Action Plan on the Stockholm Programme released by Statewatch

European Commission: Stockholm Programme: Statewatch Analysis: Action Plan on the Stockholm Programme: A bit more freedom and justice and a lot more security (pdf) by Tony Bunyan: “The “harnessing of the digital tsunami” as advocated by the EU Future Group and the surveillance society, spelt out in Statewatch’s “The Shape of Things to Come” is embedded in the Commission’s Action Plan as it is in the Stockholm Programme….There is no mention of the European Security Research Programme (ESRP). Much of the technological development is being funded under the 1.4 billion euro security research programme. See: Statewatch/TNI report: Neoconopticon: EU security-industrial complex.

Statewatch Briefing: European Commission: Action Plan on the Stockholm Programme (pdf) Comments by Professor Steve Peers, University of Essex – Full-text: Communication from the Commission: Delivering an area of freedom, security and justice for Europe’s citizens Action Plan Implementing the Stockholm Programme (COM 171/2010, pdf)

Body Scanners: an effective tool to address perceived rather than real increased security?

Several countries around the world have already installed body scanners in airports, including the Schiphol International Airport in Amsterdam.

Several politicians coming from both sides of the Atlantic visited the airport, in order to assess the extent to which such a measure is proportionate and effectively increases security in the airports.

The technology employed in Schiphol has been welcomed by several legislators. For example, the three United States Senators Collins, Kyl and Chambliss praised the advantages of the Schiphol technology in addressing health and privacy concerns (see previous post) in a letter to Secretary Napolitano of the Department of Homeland Security, urging to reconsider such technology also for U.S. airports.

Health concerns

The body scanners technology employed in Amsterdam Airport is based on millimeter waves using extremely high frequency radio waves to produce images with no-ionizing radiation. This frequency range is just below the (related) sub-millimeter “Terahertz radiation” (or “T-ray”) range.

While the digital journal reports that  Health Canada says the scanners are safe, the UK Health and Safety Executive states that relatively little appears to be known about the possible health & safety implications of exposure to Terahertz radiation, as a EU project in this area  confirms.

Thus, the question related to the effect that body scanners have on human bodies remains opened and needs to be investigated further.


Concerning the privacy aspect, the body scanners can “see” through passengers’ clothes, revealing sensitive information (implants, piercings…).

Nonetheless, the letter of the three senators explains that such a loopholes can be reduced by computer-based auto-detection:

“Computer-based auto-detection technology identifies potentially threatening objects on a person and highlights with boxes on a featureless human body outline those areas of the individual that may require further inspection.  If the computer scan finds no problems, then the passenger and screener at the imaging machine are notified almost immediately that the passenger may proceed (…). The automated review of images by a computer, rather than by a screener examining the image in a separate room, address privacy concerns.”

Although this option does represent an improvement compared to the systems currently used in several airports, it does not solve the privacy issues.

Especially if added to the fact that no certainty exists over the fact that images are immediately deleted, despite the fact that manufacturers insist that images cannot be stored or transferred. In fact, the machines have the ability to store images on hard disk storage, and that they possess the ability to send the images.

On top of this, the capacity of these machines for detecting devices/weapons concealed inside a body is still very limited, questioning the effectiveness of such a measure to prevent terrorist attacks. One can even argue that if an individual willing to attack an airport reach the airport, it is already too late.

Hence, once again the balance between effectiveness and invasion of fundamental rights, remains to be verified and therefore the use of body scanners in airports seems more a measure to address perceived rather than real greater security.


LIBE Committee resume the works on the future SWIFT long term agreement

The LIBE Committee discussed on 7 April 2010 the re-launch of negotiations on a SWIFT long term agreement.

It has to be recalled that following the European Parliament refusal to provide its consent on the US-EU SWIFT Interim Agreement last February a new draft-negotiating mandate has been indeed submitted by the College of Commissioners on 24 March 2010 to the Council, which in turn is expected to approve it on 22/23 April. According to the Commission the new agreement might be concluded at the beginning of June of this year.

Will the new agreement be founded on Judicial cooperation in penal matters or ….?

According to the Commission statement and the legal basis chosen for the new mandate (art. 82 of the TFUE) the future agreement will comply with the EP request  expressed already in September 2009 to build the EU US cooperation in this domain in a framework which could be consistent with the new EU Treaty the art. 8 of the European Charter of Fundamental rights and the request of some Constitutional Courts such as the German Court. To do so the draft mandate has foreseen the creation of  an European “Authority of  judicial nature” which could check the necessity and proportionality of the US request of SWIFT data .

Therefore during the debate Rapporteur Ms Jeanine Hennis Plasschaert (ALDE) enquired the European Commission on whether it would be possible to explore alternative legal frameworks from judicial cooperation in penal matters .

Mr Faull underlined that the Commission could not see any feasible short term alternative system to the mutual legal assistance framework, however this will not prevent the Commission to explore also other possibilities, following the requests from the Spanish Presidency and by taking in account the question posed by the Rapporteur. On the same logic to find alternative solution to judicial cooperation Ms Carmen Romero López (S&D) suggested to work within the framework of an anti-money laundering directive revised to include banking messaging companies.

Therefore according to Jan Philipp Albrecht (Greens/EFA) these “alternative” approaches would go against the European Charter on Fundamental Rights, the European Convention on Human Rights as well as the German Court (see recent judgment on data retention) with the risk, as pointed out “that Germany will feel impelled to reject this mandate on constitutional grounds”. To avoid possible “clashes” with European or national constitutional courts Mr Albrecht has then suggested then to request for the opinion of the EU Court of Justice on the compatibility of the draft agreement with the EU legislation, as foreseen by Article 218 §11 of the Treaty on the Functioning of the European Union.

The new draft negotiating mandate

The new draft negotiating mandate as agreed upon by the College of Commissioners on 24 March 2010 and upon approval of the Council foresees  -among others- the following elements:

  • Safeguards to ensure the respect of the fundamental right to the protection of personal data;
  • Transfer to third countries of only information derived from terrorism investigations (“lead information”);
  • A judicial public authority in the EU with the responsibility to receive requests from the United States Department of the Treasury, verify if  the substantiated  request meets the requirements of the Agreement and if appropriate require the provider to transfer the data on the basis of a “push” system;
  • Retention of personal data extracted from the TFTP database for no longer than necessary for the specific investigation or prosecution and non-extracted data retained for five years;
  • Onward transfer of information obtained through the TFTP under the Agreement shall be limited to law enforcement, public security, or counter terrorism authorities of US government agencies or of EU Member States and third countries or Europol or Eurojust as well as Interpol.
  • The Agreement shall provide for:

1) the right of individuals to information relating to the processing of personal data;

2) the right to access his/her personal data;

3) to the rectification, and

4) as appropriate erasure thereof.

Hence, it appears that the College of Commissioners has tried to address some of the past concerns addressed by the MEPs.

However, while demonstrating the willingness to explore grounds for a new agreement on the SWIFT data-sharing, some of the Members of the LIBE Committee, expressed a variety of concerns, most of which were already raised in the previous report of the European Parliament and that can be summarised as follows:


Members of Parliament still have concerns that the transfer of bulk data will not be addressed properly. According to Ms Sophie In’t Veld (ALDE) filtering should be done in the EU for financial data, PNR and telecommunications. Also Ms  Birgit Sippel (S&D) stressed that SWIFT should be able to individualise data ahead of a transfer.

In this regard it remains to be seen whether SWIFT has the technical ability but not the willingness to bare the costs derived from selecting and transferring  individual data instead of ‘data in bulk’.

According to Mr Faull it will not be possible to reduce the quantity of data transferred however he will work to reduce their size by removing the presumably non-useful data.

Data storage period

MEPs expressed concerned over the five years data storage as foreseen by the new text despite the attempts of Mr Faull to reassure the Committee stating that five years was not “unreasonable” given data’s useful lifespan in counter-terrorism.

Access, rectification, compensation and redress outside the EU

Mr Stavros Lambrinidis (S&D) enquired whether there was no other way for the bulk transfer of data and if it was not possible to impose some prior European check when the US wants to transfer the data to third countries.

Furthermore MEPs expressed the need to ensure the right to appeal to European citizens in front of American authorities in case of personal data abuse/misuse.

In this respect Mr Busutill asked to ensure equal rights between US and EU citizens and Mr Faull replied that the Privacy Act is indeed discriminatory and therefore does not guarantee the same rights to EU and US citizens.  However the Privacy Act does not apply to the TFTP , hence asking to apply the same right of US citizens to the European ones means not having any rights at all.

No evidence on the effectiveness

There still is no evidence that cases of terrorism have been prevented or prosecuted based exclusively on the financial data.

Procedural concerns

The fact that the EU is planning to conclude an executive agreement on exchanges of data before negotiating the general agreements on rules governing the data protection raise additional concerns. Indeed, the acceleration of the envisaged SWIFT II agreement will limit the margin of maneuver for negotiators on the overarching transatlantic agreement on data sharing and data protection. In other words, it will force the latter to simply accept praxis established before the development of the general principles governing data protection.

Also the Commission -using the words of the Director General of DG JLS Mr Jonathan Faull- is of the opinion that “in an ideal world” general norms should be established before specific ones. However, no sufficient reasons have been provided to explain why the European Union is accelerating the negotiations on the SWIFT agreement instead of giving precedence to the establishment of overarching general framework on EU-US data protection and exchange.

In conclusion, the European Union is engaging in a delicate exercise trying to define at the same time internal, external, specific and general data protection norms. This would have been possible -in theory- if the European Union had clear objectives and points of reference. However, following the LIBE Committee debate on 7 April this seems far from being the case.


Freedom on the Internet at risk

The freedom on the Internet is increasingly at risk, as the following three recent examples demonstrate: the on-going secret negotiations on the ACTA agreement, the conviction of three Google executives by an Italian prosecutor and the new approach of Google to China.

Hence, following the digital platform debate hosted by the European Parliament on 24 March 2010 and far from entering into the merit of the specific cases, they will be used as a useful starting point to make some reflections concerning the principle of freedom on the internet as a fundamental aspect to fulfil the more general right to freedom of expression. Firstly, the principle of liability will be investigated, then the ‘commercial purpose’ criterion followed by an overview of some of the sanctions under scrutiny to limit Internet access will be illustrated.

The liability principle

The principle of liability is fundamental to understand what is stake when dealing with measures limiting the freedom on the Internet, hence it is necessary to understand what it means.

Such a principle may have a strict application (strict liability system) or a lighter application (with-fault liability system) and can be applied to individuals and companies having a direct relation with the content of material (being copyrighted, harmful, private or defamatory) as well as to intermediaries, such as Internet Service Providers (ISP). This analysis will mainly focus on the latter, although it will also refer to the former when exploring the ‘commercial purpose’ criterion.

A strict liability system foresees the possibility to held responsible an ISP regardless of its knowledge and control over the material that is disseminated through its facilities. This system may be indirectly established by imposing, an obligation to monitor all the material that is posted on the Internet by private actors.

On the contrary, a with-fault liability system foresees that an ISP is held responsible only if it intentionally violates the rights of others, either by knowing that there is some material on the Internet that violates someone’s rights or if it has certain hints on the existence of certain material infringing someone’s rights.

At the European level, the relevant provision is Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’), which in articles 12 -15 does not establish a general liability regime applicable to ISPs. Instead, it provides for a system of specific liability exemptions.

This means that in cases where the ISPs provide a specific service (mere conduit, caching, and hosting) and comply with a series of requirements, they will not be held liable for the services performed. The limitations apply only to liability for damages because the last paragraphs of Articles 12, 13, and 14 of the Directive establish that Member States retain the right to require the ISPs to terminate or prevent known infringements.

Following the conviction of three Google executives by an Italian prosecutor, questions were raised on whether IPSs can be considered liable over the content distributed by users even when they are not aware of the existence of such material.

In this regard, Mark Rotenberg rightly pointed out that a distinction should be made between responsibility over the content and ways to make profit out of displayed material.

Hence, although ISPs are not responsible over the content as such they may be considered responsible if they use it to make profit out of it.

The commercial scale criterion

This point was also discussed during the above-mentioned digital platform, namely in relation to whether and under which circumstances a physical person or legal entity (hence not limiting the analysis to ISPs) can be considered liable of infringing owners’ rights.

According to the European Data Protection Supervisor ‘s opinion on the ACTA negotiations “(…) the ‘commercial scale’ embodied in the IPRE Directive is a very appropriate element to set the limits of the monitoring in order to respect the principle of proportionality”. Hence, according to the EDPS, sanctions can be imposed if the alleged infringements have a commercial scale.

However, this criterion may lead to any kind of interpretation and this vagueness is not justifiable, especially when individuals may face not only civil but also criminal prosecutions and convictions.

Therefore, in case of the unfortunate approval of such an agreement, the criterion of “commercial intent”, seems more appropriate to limit the scope of the sanctions, as pointed out by Mr Zimmermann during the Digital Platform meeting on 24 March 2010.

What is more, it has not been demonstrated yet that file sharing damages the commercial interest of rights owners. As the Draft report on enhancing the enforcement of intellectual property rights in the internal market (Gallo report) points out, these assumptions based on “data concerning the scale of IPR infringements are inconsistent, incomplete, insufficient and dispersed”.


Despite these loopholes, Member states have (France) or are very close to (United Kingdom) put into place measures to suspend or block Internet to users infringing owners rights.

Also the ACTA agreement contains such an option despite the fact the European Commissioner Mr De Gucht stated that ” The ‘three-strike rule’ or graduated response systems are not compulsory in Europe. Different EU countries have different approaches, and we want to keep this flexibility, while fully respecting fundamental rights, freedoms and civil liberties. The EU does not support and will not accept that ACTA creates an obligation to disconnect people from the internet because of illegal downloads.”

Denying access to the Internet represents indeed a violation of fundamental rights, freedoms and liberties. As the Gallo report and the European Data Protection Supervisor correctly remind, these measures already exist and are provided for by Directive 2004/48/EC on the enforcement of intellectual property rights on the internal market and since from the point of view of the protection of rights their inefficacy has not been assessed they should be considered as alternative options.

In conclusion, using the words of decision n. 2009/580 (EN) of the French Constitutional Council:

“The free communication of ideas and opinions is one of the most precious rights of man. Every citizen may thus speak, write and publish freely, except when such freedom is misused in cases determined by Law”. In the current state of the means of communication and given the generalized development of public online communication services and the importance of the latter for the participation in democracy and the expression of ideas and opinions, this right implies freedom to access such services.”

The next round of the ACTA negotiations will take place in New Zealand on 12-16 April 2010 and their discussions on Internet, civil, customs and penal measures will be followed as closely as possible, while waiting for a real open debate with stakeholders.