Does the EU PNR Directive pave the way to Mass surveillance in the EU? (soon to be decided by the CJEU… )

Fundamental Rights European Experts Group

(FREE-Group)

Opinon on the broader and core issues arising in the PNR Case currently before the CJEU (Case C-817/19)

by Douwe Korff (Emeritus Professor of International Law, London Metropolitan University Associate, Oxford Martin School, University of Oxford)

(LINK TO THE FULL VERSION 148 Pages)

EXECUTIVE SUMMARY

(with a one-page “at a glance” overview of the main findings and conclusions)

Main findings and conclusions at a glance

In my opinion, the appropriate tests to be applied to mass surveillance measures such as are carried out under the PNR Directive (and were carried out under the Data Retention Directive, and are still carried out under the national data retention laws of the EU Member States that continue to apply in spite of the CJEU case-law) are:

Have the entities that apply the mass surveillance measure – i.e., in the case of the PNR Directive (and the DRD), the European Commission and the EU Member States – produced reliable, verifiable evidence:

  • that those measures have actually, demonstrably contributed significantly to the stated purpose of the measures, i.e., in relation to the PNR Directive, to the fight against PNR-relevant crimes (and in relation the DRD, to the fight against “serious crime as defined by national law”); and
  • that those measures have demonstrably not seriously negatively affected the interests and fundamental rights of the persons to whom they were applied?

If the mass surveillance measures do not demonstrably pass both these tests, they are fundamentally incompatible with European human rights and fundamental rights law and the Charter of Fundamental Rights; this means the measures must be justified, by the entities that apply them, on the basis of hard, verifiable, peer-reviewable data.

The conclusion reached by the European Commission and Dutch Minister of Justice: that overall, the PNR Directive, respectively the Dutch PNR law, had been “effective” because the EU Member States said so (Commission) or because PNR data were quite widely used and the competent authorities said so (Dutch Minister) is fundamentally flawed, given that this conclusion was reached in the absence of any real supporting data. Rather, my analyses show that:

  • Full PNR data are disproportionate to the purpose of basic identity checks;
  • The necessity of the PNR checks against Interpol’s Stolen and Lost Travel Document database is questionable;
  • The matches against unspecified national databases and “repositories” are not based on foreseeable legal rules and are therefore not based on “law”;
  • The necessity and proportionality of matches against various simple, supposedly “suspicious” elements (tickets bought from a “suspicious” travel agent; “suspicious” travel route; etc.) is highly questionable; and
  • The matches against more complex “pre-determined criteria” and profiles are inherently and irredeemably flawed and lead to tens, perhaps hundreds of thousands of innocent travellers wrongly being labelled to be a person who “may be” involved in terrorism or serious crime, and are therefore unsuited (D: ungeeignet) to the purpose of fighting terrorism and serious crime.

The hope must be that the Court will stand up for the rights of individuals, enforce the Charter of Fundamental Rights, and declare the PNR Directive (like the Data Retention Directive) to be fundamentally in breach of the Charter.

– o – O – o –

Executive Summary

This document summarises the analyses and findings in the full Opinion on the broader and core issues arising in the PNR Case currently before the CJEU (Case C-817/19), using the same headings and heading numbers. Please see the full opinion for the full analyses and extensive references. A one-page “at a glance” overview of the main findings and conclusions is also provided.

The opinion drew in particular on the following three documents, also mentioned in this Executive Summary:

– o – O – o –

  1. Introduction

In the opinion, after explaining, at 2, the broader context in which personal data are being processed under the PNR Directive, I try to assess whether the processing that the PNR Directive requires or allows is suitable, effective and proportionate to the aims of the directive. In doing so, in making those assessments, I base myself on the relevant European human rights and data protection standards, summarised at 3.

NB: The opinion focusses on the system as it is designed and intended to operate, and on what it allows (even if not everything that may be allowed is [yet] implemented in all Member States), and less on the somewhat slow implementation of the directive in the Member States and on the technical aspects that the Commission report and the staff working document often focussed on. It notes in particular a number of elements or aspects of the directive and the system it establishes that are problematic, either conceptually or in the way they are supposed to operate or to be evaluated.

2. PNR in context

In the footsteps of the US and UK intelligence services (as revealed by Snowden), the EU Member States’ law enforcement agencies are increasingly using their access to bulk data – bulk e-communications data, financial data, PNR data, etc. – to “mine” the big data sets by means of sophisticated, self-learning algorithms and Artificial Intelligence (AI).

The European Union Agency for Law Enforcement Cooperation, Europol, has become increasingly involved in algorithm/AI-based data analysis (or at least in the research underpinning those technologies), and last year the Commission proposed to significantly further expand this role.

The processing of PNR data under the PNR Directive must be seen in these wider contexts: the clear and strengthening trend towards more “proactive”, “preventive” policing by means of analyses and algorithm/AI-based data mining of (especially) large private-sector data sets and databases; the increasingly central role played by Europol in this (and the proposal to expand that role yet further); the focusing on “persons of interest” against whom there is (as yet) insufficient evidence for action under the criminal law (including, in relation to Europol, persons against whom there is an “Article 36 alert” in its SIS II database); and the still increasing intertwining of law enforcement and national security “intelligence” operations in those regards.

Notably, “Article 36 SIS alerts” have been increasing, and in the Netherlands, in 2020, 82.4% of all PNR “hits” against the Schengen Information System, confirmed by the Dutch Passenger Information Unit established under the PNR Directive, were “hits” against “Article 36 alerts”.

Human rights-, digital rights- and broader civil society NGOs have strongly criticised these developments and warned of the serious negative consequences. Those concerns should be taken seriously, and be properly responded to.

3 Legal standards

General fundamental rights standards stipulate that all interferences with fundamental rights must be based on a “law” that meets the European “quality of law” standards: the law must be public, clear and specific, and foreseeable in its application; the interferences must be limited to what is “necessary” and “proportionate” to serve a “legitimate aim” in a democratic society; the relevant limitations must be set out in the law itself (and not left to the discretion of states or state authorities); and those affected by the interferences must be able to challenge them and have a remedy in a court of law. Generalised, indiscriminate surveillance of whole populations (such as all air passengers flying to or from the EU) violates the EU Charter of Fundamental Rights. A special exception to this prohibition accepted by the EU Court of Justice in the La Quadrature du Net case, which allows EU Member States to respond to “serious”, “genuine and present or foreseeable” threats to “the essential functions of the State and the fundamental interests of society” must be strictly limited in time and place: it cannot form the basis for continuous surveillance of large populations (such as all air passengers) generally, on a continuous, indefinite basis: that would turn the (exceptional) exception into the rule. Yet that is precisely what the PNR Directive provides for.

European data protection law expands on the above general principles in relation to the processing of personal data. The (strict) case-law of the CJEU and the European Court of Human Rights on data protection generally and generalised surveillance in particular are reflected in the European Data Protection Board’s European Essential Guarantees for surveillance (EEGs).

Processing of information on a person suggesting that that person “may be” involved in criminal activities is subject to especially strict tests of legitimacy, necessity and proportionality.

Contrary to assertions by the European Commission and representatives of EU Member States (inter alia, at the hearing in the PNR case in July 2021) that the processing under the PNR Directive has little or no effect on the rights and interests of the data subjects, the processing under the directive must under EU data protection law be classified as posing “high risks” to the fundamental rights and interests of hundreds of millions of airline passengers.

Under the Law Enforcement Directive (as under the GDPR), this means that the processing should be subject to careful evaluation of the risks and the taking of remedial action to prevent, as far as possible, any negative consequences of the processing – such as the creation of “false positives” (cases in which a person is wrongly labelled to be a person who “may be” involved in terrorism or serious crime). It also means that if it is not possible to avoid excessive negative consequences, the processing is “not fit for purpose” and should not be used.

Under the proposed Artificial Intelligence Act that is currently under consideration, similar duties of assessment and remedial action – or abandoning of systems – are to apply to AI-based processes.

4 The PNR Directive

4.1 Introduction

4.2 The system

Under the PNR Directive, special “Passenger Information Units” (PIUs) in each EU Member State match the data contained in so-called passenger name records (PNRs) that airlines flying into or from the EU have to provide to those units against supposedly relevant lists and databases, to both identify already “known” formally wanted persons or already “known” “persons of interest” who “may be” involved in terrorism or other serious crime, and to “identify” (i.e., label) previously “unknown” persons who “may be” involved in such activities by means of “risk analyses” and the identification of “patterns” and “profiles” based on the identified patterns (see below, at 4.7).

The opinion analyses and assesses all major elements of the system in turn.

4.3 The aims of the PNR Directive

In simple terms, the overall aim of the PNR Directive is to facilitate the apprehension of terrorists and individuals who are involved in terrorism or other serious transnational crime, including in particular international drug- and people trafficking.

However, the first aim of the checking of the PNR data by the PIUs is more limited than the aims of the directive overall; this is: to identify persons who require further examination by the competent authorities [see below, at 4.5], and, where relevant, by Europol [see below, at 4.11], in view of the fact [?] that such persons may be involved in a terrorist offence or serious crime. (Article 6(1)(a))

When there is a match of PNR data against various lists, i.e., a “hit” (see below, at 4.9), the PNR passes this “hit” on to certain “competent authorities” (see below, at 4.5) for “further examination”; if the initial “hit” was generated by automated means, this is only done after a manual review by PIU staff. In practice, about 80% of initial “hits” are discarded (see below, at 4.9).

It is one of the main points of the opinion that the suitability, effectiveness and proportionality of the PNR Directive cannot and should not be assessed by reference to the number of initial “hits” noted by the PIUs, compared to the number of cases passed on for “further examination” to the competent authorities, but rather, with reference to more concrete outcomes (as is done in section 5.2).

4.4 The Legal Basis of the PNR Directive

It appears obvious from the Court of Justice opinion on the Draft EU-Canada Agreement that the PNR Directive, like that draft agreement, should have been based on Articles 16 and 87(2)(a) TFEU, and not on Article 82(1) TFEU. It follows that the PNR Directive, too, appears to not have been adopted in accordance with the properly applicable procedure. That could lead to the directive being declared invalid on that ground alone.

4.5 The Competent Authorities

Although most competent authorities (authorities authorised to receive PNR data and the results of processing of PNR data from the PIUs) in the EU Member States are law enforcement agencies, “many Member States [have designated] intelligence services, including military intelligence services, as authorities competent to receive and request PNR data from the Passenger Information Unit”, and “in some Member States the PIUs are actually “embedded in … [the] state security agenc[ies]”.

Given the increasingly close cooperation between law enforcement agencies (and border agencies) and intelligence agencies, in particular in relation to the mining of large data sets and the development of evermore sophisticated AI-based data mining technologies by the agencies working together (and in future especially also with and through Europol), this involvement of the intelligence agencies (and in future, Europol) in PNR data mining must be seen as a matter of major concern.

4.6 The crimes covered (“PNR- Relevant offences”)

The PNR Directive stipulates that PNR data and the results of processing of PNR data may only be used for a range of terrorist and other serious offences, as defined in Directive 2017/541 and in an annex to the PNR Directive, respectively (so-called “PNR-relevant offences”).

The processing under the PNR Directive aims to single out quite different categories of data subjects from this large base: on the one hand, it seeks to identify already “known” formally wanted persons (i.e., persons formally designated suspects under criminal [procedure] law, persons formally charged with or indicted for, or indeed already convicted of PNR-relevant offences) and already “known” “persons of interest” (but who are not yet formally wanted) by checking basic identity data in the PNRs against the corresponding data in “wanted” lists (such as “Article 26 alerts” in SIS II); and on the other hand, it seeks to “identify” previously “unknown” persons as possibly being terrorist or serious criminals, or “of interest”, on the basis of vague indications and probability scores. In the latter case, the term “identifying” means no more than labelling a person as a possible suspect or “person of interest” on the basis of a probability.

The opinion argues that any assessment of the suitability, effectiveness and proportionality of the processing must make a fundamental distinction between these different categories of data subjects (as is done in section 5).

4.7 The categories of personal data processed

An annex to the PNR Directive lists the specific categories of data that airlines must send to the database of the PIU of the Member State on the territory of which the flight will land or from the territory of which the flight will depart. This obligation is stipulated with regard to extra-EU flights but can be extended by each Member State to apply also to intra-EU flights  – and all but one Member States have done so. The list of PNR data is much longer than the Advance Passenger Information (API) data that airlines must already send to the Member States under the API Directive, and includes information on travel agents used, travel routes, email addresses, payment (card) details, luggage, and fellow travellers. On the other hand, often some basic details (such as date of birth) are not included in the APIs.

The use of sensitive data

The PNR Directive prohibits the processing of sensitive data, i.e., “data revealing a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation”. In the event that PNR data revealing such information are received by a PIU, they must be deleted immediately. Moreover, competent authorities may not take “any decision that produces an adverse legal effect on a person or significantly affects a person” on the basis of such data. However, PNR data can be matched against national lists and data “repositories” that may well contain sensitive data. Moreover, as noted at 4.9(f), below, the provisions in the PNR Directive do not really protect against discriminatory outcomes of the profiling that it encourages.

4.8 The different kinds of matches

(a) Matching of basic identity data in PNRs against the identity data of “known” formally wanted persons

PNR data are matched against SIS II alerts on “known” formally wanted persons (including “Article 26 alerts”) and against “relevant” national lists of “known” formally wanted persons.

This is usually done by automated means, followed by a manual review. The Commission reports that approximately 81% of all initial matches are rejected – and not passed on to competent authorities for further examination. Notably:

– the quality of the PNR data as received by the PIUs, including even of the basic identity data, is apparently terrible and often “limited”; this is almost certainly the reason for the vast majority of the 81% rejections;

– most of the long lists of PNR data are not needed for basic identity checks: full names, date of birth, gender and citizenship/nationality should suffice – and a passport or identity card number would make the match more reliable still. All those data are included in the API data, and all are included in optical character recognition format in the machine-readable travel documents (MRTD) that have been in wide use since the 1980s.

In other words, paradoxically, PNR data are both excessive for the purpose of basic identity checks (by containing extensive data that are not needed for such checks), and insufficient (“too limited”), in particular in relation to intra-Schengen flights (by not [always] including the dates of birth of the passengers).

– the lists against which the PNR data are compared, including in particular the SIS alerts and the EAW lists, but also many national lists, relate to many more crimes than are subject to the PNR Directive (“PNR-relevant offences”) – but in several Member States “hits” against not-PNR-relevant suspects (etc.) are still passed on to competent authorities, in clear breach of the purpose-limitation principle underpinning the directive.

In that respect, it should be noted that the Commission staff working document claims that in relation to situations in which the PNR data is “too limited” (typically, by not including date of birth), “[t]he individual manual review provided for in Article 6.5 of the PNR Directive protects individuals against the adverse impact of potential ‘false positives’” – but this is simply untrue: While a confirmed matching of identity data in relation to a person who is formally wanted in relation to PNR-relevant offences can be regarded as a “positive” result of the identity check, a “hit” in relation to a person who is wanted for not-PNR-relevant offences should of course not be regarded as a positive result under the PNR Directive.

(b) Matching of basic identity data in PNRs against the identity data of “known” “persons of interest”

In principle, the matching of basic identity data from PNRs against lists of basic identity data of “persons of interest” listed in the SIS system (and comparable categories in national law enforcement repositories), like the matching of data on formally wanted persons, should be fairly straight-forward.

However, the PNRs in this regard first of all suffer from the same two deficiencies as were discussed in relation to matches for formally wanted persons, discussed at (a), above: PNR data are both excessive for the purpose of basic identity checks (by containing extensive data that are not needed for such checks), and insufficient (“too limited”), in particular in relation to intra-Schengen flights (by not [always] including the dates of birth of the passengers). The third issue identified in the previous sub-section, that SIS alerts (and similar alerts in national law enforcement repositories) can relate to many more criminal offences than those that are “PNR-relevant” also applies: many persons labelled “person of interest” will be so labelled in relation to “non-PNR-relevant” offences.

In my opinion, while a confirmed matching of identity data in relation to persons who are formally wanted in relation to (formally suspected of, charged with, or convicted of) PNR-relevant offences can be regarded as a “positive” result of an identity check, a “hit” in relation to persons who are labelled “person of interest” should not be regarded as a positive result under the PNR Directive – certainly of course not if they are so labelled in relation to non-PNR-relevant offences, but also not if they are in no way implicated as in any way being culpable of PNR-relevant offences.

In my opinion, even confirmed “hits” confirming the identity of already listed “persons of interest” should not be regarded as “positive” results under the PNR Directive unless they result in those persons subsequently being formally declared to be formal suspects in relation to terrorist or other serious, PNR-relevant criminal offences.

(c) Matching of PNR Data against data on lost/stolen/fake credit cards and lost/stolen/fake identity or travel documents

The staff working document makes clear that PNR data are checked by “a large majority of PIUs” against Interpol’s Stolen and Lost Travel Document database as one “relevant database”. However, this is somewhat of a residual check because that database is also already made available to airlines through Interpol’s “I-Checkit” facility. Moreover:

Even leaving the issue of purpose-limitation aside, a “hit” against a listed lost/stolen/fake credit card or a lost/stolen/fake identity or travel document should still only be considered a “positive result” in terms of the PNR Directive if it results in a person subsequently being formally declared to be (at least) a formal suspect in relation to terrorist or other serious, PNR-relevant criminal offences.

(d) Matching of PNR data against other, unspecified, supposedly relevant (in particular national) databases

It is far from clear what databases can be – and in practice, in the different Member States, what databases actually are – regarded as “relevant databases” in terms of the PNR Directive: this is left to the Member States. At the July 2021 Court hearing, the representative of the Commission said that the data of Facebook, Amazon and Google could not be regarded as “relevant”, and that law enforcement databases (des bases policières) would be the most obvious “relevant” databases. But the Commission did not exclude matches against other databases with relatively “hard” data, such as databases with financial data (credit card data?) or telecommunications data (location data?).

The vagueness of the phrase “relevant databases” in Article 6(3)(a) and the apparently wide discretion granted to Member States to allow matching against all sorts of unspecified data sets is incompatible with the Charter of Fundamental Rights and the European Convention on Human Rights. It means that the application of the law is not clear or foreseeable to those affected – i.e., the provision is not “law” in the sense of the Charter and the Convention (and EU law generally) – and that the laws can be applied in a disproportionate manner.

In other words, even in relation to the basic checks on the basis of lists of “simple selectors”, the PNR Directive does not ensure that those checks are based on clear, precise, and in their application foreseeable Member State laws, or that those laws are only applied in a proportionate manner. In the terminology of the European Court of Human Rights, the directive does not protect individuals against arbitrary interferences with the rights to privacy and protection of personal data.

(e) Matching of PNR data against lists of “suspicious travel agents”, “suspicious routes”, etc.

The staff working document repeatedly refers to checks of PNR data against “patterns” such as tickets being bought from “suspicious” travel agents; the use of “suspicious” travel routes; passengers carrying “suspicious” amounts of luggage (and the Dutch evaluation report even mentions that a person wearing a suit and hastening through customs [while being black] was regarded by custom authorities as fitting a “suspicious” pattern). No proper prosecuting or judicial authority could declare travellers to be a formal suspect – let alone to charge, prosecute or convict a traveller – on the basis of a match against such simple “suspicious” elements alone. In my opinion:

For the purpose of evaluating the suitability, effectiveness and proportionality of the PNR Directive (and of the practices under the directive), a simple “hit” against these vague and far-from-conclusive factors or “criteria” should not be regarded as a “positive” result. Rather, a “hit” against such vague “criteria” as the purchase of an air ticket from a “suspicious” travel agent, or the using of a “suspicious” route, or the carrying of a “suspicious” amount of luggage – let alone “walking fast in a suit (while being black)” – should again only be considered a “positive result” in terms of the PNR Directive if it result in a person subsequently being formally declared to be (at least) a formal suspect in relation to terrorist or other serious, PNR-relevant criminal offences.

(f) Matching of data in the PNRs against more complex “pre-determined criteria” or profiles

(fa)      Introduction

Under the PNR Directive, PIUs may, in the course of carrying out their assessment of whether passengers “may be involved in a terrorist offence or [other] serious crime”, “process PNR data against pre-determined criteria”. As also noted by the EDPS, it is clear that the PNR data can be matched against “patterns” discerned in previous data and against “profiles” of possible terrorists and serious criminals created on the basis of these patterns, that are more complex than the simple patterns discussed at (e), above. This is also undoubtedly the direction in which searches for terrorists and other serious criminals are moving.

(fb)      The nature of the “pre-determined criteria”/“profiles”

The EU and EU Member State agencies are increasingly applying, or are poised to apply, increasingly sophisticated data mining technologies such as are already used by the UK (and US) agencies. This involves self-learning, AI-based algorithms that are constantly dynamically re-generated and refined through loops linking back to earlier analyses. The software creates constantly self-improving and refining profiles against which it matches the massive amounts of data – and in the end, it produces lists of individuals that the algorithm suggests may (possibly or probably) be terrorists, or associates of terrorists or other serious criminals. It is the stated policy of the EU to accelerate the development and deployment of these sophisticated technologies, under the guidance of Europol.

Whatever the current level of use of such sophisticated techniques in law enforcement and national security contexts in the Member States (as discussed at (fd), below), if the PNR Directive is upheld as valid in its current terms, nothing will stand in the way of the ever-greater deployment of these more sophisticated (but flawed) technologies in relation to air passengers. That would also pave the way to yet further use of such (dangerous) data mining and profiling in relation to other large population sets (such as all users of electronic communications, or of bank cards).

(fc)      The creation of the “pre-determined criteria”/“profiles”

Given (a) the increasingly sophisticated surveillance and data analysis/data mining/risk assessment technologies developed by the intelligence services of the EU Member States (often drawing on US and UK experience) and now also by law enforcement agencies and (b) the clear role assigned to Europol in this respect, it would appear clear that there is being developed a cadre of data mining specialists in the EU – and that the PNR data are one of the focus areas for this work. In other words, the “pre-determined criteria” – or AI-based algorithms – that are to be used in the mining of the PNR data are being developed, not solely by or within the PIUs but by this broader cadre that draws in particular on intelligence experts (some of whom may be embedded in the PIUs). The PNR databases are (also) between them a test laboratory for data mining/profiling technologies. And (c) there is nothing in the PNR Directive that stands in the way of using other data than PNR data in the creation of “pre-determined criteria”, or indeed in the way of using profiles developed by other agencies (including intelligence agencies) as “pre-determined criteria” in the PIU analyses.

(fd)      The application of the more complex “pre-determined criteria”/“profiles” in practice

It would appear that to date, few Member States are as yet using data mining in relation to PNR data in as sophisticated a way as described in sub-section (fb), above (or at least acknowledge such uses).

However, in a range of EU Member States algorithm/AI-based profiling is already in use in relation to broader law enforcement (and especially crime prevention). Moreover, the aim of the Commission and the Member States is expressly to significantly expand this use, with the help of Europol and its Travel Intelligence Task Force, and through “training on the development of pre-determined criteria” in “an ongoing EU-funded project, financed under the ISF-Police Union Actions.”

This merely underlines the point I made in the previous sub-sections: that the PNR database is being used as a test laboratory for advanced data mining technologies, and that if the PNR Directive is upheld as valid in its current terms, nothing will stand in the way of the ever-greater deployment of these more sophisticated (but flawed) technologies in relation to air passengers, and others. The fact that sophisticated data mining and profiling is said to not yet be in widespread operational use in most Member States should not be a reason for ignoring this issue – on the contrary: this is the desired destination of the analyses.

(fe)      The limitations of and flaws in the technologies

There are three main problems with algorithmic data mining-based detection of rare phenomena (such as terrorists and serious criminals in a general population):

– The base-rate fallacy and its effect on false positives:

In very simple layperson’s terms, the base-rate fallacy means that if you are looking for very rare instances or phenomena in a very large dataset, you will inevitably obtain a very high percentage of false positives in particular – and this cannot be remedied by adding more or somehow “better” data: by adding hay to a haystack.

As noted above, at 4.7, a very rough guess would be that on average the 1 billion people counted by Eurostat as flying to or from the EU relate to 500 million distinct individuals. In other words, the base rate for PNR data can be reasonably assumed to be in the region of 500 million.

The Commission reports that there are initial “hits” in relation to 0.59% of all PNRs, while 0.11% of all PNRs are passed on as confirmed “hits” to competent authorities for “further examination”. The Commission report and the staff working document appear to imply – and certainly do nothing to refute – that the 0.11% of all confirmed “hits” that are passed on to competent authorities are all “true positives”. However, that glaringly fails to take account of the base rate, and its impact on results.

Even if the PNR checks had a failure rate of just 0.1% (meaning that (1) in relation to persons who are actually terrorists or serious criminals, the PIUs will rightly confirm this as a proper “hit” 99.9% of the time, and fail to do so 0.1% of the time and (2) in relation to persons who are not terrorists, the PIUs will rightly not generate a confirmed “hit” 99.9% of the time, but wrongly register the innocent person as a confirmed “hit” 0.1% of the time) the probability that a person flagged by this system is actually a terrorist would still be closer to 1% than to 99%. In any case, even if the accuracy rate of the PNR checks were to be as high as this assumed 99.9% (which of course is unrealistic), that would still lead to some 500,000 false positives each year.

Yet the Commission documentation is silent about this.

– Built-in biases:

The Commission staff working document claims that, because the “pre-determined criteria” that are used in algorithmic profiling may not be based on sensitive data, “the assessment cannot be carried out in a discriminatory manner” and that “[t]his limits the risk that discriminatory profiling will be carried out by the authorities.” This is simply wrong.

In simple terms: since “intimate part[s] of [a person’s] private life” can be deduced, or at least inferred, from seemingly innocuous information – such as data included in PNRs (in particular if matched against other data) – those “intimate aspects” are not “fully protected by the processing operations provided for in the PNR Directive”. Indeed, in a way, the claim to the contrary is absurd: the whole point of “risk analysis” based on “pre-determined criteria” is to discover unknown, indeed hidden matters about the individuals who are being profiled: inferring from the data on those people, on the basis of the application of those criteria, that they are persons who “may be” involved in terrorism or other serious crimes surely is a deduction of an “intimate aspect” of those persons (even if it is not specifically or necessarily a sensitive datum in the GDPR sense – although if the inference was that a person “might be” an Islamist terrorist, that would be a [tentatively] sensitive datum in the strict sense). Moreover, even without specifically using or revealing sensitive information, the outcomes of algorithmic analyses and processing, and the application of “abstract”, algorithm/AI-based criteria to “real” people can still lead to discrimination.

The PNR Directive stipulates that the assessment[s] of passengers prior to their scheduled arrival in or departure from the Member State carried out with the aim of identifying persons who require further examination by the competent authorities of the directive “shall be carried out in a non-discriminatory manner”. However, this falls considerably short of stipulating: (i) that the “pre-determined criteria” (the outputs of the algorithms) are not biased in some way and (ii) that measures must be taken to ensure that the outcomes of the assessments are not discriminatory. It is important to address both those issues (as explained in a recent EDRi/TU Delft report).

Given that profile-based matches to detect terrorists and other serious criminals are inherently “high risk” (as noted at 3, above and further discussed at 5, below), it requires an in-depth Data Protection Impact Assessment under EU data protection law, and indeed a broader human rights impact assessment. The need for serious pre-evaluation of algorithms to be used in data mining and for continuous re-evaluation throughout their use is also stressed in various paragraphs in the recent Council of Europe recommendation on profiling. The proposed AI Act also requires this.

However, no serious efforts have been made by the European Commission or the EU Member States to fulfil these duties. Neither have ensured that full, appropriate basic information required for such serious ex ante  and ex post evaluations is even sought or recorded.

In sum: the European Commission and the EU Member States have not ensured that in practice the processing of the PNR data, and the linking of those data to other data (databases and lists), does not have discriminatory outcomes. The mere stipulation that outputs of algorithmic/AI-based profiling should not be “solely based on” sensitive aspects of the data subjects (the airline passengers) falls far short of ensuring compliance with the prohibition of discrimination.

– Opacity and unchallengeability of decisions:

In the more developed “artificial intelligence” or “expert” systems, the computers operating the relevant programmes create feedback loops that continuously improve the underlying algorithms – with almost no-one in the end being able to explain the results: the analyses are based on underlying code that cannot be properly understood by many who rely on them, or even expressed in plain language. This makes it extremely difficult to provide for serious accountability in relation to, and redress against, algorithm-based decisions generally. Profiling thus poses a serious threat of a Kafkaesque world in which powerful agencies take decisions that significantly affect individuals, without those decision-makers being able or willing to explain the underlying reasoning for those decisions, and in which those subjects are denied any effective individual or collective remedies.

That is how serious the issue of profiling is: it poses a fundamental threat to the most basic principles of the Rule of Law and the relationship between the powerful and the people in a democratic society. Specifically in relation to PNR:

– PIU staff cannot challenge algorithm-based computer outputs;

– The staff of the competent authorities are also unlikely (or indeed also effectively unable) to challenge the computer output; and

– Supervisory bodies cannot properly assess the systems.

External supervisory bodies such as Member States’ data protection supervisory authorities will generally not be given access to the underlying data, cannot review the algorithms at the design stage or at regular intervals after deployment and in any case do not have the expertise. Internal bodies are unlikely to be critical and may involve the very people who design the system (who write the code that provides the [dynamic] algorithm). The report on the evaluation of the Dutch PNR Law noted that under that law (under which the algorithms/profiles are supposed to be checked by a special commission):

The rules [on the creation of the pre-determined criteria] do not require the weighing [of the elements] or the threshold value [for regarding a “hit” against those criteria to be a valid one] to meet objective scientific standards.

This is quite an astonishing matter. It acknowledges that the algorithm/AI-based profiles are essentially unscientific. In my opinion, this fatally undermines the way the pre-determined criteria are created and “tested” in the Netherlands. Yet at the same time, the Dutch system, with this “special commission”, is probably better than what is in place in most other EU Member States. This surely is a matter that should be taken into account in any assessment of the PNR system EU-wide – including the assessment that is shortly to be made by the Luxembourg Court.

In sum:

– because the “base-rate” for the PNR data mining is so high (in the region of 500 million people) and the incidence of terrorists and serious criminals within this population so relatively low, algorithm/AI-based profiling is likely to result in tens of thousands of “false positives”: individual air passengers who are wrongly labelled to a be person who “may be” involved in terrorism or other serious crime;

– the provisions in the PNR Directive that stipulate that no sensitive data may be processed, and that individual decisions and matches may not be “solely based on” sensitive aspects of the individuals concerned do not protect those individuals from discriminatory outcomes of the profiling;

– the algorithm/AI-based outcomes of the processing are almost impossible to challenge because those algorithms are constantly dynamically changed (“improved” through self-learning) and therefore in effect impossible to fully comprehend even by those carrying out the analyses/risk assessments; and

– the outputs and outcomes of the algorithm/AI-based profiling and data mining and matching are not subject to proper scientific testing or auditing, and extremely unlikely to made subject to such testing and auditing.

4.9 Direct access to PNR data by EU Member States’ intelligence agencies

It appears that at least in the Netherlands, the national intelligence agencies are granted direct access to the bulk PNR database, without having to go through the PIU (or at least without this being properly recorded). If the Dutch authorities were to argue that such direct access to data by the Dutch intelligence agencies is outside EU law, they would be wrong. Specifically, in its LQDN judgment, the CJEU held that the rules on personal data processing operations by entities that are, in that processing, subject to EU data protection law (in that case, providers of electronic communication services, who are subject to the e-Privacy Directive), including processing operations by such entities resulting from obligations imposed on them (under the law) by Member States’ public authorities (in that case, for national security purposes) can be assessed for their compatibility with the relevant EU data protection instrument and the Charter of Fundamental Rights.

In my opinion, if the Dutch intelligence and security agencies do indeed have direct access to the PNR database, without having to go through the Dutch PIU (the Pi-NL), or without that being recorded – as appears to be pretty obviously the case – that is in direct breach of the PNR Directive, of the EU data protection instruments, and of the EU Charter of Fundamental Rights.

Whether the EU data protection instruments and the PNR Directive are similarly circumvented in other EU Member States, I do not know. Let me just recall that in several Member States, the PIU is “embedded in … [the] state security agenc[ies]”. However, the Dutch example shows how dangerous, in a democratic society, the accruing of such bulk databases is.

4.10 Dissemination and subsequent use of the data and purpose-limitation

(a) Spontaneous provision of PNR data and information on (confirmed) “hits”

In principle, subject only to a “relevant and necessary” requirement in relation to transmissions to the other PIUs, confirmed “hits” can be very widely shared across all the EU Member States, both between the PIUs but also, via the PIUs, with any “competent authority” in any Member State (including intelligence agencies where those are designated as such: see at 4.5, above).

(aa)     Spontaneous provision of information to domestic competent authorities on the basis of matches against lists and databases (including SIS II)

The Commission staff working report gives no insight into the actual scope of spontaneous dissemination of PNR data or “results of the processing” of PNR data by the PIUs on the basis of (confirmed) “hits” to competent authorities in the PIUs’ own countries.

The report on the evaluation of the Dutch PNR Law suggests that, in that country, spontaneous provisions of PNR to Dutch authorities “for further examination” are still effectively limited to (confirmed) matches against the SIS II database, and indeed to matches against the alerts listed in Articles 26 and 36 of the Council Decision establishing that database (respectively, alerts for persons wanted for arrest for extradition, and alerts relating to people or vehicles requiring discreet checks). The Dutch SIS II matches amounted to roughly 10 in every 100,000 passengers (2:100,000 “Article 26” matches and 8:100,000 “Article 36” matches).

If the Dutch statistics of 10:100,000 and 82.4% are representative of the overall situation in the EU, this would mean that each year, out of the 500 million passengers on whom PNR data are collected annually, approximately 50,000 passengers are subjected to “further examination” on the basis of a SIS II match, 40,000 of whom are relate to “Article 36 alerts”, i.e., to “persons of interest” who are not (yet) formally wanted in relation to any crime (let alone a PNR-relevant one).

But of course, there are also (confirmed) “hits” on other bases (including on the basis of “pre-determined criteria” and matches resulting from requests for information) – and other countries may also match against more than just Article 26 and Article 36 alerts on SIS II.

(ab)     Spontaneous provision of information to other PIUs on the basis of matches against lists and databases (including SIS II)

It would appear that, until now, in practice, information – including information on matches against SIS II alerts – is only rarely spontaneously shared between PIUs.

However, the clear aim of the Commission is to significantly increase the number of spontaneous transmissions of PNR data and of information on (confirmed) “hits” against SIS II (or against pre-determined criteria: see below) between PIUs, and via PIUs to competent authorities in other EU Member States (again including intelligence agencies in Member States where those are designated as such).

(ac)     Spontaneous provision of information to domestic competent authorities and to other PIUs on the basis of matches against pre-determined criteria

It would appear that matching of PNR data against pre-determined criteria – and consequently also the spontaneous informing of competent authorities of (confirmed) “hits” against such criteria – is still extremely rare in the EU Member States. However, the aim is for the use of such criteria to be greatly expanded.

(ad)     Spontaneous provision of “results of processing” of PNR data other than information on matches against list or databases (such as SIS II) or pre-determined criteria

The spontaneous sharing of new or improved criteria is more likely to occur within the data mining cadre that is being formed (see above, at 4.9(fc)), rather than done through exchanges between PIUs. But that of course does not mean that it will not occur – on the contrary, the aim is clearly to extend the use of pre-determined criteria, and for the EU Member States to cooperate much more closely in the development and sharing of those criteria, specifically through a much-enhanced role for Europol.

(b) Provision of PNR data and analysis data to competent authorities, other PIUs or Europol on request

(ba)     Provision of information to domestic competent authorities at the request of such authorities

In relation to the provision of information by the PIUs to their domestic competent authorities at the latter’s request, the relevant national rules apply. The Commission staff working document provides no information whatsoever on the extent to which this option is used beyond saying that the numbers are increasing. In the Netherlands, some procedural safeguards are established to seek to ensure that requests are only made in appropriate cases, and in particular only in relation to PNR-relevant offences. Whether other Member States impose procedural safeguards such as prior authorisation of requests from certain senior officials, I do not know. The PNR Directive does not require them (it leaves this to the laws of the Member States) and the Commission staff working report does not mention them.

(bb)     Provision of information to competent authorities of other EU Member States at the request of such authorities

The Commission claims that provision of PNR data at the request of competent authorities of other EU Member States is one part of the PNR system that operates well. However, the Commission staff working report suggests that there are problems, in particular in relation to compliance with the purpose-limitation principle underpinning the PNR Directive: see below, at (d).

Moreover, if the Dutch data are anything to go by, it would appear that the vast majority of requests for PNR data come from the national authorities of the PIU’s own country: in the Netherlands, in 2019-20, there were 3,130 requests from national authorities, against just 375 requests from other PIUs and authorities in other EU Member States. This rather qualifies the Commission claim that “the exchange of data between the Member States based on requests functions in an effective manner” and that “[t]he number of requests has grown consistently”. Both statements could be true, but the actual total numbers of requests from other Member States may still be extremely low (for now), at least in comparison with the number of requests the PIUs receive from their own national authorities.

(bc)     Provision of information to Europol at the latter’s request

The Commission staff working document does not provide any information on the number of requests made by Europol, or on the responses to such requests from the PIUs. The report on the evaluation of the Dutch PNR notes that within Europol there appear to be no procedural conditions or safeguards relating to the making of requests (such as the safeguard that requests from Dutch authorities must be checked by a Dutch prosecutor (OvJ).

If the Dutch data are anything to go by, it would appear that there are in fact very view requests for information from Europol: in that country, the PIU only received 32 such requests between June 2019 and the end of 2020, i.e., less than two a month. But if Europol is to be given a much more central role in the processing of PNR data, especially in the matching of those data against more sophisticated pre-determined criteria (with Europol playing the central role in the development of those more sophisticated criteria, as planned), the cooperation between the Member States’ PIUs and Europol, and the sharing of PNR data and data on “hits”, is certain to greatly expand.

(c) Transfer of PNR data to third countries on a case-by-case basis.

The transfer of PNR data by the Member States to countries outside the EU is only allowed on a case-by-case basis and only when necessary for fighting terrorism and serious crime, and PNR data may be shared only with public authorities that are competent for combating PNR-relevant offences. Moreover, the DPO of the relevant PIU must be informed of all such transfers.

However, the Commission reports that four Member States have failed to fully transpose other conditions provided for by the Directive relating to the purposes for which the data can be transferred or the authorities competent to receive it, and two do not require the informing of the DPO.

It is seriously worrying that several Member States do not adhere to the conditions and safeguards relating to transfers of PNR data (and of “the results of processing” of PNR data – which can include the fact that there was a “hit” against lists or criteria) to third countries that may not have adequate data protection rules (or indeed other relevant rule of law-conform rules) in place. Some of the (unnamed) Member States that do not comply with the PNR Directive in this regard are likely to pass on such data in breach of the Directive (in particular, without ensuring that the data are only used in the fight against terrorism and serious crime) to close security and political allies such as the ones that make up the “Five Eyes” intelligence group: the USA, the UK, Australia, Canada and New Zealand.

This concern is especially aggravated in relation to the USA, which the Court of Justice has now held several times to not provide adequate protection to personal data transferred to it from the EU, specifically because of its excessive mass surveillance (and there are similar concerns in relation to the UK, in spite of the Commission having issued an adequacy decision in respect of that country).

Moreover, neither the Commission staff working document nor the Dutch report provides any information on how it is – or indeed can be – guaranteed that data provided in response to a request from a third country are really only used by that third country in relation to PNR-relevant offences, or how this is – or indeed can be – monitored.

For instance, if data are provided to the US Federal Bureau of Investigation (FBI) in relation to an investigation into suspected terrorist activity, those data will also become available to the US National Security Agency (NSA), which may use them in relation to much broader “foreign intelligence purposes”. That issue of course arises in relation to provision of information from any EU Member State to any third country that has excessive surveillance laws.

Furthermore, if I am right to believe that the Dutch intelligence agencies have secret, unrecorded direct access to the PNR database (see above, at 4.10), they may also be sharing data from that database more directly with intelligence partners in other countries, including third countries, bypassing the whole PNR Directive system. Neither the Commission staff working document nor the report on the evaluation of the Dutch PNR law addresses this issue. And that issue, too, may well arise also in relation to other EU Member States.

(d) Subsequent use of the data and purpose-limitation

In principle, any information provided by the PIUs to any other entities, at home or abroad, or to Europol, is to be used by any recipient only for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, more specifically for the prevention, detection, investigation and prosecution of PNR-relevant offences.

But it has become clear that this is far from assured in practice:

– because of the dilemma faced by PIUs in some EU Member States caused by the duty of any agency to pursue any offence that comes to their attention, the PIUs in some Member States pass on information also on (confirmed) “hits” relating to not-PNR-relevant offences (both spontaneously and in response to requests), and those data are then used in relation to the prevention, detection, investigation and prosecution of those not-PNR-relevant offences;

– in the Netherlands (and probably other Member States), once information is provided to a domestic competent authority, those data enter the databases of that authority (e.g., the general police databases) and will be subject to the legal regime that applies to the relevant database – which means that there is no guarantee that their subsequent use is in practice limited to PNR-relevant offences;

– when PNR data are provided by a PIU of one Member State to a PIU of another Member State (or to several or all of the other PIUs), they are provided subject to the purpose-limitation principle of the PNR Directive – but if those data are then provided by the recipient PIU(s) to competent authorities in their own countries, the same problems arise as noted in the previous indents;

– Member States take rather different views of what constitute PNR-relevant offences, and some make “broad and unspecified requests to many (or even all Passenger Information Units)” – suggesting that in this regard, too, the purpose-limitation principle is not always fully adhered to;

– within Europol there appears to be no procedural conditions or safeguards relating to the making of requests for PNR data from PIUs (such as the safeguard that requests from Dutch authorities must be checked by a Dutch prosecutor) and the Commission staff report does not indicate whether all the PIUs check whether Europol requests are strictly limited to PNR-relevant offences (or if they do, how strict and effective those checks are);

– “four Member States have failed to fully transpose … [the] conditions provided for by the Directive relating to the purposes for which [PNR data] can be transferred [to third countries] or [relating to] the authorities competent to receive [such data]”;

– neither the Commission staff working document nor the Dutch report provides any information on how it is – or indeed can be – guaranteed that data provided in response to a request from a third country are really only used by that third country in relation to PNR-relevant offences, or how this is – or indeed can be – monitored;

and

– if I am right to believe that the Dutch intelligence agencies have secret, unrecorded direct access to the PNR database, they may also be sharing data from that database more directly with intelligence partners in other countries, including third countries, bypassing the whole PNR Directive system. Neither the Commission staff working document nor the report on the evaluation of the Dutch PNR law addresses this issue. And that issue, too, may well arise also in relation to other EU Member States.

In sum: There are major deficiencies in the system as concerns compliance, by the EU Member States, by Europol, and by third countries that may receive PNR data on a case-by-case-basis, with the fundamental purpose-limitation principle underpinning the PNR Directive, i.e., with the rule that any PNR data (or data resulting from the processing of PNR data) may only be used – not just by the PIUs, but also by any other entities that may receive those data – for the purposes of the prevention, detection, investigation and prosecution of PNR-relevant offences. In simple terms: in this respect, the PNR system leaks like a sieve.

4.11 The consequences of a “match”

It is quite clear from the available information that confirmed “hits” and the associated PNR data on at the very least tens of thousands and most probably several hundred thousand innocent people are passed on to law enforcement (and in many cases, intelligence agencies) of EU Member States and to Europol – and in some cases to law enforcement and intelligence agencies of third countries – for “further examination”. Many of those data – many of those individuals – will end up in miscellaneous national databases as data on “persons of interest”, and/or in the Europol SIS II database as “Article 36 alerts”. They may even end up in similar databases or lists of third countries.

In terms of European human rights and data protection law, even the supposedly not-very-intrusive measures such as “only” being made the object of “discreet checks” constitute serious interferences with the fundamental rights of the individuals concerned – something that the European Commission and several Member States studiously avoided acknowledging at the Court hearing. More intrusive measure such as being detained and questioned or barred from flying of course constitute even more serious interferences. Both kinds require significant justification in terms of suitability, effectiveness and proportionality – with the onus of proof lying squarely on those who want to impose or justify those interferences, i.e., in casu, the European Commission and the Member States.

Moreover, in practice “watch lists” often become “black lists”. History shows that people – innocent people – will suffer if there are lists of “suspicious”, “perhaps not reliable”, “not one of us” people lying around, and not just in dictatorships.

That is yet another reason why those who argue in favour of such lists – and that includes “Article 36 alerts” and other lists of “persons of interest” “identified” on the basis of flimsy or complex criteria or profiles – bear a heavy onus to prove that those lists are absolutely necessary in a democratic society, and that the strongest possible measures are in place to prevent such further slippery uses of the lists.

5. The suitability, effectiveness and proportionality of the processing

5.1 The lack of data and of proof of effectiveness of the PNR Directive

Neither the European Commission’s review nor the Dutch evaluation has come up with serious, measurable data showing that the PNR Directive and the PNR law are effective in the fight against terrorism or serious crime.

The Dutch researchers at least tried to find hard data, but found that in many crucial respects no records were kept that could provide such data. At most, some suggestions for better recording were made, and some ideas are under consideration, to obtain better data (although the researchers also noted that some law enforcement practitioners thought it would be too much effort).

To date, neither the Commission nor the Member States (including the Netherlands) have seriously tried to design suitable, scientifically valid methods and methodologies of data capture (geeignete Formen der Datenerfassung) in this context. Given that the onus is clearly on them to demonstrate – properly, scientifically demonstrate, in a peer-reviewable manner – that the serious interferences with privacy and data protection they insist on perpetrating are effective, this is a manifest dereliction of duty.

The excuse for not doing this essential work – that it would be too costly or demanding of law enforcement time and staff – is utterly unconvincing, given the many millions of euros that are being devoted to developing the “high risk” intrusive technologies themselves.

5.2 An attempt at an assessment

(a) The appropriate tests to be applied

(aa)     The general tests

In my opinion, the appropriate tests to be applied to mass surveillance measures such as are carried out under the PNR Directive (and were carried out under the Data Retention Directive, and are still carried out under the national data retention laws of the EU Member States that continue to apply in spite of the CJEU case-law) are:

Have the entities that apply the mass surveillance measure – i.e., in the case of the PNR Directive (and the DRD), the European Commission and the EU Member States – produced reliable, verifiable evidence:

(iii) that those measures have actually, demonstrably contributed significantly to the stated purpose of the measures, i.e., in relation to the PNR Directive, to the fight against PNR-relevant crimes (and in relation the DRD, to the fight against “serious crime as defined by national law”); and

(iv) that those measures have demonstrably not seriously negatively affected the interests and fundamental rights of the persons to whom they were applied?

If the mass surveillance measures do not demonstrably pass both these tests, they are fundamentally incompatible with European human rights and fundamental rights law.

This means the measures must be justified, by the entities that apply them, on the basis of hard, verifiable, peer-reviewable data.

(ab)     When a (confirmed) “hit can be said to constitute a “positive” result (and when not)

In the context of collecting and assessing data, it is important to clarify when a (confirmed) “hit can be said to constitute a “positive” result (and when not).

In my opinion, confirmed “hits” confirming the identity of “known” “persons of interest”/subjects of “Article 36 alerts” and the “identification” (labelling) of previously “unknown” persons by the PIUs as “persons who may be involved in terrorism or serious crime” can only be regarded as “positive” results under the PNR Directive if they result in those persons subsequently being formally declared to be formal suspects in relation to terrorist or other serious, PNR-relevant criminal offences.

(b) The failure of the European Commission (and the Dutch government) to meet the appropriate test

The conclusion reached by the European Commission and Dutch Minister of Justice: that overall, the PNR Directive, respectively the Dutch PNR law, had been “effective” because the EU Member States said so (Commission) or because PNR data were quite widely used and the competent authorities said so (Dutch Minister) is fundamentally flawed, given that this conclusion was reached in the absence of any real supporting data.

It is the equivalent to a snake oil salesman claiming that the effectiveness of his snake oil is proven by the fact that his franchise holders agree with him that the product is effective, or by the fact that many gullible people bought the stuff.

Or to use the example of Covid vaccines, invoked by the judge-rapporteur: it is equivalent to a claim that a vaccine is effective because interested parties say it is, or because many people had been vaccinated with the vaccine – without any data on how many people were protected from infection or, perhaps worse, how many people suffered serious side-effects.

At the very least, the competent authorities in the EU Member States should have been required to collect, in a systematic and comparable way, reliable information on the outcomes of the passing on of (confirmed) “hits”. Given that they have not done so – and that the Commission and the Member States have not even tried to establish reliable systems for this – there is no insight into how many of the (confirmed) “hits” actually, concretely contributed to the fight against PNR-relevant offences.

(c) An attempt to apply the tests to the different types of matches

In my opinion, confirmed “hits” confirming the identity of “known” “persons of interest”/subjects of “Article 36 alerts” and the “identification” (labelling) of previously “unknown” persons by the PIUs as “persons who may be involved in terrorism or serious crime” can only be regarded as “positive” results under the PNR Directive if they result in those persons subsequently being formally declared to be formal suspects in relation to terrorist or other serious, PNR-relevant criminal offences.

At the very least, the competent authorities in the EU Member States should have been required to collect, in a systematic and comparable way, reliable information on such outcomes. Given that they have not done so – and that the Commission and the Member States have not even tried to establish reliable systems for this, there is no insight into how many of the (confirmed) “hits” actually, concretely contributed to the fight against PNR-relevant offences.

However, the following can still usefully be observed as regards the lawfulness, suitability, effectiveness and proportionality of the different kinds of matches:

– Full PNR data are disproportionate to the purpose of basic identity checks;

– The necessity of the PNR checks against Interpol’s Stolen and Lost Travel Document database is questionable;

– The matches against unspecified national databases and “repositories” are not based on foreseeable legal rules and are therefore not based on “law”;

– The necessity and proportionality of matches against various simple, supposedly “suspicious” elements (tickets bought from a “suspicious” travel agent; “suspicious” travel route; etc.) is highly questionable; and

– The matches against more complex “pre-determined criteria” and profiles are inherently and irredeemably flawed and lead to tens and possibly hundreds of thousands of innocent travellers wrongly being labelled to be a person who “may be” involved in terrorism or serious crime, and are therefore unsuited (D: ungeeignet) for the purpose of fighting terrorism and serious crime.

5.3 Overall conclusions

The PNR Directive and the generalised, indiscriminate collection of personal data on an enormous population – all persons flying to or from, and the vast majority of people flying within, the EU – that it facilitates (and intends to facilitate) is part of a wider attempt by the European Union and the EU Member States to create means of mass surveillance that, in my opinion, fly in the face of the case-law of the Court of Justice of the EU.

In trying to justify the directive and the processing of personal data on hundreds of millions of individuals, the vast majority of whom are indisputably entirely innocent, the European Commission and the Member States not only do not produce relevant, measurable and peer-reviewable data, they do not even attempt to provide for the means to obtain such data. Rather, they apply “measures” of effectiveness that are not even deserving of that name: the wide use of the data and the “belief” of those using them that they are useful.

If proper tests are applied (as set out in sub-section 5.2(a), above), the disingenuousness of the “justifications” becomes clear: the claims of effectiveness of the PNR Directive (and the Dutch PNR Law) are based on sand; in fact, as the Dutch researchers rightly noted:

“There are no quantitative data on the way in which [and the extent to which] PNR data have contributed to the prevention, detection, investigation and prosecution of terrorist offences and serious crime.”

The Commission and the Member States also ignore the “high risks” that the tools used to “identify” individuals who “may be” terrorists or serious criminals entail. This applies in particular to the use of algorithm/AI-based data mining and of profiles based on such data mining that they want to massively increase.

If the Court of Justice were to uphold the PNR Directive, it would not only endorse the mass surveillance under the directive as currently practised – it would also give the green light to the massive extension of the application of (so far less used) sophisticated data mining and profiling technologies to the PNR data without regard for their mathematically inevitable serious negative consequences for tens and possible hundreds of thousands of individuals.

What is more, that would also pave the way to yet further use of such (dangerous) data mining and profiling technologies in relation to other large population sets (such as all users of electronic communications, or of bank cards). Given that the Commission has stubbornly refused to enforce the Digital Rights Ireland judgment against Member States that continue to mandate retention of communications data, and is in fact colluding with those Member States in actually seeking to re-introduce mandatory communications data retention EU wide in the e-Privacy Regulation that is currently in the legislative process, this is a clear and imminent danger.

The hope must be that the Court will stand up for the rights of individuals, enforce the Charter of Fundamental Rights, and declare the PNR Directive (like the Data Retention Directive) to be fundamentally in breach of the Charter.

– o – O – o –

Douwe Korff (Prof.)

Cambridge (UK)

November 2021

  1. 1.1           The categories of personal data processed

An annex to the PNR Directive lists the specific categories of data that airlines must send to the database of the PIU of the Member State on the territory of which the flight will land or from the territory of which the flight will depart. This obligation is stipulated with regard to extra-EU flights but can be extended by each Member State to apply also to intra-EU flights  – and all but one Member States have done so. The list of PNR data is much longer than the Advance Passenger Information (API) data that airlines must already send to the Member States under the API Directive, and includes information on travel agents used, travel routes, email addresses, payment (card) details, luggage, and fellow travellers. On the other hand, often some basic details (such as date of birth) are not included in the APIs.

NB: The opinion focusses on the system as it is designed and intended to operate, and on what it allows (even if not everything that may be allowed is [yet] implemented in all Member States), and less on the somewhat slow implementation of the directive in the Member States and on the technical aspects that the Commission report and the staff working document often focussed on. It notes in particular a number of elements or aspects of the directive and the system it establishes that are problematic, either conceptually or in the way they are supposed to operate or to be evaluated.

Parliamentary Tracker : Establishing an EU migrants resettlement framework

by Luigi LIMONE (FREE Group trainee)

Background

Yesterday, the European Commission and the High Representative, Federica Mogherini, have diffused the 5th Report on the progress made under the Partnership Framework on Migration and implementation of measures to address the situation along the Central Mediterranean Route, in line with the Action Plan on measures to support Italy.

The Partnership Framework on Migration was launched in June 2016 to step up as a priority cooperation with countries of origin and transit in Africa. Measures taken are aimed at saving lives along the migratory routes, increase protection of migrants and refugees, enhance resilience of host communities, address root causes of migration and open up legal ways to Europe for those in need, in particular with more resettlements for refugees.

A legislative proposal regarding the establishment of an EU resettlement framework is currently under discussion.

Towards an EU law on resettlement

Together with relocation, resettlement is recognised by the Council of the European Union as one of the three dimensions of the EU efforts to address the increasing migratory flows. The two others are return, readmission and reintegration of irregular migrants and cooperation with countries of origin and transit to tackle the root causes of migration. During the Justice and Home Affairs Council meeting dating back to 20 July 2015, the EU Member States already adopted conclusion on resettling through multilateral and national schemes 22504 displaced persons from outside the EU who are in clear need of international protection.

On 13 July 2016 the European Commission launched a proposal for a EU Resettlement Framework to establish a common European policy on resettlement with the aim of ensuring orderly and safe pathways to Europe for persons in need of international protection. Such a proposal is part of the Commission reform of the Common European Asylum System (CEAS) and the long-term policy on better migration management set out by the European Agenda on Migration.

The proposal is intended to provide for a permanent framework with common standard  procedures for resettlement across the EU and should complement current national and multilateral resettlement initiatives, by providing common EU rules on the admission of third-country nationals, procedures in the resettlement process, types of status to be accorded by Member States, decision-making procedures for implementation of the framework and financial support for Member States’ resettlement efforts. According to Commissioner for Migration, Home Affairs and Citizenship, Dimitris Avramopoulos, the proposal represents “an integral part of the larger objective of ensuring that protection is offered to those who need it, reducing the incentives for irregular migration and protecting migrants from exploitation by smuggling networks and dangerous journeys to reach Europe”.

The Commission proposal widens the resettlement categories established by the UNHCR, by including persons with socio-economic vulnerability, persons with family links to third-country nationals, stateless persons or Union citizens legally resident in a Member State. Such a new framework will allow for two types of standard resettlement procedures: ordinary and expedited. Under the ordinary procedure, Member States will identify third-country nationals or stateless persons in a third country and assess whether they fall within the scope of a targeted resettlement scheme. With a positive decision, they can grant those persons refugee status or subsidiary protection status.

The expedited procedure is used in case of specific humanitarian grounds or urgent legal or physical protection needs, which justify rapid admission of third-country nationals or stateless persons to the territory of a Member State. The persons are granted subsidiary protection status and should be able to apply for international protection once admitted to a Member State. Member States will be entitled to €10 000 from the EU budget for each person they resettle. Nevertheless, they will only receive these funds when resettling through the Union Resettlement Framework. Resettlements under national schemes will not be supported financially by the EU budget.

The Commission proposal does not provide for a distribution key. Member States are given the possibility to decide how many persons they will resettle each year. Furthermore, it does not specify the scale of resettlement and the regions or third countries from which resettlement will take place, but it indicates that preference will be given to third countries which cooperate effectively with the EU in the field of migration and asylum, notably a third country’s efforts to reduce the number of irregular migrants coming to the EU from its territory, their cooperation on return and readmission and their capacity build-up for reception and protection. The proposal also includes grounds for exclusion of third-country nationals or stateless persons from the resettlement scheme, including those who have irregularly stayed, irregularly entered or attempted to irregularly enter the territory of the Member States during the five years prior to resettlement.

The proposal falls under the ordinary legislative procedure. In the European Parliament, it was assigned to the LIBE Committee under the rapporteurship of Malin Björk (GUE/NGL – Sweden). The draft report was presented before the LIBE Committee on 12 April 2017.

According to the draft report, resettlement should be recognised as complementary to other legal and safe routes to international protection, such as humanitarian visas, extended family reunification and humanitarian admission programmes. The EU resettlement framework should also complement other international structures for resettlement and build upon the work of the UNHCR, as well as support Member States’ national resettlement programmes. The draft report also provides that the EU resettlement framework should not depend on third countries’ cooperation on migration but should instead be based on humanitarian needs, contribute to global resettlement needs and serve as a protection tool.

As regards concrete numbers, the EU Member States host 8 % of the world’s refugees, which, according to the rapporteur, is few compared to other developed countries and not enough to reduce the burden on developing countries. The rapporteur therefore suggests that the EU framework should target the resettling of at least 25 % of the annual projected global resettlement needs as defined by the UNHCR. With regard to resettlement as a durable solution, the draft report suggests Member States should provide resettled persons with residence permits of permanent or unlimited validity, on terms that are more favourable than provided for in the current legislation.

After the presentation of the draft report, the shadow rapporteurs expressed the position of their political parties as well.

According to Agustín Díaz de Mera García Consuegra (shadow rapporteur for the EPP – Spain), a clear distinction between relocation and resettlement should be included in the report to prevent from confusion and overlapping definitions. In his opinion, it is very important that the EU commitment is fully supported by the civil society and the private sector and Member States should be encouraged to implement their resettlement programs through a number of incentives.

Birgit Sippel (S&D – Germany) talked on behalf of Katy Piri (shadow rapporteur for the S&D – the Netherlands). According to her, resettlement is the only way possible to help people in need and prevent them from entering through illegal channels or smuggling networks. This fully reflects the EU humanitarian approach, which is intended to grant protection to people fleeing war and persecution through legal and safe pathways.

Helga Stevens (shadow rapporteur for the ECR – Belgium) said that the ECR group was going to present a huge number of amendments. She believes, however, that constructive consultations are possible and that the shadow meetings should focus on existing resources in order to think about a resettlement framework in a more practical way.

Cecilia Wikström (ALDE – Sweden) talked on behalf of Louis Michel (shadow rapporteur for the ALDE, Belgium). According to her, the European Parliament should work in a constructive way to create a mechanism based on equal sharing of responsibilities between Member States, with the aim of increasing the number of legal entry avenues for people in need of international protection.

According to Ignazio Corrao (shadow rapporteur for the EFDD – Italy), resettlement is a fundamental humanitarian tool to manage migration flows and the EU should reinforce its cooperation with third countries and work on practical numbers to understand the real proportion of this challenge. In his opinion, resettlement can be used to promote family reunification, but only as an element of last resort when family reunification channels cannot be applied.

The proposal on the EU resettlement framework was presented by the Commission at the meeting of the Asylum Working Party of the Council on 29 September 2016. On that occasion, a first exchange of views took place and serious concerns were raised on certain issues such as the mandatory character of resettlement schemes, the legal basis of the proposed act and the inclusion of internally displaced people (IDPs) among the categories that could benefit from resettlement. The Asylum Working Party finalised a first detailed article-by-article examination of the proposal on 17 January 2017. A second round of examination took place on 2 March 2017 and additional concerns were expressed with respect to the definition of resettlement and the possibility to include other forms of humanitarian admission, the admissibility criteria as well as the procedure that will be used for resettlement. Some delegations also voiced concerns regarding the Commission’s right to adopt delegated acts to complement some elements of the procedure.

Civil society organisations and international actors have expressed their support to the establishment of a framework for a structured and coordinated approach to resettlement within the EU, since they believe that such a framework can ensure greater participation and commitment towards resettlement from Member States and allow the EU to contribute more meaningfully towards global resettlement. However, they have raised serious concerns with respect to key aspects of the proposal. These concerns relate primarily to the way resettlement may be instrumentalised to encourage countries to cooperate on migration control and deterrence of irregular arrivals, but also to eligibility and exclusion criteria which potentially exclude many categories of refugees in need of resettlement, including vulnerable cases and those with no other solution in sight.

According to the European Council on Refugees and Exiles (ECRE), the fact that the proposal makes clear reference to the Partnership Framework risks making resettlement “a partnership activity” instead of a humanitarian programme that provides durable solutions for the most vulnerable. Inspired by the EU-Turkey deal that offers resettlement as a quid pro quo, the resettlement framework risks instrumentalising resettlement to exert leverage on partner countries. Amnesty International has strongly objected to resettlement becoming instrumental to the objective of migration deterrence and returns as well. The NGO is also concerned that the proposal would entrench EU-wide ineligibility criteria which aim to discourage irregular movement to and within the EU, since it is based on definitions and unfair grounds for exclusion

The Visegrad Four countries – the Czech Republic, Hungary, Poland and Slovakia – have made no secret that they are trying to oppose the new relocation and resettlement schemes and put forward by the European Commission. Although the Visegrad countries have different position on the refugee crisis and there is political position among them, with Poland and Hungary being more resistant and the Czech Republic and Slovakia more open to the Commission proposal, all four countries argue that asylum seekers are not interested in long-term stays in Central or Eastern Europe and would seek to move to wealthier EU Member States. They challenge the new asylum policy and in particular the replacement of the defunct Dublin system and the quota system on migrant resettlement and relocation, claiming that the such reforms violate their national sovereignty.

With the need to reinstate a genuine mutual trust among Member States as a precondition for finding a shared solutions to the relocation impasse and to the migration challenge, an intra EU convergence on relocation and resettlement is crucial. Faced with the Visegrad countries’ resistance to relocation and resettlement schemes, the European Commission should definitely   decide to proceed with the adoption of a clearer “carrot and stick” approach: if Member States want to enjoy the benefits of the Schengen system, they also need to accept the responsibilities of formulating a common migration and asylum policy.

Counter-terrorism and the inflation of EU databases

Original published on Statewatch (*) on May 2017

By Heiner Busch (@Busch_Heiner) and Matthias Monroy (@matthimon)  (Translation from DE by Viktoria Langer)

The topic of counter-terrorism in Europe remains closely linked to the development and expansion of police (and secret service) databases. This was the case in the 1970s, after 11 September 2001 and has also been the case since 2014, when the EU Member States started working on their action plans against ‘foreign terrorist fighters’.

The first effect of this debate has been a quantitative one: the amount of data in the relevant databases has increased explosively since 2015. This can be seen by looking in particular at available data on the Europol databases, like ‘Focal Points’ (formerly: Analytical Work Files) of the Europol analysis system. Since 2015 they have become one of the central instruments of the European Counter Terrorism Centre (ECTC) which was established in January 2016. ‘Hydra’, the ‘Focal Point’ concerning Islamist terrorism was installed shortly after 9/11. In December 2003 9,888 individuals had been registered, a figure that seemed quite high at the time – but not compared with today’s figures. [1] In September 2016 ‘Hydra’ contained 686,000 data sets (2015: 620,000) of which 67,760 were about individuals (2015: 64,000) and 11,600 about organisations (2015: 11,000).

In April 2014 an additional ‘Focal Point’, named ‘Travellers’, was introduced, which is exclusively dealing with “foreign terrorist fighters” (FTF). One year later ‘Travellers’ included 3,600 individuals, including contact details and accompanying persons. In April 2016 the total number increased by a factor of six. Of the 21,700 individuals registered at the time, 5,353 were “verified” FTFs. In September 2016, of 33,911 registered individuals, 5,877 had been verified as FTFs.

Since 2010 Europol and the USA have operated the Terrorist Finance Tracking Programme (TFTP), which evaluates transfers made via the Belgian financial service provider SWIFT. Until mid-April 2016 more than 22,000 intelligence leads had been arisen out of that programme, of which 15,572 since the start of 2015. 5,416 (25%) were related to FTFs.

In contrast to Europol’s analytical system, the Europol Information System (EIS, the registration system of the police agency) can be fed and queried directly from the police headquarters and other authorities of EU Member States. Here, more than 384,804 ‘objects’ (106,493 individuals) were registered at the start of October 2016, 50% more than the year before. The increase is partly due to the growing number of parties participating in the EIS. In 2015 13 Member States were connected; in 2016 19 Member States. Some of the EU States, like the UK, also let their national secret services participate in the system. 16 Member States currently use automatic data uploaders for input. The number of third parties involved has also increased (in 2015 there were four, in 2016 there were eight). Interpol, the FBI and the US Department of Homeland Security are some of them.

Europol has reported further growth in the number of “objects” linked to terrorism in the EIS. According to the Slovak Presidency of the Council of the EU’s schedule for the improvement of information exchange and information management, in the third quarter of 2016 alone these grew another 20% to 13,645. [2] The EIS includes 7,166 data sets about individuals linked to terrorism, of which 6,506 are marked as FTFs or their supporters, or are assumed to be so. For May 2016 the CTC stated a figure of 4,129. [3] The increase in terrorism linked data can also be seen in the Schengen Information System (SIS) – in the alerts for “discreet checks or specific checks” following Article 36 of the SIS Decision. According to this, suspect persons are not supposed to be arrested. However, information about accompanying persons, vehicles etc. are recorded to provide insight into movements and to keep tabs on the contacts of the observed person. At the end of September 2016 the number of such checks by the police authorities (following Article 36(2)) was 78,015 (2015: 61,575, 2014: 44,669). The number of alerts of the national secret services based on Article 36(3) was 9,516 (2015: 7,945, 2014: 1,859). “Hits” on such alerts and additional information are supposed to be sent directly to the alerting authorities and not as usual to national SIRENE offices (which deal with the exchange of supplementary information regarding alerts in the SIS). This option was only introduced in February 2015.

The Schengen states used the instrument for discreet surveillance or specific checks very differently. On 1 December 2015 44.34% of all Article 36 alerts came from authorities in France, 14.6% from the UK, 12.01% from Spain, 10.09% from Italy and 4.63% from Germany. [4] How many of these alerts actually had a link to terrorism remains unclear; a common definition has not yet been found. However, the Council Working Party on Schengen Matters agreed on the introduction of a new reference (“activity linked to terrorism”) for security agencies’ alerts. According to Federal Ministry for the Interior, German alerts are marked with this reference when concrete evidence for the preparation of a serious act of violent subversion (§§129a, 129b Penal Code) can be presented. [5]

‘Unnoticed in the Schengen area’ Continue reading “Counter-terrorism and the inflation of EU databases”

Systèmes d’information européens sécurité-immigration : lorsqu’ “interopérabilité” ne rime effectivement pas avec “interconnexion”

ORIGINAL PUBLISHED ON “EU Immigration and Asylum Law and Policy” BLOG

by Pierre BERTHELET

“Il convient d’exploiter toutes les possibilités offertes par d’éventuelles synergies entre les systèmes d’information nationaux et européens, sur la base de l’interopérabilité”. Ces propos ne datent pas des conclusions du dernier Conseil JAI sur ce thème, celles du 9 juin 2017, mais bien d’une communication de la Commission remontant au mois de mai 2005. La problématique de l’interopérabilité des bases de données JAI est par conséquent tout sauf neuve. Elle revêt néanmoins une acuité particulière à la lumière des efforts axés sur le renforcement de l’efficacité et de l’efficience de la gestion des données dans l’UE. Comme le fait remarquer une étude juridique de mai 2017, le volume des données échangées entre les Etats membres et stockées au sein des systèmes européens d’information s’est accru considérablement depuis les attaques de Paris de 2015.

L’interopérabilité s’insère ainsi dans l’optique d’une rationalisation d’informations désormais abondantes au niveau de l’Union. Elle constitue un chantier majeur de la construction européenne en matière de gestion des systèmes d’information. Plus exactement, l’interopérabilité – et l’interconnexion par ailleurs – peuvent être envisagées sous la forme de poupées russes : l’interconnexion est un élément de la réponse des institutions européennes apportée en matière d’interopérabilité qui, elle-même, constitue un volet de la réforme actuelle ayant trait à la gestion des systèmes européens d’information. Elle est un concept générique qui s’inscrit dans le cadre de travaux interinstitutionnels visant à améliorer les mécanismes d’échange et de traitement de l’information, en toile de fond du développement considérable qu’ont connu ces systèmes cette dernière décennie. Son caractère ambigu tient au fait qu’elle renvoie autant au projet lui-même qu’à l’objectif porté par ce projet. Or, force est de constater que, depuis 2016, le degré d’avancement du chantier entrepris dans le domaine de l’interopérabilité est déjà élevé (1). Quant à l’interconnexion, il s’agit, à la lumière des récents textes l’évoquant, d’un processus loin de recueillir l’assentiment unanime (2).

1. L’interopérabilité des systèmes, un degré d’avancement du projet déjà élevé

Bien qu’évoquée depuis plusieurs années, l’interopérabilité des systèmes est un projet ayant connu un regain d’intérêt récent. Elle correspond à un processus interinstitutionnel  initié il y a quelques mois seulement (a). L’objectif est de rendre la gestion de l’information dans le domaine de la sécurité, des frontières et des flux migratoires davantage performante (b).

a. Un processus interinstitutionnel initié il y a quelques mois seulement

Avant d’entrer de plain-pied dans l’analyse, il importe de préciser les termes employés, à savoir l’interopérabilité d’une part et l’interconnexion d’autre part. Une communication de novembre 2005, consacrée au renforcement de l’efficacité et de l’interopérabilité des bases de données européennes fournit un éclairage à ce sujet. Dans ce texte destiné, déjà à l’époque, à lancer un débat en profondeur sur la forme et l’architecture à long terme des systèmes d’information, la Commission définit la connectivité comme un terme générique renvoyant à la connexion de systèmes aux fins de transfert de données. En France, le Conseil d’État considère, dans une décision du 19 juillet 2010, l’interconnexion «comme l’objet même d’un traitement qui permet d’accéder à, exploiter et de traiter automatiquement les données collectées pour un autre traitement et enregistrées dans le fichier qui en est issu ».

Tirant cette définition d’un document élaboré par l’European Interoperability Framework (qui est la concrétisation du plan d’action eEurope approuvé par le Conseil européen de Séville de 2002, et visant promouvoir les services publics en ligne), l’interopérabilité signifie, selon cette communication de novembre 2005, la « capacité qu’ont les systèmes d’information et les processus opérationnels dont ils constituent le support d’échanger des données et d’assurer le partage des informations et des connaissances ».

Ceci étant dit, les travaux actuels trouvent leur origine dans une communication de la Commission du 6 avril 2016 visant à lancer un débat sur l’existence de lacunes ainsi que de défaillances systémiques au sujet des bases de données JAI. Plus exactement, il s’agit d’œuvrer dans l’amélioration de l’architecture de gestion des données de l’UE concernant le contrôle aux frontières et de la sécurité intérieure. Le périmètre est ainsi réduit à un pan de l’ELSJ, et ce, même si la dimension judiciaire est évoquée ponctuellement à travers le projet d’interconnexion des casiers judiciaires européen. En outre, il est étendu partiellement aux systèmes d’information nationaux, l’objectif étant d’assurer une fluidité de l’information à la fois au niveau horizontal (les systèmes européens) et au niveau vertical (entre les systèmes européens et les systèmes nationaux).

Pour mener à bien cette réflexion, la Commission a réuni le mois suivant sa communication d’avril 2016, un « groupe d’experts de haut niveau sur les systèmes d’information et l’interopérabilité ». Ce groupe d’experts, qui a mené ses travaux conformément aux prescriptions d’une feuille de route sur l’échange d’information et l’interopérabilité, approuvée par le Conseil JAI du 10 juin 2016, a rassemblé des représentants des Etats membres (y compris les pays Schengen non membres de l’UE), ceux des agences européennes (Frontex, eu-LISA, Europol, EASO et FRA), le Coordinateur pour la lutte antiterroriste et le CEPD (et ont été associés aux travaux, le secrétariat général du Conseil et celui de la commission LIBE du Parlement européen au titre d’observateur). L’objectif de ce projet relatif à l’interopérabilité, précise le Conseil, vise à appuyer les investigations opérationnelles, notamment dans le domaine de la lutte antiterroriste, et d’apporter rapidement aux autorités nationales de terrain (garde-frontières, policiers, agents de l’immigration et procureurs notamment) toutes les informations nécessaires en temps et en heure pour mener à bien leurs missions.

Les travaux du groupe ont trouvé un soutien politique fort émanant à la fois du président de la Commission, Jean-Claude Juncker, ainsi que du Conseil européen. Le premier, dans son discours sur l’état de l’Union en septembre 2016, peu avant la tenue du Conseil européen informel de Bratislava, a souligné l’imminence de la présentation par la Commission, du système européen d’information et d’autorisation concernant les voyages (ETIAS). Le second, dans des conclusions de décembre 2016, a appelé « à poursuivre les efforts en matière d’interopérabilité des systèmes d’information et des bases de données » (point 9). Ce groupe à haut niveau a rendu son rapport final le 11 mai 2017, dont le contenu a nourri l’analyse de la Commission dans l’élaboration de son septième rapport publié une semaine plus tard, sur les progrès accomplis dans la mise en place d’une union de la sécurité réelle et effective. Enfin, le Conseil, jugeant l’interopérabilité comme essentielle à la sécurité, a approuvé, le 9 juin 2017, les conclusions précitées dans lesquelles il approuve les solutions dégagées par le groupe d’experts et ce, en vue d’une gestion de l’information davantage performante.

b. Une gestion de l’information se voulant davantage performante

L’importance de l’interopérabilité des systèmes d’information est clairement rappelée par la Commission dans ce septième rapport. En réalité, ce constat est dressé quelques mois plus tôt, dans sa communication d’avril 2016, qui elle-même, fait suite à différentes conclusions du Conseil. Ainsi, concernant le seul SIS II, dans celles d’octobre 2014, le Conseil a envisagé une connexion entre ce système et la base de données « faux documents » d’Interpol (SLTD), de manière à ce que les utilisateurs finaux aient accès simultanément aux deux systèmes lors d’une même recherche. Dans celles approuvées peu avant, en juin 2014, il a invité les États membres utiliser pleinement le SIS II dans le cadre de la lutte contre le terrorisme, invitation répétée au demeurant dans la déclaration commune de Riga, adoptée après les attaques contre le journal Charlie Hebdo. Quant aux conclusions du 20 novembre 2015, approuvées après les attaques du Bataclan et la fuite consécutive de Salah Abdeslam avec l’aide de deux complices venus de Belgique, le Conseil a souligné l’importance d’une consultation systématique du SIS II lors des contrôles frontaliers.

À cette fin, la Commission, en se référant à certains de ces textes ainsi qu’à la déclaration commune sur les attentats terroristes du 22 mars 2016 à Bruxelles préconisant de renforcer l’interopérabilité, a présenté dans sa communication d’avril 2016, dans laquelle elle identifie un ensemble d’incohérences et de dysfonctionnements, parmi lesquelles, des fonctionnalités non optimales des systèmes européens d’information et un problème de la qualité des données auquel s’ajoute des lacunes dans l’architecture de l’UE en matière de gestion des données liée notamment à l’absence pure et simple d’une série de systèmes d’information. Quant à ceux existants, leur fonctionnement doit être amélioré. C’est le cas du SIS II, dont Europol n’a pas encore fait pleinement usage, alors même que l’agence dispose d’un droit d’accès à celui-ci. En outre, certains systèmes existent partiellement, mais ils ne sont pas encore pleinement opérationnels. C’est le cas des systèmes nationaux mis en place dans le cadre des décisions dites « de Prüm » et pour lesquelles plusieurs États membres ne remplissent toujours pas leurs engagements. Le paysage européen des systèmes d’information se caractérise donc par une multiplicité de dispositifs, des niveaux d’achèvement différents et des modes de fonctionnement distincts. Il en résulte une mosaïque complexe, car ces systèmes sont soumis à des régimes juridiques variables, rendant l’ensemble difficilement intelligible.

Cette superposition de systèmes conduit à une architecture européenne fragmentée au sujet de la gestion des données. Chacun système fonctionne en silo, faisant que les informations contenues sont peu interconnectées. Ce compartimentage des données a des conséquences problématiques concrètes. Ainsi, l’auteur de l’attaque terroriste de Berlin de décembre 2016, Anis Amri, a eu recours à pas moins de quatorze identités différentes. Ces fausses identités ont permis à ce ressortissant tunisien de se déplacer aisément en Allemagne, puis de prendre la fuite hors du pays avant d’être abattu à Milan. Or, comme le fait observer le quatrième rapport de la Commission sur la sécurité, ses déplacements auraient pu être détectés si les systèmes employés étaient dotés d’une fonctionnalité permettant une recherche simultanée dans plusieurs d’entre eux, au moyen d’identificateurs biométriques.

L’interopérabilité apparaît dès lors comme une réponse aux défis sécuritaires, en particulier terroristes, pour lesquels le recours aux systèmes d’information est un élément indispensable de la réponse à fournir.

La réforme de la gestion de l’information est effectuée au moyen d’une approche horizontale, via les travaux du groupe d’experts de haut niveau. Elle s’effectue aussi de manière sectorielle, à travers l’adoption de textes instituant des systèmes d’information (ou modifiant ceux existants).

En premier lieu, des systèmes sont en projet ou en cours de réalisation. Peuvent être mentionnés la proposition présentée en janvier 2016, étendant aux ressortissants de pays tiers le Système européen d’information sur les casiers judiciaires (ECRIS-TCN), la proposition révisée établissant le système d’entrée/sortie (EES) et présentée en avril 2016 (en parallèle à une modification du règlement de mars 2016 relatif au Code Frontières Schengen), la proposition de règlement instituant l’ETIAS présentée quant à elle en novembre 2016, ou le système d’index européen des registres de la police (EPRIS) dont l’ébauche correspondrait au projet auquel la France prend part et dénommé ADEP (Automated Data Exchange Process).

En deuxième lieu, d’autre systèmes existent, mais ils doivent être réformés. Il s’agit en particulier d’Eurodac (une proposition de règlement, présentée en mai 2016, permettant notamment de stocker l’image faciale, est en cours de discussion entre le Conseil et le Parlement européen), et du SIS II (un paquet législatif, présenté en décembre 2016, composé de quatre propositions de règlement est également en cours de discussion, prévoyant l’obligation pour les États membres d’émettre des alertes concernant des personnes liées à des infractions terroristes).

Or, le processus de refonte opéré des différents systèmes (et la création de ceux n’existant pas encore) est pensé dans la perspective de l’interopérabilité et même de l’interconnexion. Par exemple, concernant le SIS II, une disposition de la proposition de règlement créant l’ETIAS, prévoit que l’unité centrale ETIAS puisse opérer des recherches dans le SIS II. De prime abord, l’interconnexion des systèmes est, au vu de cet exemple, effective, ou du moins, en voie de l’être. Or, ce n’est pas cas en réalité et il s’agit plutôt de l’exception qui confirme la règle.

2. L’interconnexion des systèmes, un projet suscitant peu l’enthousiasme institutionnel

L’interconnexion est une option visant à atteindre le stade de l’interopérabilité des systèmes d’information. Cependant, il s’agit d’une option parmi d’autres (a), et qui ne reçoit qu’un accueil institutionnel pour le moins prudent (b).

a. L’interconnexion, une option parmi d’autres

L’interconnexion, au sens défini ci-dessus, apparaît seulement comme une option parmi celles avancées par la Commission dans sa communication d’avril 2016. Plus exactement, le texte en présente quatre aux fins de parvenir à une situation d’interopérabilité : l’interface de recherche unique, le service partagé de mise en correspondance de données biométriques, le répertoire commun de données d’identité et enfin l’interconnexion des systèmes d’information proprement dite.

Dans le premier cas, l’interface de recherche unique, il s’agit de permettre à une autorité nationale d’interroger plusieurs systèmes d’information de manière simultanée. Ce système, qui existe en France avec l’application COVADIS (Contrôle et vérification automatiques des documents sécurisés), permet au service interrogeant d’obtenir sur un seul écran les résultats des requêtes, ceci dans le respect des droits d’accès propre à ce service. Cette hypothèse de l’interface unique a, au demeurant, reçu l’assentiment des ministres français et allemand dans le cadre de leur « initiative sur la sécurité intérieure en Europe » du 23 août 2016.

Le service partagé de mise en correspondance de données biométriques vise, quant à lui, à proposer au service utilisateur, une interrogation des systèmes à partir des identifiants biométriques. Pour l’heure, chaque système européen dispose de son propre dispositif d’identification. L’objectif est, au moyen de ce service partagé, d’effectuer des recherches dans les différents systèmes d’information et de mettre en évidence les coïncidences, par exemple sous forme de hit/no hit, entre ces données.

Le troisième cas a trait à l’établissement d’un répertoire commun de données d’identité en tant que module central dans lequel figure un portefeuille de données (nom, prénom, date et lieu de naissance par exemple). Ces données constituent un socle commun à tous les systèmes, les autres données étant, quant à elles, stockées au sein de modules spécifiques à chacun d’eux. Comme le précise le rapport du Sénat du 29 mars 2017 consacré à l’espace Schengen, la proposition de règlement créant l’ETIAS envisage ce dispositif, du moins entre ce système et l’EES.

Enfin, la dernière option a trait précisément à l’interconnexion des systèmes d’information. L’avantage est de permettre la consultation automatique des données figurant dans un système, par l’intermédiaire d’un autre système. L’interconnexion, ajoute ce rapport du Sénat, présente l’intérêt d’assurer un contrôle croisé automatique des données, limitant ainsi le volume d’informations circulant au sein des réseaux. À cet égard, la proposition de règlement relatif à l’EES envisage une interconnexion avec le VIS. Cette option est évoquée, mais elle va être, dans une large mesure du moins, délaissée.

b. L’interconnexion, une option en grande partie délaissée

Sans pour autant être totalement écartée (en particulier dans la proposition de règlement relatif à l’EES), l’interconnexion ne rencontre pas un franc succès et c’est le moins que l’on puisse dire. D’abord, elle n’a pas l’assentiment du groupe d’experts de haut niveau. Dans leur rapport intermédiaire, remis en décembre 2016, celui-ci avait considéré l’interconnectivité des systèmes comme une solution ponctuelle. Le rapport final consacre ce point de vue en rejetant l’idée d’une généralisation de l’interconnexion et il privilégie trois solutions qui font écho aux autres options avancées par la Commission, à savoir un portail de recherche européen, un service partagé de mise en correspondance de données biométriques et un répertoire commun de données d’identité. Plus exactement, l’interface de recherche unique est préférée à l’interconnexion, ce qui va dans le sens de la position du Conseil qui, dans sa feuille de route sur l’échange d’informations, s’était déclaré pour cette solution de l’interface unique. Reste que si cette dernière avait les faveurs du Conseil et ce, au regard des autres options, les experts ont, pour leur part, conservé l’idée d’un répertoire commun de données et la mise en correspondance de données biométriques comme des pistes exploitables à court terme, et non à moyen et long termes comme le suggérait la feuille de route.

Ensuite, l’interconnexion ne trouve pas non plus un écho favorable auprès de la Commission. Celle-ci fait sienne, à cet égard, les recommandations figurant dans le rapport du groupe d’expert, en se bornant à préciser que des réunions tripartites Conseil-Parlement-Commission au niveau technique devraient avoir lieu en automne 2017, en vue de dégager une vision commune avant la fin de l’année 2017, ceci afin de parvenir à cet objectif d’interopérabilité des systèmes à l’horizon de l’année 2020. La Commission reprend donc à son compte les options retenues par le groupe à haut niveau, en se bornant à fixer cette date-butoir, étant entendu par ailleurs que celle-ci correspond à l’échéance à laquelle l’EES devrait être opérationnel. À cette fin, une proposition législative sur l’interopérabilité devrait être présentée, en parallèle à une proposition de révision du VIS, à une proposition sur l’ECRIS, ainsi qu’à une autre visant à renforcer le mandat de l’agence européenne eu­LISA.

Au final, concernant les systèmes d’information européens sécurité-immigration, l’interopérabilité ne rime pas avec l’interconnexion. Cette lapalissade reflète parfaitement la volonté des institutions européennes préférant à la centralisation, la synergie ainsi que l’avaient souligné en leur temps, la déclaration de mars 2004 sur la lutte contre le terrorisme, le programme de La Haye et la déclaration du Conseil de juillet 2005 suite aux attentats de Londres. La voie choisie par ces institutions est bien résumée par le Commissaire à la sécurité, Sir Julian King, qui avait déclaré le 29 mai 2017 dans une allocution devant les députés de la commission LIBE, « ce que l’on ne propose pas, c’est une base de données gigantesque où tout serait interconnecté ».

Legislative Tracker : an interinstitutional agreement on the new EU “Entry-Exit” system is approaching …

by Beatrice FRAGASSO (Free-Group trainee)

On 6 April 2016 the European Commission put forward the Smart Borders Package, a set of measures intended to provide a more effective and modern external border management. One of the proposals consists in the introduction of the Entry/Exit System (EES), a centralized information system based on biometrics that would be interconnected with VIS and focus on third-country nationals.

The creation of the european Entry-Exit system will require the adoption of  two draft Regulations, one (COM/2016/0194) setting up the EES and amending Regulation (EC) No 767/2008 and Regulation (EU) No 1077/2011, the other (COM/2016/0196) amending Regulation (EU) 2016/399 (Schengen Borders Code) to embody this new system. The proposals has been accompanied by an Impact assessment.

The introduction of the EES aims at speeding up and reinforcing border check procedures for non-EU nationals travelling to the EU, by improving the quality and efficiency of controls as well as the detection of document and identity fraud.  The new texts replace the proposals presented by the European Commission in February 2013 and for which the co-legislators had voiced technical, financial and operational concerns.

The European Parliament defined its negotiating mandate on the latest Commission Proposals  on 27 February 2017: the LIBE Committee adopted his reports (on establishing EES and amending 2016/399) and decided to enter into negotiations with the Council on the basis of these mandates.

The rapporteur Agustín Dían De Mera García Consuegra stated before the LIBE Committee (11 May 2017) that progresses have been made during the “trilogue” negotiations and that the good cooperation between delegations will probably allow to come to a political agreement by the end of the summer. Two “political” trilogues as well as nine technical meetings have already taken place and a third political “trilogue” is scheduled for 31 May 2017. Needless to say no public recording is accessible on the debates which took place during these trilateral meetings

Further information on other aspects of the procedure is accessible on the European Parliament Research Service site HERE.

The scope of the Entry-Exit System (EES)

The EES will apply to non-EU nationals crossing the external borders of the Member States of the EU for a short stay (maximum 90 days period in any period of 180 days), both those that require a visa and those that are exempted.

How it will work

The introduction of the EES aims to:

  1. address border check delays and improve the quality of border checks for third-country nationals;
  2. ensure systematic and reliable identification of “overstayers”;
  3. reinforce internal security and the fight against terrorism and serious crime.

The system is intended to register the name, type of travel document, biometrics (four fingerprints and a visual image) and the date and place of entry and exit.

These actions will facilitate the border crossing of bona fide travelers, detect over-stayers and identify undocumented persons in the Schengen area. The system will also record refusals of entry.

Currently, the only possibility for national authorities to calculate the duration of stay of a third-country national in the Schengen area (and to verify their potential overstay), is the stamping of their travel document with the dates of entry and exit. This method is deemed to be slow and error-prone, since the entry/exit stamps may be unreadable or counterfeit. Under the new proposal, the current system of manual stamping of passports would be replaced by registration in a database and most of the data will be automated.

By using self-service systems and e-gates, third country national travelers would have their data verified, their picture or fingerprint taken and a set of questions asked. While using the self-service system, all mandatory checks would be triggered in the security databases (SIS, Interpol Stolen and Lost Travel Documents database). By the time the traveler is guided towards a border control lane, all his information would have reached the border guard, who may ask additional questions before granting the passenger access to the Schengen area.

The automation of the preparatory steps is expected to reduce the workload of border guards. This would mean that that Member States would not have to hire extra border guards to accommodate the growing traveler flows. It is also expected to reduce the long queues before passengers reach the border checkpoint.

Interoperability

The system would be interconnected with the Visa Information System (VIS) database, which would help reduce duplication of data processing, in accordance with the ‘privacy by design’ principle.

The European Parliament position (Libe Committee Debate)

The parliamentary debate showed that in the Commission proposal there are some controversial elements that the LIBE committee tried to address in the draft report approved on 27 February 2017.

The rapporteur Agustín Dían De Mera García Consuegra (EPP, Spain) presented the draft report before the LIBE Committee on 8 December 2016. According to him, establishing an EES will benefit travellers (they will spend less time waiting at borders), as well as border Member States and transit Member States, because of the speeding of the entire process. Border guards would carry on their tasks more easily. The aim of the draft report is to strike a balance between speeding up the process and guaranteeing security, protecting at the same time fundamental rights. In particular, one of the main concerns of the rapporteur is to ensure high standards for data protection: many of the amendments have been tabled in order to protect data in the system with reference to interoperability, data retention period and access to data by law enforcement authorities. According to the Rapporteur his amendments follow the indications given by the European Data Protection Supervisor (EDPS- Giovanni Buttarelli), in order to boost legal certainty in data protection area and to the role of EDPS and National Data Protection Authorities.[i] Another objective highlighted by the rapporteur is to guarantee more technical certainty, in order to know exactly who can access to the system as well as the circumstances of the access (logs). The procedure to follow in case of temporary failure, then, still has to be clarified. The rapporteur then pointed out the necessity to establish high standards for the procedure used to take facial images and fingerprints. Finally, it has been remarked the key-role played by Eu Lisa (here the Agency’s report on the Smart Borders Pilot Project), that will be responsible to manage the system.

The S&D “shadow rapporteur” Tanja Fajon (Slovenia) stated that she’s not convinced by the argument put forward by the Commission to justify the link between crime and border management. The purpose of the proposal is the border management, not the law enforcement and the proposal should clarify the way in which data will be processed in these two different situations. The difference between people who’s travelling legally and people who’s violating rules should be remarked, in order to guarantee fundamental rights. She criticized the retention period as disproportionate.

Mrs Fajon, then, pointed out that it’s necessary to better inform travellers about how the smart border system will change the current situation and which impact the regulation will have on their rights to enter and exit. People need to be aware about their rights and duties and about the consequences of possible infringments.  Finally, she stated that some measures risk to be unpractical in some Member States (as for example Slovenia) whose borders with non-Schegen countries are always busy, especially during summer.

The ECR “shadow rapporteur” Jussi Halla-Aho (Finland) stated that ECR supports an Entry/Exit System and that probably it was needed even before the abolition of internal controls. His group finds that law enforcement authorities should have a sufficient access to the database for a sufficient period of time. The amendments tabled by the rapporteur are well considered and balanced and ECR appreciate that the rapporteur has tried to make the instrument coherent with the existing tools, for example Eurodac: Regulations have to be harmonised and they have to work one with the others.

According to the ALDE shadow rapporteur Angelika Mlinar (Austria) the amendments improve the Commission proposal. But there are still some problematic issues to address, concerning the protection of fundamental rights and in particular the disproportionate and unjustified retention period that is equally applied to all the scope of the regulation. In addiction, the former 2013 proposal had one single purpose (speeding up border management procedures), while the current proposal has also an unjustified law enforcement purpose. Her political group presented amendments in order to:

– Limit and optimise the collection of biometrical data.
– Limit the law enforcement access to what is strictly necessary, ensuring safeguards.
– Reduce the data retention period.

Also the Greens’ shadow rapporteur Jan Philipp Albrecht (Germany) highlighted that the most controversial points are the long data retention period and the possibility for law enforcement authorities to access these data for other purposes. The risk is that the EES will create a huge (and very expensive) database with a long retention period that won’t be effective for the purpose of smart border management. Finally, the shadow rapporteur pointed out that data protection in EES should meet the same high standards in the data protection package recently adopted (and which should be transposed at national level for May 2018).

Where we are…

The LIBE Committee adopted the report establishing EES and the report amending 2016/399 on 27 February 2017 and the modifications proposed by the committee echo the parliamentary debate. Data should be stored for only two years, and not the five years proposed by Commission. MEPs also want to ensure that the text is in line with the provisions of the General Data Protection Regulation, for example by allowing the data subject the right to access his or her own data.

MEPs found that the purposes of data processing in the new system should also be clarified. Migration handling should be the first purpose and law enforcement an additional one. The two should be treated separately, as the conditions for the use and storage of the data are not the same.

The Council Position

According to a preparatory document of the Council (leaked by Statewatch, file 6572/17), it emerges that the most controversial issues concern the territorial scope of the EES (an issue linked to the question of the access to VIS for those Member States which do not yet fully apply the Schengen acquis but for which the verification in accordance with the applicable Schengen evaluation procedures has already been successfully completed) and the calculation of the duration of the short-stay.

A Guidance on these sensitive issues was then obtained at COREPER level on 1 February 2017. Concerning the territorial scope of application, COREPER gave clear guidance on the need to include into it all Member States that, while not applying the Schengen Acquis in full, meet nonetheless the cumulative conditions listed in Art. 60 of the draft EES Regulation (i.e.: have successfully completed the verification in accordance with applicable Schengen evaluation procedures, (ii) have put into effect the provisions of the Schengen acquis relating to SIS and (iii) to the VIS).

If these conditions are met, the Member State concerned can deploy the EES, with the consequences that such deployment implies, including with reference to the calculation of the duration of stay in its territory.  As a consequence, the automated calculator set out in Art. 10 of the EES draft Regulation will be a common one, covering the stays in any Member State operating the EES. According to the internal Council document, some delegations still oppose this solution on legal and practical grounds, notably because of its implications for other legal instruments and for the current practice in particular in the area of visa policy. However, the Presidency considers that the policy guidance given by Coreper, supported by a clear majority, should be followed.

MS Bilateral agreements with third Countries 

Another outstanding issue is whether the bilateral visa waiver agreements will be compatible with the EES (Art 54). At the trilogue meeting that took place on 29 September 2016 (file 12571/16), the Chair presented a drafting proposal by the Presidency that would set up a procedure which allows to keep those agreements into force while making the EES work. The Commission rejected the proposal because the proposal would comprehend only a few agreements, excluding those which provide for a stay less than 90 days, creating more problems than it was deemed to solve.

Secondly, the proposal would have been cumbersome both for Member States and third country nationals concerned and had the practical consequence of extending the effects of bilateral agreements to Member States that were not party to them. On the contrary, Member States showed a general support to the Presidency solution.

Access by national Law enforcement authorities

EES would be used by the same authorities that already use VIS: consular posts and border control. Moreover, it would allow law enforcement authorities as well as Europol to perform restricted queries in the database for criminal identification and intelligence to prevent serious crime and terrorism.

The conditions to grant access to the EES to law enforcement authorities (Chapter IV of the proposal) are one of the most controversial point of the proposal. According to the preparatory document of the Council (file 6572/17), some delegations have expressed the wish to further simplify it [the access to the EES by law enforcement authorities] in order to facilitate investigations in cases of serious crimes and terrorist offences. However, recent deliberations have shown a good degree of support for the Presidency compromise proposal, in which, upon request of a majority of delegations, the conditions for access have been softened to the maximum extent compatible to the current legal framework and case-law.

The European Parliament expressed major concerns with reference to Chapter IV and the Council in a document dated 22 may 2017 (file 9415/17) proposed a compromise.

In particular, the Council position would be maintained on:

(a) the reference to ‘designated authorities’ rather than ‘law enforcement authorities’;
(b) the possibility to access the EES even when the search in national databases results in a hit;
(c) the possibility to proceed to access the EES once the Prum search is launched; and
(d) the possibility to also check against refusal of entry records.

On the other hand, some amendments proposed by the European Parliament would be broadly accepted (some with amendments). These suggestions are in particular:

(a) limiting the urgency procedure to cases where there is an ‘imminent danger’ related to a terrorist offence or other serious criminal offence and requiring the ex post verification to take place within two working days.
(b) providing that there must be reasonable grounds to consider that consulting the EES will (rather than may) contribute to the detection, investigation or prevention of a terrorist/other serious criminal offence. Actually, it should be noted that ‘reasonable grounds’ would still be enough and certainty is not required. Moreover, a substantiated suspicion that the person falls within the scope of the EES would still be sufficient to fulfil this requirement.

Transfer of data to third countries and international organisations (Article 38) and to Member States not bound by, or not operating the EES (Article 38a)

The European Parliament opposes the possibility to transfer information to third countries and international organisations for the purpose of returns, unless there is a decision by the Commission regarding the adequate protection of personal data in that third country or a binding readmission agreement.

In particular, the European Parliament opposes the possibility to transfer such information on the basis of an arrangement similar to readmission agreements, arguing that these are not binding and do not contain the necessary data protection safeguards. The European Parliament also insists on the provision of guarantees by the third country concerned to use the data only for the purposes for which it is transferred, and that such transfers should only be possible once the return decision is final, and subject to the consent of the Member State that entered the data.

The EP also maintains its position against the transfer of information to third countries or to Member States not operating, or bound by, the EES, in cases of immediate threat of terrorist or other serious criminal offences (Article 38(4a) and Article 38a).

Reassurances have been provided that the relevant data protection legislation must still be respected (General Data Protection Regulation in case of returns/readmission and Data Protection Directive in case of terrorism/serious criminal offences), but this has not convinced the European Parliament.

Another concern raised by the European Parliament regards the fact that the conditions required to access the EES by national authorities (set out in Chapter IV) are not all reproduced for the transfer of such data to third countries, international organisations and Member States not operating the EES or to which the EES does not apply.

Data Retention (Article 31)

The European Parliament in its position reduces the data retention period from five years to:
– four years for third-country nationals who overstay;
– two years for third country nationals who respect the period of authorised stay.

According to a document dated 22 May 2017 (file 9415/17), the Council is still managing to find a compromise.

NOTE

[i] In its opinion 06/2016 of 21 September 2016, the European Data Protection Supervisor (EDPS) recognizes the need for coherent and effective information systems for borders and security. However, the EDPS underlines the significant and potentially intrusive nature of the proposed processing of personal data under the EES, which must therefore be considered under both Articles 7 and 8 of the EU Charter of Fundamental Rights.

According to EDPS opinion, necessity and proportionality of the EES scheme are to be assessed globally, taking into consideration the already existing large-scale IT systems in the EU.

The EDPS, then, notes that EES data will be processed for two different purposes, on the one hand for border management and facilitation purposes and on the other hand for law enforcement purposes. The EDPS strongly recommends clearly introducing the difference between these objectives, as these purposes entail a different impact on the rights to privacy and data protection.

 

Worth reading : the final report by the EU High Level Expert Group on Information Systems and Interoperability (HLEG),

NB: The full version (PDF)  of the Report is accessible HERE

On May 8th the (EU) High Level Expert Group on Information Systems and Interoperability (HLEG) which was set up in June 2016 following the Commission Communication on “Stronger and Smarter Information Systems for Borders and Security ” has published its long awaited 56 long pages Report on Information Systems and Interoperability.

Members of the HLEG were the EU Members States (+ Norway, Switzerland and Liechtenstein), the EU Agencies (Fundamental Rights Agency, FRONTEX, European Asylum Support Office, Europol and the EU-LISA “Large Information Support Agency”) as well as the representatives of the Commission and the European Data Protection Supervisor (EDPS) and the Anti-Terrorism Coordinator (an High Council General Secretariat Official designated by the European Council).

Three Statements, respectively of the EU Fundamental Rights Agency, of the European Data Protection Supervisor and of the EU Counter-Terrorism Coordinator (CTC),  are attached. The first two can be considered as a sort of partially dissenting Opinions while the CTC  statement is quite obviously in full support of the recommendations set out by the report as it embodies for the first time at EU level the “Availability Principle” which was set up already in 2004 by the European Council. According to that principle if a Member State (or the EU) has a security related information which can be useful to another Member State it has to make it available to the authority of another Member State. It looks as a common sense principle which goes hand in hand with the principle of sincere cooperation between EU Member States and between them and the EU Institutions.

The little detail is that when information is collected for security purposes national and European legislation set very strict criteria to avoid the possible abuses by public EU and National Law enforcement authorities. This is the core of Data Protection legislation and of the art. 6, 7 and 8 of the EU Charter of Fundamental Rights which prevent the EU and its Member States from becoming a sort of Big Brother “State of surveillance”. Moreover, at least until now these principles have guided the post-Lisbon European Court of Justice jurisprudence in this domain and it is quite appalling that no reference is made in this report to the Luxembourg Court Rulings notably dealing with “profiling” and “data retention”(“Digital Rights”, “Schrems”, “TELE 2-Watson”…).

Needless to say to implement all the HLWG recommendations several legislative measures will be needed as well as the definition of a legally EU Security Strategy which should be adopted under the responsibility of the EU co-legislators. Without a strong legally founded EU security strategy not only the European Parliament will continue to be out of the game but also the control of the Court of Justice on the necessity and  proportionality of the existing and planned EU legislative measures will be weakened.  Overall this HLWG report is mainly focused on security related objectives and the references to fundamental rights and data protection are given more as “excusatio non petita” than as a clearly explained reasoning (see the Fundamental Rights Agency Statement). On the Content of the  perceived “threats” to be countered with this new approach it has to be seen if some of them (such as the mixing irregular migration with terrorism)  are not imaginary and, by the countrary, real ones are not taken in account.

At least this report is now public. It will be naive to consider it as purely “technical” : it is highly political and will justify several EU legislative measures. It will be worthless for the European Parliament to wake up when the formal legislative proposals will be submitted. If it has an alternative vision it has to show it NOW and not waiting when the Report will be quite likely “endorsed” by the Council and the European Council.

Emilio De Capitani

TEXT OF THE REPORT (NB  Figures have not been currently imported, sorry.)

——- Continue reading “Worth reading : the final report by the EU High Level Expert Group on Information Systems and Interoperability (HLEG),”

Legislative Tracker : the European Travel Information and Authorisation System (ETIAS)

by Beatrice FRAGASSO (Free-Group Trainee)

The European Commission, on 16 November 2016, has put forward a proposal (COM(2016) 731, 16.11.2016, 2016/0357(COD)) establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulation (EU) (EU) 2016/399 (the ‘Schengen Borders Code’), (EU) 2016/794 and (EU) 2016/1624.

This proposal is being negotiated as part of the Smart Border Package and aims to ensure a high level of internal security and free movement of persons in the Schengen area. The Commission didn’t conduct an impact assessment but published a feasibility study on ETIAS, conducted between June and October 2016.

The system designed by the proposal would require also visa-exempt travellers to undergo a risk assessment with respect to security, irregular migration and public health risks prior to their arrival at the Schengen borders. This assessment would be carried out by means of cross- checking applicant’s data submitted through ETIAS system against other EU information systems, a dedicated ETIAS watch list and screening rules. This process will result in granting or denying an automated authorization for entering the EU.

Further information from the European Parliament Research Service are available HERE

The current situation
Currently, both visa-obliged and visa-exempt travelers are subject to border controls when entering the Schengen area. According to Regulation (EU) 2016/399, both categories of travelers need to comply with the conditions for short-term stay, which include not being a threat to public order and security, holding valid travel documents, justifying the purpose and conditions of the intended stay, not being the subject of any alert in the SIS for the purpose of refusing entry, and having sufficient means of subsistence.

For visa holders the compliance with this conditions is assessed at the time on the request for a visa  and relevant data are stored in visa information system (VIS) which can be consulted by law enforcement authorities for the purposes of combatting serious crime and terrorism.

However, no such advance information can be currently obtained for visa-exempt nationals arriving at the Schengen external borders. This means that border guards need to decide on allowing or refusing access to the Schengen area without prior knowledge regarding any security, migration or public-health risks associated with visa exempt travelers.

This is particularly true for visa-exempt travelers arriving by land, as the only source of information about them is their travel document presented at the time of crossing the EU external border.

The situation is different for passengers arriving by air as Council Directive 2004/82/EC obliges carriers to communicate all passenger data, known as ‘advance passenger information’ (API), including name, date of birth, passport number and nationality at the time of the check-in for inbound flights to the EU. Another Directive (EU) 2016/681 on the use of passenger name record data (the ‘PNR Directive’) collect 19 types of personal data already at the time of the flight reservation and obliges airlines to hand over to EU MS authorities their passengers’ data linked with the travel reservation (which includes travel dates, travel itinerary, ticket information, frequent flyer data,  contact details, baggage information, credit card and general remarks stored in the Airline files).

For visa-exempt passengers arriving on foot or by car, bus or train, no such comparable advance information is available prior to their arrival.

The changes the proposal would bring

Schengen Border Checks
Prior to arriving in the Schengen area, all carriers will verify if visa-exempt third-country nationals have a valid ETIAS travel authorization, without which boarding will not be authorized. A valid ETIAS travel authorization, should be obtained in advance of arrival at a Schengen border crossing point, and this will be a precondition for entering the Schengen area. However, border guards at the external Schengen borders will still take the final decision to grant or refuse entry according to the Schengen Borders Code.

Online application
As it is currently the case for visa-exempt travelers to Canada “ETA”,  USA “ESTA”  and Australia “ETA” who have to ask for a travel authorization also travelers wanting enter the Schengen area will have to fill in an online application by providing their biographical and passport data, contact details, information on intended travel, and answers to background questions relating to public health risks, criminal records, presence in war zones and previous refusals of entry or an order to leave the territory of a Member State.

At the same time, an application fee of €5, which will go to the EU budget, will be mandatory for all applicants above the age of 18 before their application can be processed.

Processing of applications
The automated processing will be carried out by the central system, which will be in charge of checking data provided by applicants against security databases, such as the VIS, Europol data, the SIS, Eurodac, the  Interpol SLTD database , the European Criminal Records Information System (ECRIS) and the planned future EU “Entry-Exit” system (currently negotiated between the EP and the Council). Personal Data will also be screened against a ETIAS “watch list” (where people suspected to have committed, or be likely to commit a criminal offence will be listed by the EU MS) and against specific risk indicators (irregular migration, security or public- health risks) which will be defined in consultation with an ETIAS screening board.

In the case of a positive hit after the automatic processing, that personal application will be further assessed manually by operators in the ETIAS central unit and in the national units.
In case no risks has been detected a positive response, in a form of a travel authorisation valid for five years (or until the expiry of the passport) will be delivered. In the case of a refusal, a justification will be given and applicants will have the right to appeal.

Authorisation will be revoked or annulled when the conditions for its issuance are no longer met, particularly when it is believed that it was fraudulently obtained or when a new alert for refusal of entry is created in the SIS.

Etias structure
ETIAS will consist of an information system, a central unit and national units.

The information system will be designed for processing applications and will be interoperable with other security databases that ETIAS will be connected. The new system will be managed by the European Agency for the operational management of large-scale information systems in the area of freedom, security and justice (eu-LISA).

The central unit will be part of Frontex (the European Border and Coast Guard Agency) and will ensure that the data stored in the application files and the data recorded in ETIAS are correct and up to date. Where necessary, it will also verify travel authorisation applications whenever there are doubts regarding the identity of an applicant in cases where the latter’s data produced a match (a ‘hit’) against the stored data during automated processing.
The national units will be responsible for making the risk assessment and deciding on travel authorisation for applications rejected by the automated application process. They will also issue opinions when consulted by other national units, and act as a national access point for requests for access to the ETIAS data for law enforcement purposes related to terrorist and other serious criminal offences.

The role of Europol
Europol will be involved in ETIAS in several ways.
Firstly, Europol’s data related to criminal offences, convictions or potential threats will be compared to those provided by applicants for an ETIAS authorization.
Secondly, Europol will help define ETIAS screening rules by participating in the ETIAS screening board and managing the ETIAS watch list.
Thirdly, Europol will be consulted by the ETIAS national units in case of a match with Europol data during the ETIAS automated processing.
And finally, Europol will be able to consult personal data in the ETIAS central system for the prevention, detection or investigation of terrorist offences or other serious criminal offences (as provided by its mandate).

The Council’s position
In a  document om March 17, 2017 authored  by the Maltese Presidency of the Council of the EU and covering also the other legislative pending measures connected to ETIAS, a number of compromises are suggested: The Presidency identified other key issues that needed to be clarified and decided upon before revised text proposals could be submitted to delegations. The Presidency therefore prepared a discussion paper on which delegations were invited to comment. The issues outlined by the Presidency related to the division of competences between Frontex and the Member States, the definition of ‘responsible Member State’ as regards the decision to grant a travel authorisation, and the duration of a travel authorization […] With respect to the definition of the ‘responsible Member State’, delegations were divided into two groups, one in favour of the Member State of first entry, as proposed by the Commission, while the other stressed the key role played by the Member State at the origin of an alert triggering a “hit”. The following issues are the “object of extensive debates”:

“– the scope of the regulation;
– the ETIAS watchlist and the screening rules;
– the access to the ETIAS data;
– the interoperability of ETIAS with other systems and databases.”

More recently the Council Presidency has also submitted some possible compromise proposals to the other delegations (docs 8579/17 and 8584/17) and it is more than likely that the EP will be under pressure to launch the negotiations for a first reading agreement on this subject.

The European Parliament position (Libe Committee Debate)
On the EP side works are still at an initial phase (SEE OEIL DOSSIER HERE). The LIBE Committee has been informed for the first time by a Commission representative (Belinda Pyke) on 22 March 2017. It has been stressed that the purpose of the proposal is to improve internal security and border management and that policy visa liberalization is essential in the system. This proposal will contribute to the security of the Schengen area because as any risks will be identified prior to departure. Due to the political pressure of the European Council and the  very tight deadlines the Commission did not have the time to conduct an impact assessment although it would have been desirable; however, the Commission published a detailed study on the subject. The Commission representative made reference to the comparable systems in  Australia, Canada and USA and declared that the ETIAS system will take stock of the experience of these countries by overcoming their weaknesses and mirroring the strengths of these systems.
Firstly, request authorization will be easy and cheap. Applicants will receive rapidly (within 12 hours) a positive feedback and those without authorization will save travel costs. The ETIAS system provides an automatic control: such control will allow to verify that the criminal record is clean. These checks will take place on the basis of SIS, Interpol, ECRIS, Eurodac.
The ETIAS central unit will compare the data in the database and the identity of the applicant and the rest of the operations will be managed by the national units.
The decision of the unit will be delivered within 72 hours, unless it will be necessary to gather special information (in this case it will be possible an extension to a two-week maximum).
ETIAS will be financially self-sustaining, thanks to the tax that will be paid by applicants. It is estimated that the costs for developing it will amount to €212.1 million, while the average annual operations costs, to be covered by the revenue from fees, will be €85 million.
The data will be protected from abuse and the information may be given to law enforcement only in the case of very serious crimes (this possibility also exist for Eurodac).

The EP rapporteur Kinga Gal (PPE – Hungary) was not present at the debate, but a colleague read her statement. The rapporteur argues that the text is of great importance and it will cover three categories of passengers
1) European Citizens or persons enjoying the right of free movement under Union law
2) Third-country nationals under visa obligation
3) Third-country nationals without visa obligation
From now until 2020 the countries without visa obligation will increase. For third-country nationals without visa obligation it’s difficult to gather information; it’s therefore necessary to create an information system well established in legal terms, so as not to put excessive burdens for Member States.

The debate that followed, however, showed controversial elements in the proposal, criticized by MEPs.
Firstly, almost all the MEPs who spoke remarked the necessity of an impact assessment, finding it unacceptable yet another lack of it. An issue of such importance can not be studied without taking into account an impact assessment: the urgency can not justify such a lack.

Birgit Sippel (S&D – Germany), for instance, affirmed that she’s tired to listen to the Commission affirming that it’s necessary to adopt better legislation and that impact assessments are not conducted anymore because of urgency. EU needs to regulate well, not in a hurry: this rush to legislate, then, does not make sense if the execution by the Member States is so slow. She also remarked that one of the problems in this proposal is that the form requires a bit of everything and there is the risk that if an applicant forgets a small offense did at 15 years old he cannot enter.

The shadow rapporteur Gérard Deprez (ALDE – Belgium) wondered what professional criteria will be provided for ETIAS units and how it will be possible to apply Article 7 of the Schengen Code, because compulsory systematic checks for everybody (as provided in that Article) would have a significant impact on traffic at the border. Deprez considered that the term of 72 hours is reasonable whereas he considers excessive the term of validity of five years, because in the course of five years many things can change in a person’s life. Also foreign experiences in fact suggest different solutions: in US visa is valid for one year and in Australia for two years. Also with regard to rates, Deprez is at odds with the proposal: 5 euro is a low price if compared to the prices of US (14 euro) and Australia (20 euro). According to Deprez, then, in the request the applicant should indicate the member state where he would like to go. The proposal, in addiction, should define a better balancing of criminal convictions. For example, prison sentences of less than one year should not be an obstacle to the granting of authorization.

It may also emerge a serious problem for air traffic. It is estimated that for a plane carrying 300 people controls may last from four hours and a half to seven hours and a half. The controls are certainly a necessary corollary for visa liberalization, but the parliament should find more efficient solutions.

On behalf of DG HOME of the European Commission Mrs Belinda Pike replied that the validity of five years would be reasonable. Of course it is noted that in the case in which the person commits an offense such information is immediately acquired in the system. Contrary to what Deprez stated, then, the cost is not too low, but it’s instead sufficient to ensure the smart management of borders. It is a fee that will cover the costs and ensures a small gain. In the US half of the fee (therefore, 7 euros) is invested in the tourism sector. Do not pay anything on the other hand would be a huge burden on the EU budget.

Belinda Pike finally stressed that the screening does not immediately lead to the rejection of the request, but simply involves manual handling of the request.

Marie – Christine Vergiat (GUE/NGL – France) and Bodil Valero (Greens/EFA – Sweden) highlighted that visas are returned, albeit with a different name (authorization). According to Marie – Christine Vergiat, then, this proposal does not promote cooperation between member states, it is repressive and attacks the fundamental rights, like others in this area of “smart” borders. Security and immigration are matters to be addressed in different texts, because adhere to different problems. The fact that some people should be identified through a profiling system also raises an ethical problem.

Bodil Valero remarked the privacy-issue. People will also provide information on education and health and Greens/Efa group would like to receive explanations about what is the reason for these provisions: perhaps the Commission’s intention is to gather information that cannot be collected in other ways. Furthermore, the 5-year period envisaged for data stocking is too long. She underlined that also the EDPS (European Data Protection Supervisor) has taken a fairly critical position on some of the elements of the proposal.
In his opinion, in fact, the EDPS states, among other things, that the establishment of ETIAS would have a significant impact on the right to the protection of personal data, since various kinds of data, collected initially for very different purposes, will become accessible to a broader range of public authorities (i.e. immigration authorities, border guards, law enforcement authorities, etc). For this reason, the EDPS considers that there is a need for conducting an assessment of the impact that the Proposal will entail on the right to privacy and the right to data protection enshrined in the Charter of Fundamental Rights of the EU, which will take stock of all existing EU-level measures for migration and security objectives.

Last but not least, during a TRAN (transport and tourism) committee on Wednesday 22 March, different speakers representing the tourist sector expressed concerns about the costs generated by the ETIAS in the tourism sector. However, the TRAN Committee decided not to give an opinion to LIBE.

NEXT STEPS

As soon as the two co-legislators will have defined their position a trilogue  could be launched which can bring to an agreement on first reading. As things currently stay an agreement will probably go hand in hand with the other “ENTRY/EXIT” legislative proposal.

 

Common Asylum Procedure Regulation: ICJ comments on the current proposal of the Regulation

THE ORIGINAL DOCUMENT OF THE INTERNATIONAL COMMISSION OF JURISTS  IS PUBLISHED HERE  (April 2017)

Introduction

On 13 July 2016, the European Commission published a proposal (Common Asylum Procedure Regulation)1 to repealing the current Common Asylum Procedures Directive (2013/32/EU).2 In this briefing paper, the ICJ presents its comments on several key procedural aspects of the proposed Regulation in view of the possible impact on the rights of asylum seekers in Europe.3

The areas most impacted include access to legal information; legal assistance, representation and legal aid; accelerated and border procedures; and access to an effective remedy.

The proposed Regulation is one of the instruments of the Common European Asylum System4 of the EU. It is intended to replace the current Asylum Procedures Directive with a Regulation and thereby aims to reduce the scope of discretion enjoyed by Member States in the implementation of matters covered under its provisions.5

The proposal of 13 July 2016 was developed in reaction to the increased arrivals of refugees in 2015 which was identified by the European Commission as a “refugee crisis for the EU.”6 In 2015, over one million people – refugees, displaced persons and other migrants – made their way to EU countries. The International Organization for Migration has estimated that some 3,771 of these persons died on their journey7 and a high number of people were stranded in the border countries, mainly Italy and Greece. The European Commission reacted with a number of legislative and policy proposals, among them a proposal for intra-EU relocation schemes,8 and the new Common European Asylum System directives and regulations.

  1. Scope of the proposal

(a)  Regulation proposal

Recital 7 and Article 2.1 would limit the scope of the Regulation to territory, border, territorial waters and transit zones. Recital 7 states that  : “This Regulation should apply to all applications for international protection made in the territory of the Member States, including those made at the external border, on the territorial sea or in the transit zones of Member States, and the withdrawal of international protection. Persons seeking international protection who are present on the territorial sea of a Member State should be disembarked on land and have their applications examined in accordance with this Regulation.”

Article 2.1 states that: “This Regulation applies to all applications for international protection made in the territory of the Member States, including at the external border, in the territorial sea or in the transit zones of the Member States, and to the withdrawal of international protection.”

(b)  Analysis of International and EU law

The limitation of the scope of the Regulation to territory, border, territorial waters and transit zones does not cover all situations, which fall under the protective jurisdiction of a State under international human rights law. Consequently, there are situations where the right of asylum (Article 18 EU Charter), the prohibition of non-refoulement, and other human rights cannot be guaranteed or risk being undermined, such as in the case of interception or rescue in international waters.

Under international human rights law, jurisdiction is generally broader than that contemplated under Recital 7 and Article 2.1. While the exact scope of a State’s protective jurisdiction will be dependent on the primary treaty or other source of law providing the basis for the protection, a common minimum standard under international human rights law is that, “jurisdiction” applies to all persons who fall under the authority or the effective control of the State’s authorities or of other people acting on its behalf, and to all extraterritorial zones, whether of a foreign State or not, where the State exercises effective control of the territory on which the person is situated.

Particularly under the European Convention of Human Rights, the leading case Al-Skeini and others v. UK, where the European Court of Human Rights (Grand Chamber) also provided a clarification as to the extraterritorial reach of the European Convention and its jurisprudence on jurisdiction.10 Among the various means in which the jurisdiction of Convention extended extraterritorially, was that of control and authority of individuals, irrespective of territory on which control and authority are exercised: “It is clear that, whenever the State through its agents exercises control and authority over an individual, and thus jurisdiction, the State is under an obligation under Article 1 to secure to that individual the rights and freedoms under Section 1 of the Convention that are relevant to the situation of that individual.11 Similarly, under the International Covenant on Civil and Political Rights, to which all EU States are Party, States “must respect and ensure the rights laid down in the Covenant to anyone within the power of effective control of that State Party, even if not situated within the territory of the State Party.12” In respect of some of other human rights treaties, obligations extend with no territorial limitations whatsoever. For instance, the International Court of Justice has said that “there is no restriction of a general nature in the Convention on the Elimination of all forms of Racial Discrimination”, to which all EU member States are a party, and therefore it applies to all State actions within or outside its territory.13

A State may have obligations to respect and protect the rights of persons who have not entered the territory, but who have otherwise entered areas under the authority and control of the State, or who have been subject to extra-territorial action (such as detention) by a State agent who has placed them under the control of that State. Of particular relevance for migrants is the fact that the State’s jurisdiction may extend in certain situations to international waters. The European Court of Human Rights has clearly affirmed that measures of interception of boats, including on the high seas, attract the jurisdiction of the State implementing the interception. From the moment of effective control of the boat, all the persons on it fall within the jurisdiction of the intercepting State, which must secure and protect their human rights.14 The same principles apply in the context of operations of rescue at sea.

(c) Conclusions and recommendations

The ICJ recommends extending the scope of the Regulation so as to apply to all situations where the Member State has effective authority or control over the asylum seeker, including in international waters.

  1. Access to legal information

Continue reading “Common Asylum Procedure Regulation: ICJ comments on the current proposal of the Regulation”

EU-Afghanistan “Joint Way Forward on migration issues”: another “surrealist” EU legal text ?

magritte-est-vivant-magritte-et-la-creation-contemporaine_f8d24ebdc752b2954baf498e9cc320107a785529_sq_640

by Luigi LIMONE (*)

It may be a coincidence but this year we are not only celebrating the 50th anniversary of Rene’ MAGRITTE painter’s death but also witnessing his surrealist approach spreading also in the EU Institutions and Member States legal practice.

We already know already that the core of 90% of legislative interinstitutional negotiations takes place in a confidential “informal” framework (the so called “trilogues” procedure) which run against the Treaties grounded obligation of legislative debates to be held in public.

Thanks to the Court of Justice (Cases T-192/16, T-193/16 and T-257/16) we have also recently discovered that the EU-Turkey “deal” on migration which was trumpeted as an EU achievement by the European Council President was not in fact an EU agreement because “neither the European Council nor any other institution of the EU decided to conclude an agreement with the Turkish Government on the subject of the migration crisis.”  According to the CJEU press release “In the absence of any act of an institution of the EU, the legality of which it could review under Article 263 TFEU, the Court has declared that it lacked jurisdiction to hear and determine the actions brought by the three asylum seekers. For the sake of completeness, with regard to the reference in the ‘EU-Turkey statement’ to the fact that ‘the EU and [the Republic of] Turkey agreed on … additional action points’, the Court has considered that, even supposing that an international agreement could have been informally concluded during the meeting of 18 March 2016, something which has been denied by the European Council,  the Council  of  the European Union  and the  European Commission in the  present  cases, that agreement would have been an agreement concluded by the Heads of State or Government of the Member States of the EU and the Turkish Prime Minister. In an action brought under Article 263 TFEU, however, the Court does not have jurisdiction to rule on the lawfulness of an international agreement concluded by the Member States.”

 

Now a third example of legal surrealist approach is offered to us by the Joint Way Forward (JWF) declaration on migration issues with Afghanistan and the EU. It was signed during the Afghanistan donor conference which took place in Brussels on 4 and 5 October 2016 and brought together representatives from 75 countries and 26 international organizations, with the ultimate aim of finding new funding solutions to end violence and introduce a political process towards lasting peace and reconciliation in Afghanistan.

Unlike for the EU-Turkey “deal” this time the EU Institutions recognize to be responsible of this text.  Intervening before the European Parliament competent committee (LIBE)  Simon Mordue, Deputy Director-General for Migration, DG Migration and Asylum (DG HOME), this declaration aims to facilitate the return process of irregular Afghans and to support their sustainable reintegration in the Afghan society, while fighting the criminal network of smugglers and traffickers at the same time. The objective, as stated in the document, is “to establish a rapid, effective and manageable process for a smooth, dignified and orderly return of Afghan nationals who do not fulfill the conditions in force for entry to, presence in, or residence on the territory of the EU, and to facilitate their reintegration in Afghanistan in a spirit of cooperation”. The document also clarifies that “in their cooperation under this declaration, the EU and Afghanistan remain committed to all their international obligations, in particular: a) respecting the provisions of the 1951 Convention relating to the Status of Refugees and its 1967 New York Protocol; b) upholding the rights and freedoms guaranteed in the International Covenant on Civil and Political rights and the EU Charter on Fundamental Rights and the Universal Declaration on Human Rights; c) respecting the safety, dignity and human rights of irregular migrants subject to a return and readmission procedure”.

The little detail is that even if the wording of the text looks like an international agreement  the Commission has clearly stated also before the EP plenary that the text is not.. binding even if, its wording, objective and content, is the same of a formal readmission agreement like the ones that the European Union has so far concluded with 17 non-EU countries an which have approved by the European Parliament following art. 79 par 3 of the TFEU. (SEE NOTE BELOW)

According to the Commission the Joint Way Forward  should instead be considered a simple “joint statement”,  not legally enforceable wich simply “paves the way for a structural dialogue and cooperation on migration issues, based on a commitment to identify effective ways to address the needs of both sides”.  However, as noted by Tony Bunyan, director of Statewatch, also the readmission agreement with Turkey of 18 March 2016 originated in the form of two letters and of an informal declaration and the European Union. Now the EU has adopted the same approach with Afghanistan.

Is the joint declaration with Afghanistan, in fact, representing  another attempt to conclude a readmission agreement, while bypassing the rules (art.79 p 3 and 218 of the TFEU)   laid down in the EU Treaties for the conclusion of international readmission agreements and notably the approbation by the the European Parliament?

 

The Joint Way Forward (JWF) declaration is in line with the recent political shift in EU foreign policy, which now primarily focuses on curbing migration and making deterrence and expulsion the main objectives of its relationships with third countries. The shift towards the externalization of migration management and control is exemplified by the new Partnership Framework, which was proposed by the European Commission in June 2016 under the European Agenda on Migration. The ultimate aim of the Partnership Framework is “a coherent and tailored engagement where the Union and its Member States act in a coordinated manner putting together instruments, tools and leverage to reach comprehensive partnerships (“compacts”) with third countries to better manage migration in full respect of our humanitarian and human rights obligations”.

In practice, the Partnership Framework has introduced an alternative approach with regards to readmission agreements, which are now concluded in the form of informal agreements by means of “informal” swift procedures.

This is done  , under pressure from some Member States, in particular Germany. It was already the case for the “non-EU” agreement with Turkey on March 2016, and also now Germany has hardly fought for a rapid adoption of an “informal” agreement with Afghanistan. Faced with the rise in arrivals form Afghanistan, in October 2015 the German Ministry of Interior Thomas de Maizières had already announced that Germany wanted to return to Afghanistan all the Afghan nationals who were not eligible for asylum, including those who had lived in Iran or Pakistan and, consequently, had no link to Afghanistan itself, and that to do so he would have urged the European Union to negotiate an agreement with the government of Kabul.  By invoking the need urgently facing the migration crisis, the political priorities of the Member States are now “deterrence” and “expulsion” and this has also gained the support of  EU Commission which is increasingly moving towards packaging these priorities in a format which  bypass the European Parliament and the lengthy formal procedures with a high risk of  human rights violations.  In fact, this new fast-track approach not only prevents any form of democratic scrutiny but also ignores the concerns of the civil society about the situation in Afghanistan and about the major risks of rights violations, such as the principle of non-refoulement, exposure to inhuman and degrading treatment, protection against collective expulsions and the right to asylum.

Afghans constitute the second-largest group of asylum seekers in Europe, with 196,170 applying in 2015. The country is experiencing ongoing and escalated conflict, despite the efforts of the EU to present it as a country that is safe for returnees and able to reintegrate them successfully. The conflict has left more than 1.2 million people without permanent homes and has resulted in three million refugees fleeing to Pakistan and Iran. Since January 2015, around 242,000 Afghans have fled to the EU. Furthermore, the country is already facing a large number of returnees from the region. In 2015, more than 190,000 Afghan documented refugees have returned from neighbouring countries. People are exposed to a deeply deteriorating security situation, as provinces such as Helmand and Kunduz fall in to the hands of armed groups yet again.

Despite this situation, the Joint Way Forward declaration gives clear signals that the European Union will once again engage in a conduct that puts into question its obligation to protect those fleeing conflicts or persecution and to safeguard the human rights of all persons as required by the EU Charter. The declaration provides for measures to facilitate the return and readmission of Afghan nationals, such as the use of non-scheduled flights to Kabul, joint flights from several EU Member States organized and coordinated by the European Border and Coast Guard Agency (Frontex), including the possibility to build a dedicated terminal for return in Kabul airport. The Joint Way Forward declaration also opens up the return of women and unaccompanied children and no mention is made to the best interest of the child. The document, in fact, states that “special measures will ensure that such vulnerable groups receive adequate protection, assistance and care throughout the whole process”.

It has to be acknowledged that some Members of the European Parliament have already raised several concerns on the legitimacy of the Joint Way Forward declaration as well as on its content. They have criticized the approach of the European Commission with regard to the adoption of informal readmission agreements as well as the conditionality imposed to third countries. In fact, the format introduced by the Partnership Framework implies a kind of connection between development aid and the third country’s willingness to cooperate for the management of migration flows. It is clear that countries like Afghanistan which are strongly dependent on foreign aid for their revenues might have no other choice but to forcibly accept to cooperate in order to receive development and financial support in exchange.

The European Union must comply with the provisions of the Treaties as well as with its democratic principles and protection of human rights, in order to avoid the replication of the EU-Turkey “statement” and the EU-Afghanistan Joint Way Forward “declaration” with other third countries, in primis Libya and Sudan which have already been identified as “interesting partners” by Italy.

 

ANNEX EU-Legal Framework on readmission agreements

EU Readmission Agreements (EURAs) are based on reciprocal obligations and are concluded between the European Union and non-EU countries to facilitate the return of people residing irregularly in a country to their country of origin or to a country of transit. The EU has stated that readmission agreements with third countries of both origin and transit constitute a cornerstone for effective migration management and for the efficient return of third country nationals irregularly present in the EU. The objective of these agreements for the EU Member States is to facilitate the expulsion of third country nationals either to their country of origin or to a country through which they transited on route to the EU. As such, they are crucial to the EU return policy, as defined in the Return Directive (Directive 2008/115/EC).

Readmission agreements are negotiated in a broader context where partner countries are usually granted visa facilitation, which means simpler procedures for their nationals to obtain shorter stay visas to come to EU Member States, and other incentives such as financial support for implementing the agreement or special trade conditions in exchange for readmitting people residing irregularly in the EU.

The legal basis for the conclusion of readmission agreements with third countries is Article 79(3) TFEU which states that “the Union may conclude agreements with third countries for the readmission to their countries of origin or provenance of third-country nationals who do not or who no longer fulfil the conditions for entry, presence or residence in the territory of one of the Member States”. These agreements are negotiated with the partner country on the basis of a negotiating mandate grated by the Council to the Commission and they are then concluded after the European Parliament has given its consent. According to article 218(6) TFEU the European Parliament must, in fact, give its consent prior to the conclusion of association and similar agreements. Moreover, according to article 210(10) TFEU the European Parliament shall be immediately and fully informed at all stages of the procedure.

 

(*) FREE Group Trainee

PARLIAMENTARY TRACKER : THE NEW PROPOSAL ON SYSTEMATIC CONTROLS AT EU EXTERNAL BORDERS

by Beatrice FRAGASSO (*)

On Friday 7 April,   Regulation (EU) 2017/458  reinforcing of checks against relevant databases at external borders for all travellers crossing the external Schengen borders, including European nationals, has entered into force. It is the latest  but not the last amendment to the Schengen Border Code (Regulation (EC) 562/2006 ): other amendments are currently negotiated in the framework of the so called Smart Border Package (and others will follow in the coming months) such as

-the two proposals on the ENTRY-EXIT System (issues currently debated are i) the scope of the EES; ii) the optimal choice and use of biometric identifiers; iii) the calculation of the 90/180 day- timeframe regarding Member States which do not yet apply the Schengen acquis in full; iv) the conditions under which stamps will still be used on travel documents; v) the transfer of data to third countries and other third parties; vi)the interaction between the EES and the bilateral agreements under which a Member State extends the stay of the third country national concerned for a period longer than 90 days).

-the proposal to create a European Travel Information and Authorisation System (ETIAS) in order for the visa-exempt third country nationals to be authorised to travel to the Schengen Area for short-stay visits following a pre-screening prior to their trip. Such pre-screening should allow the competent authorities to assess whether such travel poses a security or migration risk. However, it should be noted that this authorisation would not grant entry to the Schengen Area, which remains to be decided by the border guards. ETIAS would cover all external border types (air, land and sea).

– the establishment of additional functionalities for the SIS such as the creation of SIS alerts on irregular migrants who are the subject of return decisions; the use of facial images for biometric identification, in addition to fingerprints; the automatic transmission of information on a hit following a check; the storing of hit information on discreet and specific check alerts in the SIS Central System; the creation of a new alert category on ‘Wanted Unknown Persons’ for which forensic data may exist in national databases (e.g. a latent print left behind at a crime scene) and the extension of the scope of SIS for immigration purposes.  (SEE 7644/16 – Communication from the Commission to the European Parliament and to the Council Stronger and Smarter Information Systems for Borders and Security)

PROCEDURAL ASPECTS :

This latest reform  reinforcing of checks against relevant databases at external borders (Legislative PROCEDURE COD(2015)0307) was proposed by the European Commission (see COM(2015)0670) at the end of 2015 following the Paris terrorists attacks. The Council adopted a “general approach” already on February 25 , 2016 as a basis for a trilogue with the European Parliament and the Commission.

On his side the EP LIBE Committee adopted its Report on 21 June 2016 (A8-0218/2016) . Since then, several technical meetings  and at least three trilogues meetings , (on 13 July 2016, 11 October 2016 and 5 December 2016 ) have taken place. As usual there is no transparency on this kind of legislative negotiations from June 2016 to February 2017 and the only accessible reference is a multicolumn document leaked by Statewatch (dated 8 July 2016). According to that document and other informal sources the main issues debated between the Parliament and the Council were : i) regarding air borders, the extent of the transitional period during which it will be possible to derogate from the systematic checks; ii) the question whether reference should be made in the text to consultation of national data bases to verify that there is no threat to the internal security, etc.; iii) the question whether the scope of cases to be exempted from systematic checks under certain conditions shall be limited to the disproportionate delays (and if allowed by the relevant risk analysis) or would be broaden; iv) The sunset clause which the Parliament wants to be included in the text in order to have the application of this Regulation terminated after a given time.

The Member States pressure on the European Parliament has been particularly strong after  the “informal” meeting of the Heads of State or Government at Bratislava on 16 September 2016 and the result of it (and of the trilogues) has been a compromise wich has been endorsed by LIBE has submitted and submitted to the  European Parliament.

The latter has adopted its position on 16 February 2017 and this  text  is particularly interesting because it shows clearly all the amendments agreed on by the Co-legislator (European Parliament and Council) on the original Commission proposal.. Needless to say, the Council unanimously endorsed the text on Tuesday 7 March, with the only exception of UK, IRL (which can decide to join later) and of DK.

However Slovenia while approving the text confirmed in a separate statement its strong concerns because  “.. checks carried out systematically on all persons crossing the external borders, including those enjoying the right of free movement under Union Law, without targeted checks as a basic principle for efficient border checks and without taking into consideration justified exemptions, is a disproportionate measure in relation to the pursued objective of the change….Additional doubts to the efficiency of the new provisions of Article 7(2) of the Code are related to the possible transitional period for border checks at air borders that are especially vulnerable part of the external borders. The implementation on the scale as specified in Article 7 (2) of the Code will have an adverse effect on passenger flows at external borders as it will also have financial implications for Member States. Slovenia cannot be held ultimately accountable for such outcomes.”

These concerns have been echoed also in a statement of Croatia. The latter is formally a member of the Schengen cooperation but has still to obtain (like Romania and Bulgaria) the Council decision which states that  all the technical tests have been past and internal controls can be suppressed. In practice Croatia is considered still outside the Schengen area and the internal borders controls with Slovenia and Hungary will continue until the Council gives its green light.  For this reason “..the Republic of Croatia regrets that these measures are to be implemented not only at the European Union’s external borders but also at internal borders between Member States fully applying the Schengen acquis and Member States not yet fully applying the Schengen acquis. The title of the Regulation itself implies its application at the European Union’s external borders, not at Schengen borders. For that precise reason, all Member States should have been treated equally. Such a regime will constitute a significant additional burden on the national resources of the Republic of Croatia in terms of the required level of technical and personnel capacities, which could have negative implications for the Croatian economy and the efficient flow of passenger and goods traffic. The Republic of Croatia considers that not even at a symbolic level does such a regime at internal borders contribute to unity in achieving the objectives of this Regulation….”

SOME HIGHLIGHTS OF THE NEW REGULATION AND ECHOES OF THE EP DEBATE 

To have an idea of the impact of the new regulation suffice to remember that in 2014 there has been 60.906.914 Schengen external borders crossings of those 48.792.665 EU citizens.  In the first half of 2016: 26.842.855 passengers, of those 21.385.972 EU citizens.

The new Regulation concerns in particular the Article 7 of Regulation 562/2006, that rules the border checks on persons. Reinforcing the checks against databases at external borders is a response, in particular, to the increased threat of terrorism, and it aims to guarantee the proper functioning of the Schengen area. The new regulation introduces the obligation of systematic checking of all citizens (also EU citizens) at air, sea and land borders on the basis of police databases, such as the Schengen Information System (SIS) or the Interpol database of stolen or missing documents, in view of tracking journeys possibly made for terrorist purposes.

While third-country nationals are already subject to systematic document and security checks against relevant databases upon entry, according to the current legislation EU citizens were subjects to a minimum control based on a rapid and straightforward verification of the validity of the travel document for crossing the border.

The phenomenon of foreign terrorist fighters, many of whom are Union citizens, has generated the need to reinforce checks at external borders with regard to persons enjoying the right of free movement under Union law (i.e. EU citizens and members of their families who are not EU citizens). These new provisions try to face the risks posed by returning terrorist foreign fighters, who have returned to the EU from non-EU countries, exercising their right of free movement.

The regulation introduces a new ordinary procedure for border checking.

The travel documents of persons enjoying the right of free movement under Union law should be checked systematically, on entry into and on exit from the territory of Member States, against SIS and Interpol databases for stolen, misappropriated, lost and invalidated travel documents in order to ensure that such persons do not hide their real identity.

Border guards should conduct systematically checks using data provided by the SIS, Interpol database on stolen and lost travel documents, national databases. To that end, the Member States should ensure that their border guards have access at external border crossing points to the national and Union databases.

The EP rapporteur Monica Macovei (ECR – Romania) at the plenary (on 15 February 2017) gave an example of how the control system is supposed to work: the passport will be scanned and, if one of the databases shows information about that person, further analysis will be done on that traveller. She underlined that it will be a fast verification, because border guards will utilise only one interface, that gather all the databases. According to the regulation, such systematic checks of course should be carried out in full compliance with relevant Union law, including the Charter of Fundamental Rights of the European Union and should fully respect human dignity.

As an exception to the systematic controls, Member States will be allowed to carry out “targeted” (non-systematic) control to particular cases in which systematic checks at the border would have a disproportionate impact on the flow of the traffic. In these cases, a Member State may decide to carry out those checks on a targeted basis at specified border crossing points. This exemption is allowed just if, on the basis of a risk assessment, it is determined that such a relaxation would not lead to a security risk. Such a risk assessment should be transmitted to the European Border and Coast Guard Agency.  In cases where there are doubts about the travel document or where there are indications that such a person could represent a threat to the public policy, internal security, public health or international relations of the Member States, the border guard should consult all named databases.

The regulation provides for adaptations to take account of the problems, mostly of a technical nature, raised by certain member states: at the air borders, for instance, the Member States will be allowed to carry out “targeted” controls over a six-month transition period, once the new regulation enters into force. This timeframe could then be extended for a maximum 18-month period in exceptional circumstances, for instance if airports need to adapt because they do not have the infrastructure to enable them to carry out the systematic controls.

The rapporteur Monica Macovei (ECR – Romania) at the plenary (on 15 February 2017) highlighted the main changes to the Schengen Borders Code. Since now EU citizens have not been checked on entering and leaving the Schengen area and the citizens from third countries are checked only at the entrance, and not in exit. This will change with the regulation: everyone, EU citizens, and non-EU citizens, will be checked both at entry and exit of the EU external border (and not only of the Schengen Area). The rapporteur underlined also the important responsibility of Member States in the regulation’s implementation: Member States should enter data into the EU databases and ensure that the data are accurate and up-to-date and that they are obtained and entered lawfully.

However, the first days of implementation showed some difficulties and inadequacies of the Regulation. As the deputy Tanja Fajon (S&D, Slovenia) had already predicted in her intervention at the plenary (15 february 2017), the first days of implementation produced traffic chaos on some borders, especially on the Slovenia-Croatia one (Slovenia is a member of the Schengen Area, Croatia not yet). Many holidaymakers from Austria, Germany and Switzerland spent hours in queues and during Easter break and summer holidays it will probably get worst.

Tanja Fajon stated that border guards would not have been able to handle the new provisions and that border states would have dealt with queues at the borders. She pointed out that the new rules are characterized by an excessive inflexibility and that they are too unbalanced: they increase security but at the expense of measures user-friendly for all passengers.

And that’s what happened the last weekend on the Slovenia-Croatia borders. Late on Friday Slovenian police suspended the systematic checks of all passengers and continued checking only those from third countries, as the Regulation allows in particular cases in which systematic checks have a disproportionate impact on the flow of the traffic. Slovenian Prime Minister Miro Cerar said that Slovenian police would continue with a “softer” implementation of the new regime until the normalisation of conditions at the border. He stated that the new Regulation is “unacceptable” and the Croatian Prime Minister Andrej Plenkovic agreed with him: Slovenia and Croatia will present proposals to the European Commission to change the Regulation as soon as possible.

The debate at the plenary that took place on 15 February shows also other controversial elements in the Regulation, criticized by MEPs.

Sophia in t’ Veld, on behalf of the Alde Group, criticized the lack of impact assessment, as also Ulrike Lunacek (on behalf of Verts/ALE Group) did: they criticized the fact that the Commission didn’t give any proof that the regulation will make EU more secure. In second place, both the groups find it strange that the Commission use as justification for the proposal the Paris attacks, because one of the main shortcomings emerged in that case was that Member States were not sharing information and terrorists were able to cross internal borders without problems.

Then, with regard with legislative text, Alde group would have preferred a risk-based system, proportional and necessary, rather than the default setting of systematic checks. They also would have liked risk assessment at the European level, based on common European criteria.

Furthermore, they pushed for an equal treatment of land, air and sea borders, with no results. It would therefore have been logical to introduce this equivalence, because if everybody is submitted to systematic checks at airports, but there can be exceptions for land and sea borders, obviously a person who wants to escape control will take the car.

However, Alde group is satisfied for the introduction of the limitation of compulsory checks to well-defined databases, rather than the general reference that was included initially (all relevant databases).

Marie-Christine Vergiat, on behalf of the GUE/NGL group, affirmed that her group firmly oppose the regulation, because it represents another stage in the building of Europe as a security state. GUE/NGL affirm that controls will be random because databases will be consulted just in case of doubt about the validity of travel documents and certain categories of person may also be exempted. They consider that this regulation will affect fundamental rights, without the right to the safety being strengthened.

Laurențiu Rebega, on behalf of ENF group, pointed out that under the justification of security they are building huge databases which are beyond any democratic control. Furthermore, they consider unfair and humiliating that States that are not in Schengen will have the same obligations of Schengen States, but without enjoying the same rights.

All the interventions, anyway, highlighted that the Regulation will be useless if Member States keep ignore the system in place and if Member States do not feed information into it and do not check it. Member States should accept that there is an obligation to use the existing system. The parliamentary debate shows also the shared need to improve dialogue between the databases, and interconnectivity between them and the infrastructure responsible for management of external borders, in full respect of the rules on data protection and fundamental rights.

(*) FREE Group Trainee

  1. Statement by SloveniaThe Republic of Slovenia reaffirms its commitment to implement the provisions of the Schengen Border Code (hereinafter the Code) introducing strengthened checks on persons crossing the external borders of Member States, also on those enjoying the right of free movement under Union law. While the purpose of exercising border checks in this manner is expected to deliver an improvement to control of external borders, to increase Member States’ internal security and to prevent terrorism, this will also have other consequences.By this declaration, Slovenia wishes to draw attention to the potential consequences that will follow from consistent implementation of Article 7(2) of the Code.
    The Republic of Slovenia, as a country whose territory is one of the most heavily burdened entry and exit areas enabling access to Member States1, is fully aware of its responsibility of carrying out border control in the interest of all Member States. In Slovenia’s view, checks carried out systematically on all persons crossing the external borders, including those enjoying the right of free movement under Union Law, without targeted checks as a basic principle for efficient border checks and without taking into consideration justified exemptions, is a disproportionate measure in relation to the pursued objective of the change. Additional doubts to the efficiency of the new provisions of Article 7(2) of the Code are related to the possible transitional period for border checks at air borders that are especially vulnerable part of the external borders. The implementation on the scale as specified in Article 7 (2) of the Code will have an adverse effect on passenger flows at external borders as it will also have financial implications for Member States. Slovenia cannot be held ultimately accountable for such outcomes.

    Slovenia also welcomes the intention of the European Commission to assess regularly the implementation of the Code, including the consequences of amended provisions, and propose relevant amendments if necessary.

    Statement by Croatia

    The Republic of Croatia supports the objective of this Regulation. It is of the opinion that implementing the mechanisms established thereunder will help to strengthen and maintain security throughout the territory of the European Union and the Schengen area, and also contribute to the overall control of our border, that is the external border of the European Union. At the same time, the Republic of Croatia regrets that these measures are to be implemented not only at the European Union’s external borders but also at internal borders between Member States fully applying the Schengen acquis and Member States not yet fully applying the Schengen acquis. The title of the Regulation itself implies its application at the European Union’s external borders, not at Schengen borders. For that precise reason, all Member States should have been treated equally. Such a regime will constitute a significant additional burden on the national resources of the Republic of Croatia in terms of the required level of technical and personnel capacities, which could have negative implications for the Croatian economy and the efficient flow of passenger and goods traffic. The Republic of Croatia considers that not even at a symbolic level does such a regime at internal borders contribute to unity in achieving the objectives of this Regulation.

    Nevertheless, the Republic of Croatia remains fully committed to consistent compliance with and implementation of the Regulation, and welcomes the European Commission’s intention to regularly monitor its implementation and propose relevant amendments whenever it deems this possible.

    With a view to ensuring efficient implementation, the Republic of Croatia also recalls the specific situations of certain Member States and invites the European Commission to take steps, in consultation with stakeholders and further to the European Council conclusions of December 2016, to find appropriate solutions to address those specific situations.

    The Republic of Croatia therefore has an interest and is actively engaged in finding ways to mitigate the undesired consequences of the measures introduced on the flow of passenger and goods traffic both at its external border and at its internal land border with the Republic of Slovenia and Hungary. Bearing in mind the Regulation’s objective and benefits for the European Union as a whole and the fact that it enjoys the broad support of Member States, the Republic of Croatia, as a constructive Member State, supports its adoption.