Data retention and national law: the ECJ ruling in Joined Cases C-203/15 and C-698/15 Tele2 and Watson (Grand Chamber)

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

Lorna Woods, Professor of Internet Law, University of Essex

Introduction

Today’s judgment in these important cases concerns the acceptability from a human rights perspective of national data retention legislation maintained even after the striking down of the Data Retention Directive in Digital Rights Ireland (Case C-293/12 and 594/12) (“DRI”) for being a disproportionate interference with the rights contained in Articles 7 and 8 EU Charter of Fundamental Rights (EUCFR).  While situated in the context of the Privacy and Electronic Communications Directive (Directive 2002/58), the judgment sets down principles regarding the interpretation of Articles 7 and 8 EUCFR which will be applicable generally within the scope of EU law. It also has possible implications for the UK’s post-Brexit relationship with the EU.

Background and Facts

The Privacy and Electronic Communications Directive requires the confidentiality of communications, including the data about communications to be ensured through national law. As an exception it permits, under Article 15, Member States to take measures for certain public interest objectives such as the fight against terrorism and crime, which include requiring public electronic communications service providers to retain data about communications activity. Member States took very different approaches, which led to the enactment of the Data Retention Directive (Directive 2006/24) within the space for Member State action envisaged by Article 15.  With that directive struck down, Article 15 remained the governing provision for exceptions to communications confidentiality within the field harmonised by the Privacy and Electronic Communications Directive.  This left questions as to what action in respect of requiring the retention of data could be permissible under Article 15, as understood in the light of the EUCFR.

The cases in today’s judgment derive from two separate national regimes. The first, concerning Tele2, arose when – following the DRI judgment – Tele2 proposed to stop retaining the data specified under Swedish implementing legislation in relation to the Data Retention Directive. The second arose from a challenge to the Data Retention and Investigatory Powers Act 2014 (DRIPA) which had been enacted to provide a legal basis in the UK for data retention when the domestic regime implementing the Data Retention Directive fell as a consequence of the invalidity of that directive.  Both sets of questions referred essentially asked about the impact of the DRI reasoning on national regimes, and whether Articles 7 and 8 EUCFR constrained the States’ regimes.

The Advocate General handed down an opinion in July (noted here) in which he opined that while mass retention of data may be possible, it would only be so when adequate safeguards were in place.  In both instances, the conditions – in particular those identified in DRI – were not satisfied.

Judgment

Scope of EU Law

A preliminary question is whether the data retention, or the access to such data by police and security authorities, falls within EU law. While the Privacy and Electronic Communications Directive regulated the behaviour of communications providers generally, Article 1(3) of that Directive specifies that matters covered by Titles V and VI of the TEU at that time (e.g. public security, defence, State security) fall outside the scope of the directive, which the Court described as relating to “activities of the State”. Further, Article 15(1) permits the State to take some measures resulting in the infringement of the principle of confidentiality found in Art 5(1) which again “concern activities characteristic of States or State authorities, and are unrelated to fields in which individuals are active” [para 72]. While there seems to be overlap between Article 1(3) and Article 15(1), this does not mean that matters permitted on the basis of Article 15(1) fall outside the scope of the directive as “otherwise that provision would be deprived of any purpose” [para 73].

In the course of submissions to the Court, a distinction was made between the retention of data (by the communications providers) and access to the data (by police and security services).  Accepting this distinction would allow a line to be drawn between the two, with retention as an activity of the commercial operator regulated by the Privacy and Electronic Communications Directive within its scope and the access, as an activity of the State lying outside it. The Court rejected this analysis and held that both retention and access lay within the field of the Privacy and Electronic Communications Directive [para 76]. It argued that Article 5(1) guarantees confidentiality of communications from the activities of third parties whether they be private actors or state authorities. Moreover, the effect of the national legislation is to require the communications providers to give access to the state authorities which in itself is an act of processing regulated by the Privacy and Electronic Communications Directive [para 78]. The Court also noted that the sole purpose of the retention is to be able to give such access.

Interpretation of Article 15(1)

The Court noted that the aim of the Privacy and Electronic Communications Directive is to ensure a high level of protection for data protection and privacy. Article 5(1) established the principle of confidentiality and that “as a general rule, any person other than the user is prohibited from storing, without the consent of the users concerned, the traffic data”, subject only to technical necessity and the terms of Article 15(1) (citing Promusicae) [para 85]. This requirement of confidentiality is backed up by the obligations in Articles 6 and 9 specifically dealing with restrictions on the use of traffic and location data. Moreover, Recital 30 points to the need for data minimisation in this regard [para 87]. So, while Article 15(1) permits exceptions, they must be interpreted strictly so that the exception does not displace the rule; otherwise the rule would be “rendered largely meaningless” [para 89].

As a result of this general orientation, the Court held that Member States may only adopt measures for the purposes listed in the first sentence of Article 15(1) and those measures must comply with the requirements of the EUCFR.  The Court, citing DRI (at paras 25 and 70), noted that in addition to Articles 7 and 8 EUCFR, Article 11 EUCFR – protecting freedom of expression – was also in issue. The Court noted the need for such measures to be necessary and proportionate and highlighted that Article 15 provided further detail in the context of communications whilst Recital 11 to the Privacy and Electronic Communications Directive requires measures to be “strictly proportionate” [para 95].

The Court then considered these principles in the light of the reference in Tele2 at paras 97 et seq of its judgment. Approving expressly the approach of the Advocate General on this point, it underlined that communications “data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained” and that such data is no less sensitive than content [para 99]. The interference in the view of the Court was serious and far-reaching in relation to Articles 7, 8 and 11. While Article 15 identifies combatting crime as a legitimate objective, the Court – citing DRI – limited this so that only the fight against serious crime could be capable of justifying such intrusion. Even the fight against terrorism “cannot in itself justify that national legislation providing for the general and indiscriminate retention of all traffic and location data should be considered necessary” [para 103]. The Court stressed that the regime provides for “no differentiation, limitation or exception according to objectives pursued” [para 105]. The Court did confirm that some measures would be permissible:

… Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary. [para 108]

It then set down some relevant conditions:

Clear and precise rules “governing the scope and application of such a data retention measure and imposing minimum safeguards, so that the persons whose data has been retained have sufficient guarantees of the effective protection of their personal data against the risk of misuse” [para 109].

While “conditions may vary according to the nature of the measures taken for the purposes of prevention, investigation, detection and prosecution of serious crime, the retention of data must continue nonetheless to meet objective criteria, that establish a connection between the data to be retained and the objective pursued” [para 110].

The Court then emphasised that there should be objective evidence making it possible to identify a public whose data is likely to reveal a link, even an indirect one, with serious criminal offences, and thereby to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security. The Court accepted that geographical factors could be one such ground, on the basis that “there exists, in one or more geographical areas, a high risk of preparation for or commission of such offences” [para 111].

Conversely,

…Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication [para 112].

Acceptability of legislation where (1) the measure is not limited to serious crime; (2) where there is no prior review; and (3) where there is no requirement that the data stays in the EU.

This next section deals with the first question referred in the Watson case, as well as the Tele2 reference.

As regards the first point, the answer following the Court’s approach at paragraphs 90 and 102 is clear: only measures justified by reference to serious crime would be justifiable. As regards the second element, the Court noted that it is for national law to lay down conditions of access so as to ensure that the measure does not exceed what is strictly necessary. The conditions must be clear and legally binding. The Court argued that since general access could not be considered strictly necessary, national legislation must set out by reference to objective criteria the circumstances in which access would be permissible. Referring to the European Court of Human Rights (ECtHR) judgment in Zakharov, the Court specified:

access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime [para 119].

It then distinguished the general fight against crime from the fight against terrorism to suggest that in the latter case:

access to the data of other persons might also be granted where there is objective evidence from which it can be deduced that that data might, in a specific case, make an effective contribution to combating such activities [para 119].

The conditions set down must be respected. The Court therefore held that, save in cases of genuine emergency, prior review by an independent body must be carried out on the basis of a reasoned request by the investigating bodies. In making this point, the Court referred to the ECtHR judgment in Szabó and Vissy v. Hungary, as well as its own previous ruling in DRI. Furthermore, once doing so would no longer endanger the investigation, individuals affected should be notified, so as to give those affected the possibility to exercise their right to a remedy as specified in Article 15(2) read with Article 22 of the Data Protection Directive (Directive 95/46).

Article 15(1) permits derogation only in relation to specified provisions in the directive; it does not permit derogation with regard to the security obligations contained in Articles 4(1) and 4(1a). The Court noted the quantity of data as well as its sensitivity to suggest that a high level of security measures would be required on the part of the electronic communications providers. Following this, the Court then stated:

…, the national legislation must make provision for the data to be retained within the European Union and for the irreversible destruction of the data at the end of the data retention period (see, by analogy, in relation to Directive 2006/24, the Digital Rights judgment, paragraphs 66 to 68) [para 122].

The Court noted, as a separate obligation from the approval of access to data, that States should ensure that compliance with the required regulatory framework is reviewed by an independent body. In the view of the Court, this followed from Article 8(3) EUCFR. This is an essential element of individuals’ ability to make claims in respect of infringements of their data protection rights, as noted previously in DRI and Schrems.

The Court then summarised the outcome of this reasoning, that Article 15 and the EUCFR:

must be interpreted as precluding national legislation governing the protection and security of traffic and location data and, in particular, access of the competent national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union. [para 125]

Relationship between the EUCFR, EU law and the ECHR

The English Court of Appeal had referred a question about the impact of the ECHR on the scope of the EUCFR in the light of Article 52 EUCFR. While the Court declared the question inadmissible, it – like the Advocate General – took the time to point out that the ECHR is not part of EU law, so the key issue is the scope of the EUCFR; and in any event Article 52(3) does not preclude Union law from providing protection that is more extensive than the ECHR. As a further point, the Court added that Article 8 EUCFR, which provides a separate right to data protection, does not have an exact equivalent in the ECHR and that there is therefore a difference between the two regimes.

Comment

Given the trend of recent case law, the outcome in this case is not surprising.  There are some points that are worth emphasising.

The first relates to the scope of EU law, which is a threshold barrier to any claim based on the EUCFR.  The Advocate General seemed prepared to accept a distinction between the retention of data and the access thereto (although conditions relating to the latter could bear on the proportionality of the former).  The Court took a different approach and held that the access also fell within the scope of the Directive/EU law, because the national regime imposed an obligation on the communications service provider to provide access to the relevant authorities. Given this was an obligation on the service provider, it fell within the regulatory schema.  This approach thus avoids the slightly unconvincing reasoning which the Advocate General adopted.  It also possibly enlarges the scope of EU law.

In general terms, the Court’s reasoning looks at certain provisions of the Privacy and Electronic Communications Directive.  While the reasoning is set in that context, it does not mean that the Court’s interpretation of the requirements deriving from the EUCFR is limited only to this set of surveillance measures.  The rules of interpretation of particularly Articles 7 and 8 could apply more generally – perhaps to PNR data (another form of mass surveillance) – and beyond.  It is also worth noting that according to a leaked Commission document, it is proposed to extend the scope of the Privacy and Electronic Communications Directive to other communications service providers not currently regulated by the directive, but who may be subject to some data retention requirements already.

Whilst the Court makes the point that Articles 7 and 8 EUCFR are separate and different, and that data retention implicates also Article 11 EUCFR, in its analysis of the impact of national measures providing for retention it does not deal with Articles 7 and 8 separately (contrast DRI where a limited consideration was given to this). Having flagged Article 11 EUCFR, it takes that analysis no further. This leaves questions as to the scope of the rights, and particularly how Article 11 issues play out.

Note that the Court does not state that data retention itself is impermissible; indeed, it specifies circumstances when data retention would be acceptable. It challenges the compatibility of mass data retention with Articles 7 and 8 EUCFR, however, even in the context of the fight against terrorism. In this, it is arguable that the Court has taken a tougher stance than its Advocate General on this point of principle. In this we see a mirror of the approach in DRI, when the Court took a different approach to its Advocate General. In that case too, the Advocate General focussed on safeguards and the quality of law, as has the Advocate General here. For the Court here, differentiation – between people and between types of offences and threats – based on objective, evidenced grounds is central to showing that national measures are proportionate and no more than – in the terms of the directive – strictly necessary. This seems to go close to disagreeing with the Opinion of the Advocate General that in DRI, the Court ‘did not, however, hold that that absence of differentiation meant that such obligations, in themselves, went beyond what was strictly necessary’ (Opinion, para 199). The Advocate General used this point to argue that DRI did not suggest that mass surveillance was per se unlawful (see Opinion, para 205). Certainly, in neither case did the Court expressly hold that mass surveillance was per se unlawful, so the question still remains. What is clear, however, is that the Court supports the retention of data following justified suspicion – even perhaps generalised suspicion – rather than using the analysis of retained data to justify suspicion.

In its reasoning, the Court did not – unlike the Advocate General – specifically make a ruling on whether or not the safeguards set down in DRI, paras 60-68, should be seen as mandatory – in effect creating a six-point checklist. Nonetheless, it repeatedly cited DRI approvingly. Within this framework, it highlighted specific aspects – such as the need for prior approval; the need for security and control over data; a prohibition on transferring data outside the EU; the need for subjects to be able to exercise their right to a remedy. Some of these points will be difficult to reconcile with the current regime in the United Kingdom regarding communications data.

It did not, however, touch on acceptable periods for retention (even though it – like its Advocate General – referred to Zakharov). More generally, the Court’s analysis – by comparison with that of the Advocate General – was less detailed and structured, particularly about the meaning of necessity and proportionality. It did not directly address the points the Advocate General made about lawfulness, with specific reference to reliance on codes (an essential feature of the UK arrangements); it did in passing note that the conditions for access to data should be binding within the domestic legal system. Is this implicit agreement with the Advocate General on this point? It certainly agreed with him that the seriousness of the interference meant that data retention of communications data should be restricted to ‘serious crime’ and not just any crime.

One final issue relates to the judicial relationship between Strasbourg and Luxembourg. Despite emphasising that the ECHR is not part of EU law, the Court relies on two recent cases from the ECtHR, perhaps seeking to emphasise the consistency in this area between the two courts – or perhaps seeking to put pressure on Strasbourg to hold the line as it faces a number of state surveillance cases on its own docket, many against the UK. The position of Strasbourg is significant for the UK. While many assume that the UK will maintain the GDPR after Brexit in the interests of ensuring equivalence, it could be that the EUCFR will no longer be applicable in the UK post-Brexit. For UK citizens, the ECHR then is the only route to challenge state intrusion into privacy. For those in the EU, data transfers to the UK post-Brexit could be challenged on the basis that the UK’s law is not sufficiently adequate compared to EU standards. Today’s ruling – and the UK’s response to it, if any – could be a significant element in arguing that issue.

‘I Travel, therefore I Am a Suspect’: an overview of the EU PNR Directive

ORIGINAL PUBLISHED ON EU Immigration and Asylum Law and Policy BLOG

By Niovi Vavoula, Queen Mary University of London

According to the PNR (Passenger Name Record) Directive 2016/681 of 27 April 2016, a series of everyday data of all air passengers (third-country nationals but also EU citizens, including those on intra-Schengen flights) will soon be transferred to specialised units to be analysed in order to identify persons of interest in relation to terrorist offences and other serious crimes. This new instrument raises once again fundamental rights challenges posed by its future operation, particularly in relation to privacy and citizenship rights. Therefore, the story of the PNR Directive, as described below, is probably not finished, as such concerns open up the possibility of a future involvement of the Court of Justice.

1. The story behind the EU PNR System

In the aftermath of 9/11 and under the direct influence of how the terrorist attacks took place, the US legislature established inextricable links between the movement of passengers, ‘border security’ and the effective fight against international terrorism. Strong emphasis was placed on prevention through pre-screening of passengers, cross-checking against national databases and identification of suspicious behaviours through dubious profiling techniques. At the heart of this pre-emptive logic has been the adoption of legislation obliging airlines flying into the US to provide their domestic authorities with a wide range of everyday data on their passengers. These so-called PNR data constitute records of each passenger’s travel arrangements and contain the information necessary for air carriers to manage flight reservations and check-in systems. Under this umbrella definition, a broad array of data may be included: from information on name, passport, means of payment, travel arrangements and contact details to dietary requirements and requests for special assistance. Amidst concerns regarding the compliance of such mechanisms with EU privacy and data protection standards, this model was internalized at EU level through the conclusion of three PNR Agreements with the US – one in 2004, which was struck down by the CJEU in 2006, and others in 2007 and 2012. In addition, PNR Agreements with Canada (currently awaiting litigation before the CJEU) and Australia have also been adopted.

The idea of developing a similar system to process EU air travel data had been on the agenda for almost a decade, particularly since the EU-US PNR Agreements contain reciprocity clauses referring to the possibility of the EU developing such systems. The first proposal for a Framework Decision dates back to 2007. However, no agreement was reached until the entry into force of the Lisbon Treaty. A revised proposal was released in 2011, essentially mimicking the EU-US PNR model, at least as regards the types of data to be processed and the focus on assessing the risks attached to passengers as a means of preventing terrorist attacks or other serious crimes. In comparison to the proposed Framework Decision it constituted an improvement (for instance, it provided for a reduced retention period and prohibited the processing of sensitive data), yet it was met with great scepticism by a number of EU actors, including the European Data Protection Supervisor, the Fundamental Rights Agency and the Article 29 Working Party, who argued that it failed to respect the principles of necessity and proportionality. Eventually, the proposal was rejected by the European Parliament on fundamental rights grounds, but the voting was postponed and the proposal was transferred back to the LIBE Committee.

The EU PNR project was brought back to life after the Charlie Hebdo events in January 2015. In the extraordinary JHA Council meeting of 20 November, immediately after the Paris terrorist attacks, the Council reiterated ‘the urgency and priority to finalise an ambitious EU PNR before the end of 2015’. Indeed, on 4 December 2015 a compromise text was agreed. A few days later, the Council confirmed the agreement, but the Parliament did not give its blessing until April 2016, presumably in the light of the negotiations on the Data Protection legislative reforms, which were running in parallel. The fact that the legality of the EU-Canada PNR Agreement was disputed did not affect the course of the negotiations.

2. The EU PNR Directive in a nutshell

The EU PNR Directive places a duty on airline carriers operating international flights between the EU and third countries to forward PNR data of all passengers (as set out in Annex 1) to the Passenger Information Unit (PIU) established at domestic level for this purpose (Article 4). According to Article 2 of the Directive, Member States are given the discretion to extend the regime set out in the Directive to intra-EU flights, or to a selection of them (for a discussion see Council Documents 8016/11 and 9103/11, partly accessible). Perhaps unsurprisingly, all participating Member States have declared their intention to make use of their discretion.

Once transmitted, the data will be stored and analysed by the PIU. The purpose of this is to ‘identify persons who were previously unsuspected of involvement in terrorism or serious crime’ and require further examination by the competent authorities in relation to the offences listed in Annex II of the Directive. Contrary to the Commission’s assertions that PNR data will be used in different ways – reactively, pro-actively and in real-time – the focus on prevention is central. The analysis entails a risk assessment of all passengers prior to their travel on the basis of predetermined criteria to be decided by the respective PIU and possibly involving cross-checking with existing blacklists (Article 6(3)).

Furthermore, the PIUs will respond to requests by national authorities to access the data on a case-by-case basis and subject to sufficient indication (Article 6(2)(b)). Nevertheless, processing should not take place on the basis of sensitive data revealing race, ethnic origin, religion or belief, political or any other opinion, trade union membership, health or sexual orientation etc. (Recital 20). According to Article 12, the initial retention period is six months, after which PNR data will be depersonalised, meaning that the PIU is entrusted with the task of masking out the names, address and contact information, payment information, frequent flyer information, general remarks and all API data. This process should not be confused with anonymisation, as the data could be re-identifiable and may still be used for criminal law purposes under ‘very strict and limited conditions’ (Recital 25). Therefore, upon expiry of the six-month retention period, disclosure of the full PNR data is permitted if so approved by a judicial authority or another national authority competent to review whether the conditions have been met and subject to information and ex post review by the Data Protection Officer of the PIU (Articles 12(3) and 5).

3. Privacy and surveillance of movement

The challenges that the development of the EU PNR system poses to the protection of privacy and data protection rights are acute. In essence, as with the PNR Agreements, the Directive allows the systematic, blanket and indiscriminate transfer, storage and further processing of a wide range of personal data of millions of travellers from and to the EU. Drawing from Digital Rights Ireland and the recent opinion of AG Mengozzi on the EU-Canada PNR Agreement, the interference with the rights to privacy (Article 7 EUCFR and 8 ECHR) and data protection (Article 8 EUCFR) is particularly serious. On the basis of the data collected, which include biographic information, credit card details and contact information, law enforcement authorities shall be able to compile a rather complete profile of travellers’ private lives.

The involvement of the private sector in the fight against terrorism and serious crime is considerably extended, particularly if one takes into account that the obligations on air carriers are extended to non-carrier economic operators (e.g. travel agencies). In addition, the inclusion of intra-EU flights within the scope of the Directive significantly expands the reach of surveillance. Indeed, back in 2011, it was noted that intra-EU flights represent the majority of EU flights (42%) followed by international flights (36%), and only 22% of flights operate within a single Member State (Council Document 8016/11). In this framework, the movement of the vast majority of travellers, including EU citizens, is placed under constant monitoring, irrespective of the fact that they are a priori innocent and not suspected of any criminal offence. In fact, the operation of the PNR scheme signifies the reversal of the presumption of innocence, whereby everyone is deemed as a potential security risk, thus necessitating their examination in order to confirm or rebut this presumption. Besides, there is no differentiation between flights transporting persons at risk and others.

Furthermore, the risk assessment will take place in a highly obscure manner, particularly since the Directive fails to prescribe comprehensively and in detail how the data will be analysed. The underlying rationale is the profiling of all passengers and the identification of behavioural patterns in a probabilistic logic, but nowhere in the Directive is it indicated that this is indeed the case. This lack of clarity raises concerns considering that the recently adopted Data Protection Directive includes a definition of profiling (Article 3(4)). Moreover, it is stated that ‘relevant databases’ may be consulted; however, it is not clear which these are. For instance, a possible examination on a routine basis of the databases storing asylum seekers’ fingerprints or visa applicants’ data (Eurodac and VIS respectively) will frustrate their legal framework, resulting in a domino effect of multiple function creeps. It may even grow the appetite for Member States to desire the systematic processing of EU nationals’ personal data in centralised databases in the name of a more ‘efficient’ fight against terrorism.

This ambiguous modus operandi of PIUs may even call into question the extent to which the interference with privacy is ‘in accordance with law’ (Article 8(2) ECHR) or in EU terms ‘provided for by law’ (Article 52(1) EU Charter). According to settled case law of the ECtHR, every piece of legislation should meet the requirements of accessibility and foreseeability as to its effects (Rotaru v Romania). The lack of clear rules as to how the processing of data will take place may suggest that travellers cannot foresee the full extent of the legislation.

Another contested issue is the ambiguous definitions of terrorism and serious crimes at EU level. The offences falling under the remit of terrorism are currently being revised, which has led to criticism for lack of clarity, whereas the definition of serious offences (acts punishable by a custodial sentence or detention order of a maximum period of three years or longer) constitutes a relatively low threshold, particularly in those Member States where domestic criminal law allows for potentially long custodial sentences for minor crimes. In addition, as regards the conditions of access by national competent authorities, the requirement that the request must be based on ‘sufficient indication’ seems to fall short of the criteria established in Digital Rights Ireland. The threshold is particularly low and may lead to generalised consultation by law enforcement authorities, and it is uncertain who will check that there is indeed sufficient indication. As for the offences covered by the scope of the Directive, although Annex II sets out a list in this regard, PNR data could still be used for other offences, including minor ones, when these are detected in the course of enforcement action further to the initial processing.

Moreover, in relation to the period for which the data will be retained, it appears that the EU institutions by no means have a clear understanding of what constitutes a proportionate retention period. For instance, the 2007 proposal envisaged an extensive retention period of five years, after which time the data would be depersonalised and kept for another eight years, whereas the 2011 proposal prescribed a significantly reduced initial retention period of 30 days, after which the data would be anonymised and kept for a further period of five years. In its General Approach (Council Document 14740/15), the Council called for an extension of the initial retention period to two years, followed by another three years of storage for depersonalised data. A more privacy-friendly approach can be found in an Opinion of the Council Legal Service dating from 2011, according to which the data of passengers on risky flights would be initially retained for 30 days and then be held for an overall period of six months (Council Document 8850/11, in German). Some Member States supported a retention period of less than 30 days (Council Document 11392/11). It is welcome that there are two sets of deadlines and, more importantly, that re-personalisation may take place only under limited circumstances. However, there is no indication of why the chosen retention periods are proportionate. Furthermore, an approach differentiating between flights at risk and flights not at risk, with different retention periods, seems more balanced.

4. Free movement and citizenship concerns

In addition to the privacy challenges highlighted above, another point of concern is whether the processing of PNR data, including on intra-EU flights, could infringe free movement enjoyed by EU citizens. In this respect, the Commission Legal Service found that the EU PNR does not obstruct free movement (see Council Document 8230/11, which is partially available to the public, although the outcome of the opinion is attested in Council Document 8016/11). Nonetheless, the Parliament managed to include a reference that any assessments on the basis of PNR data shall not jeopardise the right of entry to the territory of the Member States concerned (in Article 4). The extent to which this reference is sufficient is doubtful.

According to Article 21 of the Schengen Borders Code, police controls performed in the territory of a Member State are allowed insofar as they do not have an effect equivalent to border control. Such an effect is precluded when, inter alia, the checks are carried out on the basis of spot-checks. In Melki, the CJEU found that ‘controls on board an international train or on a toll motorway’ limiting their application to the border region ‘might (…) constitute evidence of the existence of such an equivalent effect’ (para 72). By analogy, the systematic manner of control set out in the Directive, as opposed to spot-checks in the border area, could have an effect equivalent to a border check. The lack of any differentiation between flights at risk and flights not at risk (an approach that was also favoured by the Council Legal Service, Council Document 8850/11) and the fact that Member States are left entirely free to determine the extent to which they monitor flights to and from other Member States could increase the risk of falling into the category of controls with an effect equivalent to border control.

5. Conclusion

The EU PNR Directive is yet another example of how the counter-terrorism rhetoric outweighs serious fundamental rights concerns in the name of ensuring security. The storyline is well-known: after a terrorist attack, numerous ideas – either incorporated in legislative proposals that have stalled or which were ultimately too ambitious and controversial to be presented in the first place – feature on the EU agenda. The EU PNR initiative was buried due to privacy concerns and was brought back from the dead when the circumstances matured. Soon national law enforcement authorities will put their hand into the passengers’ data jar and will deploy their surveillance techniques on an unprecedented and unpredictable scale.

By internalising US standards, the EU puts the privacy of individuals under threat. The new instrument no longer targets third-country nationals only, but also EU citizens, thus marking the end of an era where instruments were used ‘solely’ on foreigners. Undoubtedly, there is a strong ‘momentum’ for justifying mass surveillance practices. While awaiting the ruling on the EU-Canada PNR Agreement, as well as the ruling in Tele2 Sverige (following up on Digital Rights Ireland), one can only hope that the CJEU will uphold its inspiring reasoning and reiterate the important limits placed on deploying surveillance practices, by giving proper weight to the fundamental right to the protection of personal data.

OPINION 1/15: AG MENGOZZI LOOKING FOR A NEW BALANCE IN DATA PROTECTION

ORIGINAL PUBLISHED ON EUROPEAN LAW BLOG (OCTOBER 18, 2016)
By Maxime Lassalle
On 8 September 2016, Advocate General (AG) Mengozzi delivered his much-awaited opinion on the agreement between Canada and the European Union on the transfer and processing of Passenger Name Record (PNR) data. It follows the European Parliament’s resolution seeking an Opinion from the Court of Justice of the European Union (CJEU) on the compatibility of the agreement with the Treaties. Even though the opinion concludes that the agreement has many loopholes, it could disappoint those who were expecting a strong condemnation of PNR schemes as such.

This blogpost intends to present the context of this procedure and the main elements of the AG’s opinion before analysing them. The question of the appropriate legal basis for the agreement, also raised by the Parliament, will not be addressed. However, before turning to the AG’s opinion, we need to briefly sketch the background of the proposed agreement.

The context

Today, in the absence of a PNR agreement with the EU, Canadian authorities apply their own PNR system unilaterally to air carriers established in the European Union (EU) which provide flights to Canada. This means that air carriers have to transfer PNR data (para. 7 of the AG’s opinion) to the extent that it is collected and contained in their automated reservation systems and departure control systems (para. 19). According to the Commission, the adoption of PNR systems is necessary to balance the legitimacy of the requests for PNR data in the fight against terrorism and the need to protect personal data of EU citizens from abusive access. As a result of the Lisbon Treaty, the adoption of PNR agreements now also requires the consent of the European Parliament (EP) (Article 218(6)(a)(v) of the Treaty on the Functioning of the European Union (TFEU)), and it is no secret that the EP is quite reluctant to adopt data retention schemes.

For a long time the EP has been requesting the Commission to provide evidence that PNR schemes are necessary and in particular that the processing of Advance Passenger Information (API) would not be sufficient to reach the same objective of fighting terrorism and serious crime (for example here and here). API is one of the 19 categories of PNR data and is limited to the identification of the travelers (name, date of birth, gender, citizenship, and travel document data), while PNR data encompass a much broader range of information (food habits, seating information etc.).

Nevertheless, the Commission ignored this request for evidence and proposed in 2013 a Council decision on the conclusion of a PNR agreement with Canada. This proposal was seriously criticized by the European Data Protection Supervisor (EDPS), also questioning the necessity of PNR schemes. Even though in the past, the Parliament had, albeit reluctantly, given its consent to similar PNR agreements (see the EU-US Agreement and the EU-Australia Agreement), this time it persisted and on 25 November 2014 it decided to refer the proposal on the agreement with Canada to the CJEU for it to assess the compatibility of this proposed agreement with the provisions of the TFEU and the Charter. Clearly, this move of the Parliament was inspired by the activism of the CJEU which had proved to be extremely demanding on the protection of personal data in the framework of the fight against terrorism in its famous Digital Rights Ireland case (DRI, commented on this blog).

The AG’s general considerations on PNR schemes

Let us now have a closer look at the (lengthy) opinion of the AG. Before analyzing the agreement, the AG assesses the intrusiveness of PNR schemes as such, in relation to the right to data protection and the right to privacy. PNR data consist of 19 categories of personal data including data which ‘might provide information concerning, in particular, the health of one or more passengers, their ethnic origin or their religious beliefs’ (para. 169). The processing of these data therefore constitutes an interference which is of a ‘considerable size’ and ‘a not insignificant gravity’ (para. 176). This system is ‘capable of giving the unfortunate impression that all the passengers concerned are transformed into potential suspects’ (para. 176). However, the interference does not reach a level where the essence of the fundamental rights is harmed, because the PNR data do not permit precise conclusions to be drawn concerning ‘the essence of the private life of the persons concerned’ (para. 186). To justify the interference caused by the processing of PNR data, PNR schemes should be properly provided for by law, such as an EU agreement adopted by the Council and approved by the EP (paras. 191-192), and meet an objective of general interest, namely the objective of combating terrorism and serious transnational crime (para. 194).

The AG’s general considerations on the standard to be applied to this unprecedented case

Following a classical reasoning on the assessment of the proportionality of the interference (see for example Schwarz, C‑291/12, para. 53), the AG explains that the proposed agreement ‘must also consist of the measures least harmful […] while making an effective contribution to the public security objective pursued by the agreement envisaged’. Provided that there are alternative measures which would be less intrusive, ‘those alternative measures must also be sufficiently effective’ in order to be considered as serious alternatives (para. 208). However, the definition of what is “sufficiently effective” is not given by the previous case law, neither that of the European Court of Human Rights (ECtHR) nor that of the CJEU. For the AG, the effectiveness of these alternative measures must ‘be comparable […] in order to attain the public security objective pursued by that agreement’ (para. 208). This standard of comparability is set by the AG himself. This was not self-evident, as he could also have considered that less effective measures are still sufficiently effective. Requesting comparable effectiveness is a first. Usually in such reasoning, it is easy to decide whether alternative measures are sufficiently effective or not (see for example Saint-Paul Luxembourg S.A. v. Luxembourg, para. 44). For measures of secret surveillance, it seems more difficult. The comparability criterion may be a way of not addressing a difficult question.

The AG acknowledges the ability of the interference to achieve the public security objective based on statistics communicated by the United Kingdom Government and the Commission concerning the Canadian authorities’ best practices (para. 205). Between April 2014 and March 2015, thanks to PNR data, 9,500 targets were identified, of whom 1,765 persons were subjected to more thorough checks and 178 were arrested for a serious transnational criminal offence, connected in particular with drug trafficking (para. 262). However, the AG does not take into account that the statistics which were presented to the Court do not indicate the amount of data which was necessary to identify these targets. Moreover, one could note that according to the statistics no terrorist was identified, which is quite surprising for a scheme whose main purpose is precisely to identify people related to terrorism. The AG was obviously satisfied with the fact that PNR schemes are effective against organized crime.

The AG goes on to address the specificity of PNR schemes, namely that it is their very nature to be based on profiling methods, by a comparison of the PNR data with scenarios or predetermined assessment criteria, and that PNR data processing can lead to ‘false positive “targets” being identified’ (para. 255). This specificity of PNR schemes, which has never been assessed by the CJEU, made it necessary for the AG to detail the conditions under which PNR schemes could be considered proportionate. In order to do so, he suggests adapting a standard used by the ECtHR in Zakharov v. Russia, namely the standard of ‘reasonable suspicion’. For the AG, these procedures should manage to target ‘individuals who might be under a ‘reasonable suspicion’ of participating in terrorism or serious transnational crime’ (para. 256). The application of this standard is ambitious. Indeed, Judge Pinto de Albuquerque, in his dissenting opinion in Szabó and Vissy v. Hungary, had feared that this standard would be replaced by an ‘individual suspicion’, a lower standard, for surveillance measures whose purpose is to fight terrorism. However, this standard is used to limit the access to personal data by law enforcement authorities (an idea also present in the DRI case, paras. 60-62). And yet the purpose of PNR schemes is not to create a pool of information available under strict conditions to law enforcement authorities, but to allow the Canadian competent authority, namely the Canada Border Services Agency, to use data mining procedures in order to discover new persons who were not previously suspected. Hence, the application of the standard of ‘reasonable suspicion’ seems impossible as such: the limitation of access to the data is not compatible with the idea, accepted by the AG, that PNR schemes need to process all the data that are available. The AG nevertheless tries to adapt the standard by proposing three principles.

The first principle is that the assessment criteria used to analyse the PNR data should not ‘be based on an individual’s racial or ethnic origin, his political opinions, his religion or philosophical beliefs, his membership of a trade union, his health or his sexual orientation’ (para. 258). The AG obviously fears discriminatory measures based on the processing of PNR data. The second principle, which is in line with the new principles proposed by Directive 2016/680 (i.e., the new Directive on data protection for the police and criminal justice sector), is that the result of the automatic processing of data must be examined by non-automatic means (para. 259). The third principle is that the functioning of the automatic means should be checked regularly by an independent public authority (para. 259).

The AG’s proportionality test

After these general considerations, the AG starts his proportionality test. In the opinion nine points are considered separately (para. 210). From this analysis, three main elements deserve to be emphasized.

The first important point is that the AG accepts PNR schemes as a matter of principle. He considers that, excluding sensitive data, all categories of PNR data are relevant for the purpose of the envisaged agreement. Sensitive data are defined in Article 2 (e) of the envisaged agreement as ‘information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or information about a person’s health or sex life’. The processing of sensitive data is allowed by the envisaged agreement but, for the AG, this is not acceptable as it creates a risk of stigmatization (para. 222). What is more, the fact that these data are excluded from the PNR agreement with Australia shows that the transfer of sensitive data is not necessary to pursue the objective of the scheme (para. 222). This appreciation of the AG is a direct consequence of the first of the three principles he established.

Still on the categories of data, the opinion brushes away the criticism of both the EP and the Article 29 Data Protection Working Party requesting evidence that the transfer of less data, for example only of API, is not sufficient to meet the objective of the proposed agreement. According to the AG, ‘data of that type does not reveal information about the booking methods, payment methods used and travel habits, the cross-checking of which can be useful for the purposes of combating terrorism and other serious transnational criminal activities. Independently of the methods used to process that data, the API data […] are therefore not sufficient to attain with comparable effectiveness the public security objective pursued by the agreement envisaged’ (para. 214).

Even though all these data are transferred to the Canadian authority irrespective of any indication that the persons concerned may have a connection with terrorism or serious transnational crime (para. 215), the purpose of PNR schemes is to identify persons who were ‘not known to the law enforcement services who may nonetheless present an ‘interest’ or a risk to public security’ (para. 216). For the AG, bulk transfers of data are then necessary. However, he considers the definition of certain categories of data as too vague. For example, heading 17 of the annex, on ‘general remarks’, covers all ‘supplementary information apart from that listed elsewhere in the annex to the agreement envisaged’ (para. 217). Consequently, it is likely that air carriers will transfer all the data that they own, and not only the data that are necessary for Canadian authorities (para. 220).

In addition, the AG’s opinion considers that the scope ratione personae of the agreement envisaged is not too broad and that the massive and indiscriminate transfer of personal data is necessary. If, in theory, it could be possible to imagine a PNR data transfer system which distinguishes passengers according to specific criteria, these systems would never be as effective as PNR data schemes in combating terrorism and serious transnational crime (para. 243). The AG also underlines that consumers of commercial flights voluntarily use a mode of transportation ‘which is itself, repeatedly, unfortunately, a vehicle or a victim of terrorism or serious transnational crime, which requires the adoption of measures ensuring a high level of security for all passengers’ (para. 242).

These first considerations are very important as they show that in principle, for the AG, massive transfer and processing of PNR data is not disproportionate as such. If the undifferentiated and general nature of the retention of the data of any person using electronic communications in the Union was one of the main reasons why Directive 2006/24/EC was considered as going beyond what was strictly necessary (para. 59 of the DRI case), such data retention schemes are possible as long as they respect strict conditions (see the opinion of AG Saugmandsgaard Øe on the joined cases Tele2 Sverige AB and Secretary of State for the Home Department, commented on this blog). The fact that AG Mengozzi accepts the principle of large scale transfer of PNR data is thus not so surprising.

Once this step was taken and given the specificity of the case, he needed to create specific conditions under which PNR schemes are proportionate. In addition to the loopholes already explained, these conditions are further elaborated in the two remaining important points of the opinion.

The second important point is that the agreement envisaged should justify the duration of data retention. The AG regrets that the agreement envisaged ‘does not indicate the objective reasons that led the contracting parties to increase the PNR data retention period to a maximum of five years’ (para. 279). He adds that such a long period of retention of the data exceeds what is necessary, particularly because all the data are retained for the same duration (para. 284) and because the masking procedure is incomplete and does not fully ensure the depersonalization of the data (para. 287).

This point is significant as this is the only element in the AG’s opinion which is very critical of PNR schemes in general and which puts the PNR Directive at risk. This question was also a key issue in the DRI case. In Directive 2006/24/EC the data retention period of a maximum of two years without distinguishing categories of data on the basis of their usefulness was not based on objective criteria and was therefore excessive (para. 64 of the DRI case). This threatens the validity of the PNR Directive. Indeed, Article 12 (1) of this Directive provides for a duration of five years, without distinguishing categories of data or explaining the reasons for such a long retention. Notably, its depersonalisation procedure seems more in line with the assessment of the AG, particularly because more data elements are masked (Article 12 (2) of the Directive, para. 287 of the AG opinion).

The last important point relates to the serious doubt of the AG concerning the level of protection granted by Canada. The opinion is indeed the most critical when it comes to the international nature of the agreement. This is not that surprising given that the Court recently adopted a very demanding position on bulk transfers of data to third countries (in the case Schrems, commented on this blog here). The AG acknowledges that the Court ‘cannot express a view on the legislation or the practice of a third country’ (para. 163). However, the terms of the agreement themselves should have been formulated in such a way that no discretion would be left to Canadian authorities as to the applicable level of protection (para. 164).

For the AG, the access to the data and the use of the transferred data by Canadian authorities is not sufficiently regulated in the envisaged agreement. It leaves to Canada the entire discretion to determine what officials and what competent authorities are allowed to access the data (paras. 250 and 267). Similarly, the envisaged agreement does not stick to a strict principle of purpose limitation as the processing of PNR data is not strictly limited to the fight against terrorism and serious crime (paras. 236-237). This is aggravated by the fact that the offences which belong to the categories of terrorism and serious crime are not exhaustively listed (para. 235). Concerning the use of the data, the AG considers that the possibilities of disclosure and subsequent transfer of the PNR data are not sufficiently framed. Indeed, Articles 18 and 19 of the agreement envisaged allow the disclosure and subsequent transfer of the PNR data to other government authorities in Canada and could be used to circumvent the level of protection afforded in the EU (para. 296). As a matter of fact, no independent authority or judge would check the assessment of the Canadian competent authority that the authority to which the data are transferred can afford an equivalent level of protection (para. 300). The AG concludes that all these points need to be more detailed in the agreement in order to make sure that the level of protection of data ensured in Canada is equivalent to the level of protection ensured in the European Union. Following the previous case law of the Court, particularly the DRI case, the level of protection ensured in the EU is quite demanding, and the same level of protection has to be ensured before transferring personal data to third countries (see in particular para. 96 in Schrems).

Finally, the AG points out that the mechanism for detection and review of any violations of the rules of the agreement envisaged affording protection of passengers’ privacy and personal data is not effective because it does not belong to a fully independent and impartial supervisory authority (para. 315). This last point reminds the Commission that the mechanisms of control in the third country must be ensured by a sufficiently independent body. This reminder is interesting as the new ‘privacy shield’ replacing the safe harbor is criticized for providing a right to review only through an ombudsman whose independence and powers are questionable.

Some comments

In his reasoning, the AG addresses issues linked to the very nature of PNR schemes, and the solutions he proposes do not threaten the principle of PNR schemes. Even though this opinion could seem at first disappointing for those who were expecting the AG to condemn PNR schemes, it appears that this ‘implicit acceptance’ of PNR schemes follows the general principles created by the Court; it simply innovates and addresses the new issues that had not been addressed so far, with more consideration for the necessity to provide effective tools to fight terrorism and serious crime.

Even though a lot of questions had to be addressed by the AG, there is one which is of paramount importance. Ever since its DRI case, the Court has developed a strong focus on the guarantees concerning the access to personal data by law enforcement authorities and the AG had to adapt the requirements of the Court to PNR schemes. The attempt of the AG to adapt the standard of the ‘reasonable suspicion’ shows that the applicability of guarantees to law enforcement authorities’ access to data from different data retention schemes is a question which would deserve more attention. Generally speaking, the ECtHR considers that to assess the existence of a reasonable suspicion, it is necessary to check ‘whether there are factual indications for suspecting that person of planning, committing or having committed criminal acts or other acts that may give rise to secret surveillance measures, such as, for example, acts endangering national security’ (para. 260 of the case Zakharov v. Russia). The problem with PNR schemes is that the suspicion is not prior to the collection and processing of PNR data but discovered as a result of this collection and processing.

This question differs from the ones the Court has previously addressed in its case law, in particular in the DRI case. However, such an issue also exists in other areas. For instance, under the European system of prevention of money laundering and terrorist financing, financial institutions have to monitor the transactions of all their clients and have the duty to report suspicious transactions. The control of suspicious transactions by these financial institutions also relies on mechanisms of data mining. The processing of personal data is carried out by private parties, namely financial institutions. Law enforcement authorities can in theory only obtain these data once financial institutions have reported a suspicion (this is, however, something that the Commission would like to change in order to facilitate the access to the data for the Financial Intelligence Units, see its proposal). Consequently, only the financial institutions, which collect these data anyway for the purpose of their economic activities and are subject to the data protection framework provided for by Directive 95/46/EC, can access these data. This appears to be a safeguard against abusive access by law enforcement authorities. As a matter of fact, when law enforcement authorities access the personal data, after a report from a financial institution, there is already a degree of suspicion. This is probably more in line with the standard of ‘reasonable suspicion’. However, in this field, too, there is a massive collection of personal data which are analysed mainly through data mining procedures in order to discover suspicious transactions.

For PNR data, according to the agreement with Canada as well as under the new PNR Directive, air carriers do not have to analyse the data themselves, but have to transfer all the data to the Canada Border Services Agency or to the new ‘Passenger Information Units’ respectively, which will analyse all these data through data mining procedures. From this data processing suspicions will then emerge which will be further analysed by law enforcement authorities.

Those two examples show that personal data are not only used a posteriori, once criminal investigations are opened because a suspicion already exists, but are also used for data mining processes with the purpose of discovering new suspicions. It might be that there is a difference based on whether private parties or public authorities are in charge of the data mining procedures. However, in both cases there is no prior ‘reasonable suspicion’; suspicions emerge following a massive monitoring of personal data.

At the end of the day, once the principle of massive surveillance schemes based on data mining mechanisms is considered to be acceptable as such, the standard of the ‘reasonable suspicion’ is overrun and has to be replaced by principles and other guarantees preventing any abuse, provided that this is possible. Are the three principles proposed by the AG sufficient? Hopefully the Court will address this key issue in a clear and detailed way.


THE FUTURE OF NATIONAL DATA RETENTION OBLIGATIONS – HOW TO APPLY DIGITAL RIGHTS IRELAND AT NATIONAL LEVEL?

ORIGINAL PUBLISHED ON EUROPEAN LAW BLOG (JULY 25, 2016)
By Vanessa Franssen

On 19 July, Advocate General (AG) Saugmandsgaard Øe delivered his much-awaited opinion on the joined cases Tele2 Sverige AB and Secretary of State for the Home Department, which were triggered by the Court of Justice’s (CJEU) ruling in Digital Rights Ireland, discussed previously on this blog. As a result of this judgment, invalidating the Data Retention Directive, many Member States which had put in place data retention obligations on the basis of the Directive were confronted with the question whether these data retention obligations were compatible with the right to privacy and the right to protection of personal data, guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights (Charter). Hence, without a whisper of a doubt, several national legislators eagerly await the outcome of these joined cases, in the hope of getting more guidance as to how to apply Digital Rights Ireland concretely to their national legislation. The large number of Member States intervening in the joined cases clearly shows this: in addition to Sweden and the UK, no fewer than 13 Member States submitted written observations. The AG’s opinion is a first – important – step and thus merits a closer look.

National and European shock waves after Digital Rights Ireland

The Digital Rights Ireland case was ground-breaking in many respects, and caused a real shock effect across the EU. As a result of the CJEU ruling, national data retention legislation was invalidated in several Member States. For instance, the District Court of The Hague struck down the Dutch national data retention legislation on 11 March 2015, and shortly afterwards, on 11 June 2015, the Belgian data retention law was annulled by the Constitutional Court, which largely copy-pasted the CJEU’s reasoning. This situation creates great uncertainty about the further potential use of traffic and location data of electronic communications in national and transnational criminal investigations (see eg the Workshop on data retention organized by the Consultative Forum and the Luxembourg Presidency), especially because such data are used in an increasingly large number of criminal cases, not just as incriminating, but also as exculpatory evidence.

In other Member States, the legislator very quickly launched the process for amending the national data retention legislation. For instance, in the UK, the Data Retention and Investigatory Powers Act was adopted only three months after the CJEU’s ruling. By contrast, in Luxembourg, which has invested significantly in the digital economy in the last few years while also emphasizing the importance of the protection of privacy and personal data, the legislative process kicked off in January 2015 but has still not resulted in new legislation.

At the European level, the legislator has so far shown little appetite to adopt a new Data Retention Directive, despite some attempts of the Luxembourg Presidency in the Autumn of 2016 to initiate such legislative process, or at least to stimulate the discussion. This should not come as a real surprise. On the one hand, the CJEU has been very active in the field of data protection over the last two years, addressing a large number of questions and raising new ones (some of which have been discussed previously on this blog: see here, here and here). On the other, the EU was already busy tackling other urgent and delicate data protection issues, such as the adoption of the new General Data Protection Regulation, repealing Directive 95/46/EC, and the Data Protection Directive with respect to the processing of personal data for criminal investigations, repealing Council Framework Decision 2008/977/JHA, and the negotiations and adoption of the new Umbrella Agreement with regard to EU-US law enforcement cooperation.

Short background to the cases

Immediately after the Digital Rights Ireland ruling, Tele2 Sverige AB (a provider of electronic communications) notified the Swedish competent authority that it would no longer comply with the Swedish national data retention obligations, as it considered that those obligations did not meet the CJEU’s conditions. This decision obviously caused great concern for the national authority, which ordered Tele2 Sverige to resume its retention of data. Yet Tele2 Sverige persevered and appealed this order before the Administrative Court in Stockholm and subsequently before the Administrative Court of Appeal, which referred the matter for a preliminary ruling to the CJEU. (Opinion, §§ 50-55)

In the meantime, in the UK, the 2014 Data Retention and Investigatory Powers Act was challenged before the High Court of Justice of England and Wales and declared invalid on 17 July 2015, because the data retention regime did not provide for adequate safeguards to protect the right to privacy and the right to protection of personal data laid down in the Charter. In other words, the UK data retention regime did not comply with the conditions put forward by the CJEU in Digital Rights Ireland. However, the Home Secretary appealed this judgment and the Court of Appeal decided to refer two questions to the CJEU for a preliminary ruling. (Opinion, §§ 56-60)

Questions submitted to the CJEU

Interestingly, the approaches of the two referring courts are quite different, as is clear from the way they formulate their respective questions for the CJEU.

The Swedish referring court asks the CJEU, first of all, whether

‘a general obligation to retain data in relation to all persons and all means of electronic communication and extending to all traffic data, without any distinction, limitation or exception being made by reference to the objective of fighting crime (…) [is] compatible with Article 15(1) of Directive 2002/58, taking into account Articles 7, 8 and 52(1) of the Charter?’ (Opinion, § 55)

Should such a general data retention obligation not be compatible with the Charter, could a data retention obligation then nevertheless be compatible with the Charter if the access of the competent authorities to the retained data is regulated as it is under Swedish law, if the protection and security of the data are regulated as they are under Swedish law, and if all relevant data must be retained for a period of 6 months before being erased, as imposed by Swedish law?

By contrast, the Court of Appeal of England and Wales is of the view that the CJEU did not set out ‘specific mandatory requirements of EU law with which national legislation must comply, but was simply identifying and describing protections that were absent from the harmonised EU regime.’ (Opinion, § 59)

Nevertheless, to be absolutely sure, it asks the CJEU to clarify this point:

‘Does the judgment of the Court of Justice in Digital Rights Ireland (including, in particular, paragraphs 60 to 62 thereof) lay down mandatory requirements of EU law applicable to a Member State’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the [Charter]?’ (Opinion, § 60)

Furthermore, the Court of Appeal would like to know whether Digital Rights Ireland expands the scope of Articles 7 and/or 8 of the Charter beyond that of Article 8 of the European Convention on Human Rights (ECHR), as interpreted by the European Court of Human Rights (ECtHR). Put differently, the referring court wonders whether the level of protection offered by the Charter is higher than that under the ECHR.

The AG’s opinion

The latter question raised by the Court of Appeal in the UK case should be rejected as inadmissible according to the AG, because it is only ‘of purely theoretical interest’ (§ 82) and not ‘relevant to the resolution of the disputes’ (§ 75). Even if the Court wanted to address the question, EU law does of course not prevent the Court (or the legislator) from going beyond the protection offered by the ECHR (§ 80). On the contrary, in my view it may be quite desirable to go beyond the minimum safeguards guaranteed by the ECHR, and not just with respect to Article 8. Unfortunately, EU legislation – for instance also with respect to procedural safeguards in criminal proceedings – does not pass, or barely passes, the minimum level of protection granted by the ECHR (see, for instance, the analysis on this blog regarding the recently adopted Presumption of Innocence Directive).

Subsequently, the AG addresses the first question of the Swedish referring court, regarding the compatibility of a general data retention obligation with Article 15(1) of Directive 2002/58/EC (the Directive on privacy and electronic communications) and Articles 7 and 8 of the Charter. In a first step, the AG affirms that a general data retention obligation falls within the scope of Directive 2002/58/EC, despite the exclusion of State activities relating to criminal law by Article 1(3) of the Directive. Indeed, the fact that the retained data can be accessed and used by police and judicial authorities for criminal investigations does not mean that the data retention rules, which address private actors providing electronic communications services (service providers), would themselves be excluded from the scope of the Directive (§§ 87-97). Next, the AG scrutinizes whether the possibility offered by Article 15(1) of Directive 2002/58/EC to restrict the rights and obligations of the Directive allows for the creation of a general data retention regime by national law. Unlike some of the civil liberties organisations intervening in the joined cases, the AG considers that the wording of Article 15(1) of Directive 2002/58/EC (‘Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period’) indicates that data retention obligations are not, as such, inconsistent with the Directive. The same goes for general data retention obligations, yet only if they ‘satisfy certain conditions’ (§ 108). Recital (11) of the Directive confirms this, as it states that the Directive

does not alter the existing balance between the individual’s right to privacy and the possibility for Member States to take the measures referred to in Article 15(1) of this Directive, necessary for the protection of public security (…) and the enforcement of criminal law.

Hence, it

does not affect the ability of Member States to carry out lawful interception of electronic communications, or take other measures, if necessary for any of these purposes and in accordance with the [ECHR]

provided that those

measures [are] appropriate, strictly proportionate to the intended purpose and necessary within a democratic society and (…) subject to adequate safeguards in accordance with the [ECHR].

In sum, what matters is that (general) data retention rules meet certain requirements, which ensure that an acceptable balance is struck between the purposes pursued by those rules and the individual’s fundamental rights. These rights are not just the ones laid down in the ECHR, but also the ones of the Charter, as data retention rules ‘constitute[] a measure implementing the option provided for in Article 15(1) of Directive 2002/58’ (§ 121). In other words, national legislation encompassing data retention obligations is ‘governed’ by EU law, which triggers the application of the Charter, as the CJEU clarified in the Åkerberg Fransson case (discussed on this blog) and refined in later case law (eg Siragusa, also analysed on this blog, and Julian Hernández and others, §§ 32-49). By contrast, whether the Charter also applies to the national rules determining under what conditions police and judicial authorities can access the retained data is less obvious, because Directive 2002/58/EC does not cover ‘activities of the State in areas of criminal law’ (Art. 1(3)). While the AG is inclined to conclude that the Charter does not apply to those rules (§§ 123-124), he also stresses that

the raison d’être of a data retention obligation is to enable law enforcement authorities to access the data retained, and so the issue of the retention of data cannot be entirely separated from the issue of access to that data. As the Commission has rightly emphasised, provisions governing access are of decisive importance when assessing the compatibility with the Charter of provisions introducing a general data retention obligation in implementation of Article 15(1) of Directive 2002/58. More precisely, provisions governing access must be taken into account in the assessment of the necessity and proportionality of such an obligation.’ (§ 125, emphasis)

In other words, does this mean that the Charter indirectly applies to national rules regulating the access to the retained data? It will be interesting to see if and how the CJEU addresses this point, adding another piece to what Benedikt Pirker described on this blog as ‘the jigsaw puzzle of earlier decisions on the scope of EU fundamental rights’.

This brings the AG to the biggest and most tricky questions submitted for a preliminary ruling, combining the second question of the Swedish court and the first question of the Court of Appeal, concerning the conditions national legislation should respect when creating a general data retention obligation. Without a doubt, general data retention obligations constitute a serious interference with the right to privacy (Article 7 of the Charter) and the right to the protection of personal data (Article 8 of the Charter) (§ 128). So the crucial question is whether such interference may be justified and on what conditions (§ 129).

Based on a reading of Article 15(1) of Directive 2002/58/EC and Article 52(1) of the Charter, the AG identifies six cumulative conditions that must be met to justify the serious interference caused by a general data retention obligation:

– ‘the retention obligation must have a legal basis;

– it must observe the essence of the rights enshrined in the Charter;

– it must pursue an objective of general interest;

– it must be appropriate for achieving that objective;

– it must be necessary in order to achieve that objective;

– it must be proportionate, within a democratic society, to the pursuit of that same objective.’ (§ 132)

While most of these requirements were already put forward by the CJEU in Digital Rights Ireland, when evaluating the legal regime laid down in the Data Retention Directive, the AG nevertheless wishes to revisit them, ‘[f]or the sake of clarity and given the facts which distinguish the present cases from Digital Rights Ireland’ (§ 133). In particular, he wants to have a closer look at the requirement of a legal basis (which was not addressed in Digital Rights Ireland) and the necessity and proportionality of data retention obligations in a democratic society.

The first requirement, imposing the need for a legal basis, should be interpreted in light of Article 52(1) of the Charter, stating that limitations to the rights of the Charter should be ‘provided for by law’ – a phrase that echoes the wording of the ECHR (‘in accordance with the law’, Article 8 ECHR) and the case law of the ECtHR (§ 141) – as well as in light of Article 15(1) of Directive 2002/58/EC. As a result, a regime of general data retention should be established on the basis of measures adopted by a legislative authority that are accessible and foreseeable, while offering adequate protection against arbitrary interference with the rights of privacy and data protection (§ 153). That being said, considering the differences between the various language versions of Article 15(1) of Directive 2002/58/EC (§§ 145-147), the AG acknowledges that regulatory measures adopted by an executive authority might also suffice, although he would personally prefer to give the executive authority only the responsibility of implementing the measures adopted by the legislative authority (§§ 152-153).

Second, any general data retention regime should observe the essence of the rights enshrined in Articles 7 and 8 of the Charter, as the CJEU also highlighted in Digital Rights Ireland. As long as the national data retention obligations do not concern the content of the electronic communications, and as long as they provide for safeguards that ‘effectively protect personal data’ retained by service providers ‘against the risk of abuse and against any unlawful access and use of that data’ (§ 159), this requirement does not seem to create particular problems in the cases submitted to the CJEU.

Third, the interference with the rights to privacy and data protection caused by a general data retention obligation can only be justified if the latter pursues ‘an objective of general interest recognised by the European Union’. As the CJEU pointed out in Digital Rights Ireland, the objective of fighting serious crime (such as international terrorism) is definitely recognized by EU law; Article 6 of the Charter guarantees not only the right to liberty, but also the right to security. Yet, whether data retention obligations are also justifiable, more generally, to combat ordinary crime, or even in proceedings other than criminal proceedings, as the UK government argues in its submission before the CJEU, is much less obvious. It should be acknowledged that the limitations allowed for by Article 15(1) of Directive 2002/58/EC are not confined to ‘serious crime’. Indeed, this provision allows Member States to adopt restrictions that are necessary, appropriate and proportionate within a democratic society ‘to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences’. Nevertheless, in the AG’s view, the interferences caused by a general data retention regime are so serious that the fight against ‘ordinary offences and the smooth conduct of proceedings other than criminal proceedings’ are not ‘capable of justifying a general data retention obligation’, considering the ‘considerable risks that such obligations entail’ (§§ 172-173).

Moving forward, the AG evaluates the proportionality of general data retention obligations, which he splits up into three separate (sub-)requirements: are they appropriate (fourth requirement) as well as strictly necessary (fifth requirement) to achieve the aforementioned objective of fighting serious crime, and proportionate in a democratic society (sixth requirement)? Like the CJEU in Digital Rights Ireland, the AG sees no obstacle as regards the appropriateness of general data retention obligations for fighting serious crime (§ 177). He even insists on the usefulness of such data, which allow police and judicial authorities to ‘examine the past’, even with respect to persons who were not suspected of a serious crime at the time of the electronic communications (§§ 178-181). Considering the current safety threats and the numerous terrorist attacks that took place after the Digital Rights Ireland judgment, any other viewpoint would have been surprising.

Next, the AG addresses the fifth requirement: are general data retention obligations really (ie strictly) necessary to combat serious crime? This requirement unfolds in two questions. For one, is a general data retention obligation strictly necessary, or on the contrary, does it go ‘beyond the bounds of what is strictly necessary for the purposes of fighting serious crime, irrespectively of any safeguards that might accompany such an obligation’ (emphasis added)? For another, if a general data retention does not exceed what is strictly necessary, ‘must it be accompanied by all the safeguards mentioned by the Court in paragraphs 60 to 68 of Digital Rights Ireland’ (§ 189).

As regards the first of these two questions, the AG adheres to the point of view that most parties (in particular the Member States) took in their written submissions: a general data retention obligation as such does not exceed the limits of strict necessity. According to the AG, paragraphs 56 to 59 of Digital Rights Ireland should indeed be interpreted as meaning that a general data retention obligation fails the strict necessity test only if ‘it is not accompanied by stringent safeguards concerning access to the data, the period of retention and the protection and security of the data’ (§ 195, original emphasis).

One may wonder whether this is a correct reading of the CJEU’s judgment, which emphasized that the Data Retention Directive required the retention of all traffic data relating to all means of electronic communications and regarding all persons (‘practically the entire European population’), ‘without any differentiation, limitation or exception being made in light of the objective of fighting against serious crime’ (§§ 56-57). That being said, as some governments pointed out, if the Court had considered that a general data retention obligation by itself exceeds the threshold of what is strictly necessary, then why did it bother to spell out in the subsequent paragraphs the safeguards that should apply? The upcoming judgment will undoubtedly tell us which interpretation is the right one.

Furthermore, the AG insists on the fact that national courts will have to assess whether there are no equally effective and less restrictive means available in the national system to achieve the same goal as a general data retention obligation (§§ 206-215), thereby passing on a difficult but very important balancing exercise to the national courts.

Assuming a general data retention obligation is strictly necessary, then all the safeguards put forward by the CJEU in Digital Rights Ireland (§§ 60-68) should be respected by national law. Any other approach which would allow for a further balancing exercise between the different safeguards (as, for instance, the German government suggested, using the metaphor of ‘communicating vessels’) would, according to the AG, empty those safeguards of their practical effect (§§ 221-227). This means that national data retention rules should

1) make sure that the ‘access to and the subsequent use of the retained data [are] strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto’ (§ 229);

2) make the access to those data ‘dependent on a prior review carried out by a court or by an independent administrative body’ in order to assess the strict necessity of the access and subsequent use of the data (§ 232);

3) require service providers ‘to retain data within the European Union, in order to facilitate the review’ and to make sure that the EU safeguards apply (§§ 238-240), and

4) limit the retention period according to the usefulness of the data (§ 242).

While it is again for national courts to evaluate whether the safeguards provided for by national law are sufficient, the AG does not hide his opinion that both the Swedish and the UK regime reveal a number of deficiencies in this respect (§§ 230, 233 and 239).

Sixth and last, the AG emphasizes the need to evaluate the ‘proportionality stricto sensu’ of a general data retention obligation, which consists in weighing the advantages and disadvantages of such an obligation within a democratic society (§ 248). Once more, the AG argues this is a task for national courts, but he nonetheless points out that a general data retention obligation entails a considerable risk of mass surveillance (§ 256). Based on an analysis of a large amount of (meta-)data, authorities could easily find out as much, or even more, about an individual as they can by means of targeted surveillance measures, including the interception of content data (§§ 254 and 259). Unlike the content of communications, meta-data ‘facilitate the almost instantaneous cataloguing of entire populations’ (§ 259). If one just considers the large number of requests that service providers in Sweden and the UK receive from the competent authorities, one realizes that the risk of abusive or illegal access to the retained data is far from ‘theoretical’ (§ 260).

Some first thoughts

As the above analysis suggests, the AG’s opinion offers a lengthy and nuanced assessment of the six cumulative requirements that general data retention obligations under national law should meet. Some of these requirements (eg the requirement of a legal basis) can easily be fulfilled. Yet others will raise many problems for national legislators when delineating the domestic data retention framework.

For instance, the requirement that general data retention obligations must pursue ‘an objective of general interest recognised by the European Union that is capable of justifying a general data retention obligation’ will undoubtedly raise many problems at the national level. Is the fight against serious crime indeed the only acceptable objective? For sure, the ‘material objective’ of the Data Retention Directive was ‘to contribute to the fight against serious crime and thus ultimately to public security’, which made the CJEU decide that the Directive satisfied an objective of general interest (Digital Rights Ireland, §§ 41-44). But does this mean, as the AG advocates, that it is the only possible justifiable objective for national data retention obligations, considering the seriousness of the interferences with the right to privacy and the right to protection of personal data? Furthermore, assuming it is, what offences are sufficiently ‘serious’ to justify a general data retention obligation? In Digital Rights Ireland, the CJEU explicitly stated that this is to be ‘defined by each Member States in its national law’ (§ 41). Yet, the AG suggests a different approach, by stressing that it should be ‘an objective of general interest recognized by the European Union’. Hence, how much leeway do Member States have? If an EU-wide understanding of the label ‘serious crime’ is to be preferred, would the list of Eurocrimes (which are in fact broad categories of crimes) in Article 83(1) TFEU then be of sufficient guidance?

Another concern of police and judicial authorities, which national legislators will want to take into account, is that what starts out as a simple, ‘ordinary’ criminal case may very well turn out to be much more ‘serious’ at a later stage of the investigation. It may not be so easy to reconcile this concern with the safeguard of limiting the data retention period in light of the usefulness of the data, ie considering the objective pursued or according to the persons concerned.

One may also wonder whether the AG’s opinion provides as much clarity as national legislators hope to get from the CJEU. Many issues will still need to be addressed by national legislators (eg to design safeguards that pass the Digital Rights Ireland test) and national courts (eg to evaluate whether there are no less restrictive alternatives than a general data retention obligation and whether the risk of mass surveillance does not outweigh the benefits offered by a general data retention obligation).

For sure, this is only a first reflection. Further reflection will undoubtedly follow after the Grand Chamber of the CJEU has rendered its ruling. In the meantime, national legislators will have to be patient, and uncertainty will persist about the potential use in criminal proceedings of traffic and location data retained on the basis of a general data retention obligation.

Openness, Transparency and the Right of Access to Documents in the EU

THIS IS AN “In-depth analysis” FOR THE PETITIONS COMMITTEE OF THE EUROPEAN PARLIAMENT. FULL TEXT ACCESSIBLE HERE

AUTHORS: Deirdre CURTIN, Päivi LEINO-SANDBERG.

Abstract. Upon request of the PETI Committee, the Policy Department on Citizens’ Rights and Constitutional Affairs commissioned the present analysis, which examines the situation in relation to openness, transparency, access to documents and information in the EU. Case law and developments in the jurisprudence of the CJEU are examined, notably for legislative documents, documents relating to administrative proceedings, to Court proceedings, infringement proceedings and EU Pilot cases, protection of privacy and international relations. Current and future challenges, as well as conclusions and policy recommendations, are set out, in order to ensure compliance with the Treaties’ and Charter of Fundamental Rights’ requirements aimed at enhancing citizens’ participation in the EU decision-making process, and consequently stronger accountability and democracy in the EU.

1. OPENNESS, TRANSPARENCY AND THE RIGHT TO ACCESS DOCUMENTS IN THE EU

The Treaty of Lisbon, in force since December 2009, includes a number of reforms emphasising open-decision making, citizen participation and the role of transparency and good administration in building up the democratic credentials of the European Union (EU).

As regards democratic decision-making and transparency in particular, a specific Title in the Treaty on the European Union (TEU) now includes a number of core provisions on democratic principles, applicable in all areas of Union action.

They underline the principle of representative democracy through the European Parliament, representing the citizens directly at Union level, and through the governments forming the European Council and the Council, which are democratically accountable either to their national parliaments or to their citizens.1

Even participatory democracy enjoys a pivotal role in the new Treaty framework; in order to guarantee the right of ‘every citizen’ to ‘participate in the democratic life of the Union’, the Treaty establishes that ‘[d]ecisions shall be taken as openly and as closely as possible to the citizen’ and that both citizens and representatives should be given opportunities to ‘make known and publicly exchange their views in all areas of Union action’.2

These provisions have a linkage both with the new citizens’ initiative3 and with Article 15 TFEU, which places the legislature under an obligation to act publicly, and establishes that citizens have the right to access documents held by all Union institutions, bodies and agencies.

The right of access to documents, and its nature as a fundamental right, is further emphasised by Article 42 of the EU Charter of Fundamental Rights, which now enjoys ‘the same legal value as the Treaties’.4

In practice, open decision-making is to a large extent realised through the right of the general public to access documents. Regulation No 1049/2001 on public access to documents held by the EU institutions (Access Regulation),5 builds on the principle of ‘widest possible access’, and has together with case law been instrumental in operationalising the right of citizen access by establishing procedures and standards for the exercise of their democratic rights.

As the main principle, all documents held by the European Parliament, Council and Commission are public, but certain public and private interests are protected through specific exceptions under Article 4. As these exceptions derogate from the principle of the widest possible public access to documents, they must, according to established case-law, be interpreted and applied narrowly.6

Article 15(3) TFEU extends the public right of access to documents of all the Union institutions, bodies, offices and agencies. The Court of Justice, the European Central Bank and the European Investment Bank are subject to this provision only when exercising their administrative tasks.

The original 2001 Regulation only directly applies to the European Parliament, the Council, and the Commission. However, its application has been extended to the agencies by virtue of a specific provision in their respective founding acts. Furthermore, a number of institutions and bodies have adopted voluntary acts laying down rules on access to their documents which are identical or similar to Regulation No 1049/2001.

It has been 15 years since the adoption of Regulation No 1049/2001. In the same time frame the Commission and the Council set about adopting internal rules based on their rules of procedure on security and other classifications for documents. Such rules continue to exist in amended form today and exist alongside the legislative rules on access to documents.

Discussions on the reform of Regulation No 1049/2001 have been pending since 2008.7

While one would think that the tendency was – in line with the recent Treaty reforms – to strengthen the rights of citizens further, in fact the opposite seems to be the case, with discussions on reform mainly circulating around new ways to limit citizen access,8 many of them in rather fundamental ways that seem to be at odds with the letter of the Treaties.

These discussions bear witness to what seems to be a change of paradigm and priorities.

The tendency since the Treaty of Maastricht has been to strengthen the rights of citizens;9 now this objective seems less squarely at the forefront of either the policy agenda or actual institutional practice. Staffan Dahllöf, a journalist specialising in freedom of information, describes the situation as follows: ‘The voices asking for openness and citizen’s involvement are today weaker and fewer than they were when the present rules were decided in 2001 – at least amongst the Member State governments, and definitely in the Commission. It’s more like the Empire strikes back.’10

Since there is a complete impasse in the legislative procedure (already for a very long time) on amending the 2001 Regulation, the role of the CJEU is very much centre-stage with litigants attempting to challenge a range of embedded secretive practices across a range of institutions and tasks.11

From a democratic point of view this can be considered problematic, as it shifts responsibility from the EU legislator to the courts, which cannot redesign the system in the required manner but deal with issues on a case-by-case basis, as and when they are brought before them. The same applies to the European Ombudsman, although her work is increasingly significant in bringing specific secretive practices to light and tackling them both on a case-by-case basis and more structurally through a growing number of own-initiative enquiries.

Keeping in mind Dahllöf’s accurate observation quoted above, opening negotiations on the reform of Regulation No 1049/2001 naturally brings with it a risk of discussions leading to a further tightening of the EU transparency regime. The current Commission is not necessarily positively disposed to increasing transparency (as evidenced in legal observations before the CJEU in particular), and it has the backup of the majority of Member States in the Council.

Despite this, we think that there should be an open discussion about the possibilities of increasing openness. If this proves to be impossible, the Parliament can always block any reform that could result in negative outcomes or a levelling down.

In this note we discuss recent developments in jurisprudence and the challenges that currently exist in the application of the Regulation No 1049/2001 with a focus on public access by citizens. We conclude with a number of policy recommendations for consideration.

NOTES (to the section above)

1 Article 10(1) and (2) TEU.
2 Article 10(3) TEU, Article 11 TEU.
3 See Regulation No 211/2011 on the citizens’ initiative, OJ L [2011] 65/1.
4 Article 6(1) TEU.
5 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, OJ L 145/43.
6 See e.g. C-280/11 P Council v Access Info Europe para 30 and the case law quoted in the paragraph.
7 See e.g. Ian Harden, ‘The Revision of Regulation 1049/2001 on Public Access to Documents’, 15(2) European Public Law (2009) 239-256.
8 See the open letter by Beatrice Ask, Minister for Justice, Sweden and Anna-Maja Henriksson, Minister of Justice, Finland, published at http://www.wobbing.eu/sites/default/files/Open%20letter.pdf.
9 For one account of the EU’s transparency development so far, see Deirdre Curtin, ‘Judging EU Secrecy’, Cahiers de Droit Européen, 2012 (2) 459-490.
10 Staffan Dahllöf, ‘Guide to the battle of transparency – UPDATED’, 09/06/2012, available at the EU wobbing website http://www.wobbing.eu/news/guide-battle-transparency-%E2%80%93-updated. On the varying positions of the Member States to the reform process, see M.Z. Hillebrandt, D.M. Curtin and A.J. Meijer, ‘Transparency in the EU Council of Ministers: An Institutional Analysis’, 20(1) European Law Journal, 2014, 1-20.
11 For a discussion, see Päivi Leino, “Transparency, Participation and EU Institutional Practice: An Inquiry into the Limits of the ‘Widest Possible’”, EUI Working Paper (LAW 3/2014).

European Data Protection Supervisor Opinion on the EU-U.S. Privacy Shield draft adequacy decision

ORIGINAL PUBLISHED HERE

Executive Summary (emphasis added)

Data flows are global. The EU is bound by the Treaties and the Charter of Fundamental Rights of the European Union which protect all individuals in the EU. The EU is obliged to take all necessary steps to ensure the rights to privacy and to the protection of personal data are respected throughout all processing operations, including transfers.

Since the revelations in 2013 of surveillance activities, the EU and its strategic partner the United States have been seeking to define a new set of standards, based on a system of self-certification, for the transfer for commercial purposes to the U.S. of personal data sent from the EU. Like national data protection authorities in the EU, the EDPS recognises the value, in an era of global, instantaneous and unpredictable data flows, of a sustainable legal framework for commercial transfers of data between the EU and the U.S., which represent the biggest trading partnership in the world. However, this framework needs to fully reflect the shared democratic and individual rights-based values, which are expressed on the EU side in the Lisbon Treaty and the Charter of Fundamental Rights and on the U.S. side by the U.S. Constitution.

The draft Privacy Shield may be a step in the right direction but as currently formulated it does not adequately include, in our view, all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress. Significant improvements are needed should the European Commission wish to adopt an adequacy decision. In particular, the EU should get additional reassurances in terms of necessity and proportionality, instead of legitimising routine access to transferred data by U.S. authorities on the basis of criteria having a legal basis in the recipient country, but not as such in the EU, as affirmed by the Treaties, EU rulings and constitutional traditions common to the Member States.

Moreover, in an era of high hyperconnectivity and distributed networks, self-regulation by private organisations, as well as representation and commitments by public officials, may play a role in the short term whilst in the longer term they would not be sufficient to safeguard the rights and interests of individuals and fully satisfy the needs of a globalised digital world where many countries are now equipped with data protection rules.

Therefore, a longer term solution would be welcome in the transatlantic dialogue, to also enact in binding federal law at least the main principles of the rights to be clearly and concisely identified, as is the case with other non EU countries which have been ‘strictly assessed’ as ensuring an adequate level of protection; what the CJEU in its Schrems judgment expressed as meaning ‘essentially equivalent’ to the standards applicable under EU law, and which according to the Article 29 Working Party, means containing ‘the substance of the fundamental principles’ of data protection.

We take positive note of the increased transparency demonstrated by the U.S. authorities as to the use of the exception to the Privacy Shield principles for the purposes of law enforcement, national security and public interest.

However, whereas the 2000 Safe Harbour Decision formally treated access for national security as an exception, the attention devoted in the Privacy Shield draft decision to access, filtering and analysis by law enforcement and intelligence of personal data transferred for commercial purposes indicates that the exception may have become the rule. In particular, the EDPS notes from the draft decision and its annexes that, notwithstanding recent trends to move from indiscriminate surveillance on a general basis to more targeted and selected approaches, the scale of signals intelligence and the volume of data transferred from the EU, subject to potential collection and use once transferred and notably when in transit, may still be high and thus open to question.

Although these practices may also relate to intelligence in other countries, and while we welcome the transparency of the U.S. authorities on this new reality, the current draft decision may legitimise this routine. We therefore encourage the European Commission to give a stronger signal: given the obligations incumbent on the EU under the Lisbon Treaty, access and use by public authorities of data transferred for commercial purposes, including when in transit, should only take place in exceptional circumstances and where indispensable for specified public interest purposes.

On the provisions for transfers for commercial purposes, controllers should not be expected constantly to change compliance models. And yet the draft decision has been predicated on the existing EU legal framework, which will be superseded by Regulation (EU) 2016/679 (General Data Protection Regulation) in May 2018, less than one year after the full implementation by controllers of the Privacy Shield. The GDPR creates and reinforces obligations on controllers which extend beyond the nine principles developed in the Privacy Shield. Regardless of any final changes to the draft, we recommend the European Commission to comprehensively assess the future perspectives since its first report, to timely identify relevant steps for longer term solutions to replace the Privacy Shield, if any, with more robust and stable legal frameworks to boost transatlantic relations.

The EDPS therefore issues specific recommendations on the Privacy Shield.

Goodbye, cruel world: visas for holidays after Brexit?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS (April 25, 2016)

by Steve Peers

Until yesterday, I had consistently argued that the prospect of British citizens being subject to visas for short-term visits to the EU after Brexit was highly remote. In fact, I even told off some ‘Remain’ supporters who suggested that this might happen. EU policy is consistently to waive short-term visa requirements for wealthy countries (like the USA, Canada and Japan) as long as those countries waive short-term visa requirements for all EU citizens in return. I couldn’t imagine that it was likely that anyone on the ‘Leave’ side would wish to advocate short-term visa requirements for EU citizens visiting the UK after Brexit, thus damaging the British tourist industry and leading to a reciprocal obligation for UK citizens to get visas for short visits to the EU.

Incredibly, I was wrong on this. Yesterday, Dominic Raab, a senior figure on the Leave side, suggested that the UK might want to introduce visas for EU citizens after Brexit, and accepted that UK citizens might be subject to visa requirements for visits to the remaining EU in turn. It can’t seriously now be suggested that it’s ‘scaremongering’ to consider that this might become UK policy after Brexit – unless there’s such a thing as ‘self-scaremongering’ by the Leave side.

Let’s be clear about this. The idea of short-term visa requirements after Brexit is utterly and profoundly stupid. It is by no means a necessary consequence of Brexit, and would cause the maximum possible damage to UK businesses and the ordinary lives of British citizens who seek to visit the EU after Brexit, with little or no security benefit in return.

Background: EU visa policy

As an EU Member State, the UK allows short-term entry to EU citizens without a visa, as well as longer-term free movement of people – although the latter issue is severable from short-term visas. The reverse is also true, of course: simplifying the leisure, family and business visits of millions of British citizens to the EU every year. While there is an earlier treaty from the Council of Europe (a body separate from the EU) which abolishes visa requirements between European states, the UK is not a party to that treaty – and presumably would not become one under Raab’s plans.

The EU has agreements on free movement of people with Norway, Iceland and Switzerland, but it seems clear from official statements by the Leave side that the UK would not sign up to these after Brexit. But as I said, short-term visa waivers are a severable issue: the EU does have reciprocal short-term visa waiver treaties with a number of non-EU countries, as well as a unilateral policy of waiving short-term visa requirements for other wealthy countries who reciprocate. Therefore, all it would take for British citizens to retain the visa waiver for short-term visits to the EU after Brexit would be a British government policy not to impose short-term visa requirements on EU citizens, or a UK/EU treaty to this effect. This seemed highly likely – until Raab’s rant.

The EU decides visa policy as a bloc, so there is no possibility that the UK could do separate deals on short-term visas with individual EU countries. As an exception, Ireland (like the UK at present) has an opt-out from the EU’s visa policy, so the UK and Ireland could retain their separate Common Travel Area arrangements – if they wished to. It’s not clear if Raab also wants to impose visa requirements for Irish nationals (which might also then be reciprocated). If that happens, then border controls would have to be reimposed between Northern Ireland and the Irish Republic, as some on the Leave side have already called for (though others have taken a different view).

EU visas: the legal framework

The EU (apart from Ireland) has a standard short-term visa policy, which entails issuing ‘Schengen visas’ valid for all the Schengen states. So in legal terms we know what the impact would be of the EU imposing visas on British citizens. The basic rules are set out in the EU visa code, although a few EU countries (Romania, Bulgaria, Cyprus and Croatia) don’t apply that code yet as they are not yet fully part of Schengen. While the Schengen system currently has many well-known problems as regards border control, this has not affected Schengen visa policy, and there is no reason why it would do so.

To get a Schengen visa, the visa code requires an application at a consulate, although in practice the applications are often made through a private service provider. Applications can be made up to three months before the date of travel, or six months for multiple-entry visas. Applicants need to provide fingerprints, except for children under twelve and some other limited exceptions. They must also provide documents supporting the reason for their travel, obtain medical insurance and pay a fee of €60 per applicant, along with an extra fee if the applicant uses a private service provider. The fee is reduced to €35 for children between six and twelve, and waived for younger children, as well as pupils and teachers on study trips, researchers and representatives of NGOs. It may be waived in a small number of other cases; but it is always payable for tourist or business trips.

Most applications for Schengen visas are accepted, but applications are scrutinised for subsistence and intention to return, so it may be more likely that unemployed or low-waged British citizens find their visa applications refused. Any rejections will be registered in the EU’s Visa Information System for five years, which may make it less likely for a future application to be accepted. Usually a visa is valid for a period of three months over the next six months, but it is possible to get a multiple-entry visa (valid for several trips over a five year period) if there is a proven need to travel frequently. Visas can’t usually be obtained at the border, so British citizens would have to apply for a visa at least several days in advance to be sure of being able to travel. Without a visa, they would be denied boarding planes, trains or ferries, due to the EU law on carrier sanctions.

Back in 2014, the Commission proposed amendments to the EU visa code. They would, for instance, simplify the rules on getting multiple-entry visas, and allow for earlier applications. But such visas would still not be standard. Recently, both the Council and the European Parliament adopted their positions on this proposal, and so it will likely be agreed later this year. I’ve blogged separately on the main changes that the Commission proposed, as well as the chance to add rules on humanitarian visas, and on the specific proposals affecting UK citizens’ non-EU family members. But if the new code ultimately applies to all British citizens, its impact will obviously be much greater.

The EU has signed some treaties on visa facilitation with non-EU countries. These treaties don’t waive the visa requirement, but they reduce the application fee and simplify the process. Of course they are reciprocal – the UK would have to cut the fees and simplify the process for EU citizens applying for short-term visas to visit the UK too.

Practical consequences: the unbearable madness of visa requirements

There’s no doubt that visa requirements reduce travel for tourism, business and other purposes. There are detailed estimates of the scale of the economic impact in a report drawn up for the Commission before it proposed the revised visa code. Think of it at the individual level: if there’s no visa facilitation treaty, a British couple with two teenagers would have to pay an extra €240 for a family holiday in the EU in visa application fees, with fees often paid to service providers on top. Even with a visa facilitation treaty like the one with Ukraine, the family would pay €70 in fees (€35/adult, under-18s exempt from fees), and again possibly service providers.

Raab argues that all this is justified on security grounds. Is it? First of all, the vast majority of terrorist (or other) offences in the UK are committed by British citizens. But some foreign visitors do commit crimes. How best to screen them out? The basic problem is that imposing a visa requirement doesn’t, in itself, increase our capacity to determine if a particular individual is likely to pose a threat. It simply, in effect, moves the decision on entry in time (to a date before arrival) and space (away from the border to a consulate – although individuals will still be checked at the border to ensure that there is a visa in their passport). The best way of knowing if a particular individual is a threat is by checking the available data.

That information is easy to find if the visa applicant has previously committed a crime in the UK, because in that case there ought to be a criminal record accompanied by an entry ban. But in this scenario, the entry ban information should in principle not only be available to consulates considering a visa application, but also to border guards deciding on entry at the border. So the visa requirement adds nothing. Nor does it add anything as far as EU citizens are concerned: the EU citizens’ Directive allows the UK to impose an entry ban on EU citizens who have committed serious crimes; and the UK can (and does) refuse entry to EU citizens at the border.

What if the visa applicant has committed a crime in another country? Whether people have to apply for a visa or are checked at the border, there is no general access to other countries’ criminal records. However, the UK does have access to some relevant data as an EU Member State. Last year, it gained access to the Schengen Information System, which includes information on wanted persons, including some terrorist suspects. From 2012, the EU system for exchange of information on criminal records was set up (known as ECRIS: the European Criminal Records Information System), and the EU Commission recently reported that it had greatly improved the flow of information on this issue. The ECRIS law provides for criminal records to be exchanged more easily as regards a country’s own citizens (so we now have more information on UK citizens who have committed crimes abroad). Furthermore, the UK opted into the newly adopted EU law on passenger name records.

These laws don’t provide perfect security, of course. Not all terrorist suspects’ names appear in the Schengen Information System, for instance. The passenger name records law is likely to be challenged on human rights grounds, since it gathers information on all passengers, not just suspects. The criminal records law was unable to stop a tragic killing two years ago, because British police unfortunately did not ask another Member State about the killer’s criminal record (on the basis of a separate EU law) when they had the opportunity. As I suggested at the time, it would be desirable to provide for automatic circulation of the criminal records of EU citizens who have been convicted of very serious crimes, if they have been released from prison, so that they can be stopped and validly rejected from entry at the border. The upcoming amendments to the Schengen Information System would be an opportunity to do this.

But how would Brexit, with or without a visa requirement, improve this situation? It would not give the UK any more access to EU databases, or to other Member States’ criminal records systems; indeed, it might mean less access. The EU has not extended ECRIS to any non-EU countries; the Schengen Information System has only been extended to those (like Norway and Switzerland) that are fully part of Schengen. The EU has some treaties on exchange of passenger name data with non-EU countries, but this policy is being challenged on data protection grounds in the EU court.

More broadly, the EU court has ruled in the Schrems case that personal data can only be transferred to non-EU countries that have data protection law ‘essentially equivalent’ to EU law. The UK would have to commit to continue applying a law very similar to EU law, or risk disruptions in the flow of personal data – affecting digital industries as well as exchange of data between law enforcement authorities. This restriction can’t easily be negotiated away, since the case law is based on the EU Charter of Fundamental Rights, which has the same legal effect as the Treaties. The UK’s compliance with the EU rules would almost certainly be challenged in practice: see by analogy the Davis and Watson case already pending before the EU court. Outside the EU, the effect of a ruling that the UK did not comply with the rules would be a potential disruption of the flows of personal data.

One final point. Let’s remind ourselves that the UK already allows nationals of over fifty non-EU countries to visit for a short period without a visa. So obviously we have found a way to reconcile the possible security threat this might pose with the needs of the UK economy. Why should that be so difficult to do as regards EU countries after Brexit? The mere existence of that policy anyway creates a loophole: any EU citizen with the dual nationality of one of those non-EU states (or perhaps Ireland) would be able to visit the UK without a visa anyway. Or is the intention to require a visa for everyone?

Of course, this loophole would work the other way around too. As a dual citizen of the UK and Canada, I could still visit the EU visa-free on a Canadian passport. So could any other British people who are also citizens of a Member State, or a non-EU country on the EU visa whitelist. But many others (including my family, for instance) could not. Let’s conclude on the utter absurdity of this: a British citizen contemplating the use of a Canadian passport to visit the European Union. Is this really the vision of an open, liberal, global United Kingdom after Brexit that the Leave side want people to vote for on June 23rd?