The  European Union’s  Policies  on  Counter-Terrorism. Relevance,  Coherence and Effectiveness

FULL TEXT (226 pages) ACCESSIBLE HERE 

(*)This research paper was requested by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs and was commissioned, overseen and published by the Policy Department for  Citizens’ Rights and  Constitutional  Affairs. (January 2017)

AUTHORS :
(PwC) : Wim  WENSINK, Bas WARMENHOVEN, Roos HAASNOOT, Rob  WESSELINK, Dr  Bibi   VAN  GINKEL,
 International  Centre for  Counter-Terrorism (ICCT)  – The  Hague:  Stef WITTENDORP,  Dr  Christophe  PAULUSSEN, Dr  Wybe  DOUMA, Dr  Bérénice  BOUTIN,  Onur  GÜVEN, Thomas  RIJKEN, With   research   assistance   from:   Olivier  VAN   GEEL,   Max   GEELEN,   Geneviève   GIRARD,   Stefan HARRIGAN, Lenneke  HUISMAN,  Sheila  JACOBS  and  Caroline TOUSSAINT.

EXECUTIVE SUMMARY (emphasis are added)

Background and aim

The series of recent terrorist attacks, as well as the various foiled and failed terrorist plots on European soil, have more than ever reinforced the popular awareness of the vulnerabilities that go hand-in-hand with the open democracies in the European Union (EU). The fact that these attacks followed each other with short intervals, but mostly due to the fact that they often did not fit the profile and modus operandi of previous attacks, have significantly contributed to the difficulty for security agencies to signal the threats as they are materialising. The modi operandi used showed a diversity of targets chosen, were committed by a variety of actors including foreign fighter returnees, home-grown jihadist extremists, and lone actors, and were executed with a variety of weapons or explosives. Furthermore, another complicating factor is the trend towards the weaponisation of ordinary life  in  which  a truck or  a kitchen  knife already  fulfils the purpose.

Governments, policy-makers, and politicians in most EU Member States feel the pressure of the population who call for adequate responses to these threats. Similarly, the various actors of the EU on their own accord, or the European Council driven by (some) Member States, have stressed the importance of effective responses to these increased threats, and have specifically underlined the importance of sharing of information and good cooperation. Very illustrating in this respect are the conclusions adopted during the European Council meeting of 15 December 2016, in which the European Council stressed the importance of the political agreement on the Counter-Terrorism Directive, emphasised the need to swiftly adopt the proposals on regulation of firearms and anti-money laundering, as well as the implementation of the new passenger name record (PNR) legislation.1 The European Council furthermore welcomed the agreement on the revised Schengen Borders Code, and stressed the importance of finding agreement on the Entry/Exit System and the European Travel   Information  and   Authorisation  System.2

Although the easy way to satisfy the call for action by the national populations seems to be to just take action for the sake of it, the responsibility lies with the relevant actors, in line with the objectives and principles of the EU Treaty and the values the EU represents 3, to actually assess the security situation, and implement, amend or suggest (new) policies that are adequate, legitimate, coherent and effective in the long run. It is with that objective in mind that this study, commissioned by the European Parliament, has made an assessment of the current policy architecture of the EU in combating terrorism, particularly looking into loopholes, gaps or overlap in policies in areas ranging from international and inter-agency cooperation, data exchange, external border security, access to firearms and explosives, limiting the financing of terrorist activities, criminalising terrorist behaviour and prevention of radicalisation. This study furthermore looks into the effectiveness of the implementation of  policies in Member States  and  the  legitimacy and coherence  of  the  policies.

Seven major policy themes were selected and addressed in depth by this study:

  • Measures and tools for operational cooperation and intelligence/law enforcement and judicial information exchange;
  • Data collection and database access and interoperability;
  • Measures to enhance external border security;
  • Measures to combat terrorist financing;
  • Measures to reduce terrorists’ access to weapons and explosives; . Criminal justice measures;
  • Measures to combat radicalisation and recruitment.

The research team has assessed the degree of implementation of EU counter-terrorism measures under these seven themes in a selection of seven Member States: Belgium, Bulgaria, France, Germany, the Netherlands, Slovakia and Spain. This study sets out policy options for the future direction of EU counter-terrorism policy. The focus of policy options is on future threats and developments, and on developing creative yet feasible policy solutions.

Main findings Continue reading

The Mejiers Committee on the inter-parliamentary scrutiny of Europol

ORIGINAL PUBLISHED ON THE MEJIERS COMMITTE (*) PAGE  HERE

  1. Introducton

Article 88 TFEU provides for a unique form of scrutiny on the functioning of Europol. It lays down that the [regulations on Europol] shall also lay down the procedures for scrutiny of Europol’s activities by the European Parliament, together with national Parliaments.

Such a procedure is now laid down in Article 51 of the Europol Regulation (Regulation (EU) 2016/794), which provides for the establishment of a “specialized Joint Parliamentary Scrutiny Group (JPSG)”, which will play the central role in ensuring this scrutiny. The Europol Regulation shall apply from 1st of May 2017.

Article 51 of the Europol Regulation also closely relates to Protocol (1) of the Lisbon Treaty on the role of national parliaments in the EU. Article 9 of that protocol provides: “The European Parliament and national Parliaments shall together determine the organization and promotion of effective and regular inter-parliamentary cooperation within the Union.”

Article 51 (2) does not only lay down the basis for the political monitoring of Europol’s activities (the democratic perspective), but also stipulates that “in fulfilling its mission”, it should pay attention to the impact of the activities of Europol on the fundamental rights and freedoms of natural persons (the perspective of the rule of law).

The Meijers Committee takes the view that improving the inter-parliamentary scrutiny of Europol, with appropriate involvement of both the national and the European levels, will by itself enhance the attention being paid by Europol on the perspectives of democracy and the rule of law, and more in particular the fundamental rights protection. It will raise the alertness of Europol as concerns these perspectives.

Moreover, the scrutiny mechanism could pay specific attention to the fundamental rights protection within Europol. This is particularly important in view of the large amounts of – often sensitive – personal data processed by Europol and exchanged with national police authorities of Member States and also with authorities of third countries.

The implementation of Article 51 into practice is currently debated, e.g. in the inter-parliamentary committee of the European Parliament and national parliaments.1 As specified by Article 51 (1) of the Europol regulation, the organization and the rules of procedure of the JPSG shall be determined.

The Meijers Commitee wishes to engage in this debate and makes, in this note, recommendations on the organization and rules of procedure.

  1. Context

Continue reading

The time has come to complain about the EU Terrorism Directive

By Maryant Fernández Pérez

Nearly a year has passed since we told that you’d be now complaining about the Terrorism Directive. On 16 February, Members of the European Parliament (MEPs) will vote on the draft Terrorism Directive. EU policy-makers have meaningfully addressed only very few of the concerns that EDRi and other NGOs have raised since the beginning of the EU legislative process.

We worked hard during the elaboration of the Terrorism Directive at the EU level: we defended digital rights since the very beginning, providing policy-makers with expert input; we joined forces with other digital rights organisations; and raised our voice against key proposals together with NGOs like Amnesty International, Human Rights Watch (HRW), the International Commission of Jurists (ICJ), the Open Society Foundations (OSF), the European Network Against Racism (ENAR) and the Fundamental Rights European Experts (FREE) Group (see our joint statements here and here). As a result of the hard work and numerous exchanges with policy-makers, not everything in the Directive is bad for digital rights.

What’s good?

Unfortunately, not as much as we would like. However, there are still some positives. Several provisions that we had advocated for are part of the final text, for example an assurance, in principle, of being able to express radical, polemic or controversial views.

We managed to eliminate mandatory internet “blocking”, and some safeguards were introduced with regard to removing and blocking online content and limiting when the absurdly vague concept of unduly compelling a government can constitute a terrorist offence. We also killed some bad proposals that, for instance, tried to undermine encryption and the use of TOR.

What’s wrong?

From a digital rights perspective, there is a long list of bad elements that the European Commission, EU Member States* and the majority of the MEPs of the European Parliament’s Committee on Civil Liberties (LIBE) have introduced and/or kept in the draft Terrorism Directive, including the following:

To sum up, it took a year and two months to conclude a legislative instrument that endangers the protection of our rights and freedoms. This compares badly with the time that it took the EU to conclude an instrument to protect fundamental rights, such as the General Data Protection Regulation (five years, and two more years until it enters into force). Obvious, depressing, conclusions can be drawn about the priorities that drove different parts of the EU decision-making process in both cases.

Therefore, we urge the European Parliament to vote against this Directive or at least vote in favour of some of the amendments proposed to improve some of the elements listed above.

What can you do?

You can raise awareness and contact your MEPs prior to the debate on 15 February (starting around 3pm CET) and the vote on the Directive on 16 February (around 12pm CET). After the vote, it will be the turn of your Member State to implement the Directive and give meaning to the ambiguous provisions of the Directive. If the Terrorism Directive is adopted, civil society should look closely how their national parliaments will implement it, so it will not lead to abusive provisions. Ultimately, yet again, we will have to rely on the courts to be the guardians of our civil liberties.

If you have any questions, don’t hesitate to contact us!

The Ever-expanding National Security State in Europe: the Case of Poland

by Luigi LIMONE (*)

One of the most alarming developments across the European Union is the effort by States to make it easier to invoke and prolong a “state of emergency” as a response to terrorism or the threats to violent attacks. Emergency measures, which are generally supposed to be temporary, have become embedded in ordinary criminal law. Parliaments across the European Union are adopting a number of coercive measures in fast-truck processes, leaving little time for consideration on their impact on human rights and civil liberties.

In compliance with international human rights law, exceptional measures should only be applied in genuinely exceptional circumstances and, as stated by Article 15 of the European Convention on Human Rights (ECHR), “in time of war or other public emergency threatening the life of the nation”.

Nevertheless, phenomena such as the rise of nationalist parties, anti-refugee sentiment, stereotyping and discrimination against Muslims communities, intolerance for speech or other forms of expression, risk that this “emergency measures” will target certain people for reasons which have nothing to do with a genuine threat to national security or from terrorist-related acts.

Up to now, France is the only EU Member State to have formally declared a state of emergency on national security grounds for terrorism-related acts on the last couple of years. However, other Member States have passed laws in fast-track processes and engaged in operations in response to real or perceived security threats. A clear example comes from Austria and Hungary, which have recently invoked the threat of terrorism in the context of the refugee crisis with profoundly negative impact on the right to seek and enjoy asylum in Europe.

One of the countries which is currently attracting the attention of several NGOs working in the field of human rights protection is Poland. Several cases of human rights violations as well as dismantlement of the rule of law have been reported since the Law and Justice (Prawo i Sprawiedliwość) party came to power in October 2015.

In June 2016, Poland enacted a new Counter-terrorism Law following a fast-track legislative process. This law consolidates sweeping powers in the hands of the Internal Security Agency (ISA) and, combined with other recent legislative amendments, it creates conditions for violations of the rights to liberty, privacy, fair trial, expression, peaceful assembly and non-discrimination.

The new Counter-terrorism Law gives a broad and vague definition of terrorism which paves the way for: a) the expansion of indiscriminate mass surveillance powers; b) the targeting of foreign nationals; c) the extension of pre-charge detention.

According to Amnesty International, such an ill-defined and imprecise definition allows for disproportionate interference with human rights as well as arbitrary application and abuse.

The UN Human Rights Committee recommended in October 2016 that a definition be adopted that “does not give the authorities excessive discretion or obstruct the exercise of rights”.

The Counter-terrorism law includes provision for the Director of the Internal Security Agency to order the immediate blocking of specific websites with no prior judicial authorization if he or she considers that a delay could result in “terrorist incident”. Such a provision compromises the right to freedom of expression, including the right to seek, receive and impart information.

Freedom of peaceful assembly is also under threat under the new Counter-terrorism Law.

The Law, in fact, establishes a terror alert system which, if it reaches the level of three or four, allows the authorities to ban assemblies and large-scale events in particular locations.

The lack of transparency in the operation of the alert system, together with the vague definition of terrorism, could result in violations of the right to peaceful assembly and freedom of expression. As a result, the terror alert system could be used by the government as an excuse to ban peaceful public protests against its policy on a wide range of issues, including abortion or Lesbian, Gay, Bisexual, Transgender and Intersex (LGBTI) rights.

Foreign nationals in Poland are particular targets of the new Counter-terrorism Law. They can be subjected to a range of covert surveillance measures, including wire-tapping, monitoring of electronic communications and surveillance of telecommunication networks and devices without any judicial oversight for the first three months.

Such surveillance is permitted if there is a “fear” that a foreign national may be involved in terrorism-related activities. In addition, the Law does not provide procedural safeguards to ensure that anyone made aware of surveillance can challenge it and have access to an effective remedy against unlawful surveillance. It also impacts Polish citizens who communicate or live with foreigners under investigation.

Poland’s new Counter-terrorism Law also provides for 14 days of detention without charge of people suspected of “terrorist crimes”. Since such detention measures can be adopted on the basis of information obtained through the broad surveillance powers given to the executive, the suspects and their lawyer may be denied access to the evidence upon which the pre-charge detention is based. Given the fact that the new surveillance powers primarily target foreigners, such measures could discriminate against non-nationals and have a disproportionate impact on foreign individuals, their families and communities.

Furthermore, the situation in Poland appears very critical when it comes to criminal law and to protection from discrimination and hate crimes in particular. While the country has made some progress in addressing hate crimes against certain groups, it has left others entirely behind, thus creating a double system and a significant protection gap in law as well as in practice.

Polish criminal law provides for the investigation and prosecution of hate crimes motivated by race, ethnicity, nationality, religion and political affiliation. However, it does not establish that age, disability, gender, gender identity and expression, sexual orientation and social or economic status are grounds to investigate and prosecute hate crimes.

As stated in a report published by Amnesty International in September 2015, members of ethnic minorities, refugees, asylum-seekers and migrants continue to experience discrimination and violence in practice. In addition, transgender and intersex people are not explicitly protected from discrimination on grounds of gender identity and expression, and protection on the grounds of disability and religion is limited as well.

The situation is particularly crucial with regard to discrimination motivated by gender identity as well as expression and sexual orientation. LGBTI people are not sufficiently protected, as demonstrated by the huge number of homophobic and transphobic hate crimes. As far as women and girls are concerned, they continue to face obstacles in accessing legal and safe abortion and frequent cases of sexual harassment and rape are still being reported.

The current legal framework governing abortion in Poland is one of the most restrictive in Europe with terminations legally permitted only when the life of the foetus is under threat, when there is a grave threat to the health of the mother and in the instance that the pregnancy resulted from rape or incest.

A new bill proposing to further restrict sexual and reproductive rights was submitted to Parliament on 5 July 2016. The restrictive measure is intended to ban abortion in all circumstances except for when it is considered to be the only means available to save a woman’s life. It would also criminalize women and girls who are found to have obtained abortion as well as the people encouraging or assisting them to do so.

Following mass protests and women’s strikes, the bill has been eventually rejected but the government, supported by the Polish Catholic church, has announced that it is considering other restrictions, including a total ban of emergency contraception and of the morning after-pill in particular.

In conclusion, significant deterioration in several areas has been observed since the Law and Justice party’s assumption of power in October 2015. A total of 148 new laws and legislative amendments have been enacted since then, which have led to serious violation of several fundamental rights enshrined in international human rights treaties, including the right to life, health and freedom from torture and other inhuman or degrading treatment as well as the right to privacy, information, equality and non-discrimination.

(*) FREE Group Trainee

Sources:

– Dangerously Disproportionate: The Ever-expanding National Security State in Europe, by Amnesty International, 17 January 2017, Index number: EUR 01/5342/2017

– Poland: Submission to the United Nations Human Rights Committee – 118th session, 17 Oct.-04 Nov. 2016, Index number: EUR 37/4849/2016

– Poland: Dismantling Rule of Law?, Amnesty International Submission for the UN Universal Periodic Review – 27th Session of the Upr Working Group, April/May 2017,  EUR: 37/5069/2016

 

Foreign fighters’ helpers excluded from refugee status: the ECJ clarifies the law

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Steve Peers

What if a person claiming to be a refugee is an alleged terrorist, or at least giving assistance to alleged terrorists? Can they still claim to be a refugee – and if not, how should we define ‘terrorism’ for the purposes of rejecting their claim to be one? Today’s judgment of the EU Court of Justice in the Lounani case usefully clarifies some aspects of this controversial and legally complex issue, but inevitably leaves some difficult questions open.

Legal framework

The starting point for this issue is the wording of the UN Refugee Convention, known by the EU as the ‘Geneva Convention’, which contains an ‘exclusion’ clause in Article 1.F:

  1. The provisions of this Convention shall not apply to any person with respect to whom there are serious reasons for considering that:

(a) he has committed a crime against peace, a war crime, or a crime against humanity, as defined in the international instruments drawn up to make provision in respect of such crimes;

(b) he has committed a serious non-political crime outside the country of refuge prior to his admission to that country as a refugee;

(c) he has been guilty of acts contrary to the purposes and principles of the United Nations.

The UN rules (which all EU Member States have signed up to) have been transposed, but with variations, in the EU’s Qualification Directive, which applies to every Member State except Denmark. (Technically the UK and Ireland are bound only by the first version of this Directive, but the rules on exclusion haven’t changed).  Article 12(3) of that Directive reads as follows:

  1. A third-country national or a stateless person is excluded from being a refugee where there are serious reasons for considering that:

(a) he or she has committed a crime against peace, a war crime, or a crime against humanity, as defined in the international instruments drawn up to make provision in respect of such crimes;

(b) he or she has committed a serious non-political crime outside the country of refuge prior to his or her admission as a refugee, which means the time of issuing a residence permit based on the granting of refugee status; particularly cruel actions, even if committed with an allegedly political objective, may be classified as serious non-political crimes;

(c) he or she has been guilty of acts contrary to the purposes and principles of the United Nations as set out in the Preamble and Articles 1 and 2 of the Charter of the United Nations.

  1. Paragraph 2 applies to persons who incite or otherwise participate in the commission of the crimes or acts mentioned therein.

It can be seen that the EU rules differ from the UN rules to the extent that: they add some wording on the timing and nature of ‘serious non-political crimes’; they clarify the reference to acts contrary to UN ‘purposes and principles’; and they apply the exclusion to those who ‘incite or otherwise participate’ in all three categories of acts leading to exclusion.

Despite this attempt at clarification, there will always be issues of interpreting these rules. The EU Court has ruled on them once before, in its judgment in B and D, when it stated that first of all that the second and third exclusion clauses can apply to terrorist offences.  However, exclusion must be assessed in each individual case, meaning that membership of a group listed as ‘terrorist’ in EU foreign policy sanctions against terrorists does not automatically trigger the exclusion clause, although it is a ‘factor’ to consider. Participating in a terrorist group, as defined by EU criminal law on terrorism, does not automatically trigger the exclusion clause either. Instead, there must be direct involvement by the person concerned in such offences, as further explained by the Court. Furthermore, there is no additional ‘proportionality’ or ‘present danger’ test for exclusion. Finally, the exclusion clause is mandatory: ie Member States cannot assert a right to apply higher standards and give someone refugee status if they fall within the exclusion criteria.

The judgment

What does today’s judgment add? The person concerned was convicted of participating in a terrorist group, but not of carrying out any terrorist acts as such. So is such a conviction sufficient to trigger the exclusion clause?

The EU court ruled that it was. First of all, the preamble to the EU Directive referred to UN Resolutions on ‘financing, planning and inciting’ terrorism; so the third exclusion clause goes beyond terrorist acts as such. Secondly, the EU legislature had not intended to match the exclusion clause in asylum law with the narrower definition of terrorism in (current) EU criminal law legislation.

Next, the EU court ruled that following a later UN Security Council Resolution, assisting with recruitment, organisation or transport of ‘foreign fighters’ could also fall within the scope of the exclusion clause. So could ‘participation’ in such activities, pursuant to Article 12(3) of the EU Directive. It was relevant that the group in question was listed as terrorist by the UN Security Council, and particularly relevant that the person concerned had been convicted of terrorist offences in Belgium.

Comments

The Court’s judgment asserts a broad scope of the exclusion clause, meaning that a degree of support for ‘foreign fighters’ will also result in exclusion from refugee status. In doing so, it answers the claims of those who believe that many refugees are ‘jihadists’. Simply put, anyone who has been directly involved in terrorist acts (B and D) or in facilitating the activities of ‘foreign fighters’ (today’s judgment) is not entitled to refugee status. Although the judgment does not mention it, this aligns the interpretation of the exclusion clause to some extent with recent developments in criminal law, namely the 2015 Protocol to the Council of Europe Convention on the prevention of terrorism, and the agreed revision of the EU’s anti-terrorism laws.

But the judgment cannot help leaving some difficult questions open. What if the asylum-seeker has not been convicted of terrorist offences anywhere, but there are allegations of such action? Since a conviction is particularly relevant to applying the exclusion clause, would a lack of such conviction conversely be particularly relevant in determining that the clause should not apply? Would that assessment be different if the person had been acquitted, or if an investigation or trial was pending? If the criminal law process was pending, should the asylum determination process be put on hold? What if the authorities had claimed to have information supplied from the security services, and were reluctant to bring criminal proceedings in order to preserve their sources and intelligence capability?

What if there is a criminal conviction for terrorism from another country – particularly in the asylum-seeker’s country of origin, which might define criticism of the government as ‘terrorism’? Similarly what about ‘provocation’ to terrorism, which might include ‘glorification’ of terrorist acts, according to the revised EU criminal law? Here the question is to what extent freedom of expression, not directly connected to violent acts, might justify a refusal of refugee status. Recent acts remind us that as far as criminal law is concerned, terrorist acts – and the climate of hatred that surrounds them – are not confined to Islamist extremists, but stem also from those who fanatically hate minority groups as well.

TELE2 SVERIGE AB AND WATSON ET AL: CONTINUITY AND …RADICAL CHANGE

ORIGINAL PUBLISHED ON EUROPEAN LAW BLOG  (JANUARY 12, 2017)
By Orla Lynskey

 

Introduction

The CJEU delivered its judgment in Tele2 Sverige AB and Watson on 21 December 2016. The Court had been asked by a Swedish and British court respectively to consider the scope and effect of its previous judgment in Digital Rights Ireland (discussed here). The judgment reflects continuity in so far as it follows in the line of this, and earlier judgments taking a strong stance on data protection and privacy. Yet, the degree of protection it offers these rights over competing interests, notably security, is radical. In particular, the Court unequivocally states that legislation providing for general and indiscriminate data retention is incompatible with the E-Privacy Directive, as read in light of the relevant EU Charter rights. While the judgment was delivered in the context of the E-Privacy Directive, the Court’s reasoning could equally apply to other EU secondary legislation or programmes interpreted in light of the Charter. This judgment will be a game-changer for state surveillance in Europe and while it offered an early Christmas gift to privacy campaigners, it is likely to receive a very mixed reaction from EU Member States as such. While national data retention legislation has been annulled across multiple Member States (Bulgaria, Czech Republic, Cyprus, Germany and Romania), this annulment has been based on an assessment of the proportionality of the relevant measures rather than on a finding that blanket retention is per se unlawful. For those familiar with the facts and findings, skip straight to the comment below.

Facts

The preliminary ruling stems from two Article 267 TFEU references regarding the interpretation of the Court’s judgment in Digital Rights Ireland (henceforth DRI). The first, Tele2 Sverige AB, was a Swedish reference resulting from the refusal by Tele2 Sverige (a Swedish electronic communications provider) to continue to retain electronic communications data following the finding in DRI that the Data Retention Directive was invalid. A dispute regarding the interpretation of DRI ensued and the Swedish Justice Minister commissioned a report to assess the compatibility of Swedish law with EU law and the ECHR. This report concluded that DRI could not be interpreted as prohibiting general and indiscriminate data retention as a matter of principle, or as establishing criteria – all of which must be fulfilled – in order for legislation to be deemed proportionate. Rather, it held that it was necessary to conduct an assessment of all the circumstances in order to determine the compatibility of Swedish legislation with EU law. Tele2 Sverige maintained that the report was based on a misinterpretation of DRI. Given these differing perspectives, the referring court asked the Court to give ‘an unequivocal ruling on whether…the general and indiscriminate retention of electronic communications data is per se incompatible with Articles 7 and 8 and 52(1) of the Charter’ [50].

The second preliminary reference (Watson) arose before the Court of Appeal in the context of applications for judicial review of the UK’s Data Retention and Investigatory Powers Act (DRIPA) on the grounds that this Act was incompatible with the EU Charter and the ECHR. It was disputed before the national court whether DRI laid down ‘mandatory requirements of EU law’ that national legislation for communications data retention and access must respect. The domestic referring court suggested that it was appropriate to distinguish between legislation governing retention, and legislation governing access. DRI was confined to an assessment of the former as it assessed the validity of the Data Retention Directive, which excluded provisions relating to data access. The latter, provisions on data access, must be subject to a distinct validity assessment in light of their differing context and objectives, according to the referring court. The Court of Appeal did not however deem the answer to this question obvious, given that six courts in other EU Member States had declared national legislation to be invalid on the basis of DRI. It therefore asked the Court to consider whether, firstly, DRI lays down mandatory requirements of EU law that would apply to the regime governing access to retained data at national level. It also asked whether DRI expands the scope of the Charter rights to data protection and privacy beyond the scope of Article 8 ECHR. The Watson reference was dealt with pursuant to the expedited procedure provided for in Article 105(1) of the Court’s Rules of Procedure and joined to the Tele2 Sverige reference for oral arguments and judgment.

Findings of the Court

The Scope of the E-Privacy Directive

The Court examined, as a preliminary point, whether national legislation on retention and access to data fell within the scope of the E-Privacy Directive. Article 15(1) of that Directive provides for restrictions to certain rights it provides for when necessary for purposes such as national security and the prevention, investigation, detection and prosecution of criminal offences. Article 15(1) also allows for the adoption of data retention legislation by Member States. However, Article 1(3) of that Directive states that the Directive will not apply to, amongst others, ‘activities concerning public security, defence, State security (…) and the activities of the State in areas of criminal law’. There is thus an apparent internal inconsistency within the Directive.

To guide its findings, the Court had regard to the general structure of the Directive. While the Court acknowledged that the objectives pursued by Articles 1(3) and 15(1) overlap substantially, it held that Article 15(1) of the Directive would be deprived of any purpose if the legislative measures it permits were excluded from the scope of the Directive on the basis of Article 1(3) [73]. Indeed, it held that Article 15(1) ‘necessarily presupposes’ that the national measures referred to therein fall within the scope of that directive ‘since it expressly authorizes the Member States to adopt them only if the conditions laid down in the directive are met’. [73]. In order to support this finding, the Court suggests that the legislative measures provided for in Article 15(1) apply to providers of electronic communications services [74] and extend to measures requiring data retention [75] and access to retained data by national authorities [76]. It justifies this final claim – that the E-Privacy Directive includes data access legislation – on the (weak) grounds that recital 21 of the directive stipulates that the directive’s aim is to protect confidentiality by preventing unauthorised access to communications, including ‘any data related to such communications’ [77]. The Court emphasises that provisions on data access must fall within the scope of the Directive as data is only retained for the purpose of access to it by competent national authorities and thus national data retention legislation ‘necessarily entails, in principle, the existence of provisions relating to access by the competent national authorities to the data retained’ [79]. The Court also noted that the Directive requires providers to establish internal procedures for responding to requests for access based on the relevant provisions of national law [80].

The compatibility of ‘general and indiscriminate’ data retention with EU law

The Court then moved on to consider the most important substantive point in the judgment: the compatibility of ‘general and indiscriminate’ data retention with the relevant provisions of EU law. It began by recalling that the E-Privacy Directive’s overarching aim is to offer users of electronic communications services protection against the risks to fundamental rights brought about by technological advances [83]. It emphasised, in particular, the general principle of confidentiality of communications in Article 5(1) of the Directive and the related safeguards for traffic data and location data (in Articles 6 and 9 respectively), [85-87]. While the Court acknowledged that Article 15(1) of the Directive allows for exceptions to these principles by restricting their scope, it held that this provision must be interpreted strictly. It clearly stated that Article 15(1) cannot permit the exception to the Directive’s confidentiality obligation to become the rule, as this would render the confidentiality obligation meaningless [89].

The Court also emphasised that according to Article 15(1)’s wording it must be interpreted in light of general principles of EU law, thus including the fundamental rights in the EU Charter [91]. The Court noted, with reference to its previous case-law, the importance of the fundamental rights engaged in the current context, namely the right to privacy (Article 7), the right to data protection (Article 8) and the right to freedom of expression (Article 11) ([92]-[93]). The limitations on the exercise of these Charter rights are echoed in the E-Privacy Directive, recital 11 of which states that measures derogating from its principles must be ‘strictly’ proportionate to the intended purpose, while Article 15(1) itself specifies that data retention should be ‘justified’ by reference to one of the  objectives stated in Article 15(1) and be for a ‘limited period’ [95]. In considering whether national legislation complies with these requirements of strict necessity, the Court observed that ‘the legislation provides for a general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’ and that the retention obligation on providers is ‘to retain the data systematically and continuously, with no exceptions’ [97].

Having established the scope of the retention obligation, the Court emphasised the revealing nature of this data and recalled its finding in DRI that the data ‘taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained’ [98]. The Court also stated that the data provides the means of profiling the individual concerned and – importantly – that the information is ‘no less sensitive having regard to the right to privacy, than the actual content of the communications’ [99]. The Court held that general and indiscriminate data retention legislation entailed a particularly serious interference with the rights to privacy and data protection and that the user concerned is, as a result, likely to feel that their private lives are the subject of constant surveillance [100]. It could also, according to the Court, affect the use of means of electronic communication and thus the exercise by users of their freedom of expression [101]. The Court therefore held that only the objective of fighting serious crime could justify national data retention legislation [102].

While the Court acknowledged that the fight against serious crime may depend on modern investigative techniques for its effectiveness, this objective cannot in itself justify the finding that general and indiscriminate data retention legislation is necessary for this fight against crime [103]. It noted in particular that such legislation applies to persons for whom ‘there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences’ and that no exception is made for those whose communications are subject to professional secrecy [106]. As a result of these failings, the Court held that the national legislation exceeds the limits of what is strictly necessary and cannot be considered justified under Article 15(1), read in light of the Charter [107].

The Court did not go so far as to deem all data retention unlawful however. It highlighted that Article 15(1) does not prevent a Member State from introducing legislation that would facilitate targeted retention of traffic and location data for the preventive purpose of fighting serious crime. Such legislation must however be limited to what is strictly necessary in terms of the categories of data retained; the means of communication affected, the persons and the period of time concerned [108]. In particular, such legislation should indicate ‘in what circumstances and under which conditions’ a data retention measure could be adopted as a preventive measure [109]. The Court also emphasised that while the precise contours may vary, data retention should meet objective criteria that establish a connection between the data to be retained and the objective pursued [110]. The national legislation must therefore be evidence-based: this objective evidence should make it possible to ‘identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences’ [111].

Mandatory Requirements of DRI?

Having established the incompatibility of generalised data retention legislation with EU law, the Court then went on to consider whether EU law precludes national data retention and access legislation if that legislation:

  • does not restrict access solely to the objective of fighting serious crime;
  • does not require access to be subject to prior review by a court or independent body
  • and, if it does not require that the data should be retained within the EU [114].

The Court reiterated an early finding that access to retained data must be for one of the exhaustive objectives identified in Article 15(1) of the E-Privacy Directive, and that only the objective of fighting serious crime would justify access to retained data [115]. Such legislation must also set out clear and precise rules indicating when and how competent national authorities should be granted access to such data [117]. The Court also held that national legislation must set out the substantive and procedural conditions governing access based on objective criteria [118-119]. Such access can, ‘as a general rule’ be granted only ‘to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime’ [119]. Access to the data of others might exceptionally be granted where, for instance, vital national interests are threatened by terrorist activities, if there is objective evidence to reflect the effective contribution access to such data could make [119]. As a result, access to retained data should, with the exception of cases of validly established urgency, be subject to a prior review by a court or an independent administrative authority at the request of the competent national authorities [120]. These competent national authorities must also notify the persons affected by the data access, under the applicable national procedures, as soon as such notification no longer jeopardises the investigations. The Court highlighted that such notice is necessary to enable these individuals to exercise their right to a legal remedy pursuant to the Directive and EU data protection law [121].

On the issue of data security, the Court held that Article 15(1) does not allow Member States to derogate from the Directive’s data security provisions, which require providers to take appropriate technical and organisational measures to ensure the effective protection of retained data. The Court held that a particularly high level of data security was appropriate given the quantity and nature of the data retained and the riskiness of this operation. It therefore held that the national legislation must provide for the data to be retained within the EU, and for the irreversible destruction of the data at the end of the data retention period [122]. Member States must also ensure that an independent authority reviews compliance with EU law, as such independent control of data protection compliance is an essential element of the right to data protection set out in Article 8(3) Charter. The Court emphasised the link between such independent supervision and the availability of a legal remedy for data subjects [123]. The Court therefore concluded that national legislation that did not comply with these conditions would be precluded pursuant to Article 15(1) as read in light of the Charter [125]. However, it was for the relevant national courts to examine whether such conditions were satisfied in the present case [124].

Finally, in relation to the UK Court of Appeal’s query regarding the relationship between the EU Charter rights to data protection and privacy and Article 8 ECHR, the Court held that the answer to this question would not affect the interpretation of the E-Privacy Directive and thus matter in these proceedings [131]. It recalled its settled case-law that the preliminary reference procedure serves the purpose of effectively resolving EU law disputes rather than providing advisory opinions or answering hypothetical questions [130]. This did not however prevent it from offering a sneak preview of its thinking on this matter. It emphasised that, while the EU has not acceded to the ECHR, the ECHR does not constitute a formally incorporated element of EU law. It did however note that Article 52(3) seeks to ensure consistency between the Charter and the ECHR without adversely affecting the autonomy of EU law. EU law is not therefore precluded from providing more extensive protection than the ECHR. The Court added that Article 8 of the Charter concerns a fundamental right which is distinct from that enshrined in Article 7 and which has no equivalent in the ECHR. Therefore, while the Court did not answer the question of which offered a wider scope of protection, it did confirm the distinctiveness of these two rights.

Comment

The Tele2 judgment represents a rupture with the past in one very significant way: the Court, for the first time, unequivocally states that blanket data retention measures are incompatible with EU law, read in light of the Charter. This radical finding is likely to receive a mixed reaction. For instance, in the UK some will lament that this judgment comes too late to have influenced the passage into law of the UK’s new data retention legislation, the Investigatory Powers Act, 2016. This legislation – which allows for bulk interception and hacking, amongst other things – should now be found to be incompatible with EU law, with all of the post-Brexit implications for ‘adequacy’ this may entail (also here). Others, such as the UK’s Independent Reviewer of Terrorism Legislation – David Anderson QC – have expressed regret. Anderson QC suggests that:

‘Precisely because suspects are often not known in advance, data retention which is not universal in its scope is bound to be less effective as a crime reduction measure.  In addition, a person whose data has not been retained cannot be exonerated by use of that data (e.g. by using location data to show that the person was elsewhere).’

The Advocate General (here; and commentary here) had similarly noted that data retention could help competent authorities ‘examine the past’ [AG, 178]. He had refused to declare general retention measures per se unlawful, preferring instead to assess the compatibility of data retention legislation against strict proportionality requirements [AG, 116]. His approach could therefore be said to be more nuanced and systematic than that of the Court. While examining proportionality stricto sensu he concluded that it would be for national courts to weigh the benefit of ‘examining the past’ with the potential it would provide for authorities to abuse this power by using metadata to catalogue entire populations, noting that evidence of abuses had been put before the Court [AG, 259-260]. This evidence before the Court might help to refute the critique that the Court should have focused on the actual harm of communications metadata retention ‘and sought to avoid assertions based on theory or informal predictions of popular feeling’.

Blanket retention was not the only important point on which the Court and the Advocate General departed. The Advocate General explicitly claimed that DRI set out mandatory requirements [AG, 221] while the Court did not. The Advocate General was also more stringent than the Court by requiring that data is retained in the relevant Member State [AG, 241] while the Court opted for the marginally more realistic requirement that data is retained in the EU. The Advocate General did not, however, consider Article 15(1) a derogation to the E-Privacy Directive (and therefore not a provision that required strict interpretation). The Court did not however engage with his elaborate reasoning on this point [AG, 106-115]. The Court did however confirm that competent national authorities must notify persons affected by data access as soon as such notification no longer jeopardises the investigation [121]. This significant procedural right is likely to play an important role in acting as a check on abusive access requests.

Perhaps the only fly in the ointment for the digital rights groups that intervened before the Court is the Court’s seemingly uncritical endorsement of geographic and group profiling. It does this when it emphasises that there should be relationship between the data retained and the threat, for instance when the data pertains to a ‘geographic area’ [108]. The ethical and social issues such profiling may entail would require further consideration. The Court appears to recognise this by suggesting that such profiling would need to be strictly evidence-based ([111]). Should generalised retention measures be replaced by ad hoc location-based retention measures, the legality of the latter would itself be the subject of much controversy.

New ECJ ruling on data retention: Preservation of civil rights even in difficult times!

Original published here on 22. Dezember 2016

by

Translation – German version see here.

The European Court of Justice has made a Christmas present to more than 500 million EU citizens. With its new judgment on data retention (C-203/15 of 21 December 2016) – the highest court of the European Union stresses the importance of fundamental rights. All Member States are required to respect the rights represented in the European Charter of Fundamental Rights in their national legislation. The ECJ issued an important signal that can hardly be surmounted taking into account the current political discussions on internal and external threats and the strengthening of authoritarian political currents providing the public with simplistic answers to difficult questions.

The ECJ remains true to itself

The ruling of the European Court of Justice is in line with its judgment of 8 April 2014, by which the Court annulled Directive 2006/24/EC on the retention of data. The general obligation to retain traffic and location data required by this Directive was not limited to the absolutely necessary and thus disproportionate to the fundamental rights of respect for private life and the protection of personal data (Articles 7 and 8 of the European Charter of Fundamental Rights).

Despite the annulment of the Data Retention Directive by the ECJ, several Member States have continued or even broadened their practice of data retention. The latter took place in Great Britain, where shortly after the ECJ ruling – in July 2014 – a new legal basis for data retention was passed, which even went beyond the abolished EC directive. According to the British Parliament’s intention to implement the so-called „Investigatory Powers Act“, the major current commitments to compulsory data storage and the supervisory powers of the security authorities are to be extended in the short term and will include web services, in particular transactions on social networks. On November 29, 2016, the upper and lower house agreed on a corresponding legal text, which is to enter into force soon after its formal approval by the Queen. In other Member States, too, there are – differently broad-ranging – legal requirements which oblige providers of telecommunications and internet services to reserve traffic and location data whose conservation is not necessary for the provision or the billing of the respective service.

European Charter of Fundamental Rights binding for national legislature

A Swedish and a British court had asked the ECJ to clarify whether the respective national regulations on the retention of data corresponded to the European legal requirements.

In its new ruling the ECJ answered this question by stating that national regulations which provide a general and indiscriminate storage of data are not in line with the EU law. A national regulation providing for the storage of traffic and location data, is to be regarded as serious interference in fundamental rights. Member States must not maintain or re-adopt rules which are based on, or even go beyond, an EU act which has been annulled on grounds of its fundamental illegality.

The provisions of EU law bind the national legislature. The EU Directive 2002/58/EC on data protection in electronic communications (the ePrivacy Directive) has to be interpreted in the light of the Charter of Fundamental Rights. Exceptions to the protection of personal data should be limited to the absolutely necessary. This applies not only to the rules on data retention, but also to the access of authorities to the stored data. A national provision providing for general and indiscriminate data retention which does not require a link between the data for which it is originally intended to be stored and a threat to public security, and in particular is not limiting the data on a period and / or a geographical area and / or of a group of persons which could be involved in a serious criminal act, transcends the limits of the absolutely necessary and can not be regarded as justified in a democratic society. Laws of Member States that do not meet these requirements must be abolished or amended accordingly.

With regard to the contested British and Swedish laws, the competent national courts which had appealed to the ECJ are now required to enforce the ECJ ruling in substance. However, even the parliaments and governments of the Member States are, too, responsible for reviewing and, where appropriate, correcting the relevant provisions of national law.

What happens to German data retention?

The implications of the ECJ ruling for the German data retention recently reintroduced must also be urgently examined. The retention obligations of the new German Data Retention Act remain behind the predecessor regulation, which was repealed by the Federal Constitutional Court in 2010. However, it is highly doubtful whether the provisions of the ECJ will be fulfilled by the new data retention act, since it obliges the telecommunications providers to store the data without any material restriction on a specific area or a particular risk situation.

The fact that the Federal Government or the parliamentary fractions backing them will now carry out this examination in an objective manner appears to be highly unlikely in the light of the additional powers which they have recently decided to hand over to the security authorities. In the end, the Federal Constitutional Court will probably have to ensure clarity again.

Peter Schaar (21 December 2016)