Counter-terrorism and the inflation of EU databases

Original published on Statewatch (*) on May 2017

By Heiner Busch (@Busch_Heiner) and Matthias Monroy (@matthimon)  (Translation from DE by Viktoria Langer)

The topic of counter-terrorism in Europe remains closely linked to the development and expansion of police (and secret service) databases. This was the case in the 1970s, after 11 September 2001 and has also been the case since 2014, when the EU Member States started working on their action plans against ‘foreign terrorist fighters’.

The first effect of this debate has been a quantitative one: the amount of data in the relevant databases has increased explosively since 2015. This can be seen by looking in particular at available data on the Europol databases, like ‘Focal Points’ (formerly: Analytical Work Files) of the Europol analysis system. Since 2015 they have become one of the central instruments of the European Counter Terrorism Centre (ECTC) which was established in January 2016. ‘Hydra’, the ‘Focal Point’ concerning Islamist terrorism was installed shortly after 9/11. In December 2003 9,888 individuals had been registered, a figure that seemed quite high at the time – but not compared with today’s figures. [1] In September 2016 ‘Hydra’ contained 686,000 data sets (2015: 620,000) of which 67,760 were about individuals (2015: 64,000) and 11,600 about organisations (2015: 11,000).

In April 2014 an additional ‘Focal Point’, named ‘Travellers’, was introduced, which is exclusively dealing with “foreign terrorist fighters” (FTF). One year later ‘Travellers’ included 3,600 individuals, including contact details and accompanying persons. In April 2016 the total number increased by a factor of six. Of the 21,700 individuals registered at the time, 5,353 were “verified” FTFs. In September 2016, of 33,911 registered individuals, 5,877 had been verified as FTFs.

Since 2010 Europol and the USA have operated the Terrorist Finance Tracking Programme (TFTP), which evaluates transfers made via the Belgian financial service provider SWIFT. Until mid-April 2016 more than 22,000 intelligence leads had been arisen out of that programme, of which 15,572 since the start of 2015. 5,416 (25%) were related to FTFs.

In contrast to Europol’s analytical system, the Europol Information System (EIS, the registration system of the police agency) can be fed and queried directly from the police headquarters and other authorities of EU Member States. Here, more than 384,804 ‘objects’ (106,493 individuals) were registered at the start of October 2016, 50% more than the year before. The increase is partly due to the growing number of parties participating in the EIS. In 2015 13 Member States were connected; in 2016 19 Member States. Some of the EU States, like the UK, also let their national secret services participate in the system. 16 Member States currently use automatic data uploaders for input. The number of third parties involved has also increased (in 2015 there were four, in 2016 there were eight). Interpol, the FBI and the US Department of Homeland Security are some of them.

Europol has reported further growth in the number of “objects” linked to terrorism in the EIS. According to the Slovak Presidency of the Council of the EU’s schedule for the improvement of information exchange and information management, in the third quarter of 2016 alone these grew another 20% to 13,645. [2] The EIS includes 7,166 data sets about individuals linked to terrorism, of which 6,506 are marked as FTFs or their supporters, or are assumed to be so. For May 2016 the CTC stated a figure of 4,129. [3] The increase in terrorism linked data can also be seen in the Schengen Information System (SIS) – in the alerts for “discreet checks or specific checks” following Article 36 of the SIS Decision. According to this, suspect persons are not supposed to be arrested. However, information about accompanying persons, vehicles etc. are recorded to provide insight into movements and to keep tabs on the contacts of the observed person. At the end of September 2016 the number of such checks by the police authorities (following Article 36(2)) was 78,015 (2015: 61,575, 2014: 44,669). The number of alerts of the national secret services based on Article 36(3) was 9,516 (2015: 7,945, 2014: 1,859). “Hits” on such alerts and additional information are supposed to be sent directly to the alerting authorities and not as usual to national SIRENE offices (which deal with the exchange of supplementary information regarding alerts in the SIS). This option was only introduced in February 2015.

The Schengen states used the instrument for discreet surveillance or specific checks very differently. On 1 December 2015 44.34% of all Article 36 alerts came from authorities in France, 14.6% from the UK, 12.01% from Spain, 10.09% from Italy and 4.63% from Germany. [4] How many of these alerts actually had a link to terrorism remains unclear; a common definition has not yet been found. However, the Council Working Party on Schengen Matters agreed on the introduction of a new reference (“activity linked to terrorism”) for security agencies’ alerts. According to Federal Ministry for the Interior, German alerts are marked with this reference when concrete evidence for the preparation of a serious act of violent subversion (§§129a, 129b Penal Code) can be presented. [5]

‘Unnoticed in the Schengen area’ Continue reading

Systèmes d’information européens sécurité-immigration : lorsqu’ “interopérabilité” ne rime effectivement pas avec “interconnexion”

ORIGINAL PUBLISHED ON “EU Immigration and Asylum Law and Policy” BLOG

by Pierre BERTHELET

“Il convient d’exploiter toutes les possibilités offertes par d’éventuelles synergies entre les systèmes d’information nationaux et européens, sur la base de l’interopérabilité”. Ces propos ne datent pas des conclusions du dernier Conseil JAI sur ce thème, celles du 9 juin 2017, mais bien d’une communication de la Commission remontant au mois de mai 2005. La problématique de l’interopérabilité des bases de données JAI est par conséquent tout sauf neuve. Elle revêt néanmoins une acuité particulière à la lumière des efforts axés sur le renforcement de l’efficacité et de l’efficience de la gestion des données dans l’UE. Comme le fait remarquer une étude juridique de mai 2017, le volume des données échangées entre les Etats membres et stockées au sein des systèmes européens d’information s’est accru considérablement depuis les attaques de Paris de 2015.

L’interopérabilité s’insère ainsi dans l’optique d’une rationalisation d’informations désormais abondantes au niveau de l’Union. Elle constitue un chantier majeur de la construction européenne en matière de gestion des systèmes d’information. Plus exactement, l’interopérabilité – et l’interconnexion par ailleurs – peuvent être envisagées sous la forme de poupées russes : l’interconnexion est un élément de la réponse des institutions européennes apportée en matière d’interopérabilité qui, elle-même, constitue un volet de la réforme actuelle ayant trait à la gestion des systèmes européens d’information. Elle est un concept générique qui s’inscrit dans le cadre de travaux interinstitutionnels visant à améliorer les mécanismes d’échange et de traitement de l’information, en toile de fond du développement considérable qu’ont connu ces systèmes cette dernière décennie. Son caractère ambigu tient au fait qu’elle renvoie autant au projet lui-même qu’à l’objectif porté par ce projet. Or, force est de constater que, depuis 2016, le degré d’avancement du chantier entrepris dans le domaine de l’interopérabilité est déjà élevé (1). Quant à l’interconnexion, il s’agit, à la lumière des récents textes l’évoquant, d’un processus loin de recueillir l’assentiment unanime (2).

1. L’interopérabilité des systèmes, un degré d’avancement du projet déjà élevé

Bien qu’évoquée depuis plusieurs années, l’interopérabilité des systèmes est un projet ayant connu un regain d’intérêt récent. Elle correspond à un processus interinstitutionnel  initié il y a quelques mois seulement (a). L’objectif est de rendre la gestion de l’information dans le domaine de la sécurité, des frontières et des flux migratoires davantage performante (b).

a. Un processus interinstitutionnel initié il y a quelques mois seulement

Avant d’entrer de plain-pied dans l’analyse, il importe de préciser les termes employés, à savoir l’interopérabilité d’une part et l’interconnexion d’autre part. Une communication de novembre 2005, consacrée au renforcement de l’efficacité et de l’interopérabilité des bases de données européennes fournit un éclairage à ce sujet. Dans ce texte destiné, déjà à l’époque, à lancer un débat en profondeur sur la forme et l’architecture à long terme des systèmes d’information, la Commission définit la connectivité comme un terme générique renvoyant à la connexion de systèmes aux fins de transfert de données. En France, le Conseil d’État considère, dans une décision du 19 juillet 2010, l’interconnexion «comme l’objet même d’un traitement qui permet d’accéder à, exploiter et de traiter automatiquement les données collectées pour un autre traitement et enregistrées dans le fichier qui en est issu ».

Tirant cette définition d’un document élaboré par l’European Interoperability Framework (qui est la concrétisation du plan d’action eEurope approuvé par le Conseil européen de Séville de 2002, et visant promouvoir les services publics en ligne), l’interopérabilité signifie, selon cette communication de novembre 2005, la « capacité qu’ont les systèmes d’information et les processus opérationnels dont ils constituent le support d’échanger des données et d’assurer le partage des informations et des connaissances ».

Ceci étant dit, les travaux actuels trouvent leur origine dans une communication de la Commission du 6 avril 2016 visant à lancer un débat sur l’existence de lacunes ainsi que de défaillances systémiques au sujet des bases de données JAI. Plus exactement, il s’agit d’œuvrer dans l’amélioration de l’architecture de gestion des données de l’UE concernant le contrôle aux frontières et de la sécurité intérieure. Le périmètre est ainsi réduit à un pan de l’ELSJ, et ce, même si la dimension judiciaire est évoquée ponctuellement à travers le projet d’interconnexion des casiers judiciaires européen. En outre, il est étendu partiellement aux systèmes d’information nationaux, l’objectif étant d’assurer une fluidité de l’information à la fois au niveau horizontal (les systèmes européens) et au niveau vertical (entre les systèmes européens et les systèmes nationaux).

Pour mener à bien cette réflexion, la Commission a réuni le mois suivant sa communication d’avril 2016, un « groupe d’experts de haut niveau sur les systèmes d’information et l’interopérabilité ». Ce groupe d’experts, qui a mené ses travaux conformément aux prescriptions d’une feuille de route sur l’échange d’information et l’interopérabilité, approuvée par le Conseil JAI du 10 juin 2016, a rassemblé des représentants des Etats membres (y compris les pays Schengen non membres de l’UE), ceux des agences européennes (Frontex, eu-LISA, Europol, EASO et FRA), le Coordinateur pour la lutte antiterroriste et le CEPD (et ont été associés aux travaux, le secrétariat général du Conseil et celui de la commission LIBE du Parlement européen au titre d’observateur). L’objectif de ce projet relatif à l’interopérabilité, précise le Conseil, vise à appuyer les investigations opérationnelles, notamment dans le domaine de la lutte antiterroriste, et d’apporter rapidement aux autorités nationales de terrain (garde-frontières, policiers, agents de l’immigration et procureurs notamment) toutes les informations nécessaires en temps et en heure pour mener à bien leurs missions.

Les travaux du groupe ont trouvé un soutien politique fort émanant à la fois du président de la Commission, Jean-Claude Juncker, ainsi que du Conseil européen. Le premier, dans son discours sur l’état de l’Union en septembre 2016, peu avant la tenue du Conseil européen informel de Bratislava, a souligné l’imminence de la présentation par la Commission, du système européen d’information et d’autorisation concernant les voyages (ETIAS). Le second, dans des conclusions de décembre 2016, a appelé « à poursuivre les efforts en matière d’interopérabilité des systèmes d’information et des bases de données » (point 9). Ce groupe à haut niveau a rendu son rapport final le 11 mai 2017, dont le contenu a nourri l’analyse de la Commission dans l’élaboration de son septième rapport publié une semaine plus tard, sur les progrès accomplis dans la mise en place d’une union de la sécurité réelle et effective. Enfin, le Conseil, jugeant l’interopérabilité comme essentielle à la sécurité, a approuvé, le 9 juin 2017, les conclusions précitées dans lesquelles il approuve les solutions dégagées par le groupe d’experts et ce, en vue d’une gestion de l’information davantage performante.

b. Une gestion de l’information se voulant davantage performante

L’importance de l’interopérabilité des systèmes d’information est clairement rappelée par la Commission dans ce septième rapport. En réalité, ce constat est dressé quelques mois plus tôt, dans sa communication d’avril 2016, qui elle-même, fait suite à différentes conclusions du Conseil. Ainsi, concernant le seul SIS II, dans celles d’octobre 2014, le Conseil a envisagé une connexion entre ce système et la base de données « faux documents » d’Interpol (SLTD), de manière à ce que les utilisateurs finaux aient accès simultanément aux deux systèmes lors d’une même recherche. Dans celles approuvées peu avant, en juin 2014, il a invité les États membres utiliser pleinement le SIS II dans le cadre de la lutte contre le terrorisme, invitation répétée au demeurant dans la déclaration commune de Riga, adoptée après les attaques contre le journal Charlie Hebdo. Quant aux conclusions du 20 novembre 2015, approuvées après les attaques du Bataclan et la fuite consécutive de Salah Abdeslam avec l’aide de deux complices venus de Belgique, le Conseil a souligné l’importance d’une consultation systématique du SIS II lors des contrôles frontaliers.

À cette fin, la Commission, en se référant à certains de ces textes ainsi qu’à la déclaration commune sur les attentats terroristes du 22 mars 2016 à Bruxelles préconisant de renforcer l’interopérabilité, a présenté dans sa communication d’avril 2016, dans laquelle elle identifie un ensemble d’incohérences et de dysfonctionnements, parmi lesquelles, des fonctionnalités non optimales des systèmes européens d’information et un problème de la qualité des données auquel s’ajoute des lacunes dans l’architecture de l’UE en matière de gestion des données liée notamment à l’absence pure et simple d’une série de systèmes d’information. Quant à ceux existants, leur fonctionnement doit être amélioré. C’est le cas du SIS II, dont Europol n’a pas encore fait pleinement usage, alors même que l’agence dispose d’un droit d’accès à celui-ci. En outre, certains systèmes existent partiellement, mais ils ne sont pas encore pleinement opérationnels. C’est le cas des systèmes nationaux mis en place dans le cadre des décisions dites « de Prüm » et pour lesquelles plusieurs États membres ne remplissent toujours pas leurs engagements. Le paysage européen des systèmes d’information se caractérise donc par une multiplicité de dispositifs, des niveaux d’achèvement différents et des modes de fonctionnement distincts. Il en résulte une mosaïque complexe, car ces systèmes sont soumis à des régimes juridiques variables, rendant l’ensemble difficilement intelligible.

Cette superposition de systèmes conduit à une architecture européenne fragmentée au sujet de la gestion des données. Chacun système fonctionne en silo, faisant que les informations contenues sont peu interconnectées. Ce compartimentage des données a des conséquences problématiques concrètes. Ainsi, l’auteur de l’attaque terroriste de Berlin de décembre 2016, Anis Amri, a eu recours à pas moins de quatorze identités différentes. Ces fausses identités ont permis à ce ressortissant tunisien de se déplacer aisément en Allemagne, puis de prendre la fuite hors du pays avant d’être abattu à Milan. Or, comme le fait observer le quatrième rapport de la Commission sur la sécurité, ses déplacements auraient pu être détectés si les systèmes employés étaient dotés d’une fonctionnalité permettant une recherche simultanée dans plusieurs d’entre eux, au moyen d’identificateurs biométriques.

L’interopérabilité apparaît dès lors comme une réponse aux défis sécuritaires, en particulier terroristes, pour lesquels le recours aux systèmes d’information est un élément indispensable de la réponse à fournir.

La réforme de la gestion de l’information est effectuée au moyen d’une approche horizontale, via les travaux du groupe d’experts de haut niveau. Elle s’effectue aussi de manière sectorielle, à travers l’adoption de textes instituant des systèmes d’information (ou modifiant ceux existants).

En premier lieu, des systèmes sont en projet ou en cours de réalisation. Peuvent être mentionnés la proposition présentée en janvier 2016, étendant aux ressortissants de pays tiers le Système européen d’information sur les casiers judiciaires (ECRIS-TCN), la proposition révisée établissant le système d’entrée/sortie (EES) et présentée en avril 2016 (en parallèle à une modification du règlement de mars 2016 relatif au Code Frontières Schengen), la proposition de règlement instituant l’ETIAS présentée quant à elle en novembre 2016, ou le système d’index européen des registres de la police (EPRIS) dont l’ébauche correspondrait au projet auquel la France prend part et dénommé ADEP (Automated Data Exchange Process).

En deuxième lieu, d’autre systèmes existent, mais ils doivent être réformés. Il s’agit en particulier d’Eurodac (une proposition de règlement, présentée en mai 2016, permettant notamment de stocker l’image faciale, est en cours de discussion entre le Conseil et le Parlement européen), et du SIS II (un paquet législatif, présenté en décembre 2016, composé de quatre propositions de règlement est également en cours de discussion, prévoyant l’obligation pour les États membres d’émettre des alertes concernant des personnes liées à des infractions terroristes).

Or, le processus de refonte opéré des différents systèmes (et la création de ceux n’existant pas encore) est pensé dans la perspective de l’interopérabilité et même de l’interconnexion. Par exemple, concernant le SIS II, une disposition de la proposition de règlement créant l’ETIAS, prévoit que l’unité centrale ETIAS puisse opérer des recherches dans le SIS II. De prime abord, l’interconnexion des systèmes est, au vu de cet exemple, effective, ou du moins, en voie de l’être. Or, ce n’est pas cas en réalité et il s’agit plutôt de l’exception qui confirme la règle.

2. L’interconnexion des systèmes, un projet suscitant peu l’enthousiasme institutionnel

L’interconnexion est une option visant à atteindre le stade de l’interopérabilité des systèmes d’information. Cependant, il s’agit d’une option parmi d’autres (a), et qui ne reçoit qu’un accueil institutionnel pour le moins prudent (b).

a. L’interconnexion, une option parmi d’autres

L’interconnexion, au sens défini ci-dessus, apparaît seulement comme une option parmi celles avancées par la Commission dans sa communication d’avril 2016. Plus exactement, le texte en présente quatre aux fins de parvenir à une situation d’interopérabilité : l’interface de recherche unique, le service partagé de mise en correspondance de données biométriques, le répertoire commun de données d’identité et enfin l’interconnexion des systèmes d’information proprement dite.

Dans le premier cas, l’interface de recherche unique, il s’agit de permettre à une autorité nationale d’interroger plusieurs systèmes d’information de manière simultanée. Ce système, qui existe en France avec l’application COVADIS (Contrôle et vérification automatiques des documents sécurisés), permet au service interrogeant d’obtenir sur un seul écran les résultats des requêtes, ceci dans le respect des droits d’accès propre à ce service. Cette hypothèse de l’interface unique a, au demeurant, reçu l’assentiment des ministres français et allemand dans le cadre de leur « initiative sur la sécurité intérieure en Europe » du 23 août 2016.

Le service partagé de mise en correspondance de données biométriques vise, quant à lui, à proposer au service utilisateur, une interrogation des systèmes à partir des identifiants biométriques. Pour l’heure, chaque système européen dispose de son propre dispositif d’identification. L’objectif est, au moyen de ce service partagé, d’effectuer des recherches dans les différents systèmes d’information et de mettre en évidence les coïncidences, par exemple sous forme de hit/no hit, entre ces données.

Le troisième cas a trait à l’établissement d’un répertoire commun de données d’identité en tant que module central dans lequel figure un portefeuille de données (nom, prénom, date et lieu de naissance par exemple). Ces données constituent un socle commun à tous les systèmes, les autres données étant, quant à elles, stockées au sein de modules spécifiques à chacun d’eux. Comme le précise le rapport du Sénat du 29 mars 2017 consacré à l’espace Schengen, la proposition de règlement créant l’ETIAS envisage ce dispositif, du moins entre ce système et l’EES.

Enfin, la dernière option a trait précisément à l’interconnexion des systèmes d’information. L’avantage est de permettre la consultation automatique des données figurant dans un système, par l’intermédiaire d’un autre système. L’interconnexion, ajoute ce rapport du Sénat, présente l’intérêt d’assurer un contrôle croisé automatique des données, limitant ainsi le volume d’informations circulant au sein des réseaux. À cet égard, la proposition de règlement relatif à l’EES envisage une interconnexion avec le VIS. Cette option est évoquée, mais elle va être, dans une large mesure du moins, délaissée.

b. L’interconnexion, une option en grande partie délaissée

Sans pour autant être totalement écartée (en particulier dans la proposition de règlement relatif à l’EES), l’interconnexion ne rencontre pas un franc succès et c’est le moins que l’on puisse dire. D’abord, elle n’a pas l’assentiment du groupe d’experts de haut niveau. Dans leur rapport intermédiaire, remis en décembre 2016, celui-ci avait considéré l’interconnectivité des systèmes comme une solution ponctuelle. Le rapport final consacre ce point de vue en rejetant l’idée d’une généralisation de l’interconnexion et il privilégie trois solutions qui font écho aux autres options avancées par la Commission, à savoir un portail de recherche européen, un service partagé de mise en correspondance de données biométriques et un répertoire commun de données d’identité. Plus exactement, l’interface de recherche unique est préférée à l’interconnexion, ce qui va dans le sens de la position du Conseil qui, dans sa feuille de route sur l’échange d’informations, s’était déclaré pour cette solution de l’interface unique. Reste que si cette dernière avait les faveurs du Conseil et ce, au regard des autres options, les experts ont, pour leur part, conservé l’idée d’un répertoire commun de données et la mise en correspondance de données biométriques comme des pistes exploitables à court terme, et non à moyen et long termes comme le suggérait la feuille de route.

Ensuite, l’interconnexion ne trouve pas non plus un écho favorable auprès de la Commission. Celle-ci fait sienne, à cet égard, les recommandations figurant dans le rapport du groupe d’expert, en se bornant à préciser que des réunions tripartites Conseil-Parlement-Commission au niveau technique devraient avoir lieu en automne 2017, en vue de dégager une vision commune avant la fin de l’année 2017, ceci afin de parvenir à cet objectif d’interopérabilité des systèmes à l’horizon de l’année 2020. La Commission reprend donc à son compte les options retenues par le groupe à haut niveau, en se bornant à fixer cette date-butoir, étant entendu par ailleurs que celle-ci correspond à l’échéance à laquelle l’EES devrait être opérationnel. À cette fin, une proposition législative sur l’interopérabilité devrait être présentée, en parallèle à une proposition de révision du VIS, à une proposition sur l’ECRIS, ainsi qu’à une autre visant à renforcer le mandat de l’agence européenne eu­LISA.

Au final, concernant les systèmes d’information européens sécurité-immigration, l’interopérabilité ne rime pas avec l’interconnexion. Cette lapalissade reflète parfaitement la volonté des institutions européennes préférant à la centralisation, la synergie ainsi que l’avaient souligné en leur temps, la déclaration de mars 2004 sur la lutte contre le terrorisme, le programme de La Haye et la déclaration du Conseil de juillet 2005 suite aux attentats de Londres. La voie choisie par ces institutions est bien résumée par le Commissaire à la sécurité, Sir Julian King, qui avait déclaré le 29 mai 2017 dans une allocution devant les députés de la commission LIBE, « ce que l’on ne propose pas, c’est une base de données gigantesque où tout serait interconnecté ».

Legislative Tracker : an interinstitutional agreement on the new EU “Entry-Exit” system is approaching …

by Beatrice FRAGASSO (Free-Group trainee)

On 6 April 2016 the European Commission put forward the Smart Borders Package, a set of measures intended to provide a more effective and modern external border management. One of the proposals consists in the introduction of the Entry/Exit System (EES), a centralized information system based on biometrics that would be interconnected with VIS and focus on third-country nationals.

The creation of the european Entry-Exit system will require the adoption of  two draft Regulations, one (COM/2016/0194) setting up the EES and amending Regulation (EC) No 767/2008 and Regulation (EU) No 1077/2011, the other (COM/2016/0196) amending Regulation (EU) 2016/399 (Schengen Borders Code) to embody this new system. The proposals has been accompanied by an Impact assessment.

The introduction of the EES aims at speeding up and reinforcing border check procedures for non-EU nationals travelling to the EU, by improving the quality and efficiency of controls as well as the detection of document and identity fraud.  The new texts replace the proposals presented by the European Commission in February 2013 and for which the co-legislators had voiced technical, financial and operational concerns.

The European Parliament defined its negotiating mandate on the latest Commission Proposals  on 27 February 2017: the LIBE Committee adopted his reports (on establishing EES and amending 2016/399) and decided to enter into negotiations with the Council on the basis of these mandates.

The rapporteur Agustín Dían De Mera García Consuegra stated before the LIBE Committee (11 May 2017) that progresses have been made during the “trilogue” negotiations and that the good cooperation between delegations will probably allow to come to a political agreement by the end of the summer. Two “political” trilogues as well as nine technical meetings have already taken place and a third political “trilogue” is scheduled for 31 May 2017. Needless to say no public recording is accessible on the debates which took place during these trilateral meetings

Further information on other aspects of the procedure is accessible on the European Parliament Research Service site HERE.

The scope of the Entry-Exit System (EES)

The EES will apply to non-EU nationals crossing the external borders of the Member States of the EU for a short stay (maximum 90 days period in any period of 180 days), both those that require a visa and those that are exempted.

How it will work

The introduction of the EES aims to:

  1. address border check delays and improve the quality of border checks for third-country nationals;
  2. ensure systematic and reliable identification of “overstayers”;
  3. reinforce internal security and the fight against terrorism and serious crime.

The system is intended to register the name, type of travel document, biometrics (four fingerprints and a visual image) and the date and place of entry and exit.

These actions will facilitate the border crossing of bona fide travelers, detect over-stayers and identify undocumented persons in the Schengen area. The system will also record refusals of entry.

Currently, the only possibility for national authorities to calculate the duration of stay of a third-country national in the Schengen area (and to verify their potential overstay), is the stamping of their travel document with the dates of entry and exit. This method is deemed to be slow and error-prone, since the entry/exit stamps may be unreadable or counterfeit. Under the new proposal, the current system of manual stamping of passports would be replaced by registration in a database and most of the data will be automated.

By using self-service systems and e-gates, third country national travelers would have their data verified, their picture or fingerprint taken and a set of questions asked. While using the self-service system, all mandatory checks would be triggered in the security databases (SIS, Interpol Stolen and Lost Travel Documents database). By the time the traveler is guided towards a border control lane, all his information would have reached the border guard, who may ask additional questions before granting the passenger access to the Schengen area.

The automation of the preparatory steps is expected to reduce the workload of border guards. This would mean that that Member States would not have to hire extra border guards to accommodate the growing traveler flows. It is also expected to reduce the long queues before passengers reach the border checkpoint.

Interoperability

The system would be interconnected with the Visa Information System (VIS) database, which would help reduce duplication of data processing, in accordance with the ‘privacy by design’ principle.

The European Parliament position (Libe Committee Debate)

The parliamentary debate showed that in the Commission proposal there are some controversial elements that the LIBE committee tried to address in the draft report approved on 27 February 2017.

The rapporteur Agustín Dían De Mera García Consuegra (EPP, Spain) presented the draft report before the LIBE Committee on 8 December 2016. According to him, establishing an EES will benefit travellers (they will spend less time waiting at borders), as well as border Member States and transit Member States, because of the speeding of the entire process. Border guards would carry on their tasks more easily. The aim of the draft report is to strike a balance between speeding up the process and guaranteeing security, protecting at the same time fundamental rights. In particular, one of the main concerns of the rapporteur is to ensure high standards for data protection: many of the amendments have been tabled in order to protect data in the system with reference to interoperability, data retention period and access to data by law enforcement authorities. According to the Rapporteur his amendments follow the indications given by the European Data Protection Supervisor (EDPS- Giovanni Buttarelli), in order to boost legal certainty in data protection area and to the role of EDPS and National Data Protection Authorities.[i] Another objective highlighted by the rapporteur is to guarantee more technical certainty, in order to know exactly who can access to the system as well as the circumstances of the access (logs). The procedure to follow in case of temporary failure, then, still has to be clarified. The rapporteur then pointed out the necessity to establish high standards for the procedure used to take facial images and fingerprints. Finally, it has been remarked the key-role played by Eu Lisa (here the Agency’s report on the Smart Borders Pilot Project), that will be responsible to manage the system.

The S&D “shadow rapporteur” Tanja Fajon (Slovenia) stated that she’s not convinced by the argument put forward by the Commission to justify the link between crime and border management. The purpose of the proposal is the border management, not the law enforcement and the proposal should clarify the way in which data will be processed in these two different situations. The difference between people who’s travelling legally and people who’s violating rules should be remarked, in order to guarantee fundamental rights. She criticized the retention period as disproportionate.

Mrs Fajon, then, pointed out that it’s necessary to better inform travellers about how the smart border system will change the current situation and which impact the regulation will have on their rights to enter and exit. People need to be aware about their rights and duties and about the consequences of possible infringments.  Finally, she stated that some measures risk to be unpractical in some Member States (as for example Slovenia) whose borders with non-Schegen countries are always busy, especially during summer.

The ECR “shadow rapporteur” Jussi Halla-Aho (Finland) stated that ECR supports an Entry/Exit System and that probably it was needed even before the abolition of internal controls. His group finds that law enforcement authorities should have a sufficient access to the database for a sufficient period of time. The amendments tabled by the rapporteur are well considered and balanced and ECR appreciate that the rapporteur has tried to make the instrument coherent with the existing tools, for example Eurodac: Regulations have to be harmonised and they have to work one with the others.

According to the ALDE shadow rapporteur Angelika Mlinar (Austria) the amendments improve the Commission proposal. But there are still some problematic issues to address, concerning the protection of fundamental rights and in particular the disproportionate and unjustified retention period that is equally applied to all the scope of the regulation. In addiction, the former 2013 proposal had one single purpose (speeding up border management procedures), while the current proposal has also an unjustified law enforcement purpose. Her political group presented amendments in order to:

– Limit and optimise the collection of biometrical data.
– Limit the law enforcement access to what is strictly necessary, ensuring safeguards.
– Reduce the data retention period.

Also the Greens’ shadow rapporteur Jan Philipp Albrecht (Germany) highlighted that the most controversial points are the long data retention period and the possibility for law enforcement authorities to access these data for other purposes. The risk is that the EES will create a huge (and very expensive) database with a long retention period that won’t be effective for the purpose of smart border management. Finally, the shadow rapporteur pointed out that data protection in EES should meet the same high standards in the data protection package recently adopted (and which should be transposed at national level for May 2018).

Where we are…

The LIBE Committee adopted the report establishing EES and the report amending 2016/399 on 27 February 2017 and the modifications proposed by the committee echo the parliamentary debate. Data should be stored for only two years, and not the five years proposed by Commission. MEPs also want to ensure that the text is in line with the provisions of the General Data Protection Regulation, for example by allowing the data subject the right to access his or her own data.

MEPs found that the purposes of data processing in the new system should also be clarified. Migration handling should be the first purpose and law enforcement an additional one. The two should be treated separately, as the conditions for the use and storage of the data are not the same.

The Council Position

According to a preparatory document of the Council (leaked by Statewatch, file 6572/17), it emerges that the most controversial issues concern the territorial scope of the EES (an issue linked to the question of the access to VIS for those Member States which do not yet fully apply the Schengen acquis but for which the verification in accordance with the applicable Schengen evaluation procedures has already been successfully completed) and the calculation of the duration of the short-stay.

A Guidance on these sensitive issues was then obtained at COREPER level on 1 February 2017. Concerning the territorial scope of application, COREPER gave clear guidance on the need to include into it all Member States that, while not applying the Schengen Acquis in full, meet nonetheless the cumulative conditions listed in Art. 60 of the draft EES Regulation (i.e.: have successfully completed the verification in accordance with applicable Schengen evaluation procedures, (ii) have put into effect the provisions of the Schengen acquis relating to SIS and (iii) to the VIS).

If these conditions are met, the Member State concerned can deploy the EES, with the consequences that such deployment implies, including with reference to the calculation of the duration of stay in its territory.  As a consequence, the automated calculator set out in Art. 10 of the EES draft Regulation will be a common one, covering the stays in any Member State operating the EES. According to the internal Council document, some delegations still oppose this solution on legal and practical grounds, notably because of its implications for other legal instruments and for the current practice in particular in the area of visa policy. However, the Presidency considers that the policy guidance given by Coreper, supported by a clear majority, should be followed.

MS Bilateral agreements with third Countries 

Another outstanding issue is whether the bilateral visa waiver agreements will be compatible with the EES (Art 54). At the trilogue meeting that took place on 29 September 2016 (file 12571/16), the Chair presented a drafting proposal by the Presidency that would set up a procedure which allows to keep those agreements into force while making the EES work. The Commission rejected the proposal because the proposal would comprehend only a few agreements, excluding those which provide for a stay less than 90 days, creating more problems than it was deemed to solve.

Secondly, the proposal would have been cumbersome both for Member States and third country nationals concerned and had the practical consequence of extending the effects of bilateral agreements to Member States that were not party to them. On the contrary, Member States showed a general support to the Presidency solution.

Access by national Law enforcement authorities

EES would be used by the same authorities that already use VIS: consular posts and border control. Moreover, it would allow law enforcement authorities as well as Europol to perform restricted queries in the database for criminal identification and intelligence to prevent serious crime and terrorism.

The conditions to grant access to the EES to law enforcement authorities (Chapter IV of the proposal) are one of the most controversial point of the proposal. According to the preparatory document of the Council (file 6572/17), some delegations have expressed the wish to further simplify it [the access to the EES by law enforcement authorities] in order to facilitate investigations in cases of serious crimes and terrorist offences. However, recent deliberations have shown a good degree of support for the Presidency compromise proposal, in which, upon request of a majority of delegations, the conditions for access have been softened to the maximum extent compatible to the current legal framework and case-law.

The European Parliament expressed major concerns with reference to Chapter IV and the Council in a document dated 22 may 2017 (file 9415/17) proposed a compromise.

In particular, the Council position would be maintained on:

(a) the reference to ‘designated authorities’ rather than ‘law enforcement authorities’;
(b) the possibility to access the EES even when the search in national databases results in a hit;
(c) the possibility to proceed to access the EES once the Prum search is launched; and
(d) the possibility to also check against refusal of entry records.

On the other hand, some amendments proposed by the European Parliament would be broadly accepted (some with amendments). These suggestions are in particular:

(a) limiting the urgency procedure to cases where there is an ‘imminent danger’ related to a terrorist offence or other serious criminal offence and requiring the ex post verification to take place within two working days.
(b) providing that there must be reasonable grounds to consider that consulting the EES will (rather than may) contribute to the detection, investigation or prevention of a terrorist/other serious criminal offence. Actually, it should be noted that ‘reasonable grounds’ would still be enough and certainty is not required. Moreover, a substantiated suspicion that the person falls within the scope of the EES would still be sufficient to fulfil this requirement.

Transfer of data to third countries and international organisations (Article 38) and to Member States not bound by, or not operating the EES (Article 38a)

The European Parliament opposes the possibility to transfer information to third countries and international organisations for the purpose of returns, unless there is a decision by the Commission regarding the adequate protection of personal data in that third country or a binding readmission agreement.

In particular, the European Parliament opposes the possibility to transfer such information on the basis of an arrangement similar to readmission agreements, arguing that these are not binding and do not contain the necessary data protection safeguards. The European Parliament also insists on the provision of guarantees by the third country concerned to use the data only for the purposes for which it is transferred, and that such transfers should only be possible once the return decision is final, and subject to the consent of the Member State that entered the data.

The EP also maintains its position against the transfer of information to third countries or to Member States not operating, or bound by, the EES, in cases of immediate threat of terrorist or other serious criminal offences (Article 38(4a) and Article 38a).

Reassurances have been provided that the relevant data protection legislation must still be respected (General Data Protection Regulation in case of returns/readmission and Data Protection Directive in case of terrorism/serious criminal offences), but this has not convinced the European Parliament.

Another concern raised by the European Parliament regards the fact that the conditions required to access the EES by national authorities (set out in Chapter IV) are not all reproduced for the transfer of such data to third countries, international organisations and Member States not operating the EES or to which the EES does not apply.

Data Retention (Article 31)

The European Parliament in its position reduces the data retention period from five years to:
– four years for third-country nationals who overstay;
– two years for third country nationals who respect the period of authorised stay.

According to a document dated 22 May 2017 (file 9415/17), the Council is still managing to find a compromise.

NOTE

[i] In its opinion 06/2016 of 21 September 2016, the European Data Protection Supervisor (EDPS) recognizes the need for coherent and effective information systems for borders and security. However, the EDPS underlines the significant and potentially intrusive nature of the proposed processing of personal data under the EES, which must therefore be considered under both Articles 7 and 8 of the EU Charter of Fundamental Rights.

According to EDPS opinion, necessity and proportionality of the EES scheme are to be assessed globally, taking into consideration the already existing large-scale IT systems in the EU.

The EDPS, then, notes that EES data will be processed for two different purposes, on the one hand for border management and facilitation purposes and on the other hand for law enforcement purposes. The EDPS strongly recommends clearly introducing the difference between these objectives, as these purposes entail a different impact on the rights to privacy and data protection.

 

Worth reading : the final report by the EU High Level Expert Group on Information Systems and Interoperability (HLEG),

NB: The full version (PDF)  of the Report is accessible HERE

On May 8th the (EU) High Level Expert Group on Information Systems and Interoperability (HLEG) which was set up in June 2016 following the Commission Communication on “Stronger and Smarter Information Systems for Borders and Security ” has published its long awaited 56 long pages Report on Information Systems and Interoperability.

Members of the HLEG were the EU Members States (+ Norway, Switzerland and Liechtenstein), the EU Agencies (Fundamental Rights Agency, FRONTEX, European Asylum Support Office, Europol and the EU-LISA “Large Information Support Agency”) as well as the representatives of the Commission and the European Data Protection Supervisor (EDPS) and the Anti-Terrorism Coordinator (an High Council General Secretariat Official designated by the European Council).

Three Statements, respectively of the EU Fundamental Rights Agency, of the European Data Protection Supervisor and of the EU Counter-Terrorism Coordinator (CTC),  are attached. The first two can be considered as a sort of partially dissenting Opinions while the CTC  statement is quite obviously in full support of the recommendations set out by the report as it embodies for the first time at EU level the “Availability Principle” which was set up already in 2004 by the European Council. According to that principle if a Member State (or the EU) has a security related information which can be useful to another Member State it has to make it available to the authority of another Member State. It looks as a common sense principle which goes hand in hand with the principle of sincere cooperation between EU Member States and between them and the EU Institutions.

The little detail is that when information is collected for security purposes national and European legislation set very strict criteria to avoid the possible abuses by public EU and National Law enforcement authorities. This is the core of Data Protection legislation and of the art. 6, 7 and 8 of the EU Charter of Fundamental Rights which prevent the EU and its Member States from becoming a sort of Big Brother “State of surveillance”. Moreover, at least until now these principles have guided the post-Lisbon European Court of Justice jurisprudence in this domain and it is quite appalling that no reference is made in this report to the Luxembourg Court Rulings notably dealing with “profiling” and “data retention”(“Digital Rights”, “Schrems”, “TELE 2-Watson”…).

Needless to say to implement all the HLWG recommendations several legislative measures will be needed as well as the definition of a legally EU Security Strategy which should be adopted under the responsibility of the EU co-legislators. Without a strong legally founded EU security strategy not only the European Parliament will continue to be out of the game but also the control of the Court of Justice on the necessity and  proportionality of the existing and planned EU legislative measures will be weakened.  Overall this HLWG report is mainly focused on security related objectives and the references to fundamental rights and data protection are given more as “excusatio non petita” than as a clearly explained reasoning (see the Fundamental Rights Agency Statement). On the Content of the  perceived “threats” to be countered with this new approach it has to be seen if some of them (such as the mixing irregular migration with terrorism)  are not imaginary and, by the countrary, real ones are not taken in account.

At least this report is now public. It will be naive to consider it as purely “technical” : it is highly political and will justify several EU legislative measures. It will be worthless for the European Parliament to wake up when the formal legislative proposals will be submitted. If it has an alternative vision it has to show it NOW and not waiting when the Report will be quite likely “endorsed” by the Council and the European Council.

Emilio De Capitani

TEXT OF THE REPORT (NB  Figures have not been currently imported, sorry.)

——- Continue reading

Legislative Tracker : the European Travel Information and Authorisation System (ETIAS)

by Beatrice FRAGASSO (Free-Group Trainee)

The European Commission, on 16 November 2016, has put forward a proposal (COM(2016) 731, 16.11.2016, 2016/0357(COD)) establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulation (EU) (EU) 2016/399 (the ‘Schengen Borders Code’), (EU) 2016/794 and (EU) 2016/1624.

This proposal is being negotiated as part of the Smart Border Package and aims to ensure a high level of internal security and free movement of persons in the Schengen area. The Commission didn’t conduct an impact assessment but published a feasibility study on ETIAS, conducted between June and October 2016.

The system designed by the proposal would require also visa-exempt travellers to undergo a risk assessment with respect to security, irregular migration and public health risks prior to their arrival at the Schengen borders. This assessment would be carried out by means of cross- checking applicant’s data submitted through ETIAS system against other EU information systems, a dedicated ETIAS watch list and screening rules. This process will result in granting or denying an automated authorization for entering the EU.

Further information from the European Parliament Research Service are available HERE

The current situation
Currently, both visa-obliged and visa-exempt travelers are subject to border controls when entering the Schengen area. According to Regulation (EU) 2016/399, both categories of travelers need to comply with the conditions for short-term stay, which include not being a threat to public order and security, holding valid travel documents, justifying the purpose and conditions of the intended stay, not being the subject of any alert in the SIS for the purpose of refusing entry, and having sufficient means of subsistence.

For visa holders the compliance with this conditions is assessed at the time on the request for a visa  and relevant data are stored in visa information system (VIS) which can be consulted by law enforcement authorities for the purposes of combatting serious crime and terrorism.

However, no such advance information can be currently obtained for visa-exempt nationals arriving at the Schengen external borders. This means that border guards need to decide on allowing or refusing access to the Schengen area without prior knowledge regarding any security, migration or public-health risks associated with visa exempt travelers.

This is particularly true for visa-exempt travelers arriving by land, as the only source of information about them is their travel document presented at the time of crossing the EU external border.

The situation is different for passengers arriving by air as Council Directive 2004/82/EC obliges carriers to communicate all passenger data, known as ‘advance passenger information’ (API), including name, date of birth, passport number and nationality at the time of the check-in for inbound flights to the EU. Another Directive (EU) 2016/681 on the use of passenger name record data (the ‘PNR Directive’) collect 19 types of personal data already at the time of the flight reservation and obliges airlines to hand over to EU MS authorities their passengers’ data linked with the travel reservation (which includes travel dates, travel itinerary, ticket information, frequent flyer data,  contact details, baggage information, credit card and general remarks stored in the Airline files).

For visa-exempt passengers arriving on foot or by car, bus or train, no such comparable advance information is available prior to their arrival.

The changes the proposal would bring

Schengen Border Checks
Prior to arriving in the Schengen area, all carriers will verify if visa-exempt third-country nationals have a valid ETIAS travel authorization, without which boarding will not be authorized. A valid ETIAS travel authorization, should be obtained in advance of arrival at a Schengen border crossing point, and this will be a precondition for entering the Schengen area. However, border guards at the external Schengen borders will still take the final decision to grant or refuse entry according to the Schengen Borders Code.

Online application
As it is currently the case for visa-exempt travelers to Canada “ETA”,  USA “ESTA”  and Australia “ETA” who have to ask for a travel authorization also travelers wanting enter the Schengen area will have to fill in an online application by providing their biographical and passport data, contact details, information on intended travel, and answers to background questions relating to public health risks, criminal records, presence in war zones and previous refusals of entry or an order to leave the territory of a Member State.

At the same time, an application fee of €5, which will go to the EU budget, will be mandatory for all applicants above the age of 18 before their application can be processed.

Processing of applications
The automated processing will be carried out by the central system, which will be in charge of checking data provided by applicants against security databases, such as the VIS, Europol data, the SIS, Eurodac, the  Interpol SLTD database , the European Criminal Records Information System (ECRIS) and the planned future EU “Entry-Exit” system (currently negotiated between the EP and the Council). Personal Data will also be screened against a ETIAS “watch list” (where people suspected to have committed, or be likely to commit a criminal offence will be listed by the EU MS) and against specific risk indicators (irregular migration, security or public- health risks) which will be defined in consultation with an ETIAS screening board.

In the case of a positive hit after the automatic processing, that personal application will be further assessed manually by operators in the ETIAS central unit and in the national units.
In case no risks has been detected a positive response, in a form of a travel authorisation valid for five years (or until the expiry of the passport) will be delivered. In the case of a refusal, a justification will be given and applicants will have the right to appeal.

Authorisation will be revoked or annulled when the conditions for its issuance are no longer met, particularly when it is believed that it was fraudulently obtained or when a new alert for refusal of entry is created in the SIS.

Etias structure
ETIAS will consist of an information system, a central unit and national units.

The information system will be designed for processing applications and will be interoperable with other security databases that ETIAS will be connected. The new system will be managed by the European Agency for the operational management of large-scale information systems in the area of freedom, security and justice (eu-LISA).

The central unit will be part of Frontex (the European Border and Coast Guard Agency) and will ensure that the data stored in the application files and the data recorded in ETIAS are correct and up to date. Where necessary, it will also verify travel authorisation applications whenever there are doubts regarding the identity of an applicant in cases where the latter’s data produced a match (a ‘hit’) against the stored data during automated processing.
The national units will be responsible for making the risk assessment and deciding on travel authorisation for applications rejected by the automated application process. They will also issue opinions when consulted by other national units, and act as a national access point for requests for access to the ETIAS data for law enforcement purposes related to terrorist and other serious criminal offences.

The role of Europol
Europol will be involved in ETIAS in several ways.
Firstly, Europol’s data related to criminal offences, convictions or potential threats will be compared to those provided by applicants for an ETIAS authorization.
Secondly, Europol will help define ETIAS screening rules by participating in the ETIAS screening board and managing the ETIAS watch list.
Thirdly, Europol will be consulted by the ETIAS national units in case of a match with Europol data during the ETIAS automated processing.
And finally, Europol will be able to consult personal data in the ETIAS central system for the prevention, detection or investigation of terrorist offences or other serious criminal offences (as provided by its mandate).

The Council’s position
In a  document om March 17, 2017 authored  by the Maltese Presidency of the Council of the EU and covering also the other legislative pending measures connected to ETIAS, a number of compromises are suggested: The Presidency identified other key issues that needed to be clarified and decided upon before revised text proposals could be submitted to delegations. The Presidency therefore prepared a discussion paper on which delegations were invited to comment. The issues outlined by the Presidency related to the division of competences between Frontex and the Member States, the definition of ‘responsible Member State’ as regards the decision to grant a travel authorisation, and the duration of a travel authorization […] With respect to the definition of the ‘responsible Member State’, delegations were divided into two groups, one in favour of the Member State of first entry, as proposed by the Commission, while the other stressed the key role played by the Member State at the origin of an alert triggering a “hit”. The following issues are the “object of extensive debates”:

“– the scope of the regulation;
– the ETIAS watchlist and the screening rules;
– the access to the ETIAS data;
– the interoperability of ETIAS with other systems and databases.”

More recently the Council Presidency has also submitted some possible compromise proposals to the other delegations (docs 8579/17 and 8584/17) and it is more than likely that the EP will be under pressure to launch the negotiations for a first reading agreement on this subject.

The European Parliament position (Libe Committee Debate)
On the EP side works are still at an initial phase (SEE OEIL DOSSIER HERE). The LIBE Committee has been informed for the first time by a Commission representative (Belinda Pyke) on 22 March 2017. It has been stressed that the purpose of the proposal is to improve internal security and border management and that policy visa liberalization is essential in the system. This proposal will contribute to the security of the Schengen area because as any risks will be identified prior to departure. Due to the political pressure of the European Council and the  very tight deadlines the Commission did not have the time to conduct an impact assessment although it would have been desirable; however, the Commission published a detailed study on the subject. The Commission representative made reference to the comparable systems in  Australia, Canada and USA and declared that the ETIAS system will take stock of the experience of these countries by overcoming their weaknesses and mirroring the strengths of these systems.
Firstly, request authorization will be easy and cheap. Applicants will receive rapidly (within 12 hours) a positive feedback and those without authorization will save travel costs. The ETIAS system provides an automatic control: such control will allow to verify that the criminal record is clean. These checks will take place on the basis of SIS, Interpol, ECRIS, Eurodac.
The ETIAS central unit will compare the data in the database and the identity of the applicant and the rest of the operations will be managed by the national units.
The decision of the unit will be delivered within 72 hours, unless it will be necessary to gather special information (in this case it will be possible an extension to a two-week maximum).
ETIAS will be financially self-sustaining, thanks to the tax that will be paid by applicants. It is estimated that the costs for developing it will amount to €212.1 million, while the average annual operations costs, to be covered by the revenue from fees, will be €85 million.
The data will be protected from abuse and the information may be given to law enforcement only in the case of very serious crimes (this possibility also exist for Eurodac).

The EP rapporteur Kinga Gal (PPE – Hungary) was not present at the debate, but a colleague read her statement. The rapporteur argues that the text is of great importance and it will cover three categories of passengers
1) European Citizens or persons enjoying the right of free movement under Union law
2) Third-country nationals under visa obligation
3) Third-country nationals without visa obligation
From now until 2020 the countries without visa obligation will increase. For third-country nationals without visa obligation it’s difficult to gather information; it’s therefore necessary to create an information system well established in legal terms, so as not to put excessive burdens for Member States.

The debate that followed, however, showed controversial elements in the proposal, criticized by MEPs.
Firstly, almost all the MEPs who spoke remarked the necessity of an impact assessment, finding it unacceptable yet another lack of it. An issue of such importance can not be studied without taking into account an impact assessment: the urgency can not justify such a lack.

Birgit Sippel (S&D – Germany), for instance, affirmed that she’s tired to listen to the Commission affirming that it’s necessary to adopt better legislation and that impact assessments are not conducted anymore because of urgency. EU needs to regulate well, not in a hurry: this rush to legislate, then, does not make sense if the execution by the Member States is so slow. She also remarked that one of the problems in this proposal is that the form requires a bit of everything and there is the risk that if an applicant forgets a small offense did at 15 years old he cannot enter.

The shadow rapporteur Gérard Deprez (ALDE – Belgium) wondered what professional criteria will be provided for ETIAS units and how it will be possible to apply Article 7 of the Schengen Code, because compulsory systematic checks for everybody (as provided in that Article) would have a significant impact on traffic at the border. Deprez considered that the term of 72 hours is reasonable whereas he considers excessive the term of validity of five years, because in the course of five years many things can change in a person’s life. Also foreign experiences in fact suggest different solutions: in US visa is valid for one year and in Australia for two years. Also with regard to rates, Deprez is at odds with the proposal: 5 euro is a low price if compared to the prices of US (14 euro) and Australia (20 euro). According to Deprez, then, in the request the applicant should indicate the member state where he would like to go. The proposal, in addiction, should define a better balancing of criminal convictions. For example, prison sentences of less than one year should not be an obstacle to the granting of authorization.

It may also emerge a serious problem for air traffic. It is estimated that for a plane carrying 300 people controls may last from four hours and a half to seven hours and a half. The controls are certainly a necessary corollary for visa liberalization, but the parliament should find more efficient solutions.

On behalf of DG HOME of the European Commission Mrs Belinda Pike replied that the validity of five years would be reasonable. Of course it is noted that in the case in which the person commits an offense such information is immediately acquired in the system. Contrary to what Deprez stated, then, the cost is not too low, but it’s instead sufficient to ensure the smart management of borders. It is a fee that will cover the costs and ensures a small gain. In the US half of the fee (therefore, 7 euros) is invested in the tourism sector. Do not pay anything on the other hand would be a huge burden on the EU budget.

Belinda Pike finally stressed that the screening does not immediately lead to the rejection of the request, but simply involves manual handling of the request.

Marie – Christine Vergiat (GUE/NGL – France) and Bodil Valero (Greens/EFA – Sweden) highlighted that visas are returned, albeit with a different name (authorization). According to Marie – Christine Vergiat, then, this proposal does not promote cooperation between member states, it is repressive and attacks the fundamental rights, like others in this area of “smart” borders. Security and immigration are matters to be addressed in different texts, because adhere to different problems. The fact that some people should be identified through a profiling system also raises an ethical problem.

Bodil Valero remarked the privacy-issue. People will also provide information on education and health and Greens/Efa group would like to receive explanations about what is the reason for these provisions: perhaps the Commission’s intention is to gather information that cannot be collected in other ways. Furthermore, the 5-year period envisaged for data stocking is too long. She underlined that also the EDPS (European Data Protection Supervisor) has taken a fairly critical position on some of the elements of the proposal.
In his opinion, in fact, the EDPS states, among other things, that the establishment of ETIAS would have a significant impact on the right to the protection of personal data, since various kinds of data, collected initially for very different purposes, will become accessible to a broader range of public authorities (i.e. immigration authorities, border guards, law enforcement authorities, etc). For this reason, the EDPS considers that there is a need for conducting an assessment of the impact that the Proposal will entail on the right to privacy and the right to data protection enshrined in the Charter of Fundamental Rights of the EU, which will take stock of all existing EU-level measures for migration and security objectives.

Last but not least, during a TRAN (transport and tourism) committee on Wednesday 22 March, different speakers representing the tourist sector expressed concerns about the costs generated by the ETIAS in the tourism sector. However, the TRAN Committee decided not to give an opinion to LIBE.

NEXT STEPS

As soon as the two co-legislators will have defined their position a trilogue  could be launched which can bring to an agreement on first reading. As things currently stay an agreement will probably go hand in hand with the other “ENTRY/EXIT” legislative proposal.

 

Immigration detention and the rule of law: the ECJ’s first ruling on detaining asylum-seekers in the Dublin system

ORIGINAL PUBLISHED ON EU LAW ANALYSIS (May 5,2017)

by Tommaso Poli (LL.M. candidate in Human Rights and Humanitarian Law at the University of Essex, School of Law).

One of the most controversial issues in immigration law is the detention of asylum-seekers. This issue was not initially addressed by the European Common Asylum System (CEAS), but is now addressed in some of the second-phase CEAS measures (the CEAS consists of the Asylum Procedures Directive, the Reception Conditions Directive, the Qualification Directive, the Dublin Regulation and the EURODAC Regulation).

In particular, the second-phase CEAS measures contain detailed rules on detaining asylum-seekers in two cases:  a) general rules in the Reception Conditions Directive, which were the subject of a first ECJ ruling in 2016 (discussed here) and a recent opinion of an Advocate-General; and b) more specific rules in the Dublin III Regulation, applying to asylum-seekers whose application is considered to be the responsibility of another Member State under those rules. Recently, the ECJ ruled for the first time on the interpretation of the latter provisions, in its judgment in the Al Chodor case.

As we will see, the Court took a strong view of the need for the rule of law to apply in detention cases. Moreover, its ruling is potentially relevant not just to Dublin cases, but also detention of asylum-seekers and irregular migrants in other contexts too.

The rules on detaining asylum-seekers in the context of the Dublin process are set out in Article 28 of the Dublin III Regulation. First of all, Article 28(1) states that asylum seekers can’t be detained purely because they are subject to the Dublin process. Then Article 28(2) sets out the sole ground for detention: when there is a ‘significant risk of absconding’. If that is the case ‘Member States may detain the person concerned in order to secure transfer procedures in accordance with’ the Dublin rules, ‘on the basis of an individual assessment and only in so far as detention is proportional and other less coercive alternative measures cannot be applied effectively’.

Next, Article 28(3) sets out detailed rules on time limits for ‘Dublin detention’; these are the subject of the pending Khir Amayry case. Finally, Article 28(4) states that the general rules on guarantees relating to procedural rights and detention conditions set out in the Reception Conditions Directive apply to asylum-seekers detained under the Dublin rules.

Al Chodor concerned the interpretation of the grounds for detention under Article 28(2): what is a ‘serious risk of absconding’?  The Dublin III Regulation offers some limited clarity, defining ‘risk of absconding’ as ‘the existence of reasons in an individual case, which are based on objective criteria defined by law, to believe that an applicant or a third country national or a stateless person who is subject to a transfer procedure may abscond.’ (Article 2(n) of the Regulation).

Facts

The case relates to an Iraqi man and his two minor children who were traveling from Hungary in the Czech Republic, without any documentation to establish their identity, with the aim of joining family members in Germany. After stopping the Al Chodors, the Czech Foreigners Police Section (FPS) consulted the Eurodac database and found that they had made an asylum application in Hungary. As a consequence, the Al Chodors were subjected to the transfer procedure according to Article 18(1)(b) of the Dublin III Regulation. In addition, the FPS took the view that there was a ‘serious risk of absconding’, given that the Al Chodors had neither a residence permit nor accommodation in the Czech Republic, while they were waiting for their transfer to Hungary.

So, they placed the Al Chodors in detention for 30 days pending their transfer pursuant to Paragraph 129(1) of the national law on the residence of foreign nationals, read in conjunction with Article 28(2) of the Dublin III Regulation. The Al Chodors brought an action against the decision ordering their detention to the regional Court, which annulled that decision, finding that Czech legislation does not lay down objective criteria for the assessment of the risk of absconding within the meaning of Article 2(n) of the Dublin III Regulation. That Court accordingly ruled that the decision was unlawful. Following the annulment of the decision of the FPS, the Al Chodors were released from custody.

The FPS brought an appeal on a point of law before the Supreme Administrative Court against the decision of the Regional Court. According to the FPS, the inapplicability of Article 28(2) of the Dublin III Regulation cannot be justified by the mere absence in Czech legislation of objective criteria defining the risk of absconding. That provision subjects the assessment of the risk of absconding to three conditions, namely an individual assessment taking account of the circumstances of the case, the proportionality of the detention, and the impossibility of employing a less coercive measure. The FPS has submitted that it satisfied those conditions.

The Supreme Administrative Court was uncertain whether the recognition by its settled case-law of objective criteria on the basis of which the detention of persons pursuant to Paragraph 129 of the Law on the residence of foreign nationals may be carried out can meet the requirement of a definition ‘by law’ within the meaning of Article 2(n) of the Dublin III Regulation, in so far as that case-law confirms a consistent administrative practice of the FPS which is characterised by the absence of arbitrary elements, and by predictability and an individual assessment in each case. So the Court decided to refer to the European Court of Justice for a preliminary ruling asking whether Article 2(n) and Article 28(2) of the Dublin III Regulation, read in conjunction, must be interpreted as requiring Member States to establish, in a national law, objective criteria underlying the reasons for believing that an applicant for international protection who is subject to a transfer procedure may abscond, and whether the absence of those criteria in a national law leads to the inapplicability of Article 28(2) of that regulation.

Judgment

The Court of Justice first of all ruled that Article 2(n) of the Dublin III Regulation explicitly requires that objective criteria defining the existence of a risk of absconding be defined by the national law of each Member State (paragraph 27-28). Then, determining whether the word ‘law’ must be understood as including settled case-law, the Court reaffirmed that in interpreting a provision of EU law, it is necessary to consider not only its wording but also the context in which it occurs and the objectives pursued by the rules of which it forms part (judgment of 26 May 2016, Envirotec Denmark, paragraph 27).

So with regard to the general scheme of the rules of which Article 2(n) of Dublin III Regulation forms part, the Court, referring to recital 9 of that regulation, states that the regulation is intended to make necessary improvements, in the light of experience, not only to the effectiveness of the Dublin system but also to the protection of fundamental rights afforded to applicants under that system. This high level of protection is also clear from Articles 28 and 2(n) of that regulation, read in conjunction. As regards the objective pursued by Article 2(n) of the Dublin III Regulation, read in conjunction with Article 28(2) thereof, the Court recalls that, by authorizing the detention of an applicant in order to secure transfer procedures pursuant to that regulation where there is a significant risk of absconding, those provisions provide for a limitation on the exercise of the fundamental right to liberty enshrined in Article 6 of the Charter.

In that regard, it is clear from Article 52(1) of the Charter that any limitation on the exercise of that right must be provided for by law and must respect the essence of that right and be subject to the principle of proportionality. Furthermore, it is worth noting that in this ruling the European Court of Justice explicitly aligns its interpretation to the European Court of Human Rights (ECtHR), reaffirming that any deprivation of liberty must be lawful not only in the sense that it must have a legal basis in national law, but also that lawfulness concerns the quality of the law and implies that a national law authorizing the deprivation of liberty must be sufficiently accessible, precise and foreseeable in its application in order to avoid risk of arbitrariness (judgment of the European Court of Human Rights of 21 October 2013, Del Río Prada v Spain, paragraph 125).

The Court then concluded by stating that taking account of the purpose of the provisions concerned, and in the light of the high level of protection which follows from their context, only a provision of general application could meet the requirement of clarity, predictability, accessibility and, in particular, protection against arbitrariness. It follows that Article 2(n) and Article 28(2) of the Dublin III Regulation, read in conjunction, must be interpreted as requiring that the objective criteria underlying the reasons for believing that an applicant may abscond must be established in a binding provision of general application. In the absence of such criteria, the detention was unlawful.

Comments

First of all, the Court’s ruling is likely relevant to the interpretation of other EU measures concerning immigration detention. In the Returns Directive, which inter alia concerns the detention of irregular migrants (as distinct from asylum seekers), the ‘risk of absconding’ forms part of the ground for detention (as well as one of the grounds for refusing to allow the irregular migrant a period for voluntary departure); and it is defined exactly the same way as in the Dublin III Regulation. As for asylum seekers who are detained on grounds other than the Dublin process, a ‘risk of absconding’ is an element of one of the grounds for detention under the Reception Conditions Directive, but is not further defined. But a recent Advocate-General’s opinion notes (at para 73) that this clause aims to prevent ‘arbitrary’ detention, which was a key feature of the reasoning in the Al Chodor judgment. This surely points to a consistent interpretation of the two asylum laws. It follows that arguably the Court’s judgment should be relevant not just to Dublin cases but to any immigration detention of non-EU citizens in any Member State bound by the relevant EU legislation.

Secondly, this ruling has reiterated the principle by which although regulations generally have immediate effect in national legal systems without it being necessary for the national authorities to adopt measures of application, some of those provisions may necessitate, for their implementation, the adoption of measures of applicability by the Member States (judgment of 14 April 2011, Vlaamse Dierenartsenvereniging and Janssens, paragraphs 47 and 48).

Most significantly, the Court has reaffirmed the primacy of Human Rights law in EU asylum law implementation, highlighting that the development of the EU asylum law itself depends on its compliance with Human Rights law. In particular, the ECJ’s ruling in this case first of all reflects the ECtHR’s interpretation of the ‘arbitrariness’ of detention, which extends beyond the lack of conformity with national law. Notably, it states that a deprivation of liberty that is lawful under domestic law can still be arbitrary and thus contrary to the general principles, stated explicitly or implied, in the Convention (judgment of the European Court of Human Rights of 9 July 2009, Mooren v. Germany, paragraphs 73-77).

The Court’s ruling also reflects UN human rights norms. The Human Rights Committee’s General Comment No. 31 related to the nature of the general legal obligation imposed on State parties to the UN Covenant on Civil and Political Rights, which all EU Member States are State parties to, which reads that ‘in no case may the restrictions be applied or invoked in a manner that would impair the essence of a Covenant right’ (paragraph 4). Furthermore, the Human Rights Committee’s General Comment No. 35 points out that “arbitrariness is not to be equated with ‘against the law’, but must be interpreted more broadly to include elements of inappropriateness, injustice, lack of predictability and due process of law, as well as elements of reasonableness, necessity and proportionality” (paragraph 12, see also HRC, Van Alphen v. Netherlands, paragraph 5.8).

Finally, the Court’s ruling has confirmed the constitutional value of the Charter of Fundamental Rights of the European Union, which assumes a critical value in this historical period, since, as with any constitutional instrument, the more society as a whole is going through difficult times (such as the perceived ‘migration crisis’ in Europe), the more important it is to reaffirm its principles and values.

Likewise Article 52 of the EU Charter states that in no case may restrictions be applied or invoked in a manner that would impair the essence of a Charter right; in the context of detention, a fortiori it can be also affirmed that essential elements of guarantee for that right, as the requirement of lawfulness and non-arbitrariness for the right of liberty, cannot be disregarded in any circumstance. The Al Chodor ruling puts meat on the bones of that fundamental principle.

Authorization of deprivation of liberty by judicial authorities in the recast Reception conditions Directive proposal (ICJ OBSERVATIONS)

 

April 2017

The Commision proposal of the Reception Conditions Directive (recast) COM(2016) 465 final has been published by the European Commission on 13.7.2016. On 23 February 2017, the amendments[1] have been tabled in the European Parliament on the draft report by Sophia in ‘t Veld from 18 January 2017, the Rapporteur of the recast Directive.

The ICJ supports the amendments especially when it comes to its proposals on detention. In particular in the sense that detention or other restrictions of movement that may cumulatively amount to deprivation of liberty should always and only be ordered by judicial authorities (the proposed amendments 10, 30-33, 93-95, and 243-246 regarding Recital 20, Article 8.1, 9.2 and 9.3 of the proposal in particular).

The right to liberty and security of the person is protected under international human rights law (Article 9 ICCPR, Art 5 ECHR), and means that, as a general rule, asylum seekers should not be detained, except where detention can be justified as a necessary and proportionate measure for a legitimate purpose in the specific circumstances of the case. Asylum seekers may have already suffered imprisonment and torture in the country from which they have fled and therefore, the consequences of detention may be particularly serious, causing severe emotional and psychological stress and may amount to inhuman and degrading treatment.

Under international human rights law, it is established that asylum seekers should only be detained, as a last resort, in exceptional cases and where non-custodial measures have been proven on individual grounds not to achieve the stated, lawful and legitimate purpose. Detention must not be imposed arbitrarily, it must be lawful, necessary, and applied without discrimination. Judicial authorization, as well as judicial review, of detention provides an important safeguard against arbitrariness.

The Parliamentary Assembly of the Council of Europe has clearly stated in its Resolution 1707 (2010) on Detention of asylum seekers and irregular migrants in Europe, para 9.1.3, that “detention shall be carried out by a procedure prescribed by law, authorised by a judicial authority and subject to periodic judicial review.

It has been also established in international law that there is a right to judicial review of any form of detention, and that such review must always be of a judicial nature[2] UNHCR guidelines also require both automatic review of detention and regular automatic periodic reviews thereafter, and a right to challenge detention.[3]

 Taking account of the complexity of the assessment of whether a deprivation of liberty is justifiable as necessary and proportionate in the individual case of an asylum seeker and of the seriousness of the impact on human rights of deprivation of liberty, the ICJ considers that authorization by a judicial authority would always be preferential in cases of detention or other serious restrictions of movement.

 NOTES

[1] See Amendments 1-51:; Amendments 52-295:; Amendments 296-543:

[2] see European Court of Human Rights in Öcalan v. Turkey, para 70; Human Rights Committee in C. v. Australia, para 8.2-8.3; HRC General Comment No. 35, Article 9 (Liberty and security of person), UN Doc. CCPR/C/GC/35 (2014), para 18).

[3] Guideline 7: “(iii) to be brought promptly before a judicial or other independent authority to have the detention decision reviewed. This review should ideally be automatic, and take place in the first instance within 24–48 hours of the initial decision to hold the asylum-seeker. The reviewing body must be independent of the initial detaining authority, and possess the power to order release or to vary any conditions of release. (iv) following the initial review of detention, regular periodic reviews of the necessity for the continuation of detention before a court or an independent body must be in place, which the asylum-seeker and his/her representative would have the right to attend. Good practice indicates that following an initial judicial confirmation of the right to detain, review would take place every seven days until the one month mark and thereafter every month until the maximum period set by law is reached. (v) irrespective of the reviews in (iii) and (iv), either personally or through a representative, the right to challenge the lawfulness of detention before a court of law at any time needs to be respected. The burden of proof to establish the lawfulness of the detention rests on the authorities in question. As highlighted in Guideline 4, the authorities need to establish that there is a legal basis for the detention in question, that the detention is justified according to the principles of necessity, reasonableness and proportionality, and that other, less intrusive means of achieving the same objectives have been considered in the individual case.”