Think of the children: the ECJ clarifies the status of non-EU parents of EU citizen children living in their own Member State

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

Professor Steve Peers

What immigration rights do non-EU citizens have under EU law? There are three main areas of EU law that address this issue: EU immigration and asylum law; EU treaties with non-EU countries; and EU free movement law. The latter area of law is focussed on EU citizens’ right to move between Member States, and so only covers non-EU citizens if they are family members of EU citizens who have moved to another Member State. Those rules also apply by analogy where an EU citizen with a non-EU family member has moved to another Member State, then moved back to that citizen’s home Member State. (These are known as Surinder Singh cases: see this discussion of the ECJ’s most recent ruling on such cases, from 2014).

But what if an EU citizen has a non-EU family member, but has never moved to another Member State? Such cases fall outside the scope of EU free movement law. They will therefore in principle fall solely within the scope of national law, unless either EU immigration and asylum law or EU treaties with non-EU countries apply (they usually will not). But in a limited number of cases, there is a fourth category of EU law which might apply to them: EU citizenship law.

This principle was first set out in the 2011 judgment in Ruiz Zambrano, which concerned Belgian children living in Belgium with two non-EU parents. The ECJ ruled that expelling the non-EU parents would in effect would result in the departure of the children from the EU, thereby risking the ‘genuine enjoyment of the substance’ of those children’s EU citizenship rights.

Subsequent ECJ case law (discussed here) made clear that this principle is apparently restricted to the non-EU parents of EU citizen children living in their home State. Cases very similar to Zambrano – two non-EU parents of an EU child – are rare, because Member States now rarely, if ever, confer nationality upon children simply because they are born on the territory. However, there are rather more cases where: a) a home-State EU citizen marries a non-EU citizen, b) their child gets home-State citizenship because one of her parents is a home-State citizen; and c) the parents’ relationship ends.

In those cases, Ruiz Zambrano still potentially applies, as long as the non-EU parent is the ‘primary carer’ for the home-State EU citizen child. In that case, removing this parent to a non-EU country would in effect force the EU citizen child to leave the EU as well.  But when exactly does the ‘primary carer’ test apply? The ECJ clarified this issue in today’s important judgment in Chavez-Vilchez and others.

Judgment

Chavez-Vilchez and others concerned a number of non-EU parents of Dutch children in the Netherlands, who sought to argue that they were primary carers of those children, and so entitled to residence in accordance with the Ruiz Zambrano judgment. The Dutch government argued that they could not automatically be considered primary carers if it was possible for the other parent, ie the Dutch citizen, to take care of the children:

…the mere fact that a third-country national parent undertakes the day-to–day care of the child and is the person on whom that child is in fact dependent, legally, financially or emotionally, even in part, does not permit the automatic conclusion that a child who is a Union citizen would be compelled to leave the territory of the European Union if a right of residence were refused to that third-country national. The presence, in the territory of the Member State of which that child is a national or in the territory of the Union, as a whole, of the other parent, who is himself a Union citizen and is capable of caring for the child, is, according to the Netherlands Government, a significant factor in that assessment (para 66)

While the Court of Justice agreed that the non-EU parents could not automatically be considered as primary carers where the home state EU citizen child was dependent upon them, the Court’s approach was more open. It began by restating prior case law: the key issue was ‘who has custody of the child and whether that child is legally, financially or emotionally dependent on the third-country national parent’ (para 68). It then reiterated, following Zambrano, that dependency was particularly significant (para 69). Then it added new detail on how to assess dependency:

…it is important to determine, in each case at issue in the main proceedings, which parent is the primary carer of the child and whether there is in fact a relationship of dependency between the child and the third-country national parent. As part of that assessment, the competent authorities must take account of the right to respect for family life, as stated in Article 7 of the Charter of Fundamental Rights of the European Union, that article requiring to be read in conjunction with the obligation to take into consideration the best interests of the child, recognised in Article 24(2) of that charter (para 70).

For the purposes of such an assessment, the fact that the other parent, a Union citizen, is actually able and willing to assume sole responsibility for the primary day-to-day care of the child is a relevant factor, but it is not in itself a sufficient ground for a conclusion that there is not, between the third-country national parent and the child, such a relationship of dependency that the child would be compelled to leave the territory of the European Union if a right of residence were refused to that third-country national. In reaching such a conclusion, account must be taken, in the best interests of the child concerned, of all the specific circumstances, including the age of the child, the child’s physical and emotional development, the extent of his emotional ties both to the Union citizen parent and to the third-country national parent, and the risks which separation from the latter might entail for that child’s equilibrium. (para 71; emphases added)

The Court went on to answer questions from the national court about the burden of proof in Zambrano cases, which were connected with the substantive test to be applied. The Dutch government had argued:

…the burden of proof of the existence of a right of residence under Article 20 TFEU lies on the applicants in the main proceedings. It is for them to demonstrate that, because of objective impediments that prevent the Union citizen parent from actually caring for the child, the child is dependent on the third-country national parent to such an extent that the consequence of refusing to grant that third-country national a right of residence would be that the child would be obliged, in practice, to leave the territory of the European Union (para 74).

Although the ECJ accepted that the burden of proof lay upon the non-EU parent (para 75), it also ruled that national authorities ‘must ensure that the application of national legislation on the burden of proof’ in such cases ‘does not undermine the effectiveness’ of EU citizenship rights (para 76). This meant that the authorities had to make ‘the necessary inquiries’ to find out where the EU citizen parent lived, ‘whether that parent is, or is not, actually able and willing to assume sole responsibility for the primary day-to-day care of the child’ and whether the EU citizen child was dependent upon the non-EU parent (para 77).

In effect, the Court ruled that while the non-EU citizen must make a prima facie case, national authorities share some of the burden to investigate some aspects of the case. Again, the substantive test applicable is less stringent than urged by the Dutch government.

Comments

Today’s judgment clarified a number of issues relating to Zambrano cases, following on from last year’s judgments in CS and Rendón Marín (discussed here) which clarified when non-EU Zambrano parents could be expelled for public policy reasons. While the 2016 judgments referred to the child’s best interests, age, situation and dependency (referring to case law of the European Court of Human Rights), today’s judgment also refers to ‘physical and emotional development’, ‘emotional ties’ to both parents, and the effect of separation on the child. All of these are factors relating to the child, not to the non-EU parent; but all of them nevertheless concern the child’s links with that parent.

The Dutch government’s desired focus on the capability of the EU citizen parent takes a back seat to the child’s best interests, as further elaborated by the Court. This will protect more non-EU parents, but in a differential way. Oddly, the Court’s case law does not take express account of situations of joint custody, or the more general argument that the child’s best interest will usually be to maintain strong relationships with bothparents (assuming they are not negligent or abusive).

Could it also be argued that the requirement of always seeking to identify a ‘primary carer’ is problematic from the point of view of gender equality?  Due to the division of labour relating to child care in practice, the Court’s rulings would classify more non-EU mothers than non-EU fathers as ‘Zambrano carers’; but the expulsion of those fathers will only increase the childcare demands on the EU citizen mother who remains, as well as disrupt the child’s right to maintain a relationship with his father. Of course, the presence of the parent who looks after a child day-to-day is essential; but children love the parent who kicks the ball as well as the parent who cooks the meal.

The procedural aspects of the Court’s judgment are interesting, but raise further questions: is there a right to appeal, to a decision within a reasonable time, to a lawyer, to legal aid? In last year’s judgments, the Court of Justice referred to concepts from EU free movement law and its relevant case law when discussing the substantive test for expelling Zambrano carers; but it made no such cross-references today. The long-term immigration status of the parent is also an open question, although Zambrano noted that there should be access to employment to make the residence rights of the parent effective.

Finally, a Brexit point: the draft EU position for negotiating acquired rights does not appear to cover Zambrano carers. From a technical point of view, this is logical because the case law concerns (from the UK’s perspective) non-EU parents of UK citizens who have not moved within the EU. So no free movement rights have been acquired; we are rather talking of EU citizenship rights which will necessarily be lost when the UK ceases to be a Member State, since citizenship of the EU is defined as deriving from the nationality of a Member State. But from a human point of view, any deterioration in legal status could damage or even shatter the family lives of the children concerned. Zambrano carers should therefore be protected ideally in the Brexit talks, or failing that by the UK unilaterally.

See also further reading on UK Zambrano case law by Charlotte O’Brien and Desmond Rutledge

EU accession to the Istanbul Convention preventing and combating violence against women. The current state of play.

by Luigi LIMONE (*)

The Council of Europe Convention on preventing and combating violence against women and domestic violence, known as ‘Istanbul Convention’, is the first legally binding treaty in Europe that criminalises different forms of violence against women including physical and psychological violence, sexual violence, sexual harassment and rape, stalking, female genital mutilation, forced marriage, forced abortion and forced sterilization.

It emphasises and recognises that violence against women is a human rights violation, a form of discrimination against women and a cause and a consequence of inequality between women and men. The Convention requires the public authorities of State parties to adopt a set of comprehensive and multidisciplinary measures in a proactive fashion to prevent violence, protect its victims/survivors and prosecute the perpetrators. The Convention recognises that women experience multiple forms of discrimination and requires the State parties to ensure that tits implementation is made without discrimination on any ground such as sex, gender, race, colour, language, religion, political or other opinion, national or social origin, association with a national minority, property, birth, sexual orientation, gender identity, age, state of health, disability, marital status, migrant or refugee status or other. It also states that violence against women can never be justified in the name of culture, custom, religion, tradition nor so-called ‘honour’.

It foresees obligations to adopt a specific gender-sensitive approach in migration and asylum matters, and the establishment of a specific monitoring mechanism, (The Group of Experts on Action against Violence against Women and Domestic Violence “GREVIO”), tasked with ensuring effective implementation of its provisions by the Parties.

The Convention contains 81 articles set out in 12 separate chapters and was adopted by the Committee of Ministers of the Council of Europe on 7 April 2011, and opened for signature.  on 11 May 2011.  The Convention is open for signature and approval by the (47) member States of the Council of Europe, non-member States which have participated in its elaboration and the European Union, and is open for accession by other non-member States. The Istanbul Convention came into force in 2014. It has been signed by all the EU Member States (but the ratification is still missing for Bulgaria, Croatia, Cyprus, Czeck Republik, Estonia, Germany, Greece, Hungary, Ireland Latvia, Lithuania, Luxembourg, Slovakia and UK)

EU Accession : different perspectives of the Commission and of the Council

It should be noted that from a legal point of view the Istanbul Convention, like many other international treaties, is a ‘mixed agreement’ which allows for EU accession in parallel to the Member States’ accession.  While the EU cannot sign up to older international human rights treaties, like the UN Covenants, since they are only open to States, newer treaties expressly provide for the EU to sign up to them. This holds particularly true for the Istanbul Convention, which deals with a number of fields the EU is competent in, including victims’ rights and protection orders, asylum and migration, as well as in judicial cooperation in criminal matters.

As Steve Peers said, the EU accession to the Istanbul Convention can only be welcomed. Although it may not, by itself, prevent any act of violence from being committed, it may accelerate a broader process of ratification and corresponding national law reform on this issue. It may also have the important practical impact of helping victims receive support or protection, particularly in the context of the law on crime victims, immigration or asylum.

More specifically, the EU ratification of the Istanbul Convention could provide encouragement to its Member States, as well as non-EU Member States, to ratify the Convention and, since the CJEU will have jurisdiction to interpret those provisions of the Convention which fall within the scope of EU competence, it could promote a uniform interpretation of those provisions within the EU, thus establishing a truly comprehensive  framework for preventing and combating violence against women and domestic violence.

On 4th March 2016, the European Commission has then issued a proposal for a Council decision on the conclusion, by the European Union, of the Council of Europe Convention on preventing and combating violence against women and domestic violence.

The Commission proposal for the EU accession to the Istanbul Convention has recognised the mixed nature of the Convention and but has explicitly stated that the European Union has exclusive competence to the extent that, according to art.3(2) the Convention may affect common EU rules or alter their scope (recital 6).

However it has to be noted that according to art.73 of the Convention  :“The provisions of this Convention shall not prejudice the provisions of internal law and binding international instruments which are already in force or may come into force, under which more favourable rights are or would be accorded to persons in preventing and combating violence against women and domestic violence.”  Consequently, contracting Parties to the Convention are allowed to maintain or introduce a higher level of protection for women and girls than the norms set out in the Convention.

This gives some leeway to the Member States which have already signed and in some cases also ratified the Convention. Moreover in cases where relevant Union legislation contains minimum standards as well, it can be questioned if they have lost their possibility of adopting national legislation more favorable to the victims. On September 2016, the Slovak Presidency has then requested the Legal Service to give an opinion on the competences of the Union relating to the Convention, and to identify the parts of the Convention, if any, that fall within the Union’s exclusive competence.

This opinion was issued on 27 October 2016 (doc. 13795/16 -only partially accessible to the public) and as a result of subsequent debates in the Council working Groups it was decided that the Convention should be signed on behalf of the EU only as regards matters falling within the competence of the Union insofar as the Convention may affect common rules or alter their scope.

According to an internal Council source the EU must be held to have exclusive competence for some of the provisions of the Convention set out in Chapters IV (“Protection and Support”), V (‘Substantive Law) and VI (‘Investigation, prosecution, procedural law and protective measures’) but only insofar as they relate to victims covered by Directive 2011/92/EU and Directive 2011/36/EU. (Moreover in the case of the Victim Directive it deals with minimum EU rules so that some competence remain at MS level).

On the contrary it seems indisputable that the Union has acquired exclusive competence in relation to two of the three provisions of Chapter VII (‘Migration and Asylum’).  In relation to Article 60(1) and (2) of the Convention, the current EU rules of the “Qualification Directive” does not appear to be much leeway for Member States to exceed the protection level set out in Union rules. The same applies to Article 60(3) of the Convention, in the light of the detailed provisions of the same Qualification Directive, the “Procedures Directive” and the “Reception conditions Directive”, even if they set, technically speaking, Member States to maintain or introduce more favourable protection.  As for Article 61 of the Convention, on non-refoulement, this appears to set “minimum” norms, but only in theory.  The same must be held for the corresponding provisions of EU provisions, whether primary (Article 78(1) TFEU), or secondary law.

Therefore, to protect the MS competence the Council has decided to change the legal basis and the draft decision on the signing on behalf of the European Union of the Istanbul Convention was divided into two decisions: one with regard to matters related to judicial cooperation in criminal matters and the second with regard to asylum and non-refoulement.

Both Council and Commission have recognised that the respective competences of the European Union and the Member States are inter-linked and have considered that it is appropriate to establish arrangements between the Commission and the Member States for the monitoring mechanism provided by the Convention, the so-called Group of experts on action against violence against women and domestic violence (GREVIO).

…in the meantime the European Parliament ..

At the European Parliament level, on several occasions MEPs have recalled that the EU accession to the Istanbul Convention would guarantee a coherent European legal framework to prevent and combat violence against women and gender-based violence and to protect the victims of violence, provide greater coherence and efficiency in EU internal and external policies and ensure better monitoring, interpretation and implementation of EU laws, programs and funds relevant to the Convention, as well as more adequate and better collection of comparable desegregated data on violence against women and gender-based violence at EU.

According to the MEPs the EU ratification would also reinforce the EU accountability at international level and, last but not least, it would apply renewed political pressure on Member States to ratify this instrument (note that so far all EU Member States have signed the Istanbul Convention, but only fourteen of them have ratified it).

The European Parliament has also recalled that the Commission is bound by Article 2 TEU and by the Charter of Fundamental Rights to guarantee, promote and take action in favour of gender equality. It has, therefore, welcomed the Commission proposal to sign and conclude the EU accession to the Istanbul Convention.

In this respect, a draft interim report between the LIBE and FEMM Committees is being drafted by two rapporteurs, Anna Maria Corazza Bildt (EPP – Sweden) and Christine Revault D’Allonnes Bonnefoy (S&D – France). A first LIBE/FEMM joint hearing on the issue took place on 29 November 2016. It was followed by a second joint hearing, which was held on 27 March 2017, whose aim was to highlight the importance as well as the necessity for the EU to access the Istanbul convention as a unique body.

During the latter hearing, some MEPs reiterated the importance of the EU accession to the Istanbul Convention, which could represent the basis for the introduction of a holistic approach addressing the issue of violence against women and girls and gender-based violence from a wide range of perspectives, such as prevention, the fight against discrimination, criminal law measures to combat impunity, victim protection and support, the protection of children, the protection of women asylum seekers and refugees and better data collection.

According to Malin Björk  (GUE/NGL – Sweden), the EU accession to the Istanbul convention would represent a very important step forward and it would allow to see violence against women as a political issue. For her, the EU ratification would be an opportunity to make people understand that such an issue is part of gender politics and it has to be recognised as such.

For Iratxe García Pérez (S&D – Spain), it would be extremely important to use all the best practices provided by some EU countries, such as Spain and Sweden, in order to define a common European framework for an active policy to combat violence against women. In her opinion, the European society is still unequal and gender-based violence derives from such an unbalance of power. The EU accession to the Istanbul Convention would be therefore crucial in order to set the basis for a common European strategy aiming to eliminate gender unbalances across Europe.

The key elements of the interim report were outlined during a third joint hearing which took place on 11 April 2017. On that occasion, the two rapporteurs stressed the needs for a joint effort between the European Parliament and the European Commission, in order to set up a holistic and comprehensive approach towards violence against women. Both the rapporteurs  expressed their strong support for the introduction of an EU directive and recalled that violence against women should not be considered as a national issue but as a European issue, since it affects the whole European society.

Despite the progress made at the European Parliament level, some MEPs deplored the fact that negotiations in the Council were not proceeding at the same speed.

It is not clear if the LIBE members were aware of the debates on the Council side or if they have been “timely and fully informed” of the new approach emerging on the Council side as it should had be the case according to art. 218 of the TFUE. Nor it is clear if the Commission has taken duly informed the LIBE Members in compliance with the EP-Commission Framework agreement.

(*) FREE-GROUP Trainee

 

Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices

EXECUTIVE SUMMARY OF A STUDY FOR THE EP LIBE COMMITEE.

FULL TEXT ACCESSIBLE  HERE  

by Mirja  GUTHEIL, Quentin  LIGER, Aurélie  HEETMAN, James  EAGER, Max  CRAWFORD  (Optimity  Advisors)

Hacking by law enforcement is a relatively new phenomenon within the framework of the longstanding public policy problem of balancing security and privacy. On the one hand, law enforcement agencies assert that the use of hacking techniques brings security, stating that it represents a part of the solution to the law enforcement challenge of encryption and ‘Going Dark’ without systematically weakening encryption through the introduction of ‘backdoors’ or similar techniques. On the other hand, civil society actors argue that hacking is extremely invasive and significantly restricts the fundamental right to privacy. Furthermore, the use of hacking practices pits security against cybersecurity, as the exploitation of cybersecurity vulnerabilities to provide law enforcement with access to certain data can have significant implications  for  the security of the internet.

Against this backdrop, the present study provides the LIBE Committee with relevant, actionable insight into the legal frameworks and practices for hacking by law enforcement. Firstly, the study examines the international and EU-level debates on the topic of hacking by law enforcement (Chapter 2), before analysing the possible legal bases for EU intervention in the field (Chapter 3). These chapters set the scene for the primary focus of the study: the comparative analysis of legal frameworks and practices for hacking by law enforcement across six selected Member States (France, Germany, Italy, the Netherlands, Poland and the UK), with further illustrative examples from three non-EU countries (Australia, Israel and the US) (Chapter 4). Based on these analyses, the study concludes (Chapter 5) and presents concrete recommendations and policy proposals for  EU  action  in  the field (Chapter 6).

The international and EU-level debates on the use of hacking techniques by law enforcement primarily evolve from the law enforcement challenge posed by encryption – i.e. the  ‘Going  Dark’  issue.

Going Dark is a term used to describe [the] decreasing ability [of law enforcement agencies] to lawfully access and examine evidence at rest on devices and evidence in motion across   communications   networks.1

According to the International Association of Chiefs of Police (IACP), law enforcement agencies are not able to investigate illegal activity and prosecute criminals without this evidence. Encryption technologies are cited as one of the major barriers to this access. Although recent political statements from several countries (including France, Germany, the UK and the US) seemingly call for ‘backdoors’ to encryption technologies, support for strong encryption at international and EU fora remains strong. As such, law enforcement agencies across the world started to use hacking techniques to bypass encryption. Although the term ‘hacking’ is not used by law enforcement agencies, these practices essentially mirror the techniques used by hackers (i.e. exploiting any possible vulnerabilities – including technical, system  and/or human  vulnerabilities  – within  an  information  technology  (IT) system).

Law enforcement representatives, such as the IACP and Europol, report that access to encrypted and other data through such hacking techniques brings significant investigative benefits. However, it is not the only possible law enforcement solution to the ‘Going Dark’ issue. Outside of the scope of this study, the other options include: requiring users to provide their password or decrypt their data; requiring technology vendors and service providers to bypass   the   security   of   their   own   products   and   services;   and   the    systematic   weakening   of encryption through the mandated introduction of ‘backdoors’ and/or weakened standards for encryption.

With the benefits of hacking established, a 2016 Joint Statement published by the European Union Agency for Network and Information Security (ENISA) and Europol2 noted that the use of  hacking  techniques also brings  several   key  risks.

The primary risk relates to the fundamental right to privacy and freedom of expression and information, as enshrined in international, EU and national-level law. Hacking techniques are extremely invasive, particularly when compared with traditionally intrusive investigative tools (e.g. wiretapping, house searches etc.). Through hacking, law enforcement can gain access to all data stored or in transit from a device; this represents a significant amount of data (e.g. a recent investigation by Dutch law enforcement collected seven terabytes of data, which translates into around 86 million pages of Microsoft Word documents3), as well as extremely sensitive data (e.g. a person’s location and movements, all communications, all stored data etc.). Consequently, the use of hacking techniques will inherently restrict the fundamental right to privacy.

Therefore, current debates at international and EU fora focus on assessing and providing recommendations on the current legal balances and safeguards for the restriction of the right to privacy by hacking techniques. However, these debates have assumed that hacking practices are necessary for law enforcement and simply require governing laws; they have not discussed whether the use of hacking techniques by law enforcement is necessary and proportional. The law enforcement assertions regarding the necessity of these invasive tools have  not   been  challenged.

The second key risk relates to the security of the internet. Law enforcement use of hacking techniques has the potential to significantly weaken the security of the internet by “[increasing] the attack surface for malicious abuse”4. Given that critical infrastructure and defence organisations, as well as law enforcement agencies themselves, use the technologies targeted and potentially weakened by law enforcement hacking, the potential ramifications reach  far  beyond  the intended  target.

As such, debates at international and EU fora focus on the appropriate balances between security and privacy, as well as security and cybersecurity. Regarding security v. privacy, the debates to date have assessed and provided recommendations on the legislative safeguards required to ensure that hacking techniques are only permitted in situations where a restriction of the fundamental right to privacy is valid in line with EU legislation (i.e. legal, necessary and proportional). Regarding security v. cybersecurity, the debates have been limited and primarily centre around the use and/or reporting of zero-day vulnerabilities discovered  by  law enforcement agencies.

Further risks not discussed in the Joint Statement but covered by this study include: the risks to territorial sovereignty – as law enforcement agencies may not know the physical location of the target data; and the risks related to the supply and use of commercially-developed hacking tools by governments with poor consideration for human rights.

Alongside the analysis of international and EU debates, the study presents hypotheses on the legal  bases  for  EU  intervention  in  the  field. Although  possibilities for  EU  legal  intervention  in several areas are discussed, including mutual admissibility of evidence (Art. 82(2) TFEU), common investigative techniques (Art. 87(2)(c) TFEU), operational cooperation (Art. 87(3) TFEU) and data protection (Art. 16 TFEU, Art. 7 & 8 EU Charter), the onus regarding the development of legislation in the field is with the Member States. As such, the management of the risks associated with law enforcement activities is governed at the Member State level.

As suggested by the focus of the international and EU discussions, concrete measures need to be stipulated at national-level to manage these risks. This study presents a comparative analysis of the legal frameworks for hacking by law enforcement across six Member States, as well as certain practical aspects of hacking by law enforcement, thereby providing an overview of the primary Member State mechanisms for the management of these risks. Further illustrative examples are provided from research conducted in three non-EU countries.

More specifically, the study examines the legal and practical balances and safeguards implemented at national-level to ensure: i) the legality, necessity and proportionality of restrictions to the fundamental  right  to  privacy;   and ii) the security  of  the internet.

Regarding restrictions to the right to privacy, the study first examines the existence of specific legal frameworks for hacking by law enforcement, before exploring the ex-ante and ex-post conditions and mechanisms stipulated to govern restrictions of the right to privacy and ensure they are legal, necessary  and  proportional.

It is found that hacking practices are seemingly necessary across all Member States examined, as four Member States (France, Germany, Poland and the UK) have adopted specific legislative provisions and the remaining two are in the legislative process. For all Member States except Germany, the adoption of specific legislative provisions occurred in 2016 (France, Poland and the UK) or will occur later (Italy, the Netherlands).  This  confirms the  new  nature  of these investigative techniques.

Additionally, law enforcement agencies in all Member States examined have used, or still use, hacking techniques in the absence of specific legislative provisions, under so-called ‘grey area’ legal provisions. Given the invasiveness of hacking techniques, these grey areaprovisions are considered  insufficient  to adequately  protect the right to privacy.

Where specific legal provisions have been adopted, all stakeholders agree that a restriction of the right to privacy requires the implementation of certain safeguards. The current or proposed legal frameworks of all six Member States comprise a suite of ex-ante conditions and ex-post mechanisms that aim to ensure the use of hacking techniques is proportionate and necessary. As recommended by various UN bodies, the provisions of primary importance include judicial authorisation of hacking practices, safeguards related to the nature, scope and duration of possible measures (e.g. limitations to crimes of a certain gravity and the  duration  of  the hack,  etc.) and  independent   oversight.

Although many of these types of recommended conditions are common across the Member States examined – demonstrated in the below table – their implementation parameters differ. For instance, both German and Polish law permit law enforcement hacking practices without judicial authorisation in exigent circumstance if judicial authorisation is achieved in a specified timeframe. However, the timeframe differs (three days in Germany compared with five days in Poland). These differences make significant difference, as the Polish timeframe was criticised  by the Council  of  Europe’s  Venice Commission  for being  too long.5

Furthermore, the Member States examined all accompany these common types of ex-ante and ex-post conditions with different, less common conditions. This is particularly true for ex-post oversight mechanisms. For instance, in Poland, the Minister for internal affairs provides macro-level information to the lower (Sejm) and upper (Senat) chambers of Parliament;6 and in the UK, oversight is provided by the Investigatory Powers Commissioner, who reviews all cases of hacking by law enforcement, and the Investigatory Powers Tribunal, which  considers disputes or  complaints surrounding  law enforcement  hacking.7

Key ex-ante considerations
Judicial authorisation The    legal    provisions    of    all    six    Member    States    require    ex-ante judicial        authorisation        for        law        enforcement        hacking.        The information  to  be  provided  in  these requests differ.

Select     Member     States     (e.g.     Germany,     Poland,     the     UK)     also provide for hacking without prior judicial authorisation in exigent circumstances  if  judicial  authorisation  is subsequently  provided. The timeframes  for  ex-post authorisation  differ.

Limitation by crime and  duration All  six Member  States  restrict  the  use  of  hacking  tools  based  on the   gravity   of   crimes.    In    some    Member   States,    the    legislation presents  a  specific  list  of  crimes  for  which  hacking  is permitted; in     others,     the    limit    is    set     for    crimes    that    have    a    maximum custodial    sentence   of   greater   than    a   certain   number    of   years. The lists and numbers  of years required differ by Member   State.

Many Member States also restrict the duration for which hacking may   be   used.   This   restriction   ranges   from   maximum   1   month (France, Netherlands) to a maximum of 6 months (UK), although extensions     are     permitted     under     the     same     conditions     in     all Member States.

Key ex-post considerations
Notification and effective remedy Most    Member    States    provide    for    the    notification    of    targets    of hacking  practices and  remedy  in  cases  of unlawful   hacking.
Reporting and oversight Primarily, Member States report at a micro-level through logging hacking  activities and  reporting them  in  case  files.

However,   some   Member   States   (e.g.   Germany,   Poland   and   the UK) have macro-level  review  and  oversight mechanisms.

Furthermore, as regards the issue of territoriality (i.e. the difficulty law enforcement agencies face obtaining the location of the data to be collected using hacking techniques), only one Member States, the Netherlands, legally permits the hacking of devices if the location is unknown. If the device turns out to be in another jurisdiction, Dutch law enforcement must apply  for Mutual  Legal  Assistance.

As such, when aggregated, these provisions strongly mirror Article 8 of the European Convention on Human Rights, as well as the UN recommendations and paragraph 95 of the ECtHR  judgement  in  Weber and  Saravia  v.  Germany.  However,   there are  many,  and  varied, criticisms when the Member State conditions are examined in isolation. Some of the provisions criticised include: the limits based on the gravity of crimes (e.g. the Netherlands, France and Poland); the provisions for notification and effective remedy (e.g. Italy and the Netherlands); the process for screening and deleting non-relevant data (Germany); the definition of devices that can be targeted (e.g. the Netherlands); the duration permitted for hacking (e.g. Poland); and a lack of knowledge amongst the judiciary (e.g. France, Germany, Italy and the Netherlands).With this said, certain elements, taken in isolation, can be called good  practices. Such  examples  are  presented below.

Select  good practice: Member State legislative frameworks

Germany: Although they were deemed unconstitutional in a 2016 ruling, the provisions for the screening and deletion of data related to the core area of private life are a positive step. If the provisions are amended, as stipulated in the ruling, to ensure screening by an independent body, they would provide strong protection for the targeted individual’s private data.

Italy: The 2017 draft Italian law includes a range of provisions related to the development and monitoring of the continued use of hacking tools. As such, one academic stakeholder remarked that the drafting of the law must have been driven by technicians. However, these provisions bring significant benefits to the legislative provisions in terms of supervision and oversight of the use of hacking tools. Furthermore, the Italian draft law takes great care to separate the functionalities of the hacking tools, thus protecting against the overuse or abuse of a  hacking tool’s  extensive  capabilities.

Netherlands: The Dutch Computer Crime III Bill stipulates the need to conduct a formal proportionality assessment for each hacking request, with the assistance of a dedicated Central Review Commission (Centrale Toetsings Commissie). Also, the law requires rules to be laid down on the authorisation and expertise of the investigation officers that can perform hacking.

With these findings in mind, the study concludes that the specific national-level legal provisions examined provide for the use of hacking techniques in a wide array of circumstances. The varied combinations of requirements, including those related to the gravity of crimes, the duration and purpose of operations and the oversight, result in a situation where the law does not provide for much stricter conditions than are necessary for less  intrusive  investigative activities such  as interception.

Based on the study findings,  relevant  and actionable policy proposals and recommendations have been developed under the two key elements: i) the fundamental right  to  privacy;  and  ii) the security  of the internet.

Recommendations and policy proposals: Fundamental  right  to  privacy

It is recommended that the use of ‘grey area’ legal provisions is not sufficient to protect the fundamental right to privacy. This is primarily because existing legal provisions do not provide for the more invasive nature of hacking techniques and do not provide for the legislative precision  and  clarity  as  required  under  the  Charter and the  ECHR.

Furthermore, many of these provisions have only recently been enacted. As such, there is a need for robust evidence-based monitoring and evaluation of the practical application of these provisions. It is therefore recommended that the application of these new legal provisions is evaluated regularly at national level, and that the results of these evaluations are  assessed at  EU-level.

If specific legislative provisions are deemed necessary, the study recommends a range of good practice, specific ex-ante and ex-post provisions governing the use of hacking practices by  law  enforcement  agencies. These are detailed  in  Chapter 6.

Policy proposal 1: The European Parliament should pass a resolution calling on Member States to conduct a Privacy Impact Assessment when new laws are proposed to permit and govern the use of hacking techniques by law enforcement agencies. This Privacy Impact Assessment should focus on the necessity and proportionality of the use of hacking tools and should  require input  from  national  data protection  authorities.

Policy proposal 2: The European Parliament should reaffirm the need for Member States to adopt a clear and precise legal basis if law enforcement agencies are to use hacking techniques.

Policy proposal 3: The European Parliament should commission more research or encourage the European Commission or other bodies to conduct more research on the topic. In response to the Snowden revelations, the European Parliament called on the EU Agency for Fundamental Rights (FRA) to thoroughly research fundamental rights protection in the context of surveillance. A similar brief related to the legal frameworks governing the use of hacking techniques by law enforcement across all EU Member States would act as an invaluable piece  of  research.

Policy proposal 4: The European Parliament should encourage Member States to undertake evaluation and monitoring activities on the practical application of the new legislative provisions  that  permit  hacking  by  law  enforcement  agencies.

Policy proposal 5: The European Parliament should call on the EU Agency for Fundamental Rights (FRA) to develop a practitioner handbook related to the governing of hacking by law enforcement. This handbook should be intended for lawyers, judges, prosecutors, law enforcement officers and others working with national authorities, as well as non­governmental organisations and other bodies confronted with legal questions in the areas set out by the handbook. These areas should cover the invasive nature of hacking techniques and relevant safeguards as per international and EU law and case law, as well as appropriate mechanisms for supervision  and   oversight.

Policy proposal 6: The European Parliament should call on EU bodies, such as the FRA, CEPOL and Eurojust, to provide training for national-level members of the judiciary and data protection authorities, in collaboration with the abovementioned handbook, on the technical means for hacking in use across the Member States, their potential for invasiveness and the principles of  necessity  and  proportionality in  relation  to these  technical  means.

Recommendations and policy proposals: Security of  the  internet

The primary recommendation related to the security of the internet is that the position of the EU against the implementation of ‘backdoors’ and similar techniques, and in support of strong encryption standards, should be reaffirmed, given the prominent role encryption plays in our society and its importance to the EU’s Digital Agenda. To support this position, the EU should ensure continued engagement with global experts in computer science as well as civil society privacy and  digital  rights groups.

The actual impacts of hacking by law enforcement on the security of the internet are yet unknown. More work should be done at the Member State level to assess the potential impacts such that these data can feed in to overarching discussions on the necessity and proportionality of law enforcement hacking. Furthermore, more work should be done, beyond understanding the risks to the security of the internet, to educate those involved in the authorisation and use of  hacking  techniques by law enforcement.

At present, the steps taken to safeguard the security of the internet against the potential risks of hacking are not widespread. As such, the specific legislative provisions governing the use of hacking techniques by law enforcement, if deemed necessary, should safeguard the security of the internet and the security of the device, including reporting the vulnerabilities used to gain access to a device to the appropriate technology vendor or service provider; and  ensure  the  full  removal  of  the software  or hardware from the targeted  device.

Policy proposal 7: The European Parliament should pass a resolution calling on Member States to conduct an Impact Assessment to examine the impact of new or existing laws governing  the  use  of hacking  techniques by  law  enforcement on  the  security  of  the internet.

Policy proposal 8: The European Parliament, through enhanced cooperation with Europol
and the European Union Agency for Network and Information Security (ENISA), should
reaffirm its commitment to strong encryption considering discussions on the topic of hacking by law enforcement. In addition, the Parliament should reaffirm its opposition to the implementation of  
backdoors and  similar techniques in information technology infrastructures or  services.

Policy proposal 9: Given the lack of discussion around handling zero-day vulnerabilities, the European Parliament should support the efforts made under the cybersecurity contractual Public-Private Partnership (PPP) to develop appropriate responses to handling zero-day vulnerabilities, taking into consideration the risks related to fundamental rights and the security  of the internet.

Policy proposal 10: Extending policy proposal 4, above, the proposed FRA handbook should also cover the risks  posed  to  the  security  of the  internet  by  using hacking  techniques.

Policy proposal 11: Extending policy proposal 5, training provided to the judiciary by EU bodies such as FRA, CEPOL and Eurojust should also educate these individuals on the risks posed  to  the security  of  the internet  by  hacking  techniques.

Policy proposal 12: Given the lack of discussion around the risks posed to the security of the internet by hacking practices, the European Parliament should encourage debates at the appropriate fora specific to understanding this risk and the approaches to managing this risk. It is encouraged that law enforcement representatives should be present within such discussions.

The 2016 EU Justice Scoreboard

NOTA BENE : THE FULL REPORT IS ACCESSIBLE HERE 

The 2016 EU Justice Scoreboard was adopted by the European Commission on 10 April 2016 under reference number COM(2017) 167.

THE 2017 EU JUSTICE SCOREBOARD

(…) Introduction

‘Effective justice systems support economic growth and defend fundamental rights. That is why Europe promotes and defends the rule of law (1).’ This role of Member States’ justice systems underlined by Jean-Claude Juncker, President of the European Commission, is crucial for ensuring that individuals and businesses can fully enjoy their rights, for strengthening mutual trust and for building a business and investment-friendly environment in the single market.

Moreover, as underlined by Frans Timmermans, First Vice-President of the European Commission, effective justice systems also underpin the application of EU law: ‘The European Union is built on a common set of values, enshrined in the Treaty. These values include respect for the rule of law. That is how this organisation functions, that is how our Member States ensure the equal application of EU law across the European Union (2).’ For these reasons, improving the effectiveness of national justice systems is a well-established priority of the European semester — the EU’s annual cycle of economic policy coordination.

Independence, quality and efficiency are the key elements of an effective justice system. The 2017 EU Justice Scoreboard (‘the Scoreboard’) helps Member States to achieve this priority by providing an annual comparative overview of the independence, quality and efficiency of national justice systems. Such a comparative overview assists Member States in identifying potential shortcomings, improvements and good practices as well as trends in the functioning of national justice systems over time. It is also crucial for the effectiveness of EU law (3).

When applying EU law, national courts act as EU courts and ensure that the rights and obligations provided under EU law are enforced effectively. For this reason, the Scoreboard looks closely at the functioning of courts when applying EU law in specific areas.

The 2017 edition further develops this overview and examines new aspects of the functioning of justice systems:

– to better understand how consumers access the justice system, it examines which channels they use to submit complaints against companies (e.g. courts, out of court methods), how legal aid and court fees influence access to justice, particularly for persons at-risk-of-poverty, the length of court proceedings and before consumer authorities and how many consumers are using the online dispute resolution (ODR) platform which became operational in 2016.

–  to keep track of the situation of judicial independence in Member States, this edition presents the result of a new survey on the perception of citizens and companies; it shows new data on safeguards for protecting judicial independence.

– this edition continues to examine how national justice systems function in specific areas of EU law relevant for the single market and for an investment-friendly environment.

It presents a first overview of the functioning of national justice systems when applying EU anti-money laundering legislation in criminal justice. It also examines the length of proceedings for provisional measures to prevent imminent damages in certain areas of law.

– in order to have a clearer picture of the current use of information and communication technologies (ICT) in justice systems, this edition presents the results from a survey of lawyers on how they communicate with courts and for which reasons they use ICT.

– as standards on the functioning of courts can drive up the quality of justice systems, this edition examines in more detail standards aiming to improve the court management and the information given to parties on progress of their case.

As this is the fifth edition, the Scoreboard also takes stock of the progress achieved over time.

Although data are still lacking for certain Member States, the data gap continues to decrease, in particular for indicators on the efficiency of justice systems.

The fruitful cooperation with Member States’ contact points on national justice systems (4) and various committees and European judicial networks have enriched the data significantly.

The remaining difficulties in gathering data are often due to insufficient statistical capacity or to the fact that the national categories for which data are collected do not exactly correspond to the ones used for the Scoreboard. In very few cases, the data gap is due to the lack of willingness of certain national authorities to contribute. The Commission will continue to encourage Member States to further reduce this data gap.

(…) 2. Context

Justice remain high on the agenda (…)

In 2016, a large number of Member States pursued their efforts to improve the effectiveness of their national justice system. Justice reforms take time, sometimes several years from the first announcement of new reforms, over the adoption of legislative and regulatory measures, to the actual implementation of the adopted measures. Figure 1 presents an overview of adopted and envisaged justice reforms. It is a factual presentation of ‘who does what,’ without any qualitative evaluation. In that respect, it is important to underline that any justice reform should uphold the rule of law and comply with European standards on judicial independence. Figure 1 shows that procedural law remains an area of particular attention in a number of Member States and that a significant amount of new reforms have been announced for legal aid, alternative dispute resolution methods (ADR), court specialisation and judicial maps. A comparison with the 2015 Scoreboard shows that the level of activity generally remained stable, both on the announced reforms and measures under negotiation. (…)

The EU is encouraging certain Member States to improve the effectiveness of their justice system. In the 2016 European semester, based on a proposal from the Commission, the Council addressed country specific recommendations to six Member States in this area (21).

Two of the Member States which were subject to a country specific recommendation in 2015 did not receive a recommendation in 2016 due to the progress they had achieved (22).

In addition to those Member States subject to country specific recommendations, a further eight Member States are still facing particular challenges and are being closely monitored by the Commission through the European semester and economic adjustment programmes (23). The Commission further assists justice reforms in Romania and Bulgaria through the cooperation and verification mechanism (24).

In 2016, the Commission adopted, under the EU Rule of Law Framework (25), two recommendations regarding the rule of law in Poland, setting out the Commission’s concerns and recommending how these concerns can be addressed (26). The Commission considers it necessary that Poland’s Constitutional Tribunal is able to fully carry out its responsibilities under the Constitution, in particular to ensure an effective constitutional review of legislative acts.

The Commission continues to support justice reforms through the European Structural and Investment Funds (ESI Funds). During the current programming period 2014 – 2020, ESI Funds will provide up to EUR 4.2 billion to support Member States’ efforts to enhance the capacity of their public administration, including justice. 14 Member States have identified justice as a priority area for support by the ESI Funds. The Commission emphasises the importance of taking a result-oriented approach when implementing these priorities and calls upon Member States to evaluate the impact of ESI Funds support. In 2016, five Member States (27) requested technical assistance from the Structural Reform Support Service of the Commission, for example on sharing national experiences regarding judicial map reforms.

The positive economic impact of the good functioning of justice system deserves these efforts. A 2017 study by the Joint Research Centre identifies correlations between improvement of court efficiency and the growth rate of the economy and between businesses’ perception of judicial independence and the growth in productivity (28).

Where judicial systems guarantee the enforcement of rights, creditors are more likely to lend, firms are dissuaded from opportunistic behaviour, transaction costs are reduced and innovative businesses are more likely to invest. This positive impact is also underlined in further research, including from the International Monetary Fund, European Central Bank, OECD, World Economic Forum, and World Bank (29). (…)

Questions and Answers

 What is the EU Justice Scoreboard?

The EU Justice Scoreboard is a comparative information tool that aims to assist the EU and Member States to improve the effectiveness of their national justice systems by providing objective, reliable and comparable data on the quality, independence and efficiency of justice systems in all Member States. The Scoreboard does not present an overall single ranking but an overview of how all the justice systems function, based on various indicators that are of common interest for all Member States. The Scoreboard does not promote any particular type of justice system and treats all Member States on an equal footing. Timeliness, independence, affordability and user-friendly access are some of the essential parameters of an effective justice system, whatever the model of the national justice system or the legal tradition in which it is anchored.

The Scoreboard mainly focuses on litigious civil and commercial cases as well as administrative cases in order to assist Member States in their efforts to pave the way for a more investment, business and citizen-friendly environment. The Scoreboard is a comparative tool which evolves in dialogue with Member States and the European Parliament, with the objective of identifying the essential parameters of an effective justice system.

What is the methodology of the EU Justice Scoreboard?

The Scoreboard uses various sources of information. Large parts of the quantitative data are provided by the Council of Europe Commission for the Evaluation of the Efficiency of Justice (CEPEJ) with which the Commission has concluded a contract to carry out a specific annual study. These data range from 2010 to 2015, and have been provided by Member States according to CEPEJ’s methodology. The study also provides detailed comments and country specific information sheets that give more context. They should be read together with the figures (5).

Data on the length of proceedings collected by CEPEJ show the ‘disposition time’ which is a calculated length of court proceedings (based on a ratio between pending and resolved cases). Data on courts’ efficiency in applying EU law in specific areas show the average length of proceedings derived from actual length of court cases. It should be noted that the length of court proceedings may differ substantially geographically within a Member State, particularly in urban centres where commercial activities may lead to a higher caseload.

The other sources of data are: the group of contact persons on national justice systems (6), the European Network of Councils for the Judiciary (ENCJ) (7), the Network of the Presidents of the Supreme Judicial Courts of the EU (NPSJC) (8), Association of the Councils of State and Supreme Administrative Jurisdictions of the EU (ACA-Europe) (9), the European Competition Network (ECN) (10), the Communications Committee (COCOM) (11), the European Observatory on infringements of intellectual property rights (12), the Consumer Protection Cooperation Network (CPC) (13), the Expert Group on Money Laundering and Terrorist Financing (EGMLTF) (14), Eurostat (15), the European Judicial Training Network (EJTN) (16), the Council of Bars and Law Societies of Europe (CCBE) (17) and the World Economic Forum (WEF) (18).

The methodology for the Scoreboard has been further developed in close cooperation with the group of contact persons on national justice systems, particularly through a questionnaire and collecting data on certain aspects of the functioning of justice systems.

The Scoreboard contains figures on all three main elements of an effective justice system: quality, independence and efficiency. These should be read together, as all three elements are necessary for the effectiveness of a justice system and are often interlinked (initiatives aimed at improving one of them may have an influence on the other).

How does the EU Justice Scoreboard feed into the European semester?

The Scoreboard provides a comparative overview of the quality, independence and efficiency of national justice systems and helps Member States to improve the effectiveness of their national justice systems. This makes it easier to identify shortcoming and best practices and to keep track of challenges and progress. In the context of the European semester, country-specific assessments are carried out through bilateral dialogue with the national authorities and stakeholders concerned. This assessment takes into account the particularities of the legal system and the context of the Member States concerned. It may lead to the Commission proposing to the Council to adopt country-specific recommendations on the improvement of national justice systems (19).

NOTES

 

(1) 2016 State of the Union Speech delivered before the European Parliament on 14 September 2016: https://ec.europa.eu/priorities/state-union-2016_en
(2) http://europa.eu/rapid/press-release_SPEECH-16-2023_en.htm
(3) See also Communication from the Commission — EU law: Better results through better application, 13 December 2016, 2017/C 18/02.
(4) In view of the preparation of the EU Justice Scoreboard and to promote the exchange of best practices on the effectiveness of justice systems, the Commission asked Member States to designate two contact persons, one from the judiciary and one from the ministry of justice. Regular meetings of this informal group are taking place.
(5) http://ec.europa.eu/justice/effective-justice/scoreboard/index_en.htm
(6) In view of the preparation of the EU Justice Scoreboard and to promote the exchange of best practices on the effectiveness of justice systems, the Commission asked Member States to designate two contact persons, one from the judiciary and one from the ministry of justice. Regular meetings of this informal group are taking place.
(7) ENCJ unites the national institutions in the EU Member States which are independent of the executive and legislature, and which are responsible for the support of the Judiciaries in the independent delivery of justice: https://www.encj.eu/
(8) NPSJC provides a forum through which European institutions are given an opportunity to request the opinions of Supreme Courts and to bring them closer by encouraging discussion and the exchange of ideas: http://network-presidents.eu/
(9) ACA-Europe is composed of the Court of Justice of the EU and the Councils of State or the Supreme administrative jurisdictions of each EU Member State: http://www.juradmin.eu/index.php/en/
(10) ECN has been established as a forum for discussion and cooperation of European competition authorities in cases where Articles 101 and 102 of the TFEU are applied. The ECN is the framework for the close cooperation mechanisms of Council Regulation 1/2003. Through the European Competition Network, the Commission and the national competition authorities in all EU Member States cooperate with each other: http://ec.europa.eu/competition/ecn/index_en.html
(11) COCOM is composed of representatives of EU Member States. Its main role is to provide an opinion on the draft measures that the Commission intends to adopt: https://ec.europa.eu/digital-single-market/en/communications-committee
(12) The European Observatory on Infringements of Intellectual Property Rights is a network of experts and specialist stakeholders. It is composed of public- and private-sector representatives, who collaborate in active working groups. https://euipo.europa.eu/ohimportal/en/web/observatory/home
(13) CPC is a network of national authorities responsible for enforcing EU consumer protection laws in EU and EEA countries: http://ec.europa.eu/internal_market/scoreboard/performance_by_governance_tool/consumer_protection_cooperation_network/index_en.htm
(14) EGMLTF meets regularly to share views and help the Commission define policy and draft new legislation: http://ec.europa.eu/justice/civil/financial-crime/index_en.htm
(15) Eurostat is the statistical office of the EU: http://ec.europa.eu/eurostat/about/overview
(16) EJTN is the principal platform and promoter for the training and exchange of knowledge of the European judiciary. It develops training standards and curricula, coordinates judicial training exchanges and programmes, disseminates training expertise and promotes cooperation between EU judicial training institutions. EJTN has some 34 members representing EU states as well as EU transnational bodies. http://www.ejtn.eu/
(17) CCBE is an international non-profit association which represents European bars and law societies. CCBE membership includes the bars and law societies of 45 countries from the EU, the EEA, and wider Europe: http://www.ccbe.eu/
(18) WEF is an International Organisation for Public-Private Cooperation, whose members are companies: https://www.weforum.org/
(19) The reasons for country-specific recommendations and the progress on the implementation of such recommendations are presented on an annual basis by the Commission in individual country reports in the form of Staff Working Documents: https://ec.europa.eu/info/publications/2017-european-semester-country-reports_en
(20) The information has been collected in cooperation with the group of contact persons on national justice systems for 25 Member States. PL and UK did not submit information. DE explained that a number of reforms are under way as regards judiciary, where the scope and scale of the reform process can vary within the 16 federal states.
(21) BG, HR, IT, CY, PT, SK; see Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Bulgaria and delivering a Council opinion on the 2016 Convergence Programme of Bulgaria, (2016/C 299/08); Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Croatia and delivering a Council opinion on the 2016 Convergence Programme of Croatia (2016/C 299/23); Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Italy and delivering a Council opinion on the 2016 Stability Programme of Italy, (2016/C 299/01); Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Cyprus and delivering a Council opinion on the 2016 Stability Programme of Cyprus, (2016/C 299/07); Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Portugal and delivering a Council opinion on the 2016 Stability Programme of Portugal, (2016/C 299/26); Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Slovakia and delivering a Council opinion on the 2016 Stability Programme of Slovakia, (2016/C 299/15).
(22) LV and SI.
(23) BE, ES, LV, MT, PL, RO, SI. These challenges have been reflected in the recitals of the Country-Specific Recommendations and the country reports relating to these Member States. The country reports are available at: https://ec.europa.eu/info/publications/2017-european-semester-country-reports_en. Furthermore, justice reforms in EL are closely being monitored in the context of the Economic Adjustment Programme for Greece.
(24) Report on progress in Bulgaria under the Cooperation and Verification Mechanism, COM(2017) 43 final; Report on progress in Romania under the Cooperation and Verification Mechanism COM(2017) 44 final.
(25) COM(2014) 158 final/2.
(26) Commission Recommendation (EU) 2016/1374 of 27 July 2016 regarding the rule of law in Poland, OJ L 217, 12.8.2016, p. 53; Commission Recommendation (EU) 2017/146 of 21 December 2016 regarding the rule of law in Poland, OJ L 22, 27.1.2017, p. 65. See also IP/16/2643 and IP/16/4476.
(27) BG, EL, HR, CY, SI.
(28) ‘The judicial system and economic development across EU Member States’, JRC (forthcoming).
(29) See references in the 2016 EU Justice Scoreboard.

The Great (UK) Repeal Bill and the Charter of Fundamental Rights – not a promising start

ORIGINAL PUBLISHED ON “DESPITE OUR DIFFERENCES” BLOG

 (*)

One of the messages that the UK government has repeated since the decision of the British people to leave the EU, is that the withdrawal will not entail a loss of any right, particularly of social rights. This was (and is) an important part of the message, considering the high turnout of labour voters that voted for Brexit.

Yesterday the Government published an insightful White Paper on the upcoming Great Repeal Bill, which will incorporate most of EU Law into UK Law once Brexit takes place, in order to provide stability and legal certainty to citizens and undertakings currently living and working in the UK. In Chapter 2, the White Paper makes a reference to the hundreds of thousands of EU acts that will be incorporated and stresses the importance of providing stability in the legal framework once Brexit happens. EU Law will carry on being applicable, but only as UK Law, and reforms will be introduced into this “repatriated EU Law” from then onwards by both Parliament and Government.

Therefore, on the day Brexit happens EU Law will be incorporated into the UK legal system, including the entirety of the Court of Justice’s case-law. This is a huge digestion of rules and judicial rulings, unprecedented in the way and speed in which it will take place.

However, there is a piece of EU Law that will not be incorporated into UK Law. This is no ordinary or irrelevant piece. It is the Charter of Fundamental Rights of the European Union. It is another revealing sign of the impact that Brexit will have in the UK and, above all, for UK citizens and their rights.

The Government’s White Paper justifies the decision to exclude the Charter from the Great Repeal Bill with an argument so simple that it is, in fact, incorrect. I very much doubt that the UK Government incurred in a clerical error when drafting the text, so I assume that the justification is simply the best effort they could do. In the Government’s own words, “the Charter was not designed to create any new rights or alter the circumstances in which individuals could rely on fundamental rights to challenge the actions of the EU Institutions or member states in relation to EU Law.” The document carries on and claims that “the Charter was intended to make the rights that already existed in EU law more visible by bringing them together in a single document”.

I might be missing something, but the Charter, besides codifying some fundamental rights already recognized in the case-law of the Court of Justice, introduced many new rights and principles of enormous relevance and inexistent under EU Law until the entry into force of the Charter in 2009.

Thanks to the Charter, EU Law recognizes the prohibition of human cloning as part of the fundamental right to physical integrity (article 2.2.d). There is nothing in EU secondary law on schools, but the Charter enshrines the freedom to found educational establishments (article 14.3). And there is a very important right conferred on nationals of non-EU Member States that are authorized to work in the EU: the right to working conditions equivalent to those of citizens of the Union (article 15.3).

In an aging society in which we will live longer than any other previous generation, the Charter recognizes the rights of the elderly “to lead a life of dignity and independence and to participate in social and cultural life”. Many of the elderly in Britain voted for Brexit. This fundamental right has been deprived from them.

The effect is even more brutal when it comes to vulnerable groups, as is the case of persons with disabilities. Article 26 of the Charter recognizes the right of persons with disabilities “to benefit from measures designed to ensure their independence, social and occupational integration and participation in the life of the community”. This right under the Charter will be gone after Brexit.

The Government’s document is even more striking when it adds that “the removal of the Charter from UK law will not affect the substantive rights that individuals already benefit from in the UK”. This assertion is made on the assumption that EU secondary law suffices to keep all the rights untouched. But this claim is wrong, and it can be easily proved with an example.

In Kušionová, the Court of Justice was faced with an unfair term in a consumer credit contract, in which the guaranteed asset was the consumer’s home. When she faced the risk of an eviction and loss of her home, Mrs. Kušionová argued that the fundamental right to accommodation, as recognized in article 7 of the Charter, protected the consumer from procedures of enforcement that would entail her eviction, the auction of the property and, as a result, the loss of her home. The Court of Justice agreed and ruled that the enforcement could not carry on as a result of the Directive 93/13 (which says nothing about extrajudicial enforcements), as interpreted in light of the Charter. By relying on the Charter, the Court of Justice interpreted Directive 93/13 in a way that created a new provision, a rule of judicial creation, coherent with the Directive 93/13, but not included by the legislature in the articles of the legal text.

With the Great Repeal Bill, Mrs. Kušionová’s case would still apply in the UK because Directive 93/13 and the UK implementing legislation will be interpreted in light of the Court of Justice’s pre-Brexit case-law. And the judgment is Kušionová was rendered in 2014, so it will remain as part of UK law.

However, this will not be the case when it comes to interpret the 2014 Mortgage Credit Directive, which has not been interpreted yet by the Court of Justice (and will not be interpreted before Brexit). This Directive will be incorporated into UK Law as a result of the Great Repeal Bill, but it will be introduced with no case-law of the Court of Justice attached to it. Therefore, the right to protect the consumer’s home will be ensured when the substantial applicable rules are those under Directive 93/13 (Kušionová), but the consumer will be left all alone, in the hands of internal UK Law, when the same risk appears but the consumer can only rely on the Mortgage Credit Directive.

It is true that the Charter can only apply in Member States when there is another rule of EU Law at stake. But all EU lawyers know that the Charter is not only an interpretative tool for the application of EU Laws, but also a source of creation of new jurisprudential rules, closely attached to the EU rules governing the case. Kušionová is a good example of how the system works. It is also a good example of how unfair and regressive the Great Repeal Bill will be for millions of right-holders in the UK, particularly for the most vulnerable communities and individuals.

As every day goes by, we understand better what “take back control” means. In the area of fundamental rights, it means a lot. And the prospects are not very good for right-holders, despite the promises of the happy Brexiteers to keep rights untouched.

 

(*)  PROFESSOR AT THE UNIVERSITY COMPLUTENSE OF MADRID  Daniel Sarmiento is Professor of EU and Administrative Law at the Universidad Complutense of Madrid. Between 2007 and 2015 he was a legal secretary at the European Court of Justice. He currently devotes his research interests to European constitutional affairs, procedural law and fundamental rights. He is also a practising lawyer at Uría Menéndez, Madrid, where he counsels in EU Law.

Legally sophisticated authoritarians: the Hungarian Lex CEU

ORIGINAL PUBLISHED ON VERFASSUNGSBLOG

 (*)

On 28 March the Hungarian government tabled an amendment to the Act on National Higher Education in Parliament. Even though the draft is formulated in normative terms, the only targeted institution is the Central European University (CEU), founded by George Soros, one of the main enemies of the Viktor Orbán’s ‘illiberal state’. Michael Ignatieff, former professor of Harvard University’s John F. Kennedy School of Government, current president and rector of CEU assessed the draft as a discriminatory political vandalism, violating Hungarian academic freedom. Here I do not want to deal with the clear ideological and political motivations of the action of the current Hungarian Prime Minister, a that time liberal recipient of Soros’s financial support during his studies in Oxford three decades ago.

I want rather focus on the behavior of a contemporary authoritarian (or dictator, as Jean-Claude Juncker, the President of the European Commission once greeted him). As William Dobson argues is his book, The Dictator’s Learning Curve, “today’s dictators and authoritarians are far more sophisticated, savvy, and nimble that they once were”. They understand, as Orbán does, that in a globalized world the more brutal forms of intimidation are best replaced with more subtle forms of coercion. Therefore, they work in a more ambiguous spectrum that exists between democracy and authoritarianism, and from a distance, many of them look almost democratic, as the leader of Hungary, a Member State of the EU, does. Their constitutions, as the Fundamental Law of Hungary, often provide for a division of powers among the executive, the legislature, and the judiciary – at least on paper. They are also not particularly fearful of international organizations. Even a threat of foreign or international intervention and criticism can be a useful foil for stirring up nationalist passions and encouraging people to rally around the regime, as for Orbán, who claims to protect Hungary to became a colony of the EU. If necessary, they use the most refined European discourses, for instance about national constitutional identity, as the Orbán government did in order not to take part in any European efforts to solve the refugee and migration crisis. And as opposed to previous dictators of the old good times of totalitarian regimes, who just closed up organizations they did not like, without any scruples, today’s authoritarians take advantage of formalistic legal arguments against their enemies. The Russian authorities in the fall of 2016 revoked the educational license of the European University in St. Petersburg following unscheduled checks in the buildings referring to several violations against regulations, such as lack of fitness room and an information stand against alcoholism.

Similarly, the new draft law of the Hungarian government also uses legal tricks to force CEU to cease operation in Budapest. Such a clearly unacceptable requirement would be to open an additional campus in the State of New York. This wasn’t a condition in 1995, when CEU, holding a charter from the New York State Education Department, received its license to operate in Hungary from the Ministry of Culture and Education. Like other international universities chartered in the US, CEU does not maintain any academic or other programs in the United States. Moreover, in 2004 Hungary promulgated a special law on the establishment of Közép-európai Egyetem (KEE) as a Hungarian university, which was accredited by the Hungarian Accreditation Committee together with ten graduate and doctoral programs of the CEU as programs of KEE. Ever since the university has a dual legal entity, as KEE and CEU, but it is one university with only one campus, one academic staff, senate and rector, the latter appointed by the President of Hungary. According to the new law Hungarian universities could only deliver programs of European universities and not of countries from the OECD (including the US), therefore KEE, the Hungarian university could no longer deliver its single set program with CEU, which was allowed under the current law. 

The amendment if passed would make it impossible for CEU to continue its research and teaching activities, including its highly ranked comparative constitutional law LLM and SJD programs. This violates scientific freedom in Hungary, which on paper is still part of the Hungarian Fundamental Law. In the absence of an independent constitutional court in Hungary, the only domestic ‘remedy’ which one can imagine in an authoritarian regime is that the ‘wise leader’ graciously withdraws from his plan.

(*) Halmai, Gábor: Legally sophisticated authoritarians: the Hungarian Lex CEU, VerfBlog, 2017/3/31, http://verfassungsblog.de/legally-sophisticated-authoritarians-the-hungarian-lex-ceu/, DOI: https://dx.doi.org/10.17176/20170401-102552.

Parliamentary Tracker : the EP incoming resolution on the EU-USA (so called) “Privacy Shield”…

 

NOTA BENE : Below the text that will be submitted to vote at the next EP plenary. As in previous occasions the text is well drafted, legally precise and it confirms the high level of  competence that the European Parliament (and its committee LIBE) has developed along the last 17 years from the first inquiry on Echelon (2000), the Safe Harbor (2000), the EU-USA agreement on PNR (since 2003 a thirteen year long lasting saga…) the SWIFT agreement (2006) …

What is puzzling are the critics raised against the  so called “adequacy finding” mechanism which empowers the European Commission to decide if a third Country protect “adequately” the EU citizens personal data. The weaknesses of the Commission face to our strongest transatlantic ally  were already very well known when recently the parliamentarians have reformed the European legal framework on data protection in view of the new legal basis foreseen by the Treaties and in the art. 7 and 8 of the EU Charter.  However the EP did’nt try to strengthen the “adequacy” mechanism by transforming it at least in a “delegated” function (so that it would had been possible for the EP to block something which could had weackened our standards).

Now the US Congress is weakening the (already poor) US data protection and the new US administration will probably go in the same direction.  It seems to me to easy  to complain now on something that you had recently the chance to fix..

Let’s now hope that the Court of Justice by answering to the request for opinion on the EU-Canada PNR agreement will give to the EU legislator some additional recommendations but as an EU citizen I would had preferred a stronger EU legislation instead of been ruled by european or national Judges…

Emilio De Capitani

B8‑0235/2017 European Parliament resolution on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP))

The European Parliament,

–        having regard to the Treaty on European Union (TEU), the Treaty on the Functioning of the European Union (TFEU) and Articles 6, 7, 8, 11, 16, 47 and 52 of the Charter of Fundamental Rights of the European Union,

–        having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive)[1],

–        having regard to Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters[2],

–        having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)[3], and to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA[4],

–        having regard to the judgment of the Court of Justice of the European Union of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner[5],

–        having regard to the Commission communication to the European Parliament and the Council of 6 November 2015 on the transfer of personal data from the EU to the United States of America under Directive 95/46/EC following the judgment by the Court of Justice in Case C-362/14 (Schrems) (COM(2015)0566),

–        having regard to the Commission communication to the European Parliament and the Council of 10 January 2017 on Exchanging and Protecting Personal Data in a Globalised World (COM(2017)0007),

–        having regard to the judgment of the Court of Justice of the European Union of 21 December 2016 in Cases C-203/15 Tele2 Sverige AB v Post- och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson and Others[6],

–        having regard to Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield[7],

–        having regard to Opinion 4/2016 of the European Data Protection Supervisor (EDPS) on the EU-US Privacy Shield draft adequacy decision[8],

–        having regard to the Opinion of the Article 29 Data Protection Working Party of 13 April 2016 on the EU-US Privacy Shield draft adequacy decision[9] and its Statement of 26 July 2016[10],

–        having regard to its resolution of 26 May 2016 on transatlantic data flows[11],

–        having regard to Rule 123(2) of its Rules of Procedure,

  1. whereas the Court of Justice of the European Union (CJEU) in its judgment of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner invalidated the Safe Harbour decision and clarified that an adequate level of protection in a third country must be understood to be ‘essentially equivalent’ to that guaranteed within the European Union by virtue of Directive 95/46/EC read in the light of the Charter of Fundamental Rights of the European Union (hereinafter ‘the EU Charter’), prompting the need to conclude negotiations on a new arrangement so as to ensure legal certainty on how personal data should be transferred from the EU to the US;
  2. whereas, when examining the level of protection afforded by a third country, the Commission is obliged to assess the content of the rules applicable in that country deriving from its domestic law or its international commitments, as well as the practice designed to ensure compliance with those rules, since it must, under Article 25(2) of Directive 95/46/EC, take account of all the circumstances surrounding a transfer of personal data to a third country; whereas this assessment must not only refer to legislation and practices relating to the protection of personal data for commercial and private purposes, but must also cover all aspects of the framework applicable to that country or sector, in particular, but not limited to, law enforcement, national security and respect for fundamental rights;
  3. whereas transfers of personal data between commercial organisations of the EU and the US are an important element for the transatlantic relationships; whereas these transfers should be carried out in full respect of the right to the protection of personal data and the right to privacy; whereas one of the fundamental objectives of the EU is the protection of fundamental rights, as enshrined in the EU Charter;
  4. whereas in its Opinion 4/2016 the EDPS raised several concerns on the draft Privacy Shield; whereas the EDPS welcomes in the same opinion the efforts made by all parties to find a solution for transfers of personal data from the EU to the US for commercial purposes under a system of self-certification;
  5. whereas in its Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision the Article 29 Working Party welcomed the significant improvements brought about by the Privacy Shield compared with the Safe Harbour decision whilst also raising strong concerns about both the commercial aspects and access by public authorities to data transferred under the Privacy Shield;
  6. whereas on 12 July 2016, after further discussions with the US administration, the Commission adopted its Implementing Decision (EU) 2016/1250, declaring the adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield;
  7. whereas the EU-US Privacy Shield is accompanied by several letters and unilateral statements from the US administration explaining, inter alia, the data protection principles, the functioning of oversight, enforcement and redress and the protections and safeguards under which security agencies can access and process personal data;
  8. whereas in its statement of 26 July 2016, the Article 29 Working Party welcomes the improvements brought by the EU-US Privacy Shield mechanism compared with Safe Harbour and commended the Commission and the US authorities for having taken into consideration its concerns; whereas the Article 29 Working Party indicates, nevertheless, that a number of its concerns remain, regarding both the commercial aspects and the access by US public authorities to data transferred from the EU, such as the lack of specific rules on automated decisions and of a general right to object, the need for stricter guarantees on the independence and powers of the Ombudsperson mechanism, and the lack of concrete assurances of not conducting mass and indiscriminate collection of personal data (bulk collection);
  9. Welcomes the efforts made by both the Commission and the US administration to address the concerns raised by the CJEU, the Member States, the European Parliament, data protection authorities (DPAs) and stakeholders, so as to enable the Commission to adopt the implementing decision declaring the adequacy of the EU-US Privacy Shield;
  10. Acknowledges that the EU-US Privacy Shield contains significant improvements regarding the clarity of standards compared with the former EU-US Safe Harbour and that US organisations self-certifying adherence to the EU-US Privacy Shield will have to comply with clearer data protection standards than under Safe Harbour;
  11. Takes note that as at 23 March 2017, 1 893 US organisations have joined the EU-US Privacy Shield; regrets that the Privacy Shield is based on voluntary self-certification and therefore applies only to US organisations which have voluntarily signed up to it, which means that many companies are not covered by the scheme;
  12. Acknowledges that the EU-US Privacy Shield facilitates data transfers from SMEs and businesses in the Union to the US;
  13. Notes that, in line with the ruling of the CJEU in the Schrems case, the powers of the European DPAs remain unaffected by the adequacy decision and they can, therefore, exercise them, including the suspension or the ban of data transfers to an organisation registered with the EU-US Privacy Shield; welcomes in this regard the prominent role given by the Privacy Shield Framework to Member State DPAs to examine and investigate claims related to the protection of the rights to privacy and family life under the EU Charter and to suspend transfers of data, as well as the obligation placed upon the US Department of Commerce to resolve such complaints;
  14. Notes with satisfaction that under the Privacy Shield Framework, EU data subjects have several means available to them to pursue legal remedies in the US: first, complaints can be lodged either directly with the company or through the Department of Commerce following a referral by a DPA, or with an independent dispute resolution body, secondly, with regard to interferences with fundamental rights for the purpose of national security, a civil claim can be brought before the US court and similar complaints can also be addressed by the newly created independent Ombudsperson, and finally, complaints about interferences with fundamental rights for the purposes of law enforcement and the public interest can be dealt with by motions challenging subpoenas; encourages further guidance from the Commission and DPAs to make those legal remedies all the more easily accessible and available;
  15. Acknowledges the clear commitment of the US Department of Commerce to closely monitor the compliance of US organisations with the EU-US Privacy Shield Principles and their intention to take enforcement actions against entities failing to comply;
  16. Reiterates its call on the Commission to seek clarification on the legal status of the ‘written assurances’ provided by the US and to ensure that any commitment or arrangement foreseen under the Privacy Shield is maintained following the taking up of office of a new administration in the United States;
  17. Considers that, despite the commitments and assurances made by the US Government by means of the letters attached to the Privacy Shield arrangement, important questions remain as regards certain commercial aspects, national security and law enforcement;
  18. Specifically notes the significant difference between the protection provided by Article 7 of Directive 95/46/EC and the ‘notice and choice’ principle of the Privacy Shield arrangement, as well as the considerable differences between Article 6 of Directive 95/46/EC and the ‘data integrity and purpose limitation’ principle of the Privacy Shield arrangement; points out that instead of the need for a legal basis (such as consent or contract) that applies to all processing operations, the data subject rights under the Privacy Shield Principles only apply to two narrow processing operations (disclosure and change of purpose) and only provide for a right to object (‘opt-out’);
  19. Takes the view that these numerous concerns could lead to a fresh challenge to the decision on the adequacy of the protection being brought before the courts in the future; emphasises the harmful consequences as regards both respect for fundamental rights and the necessary legal certainty for stakeholders;
  20. Notes, amongst other things, the lack of specific rules on automated decision-making and on a general right to object, and the lack of clear principles on how the Privacy Shield Principles apply to processors (agents);
  21. Notes that, while individuals have the possibility to object vis-à-vis the EU controller to any transfer of their personal data to the US, and to the further processing of those data in the US where the Privacy Shield company acts as a processor on behalf of the EU controller, the Privacy Shield lacks specific rules on a general right to object vis-à-vis the US self-certified company;
  22. Notes that only a fraction of the US organisations that have joined the Privacy Shield have chosen to use an EU DPA for the dispute resolution mechanism; is concerned that this constitutes a disadvantage for EU citizens when trying to enforce their rights;
  23. Notes the lack of explicit principles on how the Privacy Shield Principles apply to processors (agents), while recognising that all principles apply to the processing of personal data by any US self-certified company ‘[u]nless otherwise stated’ and that the transfer for processing purposes always requires a contract with the EU controller which will determine the purposes and means of processing, including whether the processor is authorised to carry out onward transfers (e.g. for sub-processing);
  24. Stresses that, as regards national security and surveillance, notwithstanding the clarifications brought by the Office of the Director of National Intelligence (ODNI) in the letters attached to the Privacy Shield framework, ‘bulk surveillance’, despite the different terminology used by the US authorities, remains possible; regrets the lack of a uniform definition of the concept of bulk surveillance and the adoption of the American terminology, and therefore calls for a uniform definition of bulk surveillance linked to the European understanding of the term, where evaluation is not made dependent on selection; stresses that any kind of mass surveillance is in breach of the EU Charter;
  25. Recalls that Annex VI (letter from Robert S. Litt, ODNI) clarifies that under Presidential Policy Directive 28 (hereinafter ‘PPD-28’), bulk collection of personal data and communications of non-US persons is still permitted in six cases; points out that such bulk collection only has to be ‘as tailored as feasible’ and ‘reasonable’, which does not meet the stricter criteria of necessity and proportionality as laid down in the EU Charter;
  26. Deplores the fact that the EU-US Privacy Shield does not prohibit the collection of bulk data for law enforcement purposes;
  27. Stresses that in its judgment of 21 December 2016, the CJEU clarified that the EU Charter ‘must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’; points out that the bulk surveillance in the US therefore does not provide for an essentially equivalent level of the protection of personal data and communications;
  28. Is alarmed by the recent revelations about surveillance activities conducted by a US electronic communications service provider on all emails reaching its servers, upon request of the National Security Agency (NSA) and the FBI, as late as 2015, i.e. one year after Presidential Policy Directive 28 was adopted and during the negotiation of the EU-US Privacy Shield; insists that the Commission seek full clarification from the US authorities and make the answers provided available to the Council, Parliament and national DPAs; sees this as a reason to strongly doubt the assurances brought by the ODNI; is aware that the EU-US Privacy Shield rests on PPD-28, which was issued by the President and can also be repealed by any future President without Congress’s consent;
  29. Expresses great concerns at the issuance of the ‘Procedures for the Availability or Dissemination of Raw Signals Intelligence Information by the National Security Agency under Section 2.3 of Executive Order 12333’, approved by the Attorney General on 3 January 2017, allowing the NSA to share vast amounts of private data gathered without warrants, court orders or congressional authorisation with 16 other agencies, including the FBI, the Drug Enforcement Agency and the Department of Homeland Security; calls on the Commission to immediately assess the compatibility of these new rules with the commitments made by the US authorities under the Privacy Shield, as well as their impact on the level of personal data protection in the United States;
  30. Deplores the fact that neither the Privacy Shield Principles nor the letters of the US administration providing clarifications and assurances demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to a US organisation under the Privacy Shield Principles and further accessed and processed by US public authorities for law enforcement and public interest purposes, which were emphasised by the CJEU in its judgment of 6 October 2015 as the essence of the fundamental right in Article 47 of the EU Charter;
  31. Recalls its resolution of 26 May 2016 stating that the Ombudsperson mechanism set up by the US Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry out its duties and provide effective redress to EU individuals; notes that according to the representations and assurances provided by the US Government the Office of the Ombudsperson is independent from the US intelligence services, free from any improper influence that could affect its function and moreover works together with other independent oversight bodies with effective powers of supervision over the US Intelligence Community; is generally concerned that an individual affected by a breach of the rules can apply only for information and for the data to be deleted and/or for a stop to further processing, but has no right to compensation;
  32. Regrets that the procedure of adoption of an adequacy decision does not provide for a formal consultation of relevant stakeholders such as companies, and in particular SMEs’ representation organisations;
  33. Regrets that the Commission followed the procedure for adoption of the Commission implementing decision in a practical manner that de facto has not enabled Parliament to exercise its right of scrutiny on the draft implementing act in an effective manner;
  34. Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 16 May 2018, and with the EU Charter;
  35. Calls on the Commission to ensure, in particular, that personal data that has been transferred to the US under the Privacy Shield can only be transferred to another third country if that transfer is compatible with the purpose for which the data was originally collected, and if the same rules of specific and targeted access for law enforcement apply in the third country;
  36. Calls on the Commission to monitor whether personal data which is no longer necessary for the purpose for which it had been originally collected is deleted, including by law enforcement agencies;
  37. Calls on the Commission to closely monitor whether the Privacy Shield allows for the DPAs to fully exercise all their powers, and if not, to identify the provisions that result in a hindrance to the DPAs’ exercise of powers;
  38. Calls on the Commission to conduct, during the first joint annual review, a thorough and in-depth examination of all the shortcomings and weaknesses referred to in this resolution and in its resolution of 26 May 2016 on transatlantic data flows, and those identified by the Article 29 Working Party, the EDPS and the stakeholders, and to demonstrate how they have been addressed so as to ensure compliance with the EU Charter and Union law, and to evaluate meticulously whether the mechanisms and safeguards indicated in the assurances and clarifications by the US administration are effective and feasible;
  39. Calls on the Commission to ensure that when conducting the joint annual review, all the members of the team have full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes;
  40. Stresses that all members of the joint review team must be ensured independence in the performance of their tasks and must be entitled to express their own dissenting opinions in the final report of the joint review, which will be public and annexed to the joint report;
  41. Calls on the Union DPAs to monitor the functioning of the EU-US Privacy Shield and to exercise their powers, including the suspension or definitive ban of personal data transfers to an organisation in the EU-US Privacy Shield if they consider that the fundamental rights to privacy and the protection of personal data of the Union’s data subjects are not ensured;
  42. Stresses that Parliament should have full access to any relevant document related to the joint annual review;
  43. Instructs its President to forward this resolution to the Commission, the Council, the governments and national parliaments of the Member States and the US Government and Congress.

NOTES
[1] OJ L 281, 23.11.1995, p. 31.
[2] OJ L 350, 30.12.2008, p. 60.
[3] OJ L 119, 4.5.2016, p. 1.
[4] OJ L 119, 4.5.2016, p. 89.
[5] ECLI:EU:C:2015:650.
[6] ECLI:EU:C:2016:970.
[7] OJ L 207, 1.8.2016, p. 1.
[8] OJ C 257, 15.7.2016, p. 8.
[9] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf
[10] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf
[11] Texts adopted, P8_TA(2016)0233.