Category: 1. EU and MS legal Order and Institutional framework

THE CJEU’S RULING IN CELAJ: CRIMINAL PENALTIES, ENTRY BANS AND THE RETURNS DIRECTIVE

ORIGINAL PUBLISHED ON EU LAW ANALYSIS (Tuesday, 6 October 2015)

By Izabella Majcher, Associate Researcher at Global Detention Project and PhD candidate in International Law at the Graduate Institute of International and Development Studies is Geneva.

In its ruling in the Skerdjan Celaj case (C-290/14), rendered on 1st October 2015, the Court of Justice of the European Union (CJEU) addressed once again the relation between immigration and criminal law and in particular the compatibility of national penal measures imposed as a punishment for irregular migration with the EU Returns Directive. In the previous cases touching upon this issue, the Court assessed whether the Directive allowed states to penalize non-compliance with a return order or irregular stay itself with imprisonment (El Dridi andAchughbabian, respectively) and with home detention (Sagor) as a criminal law penalty (as distinct from administrative law detention, which is expressly regulated by the Directive). In turn, in Celaj the Luxembourg judges were requested to consider whether a criminal law sentence of imprisonment imposed for a breach of a re-entry ban was compatible with the Returns Directive.

As defined in Article 3(6) of the Directive, an “entry ban” means an “administrative or judicial decision or act prohibiting entry into and stay on the territory of the Member States for a specified period, accompanying a return decision.”

The Case

Mr Celaj was arrested by Italian police in August 2011 for attempted robbery. In April 2012 he was issued a removal order accompanied by a three-year entry ban and left Italian territory some five months later. Subsequently Mr Celaj re-entered Italy and was apprehended by the police in February 2014. The public prosecutor then brought criminal law proceedings against him and sought a term of imprisonment of eight months for the breach of the entry-ban. The District Florence Court, before whom the proceedings were brought, decided to stay the proceedings and refer the question to the Luxembourg Court for a preliminary ruling. The referring court asked the CJEU whether the Returns Directive precludes domestic legislation penalizing re-entry in breach of an entry ban with a prison sentence up to four years. The Court found that it does not.

The Court did not follow the Opinion of Advocate General (AG) Szpunar, issued in April 2015. The AG based his Opinion on the effectiveness and the main objective of the Returns Directive, which is the return of undocumented non-EU citizens. These arguments had been developed by the Court in a line of case-law addressing the relation between domestic penal sanctions and the Directive. Indeed, in El Dridi (§ 58) the Court ruled that imprisonment as a criminal law penalty for the failure to leave the country during the voluntary departure period was not compatible with the Returns Directive. In Achughbabian (§ 45) it found that the Directive also precluded imprisonment as a criminal law penalty for irregular stay itself if ordered prior to starting removal proceedings or during such proceedings. The underlying justification of the Court’s conclusions in both cases was that a term of imprisonment as a criminal law penalty would delay the removal of the person concerned and thus jeopardize the objective pursued by the Directive (El Dridi, § 59; Achughbabian, § 45). The ruling in Sagor (§ 45) shows that not only prison sentences but even home detention during return proceedings as a criminal law penalty risks delaying deportation and thus should not be imposed. The AG thus invited the Court to follow its well-established case-law and declare that imprisonment for a breach of entry ban as a criminal law penalty is incompatible with the Directive because it would delay return of the person concerned (§ 6).

Yet, the Court ruled that the Returns Directive does not preclude domestic legislation which provides for a prison sentence as a criminal law penalty for non-EU citizens who unlawfully re-enter the country in breach of an entry ban (§25 and 33). The CJEU did reiterate that the objective of the Directive would be undermined if removal would be delayed by a criminal prosecution leading to a term of imprisonment, as ruled in El Dridi, Achughbabian, and Sagor (§ 26). However, it found that the circumstances in the Celaj case were “clearly distinct” from those inEl Dridi and Achughbabian. This distinction, in the Court’s opinion, was due to the fact that, unlike Mr Celaj, the non-citizens concerned in El Dridi and Achughbabianwere subject to a first return procedure (§ 28). The Court also added that, in line with the second indent of its ruling in Achughbabian, the Directive does not preclude penal sanctions as a criminal law penalty to be imposed on a migrant who has been subject to a return procedure but stays in an irregular manner in the member state (§ 29).

Comments

Were the circumstances in Celaj so “clearly distinct” from those in El Dridi andAchughbabian to justify such a different conclusion? Does it fundamentally matter that those cases dealt with a first return procedure? Every return procedure regulated by the Directive has essentially the same goal – the swift removal of the non-EU citizen concerned. It appears thus irrelevant whether return is pursued because of irregular entry or irregular re-entry.

Under Article 6(1) of the Directive member states are required to issue a return decision to every migrant in irregular situation, subject to some exceptions. As highlighted by the AG (§ 42, 49, and 50), this duty is persistent and continuous. This means that each time a non-EU citizen finds himself or herself on the State territory without permission, the authorities should start a return procedure by issuing a return decision. Thus, in line with the rules under the Directive, a non-EU citizen who has re-entered the Member State unlawfully should be liable to a new return decision rather than criminal proceedings which may postpone his or her ultimate removal. This finding is also supported by the Court’s ruling inAchughbabian (§ 45) where it held that the obligation incumbent on states to conduct removal shall be fulfilled as soon as possible and thus states should not carry out criminal proceedings involving custodial penalties not only prior to theimplementation of the return decision, but also prior to the adoption of such a decision.

Strikingly, the CJEU did not consider at all whether criminal proceedings against Mr Celaj would delay his return. This omission is hardly consistent with the Court’s well established case-law which attaches pivotal importance to the effectiveness of the procedures regulated under the Directive (El Dridi, § 55; Achughbabian, § 39;Sagor, § 32). It is easily foreseeable that after serving his prison sentence, Mr Celaj will be issued with a return decision. The term of imprisonment as a criminal law penalty will inevitably delay his return and thus jeopardize the very objective of the Returns Directive.

Likewise, the second, somehow auxiliary, argument advanced by the Luxembourg judges is not wholly convincing. True, in line with the second indent of the ruling inAchughbabian (§ 51) states may impose a criminal law prison sentence on a non-EU citizen to whom a return procedure has been applied but who stays in an irregular manner in the Member State. However, as pointed out by the AG (§ 61), to be compatible with the main part of the ruling, this conclusion should only cover situations where authorities did not succeed in returning the person concerned, who then continues to stay on the state’s territory. The second indent in the judgment in Achughbabian should thus have no bearing on Celaj where the non-EU citizen concerned left the country, thus return proceedings reached their goal. Following his irregular re-entry, he should be liable to a new return procedure.

The judgment in Celaj appears not consistent with the CJEU’s well-established jurisprudence on the interplay between domestic penal sanctions and the effectiveness of return policy as laid down in the Returns Directive. The Court relied on an apparent clear distinction between return proceedings imposed for irregular entry and subsequent re-entry in breach of an entry ban. As discussed above, the wording of the provisions of the Returns Directive, supported by the underlying objective of the Directive repetitively stressed in the Court’s previous rulings, does not warrant finding such a distinction. The “distinction” argument had been advanced by the European Commission and intervening governments during the proceedings. They stressed that the circumstances in re-entry cases are distinct because penal sanctions could be imposed to dissuade migrants from breaching re-entry bans (AG’s Opinion, § 46). So the “distinction” argument – which was central to the Court’s conclusion – relies on states’ deterrence-oriented concerns rather than considerations based on the provisions and objective of the Returns Directive. The ruling in Celaj seems thus to compromise on the effectiveness of the Directive in order to accord discretion to states to apply their domestic criminal provisions to deter and punish migrants for breaching re-entry ban.

What is the nature of the entry ban whose breach states are now explicitly allowed to punish with criminal law imprisonment? As noted above, Article 3(6) of the Directive defines an entry ban as a prohibition of re-entry to the host state (or other Member States) for a specified period of time. In Article 11(1) the Directive obliges states to impose an entry ban on a non-EU citizen who has not been granted the possibility of voluntary departure or has not complied with a return decision. Since the Directive provides for broad circumstances for refusal of a voluntary departure period (Article 7(4); see discussion of the case law on this issue here) and does not explicitly prohibit states from issuing a return decision on non-refoulement and family or private life grounds (the Directive merely allows states grant a residence permit on humanitarian or other reasons, in Article 6(4)), in practice Article 11(1) may entail that entry bans are imposed in a systematic way. This risk is amplified by the same provision as it allows states to apply a ban on re-entry also in “other cases.”

In practice, as the Evaluation on the application of the Returns Directive, commissioned by the European Commission, shows, the legislation of almost 40 percent of the countries bound by the Directive provides for an automatic application of entry bans on all return decisions. A recent European Migration Network’s study Good Practices in the return and reintegration of irregular migrants demonstrates the scale of the use of entry bans. In 2013 more than 125,000 entry bans were imposed in the EU. Compared to the total number of return decisions that year (see Eurostat), these figures evince that the member states accompany a considerable proportion of return decisions with entry bans, including Greece (almost 100 %), Poland (80 %), or Sweden (70 %). It appears thus that entry bans are systematically applied in practice.

States are free not to impose or withdraw an entry ban for humanitarian or other reasons (article 11(3)). They are however not obligated to waive the entry ban requirement in such cases – it lies within their discretion. While the Directive clarifies that entry bans shall not prejudice the right to international protection (Article 11(5)), this assertion should be translated into a clear obligation on states not to impose the ban where the protection from non-refoulement could be impaired. The severity of this entry ban is further strengthened by its length. The Directive allows a five-year duration of an entry ban (article 11(2)). The above mentioned Commission study highlights that the majority of states issue entry bans for this maximum permitted period of time. In addition, states may apply a longer ban (the time period of which is not limited by the Directive), if they judge that the person concerned represents a serious threat to public policy or national security (Article 11(2)).

Thus, potentially the majority of non-EU citizens liable to return are prohibited for prolonged periods to re-enter the host state or even the whole EU, if the entry ban has been registered in the Schengen Information System (SIS). An entry ban is thus a harsh and coercive measure, which is a deterrent in itself and potentially conflicts with migrants’ fundamental rights. It cannot be ruled out that a non-EU citizen will be obliged to re-enter, where prompted by his family links, disrupted by deportation, or changes in the situation in his country of origin. While, as noted above, states may withdraw an entry ban, they are nevertheless not obliged to do so. Imposition of a criminal law prison sentence for breach of an entry ban, as permitted in Celaj, appears thus disproportionate and unnecessary. States may use other available methods to punish this breach, such as an extension of an existing ban. More generally, criminalization of breaches of (administrative) immigration law risks creating a conflation between (non-punitive) immigration law and criminal law, with negative consequences for migrants, and an undue overburden to the criminal justice system.

Barnard & Peers: chapter 26

The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid

Court of Justice of the European Union PRESS RELEASE No 117/15

SEE THE TEXT OF JUDGMENT HERE

Luxembourg, 6 October 2015

Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner

Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a persons data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decisions validity

The Data Protection Directive1 provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’).

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 20002 the Commission considered that, under the ‘safe harbour’ scheme,3 the United States ensures an adequate level of protection of the personal data transferred (the Safe Harbour Decision).

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.

The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a persons data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.

The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbour scheme.

Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

The Court considers that that analysis of the scheme is borne out by two Commission communications,4 according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public     authorities     to     have      access     on      a      generalised      basis     to      the     content      of      electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities powers in that way.

For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schremscomplaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebooks European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

NOTES

1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
2 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
3 The safe harbour scheme includes a series of principles concerning the protection of personal data to which United States undertakings may subscribe voluntarily.
4 Communication from the Commission to the European Parliament and the Council entitled ‘Rebuilding Trust in EU-US Data Flows’ (COM(2013) 846 final, 27 November 2013) and Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU (COM(2013) 847 final, 27 November 2013).

NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

Unofficial document for media use, not binding on the Court of Justice. The full text of the judgment is published on the CURIA website on the day of delivery. Press contact: Christopher Fretwell S (+352) 4303 3355 

 

 

 

The European legal framework on hate speech, blasphemy and its interaction with freedom of expression

Nota Bene : At the request of the European Parliament LIBE committee, this study provides an overview of the legal framework applicable to hate speech and hate crime on the one hand and to blasphemy and religious insult on the other hand. It also evaluates the effectiveness of existing legislation in selected Member States and explores opportunities to strengthen the current EU legal framework, whilst fully respecting the fundamental rights of freedom of expression and freedom of thought, conscience and religion. The study also provides the European Parliament with guidelines on dealing with hate speech within the EU institutions. Link to the full study (446 pages) AUTHORS (*)

EXECUTIVE SUMMARY

Hate speech and hate crime incidents, including those committed online, are on the rise in Europe1, despite the existence of a robust legal framework. This study provides an overview of the legal framework applicable to hate speech and hate crime, as well as to blasphemy and religious insult. It also evaluates the effectiveness of existing legislation in selected Member States and explores opportunities to strengthen the current EU legal framework, whilst fully respecting the fundamental rights of freedom of expression and freedom of thought, conscience and religion. The study also provides the European Parliament with guidelines on dealing with hate speech within the EU institutions.

Legal framework on hate speech and hate crime

At the EU level the legal framework includes inter alia: Council Framework Decision 2008/913/JHA (CFD)2 (requiring Member States to penalise the most severe forms of hate speech and hate crime); and the Audiovisual Media Services (AMSD)3 and Electronic Commerce Directives (ECD)4 (controlling racist and xenophobic behaviours in the media and over the internet). It is important to view the EU measures aimed at addressing racism and xenophobia in the context of the broader EU legislative framework. Instruments aimed at supporting victims of crime and antidiscrimination measures are of particular relevance in this respect. These include Directive 2012/29/EU5 (Victims’ Support Directive) and the EU’s equality and anti-discrimination legislation (e.g. Directive 2000/43/EC6 (the Racial Equality Directive)). The Racial Equality Directive is complemented by other antidiscrimination legislative instruments such as Directive 2000/78/EC7 (the Employment Equality Directive) and Directives 2004/113/EC and 2006/54/EC8 (the Equal Treatment Directives). The EU also provides its support in practice by financing projects aimed inter alia at fighting hate speech and hate crime (for example under the Europe for Citizens Programme 2014-20209 or the Rights, Equality and Citizenship Programme 2014-202010).

The current study, developed on the basis of information gathered through seven national studies (Belgium, Germany, Greece, France, Hungary, the Netherlands and Sweden), has revealed some major drawbacks of the current legal framework applicable to hate speech and hate crime:

Shortcomings related to the transposition of the CFD include its incomplete transposition. Gaps in transposition mainly arise in connection with Article 1(1)(c) and 1(1)(d) of the CFD requiring the penalisation of the condoning, denial or gross trivialisation of genocide, crimes against humanity and war crimes and of Nazi crimes, respectively. To ensure effective protection against the most severe forms of hate speech and hate crime, it is recommended that the European Commission (EC) initiates infringement proceedings against Member States failing to transpose the CFD. Another issue derives from the transposition of the protected characteristics (grounds upon which hate speech and hate crime are prohibited) set out in the CFD, the AMSD and the ECD. As a general rule, Member States’ legislation refers to characteristics beyond those required by the CFD, the AMSD and the ECD. Member States have not taken a harmonised approach in this respect, thus the list of protected characteristics varies from Member State to Member State. Therefore an ambitious review of existing EU law might be necessary.

The use in practice of the CFD, the AMSD and the ECD is hindered by similar factors. Member States fail to collect sufficient reliable data on hate speech and hate crime incidents, which hinders the monitoring and assessment of the scale of the problem. This mainly results from the fact that data collection related competences are often divided between more than one authority, whose data collection efforts are not harmonised. To overcome the existing data gap, Member States with less developed or harmonised data collection methods could be encouraged to learn from Member States with good practices in place. The underreporting of hate speech and hate crime incidents by victims also hinders the understanding of the scale of the problem. Member States could be encouraged to raise awareness of the means of reporting incidents or to facilitate reporting through alternative means, such as anonymously, through the internet or victim support organisations.

The absence of shared understanding by practitioners of the applicable legal provisions seems to be an issue across the globe. The provision of clear guidance to practitioners, for example through awareness raising materials or training programmes, is therefore needed. These tools should provide practitioners with the skills necessary to duly investigate, prosecute and adjudicate hate speech and hate crime incidents.

In addition, applicable rules often fail to cover the liability of operators for the publication of hate content by bloggers or users of social media sites. The liability of bloggers and users of websites is often regulated; however these individuals are sometimes difficult to trace back, moreover it is often difficult to prove their motivation. The situation is an issue of concern given that internet remains a critical tool for the distribution of racist and hateful propaganda. To overcome the potential impunity of offenders it is recommended to regulate the liability of operators, thereby encouraging them to better control the content of blogs and social media websites. Alternatively Member States could reinforce their efforts of monitoring the content of websites. This however, should be done in a manner ensuring the sufficient respect of freedom of expression.

In most Member States, no concerns have arisen regarding the unnecessary limitation of freedom of expression by hate speech legislation, or vice versa. France constitutes an exception in this respect where debates over the borderline between the protection of human dignity and the freedom of expression have recently reignited, when the French Government announced its new campaign against online hate speech. Some considered the French measures as too restrictive of the freedom of expression11. Guidance on where the borderline stands between the two fundamental rights is found in the case law of the European Courts of Human Rights (ECtHR). The ECtHR has ruled that in a democratic society, which is based on pluralism, tolerance and broadmindedness, freedom of expression should be seen as a right extending also to information and ideas that might offend, shock or disturb others. Any limitation of the freedom of expression must be proportionate to the legitimate aim pursued12. Member States could also be encouraged to sign and ratify the Council of Europe’s (CoE) Additional Protocol to the Convention of Cybercrime13, which gives due consideration to freedom of expression, while requiring the criminalisation of racist and xenophobic acts committed online.

Finally, the absence of one comprehensive policy dealing with hate speech and hate crime is itself a matter that should be addressed. This could be addressed through the adoption of a comprehensive strategy for fighting hate speech and hate crime. The Strategy could define concrete policy goals for the Member States, targeting the most severe forms of hate speech and hate crime, including online crime. These policy goals could be set in light of the most important factors hindering the application of hate speech and hate crime legislation in practice. These factors, as explained in details above, include inter alia the insufficient transposition of applicable rules, the inadequate knowledge of practitioners of the rules applicable to hate speech and hate crime, the insufficient data collection mechanisms in place and the existence of severe underreporting. The Strategy should ensure the sufficient respect of freedom of expression and acknowledge that hate speech and hate crime are present in all areas of life (e.g. politics, media, employment).

Legal framework on blasphemy and religious insult Continue reading “The European legal framework on hate speech, blasphemy and its interaction with freedom of expression”

Safe Harbor – No Future? How the General Data Protection Regulation and the rulings of the Court of Justice of the European Union (CJEU) will influence transatlantic data transfers

(ORIGINAL Posted on 1. Oktober 2015  in PETER SCHAAR. Der Blog. )

 by    (*)

Ladies and gentlemen,

One week ago, the Advocate General at the Court of Justice of the European Union (CJEU) issued his vote on the Safe Harbor case of Max Schrems vs. the Irish Data Protection Commissioner.

Since 1995 when the General European Directive on Data Protection came into force, data transfers from the European Union and its member states to non-EU countries have been subject to specific privacy and security restrictions. Such restrictions do not exist only in Europe.

For example in the US several legal acts and decisions of regulatory authorities constitute the obligation to store specific data in the own country, in particular data, which have been generated by public bodies and providers of critical infrastructures. The US Federal Trade Commission has stated that a company subject to privacy obligations under US law is not allowed to avoid such obligations by outsourcing their data processing activities to offshore service providers.

The key message of Art. 25 of the 1995 GD is that transfer of personal data to a third country may take place only if the recipient in question ensures an adequate level of data protection. The adequacy shall be assessed in the light of all the circumstances surrounding the data transfer operation.

The main road to adequacy are the so-called adequacy decisions of the European Commission, that the said country ensures an adequate level of data protection. These decisions are binding for the member states. They shall take the measures necessary to comply with the Commission’s decision.

One of the most discussed adequacy decisions concerns the United States – the decision on Safe Harbor, although the Commission was of the opinion, that the US in general failed to provide an adequate level of data protection for the private sector, because of the lack of any comprehensive data protection legislation.

The Safe Harbor principles, negotiated between the Commission and the US government in the late 1990s should bridge this obstacle. The SH arrangement has been aimed at guaranteeing the adequate level of protection required by EU law for those companies, committing themselves to comply with the SH principles.

From the beginning, since the Safe Harbor was agreed in the year 2000 there has been some criticism against it. The main critical argument was that the principles do not meet the high EU data protection standards defined by the General Directive.

A scientific implementation study on SH done 2004 on behalf of the Commission came to the result that „Key concepts such as ‚US organization‘, ’personal data’,’deceptive practices’ lack clarity. Moreover, the jurisdiction of the FTC with regard to certain types of data transfers is dubious.“

It also has been criticized, that companies which declare compliance with the principles at once may profit from the Safe Harbor privileges, even if their privacy practices were not yet subject to an independent audit.

These issues remain important until our days. But after the vote the Advocate General at the CJEU (GA) issued recently, the focus lays on another question: How far practices and powers of US authorities have been ignored in the adequacy assessments.

At the first glance, law enforcement authorities, police and intelligence do not fall within the scope of the Safe Harbor agreement and therefore they do not have to be subject to the assessment. But this first impression is wrong.

As Art. 25 of the GD is pointing out, the assessment is to be done in the light of „all circumstances“ surrounding a data transfer to the third country. Even activities of authorities in the third country have to be examined. It is unclear how far this happened during the Safe Harbor assessment in the late 1990s.

But even if such assessment once took place, the result may be invalid today, because things changed dramatically after 9/11 2001. As we have learnt from Edward Snowden and other whistleblowers, US government has obtained broad access to private companies’ databases, telecommunications and Internet services.

Many companies which have co-operated with the NSA – voluntarily or based on legal obligations – have been safe harborists and there is no doubt that NSA and other services have got access to big amounts of data stemming from Europe or related to EU citizens.

The PATRIOT ACT and secret Presidential Orders, issued after 9/11 provided intelligence and law enforcement agencies with a lot of new powers and simultaneously demolished many safeguards which have been introduced in the 1970s to protect civil rights and privacy.

For years it seemed that many of these changes were not on the screen of the European Commission and other European stakeholders. The implementation study on SH of 2004 came to the conclusion: „Since the new US legislation only rarely contradicts the SH principles for data covered by SH, these conflicts do not appear to undermine the level of protection for any significant flows of personal data to the United States. The controversial provisions of the USA PATRIOT Act are essentially irrelevant for SH data flows.“ (p. 101)

But 2013, after the the beginning of the Snowdon revelations, nobody can ignore any more, that the practices of NSA, CIA and FBI introduced after 9/11 have impact on the level of data protection in the United States: The legal provisions on Government access to personal information, especially the Foreign Intelligence Surveillance Act (FISA), do not meet the basic standards of the rule of law at least so far data of non-US-persons are concerned. The practices disclosed in the last two years and the commitments of US officials on mass surveillance provided the public with loads of evidence that the NSA and others are involved in bulk collection of personal data coming from Europe. Therefore it seems evident, that these practices have to be taken into account by the CJEU.

Another change happened in Europe: The Lisbon Treaty came into force in 2009, and at least since then privacy and data protection, including the independent oversight, have been fundamental rights of the European Union, as parts of the European primary law. European secondary law and European Commission’s decisions have to fulfill these requirements. Even older legislation, agreements with third countries as to PNR or TFTP and Commission’s decisions have to be reviewed in the light of Art. 7 and 8 of the EU Charter of Fundamental Rights.

Acknowledging this, the vote of Advocate General Bot (AG) in the case of Maximilian Schrems versus the Irish Data Protection Commissioner, issued last week, is not really surprising. The vote touches two big points:

Even if the Commission decides that the level of data protection in a country is adequate, this does not prevent national data protection authorities from suspending the transfer of the data, it they are of the opinion, that in the concrete case adequacy criteria are not met by the recipient. As we have learnt from the Snowden revelations, Facebook and other Internet companies cooperated closely with the NSA and provided them with broad access to personal data stored on their servers.
The AG is of the opinion that the Safe Harbor arrangement itself is invalid, because the US, especially the intelligence services, do not provide adequate protection for the personal data coming from Europe. Therefore he proposes to suspend the Safe Harbor.

Nobody knows how the European Court of Justice will decide the case. The ruling is expected on 6 October. Perhaps you know the sentence „How the judge decides depends what he ate for breakfast“. It is correct: The vote of the advocate general is only an opinion and it does not bind anybody.

But for me it seems likely that the judges will acknowledge the vote, at least in the result. In two earlier cases, the court decided last year, on data retention and on the right to be forgotten, the judges underlined the high importance of European fundamental rights on privacy and data protection. In these cases the court went beyond the Advocate general’s vote. In the Schrems’ case the AG adapted this recent orientation of the judges.

If the CJEU will decide as proposed by the AG, this does not mean automatically the end of Safe Harbor. But the Safe Harbor arrangement must be renegotiated and at the end there might be a better safe Harbor System, meeting the principles of fundamental rights and complying with the new EU Data Protection Regulation.

Art. 41 of the Commissions proposal contains criteria, conditions and procedures for adequacy assessments, more specific than the current Art. 25 of the GD from 1995: The criteria which shall be taken into account for the Commission’s assessment of an adequate or not adequate level of protection include expressly the rule of law, judicial redress and independent supervision. The new article confirms explicitly the possibility for the Commission to assess the level of protection afforded by a territory or a processing sector within a third country.

My conclusion for today: Safe Harbor will be possible even in the future. But such a „happy end“ requires changes in the SH arrangement. And it requires effective legal guarantees for EU citizens in the US.

Also necessary is a new thinking in Europe, in particular on the fields of law enforcement and intelligence. If we urge the US to respect our privacy, European secret services have to respect fundamental rights of all EU citizens and citizens of third countries as well.

(*) Keynote on the conference „New Directions in Cyber Security“  Berlin, 1 October 2015

Repetita Juvant ? The EDPS 2nd Opinion on the EU system of collection of passenger name records (PNR)

Foreword:
The systematic collection for prevention of terrorism of Air traveller’s personal data (PNR) from Airlines, Travel Agencies and Computer Reservation Systems started in the US, Australia, Canada after 9/11 and was considered illegal by the European Data Protection authorities as well by the European Parliament who challenged in 2004 before the Court of Justice the first EU-US agreement in this matter as well as the Commission Declaration (“Adequacy Finding”) which considered the adequate the condition of treatment of EU passengers data on the other side of the Atlantic.

The Court of Justice Judgment recognized in 2006 that the Commission’s “Adequacy Finding” and the EU-US Agreement were not founded on the correct legal basis but did not examined the EP plea on the fact that the agreement could had infringed the fundamental right to protection of personal data because of lack of clarity and of its incompatibility with a democratic society (at the time required by art.8 of the ECHR)

Therefore it has to be noted that already in 2004 the Commission considered that also the EU should develop its own PNR system for security purposes and after the CJ ruling decided to renegotiate with the US (on a security related legal basis) a new PNR agreements which explicitly made reference to the possibility of exchanging PNR data as soon as the EU would had has its own PNR related System.
In the absence of an EU internal legal framework for PNR data some EU Countries started building their own national systems with a more or less open support by the Commission notwithstanding the (vocal) opposition of the European Parliament.

Quite surprisingly it is after the entry into force of the LISBON Treaty and of the Charter of Fundamental Rights which recognize a self-standing fundamental right of protection of personal data that the Gericho Walls have fallen and the European Parliament has approved a transatlantic agreement in this matter (even if there was not yet an internal EU legal framework in this matter and the level of protection of Personal data in the agreement was much lower than the one that the same Parliament challenged before the Court of Justice in 2004…).

This change of strategy (due to an clear change of political majority) was seized by the Commission as the right signal to create an EU internal PNR system. After a first badly written proposal the Bruxelles Executive came back with a legislative proposal to authorise the collection of PNR data also by the EU Member States.

Needless to say this move was contested by the national data protection authorities and less convincingly by the European Parliament. Even if it blocked in the last legislature the legislative procedure it has finally decided to reopen the negotiations this year. This is probably due to the converging pressure of the European Council, of the Council Interior Ministers as well as by the convergence of the two biggest political groups (also thanks to the good offices of the EP President..).

From a procedural point of view, the legislative proposal is still in its first phase (parliamentary first reading) but the new majority (covering also the ALDE and ECR) has decided to try to obtain an early agreement with the Council in the framework of the so called “first reading agreements”.
As usual the informal (secret) dialogue has started and there is a clear political will to reach an agreement in the coming months (still under the Luxembourg Presidency).

This being the case both the National Data Protection Authorities and the European Data Protection Supervisor EDPS) are trying to slow down the process by repeating the constitutional, legislative and operational reservations which have also been summarized in the EDPS opinion adopted last week and published below.

Most of these arguments have been raised hundred of times (even by the European Parliament since its first resolution in march 2003) but quite paradoxically the new political majority in the EP, notwithstanding the stronger post-Lisbon constitutional framework of data protection, has decided to change its mind and is giving up the points which has defended in the previous legislatures.

Under such a new political situation it is more than likely that the very well drafted EDPS considerations will not be taken in account. But even if in this case REPETITA (will not) JUVANT other obstacles can arise before the adoption by the European Parliament of the EU PNR legislative proposal.

“There are still judges in Berlin”?

Like the humble miller who facing an unjust decision the Prussian King Frederick II, the Great exclaimed that “There are still judges in Berlin” our “Berlin” judges can be the European Court of Justice which will give an important judgment partially related to this matter on October 6.

The judgment deals with a case raised by Max SCHREMS, an Austrian Student who has considered that his personal data accessible via Facebook were not adequately protected in the US territory (because they can be too easily accessed by the US Security Services).

It will be interesting to see if the Court of Justice meeting as Grand Chamber (as it happens for “big” judgments) will follow the recent Conclusions of Advocate General Yves BOT who has raised strong concerns on the compatibility with the EU Charter of the current US data protection standards in the security domain.

If this was the case the same doubts could be extended on the envisaged EU PNR system which (badly) mirror the US PNR system… Will the determination of one European Citizen be more effective for the rights of each one of us of the hundred pages and countless debates of the European Parliament in the last twelve years? We will know it very soon and in the meantime let’s …fasten our seat belts.

Emilio De Capitani

EDPS SECOND OPINION ON EU PNR – ORIGINAL PUBLISHED HERE Continue reading “Repetita Juvant ? The EDPS 2nd Opinion on the EU system of collection of passenger name records (PNR)”

RELOCATION OF ASYLUM-SEEKERS IN THE EU: LAW AND POLICY

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Steve Peers

I last looked at the legal issues surrounding the refugee crisis two weeks ago, focussing on the international law dimension of the issue. But I left out the issue of relocation of asylum-seekers, pending further developments. Subsequently the EU has adopted a second, more controversial Decision on relocation of asylum-seekers within the EU this week (against the opposition of several Member States), following soon after the first Decision on this issue earlier in September. These measures are both provisional, in force for a total of two years, but there’s also a proposal for a permanent system of provisional measures. I will be looking at the relocation issue (including the pending proposal) in more detail in a report for a think-tank soon, but for now I’ll look briefly at three aspects of these measures: (a) the main content; (b) their legality, particularly since some Member States have threatened to sue to annul the second Decision; and (c) the merits of the relocation policy.

Content of the Decisions

First of all, two points about terminology. Some press reports refer to these Decisions ‘resettling’ refugees within the EU, but that’s not accurate. In both EU and international law, ‘resettlement’ refers to admitting people in need of protection from their country of origin or neighbouring countries. The EU uses the word ‘relocation’ instead, when addressing the issue of moving persons between Member States.

But that’s the process; how should we refer to the persons concerned? Technically, the most accurate term is ‘asylum-seekers’, since the relocation Decisions only apply to those who have applied for asylum but whose claim has not yet been determined. So I will use that term in this post. But since the Decisions only apply to those whose application is quite likely to succeed (more on that below), it should not be forgotten that the subsequent refugee determination procedure will likely conclude that the large majority of these asylum-seekers (but not quite all of them) are in fact refugees, or otherwise need protection. It would certainly be misleading to use the term ‘migrants’, since this word is sometimes interpreted as meaning that the people concerned have no protection need.

The first Decision

The first Decision provides for relocating asylum-seekers from Italy and Greece. It only applies to asylum-seekers who have applied for asylum in one of those States, and if that State would normally be responsible for considering the application under the Dublin rules. This will normally be the case, since the asylum-seeker will have crossed the border of Italy or Greece without authorisation. But in some cases, the Dublin rules would give priority to another Member State (if the asylum-seeker has close family there, for instance), and so in those case the Dublin rules would still apply, instead of the relocation procedure.

The relocated asylum-seekers will be split 60/40 between Italy and Greece: 24,000 from Italy and 16,000 from Greece. They will be allocated to other Member States on the basis of optional commitments made by those other States. (The UK, Ireland and Denmark have opt-outs; see discussion of the UK opt-out here). While the intention was to relocate 40,000 people, Member States could ultimately not agree to offer that many relocation spaces, falling several thousand short (see the accompanying Resolution of Member States).

Relocation will be selective, applying only to those nationalities whose applications have over a 75% success rate in applications for international protection (refugee status, and subsidiary protection), on the basis of quarterly Eurostat statistics. On the basis of the most recent statistics, this means that only Syrians, Iraqis and Eritreans will qualify. This might change over time, however, on the basis of each new batch of statistics.

In principle, the selection of asylum-seekers to be relocated will be made by Italy and Greece, who must give ‘priority’ to those who are considered ‘vulnerable’ as defined by the EU reception conditions Directive. However, the preamble to the Decision makes clear that the ‘contact points’ of the relocating Member States (national officials) will indicate a preference for specific asylum-seekers they are willing to accept. To this end, the preamble states that ‘specific account should be given to the specific qualifications and characteristics of the applicants concerned, such as their language skills and other individual indications based on demonstrated family, cultural or social ties which could facilitate their integration into the Member State of relocation’. But this preference is not binding: the main text of the Decision states that the relocation States must accept the asylum-seekers nominated by Italy and Greece, except that they can refuse relocation ‘only where there are reasonable grounds for regarding’ an asylum-seeker as a danger to their national security or public order or where there are serious reasons for applying the exclusion provisions in thequalification Directive (concerning acts such as war crimes, terrorism and genocide).

Relocation can only apply to asylum-seekers who have already been fingerprinted pursuant to the Eurodac Regulation. This simply restates an existing EU law obligation to fingerprint everyone over 14 who applies for asylum or is found crossing the external border without permission, although that obligation is sometimes not applied in practice. Also, ‘applicants who elude the relocation procedure shall be excluded from relocation’, although this rather states the obvious.

The relocation process should usually take no more than two months after the relocating Member State has indicated how many asylum-seekers it will take. Member States of relocation will be responsible for considering the application. After relocation, asylum-seekers will not legally be able to move between Member States, in accordance with the normal Dublin rules; if they do so, the Member State of relocation must take them back. The preamble to the Decision also notes that, to deter ‘secondary movements’ Member States can limit the suspensive effect of appeals against transfers, impose reporting obligations, provide benefits in kind, and issue national entry bans. They should refrain from issuing travel documents allowing the asylum-seekers to visit other countries. There might be carrots, as well as sticks: as an incentive to stay in the Member State of relocation, the Commission has proposed that relocated asylum-seekers should be allowed to work straight away, rather than after a 9-month wait (the longest period Member States can require under the reception conditions Directive).

As for the asylum-seekers themselves, there is no requirement that they consent to their relocation or have the power to request it. The Decision only requires Italy and Greece to inform and notify the asylum-seekers about the relocation, and the preamble states that they could only appeal against the decision if there are major human rights problems in the country to which they would be relocated. So neither the relocation itself, nor the choice of Member State that a person will be relocated to, is voluntary. It is possible, however, that the asylum-seekers left behind in Italy or Greece will be disappointed that they are not picked. There is no specific remedy for them to challenge their non-selection, although arguably to the extent that Italy and Greece select people who are not vulnerable for relocation, vulnerable persons could challenge their non-inclusion, in light of the legal obligation to select vulnerable persons as a priority.  Asylum-seekers do have the right to insist that their core family members (spouse or partner, unmarried minor children, or parents of minors) who are already on EU territory come with them to the relocated Member State.

Finally, other Member States have an obligation to assist Italy and Greece, while those Member States must in return establish and implement an asylum action plan. If they do not, then the Commission can suspend the Decision as regards either country. Member States relocating asylum-seekers receive a lump sum of €6000 per person from the EU budget to help with costs. The Decision applies until 17 September 2017, and covers asylum-seekers who arrived after 15 August 2015.

The second Decision

The second Decision follows the same basic template as the first Decision, but there are some key differences. First of all, it applies to 120,000 asylum-seekers, on top of the 40,000 provided for – but not fully committed – in the first Decision (the first Decision remains legally valid; it wasn’t amended or repealed by the second one).

Secondly, the numbers of relocated asylum-seekers in the second Decision is not based upon voluntary commitments by Member States, but upon specific numbers set out in an Annex to the Decision. While most Member States agreed to these numbers (the Decision needed a qualified majority vote of ministers in the Council to pass), clearly not all did: Slovakia, Romania, Hungary and the Czech Republic voted against the Decision. This means that there is a legal obligation to take these specific numbers of people.

Thirdly, the distribution of relocation is much different. Reflecting events on the ground over the summer, which has seen a much bigger influx of potential asylum-seekers into Greece, the second Decision provides for relocating 50,400 from Greece, but only 15,600 from Italy. The remaining 54,000 were meant to be relocated from Hungary, but Hungary did not want to be seen as a ‘frontline State’. So those 54,000 are ‘on ice’ for now. They will be relocated in a year’s time either from Italy and Greece on the same basis as under this Decision, or relocated on a different basis in light of changes in circumstances (subject to approval from the Council in either case).

Fourthly, Member States can request a temporary delay of 30% of their intake of asylum-seekers in ‘exceptional circumstances’, if it gives ‘duly justified reasons compatible with the fundamental values’ of the EU, such as human rights and non-discrimination. This delay can then be authorised by the Council on a proposal from the Commission. The preamble to the Decision indicates that such circumstances ‘could include, in particular’ a sudden inflow that places ‘extreme pressure’ upon even a well-prepared asylum system, or a ‘high probability’ of such an inflow.

Fifthly, the preamble contains stronger language as regards the ‘secondary movement’ of asylum-seekers. Member States can take measures as regards social benefits and remedies, and can ‘should’ detain asylum-seekers in accordance with the Returns Directive if no alternative means of preventing secondary movements are available.

Sixthly, in addition to the lump sum of €6000 per person from the EU budget for Member States of relocation, Italy and Greece will receive €500 per person to help with costs. Finally, the Decision will also apply for two years, but it will apply to all those who have arrived in Italy or Greece since the end of March this year, not just from mid-August.

Legality of the Decisions

Both decisions are based on Article 78(3) of the TFEU, which is a revised version of the ‘emergency power’ relating to immigration issues that has been in the Treaties since 1993 – but was never used until this month.

Article 78(3) reads as follows:

In the event of one or more Member States being confronted by an emergency situation characterised by a sudden inflow of nationals of third countries, the Council, on a proposal from the Commission, may adopt provisional measures for the benefit of the Member State(s) concerned. It shall act after consulting the European Parliament.

This should be seen in the context of the purpose of Article 78(1), which states that the EU shall have:

a common policy on asylum, subsidiary protection and temporary protection with a view to offering appropriate status to any third-country national requiring international protection and ensuring compliance with the principle of nonrefoulement. This policy must be in accordance with the Geneva Convention of 28 July 1951 and the Protocol of 31 January 1967 relating to the status of refugees, and other relevant treaties.

Article 78(2) specifies that the EU shall have power to adopt measures to create ‘a common European asylum system’, listing seven areas where it can act by means of the ordinary legislative procedure. (Note that the proposed permanent system for relocation would be based on Article 78(2), not Article 78(3), so the legality of that proposal raises different issues; I’m not considering that proposal here).

Several elements of Article 78(3) are obvious: there must be a Commission proposal (which there was for both decisions); the Council votes by qualified majority (this isn’t expressly mentioned in the clause, but it’s the default rule); and the European Parliament (EP) is only consulted, whereas it has its usual joint decision-making power as regards other asylum legislation. It’s implicit that Article 78(3) measures can only relate to asylum, due to the placement of this clause in Article 78. Moreover, prior to the Treaty of Lisbon, the previous version of this clause had been free-standing, and therefore applicable to all immigration and asylum issues; its placement in the asylum Article was surely no accident and must therefore be legally relevant.

The strongest legal argument against the validity of the second Decision is a procedural one. CJEU case law has always stated that where the EP has to be consulted on a measure, it must be reconsulted if the essential elements of the measure are then changed after it was initially consulted. That certainly applies here, because the removal of Hungary from the list of frontline States changed an essential element of the law. Against this, it might be argued that there is no obligation to reconsult, or a less stringent obligation to reconsult, in ‘emergency’ cases. But if the claim is successful on this point, it won’t accomplish much: the Council will only have to consult the EP again, and the CJEU might (as it often does) keep the Decision in force in the meantime, since the legal flaw is purely procedural.

As to the substance of the emergency measures power, first of all it must implicitly be consistent with Article 78(1), forming part of a ‘common’ policy, ensuring compliance with ‘non-refoulement’ and being in accordance with the Geneva Convention. The two Decisions meet those criteria; some alternative suggestions like closing the external border or returning people to unsafe countries would not.

Next, several terms in Article 78(3) have to be defined: an ‘emergency situation’, a ‘sudden inflow’, a ‘provisional measure’ and the ‘benefit’ of Member States. The idea of an ‘emergency’ suggests a situation which Member States find particularly difficult to handle, and the current crisis certainly qualifies for that. Some have questioned whether the inflow is ‘sudden’, given that it has been building up for years, with the Syrian civil war starting back in 2011. But the overall numbers have clearly increased sharply in 2015; the scale of that increase surely qualifies as a ‘sudden’ inflow, even if the inflow did not start overnight.

Surely it is up to the Member States in question to determine if they will ‘benefit’ from the measures concerned; that’s why it was legally necessary to remove Hungary from the list of beneficiaries. Just because another policy might, in the view of other Member States, be preferable, doesn’t mean that the Member States concerned will not benefit. Anyway, it’s manifestly clear that Italy and Greece will benefit from having fewer asylum-seekers on their territory, as things now stand.

There’s a strong literal argument that the measures in question can only benefitMember States, as distinct from (say) Serbia – although the EU could still assist Serbia by other means. But that issue doesn’t arise, since the two Decisions are only relocating asylum-seekers from Member States. A purely consequential impact on third States (fewer people will transit Serbia) isn’t sufficient to infringe this rule.

This leaves us with the definition of ‘provisional measures’. The notion of ‘provisional’ means that it must be limited in time. Since the Treaty of Lisbon removed the previous limitation to six months, this means that measures can last for longer than that. Although there may be a legal argument that two years is too long, a period of one year (during which time a permanent system may well be agreed) is surely legal. So the most a successful claim could do here is curtail the length of the validity of the second Decision, not annul it completely. If a provisional measure is renewed, or replaced with a similar provisional measure, the ‘provisional’ nature of the powers would be infringed, but we have not got to that stage yet.

What ‘measures’ can be adopted? Can they amend existing legislation? This is relevant because the two Decisions derogate from the Dublin rules, as any relocation system would have to do. The EP’s role has been circumvented because it was only consulted. While I previously held the view that for this reason, emergency asylum measures could not derogate from EU asylum legislation, I no longer think that’s correct. Because the Treaty refers to a ‘common’ asylum policy, it must follow that the power to adopt emergency measures would be nugatory if it couldn’t amend existing legislation.

Does the EU have power to adopt quotas of asylum-seekers? A power to adopt quota rules is ruled out under Article 79(5) TFEU in the case of those looking for work. But those limitations only apply to ‘that Article’, and the Treaty drafters chose to regulate asylum issues, including reception conditions for asylum-seekers and the status of refugees (which concern access to employment) on the basis of Article 78 instead. Indeed, as noted already, there’s no right to work for asylum-seekers on the basis of EU law unless they have been waiting nine months for a decision (although Member States can choose to be more generous if they wish), and some asylum-seekers will be too young to seek work or otherwise not seek work due to family responsibilities or illness, for example. So asylum-seekers aren’t within the scope of Article 79. Moreover, the issue of relocation quotas had been discussed several times before, to the Treaty drafters must have been aware of it. If they had wanted to rule out quotas for asylum-seekers in Article 78(3), they would therefore surely have done so expressly. Article 79(5) has an a contrario effect.

Should Article 78(3) be narrowly interpreted? The Treaty drafters chose to use broad wording, and indeed Article 80 TFEU refers broadly to the principle of solidarity and burden-sharing (‘including’, ie not limited to, financial support). Unlike Treaty provisions which stress the narrowness of the EU’s powers, such as the powers over health or education, Article 78 repeatedly refers to a ‘common’ or ‘uniform’ policy (there are more such references in Articles 67 and 78(2)). The Treaty drafters placed limits on the scope of the EU’s immigration policy (as we have seen already); and in the same Title of the Treaty, there are various special rules relating to competence or voting over various aspects of border controls, civil law, police cooperation, and criminal law. It’s quite striking that no comparable limits exist as regards the EU’s asylum powers. One may reasonably argue that there should be such limits, but I am not convinced that there are such limits at the moment.

Just because those powers exist, however, does not mean that they should necessarily be used. So finally I will turn to the question of whether relocation is a good idea in general, and whether it is wise to force it upon recalcitrant States – even if it is legal.

Appraising the relocation policy

In principle, the objectives of the relocation policy are entirely valid. Article 80 TFEU refers to the need for solidarity and burden-sharing among Member States as regards asylum, and this reflects also the burden-sharing principle of international law, set out in the preamble to the Geneva Convention on refugees. The numbers who have arrived in Greece and Italy in recent months are clearly unmanageable for those countries to handle alone, although it should not be forgotten that some of the (potential) asylum-seekers concerned have moved on to other Member States under their own steam in the meantime. While solidarity also can (and does) take the form of financial support and additional personnel, reception centres cannot be built overnight and officials from other Member States cannot simply become part of the Greek or Italian civil service for a while.

If anything, the relocation Decisions are insufficient. It’s clearly an overstatement to say that the EU has ‘done nothing’ to help those countries: the Decisions won’t relieve all the pressure upon Italy and Greece, but equally it should in principle relieve some of it. According to the preamble to the second Decision, it will relieve Greece and Italy of 43% of the asylum-seekers who clearly needed international protection (ie the nationalities with high success rates in asylum claims) who arrived there over July and August. But this is less impressive than it first appears, since it assumes that the further 54,000 asylum-seekers now ‘on ice’ will be relocated from those countries, whereas this is not yet certain. And while the asylum-seekers in question will be relocated over two years, the numbers referred to in the preamble arrived over two months. Although the first Decision will also relieve some pressure, the percentage of the asylum-seekers from priority countries who will arrive in Italy and Greece over the next two years who will be relocated will therefore be much less than 43%. It is even possible that the more systematic application of the obligation to fingerprint applicants will mean that Italy and Greece would end up responsible for more applicants from the priority countries than before.

Overall, then, taking into account the numbers of asylum-seekers not subject to the Decisions because they are not from a priority country, the two Decisions are likely to prove insufficient. This can be addressed in practice by further such Decisions (or the proposed new permanent system for addressing these issues) in the near future.

The question of whether it is possible to reduce the numbers of asylum-seekers who arrive at the EU’s external borders in the first place is outside the scope of my analysis here – although this will ultimately determine whether a mass influx continues to occur in the years to come.

As for the details of the Decisions, there are two particularly controversial issues: the role of asylum-seekers, and the wisdom of enforcing quotas upon unwilling Member States. On the first point, it is problematic to compel asylum-seekers to move to a country that they do not wish to be in, since this has already proved unworkable in the original Dublin context. It would have been preferable at least to give asylum-seekers the opportunity to express a (non-binding) preference (with reasons) for particular Member State, or perhaps a list of several preferred Member States. That would increase the likelihood that asylum-seekers will stay put, since they are would be in a Member States where they prefer to be. It will also increase the likelihood that they will integrate into the host State once obtaining protection status (as most people subject to the Decisions will), given that they may prefer particular destinations because they have extended family members, friends or acquaintances there. But it will probably not be possible to respect every asylum-seeker’s preferred destination – or every asylum-seeker who wants to relocate.

In the absence of any attempt to consider the asylum-seekers’ preferences, Member States instead fell back upon the idea of punishing them if they make secondary movements. Although the Dublin system has notably not worked well at ensuring that asylum-seekers always remain in the State which is responsible for their application, it has worked better when asylum-seekers have been fingerprinted, so that it is easy to ascertain the responsible Member State; and relocation under the Decisions will only be possible for those who have been fingerprinted. While the Decisions correctly state that asylum-seekers who make secondary movements have to be taken back (pursuant to the Dublin Regulation), the preamble to the second Decision wrongly claims that they could be detained pursuant to the Returns Directive. In fact, since that Directive doesn’t apply to asylum-seekers (see the CJEU rulings in Kadzoev and Arslan), the narrower grounds for detention in the Dublin Regulation would apply instead, if the person concerned applies for asylum.

It’s also not clear exactly what benefits sanctions and remedies restrictions could be legally applied to asylum-seekers who don’t stay in the Member State of relocation, beyond the possibility of limiting the suspensive effect of a legal challenge. As regards benefits, the CJEU ruled in Cimade and GISTI that benefits must still be paid to asylum-seekers even if they have moved to another Member State (by that Member State), until the point when they are transferred back to the responsible Member State under the Dublin rules. This is now reflected in the preamble to the Dublin III Regulation. It might prove more fruitful to take up the Commission’s suggestion of allowing relocated asylum-seekers to work at an earlier date.

On the second point, historically calls for asylum burden-sharing have relied upon moral suasion, not legal imposition. The relocation process will in any event be difficult to carry out if the outvoted Member States refuse to cooperate with it. (It’s not clear if they will suspend their commitments under the first Decision too – although note that Hungary made no such commitments in the first place). The Commission can begin infringement proceedings for non-cooperation, but this will take time, and the Member States in question might prefer to pay a fine (the sanction for non-compliance with a CJEU infringement ruling) than cooperate with relocation.

While the recalcitrant Member States’ objections to burden-sharing are not very convincing, more efforts should have been made to offer them an alternative. The original suggestion of a financial contribution to alleviate the costs of the Member States with the biggest burden was dropped, since it was (wrongly) perceived as a sanction, rather than as an alternate type of burden-sharing. Perhaps a better idea would have been to offer the option of assisting the neighbouring countries hosting Syrians, Iraqis and Eritreans, either by resettling more people directly from those countries or by making bigger financial contributions to those countries (and thereby reducing ‘push’ factors). Either option could have indirectly relieved the burden on Greece or Italy.

Finally, to what extent can the outvoted Member States (or others) reduce their obligations under the Decisions? As we have seen, the second Decision allows them to reduce their intake temporarily, if the Council approves. They must have good reasons, in particular relating to reception capacity. Given the exceptional nature of the rule, it is hard to see how other reasons can easily be accepted; certainly paranoia cannot. And the grounds for the request must be compatible with EU values, so Islamophobia is equally an impermissible ground too.

(MEIJERS COMMITTEE) Military action against human smugglers: legal questions concerning the EUNAVFOR Med operation

ORIGINAL PUBLISHED HERE ON 23 September 2015

  1. The EUNAVFOR Med operation

On 22 June 2015, the Council of Ministers of the European Union adopted a Common Foreign Security Policy (CFSP) Decision establishing a military crisis management operation with the aim of combatting fighting people smuggling: EUNAVFOR Med.1 This mission is currently in its first phase, focusing on intelligence gathering, i.e. surveillance and the   assessment of existing smuggling networks.

A second phase would involve searching and possibly diverting vessels on the high seas and territorial waters, either under a mandate of the UN Security Council or with the consent of the appropriate coastal state. The Foreign Affairs Council has recently established that the conditions for the second phase have been met insofar as operations in international waters are concerned.2 During the third phase, vessels and related assets of human smugglers would be destroyed and smugglers apprehended.

The mission will operate in a complex legal environment of overlapping rules of refugee law, international human rights law, the law of the sea, and international rules on the use of force. This note discusses some of the most pressing legal questions raised by this operation.

  1. General remarks

At the outset, the Meijers Committee would like to raise a general point regarding the focus on people smuggling as a response to the loss of life at sea. In the absence of safe and legal access to the right to seek asylum in Europe, together with routes for legal migration, people will turn to human smugglers as a last resort. Increased border controls have resulted in higher casualties as people are forced to take more dangerous routes.

The Meijers Committee questions the appropriateness of the approach taken under EUNAVFOR Med to stop the loss of life at sea. The Committee would like to point to the shift from saving lives at sea under  the  Italian-led  Mare  Nostrum  Operation,  to  border management  (Triton),  to  military  action (EUNAVFOR Med). The Meijers Committee emphasizes that the legal obligation to save lives at sea should have primacy in all Union action at sea and that a long-term solution must also involve improving legal access to asylum and legal employment.

  1. Human smuggling as a threat to international peace and
    security

The Meijers Committee notes that the decision establishing the EUNAVFOR Med operation refers explicitly to the need for a UN Security Council Resolution or consent of the coastal states concerned before the second phase of the operation can enter into force.

In this respect the Meijers Committee notes a fundamental difference from the EUNAVFOR operation Atalanta against piracy off the Somalian coast, which was taken as a model for EUNAVFOR Med. The Atalanta operation was explicitly supported by a UN Security Council Resolution, and had the consent of the coastal state involved.3

Articles 39 and 42 UN Charter stipulate that the Security Council shall only authorize the use of force if ‘necessary to maintain or restore international peace and security’. The Meijers Committee is not convinced that the EUNAVFOR MED mission meets this standard. Although the humanitarian crisis may meet this standard, the activities of human smugglers – unlike piracy do not qualify. Although the Security Council has previously adopted resolutions in response to refugee crises in Iraq and Haiti, these were intended to stabilize the countries of origin and not to prevent persons from seeking refuge elsewhere.

  1. Phase 2: search and diversion of ships

The Second Phase of the operation would involve the search and diversion of ships in third-country territorial waters, which requires the consent of the flag state or a UN Security Council Resolution.

The Meijers Committee recalls that on the high seas, Article 87 UN Convention on the Law of the Sea (UNCLOS) ensures the right to freedom of navigation. Article 110 permits a warship to board and inspect a vessel if, inter alia, it has no nationality. As regards the vessel, a finding of statelessness should allow states to exercise jurisdiction in order to ensure compliance with the ‘minimum public order on the high seas’, namely, the duties that normally fall on the flag state (Art. 94 UNCLOS).4 This could include a state’s power to escort the vessel into harbor for inspection. As regards the people on board, UNCLOS does not seem to provide a basis for the exercise of jurisdiction.

Although Article 110(1) UNCLOS expressly allows that grounds of interference may be established by Treaty, the UN Smuggling Protocol seems to impose a duty of cooperation only on the contracting parties, while maintaining the requirement of flag state authorization. Article 8(7) of the Smuggling Protocol provides a firmer legal basis for interference with stateless vessels than Article 110 UNCLOS. The wording ‘suppressing the use of the vessel’ or ‘take appropriate measures’ implies the possible use of force. Nevertheless, such force should be used as a means of last resort and will be subject to the requirement of necessity and proportionality. It is noted, however, that the Migrant Smuggling Protocol lacks the precision of, for instance, the UN drug trafficking regime, which explicitly sets out the measures that an intercepting power may take against a drug transport.5 Accordingly, no clear legal basis for action is provided in international law.

Diversions on the high seas may not result in the refoulement of people on board. It is important to stress that States cannot relieve themselves of this obligation by labelling an operation as ‘search and rescue’. The IMO Guidelines on the treatment of persons rescued at sea state that ‘[disembarkation of asylum-seekers and refugees recovered at sea, in territories where their lives and freedom would be threatened should be avoided.’ This approach has been confirmed by the European Court of Human Rights in the Hirsi case.6 Member States remain bound by their obligations under international human rights law, independently of the nature and location of their intervention. In this regard it is particularly problematic that Libya one of the most important coastal states whose cooperation is sought is currently a notoriously dangerous and unstable country.

It is unclear how the EU intends to give practical effect to these obligations in the course of the EUNAVFOR Med mission. The Meijers Committee would recommend that clear guidelines be put in place, comparable to the rules applicable in the framework of Frontex coordinated operations at sea.7

  1. Phase 3: destruction of vessels and apprehension of smugglers

The Third Phase of the Operation would entail the destruction of vessels and related assets, and the apprehension of smugglers. The Meijers Committee argues that clear, binding, publicly available rules should be adopted prior to the commencement of Phase 3.

As regards the smugglers it must be noted that unlike piracy and international crimes, international law does not establish universal criminal jurisdiction over human smuggling. As with diversions, the interference with vessels believed to be engaged in human smuggling requires the consent of the flag state (or a UN SC Resolution). In case the ship is sailing without a flag, Article 8 of the Protocol allows a party to take ‘appropriate measures in accordance with relevant domestic and international law’. The extent to which this includes the exercise of criminal jurisdiction over human smugglers is not clear, however.

The Council decision establishing EUNAVFOR Med is silent about the possible detention and prosecution of smugglers. The Meijers Committee points out that even though EUNAVFOR Med is executed by military forces, the EU is not acting as party to an armed conflict and thus normal peace­time law applies. This means that after arrest, those suspected of migrant smuggling should be brought promptly before a judge8. In the case of subsequent criminal prosecution, jurisdiction should be established in one of the Member States. In this respect it is noted that not all Member States have established universal jurisdiction over human smuggling. If smugglers are to be extradited or released to third countries, their fundamental rights should be guaranteed.

The Meijers Committee notes that EUNAVFOR Med is aimed at the destruction of vessels used or suspected of being used for migrant smuggling, possibly even inside third-country territory, yet it remains unclear what legal standard is applied to identify such vessels. The Meijers Committee cautions that the destruction of vessels cannot be arbitrary. Unlike UNCLOS, which provides for clear rules on the seizure and liability for seizure of pirate ships, there is no explicit legal basis in international law for the seizure of migrant smuggling boats. The right to property as enshrined in Article 1 of Protocol 1 ECHR, which will apply to the Member States acting extra-territorially, prescribes that any destruction of property must be provided for by law and must be necessary and proportionate.

  1. Unclear division of responsibility between the EU and its
    Member States

The Meijers Committee recalls that Article 21 TEU requires CFSP actions to be based on human rights. This includes respect for human dignity, including the prohibition of torture and inhuman treatment; personal security and liberty; and protection from arbitrary detention and arrest.9 It also notes, however, that the Court of Justice of the EU has no authority to ensure this respect for fundamental rights as it lack jurisdiction over the CFSP.10 This means that legal remedies would have to be provided under the national law of the participating Member States.

The experience with joint operations under the coordination of Frontex shows that in case of violations of fundamental rights, it is unclear to whom wrongful conduct must be attributed. Although the operation is coordinated by the EU, it is the Member States that provide the assets and personnel, over which they maintain operational command.

Case law issuing from the European Court of Human Rights on the obligations of the Member States as contracting parties to the European Convention on Human Rights clearly indicates with regard to the Member States that they cannot escape their responsibilities under the Convention by acting outside the Convention’s territorial scope. The situation is more complicated, however, when Member States act as agents for the European Union (Bosphorus) or within the context of UN Peace Keeping Operations (Al Jeddah, Behrami, and Saramati). The Meijers Committee therefore stresses that it is fundamentally important that questions of international responsibility and responsibility under the European Convention for Human Rights are addressed prior to commencement of Phases 2 and 3.

Conclusions and recommendations

I. There are no indications that combating migrant smuggling contributes to the restoration of international peace and security or to ending the ongoing humanitarian crises;

II.      Without express consent from third states or authorization from the UN Security Council, the EU lacks jurisdiction over   vessels or assets in third-country territorial waters;
III.      Without express consent from third-country coastal states or   authorization from the UN Security Council, there is no clear legal basis for coercive measures against vessels or assets on the high seas;
IV Despite the unclear legal framework covering interdiction on the high seas, international human rights law does apply;
V.      Should a legal basis for action on the high seas and in territorial waters be provided, clear rules of engagement and proper safeguards should be in place to prevent indiscriminate destruction of civilian property; any undue loss should be compensated;
VI.      An unambiguous legal basis for the arrest and detention of suspected smugglers is needed, and also for the seizure and destruction of any personal property. Suspects should either be prosecuted, extradited or released, the last action having due regard to the right to asylum and the prohibition of refoulement;
VII.      Clear attribution rules and accountability mechanisms for human rights violations committed by EUNAVFOR assets should be in place;
VIII.      The right to apply for asylum, access to asylum procedures on land with proper language and legal assistance, and the prohibition of refoulement should be respected and subject to judicial oversight;
IX.       Outsourcing migration control to third countries, even though outside Member State jurisdiction, should take place with assurances and safeguards against human rights violations.

Notes

1 Council Decision (CFSP) 2015/972 of 22 June 2015 launching the European Union military operation in the southern Central Mediterranean (EUNAVFOR MED), OJ 2015, L157/51.

2 Council of the European Union, “EUNAVFOR Med: Council adopts a positive assessment on the conditions to move to the first step of phase 2 on the high seas”, Press Release, 14 September 2015, no. 643/15.
3 http://www.un.org/Depts/los/piracy/piracy_documents.htm
4 E. Papastavridis, ‘Enforcement Jurisdictions in the Mediterranean Sea: Illicit Activities and the Rule of Law on the High Seas’, International Journal of Marine and Coastal Law, Vol. 25, 2010, p. 585.
5 See Council of Europe Agreement on Illicit Traffic by Sea, implementing article 17 of the United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances.
6 ECHR, Hirsi Jamaa and others v. Italy, Grand Chamber, Judgment, 23 February 2012, Application no. 27765/09.
7 Regulation (EU) No 656/2014 of the European Parliament and of the Council of 15 May 2014 establishing rules for the surveillance of the external sea borders in the context of operational cooperation coordinated by the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union, L 189, 27 June 2014.
8 ECHR, Medvedyev v France, 9 March 2010, appl. no. 3394/03.
9 The promotion and protection of human rights during common security and defence policy operations. In-between a spreading state of mind and an unsolved concern. M L Sánchez Barrueco, in The EU as a ”Global Player” in human rights?, J E Wetzel (edit.), 2011, pp. 158-160.
10 See also Case T-271/10, under appeal C-455/14 P.

About : The Meijers Committee is an independent group of legal scholars, judges and lawyers that advises on European and International Migration, Refugee, Criminal, Privacy, Anti-discrimination and Institutional Law. The Committee aims to promote the protection of fundamental rights, access to judicial remedies and democratic decision-making in EU legislation.

The Meijers Committee is funded by the Dutch Bar Association (NOvA), Foundation for Democracy and Media (Stichting Democratie en Media) the Dutch Refugee Council (VWN), Foundation for Migration Law Netherlands (Stichting Migratierecht Nederland), the Dutch Section of the International Commission of Jurists (NJCM), Art. 1 Anti-Discrimination Office, and the Dutch Foundation for Refugee Students UAF.

Contact info: Louis Middelkoop Executive secretary post@commissie-meijers.nl +31(0)20 362 0505

Please visit www.commissie-meijers.nl

AMERICAN MASS SURVEILLANCE OF EU CITIZENS: IS THE END NIGH?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS  (Wednesday, 23 September 2015)

by Steve PEERS

*This blog post is dedicated to the memory of the great privacy campaigner Caspar Bowden, who passed away recently. What a tragedy he did not leave to see the developments in this case. To continue his work, you can donate to the Caspar Bowden Legacy Fund here.

 

A brilliant university student takes on the hidebound establishment – and ultimately wins spectacularly. That was Mark Zuckerberg, founding Facebook, in 2002. But it could be Max Schrems, taking on Zuckerberg and Facebook, in the near future – if the Court of Justice decides to follow the Advocate-General’s opinion in the Schrems case, released today.

In fact, Facebook is only a conduit in this case: Schrems’ real targets are the US government (for requiring Facebook and other Internet companies to hand over personal data to intelligence agencies), as well as the EU Commission and the Irish data protection authority for going along with this. In the Advocate-General’s opinion, the Commission’s decision to allow EU citizens’ data to be subject to mass surveillance in the US is invalid, and the national data protection authorities in the EU must investigate these flows of data and prohibit them if necessary. The case has the potential to change much of the way that American Internet giants operate, and to complicate relations between the US and the EU in this field.

Background

There’s more about the background to this litigation here, and Simon McGarr has summarised the CJEU hearing in this case here. But I’ll summarise the basics of the case again here briefly.

Max Schrems is an Austrian Facebook user who was disturbed by Edward Snowden’s revelations about mass surveillance by US intelligence agencies. Since such mass surveillance is put into effect by imposing obligations to cooperate upon Internet companies, he wanted to complain about Facebook’s transfers of his personal data to the USA. Since Facebook’s European operations are registered in Ireland, he had to bring his complaints to the Irish data protection authority.

The legal regime applicable to such transfers of personal data is the ‘Safe Harbour’ agreement between the EU and the USA, agreed in 2000 – before the creation of Facebook and some other modern Internet giants, and indeed before the 9/11 terrorist attacks which prompted the mass surveillance. This agreement was put into effect in the EU by a decision of the Commission, which used the power conferred by the EU’s current data protection Directive to declare that transfers of personal data to the USA received an ‘adequate level of protection’ there.

The primary means of enforcing the arrangement was self-certification of the companies concerned (not all transfers to the USA fall within the scope of the Safe Harbour decision), enforced by the US authorities.  But it was also possible (not mandatory) for the national data protection authorities which enforce EU data protection law to suspend transfers of personal data, if the US authorities or enforcement system have found a breach of the rules, or on the following further list of limited grounds set out in the decision:

there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.

In fact, Irish law prevents the national authorities from taking up this option. So the national data protection authority effectively refused to consider Schrems’ complaint. He challenged that decision before the Irish High Court, which doubted that this system was compatible with EU law (or indeed the Irish constitution). So that court asked the CJEU to rule on whether national data protection authorities (DPAs) should have the power to prevent data transfers in cases like these.

The Opinion

The Advocate-General first of all answers the question which the Irish court asks, and then goes on to examine whether the Safe Harbour decision is in fact valid. I’ll address those two issues in turn.

In the Advocate-General’s view, national data protection authorities have to be able to consider claims that flows of personal data to third countries are not compatible with EU data protection laws, even if the Commission has adopted a decision declaring that they are. This stems from the powers and independence of those authorities, read in light of the EU Charter of Fundamental Rights, which expressly refers to DPAs’ role and independence. (On the recent CJEU case law on DPA independence, see discussion here). It’s worth noting that the new EU data protection law under negotiation, the data protection Regulation, will likely confirm and even enhance the powers and independence of DPAs. (More on that aspect of the proposed Regulation here).

On the second point, the opinion assesses whether the Safe Harbour Decision correctly decided that there was an ‘adequate level of protection’ for personal data in the USA. Crucially, it argues that this assessment is dynamic: it must take account of the protection of personal data now, not just when the Decision was adopted back in 2000.

As for the meaning of an ‘adequate level of protection’, the opinion argues that this means that third countries must ensure standards ‘essentially equivalent to that afforded by the Directive, even though the manner in which that protection is implemented may differ from that’ within the EU, due to the importance of protecting human rights within the EU. The assessment of third-country standards must examine both the content of those standards and their enforcement, which entailed ‘adequate guarantees and a sufficient control mechanism’, so there was no ‘lower level of protection than processing within the European Union’. Within the EU, the essential method of guaranteeing data protection rights was independent DPAs.

Applying these principles, the opinion accepts that personal data transferred to the USA by Facebook is subject to ‘mass and indiscriminate surveillance and interception’ by intelligence agencies, and that EU citizens have ‘no effective right to be heard’ in such cases. These findings necessarily mean that the Safe Harbour decision was invalid for breach of the Charter and the data protection Directive.

More particularly, the derogation for the national security rules of US law set out in the Safe Harbour principles was too general, and so the implementation of this derogation was ‘not limited to what is strictly necessary’. EU citizens had no remedy against breaches of the ‘purpose limitation’ principle in the US either, and there should be an ‘independent control mechanism suitable for preventing the breaches of the right to privacy’.

The opinion then assesses the dispute from the perspective of the EU Charter of Rights. It first concludes that the transfer of the personal data in question constitutes interference with the right to private life. As in last year’s Digital Rights Ireland judgment (discussed here), on the validity of the EU’s data retention directive, the interference with rights was ‘particularly serious, given the large numbers of users concerned and the quantities of data transferred’. In fact, due to the secret nature of access to the data, the interference was ‘extremely serious’. The Advocate-General was also concerned about the lack of information about the surveillance for EU citizens, and the lack of an effective remedy, which breaches Article 47 of the Charter.

However, interference with these fundamental rights can be justified according to Article 52(1) of the Charter, as long as the interference is ‘provided for by law’, ‘respect[s] the essence’ of the right, satisfies the ‘principle of proportionality’ and is ‘necessary’ to ‘genuinely meet objectives of general interest recognized by’ the EU ‘or the need to protect the rights and freedoms of others’.

In the Advocate-General’s view, the US law does not respect the ‘essence’ of the Charter rights, since it extends to the content of the communications. (In contrast, the data collected pursuant to the data retention Directive which the CJEU struck down last year concerned only information on the use of phones and the Internet, not the content of phone calls and Facebook posts et al). On the same basis, he objected to the ‘broad wording’ of the relevant derogations on national security grounds, which did not clearly define the ‘legitimate interests’ at stake. Therefore, the derogation did not comply with the Charter, ‘since it does not pursue an objective of general interest defined with sufficient precision’. Moreover, it was too easy under the rules to escape the limitation that the derogation should only apply when ‘strictly necessary’.

Only the ‘national security’ exception was sufficiently precise to be regarded as an objective of general interest under the Charter, but it is still necessary to examine the ‘proportionality’ of the interference. This was a case (like Digital Rights Ireland) where the EU legislature’s discretion was limited, due to the importance of the rights concerned and the extent of interference with them. The opinion then focusses on whether the transfer of data is ‘strictly necessary’, and concludes that it is not: the US agencies have access to the personal data of ‘all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security’.

Crucially, the opinion concludes that ‘[s]uch mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference’ with Charter rights. The Advocate-General agreed that since the EU and the Member States cannot adopt legislation allowing for mass surveillance, non-EU countries ‘cannot in any circumstances’ be considered to ensure an ‘adequate level of protection’ of personal data if they permit it either.

Furthermore, there were not sufficient guarantees for protection of the data. Following the Digital Rights Ireland judgment, which stressed the crucial importance of such guarantees, the US system was not sufficient. The Federal Trade Commission could not examine breach of data protection laws for non-commercial purposes by government security agencies, and nor could specialist dispute resolution bodies. In general, the US lacks an independent supervisory authority, which is essential from the EU’s perspective, and the Safe Harbour decision was deficient for not requiring one to be set up. A third country cannot be considered to have ‘an adequate level of protection’ without it. Furthermore, only US citizens and residents had access to the judicial system for challenging US surveillance, and EU citizens cannot obtain remedies for access to or correction of data (among other things).

So the Commission should have suspended the Safe Harbour decision. Its own reports suggested that the national security derogation was being breached, without sufficient safeguards for EU citizens. While the Commission is negotiating revisions to that agreement with the USA, that is not sufficient: it must be possible for the national supervisory authority to stop data transfers in the meantime.

Comments

The Advocate-General’s analysis of the first point (the requirement that DPAs must be able to stop data flows if there is a breach of EU data protection laws) is self-evidently correct. In the absence of a mechanism to hear complaints on this issue and to provide for an effective remedy, the standards set out in the Directive could too easily be breached. Having insisted that the DPAs must be fiercely independent of national governments, the CJEU should not now accept that they can be turned into the tame poodles of the Commission.

On the other hand, his analysis of the second point (the validity of the Safe Harbour Decision) is more problematic – although he clearly arrives at the correct conclusion. With respect, there are several flaws in his reasoning. Although EU law requires strong and independent DPAs within the EU to ensure data protection rights, there is more than one way to skin this particular cat. The data protection Directive notably does not expressly require that third countries have independent DPAs. While effective remedies are of course essential to ensure that data protection law (likely any other law) is actually enforced in practice, those remedies do not necessarily have to entail an independent DPA. They could also be ensured by an independent judiciary. After all, Americans are a litigious bunch; Europeans could join them in the courts. But having said that, it is clear that in national security cases like this one, EU citizens have neither an administrative nor a judicial remedy worth the name in the USA. So the right to an effective remedy in the Charter has been breached; and it is self-evident that processing information from Facebook interferes with privacy rights.

Is that limitation of rights justified, however? Here the Advocate-General has muddled up several different aspects of the limitation rules. For one thing, the precision of the law limiting rights and the public interest which it seeks to protect are too separate things. In other words, the public interest does not have to be defined precisely; but the law which limits rights in order to protect the public interest has to be. So the opinion is right to say that national security is a public interest which can justify limitation of rights in principle, but it fails to undertake an examination of the precision of the rules limiting those rights. As such, it omits to examine some key questions: should the precision of the law limiting rights be assessed as regards the EU law, the US law, or both?  Should the US law be held to the same standards of clarity, foreseeability and accessibility as European states’ laws must be, according to the ECHR jurisprudence?

Next, it’s quite unconvincing to say that processing the content of communications interferes with the ‘essence’ of the privacy and data protection rights. The ECHR case law and the EU’s e-privacy directive expressly allow for interception of the content of communications in specific cases, subject to strict safeguards. So it’s those two aspects of the US law which are problematic: its nature as mass surveillance, plus the inadequate safeguards.

On these vital points, the analysis in the opinion is correct. The CJEU’s ruling inDigital Rights Ireland suggests, in my view, that mass surveillance is inherently a problem, regardless of the safeguards in place to limit its abuse. This is manifestly the Advocate-General’s approach in this case; and the USA obviously has in place mass surveillance well in excess of the EU’s data retention law. The opinion is also right to argue that EU rules banning mass surveillance apply to the Member States too, as I discuss here. But even if this interpretation is incorrect, and mass surveillance is only a problem if there are weak safeguards, then the Safe Harbour decision still violates the Charter, due to the lack of accessible safeguards for EU citizens as discussed above. Hopefully, the Court of Justice will confirm whether mass surveillance is intrinsically problematic or not: it is a key issue for Member States retaining data by way of derogation from the e-privacy Directive, for the validity of EU treaties (and EU legislation) on specific issues such as retaining passenger data (see discussion here of a pending case), and for the renegotiation of the Safe Harbour agreement itself.

This brings us neatly to the consequences of the CJEU’s forthcoming judgment (if it follows the opinion) for EU/US relations. Since the opinion is based in large part upon the EU Charter of Rights, which is primary EU law, it can’t be circumvented simply by amending the data protection Directive (on the proposed new rules on external transfers under the planned Regulation, see discussion here). Instead, the USA must, at the very least, ensure that adequate remedies for EU citizens and residents are in place in national security cases, and that either a judicial or administrative system is in place to enforce in practice all rights which are supposed to be guaranteed by the Safe Harbour certification. Facebook and others might consider moving the data processing of EU residents to the EU, but it’s hard to see how this could work for any EU resident with (for instance) Facebook friends living in the USA. Surely in such cases processing of the EU data in the USA is unavoidable.

Moreover, arguably it would not be sufficient for the forthcoming EU/US trade and investment agreement (known as ‘TTIP’) to provide for a qualified exemption for EU data protection law, along the lines of the WTO’s GATS. Only a complete immunity of EU data protection law from the TTIP – and any other EU trade and investment agreements – would be compatible with the Charter. Otherwise, companies like Facebook and Google might try to invoke the controversial investor dispute settlement system (ISDS) every time a judgment like Google Spain or (possibly) Schrems cost them money.

Schrems Versus Facebook: is the end of Safe Harbor approaching ?

by Emilio De Capitani

Today Advocate General Yves Bot has presented his long-awaited conclusions on the Case C‑362/14 Maximillian Schrems v Data Protection Commissioner. This case better described by the press as the “Schrems v Facebook” Case (why not “David V Goliath” ?)  put in question the so called Safe harbor “agreement” which frame the conditions under which personal data of the people under the EU jurisdiction can be transferred or treated by servers of US Companies (such as Facebook, Google, E-Bay) on the US territory.
As the protection of personal data is a fundamental right under EU law (notably after the entry into force of the art.8 of the EU Charter)  art. 25 of Directive 95/46 foresees that the transfer of these data to a third country is legitimate only if the data are “adequately” protected.
The problem is that in the US there is no comprehensive legal protection framework comparable to the one existing in the EU so that in 2000 the Commission negotiated with the US the establishment of a specific voluntary regime (the “Safe Harbor Principles”) which could had been considered granting an “adequate” protection of personal data  having regard to the standard applicable in Europe.

At the time the European Parliament voted against this regime but was unable to obtain stronger safeguards because of the unwillingness of the US authorities and moreover by the Commission which was more interested to the transfer of data than of their protection.

Since then the transatlantic flow of data has grown every day and with them the economic benefices of the US Companies without any real re-assesment of the compliance of the Safe Harbor principles on the US side (by the Federal Trade Commission) or on the EU side (by the Commission) even after the entry into force of the Lisbon Treaty which changed the legal basis of EU policies linked with the protection of personal data.

However when the Snowden revelations made clear to everybody that all these EU personal data could be massively analyzed without judicial overview by the US Intelligence Services someone in the EU  woke up.

Between the EU Institutions the European Parliament asked the suspension of the Safe Harbor agreement but its initiative was not followed by the Commission (as unfortunately happens more and more frequently); but it is thanks to the obstinacy of Maximilian Schrems, an Austrian law student that the case was finally been brought, first before to the Irish Data Protection Commissioner, then before the Irish High Court and now before the Court of Justice.

This case is extremely interesting  not only because it confirms that in a democracy someone has to …watch the watchers be they at national or European level (notably if they are sleeping or hiding behind each other…) but also because it shows that also an “ordinary” Citizen can dare to do in name of the EU law and of his rights what the EU Institutions are less and less willing to do.

Enjoy now the reading the instructive and very detailed Yves BOT arguments drawing him to declare that the Commission initial “adequacy finding” was not adequate at all (as also the EP wrote in its 2000 resolution) and that National Authorities should fully play their role and not hiding behind the Commission “Adequacy decisions”.

Such a strong reasoning if endorsed by the Luxembourg Judges should inspire

  • a re-assessment of other EU-US ‘executive’ agreements dealing with data protection (the draft “Umbrella agreement” included)
  • a revision of the Data Protection package at least as far as the regime of Commission “adequacy finding” is concerned (which due to its large marge of discretion could no more be considered a simple “implementing measure” but at least a “delegated” power …) and a stronger role of the Data Protection Board which should have a direct jurisdiction at least for Data controller “over the top” such as Facebook, Google, E-Bay and so on…

It is only unfortunate that the European Parliament which on these issues was on the right side between 1999 and 2004 is now slowly sliding away notwithstanding a much stronger constitutional framework and a binding Charter …

Anyway many thanks Max!! Hope that 10, 100, 1000 of European citizens could follow your example…

 

CONTINUE READING : OPINION OF ADVOCATE GENERAL BOT 

delivered on 23 September 2015 (1Case C‑362/14 Maximillian Schrems Data Protection Commissioner

Continue reading “Schrems Versus Facebook: is the end of Safe Harbor approaching ?”

EP Study : Big Data and smart devices and their impact on privacy

FULL STUDY ACCESSIBLE HERE
AUTHORS : Dr  Gloria  González Fuster, (Research  Professor  at  the Vrije Universiteit  Brussel  (VUB), Dr Amandine Scherrer, (European Studies Coordinator and Associate Researcher at the Centre d’Etudes sur les  Conflits,  Liberté  et  Sécurité -CCLS)

EXECUTIVE SUMMARY

EU citizens and residents and, more generally, all individuals deserving protection as ‘data subjects’ by EU law, are directly impacted by EU strategies in the field of Big Data. Indeed, the data-driven economy poses significant challenges to the EU Charter of Fundamental Rights, notably  in  the fields of  privacy and  personal data protection.

Big Data refers to the exponential growth both in the availability and automated use of information. Big Data comes from gigantic digital datasets held by corporations, governments and other large organisations; these are extensively analysed (hence the name ‘data analytics’) through computer algorithms. There are numerous applications of Big Data in various sectors, including healthcare, mobile communications, smart grids, traffic management, fraud detection, or marketing and retail (both on- and offline). The notion, primarily driven by economic concerns, has been largely promoted through market-led strategies and policies. Presented as an enabler of powerful analytical and predictive tools, the concept of Big Data has also raised numerous criticisms emphasising such risks as biased information, spurious correlations (associations that are statistically robust but happen only by chance), and statistical discrimination. Moreover, the promotion of Big Data as an economic driver raises significant challenges for privacy and digital rights in general. These challenges are even greater in a digital ecosystem with a proliferation of cheap sensors, numerous apps on mobile devices and an increasingly connected world that sometimes does not even require human intervention (as shown in the increasing development of the Internet of Things [IoT]). The flows of information on- and off line, shared and multiplied across computers, mobile devices, watches, SmartBands, glasses, etc., have dramatically increased the availability, storage, extraction and processing of data on a large scale. It has become increasingly difficult to track what is made of our data. This situation is complicated further by the wide variety of actors  engaged  in  data  collection  and  processing.

The numerous debates triggered by the increased collection and processing of personal data for various – and often unaccountable – purposes are particularly vivid at the EU level. Two interlinked, and to some extent conflicting, initiatives are relevant here: the development of EU strategies promoting a data-driven economy and the current reform of the EU personal data protection legal framework, in the context of the adoption of a General   Data  Protection  Regulation  (GDPR).

In order to address the issues at stake, the present Study provides an overview of Big Data and smart devices, outlining their technical components and uses (section 2). This section shows that many contemporary data processing activities are characterised by a high degree of opacity. This opacity directly affects the ability of individuals to know how data collected about them is used; it also hinders their capacity to assess and trust the manner in which choices are (automatically) made – whether, in other words, these choices are appropriate or fair. As regards smart devices, cheap sensors or the IoT, the pervasiveness of sensors and extensive routine data production might not be fully understood by individuals, who may be unaware of the presence of sensors and of the full spectrum of data they produce, as well as the data processing operations treating this diverse data. If Big Data, smart devices and IoT are often promoted as key enablers of market predictions and economic/social dynamics, data processing raises the question of who  controls one’s  data.

In this perspective, Section 3 presents the different EU approaches on the digital economy and the questions raised in terms of privacy and personal data protection (Section 3). This section argues that in the current context of the development of a Digital Single Market for Europe (DSM), the European Commission’s perspective is very much commercially and economically driven, with little attention to the key legal and social challenges regarding privacy and personal data protection. Even though the European Commission points out some of the key challenges of processing data for economic and market purposes (i.e., anonymisation, compatibility, minimisation), the complexity of these challenges is somehow under-estimated. These challenges can be grouped around the following questions any digital citizen may ask her/himself under EU law: which data about me are collected and for what purposes? Are data protected from unauthorised access and to  what  extent  is  control  exercised  upon  the processing  of my  personal   data?

Section 4 then considers these questions in the specific context of the Data Protection Reform package. Arguing that the digital citizens rights should be the main focus of the current debates around the GDPR, this Section underlines that Big Data, smart devices and the IoT reveal a series of potential gaps in the EU legal framework, in the following areas in particular: transparency and information obligations of data controllers; consent (including consent in case of repurposing); the need to balance public interest and the interests of data subjects for legitimising personal data processing; the regulation of profiling; and proper safeguarding of digital rights in case of data transfers to  third  parties and  third  countries.

In light of these findings, the Study concludes with key recommendations for the European Parliament and, in particular, the LIBE Committee responsible for the protection of natural persons with regards to the processing of personal data. These recommendations aim at ensuring that negotiations around the GDPR promote a strong and sustainable framework  of  transparency  and  responsibility  in which  the data  subject’s rights  are  central.

In particular, the guiding principle of any exploitation of personal data should be driven by the requirement of guaranteeing respect for the Fundamental Rights (privacy  and  personal  data protection) laid  down  in EU primary  and secondary  law (recommendations 1 & 2).

The role of data controllers in this perspective is central as they are legally required to observe a number of principles when they process personal data, compliance of which must be reinforced. The degree of information and awareness of data subjects must be of prime concern whenever personal data processing takes places, and the responsibility for protecting Fundamental Rights should be promoted along the data production chain and gather various stakeholders. Furthermore, the GDPR should ensure that individuals are granted complete and effective protection in the face of current   and   upcoming   technological   developments   of   Big   Data   and   smart   devices (recommendation 3).

The GDPR currently under discussion should in any case not offer less protection and guarantees than the 1995 Data Protection Directive, and users should remain in complete control of their personal data throughout the data lifecycle.

Finally, effective protection of individuals cannot be guaranteed solely by the adoption of a sound GDPR. It will also require a consistent review of the e-Privacy Directive (recommendation 4), an instrument that not only pursues the safeguarding of personal data protection but, more generally, aims to ensure this right and the right to respect for private life.