ABSTRACT

This study summarises the case law and conventional rules underpinning the exercise of the European Union’s (EU) external (implied) competences as applied to Article 16(2) of the Treaty on the Functioning of the EU (TFEU). Article 16(2) TFEU empowers the EU to adopt rules on the protection of individuals whose personal data are processed and on the free movement of such data. The rules adopted under this legal basis could trigger the AETR/ERTA affectation criterion codified under Article 3(2) TFEU, turning the EU’s internal shared competence into an external exclusive competence. Our analysis argues that, in light of the Union’s data protection legislation in force, the EU holds an external (implied) shared/concurrent competence based on Article 16(2) TFEU. For this reason, negotiations for acceding to the Council of Europe’s Convention 108+ were mixed.

Keywords: European Union; protection of personal data; nature of external implied competence; mixed agreement; Convention 108+.


SUMMARY

This study summarises the case law and conventional rules that underpin the exercise of the European Union’s (EU) external (implied) competences as applied to Article 16(2) of the Treaty on the Functioning of the EU (TFEU). Article 16(2) TFEU empowers the EU to adopt rules on the protection of natural persons whose personal data are processed and on the free movement of such data. The rules adopted on this legal basis could trigger the AETR/ERTA affectation criterion codified in Article 3(2) TFEU, transforming the EU’s shared internal competence into an exclusive external competence. Our analysis argues that, notwithstanding the Union data protection legislation in force, the EU has acquired an external (implied) shared/concurrent competence on the basis of Article 16(2). For this reason, the negotiations for acceding to the Council of Europe’s Convention 108+ were mixed.

Keywords: European Union; protection of personal data; type of implied external competence; mixed agreement; Convention 108+.

Citation: Tassinari, F. (2023). The European Union’s external competence in the data protection field: is mixity the only way out? Revista de Derecho Comunitario Europeo, 75, 247-292. doi: https://doi.org/10.18042/cepc/rdce.75.08

I. INTRODUCTION

Since the 1990s, the EU has set up an extensive regime on the protection of personal data to ensure the flow of information among its Member States while guaranteeing appropriate safeguards to individuals (‍EDPS, 2011). As globalisation increases, personal data are shared more and more among private companies worldwide and between countries that cooperate internationally. Following the Snowden scandal (‍EDPS, 2015: 9), the EU has been leading a global dialogue on personal data focused on the promotion of a human rights-centric approach (‍EDPS, 2014a: 2). As the European Data Protection Supervisor (EDPS) highlighted (‍EDPS, 2014b: 4), US intelligence programmes had not merely undermined governments’ trust, but they also affected real rights laid down under European law[2].

Existing studies on the EU as the major player in the data protection field have analysed the extraterritorial application of EU legislation[3] (Saluzzo, 2019; Svantesson, 2015; Moerel, 2011), including its knock-on Brussels effect (Bygrave, 2021; Scott, 2019), and the Union’s regimes on the transfer of personal data (Kuner, 2017, 2019, 2020a). No research, however, has examined the type of the EU’s external competence in that area —at least to our knowledge— so the range of the Union’s treaty-making power remains unclear. This paper fills this literature gap and sheds light on the nature of the EU’s external (implied) competence based on Article 16(2) of the Treaty on the Functioning of the EU (TFEU). The rules adopted under this legal basis could trigger the AETR/ERTA affectation criterion codified under Article 3(2) of the TFEU[4], turning the EU’s internal shared competence in the field of personal data into an external exclusive competence for the EU. Our analysis argues that, by virtue of the Union’s data protection legislation in force, the EU is conferred an external (implied) shared/concurrent competence. For this reason, negotiations for adhering to the Council of Europe’s Convention 108+ were mixed[5].

To corroborate our hypothesis, we follow a set of steps. First, we summarise the relevant case law and conventional rules underpinning the exercise of the EU’s external (implied) competences, and the dichotomy of mandatory/facultative mixity (Section II). Second, we examine the insertion of a provision in the Treaty of Lisbon conferring on the EU an internal shared competence in the data protection field (Section III). On this basis, the EU renewed the legislation on the protection of personal data that forms the baseline upon which the nature of the EU’s (implied) external competence must be assessed. Thus, we analyse whether this competence is of a shared/concurrent nature (Section IV) and whether it triggered mixed negotiations for accessing the Council of Europe’s Convention 108+ (Section V).

II. EU EXTERNAL COMPETENCE AND THE ISSUES OF MIXITY

1. EU (implied) external competence: is there room for shared competences?

Article 216(1) TFEU codifies the Court of Justice of the EU’s (CJEU) jurisprudence on implied powers after the AETR/ERTA judgment found that the EU could conclude international agreements to achieve one of the objectives set down by the Treaties, notwithstanding the explicit provision of an underlying Union’s competence. According to this norm, the EU could act on the international scene in the following situations: first, the Treaties expressly empower it to do so; second, the empowerment is provided for in “a legally binding Union act”; third, the envisaged agreement “is likely to affect common rules or alter their scope”[6]; and fourth, the conclusion of an international agreement is necessary to achieve one of the objectives referred to in the Treaties “within the framework of the Union’s policies”[7]. While the first scenario clearly refers to explicit external competence, the second one attracted criticism insofar as it is interpreted as legitimising the Union’s external action in the absence of a legal basis in primary law[8]. Finally, both the third and fourth scenarios point at conferring implicit external competence on the EU with the following nuance: the third scenario of affectation or alteration criterion underpins the necessity of the Union’s external action[9] as well as its exclusivity[10].

Exclusive external competence is conferred on the EU based on Article 3 TFEU, disregarding its implied or explicit provision. The first paragraph of Article 3 TFEU traces a perfect parallelism between the internal and external projections of a list of competencies that are also known as exclusive “by nature” or “a priori” exclusivity (‍García Andrade, 2018). In contrast, the second paragraph of Article 3 TFEU refers to the nature of the Union’s external competence only, and it adds two further scenarios to that of affectation or alteration[11]: when the conclusion of an agreement is provided for in a legislative act of the Union, and when it is necessary to enable the Union to exercise its internal competence[12].

By comparing the wording used under Article 3(2) TFEU with the wording of Article 216(1) TFEU, De Baere (‍2008: 68) observes that the nature of the external competence depends on the law-making procedure by which the internal act granting that competence was adopted. Thus, he maintains that the EU could derive its external competence by virtue of Article 216(1) TFEU when its need is set out in a legally binding Union act —i.e., also EU secondary law— instead of the founding Treaties (‍De Baere, 2017, ‍2018). García Andrade (‍2015: 96)[13] opposes such an idea and clarifies that, despite its fuzzy formulation, the principle of the affectation of common norms outlined in Article 216(1) TFEU in fine cannot become a source that affirms the existence of EU external competence (‍Dashwood et al., 2011: 921)[14]. In the same line, the CJEU finds that “[…] the competence of the European Union to conclude international agreements may arise not only from an express conferment by the Treaties, but may equally flow implicitly from other provisions of the Treaties and from measures adopted, within the framework of those provisions, by the EU institutions”[15].

Also, the concept of “necessity” must be shaped differently depending on whether it legitimises the EU intervention under Article 216(1) TFEU, or it confers on the EU exclusive competence under Article 3(2) TFEU. The former type of necessity was first ruled upon in the AETR/ERTA doctrine and widely interpreted in the light of the paramount principle of effet utile[16]. The latter type of necessity, instead, was first read in Opinion 1/76 as justifying the EU’s exclusive action as “[…] the only way to achieve the objectives of the internal competence from which it was deduced” or “inextricably linked to the conclusion of international agreements”[17]. Such exclusivity is also known as “reverse” AETR/ERTA effect (Chamon, 2021: 131-163) or “exclusivity by exercise” (García Andrade, 2015: 167)[18], and it “[…] is problematic, in my view, because this kind of exclusivity is, according to ECJ case law, not determined by the necessity of international action, but by the introduction, through the agreement, of common rules to be affected by future Member States’ agreements; it is the exercise of the Union external competence which renders it exclusive. This exclusivity by external exercise can thus be considered to be included in the classic pre-emption referred to in Article 2(2) TFEU” (García Andrade, 2018: 175).

As the CJEU found in the COTIF I judgment[19], situations in which the Union has an external competence in accordance with Article 216(1) TFEU are not limited to the scenarios set out in Article 3(2) TFEU[20]. Falling outside the scope of Article 3(2) TFEU, the Court recalled that EU external competences can have a non-exclusive nature and, specifically, they could be shared or parallel even in the absence of internal rules. It is precisely in the cases of non-exclusive competences and, above all of shared ones[21], where the exercise of the EU external action becomes highly complicated and might fall into the intricate practice of mixed agreements.

2. Facultative mixity within and beyond concurrent competences

Mixed agreements are agreements concluded by both the EU and its Member States as “a single Party” on the one side, and by one or more subjects of international law on the other (‍Chamon and Govaere, 2020). Due to the lack of legal provisions[22], and consistent jurisprudential guidance (‍Govaere, 2020), mixity has attracted many doctrinal discussions for triggering legal uncertainty, e.g. a clear-cutting subdivision of responsibilities between the EU and its Member States, and practical drawbacks, e.g. the longer ratification procedure. Following Allan Rosas’ historical systematisation (‍1998: 131), mixity is deemed to be mandatory if, and only if, an agreement covers both EU-conferred competences[23] and Member States’ national prerogatives[24]. This kind of mixity, also labelled as “coexistence” (‍Rosas, 2020: 13)[25] or “joint competence” (‍Govaere, 2020: 27)[26], is deemed to be a “matter of shared competence” in light of the scope of the agreement, and not of the shared nature of the policy competences (‍Bosse-Platière and Cremona, 2020: 49). Facultative mixity, instead, surfaces when the envisaged agreement falls within an EU non-exclusive competence for which the EU could act on its own or together with its Member States as long as these are not legally excluded[27].

As García Andrade notes, non-exclusive competences include both concurrent and parallel competences: the former legitimises the EU’s sole intervention with pre-emption over Member States’ powers; the latter occurs when the EU’s exercise of external competences does not prevent Member States from exercising theirs (‍2018: 165). Her analysis makes clear that the focus of the interinstitutional debate over mixity lies at the level of concurrent competences[28]. Here, the Member States’ participation in an envisaged agreement cannot be excluded as the Union has not “occupied the ground” of a specific field and, even more important, the EU has not gained an external (implied) exclusive competence by virtue of the AETR/ERTA jurisprudence.

Concurrent competences would then cover two main scenarios of non-exclusivity: first, it could be the case that the EU has already adopted internal rules but these do not trigger the affectation criterion vis-à-vis the envisaged agreement; second (and although less frequent)[29] the EU might not have adopted internal rules but it could decide to conclude an agreement that is not “[…] the only way to achieve the objectives of the internal competence from which it was deduced”[30]. Concurrent competences have for long given rise to very heated debates (‍Cannizzaro et al., 2012; ‍Hillion and Koutrakos, 2010; ‍O’Keeffe and Schermers, 1983) as the choice between an EU/Member States’ only action and a mixed one could be presented as a merely political one[31] (‍Martínez Capdevila, 2023: 82). If so, Member States might easily jump to the mixed formula so as not to lose ground before a given internal shared competence.

In reality, case studies on mixity go beyond the explanation above as mixed agreements might be concluded to align the external action of the Union to external factors. Specifically, Govaere refers to the international (legal) context; the dependence of the EU on its Member States’ presence on the international scene, the (special) responsibilities of (certain) Member States internationally, and the coherence of the international framework in which the EU operates (‍2020: 46). The author coined the concept of “functional mixity” to explain how these factors could determine the usage of the mixed formula, notwithstanding the vertical subdivision of competences between the Member States and the EU. Thus, Govaere systematises the CJEU’s jurisprudence that accepts facultative mixity though this is conditioned by political discretion (negative), and the case law that rejects facultative mixity unless required by functional imperatives (positive). This new theory brings a significant added value to the theory of mixed agreements, and also sheds light on the inconsistency of the CJEU’s case law which exacerbates legal uncertainty. According to Rosas, because Member States feel they suffer bias under the mixed formula, they might opt for it not only in a case of shared competences, where the Union and/or its Member States might intervene, but even when there is a Union exclusive competence for the entire agreement (false mixity), or a predominant part of it (ibid.: 9). 
Another crucial example is “vertical mixity”, an expression that points at international agreements split between EU substantive regulation and Member State implementation, which is fictitious according to García Andrade: “since the treaty-making power is a normative power, the Union will be entitled to conclude these agreements alone, either for being a field of exclusive EU competence in the case of short-term visas, or a concurrent competence that the EU may exercise in the case of readmissions” (‍2019: 45). The main issue to solve is whether the Council of the EU would cede in cases where the Member States hook the majority decision-making process to gain mixity[32].

III. THE PROVISION OF AN EU COMPETENCE ON DATA PROTECTION

1. Data protection as an economic driver: overcoming the competence gap?

Before the Treaty of Lisbon was adopted, the European Community lacked a legal basis that it could have relied upon to legislate in the field of personal data. This gap did not prevent it from regulating the matter and data protection rules were provided for in both intergovernmental[33] and supranational instruments[34], given that the justice and home affairs area is the prominent example of a sectoral patchwork of regulation (Boehm, 2012). Yet, the increasing use of information by European and foreign trading companies urgently demanded coordination in this field[35]. Legislative work within the (then) European Community was aligned to that of the Council of Europe’s Convention 108[36] under the aegis of an all-inclusive multilateralism where various types of players would be involved. Given that Convention 108 left “[…] open a large number of options for the implementation of the basic principles and at the beginning of the ‘90s it had been ratified by only seven Member States, of which one still had no domestic legislation”[37], the European Commission estimated that harmonisation was still needed among the Member States (Pearce and Platten, 1998: 531 ff.).

Nevertheless, the (then) European Community could by no means regulate human rights (‍Liñán Nogueras, 1996: 13-‍16; ‍2001: 374; ‍2020: 126). Thus, the proposed legislation on the protection of personal data was smartly designed under the logic of trade liberalisation among Member States (‍Lynskey, 2015: 47-‍48). The European Commission presented a first package of measures pursuing two main objectives: first, the enhancement of European industrial capacity; and second, the coordination of strategic sectors such as banking and telecommunications[38]. Under this package, a European Community legislative proposal on the protection of individuals with regard to the processing of personal data dating back to 1990 was put forward[39] as part of the common commercial policy framework. Proposing Article 100a TEEC[40] as the correct legal basis was, in a certain way, to be expected, but what surprises us the most is the fact that Member States did not contest it[41]. Indeed, the European Community could have been accused of circumventing the competence gap left by the founding Treaty since the objective pursued was related to human rights rather than common market issues[42] (‍Ruiz Miguel, 2003: 20 ff.).

The initial proposal soon needed to be amended because the entry into force of the Maastricht Treaty[43] brought substantial changes to the previously envisaged lawmaking process. In addition, it was found to be too ambitious by some Member States that opposed a high-level harmonisation legislation instead of following the minimalist approach laid out under Convention 108. The amended proposal[44] was presented by the European Commission on the basis of the approximation clause of Article 100a 1992 TEC according to which the European Community could promote measures of approximation for the implementation of the internal market, and Article 189b 1992 TEC empowering the European Parliament under the co-decision procedure[45] (‍González Fuster, 2014: 122 ff.). The more accommodating approach undertaken by the European Commission in its amended proposal was decisive in order to find sufficient support within the Council and to finally adopt the Data Protection Directive (DPD)[46] (‍Bigo et al., 2011: 128)[47]. In the end, the legislation agreed was designed on the basis of a complex relationship between safeguarding the individual’s right to a private and family life on the one hand, and, on the other, the need to exchange information within Member States for economic reasons.

2. Shortcomings stemming from Directive 95/46/EC

The DPD pursued two main objectives: first, it protected the fundamental rights and freedoms of individuals, especially the right to privacy; second, it forbade any restrictions to the “free flow” of personal data (‍Rotenberg and Jacobs, 2013: 617)[48]. Unlike the Council of Europe’s Convention 108, which only referred to the automatic processing of “information relating to an identified or identifiable natural person”[49], the DPD focused on a wider spectrum of data flows by also including manual processing used in filing systems[50], a regime on the transfer of personal data to third countries[51], and the provision of an independent supervisory authority ensuring its correct implementation[52]. As for its scope, the DPD did not cover activity outside of Community law, e.g. those provided for by Titles V and VI of the TEU, and the processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law[53].

The level of approximation achieved by the DPD was as minimal as possible, which resulted in serious distortive effects because of the divergent transposition implemented in Member States’ law (Article 29 DPWP 2004, and EDPS, 2007). Recital 9 DPD is significant while affirming that “[…] within the limits of this margin for manoeuvre and in accordance with Community law, disparities could arise in the implementation of the Directive, and this could have an effect on the movement of data within a Member State as well as within the Community”. In Lindqvist[54], the CJEU found that the DPD generally set forth a complete level of harmonisation to ensure a high level of protection for the processing of personal data, but that Member States kept a certain margin of manoeuvre in some specific areas for which they could maintain or introduce ad hoc rules. Similarly, in Grégory Francotte, the CJEU affirmed that Member States were not obliged to transpose the limitations set down on the individuals’ rights[55] as “[…] the legislator intended to give them the freedom to decide whether, and if so for what purposes, they wish to take legislative measures aimed at limiting, inter alia, the extent of the obligations to inform the data subject”[56]. Also, in Verbraucherzentrale NRW eV[57], the CJEU observed that Articles 22-24 DPD did not exhaustively regulate existing judicial remedies against the author having committed a breach of the data protection legislation and validated the German law allowing customer associations to bring judicial challenges in the interest of the data subject[58]. Lynskey highlights that the interpretation of the provisions of the DPD was leaving too broad a margin of appreciation for national legislations and that “[t]hese disparities lead to fragmentation and are inimical to the objectives of the Directive. It can be seen that the Court’s reluctance to assert the fundamental rights underpinning the Directive endangered the coherence of its internal market objective which it had been so keen to promote in earlier cases” (2015: 57-58).

Therefore, speculating on a possible AETR/ERTA effect stemming from the DPD would be quite daring on our part[59]. The internal legislation was minimally and partially harmonising the field at issue and, as a consequence, Member States fully kept their treaty-making power in the external layer (‍Article 29 DPWP, 2007a; ‍2009, ‍2013). In the specific case of the international data transfer regime, the analysis is even easier, as Article 25 DPD clarified (‍1998a) that both the European Commission and its Member States[60] —specifically, data protection authorities and data controllers— could conduct an “adequate evaluation” (‍Article 29 DPWP, 2005), but, in the end, they had to cooperate with each other[61]. The DPD envisaged the possibility to derogate from the adequacy parameter for the specific reasons set forth therein[62] or using contractual clauses (‍Article 29 DPWP, 2001). Only in the latter case were Member States obliged to notify the European Commission in order to gain its approval[63]. Consequently, the European Commission had no monopoly over the determination of the adequacy of data protection standards of third countries and international organisations; this had important consequences on the binding nature of the European Commission’s decision vis-à-vis data protection authorities (‍H. Weber, 2013: 127).

3. A new fundamental right to personal data protection

The first step towards the codification of the DPD’s principles (‍Mori, 2019: 236) was made in 1999 when the (then) European Community’s institutions and bodies were bound to a new data protection framework (‍Maiani, 2002: 289)[64]. Article 286(1) of the TEC was given full effect by Regulation (EC) No 45/2001[65] (or European Community Data Protection Regulation, ECDPR), which established the EDPS[66] and, in a departure from the DPD’s approach, also regulated the confidentiality of communication within EU institutions and bodies[67]. However, the ECDPR replaced neither the DPD nor the other sectoral instruments that had been adopted by the European Community, as Article 286(1) of the 1997 TEC made them applicable to the institutions and bodies. Their relationship, then, was underpinned by the principle of lex specialis derogat generali, where the ECDPR was the special legislation and the DPD the general framework.

A specific fundamental right to the protection of personal data was proclaimed on 7 December 2000 as a complement to the Treaty of Nice. The Nice Charter finally distinguished the right to the protection of personal data as separate to the right to a private and family life —Articles 7 and 8 respectively— while giving the (then) European Community a leading role over not only the Council of Europe’s Convention 108, but also over some of the Member States’ constitutional legal orders. In these terms, the Charter of Fundamental Rights of the EU (CFREU) was deemed to be founding a new fundamental right on the protection of personal data “in the light of changes in society, social progress and scientific and technological developments” (‍González Fuster, 2014: 198; ‍Hijmans, 2016: 185-‍226; ‍Hijmans and Scirocco, 2009: 1487).

The CJEU started releasing wide interpretations of the DPD’s norms that made the fundamental rights facet evident alongside the market liberalisation one. In Lindqvist, the CJEU declared that, to fall within the scope of the DPD, data processing activities should not necessarily have been seen as having a direct link with the fundamental freedoms of the internal market[68]. Only activities strictly excluded from the scope of the DPD[69] should have been set aside from the scope of EU action, such as, for example, “domestic activity”[70]. In its reasoning, the CJEU kept on relying on Convention 108, but started progressively distancing itself from Article 8 of the ECHR as the Charter codified its own[71] set of data protection principles and rights[72], namely: the principle of fairness (Clifford and Ausloos, 2018); the principle of purpose limitation[73]; the principle of lawfulness (Hustinx, 2013); the right of access[74] to personal data and to have it rectified[75], and the control by an independent authority[76]. With the Treaty of Lisbon, Article 8 of the CFREU acquired binding force as the Union’s primary law and it was directly linked to a new Union competence on the protection of personal data embedded in Article 16(2) TFEU.

IV. IS THERE A RISK THAT MIGHT AFFECT OR ALTER THE EU’S DATA PROTECTION ACQUIS?

Being placed outside the Lisbon competence catalogue[77], Article 16(2) TFEU[78] confers on the EU a new, shared, by-default competence on the protection of personal data and on the free movement of such data. This norm has an internal reflection directed at regulating the processing activities of Member States and EU institutions, bodies, offices, and agencies “[…] when carrying out activities that fall within the scope of Union law”. Hence, its insertion was expected to support the adoption of “specific juridical acts” with a cross-cutting dimension (‍Martín y Pérez de Nanclares, 2008: 228)[79] excepting the common foreign and security policy[80]. In reality, the EU renewed its data protection acquis via three legal instruments: the General Data Protection Regulation[81] (GDPR), the Law Enforcement Directive[82] (LED), and the EU Data Protection Regulation[83] (EUDPR).

In a previous study of ours, the existence of EU external competence based on Article 16(2) TFEU has been assessed (‍Tassinari, 2022: 5 ff.). On that occasion, we identified two main objectives pursued by the EU internally: first, the safeguarding of a high level of protection of individuals’ fundamental rights; and second, the free movement of such data. The non-circumvention of the EU data protection acquis was then found to be the rationale justifying the necessity of EU intervention in the external layer. Still, in that study, we maintained that the EU’s external action in the data protection field is firstly put in place via the adoption of adequacy decisions (‍Kuner, 2020b: 777; ‍Tassinari, 2021: 4901 ff.) rather than international agreements[84]. One of the reasons explaining the subversion of hierarchy of sources resulting[85] from the adoption of adequacy decisions was avoiding falling into mixed negotiations. It is now time to assess the nature of the EU’s external competence by considering the degree of harmonisation achieved internally by the EU acquis against the affectation criterion set down in Article 3(2) TFEU. If the AETR/ERTA effect is not triggered, the EU external (implied) competence resulting from Article 16(2) TFEU would have a shared or concurrent nature[86].

1. The General Data Protection Regulation’s scope, nature, and content

With the new GDPR, the EU expressly aims to eliminate any cumulative and simultaneous application of different national laws and to ensure the uniform application of the GDPR, on the assumption that existing practical challenges jeopardise the enforcement of data protection legislation and undermine the cooperation between Member States and their authorities. Indeed, current Article 1(2) GDPR establishes that the GDPR “[…] protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data”. Yet its material scope makes major reservations[87], for example to the common foreign and security policy[88] and to the processing of personal data falling under the scope of the LED[89].

The GDPR is a general, entirely binding, and directly applicable instrument[90] and some of its rules do not leave any margin of manoeuvre to Member States[91]. According to the CJEU, the level of protection granted by the GDPR is to be seen vis-à-vis the CFREU only, without taking into account either the ECHR[92] or Member States’ national law —including their constitutional traditions— to ensure the homogeneous application of the rules for the protection of the fundamental rights and freedoms of natural persons whose data is processed within the EU[93]. In the specific context of the transfer of personal data to third countries and international organisations, for example, Kuner maintains that:

Member States may not undertake obligations with third countries that affect common rules laid down by the EU, and Member States may act with regard to those areas of shared competences only to the extent that the EU has not done so. Since the GDPR has comprehensively regulated data protection and the rules covering the international data transfers in the Union, in practice, Member States have only limited margin to enter into international agreements governing international data transfer, if at all (2020: 761).

Indeed, alongside the protective objective, and as the European Commission stressed during the negotiations, common rules are to be justified to achieve cross-border flows of personal data among the Member States and with third-country nationals or international organisations providing for “a level of protection essentially equivalent to the EU one” (‍Sobrino García, 2021). Hijmans, although premising that the nature of the EU competence is not fully clear, highlights that “[…] Member States might wish to use this remaining competence for the exchange of law enforcement information with third countries, or otherwise for purposes of administrative cooperation with third countries requiring the exchange and use of personal data” (Sobrino García, 2016: 469). The author then reaches the conclusion that “[…] the existence of an exclusive EU competence under Article 16 TFEU must be assumed on the basis of the reasoning that effective protection of the fundamental rights of privacy and data protection on the internet cannot be achieved by internal rules alone. Effective protection requires the widest possible geographical scope of protection, and hence external action” (‍Hijmans, 2016: 469).

Recital 102 of the GDPR could be invoked to support the existence of an EU-exclusive (implied) external competence, as this prevents Member States from concluding an international agreement that involves the transfer of personal data to third countries or international organisations, in case such an agreement affects the GDPR or any other provisions of Union law[94]. This recital (Klabbers, 2002: 165-166) echoes the AETR/ERTA doctrine by requiring an assessment of the principle of affectation. However, such an ascertainment could be performed on a case-by-case basis to clarify whether internal provisions trigger a pre-emptive exclusivity or not (Cremona, 2010a: 104). In this sense, we note how Member States have been fighting to lower the range of GDPR provisions of a binding nature and have opted for the following: provisions built upon national law; rules that require domestic law to give them effect; and norms enabling the adoption of more stringent provisions than the ones provided for by the GDPR at national level, or that are even divergent from it (EDPS, 2012: 9). Also, Member States insisted on a bottom-up enforcement system based on national supervisory authorities instead of an EU supervisory body (De Hert, 2021: 297). As a result, the GDPR has been described as a regulation with a directive’s soul, leaving the possibility open for new obstacles to prevent the data flow among Member States[95]. GDPR recital 8 clarifies that, where Member States are allowed to introduce specifications or restrictions, they “[…] may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law”. Thus, a margin of manoeuvre for Member States’ legislators exists, and even though this is limited to the open clauses set forth in the regulation, full harmonisation should be discarded[96].

All of the above leads us to assume that the EU has reached exclusive competence in certain elements regulated by the GDPR, e.g. adequacy decisions and the assessment thereof, without achieving total harmonisation, as some other elements, e.g. appropriate safeguards and derogation clauses, are subject to further national development[97]. Moreover, Member States still keep their sovereign prerogatives for regulating defence and national security policies. Consequently, the affectation criterion would be triggered or not depending on the elements touched upon in an envisaged agreement. If both elements of exclusivity and concurrency are present, then facultative mixity might be leveraged by Member States to impede an EU-only agreement[98]. If the envisaged agreement also concerns defence and national security policies, mandatory mixity, not facultative, would then come into play.

2. The Law Enforcement Directive’s scope, nature, and content

The LED regulates the protection of natural persons as to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Its scope is cumulatively limited from subjective and objective perspectives (Quintel, 2022): the LED does not apply when personal data are processed by competent authorities[99] for non-LED purposes[100], or to processing activities that are entrusted to competent authorities but lie outside the scope of the LED[101]. In addition, the LED does not cover the processing of personal data “in the course of an activity which falls outside the scope of Union law”[102]. As a Directive, the LED is a binding instrument firstly directed to the Member States which are responsible for balancing the respect of fundamental rights and freedoms with the need to exchange personal data[103]. Yet the LED does not, as would be desirable, explicitly state the level of harmonisation it seeks to achieve within its provisions.

The LED calls on the EU legislator to suppress existing obstacles deriving from Member States’ divergent legislations on the protection of personal data[104] while ensuring “[…] a high level of protection within the Union”[105]. Even more relevant, the LED legitimises Member States to adopt more stringent rules to guarantee a higher level of protection to individuals’ fundamental rights on personal data[106]. These considerations suggest that, at first sight, the LED aims to lay down minimum standards of protection while leaving a margin of manoeuvre for Member States to adopt higher ones[107] via national legislation and with due respect to the proportionality principle[108]. As a general rule, minimum standards do not trigger the AETR/ERTA exclusivity provided that the envisaged agreement presents the same degree of harmonisation as the LED. As Klamert finds[109]:

[…] when the Union adopts less stringent rules than those in a convention, then Member States can adopt more stringent measures than those provided in EU secondary law, by applying the (stricter measures of the) international agreement. Secondly, if the Union passes more stringent measures than those of the (minimum standard setting) international agreement, that agreement does not prevent the full application of the more stringent Union measures by the Member States. It could be added that, in the second case, neither the agreement nor the Union measures would bar Member States to regulate even stricter measures than foreseen by both acts. Thus, the ERTA pre-emption principle does not apply if both the international agreement and the provisions of Union law provide minimum standards (‍2015: 377).

The EU-US Umbrella Agreement concluded in 2016 might be a good example of this practice (Blasi Casagran, 2017: 100-11). The EU-US Umbrella Agreement was concluded on the basis of Article 16 TFEU[110] and seeks “[…] a high level of protection of personal information and enhanced cooperation between the United States and the European Union and its Member States, in relation to the prevention, investigation, detection or prosecution of criminal offences, including terrorism”[111]. For this purpose, it establishes “standards of protection” on the transfer of personal data between competent authorities established in the US and the EU respectively, without it constituting a valid legal basis for the enabling of the transfer of personal information[112] (EDPS, 2009). The provisions set forth in the EU-US Umbrella Agreement are called upon to supplement those on the protection of personal data inserted in other EU-US treaties, and other agreements concluded between the Member State(s) and the US[113]. Its programmatic nature (Fajardo del Castillo, 2018: 49) generates the expectation that further protocols or new treaties will be concluded on its basis (EDPS, 2009: 32)[114]. For example, the EU-US Umbrella Agreement encompasses the EU-US e-Evidence Agreement as private service providers will have to disclose the personal data they hold to foreign law enforcement authorities.

As the EDPS noted, some discrepancies between the EU-US Umbrella Agreement and the LED are visible: first, the EU-US Umbrella Agreement has a limited scope ratione personae as it excludes the nationals of third countries while giving priority to EU and US citizens; second, the definition of “processing” does not include certain types of operations, such as recording, storage, retrieval, consultation, alignment or combination, blocking, erasure or destruction (‍EDPS, 2014c: 15). Finally, the EDPS noted that the right to access and to rectify personal data has been unduly restricted by virtue of broader clauses, such as one granting law enforcement access to sensitive information or the recommendation to reduce existing derogations. For its part, former Article 29 DPWP pointed out two additional shortcomings: first, the EU-US Umbrella Agreement does not cover cases of national security that are kept under the sovereign competences of the Member States[115] and second, the Agreement does not regulate the access of third countries’ authorities to data processed by private companies (‍Article 29 DPWP, 2014: 25). With regard to the first point, former Article 29 DPWP specified that the national security clause set forth in Article 4(2) TEU defines the competence of the EU only vis-à-vis its Member States and cannot be used by data protection controllers operating under EU law to comply with a third country’s request for the transfer or disclosure of personal data according to their concept of “national security”[116]. In its words:

Since the Umbrella Agreement will fall short in offering full protection to all citizens, what is needed is an international agreement providing adequate protection against indiscriminate surveillance […]. However, this agreement would be directly linked to the national security exemption and thus fall outside the scope of EU law. Therefore, it is up to the Member States to start negotiations in a coordinated manner (‍Article 29 DPWP 2014: 15 and 16).

Given that national security is kept within the prerogatives of the Member States, the latter are the only ones entitled to conclude an international agreement regulating the transfer of, or access to, personal data by surveillance agencies[117]. As for the second aspect, former Article 29 DPWP pointed out that the EU-US Umbrella Agreement does not cover the possibility that third countries’ authorities are given access to private companies’ data processed under EU law, which was highly recommended by the EDPS (‍2009: 19-‍23). Yet we find that the exclusion of the private sector from the Agreement is in line with the CJEU’s jurisprudence binding law enforcement authorities to the data protection principles stemming from the derogations set out in the GDPR instead of the rules set forth by the LED[118]. Indeed, the LED clearly refers to the exchange of data between public authorities alone, unless another body or entity is entrusted to exercise public authority and public powers.

From the considerations made above, we understand that the LED could in no case trigger the AETR/ERTA effect insofar as both the EU-US Umbrella Agreement and the provisions of Union law provide for minimum standards (‍Klamert, 2015: 377):

[…] when the Union adopts less stringent rules than those in a convention, then Member States can adopt more stringent measures than those provided in EU secondary law, by applying the (stricter measures of the) international agreement. Secondly, if the Union passes more stringent measures than those of the (minimum standard setting) international agreement, that agreement does not prevent the full application of the more stringent Union measures by the Member States[119].

Therefore, the EU external (implied) competence for concluding the EU-US Umbrella Agreement would result in a non-exclusive competence and, specifically, in a concurrent one. This competence was exercised by the Union only, but it did not “occupy the territory” as Member States can apply more stringent measures internally, in line with the LED[120]. However, in view of the development of Union law in the future, we should warn that Member States’ treaty-making power will be limited to the adoption of less stringent rules, i.e. granting more favourable treatment to their beneficiaries, than those adopted supranationally (‍Adam and Tizzano, 2022: 422)[121]. If the envisaged (bilateral) agreement would impose more stringent rules than those of the LED, then the Union would not be able to raise its minimum standard above the absolute standard agreed by Member States with that third Party. In other words, Member States can conclude bilateral agreements based on the LED if, and only if, they provide less stringent rules than those of the LED (‍Wennerås, 2008).

V. MIXED ACCESSION TO CONVENTION 108+

The debate on the nature of EU external implied competence based on Article 16(2) TFEU was raised on the occasion of the adoption of a decision for the opening of negotiations to modernise Convention 108 (or Convention 108+)[122]. At that time, the conditions and procedures for accession of the EU[123] to Convention 108+ were discussed after the failure to adopt the 1999 Protocol for amendment[124]. Convention 108+ is not thought to be a framework agreement, but sufficiently precise so as to grant rights and freedoms to individuals, following its incorporation into the national legal order where necessary. Besides, the scope of Convention 108+ is not a sectorial one and, while regulating law enforcement agencies, it touches upon areas tied to the core sovereignty of the State. Thus, Member States’ leverage towards mixity was quite obvious.

From the discussions held in the EU Council working party on information exchange and data protection, it emerges that the mandate for negotiation proposed by the European Commission, under which the Union could have ratified the amending Protocol on behalf of the Union tout court, was not welcomed by several delegations[125]. In that mandate, the European Commission relied on the affectation or alteration criterion of Article 3(2) TFEU to support the EU’s exclusive competence and to solely conclude the envisaged agreement[126]. Conversely, a number of delegations asked for mixity because “according to the division of competences in the EU, the area of data protection is one of a shared competence between the European Union and the Member States (Articles 4 and 16 TFEU), and one in which both the Union and its Member States continue to adopt important measures within their respective ambits of competences”[127]. The European Commission’s mandate for negotiations, which originally lacked reference to the substantial legal basis of Article 16(2) TFEU[128], was shaped following the reaction from Member States. The interpretation given by the European Commission to Article 3(2) TFEU was rejected for “[…] automatically pre-empting the entire agreement as falling within the exclusive competence of the EU the moment any part thereof may affect common rules”[129]. Mixity would be justified, according to the opposing Member States, from three perspectives:

  • a) first, both Convention 108+ and the GDPR were under negotiations and, consequently, certain provisions might not have triggered the AETR/ERTA effect;

  • b) second, Member States added that the provisions related to retained sovereign competences, e.g. defence and national security, would have required their engagement by virtue of “mandatory mixity”: “In such circumstances, the choice of proceeding in the format of a mixed agreement is not only in accordance with EU law (including the requirements of the principle of subsidiarity) but also functionally warranted”[130]; and

  • c) third, Member States noted that not all the provisions set down under Convention 108+ would be covered by the EU data protection acquis[131].

Concerning the first point, the CJEU acknowledges that EU law might evolve in the future. In Opinion 1/03[132], the Court found that, when common provisions are foreseeable at the time of Member States’ action, they must be taken into account to assess the AETR/ERTA exclusivity in respect of the principle of loyal cooperation[133] (Cremona, 2020: 21). By alleging that certain provisions of the EU data protection acquis might not have triggered the AETR/ERTA effect, the delegations were inferring that the Union was prevented from acting alone for those elements of Convention 108+ covered by concurrent competences. Here, mixity might be criticised for implementing the AETR/ERTA test in an “atomistic” way, without taking into account the holistic or systematic approach promoted by the CJEU[134]. Indeed, the affectation or alteration criterion could be deduced as long as the envisaged agreement had been largely covered by EU law[135], and in the light of the main purpose and component pursued by the modernised Convention. Under this reading, a Union-only agreement would have been feasible[136], eventually under the AETR/ERTA logic too. As for the third reasoning, and in the absence of internal provisions, action by the EU alone should not be excluded a priori since the “necessity” of its external intervention might prove to be the sine qua non for exercising its internal competence too[137]. Even though it is hard to figure out provisions established in Convention 108+ that are not covered by the GDPR and the LED, in this case also, mixity, in its facultative meaning, could have been avoided. Conversely, it is difficult to rebut the assumption that mixity was needed because of the co-presence of features of the Union’s exclusivity and Member States’ sovereignty (shared competence)[138].
Obviously, Member States did not confer on the EU the exercise of sovereign competences on defence and national security, and their inclusion in Convention 108+ requires resorting to “mandatory mixity”. Indeed, and unlike in EU law, where national or public security clauses are used for derogating common provisions —so that the CJEU enters by assessing the lawfulness of national provisions with respect to the CFREU[139]—, the scope of Convention 108+ includes them[140]. On top of that, the defence and security domains might push Convention 108+ to fall into “CFSP/TFEU mixity” or “horizontal mixity”[141] (Dashwood, 2010: 354; Wessel, 2012: 43-44) with consequent uncertainties for the choice of the correct legal basis and the decision-making procedure to be followed by the EU (García Andrade, 2017; Cremona, 2010b: 99 ff.).

Besides, we should add one more objection to those raised by Member States. Today, Convention 108+ is open for signature to the EU[142] —and other international organisations[143]—, but its entry into force is conditional on ratification by Convention 108’s Parties. Thus, the EU could not sign or ratify the new Protocol at this stage, given that Convention 108 was open to State Parties only[144]. Member States have been authorised to sign or ratify the modernised Convention in the interest of the Union[145], but only “insofar as its provisions fall within the exclusive competence of the Union”[146] and not “insofar as its provisions fall within Union competence”[147]. Moreover, the conclusion of a (mandatory) mixed agreement in the multilateral context leads to practical difficulties in the terms explained below (Timmermans, 2010)[148].

First of all, the co-presence of the EU and its Member States might have hindered smooth negotiations of the envisaged agreement (‍Monar, 2012: 24), with consequent delays for its conclusion[149]. In 2017, the Parliamentary Assembly of the Council of Europe noted[150] that disagreements[151] were delaying the entry into force of the amending Protocol and urged the contracting Parties to ratify it or, alternatively, consider the adoption of a new convention (‍De Hert and Papakonstantinou, 2014). Interestingly, the solution found provides for the entry into force of Convention 108+ without the need of ratification, acceptance, or approval of all the Parties to the Protocol, with 38 ratifications of the Parties to Convention 108 being sufficient for its “partial entry” by 11 October 2023. It could be the case, then, that Convention 108+ enters into force, without it having been ratified by all Member States[152], and that the EU signs it.

Secondly, the mixed accession to Convention 108+ sets aside the opportunity of drawing a clear line between the areas of EU-exclusive and concurrent competences[153]. As the Committee of Ministers noted, the Union should submit, upon accession, a declaration of competences “[…] clarifying the distribution of competences between the EU and its Member States as regards the protection of personal data under the Convention. Subsequently, the EU will inform the Secretary-General of any substantial modification in the distribution of competences”[154]. According to Polakiewicz, this declaration of competence:

[…] would not have to indicate exhaustively the list of EU competences, which are in any case evolutive in nature. Where necessary, questions related to the exact distribution of competences between the EU and its Member States could be addressed in the context of the monitoring mechanism in which both the EU and its Member States would anyway have to cooperate on the basis of the duty of loyal cooperation (‍Polakiewicz, 2021: 11; ‍Gascón Marcén, 2023: 236).

For the declaration of competences then, we will have to wait for the EU’s accession to Convention 108+. This declaration is expected to distribute voting rights[155] within the Convention 108+ Committee[156]. In the proposed directives for negotiations, Member States indicate that the European Commission should be entitled to vote on behalf of the Union, and with a number of votes equivalent to the number of Member States which are Parties to the treaty, only for matters falling within its exclusive competence[157]. The Appendix attached to Convention 108+ specifies that: “Regional integration organisations, in matters within their competence, may exercise their right to vote in the Convention Committee, with a number of votes equal to the number of their Member States that are Parties to the Convention. Such an organisation shall not exercise its right to vote if any of its Member States exercises its right”[158]. Yet the Union presence in the Convention 108+ Committee would confuse the majority quorum for voting: a general hyper-majority of four fifths would apply as a general rule, and a double majority (qualified majority together with simple majority of non-EU Parties) would be needed for decisions concerning compliance with Convention 108+ by a Party[159]. Moreover, when the underlying competence is concurrent, the picture becomes less clear (Fajardo del Castillo, 2021: 61): it could be decided that both the Union, i.e. the European Commission, and its Member States, i.e. the Council rotating Presidency, participate in the discussions of the Convention 108+ Committee, with only one of the two being entitled to exercise the right to vote[160]. Such a provision would demand coordination[161] between the Union and its Member States with a view to expressing a common position for concurrent competences[162].

A third point of concern relates to the international responsibility of contracting Parties in the case of rule breaches. In the MOX Plant case[163], the CJEU confirmed that the provisions of non-exclusive competences inserted in a mixed agreement also fall under Union law. By acceding to Convention 108+, the EU would assume responsibility for the performance of the agreement that comes to “form an integral part of the Community legal order”[164]. Consequently, as long as the elements of Convention 108+ are covered by concurrent competences, it would be necessary “to establish whether and to what extent the [European Union], by becoming a party to the Convention, elected to exercise its external competence […]”[165]. If so, that is if the EU has exercised its external concurrent competence, the CJEU could presumably extend its jurisdiction (Fajardo del Castillo, 2013) to the interpretation and application of Convention 108+, notwithstanding the jurisdiction of the European Court of Human Rights (ECtHR). Actually, mixed accession to Convention 108+ risks reopening Pandora’s box on the EU’s accession to the ECHR[166] and, specifically, on the “dialogue” between the CJEU and the ECtHR (Marin Aís, 2013). In this sense, we believe that the CJEU might come to reject the ECtHR’s interpretation of Convention 108+, even more so when the Union’s exclusive competences are touched upon[167]. In parallel, the CJEU’s rulings would not oblige the ECtHR. Considering that Convention 108+ is expected to play a prominent role especially, but not only, in cases of (alleged) breach of the human right to respect for private and family life[168], it is not clear how coordination between the two judicial bodies would be ensured. Finally, and so long as the EU does not accede to the ECHR, the former would not be subject to the ECtHR’s judicial control[169] and, consequently, it would not be able to take part in any dispute procedure at all[170].

VI. CONCLUSIONS

This contribution analysed the nature of the EU’s external competence on the protection of personal data and on the free movement of such data underpinned by Article 16(2) TFEU. After giving a brief overview of the law, jurisprudence, and state-of-the-art doctrinal debate concerning the theory of implied powers applied to the EU’s external action, it thoroughly inspected the conferral of a relevant, shared internal competence on the EU. We recalled that the EU started legislating on personal data, lacking an explicit legal basis and the power to regulate human rights as well, with a sectorial approach. Even though the DPD tried to regulate data protection matters comprehensively, it fell short in terms of harmonisation because of its internal market intention. The empowerment gap was filled firstly by the CFREU as it provided for a specific fundamental right to protect personal data, alongside the respect for private and family life —Articles 8 and 7 respectively.

Following the Treaty of Lisbon’s entry into force, the EU has developed its own acquis on personal data protection —namely, the GDPR, LED, and EUDPR— that draws on a sectorial approach in the light of the common foreign, security, and law enforcement domains. The GDPR and LED form the baseline upon which we assessed the nature of the EU’s external implied competence. The study found that neither the GDPR nor the LED reached full, total, or complete harmonisation, that would set off the AETR/ERTA affectation criterion of Article 3(2) of the TFEU. On the one hand, the GDPR maintains elements that allow Member States to diverge from the settled EU standard or not, as well as clauses excluding national prerogatives. On the other hand, the LED set down minimum standards for which Member States might implement more stringent measures internally, which excludes the AETR/ERTA rationale. It follows that, by virtue of the Union’s data protection legislation in force, the EU is conferred an external implied shared/concurrent competence that might fall into mixed negotiations.

Mixity was indeed stressed by some Member States to let the European Commission negotiate the Council of Europe’s Convention 108+. At that moment, mixity was justified under several angles: facultative mixity stemmed from the non-exclusive, or concurrent, nature of the underlying competence and the Member States’ reluctance in authorising the conclusion of a Union-only agreement, while mandatory mixity would be justified in the light of the security and defence clauses inserted in the envisaged agreement. Finally, de facto mixity was necessary to authorise the signature or ratification of the amending Protocol in the interest of the Union, but limited to areas of the Union’s exclusive competence. The conclusion of a mixed agreement in the multilateral context proved to be cumbersome and heralded legal uncertainty. In the absence of a firm declaration of competences between the EU and its Member States, it is not clear how these will be represented within the Convention 108+ Consultative Committee, how voting rights will be exercised, and how coordination will be achieved. Besides, accession of the EU to the modernised Convention after its entry into force will (again) put Luxembourg and French courts in tension insofar as their jurisdictions overlap.

NOTES

[1]

Ph.D. in Public international law and international relations at the University of Granada and in European Union law and national legal orders at the University of Ferrara. Researcher ID: H-5751-2018. ORCID: 0000-‍0003-4487-713. The opinions expressed in this paper are strictly personal and are not attributable to the institution of the author’s current work, namely the European Commission. The author wishes to thank García Andrade and the peer reviewers for their insightful inputs.

[2]

Judgment of 16 July 2020, Maximillian Schrems v Data Protection Commissioner, C-362/14, EU:C:2015:650, and Judgment of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd, and Maximillian Schrems, C-311/18, EU:C:2020:559.

[3]

Opinion of 26 July 2017, Draft Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data, 1/15, EU:C:2017:592.

[4]

Judgment of 31 March 1971, Commission v Council, C-22/70, EU:C:1971:32.

[5]

Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, of 10 October 2018 (CETS No 223).

[6]

Judgment of 31 March 1971, Commission v Council, C-22/70, EU:C:1971:32, para. 17.

[7]

Opinion of 14 October 2014, Accession of third States to the Hague Convention, 1/13, EU:C:2014:2303, para. 67, and the case law cited therein.

[8]

See below.

[9]

Judgment of 5 December 2017, Germany v Council, C-600/14, EU:C:2017:35, para. 49: “[…] the scenario in which the conclusion of an agreement is liable to affect common rules or to alter their scope […] constitutes only one of those situations”.

[10]

Whether by nature or by exercise is, to me, a matter of interpretation: the former would stress that exclusivity now stems from Article 216(1) TFEU, the Lisbon Treaty having codified the relevant case law; the latter would imply that exclusivity follows the exercise of internal decision-making powers in accordance with the AETR/ERTA jurisprudence. On the distinction between necessity and nature of EU intervention see, e.g., Judgment of 5 December 2017, Germany v Council, C-600/14, EU:C:2017:35, para. 47.

[11]

Article 3(2) TFEU in fine.

[12]

Opinion of 26 April 1977, Draft Agreement establishing a European laying-up fund for inland waterway vessels, 1/76, EU:C:1977:63, para. 4.

[13]

She recalls Article 5(2) TEU in fine: “Competences not conferred upon the Union in the Treaties remain with the Member States”.

[14]

The authors find that such an expression refers to the AETR/ERTA judgment “[…] in its function as a source of competence for the Union to enter into international agreements where express conferral is lacking […] Nevertheless, the enshrinement of the AETR principle in Article 216(1) appears wise, since its ‘existence function’ is logically inseparable from its ‘exclusivity function’, and not to have acknowledged the former might have given rise to uncertainty”.

[15]

Judgment of 5 December 2017, Germany v Council, C-600/14, EU:C:2017:935, para. 45.

[16]

Judgment of 31 March 1971, Commission v Council, C-22/70, EU:C:1971:32, para. 87.

[17]

Opinion of 26 April 1977, Draft Agreement establishing a European laying-up fund for inland waterway vessels, 1/76, EU:C:1977:63, para. 7.

[18]

According to the author: “[…] an ‘exclusivity by external exercise’ would, as its name suggests, derive from the effects of the exercise of the external competence itself”, our own translation.

[19]

Judgment of 5 December 2017, Germany v Council, C-600/14, EU:C:2017:935, para. 50.

[20]

Ibid., para. 51.

[21]

Article 4 of the TFEU.

[22]

Except for the accession of the EU to the ECHR, as per Article 218(8) of the TFEU.

[23]

Notwithstanding whether the EU competence is exclusive or not, e.g. Paris Agreement on Climate Change of 12 December 2015 (UNTS vol. 3156), the mixed formula is required as the Union cannot be a contracting Party for the other part of the agreement (‍Fajardo del Castillo, 2018).

[24]

Opinion of 16 May 2017, Free Trade Agreement between the European Union and the Republic of Singapore, 2/15, EU:C:2017:376.

[25]

According to the author, coexistence occurs “[…] when there is, for a clearly distinguishable part of the agreement, an exclusive national competence which makes it legally impossible for the Union to function as a Contracting Party for that part”.

[26]

Rosas inserts concurrent competences under the broader “shared roof competences” together with mandatory mixity (‍2020: 13); Govaere, instead, depicts the former situations as “truly shared” and the latter as “joint competence” (‍2020: 27).

[27]

The principle of subsidiarity, instead, is called on to assess whether the Union’s intervention brings added value compared with action by the Member States alone (Bosse-Platière and Cremona, 2020). If so, the question of Union-only or Union mixed action could then be raised.

[28]

In the case of parallel competences, e.g. in the fields of development cooperation or humanitarian aid, and provided that the EU and Member States can act alone, mixity is also facultative but less controversial as the EU action does not pre-empt Member State action —cfr., Judgment of 2 March 1994, Parliament v Council (EDF), C-316/91, EU:C:1994:76, para. 29: “These are mixed agreements in a formal sense, but not from a substantive perspective, since the Union would enjoy the power to adopt all the commitments contained in the agreement” (‍García Andrade, 2019: 46).

[29]

The case of readmission agreements is controversial among scholars: one could argue that these are supported by an EU-explicit [Article 79(3) TFEU] external competence of a concurrent nature that has not been (‍Rosas, 2020: 15) or could not be (‍García Andrade, 2018: 170 ff.) exercised internally.

[30]

Opinion of 26 April 1977, Draft Agreement establishing a European laying-up fund for inland waterway vessels, 1/76, EU:C:1977:63.

[31]

Among others, see the Opinion of AG Sharpston of 21 December 2016, Conclusion of the Free Trade Agreement between the European Union and the Republic of Singapore, 2/15, EU:C:2016:992, para. 74.

[32]

Council’s qualified majority voting or, even more difficult, unanimity is indispensable under Article 218(8), paras. 1 and 2 respectively, of the TFEU so Member States might push the EU to accept facultative mixity also in this case, as recalled in Judgment of 5 December 2017, Germany v Council, C-600/14, EU:C:2017:35, para. 68.

[33]

The Schengen acquis-Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders (OJ L 239, 22.9.2000, p. 19-62).

[34]

Council Regulation (EC) No 2424/2001 of 6 December 2001 on the development of the second-generation Schengen Information System (SIS II) (OJ L 328, 13.12.2001, pp. 4-‍6), and Council Decision 2001/886/JHA of 6 December 2001 on the development of the second-generation Schengen Information System (SIS II), (OJ L 328, 13.12.2001, pp. 1-‍3).

[35]

See Article (7)(a) of the Treaty of the European Community (hereinafter 1992 TEC). In 1973, the European Commission advanced the first proposal to build a community policy on data processing. This policy would be based on two fundamental points: firstly, the development of the capacities of European industry and, secondly, the promotion of the effective use of information —cfr., Communication from the Commission to the Council, Community policy on data processing, SEC(1973) 4300 final, Brussels, 21-‍11-1973, p. 2.

[36]

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 (ETS No 108), and Resolution of the Parliamentary Assembly, Data processing and the protection of human rights, No 721, Strasbourg, 1.2.1980. Thus, the European Community started inserting data protection principles in its pre-accession strategy while making express reference to the United Nations’ and/or the Council of Europe’s frameworks (Terwangne, 2022).

[37]

Communication from the Commission, The protection of individuals in relation to the processing of personal data in the community and information security, COM(90) 314 final, Brussels, 13.9.1990.

[38]

The fear of being set apart from international trade was justified by the fact that 90% of computers in Europe came from the US and, among them, 60% were monopolised by the International Business Machines Corporation —cfr., Communication from the Commission to the Council, Community policy on data processing, SEC(1973) 4300 final, Brussels, 21-11-1973, p. 2.

[39]

Proposal for a Council Directive concerning the protection of individuals in relation to the processing of personal data, COM(1990) 314 final (OJ C 277, 5.11.1990, pp. 3-‍12).

[40]

The proposal was underpinned by Article 100a and Article 113 of the Treaty of the European Economic Community (OJ L 169, 29.6.1987, pp. 3-‍288) (hereinafter TEEC). The lawmaking procedure required the qualified majority voting in the Council of the EU, and the cooperation of the European Parliament.

[41]

In Judgment of 18 November 1999, Commission v Council, C-209/97, EU:C:1999:559, paras. 33-‍37, the CJEU found that Article 235 of the 1992 TEC was the correct legal basis instead of Article 100a of the 1992 TEC for the establishment of the Customs Information System (CIS). Also, the CJEU referred to the provisions of the CIS on the protection of personal data and considered that the potential harmonisation stemming from it should have been considered as “incidental effect of legislation”.

[42]

Judgment of 17 March 1993, Commission v Council, C-155/91, EU:C:1993:98, and Judgment of 5 October 2000, C-376/98, Federal Republic of Germany v Parliament, and Council, EU:C:2000:544.

[43]

Treaty on European Union (OJ C 191, 29.7.1992, p. 1-112).

[44]

See Amended proposal for a Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(1992) 422 final, Brussels, 15.10.1992.

[45]

List of proposals pending before the Council on 31 October 1993 for which entry into force of the Treaty on European Union will require a change in the legal base and/or a change in procedure, COM(1993) 570 final, Brussels, 10-‍11-1993. The European Parliament advanced limited amendments that were overall accepted by the European Commission —cfr., Opinion of the Commission pursuant to Article 189b(2)(d) of the EC Treaty, On the European Parliament’s amendments to the Council’s common position regarding the proposal for a European Parliament and Council Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(1995) 0375 final, Brussels, 18.7.1995.

[46]

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31-50).

[47]

The United Kingdom tried to undermine the majority achieved and left the Council one step away from unanimity (White, 1997: 238).

[48]

Opinion of AG Tizzano of 14 November 2002, Neukomm and Lauremann v Österreichischer Rundfunk, C-465/00, EU:C:2002:662, para. 54: “Article 100a could not be invoked as a basis for measures going beyond […] the establishment and functioning of the internal market”.

[49]

Article 2(a) DPD, and Judgment of 17 July 2014, YS v Minister voor Immigratie, Integratie en Asiel, and Minister voor Immigratie, Integratie en Asiel v M. S., C-141/12 and C-372/12, EU:C:2014:2081, for the distinction between “information” and “personal data”.

[50]

Recital 27 DPD.

[51]

Chapter IV DPD.

[52]

Article 28 DPD.

[53]

Article 3(2), para. 1, DPD. Before police and judicial cooperation in criminal matters policies were brought under EU competence, the EU adopted Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350, 30.12.2008, p. 60-71) based on Articles 30, 31 and 34(2)(b) of the Treaty on European Union (OJ C 340, 10.11.1997, p. 145-172). Remarkably, the CJEU jurisprudence did not apply to the intergovernmental framework, unless its jurisdiction had been expressly accepted (‍Cebado Romero, 2006: 80).

[54]

Judgment of 19 September 2002, Bodil Lindqvist v Åklagarkammaren i Jönköping, C-101/01, EU:C:2002:513, para. 82.

[55]

Namely Article 13 DPD.

[56]

Judgment of 7 November 2013, Institut professionnel des agents immobiliers (IPI) v Geoffrey Englebert, Immo 9 SPRL, Grégory Francotte, C-473/12, EU:C:2013:715, para. 32.

[57]

Judgment of 29 July 2019, Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, C-40/17, EU:C:2019:629.

[58]

In contrast, in the Judgment of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v Administración del Estado, C-468/10 and C-469/10, EU:C:2011:777, the CJEU emphasised that the catalogue of cases listed under Article 7(f) DPD should have been considered as exhaustive.

[59]

But this is possible, as the European Community could have acquired exclusive competence to act externally on the basis of a “general legal basis”, i.e. Article 100a of the 1992 TEC, only once the internal power had been exercised, according to Opinion of 15 November 1994, Competence of the Community to conclude international agreements concerning services and the protection of intellectual property, 1/94, EU:C:1994:384, para. 87 (De Baere, 2008: 59).

[60]

Article 25(1) and (6) DPD.

[61]

Article 25(3) DPD: “The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2”.

[62]

Article 26 DPD.

[63]

Article 26(3) and (4) DPD.

[64]

Article 286 of the Treaty establishing the European Community (hereinafter 1997 TEC).

[65]

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, pp. 1-‍2).

[66]

Articles 1(2) and 41-‍48 ECDPR.

[67]

Chapter IV ECDPR. Member States’ administrations, instead, were bound to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, pp. 37-‍47).

[68]

Judgment of 19 September 2002, Bodil Lindqvist v Åklagarkammaren i Jönköping, C-101/01, EU:C:2002:513, para. 42.

[69]

See Article 3(2) DPD.

[70]

Id.

[71]

Some scholars maintain that the right to a private and family life has a wider scope than the right to the protection of personal data (‍Boehm, 2012: 4). However, the right to the protection of personal data can be perceived as being wider than the right to a private and family life too (‍Kokott and Sobotta, 2013).

[72]

Judgment of 21 December 2016, Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, C-203/15 and C-698/15, EU:C:2016:970, paras. 127 and 129. Similarly, Article 29 DPWP affirmed that the DPD covered data processing activities outside home and family, such as labour law, criminal convictions, administrative sanctions or judgments in civil cases (‍2007b: 7).

[73]

Judgment of 5 May 2011, Deutsche Telekom AG v Bundesrepublik Deutschland, C-543/09, EU:C:2011:279, para. 65.

[74]

In C‑141/12 and C‑372/12, YS v Minister voor Immigratie, Integratie en Asiel, and Minister voor Immigratie, Integratie en Asiel v M. S., para. 48.

[75]

C-434/16, Peter Nowak v Data Protection Commissioner, 20 December 2017, EU:C:2017:994, paras. 25 and 57.

[76]

Judgment of 9 March 2010, Commission v Federal Republic of Germany, C-518/07, EU:C:2010:125; Judgment of 16 October 2012, Commission v Austria, C-614/10, EU:C:2012; and Judgment of 5 July 2015, Gert-Jan Dennekamp v Parliament, T-115/13, EU:T:2015:497.

[77]

Article 4(1) of the TFEU.

[78]

Article 16(1) of the TFEU refers back to Article 8 of the CFREU.

[79]

The provision of a new article had already been debated on the occasion of the (failed) project on a Constitution for Europe —cfr., Council of the EU, 2003 IGC Draft Treaty establishing a Constitution for Europe (following editorial and legal adjustments by the Working Party of IGC Legal Experts) 1, CIG 50/03, Brussels, 25.11.2003, p. 56.

[80]

Article 39 of the TEU derogates from Article 16(2) TFEU and sets down rules relating to the protection of personal data and its free movement in the common foreign and security policy. Because of the peculiarities of the EU’s competence systems in this area, where no pre-emption applies (Keukeleire and Delreux, 2022: 117 ff.), this norm could significantly impact the EU external action from a procedural point of view (Cremona, 2010b: 99 ff.).

[81]

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (OJ L 119, 4.5.2016, p. 1-88).

[82]

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, (OJ L 119, 4.5.2016, p. 89-131) followed by the Declarations to the TFEU No 20 on Article 16 of the Treaty on the Functioning of the European Union, and No 21 on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation.

[83]

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39-98).

[84]

Article 44 GDPR and Article 35 LED.

[85]

Adequacy decisions are implementing decisions adopted by the European Commission to assess whether a level of protection “essentially equivalent” to that of the EU is ensured by a third country or international organisation. Thus, adequacy decisions are acts of secondary legislation that lie below both EU primary and secondary laws, while international agreements remain between secondary law and the founding treaties (‍Gianelli, 2012: 106).

[86]

Huge debates concerning the necessity and range of EU external action in the absence of adopted provisions can be set aside from the current study —cfr., Judgment of 5 December 2017, Council v Germany, C‑600/14, EU:C:2017:935.

[87]

Article 2(2)(b) and (d) GDPR respectively.

[88]

Chapter 2 of Title V of the TEU.

[89]

See infra.

[90]

Article 288 of the TFEU.

[91]

Judgment of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, C-311/18, para. 98.

[92]

The same interpretation was given in the judgment of 21 December 2016, Tele2 Sverige AB v Post- och telestyrelsen, and Secretary of State for the Home Department v Tom Watson, Peter Brice, and Geoffrey Lewis, C-203/15 and C-698/15, para. 126 ff.

[93]

Judgment of 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd, and Maximillian Schrems, C-311/18, paras. 101 and 102.

[94]

Recital 102 GDPR.

[95]

“Application du RGPD, le manque d’harmonisation entre autorités nationales pointé par les eurodéputés”, Bulletin Quotidien Europe, No 12915, 22.3.2022.

[96]

Protocol No 25 on the exercise of shared competence (OJ C 115, 9.5.2008, p. 307), clarifies that “[…] when the Union has taken action in a certain area, the scope of this exercise of competence only covers those elements governed by the Union act in question and therefore does not cover the whole area”. See also “Les États membres demandent un réexamen plus large du règlement GDPR”, Bulletin Quotidien Europe, No 12405, 17.1.2020, according to which: “[The Council] also highlights the risk of fragmentation of legislation due to the margin of manoeuvre left to national legislators to maintain or introduce more specific provisions to adapt the application of certain rules” (our own translation).

[97]

See the Opinion of AG Priit Pikamäe of 16 March 2023, OQ c Land Hessen, en présence de SCHUFA Holding AG, EU:C:2023:220, paras. 91-‍93.

[98]

“[…] It is clear that the [Paris Agreement on Climate Change] covers fields in which the EU has acquired exclusive competences through the AETR effect and fields of which it has shared competences under Article 191 TFEU. [I]t would have been possible to envisage the conclusion of the Agreement by the EU only, by double application of its exclusive powers and of the principle of subsidiarity [so Member States’ participation] — and therefore facultative mixity — is a political choice […]” (‍Bosse-Platière and Cremona, 2020: 78).

[99]

Article 3(7) LED defines competent authorities as public authorities competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, and other bodies or entities entrusted by Member State law to exercise public authority and public powers for those purposes.

[100]

Article 1(1) LED states that the Directive aims to regulate the processing of personal data by competent authorities to prevent, investigate, detect, or prosecute criminal offenses or execute criminal penalties, including safeguarding against and preventing threats to public security.

[101]

Article 9(2) LED.

[102]

Article 2(3)(b) LED.

[103]

Article 1(2) LED.

[104]

Article 288 of the TFEU and recital 15, first sentence, LED.

[105]

Recital 15 LED, second instance.

[106]

Recital 15 LED, last sentence, and Article 1(3) LED allow Member States to provide higher safeguards than those established in it for the protection of the rights and freedoms of the data subjects falling under the LED’s scope.

[107]

See Germany’s call for agreement that the LED sets only minimum standards in Council of the EU, Proposal for a directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data - Chapters V-VI, 6846/14 ADD 3, Brussels, 28.3.2014, p. 5.

[108]

Judgment of 14 April 2005, Deponiezweckverband Eiterköpfe v Land Rheinland-Pfalz, C-6/03, EU:C:2005:222, para. 63.

[109]

The author maintains that “minimum harmonisation” enables Member States to adopt further requirements that are not strictly necessary under EU legislation. Klamert affirms that minimum harmonisation is more cooperative than full harmonisation, as is the case with directives, which require Member States to cooperate to achieve a predetermined objective.

[110]

No reference to Article 218 TFEU, as it should have been, was made.

[111]

Article 1(1) of the EU-US Umbrella Agreement.

[112]

Article 1(3) of the EU-US Umbrella Agreement.

[113]

Article 5(1) of the EU-US Umbrella Agreement.

[114]

“The EDPS supports the preference in the report for a binding agreement [as] an indispensable prerequisite to any data transfer outside the EU, irrespective of the purpose for which the data are being transferred. […]. In other words, a Memorandum of Understanding or another non-binding instrument can be useful to give guidance for negotiations for further binding agreements, but can never replace the need for a binding agreement”.

[115]

Article 3(2) of the EU-US Umbrella Agreement.

[116]

The sole exception can be envisaged when the third country’s security interest is also shared by the Member State, in which case Article 29 DPWP recognised that “[…] the boundaries of an EU Member State’s national security may not always be clear” (‍2014: 26). Nevertheless, the mere allegation of national security interest cannot prevent EU law from being applicable: a third country’s interest shall be clearly set out in national law, including where it is sealed by an international treaty between the Member State and such a third Party.

[117]

Nevertheless, some grey areas still exist, specifically where law enforcement authorities and intelligence services cooperate under the aegis of the national security clause. These uncertainties prevent a clear demarcation between EU and Member States’ competences in the national security field (‍Article 29 DPWP 2014: 26).

[118]

Judgment of 21 December 2016, Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, C-203/15 and C-698/15, EU:C:2016:970.

[119]

See also Judgment of 7 September 2004, Criminal proceedings against Paul Van de Walle, Daniel Laurent, Thierry Mersch and Texaco Belgium SA, C-1/03, EU:C:2004:490.

[120]

Judgment of 30 May 2006, Commission v Ireland, C-459/03, para. 102. Also, Opinion of 18 December 2014, Accession of the European Union to the European Convention for the Protection of Human Rights and Fundamental Freedoms, 2/13, EU:C:2014:2454, para. 188, recalls that “[…] the application of national standards of protection of fundamental rights must not compromise the level of protection provided for by the Charter or the primacy, unity and effectiveness of EU law”.

[121]

The authors find that when the founding Treaties expressly limit EU intervention to the adoption of minimum standards, Member States remain free to maintain such a standard or introduce more stringent measures than the ones adopted by the EU. In other words, the limits imposed on the Member States in the exercise of a concurrent competence are left to the co-legislators’ willingness to settle the intensity of regulation in a specific field.

[122]

Council of the EU, Recommendation for a Council Decision authorising the opening of negotiations on the modernisation of Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (EST 108) and the conditions and modalities of accession of the European Union to the modernised Convention, Brussels, 6176/13, 14.2.2013.

[123]

Convention 108 was initially restricted to countries that were Party to the Council of Europe only, while the European Commission was granted observer status within the Committee of Ministers during the negotiations [cfr., Article 23(1) of Convention 108 and Graham, 2018]. The participation of the European Community in the preparatory works of the Council of Europe’s committees was aimed at ensuring the compatibility of Convention 108 with the DPD (‍Article 29 DPWP, 1998b).

[124]

In 1999, the European Community was invited to take part in Convention 108 through Article 4(2) of the Amendments approved by the Committee of Ministers of 15 June 1999 (ETS No 181). Thus, Member States were authorised to approve the decision of the Committee of Ministers on the Community’s behalf —cfr., Council of the EU, Adoption of Council Decision authorising the Member States to unanimously approve, on behalf of the European Communities, the adoption by the Committee of Ministers of the Council of Europe of amendments to allow the European Communities to accede to the Convention for the protection of individuals with regard to automatic processing of personal data (Council of Europe Convention 108), 8133/99, Brussels, 20.5.1999. However, not all Parties to Convention 108 notified acceptance of the proposed amendments as required by Article 21(6) of the Convention —cfr., the note No 44 in the chart of signatures and ratifications of Treaty 108 available at www.coe.int, and the Romanian declaration in Council of the EU, Recommendation for a Council Decision authorising the opening of negotiations on the modernisation of Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (EST 108) and the conditions and modalities of accession of the European Union to the modernised Convention, 6176/13 DCL 1, Brussels, 30.1.2019, p. 18. Therefore, that amendment has never entered into force and the EU has never taken part in Convention 108.

[125]

Cyprus, Czechia, Germany, Estonia, Spain, France, Hungary, Italy, Latvia, the Netherlands, Poland, Sweden, Slovenia and the United Kingdom as indicated in the Council of the EU, Recommendation for a Council Decision authorising the opening of negotiations on the modernisation of Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (EST 108) and the conditions and modalities of accession of the European Union to the modernised Convention, 6176/13, Brussels, 14.2.2013.

[126]

See European Parliament, Answers to written questions, P7 RE(2012) 010887, 2013.2.01.

[127]

Council of the EU, Recommendation for a Council Decision authorising the opening of negotiations on the modernisation of Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (EST 108) and the conditions and modalities of accession of the European Union to the modernised Convention, 6176/13, Brussels, 14.2.2013, p. 4.

[128]

See France’s position in ibid., p. 13.

[129]

Council of the EU, Recommendation for a Council Decision authorising the opening of negotiations on the modernisation of Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (EST 108) and the conditions and modalities of accession of the European Union to the modernised Convention, 6176/13, Brussels, 14.2.2013, p. 4.

[130]

Id.

[131]

See Portugal’s position in ibid., p. 20.

[132]

Opinion of 7 February 2006, New Lugano Convention, 1/03, EU:C:2006:81, para. 126 and 151-‍161, where the CJEU found that the regime established under Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (OJ L 12, 16.1.2001, pp. 1-‍23) would be affected by any agreement establishing an own regime of conflict norms similar to the one elaborated under EU law, like the Lugano Convention.

[133]

Article 4(3) of the TEU.

[134]

European Commission, Vademecum on the external action of the European Union, SEC(2011) 881/3, Brussels, 2021.

[135]

The CJEU clarified that the ‘sector’ may be made of different instruments and not a unique measure, for example in Judgment of 4 September 2014, Parliament v Council, C-114/12, EU:C:2014:2151, para. 83.

[136]

Article 4(2) of the TFEU and supra.

[137]

Article 3(2) of the TFEU and supra.

[138]

Judgment of 20 November 2018, Commission v Council, C-626/15 and C-659/16, EU:C:2018:925.

[139]

As an example, cfr., Judgment of 21 December 2016, Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, C-203/15 and C-698/15, EU:C:2016:970.

[140]

Article 15 of Convention 108+, for example, according to the Council of Europe (2018) Convention 108+ Convention for the protection of individuals with regard to the processing of personal data. Strasbourg: Council of Europe Public Information, p. 29.

[141]

Cfr., Judgment of 20 May 2008, Commission v Council, C-91/05, EU:C:2008:288. Despite the suppression of the pillar structure, the cross-cutting scope of Convention 108+ could trigger this type of mixity as far as the common foreign and security policy, and, consequently, Article 39 of the TEU, is concerned. Article 39 of the TEU has been somehow left in limbo by the co-legislators (‍Blasi Casagran, 2017: 71-‍73), and its interaction with the external projection of Article 16(2) of the TFEU needs to be examined further.

[142]

Article 26 of Convention 108+.

[143]

Article 27 of Convention 108+ provides for the qualified-majority voting according to Article 20(d) of the Statute of the Council of Europe, and by the unanimous vote of the representatives of the contracting Parties entitled to sit on the Committee of Ministers.

[144]

This type of mixity must not be considered as mixity stricto sensu, as it is due to “external factors” (Rosas, 2020: 15).

[145]

Judgment of 22 November 2022, Commission v Council, C-24/20, EU:C:2022:911, para. 82, confirms that the Council of the EU may amend the Commission’s decision by unanimity and that, in case of distorting the Commission’s proposal, the latter is entitled to withdraw it.

[146]

Council Decision (EU) 2019/682 of 9 April 2019 authorising Member States to ratify, in the interest of the European Union, the Protocol amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (OJ L 115, 2.5.2019, p. 7-8).

[147]

Proposal for a Council Decision authorising Member States to ratify, in the interest of the European Union, the Protocol amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108), COM(2018) 451 final, Brussels, 5.6.2018.

[148]

The author distinguishes the following different layers: institutional, during the negotiations and the conclusion of the agreement; internal, when delimiting the nature of the competences conferred to the EU; ex post, with regard to their interpretation and the control of compatibility by the CJEU; and, finally, when allocating the responsibility in case of non-compliance with the obligations undertaken.

[149]

In Council of the EU, Negotiations on the modernisation of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of personal data (EST 108) - Preparation of the CAHDATA meeting on 28-‍30 April 2014, 6365/14 ADD 1 REV 2 DCL 1, 11 November 2019, EU and Member States’ positions before Convention 108+ are visible. Notably, while the European Commission sought a mandate for negotiations back in 2013, the modernising Protocol was only adopted in 2018.

[150]

Parliamentary Assembly of the Council of Europe, Opinion 296 on Draft Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108) and its explanatory report, Strasbourg, 2017.

[151]

See, for example, the Consultative committee of the convention for the protection of individuals with regard to automatic processing, Compilation of Comments on Standard Contractual Clauses for Transborder Flows, Strasbourg, 2.3.2022.

[152]

At the time of writing (13 May 2023), non-ratifying Member States are: Belgium, Czechia, Denmark, Greece, Hungary, Ireland, Latvia, Liechtenstein, Luxembourg, the Netherlands, Portugal, Slovakia, Slovenia, and Sweden.

[153]

See the French position seeking clarification of what should be understood by EU acquis, in Council of the EU, Negotiations on the modernisation of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of personal data (EST 108) - Preparation of the CAHDATA meeting on 1-3 December 2014 (Strasbourg), 14780/14 DCL 1, Brussels, 31.10.2019, p. 18.

[154]

Decision of the Committee of Ministers of session No 128, Draft Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Elsinore, 18.5.2018, para. 160: “Upon accession, the EU shall make a statement clarifying the distribution of competences between the EU and its Member States as regards the protection of personal data under the Convention. Subsequently, the EU will inform the Secretary-General of any substantial modification in the distribution of competences”.

[155]

Judgment of 19 March 1996, Commission v Council, C-25/94, EU:C:1996:114, and the more recent Judgment of 27 March 2019, Commission v Federal Republic of Germany, C-620/16, EU:C:2019:256.

[156]

Article 22 of Convention 108+.

[157]

Council of the EU, Recommendation for a Council Decision authorising the opening of negotiations on the modernisation of Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (EST 108) and the conditions and modalities of accession of the European Union to the modernised Convention, 6176/13, Brussels, 14.2.2013, p. 8.

[158]

Judgment of 22 November 2022, Commission v Council, C-24/20, EU:C:2022:911, where the latter noted that, should no Member State accede to the Geneva Act, the EU would have no voting rights in the Assembly.

[159]

Proposal for a Council Decision authorising Member States to ratify, in the interest of the European Union, the Protocol amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108), COM(2018) 451 final, Brussels, 5.6.2018.

[160]

Judgment of 19 March 1996, Commission v Council, C-25/94, EU:C:1996:114, para. 331.

[161]

Cf. the principles of sincere cooperation, Article 4(3) TEU, and of institutional balance, Article 13(2) TEU.

[162]

Article 218(9) of the TFEU.

[163]

Judgment of 30 May 2006, Commission v Ireland, C-459/03, para. 93 ff.

[164]

Ibid., para. 82 ff., as international agreements fall in between EU primary and secondary law (Gianelli, 2012: 106).

[165]

Ibid., para. 96. García Andrade maintains that Member States remain responsible for the areas covered by concurrent competences despite the concurrency of the Union, as the latter cannot exercise pre-emptive power in a mixed agreement (2019: 50).

[166]

Opinion of 18 December 2014, Accession of the European Union to the European Convention for the Protection of Human Rights and Fundamental Freedoms, 2/13, EU:C:2014:2454, finding that the draft agreement on the accession of the EU to the European Convention on Human Rights, of 4 November 1950 (CETS No 005) was not compatible with Article 6(2) of the TEU.

[167]

Ibid., para. 165 ff.

[168]

Article 8 of the ECHR.

[169]

Opinion of 18 December 2014, Accession of the European Union to the European Convention for the Protection of Human Rights and Fundamental Freedoms, 2/13, EU:C:2014:2454, para. 181.

[170]

Article 6(2) of the TEU and Protocol No 8 relating to Article 6(2) on the accession of the Union to the European Convention on the Protection of Human Rights and Fundamental Freedoms (OJ C 326, 26.10.2012, p. 273-273).

Bibliography

[1] 

A. Bygrave, L. (2021). The «Strasbourg Effect» on data protection in light of the «Brussels Effect»: logic, mechanics and prospects. Computer Law and Security Review, 40, 105460. Available at: https://doi.org/10.1016/j.clsr.2020.105460.

[2] 

A. Wessel, R. (2012). Cross-pillar mixity. In E. Cannizzaro, P. Palchetti and A. R. Wessel (eds.). International Law as Law of the European Union (pp. 30-‍54). Leiden: Martinus Nijhoff Publishers.

[3] 

Adam, R. and Tizzano, A. (2022). Lineamenti di diritto dell’Unione Europea. Torino: Giappichelli.

[4] 

Article 29 Data Protection Working Party (1998a). Transfers of personal data to third countries: Applying Articles 25 and 26 of the European Union data protection directive (Report DPWP. Bulletin DPWP; WP216). Brussels: European Commission Public Information.

[5] 

Article 29 Data Protection Working Party (1998b). Second annual report (Report DPWP.). Brussels: European Commission Public Information.

[6] 

Article 29 Data Protection Working Party (2001). Draft Commission decision on standard contractual clauses for the transfer of personal data to third countries under art. 26-4 of Directive 95/46 (Report DPWP.). Brussels: European Commission Public Information.

[7] 

Article 29 Data Protection Working Party (2004). More harmonised information provisions (Report DPWP.). Brussels: European Commission Public Information.

[8] 

Article 29 Data Protection Working Party (2005). A common interpretation of art. 26-1 of Directive 95/46/EC of 24 October 1995 (Report DPWP.). Brussels: European Commission Public Information.

[9] 

Article 29 Data Protection Working Party (2007a). First joint enforcement action: evaluation and future steps (Report DPWP.). Brussels: European Commission Public Information.

[10] 

Article 29 Data Protection Working Party (2007b). The concept of personal data (Report DPWP.). Brussels: European Commission Public Information.

[11] 

Article 29 Data Protection Working Party (2009). The future of privacy: joint contribution to the consultation of the European Commission on the legal framework for the fundamental right to protection of personal data (Report DPWP.). Brussels: European Commission Public Information.

[12] 

Article 29 Data Protection Working Party (2013). Purpose limitation (Report DPWP. Bulletin WP; 203). Brussels: European Commission Public Information.

[13] 

Article 29 Data Protection Working Party (2014). Surveillance of electronic communications for intelligence and national security purposes. (Report DPWP.). Brussels: European Commission Public Information.

[14] 

B. Svantesson, D. J. (2015). Extraterritoriality and targeting in European Union data privacy law: the weak spot undermining the regulation. International Data Privacy Law, 5 (4), 226-‍234. Available at: https://doi.org/10.1093/idpl/ipv024.

[15] 

Bigo, B., Carrera, S., González Fuster, G., Guild, E., De Hert, P., Jeandesboz, J. and Papakonstantinou, V. (2011). Towards a new European Union legal framework for data protection and privacy: challenges, principles and the role of the European Parliament. Brussels: Policy department C: Citizens’ rights and constitutional affairs civil liberties, justice and home affairs.

[16] 

Blasi Casagran, C. (2017). Global data protection in the field of law enforcement: an European Union perspective. Abingdon: Routledge. Available at: https://doi.org/10.4324/9781315622521.

[17] 

Boehm, F. (2012). Information sharing and data protection in the Area of Freedom, Security and Justice: towards harmonised data protection principles for information exchange at European Union-level. Luxembourg: Springer. Available at: https://doi.org/10.1007/978-3-642-22392-1.

[18] 

Bosse-Platière, I. and Cremona, M. (2020). Facultative mixity in the light of the principle of subsidiarity. In M. Chamon and I. Govaere (eds.). European Union external relations post-Lisbon: The law and practice of facultative mixity (pp. 48-‍85). Leiden: Brill. Available at: https://doi.org/10.1163/9789004421981_005.

[19] 

Cannizzaro, E., Palchetti, P. and A. Wessel, R. (2012). International Law as Law of the European Union. Leiden: Martinus Nijhoff Publishers. Available at: https://doi.org/10.1163/9789004215528.

[20] 

Cebada Romero, A. (2006). La peculiaridad de la acción exterior de la Unión Europea. In A. Remiro Brotóns and I. Blázquez Navarro (eds.). El futuro de la acción exterior de la Unión Europea (pp. 73-‍100). Valencia: Tirant Lo Blanch.

[21] 

Chamon, M. (2021). Provisional Application’s Novel Rationale: Facilitating Mixity in the EU’s Treaty Practice. In Th. Douma, W. (ed.). The Evolving Nature of EU External Relations Law (pp. 131-163). Berlin-Heidelberg: Springer. Available at: https://doi.org/10.1007/978-94-6265-423-5_6.

[22] 

Chamon, M. and Govaere, I. (2020). Introduction: facultative mixity, more than just a childhood disease of European Union law? In M. Chamon and I. Govaere (eds.). European Union external relations post-Lisbon: The law and practice of facultative mixity (pp. 1-‍7). Leiden: Brill. Available at: https://doi.org/10.1163/9789004421981_002.

[23] 

Clifford, D. and Ausloos, J. (2018). Data protection and the role of fairness. Yearbook of European Law, 37, 130-‍187. Available at: https://doi.org/10.1093/yel/yey004.

[24] 

Cremona, M. (2010a). Disconnection clauses in European Union law and practices. In C. Hillion and P. Koutrakos (eds.). Mixed agreements revisited: the European Union and its member states in the world (pp. 160-‍186). Oxford: Hart Publishing. Available at: https://doi.org/10.3726/978-3-0352-6107-3.

[25] 

Cremona, M. (2010b). The external dimension of the Area of Freedom, Security and Justice. In M. Cremona, J. Monar and S. Poli, (eds.). The external dimension of the European Union’s Area of Freedom, Security and Justice (pp. 3-‍30). Brussels: College of Europe Studies.

[26] 

Cremona, M. (2020). Structural principles and their role in European Union external relations law. In M. Cremona (ed.). Structural principles in European Union external relations law (pp. 3-‍30). Portland: Hart Publishing.

[27] 

Dashwood, A. (2010). Mixity in the era of the treaty of Lisbon. In C. Hillion and P. Koutrakos (eds.). Mixed agreements revisited: The European Union and its member States in the world (pp. 351-366). Oxford: Hart Publishing.

[28] 

Dashwood, A., Dougan, M., Rodger, B., Spaventa, E. and Wyatt, D. (2011). Wyatt and Dashwood’s European Union Law. Oregon: Hart Publishing.

[29] 

De Baere, G. (2008). Constitutional Principles of European Union External Relations. Oxford: Studies in European Law. Available at: https://doi.org/10.1093/acprof:oso/9780199546688.001.0001.

[30] 

De Baere, G. (2017). European Union external action. In C. Bernard and S. Peers (eds.). European Union Law (pp. 710-‍760). Oxford: Oxford University Press. Available at: https://doi.org/10.1093/he/9780198789130.003.0024.

[31] 

De Baere, G. (2018). Subsidiarity as a structural principle governing the use of European Union external competences. In M. Cremona (ed.). Structural principles in European Union external relations law (pp. 71-‍92). Portland: Hart Publishing.

[32] 

De Hert, P. (2021). European Union sanctioning powers and data protection: new tools for ensuring the effectiveness of the General Data Protection Regulation in the spirit of cooperative federalism. In S. Montaldo, F. Costamagna and A. Miglio (eds.). European Union law enforcement: the evolution of sanctioning powers (pp. 291-324). London: Routledge. Available at: https://doi.org/10.4324/9780429197819-14.

[33] 

De Hert, P. and Papakonstantinou, V. (2014). The Council of Europe data protection convention reform: analysis of the new text and critical comment on its global ambition. Computer Law and Security Review, 30 (6), 633-‍642. Available at: https://doi.org/10.1016/j.clsr.2014.09.002.

[34] 

De Terwangne, C. (2022). Privacy and data protection in Europe: Council of Europe’s Convention+ and the European Union’s General Data Protection Regulation. In G. González Fuster, R. Van Berkel and P. De Hert (eds.). Research handbook on privacy and data protection law: values, norms, and global politics (pp. 10-‍35). Cheltenham: Edward Elgar Publishing. Available at: https://doi.org/10.4337/9781786438515.00007.

[35] 

European Data Protection Supervisor (2007). Communication from the Commission to the European Parliament and the Council on the follow-up of the Work Programme for better implementation of the Data Protection Directive. (Report EDPS). Brussels: EDPS Public Information.

[36] 

European Data Protection Supervisor (2009). Final report by the European Union-United States High Level Contact Group on information sharing and privacy and personal data protection. (Report EDPS). Brussels: EDPS Public Information.

[37] 

European Data Protection Supervisor (2010). Contribution of the European Data Protection Supervisor to the consultation on the future European Union-United States international agreement on personal data protection and information sharing for law enforcement purposes. (Report EDPS). Brussels: EDPS Public Information.

[38] 

European Data Protection Supervisor (2011). Opinion of the European Data Protection Supervisor on the communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions «a comprehensive approach on personal data protection in the European Union». (Report EDPS). Brussels: EDPS Public Information.

[39] 

European Data Protection Supervisor (2012). The data protection reform package. (Report EDPS). Brussels: EDPS Public Information.

[40] 

European Data Protection Supervisor (2014a). Opinion of the European Data Protection Supervisor on the Commission Communication on Internet Policy and Governance: Europe’s role in shaping the future of Internet Governance. (Report EDPS). Brussels: EDPS Public Information.

[41] 

European Data Protection Supervisor (2014b). Opinion of the European Data Protection Supervisor on the communication from the Commission to the European Parliament and the Council on «Rebuilding Trust in European Union-United States data flows» and on the communication from the Commission to the European Parliament and the Council on «the Functioning of the safe harbour from the perspective of European Union citizens and companies established in the European Union». (Report EDPS). Brussels: EDPS Public Information.

[42] 

European Data Protection Supervisor (2014c). Surveillance of electronic communications for intelligence and national security purposes. (Report EDPS). Brussels: EDPS Public Information.

[43] 

European Data Protection Supervisor (2015). Europe’s big opportunity. European Data Protection Supervisor recommendations on the European Union’s options for data protection reform. (Report EDPS). Brussels: EDPS Public Information.

[44] 

Fajardo del Castillo, T. (2013). Avances y retrocesos en materia de acuerdos mixtos y de acceso a la justicia para la protección del medio ambiente a la luz de la sentencia del Tribunal de Justicia de 8 de marzo de 2011 en el asunto Oso Pardo. Revista General de Derecho Europeo, 29, 1-‍27.

[45] 

Fajardo del Castillo, T. (2018). El acuerdo de París sobre el cambio climático: sus aportaciones al desarrollo progresivo del derecho internacional y las consecuencias de la retirada de los Estados Unidos. Revista Española de Derecho Internacional, 70 (1), 23-‍51. Available at: https://doi.org/10.17103/redi.70.1.2018.1.01.

[46] 

Fajardo del Castillo, T. (2021). La diplomacia del clima de la Unión Europea: La acción exterior sobre cambio climático y el pacto verde mundial. Madrid: Reus.

[47] 

García Andrade, P. (2015). La acción exterior de la Unión Europea en la materia migratoria: Un problema de reparto de competencias. Valencia: Tirant Lo Blanch.

[48] 

García Andrade, P. (2017). La base jurídica de la celebración de acuerdos internacionales por parte de la Unión Europea: entre la Política Exterior y de Seguridad Común de la Unión Europea y la dimensión exterior del espacio de libertad, seguridad y justicia. Comentario a la sentencia del Tribunal de Justicia de 14 de junio de 2016, asunto C-263/14, Parlamento c. Consejo. Revista General de Derecho Europeo, 41, 128-‍160.

[49] 

García Andrade, P. (2018). European Union external competences in the field of migration: how to act externally when thinking internally. Common Market Law Review, 55, 157-‍200. Available at: https://doi.org/10.54648/COLA2018006.

[50] 

García Andrade, P. (2019). European Union external competences on migration: which role for mixed agreements? In S. Carrera, J. Santos Vara and T. Strik (eds.). Constitutionalising the external dimensions of European Union migration policies in times of crisis. Legality, rule of law and fundamental rights reconsidered (pp. 39-56). Cheltenham: Edward Elgar Publishing. Available at: https://doi.org/10.4337/9781788972482.00010.

[51] 

Gascón Marcén, A. (2023). La Unión Europea y los convenios internacionales elaborados en el marco del Consejo de Europa. In P. García Andrade (ed.). Interacciones entre el Derecho de la Unión Europea y el Derecho internacional público (pp. 227-‍242). Valencia: Tirant lo Blanch.

[52] 

Gianelli, A. (2012). Customary international law in the European Union. In E. Cannizzaro, P. Palchetti and R. Wessel (eds.). International law as Law of the European Union (pp. 93-‍110). Leiden: Martinus Nijhoff Publishers.

[53] 

González Fuster, G. (2014). The emergence of personal data protection as a fundamental right of the European Union. Switzerland: Springer International. Available at: https://doi.org/10.1007/978-3-319-05023-2.

[54] 

Govaere, I. (2020). «Facultative» and «Functional» mixity consonant with the principle of partial and imperfect conferral. In M. Chamon and I. Govaere (eds.). European Union external relations post-Lisbon: The law and practice of facultative mixity (pp. 21-‍47). Leiden: Brill. Available at: https://doi.org/10.1163/9789004421981_004.

[55] 

H. Weber, R. (2013). Transborder data transfers: concepts, regulatory approaches and new legislative initiatives. International Data Privacy Law, 3 (2), 117-‍130. Available at: https://doi.org/10.1093/idpl/ipt001.

[56] 

Hijmans, H. (2016). The European Union as guardian of internet privacy. Switzerland: Springer. Available at: https://doi.org/10.1007/978-3-319-34090-6.

[57] 

Hijmans, H. and Scirocco, A. (2009). Shortcomings in European Union data protection in the third and the second pillars. Can the Lisbon treaty be expected to help? Common Market Law Review, 46 (5), 1485-‍1525. Available at: https://doi.org/10.54648/COLA2009061.

[58] 

Hillion, C. and Koutrakos, P. (2010). Mixed agreements revisited: The European Union and its Member States in the world. Oxford: Hart Publishing.

[59] 

Hustinx, P. (2013). European Union data protection law: The review of Directive 95/46/EC and the proposed general data protection Regulation. Collected Courses of the European University Institute’s Academy of European Law: 24. Session on European Union Law, 1-52.

[60] 

Jerker B Svantesson, O. D. (2015). Extraterritoriality and targeting in European Union data privacy law: the weak spot undermining the regulation. International Data Privacy Law, 4 (5), 226-‍234. Available at: https://doi.org/10.1093/idpl/ipv024.

[61] 

Keukeleire, S. and Delreux, T. (2022). The foreign policy of the European Union. London: Bloomsbury Publishing Plc.

[62] 

Klabbers, J. (2002). Restraints on the treatymaking powers of Member States deriving from European Union Law? Towards a framework for analysis. In E. Cannizzaro (ed.). The European Union as an actor in international relations (pp. 151-‍176). The Hague: Kluwer Law International.

[63] 

Klamert, M. (2015). What we talk about when we talk about harmonisation. Cambridge Yearbook of European Legal Studies, 17, 360-‍379. Available at: https://doi.org/10.1017/cel.2015.12.

[64] 

Kokott, J. and Sobotta, Ch. (2013). The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR. International Data Privacy Law, 3(4), 222-‍228. Available at: https://doi.org/10.1093/idpl/ipt017.

[65] 

Kuner, C. (2017). Reality and illusion in European Union data transfer regulation post Schrems. German Law Journal, 881-918. Available at: https://doi.org/10.1017/S2071832200022197.

[66] 

Kuner, C. (2019). International organizations and the European Union general data protection regulation. International Organizations Law Review, 16, 158-191. Available at: https://doi.org/10.1163/15723747-2019008.

[67] 

Kuner, C. (2020a). Art. 44: General principles for transfer. In C. A. Kuner, L. Bygrave and C. Docksey (eds.). The European Union General Data Protection Regulation: a commentary (pp. 755-‍770). Oxford: Oxford University Press. Available at: https://doi.org/10.1093/oso/9780198826491.001.0001.

[68] 

Kuner, C. (2020b). Art. 45: transfers on the basis of an adequacy decision. In C. A. Kuner, L. Bygrave and C. Docksey (eds.). The European Union General Data Protection Regulation: a commentary (pp. 771-‍766). Oxford: Oxford University Press. Available at: https://doi.org/10.1093/oso/9780198826491.003.0085.

[69] 

Liñán Nogueras, D. J. (1996). Los derechos fundamentales en la Unión Europea. In A. Mangas Martín and D. J. Liñán Nogueras (eds.). Instituciones y Derecho de la Unión Europea (pp. 581-‍596). Madrid: McGraw-Hill.

[70] 

Liñán Nogueras, D. J. (2001). Derechos Humanos y Unión Europea. In J. Cardona Llorens (ed.). Cursos Euromediterráneos Bancaja Derecho Internacional (pp. 363-‍440). Valencia: Tirant lo Blanch.

[71] 

Liñán Nogueras, D. J. (2020). Derechos humanos y libertades fundamentales en la Unión Europea. In A. Mangas Martín and D. J. Liñán Nogueras (eds.). Instituciones y Derecho de la Unión Europea. Madrid: Tecnos.

[72] 

Lynskey, O. (2015). The Foundations of European Union Data Protection Law. Oxford: Oxford Studies in European Law.

[73] 

Maiani, F. (2002). Le cadre réglementaire des traitements de données personnelles effectués au sein de l’Union Européenne. Revue Trimestrielle de Droit Européenne, 2, 283-‍309.

[74] 

Marin Aís, R. (2013). La participación de la Unión Europea en tratados internacionales para la protección de los derechos humanos. Madrid: Tecnos.

[75] 

Martín y Pérez de Nanclares, J. (2008). Art. 8: protección de datos de carácter personal. In A. Mangas Martín (ed.). Carta de Derechos Fundamentales de la Unión Europea: comentario artículo por artículo (pp. 223-243). Madrid: Fundación BBVA.

[76] 

Martínez Capdevila, C. (2023). Los acuerdos internacionales de la Unión Europea en ámbitos de competencias compartidas: ¿mixidad facultativa o mixidad obligatoria? In P. García Andrade (ed.). Interacciones entre el Derecho de la Unión Europea y el Derecho internacional público (pp. 73-‍95). Valencia: Tirant lo Blanch.

[77] 

Moerel, L. (2011). The long arm of European Union Data Protection Law: does the Data Protection Directive apply to processing of personal data of European Union citizens by websites worldwide? International Data Privacy Law, 46 (1), 28-‍46. Available at: https://doi.org/10.1093/idpl/ipq004.

[78] 

Monar, J. (2012). The external dimension of the European Union’s Area of Freedom, Security and Justice: progress, potential and limitations after the treaty of Lisbon. Swedish: Swedish Institute for European Policy Studies.

[79] 

Mori, P. (2019). Gli strumenti della codificazione nel diritto dell’Unione Europea. In A. Annoni, S. Forlati and F. Salerno (eds.). La codificazione nell’ordinamento internazionale e dell’Unione europea (pp. 301-369). Napoli: Editoriale Scientifica.

[80] 

O’Keeffe, D. and Schermers, G. H. (1983). Mixed agreements. Deventer: Kluwer.

[81] 

Pearce, G. and Platten, N. (1998). Achieving personal data protection in the European Union. Journal of Common Market Studies, 36, 529-‍548. Available at: https://doi.org/10.1111/1468-5965.00138.

[82] 

Polakiewicz, J. (2021). A Council of Europe perspective on the European Union: crucial and complex cooperation. Europe and the World: A Law Review, 5 (1), 1-‍19. Available at: https://doi.org/10.14324/111.444.ewlj.2021.30.

[83] 

Quintel, T. (2022). Data protection, migration and border control. The General Data Protection Regulation, the Law Enforcement Directive and beyond. London: Bloomsbury Publishing. Available at: https://doi.org/10.5040/9781509959662.

[84] 

Rosas, A. (1998). Mixed Union: mixed agreements. In Koskenniemi (ed.). International Law Aspects of the European Union (pp. 125-‍148). Leiden: Brill.

[85] 

Rosas, A. (2020). Mixity past, present and future: some observations. In M. Chamon and I. Govaere (eds.). European Union external relations post-Lisbon: The law and practice of facultative mixity (pp. 8-‍20). Leiden: Brill. Available at: https://doi.org/10.1163/9789004421981_003.

[86] 

Rotenberg, M. and Jacobs, D. (2013). Updating the law of information privacy: the new framework of the European Union. Harvard Journal of Law and Public Policy, 36, 605-‍652.

[87] 

Ruiz Miguel, C. (2003). El derecho a la protección de datos personales en la carta de derechos fundamentales de la Unión Europea: Análisis crítico. Revista de Derecho Comunitario Europeo, 14, 7-‍43.

[88] 

Saluzzo, S. (2019). The European Union as a global standard setting actor: the case of data transfers to third countries. In E. Carpanelli and N. Lazzerini (eds.). Use and misuse of new technologies: contemporary challenges in international and European law (pp. 115-134). Switzerland: Springer. Available at: https://doi.org/10.1007/978-3-030-05648-3_6.

[89] 

Scott, J. (2019). The global reach of European Union law. In M. Cremona and J. Scott (eds.). European Union Law beyond European Union borders: the extraterritorial reach of European Union Law (pp. 21-‍63). Oxford: Oxford University Press. Available at: https://doi.org/10.1093/oso/9780198842170.003.0002.

[90] 

Sobrino García, I. (2021). Las decisiones de adecuación en las transferencias internacionales de datos. El caso del flujo de datos entre la Unión Europea y Estados Unidos. Revista de Derecho Comunitario Europeo, 68, 227-‍256. Available at: https://doi.org/10.18042/cepc/rdce.68.07.

[91] 

Tassinari, F. (2021). La adopción de actos delegados y actos de ejecución comentario a los artículos 92 y 93 del General Data Protection Regulation. In A. Troncoso Reigada (ed.). Comentario al Reglamento general de protección de datos y la ley orgánica de protección de datos personales y garantía de los derechos digitales (pp. 4901-‍4920). Pamplona: Thomson Reuters Aranzadi.

[92] 

Tassinari, F. (2022). The European Union adequacy standard in the field of data protection: a competence approach. Diritti Umani e Diritto Internazionale, 16 (1), 5-‍38.

[93] 

Timmermans, C. (2010). Opening remarks: evolution of mixity since the Leiden 1982 Conference. In C. Hillion and P. Koutrakos (eds.). Mixed agreements revisited: The European Union and its Member States in the world (pp. 1-8). Oxford: Hart Publishing.

[94] 

Wennerås, P. (2008). Towards an ever greener Union? Competence in the field of the environment and beyond. Common Market Law Review, 45 (6), 1645-‍1685. Available at: https://doi.org/10.54648/COLA2008116.

[95] 

White, A. (1997). Control of transborder data flow: reactions to the European data protection Directive. International Journal of Law and Information Technology, 5 (2), 230-247. Available at: https://doi.org/10.1093/ijlit/5.2.230.