3.2 Data protection – Page 3 – European Area of Freedom Security & Justice

Data retention and national law: whatever the CJEU rules, data retention may still survive!

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Matthew White, Ph.D candidate, Sheffield Hallam University

Should governments be able to retain data on everyone’s use of the Internet and their phones – because it might arguably aid the fight against terrorism and serious crime? This ‘data retention’ issue raises fundamental questions about the balance between privacy and security, at both national and EU level. Initially, in the electronic privacy (e-Privacy)Directive, EU legislation set out an option for Member States to adopt data retention rules, as a derogation from the normal rule of confidentiality of communications in that Directive. Subsequently, in 2006, at the urging of the UK government in particular, the EU went a step further. It adopted the Data Retention Directive (DRD), which requiredtelecom and Internet access providers to keep data on all use of the Internet and phones in case law enforcement authorities requested it.

However, on 8 April 2014, the Court of Justice of the European Union (CJEU) ruled that the latter Directive went too far. In its Digital Rights Ireland judgment (discussed here), that Court said that the EU’s Data Retention Directive (DRD) was invalid in light of a lack of compliance with the rights to privacy and data protection set out in Articles 7 and 8 of the EU Charter of Fundamental Rights (CFR) (para 69 and 73). This left open an important question: what happens to national data retention laws? Can they also be challenged for breach of the EU Charter rights, on the grounds that they are linked to EU law (the derogation in the e-Privacy Directive)? If so, do the standards in the Digital Rights Ireland judgment apply by analogy?

Instead of addressing this matter urgently, the United Kingdom government sat on its hands for a while and then unprecedentedly rushed through the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014). DRIPA 2014 was intended to be a reactionto the Digital Rights Ireland ruling, giving the UK as a matter of national law the power to retain data that had been struck down by the CJEU as a matter of EU law.

In 2015, Tom Watson (now the deputy leader of the UK Labour Party), David Davis (a Conservative party backbencher) and others challenged s.1 of DRIPA 2014 arguing that the powers to obligate data retention on public telecommunication operators set out in that section of DRIPA did not sufficiently reflect what the CJEU ruled in Digital Rights Ireland. Although that CJEU ruling only applied to EU legislation, they argued that it also applied by analogy to national legislation on data retention, since such legislation fell within the scope of the option to retain communications data set out in the derogation in the e-Privacy Directive, and so was linked to EU law (and therefore covered by the Charter). Even though the e-Privacy Directive only related to publicly available electronic communications services (Article 3(1)), it is submitted that any extension of the definition of public telecommunications operator would fall within the Data Protection Directive, and thus the CFR would still apply. The High Court (HC) ruled in the claimants’ favour inDavis where an order was made for s.1 of DRIPA to be disapplied by the 31^st of March 2016, insofar as it is incompatible with Digital Rights Ireland (para 122). This was in the hopes that it would give Parliament sufficient time to come up with a CFR compliant data retention law (para 121).

The government appealed to the Court of Appeal (CoA) which took a radically different approach maintaining that ‘the CJEU in Digital Rights Ireland was not laying down definitive mandatory requirements in relation to retained communications data’ (para 106). But for the sake of caution, the CoA made a preliminary reference to the CJEU asking:

(1) Did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of EU law with which the national legislation of Member States must comply?

(2) Did the CJEU in Digital Rights Ireland intend to expand the effect of Articles 7 and/or 8, EU Charter beyond the effect of Article 8 ECHR as established in the jurisprudence of the ECtHR?

The CoA was not the only national court to make a preliminary reference to the CJEU on matters regarding data retention and the reach of Digital Rights Ireland. On the 4^th May 2015, the Force was with Kammarrätten i Stockholm when it asked the CJEU:

Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime (as described [below under points 1-6]) compatible with Article 15(1) of Directive 2002/58/EC [the electronic privacy Directive], 1 taking account of Articles 7, 8 and 15(1) of the Charter?

If the answer to question 1 is in the negative, may the retention nevertheless be permitted where:

access by the national authorities to the retained data is determined as [described below under paragraphs 7-24], and

security requirements are regulated as [described below under paragraphs 26-31],

and all relevant data are to be retained for six months, calculated as from the day the communication is ended, and subsequently deleted as [described below under paragraphs 25]?

The way in which the first question in Davis and Watson is asked doesn’t specify whether the general obligation applies to every service provider under the state’s jurisdiction or specific service providers to retain what they individually process. The assumption is the former as ‘all means of electronic communication and all traffic data without any distinctions’ implies a catch all to the relevant services. The Home Secretary (and indeed the government) may argue that if the CJEU rules in the negative (note that Article 15(1) of the e-Privacy Directive only applies to publically available electronic communications services, thus the justification for retaining data from other services would have to be found in the Data Protection Directive (DPD)) it would mostly have affected cl.78 of theInvestigatory Powers Bill (IPB) (currently before Parliament) which would grant the Secretary of State the power to issue retention notices on a telecommunications or any number of operators to retain for e.g. any or all data for 12 if the power in cl.1 of the draft Communications Data Bill (dCDB) had been replicated. The dCDB was a legislative measure introduced in 2012 to allow public authorities to keep up to date with the sophistication of e-Crime. Clause 1 maintained that:

1 Power to ensure or facilitate availability of data

(1) The Secretary of State may by order—

(a) ensure that communications data is available to be obtained from telecommunications operators by relevant public authorities in accordance with Part 2, or

(b) otherwise facilitate the availability of communications data to be so obtained from telecommunications operators.

(2) An order under this section may, in particular—

(a) provide for—

(i) the obtaining (whether by collection, generation or otherwise) by telecommunications operators of communications data,

(ii) the processing, retention or destruction by such operators of data so obtained or other data held by such operators.

This measure was, however abandoned because the Liberal Democrats (in the then Coalition Government) did not approve of the far reaching nature of the proposal. In regards to cl.1, it clearly was a general power, as no distinction was made on who the obligation to retain may fall upon, and thus it is submitted that this power is analogous to the power which is the subject of the question being asked of the CJEU. Clause 78(1) of the IPB on the other hand, makes the distinction that a data retention notice may require a telecommunications operator to retain relevant communications data. Though there are two possible conflicts, the first, based on the assumption that the CJEU rules in the negative (to the first question) is cl.78(2)(a) and (b). This gives the Secretary of State the discretion to issue retention notices on any description of operators to retain all or any description of data. This could be considered a general obligation because it could affect all telecommunications operators and then be classed as a general obligation.

Secondly, retention ‘without distinction’ or ‘exceptions’ may be important when it comes to traffic data pertaining to journalists, politicians, and the medical and legal professions. But because the reference doesn’t mention specific service providers it cannot be said with certainty how much this would affect cl.78(1) which doesn’t make distinctions or exceptions.

When it comes to limitations on data retention, there is at least one, which was first noted in s.1(5) of DRIPA 2014 which allowed for a 12 month maximum period of retention. This is replicated in cl.78(3) and takes on board the recommendation of the Advocate General’s opinion (AG) in Digital Rights Ireland (para 149).

The President of the CJEU felt it was desirable to combine both preliminary references. The questions of access by both the Swedish and UK courts do not directly affect the cl.78 issuing of retention notices (insofar that it at least doesn’t involve everytelecommunications operator) nor does answering whether Article 7 and 8 was intended to extend beyond Article 8 ECHR jurisprudence. The security arrangements are dealt with by cl.81 (whether they are adequate is a different matter) and thus not relevant to the issuing of retention notices.

This, however, proceeds on the assumption that the CJEU will rule in the negative to the Swedish preliminary reference regarding retention being lawful for the purposes ofaccess, because if it does not, cl.78(2)(a) and (b) would not be affected at all. Moreover, the HC in Davis felt that the CJEU believed that data retention genuinely satisfied an objective of general interest (para 44) and that it must be understood to have held that a general retention regime is unlawful unless it is accompanied by an access regime which has sufficiently stringent safeguards to protect citizens’ rights set out in Articles 7 and 8 of the CFR (para 70). The CoA was silent on this matter, and therefore for the mean time, it is understood that if the CJEU rules in the positive, cl.78 would not be affected as a matter of EU law.

On the matter of whether the HC or the CoA had interpreted Digital Rights Irelandcorrectly, it is important to highlight one of the justifications for the CoA conclusions. It maintained in relation to mandatory requirements, that in the opinion of the AG, he was at least, not looking for the Directive to provide detailed regulation (para 77). Yet the CoA failed to mention his conclusions, where it was stated that the DRD was invalid as a result of the absence of sufficient regulation of the guarantees governing access to (by limiting access, if not solely to judicial authorities, at least to independent authorities, or, failing that, by making any request for access subject to review by the judicial authorities or independent authorities and it should have required a case-by-case examination of requests for access in order to limit the data provided to what is strictly necessary (para 127)) the data collected/retained and that the DRD should be suspended until the EU legislature adopts measures necessary to remedy the invalidity, but such measures must be adopted within a reasonable period (para 157-158). So at least in this regard the AG actually supports the stance of the HC (even though no reference was made on this point) and may therefore have had implications for the IPB (which does not require judicial or independent authorisation/review) in relation to access to communications data without a word from the CJEU.

Many thanks to Steve Peers for helpful comments on an earlier draft.

La sécurité digitale à l’heure des crises migratoire et terroriste, le noeud gordien de l’interconnexion des fichiers

ORIGINAL PUBLISHED ON CDRE SITE (20 AVRIL 2016)

par Pierre Berthelet, CDRE

La situation que connaît actuellement l’Union européenne n’aura échappé à personne. Qu’il s’agisse de la crise migratoire ou de la crise terroriste générée par les attentats à répétition en 2015 et en 2016, le remède préconisé par les États membres par la voix du Conseil et du Conseil européen, consiste à vouloir sécuriser davantage les frontières extérieures de l’Union européenne.

La protection renforcée de celles-ci constitue l’enjeu majeur de la lutte menée contre le phénomène terroriste, dont l’agenda converge désormais clairement avec la politique européenne en matière migratoire, comme l’atteste la communication de la Commission du 6 avril 2016 intitulée « des systèmes d’information plus forts et plus intelligents pour les frontières et la sécurité ». Le texte affirme à cet égard très clairement une « interconnexion dynamique » entre police, migration et gestion des frontières.

La crainte actuelle est, en particulier, le phénomène des combattants de l’État islamique venant d’Irak et de Syrie. L’organe de coordination antiterroriste belge, l’OCAM, a d’ailleurs souligné, le 19 avril 2016, un risque considérable d’attentat de la part de ces combattants, des Européens partis faire le Jihad au Moyen-Orient et rentrant aguerris (phénomène dit des « returnees »).

Nouveaux défis, mais anciennes solutions donc. L’observateur ne peut qu’avoir une impression de déjà-vu : les choix de ces derniers mois formulés par les chefs d’État et de gouvernement, inspirant les orientations contenues dans cette communication, ressemblent, à bien des égards, à ceux des Conseils européens de Laeken de 2001, de Séville de 2002 ou encore de Thessalonique 2003. À l’époque, l’Union était déjà confrontée aux problématiques du terrorisme et d’échouage de migrants sur les côtes européennes. Les agendas antiterroriste et migratoire se mêlaient alors autour de la sécurisation des frontières extérieures pour éviter toute intrusion possible d’agents d’Al-Quaïda dans l’UE, dissimulés dans les colonnes de migrants, jetant ainsi les fondations du projet des frontières électroniques (smart borders).

Anciennes solutions, mais nouveaux défis néanmoins. La communication du 6 avril 2016, accompagnée d’une proposition de règlement instituant le « Système Entrée-Sortie » (correspondant à une révision du précédent projet présenté en 2013, jugé trop onéreux par les États membres), marque un nouvel épisode dans la création des frontières électroniques européennes. Elle s’inscrit dans le contexte d’enjeux très actuels : la protection des frontières extérieures au prisme de la lutte antiterroriste a trait à deux problèmes distincts, celui des « combattants étrangers » (1) et celui de la fraude documentaire (2).

Dans le premier cas, il s’agit de contrôler les flux de voyageurs sortants pour empêcher ces « combattants étrangers » (foreign fighters), c’est-à-dire les jeunes Européens désireux de partir faire le Jihad au Moyen-Orient. Dans le deuxième cas, il s’agit de contrôler les flux de population, pour la plupart fuyant la guerre dans cette région. En réalité, ces deux problématiques se recoupent car la fraude documentaire concerne le contrôle des titre de voyage dont sont porteurs les flux de voyageurs, y compris les migrants irréguliers rassemblés dans les hotspots. Elle a trait aussi à l’identification des « combattants étrangers » franchissant les frontières Schengen avec de faux papiers. Les solutions apportées concernent, dans un cas comme dans l’autre, un meilleur déploiement des fichiers et une plus grande interconnexion de ceux-ci (3).

Analyser la manière dont l’Union s’efforce de répondre à ces deux problématiques distinctes mais sécantes est instructif. Cette réponse s’exprime de façon commune, le recours à la sécurité digitale, c’est-à-dire l’utilisation accrue des systèmes d’information et de communication et ce, en écho au phénomène de digitalisation de la vie sociale observable dans d’autres secteurs à l’ère du Big Data, tels que la santé digitale. Les problématiques secondaires, fraude documentaire et combattants étrangers, se trouvent au cœur de la résolution des crises migratoire et terroriste, elles-mêmes étroitement imbriquées. Il s’opère à ce propos un phénomène d’intrication immigration-terrorisme dans un contexte où s’échafaudent des capacités de gestion de crise horizontale, c’est-à-dire de polycrises.

L’interopérabilité des systèmes d’information devient alors un enjeu central, crucial même, car de son succès dépend la protection effective de l’Union. La sécurité digitale, expression archétypale dusolutionnisme technologique, constitue un nœud gordien au sens où le sort de lutte antiterroriste dépend de la réussite de l’interopérabilité des systèmes d’informations, qu’ils soient à finalité sécuritaire ou migratoire, l’une et l’autre apparaissant désormais mêlées.

1. Verrouiller les frontières pour résoudre le problème des combattants étrangers

Continue reading “La sécurité digitale à l’heure des crises migratoire et terroriste, le noeud gordien de l’interconnexion des fichiers”

(Legislative Alert) : The EU Directive on Passenger Name Record (PNR)

DIRECTIVE (EU) 2016/… OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of … on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular point (d) of Article 82(1) and point (a) of Article 87(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee[1],

After consulting the Committee of the Regions,

Acting in accordance with the ordinary legislative procedure[2],

Whereas:

(1) On 6 November 2007 the Commission adopted a proposal for a Council Framework Decision on the use of passenger name record (PNR) data for law enforcement purposes. However, upon entry into force of the Treaty of Lisbon on 1 December 2009, the Commission proposal, which had not been adopted by the Council by that date, became obsolete. Continue reading “(Legislative Alert) : The EU Directive on Passenger Name Record (PNR)”

The Commission’s draft EU-US Privacy Shield adequacy decision: A Shield for Transatlantic Privacy or Nothing New under the Sun?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Dr. Maria Tzanou (Lecturer in Law, Keele University)

On 6 October 2015, in its judgment in Schrems, the CJEU invalidated the Commission’s decision finding that the US ensured an adequate level of protection for the transfer of personal data under the Safe Harbour framework on the basis that US mass electronic surveillance violated the essence of the fundamental right to privacy guaranteed in Article 7 EUCFR and the right to effective judicial protection, enshrined in Article 47 EUCFR (for an analysis of the judgment, seehere).

On 2 February 2016, the Commission announced that a political agreement was reached on a new framework for transatlantic data flows, the EU-US Privacy Shield, which will replace the annulled Safe Harbour. On 29 February 2016, the Commission published a draft Privacy Shield adequacy decision followed by seven Annexes that contain the US government’s written commitments on the enforcement of the arrangement. The Annexes include the following assurances from the US:
Annex I, a letter from the International Trade Administration of the Department of Commerce, which administers the programme, describing the commitments that it has made to ensure that the Privacy Shield operates effectively;
Annex II, the EU-US Privacy Shield Framework Principles;
Annex III, a letter from the US Department of State and accompanying memorandum describing the State Department’s commitment to establish a Privacy Shield Ombudsperson for submission of inquiries regarding the US’ intelligence practices;
Annex IV, a letter from the Federal Trade Commission (FTC) describing its enforcement of the Privacy Shield;
Annex V, a letter from the Department of Transportation describing its enforcement of the Privacy Shield;
Annex VI, a letter prepared by the Office of the Director of National Intelligence (ODNI) regarding safeguards and limitations applicable to US national security authorities; and,
Annex VII, a letter prepared by the US Department of Justice regarding safeguards and limitations on US Government access for law enforcement and public interest purposes.

Similar to its predecessor, Privacy Shield is based on a system of self-certification by which US companies commit to a set of privacy principles. However, unlike Safe Harbour, the draft Privacy Shield decision includes a section on the ‘access and use of personal data transferred under the EU-US Privacy Shield by US public authorities’ (para 75). In this, the Commission concludes that ‘there are rules in place in the United States designed to limit any interference for national security purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the US to what is strictly necessary to achieve the legitimate objective.’ This conclusion is based on the assurances provided by the Office of the Director of National Surveillance (ODNI) (Annex VI), the US Department of Justice (Annex VII) and the US Secretary of State (Annex III), which describe the current limitations, oversight and opportunities for judicial redress under the US surveillance programmes. In particular, the Commission employs four main arguments arising from these letters to reach its adequacy conclusion:

Firstly, US surveillance prioritises targeted collection of personal data, while bulk collection is limited to exceptional situations where targeted collection is not possible for technical or operational reasons (this captures the essence of the principles of necessity and proportionality, according to the Commission).

Secondly, US intelligence activities are subject to ‘extensive oversight from within the executive branch’ and to some extent from courts such as the Foreign Intelligence Surveillance Court (FISC).

Thirdly, three main avenues of redress are available under US law to EU data subjects depending on the complaint they want to raise: interference under the Foreign Intelligence Surveillance Act (FISA); unlawful, intentional access to personal data by government officials; and access to information under Freedom of Information Act (FOIA).

Fourthly, a new mechanism will be created under the Privacy Shield, namely the Privacy Shield Ombusdperson who will be a Senior Coordinator (at the level of Under-Secretary) in the State Department in order to guarantee that individual complaints are investigated and individuals receive independent confirmation that US laws have been complied with or, in case of a violation of such laws, the non-compliance has been remedied.

The draft Privacy Shield framework may have been hailed as providing an ‘essentially equivalent’ level of protection for personal data transferred from the EU to the US, but despite the plethora of privacy-friendly words (‘Privacy Shield’, ‘robust obligations’, ‘clear limitations and safeguards’) one cannot be very optimistic that the new regime will fully comply with the Court’s judgment in Schrems.

A first problematic aspect with the US assurances is that they merely describe the US surveillance legal framework and the relevant safeguards that already exist.

In fact, the only changes that were introduced in the US following the Snowden revelations was the issuance of Presidential Policy Directive 28 (PPD-28) (in January 2014) which lays down a number of principles on the use of signal intelligence data for all people; and the passing of the USA Freedom Act which modified certain US surveillance programmes and put an end to the mass collection of Americans’ phone records by the NSA (in June 2015).

Finally, in February 2016, the US Congress passed the Judicial Redress Act which was signed into law by President Obama. Given that one can reasonably assume that the Court was aware of these developments when laying down its judgment in Schrems in October 2015, it seems that, with the exception of the Ombusdperson, Privacy Shield does not change much in US surveillance law. In fact, the Commission has entirely based its draft adequacy analysis on a mere detailed description of this law without any further commitment that this will improve in any way in order to comply with EU fundamental rights as interpreted by the CJEU.

While the assurance that US surveillance is mainly targeted and does not take place in bulk is important, there is no reference to the fact that US authorities access the content of the personal data that was deemed to violate the essence of the right to privacy in Schrems.

Furthermore, even if the US authorities engage only in targeted surveillance, the CJEU has held in Digital Rights Ireland that the mere retention of private-sector data for the purpose of making them available to national authorities affects Articles 7 and 8 EUCFR and might have a chilling effect on the use by subscribers of platforms of communication, such as Facebook or Google and, consequently, on their exercise of freedom of expression guaranteed by Article 11 EUCFR.

Individuals, when faced with surveillance, cannot know when they are targeted; nevertheless, the possibility of being the object of surveillance has an effect on the way they behave. Insofar as Article 47 EUCFR and the right to effective judicial protection is concerned, the Commission itself notes in its draft adequacy decision that the avenues of redress provided to EU citizens do not cover all the legal bases that US intelligence authorities may use and the individuals’ opportunities to challenge FISA are very limited due to strict standing requirements.

The creation of the Ombusdperson with the important function of ensuring individual redress and independent oversight should be welcomed as the main addition of the draft Privacy Shield. Individuals will be able to access the Privacy Shield Ombusdperson without having to demonstrate that their personal data has in fact been accessed by the US intelligence activities and the Ombusdperson, who will be carrying out his functions independently from Instructions by the US Intelligence Community will be able to rely on the US oversight and review mechanisms.

However, there are several limitations to the function of the Privacy Shield Ombusdperson. First, the procedure for accessing the Ombudsperson is not as straightforward as lodging a complaint before a national Data Protection Authority (DPA). Individuals have to submit their requests initially to the Member States’ bodies competent for the oversight of national security services and, eventually a centralised EU individual complaint handling body that will channel them to the Privacy Shield Ombusdperson if they are deemed ‘complete’. In terms of the outcome of the Ombusdperson’s investigation, the Ombusdperson will provide a response to the submitting EU individual complaint handling body –who will then communicate with the individual- confirming (i) that the complaint has been properly investigated, and (ii) that the US law has been complied with, or, in the event of non-compliance, such non-compliance has been remedied. However, the Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will the Ombudsperson confirm the specific remedy that was applied.

Finally, Annex III stipulates that commitments in the Ombudsperson’s Memorandum will not apply to general claims that the EU-US Privacy Shield is inconsistent with EU data protection requirements. In the light of the above, the Privacy Shield Ombudsperson does not seem to provide the redress guarantees of a supervisory authority such as the DPAs as the AG had asked in his Opinion in Schrems.

Draft Privacy Shield is problematic for another reason as well: it puts together the regulative framework for commercial transactions with the regulation for law enforcement access to private sector data. These are, however, different issues and they should be dealt with separately. It is important to encourage and facilitate transborder trade, thus flexible mechanisms allowing for undertakings self-compliance with data protection principles should continue to apply. But, the challenges of online surveillance on fundamental rights are too serious to be covered by the same regime and some ‘assurances’ that essentially describe the current US law.

Two solutions could possibly deal with this problem: Either the US adheres to the Council of Europe Convention No. 108 and abandons the distinction between US and EU citizens regarding rights to redress or a transatlantic privacy and data protection framework that ensures a high level of protection of fundamental rights and the transparency and accountability of transnational counter-terrorism operations (the so-called ‘umbrella agreement’) is adopted. Regrettably, the current form of the umbrella agreement is very problematic as to its compatibility with EU data protection standards- or even human rights standards in general, and, therefore, does not seem to provide an effective solution to the issue.

A recently leaked document reveals that the Article 29 Working Party has difficulties in reaching an overall conclusion on the Commission’s draft adequacy decision and supports the view that Privacy Shield does not fully comply with the essential guarantees for the transfer of personal data from the EU to the US for intelligence activities.

Should the Commission nevertheless decide to proceed with the current draft, it is highly possible that the CJEU will be called in the future to judge the adequacy of Privacy Shield in aSchrems 2 line of cases.

(Legislative Alert) Data Protection : the draft Directive covering public security policies

ORIGINAL TEXT ACCESSIBLE IN ALL EU LANGUAGES ON THE EU COUNCIL SITE

Nota bene : the text below is the Council “position” which will be adopted in the coming hours by written procedure by the Coreper and sent to the EP for the second reading (currently foreseen for the APRIL session plenary together with the EU General Regulation on data protection and the draft Directive on the so called “EU PNR”). For the time being these passages foreseen by art. 294 TFEU are seen by the institutions as mere formalities as an “informal” agreement on the draft Council Position has already been reached on December 17/18 with an “informal” vote of the relevant Parliamentary committee (LIBE).

Following the “informal” practice of interinstitutional “early agreements” the Chairman of the Parliamentary Committee has already informed the Council that no amendments will be submitted by LIBE when the text of the Council position will be formally submitted to the EP. Therefore since last December the text below has already been revised from the Jurist linguistsso that it can be published on the official Journal maybe already in May or June after the formal vote of the EP and the final adoption by the Council as well as the signature of the EP and Council Presidents.

Below the text of the Council Position as well as of the Statement of reasons which according to the Treaty should explain to the EP why the text is different from the one voted by the latter. Again this has become a pure formality as the EP has already negotiated with the Council the amendments to the original Commission Proposal. One can guess if the loser of this “informal” way of proceeding where a “Position” of an institution is already a consolidated compromise is the ordinary European citizen who has no real means to understand who between the EP and the Council should be taken accountable for the different choices made to reach the “compromise”.

Comments on the content of the “Council Position” below will follow

EDC

—

(Draft) Statement of the Council’s reasons on the Position of the Council on DIRECTIVE (EU) 2016/… OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of … on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

INTRODUCTION Continue reading “(Legislative Alert) Data Protection : the draft Directive covering public security policies”

(Legislative Alert) Data Protection :the new EU general Regulation

ORIGINAL TEXT ACCESSIBLE IN ALL EU LANGUAGES ON THE EU COUNCIL SITE

Nota bene : the text below is the Council “position” which will be adopted in the coming hours by written procedure by the Coreper and sent to the EP for the second reading (currently foreseen for the APRIL session plenary together with the EU Directive on data protection in the security sector and the draft Directive on the so called “EU PNR”). For the time being these passages foreseen by art. 294 TFEU are seen by the institutions as mere formalities as an “informal” agreement on the draft Council Position has already been reached on December 17 with an “informal” vote of the relevant Parliamentary committee (LIBE).

Following the “informal” practice of interinstitutional “early agreements” the Chairman of the Parliamentary Committee has already informed the Council that no amendments will be submitted by LIBE when the text of the Council position will be formally submitted to the EP. Therefore since last December the text below has already been revised from the Jurist linguists so that it can be published on the official Journal maybe already in May or June after the formal vote of the EP and the final adoption by the Council as well as the signature of the EP and Council Presidents.

Comments on the content of the “Council Position” below will follow

EDC

(Draft) Statement of the Council’s reasons on the

Position of the Council at first reading with a view to the adoption of a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Continue reading “(Legislative Alert) Data Protection :the new EU general Regulation”

“EU-US Privacy Shield” : Towards a new Schrems 2.0 Case ?

NOTA BENE : This is not a final version (San Francisco, April 3^rd2016)

By Max SCHREMS

INTRO

In the past weeks I was repeatedly asked by policy makers, MEPs, DPAs and interested lawyers and individuals about a written summary of my assessment of the proposed “Privacy Shield” system. This document is a quick response to these requests. Due to the limited time it may contain some typos and minor errors.

The debate on “Privacy Shield” is ongoing and a full proper academic review of the more than 120 page draft Commission decision, in context of the European and US laws and decisions, is a substantive project outside of the scope of this document, which was written as a citizen over the course of a weekend. This document can therefore only highlight some potential issues identified in summarize an initial examination of the proposed “Privacy Shield” and does not constitute a final or deep review.

The European Commission and the US government, as well as some lobby groups, have extensively promoted the positive sides of “Privacy Shield” and the improvements compared to the previous “Safe Harbor” system. I will not repeat these points in this document. Instead this document focuses on possible problems, shortcomings and issues of the proposed system, to allow overall balanced view.

The level of knowledge varies between persons requesting this document. Unfortunately this means that some elements may be irrelevant, too generalized or explained in very simple terms for experts in the field of data protection and/or EU law.

In the following comments I am primarily (but not exclusively) focusing on a legal analysis. As an initial political comment, I would therefore like to highlight that I am of the view that the EU and the US should reach an agreement that replaces “Safe Harbor”. The aim of case C-362/14 was to create a situation where the political leaders on both sides of the Atlantic have to work towards a new deal that remedies the obvious problems disclosed by Snowden. I unfortunately feel that the current policy makers within the European Commission have not seen this situation as an opportunity to work towards an improved framework that would protect the fundamental right to privacy, but instead as a problem, that shall now be swept under the rug.

1.PRIVATE SECTOR / PRIVACY SHIELD PRINCIPLES Continue reading ““EU-US Privacy Shield” : Towards a new Schrems 2.0 Case ? “

WORTH READING : U.S.-EU Cooperation Against Terrorism

REPORT PUBLISHED BY STATEWATCH

by Kristin Archick

Summary

The September 11, 2001, terrorist attacks on the United States and the subsequent revelation of Al Qaeda cells in Europe gave new momentum to European Union (EU) initiatives to combat terrorism and improve police, judicial, and intelligence cooperation among its member states. Other deadly incidents in Europe, such as the Madrid and London bombings in 2004 and 2005, respectively, injected further urgency into strengthening EU counterterrorism capabilities.

Among other steps, the EU has established a common definition of terrorism and a common list of terrorist groups, an EU arrest warrant, enhanced tools to stem terrorist financing, and new measures to strengthen external EU border controls and improve transport security.

Over the years, the EU has also encouraged member states to devote resources to countering radicalization and terrorist recruitment; such efforts have received renewed attention in light of concerns about the threats posed by European fighters returning from the conflicts in Syria and Iraq, highlighted most recently by the November 13, 2015, attacks in Paris, France.

Promoting law enforcement and intelligence cooperation with the United States has been another top EU priority since 2001. Washington has largely welcomed enhanced counterterrorism cooperation with the EU. Since 9/11, contacts between U.S. and EU officials on police, judicial, and border control policy matters have increased substantially.

A number of U.S.-EU agreements have been reached; these include information-sharing arrangements between the United States and EU police and judicial bodies, U.S.-EU treaties on extradition and mutual legal assistance, and accords on container security and airline passenger data.
In addition, the United States and the EU have been working together to curb terrorist financing, strengthen transport security, and address the foreign fighter phenomenon.
Nevertheless, some challenges persist in fostering closer U.S.-EU cooperation in these fields.
Among the most prominent and long-standing are data privacy and data protection issues.
The negotiation of several U.S.-EU information-sharing agreements, from those related to tracking terrorist financial data to sharing airline passenger information, has been complicated by EU concerns about whether the United States could guarantee a sufficient level of protection for European citizens’ personal data.
EU worries about U.S. data protection safeguards and practices were further heightened by the unauthorized disclosures of U.S. National Security Agency (NSA) surveillance programs in mid-2013 and subsequent allegations of U.S. collection activities in Europe.
Other issues that have led to periodic tensions include detainee policies, differences in the U.S. and EU terrorist designation lists, and balancing measures to improve border controls and border security with the need to facilitate legitimate transatlantic travel and commerce.
Congressional decisions related to data privacy, intelligence-gathering, border controls, visa policy, and transport security may affect how future U.S.-EU counterterrorism cooperation evolves.
EU officials have welcomed passage of the Judicial Redress Act (P.L. 114-126) to provide EU citizens with a limited right of judicial redress for privacy violations in a law enforcement context, but they have expressed unease with some provisions in the Visa Waiver Program Improvement and Terrorist Travel Prevention Act of 2015 (passed as part of P.L. 114-113 in the wake of the Paris attacks and heightened U.S. concerns about European citizens fighting with terrorist groups abroad).
Given the European Parliament’s growing influence in many of these policy areas, Members of Congress may be able to help shape the Parliament’s views and responses through ongoing contacts and the existing Transatlantic Legislators’ Dialogue (TLD). This report examines the evolution of U.S.-EU counterterrorism cooperation, current issues, and the ongoing challenges that may be of interest in the 114th Congress.

NB Also see CRS Report R44003, European Fighters in Syria and Iraq: Assessments, Responses, and Issues for the United States, coordinated by Kristin Archick.

FULL REPORT : U.S.-EU Cooperation Against Terrorism Continue reading “WORTH READING : U.S.-EU Cooperation Against Terrorism”

(EP Study) The proposal for a European Border and Coast Guard: evolution or revolution in external border management?

THIS IS AN EXECUTIVE SUMMARY. (ACCESS TO THE FULL STUDY (40 pages) HERE)

by Dr. Jorrit Rijpma

The Commission proposal for a European Border and Coast Guard Authority brings together a reinforced (and renamed) Frontex – the European Border and Coast Guard Agency (EBCGA) – and the Member States’ border guard authorities under the umbrella of a European Border and Coast Guard (EBCG), making them jointly responsible for the management of the external borders. The proposal defines for the first time the notion of European integrated border management. It significantly broadens the scope of the new Agency to include internal security and measures within the area of free movement. The proposal reinforces both Frontex’s regulatory and operational role. In addition, it gives the Agency a supervisory role, placing it in charge of Vulnerability Assessments.

As such, the EBCG proposal is an important next step in the progressive Europeanisation of external border management. That said, the proposal is not a revolutionary leap forwards, as it preserves the fundamental premise that the Agency neither has its own border guards nor powers of command and control over national border guards.

Still, a proposal of this complexity, with substantial financial implications and an obvious impact on fundamental rights, deserves careful consideration.

The proposal does not address some key questions as regards accountability for operational activities at the external borders and is rather likely to add to the current unclear division of responsibilities. There is, moreover, a danger of placing unrealistic expectations on the Agency.

It seems contradictory that Member States would be willing to accept more binding obligations under this proposal, while nothing prevents them from furnishing the Agency with the necessary tools now. Likewise, it would be naïve to think that greater powers and a new name for Frontex might suddenly remedy structural flaws in some Member States’ external border management systems.

Although the current crisis may have exposed shortcomings in Frontex’s current legal framework, the proposal does not constitute a genuine emergency measure designed to tackle a short-term problem. Therefore, if this proposal is to stand the test of time as the regulatory framework for external border management, it is important to carefully consider the structural implications of the rules currently being considered for adoption.

With this in mind, this analysis highlights some of the central challenges in the new EBCG framework and provides some recommendations on how these might be addressed.

Supervisory role

The Agency’s supervisory role also entails drawing up Vulnerability Assessments to identify operational weaknesses in external border management. In this regard, it is important to:

– Clarify the relationship between the Schengen Evaluation Mechanism and the Vulnerability Assessment model.

– Ensure that the Agency’s supervisory role does not prejudice working relations in the field of operational cooperation.

– Introduce a fundamental rights component into the Assessments.

Regulatory role

Under the proposal, Member States would be obliged to provide the Agency with relevant information for its risk analysis.

– A more specific explanation of what constitutes relevant information could help to clarify the extent of this obligation.

– If the Agency were to be given access to European databases, this would have to be under strict conditions, taking into account relevant data protection legislation.

Operational role

Availability of human and technical resources

The proposal aims to remedy the current lack of human and technical resources. As such, in emergency situations, Member States would be required to provide border guards, with no possibility, as is currently the case, to invoke an emergency situation requiring their deployment at home. Similar, yet weaker provisions have been included as regards the obligation to make available technical equipment.

The Agency will be allowed to acquire its own equipment.

In addition, the Commission proposal provides for a right to intervene where a Member State does not follow up on the recommendations from the Vulnerability Assessment or in a situation where insufficient external border controls would put the overall functioning of the Schengen area at risk. This latter provision has, however, been amended in the Council text, which provides for a similar mechanism for reinstatement of the internal borders as under article 26 of the Schengen Borders Code.

– The unqualified obligation to make border guards available for rapid border interventions and the ‘right to intervene’ under the Commission’s proposal arguably contravene the Member States’ ultimate responsibility for internal security under the Treaties (Article 4(2) TEU and Article 72 TFEU).

Expansion of tasks and powers of guest officers

Guest officers’ powers may be considerably broadened by the host Member State, allowing these officers to act on its behalf. Guest officers would also have automatic access to European databases. The proposal should:

– Clearly state that guest officers act at all times within the scope of EU law and hence within the scope of the Charter of Fundamental Rights.

– Clearly state that, to the extent that national powers are delegated to guest officers, these officers should be considered to act as agents of the host Member State for the purpose of determining international responsibility.

Hotspot approach

The proposal gives the Agency a key role in the hotspot approach.

This is problematic as it seems to contradict the multi-agency purpose and nature of the hotspot approach, risking a one-sided focus on border control.

The Commission is thus much better placed to coordinate the activities of the Migration Management Support Teams.

-The hotspot approach and its legal and operational framework require prior definition, preferably in a separate legal framework, before making the Agency responsible for its functioning.

– If the Agency were to take primary responsibility for the hotspots, a reference to international protection should be included in the concept of integrated border management.

Return cooperation

The Agency would gain significant operational powers in the area of return with three new on-call lists of Member State officials: forced return monitors, forced return experts and return specialists.

The proposal provides for three types of return operations: return from a combination of Member States organised and carried out by the Member States and coordinated by Frontex; collecting return operations where the means of transport and return escorts are made available by a third country; and mixed return operations, where a number of returnees are transported from one third country to another.

There are a number of important concerns as regards the provisions on return that need to be addressed. It is important to:

– Detail the tasks, powers and responsibilities of these officials. Attention should be paid to the specific legal regime applicable on board aircrafts.

– Extend reporting obligations to return operations and include a role for the Agency’s Fundamental Rights Officer.

– Allow for collecting return operations only if the third country concerned is a party to the European Convention on Human Rights (ECHR).

– Allow for mixed return operations only if there are sufficient guarantees that the third country’s return decision and procedures comply with EU fundamental rights standards.

Information exchange and data protection

The proposal would transform the Agency into the central hub of information exchange of the EBCG, expanding its powers to collect and transmit data not only on people suspected of cross-border crime, but on irregular third country nationals.

This requires sufficient data protection rules. As pointed out by the European Data Protection Supervisor (EDPS), the proposal has important flaws in this regard and requires clarification.

The proposal should:

– Clearly distinguish between the different purposes for which data is processed, because migration management and criminal law enforcement are covered by separate legal regimes.

– Exhaustively list the purposes for which data may be processed.

– Indicate not only the categories of people whose data may be processed, but also specify which data may be processed.

– Clearly distinguish between the transfer of data to third parties within and outside the European Union.

Operational cooperation with third countries

The proposal would allow for joint operation activity on the territory of third countries. Cooperation with third countries should not allow the Agency and EU Member States to lower EU standards.

As such:

– Cooperation should be limited to third countries that are party to the ECHR and

the Geneva Convention and its Additional Protocol.

– The safeguard whereby liaison officers may only be posted to countries with human rights-compliant border practices should be reintroduced.

Coastguard

The provisions on the role of the Agency and the Member States in a European Coast Guard are the least developed part of the proposal and are largely limited to an obligation to exchange information. It is therefore important to clarify the extent to which this may involve the processing of personal data. Furthermore, it is important:

– To clarify the relationship between the military and the Agency in maritime border surveillance operations and any other Member State military involvement in integrated border management.

– To include Search and Rescue provisions to allow the Agency to play a more active SAR role without affecting the international SAR framework.

Constitutional considerations

It is submitted that, under the current rules on delegation of powers to Union bodies, it is not possible to delegate genuine executive powers to the EBCGA.

The Commission proposal respects these limits. Nonetheless, the removal of the ‘emergency situation’ exception for the deployment of human and technical resources, as well as the ‘right to intervene’, are at odds with the Treaty principle of ultimate responsibility of the Member States for their own internal security. Moreover:

– Careful consideration should be given to which decisions are politically sensitive and should be reserved for the Management Board and which are more technical and operational and should be left to the Executive Director.

Fundamental rights considerations

The significant reinforcement of the tasks of the Agency without the transfer of genuine executive powers to the Agency (for the reasons set out above), as well as the explicit affirmation of a shared responsibility for European integrated border management, will only exacerbate the existing conundrum as regards shared accountability.

While the introduction of an individual complaints mechanism is an important positive development, the Commission’s assertion that the mere existence of such a mechanism makes the Agency’s actions fundamental rights-compliant is clearly exaggerated.

Indeed, the proposed fundamental rights mechanisms require further refinement:

– The complaints procedure provisions must lay down rules on format, content and deadlines or should empower the Agency to set such rules.

– The Executive Director’s obligation to suspend or terminate operations in the event of fundamental rights violations should be further detailed and should provide for a role for the FRO and take into account the results of relevant monitoring mechanisms.

– The obligation for the Agency to set up a fundamental rights monitoring mechanism – with a broad review of fundamental rights at the external border – should be reintroduced.

– The FRO’s obligation to report to the Consultative Forum should be reintroduced.

Continue to the FULL STUDY

TERRORISM : EDRI RECOMMENDATIONS FOR THE EP REPORT ON TERRORISM

FOR A GENERAL OVERVIEW OF THE LEGISLATIVE PREPARATORY WORKS OF THE EU DIRECTIVE ON TERRORISM SEE HERE

EDRI Recommendations for the European Parliament’s
Draft Report on the Directive on Combating Terrorism (NDR : emphasis are added)

In the view of the Civil Liberties, Justice and Home Affairs Committee (LIBE)’s legislative work on the Directive on Combating Terrorism , European Digital Rights (EDRi) would like to make a set of recommendations regarding the provisions falling within our scope of work, i.e. the protection of human rights in the digital environment. The absence of comments on certain provisions shall not be interpreted as an endorsement.

EDRi supports the aim of achieving a united, coherent and effective response to terrorism. Notwithstanding the importance of ensuring that adequate measures are in place to fight terrorism, EDRi is concerned about the speed that this file is taking. Terrorism is a very complex issue and laws must be balanced, smart and work in times of crisis. With the view to being constructive in this process, EDRi encourages the rapporteur, shadow rapporteurs and LIBE members to consider EDRi’s recommendations outlined before, when and after proposing amendments. EDRi’s wording proposals are based on the Commission’s proposal unless expressly specified (in the latter case, to explain the changes needed to the rapporteur’s draft report).

I. Human Rights Impact assessment needed

EDRi regrets the absence of an impact assessment. This is in contradiction with the EU Better Regulation Guidelines and the European Commission’s Better Regulation tool No. 24. While parts of the text are similar to the 2008 Framework Decision, six years is a very long time to wait for a review of an issue of such importance. In addition, the Council and the Parliament rapporteur are proposing new elements without any obvious evidence base.

Civil society has not been awarded the opportunity to provide input, evidence or expertise prior to the proposal of the Directive. The justification given by the Commission was based on the urgency of the file. However, this contradicts the Member States’ proposal to transpose the Directive not in twelve months as proposed by the European Commission and the EP rapporteur, but in twenty-four months.
EDRi’s proposal:

We urge the European Parliament to ask the European Commission to conduct an Impact assessment immediately.

II. Strong and meaningful human rights safeguards

a) General clause

Contrary to the Framework Decision 2002, as amended in 2008, the Commission’s proposal for a Directive does not contain any reference to fundamental rights and freedoms in the Articles.

• Recital 19 should be deleted and replaced by a new Article

We consider it problematic that Recital 19 states that the Directive respects fundamental rights, since this is not necessarily a given. A similar phrasing was also used in Recital 22 of Directive 2006/24/EC (the Data Retention Directive), which was later ruled to be in violation of the Charter of Fundamental Rights of the European Union. An adequate fundamental rights clause should emphasise the limitations on fundamental rights that will be put in place as a result of this Directive, as well as the duty of Member states to observe such rights when implementing it, so judges can interpret the law adequately.

EDRi thus recommends rephrasing Recital 19 and converting it into an Article, based on the wording used in Article 1(2) of the 2002 Framework Decision on Combating Terrorism, Article 2 of the 2008 Framework Decision on Combating Terrorism, Article 12 of the Convention on the Prevention of Terrorism of the Council of Europe and Article 8 of the Additional Protocol. In addition, the Directive should emphasise that restrictions on fundamental rights must be provided for by law, be necessary and proportionate for the aim pursued..

EDRi’s proposal (providing an alternative wording for the rapporteur’s AM 53):

Article 23a (new): Fundamental Rights and Principles
1. This Directive respects the principles recognised by Article 2 of the Treaty on the European Union, respects fundamental rights and freedoms and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, including those set out in Chapters II, III, V and VI thereof which encompass inter alia the right to liberty and security, freedom of expression and information, freedom of association and freedom of thought conscience and religion, the general prohibition of discrimination in particular on grounds of race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, the right to respect for private and family life and the right to protection of personal data, the principle of legality and proportionality of criminal offences and penalties, covering also the requirement of precision, clarity and foreseeability in criminal law, the presumption of innocence as well as freedom of movement as set forth in Article 21(1) of the Treaty on the Functioning of the European Union and Directive 2004/38/EC. shall not have the effect of altering the obligation to respect fundamental rights and fundamental legal principles as enshrined in the Charter of Fundamental Rights of the European Union and Articles 2 and 6 of the Treaty on European Union, as well as in the European Convention for the Protection of Human Rights and Fundamental Freedoms and International humanitarian law.
2. Restrictions to fundamental rights and freedoms must be provided for by law, be necessary and proportionate for the aim pursued.
3. This Directive has to be implemented in accordance with these rights and principles the Charter of Fundamental Rights and principles of EU law.

b) Non-discrimination

The current text of the proposed Directive seems to be neutral, but taken into account the explanatory memorandum and certain provisions of the draft Directive, this legal instrument is highly likely to be discriminatory in practice. As the UN Special Rapporteur on Counter-Terrorism and Human Rights points out, “on paper most strategies to counter violent extremism are generic. In practice, however, they tend to target specific groups determined to be most ‘at risk’ of being drawn to violent extremism”.

The current proposal only provides a rather weak and narrow non-discrimination safeguard in Recital 20, which is restricted to criminal offences. EDRi encourages the European Parliament to strengthen this provision, in line with the EU Charter and the UN’s Plan of Action against Violent Extremism leading to terrorism, which calls on UN Member States to strengthen “the rule of law, repealing discriminatory legislation and implementing policies and laws that combat discrimination, marginalisation and exclusion in law and in practice”.

EDRi’s proposal (amending the Commission’s proposal):

Recital 20
The implementation of the criminalisation under this Directive should be proportional to the nature and circumstances of each case the offence, with respect to the legitimate aims pursued and to their necessity in a democratic society, and should exclude any form of arbitrariness or discrimination.

c) Freedom of expression

The draft Directive contains provisions which can have a chilling effect on freedom of expression. In the words of the European Court of Human Rights (ECtHR), freedom of expression applies to “information” or “ideas” that are favourably received or regarded as inoffensive or as a matter of indifference, but also to those that offend, shock or disturb the State or any sector of the population.

The Directive must ensure that “any restrictions on freedom of expression are clearly and narrowly defined and meet the three-part test of legality, proportionality and necessity”, as the UN Plan of Action Against Violent Extremism outlines. The Directive should help prevent abusive and arbitrary practices in Member States (see our Annex). Hence, EDRi encourages policy makers to adopt an Article which includes wording based on Recital 14 and Article 2 of the Framework Decision 2008.

EDRi’s proposal:

Article 23b (new) Freedom of expression
1. Nothing in this Directive may be interpreted as being intended to reduce or restrict the dissemination of information for the expression of an opinion. The expression of radical, polemical or controversial views in the public debate on sensitive political questions, including terrorism, fall outside the scope of this Directive and, in particular, of the definition of public provocation to commit a terrorist offence.
2. This Directive shall not have the effect to take measures in contradiction of fundamental principles relating to freedom of expression, including freedom of the press and the freedom of expression resulting from constitutional traditions or rules governing the rights and responsibilities of, and the procedural guarantees for, the press or other media where these rules relate to the determination or limitation of liability.

c) Emergency situations

The Directive must work for situation of crisis or emergency, in line with Article 15 of the European Convention on Human Rights (ECHR). In this sense, the UN Plan of Action on violent extremism leading to terrorism specifies that “certain rights are non-derogable even in time of public emergency which threatens the life of the nation”. As the five UN Special Rapporteurs highlighted regarding France’s situation after the Paris Attacks, “[w]hile exceptional measures may be required under exceptional circumstances, this does not relieve the authorities from demonstrating that these are applied solely for the purposes for which they were prescribed, and are directly related to the specific objective that inspired them.”

EDRi’s proposal:

Article 23c (new) Emergency situations and fundamental rights
In time of war or other public emergency threatening the life of the nation, Member States may take measures to derogate certain rights, in line with EU and International law. Such circumstances do not relieve the authorities from demonstrating that the measures undertaken are applied solely for the purpose of combating terrorism and are directly related to the specific objective of combating terrorism.

d) Effective remedies for Human Rights violations

The UN’s Plan of Action against violent extremism leading to terrorism also asks UN Member States to ensure accountability for human rights violations “through criminal procedures adhering to due-process guarantees.” This is absent from the European Commission’s proposal. EDRi’s proposal is based on the model clause proposed in the former UN Special rapporteur’s report on best practices when countering terrorism:

EDRi’s proposal:

Article 23d (new) Right to effective remedies
1. Any person whose fundamental rights and freedoms have been violated in the exercise of counter-terrorism powers or the application of counter-terrorism law has a right to a speedy, effective and enforceable remedy.
2. Member States’ judicial authorities shall have the ultimate responsibility to ensure that this right is effective.

e) Human rights safeguards for specific offences

All provisions need to be read in compliance with fundamental rights and freedoms. In addition, when referring to a concept that does not have a harmonised definition, EU institutions should provide a definition in Article 2, in order to comply with the principle of legality so that, as the UN Special Rapporteur on Human Rights and combating terrorism stated, “criminal liability is narrowly and clearly defined.”

III. Terrorist offences

• Article 2: definitions

The draft Directive contains many legal concepts which can mean different things. The Directive needs to comply with the principle of legality.

EDRi’s proposal:

Should the Directive contain legal terms which are not defined in the other provisions, Article 2 should be amended to add the appropriate definitions. For specific examples, please see our recommendations per provision in this document.

• Recital 5 and Article 3: terrorist offences

Article 3 defines the concept of ‘terrorist offences’. Recital 5 says that the Member States’ definition of terrorist offences should cover forms of behaviour “punishable also if committed through the Internet, including social media”. However, Articles 3(1)(b) and 3(2)(i) are not clear about what this means in practice.

• Recital 5

It is not clear why a reference to the Internet is needed. Criminal offences should be technology-neutral insofar as possible.

EDRi’s proposal:

Recital 5
Taking into account of the evolution of terrorist threats and legal obligations to the Union and Member States under international law, the definition of terrorist offences, including offences related to a terrorist group and offences related to terrorist activities, should be further approximated in all Member States, so that it covers more comprehensively conduct relate to in particular foreign terrorist fighters and terrorist financing. These forms of behaviour should be punishable also if committed through the Internet, including social media.

◦ Article 3(1)(b) on ‘unduly compelling a Government or international organisation ‘

Pursuant to Article 3(1)(b), an offence may qualify as a terrorist offence when it is committed with the aim of ‘(b) unduly compelling a Government or international organisation to perform or abstain from performing any act’. Notwithstanding its use in existing legislation, the use of the word ‘unduly‘ in this context is problematic, since it lacks a clear definition or legal import. An improved phrasing might refer to ‘using violence or the threat of violence to compel’, as we do not see how any non-violent attempt at influencing governmental policy could qualify as terrorism. Without such a modification, this provision risks affecting legitimate forms of protest and civil disobedience under the concept of terrorism. For instance, as the UN Human Rights Committee states and the UN Special Rapporteur on Human Rights and Countering Terrorism endorses, “no site or information dissemination system should be prohibited from publishing material solely on the basis that it may be critical of the government or the social system espoused by the government”.

EDRi’s proposal:

Article 3
1. (…)
(b) using violence or the threat of violence to compel or seek to compel unduly compelling a Government or international organisation to perform or abstain from performing any act.

◦ Article 3(2)(i)

Article 3(2) defines what ‘intentional acts’ means. EDRi considers Article 3(2)(i)’s wording is too broad and could lead to arbitrary and discriminatory abuses. EDRi suggests to bring it into line with Recital 13.

EDRi’s proposal:

Article 3
2. (…)
(i) seriously threatening to commit any of the acts listed in points (a) to (h), on the basis of objective, factual circumstances.

• Article 15: relationship to terrorist offences

If the amendments we suggest are adopted, the proposed text from the Commission appears unproblematic.

• Article 16: aiding or abetting, inciting and attempting

Article 16 is intended to prohibit ancillary offences related to terrorist offences, namely aiding, abetting, inciting and attempting. We see a significant overlap with the provisions under Title III (Offences related to Terrorist Activities), since these are also aimed at prohibiting (specific forms of) assistance for terrorist offences. It would appear that many of these offences related to terrorist activities could also be treated under the more general principles referenced in Article 16. Conversely, many related offences currently covered by Article 16 have already found more specific treatment in Title III. This confusion generated by this dual approach is best illustrated by the fact that aiding of terrorism (e.g. through financing or providing training) itself becomes a specific offence.

As a result of this extension, the Directive’s scope touches on activities with little to no direct relationship to actual terrorist acts. In the interest of legal certainty and good lawmaking, we would encourage a closer specification of the interaction between Article 16 and Title III of the Directive, with the aim of reducing overlap between these rules. In addition, Article 16(2) is redundant as Article 5 is the provision dealing with incitement to terrorism.

Therefore, EDRi proposes to delete it. In case MEPs disagree with its deletion, EDRi proposes the following alternative:

EDRi’s proposal:

Article 16
1. Each Member State shall take the necessary measures to ensure that aiding or abetting an offence referred to in Articles 3 to 8 and 11 to 14 is made punishable.
2. Each Member State shall take the necessary measures to ensure that inciting an offence referred to in Articles 3 to 14 is made punishable.
3. Each Member State shall take the necessary measures to ensure that attempting to commit an offence referred to in Articles 3, 6, 7, 9 and 11 to 14, with the exception of possession as provided for in point (f) of Article 3(2) and the offence referred to in point (i) of Article 3(2), is made punishable.

IV. Cooperation among Member States, their authorities and EU

• Information sharing about convicted individuals or suspects

EDRi agrees with the EP rapporteur’s intention in AM 17, but suggests improvements in order to comply with the principle of presumption of innocence.

EDRi’s proposal:

Recital 15c (amending the rapporteur’s proposal)*
In order to prevent and combat terrorism, a closer cross-border cooperation among the competent national and European authorities is needed with regard to expedient exchange of any relevant information from criminal records or other available sources on radicalised individuals, and in particular on individuals who are or have been subject to criminal proceedings, are suspects of a criminal offence or asset freezing. This provision is without prejudice to the [official name of police data protection Directive].

* Comments: Parts in bold and strike-through reflect the changes introduced vis-à-vis AM 17.

• ‘Electronic evidence’

Whereas the Commission remains silent on this issue, LIBE’s Draft report contains two proposals on (undefined) ‘electronic evidence’.

Regarding AM 19 and AM 20 of the Rapporteur’s Draft Report (recitals 15e and 15f), EP’s rapporteur mentions “the issues related to electronic evidence”, but does not explain what issues she is referring to or the analysis available that demonstrate the existence of a real issue. Should policy-makers wish to include a provision on ‘electronic evidence’:

• they should first define what ‘electronic evidence’ means (Article 2);

• be future-proof, being compatible with the development of technology and innovation; and

• merge both (new) recitals.

EDRi’s proposals:

Recital 15e (new) amending the rapporteur’s proposal)*
Considering that terrorist organisations rely heavily upon various electronic tools, the internet and social media to communicate, promote, and incite terrorist acts, to recruit potential fighters, to collect funds, or to arrange for other support for their activities, the issues related to electronic evidence create challenges in investigations and prosecutions of terrorist offences. Member States should therefore cooperate among each other, notably through Eurojust, to ensure a coordinated approach for the development of any necessary, proportionate and effective measures that may prove efficient in dealing with the gathering, sharing, and admissibility of electronic evidence, in compliance with [official name of police data protection directive].

*Comments: Parts in bold and strike-through reflect the changes introduced vis-à-vis AM 19.

Recital 15f(new) amending the rapporteur’s proposal)*

A Eurojust report of November 2014 notes that the growing sophistication and wider use of anonymisers, proxy servers, the Tor network, satellite links and foreign 3G networks create additional challenges to the gathering and analysis of electronic evidence, which are rendered even greater by the storage of data in the cloud. Member States should therefore cooperate among each other, in particular through Eurojust, to identify and remove possible obstacles that may occur in mutual legal assistance requests for electronic evidence.

*Comments: Parts in bold and strike-through reflect the changes introduced vis-à-vis AM 20.

• Professionalism of authorities and Human Rights training

Member State authorities vested of powers to combat terrorism must have received relevant training, including training on human rights; be accountable; and be subject to judicial oversight. EDRi’s proposal is based on wording used in para. 50 of the Recommendation of the UN Secretary-General of 24 December 2015.

EDRi’s proposal:

Recital 4c (new)
Member States should strengthen the professionalism of security forces, law enforcement agencies and justice institutions; and ensure effective oversight and accountability of such bodies, in conformity with international human rights law and the rule of law. This includes human rights training to security forces including on how to respect human rights within the context of measures taken to counter violent extremism and terrorism.

IV. Internet related provisions

In general

The Commission’s Draft Directive, or indeed all the texts on the table at the moment, refer to the Internet as being negative for society. There is no mention (not even in a recital) of the essential role of the Internet in promoting and protecting Human Rights and Fundamental Freedoms within the Union and in Third Countries. EDRi thus advises the European Parliament not to harm the progress the EU has made in the protection of Human Rights online within and outside our borders.

EDRi’s proposal:

Recital X (new)
The Internet plays an essential role in promoting values of peace, tolerance and solidarity as well as promoting and protecting Human Rights and Fundamental Freedoms within and outside the European Union.

• (new) Recital 4a – Internet Referral Units

EDRi is concerned with AM 3 of the rapporteur’s draft Report and appears unsuited to this Directive: the first part (up to “jurisdictional conflicts”) does not have any obvious link with the last part of the recital. Similarly, the second half of the recital lacks clarity; it does not specify what ‘flagging’ (notifying?) of content entails, to whom it must be ‘flagged’, by whom that content would have to be removed, and under what procedure this might take place. This Directive is aimed at criminalisation of terrorism offences rather than creating a framework of law enforcement measures. The Directive’s operative part does not contain any reference to these ‘special units’ or their activities. This recital therefore bears little relevance to the instrument as a whole. We see this as being a political statement rather than meaningful legislation.

Therefore, EDRi proposes NOT to adopt it. In case MEPs disagree with its deletion, EDRi proposes the following alternative:

Recital 4b (alternative to AM 3, Rapporteur’s Draft Report)*
Certain forms of internet use are conducive toTerrorist radicalisation, enabling fanatics throughout the world to both online and offline involves radicalised individuals connecting with each other and recruiting vulnerable individuals without any physical contact whatsoever and in a manner that is difficult to trace. Every Member State should set up a special unit tasked with flagging identifying illegal content on the internet and with facilitating the investigation, detection and removal of such content. Member States should publish statistics on numbers of reports, investigations and prosecutions taken as a result of these activities. The creation by Europol of the Internet Referral Unit (IRU), responsible for detecting illegal content and supporting Member States in this regard, while fully respecting the fundamental rights of all parties involved, in particular with regard to predictability of the measures taken, represents a significant step forward in this regard. Member States’ units should also cooperate with the Union counter terrorism coordinator and the European Counter Terrorist Centre within Europol, as well as with civil society organisations active in this field. Member States should cooperate with each other and with the relevant Union agencies on these matters.

* Comments:
Parts in bold and strick-through reflect the changes introduced vis-à-vis AM 3 of the rapporteur’s Draft Report.

These changes create accountability and judicial responsibility and allow individuals to adapt their conduct to the law (predictability). If these units had the option to simply refer unwelcome content to internet providers, with no transparency regarding investigations, legal assessment or prosecutions, UN’s standards would not be complied with. As the former Special rapporteur on the promotion and protection of Human Rights and fundamental freedoms while countering terrorism stated in its report “Ten areas of best practices in countering terrorism”, “[w]here the law relating to terrorism confers discretionary powers upon public agencies, adequate safeguards, including judicial review, must exist for the purpose of ensuring that discretionary powers are not exercised arbitrarily or unreasonably.”

Intent as a minimum standard for all terrorist offences, with a high standard of proof

• Recital 13

EDRi welcomes the attempt made in Recital 13 to clarify the meaning of ‘intent’ as used in the Directive. Distinguishing terrorist offences under this Directive from innocent activities such as travelling or debating is done primarily on the basis of intent. It is therefore crucial that intent is not merely imputed to suspects, but that it is proven on the basis of objective, factual circumstances. The proposed AM 13 heightens the standard set in the initial proposal, and EDRi therefore welcomes it, seconding the EP’s rapporteur justification. However, EDRi suggests to remove ‘as much as possible’, since this means that the intention does not have to be based on objective, factual circumstances.

EDRi’s proposal (amending the Commission’s proposal):

Recital 13
With regard to the criminal offences provided for in this Directive, the notion of intention must apply to all the elements constituting those offences. The intentional nature of an act or omission may should be inferred from objective, factual circumstances.

Unambiguous and limited rules on incitement of terrorism

• Article 5: Public provocation to commit a terrorist offence

EDRi is concerned about the ambiguous phrasing and broad scope of Article 5 and its potential for abuse, as national anti-terrorist provocation rules have been abused in cases which appear to bear little connection to actual terrorist offences (see the Annex to this document). EDRi welcomes the intention of the EP’s rapporteur to restrict Article 5. However, at this stage, none of the versions of Article 5 regarding “glorification of terrorism” comply with UN.

The former Special Rapporteur on human rights and counter terrorism stated (and the current rapporteur has supported this approach) that “for the offence of incitement to terrorism to comply with international human rights law, it
(a) must be limited to the incitement to conduct that is truly terrorist in nature;

(b) must restrict freedom of expression no more than is necessary for the protection of national security, public order and safety or public health or morals;

(c) must be prescribed by law in precise language, and avoid vague terms such as “glorifying” or “promoting” terrorism;

(d) must include an actual (objective) risk that the act incited will be committed;

(e) should expressly refer to intent to communicate a message and intent that this message incite the commission of a terrorist act; and

(f) should preserve the application of legal defences or principles leading to the exclusion of criminal liability by referring to “unlawful” incitement to terrorism.”

In addition, none of the current versions of Article 5 would prevent Member States from criminalising indirect incitement. In 2008, the UN Secretary-General recommended UN Member States that “laws should only allow for the criminal prosecution of direct incitement to terrorism, that is, speech that directly encourages the commission of a crime, is intended to result in criminal action and is likely to result in criminal sanction.” This recommendation has been backed up by the UN Special Rapporteur on Human Rights and counter-terrorism’s report of 22 February 2016 .

EDRi’s proposal (amending the Commission’s proposal) is in line with UN standards:

Article 5*
1. Member States shall take the necessary measures to ensure that the intentional and unlawful distribution, or otherwise making available of a message to the public, with the clear intent to incite the commission of one of the offences listed in points (a) to (h) of Article 3(2), where such conduct, whether or not directly expressly advocating the commission of terrorist offences, manifestly causes a clear, substantial and imminent danger that one or more such offences may be committed, is punishable as a criminal offence when committed intentionally and unlawfully
2. Member States shall only allow for the criminal prosecution of direct incitement to terrorism, that is, speech that directly encourages the commission of a crime, is intended to result in criminal action and is likely to result in criminal sanction.

*Comments: On top of the comments above, EDRi deems it necessary to further clarify three of the changes:

• Intent. Article 5 must be read in conjunction with Recitals 13 and 14. In the words of the UN Special Rapporteur on Human Rights and Combating Terrorism, the liability should not be in the illegality of the content of the speech alone, but on the “speaker’s intention or the actual impact of the speech”. Otherwise, this would prevent unnecessary or disproportionate interferences with freedom of expression.

• “Unlawfully” was included in Article 5 of the Council of Europe’s Convention on the Prevention of Terrorism and also in the model clause recommended by the UN Special Rapporteur on Counter-Terrorism and Human Rights. As the latter states, without ‘unlawfully’, the Directive would be excluding criminal liability exemptions and legal defences against it.

• “Expressly or not” instead of “directly or not” (European Convention’s language). The UN Special Rapporteur on Counter-Terrorism and Human rights proposed this modification to the European Convention on Prevention of Terrorism “to prove both a subjective intention to incite as well as an objective danger that a terrorist act will be committed”, while also including “coded language”. This recommendation is a reaction to EctHR case Leroy v France (2008) and is in line with Article 12(1) of the European Convention on Prevention of Terrorism.

Incitement to terrorism and websites’ blocking and removal

• Recital 7

Recital 7 should be deleted. As the Meijers Committee stated, “this recital leads to a disproportional infringement of freedom of expression including the freedom of the press”. “Member States may interpret this as meaning that, even if there is no real danger of future offences, offence to victims and their families is sufficient reason to criminalise expressions”. In addition, it is not clear whether with this recital Member States would be criminalising individuals sharing messages or images for ‘journalistic purposes’.

With regard to AM 6 in LIBE’s Draft Report, EDRi considers Internet access restrictions and websites’ removal fall outside the scope of the Directive, which is essentially to define criminal offences (see Article 1 of the proposed Directive). In addition, this does not harmonise Member State laws. Should MEPs want to address these issues, EDRi considers AM6’s text should be improved in line with Article 52 of the Charter of Fundamental Rights.

EDRi’s proposal (amending the rapporteur’s suggestion in AM 6):

Recital 7*
The offences related to public provocation to commit a terrorist offence act comprise, inter alia, the glorification and justification of terrorism or the dissemination of messages or images including those related to the victims of terrorism as a way to gain publicity for the terrorists cause or seriously intimidating the population, provided that such behaviour causes a danger that terrorist acts may be committed. To strengthen actions against public provocation to commit a terrorist offence on, and also taking into account the increased use of technology, in particular the Internet, it seems appropriate for Member States may to take measures to remove or to block access to webpages publicly inciting to commit terrorist offences. Where such measures are taken, they must be provided for by law, set by transparent procedures and provide adequate safeguards, in particular to ensure legal predictability and that restrictions are limited to what is necessary and proportionate. Such measures should be subject to periodic review, to assess if the stated goal(s) of the legislation are being achieved.

*Comments: these changes show the changes regarding AM 6 of the Rapporteur’s Draft Report.

• (new) Article 14a (AM 40 of LIBE’s Draft Report)

Restricted access to certain websites can be counterproductive, as websites can be replaced easily and rapidly, making it, at best” only a “temporary disruption”.

EDRi notes and welcomes that the provision on website blocking proposed by the EP’s rapporteur under AM 40 is largely similar to that in Article 25 of Directive 2011/92/EU (Directive on combating sexual exploitation of children), which contains reasonable wording dealing with this. However, the recital misses three things:

◦ First, it should emphasise that objectives need to be clear and in a way that these measures actually necessary and proportionate.

◦ Second, restrictions must be provided for by law (Article 52 of the Charter of Fundamental Rights) and subject to periodic review and judicial control. As the UN Special Rapporteur stated in its Report of 22 February 2016, “independent judicial recourse must be available. Laws that allow executive authorities to block websites, in the absence of any initial judicial control or ex-post facto judicial recourse may not comply with this requirement”.

◦ Third, websites’ removals and access restrictions (“blocking”) are two different things. Access restrictions should only be pursued when removals at source are not achieved.

EDRi’s proposal:

Article 14a (amending the rapporteur’s text)*
1. Member States shall take the necessary measures to ensure the prompt removal of webpages publicly inciting to commit a terrorist offence, as referred to in Article 5, hosted in their territory and to endeavour to obtain the removal of such pages hosted outside of their territory.
2. Where the measures described in Article 14a(1) cannot be achieved, Member States may take measures to block access to webpages publicly inciting to commit a terrorist offence towards the Internet users within their territory. These measures must be provided for by law, set by transparent procedures and provide adequate safeguards, in particular to ensure that the restriction is limited to what is demonstrably necessary and proportionate, and that users are informed of the reason for the restriction, that is subject to initial judicial control and periodic review. Those safeguards shall also include the possibility of judicial redress.

Comments: * Parts in bold and strike-through reflect the changes introduced vis-à-vis AM 40.

Rejecting or clarifying the proposed amendments on malware and ‘malicious software’

The proposed recital 11a (AM 12) and Article 14b (AM 41) by the EP’s rapporteur on her draft report on the Directive should not be adopted for three main reasons:
 These proposals would not comply with the principle of legality, as ‘malware’ is not defined.
 Regarding the concept ‘malware for terrorist purposes’, this appears superfluous. This AM is seeking to solve a problem whose existence is not known and never been shown. To the extent it might exist, it is already criminal under the Council of Europe’s Cybercrime Convention and Directive 2013/40/EU on attacks to Information systems, so it is unclear what added value this prohibition would bring in addition to existing European legal framework.

 EDRi also has difficulties to see the value of adding ‘malicious software’ in the Directive (AM 29 and AM 30 of LIBE’s Draft Report), since these aspects are also covered in the Directive on attacks against computer system.

Accordingly, EDRi recommends not proposing any amendments neither on manufacturing or developing malware, nor on ‘malicious software’.

VI. Human rights regular review

As the UN Special Rapporteur on Counter-terrorism and Human Rights states in its report of 22 February 2016, “it is critical that States strictly monitor the human rights compliance of measures adopted to counter violent extremism [leading to terrorism], and ensure transparency in the operation of their initiatives.”

• Article 25 (transposition) and Article 26 (reporting)

Not alone the EU institutions have adopted a piece of legislation without conducting a much-needed impact assessment, but it would take at least four years for the Commission to report to the European Parliament and Member States about its assessment on the “impact and added value of this Directive on combating terrorism”. This unacceptable period of non-review could go up to five years, if the Council’s version is adopted and prolonged, particularly bearing in mind that such reports are often delayed. In addition, the Directive remains silent about the review mechanisms by Member States. This does not comply with UN standards.

In fact, the UN Secretary-General recommended UN Member States in its Plan of Action to Prevent Violent Extremism of 24 December 2015 to “review all national legislation policies, strategies and practices aimed at preventing and countering violent extremism [leading to terrorism] to ascertain whether they are firmly grounded in respect fro human rights and the rule of law, and whether they put in place national mechanisms designed to ensure compliance.” In fact, according to the former Special rapporteur on Human Rights and Counter-terrorism, the review process should comply with the following requirements:

“a) annual governmental review of and reporting on the exercise of powers under counter-terrorism laws

b) annual independent review of the overall operation of counter-terrorism laws

c) periodic parliamentary review.”

EDRi’s proposals:

Article 25 Transposition and review mechanisms by Member States
1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by [12 months after adoption]. They shall forthwith communicate to the Commission the text of those provisions.
When Member States adopt those provisions, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.
2. Member States shall communicate to the Commission the text of the main provisions of national law which they adopt in the field covered by this Directive.
3. Member States shall conduct annual independent reviews of and reporting on the exercise of powers under the laws falling within the scope of this Directive.

Article 26 Reporting
1. The Commission shall, by [24 months after the deadline for implementation of this Directive], submit a report to the European Parliament and to the Council, assessing the extent to which the Member States have taken the necessary measures to comply with this Directive.
2. The Commission shall, by [48 12 months after the deadline for implementation of this Directive], submit a report to the European Parliament and to the Council, assessing the impact and added value of this Directive on combating terrorism and its impact on fundamental rights and freedoms and the rule of law. The Commission shall take into account the information provided by Member States under Decision 2005/671/JHA and any other relevant information regarding the exercise of powers under counter-terrorism laws related to the transposition and implementation of this Directive.
3. In light of the independent reports of the European Commission, Member States shall conduct parliamentary periodic reviews.

ANNEX
How rules on ‘provocation of terrorism’ threaten free speech

EDRi is concerned that the Article 5 of the proposed Directive on Combating Terrorism might lead to collateral damage by harming freedom of expression. Similar rules on ‘provocation of terrorism’ and related crimes in Member States and abroad have in practice repeatedly been misapplied to cases which have little or nothing do with any commonly-held conception of ‘terrorism’.

Criminalising speech can be dangerous, with significant risks for the freedom of expression. Such measures have affected public figures such as artists and journalists who play an integral part in public debate. They have been applied to clear cases of irony and satire. Furthermore, in some cases, links to the actual threat of terrorism are highly implausible.

At the same time, law enforcement action in such cases can have a profound effect on freedom of expression. Police interference, even when it does not lead to conviction, can ‘set an example’ and create a chilling effect, pushing others to self-censor out of fear. It should also be kept in mind that attempts to censor speech often have counter-productive effects; repressing speech, especially with false positives, can do more harm to the perceived legitimacy of government institutions than to the extremist movements which they aim to counteract. Legislators must therefore proceed with caution when attempting to criminalise speech in support of terrorism.

We provide various examples such incidents in order to illustrate the risks inherent in criminalising speech, and in order to reaffirm the need for clear, limited and specific rules with adequate free speech safeguards.

France

The French government has also criminalised speech which ‘glorifies’ terrorism. This rule has led to many prosecutions, including cases criminalising expressions on social media, but also to comments made during arrests and other interactions with police.

• One of the most egregious examples is the prosecution of a sixteen-year-old posting on Facebook, who uploaded a parody of a Charlie Hebdo comic (original and parody viewable here). The teen had no prior criminal record and, according to prosecutor Yvon Ollivier did not have a ‘profile suggesting an evolution toward jihadism’. He is one of four minors prosecuted for glorification of terrorism in France. Even an eight-year-old has been interrogated.

• Another troubling example is that of the French comedian Dieudonné, known for his controversial statements. He, too, was prosecuted for a Facebook post, after he wrote ‘Je me sens Charlie Coulibaly’. For this statement, he was received a two-month suspended prison sentence.

• In numerous incidents, the statements in question were made under the influence of alcohol. In others, those prosecuted had mental health problems or learning difficulties.
United Kingdom

In the United Kingdom, the following Tweet was considered worthy of prosecution:

‘Crap! Robin Hood airport is closed. You’ve got a week and a bit to get your shit together otherwise I’m blowing the airport sky high!!’.

The conviction of Paul Chambers for sending a “menacing” public electronic message was eventually overturned on appeal, but only after two and a half years of litigation and after having being dismissed from his job as a result. UK law enforcement has also interrogated a 10-year-old and his parents for writing in a school assignment that he lived in a ‘terrorist house’.

Finally, a case involving a four-year-old child was referred to the police because s/he drew a cucumber and subsequently referred to the drawing as a “cooker bomb” instead of a “cucumber”.

While these cases were not based on a legal prohibition on the provocation of terrorism, they do illustrate how law enforcement authorities and certain institutions are prone to overreact and harm freedom of expression in the process.

Spain

Spain criminalises the ‘glorification of terrorism’. Those convicted include:
• Two puppeteers, who were convicted for a performance in which a puppet officer held up a miniature sign falsely accusing another puppet of terrorism, using a play on words that combined Al Qaeda and the Basque Terrorist Group ETA.

• A rapper convicted and condemned for two years of prison for having composed songs that allegedly glorified terrorism.

• A rapper, who was prosecuted for his posts on Twitter.

• A 21-year-old student, who posted on Twitter inciting a terror group known as ‘the Grapo’ – even though this group is considered ‘to have long lost its operative capability’ and was last active over 25 years ago.

Outside the European Union

Incidents from outside the EU further illustrate how rules arbitrarily prohibiting speech related to terrorism can lend themselves for abuse. These are a few examples:

• In Turkey, two British journalists from the popular ‘Vice’ network were detained for ‘aiding a terrorist organisation’. Turkey has also blocked entire social media websites following terror attacks, such as when they blocked Twitter and Facebook in October 2015.
• In Jordan, over a dozen journalists and activists have been prosecuted under the anti-terror law, with one activist being jailed for five months for criticising the royal family’s support of Charlie Hebdo on Facebook.

• In Egypt, three journalists from Al Jazeera were sentenced to three years in prison for ‘broadcasting false information’ and ‘aiding a terrorist organisation’ for their reporting on the Muslim Brotherhood.

• In Cameroon, a Radio France International correspondent was prosecuted for ‘complicity in terrorism and failing to denounce acts of terror’ as an alleged accomplice of the Boko Haram group.
For more information or clarification, please contact Joe McNamee (joe.mcnamee@edri.org) and Maryant Fernández (maryant.fernandez-perez@edri.org)

Tel. +32 22742570