The EU General Data Protection Regulation (GDPR) entered into force on 25 May, two weeks after Europe Day. Quite a lot has been said about the objectives for it, its requirements, and the steps of preparation both on a practical and on a jurisprudential level.*1 In brief, one can state that the GDPR is generally good and necessary: it will vigorously protect the fundamental rights of self-determination and identity of European people.*2
In all of this data-protection bustle, one rather fundamental issue has gone unnoticed, though: the General Data Protection Regulation violates EU treaties! In other words, in essence it runs counter to the ‘constitutional organisation’ of the EU, formed in line with the establishing treaties. How so? The conflict arises from the interaction of two elements. Firstly, the GDPR is, at base, a ‘European law’. Secondly, European laws are banned by European treaties.
I will begin with the second of these elements. If we are to understand this, we need to go back in time about 15 years.
In February 2002, at the instigation of France, the Convention on the Future of Europe became enforceable, with the aim of developing the constitutional agreement or constitution for the EU. By June 2003, the draft constitution was ready, and in October of the following year it was sent to the EU member states for ratification. Whether regrettably or not, the most ambitious plan to reform the European Union crashed at the hurdle of the very first referenda: on 29 May 2005, 55% of those voting in France cast their vote against the project, and two days later, on 1 June, 61.6% of voters in the Netherlands did the same. Although earlier ‘repeat referenda’ in Denmark and Ireland had proved able to save the treaties of Maastricht and Nice and while some countries, Germany and Austria among them, did attempt to continue the process of creating the EU constitution, the opposition scared the leaders enough for the plan to be dropped.
The draft treaty establishing a constitution for Europe*3 envisaged an important innovation – two legal instruments directly applicable in the Member States and superior to them: the European law and European framework law (see CONV 850/03, articles 10, 32, and 33). The legislators of the Member States would have had no say about European laws once these had been adopted by the European Parliament and Council; however, the institution of European framework laws was designed to allow some issues to be delegated to parliaments. Furthermore, now the directives would have been renamed regulations and the current regulations would have been abolished as unnecessary next to European laws.
But there would be no European laws – they were rejected by the draft. If one were to be asked what was federalist in the draft European constitution, among other things the list would undoubtedly feature these very European laws and framework laws.*4
Some words about the current legislative organisation of the EU are necessary at this juncture. The EU ‘constitution’ is made up of two so-called foundational treaties: the Treaty on the European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU).*5 Pursuant to the treaties, the legislative acts of the EU consist of the directives, regulations, and decisions of the European Parliament and the Council (under the TFEU’s Article 288, among other terms). It should be mentioned that acts going by the same name may be adopted by the Parliament or the Council alone as well as by other EU institutions, but without a legislative procedure they are not ‘legislative’.*6
Thus far, legislative directives have been the main shapers of European law.*7 The specific character of a directive as compared to national law is that it is not directly applicable. The EU directives are compulsory for EU member states’ legislators; that is, a similar regulation (it cannot be identical to the directive) needs to be enforced in national law so as to harmonise law and the legal system across Europe. This process is called the implementation of the directive. A directive never enters into force directly: in a Member State, the act to which the rules of the directive are transposed remains the superior and directly applicable law. However, the directive retains its nature as a compulsory source of interpretation of lawin cases wherein national laws address the scope of the directive in an incomprehensible, incomplete, or incorrect manner.*8 Directives are intended to harmonise EU law, where the objective for the harmonisation of EU law is to be noble, beneficial, and acceptable, at least as long as conformance with the commonalities and values of Europe as occidental culture and morality is maintained.*9
Regulations are mandatory and directly applicable in all EU member states. In this sense, they are similar to laws. That said, the EU’s mandate to impose European law directly through regulations is significantly more limited relative to the scope for national laws. The constitutions of Member States do not normally dictate which themes or sectors should be regulated by laws and which should not: the right and freedom of the state to legislate is the main attribute of sovereignty under democratic rule of law (restrictions rooted in such important values as human rights are not sector-specific, for the most part). However, in terms of the themes and sectors addressed, the treaties of the EU do stipulate the procedures and legislative acts that should be used to regulate such areas. Legislative regulations may or must be used to regulate around 20–30 themes and sectors. These include, for example, competition rules and other general principles for the economy, the principles for services of general economic interest, principles and restrictions governing publication of or access to EU documents, procedures and conditions for submitting citizens’ initiatives, rules governing the financing of pan-European political parties, and frameworks for the implementation of such elements as common commercial policy. Regulations must be applied also to organise administrative co-operation between EU institutions (e.g., Europol and the Court of Justice) and EU member states. Some regulations address very narrow and sector-specific issues (such as the distribution of mobile-communication frequency bands or food safety); others deal with more general procedures for cross-border operations and enforcement issues (e.g., Regulation (EC) No 44/2001, ‘on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters’, and Regulation (EC) No 593/2008, ‘on the law applicable to contractual obligations (Rome I)’).*10 Although several EU regulations have effects on numerous persons, both legal and natural, none has ever affected, in principle, all European citizens, residents, and legal entities – a feature in common with national laws in relation to their subjects. Regulations that are in such restricted use do not infringe the fundamental rights and freedoms of EU citizens and residents or impinge on their legitimate interests. On the contrary, the regulations usually force professional actors to act in a way that protects people’s fundamental rights and freedoms. Likewise, EU regulations in the past have not infringed or violated the sovereignty of Member States, be it ‘shared with the Union’ or ‘kept to themselves’.
The above-mentioned thematic and sector-linked precept is, in principle, restrictive and exhaustive, since the structure of the EU (its ‘constitution’) is based on several inter-linked fundamental principles. According to these, the EU shall not impose obligations or restrictions on the Member States and their subjects beyond the frameworks of the treaties. Some of these fundamental principles are that:
a) competencies are conferred on the Union by the treaties (TEU Article 5(1–2));
b) all competencies that are not conferred on the Union by the treaties remain with the Member States (TEU Article 4(1) and Article 5(2)), a principle that, for purposes of legal certainty, has been articulated twice in the treaty language; and
c) the above-mentioned principles are complemented by the principles of subsidiarity (see TEU Article 5 (1) and (3) and proportionality (viz., eligibility, restraint, and necessity of the relevant measure) (see TEU Article 5 (1) and (4)).
Hence, the first constituent element of conflict between the GDPR and EU treaties that I have posited has been substantiated: European laws are not permitted, since they were rejected in 2005 and the current treaties do not foresee any law-like European legislation.
Now, let us investigate why the GDPR is by nature a (European) law. To this end, let us look at to whom the GDPR is addressed, what the spatial scope of its applicability is, and what impacts (legal consequences especially) it has.
Firstly, the GDPR potentially concerns all residents of Europe, albeit by adding to the rights of individuals and protecting their freedoms. This is good, and any future general regulations of the EU should be allowed only if they follow the same path. Secondly, the GDPR addresses virtually all legal entities and undertakings acting, physically or through a network, in the European judicial area. This includes those having established that they could opt out of the processing of personal data or that other grounds exist for them not needing to fulfil the additional obligations imposed by the general regulation. They can comply with the GDPR by opting out of the processing of personal data. Data processors whose operations are going to necessitate seeking of individuals’ consent to process their personal data will thereby incur significant and legal and technical costs. Thirdly, the GDPR addresses the Member States: among other requirements, there is a demand that they interface their data-protection supervisory authorities for integration into a mechanism of single points of contact. Furthermore, the GDPR is addressed to the Union itself: the European Data Protection Board and the office of a European Data Protection Supervisor are to be set up, and additional obligations are imposed on the European Commission and the European Court of Justice.
The GDPR has cross-border applicability and covers the whole Union. Furthermore, its reach extends to service providers outside the EU: if their service targets EU data subjects, they too need to fulfil all the obligations prescribed by the GDPR, with the EU committing to observe their online behaviour.
The GDPR’s impacts on subjects on whom it imposes obligations are substantial. First of all, their fulfilment entails significant financial costs or making other investments – both in the preparatory stages and in the form of ongoing costs. Such investment is not inappropriate per se, but the Union’s competence to impose costs of this nature is debatable. Also, the legal consequences of infringements are significant: taking the form of progressive fines of up to 10 or even 20 million euros or, in the case of an undertaking, 2% or 4% of the total worldwide annual turnover (under Article 83 of the GDPR). The GDPR thereby prescribes liability that is significantly higher than, for instance, the criminal liability of a legal entity for any act under the Estonian Penal Code.
Thus, the scope, depth, and impacts of the GDPR exceed all the limits that the treaties permit regulations to have. On top of this, the treaties do not even know the term ‘general regulation’. Although the designation ‘General Data Protection Regulation’ is ‘hidden’ in brackets in the headings, it is precisely this term that, perhaps intentionally, has entered general use.
Accordingly, the General Data Protection Regulation possesses the characteristics of a ‘European law’ (insofar as the resolution of some issues has been delegated to the legislators of the EU member states, the GDPR fulfils the criteria for being a ‘European framework law’ too, but this does not make a difference). It may be worth noting that this has been acknowledged at least at some levels: former member of the European Parliament Marju Lauristin explicitly stated at a webinar that the GDPR is ‘like a (general) law’.*11 Another interesting fact worth noting is that the draft EU constitution stated that future rules for data protection need to be imposed by means of a European law*12 (CONV 850/03, Article 50(2)) – this provision is almost identical to Article 16 of the TFEU, on which the GDPR is explicitly based (see the first sentence of the preamble). Consequently, the general regulation is ‘seamlessly’ positioned in a place reserved by the draft EU constitution for the ‘European law on data protection’.
So what? The issue here is this: how deep an EU-level political integration and relinquishment of the sovereignty of the Member States do the European nations that have joined the Union actually want? For instance, most analyses of the causes of Brexit cite loss of sovereignty of a Member State as one of the factors contributing to the decision. It does not matter whether this loss is perceived rather than real.*13
The contradiction between the GDPR and the treaties can be illustrated via the following thought experiment. Sooner or later, Estonia probably will begin writing its ‘e-state’ (e‑riik) into the Constitution. Let us imagine that, with respect to the e-state, the Estonian legislator would like to stipulate principles for the protection of personal data in the Constitution, while experience of the Estonian e-state indicates that some of the regulations established by the GDPR should be reconsidered or changed. Does the Estonian Parliament have the right to provide for the protection of personal data in the Estonian Constitution otherwise as provided by the GDPR? By the GDPR’s “logic” it does not. According to the “logic of the treaties, however, it does. In consequence, the two “logics” – the dogmatic of the GDPR and the treaties – are at odds. Which was to be proved.
This is even more germane because the GDPR is not the end of the matter. There is another EU regulation on the horizon – the so-called ePrivacy Regulation*14 – which will replace an earlier (outdated) directive. If the trend of replacing directives with directly applicable regulations were to continue, such legislation would be ‘stealthily federal’.
The foregoing discussion points to two parallel tendencies that can be observed in the European legislation: regulations replacing directives and such regulations expanding into laws. In this process, the Member States are relinquishing their sovereignty to a greater extent than agreed upon in the treaties. Is that good or bad? Is this a way to better integrate Europe or a hidden path to federalising it? I leave it to everyone to form his or her own opinion. One thing is certain, though: the legislative process of the Union needs to be transparent and based on European treaties.
One solution would be to introduce the term ‘general regulation’ in the treaties. Doing so would make their use – in addition to the specification of possible sectors and themes – subject to the condition that general regulations are to be established solely for the protection of the fundamental rights and freedoms of people (individuals) and of their security. Via an additional condition, it should be made clear that such fundamental rights and freedoms must not be restricted, either directly or indirectly, under the pretext of protective measures of any sort – for instance, in the fight against terrorism. Restricting people’s fundamental rights and freedoms should remain exclusively within the purview of the EU member states.
The GDPR is with us to stay. In principle, two ways of avoiding violation of the treaties existed. One of them was to establish data-protection rules in the form of a directive. True, this would have meant time-consuming and probably arduous implementation of the directive in the laws of the Member States, but it would have been the right way. The second appropriate option would have been to amend the treaties beforehand. With this multiplication of the time, effort, and political will needed, a GDPR-like result would have likely been virtually impossible. However, amendment of the treaties cannot be avoided anymore, because noble objectives cannot justify infringements of the ‘European constitution’ and the constitutions of the Member States. And we all know where roads paved with good intentions lead.