Worth reading : the final report by the EU High Level Expert Group on Information Systems and Interoperability (HLEG),

NB: The full version (PDF)  of the Report is accessible HERE

On May 8th the (EU) High Level Expert Group on Information Systems and Interoperability (HLEG) which was set up in June 2016 following the Commission Communication on “Stronger and Smarter Information Systems for Borders and Security ” has published its long awaited 56 long pages Report on Information Systems and Interoperability.

Members of the HLEG were the EU Members States (+ Norway, Switzerland and Liechtenstein), the EU Agencies (Fundamental Rights Agency, FRONTEX, European Asylum Support Office, Europol and the EU-LISA “Large Information Support Agency”) as well as the representatives of the Commission and the European Data Protection Supervisor (EDPS) and the Anti-Terrorism Coordinator (an High Council General Secretariat Official designated by the European Council).

Three Statements, respectively of the EU Fundamental Rights Agency, of the European Data Protection Supervisor and of the EU Counter-Terrorism Coordinator (CTC),  are attached. The first two can be considered as a sort of partially dissenting Opinions while the CTC  statement is quite obviously in full support of the recommendations set out by the report as it embodies for the first time at EU level the “Availability Principle” which was set up already in 2004 by the European Council. According to that principle if a Member State (or the EU) has a security related information which can be useful to another Member State it has to make it available to the authority of another Member State. It looks as a common sense principle which goes hand in hand with the principle of sincere cooperation between EU Member States and between them and the EU Institutions.

The little detail is that when information is collected for security purposes national and European legislation set very strict criteria to avoid the possible abuses by public EU and National Law enforcement authorities. This is the core of Data Protection legislation and of the art. 6, 7 and 8 of the EU Charter of Fundamental Rights which prevent the EU and its Member States from becoming a sort of Big Brother “State of surveillance”. Moreover, at least until now these principles have guided the post-Lisbon European Court of Justice jurisprudence in this domain and it is quite appalling that no reference is made in this report to the Luxembourg Court Rulings notably dealing with “profiling” and “data retention”(“Digital Rights”, “Schrems”, “TELE 2-Watson”…).

Needless to say to implement all the HLWG recommendations several legislative measures will be needed as well as the definition of a legally EU Security Strategy which should be adopted under the responsibility of the EU co-legislators. Without a strong legally founded EU security strategy not only the European Parliament will continue to be out of the game but also the control of the Court of Justice on the necessity and  proportionality of the existing and planned EU legislative measures will be weakened.  Overall this HLWG report is mainly focused on security related objectives and the references to fundamental rights and data protection are given more as “excusatio non petita” than as a clearly explained reasoning (see the Fundamental Rights Agency Statement). On the Content of the  perceived “threats” to be countered with this new approach it has to be seen if some of them (such as the mixing irregular migration with terrorism)  are not imaginary and, by the countrary, real ones are not taken in account.

At least this report is now public. It will be naive to consider it as purely “technical” : it is highly political and will justify several EU legislative measures. It will be worthless for the European Parliament to wake up when the formal legislative proposals will be submitted. If it has an alternative vision it has to show it NOW and not waiting when the Report will be quite likely “endorsed” by the Council and the European Council.

Emilio De Capitani

TEXT OF THE REPORT (NB  Figures have not been currently imported, sorry.)

——- Continue reading

Legislative Tracker : the European Travel Information and Authorisation System (ETIAS)

by Beatrice FRAGASSO (Free-Group Trainee)

The European Commission, on 16 November 2016, has put forward a proposal (COM(2016) 731, 16.11.2016, 2016/0357(COD)) establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulation (EU) (EU) 2016/399 (the ‘Schengen Borders Code’), (EU) 2016/794 and (EU) 2016/1624.

This proposal is being negotiated as part of the Smart Border Package and aims to ensure a high level of internal security and free movement of persons in the Schengen area. The Commission didn’t conduct an impact assessment but published a feasibility study on ETIAS, conducted between June and October 2016.

The system designed by the proposal would require also visa-exempt travellers to undergo a risk assessment with respect to security, irregular migration and public health risks prior to their arrival at the Schengen borders. This assessment would be carried out by means of cross- checking applicant’s data submitted through ETIAS system against other EU information systems, a dedicated ETIAS watch list and screening rules. This process will result in granting or denying an automated authorization for entering the EU.

Further information from the European Parliament Research Service are available HERE

The current situation
Currently, both visa-obliged and visa-exempt travelers are subject to border controls when entering the Schengen area. According to Regulation (EU) 2016/399, both categories of travelers need to comply with the conditions for short-term stay, which include not being a threat to public order and security, holding valid travel documents, justifying the purpose and conditions of the intended stay, not being the subject of any alert in the SIS for the purpose of refusing entry, and having sufficient means of subsistence.

For visa holders the compliance with this conditions is assessed at the time on the request for a visa  and relevant data are stored in visa information system (VIS) which can be consulted by law enforcement authorities for the purposes of combatting serious crime and terrorism.

However, no such advance information can be currently obtained for visa-exempt nationals arriving at the Schengen external borders. This means that border guards need to decide on allowing or refusing access to the Schengen area without prior knowledge regarding any security, migration or public-health risks associated with visa exempt travelers.

This is particularly true for visa-exempt travelers arriving by land, as the only source of information about them is their travel document presented at the time of crossing the EU external border.

The situation is different for passengers arriving by air as Council Directive 2004/82/EC obliges carriers to communicate all passenger data, known as ‘advance passenger information’ (API), including name, date of birth, passport number and nationality at the time of the check-in for inbound flights to the EU. Another Directive (EU) 2016/681 on the use of passenger name record data (the ‘PNR Directive’) collect 19 types of personal data already at the time of the flight reservation and obliges airlines to hand over to EU MS authorities their passengers’ data linked with the travel reservation (which includes travel dates, travel itinerary, ticket information, frequent flyer data,  contact details, baggage information, credit card and general remarks stored in the Airline files).

For visa-exempt passengers arriving on foot or by car, bus or train, no such comparable advance information is available prior to their arrival.

The changes the proposal would bring

Schengen Border Checks
Prior to arriving in the Schengen area, all carriers will verify if visa-exempt third-country nationals have a valid ETIAS travel authorization, without which boarding will not be authorized. A valid ETIAS travel authorization, should be obtained in advance of arrival at a Schengen border crossing point, and this will be a precondition for entering the Schengen area. However, border guards at the external Schengen borders will still take the final decision to grant or refuse entry according to the Schengen Borders Code.

Online application
As it is currently the case for visa-exempt travelers to Canada “ETA”,  USA “ESTA”  and Australia “ETA” who have to ask for a travel authorization also travelers wanting enter the Schengen area will have to fill in an online application by providing their biographical and passport data, contact details, information on intended travel, and answers to background questions relating to public health risks, criminal records, presence in war zones and previous refusals of entry or an order to leave the territory of a Member State.

At the same time, an application fee of €5, which will go to the EU budget, will be mandatory for all applicants above the age of 18 before their application can be processed.

Processing of applications
The automated processing will be carried out by the central system, which will be in charge of checking data provided by applicants against security databases, such as the VIS, Europol data, the SIS, Eurodac, the  Interpol SLTD database , the European Criminal Records Information System (ECRIS) and the planned future EU “Entry-Exit” system (currently negotiated between the EP and the Council). Personal Data will also be screened against a ETIAS “watch list” (where people suspected to have committed, or be likely to commit a criminal offence will be listed by the EU MS) and against specific risk indicators (irregular migration, security or public- health risks) which will be defined in consultation with an ETIAS screening board.

In the case of a positive hit after the automatic processing, that personal application will be further assessed manually by operators in the ETIAS central unit and in the national units.
In case no risks has been detected a positive response, in a form of a travel authorisation valid for five years (or until the expiry of the passport) will be delivered. In the case of a refusal, a justification will be given and applicants will have the right to appeal.

Authorisation will be revoked or annulled when the conditions for its issuance are no longer met, particularly when it is believed that it was fraudulently obtained or when a new alert for refusal of entry is created in the SIS.

Etias structure
ETIAS will consist of an information system, a central unit and national units.

The information system will be designed for processing applications and will be interoperable with other security databases that ETIAS will be connected. The new system will be managed by the European Agency for the operational management of large-scale information systems in the area of freedom, security and justice (eu-LISA).

The central unit will be part of Frontex (the European Border and Coast Guard Agency) and will ensure that the data stored in the application files and the data recorded in ETIAS are correct and up to date. Where necessary, it will also verify travel authorisation applications whenever there are doubts regarding the identity of an applicant in cases where the latter’s data produced a match (a ‘hit’) against the stored data during automated processing.
The national units will be responsible for making the risk assessment and deciding on travel authorisation for applications rejected by the automated application process. They will also issue opinions when consulted by other national units, and act as a national access point for requests for access to the ETIAS data for law enforcement purposes related to terrorist and other serious criminal offences.

The role of Europol
Europol will be involved in ETIAS in several ways.
Firstly, Europol’s data related to criminal offences, convictions or potential threats will be compared to those provided by applicants for an ETIAS authorization.
Secondly, Europol will help define ETIAS screening rules by participating in the ETIAS screening board and managing the ETIAS watch list.
Thirdly, Europol will be consulted by the ETIAS national units in case of a match with Europol data during the ETIAS automated processing.
And finally, Europol will be able to consult personal data in the ETIAS central system for the prevention, detection or investigation of terrorist offences or other serious criminal offences (as provided by its mandate).

The Council’s position
In a  document om March 17, 2017 authored  by the Maltese Presidency of the Council of the EU and covering also the other legislative pending measures connected to ETIAS, a number of compromises are suggested: The Presidency identified other key issues that needed to be clarified and decided upon before revised text proposals could be submitted to delegations. The Presidency therefore prepared a discussion paper on which delegations were invited to comment. The issues outlined by the Presidency related to the division of competences between Frontex and the Member States, the definition of ‘responsible Member State’ as regards the decision to grant a travel authorisation, and the duration of a travel authorization […] With respect to the definition of the ‘responsible Member State’, delegations were divided into two groups, one in favour of the Member State of first entry, as proposed by the Commission, while the other stressed the key role played by the Member State at the origin of an alert triggering a “hit”. The following issues are the “object of extensive debates”:

“– the scope of the regulation;
– the ETIAS watchlist and the screening rules;
– the access to the ETIAS data;
– the interoperability of ETIAS with other systems and databases.”

More recently the Council Presidency has also submitted some possible compromise proposals to the other delegations (docs 8579/17 and 8584/17) and it is more than likely that the EP will be under pressure to launch the negotiations for a first reading agreement on this subject.

The European Parliament position (Libe Committee Debate)
On the EP side works are still at an initial phase (SEE OEIL DOSSIER HERE). The LIBE Committee has been informed for the first time by a Commission representative (Belinda Pyke) on 22 March 2017. It has been stressed that the purpose of the proposal is to improve internal security and border management and that policy visa liberalization is essential in the system. This proposal will contribute to the security of the Schengen area because as any risks will be identified prior to departure. Due to the political pressure of the European Council and the  very tight deadlines the Commission did not have the time to conduct an impact assessment although it would have been desirable; however, the Commission published a detailed study on the subject. The Commission representative made reference to the comparable systems in  Australia, Canada and USA and declared that the ETIAS system will take stock of the experience of these countries by overcoming their weaknesses and mirroring the strengths of these systems.
Firstly, request authorization will be easy and cheap. Applicants will receive rapidly (within 12 hours) a positive feedback and those without authorization will save travel costs. The ETIAS system provides an automatic control: such control will allow to verify that the criminal record is clean. These checks will take place on the basis of SIS, Interpol, ECRIS, Eurodac.
The ETIAS central unit will compare the data in the database and the identity of the applicant and the rest of the operations will be managed by the national units.
The decision of the unit will be delivered within 72 hours, unless it will be necessary to gather special information (in this case it will be possible an extension to a two-week maximum).
ETIAS will be financially self-sustaining, thanks to the tax that will be paid by applicants. It is estimated that the costs for developing it will amount to €212.1 million, while the average annual operations costs, to be covered by the revenue from fees, will be €85 million.
The data will be protected from abuse and the information may be given to law enforcement only in the case of very serious crimes (this possibility also exist for Eurodac).

The EP rapporteur Kinga Gal (PPE – Hungary) was not present at the debate, but a colleague read her statement. The rapporteur argues that the text is of great importance and it will cover three categories of passengers
1) European Citizens or persons enjoying the right of free movement under Union law
2) Third-country nationals under visa obligation
3) Third-country nationals without visa obligation
From now until 2020 the countries without visa obligation will increase. For third-country nationals without visa obligation it’s difficult to gather information; it’s therefore necessary to create an information system well established in legal terms, so as not to put excessive burdens for Member States.

The debate that followed, however, showed controversial elements in the proposal, criticized by MEPs.
Firstly, almost all the MEPs who spoke remarked the necessity of an impact assessment, finding it unacceptable yet another lack of it. An issue of such importance can not be studied without taking into account an impact assessment: the urgency can not justify such a lack.

Birgit Sippel (S&D – Germany), for instance, affirmed that she’s tired to listen to the Commission affirming that it’s necessary to adopt better legislation and that impact assessments are not conducted anymore because of urgency. EU needs to regulate well, not in a hurry: this rush to legislate, then, does not make sense if the execution by the Member States is so slow. She also remarked that one of the problems in this proposal is that the form requires a bit of everything and there is the risk that if an applicant forgets a small offense did at 15 years old he cannot enter.

The shadow rapporteur Gérard Deprez (ALDE – Belgium) wondered what professional criteria will be provided for ETIAS units and how it will be possible to apply Article 7 of the Schengen Code, because compulsory systematic checks for everybody (as provided in that Article) would have a significant impact on traffic at the border. Deprez considered that the term of 72 hours is reasonable whereas he considers excessive the term of validity of five years, because in the course of five years many things can change in a person’s life. Also foreign experiences in fact suggest different solutions: in US visa is valid for one year and in Australia for two years. Also with regard to rates, Deprez is at odds with the proposal: 5 euro is a low price if compared to the prices of US (14 euro) and Australia (20 euro). According to Deprez, then, in the request the applicant should indicate the member state where he would like to go. The proposal, in addiction, should define a better balancing of criminal convictions. For example, prison sentences of less than one year should not be an obstacle to the granting of authorization.

It may also emerge a serious problem for air traffic. It is estimated that for a plane carrying 300 people controls may last from four hours and a half to seven hours and a half. The controls are certainly a necessary corollary for visa liberalization, but the parliament should find more efficient solutions.

On behalf of DG HOME of the European Commission Mrs Belinda Pike replied that the validity of five years would be reasonable. Of course it is noted that in the case in which the person commits an offense such information is immediately acquired in the system. Contrary to what Deprez stated, then, the cost is not too low, but it’s instead sufficient to ensure the smart management of borders. It is a fee that will cover the costs and ensures a small gain. In the US half of the fee (therefore, 7 euros) is invested in the tourism sector. Do not pay anything on the other hand would be a huge burden on the EU budget.

Belinda Pike finally stressed that the screening does not immediately lead to the rejection of the request, but simply involves manual handling of the request.

Marie – Christine Vergiat (GUE/NGL – France) and Bodil Valero (Greens/EFA – Sweden) highlighted that visas are returned, albeit with a different name (authorization). According to Marie – Christine Vergiat, then, this proposal does not promote cooperation between member states, it is repressive and attacks the fundamental rights, like others in this area of “smart” borders. Security and immigration are matters to be addressed in different texts, because adhere to different problems. The fact that some people should be identified through a profiling system also raises an ethical problem.

Bodil Valero remarked the privacy-issue. People will also provide information on education and health and Greens/Efa group would like to receive explanations about what is the reason for these provisions: perhaps the Commission’s intention is to gather information that cannot be collected in other ways. Furthermore, the 5-year period envisaged for data stocking is too long. She underlined that also the EDPS (European Data Protection Supervisor) has taken a fairly critical position on some of the elements of the proposal.
In his opinion, in fact, the EDPS states, among other things, that the establishment of ETIAS would have a significant impact on the right to the protection of personal data, since various kinds of data, collected initially for very different purposes, will become accessible to a broader range of public authorities (i.e. immigration authorities, border guards, law enforcement authorities, etc). For this reason, the EDPS considers that there is a need for conducting an assessment of the impact that the Proposal will entail on the right to privacy and the right to data protection enshrined in the Charter of Fundamental Rights of the EU, which will take stock of all existing EU-level measures for migration and security objectives.

Last but not least, during a TRAN (transport and tourism) committee on Wednesday 22 March, different speakers representing the tourist sector expressed concerns about the costs generated by the ETIAS in the tourism sector. However, the TRAN Committee decided not to give an opinion to LIBE.

NEXT STEPS

As soon as the two co-legislators will have defined their position a trilogue  could be launched which can bring to an agreement on first reading. As things currently stay an agreement will probably go hand in hand with the other “ENTRY/EXIT” legislative proposal.

 

Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices

EXECUTIVE SUMMARY OF A STUDY FOR THE EP LIBE COMMITEE.

FULL TEXT ACCESSIBLE  HERE  

by Mirja  GUTHEIL, Quentin  LIGER, Aurélie  HEETMAN, James  EAGER, Max  CRAWFORD  (Optimity  Advisors)

Hacking by law enforcement is a relatively new phenomenon within the framework of the longstanding public policy problem of balancing security and privacy. On the one hand, law enforcement agencies assert that the use of hacking techniques brings security, stating that it represents a part of the solution to the law enforcement challenge of encryption and ‘Going Dark’ without systematically weakening encryption through the introduction of ‘backdoors’ or similar techniques. On the other hand, civil society actors argue that hacking is extremely invasive and significantly restricts the fundamental right to privacy. Furthermore, the use of hacking practices pits security against cybersecurity, as the exploitation of cybersecurity vulnerabilities to provide law enforcement with access to certain data can have significant implications  for  the security of the internet.

Against this backdrop, the present study provides the LIBE Committee with relevant, actionable insight into the legal frameworks and practices for hacking by law enforcement. Firstly, the study examines the international and EU-level debates on the topic of hacking by law enforcement (Chapter 2), before analysing the possible legal bases for EU intervention in the field (Chapter 3). These chapters set the scene for the primary focus of the study: the comparative analysis of legal frameworks and practices for hacking by law enforcement across six selected Member States (France, Germany, Italy, the Netherlands, Poland and the UK), with further illustrative examples from three non-EU countries (Australia, Israel and the US) (Chapter 4). Based on these analyses, the study concludes (Chapter 5) and presents concrete recommendations and policy proposals for  EU  action  in  the field (Chapter 6).

The international and EU-level debates on the use of hacking techniques by law enforcement primarily evolve from the law enforcement challenge posed by encryption – i.e. the  ‘Going  Dark’  issue.

Going Dark is a term used to describe [the] decreasing ability [of law enforcement agencies] to lawfully access and examine evidence at rest on devices and evidence in motion across   communications   networks.1

According to the International Association of Chiefs of Police (IACP), law enforcement agencies are not able to investigate illegal activity and prosecute criminals without this evidence. Encryption technologies are cited as one of the major barriers to this access. Although recent political statements from several countries (including France, Germany, the UK and the US) seemingly call for ‘backdoors’ to encryption technologies, support for strong encryption at international and EU fora remains strong. As such, law enforcement agencies across the world started to use hacking techniques to bypass encryption. Although the term ‘hacking’ is not used by law enforcement agencies, these practices essentially mirror the techniques used by hackers (i.e. exploiting any possible vulnerabilities – including technical, system  and/or human  vulnerabilities  – within  an  information  technology  (IT) system).

Law enforcement representatives, such as the IACP and Europol, report that access to encrypted and other data through such hacking techniques brings significant investigative benefits. However, it is not the only possible law enforcement solution to the ‘Going Dark’ issue. Outside of the scope of this study, the other options include: requiring users to provide their password or decrypt their data; requiring technology vendors and service providers to bypass   the   security   of   their   own   products   and   services;   and   the    systematic   weakening   of encryption through the mandated introduction of ‘backdoors’ and/or weakened standards for encryption.

With the benefits of hacking established, a 2016 Joint Statement published by the European Union Agency for Network and Information Security (ENISA) and Europol2 noted that the use of  hacking  techniques also brings  several   key  risks.

The primary risk relates to the fundamental right to privacy and freedom of expression and information, as enshrined in international, EU and national-level law. Hacking techniques are extremely invasive, particularly when compared with traditionally intrusive investigative tools (e.g. wiretapping, house searches etc.). Through hacking, law enforcement can gain access to all data stored or in transit from a device; this represents a significant amount of data (e.g. a recent investigation by Dutch law enforcement collected seven terabytes of data, which translates into around 86 million pages of Microsoft Word documents3), as well as extremely sensitive data (e.g. a person’s location and movements, all communications, all stored data etc.). Consequently, the use of hacking techniques will inherently restrict the fundamental right to privacy.

Therefore, current debates at international and EU fora focus on assessing and providing recommendations on the current legal balances and safeguards for the restriction of the right to privacy by hacking techniques. However, these debates have assumed that hacking practices are necessary for law enforcement and simply require governing laws; they have not discussed whether the use of hacking techniques by law enforcement is necessary and proportional. The law enforcement assertions regarding the necessity of these invasive tools have  not   been  challenged.

The second key risk relates to the security of the internet. Law enforcement use of hacking techniques has the potential to significantly weaken the security of the internet by “[increasing] the attack surface for malicious abuse”4. Given that critical infrastructure and defence organisations, as well as law enforcement agencies themselves, use the technologies targeted and potentially weakened by law enforcement hacking, the potential ramifications reach  far  beyond  the intended  target.

As such, debates at international and EU fora focus on the appropriate balances between security and privacy, as well as security and cybersecurity. Regarding security v. privacy, the debates to date have assessed and provided recommendations on the legislative safeguards required to ensure that hacking techniques are only permitted in situations where a restriction of the fundamental right to privacy is valid in line with EU legislation (i.e. legal, necessary and proportional). Regarding security v. cybersecurity, the debates have been limited and primarily centre around the use and/or reporting of zero-day vulnerabilities discovered  by  law enforcement agencies.

Further risks not discussed in the Joint Statement but covered by this study include: the risks to territorial sovereignty – as law enforcement agencies may not know the physical location of the target data; and the risks related to the supply and use of commercially-developed hacking tools by governments with poor consideration for human rights.

Alongside the analysis of international and EU debates, the study presents hypotheses on the legal  bases  for  EU  intervention  in  the  field. Although  possibilities for  EU  legal  intervention  in several areas are discussed, including mutual admissibility of evidence (Art. 82(2) TFEU), common investigative techniques (Art. 87(2)(c) TFEU), operational cooperation (Art. 87(3) TFEU) and data protection (Art. 16 TFEU, Art. 7 & 8 EU Charter), the onus regarding the development of legislation in the field is with the Member States. As such, the management of the risks associated with law enforcement activities is governed at the Member State level.

As suggested by the focus of the international and EU discussions, concrete measures need to be stipulated at national-level to manage these risks. This study presents a comparative analysis of the legal frameworks for hacking by law enforcement across six Member States, as well as certain practical aspects of hacking by law enforcement, thereby providing an overview of the primary Member State mechanisms for the management of these risks. Further illustrative examples are provided from research conducted in three non-EU countries.

More specifically, the study examines the legal and practical balances and safeguards implemented at national-level to ensure: i) the legality, necessity and proportionality of restrictions to the fundamental  right  to  privacy;   and ii) the security  of  the internet.

Regarding restrictions to the right to privacy, the study first examines the existence of specific legal frameworks for hacking by law enforcement, before exploring the ex-ante and ex-post conditions and mechanisms stipulated to govern restrictions of the right to privacy and ensure they are legal, necessary  and  proportional.

It is found that hacking practices are seemingly necessary across all Member States examined, as four Member States (France, Germany, Poland and the UK) have adopted specific legislative provisions and the remaining two are in the legislative process. For all Member States except Germany, the adoption of specific legislative provisions occurred in 2016 (France, Poland and the UK) or will occur later (Italy, the Netherlands).  This  confirms the  new  nature  of these investigative techniques.

Additionally, law enforcement agencies in all Member States examined have used, or still use, hacking techniques in the absence of specific legislative provisions, under so-called ‘grey area’ legal provisions. Given the invasiveness of hacking techniques, these grey areaprovisions are considered  insufficient  to adequately  protect the right to privacy.

Where specific legal provisions have been adopted, all stakeholders agree that a restriction of the right to privacy requires the implementation of certain safeguards. The current or proposed legal frameworks of all six Member States comprise a suite of ex-ante conditions and ex-post mechanisms that aim to ensure the use of hacking techniques is proportionate and necessary. As recommended by various UN bodies, the provisions of primary importance include judicial authorisation of hacking practices, safeguards related to the nature, scope and duration of possible measures (e.g. limitations to crimes of a certain gravity and the  duration  of  the hack,  etc.) and  independent   oversight.

Although many of these types of recommended conditions are common across the Member States examined – demonstrated in the below table – their implementation parameters differ. For instance, both German and Polish law permit law enforcement hacking practices without judicial authorisation in exigent circumstance if judicial authorisation is achieved in a specified timeframe. However, the timeframe differs (three days in Germany compared with five days in Poland). These differences make significant difference, as the Polish timeframe was criticised  by the Council  of  Europe’s  Venice Commission  for being  too long.5

Furthermore, the Member States examined all accompany these common types of ex-ante and ex-post conditions with different, less common conditions. This is particularly true for ex-post oversight mechanisms. For instance, in Poland, the Minister for internal affairs provides macro-level information to the lower (Sejm) and upper (Senat) chambers of Parliament;6 and in the UK, oversight is provided by the Investigatory Powers Commissioner, who reviews all cases of hacking by law enforcement, and the Investigatory Powers Tribunal, which  considers disputes or  complaints surrounding  law enforcement  hacking.7

Key ex-ante considerations
Judicial authorisation The    legal    provisions    of    all    six    Member    States    require    ex-ante judicial        authorisation        for        law        enforcement        hacking.        The information  to  be  provided  in  these requests differ.

Select     Member     States     (e.g.     Germany,     Poland,     the     UK)     also provide for hacking without prior judicial authorisation in exigent circumstances  if  judicial  authorisation  is subsequently  provided. The timeframes  for  ex-post authorisation  differ.

Limitation by crime and  duration All  six Member  States  restrict  the  use  of  hacking  tools  based  on the   gravity   of   crimes.    In    some    Member   States,    the    legislation presents  a  specific  list  of  crimes  for  which  hacking  is permitted; in     others,     the    limit    is    set     for    crimes    that    have    a    maximum custodial    sentence   of   greater   than    a   certain   number    of   years. The lists and numbers  of years required differ by Member   State.

Many Member States also restrict the duration for which hacking may   be   used.   This   restriction   ranges   from   maximum   1   month (France, Netherlands) to a maximum of 6 months (UK), although extensions     are     permitted     under     the     same     conditions     in     all Member States.

Key ex-post considerations
Notification and effective remedy Most    Member    States    provide    for    the    notification    of    targets    of hacking  practices and  remedy  in  cases  of unlawful   hacking.
Reporting and oversight Primarily, Member States report at a micro-level through logging hacking  activities and  reporting them  in  case  files.

However,   some   Member   States   (e.g.   Germany,   Poland   and   the UK) have macro-level  review  and  oversight mechanisms.

Furthermore, as regards the issue of territoriality (i.e. the difficulty law enforcement agencies face obtaining the location of the data to be collected using hacking techniques), only one Member States, the Netherlands, legally permits the hacking of devices if the location is unknown. If the device turns out to be in another jurisdiction, Dutch law enforcement must apply  for Mutual  Legal  Assistance.

As such, when aggregated, these provisions strongly mirror Article 8 of the European Convention on Human Rights, as well as the UN recommendations and paragraph 95 of the ECtHR  judgement  in  Weber and  Saravia  v.  Germany.  However,   there are  many,  and  varied, criticisms when the Member State conditions are examined in isolation. Some of the provisions criticised include: the limits based on the gravity of crimes (e.g. the Netherlands, France and Poland); the provisions for notification and effective remedy (e.g. Italy and the Netherlands); the process for screening and deleting non-relevant data (Germany); the definition of devices that can be targeted (e.g. the Netherlands); the duration permitted for hacking (e.g. Poland); and a lack of knowledge amongst the judiciary (e.g. France, Germany, Italy and the Netherlands).With this said, certain elements, taken in isolation, can be called good  practices. Such  examples  are  presented below.

Select  good practice: Member State legislative frameworks

Germany: Although they were deemed unconstitutional in a 2016 ruling, the provisions for the screening and deletion of data related to the core area of private life are a positive step. If the provisions are amended, as stipulated in the ruling, to ensure screening by an independent body, they would provide strong protection for the targeted individual’s private data.

Italy: The 2017 draft Italian law includes a range of provisions related to the development and monitoring of the continued use of hacking tools. As such, one academic stakeholder remarked that the drafting of the law must have been driven by technicians. However, these provisions bring significant benefits to the legislative provisions in terms of supervision and oversight of the use of hacking tools. Furthermore, the Italian draft law takes great care to separate the functionalities of the hacking tools, thus protecting against the overuse or abuse of a  hacking tool’s  extensive  capabilities.

Netherlands: The Dutch Computer Crime III Bill stipulates the need to conduct a formal proportionality assessment for each hacking request, with the assistance of a dedicated Central Review Commission (Centrale Toetsings Commissie). Also, the law requires rules to be laid down on the authorisation and expertise of the investigation officers that can perform hacking.

With these findings in mind, the study concludes that the specific national-level legal provisions examined provide for the use of hacking techniques in a wide array of circumstances. The varied combinations of requirements, including those related to the gravity of crimes, the duration and purpose of operations and the oversight, result in a situation where the law does not provide for much stricter conditions than are necessary for less  intrusive  investigative activities such  as interception.

Based on the study findings,  relevant  and actionable policy proposals and recommendations have been developed under the two key elements: i) the fundamental right  to  privacy;  and  ii) the security  of the internet.

Recommendations and policy proposals: Fundamental  right  to  privacy

It is recommended that the use of ‘grey area’ legal provisions is not sufficient to protect the fundamental right to privacy. This is primarily because existing legal provisions do not provide for the more invasive nature of hacking techniques and do not provide for the legislative precision  and  clarity  as  required  under  the  Charter and the  ECHR.

Furthermore, many of these provisions have only recently been enacted. As such, there is a need for robust evidence-based monitoring and evaluation of the practical application of these provisions. It is therefore recommended that the application of these new legal provisions is evaluated regularly at national level, and that the results of these evaluations are  assessed at  EU-level.

If specific legislative provisions are deemed necessary, the study recommends a range of good practice, specific ex-ante and ex-post provisions governing the use of hacking practices by  law  enforcement  agencies. These are detailed  in  Chapter 6.

Policy proposal 1: The European Parliament should pass a resolution calling on Member States to conduct a Privacy Impact Assessment when new laws are proposed to permit and govern the use of hacking techniques by law enforcement agencies. This Privacy Impact Assessment should focus on the necessity and proportionality of the use of hacking tools and should  require input  from  national  data protection  authorities.

Policy proposal 2: The European Parliament should reaffirm the need for Member States to adopt a clear and precise legal basis if law enforcement agencies are to use hacking techniques.

Policy proposal 3: The European Parliament should commission more research or encourage the European Commission or other bodies to conduct more research on the topic. In response to the Snowden revelations, the European Parliament called on the EU Agency for Fundamental Rights (FRA) to thoroughly research fundamental rights protection in the context of surveillance. A similar brief related to the legal frameworks governing the use of hacking techniques by law enforcement across all EU Member States would act as an invaluable piece  of  research.

Policy proposal 4: The European Parliament should encourage Member States to undertake evaluation and monitoring activities on the practical application of the new legislative provisions  that  permit  hacking  by  law  enforcement  agencies.

Policy proposal 5: The European Parliament should call on the EU Agency for Fundamental Rights (FRA) to develop a practitioner handbook related to the governing of hacking by law enforcement. This handbook should be intended for lawyers, judges, prosecutors, law enforcement officers and others working with national authorities, as well as non­governmental organisations and other bodies confronted with legal questions in the areas set out by the handbook. These areas should cover the invasive nature of hacking techniques and relevant safeguards as per international and EU law and case law, as well as appropriate mechanisms for supervision  and   oversight.

Policy proposal 6: The European Parliament should call on EU bodies, such as the FRA, CEPOL and Eurojust, to provide training for national-level members of the judiciary and data protection authorities, in collaboration with the abovementioned handbook, on the technical means for hacking in use across the Member States, their potential for invasiveness and the principles of  necessity  and  proportionality in  relation  to these  technical  means.

Recommendations and policy proposals: Security of  the  internet

The primary recommendation related to the security of the internet is that the position of the EU against the implementation of ‘backdoors’ and similar techniques, and in support of strong encryption standards, should be reaffirmed, given the prominent role encryption plays in our society and its importance to the EU’s Digital Agenda. To support this position, the EU should ensure continued engagement with global experts in computer science as well as civil society privacy and  digital  rights groups.

The actual impacts of hacking by law enforcement on the security of the internet are yet unknown. More work should be done at the Member State level to assess the potential impacts such that these data can feed in to overarching discussions on the necessity and proportionality of law enforcement hacking. Furthermore, more work should be done, beyond understanding the risks to the security of the internet, to educate those involved in the authorisation and use of  hacking  techniques by law enforcement.

At present, the steps taken to safeguard the security of the internet against the potential risks of hacking are not widespread. As such, the specific legislative provisions governing the use of hacking techniques by law enforcement, if deemed necessary, should safeguard the security of the internet and the security of the device, including reporting the vulnerabilities used to gain access to a device to the appropriate technology vendor or service provider; and  ensure  the  full  removal  of  the software  or hardware from the targeted  device.

Policy proposal 7: The European Parliament should pass a resolution calling on Member States to conduct an Impact Assessment to examine the impact of new or existing laws governing  the  use  of hacking  techniques by  law  enforcement on  the  security  of  the internet.

Policy proposal 8: The European Parliament, through enhanced cooperation with Europol
and the European Union Agency for Network and Information Security (ENISA), should
reaffirm its commitment to strong encryption considering discussions on the topic of hacking by law enforcement. In addition, the Parliament should reaffirm its opposition to the implementation of  
backdoors and  similar techniques in information technology infrastructures or  services.

Policy proposal 9: Given the lack of discussion around handling zero-day vulnerabilities, the European Parliament should support the efforts made under the cybersecurity contractual Public-Private Partnership (PPP) to develop appropriate responses to handling zero-day vulnerabilities, taking into consideration the risks related to fundamental rights and the security  of the internet.

Policy proposal 10: Extending policy proposal 4, above, the proposed FRA handbook should also cover the risks  posed  to  the  security  of the  internet  by  using hacking  techniques.

Policy proposal 11: Extending policy proposal 5, training provided to the judiciary by EU bodies such as FRA, CEPOL and Eurojust should also educate these individuals on the risks posed  to  the security  of  the internet  by  hacking  techniques.

Policy proposal 12: Given the lack of discussion around the risks posed to the security of the internet by hacking practices, the European Parliament should encourage debates at the appropriate fora specific to understanding this risk and the approaches to managing this risk. It is encouraged that law enforcement representatives should be present within such discussions.

Parliamentary Tracker : the EP incoming resolution on the EU-USA (so called) “Privacy Shield”…

 

NOTA BENE : Below the text that will be submitted to vote at the next EP plenary. As in previous occasions the text is well drafted, legally precise and it confirms the high level of  competence that the European Parliament (and its committee LIBE) has developed along the last 17 years from the first inquiry on Echelon (2000), the Safe Harbor (2000), the EU-USA agreement on PNR (since 2003 a thirteen year long lasting saga…) the SWIFT agreement (2006) …

What is puzzling are the critics raised against the  so called “adequacy finding” mechanism which empowers the European Commission to decide if a third Country protect “adequately” the EU citizens personal data. The weaknesses of the Commission face to our strongest transatlantic ally  were already very well known when recently the parliamentarians have reformed the European legal framework on data protection in view of the new legal basis foreseen by the Treaties and in the art. 7 and 8 of the EU Charter.  However the EP did’nt try to strengthen the “adequacy” mechanism by transforming it at least in a “delegated” function (so that it would had been possible for the EP to block something which could had weackened our standards).

Now the US Congress is weakening the (already poor) US data protection and the new US administration will probably go in the same direction.  It seems to me to easy  to complain now on something that you had recently the chance to fix..

Let’s now hope that the Court of Justice by answering to the request for opinion on the EU-Canada PNR agreement will give to the EU legislator some additional recommendations but as an EU citizen I would had preferred a stronger EU legislation instead of been ruled by european or national Judges…

Emilio De Capitani

B8‑0235/2017 European Parliament resolution on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP))

The European Parliament,

–        having regard to the Treaty on European Union (TEU), the Treaty on the Functioning of the European Union (TFEU) and Articles 6, 7, 8, 11, 16, 47 and 52 of the Charter of Fundamental Rights of the European Union,

–        having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive)[1],

–        having regard to Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters[2],

–        having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)[3], and to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA[4],

–        having regard to the judgment of the Court of Justice of the European Union of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner[5],

–        having regard to the Commission communication to the European Parliament and the Council of 6 November 2015 on the transfer of personal data from the EU to the United States of America under Directive 95/46/EC following the judgment by the Court of Justice in Case C-362/14 (Schrems) (COM(2015)0566),

–        having regard to the Commission communication to the European Parliament and the Council of 10 January 2017 on Exchanging and Protecting Personal Data in a Globalised World (COM(2017)0007),

–        having regard to the judgment of the Court of Justice of the European Union of 21 December 2016 in Cases C-203/15 Tele2 Sverige AB v Post- och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson and Others[6],

–        having regard to Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield[7],

–        having regard to Opinion 4/2016 of the European Data Protection Supervisor (EDPS) on the EU-US Privacy Shield draft adequacy decision[8],

–        having regard to the Opinion of the Article 29 Data Protection Working Party of 13 April 2016 on the EU-US Privacy Shield draft adequacy decision[9] and its Statement of 26 July 2016[10],

–        having regard to its resolution of 26 May 2016 on transatlantic data flows[11],

–        having regard to Rule 123(2) of its Rules of Procedure,

  1. whereas the Court of Justice of the European Union (CJEU) in its judgment of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner invalidated the Safe Harbour decision and clarified that an adequate level of protection in a third country must be understood to be ‘essentially equivalent’ to that guaranteed within the European Union by virtue of Directive 95/46/EC read in the light of the Charter of Fundamental Rights of the European Union (hereinafter ‘the EU Charter’), prompting the need to conclude negotiations on a new arrangement so as to ensure legal certainty on how personal data should be transferred from the EU to the US;
  2. whereas, when examining the level of protection afforded by a third country, the Commission is obliged to assess the content of the rules applicable in that country deriving from its domestic law or its international commitments, as well as the practice designed to ensure compliance with those rules, since it must, under Article 25(2) of Directive 95/46/EC, take account of all the circumstances surrounding a transfer of personal data to a third country; whereas this assessment must not only refer to legislation and practices relating to the protection of personal data for commercial and private purposes, but must also cover all aspects of the framework applicable to that country or sector, in particular, but not limited to, law enforcement, national security and respect for fundamental rights;
  3. whereas transfers of personal data between commercial organisations of the EU and the US are an important element for the transatlantic relationships; whereas these transfers should be carried out in full respect of the right to the protection of personal data and the right to privacy; whereas one of the fundamental objectives of the EU is the protection of fundamental rights, as enshrined in the EU Charter;
  4. whereas in its Opinion 4/2016 the EDPS raised several concerns on the draft Privacy Shield; whereas the EDPS welcomes in the same opinion the efforts made by all parties to find a solution for transfers of personal data from the EU to the US for commercial purposes under a system of self-certification;
  5. whereas in its Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision the Article 29 Working Party welcomed the significant improvements brought about by the Privacy Shield compared with the Safe Harbour decision whilst also raising strong concerns about both the commercial aspects and access by public authorities to data transferred under the Privacy Shield;
  6. whereas on 12 July 2016, after further discussions with the US administration, the Commission adopted its Implementing Decision (EU) 2016/1250, declaring the adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield;
  7. whereas the EU-US Privacy Shield is accompanied by several letters and unilateral statements from the US administration explaining, inter alia, the data protection principles, the functioning of oversight, enforcement and redress and the protections and safeguards under which security agencies can access and process personal data;
  8. whereas in its statement of 26 July 2016, the Article 29 Working Party welcomes the improvements brought by the EU-US Privacy Shield mechanism compared with Safe Harbour and commended the Commission and the US authorities for having taken into consideration its concerns; whereas the Article 29 Working Party indicates, nevertheless, that a number of its concerns remain, regarding both the commercial aspects and the access by US public authorities to data transferred from the EU, such as the lack of specific rules on automated decisions and of a general right to object, the need for stricter guarantees on the independence and powers of the Ombudsperson mechanism, and the lack of concrete assurances of not conducting mass and indiscriminate collection of personal data (bulk collection);
  9. Welcomes the efforts made by both the Commission and the US administration to address the concerns raised by the CJEU, the Member States, the European Parliament, data protection authorities (DPAs) and stakeholders, so as to enable the Commission to adopt the implementing decision declaring the adequacy of the EU-US Privacy Shield;
  10. Acknowledges that the EU-US Privacy Shield contains significant improvements regarding the clarity of standards compared with the former EU-US Safe Harbour and that US organisations self-certifying adherence to the EU-US Privacy Shield will have to comply with clearer data protection standards than under Safe Harbour;
  11. Takes note that as at 23 March 2017, 1 893 US organisations have joined the EU-US Privacy Shield; regrets that the Privacy Shield is based on voluntary self-certification and therefore applies only to US organisations which have voluntarily signed up to it, which means that many companies are not covered by the scheme;
  12. Acknowledges that the EU-US Privacy Shield facilitates data transfers from SMEs and businesses in the Union to the US;
  13. Notes that, in line with the ruling of the CJEU in the Schrems case, the powers of the European DPAs remain unaffected by the adequacy decision and they can, therefore, exercise them, including the suspension or the ban of data transfers to an organisation registered with the EU-US Privacy Shield; welcomes in this regard the prominent role given by the Privacy Shield Framework to Member State DPAs to examine and investigate claims related to the protection of the rights to privacy and family life under the EU Charter and to suspend transfers of data, as well as the obligation placed upon the US Department of Commerce to resolve such complaints;
  14. Notes with satisfaction that under the Privacy Shield Framework, EU data subjects have several means available to them to pursue legal remedies in the US: first, complaints can be lodged either directly with the company or through the Department of Commerce following a referral by a DPA, or with an independent dispute resolution body, secondly, with regard to interferences with fundamental rights for the purpose of national security, a civil claim can be brought before the US court and similar complaints can also be addressed by the newly created independent Ombudsperson, and finally, complaints about interferences with fundamental rights for the purposes of law enforcement and the public interest can be dealt with by motions challenging subpoenas; encourages further guidance from the Commission and DPAs to make those legal remedies all the more easily accessible and available;
  15. Acknowledges the clear commitment of the US Department of Commerce to closely monitor the compliance of US organisations with the EU-US Privacy Shield Principles and their intention to take enforcement actions against entities failing to comply;
  16. Reiterates its call on the Commission to seek clarification on the legal status of the ‘written assurances’ provided by the US and to ensure that any commitment or arrangement foreseen under the Privacy Shield is maintained following the taking up of office of a new administration in the United States;
  17. Considers that, despite the commitments and assurances made by the US Government by means of the letters attached to the Privacy Shield arrangement, important questions remain as regards certain commercial aspects, national security and law enforcement;
  18. Specifically notes the significant difference between the protection provided by Article 7 of Directive 95/46/EC and the ‘notice and choice’ principle of the Privacy Shield arrangement, as well as the considerable differences between Article 6 of Directive 95/46/EC and the ‘data integrity and purpose limitation’ principle of the Privacy Shield arrangement; points out that instead of the need for a legal basis (such as consent or contract) that applies to all processing operations, the data subject rights under the Privacy Shield Principles only apply to two narrow processing operations (disclosure and change of purpose) and only provide for a right to object (‘opt-out’);
  19. Takes the view that these numerous concerns could lead to a fresh challenge to the decision on the adequacy of the protection being brought before the courts in the future; emphasises the harmful consequences as regards both respect for fundamental rights and the necessary legal certainty for stakeholders;
  20. Notes, amongst other things, the lack of specific rules on automated decision-making and on a general right to object, and the lack of clear principles on how the Privacy Shield Principles apply to processors (agents);
  21. Notes that, while individuals have the possibility to object vis-à-vis the EU controller to any transfer of their personal data to the US, and to the further processing of those data in the US where the Privacy Shield company acts as a processor on behalf of the EU controller, the Privacy Shield lacks specific rules on a general right to object vis-à-vis the US self-certified company;
  22. Notes that only a fraction of the US organisations that have joined the Privacy Shield have chosen to use an EU DPA for the dispute resolution mechanism; is concerned that this constitutes a disadvantage for EU citizens when trying to enforce their rights;
  23. Notes the lack of explicit principles on how the Privacy Shield Principles apply to processors (agents), while recognising that all principles apply to the processing of personal data by any US self-certified company ‘[u]nless otherwise stated’ and that the transfer for processing purposes always requires a contract with the EU controller which will determine the purposes and means of processing, including whether the processor is authorised to carry out onward transfers (e.g. for sub-processing);
  24. Stresses that, as regards national security and surveillance, notwithstanding the clarifications brought by the Office of the Director of National Intelligence (ODNI) in the letters attached to the Privacy Shield framework, ‘bulk surveillance’, despite the different terminology used by the US authorities, remains possible; regrets the lack of a uniform definition of the concept of bulk surveillance and the adoption of the American terminology, and therefore calls for a uniform definition of bulk surveillance linked to the European understanding of the term, where evaluation is not made dependent on selection; stresses that any kind of mass surveillance is in breach of the EU Charter;
  25. Recalls that Annex VI (letter from Robert S. Litt, ODNI) clarifies that under Presidential Policy Directive 28 (hereinafter ‘PPD-28’), bulk collection of personal data and communications of non-US persons is still permitted in six cases; points out that such bulk collection only has to be ‘as tailored as feasible’ and ‘reasonable’, which does not meet the stricter criteria of necessity and proportionality as laid down in the EU Charter;
  26. Deplores the fact that the EU-US Privacy Shield does not prohibit the collection of bulk data for law enforcement purposes;
  27. Stresses that in its judgment of 21 December 2016, the CJEU clarified that the EU Charter ‘must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’; points out that the bulk surveillance in the US therefore does not provide for an essentially equivalent level of the protection of personal data and communications;
  28. Is alarmed by the recent revelations about surveillance activities conducted by a US electronic communications service provider on all emails reaching its servers, upon request of the National Security Agency (NSA) and the FBI, as late as 2015, i.e. one year after Presidential Policy Directive 28 was adopted and during the negotiation of the EU-US Privacy Shield; insists that the Commission seek full clarification from the US authorities and make the answers provided available to the Council, Parliament and national DPAs; sees this as a reason to strongly doubt the assurances brought by the ODNI; is aware that the EU-US Privacy Shield rests on PPD-28, which was issued by the President and can also be repealed by any future President without Congress’s consent;
  29. Expresses great concerns at the issuance of the ‘Procedures for the Availability or Dissemination of Raw Signals Intelligence Information by the National Security Agency under Section 2.3 of Executive Order 12333’, approved by the Attorney General on 3 January 2017, allowing the NSA to share vast amounts of private data gathered without warrants, court orders or congressional authorisation with 16 other agencies, including the FBI, the Drug Enforcement Agency and the Department of Homeland Security; calls on the Commission to immediately assess the compatibility of these new rules with the commitments made by the US authorities under the Privacy Shield, as well as their impact on the level of personal data protection in the United States;
  30. Deplores the fact that neither the Privacy Shield Principles nor the letters of the US administration providing clarifications and assurances demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to a US organisation under the Privacy Shield Principles and further accessed and processed by US public authorities for law enforcement and public interest purposes, which were emphasised by the CJEU in its judgment of 6 October 2015 as the essence of the fundamental right in Article 47 of the EU Charter;
  31. Recalls its resolution of 26 May 2016 stating that the Ombudsperson mechanism set up by the US Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry out its duties and provide effective redress to EU individuals; notes that according to the representations and assurances provided by the US Government the Office of the Ombudsperson is independent from the US intelligence services, free from any improper influence that could affect its function and moreover works together with other independent oversight bodies with effective powers of supervision over the US Intelligence Community; is generally concerned that an individual affected by a breach of the rules can apply only for information and for the data to be deleted and/or for a stop to further processing, but has no right to compensation;
  32. Regrets that the procedure of adoption of an adequacy decision does not provide for a formal consultation of relevant stakeholders such as companies, and in particular SMEs’ representation organisations;
  33. Regrets that the Commission followed the procedure for adoption of the Commission implementing decision in a practical manner that de facto has not enabled Parliament to exercise its right of scrutiny on the draft implementing act in an effective manner;
  34. Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 16 May 2018, and with the EU Charter;
  35. Calls on the Commission to ensure, in particular, that personal data that has been transferred to the US under the Privacy Shield can only be transferred to another third country if that transfer is compatible with the purpose for which the data was originally collected, and if the same rules of specific and targeted access for law enforcement apply in the third country;
  36. Calls on the Commission to monitor whether personal data which is no longer necessary for the purpose for which it had been originally collected is deleted, including by law enforcement agencies;
  37. Calls on the Commission to closely monitor whether the Privacy Shield allows for the DPAs to fully exercise all their powers, and if not, to identify the provisions that result in a hindrance to the DPAs’ exercise of powers;
  38. Calls on the Commission to conduct, during the first joint annual review, a thorough and in-depth examination of all the shortcomings and weaknesses referred to in this resolution and in its resolution of 26 May 2016 on transatlantic data flows, and those identified by the Article 29 Working Party, the EDPS and the stakeholders, and to demonstrate how they have been addressed so as to ensure compliance with the EU Charter and Union law, and to evaluate meticulously whether the mechanisms and safeguards indicated in the assurances and clarifications by the US administration are effective and feasible;
  39. Calls on the Commission to ensure that when conducting the joint annual review, all the members of the team have full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes;
  40. Stresses that all members of the joint review team must be ensured independence in the performance of their tasks and must be entitled to express their own dissenting opinions in the final report of the joint review, which will be public and annexed to the joint report;
  41. Calls on the Union DPAs to monitor the functioning of the EU-US Privacy Shield and to exercise their powers, including the suspension or definitive ban of personal data transfers to an organisation in the EU-US Privacy Shield if they consider that the fundamental rights to privacy and the protection of personal data of the Union’s data subjects are not ensured;
  42. Stresses that Parliament should have full access to any relevant document related to the joint annual review;
  43. Instructs its President to forward this resolution to the Commission, the Council, the governments and national parliaments of the Member States and the US Government and Congress.

NOTES
[1] OJ L 281, 23.11.1995, p. 31.
[2] OJ L 350, 30.12.2008, p. 60.
[3] OJ L 119, 4.5.2016, p. 1.
[4] OJ L 119, 4.5.2016, p. 89.
[5] ECLI:EU:C:2015:650.
[6] ECLI:EU:C:2016:970.
[7] OJ L 207, 1.8.2016, p. 1.
[8] OJ C 257, 15.7.2016, p. 8.
[9] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf
[10] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf
[11] Texts adopted, P8_TA(2016)0233.

(EP BRIEFING) Revision of the Schengen Information System for law enforcement

ORIGINAL PUBLISHED HERE (PDF FILE)

by Costica Dumbrava (Members’ Research Service)

OVERVIEW

The Schengen Information System (SIS) is a large-scale information database that supports external border control and law enforcement cooperation in the Schengen states. It enables competent authorities, such as police and border guards, to enter and consult alerts on certain categories of wanted or missing persons and lost or stolen property. In December 2016, the European Commission adopted a package of proposals aimed at responding more effectively to new migration and security challenges. One of these proposals is focused on improving and extending the use of the SIS in the field of police cooperation and judicial cooperation in criminal matters. It clarifies procedures, creates new alerts and checks, extends the use of biometrics, and enlarges access for law enforcement authorities. The proposal is part of a legislative package that includes a proposal to revise the rules of the SIS in the field of border checks and a proposal for establishing a new role of the SIS in the return of illegally staying third-country nationals.

Proposal for a regulation of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU
Committee responsible: Civil Liberties, Justice and Home Affairs (LIBE) COM(2016) 883 21.12.2016
Rapporteur: To be appointed 2016/0409(COD)
Shadow rapporteurs: Next steps expected: To be appointed

Initial discussions in committee

Ordinary legislative procedure (COD) (Parliament and Council on equal footing – formerly ‘co-decision’)

 

Introduction

The Schengen Information System (SIS) was established by the Convention implementing the Schengen Agreement in 1990, as a primary compensatory measure for the abolition of controls at the internal borders in the Schengen area. SIS II – the current version of the SIS – was established in 2006 and became operational in 2013. Its legal basis is currently defined by Regulation (EC) No 1987/2006 on alerts on persons, Regulation (EC) No 1986/2006 on alerts on vehicles, and Council Decision 2007/533/JHA on alerts on missing and wanted persons and objects.

To respond more effectively to new migration and security challenges in recent years, the European Union (EU) has decided to implement a set of measures aimed at strengthening its external borders, and enhancing cooperation and information exchange between Member States. One such measure was the proposal for a European Border and Coast Guard Agency in 2015 which resulted in the guard being launched in October 2016. Similarly, in December 2015, the European Commission proposed a targeted modification of the Schengen Borders Code to establish mandatory systematic checks for all travellers entering or exiting the EU, and put forward a proposal for a directive on combating terrorism. In January 2016, the European Commission launched a proposal for a directive on the European criminal records information system. In May 2016, the European Commission proposed a revision of the Eurodac Regulation to allow the Eurodac database to be used for identifying illegally staying third-country nationals who do not claim asylum in the EU.

The proposal for a European travel information and authorisation system, put forward in November 2016, is aimed at introducing a mechanism requiring visa-exempt third-country nationals to obtain authorisation to travel to the Schengen area.
In December 2016, the European Commission launched a proposal to establish an EU entry/exit system for recording data on the entry and exit of third-country nationals crossing the EU’s external borders.
The proposal on the revision of the SIS in the field of police cooperation and judicial cooperation is part of a legislative package along with a proposal to revise the SIS in the field of border checks and a proposal to use the SIS for the return of illegally staying third-country nationals.
The first two proposals contain a number of identical provisions and would constitute the new legal basis for the SIS. The Commission announced it will launch a second set of proposals, to further improve the interoperability of the SIS with other information technology (IT) systems, in mid-2017.

 DeathForTerrorism

Figure 1 -Terrorism-related arrests, attacks and deaths

Data source: Europol, 2014; 2015; 2016.

Context

In 2015, Frontex recorded 1.8 million detections of irregular crossings of the EU’s external borders (about 1 million irregular migrants). Despite EU efforts to stop the flow of irregular migrants, about 0.5 million detections are estimated to have been made in 2016. The number of terrorist attacks in the EU – foiled, failed and completed attacks – increased from 152 to 211 from 2013 to 2015, while the number of persons arrested on terrorism-related charges has doubled in the same period (see Figure 1). At least 151 persons were killed in terrorist attacks in 2015 and the number of deaths caused by such attacks remained high in 2016. Although the majority of perpetrators were EU citizens, many had links with terrorist organisations from outside the EU, and some entered the EU irregularly by exploiting weaknesses of the EU external borders. According to Europol, the perpetrators of the Charlie Hebdo attacks in Paris had links to Al-Qaeda in the Arabian Peninsula (AQAP) in Yemen, while a number of the suspects involved in the November 2015 Paris attacks had previously travelled to and been trained in Syria. The growing phenomenon of foreign fighters (EU citizens travelling to conflict zones abroad to engage in fighting) reveals another dimension of the complex relationship between migration and cross-border crime. In 2015, about 5 000 EU citizens travelled abroad to engage in terrorist activities. The crackdown against the self-proclaimed ‘Islamic State’ in Iraq and Syria (ISIL/Da’esh) has raised serious concerns about the return to Europe of many of these foreign fighters.

Existing situation

Characteristics of the SIS

The SIS consists of three components: 1) a central system; 2) national systems in each Member State that communicate with the central system; and 3) a communication infrastructure. Member States can enter, update, delete, and search data via their national systems, and exchange information via the supplementary information request at the national entry bureaux (Sirene). Member States are responsible for setting up, operating and maintaining their national systems and national Sirene bureaux. The EU Agency for large-scale IT systems in the area of freedom, security and justice (eu-LISA) is responsible for the operational management of the central system and the communication infrastructure. The Commission is responsible for the general oversight and evaluation of the system and for the adoption of implementing measures. The European Data Protection Supervisor (EDPS) monitors the application of the data protection rules for the central system, while the national data protection authorities supervise the application of the data protection rules in their respective countries.

SIS alerts cover the following categories of persons and objects:

  • refusal of entry or stay to third-country nationals who are not entitled to enter or stay in the Schengen area;
  • persons for whom a European arrest warrant or an extradition request (in the case of associated countries) has been issued;
  • missing persons, in view of placing them under protection, if necessary;
  • persons sought to assist with criminal judicial procedures;
  • persons and objects for discreet or specific checks, in view of prosecuting criminal offences and preventing threats to public or national security;
  • objects for seizure or use as evidence in criminal procedures.

SIS alerts consist of three types of data: identification data for the person or object an alert is about; information about why the person or object is being sought; and instructions for concrete action to be taken by officers on the ground when the person or object is found.

Access to data is given to national authorities responsible for border control, police, customs, visa and vehicle registration and, by extension, to national judicial authorities when this is necessary for the performance of their tasks.

The European Police Office (Europol) and the European Union’s Judicial Cooperation Unit (Eurojust) have limited access rights for performing certain types of queries. SIS checks are mandatory for the processing of short-stay visas, for border checks for third-country nationals and, on a non-systematic basis, for EU citizens and other persons enjoying the right of free movement. Every police check on the territory of a Schengen state should include a check in the SIS. Any person has the right to access SIS data related to them, as provided for by the national law of the Member State concerned. Access may only be refused when this is indispensable for the performance of a lawful task related to an alert, and for protecting the rights and freedoms of other people. Individuals may bring actions before the courts or other authorities competent under the national law to access, correct, delete or retrieve information, or to obtain compensation in connection with an alert relating to them.

Identified shortcomings

According to eu-LISA reports, the total number of alerts inserted in the SIS increased between December 2013 and December 2015 (see Figure 2). These alerts have been distributed unevenly across Member States.

In 2015, three countries had more than half of the total number   of   alerts:   Italy   (18 million), Germany     (9.5 million)     and     France (6.5 million). Despite an increase in the total number of SIS alerts between 2013 and 2015, the number of alerts on persons  has slightly decreased. The number of searches   in   the   SIS   increased   from 1.2 billion to 2.9 billion between April 2013 and December 2015. Member States do not use the SIS equally: in 2015, three Member States conducted about half of the searches: France (555 million), Spain (398 million) and Germany (393 million).
Currently, identity checks in the SIS are based on alphanumeric searches (name and date of birth).
Fingerprints can be used only in order to verify and confirm the identity of a person who has already been identified by name. The SIS legal framework allows the use of facial images and fingerprints in order to verify identity, provided that the necessary technology is available.
In 2016, the European Commission asked eu-LISA to start working on implementing the fingerprint functionality in the SIS. In its March 2016 report, the European Counter-terrorism Coordinator (ECTC) pointed to problems related to the absence of common standards for inserting alerts, interpreting and reporting information in SIS.
With regard to using SIS to combat terrorism, the ECTC noted that Member States continue to apply different standards and did not enter systematically in SIS identified foreign terrorist fighters.
The European Commission has made several legal and technical improvements to the SIS to enable real-time communication from the ground to relevant services in other Member States, and to improve information exchange on terrorist suspects.
In 2015, the Commission revised the Schengen handbook and finalised a set of common risk indicators to be used during border checks in order to detect foreign terrorist fighters. The proposal for a directive on combating terrorism obliges Member States to enter systematically in the SIS alerts on suspected or convicted terrorist offenders.
Currently, there is little interoperability and interconnection between different information systems. The ECTC reported a discrepancy between the numbers of SIS alerts on national security grounds and the number of entries on foreign terrorist fighters in the Europol’s European information system (EIS). All SIS alerts related to terrorism should, by default, also be recorded in the EIS. The Commission announced that it would start working towards introducing a single search interface to allow simultaneous searches to be performed in all relevant systems without changing existing access rights.

Parliament’s starting position

The European Parliament has consistently advocated more effective cooperation between Member States’ law enforcement authorities, provided that appropriate safeguards on data protection and privacy are maintained.
In its resolution of 17 December 2014 on renewing the EU internal security strategy, the Parliament called on the Member States to make better use of valuable existing instruments, including through ‘more expeditious and efficient sharing of relevant data and information’.
In its resolution of 11 February 2015 on anti-terrorism measures, the Parliament restated its call on the Member States to make optimal use of existing databases, and reiterated that ‘all data collection and sharing, including by EU agencies such as Europol, should be compliant with EU and national law and based on a coherent data protection framework offering legally binding personal data protection standards at an EU level’.
In its resolution of 6 July 2016 on the strategic priorities for the Commission work programme 2017, the Parliament called on the Commission to present proposals to improve and develop existing information systems, address information gaps and move towards interoperability.

Council and European Council starting positions

The European Council has repeatedly called to reinforce the management of the EU’s external borders in order to cope with migration pressure and security challenges.
The European Council’s strategic guidelines for justice and home affairs of June 2014 identified the need to improve the link between the EU’s internal and external policies, and called for the intensification of operational cooperation among Member States, ‘while using the potential of information and communication technologies’ innovations’.
In its conclusions of 15 October 2015, the European Council called for devising ‘technical solutions to reinforce the control of the EU’s external borders to meet both migration and security objectives, without hampering the fluidity of movement’. In its conclusions of 17- 18 December 2015, the European Council urged to address the shortcomings at the external borders, notably by ensuring systematic security checks with relevant databases.
On 16 September 2016, the 27 Heads of State or Government attending the Bratislava Summit adopted the Bratislava declaration and roadmap, in which they called for the intensification of cooperation and information exchange, and urged the ‘adoption of the necessary measures to ensure that all persons, including nationals from EU Member States, crossing the Union’s external borders will be checked against the relevant databases, that must be interconnected’.
The Council also called for ‘reinforc[ing] border security through systematic and coordinated checks against the relevant databases based on risk assessment’, and for ‘improving information exchange and accessibility, especially by ensuring the interoperability of different information systems’ in its conclusions of 10 June 2015 on the renewed European Union internal security strategy 2015-2020.
On 6 June 2016, the Council Presidency put forward a roadmap to enhance information exchange and information management including interoperability solutions in the area of justice and home affairs. In a note on IT measures related to border management, presented on 3 October 2016, the Council Presidency maintained that well-functioning information architecture constituted a prerequisite for effective border management.

Preparation of the proposal

In April 2016, the European Commission adopted a communication on stronger and smarter information systems for borders and security, in which it identified a number of key shortcomings in the existing information systems and explored options on how existing and future information systems could enhance external border management and internal security.
With regard to the SIS, the communication outlined several possible developments: the creation of SIS alerts on irregular migrants subject to return decisions; the use of facial images for biometric identification; the automatised transmission of information on a hit following a check; and the creation of a new alert category on ‘wanted unknown persons’.
In June 2016, the high-level expert group on information systems and interoperability (HLEG) was established to work on a joint strategy to make data management in the EU more effective and efficient. The HLEG is composed of high-level representatives of the Commission, Member States, associated members of the Schengen area (Iceland, Norway and Switzerland), EU agencies (eu-LISA, Frontex, the European Union Agency for Fundamental Rights (FRA), the European Asylum Support Office (EASO) and Europol) and the Counter-terrorism Coordinator.
The Council Secretariat and representatives of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) participate as observers.
The HLEG’s interim report, presented in December 2016, emphasised the need to raise the standards of data quality and data usage, and identified priority options to be considered in promoting information systems interoperability.
The comprehensive evaluation of the SIS II, finalised by the Commission in December 2016, found that, despite the ‘obvious success’ of the system, changes were needed in order to provide a better response to ongoing security and migration challenges.
The report emphasised the need to reinforce the use of the SIS for counter-terrorism purposes, to clarify the situation of children who are under threat of parental abduction, to extend the use of biometric identifiers and to enhance security standards, data quality and the transparency of SIS.
In the preparation of the proposal, the Commission took into account the results of consultations with relevant stakeholders, such as the SISVIS committee, the SIS II supervision coordination group, and the Member States’ national data protection authorities. The Commission did not carry out an impact assessment but relied on the findings of three independent studies.

The changes the proposal would bring

New alerts and checks

The proposal would introduce a new alert category of ‘unknown wanted persons’ who are connected to a crime, for example persons whose fingerprints are found on a weapon used in a crime.
The scope of the existing alert on missing persons would be extended to allow national authorities to issue preventive alerts for children who are at high risk of parental abduction. The proposal would establish an obligation on the Member States to create SIS alerts for cases related to terrorist offences.
A new ‘inquiry check’ would allow authorities to question a person more thoroughly than in the case of a discreet check, in order to gather more information about the person and to decide on whether further action should be taken. This new type of check is intended to support measures to counter terrorism and serious crime. The proposal would further expand the list of objects for which alerts can be issued, to cover, for example, blank official documents, issued identity papers, vehicles, falsified documents and falsified banknotes.

Extended use of biometrics

The proposal would provide for more effective use of existing biometrics, such as facial imaging and fingerprints and introduce new elements of biometric identifiers, such as palm prints and DNA profiles. It would be mandatory to carry out a fingerprint search if the identity of the person cannot be ascertained in any other way. The system would allow for the storage of fingerprints of ‘unknown wanted persons’. DNA profiles could be used in the case of missing persons who need to be placed under protection when fingerprint or palm prints are not available.

Wider access for law enforcement authorities

The proposal would grant access to SIS to national authorities responsible for examining conditions, and taking decisions, relating to entry, stay, and return of third-country nationals on the territory of Member States.
The extension of access to various immigration authorities would enable the consultation of SIS in relation to irregular migrants who have not been checked at a regular border control. Registration authorities for boats and aircraft would receive limited access to SIS to carry out their tasks, provided that they are governmental services. Europol would receive full access rights to SIS, including to alerts on missing persons. The European border and coast guard agency and its teams would be allowed to access SIS when carrying out operations in support of Member States.

Enhanced data protection and security

The proposal would allow to enter more detailed information in alerts, such as whether a person is involved in terrorism-related activities (as defined by Articles 1-4 of Council Framework decision 2002/475/JHA on combating terrorism), details of a person’s identity or travel documents, and other person-related remarks.
It would expand the list of personal data to be entered and processed in SIS for the purpose of dealing with misused identities. It would provide for the recording of the details of data subjects’ personal identification documents and make it possible to categorise missing children according to the circumstances of their disappearance.
The proposal would introduce additional safeguards to ensure that the collection and processing of, and access to, data is limited to what is strictly necessary, in full respect of EU legislation and fundamental rights. It would provide for specific alert-deletion rules and reduce the retention period for object alerts.
According to the proposal, Member States would be prohibited from copying data entered by another Member State into other national data files.
The proposal would establish a uniform set of rules and obligations for end-users (officers on the ground) on how to access and process SIS data in a secure way. In order to ensure proper monitoring of SIS, eu-LISA would be charged with providing daily, monthly and annual statistics on how the system is used.

Budgetary implications

The estimated costs related to the proposal amount to €64.3 million for the 2018-2020 period and would serve to cover, among other things, implementing the changes provided for in the proposed revision of SIS in the field of police cooperation and judicial cooperation in criminal matters. Each Member State would receive a lump sum of €1.2 million to upgrade its national system. The budget would be secured through a re-programming of the smart borders envelope of the Internal Security Fund.

Advisory committees
The advisory committees are not mandatorily consulted on this proposal.

National parliaments
To date, none of the national parliaments has submitted a reasoned opinion on the compatibility of the proposal with the principle of subsidiarity.

Stakeholders’ views
This section aims to provide a flavour of the debate and is not intended to be an exhaustive account of all different views on the proposal. Additional information can be found in related publications listed under EP supporting analysis.
No major stakeholder has issued a position on the Commission’s proposal so far.

Legislative process
The legislative proposal (COM(2016) 883), adopted on 21 December 2016, falls under the ordinary legislative procedure (2016/0409(COD)) and, within the European Parliament, has been assigned to the Committee on Civil Liberties, Justice and Home Affairs (LIBE). Work in the committee is still at an early stage. In the Council, the working party for Schengen matters is likewise still at an early stage in its examination of the proposal.

EP supporting analysis
– Bakowski, P., Puccio, L., Foreign fighters – Member State responses and EU action, EPRS, March 2016.
– van Ballegooij, W., The cost of non-Schengen: Civil liberties, justice and home affairs aspects, EPRS, September 2016.
– Gatto, A., Carmona, J., European Border and Coast Guard System, EPRS, October 2016.
– Gatto, A., Goudin, P., Niemenen, R., Schengen area: Update and state of play, EPRS, March 2016.
– Malmersjo, G., Remáč, M., Schengen and the management of the EU’s external borders, Implementation appraisal, EPRS, April 2016.
– Voronova, S., Combating terrorism, EPRS, July 2016.

Other sources
Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, European Parliament, Legislative Observatory (OEIL).

Disclaimer and Copyright
The content of this document is the sole responsibility of the author and any opinions expressed therein do not necessarily represent the official position of the European Parliament. It is addressed to the Members and staff of the EP for their parliamentary work. Reproduction and translation for non-commercial purposes are authorised, provided the source is acknowledged and the European Parliament is given prior notice and sent a copy.
© European Union, 2017.

eprs@ep.europa.eu http://www.eprs.ep.parl.union.eu (intranet) http://www.europarl.europa.eu/thinktank (internet) http://epthinktank.eu (blog)
First edition. The EU Legislation in Progress briefings are updated at key stages throughout the legislative procedure.

TERROR AND EXCLUSION IN EU ASYLUM LAW CASE – C-573/14 LOUNANI (GRAND CHAMBER, 31 JANUARY 2017)

ORIGINAL PUBLISHED ON EUROPEAN LAW BLOG  ON  MARCH 3, 2017 (NB: EMPHASIS ARE ADDED)

By Stephen Coutts

The on-going conflict in the Middle East has profound implications for the global legal order in two areas of law in particular: asylum law and anti-terrorist law.

The European Union and EU law have not been immune from this development and in many respects are closely affected by these geopolitical developments and their legal impact. After a fitful start, the EU has become a major actor in the area of criminal law, and in particular anti-terrorist law, on the one hand and in asylum law on the other.[1]

The two fields meet in Article 12(2)(c) of the Qualification Directive, itself reflecting Article 1F of the Geneva convention,[2] providing that an individual shall be excluded from eligibility for refugee status for acts contrary to the principles and purposes of the United Nations, acts which have been held to include acts of terrorism.

Furthermore, Article 12(3) of the Qualification Directive extends that exclusion to ‘persons who instigate or otherwise participate in the commission of the crimes or acts’ mentioned in Article 12(2). The status of terrorist and refugee are legally incompatible and mutually exclusive; one simply cannot be a terrorist and also a refugee. What, however, constitutes a terrorist for the purposes of Article 12 of the Qualification Directive? That essentially is the question at stake in Lounani.

Facts and Background Context

Mr Lounani, a Moroccan national, arrived in Europe in 1991 and initially applied for asylum in Germany where his application was rejected. He moved to Belgium in 1997 and lived there illegally. In 2010 he was convicted of membership of the Moroccan Islamic Combatant Group (MICG), an organisation that has been listed by the United Nations Security Council as a terrorist organisation. It appears he occupied a leading role in the MICG over many years and participated in various aspects of its organisation including fund-raising, forging of documents and arranging the travel of individuals to Iraq.

Crucially, however, he was never convicted of direct terrorist acts and there appears to be some dispute as to whether the MICG and/or individuals Mr Lounani aided in travelling to Iraq themselves participated directly in terrorist acts.

Mr Lounani subsequently claimed asylum in Belgium on the grounds that, following his conviction for terrorist related offences, he would be persecuted upon return to Morocco. An initial decision excluding him from refugee status on the basis of Article 12(2)(c) of the Qualification directive was overturned on review. That decision was in turn appealed to the Conseil d’Etat which stayed the case and referred a number of questions to the Court of Justice asking essentially if the exclusion clause operated only in relation to terrorist acts as defined in Article 1 of the Framework Decision on Combatting Terrorism (FDCT)[4] or if ancillary acts of participation in terrorist organisation and facilitating the commission of terrorist acts could be considered contrary to the principles and values of the UN as referred to in Articles 12(2)(c) and 12(3)[5] of the Qualification Directive.

Finally, if so, the Conseil d’Etat queried if a criminal conviction would automatically lead to the application of the exclusion clause.

Opinion of AG Sharpston[6]  Continue reading

The  European Union’s  Policies  on  Counter-Terrorism. Relevance,  Coherence and Effectiveness

FULL TEXT (226 pages) ACCESSIBLE HERE 

(*)This research paper was requested by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs and was commissioned, overseen and published by the Policy Department for  Citizens’ Rights and  Constitutional  Affairs. (January 2017)

AUTHORS :
(PwC) : Wim  WENSINK, Bas WARMENHOVEN, Roos HAASNOOT, Rob  WESSELINK, Dr  Bibi   VAN  GINKEL,
 International  Centre for  Counter-Terrorism (ICCT)  – The  Hague:  Stef WITTENDORP,  Dr  Christophe  PAULUSSEN, Dr  Wybe  DOUMA, Dr  Bérénice  BOUTIN,  Onur  GÜVEN, Thomas  RIJKEN, With   research   assistance   from:   Olivier  VAN   GEEL,   Max   GEELEN,   Geneviève   GIRARD,   Stefan HARRIGAN, Lenneke  HUISMAN,  Sheila  JACOBS  and  Caroline TOUSSAINT.

EXECUTIVE SUMMARY (emphasis are added)

Background and aim

The series of recent terrorist attacks, as well as the various foiled and failed terrorist plots on European soil, have more than ever reinforced the popular awareness of the vulnerabilities that go hand-in-hand with the open democracies in the European Union (EU). The fact that these attacks followed each other with short intervals, but mostly due to the fact that they often did not fit the profile and modus operandi of previous attacks, have significantly contributed to the difficulty for security agencies to signal the threats as they are materialising. The modi operandi used showed a diversity of targets chosen, were committed by a variety of actors including foreign fighter returnees, home-grown jihadist extremists, and lone actors, and were executed with a variety of weapons or explosives. Furthermore, another complicating factor is the trend towards the weaponisation of ordinary life  in  which  a truck or  a kitchen  knife already  fulfils the purpose.

Governments, policy-makers, and politicians in most EU Member States feel the pressure of the population who call for adequate responses to these threats. Similarly, the various actors of the EU on their own accord, or the European Council driven by (some) Member States, have stressed the importance of effective responses to these increased threats, and have specifically underlined the importance of sharing of information and good cooperation. Very illustrating in this respect are the conclusions adopted during the European Council meeting of 15 December 2016, in which the European Council stressed the importance of the political agreement on the Counter-Terrorism Directive, emphasised the need to swiftly adopt the proposals on regulation of firearms and anti-money laundering, as well as the implementation of the new passenger name record (PNR) legislation.1 The European Council furthermore welcomed the agreement on the revised Schengen Borders Code, and stressed the importance of finding agreement on the Entry/Exit System and the European Travel   Information  and   Authorisation  System.2

Although the easy way to satisfy the call for action by the national populations seems to be to just take action for the sake of it, the responsibility lies with the relevant actors, in line with the objectives and principles of the EU Treaty and the values the EU represents 3, to actually assess the security situation, and implement, amend or suggest (new) policies that are adequate, legitimate, coherent and effective in the long run. It is with that objective in mind that this study, commissioned by the European Parliament, has made an assessment of the current policy architecture of the EU in combating terrorism, particularly looking into loopholes, gaps or overlap in policies in areas ranging from international and inter-agency cooperation, data exchange, external border security, access to firearms and explosives, limiting the financing of terrorist activities, criminalising terrorist behaviour and prevention of radicalisation. This study furthermore looks into the effectiveness of the implementation of  policies in Member States  and  the  legitimacy and coherence  of  the  policies.

Seven major policy themes were selected and addressed in depth by this study:

  • Measures and tools for operational cooperation and intelligence/law enforcement and judicial information exchange;
  • Data collection and database access and interoperability;
  • Measures to enhance external border security;
  • Measures to combat terrorist financing;
  • Measures to reduce terrorists’ access to weapons and explosives; . Criminal justice measures;
  • Measures to combat radicalisation and recruitment.

The research team has assessed the degree of implementation of EU counter-terrorism measures under these seven themes in a selection of seven Member States: Belgium, Bulgaria, France, Germany, the Netherlands, Slovakia and Spain. This study sets out policy options for the future direction of EU counter-terrorism policy. The focus of policy options is on future threats and developments, and on developing creative yet feasible policy solutions.

Main findings Continue reading