The New EU General Data Protection Regulation – A First Assessment

Originally published on the European Academy for Freedom of Information and Data Protection (EAID) site

by Peter SCHAAR

The result of the trilogue of the EU institutions (European Parliament, Commission and Council) on the data protection reform package (see below) is an important milestone on the way into the global information society. The General Data Protection Regulation (GDPR) will replace 28 different data protection laws of the Member States.

The reach of the new legal framework extends beyond the European Union. Even companies with headquarters outside the EU will have to comply with the GDPR insofar as they do business in EU Member States and process data generated there (Article 3 para. 2). Compliance with the rules is monitored by independent data protection authorities, which will in future all have the same, effective sanctioning powers.

In cases of serious infringements they may impose fines of up to 4% of the global annual turnover on the companies concerned (Article 79). It has to be highlighted that a number of last-minute attempts to mitigate or weaken the new privacy requirements on central points, such as the scope of the regulation or the purpose limitation rules, have failed.

Nevertheless, there are also areas where the result is less positive than hoped for. Thus, the EP has not been completely successful with the requirements on individual consent to the processing of personal data (‘the data subject’s consent’ means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed – Article 4 para. 8). Explicit consent is only required where consent refers to ‘special categories of personal data’ (Article 9), such as health data or genetic information. The rules on profiling also lag behind the demands of privacy advocates. The relevant provisions are limited to decisions based solely on automated processing which produce legal effects concerning the data subject or similarly significantly affect him or her (Article 20).

During the negotiations, critics – in particular from Germany – complained that the GDPR would weaken or undermine the data protection requirements defined by national law. Today we can say that this fear has not materialised, at least in general.

Only in specific areas do the new legal requirements lag behind the present national laws, for example with regard to the more stringent data protection provisions for Internet services in the German Telemedia Act. On the other hand, it is precisely here that the German level of data protection is high only in theory, not de facto.

This became evident in the example of Facebook: German data protection authorities have failed in lawsuits seeking to oblige the company, whose European headquarters is located in Dublin, to comply with the German data protection rules.

However, every company that does business in Europe must in future comply with the new single European data protection law. This is real progress, even if the GDPR lags behind national law in certain areas.

In addition, there are other areas – such as the Federal Citizens Registration Act – where the data protection requirements of the new EU regulation are stricter than the present German legislation.

The unconditional dissemination of public register data on request to anybody is no longer compatible with European law and must be terminated.

There is light and shadow also in the rules on the internal data protection officer (DPO). On the one hand, Article 35 obliges public authorities and government agencies – except for courts acting in their judicial capacity – to designate a DPO. Private companies also have to designate a DPO where their ‘core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale’ or where their core activities consist ‘of processing on a large scale of special categories of data pursuant to Article 9 and data relating to criminal convictions and offences’.

However, the significantly more stringent requirements of the German Federal Data Protection Act on DPOs have not been completely included in the GDPR. At least the adopted text allows the national legislators to stick to the mandatory designation of a DPO (Article 35 (4): ‘in cases other than those referred to in paragraph 1, the controller or processor … may or, where required by Union or Member State law shall, designate a data protection officer …’).

Even if, as expected, the provisions now adopted – the GDPR and the Directive on data protection for police and justice – will soon pass the formal EU legislative procedure, a lot of work still has to be done at European and at national level prior to their entry into force in 2018.

  • At EU level the compatibility of other legal provisions with the GDPR has to be reviewed. This particularly applies to the directive on data protection in electronic communications (‘ePrivacy Directive’).
  • Governments and parliaments of the Member States are requested to review their national law. This applies in particular to Germany with its numerous sector-specific data protection provisions. Many laws need to be revised, some need to be eliminated.
  • A special task for the national legislators is the processing of personal data in the employment context. Article 82 GDPR provides the national legislators with the competence to regulate the handling of employee data in detail (‘Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, …’).
  • National regulators also have to deal with the question of how far the legal provisions for data processing for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties need to be adapted to the requirements of the new Data Protection Directive for police and justice.
  • Finally, businesses and public authorities have to adapt their practices to the new rules. New processes and procedures have to be designed, existing procedures need to be changed …

The European Academy for Freedom of Information and Data Protection (EAID), Berlin, will focus in the coming years on the impact of new EU data protection rules. For 2016 we are planning workshops for decision-makers in business, politics and administration on implementation of the new EU rules and on needs for revision of national legislation.

READ MORE ON THE DATA PROTECTION REFORM PACKAGE:

The text of the Draft Regulation as agreed is accessible here (204 pages!)
The text of the Multicolumn Table (with the positions of the three institutions) on the Draft Regulation is accessible here (671 pages!)
The text of the Draft Directive (data protection in the law enforcement sector) as agreed is accessible here (102 pages)
The text of the Multicolumn Table with the positions of the three institutions on the Draft Directive is accessible here (271 pages!)

Zakharov v Russia: Mass Surveillance and the European Court of Human Rights

Reblogged also by EU Law Analysis on Wednesday, 16 December, with permission from the IALS Information Law and Policy Centre blog

by Lorna Woods (*)

Introduction 

The European Court of Human Rights has heard numerous challenges to surveillance regimes, both individual and mass surveillance, with mixed results over the years. Following the Snowden revelations, the question would be whether the ECtHR would take a hard line particularly as regards mass surveillance, given its suggestion in Kennedy that indiscriminate acquisition of vast amounts of data should not be permissible. Other human rights bodies have condemned this sort of practice, as can be seen by the UN Resolution 68/167 on the Right to Privacy in the Digital Age. Even within the EU there has been concern, as can be seen in cases such as Digital Rights Ireland (discussed here) and more recently in Schrems (discussed here). The Human Rights Court has now begun to answer this question, in the Grand Chamber judgment in Zakharov v. Russia (47143/06), handed down on December 4 2015.

Facts

Zakharov, a publisher and a chairman of an NGO campaigning for media freedom and journalists’ rights, sought to challenge the Russian system for permitting surveillance in the interests of crime prevention and national security. Z claimed that the privacy of his communications across mobile networks was infringed as the Russian State, by virtue of Order No. 70, had required the network operators to install equipment which permitted the Federal Security Service to intercept all telephone communications without prior judicial authorisation.

This facilitated blanket interception of mobile communications. Attempts to challenge this and to ensure that access to communications was restricted to authorised personnel were unsuccessful at national level. The matter was brought before the European Court of Human Rights. He argued that the laws relating to monitoring infringe his right to private life under Article 8; that parts of these laws are not accessible; and that there are no effective remedies (thus also infringing Art. 13 ECHR).

Judgment

The first question was whether the case was admissible. The Court will usually not rule on questions in abstracto, but rather on the application of rules to a particular situation. This makes challenges to the existence of a system, rather than its use, problematic. The Court has long recognised that secret surveillance can give rise to particular features that may justify a different approach. Problematically, there were two lines of case law, one of which required the applicant to show a ‘reasonable likelihood’ that the security services had intercepted the applicant’s communications (Esbester) and which favoured the Government’s position, and the other which suggested the menace provided by a secret surveillance system was sufficient (Klass) and which favoured the applicant.

The Court took the opportunity to try to resolve these potentially conflicting decisions, developing its reasoning in Kennedy. It accepted the principle that legislation can be challenged subject to two conditions: whether the applicant potentially falls within the scope of the system, and the level of remedies available. This gives the Court a form of decision matrix in which a range of factual circumstances can be assessed. Where there are no effective remedies, the menace argument set out in its ruling in Klass would be accepted.

Crucially, even where there are remedies, an applicant can still challenge the legislation if ‘due to his personal situation, he is potentially at risk of being subjected to such measures’ [para 171]. This requirement of ‘potentially at risk’ seems lower than the ‘reasonable likelihood’ test in the earlier case of Esbester. The conditions were satisfied in this case as it has been recognised that mobile communications fall within ‘private life’ and ‘correspondence’ (see Liberty, para 56, cited here para 173).

This brought the Court to consider whether the intrusion could be justified. Re-iterating the well-established principles that, to be justified, any interference must be in accordance with the law, pursue a legitimate aim listed in Article 8(2) and be necessary in a democratic society, the Court considered each in turn.

The requirement of lawfulness has a double aspect, formal and qualitative. The challenged measure must be based in domestic law, but it must also be accessible to the person concerned and be foreseeable as to its effects (see e.g. Rotaru). While these principles are generally applicable to all cases under Article 8 (and applied analogously in other rights, such as Articles 9, 10 and 11 ECHR), the Court noted the specificity of the situation. It stated that:

‘… domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures’ [para 229].

In this, the Court referred to a long body of jurisprudence relating to surveillance, which recognises the specific nature of the threats that surveillance is used to address. In the earlier case of Kennedy for example, the Court noted that ‘threats to national security may vary in character and may be unanticipated or difficult to define in advance’ [para 159].

While the precision required of national law might be lower than the normal standard, the risks of abuse and arbitrariness are clear, so the exercise of any discretion must be laid down by law both as to its scope and the manner of its exercise. It stated that ‘it would be contrary to the rule of law … for a discretion granted to the executive in the sphere of national security to be expressed in terms of unfettered power’ [para 247]. Here, the Court noted that prior judicial authorisation was an important safeguard [para 249]. The Court gave examples of minimum safeguards:

  • The nature of offences which may give rise to an interception order
  • A definition of the categories of people liable to have their telephones tapped
  • A limit on the duration of telephone tapping
  • Protections and procedures for use, storage and examination of resulting data
  • Safeguards relating to the communication of data to third parties
  • Circumstances in which data/recordings must be erased/destroyed (para 231)

Measured against these, the Court found as regards the Russian system that:

  • the equipment installed by the secret services keeps no logs or records of intercepted communications, which, coupled with the direct access, rendered any supervisory arrangements incapable of detecting unlawful interceptions;
  • the emergency procedure provided for in Russian law, which enables interception without judicial authorisation, does not provide sufficient safeguards against abuse.

The Court then considered the principles for assessing whether the intrusion was ‘necessary in a democratic society’, highlighting the tension between the need to protect society and the consequences for that society of the measures taken to protect it. The Court emphasised that it must be satisfied that there are adequate and effective guarantees against abuse.

In this, oversight mechanisms are central, especially where individuals will not – given the secret and therefore unknowable nature of surveillance – be in a position to protect their own rights. The Court’s preference is to entrust supervisory control to a judge. For an individual to be able to challenge surveillance retrospectively, affected individuals need either to be informed about the surveillance or to be able to bring challenges on the basis of a suspicion that surveillance has taken place.

Russian legislation lacks clarity concerning the categories of people liable to have their phones tapped, specifically through the blurring of witnesses with suspects and the fact that the security services have a very wide discretion. The provisions regarding discontinuation of surveillance are omitted in the case of the security services. The provisions regarding the storage and destruction of data allow for the retention of data which is clearly irrelevant; and, as regards those charged with a criminal offence, it is unclear what happens to the material after the trial.

Notably, the domestic courts do not verify whether there is a reasonable suspicion against the person in respect of whose communications the security services have requested interception be permitted. Further, there is little assessment of whether the interception is necessary or justified: in practice it seems that the courts accept a mere reference to national security issues as being sufficient.

The details of the authorisation are also not specified, so authorisations have been granted without specifying – for example – the numbers to be intercepted. The Russian system, which at a technical level allows direct access without the police and security services having to show an authorisation, is particularly prone to abuse. The Court determined that the supervisory bodies were not sufficiently independent. Any effectiveness of the remedies available to challenge interception of communications is undermined by the fact that they are available only to persons who are able to submit proof of interception, knowledge and evidence of which is hard if not impossible to come by.

Comments

The Court could be seen as emphasising in its judgment, by repeated reference to its earlier extensive case law on surveillance, that there is nothing new here. Conversely, it could be argued that Zakharov is a Grand Chamber judgment which operates to reaffirm and highlight points made in previous judgments about the dangers of surveillance and the risk of abuse. The timing is also significant, particularly from a UK perspective. Zakharov was handed down as the draft Investigatory Powers Bill was published. Cases against the UK are pending at Strasbourg, and it follows the ECJ’s ruling in Schrems, with Davis (along with the Swedish Tele2 reference), querying whether the Digital Rights ruling applies to national data retention schemes, now pending before the ECJ (on that issue, see discussion here). The ECtHR noted the Digital Rights Ireland case in its summary of applicable law.

In setting out its framework for decisions, the Court’s requirement of ‘potentially at risk’ even when remedies are available seems lower than the ‘reasonable likelihood’ test in Esbester. The Court’s concern relates to ‘the need to ensure that the secrecy of surveillance measures does not result in the measures being effectively unchallengeable and outside the supervision of the national judicial authorities and of the Court’ [para 171]. This broad approach to standing is, as noted by Judge Dedov’s separate but concurring opinion, in marked contrast to the approach of the United States Supreme Court in Clapper where that court ‘failed to take a step forward’ (Opinion, section 4).

The reassessment of ‘victim status’ simultaneously determines standing, the question of the applicability of Article 8 and the question of whether there has been an infringement of that right. The abstract nature of the review then means that a lot falls on the determination of ‘in accordance with the law’ and consequently the question of whether the measures (rather than individual applications) are necessary in a democratic society. This leads to a close review of the system itself and the safeguards built in. Indeed, it is noteworthy that the Court did not just look at the provisions of Russian law, but also considered how they were applied in practice.

The Court seemed particularly sceptical about broadly determined definitions in the context of ‘national, military, economic or ecological security’ which confer an ‘almost unlimited degree of discretion’ [para 248]. Although the system required prior judicial authorisation [noted para 259], in this case it was not a sufficient counter to the breadth of the powers. So, prior judicial authorisation will not be a ‘get out of gaol free’ card for surveillance systems. There must be real oversight by the relevant authorities.

Further, the Court emphasised the need for the identification of triggering factor(s) for interception of communications, as otherwise this will lead to overbroad discretion [para 248]. Moreover, the Court stated that the national authorisation authorities must be capable of ‘verifying the existence of a reasonable suspicion against the person concerned’ [paras 260-2], which in the context of technological access to mass communications might be difficult to satisfy. The Court also required that specific individuals or premises be identified. If it applies the same principles to mass surveillance currently operated in other European states, many systems might be hard to justify.

A further point to note relates to the technical means by which the interception was carried out. The Court was particularly critical of a system which allows the security services and the police the means to have direct access to all communications. It noted that ‘their ability to intercept the communications of a particular individual or individuals is not conditional on providing an interception authorisation to the communications service provider’ [para 268], thereby undermining any protections provided by the prior authorisation system.

Crucially, the police and security services could circumvent the requirement to demonstrate the legality of the interception [para 269]. The problem is exacerbated by the fact that the equipment used does not create a log of the interceptions which again undermines the supervisory authorities’ effectiveness [para 272]. This sort of reasoning could be applied in other circumstances where police and security forces have direct technical means to access content which is not dependent on access via a service provider (e.g. hacking computers and mobiles).

In sum, not only has the Russian system been found wanting in terms of compliance with Article 8, but the Court has drawn its judgment in terms which raise questions about the validity of other systems of mass surveillance.

(*) Professor of Internet Law, University of Essex

Schengen, an ideal culprit?

ORIGINALLY PUBLISHED ON THE CDRE SITE (25 NOVEMBER 2015)

by Henri Labayle

European achievements serve as scapegoats for national crises. This is nothing new. After the Euro, the Union’s ‘Schengen’ area is now in the hot seat. The terrorist attacks are said to have dealt it the coup de grâce, after the blows of the migrant crisis. Is this really realistic, is it really appropriate?

The official speeches here belong to the old fable of the mote and the beam. It is to the Member States themselves that the French Interior Minister’s advice to ‘pull themselves together’ should be addressed, so dependent is the Schengen construction on their will. Nevertheless, realism forbids optimism. Having lost sight of its initial characteristics, Schengen will not escape a profound reappraisal.
The fabulous destiny of the Schengen area, its ‘success story’, has undeniably suffered a setback, the real impact of which will have to be measured. There are explanations for this.

1. A dated construction

The principles of Schengen are now enshrined in the treaties: abolition of controls at internal borders, which are moved to where the common area comes into contact with third countries. Are they still equal to the challenges? Do they answer the terrorist threat as well as migratory pressure? If one keeps reasoning with the same old software, one may doubt it.

The context in which Schengen was created, in 1985, has been forgotten. The fruit of a bilateral Franco-German agreement, joined by the Benelux states, Schengen belonged to a landscape that has now disappeared: few participants, a homogeneous group driven by the same goals. To the point of being sealed in an implementing convention whose date is not without significance: 1990, the day after the fall of the Berlin Wall …

To expect from it an effective response to challenges that did not exist when it was conceived is a little simplistic.
That Schengen was not able, in 2015, to stop the flows of refugees coming up the soft underbelly of the Balkan corridor can be explained: it was designed in 1990 in the logic of a closed continent, of a Europe cut in two by the Iron Curtain, unaware of the 7,700 kilometres of land borders that have become its own today. Frozen in a North/South problematic, the Europe of that time had no idea of the East/West dimension that has since been added to it.
The geopolitical context of the time confirms this. Schengen’s environment ran from Gromyko’s Soviet Union to Hassan II’s Morocco, by way of Ben Ali’s Tunisia and Gaddafi’s Libya, not to mention Syria or Tito’s Yugoslavia. The dictators surrounding it were its best border guards, and the migratory wave of 2015 was unimaginable …

The argument also holds in terrorist matters. Whether through forgetfulness or bad faith on the part of the advocates of a return to national borders, those borders are an obstacle to the fight against terrorism. From ETA taking refuge in France to the IRA in the Republic of Ireland or the Baader gang in France, there is no shortage of examples. Did national control of those borders prevent the wave of attacks of the 1980s in France? Obviously not.
Nonetheless, the ‘obsession’ with the border, rightly described by Michel Foucher, has not disappeared. In fact, Schengen merely moves the place where the border still plays its role as a barrier, as protection. It is a compromise between opening up a continent, notably for economic needs, and closing it, for security reasons.

The crisis of 2015 openly calls into question the balance of this compromise, its capacity to take on the security function of the common border. The States, over thirty years, have built and maintained it against all logic, hence their central responsibility.

2. Lopsided compromises

Dressed up in a security pretext, what was called at the time the ‘security deficit’, Schengen in fact responded to another reality: the economic need of an asphyxiated continent, compartmentalised into States as numerous as they were small. The internal market, launched at exactly the same period, could not be satisfied with that.
The detour via the ‘security’ box barely conceals this truth. Opening up the internal area was first and foremost an economic imperative, satisfying operators but easier to own up to by putting forward the fight against immigration or crime. The reinstatement of controls provoked by the crisis of the Paris attacks confirms the economic impact of this opening: delays at airports, kilometres of traffic jams on motorways at the border crossings with Spain or Italy… The compromise between mobility and security, which was nevertheless at the very heart of the initial Schengen project, was achieved to the detriment of the latter. Even at the cost of ignoring the aspirations of European citizens.
All the more so since, in its quest for footholds, the European project seized on Schengen to make it a symbol. A curious reversal: Schengen, vilified at its creation, stigmatised because it was called ‘liberticidal’ and because ‘the Europe of the police forces’ was then a dirty word, was later presented as the principal achievement of the freedom of European citizens. Before today being accused once again of all the ills of a European integration that it nevertheless does not bring about.

The truth lies elsewhere. By dint of things left unsaid and of compromises between States, the almost exclusively security-based approach on which Schengen initially rested has gradually been trivialised.
It required respect for a certain number of principles. Before anything else, that of the responsibility of each State, the guarantor through its seriousness of the security of all. Hence the initial refusal to open it to partners deemed unreliable, from Italy to the Iberian peninsula or Greece.
The Community logic, that of enlargement, prevailed over this parameter. A so-called ‘mutual trust’ between States was extolled in a world where mistrust remains the rule, little receptive to the creed of the liberal world.

Since, for years, Greece had been a sieve and no longer fulfilled its obligations, why be surprised that the system blew apart at the beginning of the summer? Since, for years, the so-called ‘Dublin’ system (conceived at Schengen) had not been doing its job, why be surprised at the festering sore opened yesterday at Sangatte, today at Calais? Finally, failing to give meaning to the word ‘sanction’, why did the European Union not concern itself with a vigorous reaction, reserving its thunderbolts for bathing waters and State aid …

Arbitrating by means of mediocre compromises, when it would undoubtedly have been necessary to establish publicly and respect political priorities, the Union thus found itself helpless when the cold wind came, when national and European ballot boxes filled with protest votes. A godsend for extremist parties devoid of any realistic answer, it thus placed itself on the defensive.
The failure to address the economic dimension of border control illustrates this absence of steering. The mirage of tomorrow’s technological solutions, ‘smart borders’ and biometrics, added to the lobbying of the big multinationals eager to win the public contracts devoted to them, cannot hide the aberration of entrusting the security of all to a Member State, Greece, financially and budgetarily strangled for the reasons we know …

If it is true that the United States devotes 32 billion dollars to its migration policy, half of it to border control, how are we to understand the 142 million euros of Frontex’s budget?

Diluted, Schengen has lost sight of the originality of its task and is treated as an ordinary policy. Except that the Member States have in no way abdicated.

3. An intergovernmental logic

A laboratory of European construction, Schengen remains a construction in the hands of the States.
At the price of a certain schizophrenia, the States have indeed claimed both to integrate their action and to retain control of it. Between those who wanted to be part of it but could not (Bulgaria, Romania), those who could but did not want to (the British Isles), those who could not but whom we wanted (Switzerland, Norway, Iceland) and those who could not and whom we should not have wanted (Greece), Schengen has become a real patchwork.

The graft could have taken. It has been only imperfect.
First, because the diversity of national situations has not disappeared. On the one hand, national legislation and practices remain far enough apart for the ‘communicating vessels’ effect not to operate. Migrants and criminals alike have perfectly identified these weak points. On the other hand, because the attractiveness of the Member States of this area has not lessened, making the wish to make all of them share responsibility pointless. Convinced that Germany and Sweden were eldorados, asylum seekers envisage no other destination, to the great satisfaction of the Member States they cross, which go so far as to make their task easier.

Next, because the States still refuse constraint. By stating clearly in its Article 4 that ‘national security remains the sole responsibility of each Member State’, the Treaty on European Union sets an impassable barrier.

The lessons of the inquiry commissions in the wake of the Charlie Hebdo attacks confirm this. The European framework is less at issue than the conditions of its implementation. Schengen’s failure lies not in prosecution but in prevention, in intelligence upstream of the attacks and in the feeding of the common tools, which is not mandatory. The remarkable quality of the police and judicial action, including across the Franco-Belgian border, does not conceal the failure of political and police prevention on both sides of that border.
How were Mehdi Nemmouche yesterday, and Abaaoud or the Abdeslam brothers this week, able to perpetrate their crimes without any real obstacle, escaping Schengen controls as much as national ones? Who, until last Friday’s Council, refused to include ‘foreign fighters’ in the SIS, and why do only 5 States supply more than half of the information on their movements to the Europol Information System, by the admission of the EU counter-terrorism coordinator?

The Union’s lack of transparency does not make answering easier. The responsibility of the Member States is nonetheless at the heart of this fiasco, a finding already made after Charlie Hebdo, without any real follow-up.

France is no exception, and astonishes by the arrogance of our public discourse. From the flaws in its judicial supervision to the breakdowns of its Chéops file system, its management of identity documents, the errors of its intelligence services or the resources allocated to them, and the autism of its leaders who describe the action of the Paris terrorists as mere ‘French complicities’, it is in no position to administer the lessons it claims to give to Belgium and to the Union.

The latter must nonetheless question itself.

As to the scope of its action first. Political correctness notwithstanding, the composition of the common area in which controls and intelligence exchanges take place is an open question. The Netherlands, like others, seem to be considering a resizing, either by falling back on a small number of high-performing partners, or by sidelining members deemed unreliable.

Then, as to the substance. The organising principles on which Schengen rests, internal/external borders, remain as relevant as ever. On the other hand, they can no longer be content with the current political vacuum. Coherence requires perceiving asylum as a shared duty, and demands that radicalism and terrorism be criminalised in an identical way. This precondition is not met today in the Union. Just as ‘solidarity’ must have a concrete meaning for the Member States, the latter must share the reception of refugees and favour judicial and police cooperation and the coordination of prosecutions over the exclusive action of the intelligence services. In all cases, the price must be paid.

So why do we not hear the words ‘European public prosecutor’, ‘joint investigation teams’, ‘Eurojust’? Why is most of the relocation quota still unfilled? Because we dare not lift the taboo of common action, of the quasi-federalisation implied by the development of agencies substituting for failing States, because we claim that the national administration of European policies is still the alpha and omega of European construction?

L’hypothèse de l’avancée, même si celle du repli est peu crédible sinon impossible, est donc incertaine. A l’image de celle du projet européen tout entier dont Schengen demeure bien, toujours, un « laboratoire ».

Data retention and bulk data: sometimes the Council raises some good questions. But what about the answers?

It does not happen very often, but in a PUBLIC document circulated yesterday the Council Presidency raises some very interesting questions arising from the 2014 CJEU ruling on data retention (see below). It is worth recalling that already at that time the Court justified its decision with reference not only to Art. 8 of the Charter (protection of personal data) but also to Art. 7 (respect for private life). The same happened this year with the Schrems case, which deals with a similar situation (even if it concerns a third country). Quite surprisingly, the Council Presidency does not refer to this ruling, even though, according to some scholars (see the Martin Scheinin position published here), it already contains an answer to the first question. According to Martin Scheinin, the Court, by referring to Article 7 of the Charter, makes clear that: "In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter..."

When the "essence" itself of a fundamental right is affected, under Art. 52 of the Charter there is no longer any question of verifying the "proportionality" of such measures, as they would be per se contrary to the Charter (and the Treaty).

Let's see what the reaction of the Member States (and of the judiciary) will be, and whether they take this occasion to re-examine some wide-ranging legislative proposals which provide for the generalised collection of personal data (PNR, Entry/Exit systems, not to mention the monthly bulk transmission of EU citizens' personal data to the US administration under the EU-US TFTP ("SWIFT") agreement...).

EDC

DOC 14246/15, 24 November 2015, NOTE
From: Presidency
To: Permanent Representatives Committee/Council
No. prev. doc.: 14369, 13085/15, 11747/1/15 REV 1
Subject: Retention of electronic communication data – General debate

1. The invalidation of the Data Retention Directive[1] by the Court of Justice of the EU[2] on the grounds that it disproportionately restricted the rights to privacy and to the protection of personal data has given rise to questions in the Member States, in particular as regards national transposition legislation and the availability of electronic communication data collected for access by law enforcement authorities and their use as evidence in criminal proceedings.

2. Member States had been given a wide margin of discretion in the implementation of the Data Retention Directive. This led to considerable differences in the national legal frameworks[3], which are compounded by the varying consequences of the assessment of the national data retention schemes by national parliaments and courts, especially in view of the Data Retention Judgement and the pending "Tele2" case[4].

3. The Data Retention Judgement has not directly affected national implementing legislations of the Data Retention Directive and these remain valid until amended or repealed by national parliaments, or invalidated by national courts, provided that they comply with Articles 7 and 8 of the Charter of Fundamental Rights of the EU. Member States thus find themselves in a situation where they no longer have an obligation deriving from a specific Union legal instrument to introduce or maintain a national data retention regime providing for the mandatory storage of electronic communication data by providers for the purposes of detecting, investigating and prosecuting serious crime. However, Member States retain the possibility to do so under Article 15(1) of the "E-privacy Directive"[5].

4. Opinions diverge on the interpretation of the Court's judgement and thus on the legality of schemes for retaining bulk electronic communication data without specific reason. This has inter alia resulted in a large variety of situations at national level[6]. Some Member States have already adopted or are in the process of preparing new legislation on data retention that, according to the information received by delegations, aims at ensuring strengthened procedural guarantees and safeguards in compliance with the Charter and in line with the ruling of the Court (EE, ES, IE, LT, LU, LV, MT, PL), including some Member States where the national law has been invalidated by the constitutional court (DE, BG, NL).

5. Eurojust's analysis of the current situation[7] and expert debates held during the Luxembourg Presidency[8] highlight that this fragmentation of the legal framework on data retention across the Union has an impact on the effectiveness of criminal investigations and prosecutions at national level, in particular in terms of reliability and admissibility of evidence to the courts based on the collection of electronic communication data, as well as on cross-border judicial cooperation between Member States and internationally.

6. In view of these challenges and the legal, procedural and practical problems they pose for investigations and prosecutions of all kinds of crime, not least in relation to counter-terrorism, the Presidency invites Ministers to address the following questions:

  • Is the Data Retention Judgement to be interpreted in the sense that retaining bulk electronic communication data without specific reason is still allowed?
  • Considering the current fragmented situation throughout the Union, and the consequences it entails, should an EU-wide response be considered or should it be up to individual Member States to address the issue?
  • Should the Commission be invited to present a new legislative initiative and, if yes, in what timeframe?

NOTES

[1] Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
[2] Judgement of the Court of Justice of the European Union (CJEU) (Grand Chamber) "Digital Rights Ireland and Seitlinger and others" of 8 April 2015 in joined Cases C-293/12 and C-594/12
[3] It is recalled that the transposition did not go easily in certain Member States, as a number of national constitutional courts annulled the national transposition laws for being contrary to the Constitution or the European Convention on Human Rights and certain national parliaments raised serious concerns.
[4] The CJEU currently examines a preliminary ruling (pending Case C-203/15, lodged on 4 May 2015, Tele2 Sverige AB v. Post- och telestyrelsen) on the compatibility of a national legislation (Swedish law in this case) to retain traffic data covering all persons, all means of electronic communication and all traffic data for the purpose of combating crime, with Article 15(1) of Directive 2002/58/EC (the e-privacy Directive), taking account of Articles 7, 8 and 15(1) of the Charter.
[5] Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector
[6] The current state of play is as follows: the transposition law of the Data Retention Directive has been invalidated in at least 11 Member States (AT, BE, BG, DE, LT, NL, PL, RO, SI, SK, UK). Amongst these, 9 countries have had the law invalidated by the Constitutional Court (AT, BE, BG, DE, SI, NL, PL, RO, SK). In 15 Member States (CY, CZ, DK, EE, ES, FI, FR, HR, HU, IE, LU, LV, MT, PT, SE) the domestic law on data retention remains in force, while they are still processing communication data.
[7] Doc. 13085/15 and 13689/15
[8] Doc. 11747/1/15 REV 1

After Paris : Justice and Home affairs Council draft Conclusions

ORIGINAL DOCUMENT ACCESSIBLE ON STATEWATCH SITE

(NOTA BENE : Comments will follow on the text finally adopted) 

Draft Conclusions of the Council of the EU and of the Member States meeting within the Council on Counter-Terrorism

  1. The Council is appalled by the heinous terrorist attacks which took place in Paris on 13 November 2015 and expresses its deepest condolences to the victims of these attacks, their families and friends. The Council emphasises its solidarity with the people of France and pays tribute to the courage and decisive actions of the French authorities. The attacks were an assault on the European values of freedom, democracy, human rights and the rule of law. This is not the first time that the EU has been confronted with a major terrorist attack and important measures have already been taken. The Council underlines the importance of accelerating the implementation of all areas covered by the statement on counter-terrorism issued by the Members of the European Council of 12 February 2015 and in particular of the measures outlined below.

PNR

2. The Council reiterates the urgency and priority to finalise an ambitious EU PNR before the end of 2015, which should include internal flights in its scope, provide for a sufficiently long data period during which PNR data can be retained in non-masked out form and should not be limited to crimes with a transnational nature.

Firearms

3. The Council:
  • welcomes the adoption of the Implementing Regulation on common deactivation standards on 18 November 2015,
  • welcomes the presentation by the Commission on 18 November 2015 of a proposal to revise the current Directive on Firearms,
  • is committed to increasing operational cooperation through Europol under the EU Policy Cycle on serious and organised crime, notably within the Operational Action Plan Firearms. All Member States affected by the problem are invited to join these efforts by the end of 2015,
  • invites Frontex and Europol to assist the Member States bordering the Western Balkans region with regard to increasing controls of external borders to detect smuggling of firearms.

Strengthening controls of external borders

4. Member States undertake to:

  • implement immediately the necessary systematic and coordinated checks at external borders, including on individuals enjoying the right of free movement,
  • on the basis of a quick identification of urgent needs and possible solutions, to be performed by the Commission before the end of 2015, upgrade the Member States' border control systems (electronic connection to the relevant Interpol databases at all external border crossing points, automatic screening of travel documents) by March 2016,
  • in the context of the current migratory crisis, carry out a systematic registration, including fingerprinting, of all migrants entering the Schengen area and perform systematic security checks using relevant databases, in particular SIS II, the Interpol SLTD database, VIS and national police databases, with the support of Frontex and Europol, and ensure that hotspots are equipped with the relevant technology. Europol will deploy guest officers to the hotspots in support of the screening process, in particular by reinforcing secondary security controls,
  • strengthen the control at the external borders which are most exposed, in particular by deploying rapid border intervention teams (RABITs) and police officers in order to guarantee systematic screening and security checks.

5. The Council reiterates its Conclusions of 9 November 2015 and invites the Commission to:
  • include EU nationals in the upcoming Smart Borders proposals and in this context present a proposal for the targeted revision of Art. 7(2) of the Schengen Borders Code regarding systematic controls against relevant databases at EU external borders,
  • provide, in its proposal to update the Frontex Regulation, a solid legal basis for the contribution of Frontex to the fight against terrorism and organised crime and access to the relevant databases.

6. Frontex will:
  • contribute to the fight against terrorism and support the coordinated implementation of the Common Risk Indicators (CRIs) before the end of 2015,
  • assist the Member States to tighten controls of external borders to detect suspicious travels of foreign terrorist fighters and smuggling of firearms, in cooperation with Europol,
  • work closely with Europol and Eurojust, in particular in the context of the hotspots, and exchange data with Europol on the basis of the cooperation agreement to exchange personal data. The latter should be concluded and become operational without delay.

Information sharing

7. The Council decides to step up law enforcement cooperation on counter-terrorism (CT):

  • Member States will instruct national authorities to enter data on all suspected foreign terrorist fighters into the SIS II under Article 36.3, carry out awareness raising and training on the use of the SIS and define a common approach to the use of the SIS II data relating to foreign fighters,
  • Europol will launch the European Counter Terrorist Centre (ECTC) on 1 January 2016 as a platform by which Member States can increase information sharing and operational coordination with regard to the monitoring and investigation of foreign terrorist fighters, the trafficking of illegal firearms and terrorist financing. The ECTC will provide national CT authorities with enhanced information sharing capacities, notably via Focal Point Travellers, the Europol Information System and Europol's SIENA system reserved for counter-terrorism cases. The new Europol Regulation, on which an agreement should be reached between the co-legislators before the end of the year, should be consistent with the mandate and objectives of the ECTC, including the IRU,
  • Member States will second CT experts to the ECTC to form an enhanced cross-border investigation support unit, capable of providing quick and comprehensive support to the investigation of major terrorist incidents in the EU. Eurojust should also participate,
  • The Commission is invited to ensure that Europol is reinforced with the necessary resources to support the ECTC and to submit a legislative proposal in order to enable Europol to systematically cross-check the Europol databases against the SIS II as established by Council Decision 2007/533/JHA on the establishment, operation and use of the second generation Schengen Information System (SIS II),
  • Member States will make maximum use of these capabilities to improve the overall level of information exchange between CT authorities in the EU. Member States will instruct the relevant national authorities to further increase their contributions to Focal Point Travellers at Europol to reflect the threat and to connect to the relevant Europol information exchange systems.

Terrorist financing

8. The Council invites the Commission to present proposals to strengthen, harmonise and improve cooperation between Financial Intelligence Units (FIUs), notably through the proper embedment of the FIU.net network for information exchange in Europol, and to ensure their fast access to the necessary information, in order to enhance the effectiveness and efficiency of the fight against money laundering and terrorist financing in conformity with Financial Action Task Force (FATF) recommendations, to implement more quickly the asset freezing required by the UN Security Council (Resolution 1373), to strengthen controls of non-banking payment methods such as electronic/anonymous payments, virtual currencies, transfers of gold and precious metals and pre-paid cards, and to curb more effectively the illicit trade in cultural goods.

Criminal justice response to terrorism and violent extremism

9. The Council welcomes the signing in Riga on 22 October 2015 by the EU of the Council of Europe's Convention on the Prevention of Terrorism and of its Additional Protocol on Foreign Terrorist Fighters, and invites the Commission to present a proposal for a directive updating the Framework Decision on Combating Terrorism before the end of 2015 with a view to collectively implementing into EU law UNSC Resolution 2178 (2014) and the Additional Protocol to the Council of Europe's Convention.

10. Member States will use ECRIS to its full potential. The Council invites the Commission to submit by January 2016 a proposal for the extension of ECRIS to cover third country nationals.

11. The Council invites the Commission to allocate as a matter of urgency the necessary financial resources to implement the Council Conclusions on enhancing the criminal justice response to radicalisation leading to terrorism and violent extremism. This should notably support the development of rehabilitation programmes as well as risk assessment tools in order to determine the most appropriate criminal justice response, taking into account the individual circumstances and security and public safety concerns.

Funding

12. The Council invites Member States to use the Internal Security Fund to support the implementation of these conclusions and to prioritise relevant actions under the national programmes to this effect, and calls on the Commission to prioritise the funding available under centrally managed funds to the priorities identified in these conclusions.

Implementation

13. In view of its role in strengthening internal security within the Union, COSI shall coordinate the role of the various Council Working Parties and of the EU agencies in the implementation of these Council Conclusions. The Counter Terrorism Coordinator will monitor their implementation.

Fundamental Rights Agency: Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU. Mapping Member States' legal frameworks

EXECUTIVE SUMMARY: FULL REPORT AVAILABLE HERE

Introduction

Recent revelations of mass surveillance underscore the importance of mechanisms that help prevent fundamental rights violations in the context of intelligence activities.

This FRA report aims to evaluate such mechanisms in place across the European Union (EU) by describing the current legal framework related to surveillance in the 28 EU Member States. The report first outlines how intelligence services are organised, describes the various forms surveillance measures can take and presents Member States' laws on surveillance. It then details oversight mechanisms introduced across the EU, outlines the work of entities set up thereunder, and presents various remedies available to individuals seeking to challenge surveillance efforts.

The report does not assess the implementation of the respective laws, but maps current legal frameworks. In addition, it provides an overview of relevant fundamental rights standards, focusing on the rights to privacy and data protection.

Background

In June 2013, media worldwide began publishing the 'Snowden documents', describing in detail several surveillance programmes being carried out, including by the United States' National Security Agency (NSA) and by the United Kingdom's Government Communications Headquarters (GCHQ). These brought to light the existence of extensive global surveillance. Details of these programmes, which set up a global system of digital data interception and collection, have been widely publicised[1] and critically assessed.[2]

Neither the US nor the British authorities questioned the authenticity of the revelations,[3] and in some cases confirmed them.[4] However, the media's interpretation of the programmes was sometimes contested, for example by the UK Intelligence and Security Committee of Parliament[5] and by academia.[6]

Since most of the Snowden revelations have not been recognised by the British government, the Investigatory Powers Tribunal, in hearing challenges to the legality of the programmes, took the approach of hearing cases on the basis of hypothetical facts closely resembling those alleged by the media.[7] For the Austrian Federal Agency for State Protection and Counter Terrorism (BVT), the Snowden revelations represented a "paradigm shift": "Up until a few years ago, espionage was largely directed at state or business secrets, and not, for the most part, at people's privacy, which can now be interfered with extensively by intelligence services since they possess the necessary technical resources to do so".[8]

The Snowden revelations were not the first to hint at the existence of programmes of large-scale communication surveillance set up in the aftermath of the 11 September 2001 attacks.[9]

But the magnitude of the revelations was unprecedented, potentially affecting the entire world.

The revelations triggered an array of reactions.[10] In the intelligence community, and in particular among the specialised bodies in charge of overseeing the work of intelligence services, dedicated inquiries were conducted.[11] The European Union reacted strongly.

The European Commission (EC), the Council of the European Union and the European Parliament (EP) reported on the revelations, expressing concern about mass surveillance programmes, seeking clarification from US authorities, and working on "rebuilding trust" in light of the damage created by the revelations.[12]

On 12 March 2014, the EP adopted a resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens' fundamental rights, and transatlantic cooperation in Justice and Home Affairs (the Resolution).[13]

The resolution drew on the in-depth inquiry that the EP tasked the Civil Liberties, Justice and Home Affairs Committee (LIBE) to conduct during the second half of 2013, shortly after the revelations on mass surveillance were published in the press.[14]

The wide-reaching resolution launched a "European Digital Habeas Corpus", aimed at protecting fundamental rights in a digital age while focusing on eight key actions. In this context, the EP called on the EU Agency for Fundamental Rights (FRA) "to undertake in-depth research on the protection of fundamental rights in the context of surveillance, and in particular on the current legal situation of EU citizens with regard to the judicial remedies available to them in relation to those practices".[15]

Scope of the analysis

This report constitutes the first step of FRA's response to the EP request. It provides an overview of the EU Member States' legal frameworks regarding surveillance. FRA will further consolidate its legal findings with fieldwork research providing data on the day-to-day implementation of the legal frameworks. A socio-legal report based on an empirical study, to be published at a later stage, will expand on the findings presented here.

While the EP requested the FRA to study the impact of 'surveillance' on fundamental rights, given the context in which the resolution was drafted, it is clear that 'mass surveillance' is the main focus of the Parliament's current work. During the data collection phase, FRA used the Parliament's definition to delineate the scope of FRANET's research.

The EP resolution refers to "far-reaching, complex and highly technologically advanced systems designed by US and some Member States' intelligence services to collect, store and analyse communication data, including content data, location data and metadata of all citizens around the world, on an unprecedented scale and in an indiscriminate and non-suspicion-based manner" (Paragraph 1).

This definition encompasses two essential aspects: first, a reference to a collection technique, and second, the distinction between targeted and untargeted collection.

The report does not analyse the surveillance techniques themselves, but rather the legal frameworks that enable these techniques. For Member States that carry out signals intelligence, the focus of the analysis is on this capacity, and not on other intrusive capabilities the services may have (such as wiretapping).

This report covers the work of intelligence services. It does not address the obligations of commercial entities which, willingly or not, provide intelligence services with the raw data that constitute Signals Intelligence (SIGINT), and are otherwise involved in the implementation of the surveillance programmes.[16] The private sector's role in surveillance requires a separate study.

While the premise of this report is the existence of an interference, since the "secret monitoring of communications" interferes with privacy rights from a fundamental rights point of view,[17] the report focuses on analysing the legal safeguards in place in the EU Member States' legal frameworks, and therefore on their approaches to upholding fundamental rights.

"Assuming therefore that there remains a legal right to respect for the privacy of digital communications (and this cannot be disputed (see General Assembly Resolution 68/167)), the adoption of mass surveillance technology undoubtedly impinges on the very essence of that right." UN, Human Rights Council, Emmerson, B. (2014), para. 18

The report's analysis of EU Member States' legal frameworks tries to keep law enforcement and intelligence services separate. By doing so, the report excludes the work of law enforcement from its scope, while recognising that making this division is not always easy.

As stated by Chesterman, "Governments remain conflicted as to the appropriate manner of dealing with alleged terrorists, the imperative to detect and prevent terrorism will lead to ever greater cooperation between different parts of government".[18] The EP resolution recognised this and called on the Europol Joint Supervisory Body (JSB) to inspect whether information and personal data shared with Europol have been lawfully acquired by national authorities, particularly if the data were initially acquired by intelligence services in the EU or a third country.[19]

The Snowden revelations have also shed light on cooperation between intelligence services. This issue, important for the oversight of intelligence services' activities, has been addressed by the EP resolution (Paragraph 22), by oversight bodies,[20] by the Venice Commission,[21] and by academia.[22]

This aspect, however, proved impossible to analyse in a comparative study, since, in the great majority of cases, cooperation agreements or modalities for transferring data are neither regulated by law nor public. This in itself creates a fundamental rights issue linked to the rule of law and, more particularly, regarding the importance of the existence of a law that is accessible to the public, as well as regarding the rules governing the transfer of personal data to third countries.

Though this report could not deal with this aspect beyond referencing the lack of proper control by oversight bodies, it does raise important questions under relevant legal standards.

Fundamental rights and safeguards

    A new wideranging EP resolution on mass surveillance in the “post Snowden” (and Schrems ) era.

    Below the provisional text voted yesterday 29 October by the European Parliament on mass surveillance and violation of fundamental rights to privacy and data protection. The press has already highlighted that  the EP voted by 285 to 281 to call on the member states to “drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistle-blower and international human rights defender”. Moreover  the EP  calls on the Commission to give consideration to the impact of the Court of Justice Safe Harbor ruling of 6 October on any other instruments for the transfer of personal data to the US and to report on the matter by the end of 2015.  Very rightly the Strasbourg plenary acknowledges that the Court ruling “has confirmed the long-standing position of Parliament regarding the lack of an adequate level of protection under this instrument” so that the Commission has to “immediately take the necessary measures to ensure that all personal data transferred to the US are subject to an effective level of protection that is essentially equivalent to that guaranteed in the EU”.

    But here is the point : bulk collection of personal data (as foreseen by several US practices agreed with the EU in the PNR and TFTP cases) are not themselves threatening the “essence” of data protection under EU law as protected by the art.52 of the EU Charter of fundamental rights so that they are no negotiable even with the best friend and ally such the USA? 

    Passed by 342 votes to 274 , with 29 abstentions, this is a center-left resolution where liberals and socialists voted together but (not surprisingly) EPP and ECR voted against. In this legislature where socialists and conservatives have created a sort of “grosse Koalitionen” the text risks to be only a political gesture before the public opinion if not followed by consistent votes on the legal binding texts currently on the EP table such as the data protection reform or the transatlantic negotiations on the so called “umbrella agreement” and on “Safe Harbor”.

    Moreover the text even if criticizes the European Commission as “inadequate” and evokes the possibility of a “fail to act” against it does not triggers it. The risk is then this very inspired and solid text remains a toothless tiger.. The coming weeks will show if this tiny majority will be confirmed when the post-Lisbon data protection reform will be voted.

    Emilio De Capitani

    European Parliament resolution of 29 October 2015 on the follow-up to the EP resolution of 12 March 2014 on the electronic mass surveillance of EU citizens (2015/2635(RSP))

    The law enforcement challenges of cybercrime: are we really playing catch-up?

    FULL STUDY (68 pages) ACCESSIBLE HERE

    Abstract: This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. With a number of high-profile criminal cases, such as ‘Silk Road’, cybercrime has been very much in the spotlight in recent years, both in Europe and elsewhere. While this study shows that cybercrime poses significant challenges for law enforcement, it also argues that the key cybercrime concern for law enforcement is legal rather than technical and technological. The study further underlines that the European Parliament is largely excluded from policy development in the field of cybercrime, impeding public scrutiny and accountability. AUTHOR(S): Dr. Ben Hayes, Dr. Julien Jeandesboz, Dr. Francesco Ragazzi, Dr. Stephanie Simon, and Prof. Valsamis Mitsilegas.

    EXECUTIVE SUMMARY

    Cybercrime has become one of the key priorities for EU law enforcement agencies, as demonstrated by the establishment of the European Cybercrime Centre (EC3) in January 2013 and the development of specific European threat assessment reports in this field. High-profile criminal investigations such as the ‘Silk Road’ case, major data breaches or particularly nefarious hacks or malware attacks have been very much in the spotlight and widely reported in the media, prompting discussions and debates among policymakers and in law enforcement circles. Over the last few months, the cybercrime debate has specifically evolved around the issue of encryption and anonymisation.

    In this context, this Study argues that debates on the law enforcement challenge of cybercrime in the EU should steer clear both of doomsday scenarios that overstate the problem and scepticism that understates it, and that the key cybercrime concern for law enforcement is legal in nature rather than simply technical and technological. Indeed, the Study finds that the key challenge for law enforcement is the lack of an effective legal framework for operational activities that guarantees the fundamental rights principles enshrined in EU primary and secondary law.

    In order to address this core argument, this Study starts by analysing claims and controversies over the Internet ‘going dark’ on law enforcement (Section 2). It shows that these claims have been made for quite some time and should be considered as moral panics rather than accurate reflections of the challenges posed by cybercrime to law enforcement. Moreover, current controversies rehash older ones, conflating law enforcement concerns with intelligence-gathering and surveillance concerns. Without denying the fact that criminal activities do take place online, pose technical difficulties to law enforcement services and require the availability of specific capabilities, this section demonstrates that these difficulties do not impede criminal investigation to such an extent that exceptional means should be envisaged. While these technical aspects need to be considered, they raise issues related to policy and law rather than technology as such. The policy and law-related challenges are made greater by the fact that defining cybercrime is not an easy task. Very broad definitions have been adopted at the EU level, often leading to overlapping and sometimes conflicting mandates.

    Section 3 thus analyses the institutional architecture of EU cybercrime policy. It shows that the complexity of cybercrime measures and the expansive mandates and number of actors involved in their implementation make it difficult to ascertain and circumscribe the full scope of EU cybercrime policy. Whereas the Council of Europe (CoE) sought to codify cybercrime powers into an international convention, much of the EU’s policy to fight cybercrime is based on non-legislative measures, including operational cooperation and ad hoc public-private partnerships. Furthermore, important distinctions and restrictions designed to ensure a ‘separation of powers’ between state agencies concerned with law enforcement (cyber-policing), civil protection (cybersecurity), national security (cyber-espionage) and military force (offensive cyber capabilities) are harder to distinguish in the area of cybercrime, at both national and EU level. Section 3 underlines that, within this complex architecture, and with the blurring of the boundaries between those responsible for policing the Internet, for gathering intelligence from it, for conducting cyber-espionage against foreign targets, and for ensuring the safety of critical internet infrastructure, the European Parliament and civil society are largely excluded from policy development, impeding public scrutiny and accountability. This compounds the EP’s existing problems in ensuring that fundamental rights and data protection are diligently protected in the area of justice and home affairs.

    In light of these gaps in oversight and accountability, Section 4 analyses in particular the challenge of jurisdiction, cooperation and fundamental rights safeguards. This section argues that operational challenges in cybercrime law enforcement do not change the obligation of EU institutions and Member States to ensure the safeguarding of EU fundamental rights in any operating framework of internal or transnational cooperation in law enforcement and criminal justice. Cybercrime law enforcement frequently cites the challenge of accessing and transferring data through existing Mutual Legal Assistance agreements. Yet practices taken outside of established legal channels cannot guarantee rights protections and run the risk of raising mistrust in the general public, the private sector and in transatlantic relations. Furthermore, across the spectrum of cybercrime prevention, investigation, and prosecution, the particular geography of the digital environment is said to complicate the traditional territorial foundations of law. Law enforcement bodies make continuous reference to the ways in which traditional legal structures stand in the way of operations. However, an updated legal framework designed to overcome these challenges should foreground fundamental rights concerns, which are essential to ensure due process and a necessary condition for the successful prosecution of cybercriminal offences.

    In light of these findings, the Study concludes with key recommendations for the European Parliament.

    In particular, to ensure that the Parliament is not marginalised altogether with respect to the implementation and review of EU cybercrime policies by the exercise of delegated powers, EU agency discretion and non-legislative decision-making bodies, further monitoring of EU Council structures, Europol and international cooperation agreements is required (Recommendation 1).

    Moreover, the EP should ensure that the development of any cooperation/information-sharing framework guarantees the respect of fundamental rights (Recommendation 2).

    In light of the current discussions on a revised CoE Cybercrime Convention, the European Parliament should, further, ensure that the Convention’s obligations are consistent with EU law and fundamental rights protections (Recommendation 3).

    The EP must also ensure that cybercrime is not used as a justification to undermine new information security protocols and the right to privacy in telecommunications, both of which are fundamental components of the functioning of the Internet (Recommendation 4).

    Finally, if European law enforcement agencies need to keep pace with technological change, it is imperative that training courses on cybercrime forensics and digital evidence include an applied fundamental rights component (Recommendation 5).


    EU-US Umbrella Data Protection Agreement: Detailed analysis by Douwe Korff

    14 October 2015 (NOTA BENE: This text is more than 60 pages)

    by Douwe KORFF (FREE GROUP MEMBER)

    About the Fundamental Rights Europe Expert Group (FREE): The Fundamental Rights European Experts Group (FREE Group: http://www.free-group.eu) is a Belgian non-governmental organisation (Association Sans But Lucratif (ASBL), registered at the Belgian Moniteur under number 304811). According to arts. 3 and 4 of its Statute (see below *), the association’s focus is on monitoring, teaching and advocating in the European Union’s freedom, security and justice related policies. In the same framework we also follow the EU’s actions in protecting and promoting EU values and fundamental rights in the Member States, as required by Articles 2, 6 and 7 of the Treaty on European Union (risk of violation by a Member State of EU founding values).

    About the author: Douwe Korff is a Dutch comparative and international law expert on human rights and data protection. He is Emeritus Professor of International Law, London Metropolitan University; Associate, Oxford Martin School, University of Oxford (Global Cybersecurity Capacity Centre); Fellow, Centre for Internet & Human Rights, University of Viadrina, Frankfurt/O and Berlin; and Visiting Fellow, Yale University (Information Society Project).

    Acknowledgments: The author would like to express his thanks to Mme. Marie Georges and Prof. Steve Peers, members of FREE Group, for their very helpful comments on and edits of the draft of this Note.

    OVERALL CONCLUSIONS

    We believe the following aspects of the Umbrella Agreement violate, or are likely to lead to violations of, the Treaties and the EU Charter of Fundamental Rights:

    1. The Umbrella Agreement appears to allow the “sharing” of data sent by EU law enforcement agencies to US law enforcement agencies with US national security agencies (including the FBI and the US NSA) for use in the latter’s mass surveillance and data mining operations; as well as the “onward transfer” of such data to “third parties”, including national security agencies of yet other (“third”) countries, which the Agreement says may not be subjected to “generic data protection conditions”;
    2. The Umbrella Agreement does not contain a general human rights clause prohibiting the “sharing” or “onward transfers” of data on EU persons, provided subject to the Agreement, with or to other agencies, in the USA or elsewhere, in circumstances in which this could lead to serious human rights violations, including arbitrary arrest and detention, torture or even extrajudicial killings or “disappearances” of the data subjects (or others);
    3. The Umbrella Agreement does not provide for equal rights and remedies for EU- and US nationals in the USA; but worse, non-EU citizens living in EU Member States who are not nationals of the Member State concerned – such as Syrian refugees or Afghan or Eritrean asylum-seekers, or students from Africa or South America or China – and non-EU citizens who have flown to, from or through the EU and whose data may have been sent to the USA (in particular, under the EU-US PNR Agreement), are completely denied judicial redress in the USA under the Umbrella Agreement.

    In addition:

    1. The Umbrella Agreement in many respects fails to meet important substantive requirements of EU data protection law;
    2. The Umbrella Agreement also fails to meet important requirements of EU data protection law in terms of data subject rights and data subjects’ access to real and effective remedies; and
    3. In terms of transparency and oversight, too, the Umbrella Agreement falls significantly short of fundamental European data protection and human rights requirements.

    The Agreement should therefore, in our view, not be approved by the European Parliament in its present form.


    SCHREMS CASE: The Essence of Privacy, and Varying Degrees of Intrusion

    ORIGINAL PUBLISHED IN VERFASSUNGSBLOG ON Wed 7 Oct 2015

    This brief comment will address the 6 October 2015 CJEU Grand Chamber ruling in Max Schrems, asking what it tells us about the status of two fundamental rights in the EU legal order, namely the right to the respect for private life (privacy) and the right to the protection of personal data (EU Charter of Fundamental Rights, Articles 7 and 8, respectively). The ruling must be read together with the 8 April 2014 ruling in Digital Rights Ireland, where Articles 7 and 8 were discussed side by side.

    Although the Max Schrems ruling contains many references to personal data, it does not really discuss the right to the protection of personal data as a distinct fundamental right. Article 8 of the Charter is mentioned in the dispositive part of the ruling but not for instance in what I would call the main finding by the Court which refers only to Article 7:

    In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter…

    The outcome of the case – declaring Commission’s Safe Harbor Decision 2000/52 invalid – flows from this finding of a breach of the essence of the right to privacy when we are dealing with indiscriminate blanket access to data. In Digital Rights Ireland the CJEU had already indicated (paras. 39-40) that blanket access to ‘content’ would trigger the application of the essence clause in Article 52 (1.1) of the Charter, while surveillance, even indiscriminate mass surveillance, based on even complex use of various categories of metadata amounted to a “particularly serious interference” (Digital Rights Ireland, para. 65) with fundamental rights but did not trigger the application of the essence clause. The Court’s distinction between ‘content’ and ‘metadata’ can be criticized, and it was indeed relativised by the Court itself in Digital Rights Ireland (para. 27).

    What is now remarkable in Max Schrems is that

    a) the Court actually identified the intrusion in question as falling under the notion of the essence of privacy – something the European Court of Human Rights has never done under the privacy provision of ECHR Article 8, and

    b) the identification of an intrusion as compromising the essence of privacy meant that there was no need for a proportionality assessment under Article 52 (1.2) of the Charter.

    This can be contrasted with the Digital Rights Ireland judgment (para. 69), where the final outcome was based on the application of a proportionality test. For these reasons, the Max Schrems judgment is a pathbreaking development, a major contribution to the understanding of the structure and legal effect of fundamental rights under the Charter. Digital Rights Ireland indicated where the path would go, and now the Court actually went that way.

    An equally important contribution is documented in the same paragraph, namely that mere “access” to communications by public authorities constitutes an interference. Notably, Article 8 (2) of the Charter uses the notion of “processing” when defining the fundamental right to the protection of personal data. Until the Max Schrems ruling, surveillance advocates might have enjoyed some credibility with their claim that mere access does not amount to processing, and that therefore mere access to the flow of communications does not amount to an intrusion until the automated selectors and algorithms have done their job and the human eye starts to “process” a much narrower set of data. Now we know that mere access is an intrusion into privacy, and even into the essence of privacy when it provides for indiscriminate access to ‘content’.

    This gives rise to the next question, whether the Max Schrems rationale will only apply to the “transfer” of data from Europe to “servers” in the United States. This was the factual basis of the case, as reflected in paragraphs 2 and 31. The CJEU was asked a question about data transfers from Europe to Facebook servers in the US under the Safe Harbor arrangement, and it responded to that question. It did not address the scenario of “upstream” access to data flows through the splitting of fiber-optic cables to obtain generic access to all data that passes through transatlantic cables just because the Internet is built in the way that a lot of traffic ends up going through those cables. It would indeed be difficult to bring a case to the CJEU that would address this scenario.

    Nevertheless, paragraph 94 quoted above is formulated in a way that gives a generic answer concerning the contours of the right to privacy under Article 7 of the EU Charter: yes, also access through the upstream method of capturing the data flow in a fibre-optic cable is to be regarded as compromising the essence of privacy and therefore as prohibited under the Charter, without a need even to engage in a proportionality analysis. It may be hard to get a case to the CJEU but the content of the substantive norm under Article 7 of the Charter is now clear. One can on good grounds expect that the European Court of Human Rights will now be prepared to follow the lead of the CJEU and draw the same conclusion under ECHR Article 8.

    In closing, I dare to present the view that the Digital Rights Ireland and Max Schrems rulings taken together provide verification and demonstration of the utility of the methodology we developed in the SURVEILLE project, where we produced a general framework for the holistic assessment of surveillance technologies for their security benefit, cost efficiency, moral hazards and fundamental rights intrusion. In short, in our model an intrusion into the essence of privacy would by definition produce the highest possible fundamental rights intrusion score, which is, again by definition, higher than the maximum usability score and would therefore make redundant any proportionality assessment. Other types of intrusion – even particularly serious ones – would be assessed through giving separate scores to the importance of a fundamental right in a given situation and the depth of the intrusion into the same right as created by surveillance, and by then comparing the resulting fundamental rights intrusion score against the usability score based on technology assessment. Here, a proportionality assessment is needed, even if the highest possible intrusion scores will be so high that the benefits obtained through surveillance cannot in practice outweigh them. Similarly to the CJEU in the Digital Rights Ireland case, the outcome will be that crude methods of mass surveillance, even when not triggering the essence clause, will be assessed as unlawful.

    This text is licensed under CC BY NC ND

    (http://creativecommons.org/licenses/by-nc-nd/4.0/legalcode)