Showing posts with label CJEU. Show all posts
Showing posts with label CJEU. Show all posts

Tuesday, February 16, 2021

Courts extend European accountability laws to private actors: Italian soccer federation, Irish wind farm

Two recent court decisions in Europe construed European directives on public accountability to reach ostensibly private actors, the Italian soccer federation and an Irish wind-power producer.

Stocksnap by Michal Jarmoluk CC0
The problem of accountability for private actors performing public functions is as old as the corporate form.  Burgeoning corporatocracy in the electronic era has rendered new challenges to the classical public-private dichotomy, in recent years, especially, in the area of social media regulation (e.g., pro and con).  I have written about rethinking this problem in the context of access to information, regarding reform in both the United States and Europe, and I continue to research emerging models in the developing world.  As a general matter, Europe has been much less reticent than the United States to breach the public-private line with accountability mechanisms such as transparency laws.

In early February, the Court of Justice of the European Union (CJEU) in Luxembourg ruled that the Italian Football Federation, or Federazione Italiana Giuoco Calcio (FIGC), an ostensibly private entity, is sometimes a public body for purposes of the 2014 European directive on public procurement.  The directive defines public bodies within its purview:

(a) they are established for the specific purpose of meeting needs in the general interest, not having an industrial or commercial character;

(b) they have legal personality; and

(c) they are financed, for the most part, by the State, regional or local authorities, or by other bodies governed by public law; or are subject to management supervision by those authorities or bodies; or have an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities, or by other bodies governed by public law.

The definition is not unlike formulations in state freedom of information acts in the United States, which tend to press harder against the public-private line than the federal Freedom of Information Act (FOIA) does.  A classic example of disparate approaches in the states concerns access to the wealthy private foundations that lurk behind public universities.  My colleague Professor Robert Steinbuch has been bearing the transparency standard on this front in Arkansas and is supporting a bill there now.

At issue in the Italian case was a contract for porter services when foreign squads visit Italy.  A disappointed contractor challenged the process and won a round in Italy's high administrative court, and the appellate Council of State in Italy referred the interpretation question to the CJEU.  Both in the United States and globally, governing bodies in sport, often set up as private or quasi-public entities, have posed aggravating challenges in public accountability like the university-foundation problem.  Inapplicability of the FOIA to the US Olympic Committee has been cited as a contributing factor in sexual-assault cover-ups, and last summer, I took in no fewer than three books and a TV series on the intractable corruption in world soccer.

The CJEU opinion determined that the FIGC, constituted under private law, can act as a private body when it has autonomy to form private contracts.  However, the Italian National Olympic Committee (NOC) is a public body and has supervisory power, sometimes with a controlling stake, over some FIGC functions.  Insofar as the NOC is calling the shots on contracts, the FIGC is a public body, subject to public procurement rules.  The CJEU opinion now goes back to the Italian courts to parse the specifics. 

Cronelea Wind Farm in County Wicklow, 2008
Meanwhile, in late January, the High Court of Ireland ruled that electric company Raheenleagh Power DAC (RP) is a "public authority" for purposes of the Irish enactment of the European directive on public access to environmental information.  The law and directive define public authorities:

(a) government or other public administration, including public advisory bodies, at national, regional or local level;

(b) any natural or legal person performing public administrative functions under national law, including specific duties, activities or services in relation to the environment; and

(c) any natural or legal person having public responsibilities or functions, or providing public services, relating to the environment under the control of a body or person falling within (a) or (b).

Reversing the Irish Commissioner for Environmental Information, the High Court determined that RP came within the definition's latter terms.  The court explained, "RP is a joint-venture company which operates a wind farm in a forest in the Wicklow Mountains. The wind farm supplies electricity to the national grid."  Complicating the analysis, the RP venture includes a one-half stake by the national-monopoly Electricity Supply Board (ESB), which the court described as "an independent semi-State company."

Like in the Italian case, the court reasoned that ESB control and management of RP brought it within the purview of public accountability law.  The ruling is important for the example it sets amid the wide range of public-private hybrids providing critical utility and infrastructure across Europe and the world.

Even so, I would like to have seen the court hang its hat more firmly on the functional analysis of the cited paragraph (b), rather than resorting to the paradigm of state control.  The urgent communal interests at stake in environmental protection have been a salient inducement to the extension of transparency law in Europe and Africa.  Western social democracies have been keen to ameliorate the effects of climate change, and many African regimes have awakened to lasting environmental damage inflicted by colonial enterprises.

The Italian case is FIGC v. De Vellis Servizi Globali Srl, nos. C‑155/19 and C‑156/19, ECLI:EU:C:2021:88 (CJEU Feb. 3, 2021).  Cain Burdeau has coverage for Courthouse NewsSven Demeulemeester, William Timmermans, and Matthias Ballieu have commentary for Altius in Belgium.

The Irish case is Right to Know CLG v. Commissioner for Environmental Information, [2021] IEHC 46 (High Ct. Jan. 25, 2021) (Ireland).  Mr. Justice Alexander Owens delivered the judgment.  Right to Know is a transparency advocacy organization headed by activist, blogger, and entrepreneur Gavin Sheridan and former and working journalists.  Jonathan Moore and Patrick Reilly have commentary for Field Fisher in Dublin.

Monday, October 5, 2020

U.S. White Paper on 'Schrems II': Emperor still clothed

A new U.S. white paper on data protection means favorably to supplement the record on U.S. surveillance practices that, in part, fueled the European Court of Justice (ECJ) decision in "Schrems II," in July, rejecting the adequacy of the Privacy Shield Framework to secure EU-to-US data transfers.

From the U.S. Department of Commerce, Department of Justice, and Office of the Director of National Intelligence, the white paper suggests that the ECJ ruling was interim in nature, pending investigation of U.S. national security practices to better understand whether they comport with EU General Data Protection Regulation norms, such as data minimization, which means collecting only data necessary to the legitimate purpose at hand.  The paper states:

A wide range of information about privacy protections in current U.S. law and practice relating to government access to data for national security purposes is publicly available.  The United States government has prepared this White Paper to provide a detailed discussion of that information, focusing in particular on the issues that appear to have concerned the ECJ in Schrems II, for consideration by companies transferring personal data from the EU to the United States. The White Paper provides an up-to-date and contextualized discussion of this complex area of U.S. law and practice, as well as citations to source documents providing additional relevant information. It also provides some initial observations concerning the relevance of this area of U.S. law and practice that may bear on many companies’ analyses. The White Paper is not intended to provide companies guidance about EU law or what positions to take before European courts or regulators. 

Armed with this additional information, then, the message to the private sector seems to be, Keep Calm and Carry On, using the very same "standard contractual clauses" (SCCs) that the ECJ invalidated.  Yet if the information featured in the white paper has been publicly available, why assume that the ECJ was ill informed?  (Read more about SCC revisions under way, and their likely shortcomings, at IAPP.)

Unfortunately for the U.S. position, the ECJ opinion was not, to my reading, in any way temporary, or malleable, pending further development of the record.  The white paper comes off as another installment in the now quarter-century-old U.S. policy that the emperor is fully clothed.

I hope this white paper is only a stop-gap.  As I said in a Boston Bar CLE recently, no privacy bill now pending in Congress will bridge the divide between the continents on the subject of U.S. security surveillance.  A political negotiation, which might involve some give from the American side at least in transparency, seems now to be our only way forward.

The white paper is Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (Sept. 2020).

Saturday, September 28, 2019

EU court rules for Google, narrows French 'right to be forgotten' order to Europe

In the latest battle of the feud between Google and the French data protection authority (CNIL), the Court of Justice of the European Union ruled that the CNIL's "right to be forgotten" order should be limited to internet users in Europe.  However, the court did not rule out the possibility of a worldwide order if the facts warrant.

The court wrote:

[T]he right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality....  Furthermore, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world. 

While the EU legislature has, in Article 17(3)(a) of Regulation 2016/679 [GDPR], struck a balance between that right and that freedom so far as the Union is concerned ... it must be found that, by contrast, it has not, to date, struck such a balance as regards the scope of a de-referencing outside the Union.

"Proportionality" is a core principle of EU human rights law when regulation collides with individual rights, or, as here, state power is implicated to favor one individual's rights over those of others.  The same principle also constrains supra-national authority over member states.

The case arose from a CNIL fine of Google.  The French authority had ordered Google to de-list search results to protect certain individuals' privacy under the "right to be forgotten," or "right to erasure," when those individuals were searched by name.  "De-listing" or "de-referencing" search results is the front line of right-to-erasure court challenges today, though the specter of erasure orders that reach content providers directly looms on the horizon.

Google complied with the CNIL order only for European domains, such as "google.fr" for France, and not across Google domains worldwide.  Google employs geo-blocking to prevent European users from subverting de-listing simply by searching at "google.com" (United States) or "google.com.br" (Brazil).  Determined users still can beat geo-blocking with sly technocraft, so CNIL was dissatisfied with the efficacy of Google's solution.  Undoubtedly, a dispute will arise yet in which the CNIL or another European data protection authority tests its might with a more persuasive case for global de-listing.

The case is Google, LLC v. Commission Nationale de L’informatique et des Libert├ęs (CNIL), No. C-507/17 (E.C.J.), Sept. 24, 2019.  Several free speech and digital rights NGOs intervened on behalf of Google, including Article 19, the Internet Freedom Foundation, the Reporters Committee for Freedom of the Press, and the Wikimedia Foundation, as well as Microsoft Corp.  The case arose initially under the 1995 EU Data Protection Directive, but carries over to the new regime of the General Data Protection Regulation (GDPR).