Article 11 ePrivacy Regulation - Restrictions
Article 11 ePrivacy Regulation
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1) (c) to (e), (i) and (j) of Regulation (EU) 2016/679 or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.
1a. Article 23 (2) of Regulation (EU) 2016/679 shall apply to any legislative measures referred to in paragraph 1.
2. Providers of electronic communications services shall establish internal procedures for responding to requests for access to end-users’ electronic communications data based on a legislative measure adopted pursuant to paragraph 1. They shall provide the competent supervisory authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response.
Corresponding Recitals
(26) When the processing of electronic communications data by providers of electronic communications services falls within its scope, this Regulation should provide for the possibility for the Union or Member States under specific conditions to restrict by law certain obligations and rights, including by way of derogations, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific public interests, including public security and the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests. Therefore, this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications, including by requiring providers to enable and assist competent authorities in carrying out lawful interceptions, or take other measures, such as legislative measures providing for the retention of data for a limited period of time, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights. Providers of electronic communications services should provide for appropriate procedures to facilitate legitimate requests of competent authorities, where relevant also taking into account the role of the representative designated pursuant to Article 3(3).
I. Competence to restrict rights and obligations pursuant to Arts. 5 – 8 ePrivacy Regulation, Art. 11 Sec. 1
Art. 11 ePrivacy Regulation concludes Chapter II regarding the protection of end-users´ electronic communications and the protection of the integrity of terminal equipment. It provides for the competence of Member States to restrict the rights and obligations under Arts. 5 to 8 ePrivacy Regulation by way of legislative measures. Pointing towards the fundamental rights determination of such restriction, appropriate and proportionate measures, in the legislator´s notion, need to fulfil one or more public purposes referred to in Art. 23 Sec. 1 lits. c to e, i and j GDPR. Additionally, Art. 11 ePrivacy Regulation enlists further purposes, as the monitoring, inspection or regulatory function connected to the exercise of official authority.[1]
This provision reflects the European Union law´s general ordre-public-reservation, laid down in Art. 72 TFEU. Since enactment of the ePrivacy Regulation bases on Art. 16 Sec. 1 and 2 and Art. 114 TFEU, stipulations of the TFEU had to be respected. According to Art. 72 TFEU exercise of responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security is not affected by the treaty´s provisions. It aims to encounter serious threats for the public safety and order, i.e for fundamental elements of the national legal system.[2] Such elements represent inter alia the existence of the state, its institutions or elemental services.[3] That being said, strict limitation of the term ‘public safety and order’ somewhat softens in light of the member states´ assessment prerogative emerging from the respect for national legal traditions.[4] Certain case groups evolved in that regard, leaving space for member states´ discretion, namely the fight against drug trafficking[5], the fight against different forms of crime in connection with alcohol abuse[6], the fight against illegal immigration and residence[7] as well as the general and specific criminal law[8]. Public safety and order moreover encompasses other subjects pursuant to Titel V TFEU, such as police law or enforcement of private law.
Art. 11 ePrivacy Regulation in connection with Art. 23 GDPR corresponds to the above mentioned definitions and case groups, so to speak anticipating member states´ assessment of the ordre-public-reservation. It provides guidance on relevant criteria in the context of telecommunications and data protection, yet in an exhaustive manner.[9] Respective topics are enlisted in Art. 11 Sec. 1 ePrivacy Regulation with regard to Art. 23 Sec. 1 lits. c to e, i and j GDPR as well as the monitoring, inspection or regulatory function connected to the exercise of official authority. Thus, member states´ competence reduces on a specification of these topics and the associated measures.[10]
[1] For details on independent supervisory authorities, cf. Art. 18 ePrivacy Regulation.
[2] Weiß, in: Streinz, EUV/AEUV (TEU/TFEU), Art. 72 TFEU (2018), Rec. 6.
[3] Ibid.
[4] Röben, in: Grabitz/Hilf/Nettesheim, Das Recht der Europäischen Union, Art. 72 TFEU (2021), Rec. 12.
[5] CJEU, judgment of 29 April 2004, C-482/01 and C-493/01 – Orfanopoulos and Olivieri.
[6] CJEU, judgment of 15 June 1999, C-394/97 – Heinonen.
[7] CJEU, judgment of 6 December 2011, C-329/11 – Achughbabian, Rec. 30, 33 and CJEU, judgment of 19 July 2012, C-278/12 PPU – Adil, Rec. 66; note, however, that Chapter 2 of Title V – Policies on border checks, asylum and immigration, is already excluded from the material scope of the ePrivacy Regulation pursuant to its Art. 2 Sec. 2 lit. b.
[8] Cf. CJEU, judgment of 10 April 2012, C-83/12 – Vo.
[9] Cf. for the corresponding provision in Art. 23 Sec. 1 GDPR, Dix, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 23 GDPR (2019), Rec. 19.
[10] Still, this leeway has been criticised in context of the GDPR, as it was considered too wide and thus hazardous for overall harmonisation, cf. Albrecht/Jotzo, in: Albrecht/Jotzo, Das neue Datenschutzrecht der EU, Teil 4: Individuelle Datenschutzrechte (2017), Rec. 30 and Bäcker, in: Kühling/Buchner, DSGVO BDSG, Art. 23 GDPR (2020), Rec. 11; this opinion is opposed by the fact that material barriers within the provision are in fact rather high (as it is the case for Art. 11 ePrivacy Regulation), cf. Benecke/Wagner, DVBl 2016, 600 (604).
1. Scope of obligations and rights pursuant to Arts. 5 to 8 ePrivacy Regulation
Art. 11 Sec. 1 ePrivacy Regulation ties in to the scope of obligations and rights provided for by Arts. 5 to 8 ePrivacy Regulation. This refers to the general aim of protection for communications data and terminal equipment information on the one hand and the specific measures applied for that purpose on the other. Since both are core elements of privacy pursuant to Art. 7 CFR, limitations on its scope, as with all other fundamental rights and freedoms, must respect their ‘essence’.[11] Art. 11 Sec. 1 ePrivacy Regulation points out, this particularly includes compliance to the principle of proportionality.[12] To this end, restrictions must be necessary, appropriate and contain material and procedural safeguards, in order to shield the risks arising from restrictions for the data subject.[13]
[11] Cf. Art. 52 Sec. 1 CFR.
[12] For details see I.4. and II.
[13] Bäcker, in: Kühling/Buchner, DSGVO BDSG, Art. 23 GDPR (2020), Rec. 6.
2. General public interests pursuant to Art. 23 GDPR
Art. 11 Sec. 1 ePrivacy Regulation allows for restrictions “to safeguard one or more of the general public interests referred to in Article 23 Sec. 1 lits. c to e, i and j GDPR”.
a) Public security, Art. 23 Sec. 1 lit. c GDPR
The term of public security is an autonomous European term, which must be interpreted in the light of European primary law.[14] The TFEU mentions it at various points, regularly in connection with the term of public order (e.g. Arts. 36, 45 Sec. 2, 52, 65 and 202).[15] Subsequently, public security represents a narrow concept with regard to particularly important goods and elementary legal standards (cf. above).[16] Recital 73 GDPR mentions the protection of human life especially in response to natural or manmade disasters.
A delimitation problem emerges between Art. 23 Sec. 1 lit. c and lit. d, since both provisions include the term of public security. Lit. c encompasses all respective issues in general. Lit. d targets handling of criminal offences with regard to “the safeguarding against and the prevention of threats to public security”. In view of its regulatory context, lit. d must be considered to exclusively encompass threat prevention in case of impending or committed criminal offences. It represents lex specialis to lit. c, which in that sense serves as a catch-all-clause.
b) Criminal offences and execution of criminal penalties, Art. 23 Sec. 1 lit. d GDPR
As mentioned above, Art. 23 Sec. 1 lit. d GDPR allows for restrictions in order to prevent or prosecute criminal offences, including such, that represent a threat to public security.[17] ‘Threats’, in that regard, must be specific, i.e. a situation which, according to experience in security law and from the point of view of a reasonable observer ex ante, will in the unimpeded course of events lead to damages to the legal interests of public security or order.[18] Abstract threats do not suffice.[19] The term ‘criminal offence’ is defined within each Member State law.[20] In this respect, Member States determine limitations for the restriction-competence themselves. The same applies to the terms of ‘prevention’, ‘investigation’, ‘detection’ and ‘execution of criminal penalties’.
Problematically, by a first glance, such activities are already excluded from the material scope of the ePrivacy Regulation according to its Art. 2 Sec. 2 lit. d.[21] Thus, there seems to be no need for further restrictions pursuant to Art. 11 Sec. 1 ePrivacy Regulation in the first place. However, with respect to the particular wording in Art. 2 Sec. 2 lit. d ePrivacy Regulation the exclusion only refers to “competent authorities”. That means, Art. 11 Sec. 1 ePrivacy Regulation´s scope is excluded only in case of authorities or other actors, which are particularly appointed for criminal prosecution or prevention.[22] Thus, there remains a significant space of application for all other actors, which are not appointed. These might still be in need of exemptions, as for instance service providers, when having access to communications data or terminal equipment, that turns out to be critical for uncovering public security-threats.[23] Exemptions in this case can allow collection of data or the use of processing capabilities of terminal equipment as well as a change in purpose and further processing, in case such interference with protection under Arts. 5 to 8 ePrivacy Regulation becomes necessary.[24]
c) Other important objectives of general public interest, Art. 23 Sec. 1 lit. e GDPR
Art. 23 Sec. 1 lit. e GDPR represents a further catch-all-clause for public interests. Examples are made with respect to important economic or financial interests, including “monetary, budgetary and taxation and matters of public health and social security”. Since, however, examples within this provision are not exhaustive, it encompasses any conceivable purpose. This fact has been criticised, since it counteracts the exhaustive character of Art. 23 Sec. 1 GDPR.[25] Indeed, the legislator leaves unclear, what approach – exhaustive or open legislation – it pursues. Thus, the doors are open to extensive law particulation within the Member States.
The critique applies vis-à-vis to the corresponding purposes under Art. 11 Sec. 1 ePrivacy Regulation.[26] It is questionable, if harmonisation for exceptions under the ePrivacy Regulation can be achieved, when these are subject to the sole discretion of the Member States.[27] Indeed, one might argue, Art. 11 Sec. 1 ePrivacy Regulation in connection with Art. 23 Sec. 1 lit. e GDPR stipulated a threshold of ‘importance’, in order to limit objectives and prevent deliberate misuse. Also, in particular, because of its rather vague wording, the provision had to be subject to a stricter interpretation:[28] Not any given purpose would be justified accordingly.[29] Rather, a critical assessment in the light of public interests and individual interests of the persons concerned would be required in each individual case, reflecting on the fact that respective interests had to be ‘essential’.[30] Yet, the threshold for additional purposes remains rather small. In the light of uncertainty about the exact interpretation of the term ‘importance’ and the requirement of an assessment in each individual case, it appears much closer at hand to dissolve this stipulation in the course of compliance to the clearer-cut principle of proportionality and that it will thus remain an empty phrase, after all.[31]
d) Protection of the data subject or the rights and freedoms of others, Art. 23 Sec. 1 lit. i GDPR
Art. 23 Sec. 1 lit. i GDPR includes two alternative legal bases for restrictions under Union and Member State law: it provides for (i) the possibility to protect the data subject – which in the context of the ePrivacy Regulation is the respective end-user – and (ii) the protection of rights and freedoms of others. The provision serves to balance out conflicting interests of persons concerned, controllers and third parties, withal taking into account the principle of proportionality and fundamental rights pursuant to the European Charter of Fundamental Rights (CFR).[32]
With regard to Art. 23 Sec. 1 lit. i Alt. 1 GDPR a restriction appears to be sensible, however only in a rather small amount of cases.[33] This follows from the fact that the rights under Arts. 5 to 8 ePrivacy Regulation are already designed specifically, in order to protect the end-users. Restricting these rights, in order to serve the same end, represents a certain contradiction, consequently. Conceivable constellations further narrow down in light of the fact that Arts. 5 to 8 ePrivacy Regulation themselves provide for exceptions in order to safeguard specific security measures.[34] That concerns particularly one classical case within Art. 23 Sec. 1 lit. i GDPR, in which obligations of providers can been restricted with regard to the anonymization or deletion of information.[35] Such restriction follows from the idea that in the course of a longer term of inspection, end-users are provided with better access to information, allowing them to retrace and comprehend certain activities of controllers. Thus, their decision-making power with regard to the use of legal remedies pursuant to Art. 21 ePrivacy Regulation is enhanced.[36] Indeed, Art. 7 Sec. 4 ePrivacy Regulation already includes Member State authority to provide for respective expansion of retention periods, if installed to prevent or investigate criminal offences or to execute criminal penalties and safeguard against threats to public security. Thus, Art. 11 Sec. 1 Alt. 1 ePrivacy Regulation in connection with Art. 23 Sec. 1 lit. i ePrivacy Regulation only applies to a small amount of remaining use cases, i.e. the retention in cases of general infringements or in cases of Art. 8 ePrivacy Regulation. Use of processing and storage capabilities or the collection of data from terminal-equipment might moreover be indicated, whenever end-users must be protected towards their own activities, e.g. persons of limited legal capacity or persons, who are defenceless against certain environmental influences. The latter might be the case, for instance, in legal systems with strict drug policies or extensive suicide prevention plans. As already mentioned, cases will be limited in count, making it hard to imagine, Art. 11 Sec. 1 ePrivacy Regulation in connection with Art. 23 Sec. 1 lit. i Alt. 1 GDPR to have a significant scope of application.
With regard to Art. 23 Sec. 1 lit. i Alt. 2 GDPR´s this finding turns into the contrary. The provision´s wording is very broad, encompassing all “rights and freedoms of others”. Restrictions are limited only by the so-called ‘essence-guarantee’ and the principle of proportionality.[37] Thus, Member States are free to subsume any conceivable right or privilege as long as such is legally approved and not purely of economic nature (e.g. approved business purposes).[38] Case groups include the collection and processing of data in the course of the enactment of the freedom of press or the work of human rights organisations.[39] With regard to the enforcement of rights in the course of legal remedies under Art. 21 ePrivacy Regulation, restrictions might also concern possible rights of inspection, to the extent, in which these could infringe trade secrets (e.g. copyright on software).[40] In light of the breadth of this provision, further fuel adds to concerns on the scope of harmonisation under Art. 11 ePrivacy Regulation.[41]
e) Enforcement of civil law claims, Art. 23 Sec. 1 lit. j GDPR
‘Enforcement of civil law claims’ as an interest of third parties specifies the general terms of protection for data subjects or the rights and freedoms of others under Art. 23 Sec. 1 lit. i GDPR. It is therefore considered a mere clarification to the already existing regulatory content.[42] In that, Art. 23 Sec. 1 lit. j GDPR encompasses all kinds of enforcement. While some assumed, the word “enforcement” only related to the actual proceedings of foreclosure, it is right to subsume both extrajudicial and judicial actions.[43] That follows from the broader choice of words, which relates to the “enforcement of civil law claims” instead of the more specific term of “enforcement orders”. Following on from this, it has been discussed, if claims of public institutions could be subsumed accordingly. Yet, in light of the clear wording of Art. 23 Sec. 1 lit. j GDPR, this will only be the case for civil law claims, i.e. such resulting from non-sovereign activities (e.g. fiscal activities).[44] Instead, public orders, such as tax claims or administrative acts, can be privileged under Art. 23 Sec. 1 lit. i GDPR.[45] Finally, the question was posed, whether the defence against claims might as well be subject to this provision. Indeed, this rather technical issue might prove to be of low practical relevance, since such actions might be privileged on bases of Art. 23 Sec. 1 lit. i GDPR anyways. Nonetheless, it appears unreasonable to privilege the enforcement of claims only on grounds of which party makes the claim at the first instance and which of both follows secondly. Especially in cases of synallagmatic obligations it becomes evident, that both the enforcement and the defence must fall under Art. 23 Sec. 1 lit. j GDPR.[46]
[14] Ibid., Rec. 19.
[15] Bäcker, in: Kühling/Buchner, DSGVO BDSG, Art. 23 GDPR (2020), Rec. 19.
[16] Ibid., with reference to Müller-Graff, in: von der Groeben/Schwarze/Hatje, Europäisches Unionsrecht, Art. 36 TFEU (2015), Rec. 49 ff.; cf. also introductory comments under I.
[17] Bäcker, ibid., Rec. 21.
[18] As defined in German police law, cf. Krüger, JuS 2013, 985 (985).
[19] Dix, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 23 GDPR (2019), Rec. 26; Paal, in: Paal/Pauly, DS-GVO BDSG, Art. 23 (2021), Rec. 26.
[20] Paal, ibid., Rec. 28.
[21] The stipulation matches the wording of Art. 23 Sec. 1 lit. d GDPR.
[22] Peuker, in: Sydow, Europäische Datenschutzgrundverordnung, Art. 23 GDPR (2018), Rec. 23.
[23] Sydow, ibid., Rec. 24 mentions money laundering and forensic laboratories with regard to Rec. 19 GDPR; Bäcker, ibid., with reference to employer-employee relationships.
[24] Cf. Dix, ibid. Rec. 26; Bäcker, ibid.; for the issue of further processing in general cf. Arts. 6c and 8 Sec. 1 lit. g.
[25] Cf. Dix, ibid., Rec. 27, calling Art. 23 Sec. 1 lit. e GDPR a ‘blankett rule’; Paal, ibid., Rec. 31a; Bäcker, ibid.; Grages, in: Plath, DSGVO/BDSG, Art. 23 GDPR (2018), Rec. 1.
[26] The EDPB criticized that restrictions by Member States regarding data retention and possible exceptions for service providers in general would undermine data protection standards and possibly conflict with jurisdiction of the CJEU, cf. EDPB, statement 03/2021 on the ePrivacy Regulation, 9 March 2021, p. 2; With particular regard to concerns on precautionary data retention see the statement of the German Federal Commissioner for Data Protection and Freedom of Information from 10 February 2021, who raises similar concerns, available at https://www.bfdi.bund.de/DE/Infothek/Pressemitteilungen/
2021/03_Ratsposition-ePrivacy-VO.html, last retrieved 8 February 2022.
[27] Cf. critque by Albrecht/Jotzo, in: Albrecht/Jotzo, Das neue Datenschutzrecht der EU, Teil 4: Individuelle Datenschutzrechte (2017), Rec. 30 and Bäcker, in: Kühling/Buchner, DSGVO BDSG, Art. 23 GDPR (2020), Rec. 11
[28] Dix, ibid., Rec. 27.
[29] Paal, ibid, Rec. 31.
[30] Ibid.
[31] Bäcker, ibid., Rec. 22.
[32] Paal, ibid., Rec. 40 with reference to Petri, DuD 2018, 347 (349).
[33] Dix, ibid., Rec. 33.
[34] Art. 6 Sec. 1 lit. d; Art. 6b Sec. 1 lit. b, lit. d; Art. 7 Sec. 4; Art. 8 Sec. 1 lit. da, lit. e No. (i), lit. f.
[35] Cf. Bäcker, ibid., Rec. 31.
[36] Bäcker, ibid.; cf. e.g. German data protection law in § 35 Sec. 2 S. 1 BDSG.
[37] Bäcker, ibid., Rec. 32; for details see I.4.
[38] This is the prevailing opinion, cf. e.g. Dix, ibid., Rec. 32 and Bäcker, ibid.; as regards the minor opinion: Grages, in: Plath, DSGVO/BDSG, Art. 23 GDPR (2018), Rec. 6.
[39] Peuker, ibid., Rec. 35; Council of Europe, Explanatory Report to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981, Rec. 58.
[40] Rec. 63 GDPR; Dix, ibid., Rec. 35; moreover, interferences with such rights might be direct or indirect, cf. Bäcker, ibid., Rec. 32.
[41] Cf. above under No. I.2.c).
[42] Dix, ibid., Rec. 36, calling this provision “redundant”
[43] With regard to the discussion originating from the German word “Durchsetzung” as opposed to the more specific term “Vollstreckung” cf. Koreng, in: Taeger/Gabel, DSGVO – BDSG – TTDSG, Art. 23 (2022), Rec. 54.
[44] Bäcker, ibid., Rec. 33, with reference to the opposing view, held by the German Federal Administrative Court, decision of 4 July 2019, 7 C31.17, NVwZ-RR 2019, 1015, Rec. 17.
[45] Cf. Dix, ibid., Rec. 36 with reference to the contrary opinion in the Explanatory Memorandum to the German draft Data Protection Act, BT-Drs. 18/11325, p. 103.
[46] Contrary position: Bäcker, ibid., Rec. 33a.
3. Monitoring, inspection or regulatory function of official authority
Art. 11 Sec. 1 ePrivacy Regulation stipulates that not only the interests referred to in Art. 23 Sec. 1 GDPR serve to be reason for restrictions to the obligations and rights pursuant to Arts. 5 to 8 ePrivacy Regulation, but also actions necessary in the course of an exercise of official authority to enact such interests.[47] Indeed, respective actions would have already been included to the legal bases of Art. 23 Sec. 1 lit. c to lit. e GDPR, since ‘public security’, ‘criminal justice’ and ‘other important objectives of general public interest’ by nature entail enforcement by executive authority already.[48] In light of its systematic location subsequent to the enlistment of provisions under Art. 23 Sec. GDPR and the express detachment of this stipulation from its legal origin in Art. 23 Sec. 1 lit. h GDPR, Art. 11 Sec. 1 Alt. 2 ePrivacy Regulation, however, serves as a clarification to that fact.
Respective actions concern monitoring, inspection or regulatory functions, which might, to a greater or lesser extent, include the processing of electronic communications data or the interference with terminal equipment.[49] Monitoring defines any activity, which extends over a given period of time, i.e. repeated data collections or enduring interferences. An inspection, by contrast, refers to a singular event, in which the respective authority demands access to specific information. Regulatory function, in this regard, must be considered a catch-all provision, encompassing all related activities, required in the course of an effective exercise of power. If such is not being exercised by public agencies, private parties might as well be addressed by respective privileges, as long as they are legally appointed to do so.[50]
[47] For more details, see above.
[48] Cf. Paal, ibid., Rec. 38.
[49] For context to these terms, see Art. 5 Rec. 7 and Art. 8 ePrivacy Regulation.
[50] Cf. for the German legal figure of the “Beliehener”, Paal, ibid., Rec. 39.
4. Essence-guarantee, necessity and proportionality of restrictions
Art. 11 Sec. 1 ePrivacy Regulation is subject to material limitations as regards the legislative shaping of restrictions to the obligations and rights provided for in Arts. 5 to 8 ePrivacy Regulation. Accordingly, a restriction must “respect the essence of the fundamental rights and freedoms and be a necessary, appropriate and proportionate measure in a democratic society”.
a) Essence-guarantee for fundamental rights and freedoms
The first limitation corresponds to Art. 52 Sec. 1 S. 1 CFR, pursuant to which any restriction on the exercise of its recognised rights and freedoms, must respect its very essence. This so-called ‘essence-guarantee’ originates from German constitutional law and has become a general principle in European constitutions.[51] In the context of Arts. 5 – 8 ePrivacy Regulation and the specific stipulation by Art. 11 Sec. 1 ePrivacy Regulation, which refers to the respect for the essence of fundamental rights in general, the legislator emphasises that legislative measures might not only concern the right for privacy or protection of personal data as in Art. 7 and 8 CFR, but also other rights can be inflicted in the course of legislation. That is particularly, since any restrictions of certain fundamental rights bear the risk of ‘chilling effects’ towards the exercise of others.[52] Thus, in every case the individual effects of legislation under Art. 11 Sec. 1 ePrivacy Regulation must be considered and evaluated in the light of possible interferences with the ‘essence’ of respective other fundamental rights.
‘Essence-guarantee’ refers to the ‘core area’ of fundamental rights.[53] It must be understood as a counterpart to the proportionality-principle, concerning the relation between burdens of interference and importance of pursued ends outside this area.[54] The core is being respected, if the guarantee of a fundamental right is not called into question and restriction takes place only in accordance to individual and exceptional behaviour.[55] Conversely, the core is infringed, if restriction leaves no significant remains to that right, i.e. it deprives its very substance.[56] The CJEU assumed such infringement in cases, the person concerned was not able to make effective use of legal remedies[57] and a severe interference with fundamental rights was made without further examination[58]. Also, elements of fundamental rights, originating in the guarantee of human dignity, are part of the core area.[59] However, the definition of the core area of fundamental rights is difficult to determine in the abstract.[60] Rather, these depend on each fundamental right individually and must be determined in every single case.[61] To that effect an infringement of the essence of the right to privacy (Art. 7 CFR) and protection of personal data (Art. 8 CFR) was assumed, if public agencies were allowed to access electronic communications content in general, i.e. in reversal of the rule-exception-ratio.[62] This ruling must be particularly kept in mind under respective restrictions pursuant to Art. 11 Sec. 1 Alt. 1 ePrivacy Regulation.
b) Proportionality of restrictions
The second limitation refers to the principle of proportionality, which in practice represents the most important requirement.[63] It is designed according to Arts. 8 – 11 ECHR and its corresponding legal interpretation by the CJEU, which had originally implemented the principle of proportionality into the concept of necessity.[64] According to common European understanding, sovereign measures must be appropriate, necessary and proportionate to achieve the purpose pursued[65], withal entailing a certain ‘margin of appreciation’ of the Member States[66]. Thus, the explicit fixation in Art. 11 Sec. 1 ePrivacy Regulation, albeit being consistent in light of the related provision of Art. 23 Sec. 1 GDPR, would have actually been dispensable.[67]
The tripartite examination starts by defining the relevant objectives of restrictions.[68] Such objectives are determined by the general public interests referred to above. Restrictions must be practically appropriate to achieve these objectives, i.e. they must be purpose-built, at least.[69] Moreover, they are necessary only, if representing the mildest, least intrusive means for fundamental rights pursuant to Arts. 7 and 8 ECFR.[70] Accordingly, restrictions, which comprehensively exclude rights pursuant to Arts. 5 to 6b ePrivacy Regulation, e.g. when only linked to the discretion of a particular authority, certain forms of data collection (e.g. remote spying) or certain kinds of data (e.g. electronic communications metadata), without at the same time taking into account possible adjustments or exceptions (e.g. means to avoid collection of intimate conversation content), will regularly not be necessary.[71] Finally, measures must be weighed up against the quality of interference on the one hand and the importance of objectives on the other hand. To that extent, it makes sense to take an overall view of the legal situation in the respective member state: Member States providing an extensive protection of privacy and personal data will, generally, have more leeway for restrictions, than it is the case for such, completely exhausting possibilities under Art. 11 Sec. 1 ePrivacy Regulation.[72] Using such leeway, Member States should moreover provide for exception clauses and separate margins of appreciation, since only by then, case-by-case-justice, as a central element of proportionality, will be achievable.[73]
c) Measures in a democratic society
The reference to the term of a ‘democratic society’ serves to incorporate European standards under the rule of law to the assessment of viable restrictions pursuant to Art. 11 Sec. 1 ePrivacy Regulation.[74] Such standards encompass elements like pluralism, tolerance and the ‘spirit of an open society’, as entailed by the ECHR´s jurisdiction.[75] It moreover serves to establish a systematic connection of the assessment of restrictions to the standards under national state organisational laws, which are usually also taken into account in the course of interpretation of national fundamental rights.[76] However, in respect of the lack of an encompassing constitutional frame within the EU, such interpretation will rather refer to abstract standards of European parliamentary democracies as a whole, than to each individual Member State legislation alone.[77]
[51] Dix, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 23 GDPR (2019), Rec. 13.
[52] Dix, ibid., with further references; inter alia CJEU, decision of 21 December 2015, C-203/15 – Tele 2 Sverige, C-698/15 – Secretary of State for the Home Department, NJW 2017, 717, Rec. 92-94, 100 f.
[53] Jarass, in: Jarass, EU-Grundrechte-Charta, Art. 52 (2021), Rec. 28.
[54] Jarass, ibid.
[55] CJEU, decision of 14 September 2017, C-18/16 – K., Rec. 35; CJEU, decision of 20 March 2014, C-129/14 – Spasic, Rec. 58.
[56] Schwerdtfeger, in: Meyer/Hölscheidt, GRCh, Art. 52 (2019), Rec. 34.
[57] CJEU, decision of 15 October 2010, C-400/10 – McB, Rec. 55 ff.
[58] CJEU, decision of 23 March 2006, C-408/03 – Commission/Belgium, Rec. 68.
[59] Jarass, ibid., Rec. 29 with further references.
[60] Dix, ibid., Rec. 14.
[61] Jarass, ibid., Rec. 29.
[62] CJEU, decision of 8 April 2014, C-293/12, C-594/12 – Digital Rights Ireland, Rec. 39; CJEU, decision of 6 October 2015, C-362/14 – Schrems, Rec. 94.
[63] Bäcker, in: Kühling/Buchner, DSGVO BDSG, Art. 23 GDPR (2020), Rec. 58.
[64] Peuker, in: Sydow, Europäische Datenschutzgrundverordnung, Art. 23 GDPR (2018), Rec. 43; cf. also Rec. 26 ePrivacy Regulation.
[65] Cf. CJEU, decision of 22 January 2013, C-283/11 – Sky/ORF, Rec. 50 et seqq.; CJEU, decision of 8 April 2014, C-293/12, C-594/12 – Digital Rights Ireland, Rec.;
[66] Peuker, ibid., Rec. 44, with further reference to Grabenwarter/Pabel, in: Grabenwarter/Pabel, EMRK (2021), § 18, Rec. 20; cf. also ECHR, decision of 7 December 1976, 5095/71 – Handyside/UK, Rec. 47 ff.
[67] Peuker, ibid.
[68] Bäcker, ibid., Rec. 44.
[69] Cf, CJEU, decision of 21 December 2016, C-203/15, C-698/15 – Tele 2 Sverige AB, Rec. 110 et seq.
[70] Paal, in: Paal/Pauly, DSGVO, Art. 23 (2021), Rec. 9;
[71] Cf. Rec. 19 GDPR; Paal, ibid.; Bertermann, in Ehmann/Selmayr, DSGVO (2018), Art. 23 Rec. 4.
[72] Dix, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 23 GDPR (2019), Rec.18.
[73] Cf. Bäcker, ibid., Rec. 58; also Paal, ibid
[74] Grabenwarter/Pabel, ibid., § 18, Rec. 18.
[75] Grabenwarter/Pabel, ibid., with further reference to ECHR, decision of 7 December 1976, 5095/71 – Handyside/UK, Rec. 47 ff.; ECHR, decision of 13 August 1981, 7601/76 – Joung, James and Webster, Rec. 64; ECHR, decision of 25 May 1993, 14307/88 – Kokkinakis/GRE, Rec. 33.
[76] Grabenwarter/Pabel, ibid., Rec. 19.
[77] Grabenwarter/Pabel, ibid.
II. Material requirements regarding the content of restrictions, Art. 11 Sec. 1a
Art. 11 Sec. 1a ePrivacy Regulation implements requirements pursuant to Art. 23 Sec. 2 GDPR on the material content of restrictions by Member States. These serve inter alia to guarantee obedience to the principle of legal clarity and certainty, which are encompassed by the rule of law.[78] Legal clarity refers to the notion that the individual addressee of a legal provision must be able to determine the scope of its rights and obligations and to act accordingly.[79] Conversely, the degree of indeterminacy has an impact on the quality of a restriction, since it narrows the corridor of (legally certain) enactment of related individual fundamental rights, accordingly. Assessment standards within the proportionality-principle will therefore be significantly stricter under Art. 11 Sec. 1 ePrivacy Regulation, the less legally clear a restriction is.[80]
Art. 23 Sec. 2 GDPR stipulates that legislative measures referred to in Sec. 1 (cf. Art. 11 Sec. 1 ePrivacy Regulation) shall contain specific provisions, wherever relevant to the respective restriction measurement. This includes the purposes of the processing or categories of processing (lit. a), the categories of personal data concerned (lit. b), the scope of the restrictions introduced (lit. c), safeguards to prevent abuse or unlawful access or transfer (lit. d), the specification of the controller or categories of controllers (lit. e), storage periods and applicable safeguards to the processing (lit. f) and the right of data subjects to be informed about the restriction (lit. h).
[78] Cf. Art. 5 – 7 ECHR; also Payandeh, Das unionsverfassungsrechtliche Rechtsstaatsprinzip, JuS 2021, 481 (484).
[79] CJEU, decision of 17 July 1997, C-354/95 – NFU, Rec. 57; CJEU, decision of 11 June 2009, C-170/08 – Nijemeisland, Rec. 44; CFI, decision of 13 March 2003, T-340/00 – Communitá montana della Valnerina.
[80] Dix, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 23 GDPR (2019), Rec. 37.
III. Internal responding-procedures to access requests by supervisory authorities, Art. 11 Sec. 2
According to Art. 11 Sec. 2 ePrivacy Regulation and its corresponding Recital 26, service providers need to provide for appropriate procedures to facilitate access to end-users´ electronic communications data, in case competent authorities make respective demands according to legislative measures based on Sec. 1. Thus, the European Legislator explicitly provides for a legal basis to sovereign access-rights regarding personal and other data by national authorities. This includes data, which has been transmitted over the network or other forms of conveyance by providers, even though the provider is located outside the EU. The only requirement in that regard represents the fact that data will at least concern one party, which is located within it.[81]
It is questionable, how such legislation can be justified in front of the ongoing quest by Member States´ authorities to restrict data transmission into particular foreign countries, such as for example the USA. Not only, a significant fragmentation of Member States´ legislation becomes possible in this regard, but also, and more importantly, Art. 11 Sec. 2 ePrivacy Regulation gives way to sovereign cross-border-access to data, which – in no apparent way – distinguishes from activities related to the much-noticed US CLOUD Act.[82] Hence, Art. 11 Sec. 2 ePrivacy Regulation might fuel critique on the related issue of a practically unfeasible interpretation of the GDPR.[83]
[81] Cf. Art. 3 Sec. 2 ePrivacy Regulation; in that respect also see Art. 3 Rec. 3.
[82] H. R. 4943 – 115th Congress (2017-218), US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), https://www.congress.gov/bill/115th-congress/house-bill/4943/text; cf. in this regard EDPB-EDPS, Joint Response to the LIBE Committee on the impact of the US Cloud Act on the European legal framework for personal data protection, https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-edps-joint-response-libe-committee-impact-us-cloud-act_en, both last retrieved 08 February 2022.
[83] Cf. VG Wiesbaden, ZD 2022, 177 commented by v. d. Bussche.