Jusletter IT

TRUESSEC.eu – European Values and the Digital Single Market from a Legal Perspective

  • Author: Veronika Beimrohr
  • Category: Articles
  • Region: Austria
  • Field of law: Security and Law
  • Collection: Conference proceedings IRIS 2018
  • Citation: Veronika Beimrohr, TRUESSEC.eu – European Values and the Digital Single Market from a Legal Perspective, in: Jusletter IT 22 February 2018
At IRIS2017 the H2020 project TRUESSEC.eu was presented by Griesbacher/ Staudegger/ Stelzer in the contribution «SSH In ICT Using the Example of TRUESSEC.eu». This year the first project findings will be elaborated from a multidisciplinary perspective. From a legal point of view the question of how fundamental rights are reflected in the extensive ICT legal framework of the Digital Single Market will be discussed as well as their inclusion in a criteria catalogue for ICT product and service evaluation. This could help foster a trustworthy ICT environment for all stakeholders involved.

Table of contents

  • 1. The Digital Single Market and TRUESSEC.eu
  • 2. Mapping of the ICT Union legal framework
  • 3. Analysis of the ICT Union legal framework
  • 4. European Values and Fundamental Rights in the Legal Framework of the Digital Single Market
  • 5. Conclusion


The Digital Single Market and TRUESSEC.eu ^


In 2015 the European Commission declared the creation of the Digital Single Market one of its main priorities. The Commission announced several legislative actions, ranging from the reform of communications infrastructure regulation to a new copyright framework in order to achieve the Digital Single Market.1 According to the Communication a functioning Digital Single Market should enable the capitalization of the opportunities presented by digital technologies, foster growth, innovation and jobs as well as offer a high level of consumer and personal data protection.2 The strategy emphasized trust and trustworthiness as key for reaching that goal: A functioning Digital Single Market requires trustworthy infrastructure and content services, the building of consumer trust in case of cross-border e-commerce rules, and the reinforcement of trust in digital services and in the handling of personal data processing.3

In order to support the development of trust in the Digital Single Market the Horizon 2020 Coordination and Support Action TRUst-Enhancing certified Solutions for Security and protection of Citizens’ rights in digital Europe (TRUESSEC.eu)4 aims to identify trustworthiness properties in Information and Communication Technology (ICT) products and services with a focus on the respect for European fundamental rights and values. To this end the last twelve months were devoted to so-called Support Analysis and Studies (SUPPA) from the perspectives of sociology, law and ethics as well as business and technology. This year’s contribution aims to present the first finding of the legal SUPPA with a view to European values and fundamental rights within the ICT legal framework. This article shall disseminate the findings of the quantitative analysis of the ICT legal framework. An in-depth analysis of the relevant legal aspects for TRUESSEC.eu will be published shortly by our TRUESSEC.eu colleague Valentin Gibello of Université Lille 2 at the Ceraps Center for European Research on Administration, Politics, and Society. 5


Mapping of the ICT Union legal framework ^


In order to understand the requirements the Union`s legal framework sets for the ICT sector and thus for the Digital Single Market the first step of the analysis was to map out the secondary legal acts that are relevant for the ICT sector.6 Even though the argument can be made that since our lives are more and more permeated by information technology, so is the law,7 and thus every attempt at a classification for an ICT legal framework is an exercise in futility. Nevertheless, because such an approach is not useful in the context of research, an attempt has been made to classify and quantify the relevant core legislation of the cross sectional matter8 called ICT law.

In a first step classical ICT law areas such as data protection law, media and information law and laws regulating cybersecurity matters were included. Then regulation pertaining to telecommunications services and electricity supply were mapped out, because these infrastructure services are the backbone of the Digital Single Market. E-banking and electronic payment systems represent also an important aspect of this market and were thusly included. Intellectual property law has also been incorporated in the framework, since the Digital Single Market needs a unified IP law, particularly copyright law9, in order to function properly. Less obvious but fundamental for e-commerce in general is consumer protection law, including legislation pertaining to the jurisdiction and applicable law in consumer matters. In addition, various legislative acts relevant to the DSM, such as rules on standardization or the protection of business secrets, have also been included.


Analysis of the ICT Union legal framework ^


One of the main findings is the vastness of this framework: As of writing there are seventy-two distinct legislative acts currently in force regulating differing areas relevant for ICT, such as data protection, telecommunications regulation or electronic payment.10 Over 69,44% of these legal acts take the form of Directives meaning that for each of those fifty Directives another twenty-eight national legislative acts are necessary. This amounts to the astounding number of 1'400 different transposing legislations relevant for the ICT sector.

The area of intellectual property alone is governed by fifteen secondary EU legal acts not including the international treaties that Member States or the Union are party to. Another area EU legislators have been particularly active is consumer protection with fourteen secondary legal acts. This is also the case for the telecommunications and electricity framework, which is regulated by fourteen separate legislations. The media sector is governed by seven Union secondary acts, however three of them cover the specifics of advertising tobacco and medicinal products and health claims made on food.11 In the realm of data protection there are currently five legislative acts (3 Directives, 2 Regulations) in force, though that number will change to five when Directive 95/46/EC on data protection is repealed in May 2018 and again should the proposal for the new Regulation on Privacy and Electronic Communications be passed.12 Electronic payment and neighboring areas, such as anti-money laundering regulations, are the subject of five directives. The increasingly important realm of cyber security13 is regulated by four secondary legal acts. Furthermore, there are various Directives and Regulations relevant to the DSM, such as rules on standardization or the protection of business secrets. In addition to the legal texts there is a growing body of ECJ jurisprudence to consider, which significantly adds to the acquis communautaire relevant for the Digital Single Market.

Though there is little to no possibility that any legal subject in the Union is in danger of having to comply with all of these acts concurrently, these numbers illustrate the complexities and difficulties this legal landscape presents to actors in the Digital Single Market.


European Values and Fundamental Rights in the Legal Framework of the Digital Single Market ^

ICT services and products also need to respect European values and fundamental rights in order to deserve the trustworthy adjective, but which values and fundamental rights are especially relevant in the Digital Single Market? The European Union is comprised of twenty-eight14 Member States with diverse histories, languages and cultures which raises the question of whether they share any common values that thus deserve the label «European».
From a legal perspective this question is rather easily answered: Article 2 of the Treaty of the European Union clearly states the values common to the Member States as respect for human dignity, freedom, democracy, equality, the rule of law and respect for human rights, including minorities. These values form one pillar of the TRUESSEC.eu framework. The other pillar consists of the European fundamental rights as laid down in the European Convention on Human Rights (ECHR) and the EU Charter of Fundamental Rights (CFR). The next step of the legal analysis was to map out the explicit references to specific fundamental rights within the legal texts themselves.
Even though the EU has not yet acceded to the ECHR as foreseen in the Treaty of Lisbon,15 the ECHR is present in the secondary legal framework even before 2009. The Directive on data protection of 1995 explicitly mentions Article 8 ECHR in recital 8, which lays down the right to privacy. Seven Directives in total reference this right which makes it the most mentioned ECHR right ex aequo with Article 6 ECHR, the right to a fair trial. Article 10 which provides for the freedom of expression and information is in second place with five explicit mentions. The right to an effective remedy of Article 13 ECHR is mentioned in one Directive which is also the case for the right to property laid down in Article 1 of Protocol 1 to the ECHR.
The results look very different compared to the references made to the fundamental rights laid down in the CFR, even though the Charter is fifty years younger than the ECHR. Since its introduction in 2000 and subsequent entry into force in 2009,16 twenty-one different rights and freedoms have been explicitly referenced in the ICT legal framework.17 The earliest reference to the Charter was included in 2001 in the Regulation EC/1049/2001 on public access to documents18, with a general trend towards more mentions from 2010 onwards.

The single most mentioned right is Article 8, the right to protection of personal data, with eighteen separate legal acts referencing it. It is very often mentioned together with a related right, namely Article 7, the right to respect for private and family life, which was referenced in seventeen legal acts. EU legislators acknowledged the freedom of expression and information as laid down in Article 11 CFR ten separate times. This is closely followed by nine references to the right to effective remedy and to a fair trial as laid down in Article 47 CFR. Two closely related rights, the right to property of Article 17 CFR, and the right to conduct a business as laid down in Article 16 CFR, are acknowledged in seven and six separate legislative acts respectively.

CFR fundamental right Number of references
Art 8 – Protection of personal data 18
Art. 7 – Respect for private and family life 17
Art. 11- Freedom of expression and information 10
Art. 47 – Right to an effective remedy and to a fair trial 9
Art. 17 – Right to property 7
Art. 16 – Freedom to conduct a business 6
Art. 21 – Non-discrimination 4
Art 38 – Consumer protection 4
Art. 48 – Presumption of innocence and right of defence 4

Table 2: Overview over most referenced CFR fundamental rights in secondary Union legislation


Conclusion ^

Even though this quantitative perspective alone cannot replace an in depth analysis of the relationship between ICT legislation and the place of fundamental rights in the Digital Single Market, it still offers an overview over which fundamental rights are deemed important enough to warrant a mention by EU legislators.
Unsurprisingly within the ICT framework the right to data protection and privacy as laid down in the ECHR and CRF is mentioned in over 25% of relevant ICT legislation. These rights however need to be balanced out by the freedom of expression and information and the right to conduct a business and to property, emphasizing the fact that digital realm is our most important communication infrastructure where differing interests might clash. The rule of law is not only represented in Article 2 TEU but also reflected across the ICT framework with frequent acknowledgements of Article 6 ECHR and Article 47 CFR. TRUESSEC.eu will incorporate these findings in its Multidisciplinary Criteria Catalogue for Trustworthy ICT Products and Services as well as in its Recommendations on European Trust-Enhancing Labels.
  1. 1 See European commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee to the Regions. A Digital Single Market Strategy for Europe, COM(2015) 192 final, p. 3.
  2. 2 Ibid. p. 2.
  3. 3 Ibid. pp. 3, 4, 12.
  4. 4 The project was presented at IRIS 2017, for a general introduction see Griesbacher/Staudegger/Stelzer, SSH in ICT using the example of TRUESSEC.eu, in: Schweighofer/Kummer/Hötzendorfer/Sorge (Eds.), Trends and Communities of Legal Informatics. Proceedings of the 20th International Legal Informatics Symposium IRIS 2017, OCG Verlag, Wien 2017, p. 469.
  5. 5 These findings will be published shortly under Gibello, Deliverable D4.1. Legal Analysis, www.truessec.eu. (all websites accessed on 7 January 2017).
  6. 6 These findings will be published shortly. All numbers being presented are taken from: Beimrohr, Annex to Deliverable D4.1. Overview over the Legal ICT-Framework, www.truessec.eu.
  7. 7 See Weber, IT-Recht – Bausteine einer neuen Disziplin, in: Schweighofer/Kummer/Hötzendorfer/Sorge (Eds.), Trends and Communities of Legal Informatics. Proceedings of the 20th International Legal Informatics Symposium IRIS 2017, OCG Verlag, Wien 2017, p. 77 (p. 80).
  8. 8 Ibid. p. 82.
  9. 9 European commission, A Digital Single Market Strategy for Europe, p. 4.
  10. 10 Not included is legislation which only consists of amending provisions.
  11. 11 See Directive 2001/83/EC (Directive on advertising medicinal products), OJ L 311/67, 28 November 2001; Directive 2003/33/EC (Directive on Tobacco Products Advertising), OJ L 152/16, 20 June 2003; Regulation EC/1924/2006 (Regulation on health claims made on foods), OJ L 404/9, 30 December 2006.
  12. 12 Directive 95/46/EC (Directive on data protection), OJ L 281/31, 23 November 1995; Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM/2017/010 final – 2017/03 (COD).
  13. 13 The president of the European Commission declared it priority number four in his 2017 state of the Union address; see Juncker, President Jean-Claude Juncker’s State of the Union Address 2017, http://europa.eu/rapid/press-release_SPEECH-17-3165_en.htm, 2017.
  14. 14 European Union, The EU in brief, https://europa.eu/european-union/about-eu/eu-in-brief_en.
  15. 15 See ECJ, Opinion of the Court (Full Court) of 18 December 2014, http://curia.europa.eu/juris/document/document.jsf?text=&docid=160882&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=758846.
  16. 16 european commission, EU Charter of Fundamental Rights, http://ec.europa.eu/justice/fundamental-rights/charter/index_en.htm.
  17. 17 These are in order: Art. 1 – Human dignity; Art. 3 – Right to the integrity of the person; Art. 7 – Respect for private and family life; Art 8 – Protection of personal data; Art. 10 – Freedom of thought, conscience and religion; Art. 11 – Freedom of expression and information; Art. 15 – Freedom to choose an occupation and right to engage in work; Art. 16 – Freedom to conduct a business; Art. 17 – Right to property; Art. 21 – Non-discrimination; Art. 22 – Cultural, religious and linguistic diversity; Art. 24 – The rights of the child; Art. 28 – Right of collective bargaining and action; Art. 35 – Health care; Art. 37 – Environmental protection; Art. 38 – Consumer protection; Art. 41 – Right to good administration; Art. 42 – Right of access to documents; Art. 47 – Right to an effective remedy and to a fair trial; Art. 48 – Presumption of innocence and right of defence; Art. 49 – Principles of legality and proportionality of criminal offences and penalties; Art. 50 – Right not to be tried or punished twice in criminal proceedings for the same criminal offence.
  18. 18 See Recital 2 of Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, OJ L 145/43, 31 May 2001.