2. Values & principles of the European Union – Page 11 – European Area of Freedom Security & Justice

SCHREMS CASE : The Essence of Privacy, and Varying Degrees of Intrusion

ORIGINAL PUBLISHED IN VERFASSUNGBLOG ON Wed 7 Oct 2015

by Martin Scheinin

This brief comment will address the 6 October 2015 CJEU Grand Chamber ruling inMax Schrems, asking what it tells us about the status of two fundamental rights in the EU legal order, namely the right to the respect for private life (privacy) and the right to the protection of personal data (EU Charter of Fundamental Rights, Articles 7 and 8, respectively). The ruling must be read together with the 8 April 2014 ruling inDigital Rights Ireland where Articles 7 and 8 were discussed side by side.

Although the Max Schrems ruling contains many references to personal data, it does not really discuss the right to the protection of personal data as a distinct fundamental right. Article 8 of the Charter is mentioned in the dispositive part of the ruling but not for instance in what I would call the main finding by the Court which refers only to Article 7:

In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter…

The outcome of the case – declaring Commission’s Safe Harbor Decision 2000/52 invalid – flows from this finding of a breach of the essence of the right to privacy when we are dealing with indiscriminate blanket access to data. In Digital Rights Ireland the CJEU had already indicated (paras. 39-40) that blanket access to ‘content’ would trigger the application of the essence clause in Article 52 (1.1) of the Charter, while surveillance, even indiscriminate mass surveillance, based on even complex use of various categories of metadata amounted to a “particularly serious interference” (Digital Rights Ireland, para. 65) with fundamental rights but did not trigger the application of the essence clause. The Court’s distinction between ‘content’ and ‘metadata’ can be criticized, and it was indeed relativised by the Court itself in Digital Rights Ireland (para. 27).

What is now remarkable in Max Schrems is that

a) the Court actually identified the intrusion in question as falling under the notion of the essence of privacy – something the European Court of Human Rights has never done under the privacy provision of ECHR Article 8, and

b) the identification of an intrusion as compromising the essence of privacy meant that there was no need for a proportionality assessment under Article 52 (1.2) of the Charter.

This can be contrasted with theDigital Rights Ireland judgment (para. 69) where the final outcome was based on the application of a proportionality test. For these reasons, the Max Schrems judgment is a pathbreaking development, a major contribution to the understanding of the structure and legal effect of fundamental rights under the Charter. Digital Rights Ireland indicated where the path would go, and now the Court actually went that way.

An equally important contribution is documented in the same paragraph, namely that mere “access” to communications by public authorities) constitutes an interference. Notably, Article 8 (2) of the Charter uses the notion of “processing” when defining the fundamental right to the protection of personal data. Surveillance advocates might have until the Max Schrems ruling enjoyed some credibility with their claims that mere access does not amount to processing, and therefore mere access to the flow of communications does not amount to an intrusion until the automated selectors and algorithms have made their job and the human eye starts to “process” a much more narrow set of data. Now we know, that mere access is an intrusion into privacy, and even into the essence of privacy when it provides for indiscriminate access to ‘content’.

This gives rise to the next question, whether the Max Schrems rationale will only apply to the “transfer” of data from Europe to “servers” in the United States. This was the factual basis of the case, as reflected in paragraphs 2 and 31. The CJEU was asked a question about data transfers from Europe to Facebook servers in the US under the Safe Harbor arrangement, and it responded to that question. It did not address the scenario of “upstream” access to data flows through the splitting of fiber-optic cables to obtain generic access to all data that passes through transatlantic cables just because the Internet is built in the way that a lot of traffic ends up going through those cables. It would indeed be difficult to bring a case to the CJEU that would address this scenario.

Nevertheless, paragraph 94 quoted above is formulated in a way that gives a generic answer concerning the contours of the right to privacy under Article 7 of the EU Charter: yes, also access through the upstream method of capturing the data flow in a fibre-optic cable is to be regarded as compromising the essence of privacy and therefore as prohibited under the Charter, without a need even to engage in a proportionality analysis. It may be hard to get a case to the CJEU but the content of the substantive norm under Article 7 of the Charter is now clear. One can on good grounds expect that the European Court of Human Rights will now be prepared to follow the lead of the CJEU and draw the same conclusion under ECHR Article 8.

In closing, I dare to present the view that the Digital Rights Ireland and Max Schremsrulings taken together provide verification and demonstration of the utility of the methodology we developed in the SURVEILLE project where we produced a general framework for the holistic assessment of surveillance technologies for their security benefit, cost efficiency, moral hazards and fundamental rights intrusion. In short, in our model an intrusion into the essence of privacy would by definition produce the highest possible fundamental rights intrusion score which is, again by definition, higher than the maximum usability score and would therefore make redundant any proportionality assessment. Other types of intrusion – even particularly serious ones – would be assessed through giving separate scores to the importance of a fundamental right in a given situation and the depth of the intrusion into the same right as created by surveillance, and by then comparing the resulting fundamental right intrusion score against the usability score based on technology assessment. Here, a proportionality assessment is needed, even if the highest possible intrusion scores will be so high that the benefits obtained through surveillance cannot in practice outweigh them. Similarly to the CJEU in the Digital Rights Ireland case, the outcome will be that crude methods of mass surveillance, even when not triggering the essence clause, will be assessed as unlawful.

Dieser Text steht unter der Lizenz CC BY NC ND

(http://creativecommons.org/licenses/by-nc-nd/4.0/legalcode)

Angela Merkel au Parlement européen, des paroles aux actes ?

ORIGINAL PUBLISHED ON CDRE (12 OCTOBER 2015)

par Henri Labayle,

Le discours prononcé par Angela Merkel devant le Parlement européen, 7 octobre 2015 aux cotés de François Hollande, est remarquable en tous points. Au delà du symbole d’une intervention du couple franco-allemand, qui n’était d’ailleurs peut être pas le meilleur signal à envoyer à ceux que l’on tentait de convaincre, cette prise de parole publique devant les représentants des peuples européens ne manque pas de sens.

Il était donc naturel d’en souligner l’impact, partageant le sentiment d’un Jürgen Habermas « aussi surpris que réjoui » par le positionnement allemand face à la crise des réfugiés dans l’Union.

L’intervention de la chancelière allemande traduit en effet une constance politique qui mérite le respect et elle annonce des évolutions techniques qui suscitent l’interrogation.

1. La constance

Angela Merkel persiste et signe, est-on obligé de souligner. Malgré une vague grandissante de critiques, confrontée à une fronde plus ou moins larvée au sein de sa propre majorité et à une crispation évidente de l’opinion publique allemande que traduisent des sondages récents, la chancelière n’a pas dévié d’un pouce quant au terrain sur lequel elle entendait se placer et entraîner à sa suite l’Union européenne.

Ce dernier est le seul concevable, il est celui des valeurs de l’Union européenne qui, aux termes des traités, la « fondent » et « sont communes aux Etats membres » et dont l’Union doit assurer la« promotion ». C’est à ces valeurs et à la dignité de l’être humain que s’est référée explicitement la chancelière allemande le 31 aout lorsque la crise matérielle de l’asile s’est transportée sur le terrain institutionnel.

Aussi, tenir le cap politique en faisant valoir qu’à l’inverse de ce que l’on entend ici et là, le débat ne se pose pas en termes d’opportunité mais d’obligation morale autant que juridique est un discours responsable. Tout autant que l’est le propos répétant qu’isolément les Etats sont impuissants et que la réponse collective est la seule envisageable. Effectivement, « céder à la tentation de rétrograder, d’agir à une échelle nationale » serait une erreur historique et il convient politiquement « d’assumer l’attrait de l’Europe ».

Tel est le bon angle d’attaque du débat public. Faut-il en effet rappeler que, depuis le traité de Maastricht qui la considérait comme une « question d’intérêt commun » jusqu’à l’affirmation d’une « politique commune d’asile » à Amsterdam, l’accueil des demandeurs de protection internationale s’est européanisé au point de nécessiter une seconde génération des textes composant le régime d’asile commun ? Les articles 18 et 19 de la Charte se bornent à en tirer les conséquences.

Du reste, et à supposer que le niveau européen de cette protection du droit d’asile soit discutable, comment oublier les contraintes pesant sur la totalité des Etats membres de l’Union en raison de leur adhésion à la Convention de Genève comme à celle des droits de l’Homme ? Enfin et au delà de la France et de la République fédérale et pour n’en rester qu’aux Etats membres récalcitrants, comment nier l’autorité de la proclamation de ce même droit d’asile par les textes constitutionnels en Hongrie (article 14), en Pologne (article 56) ou en Slovaquie (article 53) ?

Aussi, prétendre mener la contestation des mesures arrêtées dans l’Union en matière de relocalisation des réfugiés au nom du respect de la légalité, comme semble vouloir le faire la Slovaquie, témoigne d’une curieuse vision de la Communauté de droit à laquelle on appartient, par delà les arguments techniques ou procéduraux fondés ou non.

Cette constance avait également animé auparavant le propos remarquable du Président de la Commission, le 9 septembre dans son discours sur l’état de l’Union prononcé lui aussi devant le Parlement européen.

Rappelant le poids de l’Histoire du continent européen, avant, pendant comme après le second conflit mondial, le chef de l’exécutif communautaire a choisi de mettre l’accent sur « le respect de nos valeurs communes et de notre histoire » après avoir resitué l’ampleur de l’effort à accomplir. Soulignant l’impact du contexte international autant que les enjeux d’une sous-estimation des besoins de protection, Jean Claude Juncker a ainsi redonné sa signification politique à la fonction qu’il exerce, enfin.

Ce faisant, l’alliance des deux acteurs principaux de l’Union n’aurait pu produire d’effet sans le relais efficace d’une présidence luxembourgeoise renouant avec la tradition qui veut qu’une présidence assurée par un petit Etat membre soit souvent des plus productives. Là encore, la brusque accélération du dossier législatif « relocalisation » en a tiré le bénéfice, les deux décisions de relocalisation ayant été publiées et commençant à prendre effet.

Pour autant, la constance du discours est-elle annonciatrice de véritables changements dans la politique d’asile de l’Union européenne ou bien faut-il en douter, à l’image de certains commentaires médiatiques au lendemain de ce discours regrettant l’absence de mesures concrètes ?

2. Le changement

D’ores et déjà, il est en marche. La conduite du dossier législatif de la relocalisation en est précisément une manifestation douloureuse pour les partisans de la méthode intergouvernementale.

On sait en effet la grande relativité de la communautarisation des procédures législatives. Malgré l’appellation des traités, la « procédure législative ordinaire » qui voudrait que la majorité qualifiée et l’accord du Parlement soient la règle en matière d’asile et d’immigration est passablement différente dans la pratique décisionnelle. La culture du consensus qui anime les diplomates qui se prétendent législateurs les amène ainsi à préférer les pratiques anciennes, celles qui consistent à ne pas forcer les Etats membres, conduits au pire à se réfugier dans l’abstention.

Ainsi, le 20 juillet 2015, une « décision des représentants des gouvernements des Etats membres réunis au sein du Conseil» c’est-à-dire un acte non pas de l’Union mais un acte engageant simplement les Etats collectivement (CJUE, 30 juin 1993, Parlement c. Conseil et Commission, C-181/91 et C-248/91, point 25) a permis de surmonter, par consensus, les désaccords entre Etats et d’adopter la décision2015/1523 procédant à la relocalisation de 40 000 personnes à partir de la Grèce et de l’Italie.

En revanche, le retour à l’orthodoxie communautaire s’est avéré bien plus pratique lorsqu’il a fallu surmonter l’opposition résolue de quatre Etats membres : la décision 2015/1601 du 22 septembre 2015 a donc été adoptée selon les voies classiques du traité et même en utilisant la procédure de vote à la majorité qualifiée … Signe de l’ampleur des désaccords, les conclusions de cette réunion ont été présentées par le ministre luxembourgeois comme « celles de la Présidence » et non du Conseil …

La seconde marque de changement a frappé l’espace Schengen. Improprement présenté comme relevant des « accords de Schengen », présentation ambiguë qui pourrait laisser penser que ces accords peuvent être dénoncés, le droit de l’espace Schengen repose d’une part sur les articles 67 et 77 TFUE qui garantissent l’absence de contrôles aux frontières intérieures et, d’autre part, sur le règlement 562/2006 dit « Code Frontières Schengen » tel que modifié en 2013.

Ce dispositif de près de trente ans n’avait pas été conçu pour résister à une pression de l’ampleur de celle traversée par l’Union en cet été 2015. Il a donc volé en éclats tant à propos de la capacité des Etats membres à assumer leurs responsabilités de contrôles des frontières extérieures qu’en ce qui concerne l’interdiction d’exercer des contrôles nationaux aux frontières intérieures. Le rétablissement temporaire des contrôles aux frontières intérieures décidé par plusieurs Etats membres, de la Slovénie et l’Autriche avec l’aval de la Commission, conformément à l’article 25 du Code, a fait clairement ressortir la réalité.

Elle est double : d’une part, l’absence de modification substantielle d’un mécanisme conçu à 5 pour s’appliquer à 30 Etats est devenue clairement problématique, d’autre part, le maintien d’un espace de libre circulation intérieure dépend évidemment d’un renforcement effectif des contrôles aux frontières extérieures. Ce second constat ne connaît qu’une issue, à espace européen constant en tous cas : une gestion plus intégrée de ces frontières. Là encore, dès le début septembre comme au Parlement européen, la chancelière allemande n’a pas masqué la gravité de cet enjeu.

Troisième signe de changement, le plus lourd de signification sans doute, la remise en question du système dit de Dublin. Mal dénommé car né en réalité dans le chapitre VII de la convention d’application des accords de Schengen de 1990, ce système pose le principe du traitement unique de la demande d’asile. Critiqué à juste titre, d’une efficacité pour le moins douteuse comme en témoigne le dernier rapport d’AIDA, mis en cause jusqu’au Conseil de l’Europe, le système Dublin a connu diverses réformes mais n’a jamais été remis en question par principe.

La raison en est simple : il fait peser l’essentiel de la charge sur les Etats que le hasard de la géographie a mis au contact de la pression migratoire extérieure. Ceci sans aucune mesure avec leurs capacités de réponse, la Grèce étant un exemple caricatural de cette situation. Les Etats de seconde ligne, malgré ces dysfonctionnements, y trouvaient bon gré mal gré un certain confort et même si, dans les faits, le système n’a pas fonctionné comme on l’a vu en Italie ou en Grèce.

D’où une difficulté à accepter l’idée d’un changement, malgré le coup de tonnerre provoqué par l’ouverture des frontières allemandes, clairement en contradiction avec cet état du droit.

Cet attachement au dispositif Dublin s’est manifesté jusqu’au dernier moment. Ainsi, la réunion informelle des chefs d’Etat et de gouvernement du 23 septembre rappelait-elle que « nous devons tous respecter, appliquer et mettre en œuvre nos règles existantes, y compris le règlement de Dublin et l’acquis de Schengen ». De même, le dispositif de relocalisation adopté comme en préparation est-il présenté comme une « dérogation » au mécanisme de Dublin. Enfin, et sans que l’on voie exactement où elle entend se diriger, la Commission promet d’ouvrir le chantier de la réforme de Dublin en « mars 2016 ».

Sans tir de sommation, la salve de la chancelière allemande fait mouche et semble ouvrir un nouveau chapitre de la politique d’asile : « soyons francs, le processus de Dublin, dans sa forme actuelle, est obsolète » a-t-elle asséné aux parlementaires européens.

Dès lors, faut-il croire que la conclusion de la chancelière fera office de feuille de route ? Consciente de l’impasse dans laquelle sa politique l’a engagée, l’Union sera-t-elle capable d’une part d’ouvrir des voies légales d’accès à la protection et, d’autre part, de s’accorder sur une répartition équitable des charges telle que ses traités l’y invitent ?

AN INSUBSTANTIAL PAGEANT FADING: A VISION OF EU CITIZENSHIP UNDER THE AG’S OPINION IN C-308/14 COMMISSION V UK

PUBLISHED ON EU LAW ANALYSIS on Wednesday, 7 October 2015

by Charlotte O’Brien,

Senior Lecturer, York Law School

The political message being sent by irate governments to ‘back off’ from national welfare systems’ assumed prerogative to discriminate between home nationals and EU nationals is being received and applied with alacrity by the Court of Justice. The current direction of travel resiles from earlier progressive visions of EU citizenship, and in C-140/12 Brey, C-333/13 Dano and C-67/14 Alimanovic we see that which was once ‘destined to be [our] fundamental status’ receding ever further from view. Advocate General Cruz Villalón’s Opinion in Commission v UK continues the retreat, arguing that the Commission’s action challenging the UK right to reside test for family benefits should be dismissed. The result may, in the current environment, be unsurprising. But getting there with existing legal tools is problematic.

The Opinion contains a number of uncomfortable contortions to give undue deference to the national rules, and avoid tackling the underlying conflict of rules and approaches. It represents quite startling judicial activism in embroidering the legislation with unwritten limitations as to personal scope, tinkering with the subject matter, and asserting an unwritten licence to discriminate whenever something smells like a welfare benefit. The effect is as though the Court’s new teleological guiding principle should be that the legislature would have wanted at all costs to avoid offending the UK government.

The UK right to reside (RTR) test prevents any EU national who does not meet the criteria in Art 7 Directive 2004/38 from receiving Child Benefit or Child Tax Credit, both of which were accepted as being ‘family benefits’, so ‘pure social security’ (rather than special non-contributory benefits in Brey, Dano and Alimanovic) under Regulation 883/2004. The Commission challenged the test’s lawfulness on two grounds – that it imported extra conditions into the ‘habitual residence’ test, to undermine the effects of Regulation 883/2004, and that it is discriminatory since it only applies to non-UK citizens. The AG’s Opinion is remarkable, in its ability to reject both without engaging with either. This analysis deals with four key issues arising from the Opinion: (i) stitching, splicing and embroidering Reg 883/2004; (ii) the ‘inherent’, ‘inevitable’ and ex ante discrimination fudge; (iii) the parallel reality in which the UK does not presume unlawful residence; and (iv) the failure to notice that the UK automatically refuses social assistance to those reliant on ‘sufficient resources’.

(i) stitching, splicing and embroidering Regulation 883/2004

The AG is at some pains to determine whether the ‘right to reside’ test is part of the habitual residence test (HRT), or a separate test added on, suggesting that it is only if it is presented as the former, does the Commission have a case. As the UK government ‘distanced’ itself during proceedings from the combined test approach, and argued that it was a separate test of lawful residence, so the AG commented that the Commission’s case was ‘weakening over the course of the dispute’. Indeed, on the basis that the test was ‘independent’ of the HRT, the AG argued that the first ground should be dismissed. This is perplexing. It seems to be a matter of regulatory semantics whether the RTR is part of the HRT, or is applied as well as the HRT, if the effect – to undermine Regulation 883/2004 – is the same.

For the record, the conclusion that they are separate tests is unconvincing anyway. For all benefits with an official ‘habitual residence test’ the regulations provide that a claimant cannot be habitually resident unless she has the right to reside in the CTA (Income Support (General) Regulations 1987, reg 21AA; Jobseeker Allowance Regulations 1996, reg 85A; Employment and Support Allowance Regulations 2008, reg 70(2); State Pension Credit Regulations, reg 2; see DWP, DMG, 072771). For CB and CTC the terminology is slightly different – the words ‘habitually resident’ are not used, but a person must be treated as being in the UK. And to be treated as being in the UK, you have to have a right to reside (Child Benefit Regulations 2006, Reg 23(4)(a); Tax Credits (Residence) Regulations 2003, Reg. 3(5); CBTM10010 – Residence and immigration: residence – introduction).

However, whether we treat the RTR as part of habitual residence, or as an extra test, the effect in both cases is to add conditions onto the circumstances in which a person is treated as meeting the ‘residence’ criteria of Regulation 883/2004. That Regulation offers a clear, exhaustive list for allocating ‘competence’ of Member States for benefits, providing a residual category for the economically inactive, at Art 11(3)(e) in which the Member State of residence is competent. Once competence has been established, that State is then responsible for the payment of family benefits, subject to the non-discrimination provision.

The scheme of the Regulation is intentionally broader than that of Directive 2004/38 – applying a different personal scope for a start (covering all those who ‘are or have been subject to the legislation of one or more Member States’), and covering pensioners, those between jobs, those who might fall outside of the Dir 2004/38 Article 7(3) retention provisions – essentially, those who should be covered by social security provisions. To apply the right to reside test is to hack down the rationae personae of the Regulation to emulate that of Directive 2004/38 – an approach not endorsed, implied or merited in the Regulation. The AG’s assertion that law should not exist in ‘separate compartments’ as justification for splicing the instruments together and embroidering an extra condition into the Regulation rather too easily ignores the different purposes and scopes of the instruments. Similarly, the different material issues – the restriction of social assistance now embodied in Directive 2004/38, versus award of social security, are inappropriately assimilated. The AG notes, apparently approvingly, the UK’s assertion that ‘the two benefits at issue in the present case have some characteristics of social assistance’. This goes unexamined, and helps form the context in which the different nature of social security, and different subject matter of the Regulation, is effectively ignored. In sum, we have an approach in which if a benefit is a ‘bit like’ social assistance, and a legal instrument is in roughly the same area as Directive 2004/38, then unwritten restrictions kick in.

In the specific case of family benefits, the Regulation’s residual category should provide a guarantee that families do not fall through the cracks and find themselves disentitled to any family benefits, since many Child Benefits are tied to residence. This also serves the ‘bonus’ purpose of protecting children, who are not the agents of migration, and who the legislature and the Court have hitherto taken pains to protect from suffering the penalties of their parents’ choices and/or misfortunes – either out of an interest in child welfare, or as an instrumental way of avoiding disincentives (risks to their children’s welfare) for workers to migrate.

Here it is worth emphasising that when we speak of falling through the cracks, we mostly speak of people who have been working (rather than those who have never worked). The right to reside test results in a strict bifurcation between those ‘working’ and those not. The rules on retention of worker status are stringent and exclusionary, so that people can be working and contributing for many years and still fall over welfare cliff edges. Regulation 883/2004 should offer some protection to their pre-school children in such cases, even where Directive 2004/38 is (according to emerging case law) rather harsher to the parents.

However, in the AG’s approach we can see the Directive, having already been transformed from an instrument to promote free movement into a instrument to prevent benefit tourism (Dano); being promoted to the status of a fundamental principle of limitation, to be (retrospectively) mainstreamed into other (higher) legislative instruments – exerting restrictions that are not there written.

(ii) the ‘inherent’, ‘inevitable’ and ex ante discrimination fudge;

The AG avoided dealing with the question of whether the RTR test discriminates contrary to Regulation 883/2004, by finding that the RTR prevented the Regulation from being applicable at all – apparently treating ex ante discrimination as de facto lawful. This conceptual approach is deeply problematic – can Member States really avoid the non-discrimination obligations contained in legislation by applying discriminatory gateways to access that legislation?

As noted above, once competence of a Member State has been established for the purposes of Regulation 883/2004, it is then – according to that instrument, bound by non-discrimination duties (Article 4). However, under the proposed approach, there will be people for whom no Member State has competence, because competence is to be determined according to a set of restrictions in a completely different instrument which apply a different concept to a different set of people for a different set of benefits. And if they are in this way found not be within any State’s competence, the question of discrimination is avoided.

To the extent that the AG does engage with non-discrimination duties, it is part of an imprecise discussion about the likelihood of the lawfulness of curbing benefits from non-nationals (benefit restrictions are ‘traditionally associated’ with requirements of legal residence). In drawing upon Dano and Brey, the fact that those cases dealt with benefits therein defined as social assistance is swept aside somewhat as the AG finds ‘there is nothing in those judgments to indicate that such findings apply exclusively to the social assistance benefits or the special non-contributory cash benefits with which those cases were concerned and not to other social benefits’. But there is plenty to indicate that social security benefits should be treated differently in their coverage in a different piece of legislation. It is surely very odd to suggest that the Court should list those instruments on which it was not ruling.

Recognising that the rules do treat UK nationals and non nationals differently, the Opinion makes some rhetorical points about discrimination as part of the natural ecosystem of free movement – ‘one way of looking at it is that this difference in treatment as regards the right of residence is inherent in the system and, to a certain extent, inevitable… In other words, the difference in treatment between UK nationals and nationals of other Member States stems from the very nature of the system.’ None of this does anything to address the question of the problem of direct versus indirect discrimination – the latter being rather easier to justify. It almost suggests that some degree of direct discrimination has to be accepted as a matter of pragmatism. Indeed, the characterisation of the rules asindirectly discriminating on the grounds of nationality is one of the most contentious issues in the case. Much as in C-184/99 Grzelczyk, an extra condition is imposed only upon non-nationals. Hiding behind the banner of indirect discrimination seems unconvincing if we posit a brief thought experiment. Imagine all EU national men automatically had an RTR, but all EU national women had to pass the RTR test; that could not be described asindirectly discriminating on the grounds of sex. While it could be argued that nationality is a different type of ground to sex, and so different differences are acceptable, the fact that we are dealing with direct discrimination remains. And this is not explored. The only thing that needs justification, under this analysis, is not the test, but the procedural checking, which we look at next.

(iii) the parallel reality in which the UK does not presume unlawful residence

The AG states that it cannot be inferred that the UK presumes that claimants are unlawfully resident, adding that European citizenship would preclude such a presumption, and that claimants should not systematically be required to prove they are not unlawfully resident.

However, the whole claims process in the UK does systematically require proof of claimants that they are (not un)lawfully resident. The right to reside test takes the limitations of Directive 2004/38 and makes them a priori conditions of the existence of the right to move and reside. There is no general citizenship-based right to reside that can be modified by limitations, with some discretion. The conditions come first, and must be demonstrably met, in each and every case. The UK’s assertion that ‘In cases in which there is doubt as to whether the claimant has a right of residence, an individual assessment of the claimant’s personal circumstances is carried out’ rather masks the process of assessment that decision makers are required to undertake according to the decision maker guidance on establishing whether a claimant really is or was a worker – using the UK’s own definition. That definition is flawed in itself, requiring evidence to meet a higher threshold than set in EU law, and the evidential hurdles can be considerable. Even for the most straightforward cases of worker, proof is required that earnings have been at or above the Minimum Earnings Threshold for a continuous period of at least three months. Those with variable earnings are expected to provide considerable evidence if they wish to ‘prove’ their right to reside. In cases where HMRC have reason to doubt conditions continue to be met for tax credit awards, they issue further, penetrating compliance checks, and in the UK government’s Budget Policy costings document, the government announced that the restrictions on benefits ‘will be augmented by additional HMRC compliance checks to improve detection of when EEA migrants cease to be entitled to these benefits. The checks will apply to all EEA migrant claims’. The system is set up to make the conditions constitutive of the right to free movement, effectively requiring all claimants to prove that they are not unlawfully resident, notwithstanding the apparent ‘background’ of EU citizenship, and claims are subject to systematic checking, notwithstanding Article 14(2) of Directive 2004/38.

The AG however, took the position that such checks are not systematic, but may be indirectly discriminatory, but that they were lawful, with the briefest of nods to justification – as though the mere mention of the UK’s public finances is sufficient to provoke a reverential hush, genuflection and swift retreat from the subject:

‘without any need to pursue the argument further, I consider that the necessity of protecting the host Member State’s public finances, (75) an argument relied on by the United Kingdom, (76) is in principle sufficient justification for a Member State to check the lawfulness of residence at that point.’

No data, it seems, is required.

Nor is any engagement with the question as to whether purely economic aims are legitimate aims for the purpose of justifying discrimination or restricting a fundamental freedom – on this, see AG Sharpston’s Opinion in C-73/08 Bressol.

(iv) the failure to notice that the UK automatically refuses social assistance to those reliant on ‘sufficient resources’.

The AG rounds up the Opinion by noting that in any case, the economically inactive are not completely hung out to dry – they should have their circumstances examined to determine whether they have sufficient resources not to become a burden on the public purse. Here, the AG emphasises that mere recourse to public funds should not bar a claimant from having a right to reside based on sufficient resources, and that their case should be assessed as to whether they are an ‘excessive’ burden. This is all very well, but speaks to a rather different reality to that experienced in the UK, in which the economically inactive are automatically barred from claiming social assistance because they are automatically treated as not having sufficient resources at the point of claim. Moreover, the Upper Tribunal has suggested that ‘sufficient resources’ means sufficient to provide for the migrant’s family for five years; a migrant cannot claim to have had sufficient resources for a short period of time between jobs if those resources would not have lasted for five years.

In short, the Court should be wary of following the AG’s lead in backing off from the apparently prohibited area of UK welfare benefits quite so hastily. The Regulation’s personal and material scope, and purpose, cannot simply be ignored or modified, nor can the Directive be transformed into an all-encompassing, higher principle, through pro-Member State judicial activism. The right to reside test adds conditions to the application of the Regulation’s provisions, and it does so in a directly discriminatory way. The Court must address these points honestly; if it is prevented from doing so by the political wind – or if it too conjures up a default forcefield around benefits regardless of type, and gives licence to ‘inevitable’ discrimination – the ramifications will tell not only upon claimants, their children, the vanishing strands of EU citizenship and the obstructed freedom to move, but also upon the Court’s credibility.

The European citizens’ initiative and the new (and surprising) routes of EU competence litigation

REBLOGGED FROM “DESPITE OUR DIFFERENCES” (October 5, 2015)
by Daniel Sarmiento, *

EU competence is a touchy area of EU law. It has become very complex, together with the also intricate case-law on legal bases, which, after several decades of case-law, is not always easy to follow. After the entry into force of the Lisbon Treaty, EU competence has become a major domain for EU constitutional lawyers and it deserves very careful attention. The fact that the Treaties now include a typology and enumerate EU competences is a sign that many future battles in EU law will be fought in this terrain.

Furthermore, cases like Pringle, Gauweiler or Vodafone prove that issues of competence and legal bases are not the exclusive domain of institutional litigation, but areas that can be brought to the courts by private parties too. The Court has always been sensitive to these cases and it has dealt with them with utmost care, mostly in Grand Chamber formation.

Last week a rather surprising route for EU competence litigation came under the radar. In the case of Anagnostakis (no English version available, I’m afraid), the General Court ruled on an action of annulment brought by a private party against the decision of the Commission to reject, on the grounds of lack of competence, a European citizens’ initiative. Mr. Anagnostakis, together with more than a million supporters, brought a proposal pursuant to article 11.4 TEU and Regulation 211/2011, demanding the Commission to introduce in EU legislation “the principle of state of necessity, according to which, when the financial and political subsistence of a State is at stake due to its duty to comply with an odious debt, the refusal of payment is necessary and justified”. According to the promoters, the legal base of the initiative was to be found in articles 119 TFEU and 144 TFEU.

The Commission did not seem very impressed and, pursuant to articles 4.2,b and 3 of Regulation 211/2011, it refused to register the proposal, based on a lack of competence.

Mr. Anagnostakis introduced an action of annulment before the General Court, attacking the Commission’s Decision for breach of articles 122.1 and 2 TFEU, 136.1 TFEU and rules of international law.

The General Court dismissed the action, but it did not limit itself to scrutinize the Commission’s duty to state reasons. The General Court went into some detail in order to ascertain if haircuts in government debt are not only a competence of the EU, but also in conformity with EU Law. In a rather surprising format and procedural context, the General Court dealt quite openly with one of the Union’s hottest potato at the time: the Greek unsustainable public debt.

It is true that the judgment is quite laconic in its reasoning, but it relies several times on Pringle and Gauweiler when interpreting articles 122 and 136 TFEU. But no matter how laconic it may be, the judgment makes an assertion that will probably not go unnoticed when the Greek public debt becomes politically toxic again. In paragraph 58 of the judgment, the General Court states that “the adoption of a legislative act authorizing a member State to not reimburse its debt, far from being a part of the concept of economic policy guidelines in the sense of article 136.1.b) TFEU […] it would have the effect of substituting the free will of the contracting parties by a legislative instrument allowing for a unilateral abandonment of public debt, which is clearly not what the provision allows” (free translation).

The assertion might be formally correct in light of the limited scope of article 136.1.b) TFEU, but the language of the judgment is politically explosive. Even in legal terms, one wonders if Pringle was openly precluding any kind of haircut of government debt by any means. After reading the General Court’s decision in Anagnostakis, it seems that haircuts will be mission impossible in the future, despite the circumstances, the consensus among Member States (the IMF has been explicitly positive about a future Greek haircut) and, above all, the terms and scope of the haircut.

But of course, this judgment could be just a superficial decision undertaking a superficial degree of scrutiny due to the peculiar procedural context of the case. It could be argued that highly contested issues such as the EU’s competence in the area of EMU is something should be left to the Court of Justice, but not to the General Court in the circumstances of a case like Anagnostakis. The General Court might be aware of this and thus the brief and straight-forward reasoning of the decision. However, after reading the judgment several times, the more I read it the more explosive it sounds to me.

(*) Professor of EU Law at the University Complutense of Madrid

THE PARTY’S OVER: EU DATA PROTECTION LAW AFTER THE SCHREMS SAFE HARBOUR JUDGMEN

ORIGINAL PUBLISHED ON EU LAW ANALYSIS (on Wednesday, 7 October 2015)

by Steve Peers

The relationship between intelligence and law enforcement agencies (and companies like Google and Facebook) and personal data is much like the relationship between children and sweets at a birthday party. Imagine you’re a parent bringing out a huge bowl full of sweets (the personal data) during the birthday party – and then telling the children (the agencies and companies) thatthey can’t have any. But how can you enforce this rule? If you leave the room, even for a moment, the sweets will be gone within seconds, no matter how fervently you insist that the children leave them alone while you’re out. If you stay in the room, you will face incessant and increasingly shrill demands for access to the sweets, based on every conceivable self-interested and guilt-trippy argument. If you try to hide the sweets, the children will overturn everything to find them again.

When children find their demands thwarted by a strict parent, they have a time-honoured circumvention strategy: “When Mummy says No, ask Daddy”. But in the Safe Harbour case, things have happened the other way around. Mummy (the Commission) barely even resisted the children’s demands. In fact, she said Yes hours ago, and retired to the bath with an enormous glass of wine, occasionally shouting out feeble admonitions for the children to tone down their sugar-fuelled rampage. Now Daddy (the CJEU) is home, shocked at the chaos that results from lax parenting. He has immediately stopped the supply of further sweets. But the house is full of other sugary treats, and all the children are now crying. What now?

In this post, I’ll examine the reasons why the Court put its foot down, and invalidated the Commission’s ‘Safe Harbour’ decision which allows transfers of personal data to the USA, in the recent judgment in Schrems. Then I will examine the consequences of the Court’s ruling. But I should probably admit for the record that my parenting is more like Mummy’s than Daddy’s in the above example.

Background

For more on the background to the Schrems case, see here; on the hearing, see Simon McGarr’s summary here; and on the Advocate-General’s opinion, seehere. But I’ll summarise the basics of the case again briefly.

Max Schrems is an Austrian Facebook user who was disturbed by Edward Snowden’s revelations about mass surveillance by US intelligence agencies. Since he believed that transfers of his data to Facebook were subject to such mass surveillance, he complained to the Irish data protection authority, which regulates Facebook’s transfers of personal data from the EU to the USA.

The substantive law governing these transfers of personal data was the ‘Safe Harbour’ agreement between the EU and the USA, agreed back in 2000. This agreement was put into effect in the EU by a decision of the Commission, which was adopted pursuant to powers conferred upon the Commission by the EU’s current data protection Directive. The latter law gives the Commission the power to decide that transfers of personal data outside the EU receive an ‘adequate level of protection’ in particular countries.

The ‘Safe Harbour’ agreement was enforced by self-certification of the companies that have signed up for it (note that not all transfers to the USA fell within the scope of the Safe Harbour decision, since not all American companies signed up). Those promises were in turn meant to be enforced by the US authorities. But it was also possible (not mandatory) for the national data protection authorities which enforce EU data protection law to suspend transfers of personal data under the agreement, if the US authorities or enforcement system found a breach of the rules, or on a list of limited grounds set out in the decision.

The Irish data protection authority refused to consider Schrems’ complaint, so he challenged that decision before the Irish High Court, which doubted that this system was compatible with EU law (or indeed the Irish constitution). So that court asked the CJEU to rule on whether national data protection authorities (DPAs) should have the power to prevent data transfers in cases like these.

The judgment

The CJEU first of all answers the question which the Irish court asks about DPA jurisdiction over data transfers (the procedural point), and then goes on to rule that the Safe Harbour decision is invalid (the substantive point).

Following the Advocate-General’s view, the Court ruled that national data protection authorities have to be able to consider claims that flows of personal data to third countries are not compatible with EU data protection laws if there is an inadequate level of data protection in those countries, even if the Commission has adopted a decision (such as the Safe Harbour decision) declaring that the level of protection is adequate. Like the Advocate-General, the Court based this conclusion on the powers and independence of those authorities, read in light of the EU Charter of Fundamental Rights, which expressly refers to DPAs’ role and independence. (On the recent CJEU case law on DPA independence, see discussion here). In fact, the new EU data protection law currently under negotiation (the data protection Regulation) will likely confirm and even enhance the powers and independence of DPAs. (More on that aspect of the proposed Regulation here).

The Court then elaborates upon the ‘architecture’ of the EU’s data protection system as regards external transfers. It points out that either the Commission or Member States can decide that a third country has an ‘adequate’ level of data protection, although it focusses its analysis upon what happens if (as in this case) there is a Commission decision to this effect. In that case, national authorities (including DPAs) are bound by the Commission decision, and cannot issue a contrary ruling.

However, individuals like Max Schrems can still complain to the DPAs about alleged breaches of their data protection rights, despite the adoption of the Commission decision. If they do so, the Court implies that the validity of the Commission’s decision is therefore being called into question. While all EU acts must be subject to judicial review, the Court reiterates the usual rule that national courts can’t declare EU acts invalid, since that would fragment EU law: only the CJEU can do that. This restriction applies equally to national DPAs.

So how can a Commission decision on the adequacy of third countries’ data protection law be effectively challenged? The Court explains that DPAs must consider such claims seriously. If the DPA thinks that the claim is unfounded, the disgruntled complainant can challenge the DPA’s decision before the national courts, who must in turn refer the issue of the validity of the decision to the CJEU if they think it may be well founded. If, on the other hand, the DPA thinks the complaint is well-founded, there must be rules in national law allowing the DPA to go before the national courts in order to get the issue referred to the CJEU.

The Court then moves on to the substantive validity of the Safe Harbour decision. Although the national court didn’t ask it to examine this issue, the Court justifies its decision to do this by reference to its overall analysis of the architecture of EU data protection law, as well as the national court’s doubts about the Safe Harbour decision. Indeed, the Court is effectively putting its new architecture into use for the first time, and it’s quite an understatement to say that the national court had doubts about Safe Harbour (it had compared surveillance in the USA to that of Communist-era East Germany).

So what is an ‘adequate level of protection’ for personal data in third countries? The Court admits that the Directive is not clear on this point, so it has to interpret the rules. In the Court’s view, there must be a ‘high’ level of protection in the third country; this does not have to be ‘identical’ to the EU standard, but must be ‘substantially equivalent’ to it. Otherwise, the objective of ensuring a high level of protection would not be met, and the EU’s internal standards for domestic data protection could easily be circumvented. Also, the means used in the third State to ensure data protection rights must be ‘effective…in practice’, although they ‘may differ’ from that in the EU. Furthermore, the assessment of adequacy must be dynamic, with regular automatic reviews and an obligation for a further review if evidence suggests that there are ‘doubts’ on this score; and the general changes in circumstances since the decision was adopted must be taken into account.

The Court then establishes that in light of the importance of privacy and data protection, and the large number of persons whose rights will be affected if data is transferred to a third country with an inadequate level of data protection, the Commission has reduced discretion, and is subject to ‘strict’ standards of judicial review. Applying this test, two provisions of the ‘Safe Harbour’ decision were invalid.

First of all, the basic decision declaring adequate data protection in the USA (in the context of Safe Harbour) was invalid. While such a decision could, in principle, be based on self-certification, this had to be accompanied by ‘effective detection and supervision mechanisms’ ensuring that infringements of fundamental rights had to be ‘identified and punished in practice’. Self-certification under the Safe Harbour rules did not apply to US public authorities; there was not a sufficient finding that the US law or commitments met EU standards; and the rules could be overridden by national security requirements set out in US law.

Data protection rules apply regardless of whether the information is sensitive, or whether there were adverse consequences for the persons concerned. The Decision had no finding concerning human rights protections as regards the national security exceptions under US law (although the CJEU acknowledged that such rules pursued a legitimate objective), or effective legal protection in that context. This was confirmed by the Commission’s review of the Safe Harbour decision, which found (a) that US authorities could access personal data transferred from the EU, and then process it for purposes incompatible with the original transfer ‘beyond what was strictly necessary and proportionate for the purposes of national security’, and (b) that there was no administrative or judicial means to ensure access to the data and its rectification or erasure.

Within the EU, interference with privacy and data protection rights requires ‘clear and precise rules’ which set out minimum safeguards, as well as strict application of derogations and limitations. Those principles were breached where, ‘on a generalised basis’, legislation authorises ‘storage of all the personal data of all the persons whose data has been transferred’ to the US ‘without any differentiation, limitation or exception being made in light of the objective pursued’ and without any objective test limiting access of the public authorities for specific purposes. General access to the content of communications compromises the ‘essence’ of the right to privacy. On these points, the Court expressly reiterated the limits on mass surveillance set out in last year’s Digital Rights judgment (discussed here) on the validity of the EU’s data retention Directive. Furthermore, the absence of legal remedies in this regard compromises the essence of the right to judicial protection set out in the EU Charter. But the Commission made no findings to this effect.

Secondly, the restriction upon DPAs taking action to prevent data transfers in the event of an inadequate level of data protection in the USA (in the context of Safe Harbour) was also invalid. The Commission did not have the power under the data protection Directive (read in light of the Charter) to restrict DPA competence in that way. Since these two provisions were inseparable from the rest of the Safe Harbour decision, the entire Decision is invalid. The Court did not limit the effect of its ruling.

Comments

The Court’s judgment comes to the same conclusion as the Advocate-General’s opinion, but with subtle differences that I’ll examine as we go along. On the first issue, the Court’s finding that DPAs must be able to stop data flows if there is a breach of EU data protection laws in a third country, despite an adequacy Decision by the Commission, is clearly the correct result. Otherwise it would be too easy for the standards in the Directive to be undercut by means of transfers to third countries, which the Commission or national authorities might be willing to accept as a trade-off for a trade agreement or some other quid pro quowith the country concerned.

As for the Court’s discussion of the architecture of the data protection rules, the idea of the data protection authorities having to go to a national court if they agree with the complainant that the Commission’s adequacy decision is legally suspect is rather convoluted, since it’s not clear who the parties would be: it’s awkward that the Commission itself would probably not be a party. It’s unfortunate that the Court did not consider the alternative route of the national DPA calling on the Commission to amend its decision, and bringing a ‘failure to act’ proceeding directly in the EU courts if it did not do so. In the medium term, it would be better for the future so-called ‘one-stop shop’ system under the new data protection Regulation (see discussion here) to address this issue, and provide for a centralised process of challenging the Commission directly.

It’s interesting that the CJEU finds that there can be a national decision on adequacy of data flows to third States, since there’s no express reference to this possibility in the Directive. If such a decision is adopted, or if Member States apply the various mandatory and optional exceptions from the general external data protection rules set out in Article 26 of the data protection Directive, much of the Court’s Schrems ruling would apply in the same way by analogy. In particular, national DPAs must surely have the jurisdiction to examine complaints about the validity of such decisions too. But EU law does not prohibit the DPAs from finding the national decisions invalid; the interesting question is whether it obliges national law to confer such power upon the DPAs. Arguably it does, to ensure the effectiveness of the EU rules. Any decisions on these issues could still be appealed to the national courts, which would have the option (though not the obligation, except for final courts) to ask the CJEU to interpret the EU rules.

As for the validity of the Safe Harbour Decision, the Court’s interpretation of the meaning of ‘adequate’ protection in third States should probably be sung out loud, to the tune of ‘We are the World’. The global reach of the EU’s general data protection rules was already strengthened by last year’s Google Spain judgment (discussed here); now the Court declares that even the separate regime for external transfers is very similar to the domestic regime anyway. There must be almost identical degrees of protection, although the Court does hint that modest differences are permissible: accepting the idea of self-certification, and avoiding the issue of whether third States need an independent DPA (the Advocate-General had argued that they did).

It’s a long way from the judgment in Lindqvist over a decade ago, when the Court anxiously insisted that the external regime should not be turned into a copy of the internal rules; now it’s insistent that there should be as little a gap as possible between them. With respect, the Court’s interpretation is not convincing, since the word ‘adequate’ suggests something less than ‘essentially equivalent’, and the EU Charter does not bind third States.

But having said that, the American rules on mass surveillance would violate even a far more generous interpretation of the meaning of the word ‘adequate’. It’s striking that (unlike the Advocate-General), the Court does not engage in a detailed interpretation of the grounds for limiting Charter rights, but rather states that general mass surveillance of the content of communications affects the ‘essence’ of the right to privacy. That is enough to find an unjustifiable violation of the Charter.

So where does the judgment leave us in practice? Since the Court refers frequently to the primary law rules in the Charter, there’s no real chance to escape what it says by signing new treaties (even the planned TTIP or TiSA), by adopting new decisions, or by amending the data protection Directive. In particular, the Safe Harbour decision is invalid, and the Commission could only replace it with a decision that meets the standards set out in this judgment. While the Court refers at some points to the inadequacy or non-existence of the Commission’s findings in the Decision, it’s hard to believe that a new Decision which purports to claim that the American system now meets the Court’s standards would be valid if the Commission were not telling the truth (or if circumstances subsequently changed).

What standards does the US have to meet? The Court reiterates even more clearly that mass surveillance is inherently a problem, regardless of the safeguards in place to limit its abuse. Indeed, as noted already, the Court ruled that mass surveillance of the content of communications breaches the essence of the right to privacy and so cannot be justified at all. (Surveillance of content which is targeted on suspected criminal activities or security threats is clearly justifiable, however). In addition to a ban on mass surveillance, there must also be detailed safeguards in place. The US might soon be reluctantly willing to address the latter, but it will be even more unwilling to address the former.

Are there other routes which could guarantee that external transfers to the USA take place, at least until the US law is changed? In principle, yes, since (as noted above) there are derogations from the general rule that transfers can only take place to countries with an ‘adequate’ level of data protection. A first set of derogations is mandatory (though Member States can have exceptions in ‘domestic law governing particular cases’): where the data subject gives ‘consent unambiguously’; where the transfer is necessary to perform a contract with (or in the interest of) the data subject, or for pre-contractual relations; where it’s ‘necessary or legally required on important public interest grounds’, or related to legal claims; where it’s ‘necessary to protect the vital interests of the data subject’; or where it’s made from a public register. A second derogation is optional: a Member State may authorise transfers where the controller offers sufficient safeguards, possibly in the form of contractual clauses. The use of the latter derogation can be controlled by the Commission.

It’s hard to see how the second derogation can be relevant, in light of the Court’s concerns about the sufficiency of safeguards under the current law. US access to the data is not necessary in relation to a contract, to protect the data subject, or related to legal claims. An imaginative lawyer might argue that a search engine (though not a social network) is a modern form of public register; but the record of an individual’s use of a search engine is not.

This leaves us with consent and public interest grounds. Undoubtedly (as the CJEU accepted) national security interests are legitimate, but in the context of defining adequacy, they do not justify mass surveillance or insufficient safeguards. Would the Court’s ruling in Schrems still apply fully to the derogation regarding inadequate protection? Or would it apply in a modified way, or not at all?

As for consent, the CJEU ruled last year in a very different context (credibility assessment in LGBT asylum claims) that the rights to privacy and dignity could not be waived in certain situations (see discussion here). Is that also true to some extent in the context of data protection? And what does unambiguous consent mean exactly? Most people believe they are consenting only to (selected) people seeing what they post on Facebook, and are dimly aware that Facebook might do something with their data to earn money. They may be more aware of mass surveillance since the Snowden revelations; some don’t care, but some (like Max Schrems) would like to use Facebook without such surveillance. Would people have to consent separately to mass surveillance? In that case, would Facebook have to be accessible for those who did not want to sign that separate form? Or could a ‘spy on me’ clause be added at the end of a long (and unread) consent form? Consent is a crucial issue also in the context of the purely domestic EU data protection rules.

The Court’s ruling has addressed some important points, but leaves an enormous number of issues open. It’s clear that it will take a long time to clear up the mess left from this particular poorly supervised party.

Barnard and Peers: chapter 9

The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid

Court of Justice of the European Union PRESS RELEASE No 117/15

SEE THE TEXT OF JUDGMENT HERE

Luxembourg, 6 October 2015

Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner

Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity

The Data Protection Directive¹ provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’).

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000² the Commission considered that, under the ‘safe harbour’ scheme,³ the United States ensures an adequate level of protection of the personal data transferred (the Safe Harbour Decision).

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.

The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.

The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbour scheme.

Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

The Court considers that that analysis of the scheme is borne out by two Commission communications,⁴ according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

NOTES

¹ Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
² Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
³ The safe harbour scheme includes a series of principles concerning the protection of personal data to which United States undertakings may subscribe voluntarily.
⁴ Communication from the Commission to the European Parliament and the Council entitled ‘Rebuilding Trust in EU-US Data Flows’ (COM(2013) 846 final, 27 November 2013) and Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU (COM(2013) 847 final, 27 November 2013).

NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

Unofficial document for media use, not binding on the Court of Justice. The full text of the judgment is published on the CURIA website on the day of delivery. Press contact: Christopher Fretwell S (+352) 4303 3355

The European legal framework on hate speech, blasphemy and its interaction with freedom of expression

Nota Bene : At the request of the European Parliament LIBE committee, this study provides an overview of the legal framework applicable to hate speech and hate crime on the one hand and to blasphemy and religious insult on the other hand. It also evaluates the effectiveness of existing legislation in selected Member States and explores opportunities to strengthen the current EU legal framework, whilst fully respecting the fundamental rights of freedom of expression and freedom of thought, conscience and religion. The study also provides the European Parliament with guidelines on dealing with hate speech within the EU institutions. Link to the full study (446 pages) AUTHORS (*)

EXECUTIVE SUMMARY

Hate speech and hate crime incidents, including those committed online, are on the rise in Europe¹, despite the existence of a robust legal framework. This study provides an overview of the legal framework applicable to hate speech and hate crime, as well as to blasphemy and religious insult. It also evaluates the effectiveness of existing legislation in selected Member States and explores opportunities to strengthen the current EU legal framework, whilst fully respecting the fundamental rights of freedom of expression and freedom of thought, conscience and religion. The study also provides the European Parliament with guidelines on dealing with hate speech within the EU institutions.

Legal framework on hate speech and hate crime

At the EU level the legal framework includes inter alia: Council Framework Decision 2008/913/JHA (CFD)² (requiring Member States to penalise the most severe forms of hate speech and hate crime); and the Audiovisual Media Services (AMSD)³ and Electronic Commerce Directives (ECD)⁴ (controlling racist and xenophobic behaviours in the media and over the internet). It is important to view the EU measures aimed at addressing racism and xenophobia in the context of the broader EU legislative framework. Instruments aimed at supporting victims of crime and antidiscrimination measures are of particular relevance in this respect. These include Directive 2012/29/EU⁵ (Victims’ Support Directive) and the EU’s equality and anti-discrimination legislation (e.g. Directive 2000/43/EC⁶ (the Racial Equality Directive)). The Racial Equality Directive is complemented by other antidiscrimination legislative instruments such as Directive 2000/78/EC⁷ (the Employment Equality Directive) and Directives 2004/113/EC and 2006/54/EC⁸ (the Equal Treatment Directives). The EU also provides its support in practice by financing projects aimed inter alia at fighting hate speech and hate crime (for example under the Europe for Citizens Programme 2014-2020⁹ or the Rights, Equality and Citizenship Programme 2014-2020¹⁰).

The current study, developed on the basis of information gathered through seven national studies (Belgium, Germany, Greece, France, Hungary, the Netherlands and Sweden), has revealed some major drawbacks of the current legal framework applicable to hate speech and hate crime:

Shortcomings related to the transposition of the CFD include its incomplete transposition. Gaps in transposition mainly arise in connection with Article 1(1)(c) and 1(1)(d) of the CFD requiring the penalisation of the condoning, denial or gross trivialisation of genocide, crimes against humanity and war crimes and of Nazi crimes, respectively. To ensure effective protection against the most severe forms of hate speech and hate crime, it is recommended that the European Commission (EC) initiates infringement proceedings against Member States failing to transpose the CFD. Another issue derives from the transposition of the protected characteristics (grounds upon which hate speech and hate crime are prohibited) set out in the CFD, the AMSD and the ECD. As a general rule, Member States’ legislation refers to characteristics beyond those required by the CFD, the AMSD and the ECD. Member States have not taken a harmonised approach in this respect, thus the list of protected characteristics varies from Member State to Member State. Therefore an ambitious review of existing EU law might be necessary.

The use in practice of the CFD, the AMSD and the ECD is hindered by similar factors. Member States fail to collect sufficient reliable data on hate speech and hate crime incidents, which hinders the monitoring and assessment of the scale of the problem. This mainly results from the fact that data collection related competences are often divided between more than one authority, whose data collection efforts are not harmonised. To overcome the existing data gap, Member States with less developed or harmonised data collection methods could be encouraged to learn from Member States with good practices in place. The underreporting of hate speech and hate crime incidents by victims also hinders the understanding of the scale of the problem. Member States could be encouraged to raise awareness of the means of reporting incidents or to facilitate reporting through alternative means, such as anonymously, through the internet or victim support organisations.

The absence of shared understanding by practitioners of the applicable legal provisions seems to be an issue across the globe. The provision of clear guidance to practitioners, for example through awareness raising materials or training programmes, is therefore needed. These tools should provide practitioners with the skills necessary to duly investigate, prosecute and adjudicate hate speech and hate crime incidents.

In addition, applicable rules often fail to cover the liability of operators for the publication of hate content by bloggers or users of social media sites. The liability of bloggers and users of websites is often regulated; however these individuals are sometimes difficult to trace back, moreover it is often difficult to prove their motivation. The situation is an issue of concern given that internet remains a critical tool for the distribution of racist and hateful propaganda. To overcome the potential impunity of offenders it is recommended to regulate the liability of operators, thereby encouraging them to better control the content of blogs and social media websites. Alternatively Member States could reinforce their efforts of monitoring the content of websites. This however, should be done in a manner ensuring the sufficient respect of freedom of expression.

In most Member States, no concerns have arisen regarding the unnecessary limitation of freedom of expression by hate speech legislation, or vice versa. France constitutes an exception in this respect where debates over the borderline between the protection of human dignity and the freedom of expression have recently reignited, when the French Government announced its new campaign against online hate speech. Some considered the French measures as too restrictive of the freedom of expression¹¹. Guidance on where the borderline stands between the two fundamental rights is found in the case law of the European Courts of Human Rights (ECtHR). The ECtHR has ruled that in a democratic society, which is based on pluralism, tolerance and broadmindedness, freedom of expression should be seen as a right extending also to information and ideas that might offend, shock or disturb others. Any limitation of the freedom of expression must be proportionate to the legitimate aim pursued¹². Member States could also be encouraged to sign and ratify the Council of Europe’s (CoE) Additional Protocol to the Convention of Cybercrime¹³, which gives due consideration to freedom of expression, while requiring the criminalisation of racist and xenophobic acts committed online.

Finally, the absence of one comprehensive policy dealing with hate speech and hate crime is itself a matter that should be addressed. This could be addressed through the adoption of a comprehensive strategy for fighting hate speech and hate crime. The Strategy could define concrete policy goals for the Member States, targeting the most severe forms of hate speech and hate crime, including online crime. These policy goals could be set in light of the most important factors hindering the application of hate speech and hate crime legislation in practice. These factors, as explained in details above, include inter alia the insufficient transposition of applicable rules, the inadequate knowledge of practitioners of the rules applicable to hate speech and hate crime, the insufficient data collection mechanisms in place and the existence of severe underreporting. The Strategy should ensure the sufficient respect of freedom of expression and acknowledge that hate speech and hate crime are present in all areas of life (e.g. politics, media, employment).

Legal framework on blasphemy and religious insult Continue reading “The European legal framework on hate speech, blasphemy and its interaction with freedom of expression”

Safe Harbor – No Future? How the General Data Protection Regulation and the rulings of the Court of Justice of the European Union (CJEU) will influence transatlantic data transfers

(ORIGINAL Posted on 1. Oktober 2015 in PETER SCHAAR. Der Blog. )

by Peter Schaar (*)

Ladies and gentlemen,

One week ago, the Advocate General at the Court of Justice of the European Union (CJEU) issued his vote on the Safe Harbor case of Max Schrems vs. the Irish Data Protection Commissioner.

Since 1995 when the General European Directive on Data Protection came into force, data transfers from the European Union and its member states to non-EU countries have been subject to specific privacy and security restrictions. Such restrictions do not exist only in Europe.

For example in the US several legal acts and decisions of regulatory authorities constitute the obligation to store specific data in the own country, in particular data, which have been generated by public bodies and providers of critical infrastructures. The US Federal Trade Commission has stated that a company subject to privacy obligations under US law is not allowed to avoid such obligations by outsourcing their data processing activities to offshore service providers.

The key message of Art. 25 of the 1995 GD is that transfer of personal data to a third country may take place only if the recipient in question ensures an adequate level of data protection. The adequacy shall be assessed in the light of all the circumstances surrounding the data transfer operation.

The main road to adequacy are the so-called adequacy decisions of the European Commission, that the said country ensures an adequate level of data protection. These decisions are binding for the member states. They shall take the measures necessary to comply with the Commission’s decision.

One of the most discussed adequacy decisions concerns the United States – the decision on Safe Harbor, although the Commission was of the opinion, that the US in general failed to provide an adequate level of data protection for the private sector, because of the lack of any comprehensive data protection legislation.

The Safe Harbor principles, negotiated between the Commission and the US government in the late 1990s should bridge this obstacle. The SH arrangement has been aimed at guaranteeing the adequate level of protection required by EU law for those companies, committing themselves to comply with the SH principles.

From the beginning, since the Safe Harbor was agreed in the year 2000 there has been some criticism against it. The main critical argument was that the principles do not meet the high EU data protection standards defined by the General Directive.

A scientific implementation study on SH done 2004 on behalf of the Commission came to the result that „Key concepts such as ‚US organization‘, ’personal data’,’deceptive practices’ lack clarity. Moreover, the jurisdiction of the FTC with regard to certain types of data transfers is dubious.“

It also has been criticized, that companies which declare compliance with the principles at once may profit from the Safe Harbor privileges, even if their privacy practices were not yet subject to an independent audit.

These issues remain important until our days. But after the vote the Advocate General at the CJEU (GA) issued recently, the focus lays on another question: How far practices and powers of US authorities have been ignored in the adequacy assessments.

At the first glance, law enforcement authorities, police and intelligence do not fall within the scope of the Safe Harbor agreement and therefore they do not have to be subject to the assessment. But this first impression is wrong.

As Art. 25 of the GD is pointing out, the assessment is to be done in the light of „all circumstances“ surrounding a data transfer to the third country. Even activities of authorities in the third country have to be examined. It is unclear how far this happened during the Safe Harbor assessment in the late 1990s.

But even if such assessment once took place, the result may be invalid today, because things changed dramatically after 9/11 2001. As we have learnt from Edward Snowden and other whistleblowers, US government has obtained broad access to private companies’ databases, telecommunications and Internet services.

Many companies which have co-operated with the NSA – voluntarily or based on legal obligations – have been safe harborists and there is no doubt that NSA and other services have got access to big amounts of data stemming from Europe or related to EU citizens.

The PATRIOT ACT and secret Presidential Orders, issued after 9/11 provided intelligence and law enforcement agencies with a lot of new powers and simultaneously demolished many safeguards which have been introduced in the 1970s to protect civil rights and privacy.

For years it seemed that many of these changes were not on the screen of the European Commission and other European stakeholders. The implementation study on SH of 2004 came to the conclusion: „Since the new US legislation only rarely contradicts the SH principles for data covered by SH, these conflicts do not appear to undermine the level of protection for any significant flows of personal data to the United States. The controversial provisions of the USA PATRIOT Act are essentially irrelevant for SH data flows.“ (p. 101)

But 2013, after the the beginning of the Snowdon revelations, nobody can ignore any more, that the practices of NSA, CIA and FBI introduced after 9/11 have impact on the level of data protection in the United States: The legal provisions on Government access to personal information, especially the Foreign Intelligence Surveillance Act (FISA), do not meet the basic standards of the rule of law at least so far data of non-US-persons are concerned. The practices disclosed in the last two years and the commitments of US officials on mass surveillance provided the public with loads of evidence that the NSA and others are involved in bulk collection of personal data coming from Europe. Therefore it seems evident, that these practices have to be taken into account by the CJEU.

Another change happened in Europe: The Lisbon Treaty came into force in 2009, and at least since then privacy and data protection, including the independent oversight, have been fundamental rights of the European Union, as parts of the European primary law. European secondary law and European Commission’s decisions have to fulfill these requirements. Even older legislation, agreements with third countries as to PNR or TFTP and Commission’s decisions have to be reviewed in the light of Art. 7 and 8 of the EU Charter of Fundamental Rights.

Acknowledging this, the vote of Advocate General Bot (AG) in the case of Maximilian Schrems versus the Irish Data Protection Commissioner, issued last week, is not really surprising. The vote touches two big points:

Even if the Commission decides that the level of data protection in a country is adequate, this does not prevent national data protection authorities from suspending the transfer of the data, it they are of the opinion, that in the concrete case adequacy criteria are not met by the recipient. As we have learnt from the Snowden revelations, Facebook and other Internet companies cooperated closely with the NSA and provided them with broad access to personal data stored on their servers.
The AG is of the opinion that the Safe Harbor arrangement itself is invalid, because the US, especially the intelligence services, do not provide adequate protection for the personal data coming from Europe. Therefore he proposes to suspend the Safe Harbor.

Nobody knows how the European Court of Justice will decide the case. The ruling is expected on 6 October. Perhaps you know the sentence „How the judge decides depends what he ate for breakfast“. It is correct: The vote of the advocate general is only an opinion and it does not bind anybody.

But for me it seems likely that the judges will acknowledge the vote, at least in the result. In two earlier cases, the court decided last year, on data retention and on the right to be forgotten, the judges underlined the high importance of European fundamental rights on privacy and data protection. In these cases the court went beyond the Advocate general’s vote. In the Schrems’ case the AG adapted this recent orientation of the judges.

If the CJEU will decide as proposed by the AG, this does not mean automatically the end of Safe Harbor. But the Safe Harbor arrangement must be renegotiated and at the end there might be a better safe Harbor System, meeting the principles of fundamental rights and complying with the new EU Data Protection Regulation.

Art. 41 of the Commissions proposal contains criteria, conditions and procedures for adequacy assessments, more specific than the current Art. 25 of the GD from 1995: The criteria which shall be taken into account for the Commission’s assessment of an adequate or not adequate level of protection include expressly the rule of law, judicial redress and independent supervision. The new article confirms explicitly the possibility for the Commission to assess the level of protection afforded by a territory or a processing sector within a third country.

My conclusion for today: Safe Harbor will be possible even in the future. But such a „happy end“ requires changes in the SH arrangement. And it requires effective legal guarantees for EU citizens in the US.

Also necessary is a new thinking in Europe, in particular on the fields of law enforcement and intelligence. If we urge the US to respect our privacy, European secret services have to respect fundamental rights of all EU citizens and citizens of third countries as well.

(*) Keynote on the conference „New Directions in Cyber Security“ Berlin, 1 October 2015

(MEIJERS COMMITTEE) Military action against human smugglers: legal questions concerning the EUNAVFOR Med operation

ORIGINAL PUBLISHED HERE ON 23 September 2015

The EUNAVFOR Med operation

On 22 June 2015, the Council of Ministers of the European Union adopted a Common Foreign Security Policy (CFSP) Decision establishing a military crisis management operation with the aim of combatting fighting people smuggling: EUNAVFOR Med.¹ This mission is currently in its first phase, focusing on intelligence gathering, i.e. surveillance and the assessment of existing smuggling networks.

A second phase would involve searching and possibly diverting vessels on the high seas and territorial waters, either under a mandate of the UN Security Council or with the consent of the appropriate coastal state. The Foreign Affairs Council has recently established that the conditions for the second phase have been met insofar as operations in international waters are concerned.² During the third phase, vessels and related assets of human smugglers would be destroyed and smugglers apprehended.

The mission will operate in a complex legal environment of overlapping rules of refugee law, international human rights law, the law of the sea, and international rules on the use of force. This note discusses some of the most pressing legal questions raised by this operation.

General remarks

At the outset, the Meijers Committee would like to raise a general point regarding the focus on people smuggling as a response to the loss of life at sea. In the absence of safe and legal access to the right to seek asylum in Europe, together with routes for legal migration, people will turn to human smugglers as a last resort. Increased border controls have resulted in higher casualties as people are forced to take more dangerous routes.

The Meijers Committee questions the appropriateness of the approach taken under EUNAVFOR Med to stop the loss of life at sea. The Committee would like to point to the shift from saving lives at sea under the Italian-led Mare Nostrum Operation, to border management (Triton), to military action (EUNAVFOR Med). The Meijers Committee emphasizes that the legal obligation to save lives at sea should have primacy in all Union action at sea and that a long-term solution must also involve improving legal access to asylum and legal employment.

Human smuggling as a threat to international peace and
security

The Meijers Committee notes that the decision establishing the EUNAVFOR Med operation refers explicitly to the need for a UN Security Council Resolution or consent of the coastal states concerned before the second phase of the operation can enter into force.

In this respect the Meijers Committee notes a fundamental difference from the EUNAVFOR operation Atalanta against piracy off the Somalian coast, which was taken as a model for EUNAVFOR Med. The Atalanta operation was explicitly supported by a UN Security Council Resolution, and had the consent of the coastal state involved.³

Articles 39 and 42 UN Charter stipulate that the Security Council shall only authorize the use of force if ‘necessary to maintain or restore international peace and security’. The Meijers Committee is not convinced that the EUNAVFOR MED mission meets this standard. Although the humanitarian crisis may meet this standard, the activities of human smugglers – unlike piracy – do not qualify. Although the Security Council has previously adopted resolutions in response to refugee crises in Iraq and Haiti, these were intended to stabilize the countries of origin and not to prevent persons from seeking refuge elsewhere.

Phase 2: search and diversion of ships

The Second Phase of the operation would involve the search and diversion of ships in third-country territorial waters, which requires the consent of the flag state or a UN Security Council Resolution.

The Meijers Committee recalls that on the high seas, Article 87 UN Convention on the Law of the Sea (UNCLOS) ensures the right to freedom of navigation. Article 110 permits a warship to board and inspect a vessel if, inter alia, it has no nationality. As regards the vessel, a finding of statelessness should allow states to exercise jurisdiction in order to ensure compliance with the ‘minimum public order on the high seas’, namely, the duties that normally fall on the flag state (Art. 94 UNCLOS).⁴ This could include a state’s power to escort the vessel into harbor for inspection. As regards the people on board, UNCLOS does not seem to provide a basis for the exercise of jurisdiction.

Although Article 110(1) UNCLOS expressly allows that grounds of interference may be established by Treaty, the UN Smuggling Protocol seems to impose a duty of cooperation only on the contracting parties, while maintaining the requirement of flag state authorization. Article 8(7) of the Smuggling Protocol provides a firmer legal basis for interference with stateless vessels than Article 110 UNCLOS. The wording ‘suppressing the use of the vessel’ or ‘take appropriate measures’ implies the possible use of force. Nevertheless, such force should be used as a means of last resort and will be subject to the requirement of necessity and proportionality. It is noted, however, that the Migrant Smuggling Protocol lacks the precision of, for instance, the UN drug trafficking regime, which explicitly sets out the measures that an intercepting power may take against a drug transport.⁵ Accordingly, no clear legal basis for action is provided in international law.

Diversions on the high seas may not result in the refoulement of people on board. It is important to stress that States cannot relieve themselves of this obligation by labelling an operation as ‘search and rescue’. The IMO Guidelines on the treatment of persons rescued at sea state that ‘[disembarkation of asylum-seekers and refugees recovered at sea, in territories where their lives and freedom would be threatened should be avoided.’ This approach has been confirmed by the European Court of Human Rights in the Hirsi case.⁶ Member States remain bound by their obligations under international human rights law, independently of the nature and location of their intervention. In this regard it is particularly problematic that Libya – one of the most important coastal states whose cooperation is sought – is currently a notoriously dangerous and unstable country.

It is unclear how the EU intends to give practical effect to these obligations in the course of the EUNAVFOR Med mission. The Meijers Committee would recommend that clear guidelines be put in place, comparable to the rules applicable in the framework of Frontex coordinated operations at sea.⁷

Phase 3: destruction of vessels and apprehension of smugglers

The Third Phase of the Operation would entail the destruction of vessels and related assets, and the apprehension of smugglers. The Meijers Committee argues that clear, binding, publicly available rules should be adopted prior to the commencement of Phase 3.

As regards the smugglers it must be noted that unlike piracy and international crimes, international law does not establish universal criminal jurisdiction over human smuggling. As with diversions, the interference with vessels believed to be engaged in human smuggling requires the consent of the flag state (or a UN SC Resolution). In case the ship is sailing without a flag, Article 8 of the Protocol allows a party to take ‘appropriate measures in accordance with relevant domestic and international law’. The extent to which this includes the exercise of criminal jurisdiction over human smugglers is not clear, however.

The Council decision establishing EUNAVFOR Med is silent about the possible detention and prosecution of smugglers. The Meijers Committee points out that even though EUNAVFOR Med is executed by military forces, the EU is not acting as party to an armed conflict and thus normal peacetime law applies. This means that after arrest, those suspected of migrant smuggling should be brought promptly before a judge⁸. In the case of subsequent criminal prosecution, jurisdiction should be established in one of the Member States. In this respect it is noted that not all Member States have established universal jurisdiction over human smuggling. If smugglers are to be extradited or released to third countries, their fundamental rights should be guaranteed.

The Meijers Committee notes that EUNAVFOR Med is aimed at the destruction of vessels used or suspected of being used for migrant smuggling, possibly even inside third-country territory, yet it remains unclear what legal standard is applied to identify such vessels. The Meijers Committee cautions that the destruction of vessels cannot be arbitrary. Unlike UNCLOS, which provides for clear rules on the seizure and liability for seizure of pirate ships, there is no explicit legal basis in international law for the seizure of migrant smuggling boats. The right to property as enshrined in Article 1 of Protocol 1 ECHR, which will apply to the Member States acting extra-territorially, prescribes that any destruction of property must be provided for by law and must be necessary and proportionate.

Unclear division of responsibility between the EU and its
Member States

The Meijers Committee recalls that Article 21 TEU requires CFSP actions to be based on human rights. This includes respect for human dignity, including the prohibition of torture and inhuman treatment; personal security and liberty; and protection from arbitrary detention and arrest.⁹ It also notes, however, that the Court of Justice of the EU has no authority to ensure this respect for fundamental rights as it lack jurisdiction over the CFSP.¹⁰ This means that legal remedies would have to be provided under the national law of the participating Member States.

The experience with joint operations under the coordination of Frontex shows that in case of violations of fundamental rights, it is unclear to whom wrongful conduct must be attributed. Although the operation is coordinated by the EU, it is the Member States that provide the assets and personnel, over which they maintain operational command.

Case law issuing from the European Court of Human Rights on the obligations of the Member States as contracting parties to the European Convention on Human Rights clearly indicates with regard to the Member States that they cannot escape their responsibilities under the Convention by acting outside the Convention’s territorial scope. The situation is more complicated, however, when Member States act as agents for the European Union (Bosphorus) or within the context of UN Peace Keeping Operations (Al Jeddah, Behrami, and Saramati). The Meijers Committee therefore stresses that it is fundamentally important that questions of international responsibility and responsibility under the European Convention for Human Rights are addressed prior to commencement of Phases 2 and 3.

Conclusions and recommendations

I. There are no indications that combating migrant smuggling contributes to the restoration of international peace and security or to ending the ongoing humanitarian crises;

II.      Without express consent from third states or authorization from the UN Security Council, the EU lacks jurisdiction over   vessels or assets in third-country territorial waters;
III.      Without express consent from third-country coastal states or   authorization from the UN Security Council, there is no clear legal basis for coercive measures against vessels or assets on the high seas;
IV Despite the unclear legal framework covering interdiction on the high seas, international human rights law does apply;
V.      Should a legal basis for action on the high seas and in territorial waters be provided, clear rules of engagement and proper safeguards should be in place to prevent indiscriminate destruction of civilian property; any undue loss should be compensated;
VI.      An unambiguous legal basis for the arrest and detention of suspected smugglers is needed, and also for the seizure and destruction of any personal property. Suspects should either be prosecuted, extradited or released, the last action having due regard to the right to asylum and the prohibition of refoulement;
VII.      Clear attribution rules and accountability mechanisms for human rights violations committed by EUNAVFOR assets should be in place;
VIII.      The right to apply for asylum, access to asylum procedures on land with proper language and legal assistance, and the prohibition of refoulement should be respected and subject to judicial oversight;
IX.       Outsourcing migration control to third countries, even though outside Member State jurisdiction, should take place with assurances and safeguards against human rights violations.

Notes

¹ Council Decision (CFSP) 2015/972 of 22 June 2015 launching the European Union military operation in the southern Central Mediterranean (EUNAVFOR MED), OJ 2015, L157/51.

² Council of the European Union, “EUNAVFOR Med: Council adopts a positive assessment on the conditions to move to the first step of phase 2 on the high seas”, Press Release, 14 September 2015, no. 643/15.
³ http://www.un.org/Depts/los/piracy/piracy_documents.htm
⁴ E. Papastavridis, ‘Enforcement Jurisdictions in the Mediterranean Sea: Illicit Activities and the Rule of Law on the High Seas’, International Journal of Marine and Coastal Law, Vol. 25, 2010, p. 585.
⁵ See Council of Europe Agreement on Illicit Traffic by Sea, implementing article 17 of the United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances.
⁶ ECHR, Hirsi Jamaa and others v. Italy, Grand Chamber, Judgment, 23 February 2012, Application no. 27765/09.
⁷ Regulation (EU) No 656/2014 of the European Parliament and of the Council of 15 May 2014 establishing rules for the surveillance of the external sea borders in the context of operational cooperation coordinated by the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union, L 189, 27 June 2014.
⁸ ECHR, Medvedyev v France, 9 March 2010, appl. no. 3394/03.
⁹ The promotion and protection of human rights during common security and defence policy operations. In-between a spreading state of mind and an unsolved concern. M L Sánchez Barrueco, in The EU as a ”Global Player” in human rights?, J E Wetzel (edit.), 2011, pp. 158-160.
¹⁰ See also Case T-271/10, under appeal C-455/14 P.

About : The Meijers Committee is an independent group of legal scholars, judges and lawyers that advises on European and International Migration, Refugee, Criminal, Privacy, Anti-discrimination and Institutional Law. The Committee aims to promote the protection of fundamental rights, access to judicial remedies and democratic decision-making in EU legislation.

The Meijers Committee is funded by the Dutch Bar Association (NOvA), Foundation for Democracy and Media (Stichting Democratie en Media) the Dutch Refugee Council (VWN), Foundation for Migration Law Netherlands (Stichting Migratierecht Nederland), the Dutch Section of the International Commission of Jurists (NJCM), Art. 1 Anti-Discrimination Office, and the Dutch Foundation for Refugee Students UAF.

Contact info: Louis Middelkoop Executive secretary post@commissie-meijers.nl +31(0)20 362 0505

Please visit www.commissie-meijers.nl

IMPROVING THE LEGISLATION FOR LABOUR MIGRATION IN THE EUROPEAN UNION (a Study for the EP)

FULL STUDY ACCESSIBLE HERE

AUTHORS: Prof. Iván Martín Dr. Anna di Bartolomeo Prof. Philippe de Bruycker, Géraldine Renaudiere Dr. Justyna Salamońska Prof. Alessandra Venturini (Migration Policy Centre, Robert Shuman Centre for Advanced Studies, European University Institute)

The paradox between the need for international labour migration to counter the impending demographic crisis in Europe and the lack of commensurate policy instruments to attract and integrate labour migration from third countries into the EU is one of the key strategic issues for Europe. Upon request by the LIBE committee, this research paper reviews the social and economic context of EU international labour migration policy, the status of relevant EU legislation and the available policy options from a comprehensive labour market perspective, as well as their feasibility. These options for opening up legal labour migration channels to the EU should be considered in the framework of the ongoing discussion over the European Agenda on Migration.

EXECUTIVE SUMMARY

Attracting international labour over the medium- to long-term is a crucial strategic issue for the European Union: demographic challenges, enhanced European global competitiveness, sustained European growth and the survival of welfare systems over the next decades, all depend on it.

However, EU labour migration policy has received very little attention from policy-makers, media and the public in general, even in the framework of the recent proposal for a European Migration Agenda.

As a matter of fact, the EU has no comprehensive set of policy instruments to cope with the international labour required by its labour markets. There are several reasons to undertake the development of a more coherent and more comprehensive legal labour migration policy framework in the EU:

Non-economic migrants (family reunification, refugees and foreign students) amount to between two thirds and three quarters of all third-country nationals entering the EU labour market;
Labour migration policy is the only instrument allowing the selection of skilled migrants with the qualifications and skills required by European labour markets;
Effective legal labour migration channels are a necessary component of any strategy to fight irregular labour migration;
Legal migration is a key component of international bilateral migration policy dialogues between the EU and its partner countries, in particular Mobility Partnership with Neighbourhood countries. A coherent EU labour migration policy framework is required to integrate this issue into policy dialogues.

As a consequence, an EU labour migration policy framework should be an integral part of the emerging EU labour market and employment policies.

The political sensitiveness of immigration policy and the exclusive competence of Member States to decide the volume of admissions of third-country nationals seeking work are two major constraints on any policy initiative in this field.

Structure and main conclusions

This paper first reviews available evidence on the need for labour migration from third countries to the European Union. Today, in most Member States high unemployment and underemployment levels coexist with substantial labour shortages as perceived by employers. Whereas there is not an overall quantitative labour shortage for the whole EU, several studies find the existence of qualitative labour market shortages for specific skill levels, sectors or occupations, in particular for low-skilled occupations. Highly-skilled profiles are, instead, needed only in a limited number of occupations and countries. Accordingly, any strategy addressing labour needs in the EU – including highly-skilled migration schemes – should be geared to national labour markets’ needs and be strongly sector-oriented.

By looking at the different forecasts available, it can be seen that international migration is poised to play a major role in filling the EU’s labour market needs.

Accordingly, redesigning pro-immigration policies should be a complementary response to current and future European labour supply dynamics.

This paper, also, reviews the gradual development of an EU-wide legal framework on economic migration and its current status. After a 2001 attempt to adopt a comprehensive approach to economic migration to the EU, EU legislation has opted for a “category-by-category” approach. To date this has focused on students and researchers, highly-qualified migrants, seasonal workers and intra-corporate transferees. There is also a proposal recasting the Directives on foreign students and on researchers that has not yet been adopted. Assessments of the implementation of the Researchers Directive (2011) and the Blue Card Directive on highly-qualified migrants (2014) show low rates of use. In both cases, as with the Seasonal Workers Directive, the wide powers of discretion retained by Member States and insufficient promotion of the existence of new rules undermines the potential of directives.

Beyond the conditions of admission, the intra-EU mobility of third-country nationals remains a key component of EU labour migration policy and one of the biggest failures in European immigration policy. Overall, the EU labour migration system lacks effective coordination mechanisms between Member States for policy implementation at the EU level.

The paper, next, looks at the existing evidence for the impact of EU migration policies on migration flows in the labour market, as well as the integration challenges posed by the arrival of third-country nationals. Available data do not allow for a thorough assessment of the impact and effectiveness of immigration policies on migrant flows and – especially – on migrant composition in terms of reasons for entrance: family reunification beneficiaries, refugees, workers and students. Only very limited quantitative studies have been conducted in a systematic and comparative way at the EU level. This lack of data and research severely limits our ability to understand and design an evidence-based EU labour migration policy.

However, the low level of use of EU labour migration policy tools, such as the Researchers Directive or the Blue Card Directive, suggests that the impact of EU labour migration policy on migratory movements is very limited.

Empirical evidence reveals that migrants do not integrate into the labour market to the same extent as native workers. They have lower wages and are more likely to be unemployed than native workers with the same characteristics.

Regarding the proposal for a European Agenda on Migration presented by the European Commission on 13 May 2015, the chapter on “A new policy on legal migration” does not contain major novelties in relation to the current EU labour immigration regime. The proposals lack a clear vision of future EU labour migration policy and its integration with labour market and employment policy. They do not build a comprehensive and coherent policy set and they do not make up for the shortcomings of current EU labour migration policies. Overall, they are not suited to respond to the identified and projected labour needs of the European Union over the medium- to long-term. However, they open a unique opportunity to discuss EU labour migration policy: this opportunity should not be wasted.

Main recommendations

In this regard, the paper calls for a comprehensive labour market vision of EU economic migration regime. The current piecemeal, category-specific approach to legal labour migration at the EU-level does not respond to the needs of EU labour markets, which are subject to a process of gradual unification.

Indeed, EU labour migration policy should be an integral part of EU labour market policy. As such, it should incorporate measures facilitating the labour market integration of all flows of third-country nationals into the EU labour markets. This would include not only economic migrants entering the EU labour market with a work permit, but also all third-country nationals ultimately accessing European labour markets. Here there are, also, family reunification beneficiaries, asylum-seekers and foreign students.

An operationalization of the EU preference principle is crucial to ensuring the smooth implementation of any EU-wide labour migration scheme and the articulation between international migration and the intra-EU mobility of EU nationals.

Social partners and social dialogue mechanisms are a necessary component of any EU labour migration initiative. They both define an EU labour migration policy responding to the actual needs of the labour market and defuse misrepresentations of migrants in political discourse and public opinion.

A public information and communication strategy on the realities of migration and the need for a comprehensive labour migration policy at EU level should be an integral part of any policy debate in this field, given the strong anti-immigration attitudes in wide sectors of public opinion in many Member States.

Legal labour migration opportunities to the EU should be integrated into EU migration agreements with third countries (such as Mobility Partnerships), as well as mechanisms to facilitate the labour and skills matching for migrant workers from those countries. This would allow the articulation between EU labour migration policy and EU external cooperation in this field.

More precise and disaggregated migration statistics should be collected at the EU level, and the current Commission Annual Report on Immigration and Asylum could be transformed into a fully-fledged EU-wide migration policy review mechanism.

Last, but not least, more research and better production of data are crucial in any effective evidence-based labour migration policy at the EU level. More research is needed, in particular, in the following areas:

Labour market integration of non-economic migrants;
Patterns of intra-EU mobility of third-country nationals legally residing in the EU;
Mechanisms to better match the profile of labour migrants to the needs of the EU labour markets;
Foreign students graduating in EU education institutions should have some opportunity to access EU labour markets, enhancing thus the attractiveness of the EU destination, and an EU Traineeship Programme for third-country nationals could be a building block to facilitate the smooth integration into of third-country nationals with the required skills.
More generally, the recognition and certification of qualifications and skills obtained in third countries by third-country nationals should be made easier and progress towards an EU-wide recognition system should be envisaged.The actual implementation and working of labour market tests in different EU Member States.Policy options to open new avenues for legal labour migration to the EUThe paper briefly reviews a series of concrete policy options for widening the legal channels for access to the European labour market in response to identified labour market needs. The analysis of existing options allows some conclusions on the right mix of policy instruments to integrate into a comprehensive labour market approach. The main objectives would be the following: ensuring a more efficient international labour matching of migrant workers; optimizing the labour force already present in the EU; fitting legal migration channels to the needs of the European labour markets; and ensuring the availability of a sufficient pool of potential labour migrants for employers. In terms of policy instruments, an analysis of existing options suggests the following conclusions:
1. Improving labour matching within and outside the EU
- An EU-wide Labour Market Information System and an EU labour market needs a forecasting system integrating migration flows of non-economic migrants. Both are the basis of any effective, evidence-based labour migration policy at the EU level. The former can be used to facilitate international labour matching for third-country nationals and to operationalize the principle of EU preference and to ensure a better matching of labour migration policy outcomes to the actual needs of EU labour markets.
- Current EU and Member States job intermediation mechanisms (notably public employment services matching systems) could be extended to third country nationals, in particular through partnerships with public employment services in countries of origin. An obvious step there would be to extend the European Job Mobility Portal, EURES, to third countries, in particular Neigbourhood countries in the framework of Mobility Partnerships.
. The role of private placement agencies in international labour migration matching should be enhanced and regulated, for instance through the development of a system of certified international recruitment agencies.
1. Optimizing the labour force already present in the EU
- The labour market integration of non-economic migrants has to be
  supported, first by getting a better knowledge of their skills and facilitating
  changes in migratory status;
. The intra-EU mobility of third-country nationals legally working in EU Member States should be facilitated; and the targeted regularization of irregular migrants for whom there is labour market demand should be incentivized.
1. Fitting legal migration channels to the needs of the European labour markets
. The ongoing reform of the EU Blue Card should impose fewer costs on migrants and employers and grant more rights, in particular to intra-EU mobility, to Blue Card holders.
- Targeted and occupation-specific job search visas might be a more effective instrument to match EU labour migration policy to EU labour market needs than supply-driven “expression-of-interest” system, as suggested in the European Agenda on Migration.
1. Extending the pool of potential labour migrants for employers
  - Foreign students graduating in EU education institutions should have some opportunity to access EU labour markets, enhancing thus the attractiveness of the EU destination, and an EU Traineeship Programme for third-country nationals could be a building block to facilitate the smooth integration into of third-country nationals with the required skills.
  - More generally, the recognition and certification of qualifications and skills obtained in third countries by third-country nationals should be made easier and progress towards an EU-wide recognition system should be envisaged.