so as to ensure the continued effectiveness of a fundamental right. Third, what therefore remains is the search for the right balance between the need to ensure effective protection of individuals in an often dynamic environment and the need to avoid unnecessary administrative burdens. The discussion about this subject has largely been triggered by the fact that the relevant provisions in the proposal for the Regulation did not put enough emphasis on the general principles of responsibility and accountability for controllers, but instead went too fast into specific requirements, which in turn led to a number of specific exceptions, inter alia to protect small and medium enterprises from undue administrative burdens.186 It is true that some specifics were unavoidable to ensure a consistent application of the Regulation across the EU, but greater emphasis on the general principles of responsibility would have provided a better framework for the analysis. For example, one relevant question is what the controller’s general obligation to take ‘appropriate measures’ entails in cases where the specific requirements do not apply. This problem is now addressed in the context of the ‘risk-​based approach’. This should be carefully distinguished from the notion of ‘risk’ as a threshold condition for any protection to apply, and even more from an approach in which protection would only apply to the most risky processing operations. Indeed, it should be taken into account that risk is inherent to any data processing. A  ‘progressive’ risk-​based approach would suggest instead that more detailed 185  In this respect, Google Spain, supra note 45, may have served as a ‘wake up call’ for operators to rethink their current business cases and related legal arrangements. 186  See Proposal for a General Data Protection Regulation, supra note 133, Arts 22–​37 and Section 5C.

601

160

EU Data Protection Law

obligations should apply where the risk is higher and less burdensome obligations where it is lower. This approach has two important advantages:  first, it means that compliance efforts should be primarily directed at areas where this is most needed, having regard, for example, to the sensitivity of the data or the risk involved in a specific processing operation, rather than at a ‘box-​ticking’ exercise to satisfy bureaucratic requirements. Second, it means that areas of minimal risk could be addressed in a more ‘light touch’ fashion. It should be emphasized, however, that general provisions in the current and future frameworks are inherently scalable and should therefore always be respected. The specific rights of the data subject should also be available regardless of the risk involved. Efforts are being made to further describe the notion of ‘risk’, which necessarily involves a measure of judgment. In the interest of legal certainty, the Regulation should provide for sufficiently clear criteria according to which such risk assessment should be performed by controllers, including both objective factors (such as the number of individuals affected by a specific processing operation), and more subjective notions (such as the likely adverse effects on an individual’s privacy).187 On the basis of these general criteria set out in the Regulation, further guidance could be given, either by the European Data Protection Board or in delegated acts, both subject to appropriate supervision and enforcement. Such an approach would allow for more legal certainty for controllers, more effective protection for individuals, and sufficient flexibility to stand the test of time.

C. One-​Stop Shops for Citizens and Business One of the new elements of the proposed Regulation is the introduction of a one-​ stop shop for companies with establishments in different Member States.188 Put simply, this means that when the processing of personal data takes place in more than one Member State, one single supervisory authority should be responsible for monitoring the activities of the controller or processor throughout the EU and taking the related decisions. According to the proposal, this would normally be the national DPA of the Member State where the ‘main establishment’ of the data processing entity is located, also referred to as a ‘lead authority’. The role of a lead authority should not be seen as an exclusive competence, but as a structured way of cooperating with other locally competent supervisory authorities. Indeed, the lead authority will depend heavily on input and support of other DPAs at different stages of the process.

187  A completely different element of risk is which consequences non-​compliance may have for the controllers themselves in terms of sanctions, liability, and loss of customers’ trust. 188  See notably Proposal for a General Data Protection Regulation, supra note 133, Art. 51(2). See also point 2 of the EDPS letter of 14 February 2014 to the Council Regarding Progress on the Data Protection Reform Package, available at https://​secure.edps.europa.eu/​EDPSWEB/​webdav/​ site/​mySite/​shared/​Documents/​Consultation/​Comments/​2014/​14- ​02-​14_​letter_​Council_​reform_​ package_​EN.pdf (last visited 20 September 2016).

1 6

Peter Hustinx

161

The proposed Regulation was rather ambiguous on this point. The Commission seemed to suggest that the role of a lead authority was an exclusive competence. On the other hand, the Regulation did not explicitly provide for adequate powers of the lead authority outside its own jurisdiction. At the same time, it provided for a strong link with the provisions on mutual cooperation with other supervisory authorities, which should indeed enable the lead authority to exercise its role effectively. Moreover, any decision of the lead authority would only be enforceable across the EU if the matter had been dealt with in a consistency mechanism involving all other national supervisory authorities in the European Data Protection Board.189 In this way, other (locally competent) supervisory authorities would be able to participate in and influence the outcome of the cooperation and the final decision of the lead authority in all relevant cases. The one-​stop shop principle is an important element of the harmonization of the EU legal framework for data protection. It was proposed by the Commission in order to increase consistent application, provide legal certainty, and reduce the undue administrative burden for controllers and processors that are active in more than one Member State. It also reduces the fragmentation of the data protection landscape. It is important for business to be able to deal with (ideally) one interlocutor instead of (potentially) 28 national regulators. Although the Council endorsed the principle in October 2013, it subsequently also considered a number of objections against the one-​stop shop principle raised by its own Legal Service.190 These questioned its compatibility with the Charter of Fundamental Rights, in particular with Article 47, which provides for the right to an effective remedy before a tribunal and the right to a fair trial, in substance corresponding to Articles 13 and 6(1) ECHR. The key concern seemed to be the issue of ‘proximity’ between the lead DPA taking a decision in a particular case and the individual citizen, which is perceived as an important aspect of the protection of individual rights. More generally, the one-​stop shop principle was seen as benefiting multinational businesses at the expense of individual citizens. This interpretation of the one-​stop shop principle paints an unduly negative picture of the proposals currently on the table. Indeed, it is possible to reconcile the principle with a high standard of protection for citizens’ fundamental rights, including those protected by Article 47 of the Charter. This position is based on a number of considerations. First and foremost, it is important to underline that at present, pursuant to Article 28(6) of Directive 95/​46/​EC, a DPA is always competent to exercise its powers, including those with regard to the investigation of complaints, within the territory of its own Member State. However, unless the complaint concerns a controller (or a processor) with an establishment or equipment in that Member State, the effective powers of that DPA to enforce the data protection law may in 189  Proposal for a General Data Protection Regulation, supra note 133, Art. 63. 190  See Note of the Presidency of 26 May 2014 to the Council on the One-​Stop-​Shop Mechanism, available at http://​register.consilium.europa.eu/​doc/​srv?l=EN&f=ST%2010139%202014%20INIT (last visited 20 September 2016).

621

162

EU Data Protection Law

practice be limited. Indeed, the necessity to apply, in a specific case, the national law of a different Member State and the lack of possibilities to conduct investigations or to impose sanctions where there is no physical presence of the controller or processor may render the recourse to the local DPA purely theoretical and largely ineffective. In contrast, the proposed Regulation would ensure a uniform legal framework and put in place different mechanisms to ensure effective enforcement in practice. Citizens would be explicitly given the right to lodge a complaint with the local DPA or any other DPA in order to exercise their rights.191 In practice, the local DPA will probably function as the one-​stop shop for citizens in that jurisdiction. However, in cases where today a DPA has limited options, the new Regulation would ensure effective enforcement by the lead authority in the context of the one-​stop shop for companies (and with the support of the consistency mechanism), and where necessary with the involvement of the locally competent DPA. In addition, affected individuals will always have the possibility to bring legal proceedings against a company established in their country before their national courts for an alleged violation of the Regulation.192 From this perspective, the Regulation will have a very positive impact on the possibilities for individuals to enforce their data protection rights, and thus bring about a significant improvement for data subjects in their right to an effective remedy as guaranteed under Article 47 of the Charter. The Regulation also provides for a review by the courts of decisions taken by a DPA. In cases where the one-​stop shop principle applies, an individual wishing to challenge a decision taken by the lead DPA would have to do so before a court in the Member State of the lead DPA,193 which in many cases would in practice mean having to initiate legal proceedings in another Member State. In this context, the sole fact that courts in a Member State other than the country of residence of a citizen must be called upon does not in itself deprive that citizen of effective judicial protection. Under the current Directive 95/​46/​EC it is also possible that citizens who wish to complain about the processing of personal data by a company operating in numerous Member States must address themselves to one specific DPA and, if they wish to contest its decisions, must pursue litigation in that same Member State. So far, there has been no reason to call this feature of the current system into question with the Charter. The proposed one-​stop shop principle is also criticized for creating excessive obstacles for citizens seeking judicial remedies due to geographical distance involved, unfamiliarity with a foreign legal system, the need to initiate and conduct proceedings in a foreign language, or the costs of such a procedure. The alternative solution proposed in that respect appears to be the creation of an EU body with legal personality which would play the role of the one-​stop shop, both for citizens and for companies. This would require a fundamental

191  Proposal for a General Data Protection Regulation, supra note 133, Art. 73. 192  Ibid., Art. 75. 193  Ibid., Art. 74(3).

6 13

Peter Hustinx

163

centralization of the existing decentralized structure of data protection supervision, which would not necessarily facilitate the decision-​making process within a reasonable time limit, and would certainly not ensure more ‘proximity’ for citizens and companies alike. More importantly, it does not seem necessary in order to ensure better protection of fundamental rights of citizens. It is important to keep in mind that in most cases all relevant actors—​ data subjects, controller, and DPAs—​will continue to reside in one country. Consequently, the one-​stop shop principle for companies would only apply in a relatively limited number of situations. It might further be possible to exclude issues of a predominantly local nature, such as issues arising under local laws. In other words, although some of the remaining cases may have a large impact, the instances in which citizens are affected by decisions of a lead DPA located in a Member State other than their own country of residence would in practice be much less numerous than the ‘ordinary’ cases in which decisions are taken by the ‘home’ DPA. Finally, the one-​stop shop principle for companies must be seen in its proper context as an important element contributing to the overall effectiveness and consistency of the future data protection framework. Undoubtedly, a much more uniform data protection system and reduced litigation costs—​as litigation would in principle be limited to the jurisdiction of the lead DPA or the main establishment—​would be advantageous for business across the EU. However, citizens will also benefit from a more consistent application of a uniform set of data protection rules under the proposed Regulation. For instance, where a citizen is affected by data processing by a controller established in different countries, but all decisions are effectively taken by the main establishment of the controller in another Member State, the possibility to obtain a single decision of a DPA or a court ruling which would be valid and enforceable in all Member States would constitute a considerable improvement compared to the current situation. By the same token, the one-​stop shop for companies also reduces the likelihood of parallel proceedings and the resulting conflicts of jurisdiction, since a procedure in the Member State of the lead authority would normally be sufficient to enforce one’s rights across the EU. As this discussion illustrates, the one-​stop shop concept, either for companies or citizens, gives rise to questions which may require some fine-​t uning of the proposed Regulation. This is why different options are still being considered. However, it is clear that the outcome will be based on close cooperation between authorities rather than on exclusive competences, while the need for effective protection and greater efficiency will no doubt also be given adequate weight.

D. More Global Privacy and ‘Interoperability’ The digital environment has increasingly a global character, as the internet and other global networks allow data to move around the world every moment of

641

164

EU Data Protection Law

every day. The international dimensions of the Regulation have therefore also received considerable attention. In this context, the Regulation—​as was the case with Directive 95/​46/​EC, but even more so—​does not primarily focus on where the data are, but rather on the responsibility for the data processing and the impact of the data processing on the data subjects. This is most obvious in the territorial scope of the Regulation, which will apply not only to all processing in the context of an establishment of the controller in the EU, but also when goods or services are offered on the European market, or the behaviour of data subjects in the EU is monitored, regardless from where.194 In all those situations, the controller will be responsible for compliance with the basic principles of data protection and the rights of the data subject, and will be subject to the control of independent supervisory authorities.195 To the extent that the Regulation applies, it will also require that personal data are not transferred to a third country, unless that destination ensures an adequate level of protection, or adequate safeguards are provided by other means. Those provisions have been elaborated and simplified, so that there will be more options to provide adequate protection in specific situations.196 The underlying idea is that personal data should only be transferred to a third country, if the rights of data subjects are safeguarded. At the same time, these provisions are based on a reasonable degree of pragmatism in order to allow interaction with other parts of the world. They will therefore also apply if personal data are transferred to service providers in third countries in the context of cloud computing. In those cases, the controller will remain at least co-​responsible for compliance with data protection requirements.197 A third element is that the Regulation will also encourage cooperation with data protection authorities in other parts of the world.198 This is important to

194 See ibid., Art. 3. The CJEU has recently ruled in Google Spain, see supra note 45, that Directive 95/​46/​EC already applies to a search engine operating from a third country via its subsidiary in an EU Member State. In this respect, the Court ruled that the search engine operator was a controller as regards the processing of personal data carried out by the search engine and that the activities of the subsidiary—​a lthough limited to the sales of advertising—​were inextricably linked to the processing of personal data derived from searches which made the advertising more valuable (see Google Spain, at paras 33 and 55–​56). In this way, the Court has taken an important step in the direction also aimed at by the Regulation. 195  In its ruling the Court observed that the controller must ensure—​within the framework of its responsibilities, powers, and capabilities—​t hat its activity complies with the requirements of the Directive (see Google Spain, supra note 45, at para. 38). This also applies where this activity is performed by computers on the basis of computer programs: a welcome endorsement of the responsibility of controllers and the scope of their obligations on the internet. A key consideration of the Court is the need to ensure ‘effective and complete protection’ to fundamental rights (ibid., at paras 34, 38, 53, and 58). An important detail is that the Court again confirmed that the Directive applies to personal data which have been published (ibid., at para. 30). In determining the rights of the data subject under Arts 12 and 14 of the Directive—​notably the right to erasure and the right to object to processing of personal data—​t he Court specifically referred to Arts 7 and 8 of the Charter (ibid., at paras 69, 81, and 97). The ruling can therefore also be seen as further evidence of the growing impact of the Charter on the application of existing law. 196  Proposal for a General Data Protection Regulation, supra note 133, Arts 40–​4 4. 197  Ibid., Art. 24. 198  Ibid., Art. 45.

651 

Peter Hustinx

165

effectively deal with global actors on the internet. As already highlighted in Section 5C, this development benefits from a growing convergence of data protection principles and practices around the world, and is encouraged by the partly overlapping frameworks of the Council of Europe and the OECD. The OECD has recently published revised Privacy Guidelines, which essentially confirm the approach followed so far.199 The revised Guidelines also emphasize the need for practical measures to ensure compliance with data protection principles, and the need for cooperation of privacy enforcement authorities.200 The revision of Convention 108 of the Council of Europe goes in a similar direction.201 All these elements together will facilitate a gradual development towards global ‘interoperability’ of privacy and data protection frameworks. Although it would be fairly easy to identify many differences in terms of detail, there is also a growing scope for synergy and convergence among those frameworks. The Regulation would be the most developed framework in the world—​in line with the recognition of the right to data protection as a fundamental right in Article 8 of the Charter—​but it would also be consistent with developments elsewhere. Moreover, it may well have a strong influence on those developments in due course, much like Directive 95/​46/​EC exercised in the past. The review of the Directive therefore also offers a major opportunity to ensure more global privacy and interoperability. Finally, the Regulation does not apply to surveillance activities undertaken by third countries or by the relevant services of an EU Member State. However, it does apply to operators and other service providers that offer their services on the European market or monitor the behaviour of data subjects in the EU, and may thus also provide opportunities for spying by other actors.202 The controller’s obligations under the Regulation would in this respect serve as an important countervailing power. Against this background and in a wider context, it would be helpful if the Regulation also contained a provision addressing the situation where a legal obligation imposed by a third country would require activities which are not in conformity with EU law.203 In principle, such activities should not be allowed, except where an international agreement allows them or an independent judicial or supervisory authority has granted an exemption. Such a provision could serve as a necessary regulator in cases where international conflicts of law or public

199 Available at http://​w ww.coe.int/​t/​dghl/​standardsetting/​dataprotection/​modernisation_​ en.asp (last visited 20 September 2016). 200  Part Three on ‘Implementing Accountability’ and Part Six on ‘International Cooperation and Interoperability’. 201  See information available at http://​w ww.coe.int/​t/​dghl/​standardsetting/​dataprotection/​modernisation_​en.asp (last visited 20 September 2016). 202  Proposal for a General Data Protection Regulation, supra note 133, Art. 3. 203  Such a provision was part of the Commission proposal for the Regulation before it was deleted at a late stage. The Parliament and the Council are also considering different versions of a similar provision. Its benefits would go beyond surveillance and could also involve other areas where international conflicts of law or public policy might arise, typically including legal obligations requiring access to information in other jurisdictions.

61

166

EU Data Protection Law

policy could otherwise only put economic operators in an impossible position or go at the expense of general interests and possibly both.

7.  Other Issues A. Internal Market and Fundamental Rights Directive 95/​46/​EC has been adopted on an internal market legal basis in order to provide a harmonized legal framework for data protection in the EU. However, the fundamental rights perspective has been visible from the beginning. The Court of Justice has highlighted that the Directive has a very broad scope and the Charter has a growing impact on its application in practice. The review of the Directive is now taking place from a different perspective. Article 16 TFEU has provided a general legal basis for comprehensive protection of personal data in all policy areas and the Charter applies to the EU institutions and the Member States whenever they act within the scope of EU law. This different perspective does not mean that internal market considerations and other public policy principles could no longer play a role in the way in which the review of the current EU legal framework for data protection is undertaken, and indeed in the structure and the content of the new legal framework itself. It is obvious that the choice for the proposed Regulation and many of its main features are based on the need for greater harmonization to provide stronger, more effective, and more consistent protection of personal data across the EU. In other words, the impact of the Charter and the need for harmonization and consistency across the EU are not only compatible and complementary, they are mutually reinforcing. Strong and consistent data protection is also in the interest of the internal market. However, one could still raise the question of how much flexibility Article 16 TFEU allows and where the impact of the Charter might pose certain limits which public policy developers and the EU legislator have to respect. This is not a purely theoretical question as the discussion in the Council about the one-​stop shop for companies has highlighted.204 Legal objections to the one-​stop shop principle have been raised to question its compatibility with the Charter and in particular with Article 47 on the right to an effective remedy and a fair trial. Although these objections are not fully convincing, they suggest that there are indeed different limits that the EU legislator has to respect.205

204  See Section 6C. 205  See also, in a different context, Digital Rights Ireland, supra note 95, at para. 47: ‘With regard to judicial review of compliance with those conditions, where interferences with fundamental rights are at issue, the extent of the EU legislature’s discretion may prove to be limited, depending on a number of factors, including, in particular, the area concerned, the nature of the right at issue guaranteed by the Charter, the nature and seriousness of the interference and the object pursued by the interference’.

6 17

Peter Hustinx

167

The Court of Justice has also demonstrated that such limits exist. The clearest example of this is the case law on the requirement of ‘complete independence’ for supervisory authorities. On various occasions, the Court has stated that the requirement of independent supervision is an ‘essential component’ of the protection of personal data, and also derives from Article 8(3) of the Charter and Article 16(2) TFEU.206 This means that the EU legislator would not be free to revise the current framework in a way that would not be compatible with those provisions of primary law. Something similar could be deduced from the recent ruling of the Court about the position of search engine operators. As the scope of the data subject’s right to erasure and to object to processing of personal data, under the current Directive, were set out with specific references to Articles 7 and 8 of the Charter,207 it would be inconceivable to limit the scope of those rights without due regard to the requirements in the Charter for any limitation on the exercise of the rights explicitly recognized in Article 8(2) or implicit in Article 8(1) of the Charter. Indeed the Court came very close to saying that these rights are (also) ‘essential components’ of the protection of personal data under Article 8.  The same might happen in future cases in relation to other parts of Article 8. More generally, this means that Articles 7 and 8, as well as other relevant provisions of the Charter have to be kept in mind when the details of the Regulation are discussed and adopted, and eventually applied in practice. It is here that the difference in character between the right to respect for private life and the right to the protection of personal data may once again play an important role. Article 7 would then primarily serve to guard against undue interference with the private life of individuals, while Article 8 would serve as a positive guarantee that the essential elements of the protection of personal data, as set out in this provision, are adequately delivered in practice. This implies that the Regulation should be designed and applied in such a way that the processing of personal data, either by public or private actors, does not amount to undue interference in the private life of individuals, and that the essential elements of data protection are provided both in the public and in the private sector. Any reduction in the scope or the level of protection under the current Directive therefore might well face justified challenges under Articles 7 and 8 of the Charter.

B. Accountability and Compliance In Sections 5B and 5C we mentioned that one of the most important elements of the Regulation is the shift from prior control to ex-​post control by data protection authorities and from nominal responsibility to enhanced responsibility

206  See notably Commission v. Austria, supra note 52, at paras 36–​37, and Commission v. Hungary, supra note 52, at paras 47–​48. 207  Supra note 195.

681

168

EU Data Protection Law

or accountability for controllers. One commentator has referred to this shift as a ‘Copernican revolution in European data protection law’.208 Although this terminology may be overstated, it certainly underscores a major change of approach with a view to making data protection more effective in practice. It is important to further clarify what this shift entails. First of all, it does not change the existing responsibility of controllers to ensure compliance with the substantive principles of data protection and certain specific rights of data subjects. All these essential elements will remain unaffected, subject to some clarifications and improvements in the Regulation. In the current Directive, this is complemented by a general obligation for prior notification of data processing operations to the competent DPA, which may be subject to exemptions, or by an obligation for prior checking in the case of risky processing operations.209 In practice, this has not only led to very great diversity among the Member States, both as to the scope for notification or exemption, and with regard to the national practices under each of the relevant categories. More importantly, responsible organizations are inclined to see formal notification as the main obligation, rather than the obligation to comply with data protection principles. This has put undue emphasis on the role of data protection authorities at the expense of the key role of controllers to provide good data protection in their organizations. The obligation of prior notice in relation to individual processing operations is now widely perceived as an ineffective and unnecessary administrative burden. Instead, the Regulation has placed more emphasis on the responsibility of controllers. As a result they will not only have to comply with substantive principles and data subject’s rights, but also to take all appropriate measures to ensure compliance, and to verify and demonstrate that those measures exist and continue to be effective.210 This principle of accountability should lead to better data management in practice, subject to the ‘progressive’ risk-​based approach, as referred to in Section 6B. The powers of data protection authorities to enforce, and to impose sanctions for non-​compliance, have also been increased substantially.211 The separate obligation to take appropriate measures and to demonstrate their existence and continued effectiveness is designed to work as an incentive for controllers and a tool for data protection authorities to supervise data management practices, without necessarily having to go into time-​consuming analysis of substantive issues. A  ‘progressive’ risk-​based approach, as mentioned above, would work well in this context, both for controllers and for data protection authorities. This will also require some practical guidance from those authorities, preferably in the context of the European Data Protection Board, so as to ensure sufficient consistency across the EU.

208  See Kuner, supra note 128. 209  Directive 95/​46/​EC, supra note 32, Arts 18–​20. 210  Proposal for a General Data Protection Regulation, supra note 133, Art. 22. 211  Ibid., Arts 53 and 79.

691 

Peter Hustinx

169

It is not difficult to predict that controllers will be inclined to seek expert advice on how to best ensure compliance in their organizations. This will lead to a growing demand for privacy professionals and privacy-​relevant products and services, possibly subject to certification on the basis of the Regulation.212 On the other hand, the Regulation will provide for a more diverse menu of options for enforcement, ranging from individual or collective actions by interested parties, to different interventions by data protection authorities, either or not in the context of a one-​stop shop, backed up by the consistency mechanism and the role of the European Data Protection Board. In other words, controllers will be able to carry their responsibilities, where necessary with the help of others, and may be the subject of different enforcement actions, depending upon whether they are more or less successful. In this way, the Regulation will lead to a better allocation of responsibilities and create some powerful incentives for compliance, which are likely to result in more effective protection in practice.

C. Independent Supervision and Consistency The requirement of independent supervision has been mentioned earlier repeatedly as an ‘essential component’ of the right to data protection, and the need for greater consistency has also been mentioned as a condition for greater effectiveness of that right across the EU. But are these requirements fully compatible with each other? At first sight, this may well be a true paradox in the governance of EU data protection. According to the case law of the Court of Justice, the requirement of ‘complete independence’ for a supervisory authority means that it should be free from any external influence.213 This obviously does not exclude the possibility that those authorities may cooperate with each other and may develop a consensus on certain issues. However, in case of disagreement, the question of who is to take a binding decision is bound to raise difficult issues. If a minority were bound by the views of a majority, this would amount to direct external influence and would hardly be compatible with complete independence. If, on the other hand, each supervisory authority were free to follow its own views, it would be impossible to achieve real consistency on any subject. It should be noted that the consistency mechanism in the proposed Regulation would not lead to a binding decision but would rather result in an advisory opinion, in the light of which the competent DPA would have to reconsider its position.214 If the advisory opinion is followed there would be no problem. If the competent DPA disagrees, there are in theory two main options. The first option is that the competent DPA would have to motivate its position and explain why it did not follow the advisory opinion. This would no doubt

212  Ibid., Art. 39. 213 See supra notes 51 and 52. 214  Proposal for a General Data Protection Regulation, supra note 133, Art. 58.

701

170

EU Data Protection Law

lead to closer scrutiny of the measure by interested parties and any subsequently involved court. This option would fully respect independence, only create procedural pressure, but possibly also lead to very limited consistency, perhaps only after a final decision of the Court of Justice. The second option is that the consistency procedure enter a new phase. In that context, the Commission had envisaged an increasingly active role for itself, first by submission of an opinion which would require the competent authority to reconsider its position even more seriously, second by suspension of the contemplated measure, and finally settling the matter more generally in a binding way by adoption of an implementing act.215 This approach has been widely criticized as inappropriate. Although the Commission is also required to act with full independence according to the Treaties,216 this requirement has a different aim and would not be sufficient to justify a direct intervention in a case before an independent authority. This state of play has encouraged a rethink of how independent authorities might cooperate in reaching good and consistent outcomes. It has been suggested that issues which are purely or predominantly local in nature—​with all actors residing in one country or issues arising under local laws—​should be left entirely to locally competent data protection authorities. If more than one jurisdiction is involved—​either because the controller has establishments in different jurisdictions or individuals in different jurisdictions are affected—​then the first rule should be that the competent authorities should cooperate in reaching a solution to the issue which can be supported by all. In this context, there might be a good reason to designate a lead authority also in cases where a controller is established in only one jurisdiction, while individuals in other jurisdictions are affected. Indeed, it may be that the controller has no establishment at all in the EU and individuals in all Member States are affected. Different scenarios for the designation of such a lead authority could therefore be envisaged. However, as long as the outcome of the cooperation is reached by consensus within a reasonable time, there will be no problem with independence. If the cooperation between the data protection authorities involved does not lead to consensus within a reasonable time, the issue should be ‘pushed up’ for discussion by the European Data Protection Board. If the outcome of that discussion is adopted by consensus, there will again be no problem with independence. However, if a majority prevails, there are two potential scenarios. The first one is that the majority view would only be an advisory opinion, which the competent DPA should at least consider very carefully. In case of continued disagreement there would be the possibility of a second advisory opinion which would have to be adopted with a qualified majority. This would follow the approach of increasing procedural pressure, without limiting the decision-​making power of the competent DPA. It would also build on the assumption that a second advisory opinion would be very influential, but without completely deciding all details of a case. 215  Ibid., Arts 59–​ 62.   216  See Art. 17(3) para. 3 TEU.

71 

Peter Hustinx

171

The second scenario would introduce a decision-​making mechanism at a different level, for instance in the context of the European Data Protection Board itself. This option might also have consequences for the judicial review of any decisions, and might result in an undesirable centralization. Other possible solutions have also been suggested, without however being able to fully address the problem of a dissenting minority and a possible lack of consistency. This explains why the governance issues relating to the consistency mechanism, together with the architecture of the one-​stop shop for companies, are among the most complicated issues currently still under discussion, and for which different solutions are being analysed in order to find an acceptable compromise.

8.  Concluding Remarks The outcome of the current review of Directive 95/​46/​EC—​and of the EU legal framework for data protection more generally—​is not yet entirely clear, but its main direction now seems well beyond the point of no return. A number of conclusions may be drawn at this stage. Privacy and data protection—​more precisely, the right to respect for private life and the right to the protection of personal data—​have important connections. They are both fairly recent expressions of a universal idea with strong ethical dimensions: the dignity, autonomy, and unique value of every human being. However, there are also crucial differences. The concept of ‘data protection’ was developed in order to provide structural legal protection to individuals against the inappropriate use of information technology for processing information relating to them, regardless of whether that processing would be within the scope of the right to respect for private life or not. The resulting set of safeguards—​in essence a system of checks and balances, consisting of substantive conditions, individual rights, procedural provisions, and independent supervision—​applies in principle to all processing of personal data. This approach was developed by the Council of Europe in Convention 108 and further developed by the EU in Directive 95/​46/​EC, alongside the right to respect for private life as set out in Article 8 ECHR. Both must be distinguished from, on the one hand, the German concept of ‘informational self-​determination’ (with a strong emphasis on the data subject’s consent) and on the other hand the approach followed by the OECD Guidelines, based on the notion of ‘risk’ as a threshold condition for protection, and assuming that all processing of personal data is in principle legitimate. These distinctions play an important, but often only implicit and insufficiently recognized, role in international discussions. The EU has gradually taken over the role of the Council of Europe as a building platform for data protection. In this respect, we have seen two lines of development: the first having to do with making privacy and data protection rights stronger, and the second with ensuring a more consistent application of those rights across the EU. Both lines aim to ensure more effective protection in practice

721

172

EU Data Protection Law

and less unhelpful diversity in the way this protection is delivered in the Member States. The increasing impact of the Charter of Fundamental Rights, both in the case law of the Court of Justice and in the review of the current legal framework, is in accordance with this long-​term trend. This is obviously very welcome, as the need for effective protection of personal data has never been greater than today. The distinction between ‘privacy’ and ‘data protection’ is also relevant for the Charter. Article 7 on the right to respect for private life is a typical example of a classical fundamental right, where interference is subject to strict conditions. Article 8 on the protection of personal data follows Convention 108 and Directive 95/​46/​EC in providing a system of more proactive protection. This means that the scope of Article 8, involving all processing of personal data, should not be confused with the question of whether the fundamental right to data protection has been interfered with. Such interference normally only occurs if one or more of the main components of Article 8(2) and (3) have not been respected. However, it should not be excluded that Article 8(1) might serve as a source of other requirements, already set out in EU data protection law, but not yet made explicit in the Charter. In its recent case law, the Court of Justice shows a tendency towards a ‘combined reading’ of Articles 7 and 8 of the Charter. As explained earlier, this approach does not take account of the essential difference in character between the two provisions and may prevent Article 8 from reaching its full potential. However, the Court still seems to be struggling with the proper role of Article 8 and sometimes uses different terminology. The general basis for the review of the current legal framework in Article 16 TFEU offers a historic opportunity to deliver the main components of Article 8 of the Charter in a more effective and consistent set of rules across the EU. The General Data Protection Regulation, which is to replace Directive 95/​46/​EC in due course, is a combination of continuity and innovation. A  directly binding Regulation will in principle bring much greater consistency, but in practice probably also allow some flexibility for interaction with national law, especially in the public sector. The greatest innovation is expected in giving controllers greater responsibilities, although the impact of this shift will depend on the ‘progressive risk-​based approach’ currently under discussion. Innovation can also be expected in the area of supervision and enforcement, especially in relation to the details of one-​stop shops for citizens and business and in other mechanisms to ensure consistent outcomes of independent supervisory authorities. Finally, the territorial scope of the Regulation is likely to also include companies that are operating on the European market from an establishment elsewhere in the world. As the Charter is always applicable within the scope of EU law, it will also apply to the legal framework that will eventually be adopted on the basis of Article 16 TFEU. This raises the question of how much discretion the legislature will have in the adoption of those rules. In our discussion, we have seen different examples of a limited discretion, either because Article 8 of the Charter has already set certain positive requirements or because the Charter also needs to be respected whenever rules of data processing may serve as a

731 

Peter Hustinx

173

basis for interference with the right to respect for private life. Problems with the Charter might also arise in the event that the scope or the level of protection of the new rules turns out to be more limited or lower than under the current legal framework. Finally, we have seen that the governance issues relating to the one-​stop shop for companies and the consistency mechanism are among the most complicated issues that are currently still under discussion. Creativity and pragmatism will both be needed here in order to ensure that the essential components of Article 8 of the Charter can be effectively delivered in practice.

174

6 Liabilities of Internet Users and Providers Giovanni Sartor

This chapter explores the connection between host providers’ liability and data protection, in particular with regard to the right to be forgotten. First, a conceptual analysis is provided of some basic ideas including privacy, publicity, and neutrality. Subsequently, host providers’ immunities in EU law are presented and compared with safe harbour provisions in US law. The issue of data protection exceptionalism is considered, namely, whether providers’ immunities under EU law also apply to violations of data protection law. Knowledge of illegality of hosted content as a condition for providers’ liability is also examined, considering how this requirement should be understood to prevent collateral censorship. The EU General Data Protection Regulation1 (‘the DP Regulation’) is then assessed, focusing on the way in which it defines the interface between data protection and providers’ liabilities. Finally, the right to be forgotten is scrutinized, providing an analysis of how the passage of time affects the legally relevant interests involved in data protection.

1.  Privacy, Publicity, and Neutrality in Web and Cloud Hosting Over the last decade, hosting services have become ubiquitous, polymorphous, and interconnected, thanks to web and cloud services. On the one hand, in the context of the web, we store pages on the servers of host providers and produce and distribute content in multiple ways. We upload our content—​documents, music, pictures, and suchlike—​to various online repositories, making it available to a worldwide audience. We build our public image on social networks, where we disclose aspects of our personalities, interact with 1  Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/​46/​EC (General Data Protection Regulation). The Regulation will apply from 25 May 2018. Liabilities of Internet Users and Providers, First Edition, Giovanni Sartor © Giovanni Sartor 2017, Published 2017 by Oxford University Press

7 15

Giovanni Sartor

175

others, advertise social and work-​related information, build and map relationships with others. We present our work, tell our stories and publicize our initiatives through blogs, and express our opinions by contributing to online forums and commenting on web pages. On the other hand, in the context of the cloud, we store our data in remote data farms (infrastructure as a service), we access remotely located software programs (software as a service), and use virtual computers activated by providers’ hardware and software (computing as a service). Web hosting and cloud hosting have, in principle, different functions, the former mainly pertaining to the public sphere and the latter to the private sphere. The former enables us to make content accessible to others, while the latter offers a remote substitute for our computers (providing, e.g., memory, software, or computing power). The former provides us with a publicly accessible space for sharing and communicating, the latter with a privately accessible remote space for storing and using data and programs. This difference is also reflected in the different rights which are relevant to the web and the cloud. When we upload or access content on the web, we exercise the freedom of expression and freedom of information as well as other economic and political freedoms. When we use the cloud for storing documents and performing computations, we exercise our property and contractual rights, but also our rights to autonomy, to work, and even maybe to the ‘security of the person’, given that our personal computer space has become, in a way, our ‘external mind’, where we keep our memories and the outcomes and tools of our work. However, the dividing line between what is public and what is private has become increasingly blurred, and so is the distinction between the web and the cloud. On the one hand, users of a web service open to the public can restrict their audiences to particular groups of people. On the other hand, users of cloud services can instantaneously move content from their private space on the cloud into the open web, uploading the content to a web hosting platform, or simply linking it to publicly accessible web pages. Before analysing this new scenario from a normative point of view, we need to make some conceptual distinctions, concerning three different dimensions of the divide between the private and the public. A first private–​public divide opposes privately retained information and publicly available information, according to the existing factual or legal controls over it. We may say that a piece of information is factually private when accessing that information under normal conditions (i.e. without violating the system storing the information) would require the cooperation of the person having physical control over it. On the other hand, we may say that such information is legally private when access to it is governed by a property rule, so that such access would be illegal without the rightholder’s authorization. For instance, the draft of my article which is stored on my computer is factually private to me before I make the choice to send it to other people. In fact, since the only embodiment of

761

176

Liabilities of Internet Users and Providers

this information is stored on my computer, I can effectively prevent others from accessing my work by keeping the computer with me. With regard to legally private information, we can distinguish between information that is legally private on contextual grounds, and information that is legally private on intrinsic grounds. In the first case, the prohibition on access without authorization results from the owner’s rights over the embodiment of the information or over the container for such an embodiment (such as my property right over my computer). In relation to the second case, this prohibition results from the owner’s rights over the information itself (such as copyright or data protection rights). Factually private information loses this status when it is transmitted to others, since recipients can store this information on devices over which they have factual control. Information that is legally private on contextual grounds ceases to be legally private when others have legal permission to use the embodiment or container of the information (e.g. works in the public domain that are stored in the computer you have purchased). Information that is legally private on intrinsic grounds may cease to be legally private to the extent that access to it is authorized by the rightholder or by the law (e.g. personal data that can be processed on the basis of the data subject’s consent, or on other legitimate grounds, such as freedom of expression). This private/​public distinction overlaps with a second distinction, namely the distinction between personal and anonymous information. Personal information concerns identified or identifiable persons and in this regard we need to distinguish two ways in which information can be personal. First, a piece of information can be intrinsically (or semantically) personal, in the sense that the information itself concerns an individual; second, it can be contextually (or pragmatically) personal, in the sense that the context where it appears provides information about a specific individual. In particular, the very fact that a piece of information has been created or even merely collected or distributed by an individual may provide some clues about who that individual is or may be. To give one example, an Italian political activist used the social media platform Twitter to publish a statement—​k nown as a ‘tweet’—​expressing a derogatory and homophobic view of a politician, using highly vulgar and offensive language. The tweet arguably was public because it was publicly accessible through the web, yet it embodied personal information both with regard to its object (the politician being attributed a a certain sexual orientation and attitude) and with regard to its issuer (the activist making the statement), whose impoliteness and homophobia it revealed. Similarly, while pornographic footage contains personal information concerning the people involved, the fact that an individual has distributed pornographic footage or even just stored it on a computer may give a clue as to that individual’s interests and attitudes. My inquiry here concerns information uploaded by users to online platforms. As a matter of fact, the extent to which such information is factually private depends on what the technological infrastructure enables. Here factual accessibility ranges from maximal (e.g. indexed, freely searchable, and downloadable

71 

Giovanni Sartor

177

materials) to minimal (e.g. encrypted information stored on a strongly protected cloud space). The extent to which such information is legally private depends on: (i) the extent to which access to the container of the information is prohibited, so that access involves trespass or other illegal acts (contextual limitation) and (ii) the extent to which the use of the information itself is prohibited, in particular by intellectual property or data protection rules (intrinsic limitation). Finally, there is a further distinction to be considered, namely, the distinction between neutral and non-​neutral information processing. This is particularly relevant when, as in the context of web or cloud hosting, information is uploaded by users and is processed (and, in particular, distributed) through infrastructures provided by third parties. In this context, the neutrality of the information processing carried out by a third party infrastructure seems to be based on two related conditions: (i) the infrastructure can be used for different items of information according to the choices of its users (though possibly within the limits of the infrastructure’s function, e.g. limitations placed on the subject matter of a blog); and (ii) the processing is designed to achieve the objectives of the users, in particular, the objective of making this information accessible to the public. Through serving the aims of their users—​ e.g. facilitating access to user-​ generated content through indexes and interfaces—​host providers also achieve their own goals, such as augmenting visits to their websites, to increase revenue from advertisers. However, this result is consistent with, and even consequential upon, the outcome which is sought by the users, i.e. the information-​sharing functions for the sake of which users have uploaded content. Neutrality does not cover activities by providers that are not primarily meant to serve their users, such as using the information which they hold on users for administrative purposes, or for their own commercial interests, e.g. to profile users and provide them with personalized advertising.

2.  E-​Commerce Immunities Web hosting of user-​generated information is governed in the EU by the E-​ Commerce Directive,2 which exempts providers from liability for hosting illegal content, while maintaining the liability of the users who have uploaded such content. The usual justification for providers’ immunities is based on a simple counterfactual argument, namely, by considering what would happen if providers were held liable under criminal and civil law for the illegal information hosted on their 2  Directive 2000/​31/​EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in particular Electronic Commerce, in the Internal Market (‘Directive on electronic commerce’), OJ 2000 L 178/​1. In the United States, similar immunities are provided by the US Digital Millennium Copyright Act, Pub. L. No. 105-​304, 112 Stat. 2860 (1998), and the Communication Decency Act, Pub. L. No. 104-​104 (Tit. V), 110 Stat. 133 (1996).

718

178

Liabilities of Internet Users and Providers

platforms. The risk of incurring liability would force providers to police their platforms, in order to filter out or remove content. In fact, providers would have to be proactive to limit their liabilities. To keep their huge web premises free of illegal data they would need to monitor and possibly interfere with content uploaded by their users. In fact, providers could minimize false positives (the distribution of illegal information, as a consequence of its mistaken classification as legal) only by increasing false negatives (the removal of legal information, as a consequence of its mistaken classification as illegal). Thus, unlimited providers’ liability would lead to collateral censorship by the providers themselves.3 which would, on the one hand, undermine users’ freedom and, on the other hand, involve significant costs, possibly to the detriment of current business models (free user access supported by advertising), and of the usage of the internet.4 Nevertheless, shielding providers from every legal liability would deprive the victims of illegal activities of any effective protection, in all those cases in which the author of illegal content cannot be identified, or could avoid legal sanctions, for example by operating from a location where no effective legal enforcement is available. The regulation of providers’ immunities must balance multiple interests and rights: third parties’ interests in preventing the distribution of certain data (interests concerning intellectual property, reputation, privacy, hate speech, etc.); users’ interests in distributing information (freedom of speech and expression, political and social participation, artistic freedom, economic freedom) and in accessing information (such as participation in knowledge and in the production and sharing of culture); economic interests of providers (their market freedoms); and public interests (preventing illegal activities and promoting creativity, innovation, access to knowledge, and economic progress). In EU law, Articles 14 (hosting) and 15 (no general obligation to monitor) try to strike such a balance. In accordance with Article 14, providers are immune as long as they do not have actual knowledge of the fact that they are hosting illegal materials. As soon as they acquire any such knowledge, to remain immune they have to act expeditiously to remove or to disable access to such information. Moreover, under Article 15, Member States may not impose general obligations on providers to monitor information, that is, to actively seek facts or circumstances indicating illegal activity. I shall not provide an overall analysis of providers’ immunities here; I shall rather limit myself to considering how such immunities bear upon data protection with regard to user-​generated content. It may, however, be useful to recall 3  Balkin, ‘The Future of Free Expression in a Digital Age’, 36 Pepperdine Law Review (2008) 101. 4  There exists a vast literature on providers’ immunities. See among others: Lichtman and Posner, ‘Holding Internet Service Providers Accountable’, 14 Supreme Court Economic Review (2006) 221; Lemley, ‘Rationalizing Internet Safe Harbors’, 6 Journal on Telecommunication and High Technology Law (2007) 101; Hylton, ‘Property Rules, Liability Rules and Immunity: An Application to Cyberspace’, 87 Boston University Law Review (2007) 1; Grimmelmann, ‘The Google Dilemma’, 53 New York School Law Review (2009) 939. For European law, a detailed analysis can be found in G. Spindler, G. M. Riccio, and A. Van der Perre, Study on the Liability of Internet Intermediaries (2006).

791 

Giovanni Sartor

179

that the immunities in the E-​Commerce Directive correspond to the provisions of two instruments in US law, namely the Communication Decency Act (CDA) of 1996 and the Digital Millennium Copyright Act (DMCA) of 1998. Section 230 of the CDA covers all kinds of illegal acts (not pertaining to federal crimes or to the infringement of intellectual property). The CDA grants providers almost absolute immunity from liability. Moreover, it encourages self-​regulation through the so-​called ‘good Samaritan’ clause, which makes it permissible (though not compulsory) for providers to remove ‘objectionable’ materials. Section 521 of the DMCA provides more limited protection to providers hosting copyrighted content. It shields them from liability for infringing content, under the following conditions: (i) they did not know, nor should have known, of the infringing material or activity; (ii) they did not receive financial benefit from an infringing activity that they can control; and (iii) upon notification from an alleged rightholder, they removed the allegedly illegal material, following the ‘notice and take down’ procedure established by the DMCA. According to this procedure, the material must be put back online if the publisher objects to the removal and the alleged rightholder does not bring the case to court.

3.  Providers’ Immunities and Data Protection Exceptionalism It is unclear whether e-​commerce immunities also apply to data protection, which is governed by the Data Protection Directive5 (‘the DP Directive’) and its national implementing measures.6 National judges and data protection authorities have adopted different approaches,7 and even recent EU documents directly addressing data protection with regard to user-​generated content (such as Art. 29 of the Working Party’s Opinion 5/​2009 on online social networking8) seem wary of

5  Directive 95/​46/​EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data, OJ 1995 L 281/​31. 6  The DP Directive is complemented by the Directive on Privacy and Electronic Communications (Directive 2002/​58/​EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, OJ 2002 L 201/​37), recasting Directive 97/​66/​EC of the European Parliament and of the Council of 15 December 1997 concerning the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector, OJ 1998 L 24/​1. 7  E.g. the e-​commerce immunities are not even mentioned in the Italian judgment where three Google executives were condemned as a consequence of the distribution of a video containing sensitive personal data over YouTube (case Google-​Vividown, Tribunal of Milan, 24 February 2010, sentenza n.  1972/​2010). For a critical analysis, see Sartor and Viola de Azevedo Cunha, ‘The Italian Google-​case:  Privacy, Freedom of Speech and Responsibility of Providers for User-​ generated Contents’, 18 International Journal of Law and Information Technology (2010) 1. For a review on cases on web hosting and data protection, see Viola de Azevedo Cunha, Marin, and Sartor, ‘Peer-​to-​peer Privacy Violations and ISP Liability: Data Protection in the User-​generated Web’, 2 International Data Privacy Law (2012) 1. 8  Article 29 Data Protection Working Party, Opinion 5/​2009 on online social networking, 12 June 2009, 01189/​09/​EN (WP 163).

810

180

Liabilities of Internet Users and Providers

making reference to the E-​Commerce Directive. This view may be supported by a literal reading of Article 1(5) of the E-​Commerce Directive, according to which the E-​Commerce Directive does not apply to ‘questions relating to information society services covered by Directives 95/​46/​EC and 97/​66/​EC’ (the DP Directive and the Directive on data protection in the telecommunication services). Failure to apply the e-​commerce immunities to data protection might lead to ‘data protection exceptionalism’: while the immunities would cover every other liability for user-​generated content—​ranging from infringements of intellectual property to defamation, hate speech, incitement to crime, etc.—​they would not apply to user-​generated violations of data protection. According to this view, data protection law alone, insulated from any other legal norms, would determine providers’ liabilities for personal data illegally uploaded by their users: only the DP Directive and its implementing measures would regulate the illegal processing of user-​generated personal information. I believe that data protection exceptionalism should be rejected. To elaborate, even the existing law allows us to argue that—​contrary to the literal reading of Article 1(5) of the E-​Commerce Directive—​the e-​commerce exemption applies horizontally, covering any kind of illegal content, including illegally uploaded personal data. We can achieve this outcome through a restrictive interpretation of Article 1(5), namely, by arguing that this Article refers to the DP Directive only as concerns the ‘questions related to information society services covered by Directives 95/​46/​EC’, which do not include providers’ immunities with regard to user-​generated data. In other terms, under this interpretation, the E-​Commerce Directive would refer to data protection law for the specification of what processings of personal data are illegal, while the Data Protection directive would refer to e-​commerce law for the specification of providers’ immunity from illegal processings taking place on their platform, including processings which are illegal as a result of violations of data protection law. However, certain limitations of the liability of host providers can be argued for independently of the E-​Commerce Directive, on the basis of the DP Directive. First, Article 3 excludes from the DP Directive the use of personal data in ‘purely personal or household activity’. Thus, as long as users’ activities, supported by providers’ infrastructure, can be considered purely personal, data protection rules do not apply. This would be the case when information about third parties is made accessible only to a restricted circle of people, for non-​professional purposes. Second, the DP Directive provides for the distinction between two addressees of the data protection rules, the controller and the processor: the first ‘determines the purposes and means of the processing of personal data’ (Art. 2(1)(d) of the DP Directive); the second implements the choices of the first, processing personal data ‘on behalf of the controller’ (Art. 2(1)(f)). We could limit the data protection liabilities of the provider by assuming that when engaged in a neutral activity with regard to user-​generated data, the provider only acts as a processor, and consequently has no general obligation to monitor or check the inputs received from the controller, with regard both to the uploaded data and to the ways in which such data are neutrally processed in the provider’s platform. This chacterization

8 1

Giovanni Sartor

181

of the provider’s activity would allow us to map the provider–​user distinction in the E-​Commerce Directive into the controller–​processor distinction in the DP Directive.

4.  Knowledge of Illegality and Online Censorship After having argued that the e-​commerce immunities should also be applied to the hosting of user-​generated data which violates data protection, we need to consider how such immunities should be understood in order to best balance all interests at stake, namely, the interests of possible victims (data subjects), but also the interests of online speakers (uploaders), listeners (downloaders), and providers (enablers). In particular, we have to examine the provision of Article 14(1) of the E-​Commerce Directive, according to which a provider is immune only as long as he ‘has no actual knowledge of illegal material, or upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information’. Knowledge of the illegality of certain data involves two aspects:  the factual knowledge that the data are hosted on the provider’s server and the legal knowledge that the distribution of these data violates the law. This means that in order to examine the interpretive issues emerging from this provision we need to focus on the concept of knowledge. According to the most common understanding of this concept, we have knowledge when we believe something which happens to be true; the concept of knowledge includes two elements: belief and truth.9 A person knows a fact p when both of the following hold: the person believes that p is the case, and p is indeed the case. The fact that a provider hosts illegal data includes two components: (i) the data are on the provider’s platform and (ii) the data are illegal. Let us assume that both components hold true: the provider is hosting data that are illegal. We need to consider whether, for the provider to be liable for hosting these data, it is only required that he believes that the data are on the platform or whether it is additionally required that believes that the data are illegal. According to the first perspective (which corresponds to the principle according to which ignorance of the law is no excuse), providers hosting illegal data lose their immunity as soon as they come to know that the illegal data are on their platform, even though they are not yet aware that the data are illegal. Thus, for liability to be triggered under this interpretation all of the following should hold: (a1) the provider believes that certain data are on the platform; (b1) the data actually are on the platform; and (b2) the data are illegal. 9  For the idea of knowledge as true belief, see Goldman, Knowledge in the Social Word (1999), ch. 1. According to other authors, knowledge also includes justification (a true belief held without a plausible ground would not constitute knowledge), as famously argued by Plato in the dialogues Meno and Theaetetus. Therefore, only true and justified belief would provide knowledge. Others have argued that even belief, truth, and justification are still insufficient, and have provided conceptions of knowledge that include additional conditions.

821

182

Liabilities of Internet Users and Providers

According to the second perspective, the provider would be liable only when he is aware both that the data are on the platform and that they are illegal. Thus, all of the following should hold: (a1) the provider believes that the illegal data are on the platform; (a2) the provider believes that the data are illegal; (b1) the data actually are on the platform; and (b2) data are illegal. Note the difference: for the liability to be triggered, the first interpretation does not require an element which is included in the second interpretation, namely (a2), the provider’s belief that the hosted data are illegal. Consequently, according to the first interpretation a provider would also be liable for leaving online data that he considers in good faith the data to be legal (or more probably so, or possibly so), should his judgment be considered to be wrong by the competent authority. Thus, the first interpretation puts providers in a difficult situation, and would presumably lead them to carry out collateral censorship, i.e., to remove data uploaded by their users whenever the lawfulness of such data is or may be challenged. We have to distinguish here different situations on the basis of the nature of data at issue. In some cases, the only difficulty consists in knowing whether the data are on the platform, since establishing whether the data are illegal is straightforward. This may be the case, for instance, when a rightholder complains about a copyright violation consisting in duplication of the rightholder’s registered work, though in some cases it may be doubtful whether the rightholder has consented to the publication, or whether the use of the work may be considered as a fair use, or whether it might fall into a copyright exception. In other cases, on the contrary, assessing illegality is much more difficult. The provider, while knowing that certain data are on the platform, may remain in doubt—​and thus fail to form a precise belief—​on the illegality of the data. This is the case in particular when competing rights are involved. Consider, for instance, how difficult it may be to assess whether a person’s data protection rights are infringed through statements made about that person’s character or activities (data protection versus freedom of expression). In fact, in such cases we may wonder whether there are objective standards conclusively determining whether the data are legal or illegal, or whether this qualification depends upon a discretionary decision by the competent authority. However, this would take us into the legal theory debate on the objectivity of legal knowledge and on the determinacy of the law, i.e. whether there is only one correct answer to each legal issue, or whether the law may sometimes be incomplete or undetermined, and whether such an answer, if it exists, is accessible to the average lawyer or person. Without going into this debate, I assume that our cognitive skills, in many cases, allow us to affirm or deny the legality of online content only with degrees of doubt. It may also be argued that what is at issue here is not so much the truth of the proposition that a certain content is legal or illegal, but rather the forecast that the competent authority will consider the content to be legal or illegal—​a forecast that we often can (and, indeed, do) make only with degrees of uncertainty. Under such circumstances, a legal regime which makes the provider liable for hosting illegal information would provide the provider with a strong incentive

831 

Giovanni Sartor

183

to remove any piece of material for which there is even a small hint of doubt regarding its legality. Even when a particular item of information appears to be most probably legal, the potential loss may outweigh the marginal benefit that the provider derives from keeping the item online, alongside all other materials on the platform.10

5.  The EU General Data Protection Regulation: Overcoming Privacy Exceptionalism? Let us now address the changes that the DP Regulation11 introduces with regard to providers’ liability. First, we need to ask ourselves whether all doubts concerning privacy exceptionalism—​i.e. the idea that commerce immunities do not apply to data protection—​will be removed. Indeed, this seems to be the case, according to Article 2(4), which clearly states that the DP Regulation ‘shall be without prejudice to the application of Directive 2000/​31/​EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive’. Thus, it seems that providers’ immunities also apply to data protection, their general coverage not being limited by the DP Regulation. Some residual uncertainty may arise in connection with Article 94 of the DP Regulation, according to which references to the DP Directive ‘shall be construed as references to this Regulation’. In fact, such references also include Article 1(5)(a) of the E-​C ommerce Directive, which should therefore be read as: ‘This Directive does not apply to … questions relating to information society services covered by Data Protection Regulation’. Thus, on the one hand, the DP Regulation is without prejudice to the application of the E-​C ommerce Directive—​whose immunities should therefore also cover user-​generated data involving data protection violations—​but, on the other hand, the E-​C ommerce Directive does not apply to questions covered by the DP Regulation. This point, however, may be addressed through interpretation. Specifically, it may argued (as above) that the DP Directive only establishes what kinds of data processing violate data protection law, while the E-​C ommerce Directive exonerates providers from liabilities for hosting illegal content provided by third parties, including content being published and distributed in violation of data protection law.

10 For further discussion, see Sartor, ‘Providers’ Liabilities in the New EU Data Protection Regulation: A Threat to Internet Freedoms?’, 3 International Data Privacy Law (2013) 3. 11  Supra note 1.  For a precise analysis of the Regulation, see Kuner, ‘The European Commission’s Proposed Data Protection Regulation:  A  Copernican Revolution in European Data Protection Law’, 11 Privacy and Security Law Report (2012) 1. See also De Hert and Papakonstantinou, ‘The Proposed Data Protection Regulation Replacing Directive 95/​ 4 6/​ EC: A Sound System for the Protection of Individuals’, 28 Computer Law and Security Review (2012) 130.

814

184

Liabilities of Internet Users and Providers

6.  Are Providers Controllers? Moving to specific provisions, we need to consider certain data protection rights of the data subjects, which entail corresponding obligations on data controllers. Whether such obligations apply to providers neutrally processing user-​generated data depends on whether such providers, when they carry out this activity, can be considered as controllers. If providers were considered to be controllers, they would be charged with burdensome tasks. For instance, according to Article 14 of the DP Regulation, they would be required to pursue any persons mentioned on a blog, social network, or forum to inform such persons that data concerning them are present on the platform and provide them with any ‘information needed to guarantee fair processing’. There is a limitation to this requirement, namely, the provision of Article 14(5)(b), according to which the controller is exonerated from this obligation when ‘the provision of such information proves impossible or would involve a disproportionate effort’. However, it remains to be established when an effort may be considered ‘disproportionate’, a qualification that invites highly discretionary evaluations by data protection authorities and judges. Article 17(1) of the DP Regulation grants data subjects the ‘right to erasure (“to be forgotten”)’, namely, the power to obtain ‘from the controller the erasure of personal data concerning him or her without undue delay’. The definition of this right fails to distinguish two kinds of user-​generated personal information: (i) information about a data subject that the same data subject has transferred onto a provider’s platform; and (ii) information about a data subject that other users have put onto a provider’s platform.12 The first situation appears to be uncontroversial: data subjects should have the right to eliminate whatever personal data about themselves they have chosen to upload onto the provider’s platforms. Such a right may, however, be approached from different perspectives. We need to distinguish whether the initiative and the primary interest in processing such data pertains to users or to providers. When the data are processed upon the users’ initiative, the idea of neutral processing of user-​generated data requires that users must be able to withdraw such data regardless of whether the data concern the users themselves or other people; in other words, users should maintain full ownership of all data they have transferred onto a platform.

12  Rosen, ‘The Right to Be Forgotten’, 64 Stanford Law Review Online (2012) 88. On the right to be forgotten, and also for references to the literature, see Korenhof et al., ‘Timing the Right to be Forgotten: A study into “time” as a factor in deciding about retention or erasure of data’, in S. Gutwirth, R. Leenes, and P. de Hert (eds), Reforming European Data Protection Law (2015) 171. On data protection and freedom of expression, see Erdos, ‘Freedom of Expression Turned on Its Head? Academic Social Research and Journalism in the European Privacy Framework’, 1 Public Law (2013) 52.

851 

Giovanni Sartor

185

When personal data concerning users—​who are data subjects with regard to such data—​are processed upon the initiative of the provider, with or without the users’ consent, the data should be erased if the user abandons the platform, as the purpose of the processing would expire. Moreover, when consent by users is required for processing users’ personal data, withdrawal of consent makes the deletion of such data mandatory, as explicitly stated by Article 7(3), according to which the data subject ‘shall have the right to withdraw his or her consent at any time’. A complement to the right to withdraw consent is addressed by Article 20, which introduces a right to ‘data portability’, i.e. the right of data subjects to obtain a copy of their personal data in an interoperable format. Above, we have distinguished between data that are intrinsically personal (because they consist of information about the data subject, such as a photograph or a description of some of that person’s life events), and data that are contextually personal (because the data have been collected or authored by the data subject). Indeed, Article 20 may raise the question of whether contextually personal data should also be covered. For instance, does the right to portability entitle me to obtain, in an appropriate format, only the pictures of myself, or also the pictures of other people, which I have uploaded on a platform? Let now consider whether data subjects have the power to request providers to erase items of data that were uploaded by other users. Since the obligation to comply with such requests only concerns controllers, the decisive point seems to be whether providers should be considered as controllers or only as processors of such data. For instance, we may ask whether the online encyclopaedia Wikipedia is a controller or a processor of personal data published by Wikipedians on its pages. Let us first assume that providers are only processors of user-​generated personal data concerning identifiable third parties, so that users who uploaded such data are the controllers of them. Under this assumption, a data subject who wants some personal data to be erased according to Article 17(1) should request the user who has uploaded such data to take them down. The user would then decide whether to take the data down or whether to leave the data on the platform, facing the risk of a lawsuit. The concerned data subject could also ask the provider to take down the data, but in this case, given that the provider is only a processor, the data subject could not rely on Article 17(1). The data subject’s request could only be based on the E-​Commerce Directive, according to which a provider becomes liable only when he knows that he is hosting illegal data (which would raise the issue of knowledge of illegality, as discussed earlier). Let us now assume, on the contrary, that providers rather than users are considered to be controllers of user-​generated data concerning third parties. Under this assumption, a provider would have the obligation to take down personal data uploaded by a user whenever so requested by the concerned data subject, in accordance with Article 17(1). This would mean that providers would become law enforcers for data protection against their users. If a provider-​controller failed to take down privacy-​infringing content, not only would the provider have to provide compensation, but he would also be subject to a severe sanction (Art. 83),

861

186

Liabilities of Internet Users and Providers

as we shall see in the next section. Under such conditions, providers appear to have no choice but to remove any contested item of data. It seems to me that this second way of understanding Article 17(1) could involve a serious infringement of the fundamental rights of internet users, and in particular, an unacceptable limitation of freedom of expression.

7.  The Right to Be Forgotten The right to erasure, also named ‘right to be forgotten’ in Article 17(1) of the DP Regulation, covers the data subjects’ right to terminate any illegal processing of their data, a right already granted by Article 12(1)(d) of the DP Directive, under the heading of a right to erasure.13 In particular, this right addresses situations where an initially lawful processing becomes unlawful at a later time, when the right to privacy starts to outweigh the interests supporting the processing. For instance, consider the situation when certain information is most relevant to the public for a short time after its publication and then loses most of its general interest, but continues to have a negative impact on the privacy of the individuals concerned. Similarly, certain information relevant to security (e.g. information recorded on CCTV systems in shops and in public areas) loses most of its significance in relation to security after a short period of time, but it may continue to have a serious negative impact on the privacy of the persons whose images are stored. Thus while at the beginning the benefit in freedom of expression (or security) obtained by processing the data outweighs the resulting loss in privacy, at a subsequent point in time there is a change: the loss in privacy starts to outweigh the benefit in freedom of expression (or security). This is the point in time where the data should be forgotten, since the overall positive trade-​off between benefits and losses is maximized by switching at that time from processing to not processing the data. The two examples we have just considered share this general pattern, but they differ in one important regard. In the case of footage from CCTV cameras, it is possible to establish a maximum retention time which in general corresponds to the point where the balance of interest has changed, since inquiries into possible crimes which may have occurred in the spaces monitored usually can be initiated within a short period of time. This is not the case for the online distribution of information, where public interest in the information being distributed and searchable on the web may persist through time, to an extent which is highly dependent on the nature of the information at issue. In fact, some events are always of interest to the public (e.g. scandals involving politicians), others are relevant for a long time (e.g. very serious crimes), and others lose their significance

13  On the regulation of the right to be forgotten in the DP Regulation, see Sartor, ‘The Right to Be Forgotten in the Draft Data Protection Regulation’, 5 International Data Privacy Law (2014) 1.

8 17

Giovanni Sartor

187

in a short space of time (e.g. a small entrepreneur becoming bankrupt or being convicted for a tax offence). In Figure 6.1 the changing balance is modelled in a graphic form. The horizontal axis represents the passage of time, starting from the initial moment when the processing has begun (time 0). The vertical axis represents the legal impacts that the processing has with regard to the interests at stake. The full curve represents the importance of positive impacts on the pro-​processing interest, i.e. all those interests that are promoted by the processing, such as freedom of expression and information. The dotted curve represents the importance of the negative impacts on the con-​processing interests, i.e. all those interests that are demoted by the processing. The importance of the legal impact of a processing on each set of interests at a particular point in time is represented by the height of the curve corresponding to that interest at that point in time. The point when the two lines cross denotes the reversal time, namely, the point in time when con-​processing interests (in particular, privacy interests) start to outweigh the pro-​processing interests. By stopping the processing at the reversal time the best overall result is obtained: we maintain the differential advantage—​with regard to trade-​off of the interests at stake—​obtained before the reversal time without incurring the differential loss we would suffer after that time. Note that in some cases it is not necessary to stop all processing, but only that kind of processing for which the pattern considered above holds. For instance, newspaper articles may be archived and made accessible in limited ways, while preventing them from being indexed by search engines, which avoids these articles being accessible to the general public through casual searches.

Impacts Gain Differential advantage by processing Loss

Reversal time

Fig. 6.1  The framework of the right to be forgotten

Differential loss by processing

Time

81

188

Liabilities of Internet Users and Providers

8.  Sanctions for Those Who Do Not Forget As I observed earlier, it may be difficult to determine whether a data processing is illegitimate, and to anticipate authoritative assessments on the matter. This is even more difficult when the right to be forgotten is involved, since even when we agree that this right exists with regard to a certain item of information, we still may disagree on when the reversal time is reached, that is, on the point in time at which privacy interests start to outweigh pro-​processing interests. This uncertainty is likely to induce self-​and collateral censorship, to avoid the risk of sanctions. An additional factor in the equation is provided by the sanctions for the violation of this right. The violation of the right to be forgotten, like other violations of data subjects’ rights, is subject to the sanction of Article 83(5) of the DP Regulation, namely ‘administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher’, in addition to the obligation to provide compensation for the damage. Assuming that individuals publishing information online would be viewed as controllers in terms of Article 83(5), such a high penalty for the refusal to take down illegal information may induce such individuals to comply with any request to remove personal information, whenever there is even a minimal risk that distributing the information may be illegal. This would significantly impinge on freedom of expression. Individual publishers would face the choice between yielding to the removal request or risking the penalty, should they be unable to prove that: (i) they had posted the data ‘solely for journalistic purposes or the purpose of artistic or literary expression’; and that (ii) in the particular case freedom of expression should prevail over data protection, according to a comparative assessment. In fact, for the party who wished to distribute the information, the removal request would modify the equation: prior to the request, the publisher merely had to consider the possibility of having to pay compensation versus the advantages (personal or public) involved in distributing the information. After the request, the publisher would face the possibility of paying compensation plus the possibility of being punished versus the advantages of distributing the information. Sanctions for the failure to comply with removal requests would also apply to providers if they were considered as controllers of the processing at issue. To illustrate the draconian deterrent effect this might have, consider the application of the right to be forgotten to Wikipedia: all entries including a person’s name would have to be deleted on request by the concerned data subjects. Thus, every data subject mentioned in Wikipedia’s pages could compel the authors of those Wikipedia pages, and Wikipedia itself, to selectively clean the pages of every statement he or she did not like. To prevent such censorial excesses, I think that providers should be exempted at least from the administrative sanctions for maintaining illegal content online that they believe in good faith to be legal. On the contrary, if providers were not attributed controllership, they would not be subject to administrative sanctions for not complying with the right to

891 

Giovanni Sartor

189

be forgotten, as these sanctions apparently apply only to controllers. Under this interpretation, providers would only run the risk of having to pay compensation according to Article 82(1), which is complemented by the provision of Article 82(3):  this latter provision excludes liability ‘if the controller or the processor proves that they are not responsible for the event giving rise to the damage’.

9.  Interests and Motivations Figure 6.2 addresses the evolution over time of the interests involved in the right to be forgotten, the motivation of the parties, and the impact of sanctions. To help the reader, all these trends are represented through straight lines, i.e. as linear functions of time. Part A  of the figure shows the evolution of privacy-​related versus publicity-​ related interests: the privacy–​impact curve starts at a higher level, but decreases more rapidly than the publicity–​impact curve, so that at a switch point the two lines cross. From that point on, the damage to privacy interests is no longer fully compensated by the benefit to publicity interests. Hence, from that point on, data processing provides a negative legal trade-​off, which apparently justifies its impermissibility, and the provision of sanctions upon the processing parties, i.e.,

A

Impacts Legal gain

Differential advantage by processing Differential loss by processing

Legal loss

Time B

Motivations

Uploader’s gain Uploader’s loss C

Time

Motivations

Provider’s gain Provider’s loss Removal-time Removal-time Removal-time preferred preferred preferred by provider by uploader by the law

Fig. 6.2  Motivations and sanctions

Time

901

190

Liabilities of Internet Users and Providers

the publisher/​uploader of the information and the host provider who is storing it in a virtual repository (whether it be a server, website, or forum). Figure 6.2 also contains a representation of the motivations of publishers (part B) and of host providers (part C) to keep the information online in the absence of sanctions, both of which are decreasing, but remain positive (assuming that no sanctions are put in place). Motivations are represented by downward-​sloping full lines, to show that, usually, such motivation tends to decrease as time goes by, at least in cases concerning the online distribution of information (since old news items no longer provide information about current events, and an increasingly large subset of the interested readership has already accessed them). Publishers’ motivation includes the economic gains that they expect to achieve, directly or indirectly, by distributing the information, but also the moral and social importance which they attribute to providing such information. Abstracting from different individual attitudes, we may assume that the motivation for distributing information is measured by the maximal personal loss that publishers would be ready to sustain for not distributing the information, regardless of the reasons that explain this attitude. Consider, for instance, the situation of a person who has to decide whether to publish online information concerning a political or economic scandal on a blog. The publisher knows that this may generate some personal advantage (perhaps relating to his or her personal reputation as a journalist or political activist, as well as to financial gain resulting from attracting readers to the blog, etc.), but may also result in significant personal losses (e.g. losing possible contracts, missing out on career advancement, or even putting life or freedom at risk, etc.). Moreover, the publisher knows that this information would be highly beneficial to the public (contributing to curb the plight of corruption) while it would damage the reputation of the data subjects involved in the scandal. That publisher’s motivation would not be measured only by the mere trade-​off of personal gains and losses, nor would it be measured by adding to this trade-​off the full amount of the expected (net) public benefit. The motivation would, rather, be measured by adding to the trade-​off of personal gains and losses a quantity expressing the limited extent up to which the person internalizes the moral or social merit of her action, i.e. a quantity that indicates what additional personal loss she would be ready to sustain so as to accomplish that action. Consider, for instance, a news item that is published in an online journal, and assume that after a certain point in time the legal balance regarding publication becomes negative, since the damage in privacy starts to outweigh benefits in publicity. At that particular point in time, the publisher will still be interested in keeping the item online, since it may still attract readers and thus produce revenue. Thus, if there were no law in place (leaving aside the possibility that the data subject may use private sanctions), the publisher would probably continue to distribute the item even when the legal trade-​off had become negative. A provider’s motivation to keep an item of information online is usually lower than the motivation of the publisher of that item, since providers host huge amounts of material and have little interest in continuing to distribute a specific single piece of information. Providers will wish to have a legal discipline that does

9 1

Giovanni Sartor

191

not make them liable for the distribution of illegal information; however, if the battle for a general exemption is lost, they will prefer to comply with removal requests rather than be subject to sanctions for individual cases.

10.  The Effect of Sanctions and of Their Anticipation It may seem that in order to induce data controllers to remove the information as soon as the reversal time is reached, distribution after the reversal time should be punished. The sanctions, to be effectively deterrent, should be sufficiently high so as to induce most controllers to behave as requested. In general, we may assume that sanctions for failure to remove the data should include compensation of the damage to the data subject, as requested by Article 23 of the DP Directive. This compensation, according to national laws, such as the Italian legislation,14 may also include non-​economic damage. In addition, the sanctions may include administrative fines, as established by national legislation, and as required by the DP Regulation. If these sanctions were always imposed upon processing personal data only after the point in time where the balance between pro-​and con-​processing interests was reversed, and the processing party knew exactly where this point was located, this discipline would induce behaviour that maximized the achievement of legal values. Before the reversal time publishers and providers would leave the material online, since they could enjoy the benefits resulting from the distribution of the information without encountering any legal sanction. After that point they would take the information down, because continuing to distribute the information would expose them to the obligation to compensate data subjects for damage and to the risk of any further sanction established by data protection law. This analysis, however, is fallacious, since it does not consider an important aspect of the situation. The data processing parties may be uncertain whether distributing certain information at a certain point in time provides a positive or a negative balance between publicity and privacy interests, and thus they may not know whether that information is lawful or unlawful. Or, in any case, they may be uncertain how the competent judge or data protection authority will assess the issue. This means that, even before the reversal time, the expected sanction will not be set at zero. Rather, the expected sanction for keeping a piece of information online at a particular point in time t will result from multiplying the level of the sanction at t and the probability of being sanctioned, which corresponds to the probability that the competent decision-​makers will ex post consider that at time t the con-​processing interests already outweighed the pro-​processing interests. This probability increases as time goes by, under the assumption that it is inversely 14  Act no. 196 of 30 June 2003 Codice in materia di protezione dei dati personali/​Personal data protection code [2003] OJ 174/​03, Art. 15(2).

912

192

Liabilities of Internet Users and Providers

correlated to the difference between con-​processing interests and pro-​processing interests: as this difference diminishes (and then is reversed), it becomes more and more probable that the adjudicating authority may consider that con-​processing interests outweigh pro-​processing interests. Thus, even if we assume that the amount of the sanction does not increase over time, the expected sanction for the continued distribution increases over time, as represented by the upward broken line in the lower part of Figure 6.2. In the figure, this line crosses (overtakes) the continuous line representing the motivation of the processing party at a time that is earlier than the reversal in the balance of the legal interests at stake. This means that according to this picture, the processing party will be motivated to take down the information before the time when this would be legally preferable. To understand this behaviour, we have to analyse the reasoning of the data processing party that tries to assess whether a data processing that at an earlier time was lawful on the basis of a positive trade-​off, still is lawful, or whether it is now unlawful since the trade-​off has already become negative. This judgment is likely to be uncertain, since the processing party will only be able to make a very approximate estimation of both the gain in publicity interests and the loss in privacy interest at that point in time, and of the way in which gains and losses will be assessed and weighed by the decision-​maker. The uncertainty is likely to increase as the timeline approaches the reversal time. To identify the point in time from which the party will no longer be motivated to continue to distribute the information, three main aspects have to be considered: first, the loss that the party would suffer if the distribution taking place at a certain point in time were considered to be illegal; second, the probability that the distribution will be acknowledged as illegal by the authorities; and third, the motivation that the party has for continuing the distribution at that time, leaving the data online. The first element is the total loss expected if distributing the data was considered to be illegal:  this is the amount comprising the privacy damages, plus possible fines. The second element is the subjective probability (as assessed by the concerned parties) that the distribution taking place at a certain point in time would be considered to be illegal, according to the judgment of the competent authority, based on the evaluation of the balance of interests. The expected losses of a party (publisher or provider) resulting from the illegal distribution at a certain point in time is obtained by multiplying the total loss that the party would suffer if the distribution at that time were considered to be illegal, for the subjective probability that indeed the distribution would be considered illegal (which is likely to be 50 per cent around the reversal time). The expected loss is represented by the broken line in the lower part of Figure 6.2. The third element is the motivation of the data processing parties for leaving the material online, measured by the level of the financial loss sufficient to induce them to remove the information. Given the analysis just provided of these three elements (total loss, subjective probability of loss, and motivation), I conclude that not only is there a point in

931 

Giovanni Sartor

193

time when the expected sanction will outweigh the motivation to distribute the material, but also that this point in time will generally be earlier than the reversal time. This may induce the parties involved in the distribution to withdraw the material prematurely, i.e. at a point in time when publicity interests still outweigh privacy interests. This anticipation will grow when the motivation drops or the uncertainty increases. If we reasonably assume that a publisher’s motivation to keep the material online is stronger than that of the providers, the expectation of a sanction will have a stronger anticipatory effect on providers than on publishers, as Figure 6.2 shows.

11. The Google Spain Case The decision of the Court of Justice of the European Union (CJEU) in the Google Spain case15 needs to be separately addressed since it does not concern removing content from the web. Rather, it concerns the obligation for a search engine ‘to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful’.16 This obligation, and the corresponding right of the data subject to request the so-​called ‘delisting’, was held to prevail over the interest of the public to access the information through name-​based searches, unless ‘it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question’. Thus, data subjects have, in principle, a right to determine—​by excluding pages they dislike—​what personal data may be retrieved by using their names as the keyword in a search. In this way, data subjects have some control over their online image, as it emerges from the list of results obtained from name-​based searches. Thus, this right does not entail that the data should be deindexed or removed from the web. For instance, assume that a search engine has complied with a delisting request relating to newspaper article on an act of domestic violence, following a request by the perpetrator. Members of the public who are interested in domestic violence will still be able to retrieve the article when searching with the keywords ‘domestic violence’, rather than with the name of the perpetrator. The decision of the CJEU gives data subjects some control over the searches that are more likely to affect them, namely, searches made using their names. In

15  Case C-​131/​12, Google Spain SL, Google Inc. v.  Agencia Española de Protección de Datos (AEPD), Mario Costeja González (ECLI:EU:C:2014:317). 16  Ibid., ruling, para. 3.

941

194

Liabilities of Internet Users and Providers

fact, such searches are typically made by people interested in the data subjects themselves rather than in the general significance of the facts in which the data subjects are involved. Thus, the specific legal remedy affirmed in this decision—​ namely, the right to delisting—​enables data subjects to obtain some protection for their privacy interests, while minimizing the negative impacts on freedom of expression and information. The passage of time may be relevant in this context, leading to a change in the balance of interests. While there may be a strong public interest in name-​based access to a page containing fresh news about a person, this interest is likely to decrease as time goes by and to be outweighed by that person’s interest that the information is not accessed in this way. Thus, the decision of the CJEU, by mandating the smallest limitation to accessibility, upon request of the data subject, is likely to have indicated the best balance of the interests at stake in the case it has addressed. This does not exclude that at a later time a stronger limitation of accessibility, such as deindexation or removal may become preferable to mere delisting. Whether this is the case or not depends on the range of interests at stake, and on the dynamic of the impacts of online accessibility on those interests. What is perplexing in the decision of the CJEU is the idea that search engines are controllers with regard to indexes and links extracted from user-​generated materials. This makes them liable in principle for any unlawful processing pertaining to the indexation and retrieval, exposing them to data protection sanctions whenever they provide links to data that should not have been published on data protection grounds. On this approach, search engines, especially smaller ones, may be induced to comply with unjustified or anticipated requests to delist or even to deindex unwanted content. To avoid this consequence, I suggest that search engines, with regard to their indexing and retrieval function, should be assimilated to host providers and enjoy the e-​commerce immunities. Thus, they should be subject to delisting or deindexing injunctions by competent authorities, but should be exempted from liabilities when failing to comply with a private request, except for intentional illegality or gross negligence. This should reduce pressure to remove search results under conditions of legal uncertainty, in order to avoid the risk of sanctions, and enable decisions on controversial cases to be deferred to data protection authorities. To reach this result, however, it seems that we should take a perspective that is different from that adopted by the CJEU, namely, we should assume that search engines are not controllers with regard to the indexation of user-​generated content; the only controller of the indexing is the user, who has chosen to have the content processed in this way by uploading it on the open internet without deactivating indexation.17 Alternatively, if we prefer to view search engines as controllers, we should decouple the parallelism between the e-​commerce dichotomy—​user (content provider) versus (host or communication) 17  For this perspective, see Sartor, ‘Search Engines as Controllers:  Inconvenient Implications of a Questionable Classification. Case C-​131/​12, Google Spain and Google Inc. v. AEPD et Costeja Gonzalez’, 21 Maastricht Journal of European and Comparative Law (2014) 564.

9 15

Giovanni Sartor

195

provider—​and the data protection dichotomy—​controller versus processor—​so as to admit that a search engine can be a controller with regard to some operations on user-​generated content, but still enjoy the immunities for host or communication providers. If, following the approach of the CJEU, we assume that the provision of an indexing service over all data available on the web involves controllership over that data, we may still argue for providers’ immunities on the basis of the neutrality of this service, and its correspondence to an implicit request made by the publishers, whose interests the indexing is primarily meant to satisfy.

12. Conclusion I have considered the interaction between providers’ liability and data protection, with regard to the neutral hosting online of personal data uploaded by third parties. I have argued for the need to maintain and strengthen providers’ immunities, since such immunities contribute to preserving an open, accessible, and free flow of information online. In this spirit, I  have also argued for the need to overcome the ‘data protection exceptionalism’, namely, the idea that providers’ immunities do not apply to data protection. In this regard, the DP Regulation represents significant progress: while enhancing the protection of data subjects, the Regulation puts online freedom of speech and of information on safer ground by clarifying that providers’ immunities, as introduced by the E-​Commerce Directive, also apply to data protection. I have then addressed the issue of the right to be forgotten, focusing on cases where originally permissible data processing becomes impermissible at a later time, due to a supervening negative imbalance between pro-​ processing and con-​processing interests. In particular, I have considered cases where freedom of expression and information originally prevail, but at a later time are outweighed by privacy interests. While recognizing that cases exist in which a right to be forgotten is in principle justified, I have considered the impact of sanctions on the behaviour of parties who fail to forget, i.e. who continue processing after the reversal time, namely, the time when ideally processing should be terminated or limited. I have argued that, under conditions of uncertainty on locating the reversal time, sanctions against continued processing may induce the concerned parties—​and in particular publishers and host providers of information distributed on the open web—​to prematurely terminate their processing, giving in to removal requests. In this regard, the discipline of the right to be forgotten in the DP Regulation—​ which provides for administrative sanction for the failure to comply with removal requests, in addition to the compensation of pecuniary and moral damages—​ may lead to inadequate responses to the online distribution of information. Some adjustments are required to pay due respect to online freedom of speech and information.

916

196

Liabilities of Internet Users and Providers

Providers should not be liable for keeping data online when they reasonably believe in good faith that the data might be legal, and no competent authority has yet ordered removal. Providers’ immunity could possibly be complemented by a removal procedure that would allow publishers to express their views, and data protection authorities to express a binding—​though presumptive, being subject to judicial review—​assessment of illegality. Finally, the sanctions for the violation of the right to be forgotten should be reconsidered with regard to both providers and individual users. In particular, the administrative sanction of Article 83(5) should be limited to cases where the injunction of a data protection authority is disregarded, since the threat of such a serious punishment, under conditions of uncertainty, is likely to have a chilling effect on freedom of speech, forcing providers into carrying out collateral censorship.

971 

7 Brave New Borders: The EU’s Use of New Technologies for the Management of Migration and Asylum Jorrit J. Rijpma

The successful monopolization of the legitimate means of movement had to await the creation of elaborate bureaucracies and technologies that only gradually came into existence, a trend that intensified dramatically toward the end of the nineteenth century.1

1. Introduction As Torpey explains, it was the passport, both as a means to identify and sort people and as a requirement for the ‘legitimate movement across territorial spaces’ that allowed states to assert their sovereign prerogative to regulate the entry and exit of persons.2 Today, countries in the developed world try to reinforce their power over the cross-​border movement of people with renewed vigour. Once again new bureaucracies and technologies play a key role in enabling them to do so. Presentday regulatory regimes for the management of migration and asylum, and the authorities responsible for their implementation and enforcement, have come to rely heavily on the use of modern technology. Importantly, the nation state is no longer the sole actor regulating cross-​border movement of people. It has been joined by post-​national forms of government.3 The prime example of a new governmental player is of course the EU, which

1  J. Torpey, The Invention of the Passport: Surveillance, Citizenship and the State (2000), at 35. 2  Ibid. 3  Increasingly, private actors have come to play a role in the management of migration and asylum. See T. Gammeltoft-​Hansen, Access to Asylum (2011), at 158–​208. The focus of this chapter will however be on the use of new technology by public actors. Brave New Borders: The EU’s Use of New Technologies for the Management of Migration and Asylum, First Edition, Jorrit J.Rijpma © Jorrit J. Rijpma 2017. Published 2017 by Oxford University Press

918

198

Brave New Borders

has steadily acquired new competences in the field. Mirroring developments at national and international level, the EU has embraced modern technologies, integrating them in its regulatory instruments for the management of borders, visas, migration, and asylum. Whether Member States’ authorities wish to establish the responsibility for an asylum claim, identify a boat carrying irregular migrants in distress, issue a passport to its nationals, or determine whether a third country national is overstaying her visa, in all cases European legislation governs their actions and provides for technological instruments allowing them, for instance, to check personal data, including biometric data, and exchange relevant information through secured EU networks of communication. This chapter will examine how new technologies and bureaucracies have become part and parcel of the EU’s migration and asylum policy and how the two are intimately linked. Section 2 will set the scene against which the EU operates in this area. Section 3 will look at the mass storage and collection of (biometric) data in centralized databases set up for the management of migration and asylum. Specific focus will be on the data protection rules applicable to these databases. Section 4 will look at the EUROSUR system. This surveillance system is intended to link national border guard authorities and the EU’s border management agency Frontex within a common environment for information exchange on the situation at the external borders. Centralized databases and the surveillance of the EU’s external borders are two dimensions in which the management of migration and asylum has most prominently been ‘Europeanized’ and in which modern technology plays a key role. The conclusion will bring the preceding sections together showing how in the 21st century new technologies and new bureaucracies have allowed the EU and its Member States to tighten their grip on the movement of people. It will show that the use of technology has transformed the nature of the European border and has reinforced the agencies in charge of its management, even if this has been done without a clearly defined vision or grand design. Rather, it was technology itself that enabled this development and has greatly helped to shape it. It will be questioned whether a decade after the Hague Programme mandated the adoption of a coherent approach and harmonized solutions on biometric identifiers and data, the EU has managed to do so.4 While technology has often been portrayed as value-​neutral, it may now pose challenges to some of the EU’s fundamental rights, most notably the right to data protection.

4  The Hague Programme formed the multi-​a nnual policy plan for EU Justice and Home Affairs from 2004–​2009:  The Hague Programme:  Strengthening Freedom, Security and Justice in the European Union, Annex to the European Council Presidency Conclusions, 14292/​1/​04 REV 1, 8 December 2004, at 25, para. 1.7.2.

91 

Jorrit J. Rijpma

199

2.  Setting the Scene: EU’s Migration and Asylum Policy and the Role of New Technologies At the outset it is useful to briefly discuss the EU’s competence over matters of migration and asylum, since—​as with any policy field—​the EU’s room for action is limited to the extent to which Member States have carried over powers to the EU level. We will then examine how the EU has made use of its powers and show that it has consistently integrated new technologies in its migration and asylum policy. We will therefore take a closer look at the role technology plays in modern migration and asylum law. We will continue to discuss three developments that stand in a mutually reinforcing relationship to this use of modern technology. These are increased cross-​border flows, the re-​definition of the border, and the link between the movement of people and security.

A. EU Competence and Differentiated Integration The EU was first given powers in the field of asylum and migration—​as areas of common concern—​under the third pillar of the Maastricht Treaty.5 Cooperation in this area had, however, taken off between a more limited number of Member States within the framework of the Schengen cooperation. The 1986 Schengen Agreement, under which the principled decision to abolish internal borders was taken, was supplemented by the 1990 Convention Implementing the Schengen Agreement (CISA) and a range of decisions of the Schengen Executive Committee which provided for ‘compensatory’ or ‘flanking’ measures to offset the lack of controls at the internal borders. These included rules on the external borders, visa, asylum, police cooperation, and importantly also the first centralized database for the exchange of information between law enforcement authorities: the Schengen Information System (SIS).6 It was the Treaty of Amsterdam that introduced the establishment of an Area of Freedom, Security and Justice (AFSJ) as an overarching objective of the EU competence in Justice and Home Affairs (JHA). It also communitarized powers in the field of migration and asylum by transferring them to the intergovernmental first pillar. Most importantly, this facilitated the incorporation of the Schengen rules into the EU legal framework, which required that each part of the acquis was assigned a legal basis either under the first pillar (asylum and migration) or under the third pillar (police cooperation in criminal matters).7 It

5  See in more detail Rijpma, ‘The Third Pillar of the Maastricht: The Coming Out of Justice and Home Affairs’, in M. de Visser and A. P. van der Mei (eds), The Treaty on European Union 1993–​2013 (2013) 269. 6  Council Decision 1999/​435/​EC Concerning the Definition of the Schengen Acquis, OJ 1999 L 176/​1. 7  Council Decision 1999/​436/​EC Determining the Legal Basis for Each of the Provisions or Decisions which Constitute the Schengen Acquis, OJ 1999 L 176/​17.

02

200

Brave New Borders

also necessitated opt-​outs and opt-​ins for the Member States that had remained outside the Schengen cooperation (the United Kingdom and Ireland), special arrangements for Denmark—​which only wished to participate on an intergovernmental basis—​and treaties between the EC/​EU and the third countries that had previously joined Schengen.8 The Lisbon Treaty formed a last step in reuniting the AFSJ under a single institutional framework, abolishing the Maastricht pillar structure and supranationalizing powers in the field of criminal law. Denmark, the United Kingdom, and Ireland maintained their opt-​outs, which were broadened to cover the whole of the AFSJ, including criminal law. The United Kingdom, Ireland, as well as Denmark have the possibility to opt in to measures that develop those parts of the Schengen acquis that they have previously subscribed to under their respective arrangements.9 These mainly concern measures aimed at controlling irregular migration and responsibility sharing for asylum claims. Since the United Kingdom and Ireland do not subscribe to the lifting of internal border controls, they have been excluded from EU rules developing those parts of the Schengen acquis: namely rules on passports, the external borders and visas.10 A number of Member States, namely Cyprus, Bulgaria, Romania, and Croatia are still awaiting a Council Decision to declare that they are ready to lift internal border controls and apply the provisions of the Schengen acquis in full.

B. The Role of Technology in the EU’s Migration and Asylum Policy Since the adoption of the Amsterdam Treaty, the EU has steadily built a common corpus of legislation governing access to the Schengen area. Although migration and asylum entail much more than the act of passing a border, it is an inevitable part thereof and the EU’s priorities have very much focused on regulating entry and fighting irregular migration. Many of the existing Schengen measures have been recast as EU instruments, most importantly the Schengen Borders Code and the Visa Code.11 In parallel the EU has worked on the establishment of a Common European Asylum System (CEAS), setting minimum standards for the

8  The ‘Schengen Associated Countries’, which are currently Iceland, Norway, Liechtenstein, and Switzerland. 9  See Fahey, ‘Swimming in a Sea of Law: Reflections on Water Borders, Irish (British) Euro Relations and Opting-​Out and Opting-​In after the Treaty of Lisbon’, 47 Common Market Law Review (2010) 645 and Gammeltoft-​Hansen and Adler-​Nissen, ‘Straitjacket or Sovereignty Shield? The Danish Opt-​Out on Justice and Home Affairs and Prospects after the Treaty of Lisbon’, in N. Hvidt and H. Mourtizen (eds), Danish Foreign Policy Yearbook (2010) 137. 10  Case C-​77/​05, United Kingdom v. Council, [2007] ECR I-​1145 (ECLI:EU:C:2007:803) (passports); Case C-​137/​05, United Kingdom v. Council, [2007] ECR I-​11593 (ECLI:EU:C:2007:805) (Frontex); and Case C-​ 482/​ 08, United Kingdom v.  Council, [2010] ECR I-​ 10413 (ECLI:EU:C:2010:631) (VIS Decision). 11  Regulation (EC) 562/​2006, OJ 2006 L 105/​1 (‘Schengen Borders Code’); Regulation (EC) 810/​2009, OJ 2009 L 243/​1 (‘Visa Code’).

1 20

Jorrit J. Rijpma

201

qualification, procedure, and reception of asylum seekers and recasting the Dublin Convention on the responsibility for asylum claims as regulation.12 Instruments providing avenues for legal migration have remained much more limited and only concerning specific categories of third country nationals.13 Migration and asylum continue to be politically sensitive policy areas. The power over borders and the ius excludendi alios touch upon Member States’ core understanding of sovereignty. Lacking genuine enforcement powers in this area, the implementation of these policies has remained firmly in the hands of the Member States. Many of the EU’s legislative efforts aim at providing a framework for cooperation between national authorities and promoting such cooperation, rather than at substantive harmonization. A number of EU agencies have been established to assist the Member States and the Commission in coordinating this cooperation.14 The cooperation between national authorities amongst themselves and with the EU’s institutions and agencies relies heavily on the collection of data and the exchange of information. The 2004 Hague Programme placed significant emphasis on the effectiveness and interoperability of EU information systems.15 It also called for the use of biometrics in identity and travel documents. Ever since, a variety of EU policy documents has underlined the benefits of technology for controlling entry into the Schengen area.16 In 2008, the Commission’s Communication on the Next Steps in Border Management in the European Union placed great emphasis on modernizing and automating border controls with the help of technology.17 That same year, the European Council’s Pact on Migration and Asylum called for the use of ‘modern technological means to ensure that systems are interoperable and to enable to effective integrated management of the external border’.18 In 2009, the Stockholm Agenda—​the follow-​up to the Hague Programme—​ reaffirmed that ‘technology can play a key role in improving and reinforcing the system of external border controls’.19 The Commission’s Communication

12  Regulation (EU) 604/​2013, OJ 2013 L 180/​31 (recast, ‘Dublin III Regulation’). See for an overview http://​ec.europa.eu/​dgs/​home-​a ffairs/​what-​we-​do/​policies/​a sylum/​index_​en.htm (last visited 20 September 2016). 13  See for an overview http://​ec.europa.eu/​dgs/​home-​a ffairs/​what-​we-​do/​policies/​immigration/​ index_​en.htm (last visited 20 September 2016). 14  Council Regulation (EC) 2007/​2004 Establishing a European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union, OJ 2004 L 349/​1 (‘Frontex Regulation’); Regulation (EU) 439/​2010 Establishing a European Asylum Support Office (EASO), OJ 2010 L 132/​11; Regulation (EU) 1077/​2011 Establishing a European Agency for the Operational Management of Large-​Scale IT Systems in the Area of Freedom, Security and Justice, OJ 2011 L 286/​1 (‘eu-​LISA Regulation’). 15  The Hague Programme, supra note 4, at 1.7.2. 16  Ibid. 17 Commission Communication, Preparing the Next Steps in Border Management in the European Union, COM(2008) 69 final, 13 February 2008, at 5. 18 Council of the European Union, Corrigendum to Note, 13440/​08 COR 4, 16 October 2008, at 10. 19  The Stockholm Programme—​A n Open and Secure Europe Serving and Protecting Citizens, OJ 2009 C 115/​1, at 5.1.

20

202

Brave New Borders

on Migration of 2011 deemed it ‘necessary to adopt a risk-​based approach and to ensure greater use of modern technology at land as well as sea borders’ and referred to the ‘next generation of border checks relying on new technologies’.20 In June 2014 the Strategic Guidelines adopted at the European Council in Brussels, once more called for ‘[i]‌ntensifying operational cooperation while using the potential of Information and Communication Technologies’ innovations’.21 They also reaffirmed political commitment to the legislative proposals for smart borders, including an Entry-​Exit System (EES) registering all cross-​border movements by third country nationals.22 In the absence of substantive harmonization and in view of the politically sensitive nature of migration and asylum, not only in the eyes of the public but also in the eyes of the Member States, it has proven tempting to present practical cooperation and the use of technology as a neutral means to render the EU’s migration and asylum policies more effective. However, this may not only result in further integration by stealth, it also fails to acknowledge that new technologies should not simply be considered the natural response to the question of how to best manage migration and asylum flows in the EU.

C. The Rise of ‘Migration Technology’ Migration technology is an elusive term.23 In this chapter it will be used in a very practical sense, to denote the use of modern technology, constituting new means, tools, machines, and instruments deployed for the purpose of managing migration and asylum flows, as well the non-​migratory movement of people across borders.24 Migration technology shares the features that Ceyhan lists as characteristic of security technologies: miniaturization, mobility, and connectivity.25 These result from a combination of biotechnology, optical and electronic technologies, and information and communication technologies.26 Biometric data are considered an important tool in terms of document security (allowing for a so-​called ‘one-​to-​one comparison’). Technological innovation has allowed for the translation of biometric data into numeric values that can be digitally processed, making the body ‘machine-​readable’.27 This has, for

20  Commission Communication, Communication on Migration, COM(2011) 248 final, 4 May 2011, at 7 and 10. 21  European Council Conclusions, EUCO 79/​14, 27 June 2014, at 2. 22  Ibid. 23  It is coined by Dijstelbloem, Meijer, and Besters, ‘The Migration Machine’, in H. Dijstelbloem and A. Meijer (eds), Migration and the New Technological Borders of Europe (2011) 1, at 4. 24 Borrowing from Bain’s definition of technology:  ‘Technology and State Government’, 2 American Sociological Review (1937) 860, at 860. 25  Ceyhan, ‘Technologization of Security: Management of Uncertainty and Risk in the Age of Biometrics’, 5 Surveillance & Society (2008) 102, at 108. 26  Ibid. 27  Van der Ploeg, ‘Machine-​Readable Bodies Biometrics, Informatization and Surveillance’, in E. Mordini and M. Green (eds), Identity, Security and Democracy (2009) 85. Aas speaks of the ‘coded body’:  ‘ “The Body Does Not Lie”:  Identity, Risk and Trust in Technoculture’, 2 Crime Media Culture (2006) 143, at 153.

3 20

Jorrit J. Rijpma

203

instance, facilitated their inclusion in passports and residence permits.28 Personal data, including biometric identifiers, have long been stored to recognize or verify identities, in particular for law enforcement purposes.29 Increasingly, databases have become digitalized, interoperable, and capable of containing a seemingly unlimited amount of information. Most importantly, these two developments have been combined, enhancing databases through the inclusion of digitalized biometrics. The obvious connection here is that biometric data will only be of value for the purpose of ‘one-​to-​more’ comparisons, where they are readily available in databases.30 As Amoore and De Goede point out, the link between biometrics and databases not only provides for identification beyond doubt, but also upgrades the value of data connected to that identity.31 It will not come as a surprise that this development is particularly visible in the management of migration and asylum which relies heavily on legal documentation and identification.32 Even at the territorial border itself, fences and watchtowers are now complemented by ever more sophisticated technical equipment for the surveillance of border areas and the detection of irregular border-​crossers. The use of satellite imagery, infrared cameras, heat sensors, and even unmanned aerial vehicles (drones) is no longer science fiction. The rapidly developing possibilities of modern technologies have resulted in a firm belief in the benefits of their use for the management of migration and asylum. It has also created an influential industry willing to provide countries with the required machinery.33 Within a politicized area such as migration and asylum, new technology may be presented as an apolitical and value-​neutral practical tool for cooperation and efficient policy implementation: ‘scientific, neutral and “smart” ’.34 The use of modern technology may, however, have consequences that go beyond the enforcement of rules agreed upon by elected governments. It transforms the way in which questions of migration and asylum are framed, in which bureaucracies make decisions, and in which groups of people are treated differently. It therefore requires proper debate and democratic legitimation. As

28  At EU level: Council Regulation (EC) 2252/​2004, OJ 2004 L 385/​1 (passports) and Council Regulation (EC) 1030/​2002, OJ 2002 L 157/​1 (third country national residence permits). 29  D. Broeders, Breaking Down Anonymity (2009), at 44. 30  Mitsilegas, ‘Contrôle des étrangers, des passagers, des citoyens: surveillance et anti-​terrorisme’, 58 Cultures & Conflits (2005), at point 58. 31 Amoore and De Goede, ‘Governance, Risk and Dataveillance in the War on Terror’, 43 Crime, Law & Social Change (2005) 149, at 165. 32  Biometrics have been defined as ‘automated means of identifying an individual through the measurement of distinguishing physiological or behavioural traits’, such as DNA, fingerprints, iris retinas, voice patterns, etc.: J. Redpath, Biometrics and International Migration (2005), at 6. 33  Amoore and De Goede, supra note 31, at 151. See also Hayes, ‘The Surveillance Industrial Complex’, in K. Ball, K. Haggerty, and D. Lyon (eds), Routledge Handbook on Surveillance Studies (2012) 167. 34  Amoore and De Goede, supra note 31, at 165.

042

204

Brave New Borders

Bonditti puts it, ‘[t]‌he excessive resorting to technology effectively hides the political character of problems that technology is intended to solve’.35 In the following sections, we will discuss three developments in global migration and asylum which form the background against which the EU’s policy in this field is developed. Furthermore, the use of modern technology can be seen as a response to these developments, but at the same time as a cause, or in any case a catalyst thereof.

D. Globalization and Increased Cross-​Border Mobility It is a common assumption that globalization, the increased worldwide interconnectedness as a result of improvements in transport and telecommunication technology, has spurred people’s ‘capabilities and aspirations to migrate’.36 Although recent evidence seems to indicate that globalization has not resulted in increased levels of migration globally, there has been a ‘shift in migratory patterns mirroring global inequality’.37 Most importantly, Europe has transformed ‘from a global source region … into a “global migration magnet” ’.38 Moreover, technology and globalization have resulted in increased levels of non-​migratory forms of mobility and concomitant cross-​border movements.39 Tourism, for instance, has seen uninterrupted growth with the EU as one of the world’s major destinations.40 New technologies should help the EU to handle the expected increase in travellers crossing the external Schengen borders, in particular at EU airports. As early as 2008 the Commission contemplated the introduction of a Registered Traveller Programme for bona fide travellers which would allow this category of trusted traveller to cross the external borders more rapidly with the use of automated border gates.41 In its 2014 Communication on the future of EU Home Affairs, the Commission stated that: ‘… with the increasing numbers of people coming to the EU and a further increase expected, especially in the numbers using air travel, the EU needs to move towards modern and more efficient border management, using state-​of-​the art technology’.42 So although technology has not increased global levels of migration, it has increased global mobility. At the same time, Europe is a major destination region, not only for non-​migratory movement but also for migrants and asylum seekers. The proposal for a Registered Traveller Programme shows how the Schengen

35  Bonditti, ‘From Territorial Space to Networks: A Foucauldian Approach to the Implementation of Biometry’, 29 Alternatives (2004) 465, at 466. 36  H. De Haas, Mobility and Human Development (2009), at 14. 37  J.-​Y. Hamel, Information and Communication Technologies and Migration (2009), at 34. Czaika and De Haas, ‘The Globalization of Migration: Has the World Become More Migratory?’, 48 International Migration Review (2014) 283, at 318. 38  Czaika and De Haas, supra note 37, at 314. 39  Ibid., at 317. 40  UN World Tourism Organization, Tourism Highlights (2014). 41  COM(2008) 69 final, supra note 17, at 5. 42  Commission Communication, An Open and Secure Europe: Making It Happen, COM(2014) 154 final, 11 March 2014, at 6.

5 20

Jorrit J. Rijpma

205

borders are meant to act simultaneously as walls and gates. Modern technology is deployed not only as an instrument to prevent the entry of the unwanted migrants, but also to speed up the border crossing of trusted travellers. This results in the sorting of border-​crossers into ‘risk categories’, which can be linked to the broader development of the diversification of the border and the risk logic that is applied to management of borders, migration, and asylum.

E. The Diversification of the Border Visa regimes, carrier sanctions, and migration controls taking place both within and outside state territory have resulted in an inward and outward shifting, or rather multiplication of the border. The border can no longer be considered a line delineating a territory, but can be found in different places and is experienced differently by different people.43 States have tried to move the border inwards by creating extraterritorial transit zones, e.g. at international airports, or by excising parts of their territory from the application of normal migration and asylum law.44 Likewise, they have sought to shift the border outwards, by erecting pre-​border obstacles preventing asylum seekers and irregular migrants from actually reaching a state’s territory. In this respect, the term ‘remote policing’ has been applied to refer either to specific procedures and techniques, such as pre-​boarding procedures or visa requirements, as well as the deployment of police officers or private actors outside national territory.45 In the EU, carrier sanctions, a common visa list, and the deployment of immigration liaison officers can all be seen as examples.46 In addition, the EU’s external policy is geared towards the reinforcement of third countries’ capacity to guard their borders and to have procedures for migration and asylum in place.47 Further, in a more literal sense, the linear territorial border is transformed into a border zone through the use of internal police controls, as well as pre-​border

43  See, e.g., Guild, ‘Moving the Borders of Europe’, Inaugural Lecture, University of Nijmegen, 2001, available at http://​cmr.jur.ru.nl/​cmr/​docs/​oratie.eg.pdf (last visited 20 September 2016); Lahav and Guiraudon, ‘Comparative Perspectives on Border Control: Away from the Border and Outside the State’, in P. Andreas and T. Snyder (eds), The Wall around the West. State Borders and Immigration Controls in North America and Europe (2000) 55; E. Balibar, Politics and the Other Scene (2002), at 78; and Kesby, ‘The Multiple and Shifting Border and International Law’, 27 Oxford Journal of Legal Studies (2007) 101, at 113. 44  See, e.g., Australia’s Pacific Solution or the US ‘white foot, wet foot’ policy. The European Court of Human Rights (ECtHR) has held that Contracting Parties cannot excise parts of their territory from the application of the European Convention on Human Rights:  ECtHR, Amuur v. France (Application no. 19776/​92), 25 June 1996, at para. 52. All ECtHR decisions are available at http://​hudoc.echr.coe.int/​. 45  Bigo and Guild, ‘Policing at Distance: Schengen Visa Policies’, in D. Bigo and E. Guild (eds), Controlling Frontiers: Free Movement Into and Within Europe (2005) 233, at 234. 46  Council Directive 2001/​51/​EC, OJ 2001 L 187/​45; Council Regulation (EC) 539/​2001, OJ 2001 L 81/​1; Council Regulation (EC) 377/​2004, OJ 2004 L 141/​13. 47  Commission Communication, The Global Approach to Migration and Mobility, COM(2011) 743 final, at 15.

026

206

Brave New Borders

monitoring and intelligence gathering and cooperation with third countries.48 This multilayered border is clearly visible in the 2006 JHA Council Conclusion on Integrated Border Management, which includes a four-​tier access control mode comprising:  measures in third countries, cooperation with neighbouring countries, border control, and control measures within the area of free movement (including return).49 In the Schengen area, following the abolition of checks at the internal borders, a marked increase in police checks in areas adjacent to the internal borders was observed.50 Although the Schengen rules do not affect the powers of the Member States to carry out police checks, including in border areas, the Schengen Borders Code imposes strict limitations.51 Importantly, these police checks should not have border control as their objective. The Court of Justice of the European Union (CJEU) has demanded that they be strictly regulated in terms of intensity and frequency in order not to qualify as forbidden border controls.52 That does not, however, preclude the use of police checks in order to carry out identity checks or combat irregular migration after border crossing.53 The term ‘border surveillance’ under the Schengen Border Code refers to the patrolling of the borders between border crossing points in order to prevent persons from circumventing border checks.54 Its purpose is to prevent the illegal crossing of the external border. It may also be carried out by technical means, including electronic means.55 In not questioning the territorial scope of application of the Council’s implementing Decision on surveillance in the context of Frontex joint operations at sea, it is implied in the CJEU’s judgment in Case C-​ 355/​10 that such surveillance may take place extraterritorially.56 In social sciences, surveillance has been defined much more broadly as ‘the focused and systematic and routine attention to personal details for purposes of influence, management, protection or direction’.57 Border control has become one of the most important aims of surveillance, designed to order populations with the purpose of inclusion or exclusion, not merely in the literal sense of denying

48  Topak, ‘The Biopolitical Border in Practice:  Surveillance and Death at the Greece-​Turkey Borderzones’, 32(5) Environment and Planning D: Society and Space (2014) 815. 49  Press Release of the Justice and Home Affairs Council Meeting, Brussels, 4–​5 December 2006, at 27 (Council Doc. 15801/​06). 50  Groenendijk, ‘New Borders Behind Old Ones: Post-​Schengen Controls Behind the Internal Borders and Inside the Netherlands and Germany’, in C. Groenendijk, E. Guild, and P. Minderhout (eds), In Search of Europe’s Borders (2003) 131. 51  Art. 21 Schengen Borders Code, supra note 11. 52  Joined Cases C-​188 and 189/​10, Melki and Abdeli, [2010] ECR I-​05667 (ECLI:EU:C:2010:363), at para. 74. 53  Ibid., at para. 71 and Case C-​ 278/​ 12 PPU, Adil, Judgment of 19 July 2012 (ECLI:EU:C:2012:508), at para. 67. 54  Art. 2(11) Schengen Borders Code, supra note 11. 55  Ibid., Art. 12. 56  Case C-​355/​10, European Parliament v.  Council, 5 September 2012, not yet published (ECLI:EU:C:2012:516). The Court, however, did annul the Decision in question, arguing that the Council had exceeded its implementing powers. The Decision has been replaced by Regulation (EU) 656/​2014, OJ 2014 L 189/​93. 57  D. Lyon, Surveillance Studies: An Overview (2007), at 14.

7 20

Jorrit J. Rijpma

207

access to territory.58 Bigo, in a variation to Foucault’s panopticon, speaks of a ban-​ opticon under which the ‘social practices of surveillance and control sort out, filter and serialize who needs to be controlled and who is free from control, because he is “normalized” ’.59 Modern technology plays an important role in these sorting processes and as such in the diversification of the border. The obligation to electronically request travel authorization before traveling to the United States under the visa waiver programme, or the obligation on air carriers to transmit so-​called Advanced Passenger Information (API) to the border guards of the EU Member States are clear examples.60 Biometric identifiers are used to establish the identity of passport and visa holders as well as asylum seekers. In various airports around the world the use of fingerprints or iris scans allow for fast-​track border procedures. In some airports biometric passports enable the use of fully automated border checks. Surveillance by the Member States on the basis of EU law primarily focuses on preventing access to the territory of Member States of unwanted third country national migrants by means of pre-​emptive surveillance. The most obvious example would be the EU’s visa policy, however intelligence gathering on pre-​frontier zones or the patrolling of international waters may also be considered as forms of pre-​emptive surveillance. At the same time there is a marked tendency to use the instruments originally designed to control access for a more generalized monitoring of third country nationals also within EU territory. Moreover, instruments that were initially designed for the management of borders, migration, and asylum are increasingly deployed in the realm of internal security. This is connected to the third development shaping the EU’s migration and asylum policy; namely, that the movement of people across borders has become a security issue, resulting in the use of migration technology as a law enforcement tool rather than as a tool for the management of cross-​border mobility.

F. Mobility as a Security Issue It has become commonplace that since the late 1980s migration has come to be regarded as a societal security threat. There is an abundant literature on the so-​ called securitization of migration. Securitization may take place either at the level of political discourse or policy practice. The first takes the form of a speech act

58 Broeders, supra note 29, at 41. 59  Bigo and Guild, ‘Policing in the Name of Freedom’ in Bigo and Guild, supra note 45, 1, at 3. 60  API includes all data elements which travellers have to present at the border control in the destination country, such as identity, nationality, travel documents, visa identity, nationality, travel documents, visa: Directive 2004/​82/​EC, OJ 2004 L 261/​24. The Commission proposed the introduction of an EU-​E STA system in its 2008 Communication on the Next Steps in EU Border Management (supra note 17, at 9), but abandoned the idea in its 2011 Communication on Smart Borders (COM(2011) 680 final, at 7).

208

208

Brave New Borders

which frames migration as an existential threat.61 The second takes the form of a security practice which ties together various disparate security concerns into a single ‘(in)security continuum’, facilitating the transfer of security practices from one area to the other.62 Huysmans has added that security practices and technologies often already exist in one form or another and as such inform policy decisions rather than being the result thereof.63 There is a link between the two forms of securitization in that political discourse may legitimize policy practices, while security actors participate in the ‘verbal and non-​verbal reproduction of a security discourse’ when implementing policy.64 In recent years the securitization theory has been questioned. An important critical perspective has been added by risk theory. Risk has been described as an ‘estimation of the dangerousness of the future’ and as such there is an important element of uncertainty as regards the actual danger.65 Contrary to securitization logic, risk deals not with the existence of existential threats but rather with the anticipation and active prevention of undesirable events.66 It is an approach which is based on precaution and is future-​oriented.67 According to Beck, the main characteristic of politics in risk society is to feign control over the uncontrollable.68 This is done through ‘risk analysis, calculation and management’, developing strategies to ‘embrace risk’ rather than to eliminate it.69 An example here is the idea that with the use of databases containing biometric data of visa applicants, the good traveller can be separated from the bad and as such the dual aim of open and closed borders can be achieved.70 The risk logic can also be applied to border management practices at the external border, which have moved away from the traditional guarding to risk analysis, attributing ‘impact’ or ‘threat’ levels to stretches of the external border.71 These

61 B. Buzan, O. Waever, and J. De Wilde, A New Framework for Analysis (1998), at 26. Huysmans and Buonfino, ‘Politics of Exception and Unease: Immigration, Asylum and Terrorism in Parliamentary Debates in the UK’, 56 Political Studies (2008) 766, at 782. 62  Bigo, ‘Security and Immigration: Toward a Critique of the Governmentality of Unease’, 27 Alternatives, (2002) 63, at 65. 63  J. Huysmans, The Politics of Insecurity: Fear, Migration and Asylum in the EU (2006), at 8–​9. 64  Boswell, ‘Migration Control in Europe After 9/​11: Explaining the Absence of Securitisation’, 45 Journal of Common Market Studies (2007) 589, at 593. 65 Aradau, Lobo-​ Guerrero, and Van Munster, ‘Security, Technologies of Risk, and the Political: Guest Editor’s Introduction’, 39 Security Dialogue (2008) 147, at 148 and 150. 66 Aradau and Van Munster, ‘Governing Terrorism through Risk:  Taking Precautions, (Un) Knowing the Future’, 13 European Journal of International Relations (2007) 89, at 96. 67 Niemann and Schmidthäussler, The Logic of EU Policy-​ Making on (Irregular) Migration:  Securitisation or Risk? (2012), at 13, available at http://​uaces.org/​documents/​papers/​ 1201/​niemann.pdf (last visited 20 September 2016). 68 Beck, ‘The Terrorist Threat:  World Risk Society Revisited’, 19 Theory, Culture & Society (2002) 39, at 41. 69  Aradau, Lobo-​Guerrero, and Van Munster, supra note 65, at 148 and 149. 70  Cf. Amoore and De Goede, supra note 31, at 161. 71  See, e.g., Art. 8, Regulation (EU) 515/​2014 Establishing, as Part of the Internal Security Fund, the Instrument for Financial Support for External Borders and Visa, OJ 2014 L 150/​143 and Art. 15, Regulation (EU) 1052/​2013 Establishing the European Border Surveillance System (Eurosur), OJ 2013 L 295/​11 (‘EUROSUR Regulation’).

 290

Jorrit J. Rijpma

209

risks now include threats such as terrorism and organized crime, which reinforces the police function of the border. The 2005 Communication of the Commission on Improved Effectiveness, Enhanced Operability and Synergies Amongst European Databases focused exclusively on the use of biometrics in these databases in the context of the fight against crime and internal security. While the Commission’s 2010 Communication on Information Sharing in the AFSJ took into consideration all existing information-​sharing instruments, including the large-​scale migration and asylum databases, the follow-​up Communication of 2012 on a European Information Exchange Model (EIXM) again focused only on the exchange of information for the purpose of law enforcement.72 It comes as no surprise that the European Council’s Internal Security Strategy (ISS) also mentioned Integrated Border Management as one of the ten strategic guidelines for action.73 The Commission’s Communication on the ISS in Action specifically mentioned strengthening security through border management as one of its five strategic objectives.74 One of the consequences of the risk-​based approach to border management is that many new ‘security technologies’ that are applied to migrants, asylum seekers, and other border-​crossers alike, do not have as their (sole) purpose the management of migration and asylum. In fact, many of the new technologies that are applied at the external borders do not have a legal basis in the EU’s powers in the field of borders, migration, and asylum. They are either based on the EU’s competence in the internal market or its powers in the field of police and judicial cooperation in criminal matters. This means that their main purpose is either to remove obstacles to the functioning of the internal market or to fight terrorism or other forms of organized cross-​border crime. Internal market legislation may simultaneously pursue other public interests, including public security and, as such, contribute to the fight against terrorism and organized crime. An example here is provided by the security measures applicable at EU airports where, for instance, body scanners have become a familiar sight. The use of these scanners is governed by legislation adopted under the EU’s transport policy, more precisely air transport safety.75 The agreements with third countries on the exchange of Passenger Name Records (PNR) of air passengers are an example of measures with a clear security objective.76 PNR are considered 72  Whereas these communications were to consider harmonized solutions for the use of biometrics and data in relation to the management of migration flows as mandated by The Hague Programme of 2004, supra note 4. 73  Council Document 7120/​10, ‘The Internal Security Strategy for the European Union: “Towards a European Security Model” ’. 74 Commission Communication, The EU Internal Security Strategy in Action:  Five Steps Towards a More Secure Europe, COM(2010) 673 final, 22 November 2010. 75  Regulation (EC) 300/​2008, OJ 2008 L 97/​72, based on Art. 100(2) TFEU. The use of body scanners has been regulated by Commission Regulation 1141/​2011, OJ 2011 L 293/​22. 76  PNR are data which airlines store in relation to flight reservations and include a wide range of information such as ticketing information, payment and billing information (e.g. credit card number), itinerary, etc. See the EU–​US Agreement, OJ 2012 L 215/​5, the EU–​Australia Agreement, OJ 2012 L 186/​4, and the EU–​Canada Agreement, OJ 2006 L 82/​15. A new treaty with Canada was

210

210

Brave New Borders

an important tool for risk assessment, to obtain intelligence and to profile people. Although initially based on the internal market provisions, because of the existence of internal legislation on the protection of personal data, the CJEU held that the purpose of the PNR Agreement with the United States was fighting terrorism and organized crime.77 It therefore would have had to be concluded on the basis of the EU’s competences on police cooperation.78 When the Commission in 2007 proposed the introduction of an EU PNR system for flights from and to the EU, it did so on the basis of the EU’s competences under the former third pillar.79 For the purpose of this chapter, it is important to realize that new technologies are not merely the result of a risk-​based approach to migration and asylum. They also enable it, and as such are as much a cause as a result of considering cross-​border mobility as a security matter. The mobility–​risk nexus has resulted in the use of technology at the borders which has not been based on the EU’s competences on borders, migration, and asylum, but in the field of criminal justice instead. Moreover, instruments originally intended for the management of migration and asylum are increasingly used for the purposes of criminal law enforcement. The three developments described earlier—​the increase in cross-​border flows, the diversification of the border, and the risk-​based approach to cross-​border mobility—​will all play a role in the following sections in which we will examine the use of centralized EU databases for the purpose of migration and asylum, and the establishment of the EUROSUR system for the exchange of information between border guard authorities.

signed on 25 June 2014, but has been referred by the European Parliament to the CJEU for an advisory opinion (EP Resolution of 25 November 2014, P8_​TA(2014)0058). 77  Joined Cases C-​317 and 318/​04, European Parliament v.  Council and Commission, [2006] ECR I-​4721 (ECLI:EU:C:2006:346), at para. 56. 78  See Gilmore and Rijpma, ‘Annotation Joined Cases C-​317/​04 and C-​318/​04’, 44 Common Market Law Review (2007) 1081–​1099. 79 Commission, Proposal for a Council Framework on the Use of Passenger Name Record (PNR) for Law Enforcement Purposes, COM(2007) 654 final, 6 November 2007, now replaced by Proposal for a Directive of the European Parliament and of the Council on the Use of Passenger Name Record Data for the Prevention, Detection, Investigation and Prosecution of Terrorist Offences and Serious Crime, COM(2011) 32 final, 2 November 2011. The proposal is an example of the EU mirroring US anti-​terrorism policies: Argomaniz, ‘When the EU is the “Norm-​taker”: The Passenger Name Records Agreement and the EU’s Internalization of US Border Security Norms’, 31 European Integration (2009) 119. Parliament’s LIBE Committee rejected the proposal in April 2013. In June 2013, the plenary assembly referred the matter back to the Committee. In a joint statement of 11 January 2015, the EU Ministers of the Interior, in the wake of the 13 November 2015 Charlie Hebdo attacks in Paris, called upon the swift adoption of the intra-​EU PNR scheme, ‘adopting a constructive approach with the European Parliament’ (available at http://​ec.europa.

 21

Jorrit J. Rijpma

211

3.  Centralized EU Databases: The Collection and Exchange of the Personal Data of Non-​EU Citizens Since the lifting of the internal borders the EU has established a number of large-​ scale centralized databases all of which provide for the inclusion of personal data including biometric data, such as fingerprints and photographs. These databases are connected to access points in Member States and serve to exchange information between national border, migration, and asylum authorities. This has been quite accurately described as the digitalization of the borders.80 In this section we will discuss these databases and the data protection rules that apply to them. Particular attention will be paid to the proposal for an EES which is still under discussion in the European Parliament and Council.81 Not only do the databases that will be examined in this section illustrate well the developments discussed in the previous section, they also form an example par excellence of how new technologies allow the EU and its Member States to reinforce control over the movement of people. At the end of the chapter, Table 7.1 provides an overview of the instruments establishing centralized EU databases for the management of migration and asylum. Important questions have been raised as regards the legality of these databases, in particular their compatibility with the fundamental right to private life and the right to the protection of one’s personal data. These questions have taken on a new significance after the Court’s ruling in the Data Retention case.82 In this case, the CJEU struck down the Directive that obliged Member States to retain the personal data from telecommunications for the purpose of criminal law enforcement for violating the right to private life and data protection as protected in the Charter of Fundamental Rights (CFR).83 We will briefly discuss the aim and scope of the existing EU databases. We will then look in more detail at the proposed EES. In view of the fact that all databases include personal data, including biometric data, we will discuss the data

eu/​d gs/​home-​a ffairs/​what-​is-​new/​news/​news/​docs/​20150111_​joint_ ​statement_​of_​m inisters_​for_​ interrior_​en.pdf (last visited 20 September 2016), at 3). 80  Besters and Brom, ‘ “Greedy” Information Technology: The Digitalization of the European Migration Policy’, 12 European Journal of Migration and Law (2010) 455. 81 Commission, Proposal for a Regulation of the European Parliament and of the Council Establishing an Entry/​Exit System (EES) to Register Entry and Exit Data of Third Country Nationals Crossing the External Borders of the Member States of the European Union, COM(2013) 95 final, 28 February 2013 (‘EES Proposal’). 82 Joined Cases C-​ 293/​ 12 (Digital Rights Ireland) and C-​ 594/​ 12 (Kärtner Landesregierug), Judgment of 8 April 2014, not yet published (ECLI:EU:C:2014:238). 83  Regulation (EC) 1211/​2009 of the European Parliament and of the Council Establishing the Body of European Regulators for Electronic Communications (BEREC) and the Office, OJ 2009 L 337/​1 (‘Data Retention Directive’).

12

212

Brave New Borders

protection rules that apply to these systems. After that, we will assess whether the current databases and the EES as proposed will be compatible with EU law, in the light of the case law of the European Court of Human Rights (ECtHR) and the CJEU.84

A. SIS II, EURODAC, and VIS The first and foremost of the EU’s centralized information systems was the SIS, initially established as a flanking measure on the basis of the CISA.85 From the outset it has had the dual aim of controlling the external borders and facilitating cooperation between police authorities. It included data on those people who were not allowed to enter or stay in the Schengen territory, as well as objects such as stolen vehicles and people wanted in relation to criminal offences. As early as 2001, the decision was taken to further develop SIS.86 An important reason was to expand the maximum capacity of the system of 18 Member States to accommodate the 2004 enlargement. However, another important reason was to widen the categories of data that could be included and the addition of new functionalities transforming the database from a hit/​no-​hit system into a ‘general search and intelligence tool’.87 In 2006, the legislative measures on the establishment, operation, and use of the second generation SIS were adopted under the first and third pillars.88 It was not until April 2013 that SIS II became operational, after years of delay and cost overruns caused by technical difficulties in its development.89 In 2000 the EURODAC system was established in order to support the functioning of the Dublin System establishing the responsibility for asylum claims.90 The storage of the fingerprints of asylum seekers and illegal border-​crossers makes it possible for asylum authorities in one Member State to see whether that person has already requested asylum in another Member State or entered another Member State illegally (that Member State then being responsible for the application). In 2009 a Regulation establishing the Visa Information System (VIS) was

84  The rights contained in the ECHR as interpreted by the ECtHR form part of the general principles of EU law. Case 36/​75, Rutili, [1975] ECR 1219 (ECLI:EU:C:1975:137), at para. 32. Art. 52(3) of the CFR explicitly provides that the rights in the Charter shall have the same scope and meaning as the corresponding right in the ECHR. 85  Title IV CISA. 86 Regulation (EC) 2424/​ 2001 on the Development of the Second Generation Schengen Information System (SIS II), OJ 2001 L 328/​4, and Decision 2001/​886/​JHA on the Development of the Second Generation Schengen Information System (SIS II), OJ 2001 L 328/​1. 87 Regulation (EC) 2424/​2001, Recs 2 and 3.  E. Brouwer, Digital Borders and Real Rights (2008), at 106. 88  Regulation (EC) 1987/​2006, OJ 2006 L 381/​4 (‘SIS II Regulation’) and Council Decision 2007/​533/​JHA, OJ 2007 L 205/​63 (‘SIS II Decision’). This dual legal basis reflects the dual nature of the SIS as a tool for migration control (under the EC Treaty covered by the first pillar) and criminal law enforcement (the former third pillar). 89  J. Parkin, The Difficult Road to the Schengen Information System II: The Legacy of ‘Laboratories’ and the Cost for Fundamental Rights and the Rule of Law (2011). 90  Regulation (EU) 603/​2013, OJ 2013 L 180/​1 (‘EURODAC Regulation (recast)’), supporting the functioning of the Dublin III Regulation, supra note 12.

1 23

Jorrit J. Rijpma

213

adopted, which provides for the collection of data on all visa applicants and serves to facilitate the work of Member States’ consular services and visa authorities.91 A regulatory agency, the EU Agency for the Operational Management of Large Scale IT-​Systems in the AFSJ (eu-​LISA) has been established, taking over the position of the Commission as management authority of the centralized databases, which is responsible for their day-​to-​day functioning.92 The Agency is based in Tallinn, Estonia, but the physical databases are in Strasbourg with a backup site in Sankt Johann im Pongau, Austria. Although all these databases run on a common technical platform monitored by the Agency, they are not interoperable, even if technically this would be possible. Nevertheless, the European Data Protection Supervisor (EDPS) warned in 2005 that where databases use a common platform this may become a ‘powerful drive for de facto acceding or exchanging these data’, echoing Huysmans’ argument that security practices may inform policy decisions rather than vice versa.93 As Mitsilegas has pointed out, the interoperability of databases deprives safeguards based on the principle that access and use are limited for a specific purpose of their effect.94 The EDPS also warned that the proliferation of databases in the AFSJ risks impeding a critical assessment of individual proposals, which themselves may be acceptable, yet may not be in synergy with others.95 The three existing databases now contain a vast amount of data, mostly on third country nationals. SIS II contained over 50,000 alerts by the end of 2013, between 11 October 2011 and 31 August 2013 the VIS processed more than 4.3 million visa applications, and in 2013 the EURODAC Central Unit registered a total of 508,565 successful transactions.96 These figures, however, seem modest in comparison to the number of transactions and the amount of data that would be collected under the proposed EES. The Commission estimated the total number of border crossings in and out of the Schengen area at over 700 million in 2011.97 Under the proposed EES, the entry and exit of every third country national entering or leaving the Schengen area would be registered and their data would be stored in the system. This would include those third country nationals exempt from a visa duty. The EES can thus

91  Regulation (EC) 767/​2008, OJ 2008 L 218/​60 (‘VIS Regulation’). 92  eu-​LISA Regulation, supra note 14. 93 EDPS, Comments on the Communication of the Commission on Interoperability of European Databases (2006), at 2, available at http://​w ww.edps.europa.eu/​EDPSWEB/​webdav/​site/​ mySite/​shared/​Documents/​C onsultation/​C omments/​2006/​0 6-​03-​10_​I nteroperability_​E N.pdf (last visited 20 September 2016). See also Besters and Brom, supra note 80, at 469. 94 Mitsilegas, supra note 30, at point 62. 95  EDPS, Preliminary Comments on Three Communications from the Commission on Border Management (2008), at 3, available at https://​secure.edps.europa.eu/​EDPSWEB/​webdav/​shared/​ Documents/​Consultation/​Comments/​2008/​08-​03-​03_​Comments_​border_​package_​EN.pdf (last visited 20 September 2016). 96  See the reports on the technical functioning of the systems by eu-​LISA, available at http://​ ec.europa.eu/​dgs/​home-​a ffairs/​what-​we-​do/​policies/​borders-​a nd-​visas/​a gency/​index_​en.htm (last visited 20 September 2016). 97  Commission Staff Working Paper, SWD(2013) 51 final, 28 February 2013, at 2.

421

214

Brave New Borders

be seen as the final step in the surveillance of border crossings, although it stops short of requiring the registration of all border crossers, i.e. including EU citizens.98 According to the Commission, possible delays due to the need to take fingerprints at the time of border checks would be offset by facilitating trusted travellers through a Registered Traveller Programme (RTP) and the use of automated border gates, reconciling the need for open, but secure, borders.99

B. The Entry-​E xit System and the Registered Traveller Programme In 2005 and 2006 the Commission for the first time mentioned the idea of introducing a system for crossing the external borders of the Schengen area, mirroring similar moves made on the other side of the Atlantic.100 Its ideas were presented in more detail in the Commission Communication of 2008, Preparing the Next Steps in EU Border Management, and of 2011 on Smart Borders.101 A  legislative proposal followed in 2013.102 The purpose of the EES is to improve border controls and fight irregular migration.103 It does so by obliging border guards to register the entry and exit of every third country national, in as far as they do not benefit from the right of free movement under EU law.104 The proposal explicitly provides for the possibility of storing fingerprints, in as far as these have not already been registered in the VIS.105 Currently the passports of third country nationals are systematically stamped upon entry into and exit from the Schengen area, which is considered a rather unreliable method of establishing overstay.106 The EES would allow Member States’ authorities to quickly and precisely calculate authorized stay, help identify those people who do not or no longer have legal presence, and provide statistics on 98  In a joint statement of 11 January 2015, the EU Ministers of the Interior, in the wake of the Charlie Hebdo attacks in Paris, called for measure allowing a ‘broader consultation of the Schengen Information System during the crossing of external borders by individuals enjoying the right to free movement’. One could imagine that in the future (categories) of EU citizens would therefore be included in the EES, see supra note 79, at 2–​3. 99  Commission, Proposal for a Regulation of the European Parliament and of the Council Establishing a Registered Traveller Programme, COM(2013) 97 final, 28 February 2013. 100 Commission Communication on Improved Effectiveness, Enhanced Interoperability and Synergies among European Databases in the Area of Justice and Home Affairs, COM(2005) 597 final, 24 November 2005, at 9; Commission Communication on Policy Priorities in the Fight Against Illegal Immigration of Third-​Country Nationals, COM(2006) 402 final, 19 July 2006, at 6. 101  COM(2008) 69 final, supra note 17 and Commission Communication on Smart Borders—​ Options and the Way Ahead, COM(2011) 680 final, 25 October 2011. 102  Together with the EES Proposal and Proposal for a RTP and for the Necessary Amendments of the Schengen Borders Code, supra notes 81 and 99. 103  Art. 4 EES Proposal, supra note 81. 104  This would be EU citizens and their third country national family members as defined in Art. 2(2) of Directive 2004/​38, OJ 2004 L 158/​77, the nationals of the European Association Agreement (EEA) countries (Norway, Iceland, and Liechtenstein), and Switzerland. 105  Art. 12 EES Proposal, supra note 81. 106 Art. 10 Schengen Borders Code. Stamps may be illegible or visa applicants may simply require a new passport to hide previous overstay.

 251

Jorrit J. Rijpma

215

the flow of travellers.107 Doing away with the obligation to stamp passports would allow for the automated border controls of trusted travellers under the accompanying proposal for an RTP.108 Under Article 18 of the proposal, the authorities of a Member State competent to carry out identity checks and verify the migration status of a third country national shall have a right of access to the EES. This means that the EES, although presented as a border management tool, is essentially a more general surveillance tool also enabling internal migration controls. The SIS II may already be used for checks inside the territory, although a third country national would only be flagged in this database if they had committed a serious crime or had violated migration laws resulting in an entry ban.109 The VIS, which contains the data of all visa applicants, allows competent authorities to access the data in the VIS for the identification of a third country national and to see if they are legally present. The same is allowed for any person who may not be legally present.110 The Commission’s proposal for the EES duplicates these provisions in Articles 18 and 19. The use of the centralized databases has also been extended into the realm of internal security. All existing databases allow for access by national law enforcement agencies for the prevention, detection, or investigation of terrorism or serious crimes.111 This access was either foreseen in their original purpose and design (SIS II) or later included by separate legislative instrument (SIS, VIS) or in the framework of a general recast (EURODAC).112 In addition Europol and Eurojust, the EU’s agencies for the coordination of police, investigating, and prosecuting authorities, have been granted access to SIS II.113 Europol has been given further access to the VIS and EURODAC.114 The extension of access rights has proven

107  Art. 4 EES Proposal, supra note 81. 108  Explanatory Memorandum EES Proposal, at 4. 109  Arts 27 and 28 SIS II Regulation, supra note 88. With the mutual recognition of entry bans under the Return Directive (Art. 11 Directive 2008/​115/​EC, OJ 2008 L 348/​98) there has been an increase of entries in SIS II under Art. 24(3) of the SIS II Regulation, even if such entry would have to be proportionate and can therefore not be automatic (Art. 21 SIS II Regulation). The minutes of the Council at the moment of the adoption of the Return Directive state the Commission’s declaration that the review of the SIS II, as envisaged by Art. 24(5) of its founding Regulation, would be the opportunity to propose an obligation to register entry bans issued under the Return Directive (Council Document 16166/​08, ADD 1 REV 1, 2 December 2008). See Meijers Committee, Note on the Coordination of the Relationship between the Entry Ban and the SIS Alert: an Urgent Need for Legislative Measures, 8 February 2012, available at http://​w ww.statewatch.org/​news/​2012/​ feb/​eu-​meijers-​cttee-​note-​on-​t he-​coordination.pdf (last visited 20 September 2016). Similar issues could arise if the issuing of an entry ban were to be linked to overstay under the proposed EES. 110  Arts 19 and 20 VIS Regulation, supra note 91. 111  Europol is established on the basis of Council Decision 2009/​371/​JHA, OJ 2009 L 121/​37. 112  Council Regulation (EC) 871/​2004, OJ 2004 L 162/​29; Art. 27 SIS II Regulation, supra note 88; Art. 40 SIS II Decision, supra note 88; Council Decision 2008/​633/​JHA, OJ 2008 L 218/​129 (‘VIS Decision’); and Ch. VI EURODAC Regulation, supra note 90. 113  Council Decision 2005/​211/​JHA, OJ 2005 L 68/​4 4; Arts 41 and 42 SIS II Decision, supra note 88. 114  Art. 7 VIS Decision; Art. 21 EURODAC Regulation, supra note 90.

621

216

Brave New Borders

controversial as it conflates the management of migration—​and even more controversially asylum—​with the fight against crime and raises questions as regards the principle of purpose limitation.115 The Commission in the proposal for an EES suggested that access for law enforcement staff would only be considered in the first evaluation of this system.116 However, from the very beginning a majority of Member States pronounced themselves in favour of such access.117 Current discussions in the Council indeed seem to point to the inclusion of access rights for law enforcement staff from the entry into force of the EES.118 The EU legislator should in that case consider whether law enforcement can still be considered as a merely ancillary goal and whether—​ also in view of the principle of purpose limitation—​the Regulation should not also be based on Articles 82 and 87 of the Treaty on the Functioning of the European Union (TFEU).119 It is clear that the EES is already fully anticipated as a law enforcement tool as is evidenced, for instance, by the reference made to the ESS in the ISS as an example of intelligence-​led border management.120

C. The Data Protection Rules Applicable to the EU Centralized Databases All of the databases include the storage and processing of personal data, i.e. any information relating to an identified or identifiable natural person. The EU framework for the protection of such data is and remains fragmented, as does the framework for data protection applicable to the centralized migration and asylum databases.121 Regulation (EC) 45/​2001 applies to the processing of personal data by the EU institutions and bodies and hence the centralized part of the databases.122 Directive 95/​46/​EC applies to the processing of personal data by the Member States in as far as it does not concern the processing of data for the purpose of police or judicial

115  As was pointed out by the EDPS, Opinion of 20 January 2006, OJ 2006 C 97/​6, at point 1.2 and Opinion of 7 October 2009, OJ 2010 C 92/​1, at point 22. 116  Art. 46(5) EES Proposal, supra note 81. 117  Council of the European Union, Presidency Project for a System of Electronic Recording of Entry and Exit Dates of Third-​country Nationals in the Schengen Area, Doc. 13403/​08, 24 September 2008. 118  Council of the European Union, Draft Regulation of the European Parliament and of the Council Establishing an Entry/​Exit System (EES) to Register Entry and Exit Data of Third Country Nationals Crossing the External Borders of the Member States, Doc. 13225/​14, 17 September 2014. 119  The adoption of a dual legal basis would probably lead the United Kingdom and Ireland to argue for their participation in the EES, comparable to their participation in the SIS II Decision. However, this argument would probably be unsuccessful as the CJEU previously barred the participation of these Member States in the VIS Decision (Case C-​482/​08, supra note 10), which was exclusively based on a former third pillar legal basis. 120  Council Document 7120/​10, supra note 73, at VII. 121  See F. Boehm, Information Sharing and Data Protection in the Area of Freedom, Security and Justice (2012). 122  Regulation (EC) 45/​2001, OJ 2001 L 8/​1.

 271

Jorrit J. Rijpma

217

cooperation in criminal matters.123 In the latter situations, the SIS II Decision provides that the Convention of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data is applicable.124 In addition, the Framework Decision on data protection in police and judicial cooperation in criminal matters applies to the processing of data under the SIS II Decision, as well as the access of law enforcement staff to VIS and EURODAC.125 Europol and Eurojust are subject to the data protection rules contained in their founding decisions.126 The National Supervisory Authorities (NSAs) under Directive 95/​46/​EC are responsible for supervising the data processing in the Member States and the European Data Protection Officer (EDPO) is responsible at EU level under Regulation No 45/​2001.127 SIS II, VIS, and EURODAC contain further ‘specifications’ to these rules in their founding regulations. Under these rules, the data subject has to be informed of her inclusion in the system.128 She has a right to request access, correction, and deletion of unlawfully stored data.129 This request can be made in any Member State, although the actual change would have to be carried out by the Member State that entered the data. All founding regulations provide for remedies against decisions on access, correction, and deletion before a competent authority or court.130 All regulations contain rules on liability and penalties for the unlawful processing of data.131 Only the SIS II Regulation imposes a duty on each Member State to enforce the final decisions of the national courts or authorities concerning SIS.132 This implies that national courts have the power to consider the lawfulness of entries made by other Member States, which would be in line with the principle of sincere cooperation and mutual trust.133 The VIS Regulation lacks a similar 123  Directive 95/​46/​EC, OJ 1995 L 281/​31. 124  Art. 57 SIS II Decision, supra note 88. 125  Council Framework Decision 2008/​977/​JHA, OJ 2008 L 350/​60. This Framework Decision had not been adopted at the time of the adoption of the SIS II Decision, but is referred to in Rec. 21 of the SIS II Decision as applicable once adopted, supplementing the more generally phrased provisions of the Convention. 126  Decision 2009/​371/​JHA, OJ 2009 L 121/​37 (Europol) and Council Decision 2002/​187/​ JHA, OJ 2002 L 63/​1 (Eurojust). Only the EURODAC Regulation, supra note 90, makes this explicit in Art. 33 for data processing by Europol. 127 The EDPS has replaced the Joint Supervisory authority of SIS (Art. 115 CISA) and EURODAC (Art. 20 Council Regulation (EC) 2725/​2000 (‘Dublin II Regulation’), OJ 2000 L 316/​1: Art. 45 SIS II Regulation and Art. 31 EURODAC Regulation, supra note 90. 128  Art. 42 SIS II Regulation, supra note 88; Art. 29(1)–​(3) EURODAC Regulation, supra note 90; Art. 37 VIS Regulation, supra note 91. 129  Art. 41 SIS II Regulation, supra note 88; Art. 29(4)–​(13) EURODAC Regulation, supra note 90; Art. 38 VIS Regulation, supra note 91. 130  Art. 43 SIS II Regulation, supra note 88; Art. 29(14) and (15) EURODAC Regulation, supra note 90; Art. 40 VIS Regulation, supra note 91. 131  Arts 48 and 49 SIS II Regulation, supra note 88; Arts 37 and 51 EURODAC Regulation, supra note 90; Arts 33 and 36 VIS Regulation, supra note 91. 132  Art. 43(2) SIS II Regulation, supra note 88. 133 This may also be concluded from Case C-​ 150/​ 05, Van Straaten, [2006] ECR I-​ 9327 (ECLI:EU:C:2006:614), in which the CJEU answered preliminary questions of a Dutch lower court allowing it to assess the lawfulness of an Italian alert in the SIS. See Brouwer, supra note 87, at ch. 13.

821

218

Brave New Borders

provision. Under Article 38, access, correction, and deletion can be requested in each Member State, but the responsibility for checking the accuracy and lawfulness of the processing of the data lies with the Member State that entered the data into the system. An appeal against such a decision can therefore only be brought in that Member State. The EES would essentially follow the provisions of the VIS Regulation. The EURODAC Regulation explicitly provides that an action relating to the right of access can be brought in any Member State, but an action in relation to the correction or deletion of data has to be brought in the Member State that entered the data.134 From the point of view of the protection of the data subject and the potentially serious consequences of the (incorrect) inclusion of personal data in one of these systems, it seems unnecessarily restrictive to allow only the courts of the Member States that entered the data to rule on the accuracy and legality thereof. Article 16 TFEU now provides the legal basis for a comprehensive data protection regime. In 2012 the Commission proposed an overhaul of the current rules on data protection.135 However, EU ministers remain divided and the adoption of the Commission’s proposals was been delayed until 2015. It is rather discomforting that legislation such as the EES, which has important implications for personal data, could be adopted prior to reforming the data protection framework itself. Importantly, the new framework would still distinguish between the collection and processing of data generally for which a regulation has been proposed, and the processing of data within the context of criminal investigation, which would be subject to the rules of a proposed Directive.136 The Directive has been seriously criticized by the EDPS for offering ‘an inadequate level of protection, which is greatly inferior to the proposed Regulation’.137 The secondary legislation on the protection of personal data forms the expression of the fundamental right to data protection, as protected by Article 8 of the CFR. A right to the protection of personal data is not included in the European Convention on Human Rights (ECHR) as such, but has been read into Article 8 ECHR on respect for private life.138 The right to respect for private life is also contained in Article 7 of the CFR. As Brouwer has pointed out, the right to data protection is not synonymous with the right to privacy and stricter criteria may be applied when the right to privacy is at stake.139 The CJEU has, moreover, held

134  Art. 29(15) EURODAC Regulation, supra note 90. 135  Commission Communication, Safeguarding Privacy in a Connected World:  A  European Data Protection Framework for the 21st Century, COM(2012) 9, 25 January 2012; Commission Communication, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM(2012) 11 final, 25 January 2012. 136  COM(2012) 11 final and COM(2012) 9 final, supra note 135. 137  EDPS, Opinion of the European Data Protection Supervisor on the Data Protection Reform Package (2012), at 68. 138 ECtHR, Leander v. Sweden (Application no. 9248/​81), 26 March 1987, at para. 48. 139  Brouwer, ‘The Use of Biometrics at the Borders: A European Policy and Law Perspective’, in S. Van der Hof and M. Groothuis (eds), Innovating Government (2011) 231, at 242.

9 21

Jorrit J. Rijpma

219

that the data protection rules of Directive 95/​46/​EC need to be interpreted in the light of Article 8 ECHR.140 With the elevation of the CFR to the status of primary law, the CJEU’s first point of reference for assessing the compatibility of EU legislation with the right to respect for private life and to the protection of personal data will be the CFR. This will also be our main benchmark, although of course the rights to personal data protection and respect for private life have long been recognized as general principles of EU law and the CFR will have to be interpreted in line with the case law of the ECtHR.

D. The Legality of the EU Centralized Databases There is no doubt that the large-​scale collection and storage of personal data, including biometric data, forms an interference with the right to private life under the ECHR, and hence also under the CFR. The ECtHR held that ‘the mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8’.141 The subsequent use of the stored information has no bearing on that finding.142 The CJEU has already held that whether the information is sensitive or not and whether or not persons concerned have been inconvenienced in any way is irrelevant.143 In S & Marper v.  United Kingdom the ECtHR held that fingerprint records constitute personal data containing ‘certain external identification features’ comparable to photographs or voice samples.144 They contain ‘unique information about the individual concerned allowing his or her identification with precision in a wide range of circumstances’.145 As such they belong to a special category of more sensitive data.146 At the same time, the ECtHR acknowledged the relevance of ‘modern scientific techniques of investigation and identification’ which rely on such data.147 Under Article 8(2) of the CFR data can only be processed with the consent of the persons concerned or if there is a legitimate basis laid down in law. Any interference with the right to the protection of one’s personal data must be justified under the Charter’s general exception clause. Article 52(1) of the CFR requires that any limitation is provided for by law and must respect the essence of the right. Limitations must be proportionate, and are only allowed if necessary and if they genuinely meet the objectives of a general interest recognized by the Union or the need to protect the rights of others. 140  Joined Cases C-​465/​0 0, C-​138/​01 and C-​139/​01, Österreichischer Rundfunk and Others, [2003] ECR I 4989 (ECLI:EU:C:2003:294), at para. 21. 141  Leander v. Sweden, supra note 138, at para. 48; ECtHR, S. and Marper v. United Kingdom (Application nos 30562/​04 and 30566/​04), 4 December 2008, ECtHR (2008) 1581, at para 67. 142 ECtHR, Amann v.  Switzerland, [GC] (Application no.  27798/​95), 16 February 2000, at para. 69; S. and Marper v. United Kingdom, supra note 141. 143  Österreichischer Rundfunk and Others, supra note 140, at para. 75. 144  S. and Marper v United Kingdom, supra note 141, at para. 81. 145  Ibid., at para. 84. 146  Ibid., at para. 103. 147  Ibid., at para. 105.

20

220

Brave New Borders

In two recent cases, the Court applied the exception clause to limitations to protection of personal data and the respect for private life. The first case concerned the storage of biometric data in EU passports under Council Regulation (EC) 2252/​ 2004.148 The second case, which has drawn considerably more attention, concerned the obligation under Directive 2006/​24/​EC to retain data obtained in the supply of telecommunication services.149 Both cases are of importance when assessing to what extent the storage of personal data in the EU’s centralized databases for borders, migration, and asylum can be justified under the rules of the Charter.

1. The Passport Case Article 1(2) of Council Regulation (EC) 2252/​2004 obliges Member States to include in their passports and travel documents a facial image, as well as fingerprints in interoperable formats. In the Netherlands there was considerable opposition to the inclusion of fingerprints, resulting in a string of preliminary references from the Dutch Council of State to the CJEU.150 However, the first case to be decided by the Court originated in a German court. Mr Schwarz argued that the obligation in Article 1(2) of the Passport Regulation infringed Articles 7 and 8 of the CFR.151 The Court readily accepted, with reference to S and Marper v. United Kingdom, that the processing of fingerprints constituted ‘a threat’ to the right to respect for private life and the right to protection of personal data.152 It therefore assessed whether this threat could be justified. The CJEU first of all recognized that in view of the importance of travel documents in order to be able to travel, people’s consent to giving their fingerprints cannot in practice be considered free.153 The same would have to be argued for the inclusion of fingerprints in EURODAC, the VIS, and the EES. The Court then considered that the right to respect for private life and to the protection of personal data is not absolute, ‘but must be considered in relation to their function in society’.154 It went on to apply Article 52(1) of the CFR. The Court argued that there was a legitimate aim for the inclusion of biometric data in a passport, namely to counter falsifications and fraudulent use and hence irregular migration.155 This would probably also apply to the SIS II, VIS, and EURODAC Regulation, as well as the proposed EES. More problematic, however, would be justifying the necessity of collecting this data under the EES for the purpose of collecting statistics on cross-​border flows. As the Court held in the case of Watson and

148  Council Regulation 2252/​2004, supra note 28; Case C-​291/​12, Schwarz, Judgment of 17 October 2013 (ECLI:EU:C:2013:670). 149  Directive 2006/​24/​EC, OJ 2006 L 105/​54 (‘Data Retention Directive’), Joined Cases C-​293 and 594/​12, supra note 82. 150  Cases C-​4 46–​4 49/​12, subsequently withdrawn. 151  Schwarz, supra note 148. 152  Ibid., at paras 23–​30. 153  Ibid., at para. 32. 154  Ibid., at para. 33 with reference to Joined Cases C‑92 and 93/​09, Schecke, [2010] ECR I-​ 11063 (ECLI:EU:C:2009:284), at para. 48 and Case C‑543/​09, Deutsche Telekom, [2011] ECR I-​3441 (ECLI:EU:C:2011:279), at para. 51. 155  Schwarz, supra note 148, at paras 36–​38.

1 2

Jorrit J. Rijpma

221

Belmann, EU law does not prevent Member States from adopting measures which enable authorities to have an exact knowledge of population movements affecting their territory.156 Where this applies to EU citizens it a fortiori applies to third country nationals. However, that does not mean that the collection and storage of individualized personal information in a register is per se necessary, as only anonymous information is required in order for such an objective to be attained.157 The CJEU in Schwarz went on to consider that the rules were also proportionate, meaning they were appropriate and did not go beyond what was necessary to achieve them. First, the Court argued that the storage was appropriate as it required ‘sophisticated technology’ which would make forgery more difficult and would facilitate the work of border guard authorities.158 It did not accept the argument that fingerprints are not always reliable. It was sufficient that the use of fingerprints significantly reduced the likelihood of irregular entry.159 The Court here places a remarkable and scarcely motivated faith in the technology in question, taking possible mistakes for granted. The question remains whether the EES could pass the same test of appropriateness. It would only be capable of registering overstay, but it would not be able to locate the persons concerned within the Schengen area. Insofar as the system would be used for the prevention and detection of serious crime, the system would merely enable law enforcement authorities to know if suspected law-​breakers are in the Schengen area, as well as where and when they entered or left, provided of course that they did not cross an external border irregularly. The Commission’s impact assessment noted that the EES may have a deterrent effect, but at the same time conceded that it may result in overstayers deciding not to leave at all.160 Moreover, it is not unthinkable that irregular migrants may change strategies opting for irregular entry rather than actually applying for a visa.161 Finally, the mere identification of an overstayer for the purpose of return proceedings does not offer any solution in the common situation in which a third country does not cooperate in return proceedings.162 As regards the question whether the measure was the least restrictive, the Court in Schwarz held that the taking of fingerprints was not of an intimate nature nor such as to cause particular physical or mental discomfort.163 In the case of traumatized asylum seekers in relation to EURODAC, this could be questioned. Moreover, this does not seem in line with earlier case law in which the Court held that whether or not persons concerned have been inconvenienced in any way is

156  Case 118/​75, Watson and Belmann, [1976] ECR 1185 (ECLI:EU:C:1976:106), at para. 17 and Case C-​524/​06, Huber, [2008] ECR I-​9705 (ECLI:EU:C:2008:724), at para. 63. 157  Huber, supra note 156, at para. 65. 158  Schwarz, supra note 148, at para. 41. 159  Ibid., at para. 43. 160  Commission Staff Working Document, SEC(2008) 153, 13 February 2008, at 48. 161  Peers, ‘Proposed New EU Border Control Systems’, Briefing Paper, European Parliament Directorate-​General for Internal Policies (2008), at 9. 162  See also Meijers Committee, Note on the Smart Borders Proposals (COM(2013) 95 final, COM(2013) 96 final and COM(2013) 97 final) (2013). 163  Schwarz, supra note 148, at para. 48.

2

222

Brave New Borders

irrelevant.164 Its finding was not changed by the fact that fingerprints were taken in combination with facial photographs.165 The Court also considered that the only possible alternative to taking fingerprints would be iris-​scanning, but that the technology for this means of identification is not as advanced and not necessarily less restrictive than taking fingerprints.166 It is interesting that by looking only at the available technological alternatives, the Court makes an assumption about the appropriateness of the technological means to achieve the desired result.167 Yet, as regards the identification of overstayers using fingerprints under the EES, it could be argued that there are less intrusive ways to do so. It is already possible to check a person suspected of no longer fulfilling the requirements for legal stay by verifying the entry and exit stamps in their passport or consulting the VIS. An important element that could, however, cast doubt on the proportionality of the large-​scale storing of fingerprints in EU centralized databases is the fact that, in the Schwarz case, the CJEU recognized that fingerprints play a particular role in the field of identifying persons in general.168 The reason why taking fingerprints did not go beyond what was necessary, was that the data was not stored anywhere other than in the passport itself and could not be used for any other purpose than preventing illegal entry.169 This is, of course, different in the case of the EU centralized databases and the access given to the data by a wide range of national authorities, including law enforcement staff.

2. The Data Retention Case Whilst the Court in Schwarz did not have much difficulty in upholding the validity of the contested Regulation, it did not have to go to great lengths in order to reach the opposite conclusion as regards the Data Retention Directive, annulling it in its entirety. Directive 2002/​58/​EC, an internal market measure which had as its ancillary goal the prevention and prosecution of crime, harmonized the data retention rules of the Member States.170 It obliged providers of publicly available electronic communications services or of public communications networks to retain, for a prescribed period, data relating to a person’s private life and to his communications. Moreover, it provided for access to these data by competent national authorities. In clear and certain terms, both Advocate General Cruz Villalón and the Court reached the conclusion that the infringement of privacy and personal data which this constituted could not be justified.171

164  Joined Cases C-​465/​0 0, C-​138/​01 and C-​139/​01, supra note 140, at para. 75. 165  Case C-​291/​12, supra note 148, at paras 49–​50. 166  Ibid., at paras 51 and 52. 167  Thanks to Marise Cremona for pointing this out. 168  Case C-​291/​12, supra note 148, at para 59. 169  Ibid., at paras 60–​62. 170  Data Retention Directive, supra note 149. 171  Joined Cases C-​293 and 594/​12, supra note 82, with the Opinion of Advocate General Cruz Villalón, delivered on 12 December 2013 (ECLI:EU:C:2013:845).

3 2

Jorrit J. Rijpma

223

The Court first of all made it clear that despite the fact that the content of the communications themselves was not stored, the information taken as a whole would allow for precise conclusions to be drawn as regards an individual’s private life.172 The same could be said, albeit to lesser and differing degrees, of the information stored in the VIS and the EES. The same holds true for the observation by both the Advocate General and the Court that wide-​ranging retention and subsequent use without the user being informed would be liable to create a feeling of constant surveillance.173 The interference with Articles 7 and 8 of the CFR was therefore particularly serious. At the same time, it did genuinely satisfy an objective of genuine interest, namely the fight against international terrorism and serious crime.174 The Court then turned to the proportionality of the Directive. As a preliminary remark it considered that in the light of the extent and seriousness of the interference and the importance of data protection for the right to privacy, the discretion of the EU legislator was limited and the Court’s review strict.175 Under the first limb of the proportionality test (appropriateness) the Court considered that data related to telecommunications are valuable law enforcement tools and that retention of and access to these data were therefore suitable for attaining the objective pursued.176 As regards the second limb of the proportionality test (necessary, no less restrictive means), the Court stressed that the aim of preventing terrorism and organized crime does not in itself render the measure necessary. It emphasized the importance of the right to the protection of personal data for the right to respect for private life and referred to prior case law in which it had held that limitations to the right to the protection of personal data can only apply as far as strictly necessary.177 It stressed the importance of clear and precise data protection rules to prevent abuse and unlawful access and use of the data, especially where data were processed automatically and there is a significant risk of unlawful access.178 The Court held that the Directive failed to be strictly necessary on four grounds. First, it provided for the generalized storage of all data traffic of all persons using electronic devices. As such, it applied even to people for whom there was no evidence whatsoever of a link with serious crime.179 A similar argument could be made as regards the general fingerprinting of third country nationals under the EES and VIS. The vast majority of these people would not have the intent to overstay, let alone have links to terrorism or organized crime. 172  Joined Cases C-​293 and 594/​12, ibid., at para. 27. 173  Ibid., at para. 37, with reference to paras 52 and 72 of the Advocate General’s opinion. 174  Ibid., at paras 41–​4 4. This in addition to the internal market objective, as had already been recognized by the Court in Case C-​301/​06, Ireland v. European Parliament and Council, [2009] ECR I-​593 (ECLI:EU:C:2009:68), at paras 71–​74. 175  Joined Cases C-​293 and 594/​12, supra note 82, at paras 47–​48. 176  Ibid., at para. 49. 177  Ibid., at paras 52 and 53, referring to Case C-​473/​12, IPI, Judgment of 7 November 2013, not yet published (ECLI:EU:C:2013:715), at para. 39. 178  Ibid., at paras 54 and 55, with reference to case law from the ECtHR, including S.  and Marper v. United Kingdom, supra note 141, at para. 103. 179  Ibid., at paras 57–​58.

42

224

Brave New Borders

Second, the Data Retention Directive did not define the limits of access by competent authorities to the data for want of a definition of serious crime and substantive and procedural conditions relating to the subsequent use of this data.180 Arguably, this is regulated better in the case of the EU centralized databases. All, with the exception of the EURODAC Regulation, require the Member States to communicate which authorities are competent to access the data and this list must be published.181 Serious terrorist and criminal offences are defined with reference to the Framework Decision on Combatting Terrorism and the European Arrest Warrant, although the definitions provided in these measures have also been criticized for want of specificity.182 In the case of EURODAC, law enforcement staff must first exhaust the use of existing databases.183 In the case of VIS, the full data set available will only be given to law enforcement staff in the case of a positive hit resulting from a search in a more limited data set.184 In both cases, there must be grounds to consider that consultation would substantially contribute to the prevention or detection of serious crime. Currently, discussions in the Council on the access for law enforcement staff to the EES include the question whether to follow the VIS model or the EURODAC model on access for law enforcement staff.185 Although the Court’s second reason for ruling that the Data Retention Directive failed the proportionality test seems less pertinent when assessing the legality of the centralized databases, there are two additional concerns as regards access to and use of these databases. The first concern is the sheer number of people who will have access to the different databases, and the fact that many of these people will have access to different databases at the same time, which increases the risk of improper searches, returning to the EDPS’s argument regarding the cumulative effects of creating different databases alongside each other. The second concern is that any transfer of personal data to third countries would require particular safeguards considering that these data concern third country nationals. The EURODAC and the SIS II Regulation do not allow for such transfers.186 The VIS Regulation and the proposed EES state that there shall be no transfer of data to third countries but will allow for derogations if necessary for the identification of third country nationals in individual cases, including for the purpose of return.187 This is subject to the rules of Directive 95/​46/​ 180  Ibid., at paras 60–​62. 181  Art. 31(8) SIS II Regulation, supra note 88; Art. 6(3) VIS Regulation, supra note 91; Art. 7(2) EES Proposal, supra note 81. Art. 3(2) EURODAC Regulation, supra note 90, does require Member States to have one single National Access Point. In Art. 5(2) it requires Member States to keep a list of designated authorities for access for law enforcement purposes. 182  Art. 2(1)(j) and (k) EURODAC Regulation, supra note 90; Art. 7(c) and (d) VIS Decision, supra note 10, referring to Council Framework Decision 2002/​475/​JHA, OJ 2002 L 164/​1 and Council Framework Decision 2002/​584/​JHA, OJ 2002 L 190/​1 (‘European Arrest Warrant’). See inter alia Calderoni, ‘A Definition That Does Not Work: The Impact of the EU Framework Decision on the Fight against Organized Crime’, 49 Common Market Law Review (2010) 1365, at 1390. 183  Arts 20 and 21 EURODAC Regulation, supra note 90. 184  Arts 5 and 7 VIS Decision, supra note 10. 185  Council Document 13225/​14, supra note 118, at 4. 186  Art. 39 SIS II Regulation, supra note 88; Art. 35 EURODAC Regulation, supra note 90. 187  Art. 31(2) VIS Regulation, supra note 91; Art. 27 EES Proposal, supra note 81.

 25

Jorrit J. Rijpma

225

EC and specific reference is made to the position of refugees and the principle of non-​refoulement. Most problematic here is the VIS Decision, which allows for the transfer of data in cases of urgency for the purpose of preventing terrorism or serious crime.188 This is regulated by national law, which in the light of the CJEU’s judgment on the Data Retention Directive does not seem to provide sufficient safeguards. The Court’s third reason for considering that the Directive went beyond what was strictly necessary was that it did not distinguish data retention periods for the different data categories and only prescribed a minimum and maximum period of retention without specifying that this should be limited to what is strictly necessary.189 Here there does not seem to be an immediate concern with the existing centralized databases, as all provide for automatic deletion upon expiry of the retention period and the possibility of advance deletion of data.190 The retention period of five years in the case of the VIS appears to be justified as this is the period of reference in assessing the applicant’s good faith and to detect continued practices of fraud or visa shopping.191 However, in relation to the proposed EES a retention period of five years may prove disproportionate in view of the serious obstacles this may cause for future visa applications, de facto imposing an entry ban, also in case of negligible or excusable periods of overstay. Moreover, insofar as the storing of data in the VIS and possibly the EES serves the prevention of serious crime, the storage of data for five years seems excessively long.192 Finally, the CJEU considered that the Directive did not adequately protect the security of the data. This concern is to some extent mitigated by the establishment of the eu-​LISA specifically responsible for the central architecture and the network, and specific security rules imposed on the national authorities.193 The CJEU does not out of principle object to the use of biometrics in the fight against irregular migration. The legal framework in place for SIS II, EURODAC, and VIS is clearly more elaborate compared to the blatant lack of safeguards under the Data Retention Directive. Nonetheless, both cases do raise questions as regards the compatibility also of these databases. Most importantly, the cases raise concerns in relation to the proposed EES, especially if it were to include access to law enforcement staff. This is in view of the accumulation of access rights, the general nature of the persons under surveillance, and the indiscriminate retention period foreseen in the proposal. As evidenced by discussions in the Council, there seems to be an awareness that the EES will need to be carefully drafted in order

188  Art. 8(4) VIS Decision, supra note 10. 189  Joined Cases C-​293 and 594/​12, supra note 82, at paras 63–​65. 190  Art. 29 SIS II Regulation, supra note 88; Arts 23 and 25 VIS Regulation; Arts 12 and 13 EURODAC Regulation, supra note 90; Arts 20 and 22 EES Proposal, supra note 81. 191  Rec. 14 VIS Regulation, supra note 91. 192  See also Advocate General Cruz Villalón, in Joined Cases C-​293 and 594/​12, supra note 82, at para 149. 193  Art. 10 SIS II Regulation, supra note 88; Art. 34 EURODAC Regulation, supra note 90; Art. 32 VIS Regulation, supra note 91; Art. 28 EES Proposal, supra note 81.

26

226

Brave New Borders

to comply with the data protection rules as explained by the Court in the Data Retention case.194

E. Additional Concerns in Relation to the Entry-​E xit System It is interesting that the Court did not follow the Advocate General’s approach of first assessing the proportionality of the proposal under Article 5(4) of the Treaty on European Union (TEU). According to the Advocate General, this test would have been a lighter test deferring more to the legislator’s prerogatives of political choice.195 Nonetheless, it could also be argued here that the fact that the proposal impinges on fundamental rights would considerably limit the legislator’s discretion, or that in any case a measure that violates fundamental rights would have to be considered manifestly inappropriate.196 Nevertheless, an assessment of the EES on the basis of this Article could give room to the cost–​benefit argument and the arguments relating to technical feasibility. Although some have argued that the question of costs and technical feasibility is one for politicians and experts rather than for lawyers, it should play a role in the assessment of the proposal’s proportionality and necessity.197 In this respect, the US experience may be informative. As early as 1996 the Illegal Immigration Reform and Immigration Responsibility Act prescribed the introduction of an EES.198 The US-​Visit programme was supposed to comply with this obligation.199 However, to date the registration of exit does not function properly, despite the United States having a much more limited number of recognized border points than the EU, and despite considerable financial investment.200 Likewise, large IT projects at EU and national level have often been characterized by delays and overspends, the SIS II being a case in point. Member States in the Council have consistently supported the idea of an EES. They have stressed the need to make progress on smart borders without undue delay.201 At the same time, they have shown themselves to be wary of the costs in times of austerity. A first feasibility study was carried out in 2008, feeding into the Commission’s impact assessments accompanying the proposals for smart borders

194  Advocate General Cruz Villalón, in Joined Cases C-​293 and 594/​12, supra note 82, at para. 89. 195  Council Document 13225/​14, supra note 118, at 3. 196  V. Kosta, Fundamental Rights in EU Internal Market Legislation (2015), at ch. 3. 197  Guild, Carrera, and Geyer, ‘The Commission’s New Border Package—​Does it Take us One Step Closer to a “Cyber-​Fortress Europe”?’, CEPS Policy Briefs No. 154 (2008), at 3. 198  Division C of Pub. L. 104-​208, 110 Stat. 3009-​546. 199 The United States Visitor and Immigrant Status Indicator Technology (US-​V ISIT) was replaced in 2013 by the ‘Office of Biometric Identity Management’ (OBIM). 200  See the scathing report of the GAO, Homeland Security: Prospects For Biometric US-​V ISIT Exit Capability Remain Unclear (2007) and GAO, Secure Border Initiative: DHS Needs to Address Significant Risks in Delivering Key Technology Investment (2008). 201 Council of the European Union, Approach for the Way Forward on the Smart Borders Package, Doc. 5828/​14, 4 February 2014, at 3.

7 2

Jorrit J. Rijpma

227

in 2011.202 A study commissioned by the Civil Liberties, Justice and Home Affairs (LIBE) Committee qualified these impact assessments as ‘designed to legitimize the policy option already chosen by the European Commission’.203 As these impact assessments also failed to convince the Member States, the Commission— in response to questions raised in the Council as to the technical, operational, and financial feasibility of the EES—commissioned an additional feasibility study in 2014, as well as a pilot project to be carried out by eu-​LISA in 2015.204 In view of these concerns, it seems all the more questionable that in parallel to these studies being carried out, the political decision-​making process remains in full swing. The introduction of an EES thus seems inevitable. In the words of former Commissioner of Home Affairs Cecilia Malmström, ‘it is a train that has left the station’. The Commission seems not only deaf to the concerns of civil society which it has itself described as very ‘critical of the setting up of an EES’, but also of the EDPS and the Article 29 Data Protection Working Party.205 Unsurprisingly, the security industry has been more favourable, playing an active role in proposing, developing, and implementing ‘smart borders’.206 Finally, eu-​LISA and the EU’s border management agency, Frontex, both supposedly non-​political Union bodies, have spoken out in favour of the use of modern technology in general, including the EES and are actively involved in the preparation thereof.207 This links into Bigo’s power-​maximizing logic under which security actors try to expand their influence, albeit here not necessarily into other policy domains.208 Similar dynamics can be observed when assessing the EUROSUR system, an instrument that with the help of modern technology links national border guard agencies allowing for a risk-​based approach towards the management of the EU border. Here the territorial and the digital border come together.

202 European Commission, Commission Staff Working Document, Impact Assessment, SWD(2013) 47 final, 28 February 2013. 203  Jeandesboz, Bigo, Hayes, and Simon (European Parliament), ‘The Commission’s Legislative Proposals on Smart Borders: Their Feasibility and Costs’, Study, European Parliament Directorate-​ General for Internal Policies (2013), at 7. 204  Council Document 5828/​14, supra note 201. 205  SWD(2013) 47 final, supra note 202, at 8. See Meijers Committee, supra note 162; EDPS, Opinion on the Proposals for a Regulation Establishing an Entry/​Exit System (EES) and a Regulation Establishing a Registered Traveller Programme (RTP) (2013); Opinion 05/​2013 on Smart Borders, 2013 (WP 29). 206  Bigo, Carrera, Hayes, Hernanz, and Jeandesboz, ‘Justice and Home Affairs Databases and a Smart Borders System at EU External Borders’, CEPS Paper in Liberty and Security no. 52 (2012), at 35. See also D. Hayes and M. Vermeulen, Borderline, The EU’s New Border Surveillance Initiatives (2012), at 55–​57. 207  eu-​LISA will be entrusted with carrying out the pilot project for the EES and Frontex already carried out research into automated Border Control Systems. 208  Bigo, ‘When Two Become One:  Internal and External Securitisations in Europe’, in M. Kelstrup and M. Williams (eds), International Relations Theory and the Politics of European Integration: Power, Security, and Community (2000) 171, at 193–​194.

82

228

Brave New Borders

4.  EUROSUR: The Exchange of Operational Information On 2 December 2013, the European Surveillance system (EUROSUR) became operational, linking national border guards and the European border management agency, Frontex, in a common information-​sharing environment. EUROSUR is not itself a database, but rather an operating model for information exchange between the Member States and Frontex ‘in order to improve situational awareness and to increase reaction capability at the external borders’.209 The purpose of EUROSUR is threefold: fighting irregular migration, combating cross-​border crime, and contributing to the rescue of lives at sea.210 Although the system only allows for very limited processing of personal data, it must nonetheless be seen in the light of similar initiatives that diminish the role of human border guards through the use of (information) technology and a risk-​based approach to the management of territorial external borders.211 It relies heavily on the use of modern surveillance equipment for the gathering of information and the exchange thereof. The focus in this last section will be on the way in which EUROSUR provides a framework for the use of modern technology allowing new (EU) and old (Member State) bureaucracies to reinforce their control over the movement of people. It also shows how EU agencies, in this case Frontex, actively shape the EU’s border policy and how through practical and technical cooperation substantive integration is achieved.

A. The Operational Preparation of EUROSUR Frontex, the EU’s agency for the coordination of operational cooperation at the external borders, was established as an independent agency of the EU in 2004 and became operational a year later.212 Its tasks are not only to coordinate joint operations and training but also to carry out risk analyses, to set up pilot projects, and to follow up on research and development relevant for border management.213 As such, it came to play an important role in the process culminating in the establishment of EUROSUR. As early as 2003, a study commissioned by the JHA Council had hinted at the technical feasibility of combining all available information, from fixed or mobile sensors, to establish a centralized overview of a specific area.214 The first 209  Ibid. 210  Art. 1 EUROSUR Regulation, supra note 71. 211  González Fuster and Gutwirth, ‘When “Digital Borders” Meet “Surveilled Geographical Borders”: Why the Future of EU Border Management is a Problem’, in J. P. Burgess and S. Gutwirth (eds), A Threat Against Europe? Security, Migration and Integration (2011) 170. See also Marin, ‘Is Europe Turning into a “Technological Fortress”? Innovation and Technology for the Management of EU’s External Borders: Reflections on FRONTEX and EUROSUR’, in M. A. Heldeweg and E. Kica (eds), Regulating Technological Innovation: Legal and Economic Regulation of Technological Innovation (2011) 131. 212  Frontex Regulation, supra note 14. 213  Ibid., Art. 2. 214  Council of the European Union, Feasibility Study on the Control of the European Union’s Maritime Borders—Final Report, Doc. 11490/​1/​03, 19 September 2003, at 65.

 29

Jorrit J. Rijpma

229

concrete steps towards EUROSUR’s development were made in 2005 when Frontex was given the task of carrying out two feasibility studies: MEDSEA on a Mediterranean Coastal Patrols Network and BORTEC on a surveillance system covering the whole of the southern maritime borders of the EU.215 In 2006, in its Communication on the reinforcement of the management of the external borders, the Commission announced the creation of EUROSUR.216 The Council’s strategic deliberations on its Integrated Border Management Strategy of 2006 placed great emphasis on the need for spatial technological surveillance, in particular as regards the sea border.217 The Council identified the need for a ‘tactical command function for real time coordination of observation and risk analysis’ and contemplated a possible role for Frontex in this regard.218 The Commission’s 2008 Communication on EUROSUR provided a road map for the establishment of EUROSUR in three phases.219 The first phase consisted of the linking and streamlining of Member States’ surveillance systems. The second phase exclusively focused on the improvement and development of surveillance tools and sensors, such as earth observation satellites and unmanned aerial vehicles. In the third phase, ‘a common information sharing environment’ or ‘system of systems’ would integrate all existing maritime reporting and monitoring systems in the field of internal security.220 The Commission contemplated that eventually this could be broadened to an overarching surveillance system covering all aspects of maritime safety and security, a ‘common monitoring and information environment’ (common information sharing environment, CISE).221 The Commission announced that at a later stage it would ‘assess the need for a legislative initiative’ with regard to the progress made on guidelines for National Coordination Centres (NCCs).222 It would further make a proposal for the system architecture for the communication network. The impact assessment accompanying the Communication considered that phases 1 and 2 could be largely implemented within the existing legislative framework and based to a large extent on actions already under preparation.223 The Commission asserted that EUROSUR 215  Council of the European Union, Frontex Feasibility Study on Mediterranean Coastal Patrols Network—​MEDSEA, Doc. 12049/​06 (partly accessible), 20 November 2006; FrontexStudy on Technical Feasibility of Establishing a Surveillance System (European Surveillance System)—​ BORTEC (2007), not public. See for a discussion Hayes and Vermeulen, supra note 206, at 14–​15. 216 Commission Communication, Reinforcing the Management of the European Union’s Southern Maritime Borders, COM(2006) 733 final, 30 November 2006, at 8. 217  Council of the European Union, Integrated Border Management; Strategy Deliberations, Doc. 13926/​3/​06 REV 3, 21 November 2006, at 8–​9. 218  Ibid., at 10. 219  Commission Communication, Examining the Creation of a European Border Surveillance System (EUROSUR), COM(2008) 68 final, 13 February 2008. Together with COM(2008) 69 final, supra note 17 and the Report on the Evaluation and Future Development of the FRONTEX Agency (COM(2008) 67 final, 13 February 2008) it formed the so-​called ‘2008 Border Package’. 220  COM(2008) 68 final, supra note 219, at 9. 221 See also Commission Communication, Better Situational Awareness by Enhanced Cooperation across Maritime Surveillance Authorities: Next Steps Within the Common Information Sharing Environment for the EU Maritime Domain, COM(2014) 451 final, 8 July 2014. 222  COM(2008) 68 final, supra note 219, at 7. 223  Commission Staff Working Document, SEC(2008) 151, 13 February 2008, at 19 and 57.

302

230

Brave New Borders

could be set up ‘without affecting the respective areas of jurisdiction of Member States, nor [would it] replace any existing systems’.224 The Commission made one further and general reference to the need for legislative measures at the end of the Communication where it considered that EU data protection laws would require the processing of personal data within the context of EUROSUR to be based upon ‘appropriate legislative measures’.225 It is questionable from the point of view of democratic legitimacy that prior to any decision by the EU legislator, a fait accompli was created through operational and technical cooperation. Already in 2007 Frontex, at the instigation of the European Council, had launched the so-​called European Patrol Network (EPN), coordinating Member States’ patrolling activities in the Mediterranean in order to prevent overlap and increase cost-​efficiency.226 It moreover started work on an organizational structure, establishing NCCs which would eventually be integrated in EUROSUR. The Frontex Situation Centre (FSC), which would maintain the communication network with and between NCCs, was established in 2008. In 2009, Frontex formulated guidelines for the NCCs, which were subsequently incorporated in the (non-​binding) Schengen Catalogue on External Border Control.227 Between 2008 and 2010 the Member States, Frontex, and the Commission defined the technical components of Frontex, which were tested and validated in pilot and demonstration projects for 2010 and 2011.228 These projects were carried out ‘with the support of industry’ which self-​evidently demonstrated considerable interest in the development of EUROSUR from an early stage.229 It was only in 2011, after considerable work had already been done and financial investments had been made, that the Commission presented a legislative proposal ‘to connect the dots’.230 However, it did much more than that, as it finally provided EUROSUR with a legal basis. It eventually obliged all Member States, not only those at the southern maritime borders, to ‘make substantial investments in the alignment of their own border control systems with EUROSUR’s standards and requirements’.231 It also considerably reinforced the role of Frontex, making it a key actor in the overall functioning of the system. The Regulation was eventually adopted in October 2013.232

224  COM(2008) 68 final, supra note 219, at 4. 225  Ibid., at 11. 226  Council of the European Union, Presidency Conclusions (Brussels European Council, 14–​15 December 2006), Document 16879/​06, 15 December 2006, at point 24(c). 227  Council of the European Union, Updated EU Schengen Catalogue on External Borders Control, Return and Readmission, Document 7864/​09, 16 March 2009. 228  Commission Staff Working Paper, Determining the Technical and Operational Framework of the European Border Surveillance System (EUROSUR) and the Actions to Be Taken for Its Establishment, SEC(2011) 145 final, 28 January 2011, at 2. 229  Hayes and Vermeulen, supra note 206, 55–​57. 230 European Commission, ‘EUROSUR:  “Connecting the Dots in Border Surveillance” ’, Press Release, 12 December 2011; Proposal for a Regulation, Establishing the European Border Surveillance System (EUROSUR), COM(2011) 873 final, 12 December 2001. 231  Hayes and Vermeulen, supra note 206, 19. 232  EUROSUR Regulation, supra note 71.

 213

Jorrit J. Rijpma

231

B. The EUROSUR Regulation Under Regulation (EU) 1052/​2013, Frontex is the spider at the centre of the web that is EUROSUR. The agency is responsible for the communication network which provides the communication and analytical tools for the exchange of non-​ classified sensitive and classified information in a secure manner and in near-​real-​ time with, and among, the NCCs on a 24/​7 basis.233 NCCs draw up a national situational picture containing ‘effective, accurate and timely information’ on the situation at their respective stretches of the external border. This information is compiled with other information from national border surveillance systems, stationary and mobile sensors operated by national border guard authorities and patrols on border surveillance, and other monitoring missions.234 On the basis of the national situational pictures and on the basis of its own data from sources such as the Commission, Union delegations, other EU agencies, and the authorities of third countries, Frontex compiles both a European situational picture, covering the EU’s external borders, and a ‘common pre-​frontier intelligence picture’, covering the areas beyond the external borders.235 The Agency coordinates the common application of surveillance tools, such as satellites and ship reporting systems, answering information requests from NCCs ‘on a regular, reliable and cost-​efficient basis’.236 The information it provides can be based, for instance, on the monitoring of third country ports and coasts or the selective monitoring of designated pre-​frontier areas. It could also be derived from ship reporting systems, satellite imagery, and sensors mounted on any vehicle, vessel, or other craft, which includes drones. The establishment of a pre-​frontier intelligence picture contributes to the redefinition of the territorial border, also diminishing the relevance of the legal border. As Jeandesboz has, for instance, pointed out, the definition of coastal waters and open seas in the BORTEC study relied solely on the reach of observation by land-​based surveillance infrastructure.237 The fact that cooperation with third countries and their eventual inclusion in the system was considered essential to the proper functioning of the system forms another example of the diversification of the border.238 The European situational picture and the common pre-​frontier intelligence picture inform the Agency’s risk analysis on the basis of which it attributes ‘impact levels’ to sections of the external land and sea borders.239 These impact levels range from low, through medium, to high depending on whether illegal immigration or cross-​border crime have an insignificant, moderate, or significant impact 233  Ibid., Art. 7. 234  Ibid., Art. 9. 235  Arts 10 and 11 EUROSUR Regulation, supra note 71. 236  Ibid., Art. 12. 237 Jeandesboz, ‘Beyond the Tartar Steppe:  EUROSUR and the Ethics of European Border Control Practices’, in J. P. Burgess and S. Gutwirth (eds), A Threat Against Europe? Security, Migration and Integration (2011) 111, at 120. 238  COM(2011) 873 final, supra note 230, at 3. 239  Art. 15 EUROSUR Regulation, supra note 71.

23

232

Brave New Borders

on border security at the relevant border section. Although not explicitly stated, it should be argued that in view of the Regulation’s third objective, the contribution to saving lives at sea, the number of search and rescue operations should also be taken into account, even where this does not directly impact on border security itself. Depending on the impact level, Member States are required to improve their ‘reaction capability’ by intensifying their surveillance activities.240 The responsible authorities should coordinate with their NCC, which remains in close contact with Frontex, informing it specifically on the measures taken when a high impact level is attributed. If necessary, Frontex may be asked for (emergency) assistance.

C. Reinforcing the External Borders, Reinforcing Frontex The call to reinforce the external borders of the EU has often been accompanied by calls for reinforcement of the Agency. Successive amendments to its legal basis had already reinforced the role of Frontex in 2007 and 2011.241 In 2007, a mechanism for the rapid deployment of emergency teams was introduced and the Agency received the power to acquire technical equipment that could be deployed in joint operational activity. In 2011, it was given the power to independently finance joint operations, send liaison officers to third countries, as well as launch and finance technical assistance projects in third countries. In 2011 it was also given the, albeit limited, power to process personal data in return operations and joint operational activity.242 In the context of the latter, it may only process personal data in relation to people suspected of cross-​border criminal activities, in facilitating illegal migration activities, or in human trafficking activities. The use of these data is limited to onward transmission to Europol or other Union law enforcement agencies and in a depersonalized form for risk analyses. Under EUROSUR, national situational pictures may be used to process personal data subject to Directive 95/​46, Framework Decision 2008/​977/​JHA, and relevant national legislation.243 Frontex may use the European situational picture and the common pre-​frontier intelligence picture only for the processing of personal data concerning ship identification numbers subject to Regulation 45/​ 2001.244 Interestingly, the Commission’s proposal on EUROSUR referred to the processing of data under the EU horizontal framework for data protection, anticipating its adoption which, as noted earlier, has still not taken place.245 Frontex was given the power to process the personal data of persons suspected of cross-​border crime in 2011, and the EUROSUR Regulation now confirms that

240  Ibid., Art. 16. 241 Regulation (EC) 863/​2007, OJ 2007 L 199/​30; Regulation (EU) 1168/​2011, OJ 2011 L 304/​1. 242  Art. 11c Frontex Regulation, supra note 14. 243  Art. 13(1) EUROSUR Regulation, supra note 71. 244  Art. 11ca Frontex Regulation, supra note 14. 245  COM(2011) 873 final, supra note 230, at 2.

3 2

Jorrit J. Rijpma

233

in the post-​Lisbon reality there are no longer legal obstacles to Frontex’s involvement in police and judicial cooperation in criminal matters. This is very much in line with the Council’s Integrated Border Management Strategy and the EU’s ISS. Frontex has now also been allowed to join deliberations on the follow-​up of the Communication of 2012 on a European Information Exchange Model. As it previously did not participate, the current model does not yet take information exchange under EUROSUR into account.246 As Neal has pointed out, a double risk logic can be applied to Frontex. On the one hand, its ‘analytical and predictive gaze’ is directed at the ‘risk’ of irregular migration at the external borders, but at the same time it exposes the ‘risk’ posed by the weaknesses in Member States’ border regimes.247 This is clearly reflected in the attribution of impact factors to stretches of the external border, but also the role the Agency plays in the Schengen evaluation system under which the implementation of the Schengen acquis by the Member States is assessed.248 With the introduction of EUROSUR, the focus of the Agency seems to shift away from coordinating on-​the-​ground operational activity towards gathering intelligence and carrying out risk analyses. Much like the centralized databases which categorize individuals into risk categories, EUROSUR profiles places of departure, movement, and modus operandi in the maritime domain.249 Bigo shows that there is a marked difference in approach between those border guards working at the physical border and those ‘border guards’ working in the EU institutions and agencies, such as Frontex and eu-​LISA. Unsurprisingly, the latter tend to attribute considerably less value to controls at the territorial border itself and much more to intelligence gathering and risk analysis.250 Jeandesboz furthermore observes that EUROSUR has both a spatial and temporal dimension. The temporal dimension is twofold, adding to the familiar proactive element of risk management, that of instantaneity (‘real-​time information’), allowing not only for preventive, but also faster, policing.251 In any case, the EUROSUR Regulation confirms the central role of Frontex in the development of an integrated system for the management of the external borders, as an intelligence actor, and as a point of reference for national border guard authorities.

D. EUROSUR in Practice: Control over Rescue EUROSUR neatly demonstrates a number of characteristics of developments in EU migration and asylum law: its development driven by security actors, the link between irregular migration and organized crime, the risk-​based approach 246  Van de Ryse, ‘De grenzen vervagen. Ook voor Frontex?’, 65 Orde van de Dag (2014) 65, at 73. 247  Neal, ‘Securitization and Risk at the EU Border: The Origins of FRONTEX’, 47 Journal of Common Market Studies (2009) 333, at 349. 248  In particular Arts 7 and 10(5) Council Regulation (EU) 1053/​2013, OJ 2013 L 295/​27. 249 Jeandesboz, supra note 237, at 122–​124. 250  Bigo, ‘The (In)securitization Practices of the Three Universes of EU Border Control: Military/​ Navy—​Border Guards/​Police—​Database Analysts’, 45 Security Dialogues (2014) 209, at 215. 251 Jeandesboz, supra note 237, at 125.

342

234

Brave New Borders

to the management of an increasingly mobile border, and an unchecked faith in the possibilities of technology. It also proves how a focus on technology, and its portrayal as neutral and apolitical, successfully masks underlying, more contentious, questions on the future of EU border management. Moreover, by presenting EUROSUR as a technical solution aimed at saving lives at sea, it has been able to detract from the continuing disagreement amongst Member States on responsibilities in the field of search and rescue at sea. The EUROSUR Regulation was adopted in the aftermath of yet another tragedy with boat refugees off the coast of Lampedusa and hailed as an instrument capable of preventing such tragedies in the future.252 Only months after the adoption of the Regulation, agreement was reached on how to act in situations of search and rescue and disembarkation in the context of Frontex-​coordinated joint operations at sea.253 Yet, the majority of Member State patrolling of the external sea borders is done by individual Member States which continue to apply the public international law rules on search and rescue in line with their own interpretation. From a strictly legal point of view, Frontex’s founding regulation does not give it any competence in search and rescue. The joint declaration at the end of the EUROSUR Regulation even stresses that search and rescue is completely outside EU competence. During the negotiations, proposals to include in the definition of ‘reaction capability’ the ability to perform actions aimed at protecting the lives of migrants at the external borders were unsuccessful.254 At one point in the legislative process, the objective of saving lives at sea was even completely omitted from the proposal.255 The current position is that the Regulation contributes to the international law regime on search and rescue, by raising situational awareness and hence the international search and rescue regime may be triggered more readily. The only large-​scale operation specifically aimed to rescue life at sea was organized by an individual Member State, Italy. The Mare Nostrum operation was a national operation which did not include the involvement of Frontex. It is unclear to what extent, if at all, EUROSUR was actively used in the context of this operation. The Italian operation has now been replaced with the much smaller Triton joint operation under the coordination of Frontex, which however has as its objective the control of the external borders.

252  Commission Press Releases of 19 June 2013 (EUROSUR: new tools to save migrants’ lives at sea and fight cross-​border crime) and 29 November 2013 (EUROSUR kicks off: new tools to save migrants’ lives and prevent crime at EU borders) and the Statement by Commissioner Malmström on the Tragedy, 13 October 2013. 253  Regulation (EU) 656/​2014, supra note 56. 254  Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council Establishing the European Border Surveillance System (EUROSUR), Doc. 11437/​ 12, 13 July 2012. 255  Council of the European Union, Proposal for a Regulation of the European Parliament and of the Council Establishing the European Border Surveillance System (EUROSUR), Doc. 12905/​ 12, 1 August 2012.

5 23

Jorrit J. Rijpma

235

During the first year of operation of EUROSUR, cross-​Mediterranean migration saw a steep increase due to conflict in the neighbourhood of the EU. The limits on the possibilities of technology have already become apparent. Real-​time information in the EUROSUR system cannot provide for a level of detail allowing the identification of people in distress. As the Frontex Executive Director Gil-​ Arias made very clear, even if satellite imagery were to become available, which it is not for the time being, that ‘would not be even useful for preventing tragedies because the satellite images will be available to the border authorities hours or even days after’.256 The EUROSUR Regulation only gives a general indication of the information that has to be included in the national situational picture. Frontex does not have the power to validate the information contained therein. As a mere coordinator Frontex cannot give instructions to national border guard authorities on how to respond to information contained in EUROSUR. This confirms that in practice the surveillance capacity of Member States is still conditioned by the possibilities of technology, whilst legislative measures providing merely for a technological infrastructure cannot fully substitute a lack of agreement on more substantive rules, such as the application of the search and rescue regime. Nevertheless, it seems only a matter of time before new measures will be proposed in response to these concerns. In all likelihood this will first be done within the existing legal framework, introducing more state-​of-​the-​art technology and strengthening Frontex’s role in practice. The Commission report on the Implementation of the Work of the Task Force on the Mediterranean, established after the Lampedusa tragedy of October 2013, aims to strengthen EUROSUR’s capabilities, strengthen the cooperation between Frontex and the European Maritime Safety Agency (EMSA), and to carry out research to further develop the technical capabilities for border surveillance, in particular for the detection of small vessels.257 In July 2014, the Commission published its Communication on enhanced cooperation across all relevant maritime surveillance authorities. It emphasized that the development of a so-​called Maritime Common Information Sharing Environment would neither impact on the administrative structures of Member States, nor on the existing EU legislation in this field. Eventually, however, one may very well imagine that new legislation will be proposed to give Frontex more of a direct say over the input of information into EUROSUR and the follow-​up to be given to its risk assessments.

256 EUObserver, EU Border Surveillance System not Helping to Save Lives, 14 May 2014, available at http://​euobserver.com/​justice/​124136 (last visited 20 September 2016). 257 Commission Staff Working Document, Implementation of the Communication on the Work of the Task Force Mediterranean, SWD(2014) 173 final, 22 May 2014, at 38. Although the use of small vessels continues to be one of the main modi operandi of human smugglers, they have recently also resorted to the use of larger, equally sea-​unworthy ships.

326

236

Brave New Borders

5. Conclusion In this chapter we have seen the importance that the EU attaches to the use of modern technology in its migration and asylum policy. Much as states gained control of the movement of people in the 19th century, the use of new technologies and the development of bureaucracies is allowing the EU and its Member States to reinforce their control over the movement of people. Not only has the EU established the substantive rules for the use of new technologies, it has also provided for the necessary technological infrastructure, for instance in the form of large-​scale databases. This infrastructure further includes a bureaucracy of quasi-​independent agencies, which apply and manage these technologies in order to foster Member State cooperation. They have become central to information exchange between national agencies and increasingly subordinate national agencies to their coordination. They actively support the use of modern technology, which allows them to gain importance within the network they form with national authorities. The examples of the EU’s centralized databases and EUROSUR illustrate the need to consider technology in the EU’s migration and asylum management as value-​ laden, rather than value-​neutral. Regarding technology as somehow unconnected to the underlying policy field has had two important consequences. First, it has allowed integration in these fields to proceed as a technocratic process in which the use of technology has been able to conceal or even substitute political agreement on substantive policy, and even influence its direction. Second, it has allowed for the transposition of migration technology to other fields of EU policy, most notably criminal law enforcement, confirming and reinforcing the conceptualization of the movement of people across borders in terms of risk. However, perhaps the most important reason not to be fooled by technology’s apparent neutrality is the profound impact its use may have on the rights and freedoms of individuals who in this particular policy field are third country nationals and therefore find themselves by definition in a weaker position in relation to the authorities. The control over people moving across the EU’s external borders has become ever more intrusive with the proliferation of databases containing vast amounts of personal data, including biometric data. As these databases are increasingly used for identity checks within the territory and as law enforcement tools they have turned into general surveillance tools which no longer solely serve their original purpose of managing migration and asylum. Rather, they allow a risk-​based approach to the movement of people, shifting border controls inside and outside Schengen territory, ideally preventing the arrival of asylum seekers, filtering out unwanted migrants and criminals prior to their arrival, and providing speedy access to trusted travellers. Although the 2004 Hague Programme stipulated that new centralized European databases should only be created on the basis of studies that show their added value,258 the Stockholm Programme and its successor, the Strategic 258  The Hague Programme, supra note 4, at point 2.1.

7 23

Jorrit J. Rijpma

237

Guidelines for the AFSJ, have not shown signs of restraint. Although there is an undeniable streamlining of the founding instruments of existing databases, a consistent and coherent policy on data and biometric data remains lacking. More specifically, serious concerns have been raised as regards the compatibility of these databases and more specifically the proposed EES with the fundamental rights to privacy and data protection. Although more detailed and specific rules are available to protect the rights of data subjects than was the case in the Data Retention Directive, the Court of Justice’s ruling on the legality of the Directive has nonetheless made it abundantly clear that the CJEU will not hesitate to enforce the rights contained in the Charter. The risk-​based approach to the management of migration and asylum and the diffusion of the border is also visible at the external border itself. The EUROSUR system has essentially transformed the border line into a border zone, subjecting it to constant surveillance by advanced technology. The EUROSUR Regulation forms a clear example of the (mis)placed faith in technology, in this particular instance not merely to fight irregular migration and crime, but also to save lives. A measure that is essentially presented as technical in reality does not resolve fundamental differences underlying the difficulty in a common approach towards the refugee crisis in the Mediterranean and gives a significant boost to the further integration of national border guards’ authority under an ever more influential European border agency. With the proposals for an EES and the renewed attention on a European PNR directive, one can only hope for a better informed political debate that assesses the costs of new technology not merely in terms of financial investment but also in terms of respect for the fundamental rights the EU has set out to uphold and protect. Ultimately, as technical feasibility constrains the use of modern technologies less and less, the law will have to provide the necessary framework to do so.259 The use of technology requires democratic scrutiny and judicial control because neither technologies nor the people who operate them should be considered flawless.

259 Broeders, supra note 29, at 44.

823

Table 7.1 Instruments establishing centralized EU databases for the management of migration and asylum Instrument

Founding Act

Purpose(s)

Structure

Data coverage

Access to data

Data protection

Data retention

Participating states

Reporting obligations

Schengen Information System II (SIS II)

Regulation (EC) 1987/​ 2006 and Council Decision 2007/​533/​ JHA

To ensure a high level of security in the area of freedom, security, and justice and facilitate the movement of persons using information communicated via this system.

Centralized: N. SIS II (national parts) connected by interface to CS-​SIS (central part). Supplementary information is exchanged between ‘SIRENE bureaux’, SIS II runs on the secure s-​T ESTA network.

Names and aliases, physical characteristics, place and date of birth, fingerprints, photographs, nationality, whether a person is armed or violent. Copy European Arrest Warrant SIS II alerts relate to several different groups of persons.

Police, border police, customs, and judicial authorities will have access to all data; immigration and consular authorities to the entry ban list and lost and stolen documents. Europol and Eurojust have limited access within their field of competence.

Specific rules in founding acts; Directive 95/​46/​ EC Regulation (EC) 45/​2001 Council Framework Decision 2008/​ 977/​JHA Regulation (EC) 45/​2011 CoE Convention 108 CoE Police Recommendation R (87) 15.

Personal data may be kept only for the time required to meet the purpose for which they were entered. Erasure after three years, unless extended by the Member State. Data on persons subject to exceptional monitoring on account of the threat they pose to public or national security must be deleted after one year.

Applicable in all MS and SACs. The UK and Ireland participate in SIS II with the exception of alerts on third ​country nationals on the entry ban list.

Three years after entry into operation and every four years thereafter report by the Commission to the EP and Council. Every two years a report by eu-​LISA to EP, Council on technical functioning incl. security. At least every four years report by the EDPS to the EP, Council, Management. Authority, Commission, and NSAs. Audit by NSA of N.SIS II at least every four years. Every two years a Joint report of the NSAs and EDPS to EP, Council, Commission, and Management Authority.

 293

EURODAC Regulation (EU) 603/​ 2013

To assist in determining which Member State should assess an asylum application.

Centralized, consisting of National Access Points connected through a Communication Infrastructure to the EURODAC Central System. Additional exchange of data takes place through the DubliNet system. EURODAC runs on the s-​T ESTA network.

Fingerprint data, sex, Member State of origin, place and date of apprehension, place and date of the application for asylum, reference number used by the Member State of origin, and the date on which the fingerprints were taken, transmitted, and entered in the system.

Member States must specify the list of authorities with access to the data, which typically includes asylum and migration authorities, border guards, and the police.

Specific rules in Founding Act; Directive 95/​46/​EC Regulation (EC) 45/​2001 Council Framework Decision 2008/​977/​JHA.

Ten years for Applicable asylum in all MS and seekers’ SACs fingerprints; 18 months for those of third country nationals apprehended in connection with the irregular crossing of an external border.

By 20 July 2018 and every four years, Commission report to the EP and Council. At least every three years report by EDPS to EP, Council, Commission, eu-​ LISA, and NSAs. Yearly audit by NSA. Every two years Joint report of the NSAs and EDPS to EP, Council, Commission, and Management Authority. Annual report by eu-​ LISA to EP, Council, Commission, and EDPS.

(Continued)

402

Table 7.1 Continued Instrument

Founding Act

Visa Regulation Information (EC) 767/​ System 2008 (VIS)

Purpose(s)

Structure

Data coverage

Access to data

Data protection

Data retention

To help implement a common visa policy and prevent threats to internal security.

Centralized, consisting of a central VIS connected to national interfaces. VIS runs on the s-​T ESTA network.

Alphanumeric data on the applicant (which includes: names, sex, date, place and country of birth, nationality, type and number of travel document, name and address of sponsor, employer/​school, fingerprints, photographs, related visa decisions, and links between related applications.

Visa, asylum, immigration, and border control authorities. LEAs designated by the Member States and Europol may consult VIS for the prevention, detection, and investigation of serious crime.

Specific rules in 5 years Founding Act. Directive 95/​46/​EC Regulation (EC) 45/​2001 Council Framework Decision 2008/​977/​JHA, CoE Convention 108 CoE Additional Protocol 181 CoE Police Recommendation R (87) 15.

Participating states

Reporting obligations

Applicable in all Member States (except the United Kingdom and Ireland) and SACs.

Three years after entry into operation and every three years thereafter. At least every four years report by EDPS to EP, Council, Commission, eu-​ LISA, and NSAs. Audit by NSA at least every four years. Every two years Joint report of the NSAs and EDPS to EP, Council, Commission, and Management Authority. Every two years report by eu-​LISA to EP, Council, Commission, and EDPS.

 214

Entry-​E xit System (EES)

Commission Proposal COM(2013) 95 final

Improve management of the external borders and the fight against irregular migration.

Centralized, consisting of a central unit connected to a national system of national interfaces (Network Entry Points).

Alphanumeric data: names, date and place of birth, sex, type and number of travel documents, data on the travel document and visa (date of expire, issuing states, etc.). Registered Traveller if applicable, date and time of the entry and/​ or exit, place of entry, and/​or exit, fingerprints.

Visa, asylum, immigration, and border control authorities, competent for border controls, checking migration status, issuing visa, RTP. Access for LEAs considered in evaluation (Art. 46(5)), Council in favour of immediate introduction (Council Doc. 13225/​14).

Specific rules in Founding Act; Directive 95/​46/​EC Regulation (EC) 45/​2001

Max. 181 days. Max. 91 days after the last exit record, if there is no entry record within 90 days following that last exit record. In absence of exit record, following the date of expiry of the authorized period of stay, the data shall be stored for a max. period of five years.

Applicable in all MS (except the UK and Ireland) and SACs.

Two years after entry into operation and every four years thereafter Commission report to the EP and Council. Every two years report by EDPS to EP, Council, Commission, eu-​LISA, and NSAs. Audit by NSA at least every four years. Every two years Joint report of the NSAs and EDPS to EP, Council, Commission, and Management Authority. Every two years report by eu-​LISA to EP, Council, Commission, and EDPS.

42

432

Index abortion ​44, 46, 70–​1, 72 Advanced Passenger Information (API) ​207 advanced therapy medicinal products (ATMPs) ​9, 10, 21, 27–​35, 78 marketing and product safety ​112, 116–​17 traceability ​117 see also xenotransplantation ageing population ​82 agricultural aid ​143 Amsterdam Treaty ​199–​200 animals  cells, tissues, and organs see xenotransplantation use in scientific research ​109–​10 Area of Freedom, Security and Justice (AFSJ) ​199, 200, 209, 216, 237 asylum policy ​4, 137, 197–​8 Common European Asylum System (CEAS) ​200 globalization and increased cross-​border mobility ​204–​5 role of technology ​200–​2, 236 bacteria ​55 barriers to trade ​83 bioethical stamp ​101 bioethics  abortion ​44, 46, 70–​1, 72 biovalue ​39 case law ​40 cloning ​49, 68 commodification and ​49–​51 definitions ​38 EU biomedical law ​40 Blood Directive ​59 Brüstle Decision ​62, 63–​8 competence and legal basis ​41–​5 direct incorporation of ethical principles ​60–​2 fundamental rights ​46–​7, 50 legitimacy ​45–​6 non-​market values ​47–​8 ontological normativity ​48–​9 Organs Directive ​62 Patents Directive see Patents Directive of 1998 pragmatic modes of reasoning ​49–​51 procedural vs. substantive norms ​52 Tissues Directive ​59 harmonization ​42–​3, 45 human dignity ​47, 49, 50, 66 human embryos ​45, 48, 61, 63–​8, 100 human tissues ​39, 43, 50

interaction between ECHR law and EU law ​68 avoidance of substantive issues ​68–​71 fundamental rights vs. fundamental economic freedoms ​71–​3 moral pluralism vs. core common norms ​59–​60 national and European levels of regulation ​39–​40, 45 patent law  Craig Venter’s express sequenced tags ​55– ​6 exclusion of patentability ​54, 58, 63, 66, 68 Harvard Oncomouse case ​55 Howard Florey Institute case ​56, 58 Myriad Genetics case ​56 US Supreme Court Chakrabarty ruling of 1980 ​55 see also Patents Directive of 1998 problems deriving legal norms from biology ​67 reproduction ​39, 44, 72–​3 tissue economy ​49, 51 totipotent vs. pluripotent cells ​67 xenotransplantation ​17, 21–​2, 27–​8, 32–​3 biomedical issues ​2 EU competence ​3 see also medical technologies biometric data ​198, 201–​3, 207, 211, 219–​220, 225 fingerprints ​143, 144, 145 biotechnological inventions ​3 Biotechnology Directive ​4–​5 biotechnology medicine ​78 blood donation ​59 blood products ​49–​50 border management ​4 diversification of the border ​205–​7 maritime borders see maritime borders surveillance ​203, 206–​7 see also asylum policy; migration management BORTEC ​229, 231 Brüstle Decision ​62–​8 BSE (bovine spongiform encephalopathy) ​23 CCTV systems ​186 cell-​based therapies ​9, 27 Charter of Fundamental Rights ​28, 32, 37, 60 data protection ​125, 138–​41, 166–​7, 172–​3 impact of the Lisbon Treaty ​141–​2, 149 relevant case law ​142–​6

42

244

Index

citizenship ​11 clinical safety ​103–​4 Clinical Trials Directive (CTD) ​104–​7 Clinical Trials Regulation (CTR) ​104–​8 cloning ​49, 68 cloud hosting ​174–​7, 195 Committee for Advanced Therapies (CAT) ​28–​30 Common European Asylum System (CEAS) ​200 competences ​3, 41–​5 consent  data protection ​150 xenotransplantation ​17, 22, 31 consumer behaviour monitoring ​124 consumer protection ​88 Convention on Human Rights and Biomedicine ​24 co-​production ​10–​12, 15, 35 Council of Europe  bioethics ​48 data protection ​125–​7, 129, 131, 139, 171 xenotransplantation ​21 see also European Convention on Human Rights Court of Justice of the European Union  data protection case law ​134–​6, 142–​6, 167, 169–​70, 172 Google Spain case ​193–​5 mediating between national regulation and common rules ​4–​5 Creutzfeldt-​Jakob disease ​23 data minimization ​150 data portability ​153, 185 data protection ​3 biometric data ​198, 201–​3, 207, 211, 219–​223, 225 Charter of Fundamental Rights ​125, 138–​41, 166–​7, 172–​3 Lisbon Treaty and ​141–​2, 149 relevant case law ​142–​6, 172 clinical trials ​108 consent ​150 Council of Europe ​125–​7, 129, 131, 139, 171 development of the concept ​123, 125–​31 European Data Protection Board ​161, 168–​70 European Data Protection Supervisor (EDPS) ​137 General Data Protection Regulation ​5 accountability and compliance ​167–​9 administrative burdens and innovation ​158–​60 continuity and innovation ​172 general scope ​151–​3 global privacy ​155–​6, 163–​6 independent supervision and consistency ​169–​71

internet providers’ liability ​174, 183–​6 interoperability ​165 one-​stop shops for citizens and business ​151, 160–​3 responsibility ​154 single set of applicable rules ​156–​8 supervision and enforcement ​154–​5 user control ​153 health data ​132 informational self determination ​130, 171 internal market and fundamental rights ​166–​7 internet ​134, 179–​81 General Data Protection Regulation ​174, 183–​6 Google Spain case ​193–​5 Lisbon Treaty, impact of ​141–​2 national laws ​157 obligations placed on controllers ​133 personal data ​124, 127–​8, 130, 132–​3, 143–​4 databases see databases privacy and ​124–​5, 127, 171, 172 global privacy ​155–​6, 163–​6 private and family life ​125–​6, 144, 171, 173 right to privacy ​125 Privacy Guidelines (OECD) ​130–​1, 165, 171 public sector ​152 right to be forgotten ​153, 174, 184, 186–​7, 195–​6 sanctions for violations of the right ​188–​9, 196 risk assessment ​4, 159–​60 sensitive data ​132 supervision authorities ​133 territorial scope ​133 transborder data flows ​156 Data Protection Authority (DPA) ​151, 160–​3, 169, 170 Data Protection Convention ​126–​30, 131–​2, 137, 139, 171–​2 Data Protection Directive ​124 e-​commerce immunities ​179–​81 harmonization ​131–​2 other data protection instruments ​136–​8 relevant case law ​134–​6 review of  main lines of the review ​148–​51 origin of the review ​146–​8 outcome ​171 right to be forgotten  effect of sanctions and of their anticipation ​191–​3 interests and motivations ​189–​91 scope and substance ​132–​4 Data Retention case ​216–​9 Data Retention Directive ​145–​6

524

Index databases ​211–​12, 236 data protection rules applicable to ​216–​19 Data Retention case ​222– ​6 Entry-​Exit System and the Registered Traveller Programme ​214–​16, 220–​2, 224–​5, 237 concerns in relation to the Entry-​Exit System ​226–​7 legality ​219–​26, 237 Passport case ​220–​2 SIS II, EURODAC, and VIS ​212–​15, 217, 220, 224–​5 depoliticized debates ​2 derogations ​85–​9, 114 Digital Agenda ​124, 158 Digital Millennium Copyright Act (US) ​179 drugs: internet sales ​88 e-​commerce ​3 E-​Commerce Directive ​177–​9, 180–​1, 183, 185 economic freedoms ​71–​3 embryo research ​45, 48, 61, 63–​8, 100 Entry-​E xit System (EES) ​202, 212–​18, 220–​7, 237 environmental protection ​89, 93 ethics see bioethics; value-​based choices EU law and new technology  bioethics see bioethics biomedicine ​2–​3 distinctive character ​1 depoliticized approach ​2–​3 dominance of procedural over substantive approach ​2–​3 risk-​based approach ​2 see also risk assessment; risk management health technologies see medical technologies; new health technologies market-​orientated norms ​119 medical technologies see medical technologies; new health technologies models  division between science/​neutral fact and policy/​value choices ​2, 5, 11–​13, 36 extended participatory/​peer review model ​2, 12 scientific neutrality and scientific uncertainty ​2, 13–​14 pace of innovation ​74 rationales for EU regulation ​3–​4 see also regulation risk-​based approach see risk assessment; risk management eu-​LISA ​5, 213, 225, 233 EURODAC ​212–​13, 215, 217, 220–​1, 224–​5 Eurojust ​137, 215 Europe 2020 ​81, 97–​8 European Convention on Human Rights ​24 interaction with EU biomedical law ​68 avoidance of substantive issues ​68–​71

245

fundamental rights vs. economic freedoms ​71–​3 procedural vs. substantive rights ​69 right to private and family life (Article 8) ​125–​6, 128–​9, 130, 135, 139, 143, 171, 173, 218–​19 European Data Protection Board ​161, 168–​71 European Data Protection Supervisor (EDPS) ​137, 147–​8 European Economic Area ​134 European Group on Ethics in Science and New Technologies (EGE) ​28n, 33n, 40, 45, 52–​3, 61–​2, 98, 115 European Information Exchange Model (EIXM) ​209 European integration ​76, 119 see also negative integration; positive integration European Maritime Safety Agency (EMSA) ​239 European Medicine Agency (EMA) ​103, 105, 109, 111, 116 European Patent Convention ​54n European Research Area ​81 Europol ​137, 219 EUROSUR ​5, 210, 227–​8, 236 control vs. rescue ​233–​5 National Coordination Centres (NCCs) ​229, 231–​2 operational preparation ​228–​30 reinforcing external borders and Frontex ​232–​3 EUROSUR Regulation ​231–​2, 237 expert patients ​31 express sequenced tags ​55 extended participatory model ​2, 12, 19 fair trial, right to ​69 family life, right to ​125–​6 fertility clinics ​50 fingerprints ​143–​5, 211, 223–​4, 27 fiscal barriers ​83 freedom of movement ​71–​3, 80, 83–​5 derogations and justifications ​85–​9, 114 proportionality ​24, 76, 89–​92, 96 Frontex ​5, 232, 234–​9 fundamental rights ​3, 46–​7, 50 data protection ​166–​7 internal market and ​166–​7 vs. fundamental economic freedoms ​71–​3 genetic research ​97 genetic sequences ​55–​8 genetic testing products ​87 genetically modified micro-​organisms (GMMOs) ​110–​11 genetically modified organisms see GM food; GMOs; GMOs Directive

462

246

Index

global privacy ​155–​6 globalization ​204–​5 GM food ​23 GMOs (genetically modified organisms) ​2, 20, 34, 36, 110–​11 Harvard Oncomouse case ​55 GMOs Directive ​26, 36 good clinical practice (GCP) ​102, 107 good laboratory practice (GLP) ​102–​4 Google Spain case ​193–​5 ‘green’ technologies ​74 Hague Programme ​198, 240 harmonization ​42–​3, 45, 77, 82, 99, 119 Data Protection Directive ​131–​2 necessity of minimum harmonization ​91–​6 health and safety ​114–​15, 120 see also public health health data ​132 health programme funding ​97–​9 health technologies see medical technologies; new health technologies HIV ​16, 18 Horizon 2020 ​96–​8, 101–​2, 109 hosting services ​174–​7, 195 human dignity ​47, 49, 50, 66, 100–​1 human embryos ​45, 48, 61, 63–​8, 100 human genetic sequences ​55, 57 human rights  economic freedoms vs. ​71–​3 xenotransplantation and ​24 see also European Convention on Human Rights; fundamental rights income data ​144 informational self-​determination ​130, 171 informed consent: xenotransplantation ​17, 22, 31 innovation: positive integration ​96–​9 Innovation Union ​82 intellectual property law  new health technologies (NHTs) ​99–​102 see also patent law intelligence sharing ​5 internal market ​3, 44, 47 data protection ​166–​7 definition ​80–​1 derogations and justifications ​85–​9, 114 free movement ​71–​3, 80, 83–​5 proportionality ​24, 76, 89–​91, 92, 96 fundamental rights and ​166–​7 harmonization ​42–​3, 45, 77, 82, 99, 119 necessity of minimum harmonization ​91–​6 mutual recognition ​85, 91, 95 negative integration ​76, 79, 83, 91–​2, 117, 119 positive integration ​76, 77, 79, 83, 117–​18 engaging with research processes ​102–​11

intellectual property law and fostering technoscientific development ​99–​102 marketing and product safety ​111–​17 stimulating and steering innovation through funding ​96–​9 problems ​83 risk management ​75–​6, 82–​3, 117 see also risk management Internal Security Strategy (ISS) ​209 internet: sales of non-​prescription drugs ​88 internet governance ​3 data protection ​134, 179–​81 General Data Protection Regulation ​174, 183–​6 Google Spain case ​193–​5 Digital Millennium Copyright Act (US) ​179 illegal data ​177–​8 knowledge of illegality and online censorship ​181–​3 neutral and non-​neutral information processing ​177, 184, 195 personal vs. anonymous information ​176–​7 private–​public divide ​175– ​6 providers’ immunities ​174 data protection exceptionalism ​179–​81, 195 e-​commerce immunities ​177–​9 illegal data ​177–​8, 181–​3 multiple interests and rights ​178 right to be forgotten ​174, 184, 186–​7, 195–​6 effect of sanctions and of their anticipation ​191–​3 sanctions for violations of the right ​188–​9, 196 right to withdraw content ​184–​6 self-​regulation ​179 user-​generated content ​177, 179, 184, 185 web and cloud hosting ​174–​7, 195 Wikipedia ​185, 188 Justice and Home Affairs (JHA) ​199, 228 knowledge triangle ​81 Legal Protection of Biotechnological Inventions Directive ​99–​101 Lisbon Strategy ​81 Lisbon Treaty  Area of Freedom, Security and Justice (AFSJ) ​199, 200, 209, 213, 237 data protection and ​141–​2 Maastricht Treaty ​14, 46, 199–​200 maritime borders ​229–​30 European Maritime Safety Agency (EMSA) ​235 Mare Nostrum ​234

274

Index Maritime Common Information Sharing Environment ​235 Mediterranean Coastal Patrols Network ​229 market-​oriented norms ​119 marketing: product safety ​111–​17 measures having equivalent effect to quantitative restrictions (MEQRs) ​84 medical devices ​78, 112–​14 plastics used in ​87, 90, 114 Medical Devices Directive ​113 medical technologies  EU competence ​3 regulatory evolution ​9 xenotransplantation see xenotransplantation see also new health technologies medicinal products ​111–​12, 115–​16 migration management ​2–​3, 4–​5, 197 Advanced Passenger Information (API) ​207 biometric data ​198, 201–​3, 207, 211, 219–​20, 225 border surveillance ​203, 206–​7 BORTEC ​229, 231 centralized EU databases ​211–​12, 236 additional concerns in relation to the Entry-​Exit System ​226–​7 data protection rules applicable to ​216–​19 Data Retention case ​222–​26 Entry-​Exit System and the Registered Traveller Programme ​214–​16, 220–​2, 225 legality ​219–​26, 237 Passport case ​220–​2 SIS II, EURODAC, and VIS ​212–​14, 215, 217, 220, 224–​5 consequences of technology beyond value-​neutrality ​198, 203 diversification of the border ​205–​7 EU competences ​197–​8 Area of Freedom, Security and Justice (AFSJ) ​199–​200, 209, 213, 237 differentiated integration ​199–​200 Justice and Home Affairs (JHA) ​199, 228 EUROSUR ​5, 210, 227–​8, 236 control vs. rescue ​233–​5 National Coordination Centres (NCCs) ​ 229, 231–​2 operational preparation ​228–​30 reinforcing external borders and Frontex ​232–​3 EUROSUR Regulation ​231–​2, 237 Frontex ​5, 228, 230–​5 globalization and increased cross-​border mobility ​204–​5 Hague Programme ​198, 236 maritime borders ​229–​30 European Maritime Safety Agency (EMSA) ​239 European Patrol Network ​234

247

Mare Nostrum ​238 Maritime Common Information Sharing Environment ​235 Mediterranean Coastal Patrols Network ​229 migration technology ​202–​4 see also biometric data nation state ​197 Passenger Name Records (PNR) ​209–​10, 237 Registered Traveller Programme (RTP) ​204, 214–​16 role of technology ​200–​2, 236 Schengen area ​199–​201, 204, 206, 213–​14, 221, 233, 236 securitization of migration ​205, 207–​10, 237 security technologies ​209 see also biometric data Stockholm Agenda ​201, 236 tourism ​204 migration technology ​202–​4 see also biometric data monitoring consumer behaviour ​124 mutual recognition ​85, 91, 95 nanomedicine ​79 nanotechnology ​97 national measures ​84, 86 data protection ​157 negative integration ​76, 79, 83, 91–​2, 117, 119 new health technologies (NHTs) ​75, 77 categories ​78–​9 negative integration ​76, 79, 83, 91–​2 , 117, 119 positive integration ​76–​7, 117–​18 engaging with research processes ​102–​11 intellectual property law and fostering technoscientific development ​ 99–​102 marketing and product safety ​111–​17 stimulating and steering innovation through funding ​96–​7 public health protection  derogations and justifications ​87– ​8, 114, 116 proportionality ​89–​92, 96 risk management  centralization ​75, 96 intellectual property rights ​99–​102 see also medical technologies New Modes of Governance (NMG) ​62 new technologies  EU law and see EU law and new technologies rationales for EU regulation ​3–​4 non-​fiscal barriers ​83 normative learning process ​12 Nuffield Council on Bioethics ​21

428

248

Index

online censorship ​181–​3, 188 Open Method of Coordination ​62 ordre public ​54, 58, 66, 100 organ transplantation ​45 see also xenotransplantation organized crime ​209–​10, 223, 233 Organs Directive ​62 orphan medicinal products ​108–​9, 112 paediatric clinical research ​108–​9 Passenger Name Record (PNR) ​209–​10, 237 passports ​143–​5, 197–​8, 203, 207, 220 patent law  Craig Venter’s express sequenced tags ​55–​6 exclusions of patentability ​54, 58, 63, 66, 68 Harvard Oncomouse case ​55 Howard Florey Institute case ​56, 58 Myriad Genetics case ​56 new health technologies (NHTs) ​99–​102 US Supreme Court Chakrabarty ruling of 1980 ​55 Patents Directive of 1998 ​53 contentious negotiations over adoption process ​53–​4, 56–​9, 61 substantively minimal content ​58–​60 patient safety ​113 Patients’ Rights Directive ​78 peer review model ​2, 12 personal data ​124, 127–​8, 130, 132–​3, 143–​4 databases see databases pharmaceuticals ​111 clinical testing ​3 pharmacovigilance ​116–​17 plastics: in medical devices ​87, 90, 114 pluripotent cells ​67 policy  value choices ​2, 36 non-​market values ​4, 47–​8 science and regulation ​11–​12, 36 see also value-​based choices positive integration ​76–​7, 79, 83, 117–​18 engaging with research processes ​102–​11 intellectual property law and fostering technological development ​99–​102 marketing and product safety ​111–​17 stimulating and steering innovation through funding ​96–​7 precautionary principle ​12–​15, 20–​1, 23, 25, 91 privacy  bioethics and ​50 clinical trials ​108 data protection and ​124–​5, 127, 171–​2 global privacy ​155–​6, 163–​6 private and family life ​125–​6, 144, 171, 173, 218–​19 right to privacy ​125 internet see internet governance Privacy by Design ​150, 159 Privacy Guidelines (OECD) ​130–​1, 165, 171

procedural emphasis ​2, 3 Product Liability Directive ​117 product safety ​3, 75, 118, 120 certification ​113 Clinical Trials Regulation (CTR) ​108 GMOs ​110 intellectual property rights ​99–​102 marketing and ​111–​17 positive integration ​96–​9 proportionality ​24, 76, 89–​92, 96, 223 public confidence ​12 public consultations ​33–​4, 36 public health  crises ​15, 23 EU biomedical law ​44 free movement provisions  derogations and justifications ​87–​8, 114, 116 proportionality ​89–​91, 92, 96 xenotransplantation and ​18, 22 public interest ​88–​9, 186 public morality ​33, 66, 86, 100, 112 see also ordre public public participation ​15, 37 public policy ​88, 112 public security ​86–​7 quantitative restrictions (QR) ​84 REACH legislation ​79 ‘red’ technologies ​74 regulation  definition ​76n science and ​1 co-​production ​10, 11–​12, 15, 35 existing models ​10 extended participatory/​peer-​reviewed model ​2, 12, 19 normative learning process ​12 precautionary model ​12–​15, 20–​1, 23, 25, 91 science-​based model ​12, 13, 19, 36 speaking truth to power ​13 uncertainty ​2, 13–​14 xenotransplantation see xenotransplantation reproductive medicine ​39, 44, 72–​3 research and innovation ​5 European Research Area ​81, 109 funding ​97–​9 new health technologies ​102–​11 positive integration ​102–​11 Responsible Research and Innovation (RRI) ​32 right to be forgotten ​153, 174, 184, 186–​7, 195–​6 effect of sanctions and of their anticipation ​191–​3 interests and motivations ​189–​91

294

Index sanctions for violations of the right ​188–​9, 196 risk assessment ​1, 2 data protection ​4, 159–​60 precautionary model ​12–​15 product safety risk ​3 security risks ​4 surveillance and intelligence sharing ​5 xenotransplantation ​16–​18, 22, 28, 34–​5 risk management  centralization ​75, 96 disparate national attempts ​83 generating a risk profile for new technologies ​82–​3, 89 migration management ​205, 207–​10, 237 product safety ​3, 75, 118, 120 certification ​113 Clinical Trials Regulation (CTR) ​108 GMOs ​110 intellectual property rights ​99–​102 marketing and ​111–​17 new health technologies (NHTs) ​79–​80 positive integration ​96–​9 risk society ​118 safety standards ​43 Schengen area ​199–​201, 204, 206, 213–​14, 221, 233, 236 science  citizenship and ​11 neutrality  objectivity questioned ​67 policy/​value choices and ​2, 5, 11–​13, 198, 203 see also value-​based choices uncertainty and ​2, 13–​14 pure vs. applied ​11 regulation and ​1 co-​production ​10–​12, 15, 35 existing models ​10 extended participatory/​ peer-​reviewed model ​2, 12, 19 normative learning process ​12 precautionary model ​12–​15, 20–​1 science-​based model ​12–​13, 19, 36 speaking truth to power ​13 uncertainty ​2, 13–​14 xenotransplantation see xenotransplantation sociology of ​67 Science and Technology Studies (STS) ​36, 67 sector-​specific policies ​47 securitization of migration ​205, 207–​10, 237 security risks ​4 surveillance and intelligence sharing ​5 security technologies ​209 selling arrangements ​84 sensitive data ​132 SIS II ​212–​13, 215, 217, 220, 224–​5

249

social networks ​174–​5 sociology of science ​67 soft law ​52, 59, 77, 103, 116 sovereign choice ​45 stem cells ​50, 61, 63–​4, 101n Stockholm Agenda ​201, 236 subsidiarity ​27, 92 substantive policy ​2–​3 surrogate motherhood ​50 surveillance ​5, 203, 206–​7 EUROSUR see EUROSUR technocratic processes ​2–​3 technoscientific imaginary ​36 terrorism ​4, 209–​10, 219, 227–​8 tissue economy ​49, 51 tissue-​engineering ​9, 27 Tissues Directive ​59 totipotent cells ​67 transborder data flows ​156 transgenic animals ​111 uncertainty ​2, 13–​14 US National Security Agency ​124 US-​Visit programme ​226 value-​based choices ​2, 36 non-​market values ​4, 47–​8 science and regulation ​11–​12, 36 Visa Information System (VIS) ​212–​15, 217–​18, 220, 222–​5 visas ​207– ​8, 221 vitamins ​90–​1 web hosting ​174–​7, 195 Wikipedia ​185, 188 World Health Organization (WHO): xenotransplantation ​19–​20 xenotransplantation  advanced therapy medicinal products (ATMPs) ​9–​10, 21, 27–​35 as pharmaceutical product ​27 Australia ​18–​20 Canada ​18–​20 ethics and ​17, 21–​2, 27–​8, 32–​3 European Regulatory Framework ​20–​1 ATMPs ​27–​35 Council of Europe ​21–​5 EC/​EU ​25–​7 regulatory normalization ​27–​35 single regulatory framework for human and non-​human cells and tissues ​29–​30 expert patients ​31 HIV risk ​16, 18 human rights and ​24 informed consent and ​17, 22, 31 Netherlands ​26 New Zealand ​18–​19

520

250 xenotransplantation (cont.): pigs ​15–​16 precautionary principle ​21, 23, 25 primates ​16 public consultations ​33–​4, 36 regulatory history ​9–​10, 18–​20 safety concerns ​16–​17, 28, 34–​5

Index scientific and clinical interest in ​16 Switzerland ​25 traceability ​30 transgenic animals ​111 UK ​25 US ​17–​22, 29 WHO ​19–​20