Category: 8.2 Judicial cooperation in criminal matters

Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses

FULL STUDY ( 152 pages) ACCESSIBLE HERE 

This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. It sets out to develop a better understanding of the main cybersecurity threats and existing cybersecurity capabilities in the European Union and the United States. The study further examines transnational cooperation and explores perceptions of the effectiveness of the EU response, pinpointing remaining challenges and suggesting avenues for improvement. AUTHORS : Dr Nicole van der Meulen, Eun A Jo and Stefan Soesanto (RAND Europe)

EXECUTIVE SUMMARY

The European Commission published the European Union Cyber Security Strategy along with the accompanying proposal for a Network and Information Security (NIS) Directive in 2013. Since the proposal was published, the cybersecurity landscape has continued to evolve, leading to questions regarding the nature and seriousness of the cyberthreats faced by the European Union (EU), the capabilities of Member States to manage these threats and respond to incidents, and the effectiveness of these capabilities. At the time of writing, discussions about the content and scope of the proposed NIS Directive are continuing. This study of cybersecurity threats in the EU was commissioned by the European Parliament (EP). It has five objectives:

  • To identify key cyberthreats facing the EU and the challenges associated with their identification.
  • To identify the main cybersecurity capabilities in the EU.
  • To identify the main cybersecurity capabilities in the United States (US).
  • To assess the current state of transnational cooperation.
  • To explore perceptions of the effectiveness of the current EU response.

Defining cybersecurity

Any study of cybersecurity must reflect on the challenges introduced by the different meanings of the term. There is no consensus on a standard or universally accepted definition of cybersecurity. The term cybersecurity has roots in information security but is now used to refer to a broader range of issues, linked to national security. The observation that cybersecurity means different things to different people is not without its consequences. How the issue is framed influences what constitutes a threat as well as what counter-measures are needed and justified.

Mapping cybersecurity threats

The study team’s analysis of six threat assessments1 and an existing meta-analysis carried about by Gehem et al. (2015) highlight the difficulty with systematically comparing threat assessments and gauging the reliability of data and findings on the basis of which threat assessments are conducted. The challenge rests in part in the absence of a commonly accepted definition of what constitutes a threat and the variation in the methodology and metrics used for threat assessments. Moreover, some threat assessments reference or are based on other threat assessments, rather than original sources, leading to potential duplication of findings and lack of clarity about the evidence underlying threat assessments. As a result, there is no clearly established framework to classify and map threats.

The study team created a framework for mapping threats. The framework distinguishes:

  • Threat    actors:    states,    profit-driven    cybercriminals,    and    hacktivists   and extremists.
  • Threat tools: malware and its variants, such as (banking) Trojans, ransomware, point-of-sale malware, botnets and exploits.
  • Threat   types:   unauthorised   access,   destruction,   disclosure,   modification   of information and denial of service.

The mapping of the cyberthreat landscape through the review of the six threat assessments was complemented by a discussion on the varying perceptions of the severity of threats and the concept of‘threat inflation’.

Cybersecurity capabilities in the EU

To respond to the evolving threat in the area of cybersecurity, the EU has aimed to provide an overarching response through the publication of the EU Cyber Security Strategy together with the proposed NIS Directive. The Strategy identifies five objectives including:

  • Achieving cyberresilience.
  • Drastically reducing cybercrime.
  • Developing   cyberdefence   policy  and   capabilities  related  to  the  Common Security and Defence Policy (CSDP).
  • Developing the industrial and technological resources for cybersecurity.
  • Establishing   a   coherent   international   cyberspace   policy  for  the   EU   and promote core EU values.

This study focuses on providing a descriptive overview of capabilities for the first three objectives. Capabilities for the purposes of this study have been operationalised as institutional structures, such as agencies and departments.

  • In the area of cyberresilience, the European Network and Information Security Agency (ENISA) is the primary player at the EU level. ENISA is tasked with addressing the existing fragmentation in the European approach to cybersecurity, namely by bridging the capability gaps of its Member States. In the cybercrime domain, the European Cyber Crime Centre (EC3) serves as a European cybercrime platform. Besides combatting cybercrime, EC3 also gathers cyberintelligence and serves as an intermediary among various stakeholders, such as law enforcement authorities, Computer Emergency Response Teams (CERTs), industry and academia.
  • In the area of cyberdefence, the European Defence Agency (EDA) supports the capability development necessary to implement the Strategy. Its most apparent activities remain in research and development and designing a common crisis response platform. Given that foreign and defence policies have conventionally been areas of domestic competence, it is understandable that EU-wide cyberdefence capabilities have developed at a different pace compared to the other two objectives, cyberresilience and cybercrime.

Cybersecurity capabilities in the US

Cybercapabilities in the US are challenging to map in a comprehensive manner. The tendency to layer initiatives and agencies makes navigating the different components difficult. For the purposes of a high-level comparison with the EU cyber capabilities, the study focuses on key institutional players and their roles in relation to three strategic priorities: cyberresilience, cybercrime and cyberdefence.

  • In the area of cyberresilience, the Department of Homeland Security (DHS) is the formal leader. The DHS is responsible for securing federal civilian government networks, protecting critical infrastructure and responding to cyberthreats.
  • In the area of cybercrime, the US has not designated any lead investigative agency. Instead, numerous federal law enforcement agencies combat cybercrime in their own capacity. These include the US Secret Service (USSS) and the US Immigration and Customs Enforcement (ICE) Cyber Crimes Center, which are both  agencies  within  the  DHS.  The  Federal   Bureau  of Investigation  (FBI)’s cyberdivision is also involved.
  • In cyberdefence, the Department of Defence (DoD) plays a leading role. It is readily apparent from the DoD’s multiple publications that the US has become more open about its capabilities and willing to name its adversaries. The DoD is also increasingly encompassing in its response to cyberthreats over time, investing in both defensive as well as offensive cybercapabilities, as detailed in its cyberdefence strategy published in April 2015. Commentators note that deterrence is a key characteristic of the US cyberdefence strategy.

Transnational cooperation

The necessity to engage in transnational cooperation to counter the complex challenge posed by cybercrime is widely recognised both inside and outside the EU. Transnational cooperation exists at both the strategic and the operational level. The EU-US Working Group on Cybersecurity and Cybercrime is an example of strategic cooperation and is the first transatlantic dialogue to tackle common challenges in the area of cybercrime and cybersecurity. On an operational level, transnational cooperation has manifested through a range of activities, from botnet takedown to disruption of underground forums.

Challenges, however, remain in the area of combatting cybercrime as identified by the study team through the interviews. Mutual Legal Assistance Treaties (MLATs) are widely regarded as outdated and obstacles to effective and timely information sharing. Further, the importance of acquiring data for investigations is debated among law enforcement agencies and civil society groups. Deconfliction – avoiding the duplication or conflict of efforts – is another challenge. Due to the involvement of various stakeholders, cooperation is essential to avoid potentially disrupting others’ efforts. The draft Europol Regulation contains provisions that interviewees have reported could complicate the attainment of information from the private sector, possibly obstructing future operations.2

Effectiveness of the EU response

Ideally, capabilities respond directly to threats and the effectiveness of the EU response can be measured by noticeable changes in the threat landscape. However, such an assessment is not feasible; there is not enough information available in the public domain and measurement problems persist. Moreover, the EU response is still very much in development and geared towards addressing fragmentation in its approach to cybersecurity, as well as the approach taken by the 28 Member States. This consists of harmonising strategies and standards and coordinating regulatory interventions, as well as facilitating (or more precisely, requiring) information sharing and gap closures between Member States. Due to the inherently relative nature of cybersecurity and the challenges associated with attaining cyberresilience, it is difficult to state whether the new initiatives have been successful. Given these challenges to measuring effectiveness, the study team explored perceptions about the effectiveness of the EU response based on existing commentary and supplemented with interviewees’ responses.
 
The first key finding in relation to the perceived effectiveness of the EU response is that while there is still fragmentation, there is also discernible improvement. Particularly noteworthy is the strategic cooperation agreement between ENISA and EC3, which aims to facilitate closer cooperation and the exchange of expertise. However, questions remain about fragmentation, especially with respect to the proposed NIS Directive. Various points of dissension remain as the trilogue negotiations between the European Commission, European Parliament and the Council of the European Union continue. Moreover, fragmentation is notable not only in terms of operational capabilities but also in terms of Member States’ understanding of the cyberdomain. Bridging these gaps will therefore require technical support as well as strategic guidance.

The second finding is that differences in opinion persist as to whether the overall approach to cybersecurity should be voluntary and informal or mandatory and formal. For example, the CERT community, which has conventionally relied on voluntary participation and cooperation between private and public entities, appears less willing to move to a system in which information sharing is mandatory. In contrast, other security agencies favour law enforcement and support more stringent requirements, for instance in information sharing, as they believe voluntary reporting has failed.

Third, as the new approach proposed through the Strategy and the draft NIS Directive is largely regulatory in nature, the issue of scope – in terms of the entities formally included as having a role in cybersecurity – is heightened and contested. One issue is whether Internet service providers (ISPs) should be included. These scoping challenges are likely to exacerbate existing contentions surrounding the NIS Directive and call into question whether the present regulatory approach is appropriate to secure European cyberspace.

Policy options

Based on this study’s findings the research team suggests the following policy options for the European Parliament’s consideration in terms of EU action on cybersecurity. Each option is elaborated in the Conclusion.

  1. Encourage ENISA, EC3 and others involved in European cyberthreat assessments to investigate further harmonisation of threat assessments, which can effectively incorporate information from Member States and other EU agencies and provide clearer indications of the evidence base for the assessment. This recommendation follows from the findings from the review of threat assessments undertaken for this study.
  2. Make use of existing structures as much as possible. One of the concerns identified by the study team – from a review of existing literature and in interviews with experts – was the tendency of the Commission to develop new structures and exclude existing initiatives and agencies.
  3. Consider reinserting law enforcement in the Network and Information Security (NIS) Directive. The attempt to overcome fragmentation at the EU level is hampered by the exclusion of law enforcement from provisions in the proposed NIS Directive.
  4. Ensure Europol has speedy and more direct access to information from the private sector. Speedy access to relevant information from the private sector is essential for Europol to combat transnational cybercrime. There is potential for this access to be hindered by having to go through the Member States, which may reduce the effectiveness of Europol’s operations, especially as Europol cooperates with partners at the transnational level.
  5. Assess what capability gaps actually exist between the Member States and measure progress. Despite the claims about gaps between Member States, our research suggests that there is very little empirical evidence to indicate which States are more advanced than others and in what areas. To improve this situation and to develop a better understanding of these gaps, ranking Member States and identifying areas of improvement could be made more explicit.

…continue reading

NOTES

1  (ACSC: Threat Report; BSI: State of IT Security Germany; ENISA: Threat Landscape (ETL); Europol: Internet Organised Crime Threat Assessment (iOCTA); NCSC: Cyber Security Threat Assessment the Netherlands (CSAN); Verizon: Data Breach Investigations Report (DBIR).
2 European Parliament. 2014b. Legislative resolution of 25 February 2014 on the proposal for a regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA. P7_TA(2014)0121 (COM(2013)0173 – C7-0094/2013 – 2013/0091(COD)). As of 12 October 2015: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0121&language=EN&ring=A7-2014-0096

 

“Foreign Fighters” and EU implementation of the UNSC resolution 2178. Another case of “Legislate in haste, repent at leisure…” ? (2)

by Dalila DELORENZI (FREE Group Trainee – Original in Italian)

1. Foreword
As the hostilities in Syria and Iraq continue and terrorism activities worldwide seem to be on the rise, EU Member States are increasingly confronted with the problem of aspiring and returning ‘foreign fighters’ as described already in this blog HERE. More precisely, in the EU the term is used to indicate European citizens who, after leaving to join jihadist groups, may have become further radicalised and acquired combat experience, and therefore be capable of carrying out deadly terrorist attacks once they return to Europe.

Such phenomenon is anything but new; however, its scale certainly is: as illustrated by the rise of the terrorist group calling itself “Islamic state”, the phenomenon has acquired an entirely new dimension – according to the EU intelligence sources 19% of the total fighters originated from the EU.

It explains then the wide perception of these individuals as a serious threat to the security of both individual Member States and the EU as a whole – especially in the aftermath of the recent terrorist attacks occurred in Brussels[1], Paris[2], Copenhagen[3].

Broadly speaking , a different way to envision human mobility and checks at external borders of Schengen has come to light. Whereas initially, they were rather conceived to protect the Schengen area from threats coming from country outside the Schengen zone, now such threat to security is deemed to be already inside the EU, due to the fact that most of the time militants returning to Europe possess the nationality of a Member State.

2. EU response Continue reading ““Foreign Fighters” and EU implementation of the UNSC resolution 2178. Another case of “Legislate in haste, repent at leisure…” ? (2)”

Some notes on the relations between UNSC Resolution 2240 (2015) fighting smugglers in Mediterranean and the EUNAVFOR Med “Sophia” operation

by Isabella Mercone  (Free Group Trainee – Original Version in Italian)

  1. INTRODUCTION

On 9 October 2015, the Security Council of the United Nations adopted Resolution 2240 (2015), authorizing Member States to intercept vessels off  Libyan coast, suspected of migrant smuggling.

The resolution was adopted in a short time, without much discussion and ahead of schedule, with 14 votes in favour and just one abstention (Venezuela). “Incredible!” – Someone could say – “For once, the Security Council succeeded in adopting a resolution on time.” However, the true is that the adopted resolution is not the one imagined in May by the High Representative for Foreign Affairs and Security Policy of the European Union, Federica Mogherini, when operation EUNAVFOR Med was launched. But let’s go one step at a time: let’s see first where the idea of ​​EUNAVFOR Med came from and what is its goal, and let’s try to understand why the EU should have required a resolution by the Security Council, allowing it to intervene in the Mediterranean and dismantle the smuggling of migrants.

  1. THE OPERATION EUNAVFOR MED (now renamed “SOPHIA”)

Continue reading “Some notes on the relations between UNSC Resolution 2240 (2015) fighting smugglers in Mediterranean and the EUNAVFOR Med “Sophia” operation”

EU-US Umbrella Data Protection Agreement : Detailed analysis by Douwe Korff

14 October 2015 (NOTA BENE : This text is more than 60 pages)

by Douwe KORFF (FREE GROUP MEMBER)

About the Fundamental Rights Europe Expert Group (FREE): The Fundamental Rights European Experts Group (FREE Group : http://www.free-group.eu)  is a Belgian non governmental organisation (Association Sans But Lucratif (ASBL) Registered at Belgian Moniteur: Number 304811. According to art 3 and 4 of its Statute ( see below *) the association focus is on monitoring, teaching and advocating in the European Union freedom security and justice related policies. In the same framework we follow also the EU actions in protecting and promoting EU values and fundamental rights in the Member States as required by the article 2, 6 and 7 of the Treaty on the European Union (risk of violation by a Member State of EU founding values)

About the author: Douwe Korff is a Dutch comparative and international law expert on human rights and data protection. He is Emeritus Professor of International Law, London Metropolitan University; Associate, Oxford Martin School, University of Oxford (Global Cybersecurity Capacity Centre); Fellow, Centre for Internet & Human Rights, University of Viadrina, Frankfurt/O and Berlin; and Visiting Fellow, Yale University (Information Society Project).

Acknowledgments: The author would like to express his thanks to Mme. Marie Georges and Prof. Steve Peers, members of FREE Group, for their very helpful comments on and edits of the draft of this Note.

OVERALL CONCLUSIONS

We believe the following aspects of the Umbrella Agreement violate, or are likely to lead to violations of, the Treaties and the EU Charter of Fundamental Rights:

  1. The Umbrella Agreement appears to allow the “sharing” of data sent by EU law enforcement agencies to US law enforcement agencies with US national security agencies (including the FBI and the US NSA) for use in the latter’s mass surveillance and data mining operations; as well as the “onward transfer” of such data to “third parties”, including national security agencies of yet other (“third”) countries, which the Agreement says may not be subjected to “generic data protection conditions”;
  2. The Umbrella Agreement does not contain a general human rights clause prohibiting the “sharing” or “onward transfers” of data on EU persons, provided subject to the Agreement, with or to other agencies, in the USA or elsewhere, in circumstances in which this could lead to serious human rights violations, including arbitrary arrest and detention, torture or even extrajudicial killings or “disappearances” of the data subjects (or others);
  3. The Umbrella Agreement does not provide for equal rights and remedies for EU- and US nationals in the USA; but worse, non-EU citizens living in EU Member States who are not nationals of the Member State concerned – such as Syrian refugees or Afghan or Eritrean asylum-seekers, or students from Africa or South America or China – and non-EU citizens who have flown to, from or through the EU and whose data may have been sent to the USA (in particular, under the EU-US PNR Agreement), are completely denied judicial redress in the USA under the Umbrella Agreement.

In addition:

  1. The Umbrella Agreement in many respects fails to meet important substantive requirements of EU data protection law;
  2. The Umbrella Agreement also fails to meet important requirements of EU data protection law in terms of data subject rights and data subjects’ access to real and effective remedies; and
  3. In terms of transparency and oversight, too, the Umbrella Agreement falls significantly short of fundamental European data protection and human rights requirements.

The Agreement should therefore, in our view, not be approved by the European Parliament in its present form.

FULL TEXT OF THE ANALYSIS 

  1. Introduction / Background

Continue reading “EU-US Umbrella Data Protection Agreement : Detailed analysis by Douwe Korff”

UNSC RESOLUTION 2240(215) (NB:fighting smugglers and traffickers in the Mediterranean Sea)

NOTA BENE : After UNSC Resolution 2178(2014) on Foreign Fighters aiming to address a problem raised notably by the EU, UNSC Resolution 2240(2015) paves now the way for a strenghtened  EU intervention against smugglers and traffickers in the South Mediterranean currently conducted in the framework of the Operation EUNAVFOR -Sophia. Emphasis have been added to the original text and comment will follow in the coming days 

UNITED NATIONS 

Resolution 2240(2015) Adopted by the Security Council at its 7531st meeting, on 9 October 2015

The Security Council,

Recalling  its press statement of 21 April on the maritime tragedy in the Mediterranean Sea,

Reaffirming its strong commitment to the sovereignty, independence, territorial integrity and national unity of Libya,

Recalling that international law, as reflected in the United Nations Convention on the Law of the Sea of 10 December 1982, sets out the legal framework applicable to activities in the ocean,

Reaffirming also the United Nations Convention against Transnational Organized Crime (UNTOC Convention) and its Protocol against the Smuggling of Migrants by Land, Air and Sea, as the primary international legal instruments to combat the smuggling of migrants and related conduct, and the Protocol to Prevent, Suppress and Punish Trafficking in Persons,

Especially Women and Children, supplementing the UNTOC Convention, as the primary international legal instruments to combat trafficking in persons,

Underlining that, although the crime of smuggling of migrants may share, in some cases, some common features with the crime of trafficking in persons, Member States need to recognise that they are distinct crimes, as defined by the UNTOC Convention and its Protocols, requiring differing legal, operational, and policy responses,

Deploring the continuing maritime tragedies in the Mediterranean Sea that have resulted in hundreds of casualties, and noting with concern that such casualties were, in some cases, the result of exploitation and misinformation by transnational criminal organisations which facilitated the illegal smuggling of migrants via dangerous methods for personal gain and with callous disregard for human life,

Expressing grave concern at the recent proliferation of, and endangerment of lives by, the smuggling of migrants in the Mediterranean Sea, in particular off the coast of Libya and recognizing that among these migrants may be persons who meet the definition of a refugee under the 1951 Convention relating to the Status of Refugees and the 1967 Protocol thereto,

Emphasizing in this respect that migrants, including asylum-seekers and regardless of their migration status, should be treated with humanity and dignity and that their rights should be fully respected, and urging all States in this regard to comply with their obligations under international law, including international human rights law and international refugee law, as applicable, stressing also the obligation of States, where applicable, to protect the human rights of migrants regardless of their migration status, including when implementing their specific migration and border security policies,

Reaffirming in this respect the need to promote and protect effectively the human rights and fundamental freedoms of all migrants, regardless of their migration status, especially those of women and children, and to address international migration through international, regional or bilateral cooperation and dialogue and through a comprehensive and balanced approach, recognizing the roles and responsibilities of countries of origin, transit and destination in promoting and protecting the human rights of all migrants, and avoiding approaches that might aggravate their vulnerability,

Further recalling the International Convention for the Safety of Life at Sea and the International Convention on Maritime Search  and Rescue,

Expressing further concern that the situation in Libya is exacerbated by the smuggling of migrants and human trafficking into, through and from the Libyan territory, which could provide support to other organised crime and terrorist networks in Libya,

Mindful of its primary responsibility for the maintenance of international peace and security under the Charter of the United Nations,

Underlining the primary responsibility of the Libyan Government to take appropriate action to prevent the recent proliferation of, and endangerment of lives by, the smuggling of migrants and human trafficking through the territory of Libya and its territorial sea,

Mindful of the need to support further efforts to strengthen Libyan border management, considering the difficulties of the Libyan Government to manage effectively the migratory flows in transit through Libyan territory, and noting its concern for the repercussions of this phenomenon on the stability of Libya and of the Mediterranean region,

Welcoming support already provided by the most concerned Member States, including Member States of the European Union (EU), taking into account inter alia the role of FRONTEX and the specific mandate of EUBAM Libya in support of the Libyan Government, and by neighbouring States,

Acknowledging the European Council statement of 23 April 2015 and the press statement of the African Union Peace and Security Council of 27 April, which underlined the need for effective international action to address both the immediate and long-term aspects of human trafficking towards Europe,

Taking note of the Decision of the Council of the European Union of 18 May 2015 setting up ‘EUNAVFOR Med’ which underlined the need for effective international action to address both the immediate and long-term aspects of migrant smuggling and human trafficking towards Europe,

Taking further note of the ongoing discussions between the EU and the Libyan Government on migration related issues,

Expressing also strong support to the States in the region affected by the smuggling of migrants and human trafficking, and emphasizing the need to step up coordination of efforts in order to strengthen an effective multidimensional response to these common challenges in the spirit of international solidarity and shared responsibility, to tackle their root causes and to prevent people from being exploited by migrant smugglers and human traffickers,

Acknowledging the need to assist States in the region, upon request, in the development of comprehensive and integrated regional and national strategies, legal frameworks, and institutions to counter terrorism, transnational organised crime, migrant smuggling, and human trafficking, including mechanisms to implement them within the framework of States’ obligations under applicable international law,

Stressing that addressing both migrant smuggling and human trafficking, including dismantling smuggling and trafficking networks in the region and prosecuting migrant smugglers, and human traffickers requires a coordinated, multidimensional approach with States of origin, of transit, and of destination, and further acknowledging the need to develop effective strategies to deter migrant smuggling and human trafficking in States of origin and transit,

Emphasizing that migrants should be treated with humanity and dignity and that their rights should be fully respected, and urging all States in this regard to comply with their obligations under international law, including international human rights law and international refugee law, as applicable,

Bearing in mind the obligations of States under applicable international law to exercise due diligence to prevent and combat migrant smuggling and human trafficking, to investigate and punish perpetrators, to identify and provide effective assistance to victims of trafficking and migrants and to cooperate to the fullest extent possible to prevent and suppress migrant smuggling and human trafficking,

Affirming the necessity to put an end to the recent proliferation of, and endangerment of lives by, the smuggling of migrants and trafficking of persons in the Mediterranean Sea off the coast of Libya, and, for these specific purposes, acting under Chapter VII of the Charter of the United Nations,

  1. Condemns all acts of migrant smuggling and human trafficking into, through and from the Libyan territory and off the coast of Libya, which undermine further the process of stabilisation of Libya and endanger the lives of thousands of people;
  1. Calls on Member States acting nationally or through regional organisations, including the EU, to assist Libya, upon request, in building needed capacity including to secure its borders and to prevent, investigate and prosecute acts of smuggling of migrants and human trafficking through its territory and in its territorial sea; in order to prevent the further proliferation of, and endangerment of lives by, the smuggling of migrants and human trafficking into, through and from the territory of Libya and off its coast;
  1. Urges Member States and regional organisations, in the spirit of international solidarity and shared responsibility, to cooperate with the Libyan Government, and with each other, including by   sharing   information about acts of migrant smuggling and human trafficking in Libya’s territorial sea and on the high seas off the coast of Libya, and rendering assistance to migrants and victims of human trafficking recovered at sea, in accordance with international law;
  1. Urges States and regional organisations whose naval vessels and aircraft operate on the high seas and airspace off the coast of Libya, to be vigilant for acts of migrant smuggling and human trafficking, and in this context, encourages States and regional organisations to increase and coordinate their efforts to deter acts of migrant smuggling and human trafficking, in cooperation with Libya;
  2. Calls upon Member States acting nationally or through regional organisations that are engaged in the fight against migrant smuggling and human trafficking to inspect, as permitted under international law, on the high seas off the coast of Libya, any unflagged vessels that they have reasonable grounds to believe have been, are being, or imminently will be used by organised criminal enterprises for migrant smuggling or human trafficking from Libya, including inflatable boats, rafts and dinghies;
  1. Further calls upon such Member States to inspect, with the consent of the flag State, on the high seas off the coast of Libya, vessels that they have reasonable grounds to believe have been, are being, or imminently will be used by organised criminal enterprises for migrant smuggling or human trafficking from Libya;
  1. Decides, with a view to saving the threatened lives of migrants or of victims of human trafficking on board such vessels as mentioned above, to authorise, in these exceptional and specific circumstances, for a period of one year from the date of the adoption of this resolution, Member States, acting nationally or through regional organisations that are engaged in the fight against migrant smuggling and human trafficking, to inspect on the high seas off the coast of Libya vessels that they have reasonable grounds to suspect are being used for migrant smuggling or human trafficking from Libya, provided that such Member States and regional organisations make good faith efforts to obtain the consent of the vessel’s flag State prior to using the authority outlined in this paragraph;
  1. Decides to authorise for a period of one year from the date of the adoption of this resolution, Member States acting nationally or through regional organisations to seize vessels inspected under the authority of paragraph 7 that are confirmed as being used for migrant smuggling or human trafficking from Libya, and underscores that further action with regard to such vessels inspected under the authority of paragraph 7, including disposal, will be taken in accordance with applicable international law with due consideration of the interests of any third parties who have acted in good faith;
  1. Calls upon all flag States involved to cooperate with respect to efforts under paragraphs 7 and 8, and decides that Member States acting nationally or through regional organisations under the authority of those paragraphs shall keep flag States informed of actions taken with respect to their vessels, and calls upon flag States that receive such requests to review and respond to them in a rapid and timely manner;
  1. Decides to authorise Member States acting nationally or through regional organisations to use all measures commensurate to the specific circumstances in confronting migrant smugglers or human traffickers in carrying out activities under paragraphs 7 and 8 and in full compliance with international   human   rights   law,   as applicable, underscores that the authorizations in paragraph 7 and 8 do not apply with respect to vessels entitled to sovereign immunity under international law, and calls upon Member States and regional organisations carrying out activities under paragraphs 7, 8 and this paragraph, to provide for the safety of persons on board as an utmost priority and to avoid causing harm to the marine environment or to the safety of navigation;
  1. Affirms that the authorisations provided in paragraphs 7 and 8 apply only with respect to the situation of migrant smuggling and human trafficking on the high seas off the coast of Libya and shall not affect the rights or obligations or responsibilities of Member States under international law, including any rights or obligations under UNCLOS, including the general principle of exclusive jurisdiction of a flag State over its vessels on the high seas, with respect to any other situation, and further affirms that the authorisation provided in paragraph 10 applies only in confronting migrant smugglers and human traffickers on the high seas off the coast of Libya;
  1. Underscores that this resolution is intended to disrupt the organised criminal enterprises engaged in migrant smuggling and human trafficking and prevent loss of life and is not intended to undermine the human rights of individuals or prevent them from seeking protection under international human rights law and international refugee law;
  1. Emphasises that all migrants, including asylum-seekers, should be treated with humanity and dignity and that their rights should be fully respected, and urges all States in this regard to comply with their obligations under international law, including international human rights law and international refugee law, as applicable;
  1. Urges Member States and regional organisations acting under the authority of this resolution to have due regard for the livelihoods of those engaged in fishing or other legitimate activities;
  1. Calls upon all States, with relevant jurisdiction under international law and national legislation, to investigate and prosecute persons responsible for acts of migrant smuggling and human trafficking at sea, consistent with States’ obligations under international law, including international human rights law and international refugee law, as applicable;
  1. Calls for Member States to consider ratifying or acceding to, and for States Parties to effectively implement the Protocol against the Smuggling of Migrants by Land, Sea and Air, supplementing the United Nations Convention against Transnational Organized Crime, and as well as the Protocol to Prevent, Suppress and Punish Trafficking in Persons, Especially Women and Children;
  1. Requests States utilising the authority of this resolution to inform the Security Council within three months of the date of adoption of this resolution and every three months thereafter on the progress of actions undertaken in exercise of the authority provided in paragraphs 7 to 10 above;
  1. Requests the Secretary-General to report to the Security Council eleven months after the adoption of this resolution on its implementation, in particular with regards to the implementation of paragraphs 7 to 10 above;
  1. Expresses its intention to review the situation and consider, as appropriate, renewing the authority provided in this resolution for additional periods;
  1. Decides to remain seized of the matter.

THE CJEU’S RULING IN CELAJ: CRIMINAL PENALTIES, ENTRY BANS AND THE RETURNS DIRECTIVE

ORIGINAL PUBLISHED ON EU LAW ANALYSIS (Tuesday, 6 October 2015)

By Izabella Majcher, Associate Researcher at Global Detention Project and PhD candidate in International Law at the Graduate Institute of International and Development Studies is Geneva.

In its ruling in the Skerdjan Celaj case (C-290/14), rendered on 1st October 2015, the Court of Justice of the European Union (CJEU) addressed once again the relation between immigration and criminal law and in particular the compatibility of national penal measures imposed as a punishment for irregular migration with the EU Returns Directive. In the previous cases touching upon this issue, the Court assessed whether the Directive allowed states to penalize non-compliance with a return order or irregular stay itself with imprisonment (El Dridi andAchughbabian, respectively) and with home detention (Sagor) as a criminal law penalty (as distinct from administrative law detention, which is expressly regulated by the Directive). In turn, in Celaj the Luxembourg judges were requested to consider whether a criminal law sentence of imprisonment imposed for a breach of a re-entry ban was compatible with the Returns Directive.

As defined in Article 3(6) of the Directive, an “entry ban” means an “administrative or judicial decision or act prohibiting entry into and stay on the territory of the Member States for a specified period, accompanying a return decision.”

The Case

Mr Celaj was arrested by Italian police in August 2011 for attempted robbery. In April 2012 he was issued a removal order accompanied by a three-year entry ban and left Italian territory some five months later. Subsequently Mr Celaj re-entered Italy and was apprehended by the police in February 2014. The public prosecutor then brought criminal law proceedings against him and sought a term of imprisonment of eight months for the breach of the entry-ban. The District Florence Court, before whom the proceedings were brought, decided to stay the proceedings and refer the question to the Luxembourg Court for a preliminary ruling. The referring court asked the CJEU whether the Returns Directive precludes domestic legislation penalizing re-entry in breach of an entry ban with a prison sentence up to four years. The Court found that it does not.

The Court did not follow the Opinion of Advocate General (AG) Szpunar, issued in April 2015. The AG based his Opinion on the effectiveness and the main objective of the Returns Directive, which is the return of undocumented non-EU citizens. These arguments had been developed by the Court in a line of case-law addressing the relation between domestic penal sanctions and the Directive. Indeed, in El Dridi (§ 58) the Court ruled that imprisonment as a criminal law penalty for the failure to leave the country during the voluntary departure period was not compatible with the Returns Directive. In Achughbabian (§ 45) it found that the Directive also precluded imprisonment as a criminal law penalty for irregular stay itself if ordered prior to starting removal proceedings or during such proceedings. The underlying justification of the Court’s conclusions in both cases was that a term of imprisonment as a criminal law penalty would delay the removal of the person concerned and thus jeopardize the objective pursued by the Directive (El Dridi, § 59; Achughbabian, § 45). The ruling in Sagor (§ 45) shows that not only prison sentences but even home detention during return proceedings as a criminal law penalty risks delaying deportation and thus should not be imposed. The AG thus invited the Court to follow its well-established case-law and declare that imprisonment for a breach of entry ban as a criminal law penalty is incompatible with the Directive because it would delay return of the person concerned (§ 6).

Yet, the Court ruled that the Returns Directive does not preclude domestic legislation which provides for a prison sentence as a criminal law penalty for non-EU citizens who unlawfully re-enter the country in breach of an entry ban (§25 and 33). The CJEU did reiterate that the objective of the Directive would be undermined if removal would be delayed by a criminal prosecution leading to a term of imprisonment, as ruled in El Dridi, Achughbabian, and Sagor (§ 26). However, it found that the circumstances in the Celaj case were “clearly distinct” from those inEl Dridi and Achughbabian. This distinction, in the Court’s opinion, was due to the fact that, unlike Mr Celaj, the non-citizens concerned in El Dridi and Achughbabianwere subject to a first return procedure (§ 28). The Court also added that, in line with the second indent of its ruling in Achughbabian, the Directive does not preclude penal sanctions as a criminal law penalty to be imposed on a migrant who has been subject to a return procedure but stays in an irregular manner in the member state (§ 29).

Comments

Were the circumstances in Celaj so “clearly distinct” from those in El Dridi andAchughbabian to justify such a different conclusion? Does it fundamentally matter that those cases dealt with a first return procedure? Every return procedure regulated by the Directive has essentially the same goal – the swift removal of the non-EU citizen concerned. It appears thus irrelevant whether return is pursued because of irregular entry or irregular re-entry.

Under Article 6(1) of the Directive member states are required to issue a return decision to every migrant in irregular situation, subject to some exceptions. As highlighted by the AG (§ 42, 49, and 50), this duty is persistent and continuous. This means that each time a non-EU citizen finds himself or herself on the State territory without permission, the authorities should start a return procedure by issuing a return decision. Thus, in line with the rules under the Directive, a non-EU citizen who has re-entered the Member State unlawfully should be liable to a new return decision rather than criminal proceedings which may postpone his or her ultimate removal. This finding is also supported by the Court’s ruling inAchughbabian (§ 45) where it held that the obligation incumbent on states to conduct removal shall be fulfilled as soon as possible and thus states should not carry out criminal proceedings involving custodial penalties not only prior to theimplementation of the return decision, but also prior to the adoption of such a decision.

Strikingly, the CJEU did not consider at all whether criminal proceedings against Mr Celaj would delay his return. This omission is hardly consistent with the Court’s well established case-law which attaches pivotal importance to the effectiveness of the procedures regulated under the Directive (El Dridi, § 55; Achughbabian, § 39;Sagor, § 32). It is easily foreseeable that after serving his prison sentence, Mr Celaj will be issued with a return decision. The term of imprisonment as a criminal law penalty will inevitably delay his return and thus jeopardize the very objective of the Returns Directive.

Likewise, the second, somehow auxiliary, argument advanced by the Luxembourg judges is not wholly convincing. True, in line with the second indent of the ruling inAchughbabian (§ 51) states may impose a criminal law prison sentence on a non-EU citizen to whom a return procedure has been applied but who stays in an irregular manner in the Member State. However, as pointed out by the AG (§ 61), to be compatible with the main part of the ruling, this conclusion should only cover situations where authorities did not succeed in returning the person concerned, who then continues to stay on the state’s territory. The second indent in the judgment in Achughbabian should thus have no bearing on Celaj where the non-EU citizen concerned left the country, thus return proceedings reached their goal. Following his irregular re-entry, he should be liable to a new return procedure.

The judgment in Celaj appears not consistent with the CJEU’s well-established jurisprudence on the interplay between domestic penal sanctions and the effectiveness of return policy as laid down in the Returns Directive. The Court relied on an apparent clear distinction between return proceedings imposed for irregular entry and subsequent re-entry in breach of an entry ban. As discussed above, the wording of the provisions of the Returns Directive, supported by the underlying objective of the Directive repetitively stressed in the Court’s previous rulings, does not warrant finding such a distinction. The “distinction” argument had been advanced by the European Commission and intervening governments during the proceedings. They stressed that the circumstances in re-entry cases are distinct because penal sanctions could be imposed to dissuade migrants from breaching re-entry bans (AG’s Opinion, § 46). So the “distinction” argument – which was central to the Court’s conclusion – relies on states’ deterrence-oriented concerns rather than considerations based on the provisions and objective of the Returns Directive. The ruling in Celaj seems thus to compromise on the effectiveness of the Directive in order to accord discretion to states to apply their domestic criminal provisions to deter and punish migrants for breaching re-entry ban.

What is the nature of the entry ban whose breach states are now explicitly allowed to punish with criminal law imprisonment? As noted above, Article 3(6) of the Directive defines an entry ban as a prohibition of re-entry to the host state (or other Member States) for a specified period of time. In Article 11(1) the Directive obliges states to impose an entry ban on a non-EU citizen who has not been granted the possibility of voluntary departure or has not complied with a return decision. Since the Directive provides for broad circumstances for refusal of a voluntary departure period (Article 7(4); see discussion of the case law on this issue here) and does not explicitly prohibit states from issuing a return decision on non-refoulement and family or private life grounds (the Directive merely allows states grant a residence permit on humanitarian or other reasons, in Article 6(4)), in practice Article 11(1) may entail that entry bans are imposed in a systematic way. This risk is amplified by the same provision as it allows states to apply a ban on re-entry also in “other cases.”

In practice, as the Evaluation on the application of the Returns Directive, commissioned by the European Commission, shows, the legislation of almost 40 percent of the countries bound by the Directive provides for an automatic application of entry bans on all return decisions. A recent European Migration Network’s study Good Practices in the return and reintegration of irregular migrants demonstrates the scale of the use of entry bans. In 2013 more than 125,000 entry bans were imposed in the EU. Compared to the total number of return decisions that year (see Eurostat), these figures evince that the member states accompany a considerable proportion of return decisions with entry bans, including Greece (almost 100 %), Poland (80 %), or Sweden (70 %). It appears thus that entry bans are systematically applied in practice.

States are free not to impose or withdraw an entry ban for humanitarian or other reasons (article 11(3)). They are however not obligated to waive the entry ban requirement in such cases – it lies within their discretion. While the Directive clarifies that entry bans shall not prejudice the right to international protection (Article 11(5)), this assertion should be translated into a clear obligation on states not to impose the ban where the protection from non-refoulement could be impaired. The severity of this entry ban is further strengthened by its length. The Directive allows a five-year duration of an entry ban (article 11(2)). The above mentioned Commission study highlights that the majority of states issue entry bans for this maximum permitted period of time. In addition, states may apply a longer ban (the time period of which is not limited by the Directive), if they judge that the person concerned represents a serious threat to public policy or national security (Article 11(2)).

Thus, potentially the majority of non-EU citizens liable to return are prohibited for prolonged periods to re-enter the host state or even the whole EU, if the entry ban has been registered in the Schengen Information System (SIS). An entry ban is thus a harsh and coercive measure, which is a deterrent in itself and potentially conflicts with migrants’ fundamental rights. It cannot be ruled out that a non-EU citizen will be obliged to re-enter, where prompted by his family links, disrupted by deportation, or changes in the situation in his country of origin. While, as noted above, states may withdraw an entry ban, they are nevertheless not obliged to do so. Imposition of a criminal law prison sentence for breach of an entry ban, as permitted in Celaj, appears thus disproportionate and unnecessary. States may use other available methods to punish this breach, such as an extension of an existing ban. More generally, criminalization of breaches of (administrative) immigration law risks creating a conflation between (non-punitive) immigration law and criminal law, with negative consequences for migrants, and an undue overburden to the criminal justice system.

Barnard & Peers: chapter 26

Safe Harbor – No Future? How the General Data Protection Regulation and the rulings of the Court of Justice of the European Union (CJEU) will influence transatlantic data transfers

(ORIGINAL Posted on 1. Oktober 2015  in PETER SCHAAR. Der Blog. )

 by    (*)

Ladies and gentlemen,

One week ago, the Advocate General at the Court of Justice of the European Union (CJEU) issued his vote on the Safe Harbor case of Max Schrems vs. the Irish Data Protection Commissioner.

Since 1995 when the General European Directive on Data Protection came into force, data transfers from the European Union and its member states to non-EU countries have been subject to specific privacy and security restrictions. Such restrictions do not exist only in Europe.

For example in the US several legal acts and decisions of regulatory authorities constitute the obligation to store specific data in the own country, in particular data, which have been generated by public bodies and providers of critical infrastructures. The US Federal Trade Commission has stated that a company subject to privacy obligations under US law is not allowed to avoid such obligations by outsourcing their data processing activities to offshore service providers.

The key message of Art. 25 of the 1995 GD is that transfer of personal data to a third country may take place only if the recipient in question ensures an adequate level of data protection. The adequacy shall be assessed in the light of all the circumstances surrounding the data transfer operation.

The main road to adequacy are the so-called adequacy decisions of the European Commission, that the said country ensures an adequate level of data protection. These decisions are binding for the member states. They shall take the measures necessary to comply with the Commission’s decision.

One of the most discussed adequacy decisions concerns the United States – the decision on Safe Harbor, although the Commission was of the opinion, that the US in general failed to provide an adequate level of data protection for the private sector, because of the lack of any comprehensive data protection legislation.

The Safe Harbor principles, negotiated between the Commission and the US government in the late 1990s should bridge this obstacle. The SH arrangement has been aimed at guaranteeing the adequate level of protection required by EU law for those companies, committing themselves to comply with the SH principles.

From the beginning, since the Safe Harbor was agreed in the year 2000 there has been some criticism against it. The main critical argument was that the principles do not meet the high EU data protection standards defined by the General Directive.

A scientific implementation study on SH done 2004 on behalf of the Commission came to the result that „Key concepts such as ‚US organization‘, ’personal data’,’deceptive practices’ lack clarity. Moreover, the jurisdiction of the FTC with regard to certain types of data transfers is dubious.“

It also has been criticized, that companies which declare compliance with the principles at once may profit from the Safe Harbor privileges, even if their privacy practices were not yet subject to an independent audit.

These issues remain important until our days. But after the vote the Advocate General at the CJEU (GA) issued recently, the focus lays on another question: How far practices and powers of US authorities have been ignored in the adequacy assessments.

At the first glance, law enforcement authorities, police and intelligence do not fall within the scope of the Safe Harbor agreement and therefore they do not have to be subject to the assessment. But this first impression is wrong.

As Art. 25 of the GD is pointing out, the assessment is to be done in the light of „all circumstances“ surrounding a data transfer to the third country. Even activities of authorities in the third country have to be examined. It is unclear how far this happened during the Safe Harbor assessment in the late 1990s.

But even if such assessment once took place, the result may be invalid today, because things changed dramatically after 9/11 2001. As we have learnt from Edward Snowden and other whistleblowers, US government has obtained broad access to private companies’ databases, telecommunications and Internet services.

Many companies which have co-operated with the NSA – voluntarily or based on legal obligations – have been safe harborists and there is no doubt that NSA and other services have got access to big amounts of data stemming from Europe or related to EU citizens.

The PATRIOT ACT and secret Presidential Orders, issued after 9/11 provided intelligence and law enforcement agencies with a lot of new powers and simultaneously demolished many safeguards which have been introduced in the 1970s to protect civil rights and privacy.

For years it seemed that many of these changes were not on the screen of the European Commission and other European stakeholders. The implementation study on SH of 2004 came to the conclusion: „Since the new US legislation only rarely contradicts the SH principles for data covered by SH, these conflicts do not appear to undermine the level of protection for any significant flows of personal data to the United States. The controversial provisions of the USA PATRIOT Act are essentially irrelevant for SH data flows.“ (p. 101)

But 2013, after the the beginning of the Snowdon revelations, nobody can ignore any more, that the practices of NSA, CIA and FBI introduced after 9/11 have impact on the level of data protection in the United States: The legal provisions on Government access to personal information, especially the Foreign Intelligence Surveillance Act (FISA), do not meet the basic standards of the rule of law at least so far data of non-US-persons are concerned. The practices disclosed in the last two years and the commitments of US officials on mass surveillance provided the public with loads of evidence that the NSA and others are involved in bulk collection of personal data coming from Europe. Therefore it seems evident, that these practices have to be taken into account by the CJEU.

Another change happened in Europe: The Lisbon Treaty came into force in 2009, and at least since then privacy and data protection, including the independent oversight, have been fundamental rights of the European Union, as parts of the European primary law. European secondary law and European Commission’s decisions have to fulfill these requirements. Even older legislation, agreements with third countries as to PNR or TFTP and Commission’s decisions have to be reviewed in the light of Art. 7 and 8 of the EU Charter of Fundamental Rights.

Acknowledging this, the vote of Advocate General Bot (AG) in the case of Maximilian Schrems versus the Irish Data Protection Commissioner, issued last week, is not really surprising. The vote touches two big points:

Even if the Commission decides that the level of data protection in a country is adequate, this does not prevent national data protection authorities from suspending the transfer of the data, it they are of the opinion, that in the concrete case adequacy criteria are not met by the recipient. As we have learnt from the Snowden revelations, Facebook and other Internet companies cooperated closely with the NSA and provided them with broad access to personal data stored on their servers.
The AG is of the opinion that the Safe Harbor arrangement itself is invalid, because the US, especially the intelligence services, do not provide adequate protection for the personal data coming from Europe. Therefore he proposes to suspend the Safe Harbor.

Nobody knows how the European Court of Justice will decide the case. The ruling is expected on 6 October. Perhaps you know the sentence „How the judge decides depends what he ate for breakfast“. It is correct: The vote of the advocate general is only an opinion and it does not bind anybody.

But for me it seems likely that the judges will acknowledge the vote, at least in the result. In two earlier cases, the court decided last year, on data retention and on the right to be forgotten, the judges underlined the high importance of European fundamental rights on privacy and data protection. In these cases the court went beyond the Advocate general’s vote. In the Schrems’ case the AG adapted this recent orientation of the judges.

If the CJEU will decide as proposed by the AG, this does not mean automatically the end of Safe Harbor. But the Safe Harbor arrangement must be renegotiated and at the end there might be a better safe Harbor System, meeting the principles of fundamental rights and complying with the new EU Data Protection Regulation.

Art. 41 of the Commissions proposal contains criteria, conditions and procedures for adequacy assessments, more specific than the current Art. 25 of the GD from 1995: The criteria which shall be taken into account for the Commission’s assessment of an adequate or not adequate level of protection include expressly the rule of law, judicial redress and independent supervision. The new article confirms explicitly the possibility for the Commission to assess the level of protection afforded by a territory or a processing sector within a third country.

My conclusion for today: Safe Harbor will be possible even in the future. But such a „happy end“ requires changes in the SH arrangement. And it requires effective legal guarantees for EU citizens in the US.

Also necessary is a new thinking in Europe, in particular on the fields of law enforcement and intelligence. If we urge the US to respect our privacy, European secret services have to respect fundamental rights of all EU citizens and citizens of third countries as well.

(*) Keynote on the conference „New Directions in Cyber Security“  Berlin, 1 October 2015

(MEIJERS COMMITTEE) Military action against human smugglers: legal questions concerning the EUNAVFOR Med operation

ORIGINAL PUBLISHED HERE ON 23 September 2015

  1. The EUNAVFOR Med operation

On 22 June 2015, the Council of Ministers of the European Union adopted a Common Foreign Security Policy (CFSP) Decision establishing a military crisis management operation with the aim of combatting fighting people smuggling: EUNAVFOR Med.1 This mission is currently in its first phase, focusing on intelligence gathering, i.e. surveillance and the   assessment of existing smuggling networks.

A second phase would involve searching and possibly diverting vessels on the high seas and territorial waters, either under a mandate of the UN Security Council or with the consent of the appropriate coastal state. The Foreign Affairs Council has recently established that the conditions for the second phase have been met insofar as operations in international waters are concerned.2 During the third phase, vessels and related assets of human smugglers would be destroyed and smugglers apprehended.

The mission will operate in a complex legal environment of overlapping rules of refugee law, international human rights law, the law of the sea, and international rules on the use of force. This note discusses some of the most pressing legal questions raised by this operation.

  1. General remarks

At the outset, the Meijers Committee would like to raise a general point regarding the focus on people smuggling as a response to the loss of life at sea. In the absence of safe and legal access to the right to seek asylum in Europe, together with routes for legal migration, people will turn to human smugglers as a last resort. Increased border controls have resulted in higher casualties as people are forced to take more dangerous routes.

The Meijers Committee questions the appropriateness of the approach taken under EUNAVFOR Med to stop the loss of life at sea. The Committee would like to point to the shift from saving lives at sea under  the  Italian-led  Mare  Nostrum  Operation,  to  border management  (Triton),  to  military  action (EUNAVFOR Med). The Meijers Committee emphasizes that the legal obligation to save lives at sea should have primacy in all Union action at sea and that a long-term solution must also involve improving legal access to asylum and legal employment.

  1. Human smuggling as a threat to international peace and
    security

The Meijers Committee notes that the decision establishing the EUNAVFOR Med operation refers explicitly to the need for a UN Security Council Resolution or consent of the coastal states concerned before the second phase of the operation can enter into force.

In this respect the Meijers Committee notes a fundamental difference from the EUNAVFOR operation Atalanta against piracy off the Somalian coast, which was taken as a model for EUNAVFOR Med. The Atalanta operation was explicitly supported by a UN Security Council Resolution, and had the consent of the coastal state involved.3

Articles 39 and 42 UN Charter stipulate that the Security Council shall only authorize the use of force if ‘necessary to maintain or restore international peace and security’. The Meijers Committee is not convinced that the EUNAVFOR MED mission meets this standard. Although the humanitarian crisis may meet this standard, the activities of human smugglers – unlike piracy do not qualify. Although the Security Council has previously adopted resolutions in response to refugee crises in Iraq and Haiti, these were intended to stabilize the countries of origin and not to prevent persons from seeking refuge elsewhere.

  1. Phase 2: search and diversion of ships

The Second Phase of the operation would involve the search and diversion of ships in third-country territorial waters, which requires the consent of the flag state or a UN Security Council Resolution.

The Meijers Committee recalls that on the high seas, Article 87 UN Convention on the Law of the Sea (UNCLOS) ensures the right to freedom of navigation. Article 110 permits a warship to board and inspect a vessel if, inter alia, it has no nationality. As regards the vessel, a finding of statelessness should allow states to exercise jurisdiction in order to ensure compliance with the ‘minimum public order on the high seas’, namely, the duties that normally fall on the flag state (Art. 94 UNCLOS).4 This could include a state’s power to escort the vessel into harbor for inspection. As regards the people on board, UNCLOS does not seem to provide a basis for the exercise of jurisdiction.

Although Article 110(1) UNCLOS expressly allows that grounds of interference may be established by Treaty, the UN Smuggling Protocol seems to impose a duty of cooperation only on the contracting parties, while maintaining the requirement of flag state authorization. Article 8(7) of the Smuggling Protocol provides a firmer legal basis for interference with stateless vessels than Article 110 UNCLOS. The wording ‘suppressing the use of the vessel’ or ‘take appropriate measures’ implies the possible use of force. Nevertheless, such force should be used as a means of last resort and will be subject to the requirement of necessity and proportionality. It is noted, however, that the Migrant Smuggling Protocol lacks the precision of, for instance, the UN drug trafficking regime, which explicitly sets out the measures that an intercepting power may take against a drug transport.5 Accordingly, no clear legal basis for action is provided in international law.

Diversions on the high seas may not result in the refoulement of people on board. It is important to stress that States cannot relieve themselves of this obligation by labelling an operation as ‘search and rescue’. The IMO Guidelines on the treatment of persons rescued at sea state that ‘[disembarkation of asylum-seekers and refugees recovered at sea, in territories where their lives and freedom would be threatened should be avoided.’ This approach has been confirmed by the European Court of Human Rights in the Hirsi case.6 Member States remain bound by their obligations under international human rights law, independently of the nature and location of their intervention. In this regard it is particularly problematic that Libya one of the most important coastal states whose cooperation is sought is currently a notoriously dangerous and unstable country.

It is unclear how the EU intends to give practical effect to these obligations in the course of the EUNAVFOR Med mission. The Meijers Committee would recommend that clear guidelines be put in place, comparable to the rules applicable in the framework of Frontex coordinated operations at sea.7

  1. Phase 3: destruction of vessels and apprehension of smugglers

The Third Phase of the Operation would entail the destruction of vessels and related assets, and the apprehension of smugglers. The Meijers Committee argues that clear, binding, publicly available rules should be adopted prior to the commencement of Phase 3.

As regards the smugglers it must be noted that unlike piracy and international crimes, international law does not establish universal criminal jurisdiction over human smuggling. As with diversions, the interference with vessels believed to be engaged in human smuggling requires the consent of the flag state (or a UN SC Resolution). In case the ship is sailing without a flag, Article 8 of the Protocol allows a party to take ‘appropriate measures in accordance with relevant domestic and international law’. The extent to which this includes the exercise of criminal jurisdiction over human smugglers is not clear, however.

The Council decision establishing EUNAVFOR Med is silent about the possible detention and prosecution of smugglers. The Meijers Committee points out that even though EUNAVFOR Med is executed by military forces, the EU is not acting as party to an armed conflict and thus normal peace­time law applies. This means that after arrest, those suspected of migrant smuggling should be brought promptly before a judge8. In the case of subsequent criminal prosecution, jurisdiction should be established in one of the Member States. In this respect it is noted that not all Member States have established universal jurisdiction over human smuggling. If smugglers are to be extradited or released to third countries, their fundamental rights should be guaranteed.

The Meijers Committee notes that EUNAVFOR Med is aimed at the destruction of vessels used or suspected of being used for migrant smuggling, possibly even inside third-country territory, yet it remains unclear what legal standard is applied to identify such vessels. The Meijers Committee cautions that the destruction of vessels cannot be arbitrary. Unlike UNCLOS, which provides for clear rules on the seizure and liability for seizure of pirate ships, there is no explicit legal basis in international law for the seizure of migrant smuggling boats. The right to property as enshrined in Article 1 of Protocol 1 ECHR, which will apply to the Member States acting extra-territorially, prescribes that any destruction of property must be provided for by law and must be necessary and proportionate.

  1. Unclear division of responsibility between the EU and its
    Member States

The Meijers Committee recalls that Article 21 TEU requires CFSP actions to be based on human rights. This includes respect for human dignity, including the prohibition of torture and inhuman treatment; personal security and liberty; and protection from arbitrary detention and arrest.9 It also notes, however, that the Court of Justice of the EU has no authority to ensure this respect for fundamental rights as it lack jurisdiction over the CFSP.10 This means that legal remedies would have to be provided under the national law of the participating Member States.

The experience with joint operations under the coordination of Frontex shows that in case of violations of fundamental rights, it is unclear to whom wrongful conduct must be attributed. Although the operation is coordinated by the EU, it is the Member States that provide the assets and personnel, over which they maintain operational command.

Case law issuing from the European Court of Human Rights on the obligations of the Member States as contracting parties to the European Convention on Human Rights clearly indicates with regard to the Member States that they cannot escape their responsibilities under the Convention by acting outside the Convention’s territorial scope. The situation is more complicated, however, when Member States act as agents for the European Union (Bosphorus) or within the context of UN Peace Keeping Operations (Al Jeddah, Behrami, and Saramati). The Meijers Committee therefore stresses that it is fundamentally important that questions of international responsibility and responsibility under the European Convention for Human Rights are addressed prior to commencement of Phases 2 and 3.

Conclusions and recommendations

I. There are no indications that combating migrant smuggling contributes to the restoration of international peace and security or to ending the ongoing humanitarian crises;

II.      Without express consent from third states or authorization from the UN Security Council, the EU lacks jurisdiction over   vessels or assets in third-country territorial waters;
III.      Without express consent from third-country coastal states or   authorization from the UN Security Council, there is no clear legal basis for coercive measures against vessels or assets on the high seas;
IV Despite the unclear legal framework covering interdiction on the high seas, international human rights law does apply;
V.      Should a legal basis for action on the high seas and in territorial waters be provided, clear rules of engagement and proper safeguards should be in place to prevent indiscriminate destruction of civilian property; any undue loss should be compensated;
VI.      An unambiguous legal basis for the arrest and detention of suspected smugglers is needed, and also for the seizure and destruction of any personal property. Suspects should either be prosecuted, extradited or released, the last action having due regard to the right to asylum and the prohibition of refoulement;
VII.      Clear attribution rules and accountability mechanisms for human rights violations committed by EUNAVFOR assets should be in place;
VIII.      The right to apply for asylum, access to asylum procedures on land with proper language and legal assistance, and the prohibition of refoulement should be respected and subject to judicial oversight;
IX.       Outsourcing migration control to third countries, even though outside Member State jurisdiction, should take place with assurances and safeguards against human rights violations.

Notes

1 Council Decision (CFSP) 2015/972 of 22 June 2015 launching the European Union military operation in the southern Central Mediterranean (EUNAVFOR MED), OJ 2015, L157/51.

2 Council of the European Union, “EUNAVFOR Med: Council adopts a positive assessment on the conditions to move to the first step of phase 2 on the high seas”, Press Release, 14 September 2015, no. 643/15.
3 http://www.un.org/Depts/los/piracy/piracy_documents.htm
4 E. Papastavridis, ‘Enforcement Jurisdictions in the Mediterranean Sea: Illicit Activities and the Rule of Law on the High Seas’, International Journal of Marine and Coastal Law, Vol. 25, 2010, p. 585.
5 See Council of Europe Agreement on Illicit Traffic by Sea, implementing article 17 of the United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances.
6 ECHR, Hirsi Jamaa and others v. Italy, Grand Chamber, Judgment, 23 February 2012, Application no. 27765/09.
7 Regulation (EU) No 656/2014 of the European Parliament and of the Council of 15 May 2014 establishing rules for the surveillance of the external sea borders in the context of operational cooperation coordinated by the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union, L 189, 27 June 2014.
8 ECHR, Medvedyev v France, 9 March 2010, appl. no. 3394/03.
9 The promotion and protection of human rights during common security and defence policy operations. In-between a spreading state of mind and an unsolved concern. M L Sánchez Barrueco, in The EU as a ”Global Player” in human rights?, J E Wetzel (edit.), 2011, pp. 158-160.
10 See also Case T-271/10, under appeal C-455/14 P.

About : The Meijers Committee is an independent group of legal scholars, judges and lawyers that advises on European and International Migration, Refugee, Criminal, Privacy, Anti-discrimination and Institutional Law. The Committee aims to promote the protection of fundamental rights, access to judicial remedies and democratic decision-making in EU legislation.

The Meijers Committee is funded by the Dutch Bar Association (NOvA), Foundation for Democracy and Media (Stichting Democratie en Media) the Dutch Refugee Council (VWN), Foundation for Migration Law Netherlands (Stichting Migratierecht Nederland), the Dutch Section of the International Commission of Jurists (NJCM), Art. 1 Anti-Discrimination Office, and the Dutch Foundation for Refugee Students UAF.

Contact info: Louis Middelkoop Executive secretary post@commissie-meijers.nl +31(0)20 362 0505

Please visit www.commissie-meijers.nl

AMERICAN MASS SURVEILLANCE OF EU CITIZENS: IS THE END NIGH?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS  (Wednesday, 23 September 2015)

by Steve PEERS

*This blog post is dedicated to the memory of the great privacy campaigner Caspar Bowden, who passed away recently. What a tragedy he did not leave to see the developments in this case. To continue his work, you can donate to the Caspar Bowden Legacy Fund here.

 

A brilliant university student takes on the hidebound establishment – and ultimately wins spectacularly. That was Mark Zuckerberg, founding Facebook, in 2002. But it could be Max Schrems, taking on Zuckerberg and Facebook, in the near future – if the Court of Justice decides to follow the Advocate-General’s opinion in the Schrems case, released today.

In fact, Facebook is only a conduit in this case: Schrems’ real targets are the US government (for requiring Facebook and other Internet companies to hand over personal data to intelligence agencies), as well as the EU Commission and the Irish data protection authority for going along with this. In the Advocate-General’s opinion, the Commission’s decision to allow EU citizens’ data to be subject to mass surveillance in the US is invalid, and the national data protection authorities in the EU must investigate these flows of data and prohibit them if necessary. The case has the potential to change much of the way that American Internet giants operate, and to complicate relations between the US and the EU in this field.

Background

There’s more about the background to this litigation here, and Simon McGarr has summarised the CJEU hearing in this case here. But I’ll summarise the basics of the case again here briefly.

Max Schrems is an Austrian Facebook user who was disturbed by Edward Snowden’s revelations about mass surveillance by US intelligence agencies. Since such mass surveillance is put into effect by imposing obligations to cooperate upon Internet companies, he wanted to complain about Facebook’s transfers of his personal data to the USA. Since Facebook’s European operations are registered in Ireland, he had to bring his complaints to the Irish data protection authority.

The legal regime applicable to such transfers of personal data is the ‘Safe Harbour’ agreement between the EU and the USA, agreed in 2000 – before the creation of Facebook and some other modern Internet giants, and indeed before the 9/11 terrorist attacks which prompted the mass surveillance. This agreement was put into effect in the EU by a decision of the Commission, which used the power conferred by the EU’s current data protection Directive to declare that transfers of personal data to the USA received an ‘adequate level of protection’ there.

The primary means of enforcing the arrangement was self-certification of the companies concerned (not all transfers to the USA fall within the scope of the Safe Harbour decision), enforced by the US authorities.  But it was also possible (not mandatory) for the national data protection authorities which enforce EU data protection law to suspend transfers of personal data, if the US authorities or enforcement system have found a breach of the rules, or on the following further list of limited grounds set out in the decision:

there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.

In fact, Irish law prevents the national authorities from taking up this option. So the national data protection authority effectively refused to consider Schrems’ complaint. He challenged that decision before the Irish High Court, which doubted that this system was compatible with EU law (or indeed the Irish constitution). So that court asked the CJEU to rule on whether national data protection authorities (DPAs) should have the power to prevent data transfers in cases like these.

The Opinion

The Advocate-General first of all answers the question which the Irish court asks, and then goes on to examine whether the Safe Harbour decision is in fact valid. I’ll address those two issues in turn.

In the Advocate-General’s view, national data protection authorities have to be able to consider claims that flows of personal data to third countries are not compatible with EU data protection laws, even if the Commission has adopted a decision declaring that they are. This stems from the powers and independence of those authorities, read in light of the EU Charter of Fundamental Rights, which expressly refers to DPAs’ role and independence. (On the recent CJEU case law on DPA independence, see discussion here). It’s worth noting that the new EU data protection law under negotiation, the data protection Regulation, will likely confirm and even enhance the powers and independence of DPAs. (More on that aspect of the proposed Regulation here).

On the second point, the opinion assesses whether the Safe Harbour Decision correctly decided that there was an ‘adequate level of protection’ for personal data in the USA. Crucially, it argues that this assessment is dynamic: it must take account of the protection of personal data now, not just when the Decision was adopted back in 2000.

As for the meaning of an ‘adequate level of protection’, the opinion argues that this means that third countries must ensure standards ‘essentially equivalent to that afforded by the Directive, even though the manner in which that protection is implemented may differ from that’ within the EU, due to the importance of protecting human rights within the EU. The assessment of third-country standards must examine both the content of those standards and their enforcement, which entailed ‘adequate guarantees and a sufficient control mechanism’, so there was no ‘lower level of protection than processing within the European Union’. Within the EU, the essential method of guaranteeing data protection rights was independent DPAs.

Applying these principles, the opinion accepts that personal data transferred to the USA by Facebook is subject to ‘mass and indiscriminate surveillance and interception’ by intelligence agencies, and that EU citizens have ‘no effective right to be heard’ in such cases. These findings necessarily mean that the Safe Harbour decision was invalid for breach of the Charter and the data protection Directive.

More particularly, the derogation for the national security rules of US law set out in the Safe Harbour principles was too general, and so the implementation of this derogation was ‘not limited to what is strictly necessary’. EU citizens had no remedy against breaches of the ‘purpose limitation’ principle in the US either, and there should be an ‘independent control mechanism suitable for preventing the breaches of the right to privacy’.

The opinion then assesses the dispute from the perspective of the EU Charter of Rights. It first concludes that the transfer of the personal data in question constitutes interference with the right to private life. As in last year’s Digital Rights Ireland judgment (discussed here), on the validity of the EU’s data retention directive, the interference with rights was ‘particularly serious, given the large numbers of users concerned and the quantities of data transferred’. In fact, due to the secret nature of access to the data, the interference was ‘extremely serious’. The Advocate-General was also concerned about the lack of information about the surveillance for EU citizens, and the lack of an effective remedy, which breaches Article 47 of the Charter.

However, interference with these fundamental rights can be justified according to Article 52(1) of the Charter, as long as the interference is ‘provided for by law’, ‘respect[s] the essence’ of the right, satisfies the ‘principle of proportionality’ and is ‘necessary’ to ‘genuinely meet objectives of general interest recognized by’ the EU ‘or the need to protect the rights and freedoms of others’.

In the Advocate-General’s view, the US law does not respect the ‘essence’ of the Charter rights, since it extends to the content of the communications. (In contrast, the data collected pursuant to the data retention Directive which the CJEU struck down last year concerned only information on the use of phones and the Internet, not the content of phone calls and Facebook posts et al). On the same basis, he objected to the ‘broad wording’ of the relevant derogations on national security grounds, which did not clearly define the ‘legitimate interests’ at stake. Therefore, the derogation did not comply with the Charter, ‘since it does not pursue an objective of general interest defined with sufficient precision’. Moreover, it was too easy under the rules to escape the limitation that the derogation should only apply when ‘strictly necessary’.

Only the ‘national security’ exception was sufficiently precise to be regarded as an objective of general interest under the Charter, but it is still necessary to examine the ‘proportionality’ of the interference. This was a case (like Digital Rights Ireland) where the EU legislature’s discretion was limited, due to the importance of the rights concerned and the extent of interference with them. The opinion then focusses on whether the transfer of data is ‘strictly necessary’, and concludes that it is not: the US agencies have access to the personal data of ‘all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security’.

Crucially, the opinion concludes that ‘[s]uch mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference’ with Charter rights. The Advocate-General agreed that since the EU and the Member States cannot adopt legislation allowing for mass surveillance, non-EU countries ‘cannot in any circumstances’ be considered to ensure an ‘adequate level of protection’ of personal data if they permit it either.

Furthermore, there were not sufficient guarantees for protection of the data. Following the Digital Rights Ireland judgment, which stressed the crucial importance of such guarantees, the US system was not sufficient. The Federal Trade Commission could not examine breach of data protection laws for non-commercial purposes by government security agencies, and nor could specialist dispute resolution bodies. In general, the US lacks an independent supervisory authority, which is essential from the EU’s perspective, and the Safe Harbour decision was deficient for not requiring one to be set up. A third country cannot be considered to have ‘an adequate level of protection’ without it. Furthermore, only US citizens and residents had access to the judicial system for challenging US surveillance, and EU citizens cannot obtain remedies for access to or correction of data (among other things).

So the Commission should have suspended the Safe Harbour decision. Its own reports suggested that the national security derogation was being breached, without sufficient safeguards for EU citizens. While the Commission is negotiating revisions to that agreement with the USA, that is not sufficient: it must be possible for the national supervisory authority to stop data transfers in the meantime.

Comments

The Advocate-General’s analysis of the first point (the requirement that DPAs must be able to stop data flows if there is a breach of EU data protection laws) is self-evidently correct. In the absence of a mechanism to hear complaints on this issue and to provide for an effective remedy, the standards set out in the Directive could too easily be breached. Having insisted that the DPAs must be fiercely independent of national governments, the CJEU should not now accept that they can be turned into the tame poodles of the Commission.

On the other hand, his analysis of the second point (the validity of the Safe Harbour Decision) is more problematic – although he clearly arrives at the correct conclusion. With respect, there are several flaws in his reasoning. Although EU law requires strong and independent DPAs within the EU to ensure data protection rights, there is more than one way to skin this particular cat. The data protection Directive notably does not expressly require that third countries have independent DPAs. While effective remedies are of course essential to ensure that data protection law (likely any other law) is actually enforced in practice, those remedies do not necessarily have to entail an independent DPA. They could also be ensured by an independent judiciary. After all, Americans are a litigious bunch; Europeans could join them in the courts. But having said that, it is clear that in national security cases like this one, EU citizens have neither an administrative nor a judicial remedy worth the name in the USA. So the right to an effective remedy in the Charter has been breached; and it is self-evident that processing information from Facebook interferes with privacy rights.

Is that limitation of rights justified, however? Here the Advocate-General has muddled up several different aspects of the limitation rules. For one thing, the precision of the law limiting rights and the public interest which it seeks to protect are too separate things. In other words, the public interest does not have to be defined precisely; but the law which limits rights in order to protect the public interest has to be. So the opinion is right to say that national security is a public interest which can justify limitation of rights in principle, but it fails to undertake an examination of the precision of the rules limiting those rights. As such, it omits to examine some key questions: should the precision of the law limiting rights be assessed as regards the EU law, the US law, or both?  Should the US law be held to the same standards of clarity, foreseeability and accessibility as European states’ laws must be, according to the ECHR jurisprudence?

Next, it’s quite unconvincing to say that processing the content of communications interferes with the ‘essence’ of the privacy and data protection rights. The ECHR case law and the EU’s e-privacy directive expressly allow for interception of the content of communications in specific cases, subject to strict safeguards. So it’s those two aspects of the US law which are problematic: its nature as mass surveillance, plus the inadequate safeguards.

On these vital points, the analysis in the opinion is correct. The CJEU’s ruling inDigital Rights Ireland suggests, in my view, that mass surveillance is inherently a problem, regardless of the safeguards in place to limit its abuse. This is manifestly the Advocate-General’s approach in this case; and the USA obviously has in place mass surveillance well in excess of the EU’s data retention law. The opinion is also right to argue that EU rules banning mass surveillance apply to the Member States too, as I discuss here. But even if this interpretation is incorrect, and mass surveillance is only a problem if there are weak safeguards, then the Safe Harbour decision still violates the Charter, due to the lack of accessible safeguards for EU citizens as discussed above. Hopefully, the Court of Justice will confirm whether mass surveillance is intrinsically problematic or not: it is a key issue for Member States retaining data by way of derogation from the e-privacy Directive, for the validity of EU treaties (and EU legislation) on specific issues such as retaining passenger data (see discussion here of a pending case), and for the renegotiation of the Safe Harbour agreement itself.

This brings us neatly to the consequences of the CJEU’s forthcoming judgment (if it follows the opinion) for EU/US relations. Since the opinion is based in large part upon the EU Charter of Rights, which is primary EU law, it can’t be circumvented simply by amending the data protection Directive (on the proposed new rules on external transfers under the planned Regulation, see discussion here). Instead, the USA must, at the very least, ensure that adequate remedies for EU citizens and residents are in place in national security cases, and that either a judicial or administrative system is in place to enforce in practice all rights which are supposed to be guaranteed by the Safe Harbour certification. Facebook and others might consider moving the data processing of EU residents to the EU, but it’s hard to see how this could work for any EU resident with (for instance) Facebook friends living in the USA. Surely in such cases processing of the EU data in the USA is unavoidable.

Moreover, arguably it would not be sufficient for the forthcoming EU/US trade and investment agreement (known as ‘TTIP’) to provide for a qualified exemption for EU data protection law, along the lines of the WTO’s GATS. Only a complete immunity of EU data protection law from the TTIP – and any other EU trade and investment agreements – would be compatible with the Charter. Otherwise, companies like Facebook and Google might try to invoke the controversial investor dispute settlement system (ISDS) every time a judgment like Google Spain or (possibly) Schrems cost them money.

Schrems Versus Facebook: is the end of Safe Harbor approaching ?

by Emilio De Capitani

Today Advocate General Yves Bot has presented his long-awaited conclusions on the Case C‑362/14 Maximillian Schrems v Data Protection Commissioner. This case better described by the press as the “Schrems v Facebook” Case (why not “David V Goliath” ?)  put in question the so called Safe harbor “agreement” which frame the conditions under which personal data of the people under the EU jurisdiction can be transferred or treated by servers of US Companies (such as Facebook, Google, E-Bay) on the US territory.
As the protection of personal data is a fundamental right under EU law (notably after the entry into force of the art.8 of the EU Charter)  art. 25 of Directive 95/46 foresees that the transfer of these data to a third country is legitimate only if the data are “adequately” protected.
The problem is that in the US there is no comprehensive legal protection framework comparable to the one existing in the EU so that in 2000 the Commission negotiated with the US the establishment of a specific voluntary regime (the “Safe Harbor Principles”) which could had been considered granting an “adequate” protection of personal data  having regard to the standard applicable in Europe.

At the time the European Parliament voted against this regime but was unable to obtain stronger safeguards because of the unwillingness of the US authorities and moreover by the Commission which was more interested to the transfer of data than of their protection.

Since then the transatlantic flow of data has grown every day and with them the economic benefices of the US Companies without any real re-assesment of the compliance of the Safe Harbor principles on the US side (by the Federal Trade Commission) or on the EU side (by the Commission) even after the entry into force of the Lisbon Treaty which changed the legal basis of EU policies linked with the protection of personal data.

However when the Snowden revelations made clear to everybody that all these EU personal data could be massively analyzed without judicial overview by the US Intelligence Services someone in the EU  woke up.

Between the EU Institutions the European Parliament asked the suspension of the Safe Harbor agreement but its initiative was not followed by the Commission (as unfortunately happens more and more frequently); but it is thanks to the obstinacy of Maximilian Schrems, an Austrian law student that the case was finally been brought, first before to the Irish Data Protection Commissioner, then before the Irish High Court and now before the Court of Justice.

This case is extremely interesting  not only because it confirms that in a democracy someone has to …watch the watchers be they at national or European level (notably if they are sleeping or hiding behind each other…) but also because it shows that also an “ordinary” Citizen can dare to do in name of the EU law and of his rights what the EU Institutions are less and less willing to do.

Enjoy now the reading the instructive and very detailed Yves BOT arguments drawing him to declare that the Commission initial “adequacy finding” was not adequate at all (as also the EP wrote in its 2000 resolution) and that National Authorities should fully play their role and not hiding behind the Commission “Adequacy decisions”.

Such a strong reasoning if endorsed by the Luxembourg Judges should inspire

  • a re-assessment of other EU-US ‘executive’ agreements dealing with data protection (the draft “Umbrella agreement” included)
  • a revision of the Data Protection package at least as far as the regime of Commission “adequacy finding” is concerned (which due to its large marge of discretion could no more be considered a simple “implementing measure” but at least a “delegated” power …) and a stronger role of the Data Protection Board which should have a direct jurisdiction at least for Data controller “over the top” such as Facebook, Google, E-Bay and so on…

It is only unfortunate that the European Parliament which on these issues was on the right side between 1999 and 2004 is now slowly sliding away notwithstanding a much stronger constitutional framework and a binding Charter …

Anyway many thanks Max!! Hope that 10, 100, 1000 of European citizens could follow your example…

 

CONTINUE READING : OPINION OF ADVOCATE GENERAL BOT 

delivered on 23 September 2015 (1Case C‑362/14 Maximillian Schrems Data Protection Commissioner

Continue reading “Schrems Versus Facebook: is the end of Safe Harbor approaching ?”