The EU’s new (internal) security agenda

ORIGINAL PUBLISHED ON STATEWATCH

by Chris Jones, May 2015

For anyone interested in an overview of the substantial law and order bureaucracy that the European Union and its Member States have constructed over the last four decades, and the direction in which it is heading, the European Commission’s recently-published ‘European Agenda for Security’ is worth a read. This article provides an overview of the key points.

The Agenda [1] opens by stating:
“The European Union aims to ensure that people live in an area of freedom, security and justice, without internal frontiers. Europeans need to feel confident that, wherever they move within Europe, their freedom and their security are well protected, in full compliance with the Union’s values, including the rule of law and fundamental rights.”
It follows on from the EU’s 2010 Internal Security Strategy and the ‘action plan’ that sought to implement it.
The Agenda was formally requested by the Justice and Home Affairs Council in December 2014, [2] through a set of conclusions that call for many of the same proposals put forward by the Commission.
It sets out a five-year “shared agenda between the Union and the Member States” that is supposed to lead to “an EU area of internal security where individuals are protected in full compliance with fundamental rights.”

On the basis of the Commission’s communication and ongoing political and legal developments, it is doubtful – to say the least – whether the proposed “full compliance with fundamental rights” will be achieved.
Instead, the Agenda looks likely to legitimise more repressive laws and policies at EU and national level.
What’s the Agenda? The Agenda will improve:

• “information exchange”, including of personal data;
• “increased operational cooperation” between policing, security, border guard and customs agencies, prosecutors, companies, etc.; and
• “mutual trust [between different national authorities], drawing on the full range of EU policies and tools.”

The three main priorities are “terrorism, organised crime and cybercrime”, although the Commission is “remaining vigilant to other emerging threats [to security] that might also require a coordinated EU response.” The Commission’s broad concerns are that:
“In recent years new and complex threats [to security] have emerged highlighting the need for further synergies and closer cooperation at all levels [of state and industry]. Many of today’s security concerns originate from instability in the EU’s immediate neighbourhood and changing forms of radicalisation, violence and terrorism. Threats are becoming more varied and more international, as well as increasingly cross-border and cross-sectorial in nature.”
There are undoubtedly a number of serious ongoing crises within the EU’s “immediate neighbourhood”. Nevertheless, this rather vague statement also to some extent encourages fear of the unknown. In any case, it provides significant leeway for developing new laws, policies and activities.

The key principles The Agenda has five:

• “full compliance with fundamental rights”, meaning that “all security measures must comply with the principles of necessity, proportionality and legality, with appropriate safeguards to ensure accountability and judicial redress”;
• “transparency, accountability and democratic control”, which will “give citizens confidence”;
• “better application and implementation of existing EU legal instruments”, with one priority for the Commission “to help Member States to further develop mutual trust, fully exploit existing tools for information sharing and foster cross-border operational cooperation”;
• “a more joined-up inter-agency and a cross-sectorial approach” – ensuring “all relevant EU agencies” are “fully coordinated” to deal with “the increasing nexus between different types of security threats”;
• “bring together all internal and external dimensions of security” in order to “further reinforce links between Justice and Home Affairs and Common Security and Defence Policy” and ensure “preventive engagement with third countries [non-EU countries]… to address the root causes of security issues.”

This section also puts forth how the Commission proposed to improve those pillars – but before another list, it’s worth taking a note of what the European Commission does. It proposes legislation, which is discussed and agreed (or not) by the Council of the European Union, made up of representatives of the EU’s 28 Member States, as well as ‘Associated Countries’ such as Norway and Switzerland. Depending on the type of legislation, the European Parliament may act as legislator alongside the Council.

The Commission is then responsible for overseeing the implementation of that legislation by the Member States, and by EU agencies or bodies. It also has responsibility for overseeing implementing acts, for drawing up action plans and strategies, and it controls the EU’s budget.
With regard to internal security the Commission has almost €4 billion to spend over the next five years, and a total home affairs budget of over €9 billion. [3]
It therefore has quite an interest in the Agenda, but it cannot implement it alone. This is a job for everyone, “be it EU institutions and agencies, Member States or national law enforcement authorities.” There is also likely to be significant involvement from businesses, an issue highlighted at certain points in the Agenda.

The Commission makes a number of proposals on how to “strengthen the pillars of the EU action”:

• helping Member States implement travel bans in relation to the “foreign fighters” phenomenon;
• introducing EU-wide automatic border controls;
• EU-wide profiling (“common risk indicators”, with the first set coming in the first half of 2015, on “foreign terrorist fighters”);
• Increased mass information-sharing (DNA, fingerprints, vehicle registration, passports, police records and more); [4]
• mass travel surveillance (with the EU Passenger Name Record or PNR Directive);
• an EU-wide criminal record system for non-EU nationals;
• more “concrete law enforcement operations to tackle organised crime” based on “an intelligence-led approach to internal security” with “threat assessments coordinated within Europol” and overseen by the snappily-titled Standing Committee on Operational Cooperation on Internal Security (COSI);
• “a high level of protection of personal data transferred between the EU and the US” (which seems optimistic given what has been demonstrated by the Snowden leaks);
• “law enforcement and judicial authorities” cooperating “more effectively with each other” through information-sharing, training aligned with EU priorities, and “systematically” involving EU agencies in cases;
• a “Maritime Common Information Sharing Environment” for information on “piracy, terrorism, arms and drugs smuggling, human trafficking, environmental pollution, civil protection and natural disasters”;
• “a more efficient and coherent EU response to crises sparked by criminal acts, impacting on borders, public security and critical systems”;
• “systematic” use of the European Arrest Warrant and the forthcoming European Investigation Order;
• billions of euros in financing for home affairs policies and for the development of new internal security technologies through a research programme that has for the last decade danced to the tune of Europe’s major “security and defence” corporations. [5]

On this last point, the Agenda states that:
“[S]ecurity should be a key priority in a wide range of funding instruments, research and innovation programmes as well as training initiatives. Existing priorities should be adjusted as required.”

This sentence alone makes clear the possibility that the significant institutional and financial backing for internal security will override the need to protect and fulfil fundamental rights. [6]

Presumably we are supposed to bear in mind, throughout the text, the five principles set out by the Commission – “full compliance with fundamental rights” being the first, although it is not mentioned beyond the thirteenth of the Agenda’s 21 pages. It will be necessary to keep a close eye on what exactly the Commission proposes when it starts acting on its “three main priorities for European security”: terrorism, serious and organised cross-border crime, and cybercrime.

Terrorists and radicals

The Commission wants to give the EU policing agency, Europol, a European Counter-Terrorism Centre, “maximising the use of already existing structures, services and tools… with a view to achieving economies of scale.” The Centre will have “a secure environment with the highest confidentiality in its communication,” and will include information on:

• foreign fighters;
• the EU-US Terrorist Finance Tracking Programme;
• money-laundering and terrorist financing information and intelligence;
• “Europol’s existing capabilities on firearms and explosive devices”; and
• the Internal Referral Unit (coming in July 2015, with or without the Centre), “helping Member States to identify and remove violent extremist content online, in cooperation with industry partners.”

This Centre “would operate strictly within the legal mandate of Europol [which is currently being re-negotiated, to give the agency new powers], and would not affect Member States’ sole responsibility for safeguarding national security [spying and subversion], nor the role of the EU Intelligence Analysis Centre (INTCEN) in the area of intelligence-based assessment of the threat.”

The EU is currently posting “security experts” to its dozens of delegations (essentially embassies) around the world. Whether INTCEN, Europol, or both will get the information they gather remains unknown.
As well as working with the Internet Referral Unit – described critically by one German MP as being focused on “unpleasant”, rather than illegal, content [7] – Europe’s major IT companies will also be invited to “an EU-level Forum”, which “will focus on deploying the best tools to counter terrorist propaganda on the internet and in social networks.”

The companies will also be present as the Forum discusses “the concerns of law enforcement authorities on new encryption technologies.” The EU Counter-Terrorism Coordinator has, much like the British government, called for “access of the relevant national authorities” to encrypted communications. [8]
Europol’s director, Rob Wainwright, has made similar comments, noting his “disappointment” with companies that encrypt their customers’ data. [9]

Europol’s cooperation with companies may be more successful than that with Member States’ police forces and security agencies. As Europol’s “concept note” on the Counter Terrorism Centre says, calls from the European Council for Member States to enhance intelligence- and information-sharing “are the most recent of many calls stretching back to 2001.” [10] These calls have largely been in vain because, as Europol’s Brian Donald has said, “obligation is a word that is lacking in EU law enforcement cooperation, member states do not like it and do not like to be obliged to do anything with anybody, least of all, Europol.” [11]

The Agenda discusses the Terrorist Financing Tracking Programme (TFTP), which the Commission says has “provided leads relating to numerous terrorist suspects and their support networks”. The EU-US TFTP Agreement involves transferring the financial records of thousands of people in Europe to the United States, and since 2001 has apparently “produced tens of thousands of leads and over 3,000 reports… to counter-terrorism authorities worldwide, including over 2,100 reports to European authorities.” [12]
Attempts to obtain more detailed information on the TFTP have faltered – both MEPs and the European Ombudsman have been told in recent years that they cannot see a document on the TFTP drafted by a wing of Europol. Access to a 2012 report by the Joint Supervisory Body, which supervises the application of data protection rules by the policing agency, has been prohibited on two occasions. This is because the document, despite being written by an EU agency, has been classified as secret by the US. [13]

The Commission also plans to consider new powers on terrorist financing, such as freezing the assets of “internal terrorists” [14] and “the control of forms of payment such as internet transfers and pre-paid cards.”

There will also be “a solid criminal justice response to terrorism”. The EU’s judicial cooperation agency, Eurojust, “should be fully involved” in the proposed Counter-Terrorism Centre, and in 2015 the Commission will also consider how to revise the EU’s 2008 Framework Decision on Terrorism in order to better implement UN Security Council Resolution 2178. [15] The Agenda notes that this legally-binding Resolution “requires states to criminalise travel to a conflict zone for terrorist purposes” (this is just one of its many requirements). According to the Commission, this can help “build a common understanding of the offences of foreign terrorist fighters.”

The Council of Europe (CoE, with 47 Member States) Convention on the Prevention of Terrorism is currently being amended with regard to the resolution, which has been heavily criticised for its use of vague and broad terms. [16] One analysis notes that it provides “a handy tool for oppressive regimes that choose to stigmatize as “terrorism” whatever they do not like”. [17] Nevertheless, states across the globe have begun implementation. In Malaysia, the resolution appears to have been used as the basis for measures that have been described as “an affront to the rule of law and repugnant to the principles of natural justice.” [18]
UK and French legislation that implements some of the Resolution’s requirements has also been heavily criticised. [19]
Whether the proposed amendments to the CoE Convention will seek to improve upon the Resolution – for example, by including a definition of terrorism – remains to be seen. Amendments have been proposed that would provide some improvements on the original draft, although as the CoE’s Parliamentary Assembly said in its own report, it “does not see a particular need to expand the current legal framework on combating terrorism.” [20] The Agenda promises that the EU’s work on the issue will “take into account” the CoE’s negotiations.

Beyond new laws, work will continue to “gather best practices and produce guidance” on a whole range of topics – Chemical, Biological, Radiological or Nuclear materials; explosives precursors; critical infrastructure (for example, transport and energy networks); and “soft targets, for instance at mass public events.” The Commission will also carry on promoting “preventive measures” to deal with radicalisation, including through “strategic communication”; will address hate crime; and will “prioritise combating radicalisation, marginalisation of youth and promoting inclusion” by tapping education, youth, sport and culture budgets. It seems that these budgets may be “adjusted” to meet the Agenda’s demand that spending priorities reflect security policy.

The EU’s Radicalisation Awareness Network (RAN), made up of “first-line practitioners” from across Europe who attempt to “stop people from getting involved in violent extremist or terrorist activities”, [21] will get a new Centre of Excellence. The RAN will also work with the European Organisation of Prison and Correctional Services to “promote the exchange of best practices and training on de-radicalisation and prevention of radicalisation in prisons,” and give similar training to “social workers, teachers and healthcare workers.” Similar practices in the UK have been heavily criticised for their intrusive and discriminatory nature. [22]

Organised criminals

On organised crime, the first issue highlighted by the Agenda is “identifying and tackling organised crime groups involved in the smuggling of migrants,” and Europol’s recently-launched Joint Operation MARE is highlighted. [23] Efforts will be made to increase “cooperation against the smuggling of migrants inside the EU and with third countries,” although the forthcoming European Agenda on Migration will deal with this in more detail.
However, the Agenda does note that people smuggling is one focus of the EU’s ‘Policy Cycle for serious and organised crime’. This is supposed to enhance EU and Member State action against organised and cross-border crime, and at the same time gives the Council’s internal security committee (COSI) greater influence over operational police cooperation, primarily through setting priorities, monitoring the outcomes of operations, and suggesting alterations for future working methods and operations. [24]

The priorities for the policy cycle in 2015 are illegal immigration, trafficking in human beings, counterfeit goods, Excise Fraud and Missing Trader Intra-Community Fraud, synthetic drugs, cocaine and heroin trafficking, cybercrime, firearms trafficking and organised property crime. [25]
Attempts to tackle the financing of organised crime will continue, with the Commission planning to establish “a coherent policy towards third countries that have deficient anti-money laundering and counter-terrorist financing regimes.” [26] The Agenda also proposes “linking up the work of national Asset Recovery Offices” to “improve cross-border freezing and confiscation of assets,” and in 2016 “the Commission will issue a feasibility study on common rules on non-conviction based confiscation of property derived from criminal activities.”

In 2016 the Commission will also consider harmonising rules on firearms, with “a common approach on the neutralisation and de-activation of firearms to prevent reactivation and use by criminals.” A recently-drafted “operational action plan” on dealing with firearms trafficking in the Western Balkans could “be replicated with other neighbours, in particular countries in the Middle East and North Africa.”

Illicit drugs, and in particular “new psychoactive substances”, show “the urgency of adopting a new EU legislative framework,” and the Commission will consider “whether to propose a new EU Action Plan for the period 2017-2020.”

Environmental crimes are also on the Agenda, and the Commission “will consider the need to strengthen compliance monitoring and enforcement, for instance by increasing training for enforcement staff, support for relevant networks of professionals, and by further approximating criminal sanctions in the EU.”

The Agenda even gets down to the level of local authorities, who “have a critical role to play in tackling organised crime,” which “often thinks globally but acts locally”. Local authorities can, for example, help fight organised crime “when allocating public tenders or granting casino licences, and they should have the tools to share information with other public administrative authorities or law enforcement.”

Cyber criminals

“Cybersecurity is the first line of defence against cybercrime,” according to the Agenda, which calls for the implementation of the 2013 EU Cybersecurity Strategy. [27] This involves four values – human rights, promoting and protecting Union interests and values in external policies, ensuring all EU citizens can access the internet, and protecting the digital economy – and a series of objectives. These are:

• “achieving cyber resilience”;
• dealing with cyber-crime;
• setting up cyber-security and cyber-defence policies;
• boosting European industry; and
• improving international cooperation.

The Agenda calls for the “full implementation of existing EU legislation” as “the first step in confronting cybercrime”, including the 2013 Directive on attacks against information systems and the 2011 Directive on child sexual exploitation. A Directive on a ‘high common level of network and information security across the Union’ is also currently under negotiation, [28] and the Commission plans to examine legislation on “combating fraud and counterfeiting of non-cash means of payment”, in order to “assess the need for further measures”. Member States are called on to implement the Council of Europe Budapest Convention on Cybercrime.

Cyber-criminals are “borderless, flexible and innovative,” says the Agenda, and “law enforcement has to be able to match and anticipate the ingenuity of the criminals.” This means ensuring “swifter cross-border access to evidence… Gathering electronic evidence in real time from other jurisdictions on issues like owners of IP addresses or other e-evidence, and ensuring its admissibility in court, are key issues.” Cooperating with private companies “is also of critical importance”. “In short,” declares the Commission, “cybercrime demands a new approach to law enforcement in the digital age.”

Part of this “new approach” may come from the European Cybercrime Centre, established by the Commission at the beginning of 2013 after the Rand Corporation carried out a “feasibility study” on the issue. Europol hosts the Centre, which is supposed to become “a central information hub for law enforcement in this area.” The Justice and Home Affairs Council’s December conclusions on a renewed Internal Security Strategy noted:
“A framework, respecting fundamental rights, for swift cooperation by investigating and prosecuting authorities in access to electronic evidence across jurisdictions held by players in industry is required.” [29]

There is also mention, in the list of actions at the end of the section, of “enhancing cyber capacity building action under external assistance instruments.” Work on this apparently began in July 2014 at the “cyber attaches” meeting, where Member States presented their initiatives. Whether the German delegation highlighted its cooperation on cybercrime with a host of less-than-democratic North African and Middle East regimes is unknown. [30] The EU, meanwhile, is funding work overseas through two different programmes: the Instrument contributing to Stability and Peace, and the Eastern Partnership Instrument.

Setting the Agenda

All in all, it’s a lengthy list of proposals. Some of it will go nowhere, some of it will achieve what it aims to, and some of it looks likely to legitimise more repressive laws and policies at EU and national level.

While the Agenda makes bold claims about fundamental rights, transparency and democratic control, there is little mention of them throughout the latter part of the text, which highlights the EU’s internal security priorities.
The proposals on removing internet content make no mention of judicial procedures; the call for new anti-terrorism measures says nothing of the criticisms made of the UN’s approach nor the heavy-handed response from Member States; the section on dealing with cross-border crime is silent on the rights of suspects and defendants (despite the EU currently working on a new set of laws in relation to this); and the calls for addressing law enforcement “concerns” over encryption and implementing “a new approach to law enforcement in the digital age” are almost certain to raise a few eyebrows.

The Agenda notes that the European Parliament has now “taken up its full role as co-legislator.” But the European Parliament has no formal role with regard to the action plans, security strategies, “best practices” and so on that are dotted throughout the Agenda. Neither does the Parliament have any real say on external security policy, where decision-making remains largely inter-governmental. It is not clear how the EU’s efforts to bring together “all internal and external dimensions of security” will be subject to any kind of democratic accountability.

The day after the publication of the Agenda, the Council of Europe published a report on the state of “democratic security” amongst its 47 Member States. [31] It noted that there are five pillars of democratic security:

• efficient and independent judiciary;
• freedom of expression;
• freedom of assembly and association;
• functioning of democratic institutions;
• inclusive society and democratic citizenship.

With regard to the judiciary, the report notes that “widespread weaknesses are evident”. Freedom of expression is facing threats that are “greater, deeper and geographically more widespread than has been previously understood”. Freedom of assembly and association are suffering from the use of excessive force to disperse demonstrations and attempts by governments to undermine and even control non-governmental organisations. “Restrictive media environments, voter intimidation and limits on the freedom of expression, assembly and association” undermine democratic institutions, as does the ongoing decrease in voter turnout. And the hope of building inclusive societies where people can exercise democratic citizenship faces numerous obstacles, not least “the backdrop of prolonged austerity” and “the climate of rising populism and intolerance”.

The European Agenda on Security makes no mention of any of these issues.
Instead its conception of security is one of “new and complex threats” that can change at any moment, to which we must “remain vigilant”. To deal with them, states need more powers to access and exchange information, new laws to extend and increase criminal sanctions, and new abilities to police the internet and new intrusive ways to prevent “radicalisation”. The effects on the rights to privacy, expression, association, and due process remains to be seen. However, given that the Agenda essentially maintains and extends the same approach to security that the EU and its Member States have followed for over a decade, the outlook is not positive.

Many of the proposals in the Agenda represent the Commission’s (and the Council’s) desire for new and enhanced EU powers in the field of internal security, and to better exercise the power that EU institutions and agencies have obtained in recent years. In its conclusion, the Commission stresses that: “The EU must be able to react to unexpected events, seize new opportunities and anticipate and adapt to future trends and security risks.”

However, the Commission also notes that it “must be a shared agenda,” which “depends on the political commitment of all actors to do more and to work better together. This includes EU institutions, Member States and EU agencies.” The opinions of the Member States (and the European Parliament) will presumably come to light in the coming weeks: the Commission has invited them to “endorse this Agenda as the renewed Internal Security Strategy” in time for the European Council meeting in June 2015.

Endnotes