Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices

EXECUTIVE SUMMARY OF A STUDY FOR THE EP LIBE COMMITEE.

FULL TEXT ACCESSIBLE  HERE  

by Mirja  GUTHEIL, Quentin  LIGER, Aurélie  HEETMAN, James  EAGER, Max  CRAWFORD  (Optimity  Advisors)

Hacking by law enforcement is a relatively new phenomenon within the framework of the longstanding public policy problem of balancing security and privacy. On the one hand, law enforcement agencies assert that the use of hacking techniques brings security, stating that it represents a part of the solution to the law enforcement challenge of encryption and ‘Going Dark’ without systematically weakening encryption through the introduction of ‘backdoors’ or similar techniques. On the other hand, civil society actors argue that hacking is extremely invasive and significantly restricts the fundamental right to privacy. Furthermore, the use of hacking practices pits security against cybersecurity, as the exploitation of cybersecurity vulnerabilities to provide law enforcement with access to certain data can have significant implications  for  the security of the internet.

Against this backdrop, the present study provides the LIBE Committee with relevant, actionable insight into the legal frameworks and practices for hacking by law enforcement. Firstly, the study examines the international and EU-level debates on the topic of hacking by law enforcement (Chapter 2), before analysing the possible legal bases for EU intervention in the field (Chapter 3). These chapters set the scene for the primary focus of the study: the comparative analysis of legal frameworks and practices for hacking by law enforcement across six selected Member States (France, Germany, Italy, the Netherlands, Poland and the UK), with further illustrative examples from three non-EU countries (Australia, Israel and the US) (Chapter 4). Based on these analyses, the study concludes (Chapter 5) and presents concrete recommendations and policy proposals for  EU  action  in  the field (Chapter 6).

The international and EU-level debates on the use of hacking techniques by law enforcement primarily evolve from the law enforcement challenge posed by encryption – i.e. the  ‘Going  Dark’  issue.

Going Dark is a term used to describe [the] decreasing ability [of law enforcement agencies] to lawfully access and examine evidence at rest on devices and evidence in motion across   communications   networks.1

According to the International Association of Chiefs of Police (IACP), law enforcement agencies are not able to investigate illegal activity and prosecute criminals without this evidence. Encryption technologies are cited as one of the major barriers to this access. Although recent political statements from several countries (including France, Germany, the UK and the US) seemingly call for ‘backdoors’ to encryption technologies, support for strong encryption at international and EU fora remains strong. As such, law enforcement agencies across the world started to use hacking techniques to bypass encryption. Although the term ‘hacking’ is not used by law enforcement agencies, these practices essentially mirror the techniques used by hackers (i.e. exploiting any possible vulnerabilities – including technical, system  and/or human  vulnerabilities  – within  an  information  technology  (IT) system).

Law enforcement representatives, such as the IACP and Europol, report that access to encrypted and other data through such hacking techniques brings significant investigative benefits. However, it is not the only possible law enforcement solution to the ‘Going Dark’ issue. Outside of the scope of this study, the other options include: requiring users to provide their password or decrypt their data; requiring technology vendors and service providers to bypass   the   security   of   their   own   products   and   services;   and   the    systematic   weakening   of encryption through the mandated introduction of ‘backdoors’ and/or weakened standards for encryption.

With the benefits of hacking established, a 2016 Joint Statement published by the European Union Agency for Network and Information Security (ENISA) and Europol2 noted that the use of  hacking  techniques also brings  several   key  risks.

The primary risk relates to the fundamental right to privacy and freedom of expression and information, as enshrined in international, EU and national-level law. Hacking techniques are extremely invasive, particularly when compared with traditionally intrusive investigative tools (e.g. wiretapping, house searches etc.). Through hacking, law enforcement can gain access to all data stored or in transit from a device; this represents a significant amount of data (e.g. a recent investigation by Dutch law enforcement collected seven terabytes of data, which translates into around 86 million pages of Microsoft Word documents3), as well as extremely sensitive data (e.g. a person’s location and movements, all communications, all stored data etc.). Consequently, the use of hacking techniques will inherently restrict the fundamental right to privacy.

Therefore, current debates at international and EU fora focus on assessing and providing recommendations on the current legal balances and safeguards for the restriction of the right to privacy by hacking techniques. However, these debates have assumed that hacking practices are necessary for law enforcement and simply require governing laws; they have not discussed whether the use of hacking techniques by law enforcement is necessary and proportional. The law enforcement assertions regarding the necessity of these invasive tools have  not   been  challenged.

The second key risk relates to the security of the internet. Law enforcement use of hacking techniques has the potential to significantly weaken the security of the internet by “[increasing] the attack surface for malicious abuse”4. Given that critical infrastructure and defence organisations, as well as law enforcement agencies themselves, use the technologies targeted and potentially weakened by law enforcement hacking, the potential ramifications reach  far  beyond  the intended  target.

As such, debates at international and EU fora focus on the appropriate balances between security and privacy, as well as security and cybersecurity. Regarding security v. privacy, the debates to date have assessed and provided recommendations on the legislative safeguards required to ensure that hacking techniques are only permitted in situations where a restriction of the fundamental right to privacy is valid in line with EU legislation (i.e. legal, necessary and proportional). Regarding security v. cybersecurity, the debates have been limited and primarily centre around the use and/or reporting of zero-day vulnerabilities discovered  by  law enforcement agencies.

Further risks not discussed in the Joint Statement but covered by this study include: the risks to territorial sovereignty – as law enforcement agencies may not know the physical location of the target data; and the risks related to the supply and use of commercially-developed hacking tools by governments with poor consideration for human rights.

Alongside the analysis of international and EU debates, the study presents hypotheses on the legal  bases  for  EU  intervention  in  the  field. Although  possibilities for  EU  legal  intervention  in several areas are discussed, including mutual admissibility of evidence (Art. 82(2) TFEU), common investigative techniques (Art. 87(2)(c) TFEU), operational cooperation (Art. 87(3) TFEU) and data protection (Art. 16 TFEU, Art. 7 & 8 EU Charter), the onus regarding the development of legislation in the field is with the Member States. As such, the management of the risks associated with law enforcement activities is governed at the Member State level.

As suggested by the focus of the international and EU discussions, concrete measures need to be stipulated at national-level to manage these risks. This study presents a comparative analysis of the legal frameworks for hacking by law enforcement across six Member States, as well as certain practical aspects of hacking by law enforcement, thereby providing an overview of the primary Member State mechanisms for the management of these risks. Further illustrative examples are provided from research conducted in three non-EU countries.

More specifically, the study examines the legal and practical balances and safeguards implemented at national-level to ensure: i) the legality, necessity and proportionality of restrictions to the fundamental  right  to  privacy;   and ii) the security  of  the internet.

Regarding restrictions to the right to privacy, the study first examines the existence of specific legal frameworks for hacking by law enforcement, before exploring the ex-ante and ex-post conditions and mechanisms stipulated to govern restrictions of the right to privacy and ensure they are legal, necessary  and  proportional.

It is found that hacking practices are seemingly necessary across all Member States examined, as four Member States (France, Germany, Poland and the UK) have adopted specific legislative provisions and the remaining two are in the legislative process. For all Member States except Germany, the adoption of specific legislative provisions occurred in 2016 (France, Poland and the UK) or will occur later (Italy, the Netherlands).  This  confirms the  new  nature  of these investigative techniques.

Additionally, law enforcement agencies in all Member States examined have used, or still use, hacking techniques in the absence of specific legislative provisions, under so-called ‘grey area’ legal provisions. Given the invasiveness of hacking techniques, these grey areaprovisions are considered  insufficient  to adequately  protect the right to privacy.

Where specific legal provisions have been adopted, all stakeholders agree that a restriction of the right to privacy requires the implementation of certain safeguards. The current or proposed legal frameworks of all six Member States comprise a suite of ex-ante conditions and ex-post mechanisms that aim to ensure the use of hacking techniques is proportionate and necessary. As recommended by various UN bodies, the provisions of primary importance include judicial authorisation of hacking practices, safeguards related to the nature, scope and duration of possible measures (e.g. limitations to crimes of a certain gravity and the  duration  of  the hack,  etc.) and  independent   oversight.

Although many of these types of recommended conditions are common across the Member States examined – demonstrated in the below table – their implementation parameters differ. For instance, both German and Polish law permit law enforcement hacking practices without judicial authorisation in exigent circumstance if judicial authorisation is achieved in a specified timeframe. However, the timeframe differs (three days in Germany compared with five days in Poland). These differences make significant difference, as the Polish timeframe was criticised  by the Council  of  Europe’s  Venice Commission  for being  too long.5

Furthermore, the Member States examined all accompany these common types of ex-ante and ex-post conditions with different, less common conditions. This is particularly true for ex-post oversight mechanisms. For instance, in Poland, the Minister for internal affairs provides macro-level information to the lower (Sejm) and upper (Senat) chambers of Parliament;6 and in the UK, oversight is provided by the Investigatory Powers Commissioner, who reviews all cases of hacking by law enforcement, and the Investigatory Powers Tribunal, which  considers disputes or  complaints surrounding  law enforcement  hacking.7

Key ex-ante considerations
Judicial authorisation The    legal    provisions    of    all    six    Member    States    require    ex-ante judicial        authorisation        for        law        enforcement        hacking.        The information  to  be  provided  in  these requests differ.

Select     Member     States     (e.g.     Germany,     Poland,     the     UK)     also provide for hacking without prior judicial authorisation in exigent circumstances  if  judicial  authorisation  is subsequently  provided. The timeframes  for  ex-post authorisation  differ.

Limitation by crime and  duration All  six Member  States  restrict  the  use  of  hacking  tools  based  on the   gravity   of   crimes.    In    some    Member   States,    the    legislation presents  a  specific  list  of  crimes  for  which  hacking  is permitted; in     others,     the    limit    is    set     for    crimes    that    have    a    maximum custodial    sentence   of   greater   than    a   certain   number    of   years. The lists and numbers  of years required differ by Member   State.

Many Member States also restrict the duration for which hacking may   be   used.   This   restriction   ranges   from   maximum   1   month (France, Netherlands) to a maximum of 6 months (UK), although extensions     are     permitted     under     the     same     conditions     in     all Member States.

Key ex-post considerations
Notification and effective remedy Most    Member    States    provide    for    the    notification    of    targets    of hacking  practices and  remedy  in  cases  of unlawful   hacking.
Reporting and oversight Primarily, Member States report at a micro-level through logging hacking  activities and  reporting them  in  case  files.

However,   some   Member   States   (e.g.   Germany,   Poland   and   the UK) have macro-level  review  and  oversight mechanisms.

Furthermore, as regards the issue of territoriality (i.e. the difficulty law enforcement agencies face obtaining the location of the data to be collected using hacking techniques), only one Member States, the Netherlands, legally permits the hacking of devices if the location is unknown. If the device turns out to be in another jurisdiction, Dutch law enforcement must apply  for Mutual  Legal  Assistance.

As such, when aggregated, these provisions strongly mirror Article 8 of the European Convention on Human Rights, as well as the UN recommendations and paragraph 95 of the ECtHR  judgement  in  Weber and  Saravia  v.  Germany.  However,   there are  many,  and  varied, criticisms when the Member State conditions are examined in isolation. Some of the provisions criticised include: the limits based on the gravity of crimes (e.g. the Netherlands, France and Poland); the provisions for notification and effective remedy (e.g. Italy and the Netherlands); the process for screening and deleting non-relevant data (Germany); the definition of devices that can be targeted (e.g. the Netherlands); the duration permitted for hacking (e.g. Poland); and a lack of knowledge amongst the judiciary (e.g. France, Germany, Italy and the Netherlands).With this said, certain elements, taken in isolation, can be called good  practices. Such  examples  are  presented below.

Select  good practice: Member State legislative frameworks

Germany: Although they were deemed unconstitutional in a 2016 ruling, the provisions for the screening and deletion of data related to the core area of private life are a positive step. If the provisions are amended, as stipulated in the ruling, to ensure screening by an independent body, they would provide strong protection for the targeted individual’s private data.

Italy: The 2017 draft Italian law includes a range of provisions related to the development and monitoring of the continued use of hacking tools. As such, one academic stakeholder remarked that the drafting of the law must have been driven by technicians. However, these provisions bring significant benefits to the legislative provisions in terms of supervision and oversight of the use of hacking tools. Furthermore, the Italian draft law takes great care to separate the functionalities of the hacking tools, thus protecting against the overuse or abuse of a  hacking tool’s  extensive  capabilities.

Netherlands: The Dutch Computer Crime III Bill stipulates the need to conduct a formal proportionality assessment for each hacking request, with the assistance of a dedicated Central Review Commission (Centrale Toetsings Commissie). Also, the law requires rules to be laid down on the authorisation and expertise of the investigation officers that can perform hacking.

With these findings in mind, the study concludes that the specific national-level legal provisions examined provide for the use of hacking techniques in a wide array of circumstances. The varied combinations of requirements, including those related to the gravity of crimes, the duration and purpose of operations and the oversight, result in a situation where the law does not provide for much stricter conditions than are necessary for less  intrusive  investigative activities such  as interception.

Based on the study findings,  relevant  and actionable policy proposals and recommendations have been developed under the two key elements: i) the fundamental right  to  privacy;  and  ii) the security  of the internet.

Recommendations and policy proposals: Fundamental  right  to  privacy

It is recommended that the use of ‘grey area’ legal provisions is not sufficient to protect the fundamental right to privacy. This is primarily because existing legal provisions do not provide for the more invasive nature of hacking techniques and do not provide for the legislative precision  and  clarity  as  required  under  the  Charter and the  ECHR.

Furthermore, many of these provisions have only recently been enacted. As such, there is a need for robust evidence-based monitoring and evaluation of the practical application of these provisions. It is therefore recommended that the application of these new legal provisions is evaluated regularly at national level, and that the results of these evaluations are  assessed at  EU-level.

If specific legislative provisions are deemed necessary, the study recommends a range of good practice, specific ex-ante and ex-post provisions governing the use of hacking practices by  law  enforcement  agencies. These are detailed  in  Chapter 6.

Policy proposal 1: The European Parliament should pass a resolution calling on Member States to conduct a Privacy Impact Assessment when new laws are proposed to permit and govern the use of hacking techniques by law enforcement agencies. This Privacy Impact Assessment should focus on the necessity and proportionality of the use of hacking tools and should  require input  from  national  data protection  authorities.

Policy proposal 2: The European Parliament should reaffirm the need for Member States to adopt a clear and precise legal basis if law enforcement agencies are to use hacking techniques.

Policy proposal 3: The European Parliament should commission more research or encourage the European Commission or other bodies to conduct more research on the topic. In response to the Snowden revelations, the European Parliament called on the EU Agency for Fundamental Rights (FRA) to thoroughly research fundamental rights protection in the context of surveillance. A similar brief related to the legal frameworks governing the use of hacking techniques by law enforcement across all EU Member States would act as an invaluable piece  of  research.

Policy proposal 4: The European Parliament should encourage Member States to undertake evaluation and monitoring activities on the practical application of the new legislative provisions  that  permit  hacking  by  law  enforcement  agencies.

Policy proposal 5: The European Parliament should call on the EU Agency for Fundamental Rights (FRA) to develop a practitioner handbook related to the governing of hacking by law enforcement. This handbook should be intended for lawyers, judges, prosecutors, law enforcement officers and others working with national authorities, as well as non­governmental organisations and other bodies confronted with legal questions in the areas set out by the handbook. These areas should cover the invasive nature of hacking techniques and relevant safeguards as per international and EU law and case law, as well as appropriate mechanisms for supervision  and   oversight.

Policy proposal 6: The European Parliament should call on EU bodies, such as the FRA, CEPOL and Eurojust, to provide training for national-level members of the judiciary and data protection authorities, in collaboration with the abovementioned handbook, on the technical means for hacking in use across the Member States, their potential for invasiveness and the principles of  necessity  and  proportionality in  relation  to these  technical  means.

Recommendations and policy proposals: Security of  the  internet

The primary recommendation related to the security of the internet is that the position of the EU against the implementation of ‘backdoors’ and similar techniques, and in support of strong encryption standards, should be reaffirmed, given the prominent role encryption plays in our society and its importance to the EU’s Digital Agenda. To support this position, the EU should ensure continued engagement with global experts in computer science as well as civil society privacy and  digital  rights groups.

The actual impacts of hacking by law enforcement on the security of the internet are yet unknown. More work should be done at the Member State level to assess the potential impacts such that these data can feed in to overarching discussions on the necessity and proportionality of law enforcement hacking. Furthermore, more work should be done, beyond understanding the risks to the security of the internet, to educate those involved in the authorisation and use of  hacking  techniques by law enforcement.

At present, the steps taken to safeguard the security of the internet against the potential risks of hacking are not widespread. As such, the specific legislative provisions governing the use of hacking techniques by law enforcement, if deemed necessary, should safeguard the security of the internet and the security of the device, including reporting the vulnerabilities used to gain access to a device to the appropriate technology vendor or service provider; and  ensure  the  full  removal  of  the software  or hardware from the targeted  device.

Policy proposal 7: The European Parliament should pass a resolution calling on Member States to conduct an Impact Assessment to examine the impact of new or existing laws governing  the  use  of hacking  techniques by  law  enforcement on  the  security  of  the internet.

Policy proposal 8: The European Parliament, through enhanced cooperation with Europol
and the European Union Agency for Network and Information Security (ENISA), should
reaffirm its commitment to strong encryption considering discussions on the topic of hacking by law enforcement. In addition, the Parliament should reaffirm its opposition to the implementation of  
backdoors and  similar techniques in information technology infrastructures or  services.

Policy proposal 9: Given the lack of discussion around handling zero-day vulnerabilities, the European Parliament should support the efforts made under the cybersecurity contractual Public-Private Partnership (PPP) to develop appropriate responses to handling zero-day vulnerabilities, taking into consideration the risks related to fundamental rights and the security  of the internet.

Policy proposal 10: Extending policy proposal 4, above, the proposed FRA handbook should also cover the risks  posed  to  the  security  of the  internet  by  using hacking  techniques.

Policy proposal 11: Extending policy proposal 5, training provided to the judiciary by EU bodies such as FRA, CEPOL and Eurojust should also educate these individuals on the risks posed  to  the security  of  the internet  by  hacking  techniques.

Policy proposal 12: Given the lack of discussion around the risks posed to the security of the internet by hacking practices, the European Parliament should encourage debates at the appropriate fora specific to understanding this risk and the approaches to managing this risk. It is encouraged that law enforcement representatives should be present within such discussions.

The 2016 EU Justice Scoreboard

NOTA BENE : THE FULL REPORT IS ACCESSIBLE HERE 

The 2016 EU Justice Scoreboard was adopted by the European Commission on 10 April 2016 under reference number COM(2017) 167.

THE 2017 EU JUSTICE SCOREBOARD

(…) Introduction

‘Effective justice systems support economic growth and defend fundamental rights. That is why Europe promotes and defends the rule of law (1).’ This role of Member States’ justice systems underlined by Jean-Claude Juncker, President of the European Commission, is crucial for ensuring that individuals and businesses can fully enjoy their rights, for strengthening mutual trust and for building a business and investment-friendly environment in the single market.

Moreover, as underlined by Frans Timmermans, First Vice-President of the European Commission, effective justice systems also underpin the application of EU law: ‘The European Union is built on a common set of values, enshrined in the Treaty. These values include respect for the rule of law. That is how this organisation functions, that is how our Member States ensure the equal application of EU law across the European Union (2).’ For these reasons, improving the effectiveness of national justice systems is a well-established priority of the European semester — the EU’s annual cycle of economic policy coordination.

Independence, quality and efficiency are the key elements of an effective justice system. The 2017 EU Justice Scoreboard (‘the Scoreboard’) helps Member States to achieve this priority by providing an annual comparative overview of the independence, quality and efficiency of national justice systems. Such a comparative overview assists Member States in identifying potential shortcomings, improvements and good practices as well as trends in the functioning of national justice systems over time. It is also crucial for the effectiveness of EU law (3).

When applying EU law, national courts act as EU courts and ensure that the rights and obligations provided under EU law are enforced effectively. For this reason, the Scoreboard looks closely at the functioning of courts when applying EU law in specific areas.

The 2017 edition further develops this overview and examines new aspects of the functioning of justice systems:

– to better understand how consumers access the justice system, it examines which channels they use to submit complaints against companies (e.g. courts, out of court methods), how legal aid and court fees influence access to justice, particularly for persons at-risk-of-poverty, the length of court proceedings and before consumer authorities and how many consumers are using the online dispute resolution (ODR) platform which became operational in 2016.

–  to keep track of the situation of judicial independence in Member States, this edition presents the result of a new survey on the perception of citizens and companies; it shows new data on safeguards for protecting judicial independence.

– this edition continues to examine how national justice systems function in specific areas of EU law relevant for the single market and for an investment-friendly environment.

It presents a first overview of the functioning of national justice systems when applying EU anti-money laundering legislation in criminal justice. It also examines the length of proceedings for provisional measures to prevent imminent damages in certain areas of law.

– in order to have a clearer picture of the current use of information and communication technologies (ICT) in justice systems, this edition presents the results from a survey of lawyers on how they communicate with courts and for which reasons they use ICT.

– as standards on the functioning of courts can drive up the quality of justice systems, this edition examines in more detail standards aiming to improve the court management and the information given to parties on progress of their case.

As this is the fifth edition, the Scoreboard also takes stock of the progress achieved over time.

Although data are still lacking for certain Member States, the data gap continues to decrease, in particular for indicators on the efficiency of justice systems.

The fruitful cooperation with Member States’ contact points on national justice systems (4) and various committees and European judicial networks have enriched the data significantly.

The remaining difficulties in gathering data are often due to insufficient statistical capacity or to the fact that the national categories for which data are collected do not exactly correspond to the ones used for the Scoreboard. In very few cases, the data gap is due to the lack of willingness of certain national authorities to contribute. The Commission will continue to encourage Member States to further reduce this data gap.

(…) 2. Context

Justice remain high on the agenda (…)

In 2016, a large number of Member States pursued their efforts to improve the effectiveness of their national justice system. Justice reforms take time, sometimes several years from the first announcement of new reforms, over the adoption of legislative and regulatory measures, to the actual implementation of the adopted measures. Figure 1 presents an overview of adopted and envisaged justice reforms. It is a factual presentation of ‘who does what,’ without any qualitative evaluation. In that respect, it is important to underline that any justice reform should uphold the rule of law and comply with European standards on judicial independence. Figure 1 shows that procedural law remains an area of particular attention in a number of Member States and that a significant amount of new reforms have been announced for legal aid, alternative dispute resolution methods (ADR), court specialisation and judicial maps. A comparison with the 2015 Scoreboard shows that the level of activity generally remained stable, both on the announced reforms and measures under negotiation. (…)

The EU is encouraging certain Member States to improve the effectiveness of their justice system. In the 2016 European semester, based on a proposal from the Commission, the Council addressed country specific recommendations to six Member States in this area (21).

Two of the Member States which were subject to a country specific recommendation in 2015 did not receive a recommendation in 2016 due to the progress they had achieved (22).

In addition to those Member States subject to country specific recommendations, a further eight Member States are still facing particular challenges and are being closely monitored by the Commission through the European semester and economic adjustment programmes (23). The Commission further assists justice reforms in Romania and Bulgaria through the cooperation and verification mechanism (24).

In 2016, the Commission adopted, under the EU Rule of Law Framework (25), two recommendations regarding the rule of law in Poland, setting out the Commission’s concerns and recommending how these concerns can be addressed (26). The Commission considers it necessary that Poland’s Constitutional Tribunal is able to fully carry out its responsibilities under the Constitution, in particular to ensure an effective constitutional review of legislative acts.

The Commission continues to support justice reforms through the European Structural and Investment Funds (ESI Funds). During the current programming period 2014 – 2020, ESI Funds will provide up to EUR 4.2 billion to support Member States’ efforts to enhance the capacity of their public administration, including justice. 14 Member States have identified justice as a priority area for support by the ESI Funds. The Commission emphasises the importance of taking a result-oriented approach when implementing these priorities and calls upon Member States to evaluate the impact of ESI Funds support. In 2016, five Member States (27) requested technical assistance from the Structural Reform Support Service of the Commission, for example on sharing national experiences regarding judicial map reforms.

The positive economic impact of the good functioning of justice system deserves these efforts. A 2017 study by the Joint Research Centre identifies correlations between improvement of court efficiency and the growth rate of the economy and between businesses’ perception of judicial independence and the growth in productivity (28).

Where judicial systems guarantee the enforcement of rights, creditors are more likely to lend, firms are dissuaded from opportunistic behaviour, transaction costs are reduced and innovative businesses are more likely to invest. This positive impact is also underlined in further research, including from the International Monetary Fund, European Central Bank, OECD, World Economic Forum, and World Bank (29). (…)

Questions and Answers

 What is the EU Justice Scoreboard?

The EU Justice Scoreboard is a comparative information tool that aims to assist the EU and Member States to improve the effectiveness of their national justice systems by providing objective, reliable and comparable data on the quality, independence and efficiency of justice systems in all Member States. The Scoreboard does not present an overall single ranking but an overview of how all the justice systems function, based on various indicators that are of common interest for all Member States. The Scoreboard does not promote any particular type of justice system and treats all Member States on an equal footing. Timeliness, independence, affordability and user-friendly access are some of the essential parameters of an effective justice system, whatever the model of the national justice system or the legal tradition in which it is anchored.

The Scoreboard mainly focuses on litigious civil and commercial cases as well as administrative cases in order to assist Member States in their efforts to pave the way for a more investment, business and citizen-friendly environment. The Scoreboard is a comparative tool which evolves in dialogue with Member States and the European Parliament, with the objective of identifying the essential parameters of an effective justice system.

What is the methodology of the EU Justice Scoreboard?

The Scoreboard uses various sources of information. Large parts of the quantitative data are provided by the Council of Europe Commission for the Evaluation of the Efficiency of Justice (CEPEJ) with which the Commission has concluded a contract to carry out a specific annual study. These data range from 2010 to 2015, and have been provided by Member States according to CEPEJ’s methodology. The study also provides detailed comments and country specific information sheets that give more context. They should be read together with the figures (5).

Data on the length of proceedings collected by CEPEJ show the ‘disposition time’ which is a calculated length of court proceedings (based on a ratio between pending and resolved cases). Data on courts’ efficiency in applying EU law in specific areas show the average length of proceedings derived from actual length of court cases. It should be noted that the length of court proceedings may differ substantially geographically within a Member State, particularly in urban centres where commercial activities may lead to a higher caseload.

The other sources of data are: the group of contact persons on national justice systems (6), the European Network of Councils for the Judiciary (ENCJ) (7), the Network of the Presidents of the Supreme Judicial Courts of the EU (NPSJC) (8), Association of the Councils of State and Supreme Administrative Jurisdictions of the EU (ACA-Europe) (9), the European Competition Network (ECN) (10), the Communications Committee (COCOM) (11), the European Observatory on infringements of intellectual property rights (12), the Consumer Protection Cooperation Network (CPC) (13), the Expert Group on Money Laundering and Terrorist Financing (EGMLTF) (14), Eurostat (15), the European Judicial Training Network (EJTN) (16), the Council of Bars and Law Societies of Europe (CCBE) (17) and the World Economic Forum (WEF) (18).

The methodology for the Scoreboard has been further developed in close cooperation with the group of contact persons on national justice systems, particularly through a questionnaire and collecting data on certain aspects of the functioning of justice systems.

The Scoreboard contains figures on all three main elements of an effective justice system: quality, independence and efficiency. These should be read together, as all three elements are necessary for the effectiveness of a justice system and are often interlinked (initiatives aimed at improving one of them may have an influence on the other).

How does the EU Justice Scoreboard feed into the European semester?

The Scoreboard provides a comparative overview of the quality, independence and efficiency of national justice systems and helps Member States to improve the effectiveness of their national justice systems. This makes it easier to identify shortcoming and best practices and to keep track of challenges and progress. In the context of the European semester, country-specific assessments are carried out through bilateral dialogue with the national authorities and stakeholders concerned. This assessment takes into account the particularities of the legal system and the context of the Member States concerned. It may lead to the Commission proposing to the Council to adopt country-specific recommendations on the improvement of national justice systems (19).

NOTES

 

(1) 2016 State of the Union Speech delivered before the European Parliament on 14 September 2016: https://ec.europa.eu/priorities/state-union-2016_en
(2) http://europa.eu/rapid/press-release_SPEECH-16-2023_en.htm
(3) See also Communication from the Commission — EU law: Better results through better application, 13 December 2016, 2017/C 18/02.
(4) In view of the preparation of the EU Justice Scoreboard and to promote the exchange of best practices on the effectiveness of justice systems, the Commission asked Member States to designate two contact persons, one from the judiciary and one from the ministry of justice. Regular meetings of this informal group are taking place.
(5) http://ec.europa.eu/justice/effective-justice/scoreboard/index_en.htm
(6) In view of the preparation of the EU Justice Scoreboard and to promote the exchange of best practices on the effectiveness of justice systems, the Commission asked Member States to designate two contact persons, one from the judiciary and one from the ministry of justice. Regular meetings of this informal group are taking place.
(7) ENCJ unites the national institutions in the EU Member States which are independent of the executive and legislature, and which are responsible for the support of the Judiciaries in the independent delivery of justice: https://www.encj.eu/
(8) NPSJC provides a forum through which European institutions are given an opportunity to request the opinions of Supreme Courts and to bring them closer by encouraging discussion and the exchange of ideas: http://network-presidents.eu/
(9) ACA-Europe is composed of the Court of Justice of the EU and the Councils of State or the Supreme administrative jurisdictions of each EU Member State: http://www.juradmin.eu/index.php/en/
(10) ECN has been established as a forum for discussion and cooperation of European competition authorities in cases where Articles 101 and 102 of the TFEU are applied. The ECN is the framework for the close cooperation mechanisms of Council Regulation 1/2003. Through the European Competition Network, the Commission and the national competition authorities in all EU Member States cooperate with each other: http://ec.europa.eu/competition/ecn/index_en.html
(11) COCOM is composed of representatives of EU Member States. Its main role is to provide an opinion on the draft measures that the Commission intends to adopt: https://ec.europa.eu/digital-single-market/en/communications-committee
(12) The European Observatory on Infringements of Intellectual Property Rights is a network of experts and specialist stakeholders. It is composed of public- and private-sector representatives, who collaborate in active working groups. https://euipo.europa.eu/ohimportal/en/web/observatory/home
(13) CPC is a network of national authorities responsible for enforcing EU consumer protection laws in EU and EEA countries: http://ec.europa.eu/internal_market/scoreboard/performance_by_governance_tool/consumer_protection_cooperation_network/index_en.htm
(14) EGMLTF meets regularly to share views and help the Commission define policy and draft new legislation: http://ec.europa.eu/justice/civil/financial-crime/index_en.htm
(15) Eurostat is the statistical office of the EU: http://ec.europa.eu/eurostat/about/overview
(16) EJTN is the principal platform and promoter for the training and exchange of knowledge of the European judiciary. It develops training standards and curricula, coordinates judicial training exchanges and programmes, disseminates training expertise and promotes cooperation between EU judicial training institutions. EJTN has some 34 members representing EU states as well as EU transnational bodies. http://www.ejtn.eu/
(17) CCBE is an international non-profit association which represents European bars and law societies. CCBE membership includes the bars and law societies of 45 countries from the EU, the EEA, and wider Europe: http://www.ccbe.eu/
(18) WEF is an International Organisation for Public-Private Cooperation, whose members are companies: https://www.weforum.org/
(19) The reasons for country-specific recommendations and the progress on the implementation of such recommendations are presented on an annual basis by the Commission in individual country reports in the form of Staff Working Documents: https://ec.europa.eu/info/publications/2017-european-semester-country-reports_en
(20) The information has been collected in cooperation with the group of contact persons on national justice systems for 25 Member States. PL and UK did not submit information. DE explained that a number of reforms are under way as regards judiciary, where the scope and scale of the reform process can vary within the 16 federal states.
(21) BG, HR, IT, CY, PT, SK; see Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Bulgaria and delivering a Council opinion on the 2016 Convergence Programme of Bulgaria, (2016/C 299/08); Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Croatia and delivering a Council opinion on the 2016 Convergence Programme of Croatia (2016/C 299/23); Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Italy and delivering a Council opinion on the 2016 Stability Programme of Italy, (2016/C 299/01); Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Cyprus and delivering a Council opinion on the 2016 Stability Programme of Cyprus, (2016/C 299/07); Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Portugal and delivering a Council opinion on the 2016 Stability Programme of Portugal, (2016/C 299/26); Council Recommendation of 12 July 2016 on the 2016 National Reform Programme of Slovakia and delivering a Council opinion on the 2016 Stability Programme of Slovakia, (2016/C 299/15).
(22) LV and SI.
(23) BE, ES, LV, MT, PL, RO, SI. These challenges have been reflected in the recitals of the Country-Specific Recommendations and the country reports relating to these Member States. The country reports are available at: https://ec.europa.eu/info/publications/2017-european-semester-country-reports_en. Furthermore, justice reforms in EL are closely being monitored in the context of the Economic Adjustment Programme for Greece.
(24) Report on progress in Bulgaria under the Cooperation and Verification Mechanism, COM(2017) 43 final; Report on progress in Romania under the Cooperation and Verification Mechanism COM(2017) 44 final.
(25) COM(2014) 158 final/2.
(26) Commission Recommendation (EU) 2016/1374 of 27 July 2016 regarding the rule of law in Poland, OJ L 217, 12.8.2016, p. 53; Commission Recommendation (EU) 2017/146 of 21 December 2016 regarding the rule of law in Poland, OJ L 22, 27.1.2017, p. 65. See also IP/16/2643 and IP/16/4476.
(27) BG, EL, HR, CY, SI.
(28) ‘The judicial system and economic development across EU Member States’, JRC (forthcoming).
(29) See references in the 2016 EU Justice Scoreboard.

The Great (UK) Repeal Bill and the Charter of Fundamental Rights – not a promising start

ORIGINAL PUBLISHED ON “DESPITE OUR DIFFERENCES” BLOG

 (*)

One of the messages that the UK government has repeated since the decision of the British people to leave the EU, is that the withdrawal will not entail a loss of any right, particularly of social rights. This was (and is) an important part of the message, considering the high turnout of labour voters that voted for Brexit.

Yesterday the Government published an insightful White Paper on the upcoming Great Repeal Bill, which will incorporate most of EU Law into UK Law once Brexit takes place, in order to provide stability and legal certainty to citizens and undertakings currently living and working in the UK. In Chapter 2, the White Paper makes a reference to the hundreds of thousands of EU acts that will be incorporated and stresses the importance of providing stability in the legal framework once Brexit happens. EU Law will carry on being applicable, but only as UK Law, and reforms will be introduced into this “repatriated EU Law” from then onwards by both Parliament and Government.

Therefore, on the day Brexit happens EU Law will be incorporated into the UK legal system, including the entirety of the Court of Justice’s case-law. This is a huge digestion of rules and judicial rulings, unprecedented in the way and speed in which it will take place.

However, there is a piece of EU Law that will not be incorporated into UK Law. This is no ordinary or irrelevant piece. It is the Charter of Fundamental Rights of the European Union. It is another revealing sign of the impact that Brexit will have in the UK and, above all, for UK citizens and their rights.

The Government’s White Paper justifies the decision to exclude the Charter from the Great Repeal Bill with an argument so simple that it is, in fact, incorrect. I very much doubt that the UK Government incurred in a clerical error when drafting the text, so I assume that the justification is simply the best effort they could do. In the Government’s own words, “the Charter was not designed to create any new rights or alter the circumstances in which individuals could rely on fundamental rights to challenge the actions of the EU Institutions or member states in relation to EU Law.” The document carries on and claims that “the Charter was intended to make the rights that already existed in EU law more visible by bringing them together in a single document”.

I might be missing something, but the Charter, besides codifying some fundamental rights already recognized in the case-law of the Court of Justice, introduced many new rights and principles of enormous relevance and inexistent under EU Law until the entry into force of the Charter in 2009.

Thanks to the Charter, EU Law recognizes the prohibition of human cloning as part of the fundamental right to physical integrity (article 2.2.d). There is nothing in EU secondary law on schools, but the Charter enshrines the freedom to found educational establishments (article 14.3). And there is a very important right conferred on nationals of non-EU Member States that are authorized to work in the EU: the right to working conditions equivalent to those of citizens of the Union (article 15.3).

In an aging society in which we will live longer than any other previous generation, the Charter recognizes the rights of the elderly “to lead a life of dignity and independence and to participate in social and cultural life”. Many of the elderly in Britain voted for Brexit. This fundamental right has been deprived from them.

The effect is even more brutal when it comes to vulnerable groups, as is the case of persons with disabilities. Article 26 of the Charter recognizes the right of persons with disabilities “to benefit from measures designed to ensure their independence, social and occupational integration and participation in the life of the community”. This right under the Charter will be gone after Brexit.

The Government’s document is even more striking when it adds that “the removal of the Charter from UK law will not affect the substantive rights that individuals already benefit from in the UK”. This assertion is made on the assumption that EU secondary law suffices to keep all the rights untouched. But this claim is wrong, and it can be easily proved with an example.

In Kušionová, the Court of Justice was faced with an unfair term in a consumer credit contract, in which the guaranteed asset was the consumer’s home. When she faced the risk of an eviction and loss of her home, Mrs. Kušionová argued that the fundamental right to accommodation, as recognized in article 7 of the Charter, protected the consumer from procedures of enforcement that would entail her eviction, the auction of the property and, as a result, the loss of her home. The Court of Justice agreed and ruled that the enforcement could not carry on as a result of the Directive 93/13 (which says nothing about extrajudicial enforcements), as interpreted in light of the Charter. By relying on the Charter, the Court of Justice interpreted Directive 93/13 in a way that created a new provision, a rule of judicial creation, coherent with the Directive 93/13, but not included by the legislature in the articles of the legal text.

With the Great Repeal Bill, Mrs. Kušionová’s case would still apply in the UK because Directive 93/13 and the UK implementing legislation will be interpreted in light of the Court of Justice’s pre-Brexit case-law. And the judgment is Kušionová was rendered in 2014, so it will remain as part of UK law.

However, this will not be the case when it comes to interpret the 2014 Mortgage Credit Directive, which has not been interpreted yet by the Court of Justice (and will not be interpreted before Brexit). This Directive will be incorporated into UK Law as a result of the Great Repeal Bill, but it will be introduced with no case-law of the Court of Justice attached to it. Therefore, the right to protect the consumer’s home will be ensured when the substantial applicable rules are those under Directive 93/13 (Kušionová), but the consumer will be left all alone, in the hands of internal UK Law, when the same risk appears but the consumer can only rely on the Mortgage Credit Directive.

It is true that the Charter can only apply in Member States when there is another rule of EU Law at stake. But all EU lawyers know that the Charter is not only an interpretative tool for the application of EU Laws, but also a source of creation of new jurisprudential rules, closely attached to the EU rules governing the case. Kušionová is a good example of how the system works. It is also a good example of how unfair and regressive the Great Repeal Bill will be for millions of right-holders in the UK, particularly for the most vulnerable communities and individuals.

As every day goes by, we understand better what “take back control” means. In the area of fundamental rights, it means a lot. And the prospects are not very good for right-holders, despite the promises of the happy Brexiteers to keep rights untouched.

 

(*)  PROFESSOR AT THE UNIVERSITY COMPLUTENSE OF MADRID  Daniel Sarmiento is Professor of EU and Administrative Law at the Universidad Complutense of Madrid. Between 2007 and 2015 he was a legal secretary at the European Court of Justice. He currently devotes his research interests to European constitutional affairs, procedural law and fundamental rights. He is also a practising lawyer at Uría Menéndez, Madrid, where he counsels in EU Law.

Legally sophisticated authoritarians: the Hungarian Lex CEU

ORIGINAL PUBLISHED ON VERFASSUNGSBLOG

 (*)

On 28 March the Hungarian government tabled an amendment to the Act on National Higher Education in Parliament. Even though the draft is formulated in normative terms, the only targeted institution is the Central European University (CEU), founded by George Soros, one of the main enemies of the Viktor Orbán’s ‘illiberal state’. Michael Ignatieff, former professor of Harvard University’s John F. Kennedy School of Government, current president and rector of CEU assessed the draft as a discriminatory political vandalism, violating Hungarian academic freedom. Here I do not want to deal with the clear ideological and political motivations of the action of the current Hungarian Prime Minister, a that time liberal recipient of Soros’s financial support during his studies in Oxford three decades ago.

I want rather focus on the behavior of a contemporary authoritarian (or dictator, as Jean-Claude Juncker, the President of the European Commission once greeted him). As William Dobson argues is his book, The Dictator’s Learning Curve, “today’s dictators and authoritarians are far more sophisticated, savvy, and nimble that they once were”. They understand, as Orbán does, that in a globalized world the more brutal forms of intimidation are best replaced with more subtle forms of coercion. Therefore, they work in a more ambiguous spectrum that exists between democracy and authoritarianism, and from a distance, many of them look almost democratic, as the leader of Hungary, a Member State of the EU, does. Their constitutions, as the Fundamental Law of Hungary, often provide for a division of powers among the executive, the legislature, and the judiciary – at least on paper. They are also not particularly fearful of international organizations. Even a threat of foreign or international intervention and criticism can be a useful foil for stirring up nationalist passions and encouraging people to rally around the regime, as for Orbán, who claims to protect Hungary to became a colony of the EU. If necessary, they use the most refined European discourses, for instance about national constitutional identity, as the Orbán government did in order not to take part in any European efforts to solve the refugee and migration crisis. And as opposed to previous dictators of the old good times of totalitarian regimes, who just closed up organizations they did not like, without any scruples, today’s authoritarians take advantage of formalistic legal arguments against their enemies. The Russian authorities in the fall of 2016 revoked the educational license of the European University in St. Petersburg following unscheduled checks in the buildings referring to several violations against regulations, such as lack of fitness room and an information stand against alcoholism.

Similarly, the new draft law of the Hungarian government also uses legal tricks to force CEU to cease operation in Budapest. Such a clearly unacceptable requirement would be to open an additional campus in the State of New York. This wasn’t a condition in 1995, when CEU, holding a charter from the New York State Education Department, received its license to operate in Hungary from the Ministry of Culture and Education. Like other international universities chartered in the US, CEU does not maintain any academic or other programs in the United States. Moreover, in 2004 Hungary promulgated a special law on the establishment of Közép-európai Egyetem (KEE) as a Hungarian university, which was accredited by the Hungarian Accreditation Committee together with ten graduate and doctoral programs of the CEU as programs of KEE. Ever since the university has a dual legal entity, as KEE and CEU, but it is one university with only one campus, one academic staff, senate and rector, the latter appointed by the President of Hungary. According to the new law Hungarian universities could only deliver programs of European universities and not of countries from the OECD (including the US), therefore KEE, the Hungarian university could no longer deliver its single set program with CEU, which was allowed under the current law. 

The amendment if passed would make it impossible for CEU to continue its research and teaching activities, including its highly ranked comparative constitutional law LLM and SJD programs. This violates scientific freedom in Hungary, which on paper is still part of the Hungarian Fundamental Law. In the absence of an independent constitutional court in Hungary, the only domestic ‘remedy’ which one can imagine in an authoritarian regime is that the ‘wise leader’ graciously withdraws from his plan.

(*) Halmai, Gábor: Legally sophisticated authoritarians: the Hungarian Lex CEU, VerfBlog, 2017/3/31, http://verfassungsblog.de/legally-sophisticated-authoritarians-the-hungarian-lex-ceu/, DOI: https://dx.doi.org/10.17176/20170401-102552.

Parliamentary Tracker : the EP incoming resolution on the EU-USA (so called) “Privacy Shield”…

 

NOTA BENE : Below the text that will be submitted to vote at the next EP plenary. As in previous occasions the text is well drafted, legally precise and it confirms the high level of  competence that the European Parliament (and its committee LIBE) has developed along the last 17 years from the first inquiry on Echelon (2000), the Safe Harbor (2000), the EU-USA agreement on PNR (since 2003 a thirteen year long lasting saga…) the SWIFT agreement (2006) …

What is puzzling are the critics raised against the  so called “adequacy finding” mechanism which empowers the European Commission to decide if a third Country protect “adequately” the EU citizens personal data. The weaknesses of the Commission face to our strongest transatlantic ally  were already very well known when recently the parliamentarians have reformed the European legal framework on data protection in view of the new legal basis foreseen by the Treaties and in the art. 7 and 8 of the EU Charter.  However the EP did’nt try to strengthen the “adequacy” mechanism by transforming it at least in a “delegated” function (so that it would had been possible for the EP to block something which could had weackened our standards).

Now the US Congress is weakening the (already poor) US data protection and the new US administration will probably go in the same direction.  It seems to me to easy  to complain now on something that you had recently the chance to fix..

Let’s now hope that the Court of Justice by answering to the request for opinion on the EU-Canada PNR agreement will give to the EU legislator some additional recommendations but as an EU citizen I would had preferred a stronger EU legislation instead of been ruled by european or national Judges…

Emilio De Capitani

B8‑0235/2017 European Parliament resolution on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP))

The European Parliament,

–        having regard to the Treaty on European Union (TEU), the Treaty on the Functioning of the European Union (TFEU) and Articles 6, 7, 8, 11, 16, 47 and 52 of the Charter of Fundamental Rights of the European Union,

–        having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive)[1],

–        having regard to Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters[2],

–        having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)[3], and to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA[4],

–        having regard to the judgment of the Court of Justice of the European Union of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner[5],

–        having regard to the Commission communication to the European Parliament and the Council of 6 November 2015 on the transfer of personal data from the EU to the United States of America under Directive 95/46/EC following the judgment by the Court of Justice in Case C-362/14 (Schrems) (COM(2015)0566),

–        having regard to the Commission communication to the European Parliament and the Council of 10 January 2017 on Exchanging and Protecting Personal Data in a Globalised World (COM(2017)0007),

–        having regard to the judgment of the Court of Justice of the European Union of 21 December 2016 in Cases C-203/15 Tele2 Sverige AB v Post- och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson and Others[6],

–        having regard to Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield[7],

–        having regard to Opinion 4/2016 of the European Data Protection Supervisor (EDPS) on the EU-US Privacy Shield draft adequacy decision[8],

–        having regard to the Opinion of the Article 29 Data Protection Working Party of 13 April 2016 on the EU-US Privacy Shield draft adequacy decision[9] and its Statement of 26 July 2016[10],

–        having regard to its resolution of 26 May 2016 on transatlantic data flows[11],

–        having regard to Rule 123(2) of its Rules of Procedure,

  1. whereas the Court of Justice of the European Union (CJEU) in its judgment of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner invalidated the Safe Harbour decision and clarified that an adequate level of protection in a third country must be understood to be ‘essentially equivalent’ to that guaranteed within the European Union by virtue of Directive 95/46/EC read in the light of the Charter of Fundamental Rights of the European Union (hereinafter ‘the EU Charter’), prompting the need to conclude negotiations on a new arrangement so as to ensure legal certainty on how personal data should be transferred from the EU to the US;
  2. whereas, when examining the level of protection afforded by a third country, the Commission is obliged to assess the content of the rules applicable in that country deriving from its domestic law or its international commitments, as well as the practice designed to ensure compliance with those rules, since it must, under Article 25(2) of Directive 95/46/EC, take account of all the circumstances surrounding a transfer of personal data to a third country; whereas this assessment must not only refer to legislation and practices relating to the protection of personal data for commercial and private purposes, but must also cover all aspects of the framework applicable to that country or sector, in particular, but not limited to, law enforcement, national security and respect for fundamental rights;
  3. whereas transfers of personal data between commercial organisations of the EU and the US are an important element for the transatlantic relationships; whereas these transfers should be carried out in full respect of the right to the protection of personal data and the right to privacy; whereas one of the fundamental objectives of the EU is the protection of fundamental rights, as enshrined in the EU Charter;
  4. whereas in its Opinion 4/2016 the EDPS raised several concerns on the draft Privacy Shield; whereas the EDPS welcomes in the same opinion the efforts made by all parties to find a solution for transfers of personal data from the EU to the US for commercial purposes under a system of self-certification;
  5. whereas in its Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision the Article 29 Working Party welcomed the significant improvements brought about by the Privacy Shield compared with the Safe Harbour decision whilst also raising strong concerns about both the commercial aspects and access by public authorities to data transferred under the Privacy Shield;
  6. whereas on 12 July 2016, after further discussions with the US administration, the Commission adopted its Implementing Decision (EU) 2016/1250, declaring the adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield;
  7. whereas the EU-US Privacy Shield is accompanied by several letters and unilateral statements from the US administration explaining, inter alia, the data protection principles, the functioning of oversight, enforcement and redress and the protections and safeguards under which security agencies can access and process personal data;
  8. whereas in its statement of 26 July 2016, the Article 29 Working Party welcomes the improvements brought by the EU-US Privacy Shield mechanism compared with Safe Harbour and commended the Commission and the US authorities for having taken into consideration its concerns; whereas the Article 29 Working Party indicates, nevertheless, that a number of its concerns remain, regarding both the commercial aspects and the access by US public authorities to data transferred from the EU, such as the lack of specific rules on automated decisions and of a general right to object, the need for stricter guarantees on the independence and powers of the Ombudsperson mechanism, and the lack of concrete assurances of not conducting mass and indiscriminate collection of personal data (bulk collection);
  9. Welcomes the efforts made by both the Commission and the US administration to address the concerns raised by the CJEU, the Member States, the European Parliament, data protection authorities (DPAs) and stakeholders, so as to enable the Commission to adopt the implementing decision declaring the adequacy of the EU-US Privacy Shield;
  10. Acknowledges that the EU-US Privacy Shield contains significant improvements regarding the clarity of standards compared with the former EU-US Safe Harbour and that US organisations self-certifying adherence to the EU-US Privacy Shield will have to comply with clearer data protection standards than under Safe Harbour;
  11. Takes note that as at 23 March 2017, 1 893 US organisations have joined the EU-US Privacy Shield; regrets that the Privacy Shield is based on voluntary self-certification and therefore applies only to US organisations which have voluntarily signed up to it, which means that many companies are not covered by the scheme;
  12. Acknowledges that the EU-US Privacy Shield facilitates data transfers from SMEs and businesses in the Union to the US;
  13. Notes that, in line with the ruling of the CJEU in the Schrems case, the powers of the European DPAs remain unaffected by the adequacy decision and they can, therefore, exercise them, including the suspension or the ban of data transfers to an organisation registered with the EU-US Privacy Shield; welcomes in this regard the prominent role given by the Privacy Shield Framework to Member State DPAs to examine and investigate claims related to the protection of the rights to privacy and family life under the EU Charter and to suspend transfers of data, as well as the obligation placed upon the US Department of Commerce to resolve such complaints;
  14. Notes with satisfaction that under the Privacy Shield Framework, EU data subjects have several means available to them to pursue legal remedies in the US: first, complaints can be lodged either directly with the company or through the Department of Commerce following a referral by a DPA, or with an independent dispute resolution body, secondly, with regard to interferences with fundamental rights for the purpose of national security, a civil claim can be brought before the US court and similar complaints can also be addressed by the newly created independent Ombudsperson, and finally, complaints about interferences with fundamental rights for the purposes of law enforcement and the public interest can be dealt with by motions challenging subpoenas; encourages further guidance from the Commission and DPAs to make those legal remedies all the more easily accessible and available;
  15. Acknowledges the clear commitment of the US Department of Commerce to closely monitor the compliance of US organisations with the EU-US Privacy Shield Principles and their intention to take enforcement actions against entities failing to comply;
  16. Reiterates its call on the Commission to seek clarification on the legal status of the ‘written assurances’ provided by the US and to ensure that any commitment or arrangement foreseen under the Privacy Shield is maintained following the taking up of office of a new administration in the United States;
  17. Considers that, despite the commitments and assurances made by the US Government by means of the letters attached to the Privacy Shield arrangement, important questions remain as regards certain commercial aspects, national security and law enforcement;
  18. Specifically notes the significant difference between the protection provided by Article 7 of Directive 95/46/EC and the ‘notice and choice’ principle of the Privacy Shield arrangement, as well as the considerable differences between Article 6 of Directive 95/46/EC and the ‘data integrity and purpose limitation’ principle of the Privacy Shield arrangement; points out that instead of the need for a legal basis (such as consent or contract) that applies to all processing operations, the data subject rights under the Privacy Shield Principles only apply to two narrow processing operations (disclosure and change of purpose) and only provide for a right to object (‘opt-out’);
  19. Takes the view that these numerous concerns could lead to a fresh challenge to the decision on the adequacy of the protection being brought before the courts in the future; emphasises the harmful consequences as regards both respect for fundamental rights and the necessary legal certainty for stakeholders;
  20. Notes, amongst other things, the lack of specific rules on automated decision-making and on a general right to object, and the lack of clear principles on how the Privacy Shield Principles apply to processors (agents);
  21. Notes that, while individuals have the possibility to object vis-à-vis the EU controller to any transfer of their personal data to the US, and to the further processing of those data in the US where the Privacy Shield company acts as a processor on behalf of the EU controller, the Privacy Shield lacks specific rules on a general right to object vis-à-vis the US self-certified company;
  22. Notes that only a fraction of the US organisations that have joined the Privacy Shield have chosen to use an EU DPA for the dispute resolution mechanism; is concerned that this constitutes a disadvantage for EU citizens when trying to enforce their rights;
  23. Notes the lack of explicit principles on how the Privacy Shield Principles apply to processors (agents), while recognising that all principles apply to the processing of personal data by any US self-certified company ‘[u]nless otherwise stated’ and that the transfer for processing purposes always requires a contract with the EU controller which will determine the purposes and means of processing, including whether the processor is authorised to carry out onward transfers (e.g. for sub-processing);
  24. Stresses that, as regards national security and surveillance, notwithstanding the clarifications brought by the Office of the Director of National Intelligence (ODNI) in the letters attached to the Privacy Shield framework, ‘bulk surveillance’, despite the different terminology used by the US authorities, remains possible; regrets the lack of a uniform definition of the concept of bulk surveillance and the adoption of the American terminology, and therefore calls for a uniform definition of bulk surveillance linked to the European understanding of the term, where evaluation is not made dependent on selection; stresses that any kind of mass surveillance is in breach of the EU Charter;
  25. Recalls that Annex VI (letter from Robert S. Litt, ODNI) clarifies that under Presidential Policy Directive 28 (hereinafter ‘PPD-28’), bulk collection of personal data and communications of non-US persons is still permitted in six cases; points out that such bulk collection only has to be ‘as tailored as feasible’ and ‘reasonable’, which does not meet the stricter criteria of necessity and proportionality as laid down in the EU Charter;
  26. Deplores the fact that the EU-US Privacy Shield does not prohibit the collection of bulk data for law enforcement purposes;
  27. Stresses that in its judgment of 21 December 2016, the CJEU clarified that the EU Charter ‘must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’; points out that the bulk surveillance in the US therefore does not provide for an essentially equivalent level of the protection of personal data and communications;
  28. Is alarmed by the recent revelations about surveillance activities conducted by a US electronic communications service provider on all emails reaching its servers, upon request of the National Security Agency (NSA) and the FBI, as late as 2015, i.e. one year after Presidential Policy Directive 28 was adopted and during the negotiation of the EU-US Privacy Shield; insists that the Commission seek full clarification from the US authorities and make the answers provided available to the Council, Parliament and national DPAs; sees this as a reason to strongly doubt the assurances brought by the ODNI; is aware that the EU-US Privacy Shield rests on PPD-28, which was issued by the President and can also be repealed by any future President without Congress’s consent;
  29. Expresses great concerns at the issuance of the ‘Procedures for the Availability or Dissemination of Raw Signals Intelligence Information by the National Security Agency under Section 2.3 of Executive Order 12333’, approved by the Attorney General on 3 January 2017, allowing the NSA to share vast amounts of private data gathered without warrants, court orders or congressional authorisation with 16 other agencies, including the FBI, the Drug Enforcement Agency and the Department of Homeland Security; calls on the Commission to immediately assess the compatibility of these new rules with the commitments made by the US authorities under the Privacy Shield, as well as their impact on the level of personal data protection in the United States;
  30. Deplores the fact that neither the Privacy Shield Principles nor the letters of the US administration providing clarifications and assurances demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to a US organisation under the Privacy Shield Principles and further accessed and processed by US public authorities for law enforcement and public interest purposes, which were emphasised by the CJEU in its judgment of 6 October 2015 as the essence of the fundamental right in Article 47 of the EU Charter;
  31. Recalls its resolution of 26 May 2016 stating that the Ombudsperson mechanism set up by the US Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry out its duties and provide effective redress to EU individuals; notes that according to the representations and assurances provided by the US Government the Office of the Ombudsperson is independent from the US intelligence services, free from any improper influence that could affect its function and moreover works together with other independent oversight bodies with effective powers of supervision over the US Intelligence Community; is generally concerned that an individual affected by a breach of the rules can apply only for information and for the data to be deleted and/or for a stop to further processing, but has no right to compensation;
  32. Regrets that the procedure of adoption of an adequacy decision does not provide for a formal consultation of relevant stakeholders such as companies, and in particular SMEs’ representation organisations;
  33. Regrets that the Commission followed the procedure for adoption of the Commission implementing decision in a practical manner that de facto has not enabled Parliament to exercise its right of scrutiny on the draft implementing act in an effective manner;
  34. Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 16 May 2018, and with the EU Charter;
  35. Calls on the Commission to ensure, in particular, that personal data that has been transferred to the US under the Privacy Shield can only be transferred to another third country if that transfer is compatible with the purpose for which the data was originally collected, and if the same rules of specific and targeted access for law enforcement apply in the third country;
  36. Calls on the Commission to monitor whether personal data which is no longer necessary for the purpose for which it had been originally collected is deleted, including by law enforcement agencies;
  37. Calls on the Commission to closely monitor whether the Privacy Shield allows for the DPAs to fully exercise all their powers, and if not, to identify the provisions that result in a hindrance to the DPAs’ exercise of powers;
  38. Calls on the Commission to conduct, during the first joint annual review, a thorough and in-depth examination of all the shortcomings and weaknesses referred to in this resolution and in its resolution of 26 May 2016 on transatlantic data flows, and those identified by the Article 29 Working Party, the EDPS and the stakeholders, and to demonstrate how they have been addressed so as to ensure compliance with the EU Charter and Union law, and to evaluate meticulously whether the mechanisms and safeguards indicated in the assurances and clarifications by the US administration are effective and feasible;
  39. Calls on the Commission to ensure that when conducting the joint annual review, all the members of the team have full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes;
  40. Stresses that all members of the joint review team must be ensured independence in the performance of their tasks and must be entitled to express their own dissenting opinions in the final report of the joint review, which will be public and annexed to the joint report;
  41. Calls on the Union DPAs to monitor the functioning of the EU-US Privacy Shield and to exercise their powers, including the suspension or definitive ban of personal data transfers to an organisation in the EU-US Privacy Shield if they consider that the fundamental rights to privacy and the protection of personal data of the Union’s data subjects are not ensured;
  42. Stresses that Parliament should have full access to any relevant document related to the joint annual review;
  43. Instructs its President to forward this resolution to the Commission, the Council, the governments and national parliaments of the Member States and the US Government and Congress.

NOTES
[1] OJ L 281, 23.11.1995, p. 31.
[2] OJ L 350, 30.12.2008, p. 60.
[3] OJ L 119, 4.5.2016, p. 1.
[4] OJ L 119, 4.5.2016, p. 89.
[5] ECLI:EU:C:2015:650.
[6] ECLI:EU:C:2016:970.
[7] OJ L 207, 1.8.2016, p. 1.
[8] OJ C 257, 15.7.2016, p. 8.
[9] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf
[10] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf
[11] Texts adopted, P8_TA(2016)0233.

What is the point of minimum harmonization of fundamental rights? Some further reflections on the Achbita case.

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

Eleanor Spaventa, Director of the Durham European Law Institute and Professor of European Law, Law School, Durham University

Ronan McCrea has already provided a very thoughtful analysis of the headscarf cases; this contribution seeks to complement that analysis by focusing on two issues arising from the Achbita case: first of all, the structural problems with the ruling of the Court, both in terms of reasoning and for the lack of information provided; secondly, the more general implications of the ruling for fundamental rights protections and the notion of minimum harmonization in the EU context.

It might be recalled that in the Achbita case a Muslim woman was dismissed from her employer for refusing to remove her headscarf, contrary to the employer’s policy of neutrality, which included a ban on wearing religious symbols. The case then centred on the interpretation of the framework discrimination Directive (2000/78) which prohibits, inter alia, discrimination on grounds of religion. The Belgian and French Government (which had a direct interest because of the Bougnaoui case) intervened in favour of the employee, believing that the discrimination at issue was not justified (Achbita opinion, para 63). The Court, following the Opinion of AG Kokott, found that the rules at issue might constitute indirect discrimination; that the employer’s aim to allegedly maintain neutrality was a legitimate aim as it related to its freedom to conduct a business as protected by Article 16 Charter. It then indicated that the policy was proportionate, if applied with some caveats.

The reasoning of the Court – some structural deficiencies

The headscarf cases are of fundamental importance to the European Union and to all of its citizens, not only those who practice a non-dominant religion, and as such have been widely reported even outside of the EU. One might have expected the Court to engage with a more thorough analysis of the parties’ submissions and of the issues at stake. Instead, we have two very short rulings with very little detail. Just to give an important example – in both cases the French and the Belgian governments sided with the claimants, hence drawing a very important conceptual limit to the principle of laïcité which is justified, in this view, because of the very nature of the State and its duty of neutrality, a duty which cannot be extended to private parties (or if so only exceptionally). This important distinction is not discussed in the ruling, not are the views of the governments who would be directly affected by the rulings.

More importantly though, the fact that the arguments of the parties are not recalled has also more general consequences: as it has been noted by Bruno De Witte elsewhere, the fact that no hermeneutic alternative is provided might give the impression that no hermeneutic alternative is in fact possible, as if legal interpretation is simply a matter of discovering the true hidden meaning of a written text. This approach, not uncommon in civil law jurisdiction but more nuanced in constitutional cases, hides the fact that, especially in cases of constitutional significance, there is more than one legitimate interpretative path that could be chosen, which also reflect different policy alternatives. Interpretation then is also a choice between those different paths: a choice which is, of course, constrained by the relevant legal system and one that might be more or less persuasive.  The failure to acknowledge counter-arguments then results in rulings, like the ones here at issue and many others in sensitive areas, which are not only potentially unhelpful, but also close the door to more effective scrutiny of the reasons that lead the Court to follow a given interpretation.

In the same vein, the analysis of the discriminatory nature of these provisions is rather superficial. In particular, there is no thought given to the fact that contractual clauses allegedly protecting a principle of neutrality, might not only have a discriminatory effect against certain individuals, but might have important inter-sectional (or multiple) discriminatory effects. In other words, a rule banning religious symbols might in fact also have a more pronounced effect on people from a certain ethnic background or a certain gender. Equally disappointing, and in this writer’s opinion legally flawed, is the approach taken in relation to the finding of the potentially indirectly discriminatory effects of the rules at issue. Here, the Court requires the national courts to determine whether the ‘apparently neutral obligation [(not to wear religious symbols)] (…) results in fact in persons adhering to a particular religion or belief being put at a particular disadvantage.” (para 34, emphasis added).

There are two issues to be noted here: first of all, the Court remains silent as to what type of evidence of indirect discrimination is required, and by whom. In discrimination cases, burden of proof is crucial. This is recognised by the discrimination directives at EU level, including Directive 2000/78 which provides that if the claimant shows direct or indirect discrimination, then it is for the ‘respondent to prove that there has been no breach of the principle of non-discrimination’ (Article 10(1)). One would have expected then the Court of Justice to instruct the national court to require the defendants to discharge this duty with a certain rigour, also by means of statistical analysis of the effect of such policies on religious minorities. Yet, the Court does not even engage with this question.

Secondly, and not less important, the Court seems to imply that a rule that discriminates all religious people would not be problematic. For instance if, say, Muslims and Orthodox Jews were equally discriminated against, whilst non-religious persons were unaffected, then, based on the dicta of the Court, there would be no discrimination. This interpretation seems restrictive and not supported by the text of the directive (or the Charter) that refers to discrimination on grounds of religion in general. In any event, in discrimination cases it is crucial to identify the comparator, and the Court fails to do so clearly and to support its choice with sound legal arguments. But, beside these very important structural issues, the Achbita ruling raises other more technical as well as general issues, as to the extent to which the Court’s interpretation might affect the Member States’ discretion to provide more extensive protection that that provided for in the Directive.

Minimum harmonization and fundamental rights

Directive 2000/78 is intended only to set minimum standards, so that Member States can, if they so wish, provide for a more extensive protection. Indeed many Member States have done so by extending either the protected categories of people, or the field of application of the legislation, or both. In theory then, the Achbita ruling should not be seen as the last word in relation to the treatment of religious people at work. After all, if Belgium or France or any other country finds the ruling problematic, it can simply pass legislation prohibiting private employers from requiring religious neutrality from its employees, unless of course a specific dress code is necessary to ensure the health and safety of the worker or the public. Viewed in this way, and notwithstanding the structural problems identified above, the ruling seems very sensible: it is agnostic, in that it does not impose either model on Member States, allowing therefore a degree of variation in a very sensitive area, something which, as eloquently discussed in McCrea’s post, might not be a bad thing. After all, this is the same path that has been taken by the European Court of Human Rights.

However, things are slightly more complicated in the European Union context. In particular there is nothing in the ruling to indicate that the Directive sets only minimum standards so that it would be open to those Member States to go further in protecting people holding religious beliefs. And, more crucially, the Court, mirroring the opinion of Advocate General Kokott, refers to the EU Charter of Fundamental Rights when assessing the legitimacy of the justification put forward by the employer. In particular, it finds that the business’s wish to ‘project an image of neutrality (…) relates to the freedom to conduct a business that is recognised in Article 16 of the Charter and is, in principle, legitimate’.

The reference to the Charter, which indirectly frames the question as a clash of fundamental rights, is important because, in the EU context, when the Charter applies it sets the fundamental rights standard. In simpler terms this means that should a Member State wish to provide more extensive protection to ensure that employees are not discriminated on grounds of their religious belief, something that is allowed under Directive 2000/78, it might be prevented from doing so since, pursuant to the Achbitaruling, it would infringe the right to conduct a business as protected by the Charter. In this way, far from leaving the desired flexibility and discretion to the Member States, the Court sets the standard – employers have a fundamental right, albeit with some limitations, to limit the employees’ right not to be discriminated against. One might well ask then, much as it has been remarked in relation to the Alemo Herron case, what is the point of minimum harmonization directives if the upward discretion of the Member States is so curtailed.

Conclusions

The Court of Justice did not have an easy task in the Achbita case: it was pretty much a ‘damned if you do, damned if you don’t’ scenario. For sure, some of us would have liked the balance at issue to be tilted firmly in favour of religious minorities, especially given the growing evidence of attacks and discrimination against, particularly, Muslim women. The Court chose a different path and that is, of course, within its prerogatives. However, the way that path was trodden upon leaves many open questions both in relation to the way the result was achieved, and to the many questions it overlooks. What is most troubling is the implication that the freedom of Member States to provide greater protection towards minorities may, in principle, be constrained by the Court’s interpretation of the freedom to conduct a business.

Barnard & Peers: chapter 9, chapter 20

 

Headscarf bans at work: explaining the ECJ rulings

ORIGINAL PUBLISHED ON EU LAW ANALYSIS ON TUESDAY, 14 MARCH 2017

Professor Steve Peers

When can employers ban their staff from wearing headscarves? Today’s rulings of the ECJ have attracted a lot of attention, some of it confused. There have been previous posts on this blog about the background to the cases, and about the non-binding opinions of Advocates-General, and there will hopefully be further more analytical pieces about today’s judgments to come. But this post is a short explanation of the rulings to clear up any confusion.

Background

The EU has long had laws on sex discrimination, and discrimination regarding EU citizens on grounds of nationality. Since 2000, it has also had laws against race discrimination and also a ‘framework directive’ against discrimination at work on grounds of disability, age, sexual orientation or religion. The ECJ has often been called upon to rule on the first three of those grounds, but today’s two judgments (G4S v Achbita and Bougnaoui) are the first time it has been asked to rule on non-discrimination at work on religious grounds.

EU law does not generally apply to other aspects of religion, except that EU law on asylum applies to people who have been persecuted on religious grounds. So today’s judgments are not relevant as regards regulating religion in education, for instance.

It should also be noted that the European Convention on Human Rights (ECHR) protects the freedom of religion.  The European Court of Human Rights – a separate body – has previously ruled on how that freedom applies in the workplace, concluding that in some cases employers must allow employees who wish to wear religious symbols (see Eweida v UK, for example).

The rulings

The G4S ruling is the more significant of the two cases, in which the ECJ’s reasoning is most fully set out. First the Court rules that clothing worn for religious reasons is an aspect of religious belief. Then it concludes that there was no direct discrimination (ie discrimination purely on religious grounds) against Ms. Achbita, who was not allowed to wear a headscarf when dealing with customers, because her employer had a general ban on any employee display of religious or political belief.

Next, the ECJ ruled on whether there was any indirect discrimination (ie discrimination not on religious grounds, but which affected people of a particular religion more than others). Such discrimination can be ‘objectively justified by a legitimate aim…if the means of achieving that aim are appropriate and necessary.’ In the Court’s view, the national court which had asked the ECJ these questions should consider that an employer’s ‘neutrality’ policy regarding customers was ‘legitimate’, and was part of its ‘freedom to conduct a business’.

However, such as policy had to be ‘systematic’ and ‘undifferentiated’ as regards different beliefs. It also should be considered whether it was limited to those workers who ‘interact with customers’, and whether it would have been possible to reassign the employee to a different role without ‘visual contact’ with customers, without the employer taking on an extra burden.

In the second case, the Court ruled that employers could not discriminate due to a customer request that employees not wear a headscarf.  This was not ‘a genuine and determining occupational requirement’ that could justify reserving a job to those who did not wear headscarves.

Summary

The ECJ’s rulings must be applied by the two national courts that requested it to rule. They are also binding more generally on the courts of all 28 EU Member States.

In principle the rulings mean that employers may ban employees from wearing headscarves, but only in certain cases. First of all, the cases only concern customer-facing employees, on condition that the employer has a ‘neutrality’ policy. The ECJ was not asked to rule on other groups of employees, but its rulings indicate that it would be more difficult, if not impossible, to justify bans in those cases. Nor was it asked to clarify further what a ‘customer-facing’ employee is exactly.

A neutrality policy mean an employer also has to ban other religious or political symbols worn by customer-facing employees. So no kippas, no crucifixes, no turbans – and no icons of Richard Dawkins either. This could be rather awkward in light of the human rights case law referred to above, which says wearing crucifixes (for instance) is sometimes an aspect of an employee’s right to manifest her freedom of religion.

There is a thin line between saying that employee headscarves can’t be banned just because customers ask for it on the one hand, and allowing employers to ban such clothing in effect due to anticipation of customer reaction. In practice this might prove something of a legal fiction.

The bottom line is that today’s judgments do not constitute a ‘workplace headscarf ban’, but merely permit employers to establish such a ban – subject to limits which might prove difficult to comply with in practice.