Passenger Name Records, data mining & data protection: the need for strong safeguards


by Douwe KORFF and Marie GEORGES (FREE-Group Members)


Much has been said and written about Passenger Name Records (PNR) in the last decade and a half. When we were asked to write a short report for the Consultative Committee about PNR, “in the wider contexts”, we therefore thought we could confine ourselves to a relatively straightforward overview of the literature and arguments.

However, the task turned out to be more complex than anticipated. In particular, the context has changed as a result of the Snowden revelations. Much of what was said and written about PNR before his exposés had looked at the issues narrowly, as only related to the “identification” of “known or [clearly ‘identified’] suspected terrorists” (and perhaps other major international criminals). However, the most recent details of what US and European authorities are doing, or plan to do, with PNR data show that they are part of the global surveillance operations we now know about.

More specifically, it became clear to us that there is a (partly deliberate?) semantic confusion about this “identification”; that the whole surveillance schemes are not only to do with finding previously-identified individuals, but also (and perhaps even mainly) with “mining” the vast amounts of disparate data to create “profiles” that are used to single out from the vast data stores people “identified” as statistically more likely to be (or even to become?) a terrorist (or other serious criminal), or to be “involved” in some way in terrorism or major crime. That is a different kind of “identification” from the previous one, as we discuss in this report.

We show this relatively recent (although predicted) development with reference to the most recent developments in the USA, which we believe provide the model for what is being planned (or perhaps already begun to be implemented) also in Europe. In the USA, PNR data are now expressly permitted to be added to and combined with other data, to create the kinds of profiles just mentioned – and our analysis of Article 4 of the proposed EU PNR Directive shows that, on a close reading, exactly the same will be allowed in the EU if the proposal is adopted.

Snowden has revealed much. But it is clear that his knowledge about what the “intelligence” agencies of the USA and the UK (and their allies) are really up to was and is still limited. He clearly had an astonishing amount of access to the data collection side of their operations, especially in relation to Internet and e-communications data (much more than any sensible secret service should ever have allowed a relatively junior contractor, although we must all be grateful for that “error”). However, it would appear that he had and has very little knowledge of what was and is being done with the vast data collections he exposed.

Yet it is obvious (indeed, even from the information about PNR use that we describe) that these are used not only to “identify” known terrorists or people identified as suspects in the traditional sense, but that these data mountains are also being “mined” to label people as “suspected terrorist” on the basis of profiles and algorithms. We believe that that in fact is the more insidious aspect of the operations.

This is why this report has become much longer than we had planned, and why it focusses on this wider issue rather than on the narrower concerns about PNR data expressed in most previous reports and studies.

The report is structured as follows. After preliminary remarks about the main topic of the report, PNR data (and related data) (further specified in the Attachment), Part I discusses the wider contexts within which we have analyzed the use of PNR data. We look at both the widest context: the change, over the last fifteen years or so, from reactive to “proactive” and “preventive” law enforcement, and the blurring of the lines between law enforcement and “national security” activities (and between the agencies involved), in particular in relation to terrorism (section I.i); and at the historical (immediately post-“9/11”) and more recent developments relating to the use of PNR data in data mining/profiling operations in the USA, in the “CAPPS” and (now) the “Secure Flight” programmes (section I.ii).

In section I.iii, we discuss the limitations and dangers inherent in such data mining and “profiling”.

Only then do we turn to PNR and Europe by describing, in Part II, both the links between the EU and the US systems (section II.1), and then the question of “strategic surveillance” in Europe (II.ii).

In Part III, we discuss the law, i.e., the general ECHR standards (I); the ECHR standards applied to surveillance in practice (II, with a chart with an overview of the ECtHR considerations); other summaries of the law by the Venice Commission and the FRA (III); and further relevant case-law (IV).

In Part IV, we first apply the standards to EU-third country PNR agreements (IV.i), with reference to the by-passing of the existing agreements by the USA (IV.ii) and to the spreading of demands for PNR to other countries (IV.iii). We then look at the human rights and data protection-legal issues raised by the proposal for an EU PNR scheme. We conclude that part with a summary of the four core issues identified: purpose-specification and –limitation; the problem with remedies; “respect for human identity”; and the question of whether the processing we identify as our main concern – “dynamic”-algorithm-based data mining and profiling – actually works.

Part V contains a Summary of our findings; our Conclusions (with our overall conclusions set out in a box on p. 109); and tentative, draft Recommendations. (…)


How the EU “legislative triangle” is becoming a “Bermuda triangle”…

by Emilio De Capitani

According to several scholars, the Lisbon Treaty has strengthened the implementation of the democratic principle in the EU as well as the framework for participative democracy. In theory, with the entry into force of the Charter the EU has become more accountable to its citizens and there has been a clear improvement of the legal framework for EU legislative and non-legislative activity. Even if it is not perfectly sound, there is now a clear definition of what should be considered of “legislative” nature and there is now a clear obligation (at primary law level) to debate publicly both in the Council and in the European Parliament.

Needless to say, the latter has been for years the champion of legislative and administrative transparency, not only in the citizens’ interest but also in view of the definition of its own margin of manoeuvre during the negotiations with the Council. This former EP attitude was not particularly appreciated by the Council and the Commission when in 2001, before Lisbon, the three institutions negotiated the first EU legislation in this domain (Regulation 1049/01). However, at the time it was easy to say that time was needed to promote open debates and votes in the Council and in the Commission because it would have required a change of culture in an institution mainly structured as a bureaucratic machinery (the Commission) or in another framed by a diplomatic approach (the Council).

Five years after Lisbon, is such a change of culture in the Council and the Commission under way, or is it the other way round for the EP?

Have a look at the exchange of messages below and form your own opinion. The issue is still pending but is likely to see some interesting developments…

The heavy chains of Prometheus: critical reflections on the European Internal Security Strategy 2015 – 2020


by Pierre Berthelet, CDRE

Professor Panayotis Soldatos recently compared the European Union to Prometheus chained by the Member States. These reflections, highlighting a European construction dependent on the States, “whose political elites”, he writes, “refuse to acknowledge the reality of the obsolescence of national sovereignty”, are perfectly illustrated by the Council’s adoption of the European internal security strategy for the period 2015-2020.

At first sight, internal security has just taken a further step towards integration with the Council’s approval, on 16 June 2015, of conclusions renewing and modernising the 2010-2014 strategy for the next five years. Yet the chains do appear to be heavy, for the States retain control, and with a firm hand one might say, of the integration process in this field.

These conclusions prompt a series of critical reflections on the institutional consequences and on the way in which the States decide to work on European construction in matters of internal security.

They immediately raise questions concerning the inclusion of the European Parliament in the decision-making process linked to the running of the cycle, as well as the enhanced preservation of fundamental rights (1).

CoE Human Rights Commissioner: Reinforcing democratic oversight of security services cannot be further delayed

Strasbourg, 5 June 2015 – “The current systems of oversight of national security services in Europe remain largely ineffective. Revelations over the last years about security operations which have violated human rights should have prompted reforms in this field, but progress has been disappointingly slow. European countries must now ensure more democratic and effective oversight of what their security services do and avoid future operations leading to new human rights violations,” said today Nils Muižnieks, Commissioner for Human Rights, while presenting a report on this topic.

The report intends to provide guidance to strengthen human rights protection in the field of security services. It sets forth a number of measures necessary for making national oversight systems more effective and the security services accountable and fully compliant with human rights standards.  “Security service activities impact a variety of human rights, including the right to life, to personal liberty and security, and the prohibition of torture or inhuman, cruel and degrading treatment. They also impinge on the right to privacy and family life, as well as the rights to freedom of expression, association and assembly, and fair trial. It is therefore crucial that security services uphold the rule of law and human rights in undertaking their tasks.”

Council of Europe member states have taken diverse approaches to oversight, which include parliamentary committees, independent oversight bodies, institutions with broader jurisdictions such as ombudspersons, data commissioners and judicial bodies. However, none abides fully by internationally established norms. Drawing upon international and European standards and national practices, the paper sets out the most significant objectives and overriding principles that can enable more effective oversight of security services. “It is necessary to keep oversight democratic, primarily through the involvement of parliaments. It is also crucial to ensure prior authorisation of the most intrusive measures, including surveillance, and to establish a body able to issue legally binding decisions over complaints by individuals affected by security activities, as well as to access all intelligence-related information,” said the Commissioner.

“Security services exist to protect our democracies. Their work is fundamental to ensure that we all can live in security. This paper intends to show how their activities can be best sustained by policies which ensure their lawfulness and accountability. Ensuring that security agencies operate under independent scrutiny and judicial review does not reduce their effectiveness. On the contrary, governments would increase their credibility among the public and weaken support for anti-democratic causes if they show as much resolve in safeguarding human rights as in fighting terrorism.”

The executive summary and the Commissioner’s recommendations are also available in French and German. Translations into Turkish and Russian are under way.

To read more about the Commissioner’s work on counter-terrorism and human rights, please visit this page.


The Commissioner for Human Rights is an independent, non-judicial institution within the Council of Europe, mandated to promote awareness of, and respect for, human rights in the 47 member states of the Organisation. Elected by the Parliamentary Assembly of the Council of Europe, the present Commissioner, Mr Nils Muižnieks, took up his function on 1 April 2012.



by Steve PEERS

Due to my concern about inadequate democratic scrutiny of changes to UK law (often linked to EU law) affecting privacy rights, I am one of the signatories to today’s letter to MPs on this issue, published in the Guardian and elsewhere. Thanks to Andrew Murray and Paul Bernal for taking this initiative.

An open letter to all members of the House of Commons,

Dear Parliamentarian,

Ensuring the Rule of Law and the democratic process is respected as UK surveillance law is revised

Actions Taken Under the Previous Government

During the past two years, the United Kingdom’s surveillance laws and policies have come under scrutiny as the increasingly expansive and intrusive powers of the state have been revealed and questioned in the media. Such introspection is healthy for any democracy. However, despite a need for transparency in all areas of lawmaking, and in particular in areas of controversy, the previous Government repeatedly resisted calls for an open and transparent assessment and critique of UK surveillance powers. Instead, in response to legal challenges, it extended the powers of the state in the guise of draft Codes of Practice and “clarifying amendments.” As we welcome a new Government we expect another round of revisions to UK surveillance laws, with the likelihood that the Queen’s Speech will signal a revival of the Communications Data Bill. At this time we call on the new Government, and the members of the House, to ensure that any changes in the law, and especially any expansions of power, are fully and transparently vetted by Parliament, and open to consultation from the public and all relevant stakeholders.

Last year, in response to the introduction of the Data Retention and Investigatory Powers Bill (“DRIP”), a number of leading academics in the field – including many of the signatories to this letter – called for full and proper parliamentary scrutiny of the Bill to ensure Parliamentarians were not misled as to what powers it truly contained. Our concern emanated from the Home Secretary’s attempt to characterize the Bill, which substantially expanded investigatory powers, as merely a re-affirmation of the pre-existing data retention regime.[1]

Since that letter was written, it has become apparent that the introduction of the DRIP Bill was not the only time an expansion of surveillance powers was presented in a way seemingly designed to stifle robust democratic consideration. In February 2015, the Home Office published the draft Equipment Interference Code of Practice.[2] The draft Code was the first time the intelligence services openly sought specific authorisation to hack computers both within and outside the UK. Hacking is a much more intrusive form of surveillance than any previously authorised by Parliament. It also threatens the security of all internet services as the tools intelligence services use to hack can create or maintain security vulnerabilities that may be used by criminals to commit criminal acts and other governments to invade our privacy. The Government, though, sought to authorise its hacking, not through primary legislation and full Parliamentary consideration, but via a Code of Practice.

The previous Government also introduced an amendment via the Serious Crimes Act 2015, described in the explanatory notes to the Bill as a ‘clarifying amendment’.[3] The amendment effectively exempts the police and intelligence services from criminal liability for hacking. This has had an immediate impact on the ongoing litigation of several organisations who are suing the Government based in part on the law amended, the Computer Misuse Act 1990.[4]

The Way Ahead

The new Conservative Government has announced its intention to propose new surveillance powers through a resurrection of the Communications Data Bill. This will require internet and mobile phone companies to keep records of customers’ browsing activity, social media use, emails, voice calls, online gaming and text messages for a year, and to make that information available to the government and security services. We also anticipate this Parliament will see a review of the Regulation of Investigatory Powers Act 2000, which currently regulates much of the Government’s surveillance powers. The Independent Reviewer of Terrorism Legislation, David Anderson QC, has conducted an independent review of the operation and regulation of investigatory powers, with specific reference to the interception of communications and communications data. The report of that review has been submitted to the Prime Minister, but has yet to be made public: when it is made public, parliamentary scrutiny of the report and any recommendations made following it will be essential.

As the law requires that surveillance powers must be employed proportionate to any harm to privacy caused (as required by Article 8 of the European Convention on Human Rights and Article 12 of the Universal Declaration of Human Rights) we believe that any expansion or change to the UK’s surveillance powers should be proposed in primary legislation and clearly and accurately described in the explanatory notes of any Bill. The Bill and its consequences must then be fully and frankly debated in Parliament. When reaching an assessment of the proportionality of any measure that restricts rights, both our domestic courts and the European Court of Human Rights place great stock on the degree and quality of Parliamentary involvement prior to any measure being adopted. If the matter ever came before the courts, one issue examined would be the nature of any “exacting review” undertaken by MPs into the necessity of extending these powers. The Government should not be permitted to surreptitiously change the law whenever it so desires, especially where such changes put our privacy and security at risk.

This letter has been prepared and signed by 35 academic researchers. We are comprised of people from both sides of this issue – those who believe that increased powers are a reasonable response to an emerging threat, and those who think them an unjustified extension of state interference. Our common goal is to see the Rule of Law applied and Parliamentary oversight reasserted. We are calling on all members of the House of Commons, new and returning, and of all political persuasions to support us in this by ensuring Parliamentary scrutiny is applied to all developments in UK surveillance laws and powers as proposed by the current Government.



Andrew Murray (contact signatory), Professor of Law, London School of Economics
Paul Bernal (contact signatory), Lecturer in Information Technology, Intellectual Property and Media Law, University of East

Subhajit Basu, Associate Professor, University of Leeds
Sally Broughton Micova, Deputy Director, LSE Media Policy Project, Department of Media and Communications, London School of Economics and Political Science
Abbe E.L. Brown, Senior Lecturer, School of Law, University of Aberdeen
Ian Brown, Professor of Information Security and Privacy, Oxford Internet Institute
Ray Corrigan, Senior Lecturer in Maths, Computing and Technology, Open University
Angela Daly, Postdoctoral Research Fellow, Swinburne Institute for Social Research, Swinburne University of Technology
Richard Danbury, Postdoctoral Research Fellow, Faculty of Law, University of Cambridge
Catherine Easton, Lancaster University School of Law
Lilian Edwards, Professor of E-Governance, Strathclyde University
Andres Guadamuz, Senior Lecturer in Intellectual Property Law, University of Sussex
Edina Harbinja, Lecturer in Law, University of Hertfordshire
Julia Hörnle, Professor in Internet Law, Queen Mary University of London
Theodore Konstadinides, Senior Lecturer in Law, University of Surrey
Douwe Korff, Professor of International Law, London Metropolitan University
Mark Leiser, Postgraduate Researcher, Strathclyde University
Orla Lynskey, Assistant Professor of Law, London School of Economics
David Mead, Professor of UK Human Rights Law, UEA Law School, University of East Anglia
Robin Mansell, Professor, Department of Media and Communication, London School of Economics
Chris Marsden, Professor of Law, University of Sussex
Steve Peers, Professor of Law, University of Essex
Gavin Phillipson, Professor, Law School, University of Durham
Julia Powels, Researcher, Faculty of Law, University of Cambridge
Andrew Puddephatt, Executive Director, Global Partners Digital
Judith Rauhofer, Lecturer in IT Law, University of Edinburgh
Chris Reed, Professor of Electronic Commerce Law, Queen Mary University of London
Burkhard Schafer, Professor of Computational Legal Theory, University of Edinburgh
Joseph Savirimuthu, Senior Lecturer in Law, University of Liverpool
Andrew Scott, Associate Professor of Law, London School of Economics
Peter Sommer, Visiting Professor, Cyber Security Centre, De Montfort University
Gavin Sutter, Senior Lecturer in Media Law, Queen Mary University of London
Judith Townend, Director of the Centre for Law and Information Policy, Institute of Advanced Legal Studies, University of London
Asma Vranaki, Post-Doctoral Researcher in Cloud Computing, Queen Mary University of London
Lorna Woods, Professor of Law, University of Essex


Posted by Steve Peers at 03:18

Europe and “Whistleblowers”: still a bumpy road…

by Claire Perinaud (FREE Group trainee)

On 9 and 10 April, the University Paris X Nanterre la Défense, in collaboration with the University Paris I Sorbonne, organized in Paris a conference on “whistleblowers and fundamental rights”[1], which echoed a rising debate on the figure of whistleblowers after the numerous revelations of scandals and corruption which occurred in recent years, some of them directly linked to EU institutions. In the following lines I will try to sketch a) the general framework, then b) the main issues raised during the Conference.

A) The general framework 

The term “whistle-blower” was created by Ralph Nader in 1970 in the context of the need to ensure the defense of citizens from lobbies. He defined “whistle blowing” as “an act of a man or woman who, believing that the public interest overrides the interest of the organization he serves, blows the whistle that the organization is in corrupt, illegal, fraudulent or harmful activity”[2]. The interest of scholars and lawyers in the figure of whistle-blowers in the United States dates back to the adoption by the Congress in 1863 of the False Claims Act, which is deemed to be the first legislation related to the right of alert[3].
The system which developed afterwards is notably based on the idea that whistle-blowing is a strong mechanism to fight corruption and has to be encouraged by means of financial incentives[4]. If this mechanism is of utmost importance in the United States, protection of whistle-blowers is only slowly being introduced in Europe[5].
With numerous scandals related to systemic violations of human rights, the subject is progressively being dealt with in the European Union (EU) and in the Council of Europe. Nevertheless, in both organizations, the protection of whistleblowers remains at the stage of a project or only of recommendations to the states.


J.P. Jacqué: The Commission’s right to withdraw a legislative proposal. On the judgment of 14 April 2015 (C‑409/13)


by Jean Paul Jacqué

The existence of a right for the Commission to withdraw one of its proposals has always been a bone of contention between the Council and the Commission. For the Commission, the right of withdrawal had to be regarded as a corollary of the right of initiative conferred on it by the Treaty. It relies on the TFEU article stating that the Commission may amend its proposal at any time before the Council has acted. Withdrawal would be one variant of the power of amendment. Since the Council can amend a Commission proposal without the latter’s agreement provided it acts unanimously, withdrawal would temper that power of the Council. For the Council, there can be no question of granting the Commission what would amount to a legislative veto. Once the Council achieved unanimity to amend a Commission proposal, the Commission should not have the power to obstruct the Council’s will. The Commission’s argument disregards the original philosophy of the system. If the Commission was given the right to amend its proposal, it was to enable it to join, if it so wished, the position of a majority of Member States in order to allow the adoption of a proposal that would not have secured unanimity. That situation had nothing to do with a right of withdrawal, which had not been envisaged by the founding fathers[2].

Until now, this difference of views between the institutions had not caused insurmountable difficulties. Unilateral withdrawal by the Commission has been practised five times, mainly under the Delors Commission. The other cases of withdrawal were more consensual. They mainly concerned the withdrawal of proposals that had become obsolete or were affected by a change of circumstances, and withdrawal was generally preceded by consultations with the Parliament and the Council. The Commission had also become accustomed to carrying out “administrative” withdrawals upon taking office. These concerned old proposals that had not attracted the legislator’s interest. It could rely on a supposed principle of legislative discontinuity, which is known to many national parliaments and supported by the European Parliament, which favours the lapse of proposals not adopted during the previous legislature, with exceptions for those adopted at first reading or those whose examination it wishes to continue. Because of the Council’s opposition, these withdrawals were generally preceded by interinstitutional negotiations.

The Juncker Commission seems to have freed itself from these constraints by carrying out systematic withdrawals of proposals whose examination the Parliament wished to continue, which has given rise to controversy[3].

State Surveillance: the Venice Commission updates its 2007 Report


The Council of Europe’s European Commission for Democracy through Law (Venice Commission), during its 102nd Plenary Session (Venice, 20-21 March 2015), has updated its 2007 Report on the democratic oversight of the security services and report on the democratic oversight of Signals Intelligence Agencies.
At a time when EU founding States such as France are discussing some very controversial rules on potential mass interception and the European Union is more and more attracted by so-called “intelligence-led policing”, the Venice Commission recommendations are particularly timely and worth reading.

Below is the Executive Summary of the updated Venice Commission’s Report.

1. The scope of the study.
As a result of processes of globalization and of the creation of internet, internal and external security threats may not be easily distinguished anymore. Significant threats may come from non-state actors. Consequently, one of the most important developments in intelligence oversight in recent years has been that Signals Intelligence or SIGINT does not relate exclusively to military and external intelligence anymore, but also falls to some extent into the domain of internal security. Thus, signals intelligence now can involve monitoring “ordinary telecommunications” (it is “surveillance”) and it has a much greater potential of affecting individual human rights. Different states organize their signals intelligence function in different ways. The summary which follows discusses issues generally, and should not be seen as asserting that all states follow a particular model of signals intelligence, or regulate it in a particular way.

2. Is there a need for improved democratic control?
Strategic surveillance involves access both to internet and telecommunications content and to metadata (all data not part of the content of the communication). It begins with a task being given to the signals intelligence agency to gather intelligence on a phenomenon or a particular person or group. Very large quantities of content data, and metadata, are then collected in a variety of different ways. The bulk content is subjected to computer analysis with the help of “selectors”. These can relate to persons, language, key words concerning content (e.g. industrial products) and communication paths and other technical data.

3. Unlike “targeted” surveillance (covert collection of conversations by technical means (bugging), covert collection of the content of telecommunications and covert collection of metadata), strategic surveillance does not necessarily start with a suspicion against a particular person or persons. Signals intelligence aims to inform foreign policy generally and/or military/strategic security, not necessarily at investigating internal security threats. It has a proactive element, aiming to find or identify a danger rather than merely investigating a known threat. Herein lies both the value it can have for security operations, and the risks it can pose for individual rights.

4. Agencies engaged in signals intelligence tend to have the bulk of the intelligence budget, and produce most intelligence, but the systems of oversight over them have tended to be weaker. There are a variety of explanations for this.
First, it is argued that access to mere metadata does not seriously affect privacy, and nor does access to content data because this is done by computerized search programmes (“selectors”). However, metadata now can reveal much about private life, and the content selectors can be designed to collect information on specific human beings and groups.
Second, telecommunications used to be mainly by radio, with an ensuing lower level of privacy expectations; however, the vast bulk of telecommunications is now by fiber-optic cable.
Third, strategic surveillance being aimed at external communications, it was argued that it is the privacy of non-citizens or non-residents which is affected; however, leaving aside the issue of whether such a distinction is acceptable under the ECHR, for technical reasons there is an inevitable mixing of the internal and external communications, and an ensuing risk of circumvention of tougher domestic controls and oversight which might exist over “ordinary” surveillance.
Fourthly, controls have been weaker on account of the technical complexity and rapid technological growth of the area. It should be borne in mind, however, that if this sector is left unregulated, it will be the intelligence agency itself instead of the legislature which carries out the necessary balancing of rights, with the risk of erring on the side of over-collecting intelligence.
The fifth reason is that various factors – too rapid growth in the size of a signals intelligence agency, rapid growth in technology, loss in institutional memory, political pressure to secure quick results – may adversely impact the integrity and professionalism of the staff.
Finally, signals intelligence is an international cooperative network, which creates specific oversight problems.

5. Strategic surveillance is not necessarily “mass” surveillance but can be when bulk data is collected and the thresholds for accessing that data are set low. Signals intelligence agencies tend to possess much more powerful computing facilities and thus have a greater potential to affect privacy and other human rights. They thus need proper regulation in a Rechtsstaat.

6. Jurisdiction.
The collection of signals intelligence may legitimately take place on the territory of another state with its consent, but might still fall under the jurisdiction of the collecting state from the view point of human rights obligations under the ECHR. At any rate, the processing, analysis and communication of this material clearly falls under the jurisdiction of the collecting State and is governed by both national law and the applicable human rights standards. There may be competition or even incompatibility between obligations imposed on telecommunications companies by the collecting state and data protection obligations in the territorial state; minimum international standards on privacy protection appear all the more necessary.

7. Accountability. Organization.
Signals intelligence is expensive and requires sophisticated technical competence. Hence, while all developed states nowadays require a defensive function – cyber security – only some have an offensive signals intelligence capacity, either in the form of a specialist signals intelligence agency or by allocating a signals intelligence task to the external intelligence agency.

8. Form of the mandate.
Most democratic states have placed at least part of the mandate of the signals intelligence function in primary legislation, as required by the ECHR. More detailed norms or guidelines are normally set out in subordinate legislation promulgated either by the executive (and made public) or by the Head of the relevant agency (and kept secret). There may be issues of quality of the law (foreseeability etc) in this respect.

9. Content of the mandate.
The mandate of a signals intelligence agency may be drafted in very broad terms to allow collection of data concerning “relevant” “foreign intelligence” or data of “relevance” to the investigation of terrorism. Such broad mandates increase the risk of over-collection of intelligence. If the supporting documentation is inadequate, oversight becomes very difficult.

10. Collection of intelligence for “the economic well-being of the nation” may result in economic espionage. Strategic surveillance however is useful in at least three areas of business activity: proliferation of weapons of mass destruction (and violation of export control conditions generally), circumvention of UN/EU sanctions and major money laundering. A clear prohibition of economic espionage buttressed by strong oversight and the prohibition for the intelligence agencies to be tasked by the government departments or administrative agencies involved in promoting trade would be useful prevention mechanisms.

11. Bulk transfers of data between states occur frequently.
In order to avoid circumvention of rules on domestic intelligence gathering, it would be useful to provide that the bulk material transferred can only be searched if all the material requirements of a national search are fulfilled, and this is duly authorized in the same way as searches of bulk material obtained through national searches.

12. Government control and tasking.
Taskers depend on the nature of the intelligence sought (diplomatic, economic, military and domestic). Taskers should not be regarded as external controls.

13. Network accountability.
Due to their different geographical location and to the nature of the internet, states frequently collect data which is of interest to other states or have access to different parts of the same message. The links between allied states as regards signals intelligence may be very strong. The “third party” or “originator rule” may thus be a serious obstacle to oversight and should not be applied to oversight bodies.

14. Accountability and the case law of the European Court of Human Rights.
The ECHR consists of minimum standards, and it is only a point of departure for European States, which should aim to provide more extensive guarantees. The European Court of Human Rights has not defined national security but has gradually clarified the legitimate scope of this term. In its case-law on secret measures of surveillance, it has developed the following minimum safeguards to be set out in statute law in order to avoid abuses of power: the nature of the offences which may give rise to an interception order; definition of the categories of people liable to have their telephones tapped; a limit on the duration of telephone tapping; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or the tapes destroyed.

15. The Court’s case law on strategic surveillance is so far very limited, although there is also national case law and oversight bodies’ practice based on the ECHR. Several of the standards related to ordinary surveillance have to be adapted to make them apply to strategic surveillance. The first safeguard (applicable only to states which allow the use of signals intelligence to investigate crimes) is that the offences which may be investigated through signals intelligence should be enumerated, and thus provision should be made for the destruction of data which might incidentally be gathered on other offences. The exception of transferring data to law enforcement should be narrowly defined and subject to oversight.

16. Another safeguard is a definition of the categories of people liable to have their communications intercepted. The power to contact chain (i.e. identify people in contact with each other) should be framed narrowly: contact chaining of metadata should normally only be possible for people suspected of actual involvement in particularly serious offences, such as terrorism. If the legislature nonetheless considers that such a widely framed contact-chaining power is necessary, then this must be subject to procedural controls and strong oversight.

17. As regards searches of content data, there are particular privacy implications when a decision is being considered to use a selector which is attributable to a natural person (e.g. his or her name, nickname, email address, physical address etc.). Strengthened justification requirements and procedural safeguards should apply, such as the involvement of a privacy advocate. The safeguard is also relevant as regards subsequent decisions to transfer intelligence obtained by strategic surveillance to internal security agencies, to law enforcement or to foreign services.

18. Interception of privileged communications by means of signals intelligence is particularly problematic, as is the use of signals intelligence against journalists in order to identify their sources. Methods must be devised to provide lawyers and other privileged communicants and journalists with some form of protection, such as requiring a high, or very high, threshold before approving signals intelligence operations against them, combined with procedural safeguards and strong external oversight.

19. The safeguard of setting out time limits is not as meaningful for strategic surveillance as it is for ordinary surveillance. Periods of surveillance tend to be long, and continually renewed. Retention periods also tend to be long: data originally thought to be irrelevant may, as a result of new data, come to be seen as relevant. Provision could be made for a requirement to make periodic internal reviews of the (continued) need to retain the data. To be meaningful, such a duty must be backed up by external oversight.

20. Two very significant stages in the signals intelligence process where safeguards must apply are the authorization and follow-up (oversight) processes. That the latter must be performed by an independent, external body is clear from the ECtHR’s case law. The question which arises here is whether even the authorization process should be independent.

21. Internal and governmental controls as part of overall accountability systems. For a number of reasons, it has been particularly tempting to rely primarily on internal controls in the area of strategic surveillance, but they are insufficient. Generally speaking, external oversight over signals intelligence needs to be strengthened considerably.

22. Parliamentary accountability.
There are a number of reasons why parliamentary supervision of strategic surveillance is problematic. First, the technical sophistication of signals intelligence makes it difficult for parliamentarians to supervise without the aid of technical experts. Second, the general problem of parliamentarians finding sufficient time for oversight along with all their other duties is particularly acute as regards strategic surveillance, where for controlling the dynamic process of refining the selectors (as opposed to a post-hoc scrutiny), some form of standing body is necessary. Thirdly, the high degree of network cooperation between certain signals intelligence agencies means an added reluctance to admit in parliamentary oversight, which can thus affect not simply one’s own agencies, but also those of one’s allies. In some states the doctrine of parliamentary privilege means that parliamentary committees cannot be security-screened, adding to an already-existing fear of leaks. The other, crucial, factor is that strategic surveillance involves an interference with individual rights. Supervision of such measures has traditionally been a matter for the judiciary. The constitutional principle of separation of powers can make it problematic for a parliamentary body to play such a quasi-judicial role.

23. A decision to use particular selectors resembles, at least in some ways, a decision to authorize targeted surveillance. As such, it can be taken by a judicial body. As the decision involves considerable policy elements, knowledge of intelligence techniques and foreign policy are also desirable. Finding a group of people who combine all three types of competence is not easy, even for a large state. Thus, it is easier to create a hybrid body of judges and other experts. As regards follow-up (oversight) it is necessary to oversee decisions made by automated systems for deleting irrelevant data, as well as decisions by human analysts to keep the personal information collected, and to transfer it to other domestic and foreign agencies. This type of oversight is of a “data protection” character, most suitably assigned to an independent, expert administrative body. Neither of these types of decision is “political” in nature. What, by contrast, is more “political” is the prior decision taken, that somebody, or something, is of sufficient importance to national security to need intelligence about. This is the type of decision which would benefit from a (closed) discussion in a political body, where different spectrums of opinion are represented. Another type of policy-oriented issue is deciding the general rules regarding who, and under what circumstances, signals intelligence can be exchanged with other signals intelligence organisations. A third is making a general evaluation of the overall effectiveness and efficacy of signals intelligence measures. A fourth role for a political body is to engage in a continuous dialogue with whatever expert oversight body is established.

24. Judicial authorization.
A system of authorization needs to be complemented by some form of follow-up control that conditions are being complied with. This is necessary both because the process of refining selectors is dynamic and highly technical and because judges do not tend to see the results of the signals intelligence operations as these seldom lead to prosecutions. Thus the safeguards applying to a subsequent criminal trial do not become applicable.

25. Accountability to expert bodies.
The boundary line between parliamentary, judicial, and expert bodies is not hard and fast; in some states, oversight bodies are a mixture of the three. Expert bodies have a particular role to play in ensuring that signals intelligence agencies comply with high standards of data protection.

26. Complaints mechanisms.
Under the ECHR, a state must provide an individual with an effective remedy for an alleged violation of his or her rights. Notification that one has been subject to strategic surveillance is not an absolute requirement of Article 8 ECHR. If a state has a general complaints procedure to an independent oversight body, this can compensate for non-notification. There are certain requirements before a remedy can be seen as effective.

27. Concluding remarks.
States should not be content with the minimum standards of the ECHR. Signals intelligence has a very large potential for infringing the right to private life and other human rights. It can be regulated in a lax fashion, meaning that large numbers of people are caught up in a trawl and intelligence on them is retained, or relatively tightly, meaning that the actual infringement with private life and other human rights is kept down. The Swedish and German models have definite advantages over the other models studied from this perspective. In any event it is necessary to regulate the main elements in statute form and to provide for strong mechanisms of oversight. The national legislature must be given a proper opportunity to understand the area and draw the necessary balances.

The EU’s Maternity Leave Directive: The Council secretly rejects the EP’s olive branch

30.3.15  The Council’s refusal to accept the EP’s olive branch and even start negotiations on a possible compromise (however unlikely that might be) is petty and vindictive

by Steve Peers, Professor of Law, University of Essex (Twitter: @StevePeers)

Back in 2008, the Commission proposed a modest amendment to the EU’s existing maternity leave Directive. The European Parliament amended the proposal so that there would be a significant extension in the duration and cost of maternity leave – namely 20 weeks on full pay. This attracted very little interest in the Council, and negotiations were deadlocked for years.

The incoming Commission in 2014 indicated that the EP and the Council had a few months to reopen negotiations on the proposal, or it would withdraw it. It appears that the EP then made some overtures to the Council to open negotiations to this end, although the documents setting out this willingness to negotiate (referred to in the Council document) do not seem to be publicly available.

According to the attached LIMITE document (obtained by Statewatch), a large number of Member States in the Council have clearly rejected this willingness to negotiate, raising not only procedural objections against the creation of an ad hoc form of committee (although the Council endlessly creates new ad hoc negotiating bodies for its own purposes) but also substantive objections to holding any discussions at all with the EP on this issue. Presumably the proposal is now doomed – unless there is some last-minute new political initiative.

Frankly, no one comes out of this saga well.

Whether the EP’s far-reaching amendments were a good idea or not, it was obvious for years that the Council would never adopt them, and the EP waited until the eleventh hour before showing any sign of flexibility. Its principled rigidity will lead to less generous maternity leave for many women, who might have benefited from more modest amendments that could possibly have been agreed years ago.

For the Council, the refusal to accept the EP’s olive branch and even start negotiations on a possible compromise (however unlikely that might be) is petty and vindictive.

For the Commission, the offer to wait for the Council and the EP appears like a cynical passing of the buck, letting the co-legislators take the blame for the failure of the talks.

Why not take an active stance, suggesting possible compromise positions and expending some political effort in trying to bring the other institutions together?

And more broadly, the EU legislative process has failed here. Not just in the obvious sense that there is a failure to do a deal, or that the EP overplayed its hand to an almost cartoonish degree. It failed because of the skulking secrecy that infected the dying months of these (non-)negotiations.

As far as I can see from its website, the EP’s women’s committee did not hold any public hearing on this proposal since the Commission issued its ultimatum. Its chair’s letter to the Council is not public (or at any event, it cannot be easily found). Surely this is an important enough issue to engage the public? And the Council’s rejection of the EP’s apparent offer to negotiate is only ‘public’ because this document has been leaked.

The basic principles of democratic accountability mean that the Member States should account in public for their refusal to negotiate, and the EP should have disclosed its position and debated it in public. Perhaps the proposed changes to the maternity leave directive were doomed whatever happened – but they should have died with a public bang, not a squalid backroom whimper.

Commission recent withdrawal of legislative proposals: Easter’s “house cleaning” or a growing threat to the EU institutional balance?

by Emilio De Capitani

On March 7 the Commission published in the Official Journal a list of legislative proposals which it has decided to withdraw. (1) The immediate consequence is that legislative negotiations between the European Parliament and the Council on some of these texts can go no further (even if the co-legislators are still interested in finalizing their work). (2) As would happen if a referee snatched the ball during a football match, several parliamentary committees have loudly protested. (3)

The problem was not only that the game was abruptly interrupted but also that no one could predict when it would start again (even after the Lisbon Treaty, the European Parliament and the Council still lack the power to initiate new legislation and can play their legislative role only by amending, as a general rule, a Commission legislative proposal).

This bizarre situation dates back to the first phase of the European Communities, when the Commission was the only institution which could limit the risk that the Member States, through the Council, could re-nationalise the powers conferred by the Treaties on the Community. Since then the rule has been that “…Union legislative acts may only be adopted on the basis of a Commission proposal, except where the Treaties provide otherwise” (current art. 17(2), first sentence, TEU), and this Commission monopoly of initiative has been further strengthened by two other elements: Member States can change the Commission proposal only by a unanimous vote and, conversely, the Commission can amend its own proposals all along the procedure “… As long as the Council has not acted(..)” (art. 294 TFEU). In the real world this means that the Commission has to modify its proposal when it shares a majority position that emerges in the Council (so that unanimity is no longer needed). To strengthen even further its power to influence the Council position, the Commission has developed (in the silence of the Treaties) a legal theory according to which the right of initiative covers not only the right to amend a text but also the right to withdraw it when the Commission considers that its “power” of legislative initiative risks being abused by the Council in a way which, according to the Brussels executive, is contrary to the EU interest.

In 2013 the beginning of an interinstitutional “Game of thrones” ..