Counter-terrorism and the inflation of EU databases

Originally published on Statewatch (*) in May 2017

By Heiner Busch (@Busch_Heiner) and Matthias Monroy (@matthimon)  (Translation from DE by Viktoria Langer)

The topic of counter-terrorism in Europe remains closely linked to the development and expansion of police (and secret service) databases. This was the case in the 1970s, after 11 September 2001 and has also been the case since 2014, when the EU Member States started working on their action plans against ‘foreign terrorist fighters’.

The first effect of this debate has been a quantitative one: the amount of data in the relevant databases has increased explosively since 2015. This can be seen by looking in particular at available data on the Europol databases, like ‘Focal Points’ (formerly: Analytical Work Files) of the Europol analysis system. Since 2015 they have become one of the central instruments of the European Counter Terrorism Centre (ECTC) which was established in January 2016. ‘Hydra’, the ‘Focal Point’ concerning Islamist terrorism was installed shortly after 9/11. In December 2003 9,888 individuals had been registered, a figure that seemed quite high at the time – but not compared with today’s figures. [1] In September 2016 ‘Hydra’ contained 686,000 data sets (2015: 620,000) of which 67,760 were about individuals (2015: 64,000) and 11,600 about organisations (2015: 11,000).

In April 2014 an additional ‘Focal Point’, named ‘Travellers’, was introduced, which deals exclusively with “foreign terrorist fighters” (FTF). One year later ‘Travellers’ included 3,600 individuals, including contact details and accompanying persons. In April 2016 the total number increased by a factor of six. Of the 21,700 individuals registered at the time, 5,353 were “verified” FTFs. In September 2016, of 33,911 registered individuals, 5,877 had been verified as FTFs.

Since 2010 Europol and the USA have operated the Terrorist Finance Tracking Programme (TFTP), which evaluates transfers made via the Belgian financial service provider SWIFT. Until mid-April 2016 more than 22,000 intelligence leads had arisen out of that programme, of which 15,572 since the start of 2015. 5,416 (25%) were related to FTFs.

In contrast to Europol’s analytical system, the Europol Information System (EIS, the registration system of the police agency) can be fed and queried directly from the police headquarters and other authorities of EU Member States. Here, more than 384,804 ‘objects’ (106,493 individuals) were registered at the start of October 2016, 50% more than the year before. The increase is partly due to the growing number of parties participating in the EIS. In 2015 13 Member States were connected; in 2016 19 Member States. Some of the EU States, like the UK, also let their national secret services participate in the system. 16 Member States currently use automatic data uploaders for input. The number of third parties involved has also increased (in 2015 there were four, in 2016 there were eight). Interpol, the FBI and the US Department of Homeland Security are some of them.

Europol has reported further growth in the number of “objects” linked to terrorism in the EIS. According to the Slovak Presidency of the Council of the EU’s schedule for the improvement of information exchange and information management, in the third quarter of 2016 alone these grew another 20% to 13,645. [2] The EIS includes 7,166 data sets about individuals linked to terrorism, of which 6,506 are marked as FTFs or their supporters, or are assumed to be so. For May 2016 the CTC stated a figure of 4,129. [3] The increase in terrorism-linked data can also be seen in the Schengen Information System (SIS) – in the alerts for “discreet checks or specific checks” following Article 36 of the SIS Decision. According to this, suspect persons are not supposed to be arrested. However, information about accompanying persons, vehicles etc. is recorded to provide insight into movements and to keep tabs on the contacts of the observed person. At the end of September 2016 the number of such checks by the police authorities (following Article 36(2)) was 78,015 (2015: 61,575, 2014: 44,669). The number of alerts of the national secret services based on Article 36(3) was 9,516 (2015: 7,945, 2014: 1,859). “Hits” on such alerts and additional information are supposed to be sent directly to the alerting authorities and not as usual to national SIRENE offices (which deal with the exchange of supplementary information regarding alerts in the SIS). This option was only introduced in February 2015.

The Schengen states used the instrument for discreet surveillance or specific checks very differently. On 1 December 2015 44.34% of all Article 36 alerts came from authorities in France, 14.6% from the UK, 12.01% from Spain, 10.09% from Italy and 4.63% from Germany. [4] How many of these alerts actually had a link to terrorism remains unclear; a common definition has not yet been found. However, the Council Working Party on Schengen Matters agreed on the introduction of a new reference (“activity linked to terrorism”) for security agencies’ alerts. According to the Federal Ministry for the Interior, German alerts are marked with this reference when concrete evidence for the preparation of a serious act of violent subversion (§§129a, 129b Penal Code) can be presented. [5]

‘Unnoticed in the Schengen area’

Worth Reading: Justice against sponsors of terrorism (JASTA and its international impact)

European Parliament Research Service (EPRS) Briefing published in October 2016

SUMMARY

On 27 September 2016, the United States Congress overrode the presidential veto to pass the Justice Against Sponsors of Terrorism Act (JASTA), the culmination of lengthy efforts to facilitate lawsuits by victims of terrorism against foreign states and officials supporting terrorism. Until JASTA, under the ‘terrorism exception’ in the US Foreign Sovereign Immunities Act, sovereign immunity could only be denied to foreign states officially designated by the USA as sponsors of terrorism at the time or as a result of the terrorist act. JASTA extends the scope of the terrorism exception to the jurisdictional immunity of foreign states so as to allow US courts to exercise jurisdiction over civil claims regarding injuries, death or damages that occur inside the USA as a result of a tort, including an act of terrorism committed anywhere by a foreign state or official.

The bill has generated significant debate within and outside the USA. State or sovereign immunity is a recognised principle of customary international law and, for that reason, JASTA has been denounced as potentially violating international law and foreign states’ sovereignty; some countries have already announced reciprocal measures against the USA. The terrorism exception to state immunity was already a controversial concept, with only the USA and Canada having introduced legislation on the matter.

In this briefing:
What is JASTA?
The law on state immunity and the terrorism exception
Debate in the United States
Reactions in third countries
Considerations for the European Union
The European Union’s approach to victims’ rights
Main references

What is JASTA?

The Justice Against Sponsors of Terrorism Act (JASTA) represents an attempt by the US Congress to reduce the number of obstacles faced by victims of terrorism when bringing lawsuits in the USA against foreign states and officials supporting terrorism. The bill amends the federal judicial code (USC) to expand the scope of the terrorism exception (Title 28 USC, section 1605A) to the jurisdictional immunity of a foreign state. It will give US courts jurisdiction over civil claims regarding injuries, death, or damages that occur inside the United States as a result of a tort, including an act of terrorism, committed anywhere by a foreign state or official. It also amends the federal criminal code to permit civil claims (Title 18 USC, section 2333) sought by individuals against a foreign state or official for injuries, death or damages from an act of international terrorism (unless the foreign state is immune under the Foreign Sovereign Immunities Act, as amended by JASTA). Additionally, the bill authorises federal courts to exercise personal jurisdiction over, and impose liability on, a person who commits, or aids, abets, or conspires to commit, an act of international terrorism against a US national (thus expanding the liability of foreign government officials in civil actions for terrorist acts). However, the foreign state will not be subject to the jurisdiction of US courts if the tortious act in question constitutes ‘mere negligence’. JASTA contains a stay of actions clause that can apply if the USA is engaged in good faith discussions with the foreign state or any parties as to the resolution of the claims. A stay can be granted for 180 days, and is renewable. JASTA will apply to any civil action ‘arising out of an injury to a person, property, or business, on or after September 11, 2001’.

The JASTA bill was approved by the US Senate in May 2016 (S. 2040) and by the House of Representatives in September 2016, but was vetoed by President Obama. The bill passed after Congress overrode the presidential veto on 27 September 2016. There are, however, indications that some changes to the law are already being considered by lawmakers. Several countries, including some EU Member States, have expressed concern about the bill. The existing US terrorism exception to state immunity is already considered to be contrary to customary international law and is an isolated practice among other states.

The law on state immunity and the terrorism exception

According to the CJEU the free trade agreement with Singapore cannot, in its current form, be concluded by the EU alone

The full text of the opinion is published on the CURIA website

(CJEU Press and Information)  Opinion 2/15 : The provisions of the agreement relating to non-direct foreign investment and those relating to dispute settlement between investors and States do not fall within the exclusive competence of the EU, so that the agreement cannot, as it stands, be concluded without the participation of the Member States

On 20 September 2013, the EU and Singapore initialled the text of a free trade agreement. The agreement is one of the first ‘new generation’ bilateral free trade agreements, that is to say, a trade agreement which contains, in addition to the classical provisions on the reduction of customs duties and of non-tariff barriers in the field of trade in goods and services, provisions on various matters related to trade, such as intellectual property protection, investment, public procurement, competition and sustainable development.

The Commission submitted a request to the Court of Justice for an opinion to determine whether the EU has exclusive competence enabling it to sign and conclude the envisaged agreement by itself. The Commission and the Parliament contend that that is the case. The Council and the governments of all the Member States which submitted observations to the Court¹ assert that the EU cannot conclude the agreement by itself because certain parts of the agreement fall within a competence shared between the EU and the Member States, or even within the exclusive competence of the Member States.

In today’s opinion, the Court, after making it clear that the opinion relates only to the issue of whether the EU has exclusive competence and not to whether the content of the agreement is compatible with EU law, holds that the free trade agreement with Singapore cannot, in its current form, be concluded by the EU alone, because some of the provisions envisaged fall within competences shared between the EU and the Member States. It follows that the free trade agreement with Singapore can, as it stands, be concluded only by the EU and the Member States acting together.

In particular, the Court declares that the EU has exclusive competence so far as concerns the parts of the agreement relating to the following matters:

  • access to the EU market and the Singapore market so far as concerns goods and services (including all transport services)² and in the fields of public procurement and of energy generation from sustainable non-fossil sources;
  • the provisions concerning protection of direct foreign investments of Singapore nationals in the EU (and vice versa);
  • the provisions concerning intellectual property rights;
  • the provisions designed to combat anti-competitive activity and to lay down a framework for concentrations, monopolies and subsidies;
  • the provisions concerning sustainable development (the Court finds that the objective of sustainable development now forms an integral part of the common commercial policy of the EU and that the envisaged agreement is intended to make liberalisation of trade between the EU and Singapore subject to the condition that the parties comply with their international obligations concerning social protection of workers and environmental protection);
  • the rules relating to exchange of information and to obligations governing notification, verification, cooperation, mediation, transparency and dispute settlement between the parties, unless those rules relate to the field of non-direct foreign investment (see below).

Ultimately, it is in respect of only two aspects of the agreement that, according to the Court, the EU is not endowed with exclusive competence, namely the field of non-direct foreign investment (‘portfolio’ investments made without any intention to influence the management and control of an undertaking) and the regime governing dispute settlement between investors and States.

In order for the EU to have exclusive competence in the field of non-direct foreign investment, conclusion of the agreement would have to be capable of affecting EU acts or altering their scope. As that is not the case, the Court concludes that the EU does not have exclusive competence. It has, on the other hand, a competence shared with the Member States.

That conclusion also extends to the rules relating to exchange of information, and to the obligations governing notification, verification, cooperation, mediation, transparency and dispute settlement, as regards non-direct foreign investment (see above). The regime governing dispute settlement between investors and States also falls within a competence shared between the EU and the Member States. Such a regime, which removes disputes from the jurisdiction of the courts of the Member States, cannot be established without the Member States’ consent.

It follows that the free trade agreement can, as it stands, only be concluded by the EU and the Member States jointly.

NOTES

1 Written observations were lodged by all the Member States with the exception of Belgium, Croatia, Estonia and Sweden. Belgium nevertheless appeared at the hearing and made oral observations.

2 Whether it be maritime transport, rail transport or road transport, the Court holds that the commitments contained in the envisaged agreement that relate to transport services may affect EU regulations or alter their scope, so that, in accordance with Article 3(2) TFEU, the European Union has exclusive competence to approve those commitments.

NOTE: A Member State, the European Parliament, the Council or the Commission may obtain the opinion of the Court of Justice as to whether an agreement envisaged is compatible with the Treaties or as to competence to conclude that agreement. Where the opinion of the Court is adverse, the agreement envisaged may not enter into force unless it is amended or the Treaties are revised.

Unofficial document for media use, not binding on the Court of Justice.

 

Worth reading: the final report by the EU High Level Expert Group on Information Systems and Interoperability (HLEG)

NB: The full version (PDF)  of the Report is accessible HERE

On May 8th the (EU) High Level Expert Group on Information Systems and Interoperability (HLEG), which was set up in June 2016 following the Commission Communication on “Stronger and Smarter Information Systems for Borders and Security”, published its long-awaited 56-page Report on Information Systems and Interoperability.

Members of the HLEG were the EU Member States (+ Norway, Switzerland and Liechtenstein), the EU Agencies (Fundamental Rights Agency, FRONTEX, European Asylum Support Office, Europol and the EU-LISA “Large Information Support Agency”) as well as the representatives of the Commission and the European Data Protection Supervisor (EDPS) and the Anti-Terrorism Coordinator (a High Council General Secretariat Official designated by the European Council).

Three Statements, respectively of the EU Fundamental Rights Agency, of the European Data Protection Supervisor and of the EU Counter-Terrorism Coordinator (CTC), are attached. The first two can be considered as a sort of partially dissenting Opinions while the CTC statement is quite obviously in full support of the recommendations set out by the report as it embodies for the first time at EU level the “Availability Principle” which was set up already in 2004 by the European Council. According to that principle, if a Member State (or the EU) has security-related information which can be useful to another Member State, it has to make it available to the authority of the other Member State. It looks like a common-sense principle which goes hand in hand with the principle of sincere cooperation between EU Member States and between them and the EU Institutions.

The little detail is that when information is collected for security purposes, national and European legislation set very strict criteria to avoid possible abuses by public EU and national law enforcement authorities. This is the core of Data Protection legislation and of Articles 6, 7 and 8 of the EU Charter of Fundamental Rights, which prevent the EU and its Member States from becoming a sort of Big Brother “State of surveillance”. Moreover, at least until now these principles have guided the post-Lisbon European Court of Justice jurisprudence in this domain and it is quite appalling that no reference is made in this report to the Luxembourg Court Rulings notably dealing with “profiling” and “data retention” (“Digital Rights”, “Schrems”, “TELE 2-Watson”…).

Needless to say, to implement all the HLEG recommendations several legislative measures will be needed, as well as the definition of a legally EU Security Strategy which should be adopted under the responsibility of the EU co-legislators. Without a strong legally founded EU security strategy not only will the European Parliament continue to be out of the game but also the control of the Court of Justice on the necessity and proportionality of the existing and planned EU legislative measures will be weakened. Overall this HLEG report is mainly focused on security-related objectives and the references to fundamental rights and data protection are given more as “excusatio non petita” than as a clearly explained reasoning (see the Fundamental Rights Agency Statement). As to the content of the perceived “threats” to be countered with this new approach, it remains to be seen whether some of them (such as the mixing of irregular migration with terrorism) are not imaginary and whether, on the contrary, real ones are not taken into account.

At least this report is now public. It would be naive to consider it as purely “technical”: it is highly political and will justify several EU legislative measures. It will be worthless for the European Parliament to wake up when the formal legislative proposals are submitted. If it has an alternative vision it has to show it NOW and not wait until the Report is, quite likely, “endorsed” by the Council and the European Council.

Emilio De Capitani

TEXT OF THE REPORT (NB  Figures have not been currently imported, sorry.)


EU accession to the Istanbul Convention preventing and combating violence against women. The current state of play.

by Luigi LIMONE (*)

The Council of Europe Convention on preventing and combating violence against women and domestic violence, known as ‘Istanbul Convention’, is the first legally binding treaty in Europe that criminalises different forms of violence against women including physical and psychological violence, sexual violence, sexual harassment and rape, stalking, female genital mutilation, forced marriage, forced abortion and forced sterilization.

It emphasises and recognises that violence against women is a human rights violation, a form of discrimination against women and a cause and a consequence of inequality between women and men. The Convention requires the public authorities of State parties to adopt a set of comprehensive and multidisciplinary measures in a proactive fashion to prevent violence, protect its victims/survivors and prosecute the perpetrators. The Convention recognises that women experience multiple forms of discrimination and requires the State parties to ensure that its implementation is made without discrimination on any ground such as sex, gender, race, colour, language, religion, political or other opinion, national or social origin, association with a national minority, property, birth, sexual orientation, gender identity, age, state of health, disability, marital status, migrant or refugee status or other. It also states that violence against women can never be justified in the name of culture, custom, religion, tradition or so-called ‘honour’.

It foresees obligations to adopt a specific gender-sensitive approach in migration and asylum matters, and the establishment of a specific monitoring mechanism, (The Group of Experts on Action against Violence against Women and Domestic Violence “GREVIO”), tasked with ensuring effective implementation of its provisions by the Parties.

The Convention contains 81 articles set out in 12 separate chapters and was adopted by the Committee of Ministers of the Council of Europe on 7 April 2011, and opened for signature on 11 May 2011. The Convention is open for signature and approval by the (47) member States of the Council of Europe, non-member States which have participated in its elaboration and the European Union, and is open for accession by other non-member States. The Istanbul Convention came into force in 2014. It has been signed by all the EU Member States (but the ratification is still missing for Bulgaria, Croatia, Cyprus, Czech Republic, Estonia, Germany, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, Slovakia and UK).

EU Accession : different perspectives of the Commission and of the Council

It should be noted that from a legal point of view the Istanbul Convention, like many other international treaties, is a ‘mixed agreement’ which allows for EU accession in parallel to the Member States’ accession.  While the EU cannot sign up to older international human rights treaties, like the UN Covenants, since they are only open to States, newer treaties expressly provide for the EU to sign up to them. This holds particularly true for the Istanbul Convention, which deals with a number of fields the EU is competent in, including victims’ rights and protection orders, asylum and migration, as well as in judicial cooperation in criminal matters.

As Steve Peers said, the EU accession to the Istanbul Convention can only be welcomed. Although it may not, by itself, prevent any act of violence from being committed, it may accelerate a broader process of ratification and corresponding national law reform on this issue. It may also have the important practical impact of helping victims receive support or protection, particularly in the context of the law on crime victims, immigration or asylum.

More specifically, the EU ratification of the Istanbul Convention could provide encouragement to its Member States, as well as non-EU Member States, to ratify the Convention and, since the CJEU will have jurisdiction to interpret those provisions of the Convention which fall within the scope of EU competence, it could promote a uniform interpretation of those provisions within the EU, thus establishing a truly comprehensive  framework for preventing and combating violence against women and domestic violence.

On 4th March 2016, the European Commission then issued a proposal for a Council decision on the conclusion, by the European Union, of the Council of Europe Convention on preventing and combating violence against women and domestic violence.

The Commission proposal for the EU accession to the Istanbul Convention has recognised the mixed nature of the Convention but has explicitly stated that the European Union has exclusive competence to the extent that, according to art. 3(2), the Convention may affect common EU rules or alter their scope (recital 6).

However, it has to be noted that according to art. 73 of the Convention: “The provisions of this Convention shall not prejudice the provisions of internal law and binding international instruments which are already in force or may come into force, under which more favourable rights are or would be accorded to persons in preventing and combating violence against women and domestic violence.” Consequently, contracting Parties to the Convention are allowed to maintain or introduce a higher level of protection for women and girls than the norms set out in the Convention.

This gives some leeway to the Member States which have already signed and in some cases also ratified the Convention. Moreover, in cases where relevant Union legislation contains minimum standards as well, it can be questioned if they have lost their possibility of adopting national legislation more favourable to the victims. In September 2016, the Slovak Presidency then requested the Legal Service to give an opinion on the competences of the Union relating to the Convention, and to identify the parts of the Convention, if any, that fall within the Union’s exclusive competence.

This opinion was issued on 27 October 2016 (doc. 13795/16 – only partially accessible to the public) and as a result of subsequent debates in the Council working groups it was decided that the Convention should be signed on behalf of the EU only as regards matters falling within the competence of the Union insofar as the Convention may affect common rules or alter their scope.

According to an internal Council source the EU must be held to have exclusive competence for some of the provisions of the Convention set out in Chapters IV (‘Protection and Support’), V (‘Substantive Law’) and VI (‘Investigation, prosecution, procedural law and protective measures’) but only insofar as they relate to victims covered by Directive 2011/92/EU and Directive 2011/36/EU. (Moreover, in the case of the Victim Directive it deals with minimum EU rules so that some competence remains at MS level).

On the contrary, it seems indisputable that the Union has acquired exclusive competence in relation to two of the three provisions of Chapter VII (‘Migration and Asylum’). In relation to Article 60(1) and (2) of the Convention, under the current EU rules of the “Qualification Directive” there does not appear to be much leeway for Member States to exceed the protection level set out in Union rules. The same applies to Article 60(3) of the Convention, in the light of the detailed provisions of the same Qualification Directive, the “Procedures Directive” and the “Reception conditions Directive”, even if they set, technically speaking, Member States to maintain or introduce more favourable protection. As for Article 61 of the Convention, on non-refoulement, this appears to set “minimum” norms, but only in theory. The same must be held for the corresponding provisions of EU provisions, whether primary (Article 78(1) TFEU), or secondary law.

Therefore, to protect the MS competence the Council has decided to change the legal basis and the draft decision on the signing on behalf of the European Union of the Istanbul Convention was divided into two decisions: one with regard to matters related to judicial cooperation in criminal matters and the second with regard to asylum and non-refoulement.

Both Council and Commission have recognised that the respective competences of the European Union and the Member States are inter-linked and have considered that it is appropriate to establish arrangements between the Commission and the Member States for the monitoring mechanism provided by the Convention, the so-called Group of experts on action against violence against women and domestic violence (GREVIO).

…in the meantime the European Parliament ..

At the European Parliament level, on several occasions MEPs have recalled that the EU accession to the Istanbul Convention would guarantee a coherent European legal framework to prevent and combat violence against women and gender-based violence and to protect the victims of violence, provide greater coherence and efficiency in EU internal and external policies and ensure better monitoring, interpretation and implementation of EU laws, programs and funds relevant to the Convention, as well as more adequate and better collection of comparable disaggregated data on violence against women and gender-based violence at EU level.

According to the MEPs the EU ratification would also reinforce the EU accountability at international level and, last but not least, it would apply renewed political pressure on Member States to ratify this instrument (note that so far all EU Member States have signed the Istanbul Convention, but only fourteen of them have ratified it).

The European Parliament has also recalled that the Commission is bound by Article 2 TEU and by the Charter of Fundamental Rights to guarantee, promote and take action in favour of gender equality. It has, therefore, welcomed the Commission proposal to sign and conclude the EU accession to the Istanbul Convention.

In this respect, a draft interim report between the LIBE and FEMM Committees is being drafted by two rapporteurs, Anna Maria Corazza Bildt (EPP – Sweden) and Christine Revault D’Allonnes Bonnefoy (S&D – France). A first LIBE/FEMM joint hearing on the issue took place on 29 November 2016. It was followed by a second joint hearing, which was held on 27 March 2017, whose aim was to highlight the importance as well as the necessity for the EU to accede to the Istanbul Convention as a unique body.

During the latter hearing, some MEPs reiterated the importance of the EU accession to the Istanbul Convention, which could represent the basis for the introduction of a holistic approach addressing the issue of violence against women and girls and gender-based violence from a wide range of perspectives, such as prevention, the fight against discrimination, criminal law measures to combat impunity, victim protection and support, the protection of children, the protection of women asylum seekers and refugees and better data collection.

According to Malin Björk (GUE/NGL – Sweden), the EU accession to the Istanbul Convention would represent a very important step forward and would make it possible to see violence against women as a political issue. For her, the EU ratification would be an opportunity to make people understand that such an issue is part of gender politics and it has to be recognised as such.

For Iratxe García Pérez (S&D – Spain), it would be extremely important to use all the best practices provided by some EU countries, such as Spain and Sweden, in order to define a common European framework for an active policy to combat violence against women. In her opinion, the European society is still unequal and gender-based violence derives from such an unbalance of power. The EU accession to the Istanbul Convention would be therefore crucial in order to set the basis for a common European strategy aiming to eliminate gender unbalances across Europe.

The key elements of the interim report were outlined during a third joint hearing which took place on 11 April 2017. On that occasion, the two rapporteurs stressed the need for a joint effort between the European Parliament and the European Commission, in order to set up a holistic and comprehensive approach towards violence against women. Both rapporteurs expressed their strong support for the introduction of an EU directive and recalled that violence against women should not be considered as a national issue but as a European issue, since it affects the whole of European society.

Despite the progress made at the European Parliament level, some MEPs deplored the fact that negotiations in the Council were not proceeding at the same speed.

It is not clear whether the LIBE members were aware of the debates on the Council side or whether they have been “timely and fully informed” of the new approach emerging on the Council side, as should have been the case according to Art. 218 TFEU. Nor is it clear whether the Commission has duly informed the LIBE Members in compliance with the EP-Commission Framework Agreement.

(*) FREE-GROUP Trainee

 

EU-Afghanistan “Joint Way Forward on migration issues”: another “surrealist” EU legal text?


by Luigi LIMONE (*)

It may be a coincidence, but this year we are not only marking the 50th anniversary of the death of the painter René Magritte but also witnessing his surrealist approach spreading into the legal practice of the EU institutions and Member States.

We already know that the core of 90% of interinstitutional legislative negotiations takes place in a confidential “informal” framework (the so-called “trilogues” procedure), which runs counter to the Treaty-based obligation for legislative debates to be held in public.

Thanks to the Court of Justice (Cases T-192/16, T-193/16 and T-257/16) we have also recently discovered that the EU-Turkey “deal” on migration, which was trumpeted as an EU achievement by the European Council President, was not in fact an EU agreement because “neither the European Council nor any other institution of the EU decided to conclude an agreement with the Turkish Government on the subject of the migration crisis.” According to the CJEU press release, “In the absence of any act of an institution of the EU, the legality of which it could review under Article 263 TFEU, the Court has declared that it lacked jurisdiction to hear and determine the actions brought by the three asylum seekers. For the sake of completeness, with regard to the reference in the ‘EU-Turkey statement’ to the fact that ‘the EU and [the Republic of] Turkey agreed on … additional action points’, the Court has considered that, even supposing that an international agreement could have been informally concluded during the meeting of 18 March 2016, something which has been denied by the European Council, the Council of the European Union and the European Commission in the present cases, that agreement would have been an agreement concluded by the Heads of State or Government of the Member States of the EU and the Turkish Prime Minister. In an action brought under Article 263 TFEU, however, the Court does not have jurisdiction to rule on the lawfulness of an international agreement concluded by the Member States.”

 

Now a third example of this surrealist legal approach is offered to us by the Joint Way Forward (JWF) declaration on migration issues between Afghanistan and the EU. It was signed during the Afghanistan donor conference which took place in Brussels on 4 and 5 October 2016 and brought together representatives from 75 countries and 26 international organizations, with the ultimate aim of finding new funding solutions to end violence and introduce a political process towards lasting peace and reconciliation in Afghanistan.

Unlike for the EU-Turkey “deal”, this time the EU institutions acknowledge that they are responsible for the text. According to Simon Mordue, Deputy Director-General for Migration, DG Migration and Asylum (DG HOME), who spoke before the competent European Parliament committee (LIBE), this declaration aims to facilitate the return process of Afghans in an irregular situation and to support their sustainable reintegration in Afghan society, while at the same time fighting the criminal networks of smugglers and traffickers. The objective, as stated in the document, is “to establish a rapid, effective and manageable process for a smooth, dignified and orderly return of Afghan nationals who do not fulfill the conditions in force for entry to, presence in, or residence on the territory of the EU, and to facilitate their reintegration in Afghanistan in a spirit of cooperation”. The document also clarifies that “in their cooperation under this declaration, the EU and Afghanistan remain committed to all their international obligations, in particular: a) respecting the provisions of the 1951 Convention relating to the Status of Refugees and its 1967 New York Protocol; b) upholding the rights and freedoms guaranteed in the International Covenant on Civil and Political rights and the EU Charter on Fundamental Rights and the Universal Declaration on Human Rights; c) respecting the safety, dignity and human rights of irregular migrants subject to a return and readmission procedure”.

The small detail is that, even though the wording of the text looks like that of an international agreement, the Commission has clearly stated, also before the EP plenary, that the text is not binding, even though its wording, objective and content are the same as those of a formal readmission agreement like the ones that the European Union has so far concluded with 17 non-EU countries and which have been approved by the European Parliament under Art. 79(3) TFEU (see note below).

According to the Commission, the Joint Way Forward should instead be considered a simple “joint statement”, not legally enforceable, which simply “paves the way for a structural dialogue and cooperation on migration issues, based on a commitment to identify effective ways to address the needs of both sides”. However, as noted by Tony Bunyan, director of Statewatch, the readmission agreement with Turkey of 18 March 2016 also originated in the form of two letters and of an informal declaration and the European Union. Now the EU has adopted the same approach with Afghanistan.

Is the joint declaration with Afghanistan, in fact, another attempt to conclude a readmission agreement while bypassing the rules (Art. 79(3) and 218 TFEU) laid down in the EU Treaties for the conclusion of international readmission agreements, and notably the approval by the European Parliament?

 

The Joint Way Forward (JWF) declaration is in line with the recent political shift in EU foreign policy, which now primarily focuses on curbing migration and making deterrence and expulsion the main objectives of its relationships with third countries. The shift towards the externalization of migration management and control is exemplified by the new Partnership Framework, which was proposed by the European Commission in June 2016 under the European Agenda on Migration. The ultimate aim of the Partnership Framework is “a coherent and tailored engagement where the Union and its Member States act in a coordinated manner putting together instruments, tools and leverage to reach comprehensive partnerships (“compacts”) with third countries to better manage migration in full respect of our humanitarian and human rights obligations”.

In practice, the Partnership Framework has introduced an alternative approach with regard to readmission agreements, which are now concluded in the form of informal agreements by means of “informal” swift procedures.

This is done under pressure from some Member States, in particular Germany. It was already the case for the “non-EU” agreement with Turkey in March 2016, and now Germany has also fought hard for the rapid adoption of an “informal” agreement with Afghanistan. Faced with the rise in arrivals from Afghanistan, in October 2015 the German Minister of the Interior, Thomas de Maizière, had already announced that Germany wanted to return to Afghanistan all the Afghan nationals who were not eligible for asylum, including those who had lived in Iran or Pakistan and, consequently, had no link to Afghanistan itself, and that to do so he would urge the European Union to negotiate an agreement with the government in Kabul. Invoking the urgent need to face the migration crisis, the Member States have now made “deterrence” and “expulsion” their political priorities, and this has also gained the support of the EU Commission, which is increasingly moving towards packaging these priorities in a format that bypasses the European Parliament and the lengthy formal procedures, with a high risk of human rights violations. In fact, this new fast-track approach not only prevents any form of democratic scrutiny but also ignores the concerns of civil society about the situation in Afghanistan and about the major risks of rights violations, in relation for instance to the principle of non-refoulement, exposure to inhuman and degrading treatment, protection against collective expulsions and the right to asylum.

Afghans constitute the second-largest group of asylum seekers in Europe, with 196,170 applying in 2015. The country is experiencing ongoing and escalated conflict, despite the efforts of the EU to present it as a country that is safe for returnees and able to reintegrate them successfully. The conflict has left more than 1.2 million people without permanent homes and has resulted in three million refugees fleeing to Pakistan and Iran. Since January 2015, around 242,000 Afghans have fled to the EU. Furthermore, the country is already facing a large number of returnees from the region. In 2015, more than 190,000 documented Afghan refugees returned from neighbouring countries. People are exposed to a deeply deteriorating security situation, as provinces such as Helmand and Kunduz fall into the hands of armed groups yet again.

Despite this situation, the Joint Way Forward declaration gives clear signals that the European Union will once again engage in conduct that puts into question its obligation to protect those fleeing conflicts or persecution and to safeguard the human rights of all persons as required by the EU Charter. The declaration provides for measures to facilitate the return and readmission of Afghan nationals, such as the use of non-scheduled flights to Kabul and joint flights from several EU Member States organized and coordinated by the European Border and Coast Guard Agency (Frontex), including the possibility to build a dedicated terminal for return in Kabul airport. The Joint Way Forward declaration also opens up the return of women and unaccompanied children, and no mention is made of the best interest of the child. The document, in fact, states that “special measures will ensure that such vulnerable groups receive adequate protection, assistance and care throughout the whole process”.

It has to be acknowledged that some Members of the European Parliament have already raised several concerns about the legitimacy of the Joint Way Forward declaration as well as about its content. They have criticized the approach of the European Commission with regard to the adoption of informal readmission agreements as well as the conditionality imposed on third countries. In fact, the format introduced by the Partnership Framework implies a kind of connection between development aid and the third country’s willingness to cooperate in the management of migration flows. It is clear that countries like Afghanistan, which are strongly dependent on foreign aid for their revenues, might have no other choice but to agree to cooperate in order to receive development and financial support in exchange.

The European Union must comply with the provisions of the Treaties as well as with its democratic principles and protection of human rights, in order to avoid the replication of the EU-Turkey “statement” and the EU-Afghanistan Joint Way Forward “declaration” with other third countries, in primis Libya and Sudan which have already been identified as “interesting partners” by Italy.

 

ANNEX EU-Legal Framework on readmission agreements

EU Readmission Agreements (EURAs) are based on reciprocal obligations and are concluded between the European Union and non-EU countries to facilitate the return of people residing irregularly in a country to their country of origin or to a country of transit. The EU has stated that readmission agreements with third countries of both origin and transit constitute a cornerstone for effective migration management and for the efficient return of third country nationals irregularly present in the EU. The objective of these agreements for the EU Member States is to facilitate the expulsion of third country nationals either to their country of origin or to a country through which they transited en route to the EU. As such, they are crucial to the EU return policy, as defined in the Return Directive (Directive 2008/115/EC).

Readmission agreements are negotiated in a broader context where partner countries are usually granted visa facilitation, which means simpler procedures for their nationals to obtain shorter stay visas to come to EU Member States, and other incentives such as financial support for implementing the agreement or special trade conditions in exchange for readmitting people residing irregularly in the EU.

The legal basis for the conclusion of readmission agreements with third countries is Article 79(3) TFEU which states that “the Union may conclude agreements with third countries for the readmission to their countries of origin or provenance of third-country nationals who do not or who no longer fulfil the conditions for entry, presence or residence in the territory of one of the Member States”. These agreements are negotiated with the partner country on the basis of a negotiating mandate granted by the Council to the Commission and they are then concluded after the European Parliament has given its consent. According to Article 218(6) TFEU the European Parliament must, in fact, give its consent prior to the conclusion of association and similar agreements. Moreover, according to Article 218(10) TFEU the European Parliament shall be immediately and fully informed at all stages of the procedure.

 

(*) FREE Group Trainee

Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices

EXECUTIVE SUMMARY OF A STUDY FOR THE EP LIBE COMMITTEE.

FULL TEXT ACCESSIBLE HERE

by Mirja GUTHEIL, Quentin LIGER, Aurélie HEETMAN, James EAGER, Max CRAWFORD (Optimity Advisors)

Hacking by law enforcement is a relatively new phenomenon within the framework of the longstanding public policy problem of balancing security and privacy. On the one hand, law enforcement agencies assert that the use of hacking techniques brings security, stating that it represents a part of the solution to the law enforcement challenge of encryption and ‘Going Dark’ without systematically weakening encryption through the introduction of ‘backdoors’ or similar techniques. On the other hand, civil society actors argue that hacking is extremely invasive and significantly restricts the fundamental right to privacy. Furthermore, the use of hacking practices pits security against cybersecurity, as the exploitation of cybersecurity vulnerabilities to provide law enforcement with access to certain data can have significant implications for the security of the internet.

Against this backdrop, the present study provides the LIBE Committee with relevant, actionable insight into the legal frameworks and practices for hacking by law enforcement. Firstly, the study examines the international and EU-level debates on the topic of hacking by law enforcement (Chapter 2), before analysing the possible legal bases for EU intervention in the field (Chapter 3). These chapters set the scene for the primary focus of the study: the comparative analysis of legal frameworks and practices for hacking by law enforcement across six selected Member States (France, Germany, Italy, the Netherlands, Poland and the UK), with further illustrative examples from three non-EU countries (Australia, Israel and the US) (Chapter 4). Based on these analyses, the study concludes (Chapter 5) and presents concrete recommendations and policy proposals for EU action in the field (Chapter 6).

The international and EU-level debates on the use of hacking techniques by law enforcement primarily evolve from the law enforcement challenge posed by encryption – i.e. the ‘Going Dark’ issue.

“Going Dark is a term used to describe [the] decreasing ability [of law enforcement agencies] to lawfully access and examine evidence at rest on devices and evidence in motion across communications networks.” [1]

According to the International Association of Chiefs of Police (IACP), law enforcement agencies are not able to investigate illegal activity and prosecute criminals without this evidence. Encryption technologies are cited as one of the major barriers to this access. Although recent political statements from several countries (including France, Germany, the UK and the US) seemingly call for ‘backdoors’ to encryption technologies, support for strong encryption at international and EU fora remains strong. As such, law enforcement agencies across the world started to use hacking techniques to bypass encryption. Although the term ‘hacking’ is not used by law enforcement agencies, these practices essentially mirror the techniques used by hackers (i.e. exploiting any possible vulnerabilities – including technical, system and/or human vulnerabilities – within an information technology (IT) system).

Law enforcement representatives, such as the IACP and Europol, report that access to encrypted and other data through such hacking techniques brings significant investigative benefits. However, it is not the only possible law enforcement solution to the ‘Going Dark’ issue. Outside of the scope of this study, the other options include: requiring users to provide their password or decrypt their data; requiring technology vendors and service providers to bypass the security of their own products and services; and the systematic weakening of encryption through the mandated introduction of ‘backdoors’ and/or weakened standards for encryption.

With the benefits of hacking established, a 2016 Joint Statement published by the European Union Agency for Network and Information Security (ENISA) and Europol [2] noted that the use of hacking techniques also brings several key risks.

The primary risk relates to the fundamental right to privacy and freedom of expression and information, as enshrined in international, EU and national-level law. Hacking techniques are extremely invasive, particularly when compared with traditionally intrusive investigative tools (e.g. wiretapping, house searches etc.). Through hacking, law enforcement can gain access to all data stored or in transit from a device; this represents a significant amount of data (e.g. a recent investigation by Dutch law enforcement collected seven terabytes of data, which translates into around 86 million pages of Microsoft Word documents [3]), as well as extremely sensitive data (e.g. a person’s location and movements, all communications, all stored data etc.). Consequently, the use of hacking techniques will inherently restrict the fundamental right to privacy.

Therefore, current debates at international and EU fora focus on assessing and providing recommendations on the current legal balances and safeguards for the restriction of the right to privacy by hacking techniques. However, these debates have assumed that hacking practices are necessary for law enforcement and simply require governing laws; they have not discussed whether the use of hacking techniques by law enforcement is necessary and proportional. The law enforcement assertions regarding the necessity of these invasive tools have not been challenged.

The second key risk relates to the security of the internet. Law enforcement use of hacking techniques has the potential to significantly weaken the security of the internet by “[increasing] the attack surface for malicious abuse” [4]. Given that critical infrastructure and defence organisations, as well as law enforcement agencies themselves, use the technologies targeted and potentially weakened by law enforcement hacking, the potential ramifications reach far beyond the intended target.

As such, debates at international and EU fora focus on the appropriate balances between security and privacy, as well as security and cybersecurity. Regarding security v. privacy, the debates to date have assessed and provided recommendations on the legislative safeguards required to ensure that hacking techniques are only permitted in situations where a restriction of the fundamental right to privacy is valid in line with EU legislation (i.e. legal, necessary and proportional). Regarding security v. cybersecurity, the debates have been limited and primarily centre around the use and/or reporting of zero-day vulnerabilities discovered by law enforcement agencies.

Further risks not discussed in the Joint Statement but covered by this study include: the risks to territorial sovereignty – as law enforcement agencies may not know the physical location of the target data; and the risks related to the supply and use of commercially-developed hacking tools by governments with poor consideration for human rights.

Alongside the analysis of international and EU debates, the study presents hypotheses on the legal bases for EU intervention in the field. Although possibilities for EU legal intervention in several areas are discussed, including mutual admissibility of evidence (Art. 82(2) TFEU), common investigative techniques (Art. 87(2)(c) TFEU), operational cooperation (Art. 87(3) TFEU) and data protection (Art. 16 TFEU, Art. 7 & 8 EU Charter), the onus regarding the development of legislation in the field is with the Member States. As such, the management of the risks associated with law enforcement activities is governed at the Member State level.

As suggested by the focus of the international and EU discussions, concrete measures need to be stipulated at national-level to manage these risks. This study presents a comparative analysis of the legal frameworks for hacking by law enforcement across six Member States, as well as certain practical aspects of hacking by law enforcement, thereby providing an overview of the primary Member State mechanisms for the management of these risks. Further illustrative examples are provided from research conducted in three non-EU countries.

More specifically, the study examines the legal and practical balances and safeguards implemented at national-level to ensure: i) the legality, necessity and proportionality of restrictions to the fundamental right to privacy; and ii) the security of the internet.

Regarding restrictions to the right to privacy, the study first examines the existence of specific legal frameworks for hacking by law enforcement, before exploring the ex-ante and ex-post conditions and mechanisms stipulated to govern restrictions of the right to privacy and ensure they are legal, necessary and proportional.

It is found that hacking practices are seemingly necessary across all Member States examined, as four Member States (France, Germany, Poland and the UK) have adopted specific legislative provisions and the remaining two are in the legislative process. For all Member States except Germany, the adoption of specific legislative provisions occurred in 2016 (France, Poland and the UK) or will occur later (Italy, the Netherlands). This confirms the new nature of these investigative techniques.

Additionally, law enforcement agencies in all Member States examined have used, or still use, hacking techniques in the absence of specific legislative provisions, under so-called ‘grey area’ legal provisions. Given the invasiveness of hacking techniques, these grey area provisions are considered insufficient to adequately protect the right to privacy.

Where specific legal provisions have been adopted, all stakeholders agree that a restriction of the right to privacy requires the implementation of certain safeguards. The current or proposed legal frameworks of all six Member States comprise a suite of ex-ante conditions and ex-post mechanisms that aim to ensure the use of hacking techniques is proportionate and necessary. As recommended by various UN bodies, the provisions of primary importance include judicial authorisation of hacking practices, safeguards related to the nature, scope and duration of possible measures (e.g. limitations to crimes of a certain gravity and the duration of the hack, etc.) and independent oversight.

Although many of these types of recommended conditions are common across the Member States examined – demonstrated in the below table – their implementation parameters differ. For instance, both German and Polish law permit law enforcement hacking practices without judicial authorisation in exigent circumstances if judicial authorisation is achieved in a specified timeframe. However, the timeframe differs (three days in Germany compared with five days in Poland). Such differences are significant, as the Polish timeframe was criticised by the Council of Europe’s Venice Commission for being too long. [5]

Furthermore, the Member States examined all accompany these common types of ex-ante and ex-post conditions with different, less common conditions. This is particularly true for ex-post oversight mechanisms. For instance, in Poland, the Minister for internal affairs provides macro-level information to the lower (Sejm) and upper (Senat) chambers of Parliament [6]; and in the UK, oversight is provided by the Investigatory Powers Commissioner, who reviews all cases of hacking by law enforcement, and the Investigatory Powers Tribunal, which considers disputes or complaints surrounding law enforcement hacking. [7]

Key ex-ante considerations

Judicial authorisation: The legal provisions of all six Member States require ex-ante judicial authorisation for law enforcement hacking. The information to be provided in these requests differs. Select Member States (e.g. Germany, Poland, the UK) also provide for hacking without prior judicial authorisation in exigent circumstances if judicial authorisation is subsequently provided. The timeframes for ex-post authorisation differ.

Limitation by crime and duration: All six Member States restrict the use of hacking tools based on the gravity of crimes. In some Member States, the legislation presents a specific list of crimes for which hacking is permitted; in others, the limit is set for crimes that have a maximum custodial sentence of greater than a certain number of years. The lists and numbers of years required differ by Member State. Many Member States also restrict the duration for which hacking may be used. This restriction ranges from a maximum of 1 month (France, Netherlands) to a maximum of 6 months (UK), although extensions are permitted under the same conditions in all Member States.

Key ex-post considerations

Notification and effective remedy: Most Member States provide for the notification of targets of hacking practices and remedy in cases of unlawful hacking.

Reporting and oversight: Primarily, Member States report at a micro-level through logging hacking activities and reporting them in case files. However, some Member States (e.g. Germany, Poland and the UK) have macro-level review and oversight mechanisms.

Furthermore, as regards the issue of territoriality (i.e. the difficulty law enforcement agencies face obtaining the location of the data to be collected using hacking techniques), only one Member State, the Netherlands, legally permits the hacking of devices if the location is unknown. If the device turns out to be in another jurisdiction, Dutch law enforcement must apply for Mutual Legal Assistance.

As such, when aggregated, these provisions strongly mirror Article 8 of the European Convention on Human Rights, as well as the UN recommendations and paragraph 95 of the ECtHR judgement in Weber and Saravia v. Germany. However, there are many, and varied, criticisms when the Member State conditions are examined in isolation. Some of the provisions criticised include: the limits based on the gravity of crimes (e.g. the Netherlands, France and Poland); the provisions for notification and effective remedy (e.g. Italy and the Netherlands); the process for screening and deleting non-relevant data (Germany); the definition of devices that can be targeted (e.g. the Netherlands); the duration permitted for hacking (e.g. Poland); and a lack of knowledge amongst the judiciary (e.g. France, Germany, Italy and the Netherlands). With this said, certain elements, taken in isolation, can be called good practices. Such examples are presented below.

Select good practice: Member State legislative frameworks

Germany: Although they were deemed unconstitutional in a 2016 ruling, the provisions for the screening and deletion of data related to the core area of private life are a positive step. If the provisions are amended, as stipulated in the ruling, to ensure screening by an independent body, they would provide strong protection for the targeted individual’s private data.

Italy: The 2017 draft Italian law includes a range of provisions related to the development and monitoring of the continued use of hacking tools. As such, one academic stakeholder remarked that the drafting of the law must have been driven by technicians. However, these provisions bring significant benefits to the legislative provisions in terms of supervision and oversight of the use of hacking tools. Furthermore, the Italian draft law takes great care to separate the functionalities of the hacking tools, thus protecting against the overuse or abuse of a hacking tool’s extensive capabilities.

Netherlands: The Dutch Computer Crime III Bill stipulates the need to conduct a formal proportionality assessment for each hacking request, with the assistance of a dedicated Central Review Commission (Centrale Toetsings Commissie). Also, the law requires rules to be laid down on the authorisation and expertise of the investigation officers that can perform hacking.

With these findings in mind, the study concludes that the specific national-level legal provisions examined provide for the use of hacking techniques in a wide array of circumstances. The varied combinations of requirements, including those related to the gravity of crimes, the duration and purpose of operations and the oversight, result in a situation where the law does not provide for much stricter conditions than are necessary for less  intrusive  investigative activities such  as interception.

Based on the study findings,  relevant  and actionable policy proposals and recommendations have been developed under the two key elements: i) the fundamental right  to  privacy;  and  ii) the security  of the internet.

Recommendations and policy proposals: Fundamental  right  to  privacy

It is recommended that the use of ‘grey area’ legal provisions is not sufficient to protect the fundamental right to privacy. This is primarily because existing legal provisions do not provide for the more invasive nature of hacking techniques and do not provide for the legislative precision  and  clarity  as  required  under  the  Charter and the  ECHR.

Furthermore, many of these provisions have only recently been enacted. As such, there is a need for robust evidence-based monitoring and evaluation of the practical application of these provisions. It is therefore recommended that the application of these new legal provisions is evaluated regularly at national level, and that the results of these evaluations are assessed at EU-level.

If specific legislative provisions are deemed necessary, the study recommends a range of good practice, specific ex-ante and ex-post provisions governing the use of hacking practices by law enforcement agencies. These are detailed in Chapter 6.

Policy proposal 1: The European Parliament should pass a resolution calling on Member States to conduct a Privacy Impact Assessment when new laws are proposed to permit and govern the use of hacking techniques by law enforcement agencies. This Privacy Impact Assessment should focus on the necessity and proportionality of the use of hacking tools and should require input from national data protection authorities.

Policy proposal 2: The European Parliament should reaffirm the need for Member States to adopt a clear and precise legal basis if law enforcement agencies are to use hacking techniques.

Policy proposal 3: The European Parliament should commission more research or encourage the European Commission or other bodies to conduct more research on the topic. In response to the Snowden revelations, the European Parliament called on the EU Agency for Fundamental Rights (FRA) to thoroughly research fundamental rights protection in the context of surveillance. A similar brief related to the legal frameworks governing the use of hacking techniques by law enforcement across all EU Member States would act as an invaluable piece of research.

Policy proposal 4: The European Parliament should encourage Member States to undertake evaluation and monitoring activities on the practical application of the new legislative provisions that permit hacking by law enforcement agencies.

Policy proposal 5: The European Parliament should call on the EU Agency for Fundamental Rights (FRA) to develop a practitioner handbook related to the governing of hacking by law enforcement. This handbook should be intended for lawyers, judges, prosecutors, law enforcement officers and others working with national authorities, as well as non-governmental organisations and other bodies confronted with legal questions in the areas set out by the handbook. These areas should cover the invasive nature of hacking techniques and relevant safeguards as per international and EU law and case law, as well as appropriate mechanisms for supervision and oversight.

Policy proposal 6: The European Parliament should call on EU bodies, such as the FRA, CEPOL and Eurojust, to provide training for national-level members of the judiciary and data protection authorities, in collaboration with the abovementioned handbook, on the technical means for hacking in use across the Member States, their potential for invasiveness and the principles of necessity and proportionality in relation to these technical means.

Recommendations and policy proposals: Security of the internet

The primary recommendation related to the security of the internet is that the position of the EU against the implementation of ‘backdoors’ and similar techniques, and in support of strong encryption standards, should be reaffirmed, given the prominent role encryption plays in our society and its importance to the EU’s Digital Agenda. To support this position, the EU should ensure continued engagement with global experts in computer science as well as civil society privacy and digital rights groups.

The actual impacts of hacking by law enforcement on the security of the internet are as yet unknown. More work should be done at the Member State level to assess the potential impacts such that these data can feed into overarching discussions on the necessity and proportionality of law enforcement hacking. Furthermore, more work should be done, beyond understanding the risks to the security of the internet, to educate those involved in the authorisation and use of hacking techniques by law enforcement.

At present, the steps taken to safeguard the security of the internet against the potential risks of hacking are not widespread. As such, the specific legislative provisions governing the use of hacking techniques by law enforcement, if deemed necessary, should safeguard the security of the internet and the security of the device, including reporting the vulnerabilities used to gain access to a device to the appropriate technology vendor or service provider; and ensure the full removal of the software or hardware from the targeted device.

Policy proposal 7: The European Parliament should pass a resolution calling on Member States to conduct an Impact Assessment to examine the impact of new or existing laws governing the use of hacking techniques by law enforcement on the security of the internet.

Policy proposal 8: The European Parliament, through enhanced cooperation with Europol and the European Union Agency for Network and Information Security (ENISA), should reaffirm its commitment to strong encryption considering discussions on the topic of hacking by law enforcement. In addition, the Parliament should reaffirm its opposition to the implementation of backdoors and similar techniques in information technology infrastructures or services.

Policy proposal 9: Given the lack of discussion around handling zero-day vulnerabilities, the European Parliament should support the efforts made under the cybersecurity contractual Public-Private Partnership (PPP) to develop appropriate responses to handling zero-day vulnerabilities, taking into consideration the risks related to fundamental rights and the security of the internet.

Policy proposal 10: Extending policy proposal 4, above, the proposed FRA handbook should also cover the risks posed to the security of the internet by using hacking techniques.

Policy proposal 11: Extending policy proposal 5, training provided to the judiciary by EU bodies such as FRA, CEPOL and Eurojust should also educate these individuals on the risks posed to the security of the internet by hacking techniques.

Policy proposal 12: Given the lack of discussion around the risks posed to the security of the internet by hacking practices, the European Parliament should encourage debates at the appropriate fora specific to understanding this risk and the approaches to managing this risk. It is encouraged that law enforcement representatives should be present within such discussions.