Category: 8.2 Judicial cooperation in criminal matters

EU Internal Security strategy: towards a EU-USA common path?

The traditional meeting between the justice and home affairs ministerial representatives of the United States of America (USA) and of the European Union (EU) took place the 8th and 9th December 2010. Ms Janet Napolitano, from the Department of Homeland Security and Mr Eric Holder, General Attorney of the Department of Justice have discussed with the European Union presidency and the Commissioners Ms Cecilia Malmström and Ms Viviane Reding the transatlantic initiatives, both planned and underway- aimed at preventing and combating terrorism and organised crime.

The meeting confirmed the hegemonic and inspiring role that the American administration has towards the European Union when it comes to defining and implementing the European Internal Security Strategy (ISS).

This is true when it come to the synchronisation of the EU’ activities, since the Justice and Home Affairs Council which took place in Toledo in February 2010 adopted the strategy while the US administration approved the Fourth revision of its own internal security strategy.

It is also true in relation to the increasing concurrence of the objectives underpinning it. After all this is not so surprising for two allies which cooperate on a daily basis in all different domains, going from intelligence, money laundering, to the fight against drugs.

Therefore, the European ISS includes the fight against cyber crime, measures aimed at the protection of commercial flights and cargo safety, use of financial personal data and airplanes passengers. These objectives have been recalled by the Commission in its recent Communication entitled “The EU Internal Security Strategy in Action: Five steps towards a more secure Europe”.

The crucial element here is that while these objectives correspond to what the Congress requested, this is not the case for the European Union, where the position of the European Parliament – which should ensure the legislative transposition of some of these objectives- is much more cautious than the one of the Congress. This is even more striking  if one take into consideration the fact that the Congress is considered even more demanding than both the Bush and Obama Administration, for instance, concerning borders control with the creation of an entry-exit system and limits to visa liberalisation.

The opposition of the Strasbourg Assembly to the indiscriminate collection and systematic storage of personal data of millions of air passengers (PNR) for several years is renowned. Especially, because these data includes also those of individuals which are not wanted nor suspects and that, even after the controls, are not considered a danger for the flights safety.

That is why the Council of the European Union adopted the 3rd December 2010 a negotiation mandate to the Commission which should allow revising in a more restrictive manner the data protection provisions which are provisionally applied on the basis of the EU-USA agreement, since 2007.

It goes without saying that it would be rather naïve to expect the American Administration to welcome such a measure, especially because the new Republican majority in the Congress would interpret it as a lowering down of the guard. Nevertheless, it is also self-evident that the current agreement risks to be rejected by the European Parliament at any moment and this possibility would open a dangerous vacuum, also for the aviation companies.[1]

Rather, it is reasonable to expect a greater willingness from the European Parliament’s side to adopt measures concerning the fight against cyber-crime, one of the USA priority for a long time and recently recalled by the Obama Administration during the last EU-USA summit of 20th November 2010 in the Joint EU-US Statement. The summit promoted a EU-USA working group in the field of cyber security and cyber criminality, which within a year will present a report on a series of initiatives, such as those discussed in the recent EU-US-NATO summit of the 24th November. These measures includes among others,

–       the creation of Computer Emergency Response Team (CERTs) in each European country, along the lines of the corresponding American centres, with the support of the European Agency responsible for network security (ENISA)

–       – the implementation of an emergency network

–       The creation of a sort of control room at the European level, as indicated by the Commission in its proposal for an internal security strategy.

These measures should be complemented by legislative measures such as the Proposal for a Directive on attacks against information systems, currently under review by the European Parliament. This measure will probably get inspiration from the Convention on Cyber crime of the Council of Europe, ratified by the United States itself.

However, all these measures, as well as the last ministerial meeting, all share the same unresolved problem related to the different data protection standards existing in the two sides of the Atlantic, namely in relation to public security. On the one hand, in the United States the protection of privacy and personal data is not considered a fundamental right (at most a penumbral right, subordinated to the safeguard of the right of expression foreseen by the first amendment and to the right of residence foreseen by the fourth amendment). On the other hand, in the EU, these rights are recognised as fundamental by art. 8 of the European Convention on Human Rights as well articles 7 and 8 of the Charter of Fundamental Rights.

Indeed, the European Parliament has requested, especially after 9/11 a transatlantic binding agreement in this field. This could eventually take place on the basis of negotiation mandate which the Council conferred to the Commission on the 3rd December and that Vice-President Reding has already presented to the Parliament.

Theoretically, the US authorities should not oppose it given that the mandate recalls the recommendations made by a common working group which has elaborated a series of common principles. However, the American authorities fear that the new agreement will make more difficult the transfer of data that is already taking place under the EU-USA agreement in the field of judicial cooperation in criminal matters, the agreements with Europol and Eurojust and more importantly the various bilateral agreements negotiated in the last decades between the USA and the EU Member States, in the field of security and fight against crime.[2]

The next months look quite challenging and it will be interesting to follow not only the negotiations but also the tone of the dialogue that will be established between the Congress and the European Parliament, i.e. whether  they will be able to share to a greater extent the perception of a threat and therefore the need to a common answer.

If this will take place, it could be possible to open the way to a Transatlantic Schengen-like space which ahs already been announced in the  EU-US Joint Statement on “Enhancing transatlantic cooperation in the area of Justice, Freedom and Security”

EDC

[1] The same issue is true for those measures which are considered too invasive for the individual privacy, such as the installation of body scanners (1300 are foreseen to be installed in the USA and a few tens in the European Union). It remains to be seen what the European Union will do to implement the new international strategy in the field of aviation security adopted by the 37th ICAO Assembly which took place on 8th October 2010 (Comprehensive Aviation Security Strategy) (ICASS).

[2] See Prüm-like agreements on the basis of which the EU Member States committed themselves to transfer information, , to the United States. These transfer include sensitive information, such as DNA codes, in exchange of looser conditions to obtain visa for their citizens.

 

SWIFT and PNR resolutions adopted by the European Parliament

The European Parliament adopted on the 5th May 2010 the two resolutions on SWIFT and PNR:

European Parliament resolution of 5 May 2010 on the Recommendation from the Commission to the Council to authorise the opening of negotiations for an agreement between the European Union and the United States of America to make available to the United States Treasury Department financial messaging data to prevent and combat terrorism and terrorist financing

European Parliament resolutionof 5 May 2010 on the launch of negotiations for Passenger Name Record (PNR) agreements with the United States, Australia and Canada

The European Parliament to vote on PNR

The European Parliament will vote the resolution on the PNR agreement during the mini-plenary that will take place in Brussels on Thursday 6 May 2010.

This after the LIBE Committee announced in April the intention to postpone the vote on the EU-USA PNR agreement, calling the Commission to put forward a more comprehensive measure defining common data protection terms.

The European Commission is therefore going to put forward a more coherent “package” which will include:

a) a Communication listing general standards that should apply to any PNR agreement (regulate external aspects)

b) a PNR directive which will be a “lisbonisation” of the current agreement and

c) a recommendation for a negotiating mandate with the USA, CANADA and Australia on PNR.

There are several loopholes that have been identified by experts, academics as well as Members of the Parliament which refer to other on-going negotiations as well, namely the so-called SWIFT Agreement and the Framework Agreement on data protection and data sharing.

Different understanding of privacy and data protection

Privacy and data protection are two different albeit interlinked principles and this distinction needs to be applied in the internal and external dimension of the EU.

The right to privacy is not absolute. In fact most of the emphasis is on the conditions under which restriction could be imposed. The right to data protection always applies when personal data are processed. Indeed, the European Court of Human Rights has emphasised that in applying data protection principles also article 8 of the European Convention on Human Rights must be respected.

This interlink becomes increasingly important in relation with data sharing measures and even more when they entails international agreements with third countries, such as in the case of Passenger Name Record (PNR).

In the transatlantic arena, for example, the different understanding of data protection and privacy further complicate the issue, since the U.S. approach to privacy protection relies on industry-specific legislation, regulation and self-regulation whereas the European Union relies on a comprehensive privacy legislation.

Negotiators need to bridge these two approaches ensuring general adequate principles, which can then be applied to all specific agreements.

However, the transfer of personal data is already taking place without the existence of such an overarching agreement via the agreement provisionally implemented on PNR.

This approach is highly objectionable.  It is necessary to make sure that the broad agreement is compatible with the EU-US general agreement on data protection and not the other way around, as highlighted by the European Data Protection Supervisor. Otherwise the risk of inconsistency between the general principles and their application to specific agreements becomes more than likely.

This risk is already a reality with the PNR Agreement, which currently entails a series of measures at risk of violation of human rights as enshrined in the European legislation and case law:

Computerised Reservation Systems (CRS) as the “brokers” between the airlines the customers and the security authorities

As Mr Edward Hasbrouck explained, PNR data are entered by travel agencies, travel websites and tour operators in a third-party “Computerised Reservation System” (CSR.

The CSR then send the PNR data to the Department of Homeland Security (DHS) and since three out of four servers are based in the USA (including an office of the major EU sever), DHS and others in the USA can have access to EU data, even when they refer to intra-Europe flights.

The current PNR agreement covers transfers of PNR data from the EU to the DHS, it does not cover DHS relations with CSR. Hence, as Mr Hasbrouck correctly pointed out, standard airlines business completely overpass EU-US PNR agreement.

As far as the CRS are concerned the legal situation in the EU has been recently updated (February 4th, 2009) by Regulation (EC) No 80/2009 of the European Parliament and of the Council of 14 January 2009 on a Code of Conduct for computerised reservation systems and repealing Council Regulation (EEC) No 2299/89.

Art. 11 to which recital 21 refers states:

1. Personal data collected in the course of the activities of a CRS for the purpose of making reservations or issuing tickets for transport products shall only be processed in a way compatible with these purposes. With regard to the processing of such data, a system vendor shall be considered as a data controller in accordance with Article 2(d) of Directive 95/46/EC.

2. Personal data shall only be processed in so far as processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

3. Where special categories of data referred to under Article 8 of Directive 95/46/EC are involved, such data shall only be processed where the data subject has given his or her explicit consent to the processing of those data on an informed basis.

4. Information under the control of the system vendor concerning identifiable individual bookings shall be stored offline within seventy-two hours of the completion of the last element in the individual booking and destroyed within three years. Access to such data shall be allowed only for billing-dispute reasons.

5. Marketing, booking and sales data made available by a system vendor shall include no identification, either directly or indirectly, of natural persons or, where applicable, of the organisations or companies on whose behalf they are acting.

6. Upon request, a subscriber shall inform the consumer of the name and address of the system vendor, the purposes of the processing, the duration of the retention of personal data and the means available to the data subject of exercising his or her access rights.

7. A data subject shall be entitled to have access free of charge to data relating to him or her regardless of whether the data are stored by the system vendor or by the subscriber.

8. The rights recognised in this Article are complementary to and shall exist in addition to the data subject rights laid down by Directive 95/46/EC, by the national provisions adopted pursuant thereto and by the provisions of international agreements to which the Community is party.

9. The provisions of this Regulation particularise and complement Directive 95/46/EC for the purposes mentioned in Article 1.Save as otherwise provided, the definitions in that Directive shall apply. Where the specific provisions with regard to the processing of personal data in the context of the activities of a CRS laid down in this Article do not apply, this Regulation shall be without prejudice to the provisions of that Directive, the national provisions adopted pursuant thereto and the provisions of international agreements to which the Community is party.

10. Where a system vendor operates databases in different capacities such as, as a CRS, or as a host for airlines, technical and organisational measures shall be taken to prevent the circumvention of data protection rules through the interconnection between the databases, and to ensure that personal data are only accessible for the specific purpose for which they were collected.”

It is worth noting that according to art. 14 of the Regulation the activity of the CRS on the EU territory falls under the European Commission oversight and the Commission has the appropriate powers of control and will accept appeals against any infringement of the code of conduct:

“In order to carry out the duties assigned to it by this Regulation, the

Commission may, by simple request or decision, require undertakings or associations of undertakings to provide all necessary information, including the provision of specific audits notably on issues covered by Articles 4, 7, 10 and 11.”

But the extent to which this oversight power can actually be enforced is questionable. This is because the Directorate General (DG) of the European Commission in charge of the CRS is DG Transport (DG TRAN) whereas the DG responsible for PNR is Justice, Liberty and Security (DG JLS). Hence, if the two DG do not coordinate effectively, it is very difficult for the Commission to carry on the investigative tasks mentioned in article 14 and ensure that no infringement of the code of conduct takes place.

The proportionality principle governing the processing of personal data

According to Directive 95/46, Member States must respect the following principles in the processing of personal data: the purpose limitation, the data quality and proportionality principle, and the transparency principle.

Hence, proportionality is also one the criteria that allows for limitation of privacy. In order to deliver proportionality in practice it is necessary to provide answers to the following questions:

–       What does “narrowly tailored request” mean?

–       What does “case by case request” means?

–       Does case refer to a specific individual or more, or rather any data of all individual falling under a specific criteria?

The proportionality principle may only function against evidence. However, the evidence of the necessity of such measure has not been demonstrated yet. On the contrary, using the words of the Director General of DG JLS, Jonathan Faull, during the LIBE Committee on 24 March 2010, any evidence must remain secret as a matter of national security.

The balance between the limitation of privacy and data protection rights and the implementation of security measures can be reached only if such measures are assessed against the actual and not the perceived or presumed impact that they have on security. Otherwise, the very principle of proportionality fails and with it the respect of individuals’ fundamental rights.

The purpose limitation and the question of re-use

The question of proportionality is directly linked to the purpose of data sharing. The recital of the 2004 Agreement states that its purpose is “to prevent and combat terrorism and transnational crime”. Hence, it is necessary to guarantee that when investigations demonstrate that someone is not a terrorist but has committed other unlawful acts, (such as overstay or copyrights infringement) the data collected will not be used to trigger another procedure.

However, as Dr Patrick Breyer pointed out, the High Level Contact Group (HLGC) report of May 2008 “does not provide for restrictive and specific purpose limitation in that sense and thus fails to satisfy human rights requirements to the disclosure of personal information to foreign agents and states”.

Exchange of data between private and public sectors

Furthermore, by allowing the exchange of data between the private and public sectors the risk of breaching the purpose limitation is a given and extra specific legitimacy -in addition to that already required- should be provided in order to guarantee the full respect of data protection and privacy.

In addition to this, another issues related to the private/public transfer of data entails the question of profiling.

Profiling

Currently, no common definition of profiling exists mainly because there are many profiling activities (In this regard, the Council of Europe is preparing a report which, according to Ms Vassiliadou, will provide the guiding principle for the Commission’s future work).

Data profiling consists in using key words to generate new data so as to progress in data analysis. Hence, by using normal data there is the risk of generating sensitive data.

This “practice” has become increasingly popular among private companies in order to create a more tailored service to their clients. Indeed, this commercial purpose may meet the interest of an individual, especially if the result is a better service provided. However, if these profiles are used for law enforcement purposes by public authorities, the same individual may be against it.

That is why, according to Prof. Paul de Hert the principles of data minimisation and purpose limitations should be included when dealing with data protection and privacy legislation.

However, this might not be enough especially when faced with the risks represented by the automated machine data selection, although the European Commission reassured the audience stating that there should always be a person to take the final decision rather then a machine and this should avoid that profiling will lead to a direct effect to a person

Purpose limitation and profiling are even more delicate aspects once analysed together with the right to redress foreseen in the PNR agreement as well as in the work of the HLCG.

Right to redress and effective remedy

Everyone whose right to data protection and privacy have been violated must have the right to an effective remedy before and independent tribunal as guaranteed in Article 13 ECHR and Art. 47 of the Charter of Fundamental Rights of the European Union.

However, the judicial system of the United States does not provide effective remedy and the Annex to the HLCG report of October 2009 only provides for administrative redress which cannot be defined an effective remedy.

Despite these unresolved issued, the Commission and the Council of the EU are determined to carry on negotiations concerning the SWIFT agreement as well as the PNR agreement.

Undisclosed sources referred that during the EU-US JHA meeting which took place at Ministerial level on 8-9 April 2010 in Madrid, the European Commission is looking for solutions on the aspects where divergences between the EU and the USA exist such as the bulk data transfer, redress principle, purpose limitation and push/pull techniques.

It is regrettable that despite all the aforementioned loopholes, to use an euphemism, the Commission did not supported the approach by which first a general framework agreement on data protection and data sharing with the USA should be concluded and only afterwards – if considered necessary on the basis of evidence- specific agreements such as PNR and SWIFT should be negotiated. Even though the current proposal for a general agreement falls way short of being acceptable.

The European Commission argued that it considers that the SWIFT agreement will be reinforced by the conclusion of the EU US data protection agreement.

During the meeting, the USA not only denied the existence of differences on the understanding of principles related to data protection and privacy on the basis of the OECD guidelines (which the EU thinks is not the right basis), but also considered that the issues raised by the European side in relation to the SWIFT agreement are based on pure misconceptions on how the system works.

If the European Parliament will back up such an agreement it will cover only a minimal part of the exchange of information, since it has no power o regulate the flows of data, for example between the US and third countries. The only aspect that the European Parliament can try to regulate, a fundamental aspect, is the flows of information between the federal and the national authorities in the United States.  On the 6 May will see if at least this aspect will be covered.

LB

Action Plan on the Stockholm Programme released by Statewatch

European Commission: Stockholm Programme: Statewatch Analysis: Action Plan on the Stockholm Programme: A bit more freedom and justice and a lot more security (pdf) by Tony Bunyan: “The “harnessing of the digital tsunami” as advocated by the EU Future Group and the surveillance society, spelt out in Statewatch’s “The Shape of Things to Come” is embedded in the Commission’s Action Plan as it is in the Stockholm Programme….There is no mention of the European Security Research Programme (ESRP). Much of the technological development is being funded under the 1.4 billion euro security research programme. See: Statewatch/TNI report: Neoconopticon: EU security-industrial complex.

Statewatch Briefing: European Commission: Action Plan on the Stockholm Programme (pdf) Comments by Professor Steve Peers, University of Essex – Full-text: Communication from the Commission: Delivering an area of freedom, security and justice for Europe’s citizens Action Plan Implementing the Stockholm Programme (COM 171/2010, pdf)

http://www.statewatch.org/


LIBE Committee resume the works on the future SWIFT long term agreement

The LIBE Committee discussed on 7 April 2010 the re-launch of negotiations on a SWIFT long term agreement.

It has to be recalled that following the European Parliament refusal to provide its consent on the US-EU SWIFT Interim Agreement last February a new draft-negotiating mandate has been indeed submitted by the College of Commissioners on 24 March 2010 to the Council, which in turn is expected to approve it on 22/23 April. According to the Commission the new agreement might be concluded at the beginning of June of this year.

Will the new agreement be founded on Judicial cooperation in penal matters or ….?

According to the Commission statement and the legal basis chosen for the new mandate (art. 82 of the TFUE) the future agreement will comply with the EP request  expressed already in September 2009 to build the EU US cooperation in this domain in a framework which could be consistent with the new EU Treaty the art. 8 of the European Charter of Fundamental rights and the request of some Constitutional Courts such as the German Court. To do so the draft mandate has foreseen the creation of  an European “Authority of  judicial nature” which could check the necessity and proportionality of the US request of SWIFT data .

Therefore during the debate Rapporteur Ms Jeanine Hennis Plasschaert (ALDE) enquired the European Commission on whether it would be possible to explore alternative legal frameworks from judicial cooperation in penal matters .

Mr Faull underlined that the Commission could not see any feasible short term alternative system to the mutual legal assistance framework, however this will not prevent the Commission to explore also other possibilities, following the requests from the Spanish Presidency and by taking in account the question posed by the Rapporteur. On the same logic to find alternative solution to judicial cooperation Ms Carmen Romero López (S&D) suggested to work within the framework of an anti-money laundering directive revised to include banking messaging companies.

Therefore according to Jan Philipp Albrecht (Greens/EFA) these “alternative” approaches would go against the European Charter on Fundamental Rights, the European Convention on Human Rights as well as the German Court (see recent judgment on data retention) with the risk, as pointed out “that Germany will feel impelled to reject this mandate on constitutional grounds”. To avoid possible “clashes” with European or national constitutional courts Mr Albrecht has then suggested then to request for the opinion of the EU Court of Justice on the compatibility of the draft agreement with the EU legislation, as foreseen by Article 218 §11 of the Treaty on the Functioning of the European Union.

The new draft negotiating mandate

The new draft negotiating mandate as agreed upon by the College of Commissioners on 24 March 2010 and upon approval of the Council foresees  -among others- the following elements:

  • Safeguards to ensure the respect of the fundamental right to the protection of personal data;
  • Transfer to third countries of only information derived from terrorism investigations (“lead information”);
  • A judicial public authority in the EU with the responsibility to receive requests from the United States Department of the Treasury, verify if  the substantiated  request meets the requirements of the Agreement and if appropriate require the provider to transfer the data on the basis of a “push” system;
  • Retention of personal data extracted from the TFTP database for no longer than necessary for the specific investigation or prosecution and non-extracted data retained for five years;
  • Onward transfer of information obtained through the TFTP under the Agreement shall be limited to law enforcement, public security, or counter terrorism authorities of US government agencies or of EU Member States and third countries or Europol or Eurojust as well as Interpol.
  • The Agreement shall provide for:

1) the right of individuals to information relating to the processing of personal data;

2) the right to access his/her personal data;

3) to the rectification, and

4) as appropriate erasure thereof.

Hence, it appears that the College of Commissioners has tried to address some of the past concerns addressed by the MEPs.

However, while demonstrating the willingness to explore grounds for a new agreement on the SWIFT data-sharing, some of the Members of the LIBE Committee, expressed a variety of concerns, most of which were already raised in the previous report of the European Parliament and that can be summarised as follows:

Proportionality

Members of Parliament still have concerns that the transfer of bulk data will not be addressed properly. According to Ms Sophie In’t Veld (ALDE) filtering should be done in the EU for financial data, PNR and telecommunications. Also Ms  Birgit Sippel (S&D) stressed that SWIFT should be able to individualise data ahead of a transfer.

In this regard it remains to be seen whether SWIFT has the technical ability but not the willingness to bare the costs derived from selecting and transferring  individual data instead of ‘data in bulk’.

According to Mr Faull it will not be possible to reduce the quantity of data transferred however he will work to reduce their size by removing the presumably non-useful data.

Data storage period

MEPs expressed concerned over the five years data storage as foreseen by the new text despite the attempts of Mr Faull to reassure the Committee stating that five years was not “unreasonable” given data’s useful lifespan in counter-terrorism.

Access, rectification, compensation and redress outside the EU

Mr Stavros Lambrinidis (S&D) enquired whether there was no other way for the bulk transfer of data and if it was not possible to impose some prior European check when the US wants to transfer the data to third countries.

Furthermore MEPs expressed the need to ensure the right to appeal to European citizens in front of American authorities in case of personal data abuse/misuse.

In this respect Mr Busutill asked to ensure equal rights between US and EU citizens and Mr Faull replied that the Privacy Act is indeed discriminatory and therefore does not guarantee the same rights to EU and US citizens.  However the Privacy Act does not apply to the TFTP , hence asking to apply the same right of US citizens to the European ones means not having any rights at all.

No evidence on the effectiveness

There still is no evidence that cases of terrorism have been prevented or prosecuted based exclusively on the financial data.

Procedural concerns

The fact that the EU is planning to conclude an executive agreement on exchanges of data before negotiating the general agreements on rules governing the data protection raise additional concerns. Indeed, the acceleration of the envisaged SWIFT II agreement will limit the margin of maneuver for negotiators on the overarching transatlantic agreement on data sharing and data protection. In other words, it will force the latter to simply accept praxis established before the development of the general principles governing data protection.

Also the Commission -using the words of the Director General of DG JLS Mr Jonathan Faull- is of the opinion that “in an ideal world” general norms should be established before specific ones. However, no sufficient reasons have been provided to explain why the European Union is accelerating the negotiations on the SWIFT agreement instead of giving precedence to the establishment of overarching general framework on EU-US data protection and exchange.

In conclusion, the European Union is engaging in a delicate exercise trying to define at the same time internal, external, specific and general data protection norms. This would have been possible -in theory- if the European Union had clear objectives and points of reference. However, following the LIBE Committee debate on 7 April this seems far from being the case.

L.B.

Rights to interpretation and translation in criminal proceedings: LIBE amendments and new Commission proposal

As anticipated in a previous post in this blog the Committee on Civil Liberties, Justice and Home affairs (LIBE) discussed the draft report on the directive of the European Parliament and of the Council on the rights to interpretation and to translation in criminal proceedings presented by rapporteur Sarah Ludford on 17 March 2010, based on the initiative put forward by 13 Member states.

But this was not the only initiative discussed on this matter, also that of the European Commission presented on 9 March 2010 was discussed.

Therefore, after a brief introduction of the aim of the directive, the amendments of the LIBE on the MSs’ initiative will be analysed and then, few observations on the Commission proposal will be made on the basis of the debate that took place in the LIBE committee.

Continue reading “Rights to interpretation and translation in criminal proceedings: LIBE amendments and new Commission proposal”

On the BVG ruling on Data Retention: “So lange” – here it goes again…

As mentioned a couple of weeks ago in the blog (10 January 2010 – Directive on data retention: now the floor goes to the German Constitutional Court) the German Constitutional Court was preparing to make a decision about the German internal application of the controversial Data Retention Directive (2006/24/EC), demanding telecommunication data retention from 6 months till 2 years. Some historical background is provided in the above mentioned blog. On March 2 the decision has arrived (1 BvR 256/08 , 1 BvR 263/08 , 1 BvR 586/08). And what a decision it is. It is of the same work as the famous decision in Marbury v. Madison presided over by John Marshall. The German Federal Constitutional Court (Bundesverfassungsgericht) avoided a direct conflict with the ECJ but showed once again that it will take its prerogatives very seriously regarding the protection of human rights and annulled the German provisions applying the Directive.

Continue reading “On the BVG ruling on Data Retention: “So lange” – here it goes again…”

Twelve European countries call for a “European Protection Order” combating violence against women

This week the Civil Liberties, Justice and Home Affairs Committee of the European Parliament will examine an interesting initiative for a Directive presented by twelve Members of the European Union (the Kingdom of Belgium, the Republic of Bulgaria, the Kingdom of Spain, the Republic of Estonia, the French Republic, the Italian Republic, the Republic of Hungary, the Republic of Poland, the Portuguese Republic, Romania, the Republic of Finland and the Kingdom of Sweden under the Spanish Presidency in accordance to the Stockholm Programme) within the framework of judicial cooperation in criminal matters.

The initiative concerns a proposal for a “European Protection Order” to ensure that the protection provided especially to women victims of violence in one Member State is maintained and continued in any other Member State to which the person moves or has moved.

The Initiative is accompanied by an explanatory memorandum allowing to appraise compliance with the principles of subsidiarity and proportionality, in accordance with Article 5 of Protocol (No 2) to the Lisbon Treaty together with a questionnaire drawn up by the Spanish Presidency on the current legislative framework in the Member States.

 According to the proposal for a directive, the victim under threat should, as far as possible, enjoy the same level of protection throughout EU territory as in the State which adopted the original protection measure. The Member State to which the victim under threat moves should provide an “immediate response” in the form of a “European protection order” imposing to the “Person causing danger” one or more of the following obligations or prohibitions:

(a) an obligation not to enter certain localities, places or defined areas where the protected person resides or that he visits;

(b) an obligation to remain in a specified place, where applicable during specified times;

(c) an obligation containing limitations on leaving the territory of the issuing State;

(d) an obligation to avoid contact with the protected person; or

(e) a prohibition on approaching the protected person closer than a prescribed distance.

Naturally, this initiative “shall not have the effect of modifying the obligation to respect fundamental rights and fundamental legal principles” as enshrined in Article 6 (article 3) of the TEU.

The European protection order is issued by a judicial authority or another competent authority only at the request of the protected person, after verifying that the protection measure meets all the requirements of the national legislation of the issuing or the requesting State.

It shall also include a summary of the facts and circumstances which have led to the imposition of the protection measure in the issuing State (if necessary with an explicit indication of a ruling on the basis of article 2 of the framework decision 2008/947/GAI or a decision concerning preventive measures on the basis of article o 4 of the framework decision 2009/829/GAI) as well as the obligations or prohibitions imposed in the protection measure underlying the European protection order on the person causing danger.

Furthermore, the length of these obligations and restrictions and the express indication that their infringement constitutes a criminal offence under the law of the issuing State or may otherwise be punishable by a deprivation of liberty should be indicated.

The proposal for a directive recognises the right by the competent authority of the executing State to refuse to recognise a European protection order in the following circumstances:

(a) the European protection order is not complete or has not been completed within the time-limit set by the competent authority of the executing State;

(b) the requirements set out in Article 2(2) have not been met;

(c) the protection derives from the execution of a penalty or measure that is covered by amnesty according to the law of the executing State and relates to an act which falls within its competence according to that law;

(d) there is immunity conferred under the law of the executing State on the person causing danger, which makes it impossible to adopt the protection measures.

The scrutiny of this initiative  appears as a priority of the Spanish Presidency which, therefore, will try to obtain the European Parliament’s support in view of a swift adoption in first reading (as it happened in other cases).

If this will occur, the qualified majority in the Council will be sufficient to adopt the initiative together with the simple majority in the European Parliament.

In addition, national parliaments will be entitled to intervene to signal their opposition if they believe that the proposal does not respect the principle of subsidiarity.

Last but not least, also the European Commission will be able to express its opinion during the legislative process. However, it will not be able to tide the Council’s position as when it does when it concerns its own initiative (indeed, in these circumstances the Council may approve a proposal different from the Commission’s one only by unanimity in order to protect the right of initiative of the institution defined as the “guardian of the Treaties”).

EDC

Is the respect of minimum standard in criminal procedures utopia?

 The adoption of EU legislation on procedural rights in criminal procedures is at stake since a long time and despite a number of calls from the European Parliament, no legislative instrument is yet in place.

As a consequence, suspects and defendants have no other protection than the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) (all EU Member States are parties to the ECHR) and, after the entry into force of the Treaty of Lisbon, the Charter of fundamental Rights of the European Union.

Works in view of the adoption of a legal instrument in this field started in 2003 with the publication, by the European Commission, of a Green Paper.

Due to the positive feedback received, in 2004 the European Commission tabled a proposal for a framework decision to set common minimum standards for procedural safeguards (COM(2004)0328).

In 2007, after having largely watered down the Commission’s proposal without reaching any result, the Council took note of the impossibility of reaching a consensus on it. Hence, a number of Member States called to limit the application of such an instrument to cross-boarder cases or to cases in which an European Arrest Warrant (EAW) was issued.

In July 2009 the European Commission tabled a new proposal for a framework decision (COM(2009)338) on procedural rights. The proposal was extremely limited in scope covering only the rights to interpretation and translation of all “essential” documents. T

he Swedish Presidency therefore proposed the framework decision to be accompanied by a Council Resolution providing for further measures on training for interpreters and translators, accreditation/certification of interpreters and translators as well as their mandatory registration.

The Swedish Presidency presented also a draft Council Resolution on a “Roadmap” for strengthening procedural rights of suspected and accused persons in criminal proceedings.

The roadmap was adopted at the Justice and Home Affairs Council held on 23 October 2009 and a reference to it is contained in the Stockholm Programme. It covers the following measures:

A: Translation and interpretation

B: Information on rights and information about the charges

C: Legal advice and legal aid

D: Communication with relatives, employers and consular authorities

E: Special safeguards for vulnerable suspected or accused persons

F: A Green Paper on pre-trial detention .

In December 2009 the Treaty of Lisbon entered into force and all pending legislative procedures, including this one, could not come to their end.

Following to the impossibility to adopt the Framework Decision, a group of 13 Member States (BE, DE, ES, EE, FR, HU, IT, LU, AT, PT, RO, FI and SE) tabled an Initiative for the adoption of a Directive on the rights to interpretation and translation in criminal proceedings under the new legal framework provided by the Treaty of Lisbon.

The Initiative is based on the text agreed at Council level in October 2009 and will be negotiated, under the ordinary legislative procedure, under Spanish Presidency.

Will this time the EU manage to provide itself with a legal instrument ensuring to suspects and defendants minimum procedural rights in criminal proceedings?

C.G.

The EU-USA Provisional Agreement on Interbank Financial data access (SWIFT) under European Parliament scrutiny

In the next few weeks the European Parliament will receive  several international agreements in the field of police and judicial cooperation negotiated or signed -albeit not yet ratified by the European Council- before the entry into force of the Lisbon Treaty. 

Among these, special attentions deserve the two agreements signed with the United States concerning access to personal data to fight against terrorism.

The first one concerns personal data managed by airline companies when they conclude a transport contract which has as a destination or point of transition the United States (EU-USA Agreement on access to Passenger Name Record- PNR).

The second one, recently published in the Official Journal, concerns the access to personal and financial data exchanged via interbanking messages and processed worldwide, in almost their totality, by a specific society called SWIFT .

Their access is regulated by the Terrorist Finance Tracking Program (TFTP) on the basis of which the USA Treasury Department may request via an administrative mandate (“subpoena”) to access personal and financial data to prevent and fight terrorism.

The advantage of interbanking messages relies on their fast and easy accessibility compared to financial information, whose access is regulated by the prevention programmes for combating Money Laundering and Terrorist Financing. In fact, on the basis of these measures applied worldwide, it is a bank’s responsibility to signal suspicious transactions to the National Financial Intelligence Unit (FIU) which in turn transmits the information to the FIU of the countries involved in terrorist investigations.[1]  

On the contrary TFTP access is direct, avoiding delays, risks of incomprehension and non-cooperative banks around the globe.

Even if available data are limited (such as clients generalities and amounts of transferred money) they become  essential once they are cross-checked with information coming from other sources related to judicial, police and intelligence investigations.

This is obviously an extraordinary instrument also for the USA. This authorisation is based on exceptional powers granted to the President of the United States on a temporary basis by the  Emergency Economic Powers Act (50 USC, sections 1701-1706). The President immediately used them after the 9/11 attacks and since then the Congress has renewed its authorisation every year.[2]

The TFTP programme remained secret up to 2006 when the USA press[3] published a series of articles and the Society SWIFT released a few statements after obtaining more restrictive measures to the access of data by the USA Treasury Department. 

This took place despite the fact that the TFTP is exceptionally not covered by the Privacy ACT of the United States and neither by the general norms laid down to protect privacy in financial transitions.

The debate triggered at the European Union level resulted in a series of hearings and resolutions of the European Parliament[4], it  set off an investigation of the CE Commission, an opinion of the data protection national authorities Working Group and an investigation carried out by the Belgian authorities ,who are the one responsible for the control of the activities carried onby the company  SWIFT.

The conclusions of these discussions pointed out that the management of these data – although illegal in the EU territory-  is legal in the USA territory on condition that:

-the company SWIFT adheres to the voluntary programme “SAFE HARBOR” to protect its clients[5] and

– American authorities respect a series of self-imposed limitations to limits data access; Furthermore,  the constant presence of SWIFT employees when data are collected should be granted and a periodical review by an independent authority  nominated in a concerted way by the USA and the EU takes place.

This complex jurisdictional construction was – and still is-  based on the principle that these data are in the USA territory and therefore under jurisdiction of the American authorities.

However, things chaged when the company SWIFT restructured the systems architecture of the financial messaging network in 2007 and its global data centres.  Becasue of this, SWIFT decided that the data coming from interbanking transactions outside the USA territory were all relocated exclusively within the European territory no longer allowing a mirror copy of these data in the American servers.

Based on the argument that retained data are crucial to the fight against terrorism, American authorities asked to keep on accessing these data also once they would have been relocated to the EU territory (and under EU legislation), with the guarantee that in case of a terrorist threat these data would have been transmitted back to the EU.

This ofer was mainly made on the basis that the majority of the European states are not equipped to use and process the data gathered in the TFTP. Therefore, in this way not only the United States but also the European Union would have benefit from the programme. 

On the basis of this reasoning, negotiations started before summer 2009 and have been carefully followed by the European Parliament which in its resolution in September 2009 listed the minimum conditions to be applied to make sure that the use of data of TFTP is compatible with European standards. These indications refer to data protection as well as judicial protection standards, given that these are information that can be used for counter terrorism activities.

Against this background two agreements have been put forward:  a first transitional agreement of the limited duration of 9 months and a second longer one whose negotiations should start in the next few weeks.

The “transitional” text of the first agreement has now been published in the Official Journal and will enter into force on 1st February 2010;  it recalls some of the concerns of the European Parliament, not last the one concerning the need to anchor the implementation of this agreement to that on judicial cooperation in criminal matters between the EU and the USA concluded in Washington on 28 October 2009.[6]

It is too early to predict what the European parliament will do. One should not give for granted the outcome of the parliamentary scrutiny and its final vote since the Treaty of Lisbon (Article 16 TFEU) and the now binding Charter of Fundamental Rights[7] have introduced even stricter standard in terms of data protection.

EDC

[1] See GAFI recommendations such as the VII financial provision to gather data concerning transfer above 1.000 $ in Europe (3.000 $ in the USA) and to make them available to the authorities; see also Communitarian Directives on money laundering and Communitarian Regulations in this field (such as  Regulation (CE) No 1781/2006 of the European Parliament and the Council of 15 November 2006 on information on the payer accompanying transfers of funds)  

[2] CRF Presidential Executive Order 13224 issued by the President George Bush on 23 September 2001.

[3] See Wikipedia reconstruction: http://en.wikipedia.org/wiki/Terrorist_Finance_Tracking_Program

[4] See resolution of 6 July 2006 on the interception of bank transfer data from the SWIFT system by the US secret services (OJ C 303 E, 13.12.2006, p. 843) and Resolution of 14 February 2007 on SWIFT, the PNR agreement and the transatlantic dialogue on these issues (OJ C 287 E, 29.11.2007, p. 349).

[5] The Commission CE assessed that Safe Harbor guaranteed a sufficient level of data protection back in 2001.

[6] Processing of EU originating Personal Data by United States Treasury Department for Counter Terrorism Purposes – “SWIFT” (OJ C 166, 20.7.2007, p. 18).

[7] See also the European Convention on Human Rights, in particular Articles 5, 6, 7 and 8 thereof, the Charter of Fundamental Rights, in particular Articles 7, 8, 47, 48 and 49 thereof, Council of Europe Convention No 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, Directive 95/46/EC and Regulation (EC) No 45/2001.