EU Anti-Money Laundering legal framework: the race has started again…

by Dalila DELORENZI (FREE Group Trainee)

After two years, the revision of the new EU Anti-Money Laundering (AML) framework has finally come to an end. On 20 May, the European Parliament adopted at second reading the Fourth AML Directive (Directive (EU) 2015/849), along with the new Regulation on information on the payer accompanying transfers of funds (Regulation (EU) 2015/847).

The revision was triggered by the need to adapt the legal framework to counter new threats of money laundering and terrorist financing and to reflect recent changes due to the revised Financial Action Task Force (FATF) Recommendations. The following lines present the new legal framework, including some crucial measures that could represent a real step-up in the fight against money laundering, terrorist financing and tax evasion.

  1. Introduction of a European register of beneficial ownership

The creation of a European register of beneficial ownership has been one of the sticking points, and the reason why the text has attracted much more political attention than the latest directives and why the negotiations have taken much longer than expected.

1.1 Definition of beneficial ownership and the problems caused by “phantom firms”

A beneficial owner is a natural person – a real, live human being and not another company or trust – who stands behind a company (or trust) as the ultimate owner and controller, directly or indirectly exercising substantial control over the company or receiving substantial economic benefits (such as receipt of income) from the company. If the true owner’s name is disguised, we are dealing with “anonymous companies”. In a majority of countries, keeping the true owner’s name unknown is perfectly legal and there is typically no requirement to disclose that the names listed are merely front-people.

Such anonymous companies can be created by using “nominees”, people who front the company in place of the true owner, or by incorporating one or more of the companies in a country which does not make details of the beneficial owners publicly available. Also called “phantom firms”, they exist only on paper, with no real employees or office.

Now, it’s certainly true that such entities can also have legitimate uses, but the untraceable company can also be a vehicle of choice for crimes such as money laundering, tax evasion and terrorist financing.

1.2 The role of anonymous companies in money laundering

Although there are countless ways to launder money, money laundering can be broken down into three stages:

  • Placement: the initial entry of illicit money into the financial system. This might be done by breaking up large amounts of cash into less conspicuous smaller sums that are then deposited directly into a bank account.
  • Layering: the second step consists of separating the funds from their source. This is often done by using anonymous shell companies: for instance, by wiring money to an account owned by an anonymous shell company.
  • Integration: the money re-enters the legitimate economy, for instance by investing the funds in real estate and luxury assets.

That being said, it is clear that these secretive “shell” companies and trusts play a central role in laundering and channelling funds, concealing behind a veil of secrecy the identity of corrupt individuals and irresponsible businesses involved in activities, including tax evasion, terrorist financing, and the trafficking of drugs and people. More precisely, it is impossible for law enforcement officials to go back to the real individuals ultimately responsible for the company’s actions and to track the origin of illicit funds.

1.3 The importance of central registers


EU-USA “UMBRELLA” AGREEMENT ON DATA PROTECTION: A …LEAKY UMBRELLA ?

Posted HERE on 18. September 2015


On 8 September 2015, the European Commission announced the successful completion of the negotiations with the US on a framework agreement (“Umbrella Agreement”) that shall apply to the co-operation between law enforcement authorities. “Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic. It will in particular guarantee that all EU citizens have the right to enforce their data protection rights in US courts”, said the competent EU Commissioner Věra Jourová. A prerequisite for the signing of the agreement, however, is that the US Congress approves the necessary legislative changes (“Judicial Redress Bill”).

Although the Commission initially did not want to publish the agreement, the text has found its way onto the Internet, making an assessment possible.

First the good news: the agreement contains, in fact, substantial concessions from the US side. It should be highlighted that the US shall even provide EU citizens with a right to seek judicial redress if they are of the opinion that their privacy rights have been violated in the context of processing information the respective US authorities have received from the EU. For years, the US government insisted on granting EU citizens only administrative redress. For Europe, such limited redress – ultimately depending on the goodwill of the US administration – would not have provided an adequate level of data protection.

Another positive aspect is that both sides have agreed to commit to the principles of proportionality, necessity and purpose limitation and that they have to determine the use and duration of storage of personal information in accordance with these principles. The concrete purposes of data processing and the retention periods have to be determined by the specific legal acts.

However, although the agreement improves the legal status of EU citizens whose data are transferred to the US, it would be a misperception that the agreement provides EU citizens with the same privacy rights as US persons. If this had been intended, the rights provided by the US Privacy Act of 1974 and other laws, currently limited to US citizens and residents, could have been extended to EU citizens. Instead, the agreement text contains complicated rules which do not ensure equality in the result. EU citizens first have to seek administrative redress. They may call on a US court only after administrative redress has definitively been exhausted. In addition, administrative and judicial redress are limited to those privacy rights explicitly specified in the Agreement, such as the right to access and correction of personal information. The agreement will not grant EU citizens – unlike US citizens – further rights to challenge the lawfulness of the entire process of data processing before a US court.

Furthermore, it should be noted that the agreement shall apply only to judicial and police authorities, but not to authorities tasked with guaranteeing “national security”. US intelligence agencies like the NSA and the CIA share personal data with law enforcement agencies, even if they have received this information from their European partners. The provisions of the umbrella agreement would not apply in these cases. Last but not least, the agreement does not cover data US and European authorities collect on the basis of national laws, i.e. the Foreign Intelligence Surveillance Act (FISA) or similar European legislation.

Another limitation of the umbrella: While according to the European data protection law, all personal data will be protected regardless of the nationality of the persons concerned, the agreement should apply only to data on EU citizens which have been transferred to the US by European authorities or companies based on bilateral or multilateral agreements. So data relating to citizens of third countries remain unprotected.

Finally, the agreement (Art. 21) falls short with regard to data protection oversight. It lacks an explicit commitment of both parties to ensure independent data protection supervision. While the European Union commits that the independent data protection authorities shall be competent to check the provisions, the agreement refers, with respect to the United States, to a variety of oversight institutions, some of them not independent, which are to exercise the supervision of data protection “cumulatively”.

Given these shortcomings, to me the exultation over the agreement seems premature. The European legal bodies which need to approve the ratification of the agreement, in particular the European Parliament and the parliaments of the Member States, are called upon to thoroughly examine the agreement, in particular its compatibility with the provisions of the EU Charter of Fundamental Rights. Depending on the results of such an assessment, it might be necessary to renegotiate and caulk the umbrella.

 

Passenger Name Records, data mining & data protection: the need for strong safeguards

EXCERPTS FROM EXPERTS’ OPINION SUBMITTED TO THE COUNCIL OF EUROPE (PUBLISHED ON THE STATEWATCH SITE)

by Douwe KORFF and Marie GEORGES (FREE-Group Members)

Introduction

Much has been said and written about Passenger Name Records (PNR) in the last decade and a half. When we were asked to write a short report for the Consultative Committee about PNR, “in the wider contexts”, we therefore thought we could confine ourselves to a relatively straightforward overview of the literature and arguments.

However, the task turned out to be more complex than anticipated. In particular, the context has changed as a result of the Snowden revelations. Much of what was said and written about PNR before his exposés had looked at the issues narrowly, as only related to the “identification” of “known or [clearly ‘identified’] suspected terrorists” (and perhaps other major international criminals). However, the most recent details of what US and European authorities are doing, or plan to do, with PNR data show that they are part of the global surveillance operations we now know about.

More specifically, it became clear to us that there is a (partly deliberate?) semantic confusion about this “identification”; that the whole surveillance schemes are not only to do with finding previously-identified individuals, but also (and perhaps even mainly) with “mining” the vast amounts of disparate data to create “profiles” that are used to single out from the vast data stores people “identified” as statistically more likely to be (or even to become?) a terrorist (or other serious criminal), or to be “involved” in some way in terrorism or major crime. That is a different kind of “identification” from the previous one, as we discuss in this report.

We show this relatively recent (although predicted) development with reference to the most recent developments in the USA, which we believe provide the model for what is being planned (or perhaps already begun to be implemented) also in Europe. In the USA, PNR data are now expressly permitted to be added to and combined with other data, to create the kinds of profiles just mentioned – and our analysis of Article 4 of the proposed EU PNR Directive shows that, on a close reading, exactly the same will be allowed in the EU if the proposal is adopted.

Snowden has revealed much. But it is clear that his knowledge about what the “intelligence” agencies of the USA and the UK (and their allies) are really up to was and is still limited. He clearly had an astonishing amount of access to the data collection side of their operations, especially in relation to Internet and e-communications data (much more than any sensible secret service should ever have allowed a relatively junior contractor, although we must all be grateful for that “error”). However, it would appear that he had and has very little knowledge of what was and is being done with the vast data collections he exposed.

Yet it is obvious (indeed, even from the information about PNR use that we describe) that these are used not only to “identify” known terrorists or people identified as suspects in the traditional sense, but that these data mountains are also being “mined” to label people as “suspected terrorist” on the basis of profiles and algorithms. We believe that that in fact is the more insidious aspect of the operations.

This is why this report has become much longer than we had planned, and why it focusses on this wider issue rather than on the narrower concerns about PNR data expressed in most previous reports and studies.

The report is structured as follows. After preliminary remarks about the main topic of the report, PNR data (and related data) (further specified in the Attachment), Part I discusses the wider contexts within which we have analyzed the use of PNR data. We look at both the widest context: the change, over the last fifteen years or so, from reactive to “proactive” and “preventive” law enforcement, and the blurring of the lines between law enforcement and “national security” activities (and between the agencies involved), in particular in relation to terrorism (section I.i); and at the historical (immediately post-“9/11”) and more recent developments relating to the use of PNR data in data mining/profiling operations in the USA, in the “CAPPS” and (now) the “Secure Flight” programmes (section I.ii).

In section I.iii, we discuss the limitations and dangers inherent in such data mining and “profiling”.

Only then do we turn to PNR and Europe by describing, in Part II, both the links between the EU and the US systems (section II.1), and then the question of “strategic surveillance” in Europe (II.ii).

In Part III, we discuss the law, i.e., the general ECHR standards (I); the ECHR standards applied to surveillance in practice (II, with a chart with an overview of the ECtHR considerations); other summaries of the law by the Venice Commission and the FRA (III); and further relevant case-law (IV).

In Part IV, we first apply the standards to EU-third country PNR agreements (IV.i), with reference to the by-passing of the existing agreements by the USA (IV.ii) and to the spreading of demands for PNR to other countries (IV.iii). We then look at the human rights and data protection-legal issues raised by the proposal for an EU PNR scheme. We conclude that part with a summary of the four core issues identified: purpose-specification and –limitation; the problem with remedies; “respect for human identity”; and the question of whether the processing we identify as our main concern – “dynamic”-algorithm-based data mining and profiling – actually works.

Part V contains a Summary of our findings; our Conclusions (with our overall conclusions set out in a box on p. 109); and tentative, draft Recommendations. (…)

Conclusions

Privacy and Data Protection Implications of the Civil Use of Drones

IN DEPTH ANALYSIS FOR THE EP CIVIL LIBERTIES COMMITTEE (LIBE)

by Ottavio MARZOCCHI (Policy Department C: Citizens’ Rights and Constitutional Affairs, European Parliament)

EXECUTIVE SUMMARY

Drones (also called RPAS, Remotely Piloted Aircraft Systems, or UAV, unmanned aerial vehicles) are aircraft without a human pilot on board, which are guided by a remote pilot.
Drones have been developed for military use but are now increasingly used for civil purposes. Currently drones are employed for critical infrastructure and civil protection, disaster management and search and rescue, environmental protection, law enforcement and surveillance, journalism, commercial activities and leisure, while it is foreseen that in the future they will also be employed for other missions, such as agriculture, energy, transport of goods and cargo – and even of people.

States plan to increase their use of drones, while industry, small and medium enterprises and private companies have a growing interest in the manufacturing, selling and use of drones to monitor their activities or provide goods and services to clients. Being currently available on the market at affordable prices, their use by private individuals has increased exponentially.

The current and prospective development of drones has a series of positive impacts, notably for employment, SMEs and industrial development, and has a potential to generate growth and jobs. Drones can carry out operations in emergency situations, where human intervention is either impossible or difficult (drones could help save lives in operations of humanitarian relief, search and rescue at sea, when nuclear accidents or natural disasters occur, etc).
As with any technology, there are also risks to be taken into serious account by stakeholders, regulators, institutions and citizens in order to prevent, minimize and counter the potential negative impacts of some applications of drone technology. This is especially the case in the absence of proper regulation or/and when drones are used in illegal, unsafe or irresponsible ways.

In terms of risks for privacy and data protection, drones normally carry video-cameras to allow pilots to fly them. These images can be easily recorded and stored, and are often uploaded onto the internet. The privacy of private life and property can be interfered with and violated when drones capture images of people in their houses or gardens. A series of other applications and payloads can also be installed on drones, allowing the gathering and processing of personal data and seriously interfering with and potentially violating citizens’ rights to privacy and data protection[1].

In terms of security and safety, drones pose a series of considerable and serious risks. As reported by the media, drones have been spotted over airports or close to them, disrupting or/and threatening civil aviation; have crashed on the ground; have been flown over critical infrastructure, embassies or tourist attractions; have injured people. The prospective increase in the number of drones flying at different heights (including in the space currently reserved for civil aviation), in different directions (drones normally change direction multiple times, on the basis of pilots’ orders) and areas, with different weights and speeds, over people and private properties, poses serious challenges. The technological environment to ensure the secure and safe integration of drones in the civil aviation system does not yet seem ripe, as communications can be easily lost or hijacked, the detect and avoid systems are not by default installed on drones and systems to block their access into no-fly zones (geo-fencing) are not in place. Responsibility and liability for drones’ use is not yet guaranteed, as identification of the owners or pilots is not required in most EU MS, making transparency or law enforcement action almost impossible.

Potentially, the positive applications of drones (e.g. for fire-fighting; or nuclear plant inspection) can be nullified by negative applications (e.g. private drones flying around and impeding quick fire-fighter intervention, as happened in Norway; or private drones flying over the nuclear power plant, or even crashing on it). These elements show that drones pose a series of challenges and concrete risks for safety, security and the fundamental rights of persons, which are to be addressed seriously.

The exponential development and spread of drones challenges policy makers to regulate them and their use by balancing the will to support drones’ positive potential for the economy while preventing, minimizing and countering the negative impacts and the risks illustrated above. A series of initiatives at international, European and national level are currently underway to respond to this challenge.

The European Commission has worked in recent years to promote RPAS integration into the European civil aviation airspace (“non-segregated air traffic management environments”). The next steps in the process will be the development of safety rules by EASA during 2015. Based on this, the Commission will issue a package containing a revision of the basic European Civil Aviation Safety Regulation (currently under impact assessment) possibly in 2015 to allow the integration of drones from 2016 onwards.

The Commission has identified priority areas where the EU could play a leading or coordinating role, notably by developing a regulatory framework to guarantee safety; fostering enabling technologies; security; protecting citizens’ fundamental rights (privacy and data protection); guaranteeing third party liability and insurance; supporting market development and emergence and promoting the European RPAS industry and its competitiveness. EASA and the Council, as well as MS regulations, seem to go broadly in the same direction.

This research finds that:

  • In order to ensure that the EU can regulate drones regardless of their weight, it is necessary to modify EC Regulation 216/2008 and notably its Annex 2, which currently limits the scope of EU action to RPAS weighing more than 150 kg. Once this has been done, the current regulations and laws adopted at national level will have to be modified on the basis of the future EU regulatory regime, which might be based on a new “proportionate to the risk” approach;

  • Notwithstanding the fact that interferences to privacy and data protection can be particularly serious when drones are used to collect personal data for law enforcement purposes and surveillance activities, EU data protection law does not currently cover this area (except when such data is exchanged amongst Member States). Activities by private individuals are excluded from the application of the DP Directive due to the “household” exception, but it seems likely that the capturing and processing of personal data carried out by drones in public spaces could be subject to EU data protection law, following the ECJ jurisprudence on CCTV. In these areas, it is primarily for Member States to ensure that privacy and data protection guarantees apply; looking forward, the approval of the Data Protection Regulation and Directive will bring a positive contribution in terms of impact assessments, privacy by design and privacy by default, as these will become mandatory;

  • Citizens’ right to security and safety does not seem to be fully guaranteed across the EU and by all MS in relation to drones and their use, while enabling technologies are still in development; law enforcement action is virtually impossible as rules on identification of drones and of their operations, responsibility and liability are not yet in place everywhere;

  • The whole “drones’ chain” should be more closely examined in terms of current and future EU and/or MS regulation needed to minimize or counter risks for citizens and to their rights, from manufacturing and trade (production, selling, buying, internal and international trade, notice for buyers on risks and hazards and applicable rules or legislation for flying drones), to safety (airworthiness, pilot licences, operation authorisation, identification and monitoring of drones and of their flights, establishment of no-fly zones such as critical infrastructures, airports, cities and villages, gatherings, rules that should be followed when operating a drone, for instance visual line of sight, private properties, etc), privacy and data protection rules, as well as laws related to criminal behaviour, intellectual property, aviation, environmental law that are to be respected by drones, security (regulations and measures to ensure that law enforcement action against illegal and unsafe use of drones is possible, responsibility and liability for damage to persons or property as a result of an incident caused by an RPA).

The debate on the future regulatory regime for drones, which has been mainly carried out up to now between industry, stakeholders, technical regulators and working groups (be it at the national, European and international level), should involve more closely both citizens and legislators. Consultations on future options should be carried out, so as to take into account citizens’ views and concerns, while legislators should be the ones to take decisions on regulation, given the risks posed by drones. This is the only way to ensure that “public acceptance” of, or “societal concerns” in relation to, drones are addressed and resolved, through open and democratic debate and scrutiny.

In order to achieve these objectives at the EU level and ensure a more transparent and democratic debate on the future policy on drones, the EP could ask the Commission to report in detail and in straightforward terms, for instance in its upcoming impact assessment, about which actions it plans to undertake in the “drones’ chain” to ensure that the objectives of safety, security, respect of fundamental rights, namely privacy and data protection, environment, responsibility and liability, law enforcement action, insurance, identification and transparency, technological development, can be achieved, with recommendations for MS and/or EU action, and possible options. A description of the regulatory approaches in MS should also be provided, so as to allow a comparison and to identify best practices. It should also report about the past, present and future use of EU funds for drones development, and on how funds for civilian uses and military/defence uses of drones interact. A yearly reporting mechanism would also be useful, and could also address the causes and possible remedies to deal with drones’ incidents.

[1] For instance: high power zoom, facial recognition, behaviour profiling, movement detection, number plate recognition, thermal sensors, night vision, radar, see-through imaging, Wi-fi sensors, microphones and audio-recording systems, biometric sensors to process biometric data, GPS systems processing the location of the persons filmed, systems to read IP addresses and track RFID devices, systems to intercept electronic communications.


US CONGRESSIONAL RESEARCH SERVICE: Overview of Constitutional Challenges to NSA Collection Activities

FULL REPORT ACCESSIBLE HERE (May 21, 2015)

by Edward C. Liu, Legislative Attorney; Andrew Nolan, Legislative Attorney; and Richard M. Thompson II, Legislative Attorney

Summary

Beginning in summer 2013, media reports of foreign intelligence activities conducted by the National Security Agency (NSA) have been widely published. The reports have focused on two main NSA collection activities approved by the Foreign Intelligence Surveillance Court (FISC) established under the Foreign Intelligence Surveillance Act (FISA) of 1978. The first is the bulk collection of telephony metadata for domestic and international telephone calls. The second involves the interception of Internet-based communications and is targeted at foreigners who are not within the United States, but may also inadvertently acquire the communications of U.S. persons. As public awareness of these programs grew, questions about the constitutionality of these programs were increasingly raised by Members of Congress and others. This report provides a brief overview of these two programs and the various constitutional challenges that have arisen in judicial forums with respect to each.

A handful of federal courts have addressed the Fourth Amendment issues raised by the NSA telephony metadata program. FISC opinions declassified in the wake of the public’s awareness of the NSA telephony metadata program have found that the program does not violate the Fourth Amendment. Similarly, in ACLU v. Clapper, the federal District Court for the Southern District of New York held that a constitutional challenge to the telephony metadata program was not likely to be successful on the merits. On appeal, the United States Court of Appeals for the Second Circuit refrained from reaching the merits of this Fourth Amendment challenge, but instead resolved the case on statutory grounds, holding that the metadata program exceeded statutory authorization under Section 215 of the PATRIOT Act. However, the panel did engage in a general discussion about the Fourth Amendment principles implicated by this program, including the effect of modern technology on Americans’ expectations of privacy. Both the district courts for the Southern District of California and the District of Idaho have found the bulk metadata program constitutional under existing Supreme Court precedent. In Klayman v. Obama, the federal District Court for the District of Columbia held that there is a significant likelihood that a challenge to the constitutionality of the NSA telephony metadata program would be successful.

Constitutional challenges to the NSA’s acquisition of Internet communications of overseas targets under FISA have arisen in a number of different contexts. First, such challenges have arisen in both the FISC and the Foreign Intelligence Surveillance Court of Review as part of those courts’ roles in approving the parameters of these collection activities. Secondly, constitutional challenges have been brought in traditional federal courts as civil actions by plaintiffs asserting an injury or in criminal proceedings by defendants who have been notified that evidence against them was obtained or derived from collection under Section 702. While the FISA courts have at times curbed the government’s ability to engage in surveillance activity to ensure compliance with the Fourth Amendment, the one federal court to address the issue has upheld the program against constitutional challenge.


 

 

COE Human Rights Commissioner: Reinforcing democratic oversight of security services cannot be further delayed

Strasbourg, 5 June 2015 – “The current systems of oversight of national security services in Europe remain largely ineffective. Revelations over the last years about security operations which have violated human rights should have prompted reforms in this field, but progress has been disappointingly slow. European countries must now ensure more democratic and effective oversight of what their security services do and avoid future operations leading to new human rights violations,” said today Nils Muižnieks, Commissioner for Human Rights, while presenting a report on this topic.

The report intends to provide guidance to strengthen human rights protection in the field of security services. It sets forth a number of measures necessary for making national oversight systems more effective and the security services accountable and fully compliant with human rights standards.  “Security service activities impact a variety of human rights, including the right to life, to personal liberty and security, and the prohibition of torture or inhuman, cruel and degrading treatment. They also impinge on the right to privacy and family life, as well as the rights to freedom of expression, association and assembly, and fair trial. It is therefore crucial that security services uphold the rule of law and human rights in undertaking their tasks.”

Council of Europe member states have taken diverse approaches to oversight, which include parliamentary committees, independent oversight bodies, institutions with broader jurisdictions such as ombudspersons, data commissioners and judicial bodies. However, none abides fully by internationally established norms. Drawing upon international and European standards and national practices, the paper sets out the most significant objectives and overriding principles that can enable more effective oversight of security services. “It is necessary to keep oversight democratic, primarily through the involvement of parliaments. It is also crucial to ensure prior authorisation of the most intrusive measures, including surveillance, and to establish a body able to issue legally binding decisions over complaints by individuals affected by security activities, as well as to access all intelligence-related information,” said the Commissioner.

“Security services exist to protect our democracies. Their work is fundamental to ensure that we all can live in security. This paper intends to show how their activities can be best sustained by policies which ensure their lawfulness and accountability. Ensuring that security agencies operate under independent scrutiny and judicial review does not reduce their effectiveness. On the contrary, governments would increase their credibility among the public and weaken support for anti-democratic causes if they show as much resolve in safeguarding human rights as in fighting terrorism.”

The executive summary and the Commissioner’s recommendations are also available in French and German. Translations into Turkish and Russian are under way.

To read more about the Commissioner’s work on counter-terrorism and human rights, please visit this page.

Press contact in the Commissioner’s Office:
Stefano Montanari, + 33 (0)6 61 14 70 37; stefano.montanari@coe.int
 

The Commissioner for Human Rights is an independent, non-judicial institution within the Council of Europe, mandated to promote awareness of, and respect for, human rights in the 47 member states of the Organisation. Elected by the Parliamentary Assembly of the Council of Europe, the present Commissioner, Mr Nils Muižnieks, took up his function on 1 April 2012.

The US legal system on data protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens

EXECUTIVE SUMMARY OF STUDY FOR THE EUROPEAN PARLIAMENT LIBE COMMITTEE PUBLISHED HERE

by Francesca BIGNAMI (*)

In US law, there are a number of different legal sources that govern data protection in the field of federal law enforcement. This study first considers the two most important sources of data protection law: the Fourth Amendment to the US Constitution and the Privacy Act of 1974. It then turns to the most significant methods of information collection that are available for ordinary criminal investigations and national security investigations and the data protection guarantees set down under the laws authorizing and regulating such information collection.

The Fourth Amendment prohibits “unreasonable searches and seizures” by the government. Reasonableness is established if the search or seizure is conducted pursuant to a valid warrant, that is, a judicial order based on a showing of probable cause and on a particular description of the property to be searched and the items to be seized. Reasonableness can also be established if one of the exceptions to the warrant requirements exists. In the data protection context, however, the application of the Fourth Amendment is relatively limited because of the third-party records doctrine which holds that individuals do not have an expectation of privacy in personal data that they voluntarily turn over to third parties like financial institutions and communications providers. With regard to EU citizens, the Supreme Court has held that foreign citizens resident abroad are not covered by the Fourth Amendment.

Among U.S. laws, the Privacy Act of 1974 is the closest analogue to a European data protection law in that it seeks to regulate comprehensively personal data processing, albeit only with respect to federal government departments and agencies. It regulates the collection, use, and disclosure of all types of personal information, by all types of federal agencies, including law enforcement agencies. At a general level, the Privacy Act contains most of the elements of the EU right to personal data protection. However, it only protects US citizens and permanent residents, not EU citizens.

Furthermore, there are a number of exemptions available specifically for law enforcement agencies. As a result, the benefits of the proposed legislation on judicial redress for EU citizens are unclear. The proposed legislation contemplates three types of law suits, two of which are designed to protect the right of access to and correction of personal data, and one of which enables individuals to obtain compensation for unlawful disclosures of personal data. Since law enforcement agencies commonly exempt their data bases from the access requirements of the Privacy Act, the right of action for intentional or willful disclosures that cause actual damage is the only one that would be available on a general basis.

In investigations involving ordinary crime, there are at least three different methods of personal data collection available to law enforcement officials: (1) use of private sources like commercial data brokers; (2) court and administrative subpoenas; (3) electronic surveillance and access to electronic communications based on a court order under the Electronic Communications Privacy Act. These information-gathering methods afford the same level of data protection for US and EU citizens.

With respect to EU data protection law, however, some of these methods contain relatively few data protection guarantees.

In the case of private sources of personal data, this is attributable to the absence of a comprehensive data protection scheme in the private sector and the vast quantities of personal information freely available to market actors and, consequently, also to law enforcement officials. With respect to the subpoena power and access to communications metadata and subscriber records (under the Stored Communications Act and the Pen Register Act), the lack of significant data protection guarantees is associated with the standard of “relevance” to any type of criminal investigation and the permissive application of that standard by the courts. The law and jurisprudence of “relevance,” in turn, is driven by the failure of US law to recognize a robust privacy interest in the personal data held by corporate entities and other third parties.

In investigations involving national security threats, which can involve both an intelligence and a law enforcement component, there are a number of additional means available to the government: (1) a special type of administrative subpoena known as a “national security letter”; (2) surveillance authorized by the Foreign Intelligence Surveillance Act (FISA); (3) any other form of intelligence gathering authorized by Executive Order 12,333 (and not covered by FISA). The information gathered through such methods can be shared with criminal prosecutors if relevant for law enforcement purposes.

Foreign intelligence gathering, both inside and outside the United States, follows a two-track scheme, one for US persons and another for non-US persons. With the exception of FISA electronic and physical surveillance orders, the data protection guarantees afforded to non-US persons are minimal. The stated intent of Presidential Policy Directive 28 is to provide for stronger personal data protection for non-US persons, but it is difficult to come to any conclusions at this point in time on what effect it will have.

More generally, even with respect to US persons, personal data protection under foreign intelligence law raises a couple of questions.

The first concerns the point in time when the right to privacy is burdened by government action. The US government has suggested that in the case of bulk collection of personal data, harm to the privacy interest only occurs after the personal data is used to search, or results from a search of, the information included in the data base.

This position stands in marked contrast with EU law, where it is well established that bulk collection, even before the personal data is accessed, is a serious interference with the right to personal data protection because of the number of people and the amount of personal data involved.

The second question concerns the conditions under which personal data can be shared between intelligence and law enforcement officials. In the realm of data processing by law enforcement and intelligence agencies, the European courts have emphasized that intrusive surveillance can only be conducted to combat serious threats that are carefully defined in law. They have also held that the information that results from such surveillance can only be used to combat those serious threats, whether to take national security measures or to prosecute the associated criminal offenses. In US law, by contrast, the law allows for intelligence to be transferred to the police and criminal prosecutors for any type of law enforcement purpose.


(*) Prof. at George Washington University Law School, Washington, DC, USA

Summer School on The European Area of Criminal Justice (Brussels, 29 June – 3 July 2015)

NB: This Summer School is particularly designed for practitioners in the field of police cooperation and judicial cooperation in criminal matters, EU or national civil servants, as well as researchers and students interested in EU “Freedom, Security and Justice” policies.

Programme (See updated version here)

The 12th edition of the Summer School “The EU Area of Criminal Justice” will take place in Brussels from 29 June – 3 July 2015.

The objective of the Summer School is to provide participants with an extensive knowledge of EU criminal law. The classes are both theoretical and practical. They are conducted by academics, national experts or European officials who deal every day with the European criminal area.

The Summer School is specially designed for practitioners in the field of police and judicial cooperation in criminal matters, EU or national civil servants as well as researchers and students interested in the EU area of freedom, security and justice.

Concerning the programme: the Summer School takes place over a week, lectures are in English, participants receive a certificate of attendance, the final examination entitles participants to receive 3 ECTS and lawyers to gain 37 points from the OBFG (Ordre des Barreaux Francophones et Germanophone de Belgique).

The Summer School covers essentially 5 topics:

  • subject I (day 1): general introduction (historical evolution, institutional issues – Schengen included, judicial control – EU accession to ECHR included);
  • subject II (day 2): cooperation between national authorities in criminal cases, covering both police cooperation and judicial co-operation. The latter will address the evolution from classic judicial cooperation (Mutual Legal Assistance instruments) to mutual recognition instruments, with special attention to the European Arrest Warrant;
  • subject III (day 3): approximation of criminal law, in theory and practice. Thus, following a class on the approximation of substantive criminal law, the example of financial crimes will be addressed. Similarly, the theoretical course on approximation of procedural law will be complemented with the study of the Directive on the right of access to a lawyer;
  • subject IV (day 4): current and future actors of the European criminal area, particularly Eurojust, Europol and the EPPO.
  • subject V (day 5): data protection and external dimension of the EU area of criminal justice. The Summer School will end with a negotiation exercise.

Special events during the Summer School:

  • Mid-week conference: “Foreign fighters – a criminal law revolution?”

The conference will be chaired by Hans G. Nilsson (General Secretariat of the EU Council) and will feature speeches from illustrious practitioners and professors. For details, please download the programme.

The Summer School is organised by the Institute for European Studies of the Free University of Brussels (IEE-ULB) in collaboration with the European Criminal Law Academic Network (ECLAN).

OPEN LETTER TO UK MPS: ENSURING DEMOCRATIC SCRUTINY OF UK SURVEILLANCE LAW CHANGES

ORIGINAL PUBLISHED ON EU LAW ANALYSIS 

by Steve PEERS

Due to my concern about inadequate democratic scrutiny of changes to UK law (often linked to EU law) affecting privacy rights, I am one of the signatories to today’s letter to MPs on this issue, published in the Guardian and elsewhere. Thanks to Andrew Murray and Paul Bernal for taking this initiative.

An open letter to all members of the House of Commons,

Dear Parliamentarian,

Ensuring the Rule of Law and the democratic process is respected as UK surveillance law is revised

Actions Taken Under the Previous Government

During the past two years, the United Kingdom’s surveillance laws and policies have come under scrutiny as the increasingly expansive and intrusive powers of the state have been revealed and questioned in the media. Such introspection is healthy for any democracy. However, despite a need for transparency in all areas of lawmaking, and in particular in areas of controversy, the previous Government repeatedly resisted calls for an open and transparent assessment and critique of UK surveillance powers. Instead, in response to legal challenges, it extended the powers of the state in the guise of draft Codes of Practice and “clarifying amendments.” As we welcome a new Government we expect another round of revisions to UK surveillance laws, with the likelihood that the Queen’s Speech will signal a revival of the Communications Data Bill. At this time we call on the new Government, and the members of the House, to ensure that any changes in the law, and especially any expansions of power, are fully and transparently vetted by Parliament, and open to consultation from the public and all relevant stakeholders.

Last year, in response to the introduction of the Data Retention and Investigatory Powers Bill (“DRIP”), a number of leading academics in the field – including many of the signatories to this letter – called for full and proper parliamentary scrutiny of the Bill to ensure Parliamentarians were not misled as to what powers it truly contained. Our concern emanated from the Home Secretary’s attempt to characterize the Bill, which substantially expanded investigatory powers, as merely a re-affirmation of the pre-existing data retention regime.[1]

Since that letter was written, it has become apparent that the introduction of the DRIP Bill was not the only time an expansion of surveillance powers was presented in a way seemingly designed to stifle robust democratic consideration. In February 2015, the Home Office published the draft Equipment Interference Code of Practice.[2] The draft Code was the first time the intelligence services openly sought specific authorisation to hack computers both within and outside the UK. Hacking is a much more intrusive form of surveillance than any previously authorised by Parliament. It also threatens the security of all internet services as the tools intelligence services use to hack can create or maintain security vulnerabilities that may be used by criminals to commit criminal acts and other governments to invade our privacy. The Government, though, sought to authorise its hacking, not through primary legislation and full Parliamentary consideration, but via a Code of Practice.

The previous Government also introduced an amendment via the Serious Crimes Act 2015, described in the explanatory notes to the Bill as a ‘clarifying amendment’.[3] The amendment effectively exempts the police and intelligence services from criminal liability for hacking. This has had an immediate impact on the ongoing litigation of several organisations who are suing the Government based in part on the law amended, the Computer Misuse Act 1990.[4]

The Way Ahead

The new Conservative Government has announced its intention to propose new surveillance powers through a resurrection of the Communications Data Bill. This will require internet and mobile phone companies to keep records of customers’ browsing activity, social media use, emails, voice calls, online gaming and text messages for a year, and to make that information available to the government and security services. We also anticipate this Parliament will see a review of the Regulation of Investigatory Powers Act 2000, which currently regulates much of the Government’s surveillance powers. The Independent Reviewer of Terrorism Legislation, David Anderson QC, has conducted an independent review of the operation and regulation of investigatory powers, with specific reference to the interception of communications and communications data. The report of that review has been submitted to the Prime Minister, but has yet to be made public: when it is made public, parliamentary scrutiny of the report and any recommendations made following it will be essential.

As the law requires that surveillance powers must be employed proportionate to any harm to privacy caused (as required by Article 8 of the European Convention on Human Rights and Article 12 of the Universal Declaration of Human Rights) we believe that any expansion or change to the UK’s surveillance powers should be proposed in primary legislation and clearly and accurately described in the explanatory notes of any Bill. The Bill and its consequences must then be fully and frankly debated in Parliament. When reaching an assessment of the proportionality of any measure that restricts rights, both our domestic courts and the European Court of Human Rights place great stock on the degree and quality of Parliamentary involvement prior to any measure being adopted. If the matter ever came before the courts one issue examined would be the nature of any “exacting review” undertaken by MPs into the necessity of extending these powers. The Government should not be permitted to surreptitiously change the law whenever it so desires, especially where such changes put our privacy and security at risk.

This letter has been prepared and signed by 35 academic researchers. We are comprised of people from both sides of this issue – those who believe that increased powers are a reasonable response to an emerging threat, and those who think them an unjustified extension of state interference. Our common goal is to see the Rule of Law applied and Parliamentary oversight reasserted. We are calling on all members of the House of Commons, new and returning, and of all political persuasions to support us in this by ensuring Parliamentary scrutiny is applied to all developments in UK surveillance laws and powers as proposed by the current Government.

Signatories

 

Andrew Murray (contact signatory), Professor of Law, London School of Economics, a.murray@lse.ac.uk
Paul Bernal (contact signatory), Lecturer in Information Technology, Intellectual Property and Media Law, University of East Anglia, Paul.Bernal@uea.ac.uk

Subhajit Basu, Associate Professor, University of Leeds
Sally Broughton Micova, Deputy Director LSE Media Policy Project, Department of Media and Communications, London School of Economics and Political Science
Abbe E.L. Brown, Senior Lecturer, School of Law, University of Aberdeen
Ian Brown, Professor of Information Security and Privacy, Oxford Internet Institute
Ray Corrigan, Senior Lecturer in Maths, Computing and Technology, Open University
Angela Daly, Postdoctoral Research Fellow, Swinburne Institute for Social Research, Swinburne University of Technology
Richard Danbury, Postdoctoral Research Fellow, Faculty of Law, University of Cambridge
Catherine Easton, Lancaster University School of Law
Lilian Edwards, Professor of E-Governance, Strathclyde University
Andres Guadamuz, Senior Lecturer in Intellectual Property Law, University of Sussex
Edina Harbinja, Lecturer in Law, University of Hertfordshire
Julia Hörnle, Professor in Internet Law, Queen Mary University of London
Theodore Konstadinides, Senior Lecturer in Law, University of Surrey
Douwe Korff, Professor of International Law, London Metropolitan University
Mark Leiser, Postgraduate Researcher, Strathclyde University
Orla Lynskey, Assistant Professor of Law, London School of Economics
David Mead, Professor of UK Human Rights Law, UEA Law School, University of East Anglia
Robin Mansell, Professor, Department of Media and Communication, London School of Economics
Chris Marsden, Professor of Law, University of Sussex
Steve Peers, Professor of Law, University of Essex
Gavin Phillipson, Professor, Law School, University of Durham
Julia Powels, Researcher, Faculty of Law, University of Cambridge
Andrew Puddephatt, Executive Director, Global Partners Digital
Judith Rauhofer, Lecturer in IT Law, University of Edinburgh
Chris Reed, Professor of Electronic Commerce Law, Queen Mary University of London
Burkhard Schafer, Professor of Computational Legal Theory, University of Edinburgh
Joseph Savirimuthu, Senior Lecturer in Law, University of Liverpool
Andrew Scott, Associate Professor of Law, London School of Economics
Peter Sommer, Visiting Professor, Cyber Security Centre, De Montfort University
Gavin Sutter, Senior Lecturer in Media Law, Queen Mary University of London
Judith Townend, Director of the Centre for Law and Information Policy, Institute of Advanced Legal Studies, University of London
Asma Vranaki, Post-Doctoral Researcher in Cloud Computing, Queen Mary University of London
Lorna Woods, Professor of Law, University of Essex
 

 
 
[1] http://bit.ly/1jNzlUz
[2] http://bit.ly/1yiXUZD
[3] http://bit.ly/1LfVFz3
[4] http://bit.ly/1S4RCdJ


Europe and “Whistleblowers” : still a bumpy road…

by Claire Perinaud (FREE Group trainee)

On 9 and 10 April, the University Paris X Nanterre la Défense, in collaboration with the University Paris I Sorbonne, organised in Paris a conference on « whistleblowers and fundamental rights »[1]. It echoed a rising debate on the figure of whistleblowers after the numerous revelations of scandals and corruption in recent years, some of them directly linked to EU institutions. In the following lines I will try to sketch a) the general framework, then b) the main issues raised during the Conference.

A) The general framework 

The term « whistle-blower » was created by Ralph Nader in 1970 in the context of the need to ensure the defense of citizens from lobbies. He defined « whistle blowing » as « an act of a man or woman who, believing that the public interest overrides the interest of the organization he serves, blows the whistle that the organization is in corrupt, illegal, fraudulent or harmful activity »[2]. The interest of scholars and lawyers in the figure of whistle-blowers in the United States dates back to the adoption by Congress in 1863 of the False Claims Act, which is deemed to be the first legislation related to the right of alert[3].
The system which developed afterwards is notably based on the idea that whistle-blowing is a strong mechanism to fight corruption and has to be encouraged by means of financial incentives[4]. While this mechanism is of utmost importance in the United States, the protection of whistle-blowers is only slowly being introduced in Europe[5].
With numerous scandals related to systemic violations of human rights, the subject is progressively being dealt with in the European Union (EU) and in the Council of Europe. Nevertheless, in both organizations, the protection of whistleblowers remains at the stage of a project or takes the form only of recommendations to the states.

The Council of Europe…