UK/EU Security Cooperation After Brexit: the UK Government’s Future Partnership Papers

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

Professor Steve Peers

The Prime Minister’s big speech in Florence has received the most attention in recent weeks, but it’s also worth looking at the UK government’s recent papers on its planned EU/UK close partnership after Brexit.  I’ll look here at the papers on two aspects of security – external security (foreign policy and defence) on the one hand, and internal security (police and criminal law cooperation) on the other. Both of them are impacted in the short term by the Florence speech, since the Prime Minister called for the current UK/EU security arrangements to apply for a period of around two years, followed by a comprehensive EU/UK security treaty. Assuming that such a transition period is agreed, the issue is what happens after that. In other words, what will be the content of that future comprehensive security treaty?

External security: Foreign policy and defence

The UK government’s foreign policy paper devotes much of its space – the first 17 pages – to explaining the UK’s major commitments in this field, including via its EU membership. A Martian reader would assume that the UK was applying to join the Union. Only the last few pages discuss the government’s preferred policy – which is both rather vague and highly resembles EU membership.

In short (although there’s no long version), the government seeks to maintain a relationship with the EU in this field that’s closer than any other non-EU country – although without offering many specifics. The government does, however, state that it wants to contribute to EU defence missions and to align sanctions regimes with the EU. The point about sanctions is particularly relevant, since the UK provides intelligence to justify their imposition and some of the individuals concerned have placed their assets in the UK.

For instance, in the recent ECJ judgment in Rosneft (discussed here), which followed a reference from the UK courts, the sanctioned company tried to reopen the case to argue that the referendum result already meant that EU sanctions ceased to apply in the UK. The ECJ simply replied that the Russian company had not explained how the Brexit vote altered the jurisdiction of the Court or the effect of its judgments.

Of course, the legal position will certainly change from Brexit Day: the UK government plans to propose a new Bill regulating post-Brexit sanctions policy in the near future, following a White Paper on this issue earlier this year (see also the government response to that consultation). One key question will be whether that Bill already attempts to regulate the UK’s post-Brexit coordination with the EU on sanctions, or whether that will be left to the Brexit negotiations to address.

This brings us to the issue of the ECJ, which is a difficult question as regards many aspects of the Brexit talks. In principle, in the area of foreign policy and defence, Brexit talks should not be too complicated by ECJ issues, since the Court has only limited jurisdiction. However, as the case of Rosneft illustrates, it does have jurisdiction over sanctions issues. In fact, there are frequent challenges to EU sanctions and many challenges are successful, so there will be a risk of divergence between EU and UK policy after Brexit that may need to be discussed. Such divergence could lead to a knock-on complication with capital movement between the UK and EU.

The paper also covers development and external migration policy, where the UK again seeks something which is both vague and much like membership – collaboration on coordinating policy. While the EU has its own development policy, Member States are free to have their own policies, subject to loose coordination – which is what the UK is aiming for as a non-member.

This was, perhaps, a missed opportunity here to touch on the most difficult issue in the talks: the financial liabilities upon leaving in the EU. Some of the EU’s spending in these areas is not part of the ordinary EU budget (as the ECJ has confirmed), although it is part of the EU negotiation position. So the UK could have addressed that issue to move talks along and to make links between ‘upfront’ and ‘future’ issues to get around sequencing problems in the Brexit talks. (The Prime Minister’s subsequent speech in Florence did not explicitly mention these funds). Furthermore, the UK government could have used this paper to reassure some febrile people that it will have a veto on what it chooses to participate in, as well as on the ECJ.

Internal security: Criminal Law and Policing

In many ways, the government paper on criminal law matters is similar to the foreign policy paper. It also starts out by saying how useful the current relationship is, for instance as regards data on wanted persons and stolen objects uploaded into the Schengen Information System, the use of the European Arrest Warrant for fast-track extradition, and the EU police intelligence agency, Europol.

What happens after Brexit? The UK paper correctly points out that the EU already has agreements in this area with many non-EU countries, particularly as regards the exchange of policing data but also as regards some forms of criminal justice cooperation. But as with foreign policy and defence, the UK wants a distinctive relationship after Brexit, given the existing close links.

Again, however, the actual content of what the UK wants is vague. Which of the current EU laws in this field which the UK has signed up to (for a summary of those laws, see my referendum briefing here) would it still like to participate in? The only clear point is that the government doesn’t want direct ECJ jurisdiction. In principle, that should be fine for the long term, since the EU27 negotiation position only refers to the ECJ during a transition period. There’s no insistence on using it afterward, which is consistent with EU treaties in this field with non-EU countries.

However, some of those treaties refer to taking account of each other’s case law, and dispute settlement or (in some treaties) possible termination in the event of judicial or legislative divergences. The UK paper gives no idea of how it will tackle those issues, whereas the recent paper on the parallel issue of civil litigation (discussed here) at least indicated a willingness to require UK courts to take account of relevant ECJ rulings.

Comments

The contrast between the importance of these issues and the vagueness with which they are treated is striking. Imagine a television viewer aching to watch Tenko or Broadchurch – but having to settle for Last of the Summer Wine.  It is fair to assume that the government has more detailed plans than this but doesn’t want to release them; but presumably anything more specific would have opened division in the cabinet or run the perceived risk of making the government look awkward by disclosing an ultimately unsuccessful negotiation position (what the government refers to as undermining negotiations). Increasingly these papers look like an attempt to respond to poor polls about negotiations rather than a contribution to the talks.

The government does have a point, however: the UK and EU have significant shared interests in this area, and the UK has a lot to offer, in terms of its defence contribution, supply of intelligence and round-up of fugitives from other Member States, for instance. Of course, the UK benefits in turn from having swifter access to other countries’ intelligence, as well as fast track extradition and transfer of criminal evidence.  The Brexit process might also be an opportunity to address the civil liberties concerns that sometimes arise about these measures, but there is no detailed discussion of that.

It will likely be awhile before these issues are discussed in detail in the talks, and it remains to be seen how interested the EU27 side is in the UK government’s position. But at first sight, it seems possible that the future of the EU/UK relationship on security issues will not be vastly different from the present.

Counter-terrorism and the inflation of EU databases

Original published on Statewatch (*) on May 2017

By Heiner Busch (@Busch_Heiner) and Matthias Monroy (@matthimon)  (Translation from DE by Viktoria Langer)

The topic of counter-terrorism in Europe remains closely linked to the development and expansion of police (and secret service) databases. This was the case in the 1970s, after 11 September 2001 and has also been the case since 2014, when the EU Member States started working on their action plans against ‘foreign terrorist fighters’.

The first effect of this debate has been a quantitative one: the amount of data in the relevant databases has increased explosively since 2015. This can be seen by looking in particular at available data on the Europol databases, like ‘Focal Points’ (formerly: Analytical Work Files) of the Europol analysis system. Since 2015 they have become one of the central instruments of the European Counter Terrorism Centre (ECTC) which was established in January 2016. ‘Hydra’, the ‘Focal Point’ concerning Islamist terrorism was installed shortly after 9/11. In December 2003 9,888 individuals had been registered, a figure that seemed quite high at the time – but not compared with today’s figures. [1] In September 2016 ‘Hydra’ contained 686,000 data sets (2015: 620,000) of which 67,760 were about individuals (2015: 64,000) and 11,600 about organisations (2015: 11,000).

In April 2014 an additional ‘Focal Point’, named ‘Travellers’, was introduced, which is exclusively dealing with “foreign terrorist fighters” (FTF). One year later ‘Travellers’ included 3,600 individuals, including contact details and accompanying persons. In April 2016 the total number increased by a factor of six. Of the 21,700 individuals registered at the time, 5,353 were “verified” FTFs. In September 2016, of 33,911 registered individuals, 5,877 had been verified as FTFs.

Since 2010 Europol and the USA have operated the Terrorist Finance Tracking Programme (TFTP), which evaluates transfers made via the Belgian financial service provider SWIFT. Until mid-April 2016 more than 22,000 intelligence leads had been arisen out of that programme, of which 15,572 since the start of 2015. 5,416 (25%) were related to FTFs.

In contrast to Europol’s analytical system, the Europol Information System (EIS, the registration system of the police agency) can be fed and queried directly from the police headquarters and other authorities of EU Member States. Here, more than 384,804 ‘objects’ (106,493 individuals) were registered at the start of October 2016, 50% more than the year before. The increase is partly due to the growing number of parties participating in the EIS. In 2015 13 Member States were connected; in 2016 19 Member States. Some of the EU States, like the UK, also let their national secret services participate in the system. 16 Member States currently use automatic data uploaders for input. The number of third parties involved has also increased (in 2015 there were four, in 2016 there were eight). Interpol, the FBI and the US Department of Homeland Security are some of them.

Europol has reported further growth in the number of “objects” linked to terrorism in the EIS. According to the Slovak Presidency of the Council of the EU’s schedule for the improvement of information exchange and information management, in the third quarter of 2016 alone these grew another 20% to 13,645. [2] The EIS includes 7,166 data sets about individuals linked to terrorism, of which 6,506 are marked as FTFs or their supporters, or are assumed to be so. For May 2016 the CTC stated a figure of 4,129. [3] The increase in terrorism linked data can also be seen in the Schengen Information System (SIS) – in the alerts for “discreet checks or specific checks” following Article 36 of the SIS Decision. According to this, suspect persons are not supposed to be arrested. However, information about accompanying persons, vehicles etc. are recorded to provide insight into movements and to keep tabs on the contacts of the observed person. At the end of September 2016 the number of such checks by the police authorities (following Article 36(2)) was 78,015 (2015: 61,575, 2014: 44,669). The number of alerts of the national secret services based on Article 36(3) was 9,516 (2015: 7,945, 2014: 1,859). “Hits” on such alerts and additional information are supposed to be sent directly to the alerting authorities and not as usual to national SIRENE offices (which deal with the exchange of supplementary information regarding alerts in the SIS). This option was only introduced in February 2015.

The Schengen states used the instrument for discreet surveillance or specific checks very differently. On 1 December 2015 44.34% of all Article 36 alerts came from authorities in France, 14.6% from the UK, 12.01% from Spain, 10.09% from Italy and 4.63% from Germany. [4] How many of these alerts actually had a link to terrorism remains unclear; a common definition has not yet been found. However, the Council Working Party on Schengen Matters agreed on the introduction of a new reference (“activity linked to terrorism”) for security agencies’ alerts. According to Federal Ministry for the Interior, German alerts are marked with this reference when concrete evidence for the preparation of a serious act of violent subversion (§§129a, 129b Penal Code) can be presented. [5]

‘Unnoticed in the Schengen area’ Continue reading

Worth Reading: Justice against sponsors of terrorism (JASTA and its international impact)

European Parliament Research Service (EPRS)  Briefing published on October 2016

SUMMARY

On 27 September 2016, the United States Congress overrode the presidential veto to pass the Justice Against Sponsors of Terrorism Act (JASTA), the culmination of lengthy efforts to facilitate lawsuits by victims of terrorism against foreign states and officials supporting terrorism. Until JASTA, under the ‘terrorism exception’ in the US Foreign Sovereign Immunities Act, sovereign immunity could only be denied to foreign states officially designated by the USA as sponsors of terrorism at the time or as a result of the terrorist act. JASTA extends the scope of the terrorism exception to the jurisdictional immunity of foreign states so as to allow US courts to exercise jurisdiction over civil claims regarding injuries, death or damages that occur inside the USA as result of a tort, including an act of terrorism committed anywhere by a foreign state or official.

The bill has generated significant debate within and outside the USA. State or sovereign immunity is a recognised principle of customary international law and, for that reason, JASTA has been denounced as potentially violating international law and foreign states’ sovereignty; some countries have already announced reciprocal measures against the USA. The terrorism exception to state immunity was already a controversial concept, with only the USA and Canada having introduced legislation on the matter.

In this briefing:
What is JASTA?
The law on state immunity and the terrorism exception
Debate in the United States
Reactions in third countries
Considerations for the European Union
The European Union’s approach to victims’ rights
Main references

What is JASTA?

The Justice Against Sponsors of Terrorism Act (JASTA) represents an attempt by the US Congress to reduce the number of obstacles faced by victims of terrorism when bringing lawsuits in the USA against foreign states and officials supporting terrorism. The bill amends the federal judicial code (USC) to expand the scope of the terrorism exception (Title 28 USC, section 1605A) to the jurisdictional immunity of a foreign state. It will give US courts jurisdiction over civil claims regarding injuries, death, or damages that occur inside the United States as a result of a tort, including an act of terrorism, committed anywhere by a foreign state or official. It also amends the federal criminal code to permit civil claims (Title 18 USC, section 2333) sought by individuals against a foreign state or official for injuries, death or damages from an act of international terrorism (unless the foreign state is immune under the Foreign Sovereign Immunities Act, as amended by JASTA). Additionally, the bill authorises federal courts to exercise personal jurisdiction over, and impose liability on, a person who commits, or aids, abets, or conspires to commit, an act of international terrorism against a US national (thus expanding the liability of foreign government officials in civil actions for terrorist acts). However, the foreign state will not be subject to the jurisdiction of US courts if the tortious act in question constitutes ‘mere negligence’. JASTA contains a stay of actions clause that can apply if the USA is engaged in good faith discussions with the foreign state or any parties as to the resolution of the claims. A stay can be granted for 180 days, and is renewable. JASTA will apply to any civil action ‘arising out of an injury to a person, property, or business, on or after September 11, 2001’.

The JASTA bill was approved by the US Senate in May 2016 (S. 2040) and by the House of Representatives in September 2016, but was vetoed by President Obama. The bill passed after Congress overrode the presidential veto on 27 September 2016. There are however indications that some changes to the law are already being considered by lawmakers. Several countries, including some EU Member States have expressed concern about the bill. The existing US terrorism exception to state immunity is already considered to be contrary to customary international law and is an isolated practice among other states.

The law on state immunity and the terrorism exception Continue reading

Systèmes d’information européens sécurité-immigration : lorsqu’ “interopérabilité” ne rime effectivement pas avec “interconnexion”

ORIGINAL PUBLISHED ON “EU Immigration and Asylum Law and Policy” BLOG

by Pierre BERTHELET

“Il convient d’exploiter toutes les possibilités offertes par d’éventuelles synergies entre les systèmes d’information nationaux et européens, sur la base de l’interopérabilité”. Ces propos ne datent pas des conclusions du dernier Conseil JAI sur ce thème, celles du 9 juin 2017, mais bien d’une communication de la Commission remontant au mois de mai 2005. La problématique de l’interopérabilité des bases de données JAI est par conséquent tout sauf neuve. Elle revêt néanmoins une acuité particulière à la lumière des efforts axés sur le renforcement de l’efficacité et de l’efficience de la gestion des données dans l’UE. Comme le fait remarquer une étude juridique de mai 2017, le volume des données échangées entre les Etats membres et stockées au sein des systèmes européens d’information s’est accru considérablement depuis les attaques de Paris de 2015.

L’interopérabilité s’insère ainsi dans l’optique d’une rationalisation d’informations désormais abondantes au niveau de l’Union. Elle constitue un chantier majeur de la construction européenne en matière de gestion des systèmes d’information. Plus exactement, l’interopérabilité – et l’interconnexion par ailleurs – peuvent être envisagées sous la forme de poupées russes : l’interconnexion est un élément de la réponse des institutions européennes apportée en matière d’interopérabilité qui, elle-même, constitue un volet de la réforme actuelle ayant trait à la gestion des systèmes européens d’information. Elle est un concept générique qui s’inscrit dans le cadre de travaux interinstitutionnels visant à améliorer les mécanismes d’échange et de traitement de l’information, en toile de fond du développement considérable qu’ont connu ces systèmes cette dernière décennie. Son caractère ambigu tient au fait qu’elle renvoie autant au projet lui-même qu’à l’objectif porté par ce projet. Or, force est de constater que, depuis 2016, le degré d’avancement du chantier entrepris dans le domaine de l’interopérabilité est déjà élevé (1). Quant à l’interconnexion, il s’agit, à la lumière des récents textes l’évoquant, d’un processus loin de recueillir l’assentiment unanime (2).

1. L’interopérabilité des systèmes, un degré d’avancement du projet déjà élevé

Bien qu’évoquée depuis plusieurs années, l’interopérabilité des systèmes est un projet ayant connu un regain d’intérêt récent. Elle correspond à un processus interinstitutionnel  initié il y a quelques mois seulement (a). L’objectif est de rendre la gestion de l’information dans le domaine de la sécurité, des frontières et des flux migratoires davantage performante (b).

a. Un processus interinstitutionnel initié il y a quelques mois seulement

Avant d’entrer de plain-pied dans l’analyse, il importe de préciser les termes employés, à savoir l’interopérabilité d’une part et l’interconnexion d’autre part. Une communication de novembre 2005, consacrée au renforcement de l’efficacité et de l’interopérabilité des bases de données européennes fournit un éclairage à ce sujet. Dans ce texte destiné, déjà à l’époque, à lancer un débat en profondeur sur la forme et l’architecture à long terme des systèmes d’information, la Commission définit la connectivité comme un terme générique renvoyant à la connexion de systèmes aux fins de transfert de données. En France, le Conseil d’État considère, dans une décision du 19 juillet 2010, l’interconnexion «comme l’objet même d’un traitement qui permet d’accéder à, exploiter et de traiter automatiquement les données collectées pour un autre traitement et enregistrées dans le fichier qui en est issu ».

Tirant cette définition d’un document élaboré par l’European Interoperability Framework (qui est la concrétisation du plan d’action eEurope approuvé par le Conseil européen de Séville de 2002, et visant promouvoir les services publics en ligne), l’interopérabilité signifie, selon cette communication de novembre 2005, la « capacité qu’ont les systèmes d’information et les processus opérationnels dont ils constituent le support d’échanger des données et d’assurer le partage des informations et des connaissances ».

Ceci étant dit, les travaux actuels trouvent leur origine dans une communication de la Commission du 6 avril 2016 visant à lancer un débat sur l’existence de lacunes ainsi que de défaillances systémiques au sujet des bases de données JAI. Plus exactement, il s’agit d’œuvrer dans l’amélioration de l’architecture de gestion des données de l’UE concernant le contrôle aux frontières et de la sécurité intérieure. Le périmètre est ainsi réduit à un pan de l’ELSJ, et ce, même si la dimension judiciaire est évoquée ponctuellement à travers le projet d’interconnexion des casiers judiciaires européen. En outre, il est étendu partiellement aux systèmes d’information nationaux, l’objectif étant d’assurer une fluidité de l’information à la fois au niveau horizontal (les systèmes européens) et au niveau vertical (entre les systèmes européens et les systèmes nationaux).

Pour mener à bien cette réflexion, la Commission a réuni le mois suivant sa communication d’avril 2016, un « groupe d’experts de haut niveau sur les systèmes d’information et l’interopérabilité ». Ce groupe d’experts, qui a mené ses travaux conformément aux prescriptions d’une feuille de route sur l’échange d’information et l’interopérabilité, approuvée par le Conseil JAI du 10 juin 2016, a rassemblé des représentants des Etats membres (y compris les pays Schengen non membres de l’UE), ceux des agences européennes (Frontex, eu-LISA, Europol, EASO et FRA), le Coordinateur pour la lutte antiterroriste et le CEPD (et ont été associés aux travaux, le secrétariat général du Conseil et celui de la commission LIBE du Parlement européen au titre d’observateur). L’objectif de ce projet relatif à l’interopérabilité, précise le Conseil, vise à appuyer les investigations opérationnelles, notamment dans le domaine de la lutte antiterroriste, et d’apporter rapidement aux autorités nationales de terrain (garde-frontières, policiers, agents de l’immigration et procureurs notamment) toutes les informations nécessaires en temps et en heure pour mener à bien leurs missions.

Les travaux du groupe ont trouvé un soutien politique fort émanant à la fois du président de la Commission, Jean-Claude Juncker, ainsi que du Conseil européen. Le premier, dans son discours sur l’état de l’Union en septembre 2016, peu avant la tenue du Conseil européen informel de Bratislava, a souligné l’imminence de la présentation par la Commission, du système européen d’information et d’autorisation concernant les voyages (ETIAS). Le second, dans des conclusions de décembre 2016, a appelé « à poursuivre les efforts en matière d’interopérabilité des systèmes d’information et des bases de données » (point 9). Ce groupe à haut niveau a rendu son rapport final le 11 mai 2017, dont le contenu a nourri l’analyse de la Commission dans l’élaboration de son septième rapport publié une semaine plus tard, sur les progrès accomplis dans la mise en place d’une union de la sécurité réelle et effective. Enfin, le Conseil, jugeant l’interopérabilité comme essentielle à la sécurité, a approuvé, le 9 juin 2017, les conclusions précitées dans lesquelles il approuve les solutions dégagées par le groupe d’experts et ce, en vue d’une gestion de l’information davantage performante.

b. Une gestion de l’information se voulant davantage performante

L’importance de l’interopérabilité des systèmes d’information est clairement rappelée par la Commission dans ce septième rapport. En réalité, ce constat est dressé quelques mois plus tôt, dans sa communication d’avril 2016, qui elle-même, fait suite à différentes conclusions du Conseil. Ainsi, concernant le seul SIS II, dans celles d’octobre 2014, le Conseil a envisagé une connexion entre ce système et la base de données « faux documents » d’Interpol (SLTD), de manière à ce que les utilisateurs finaux aient accès simultanément aux deux systèmes lors d’une même recherche. Dans celles approuvées peu avant, en juin 2014, il a invité les États membres utiliser pleinement le SIS II dans le cadre de la lutte contre le terrorisme, invitation répétée au demeurant dans la déclaration commune de Riga, adoptée après les attaques contre le journal Charlie Hebdo. Quant aux conclusions du 20 novembre 2015, approuvées après les attaques du Bataclan et la fuite consécutive de Salah Abdeslam avec l’aide de deux complices venus de Belgique, le Conseil a souligné l’importance d’une consultation systématique du SIS II lors des contrôles frontaliers.

À cette fin, la Commission, en se référant à certains de ces textes ainsi qu’à la déclaration commune sur les attentats terroristes du 22 mars 2016 à Bruxelles préconisant de renforcer l’interopérabilité, a présenté dans sa communication d’avril 2016, dans laquelle elle identifie un ensemble d’incohérences et de dysfonctionnements, parmi lesquelles, des fonctionnalités non optimales des systèmes européens d’information et un problème de la qualité des données auquel s’ajoute des lacunes dans l’architecture de l’UE en matière de gestion des données liée notamment à l’absence pure et simple d’une série de systèmes d’information. Quant à ceux existants, leur fonctionnement doit être amélioré. C’est le cas du SIS II, dont Europol n’a pas encore fait pleinement usage, alors même que l’agence dispose d’un droit d’accès à celui-ci. En outre, certains systèmes existent partiellement, mais ils ne sont pas encore pleinement opérationnels. C’est le cas des systèmes nationaux mis en place dans le cadre des décisions dites « de Prüm » et pour lesquelles plusieurs États membres ne remplissent toujours pas leurs engagements. Le paysage européen des systèmes d’information se caractérise donc par une multiplicité de dispositifs, des niveaux d’achèvement différents et des modes de fonctionnement distincts. Il en résulte une mosaïque complexe, car ces systèmes sont soumis à des régimes juridiques variables, rendant l’ensemble difficilement intelligible.

Cette superposition de systèmes conduit à une architecture européenne fragmentée au sujet de la gestion des données. Chacun système fonctionne en silo, faisant que les informations contenues sont peu interconnectées. Ce compartimentage des données a des conséquences problématiques concrètes. Ainsi, l’auteur de l’attaque terroriste de Berlin de décembre 2016, Anis Amri, a eu recours à pas moins de quatorze identités différentes. Ces fausses identités ont permis à ce ressortissant tunisien de se déplacer aisément en Allemagne, puis de prendre la fuite hors du pays avant d’être abattu à Milan. Or, comme le fait observer le quatrième rapport de la Commission sur la sécurité, ses déplacements auraient pu être détectés si les systèmes employés étaient dotés d’une fonctionnalité permettant une recherche simultanée dans plusieurs d’entre eux, au moyen d’identificateurs biométriques.

L’interopérabilité apparaît dès lors comme une réponse aux défis sécuritaires, en particulier terroristes, pour lesquels le recours aux systèmes d’information est un élément indispensable de la réponse à fournir.

La réforme de la gestion de l’information est effectuée au moyen d’une approche horizontale, via les travaux du groupe d’experts de haut niveau. Elle s’effectue aussi de manière sectorielle, à travers l’adoption de textes instituant des systèmes d’information (ou modifiant ceux existants).

En premier lieu, des systèmes sont en projet ou en cours de réalisation. Peuvent être mentionnés la proposition présentée en janvier 2016, étendant aux ressortissants de pays tiers le Système européen d’information sur les casiers judiciaires (ECRIS-TCN), la proposition révisée établissant le système d’entrée/sortie (EES) et présentée en avril 2016 (en parallèle à une modification du règlement de mars 2016 relatif au Code Frontières Schengen), la proposition de règlement instituant l’ETIAS présentée quant à elle en novembre 2016, ou le système d’index européen des registres de la police (EPRIS) dont l’ébauche correspondrait au projet auquel la France prend part et dénommé ADEP (Automated Data Exchange Process).

En deuxième lieu, d’autre systèmes existent, mais ils doivent être réformés. Il s’agit en particulier d’Eurodac (une proposition de règlement, présentée en mai 2016, permettant notamment de stocker l’image faciale, est en cours de discussion entre le Conseil et le Parlement européen), et du SIS II (un paquet législatif, présenté en décembre 2016, composé de quatre propositions de règlement est également en cours de discussion, prévoyant l’obligation pour les États membres d’émettre des alertes concernant des personnes liées à des infractions terroristes).

Or, le processus de refonte opéré des différents systèmes (et la création de ceux n’existant pas encore) est pensé dans la perspective de l’interopérabilité et même de l’interconnexion. Par exemple, concernant le SIS II, une disposition de la proposition de règlement créant l’ETIAS, prévoit que l’unité centrale ETIAS puisse opérer des recherches dans le SIS II. De prime abord, l’interconnexion des systèmes est, au vu de cet exemple, effective, ou du moins, en voie de l’être. Or, ce n’est pas cas en réalité et il s’agit plutôt de l’exception qui confirme la règle.

2. L’interconnexion des systèmes, un projet suscitant peu l’enthousiasme institutionnel

L’interconnexion est une option visant à atteindre le stade de l’interopérabilité des systèmes d’information. Cependant, il s’agit d’une option parmi d’autres (a), et qui ne reçoit qu’un accueil institutionnel pour le moins prudent (b).

a. L’interconnexion, une option parmi d’autres

L’interconnexion, au sens défini ci-dessus, apparaît seulement comme une option parmi celles avancées par la Commission dans sa communication d’avril 2016. Plus exactement, le texte en présente quatre aux fins de parvenir à une situation d’interopérabilité : l’interface de recherche unique, le service partagé de mise en correspondance de données biométriques, le répertoire commun de données d’identité et enfin l’interconnexion des systèmes d’information proprement dite.

Dans le premier cas, l’interface de recherche unique, il s’agit de permettre à une autorité nationale d’interroger plusieurs systèmes d’information de manière simultanée. Ce système, qui existe en France avec l’application COVADIS (Contrôle et vérification automatiques des documents sécurisés), permet au service interrogeant d’obtenir sur un seul écran les résultats des requêtes, ceci dans le respect des droits d’accès propre à ce service. Cette hypothèse de l’interface unique a, au demeurant, reçu l’assentiment des ministres français et allemand dans le cadre de leur « initiative sur la sécurité intérieure en Europe » du 23 août 2016.

Le service partagé de mise en correspondance de données biométriques vise, quant à lui, à proposer au service utilisateur, une interrogation des systèmes à partir des identifiants biométriques. Pour l’heure, chaque système européen dispose de son propre dispositif d’identification. L’objectif est, au moyen de ce service partagé, d’effectuer des recherches dans les différents systèmes d’information et de mettre en évidence les coïncidences, par exemple sous forme de hit/no hit, entre ces données.

Le troisième cas a trait à l’établissement d’un répertoire commun de données d’identité en tant que module central dans lequel figure un portefeuille de données (nom, prénom, date et lieu de naissance par exemple). Ces données constituent un socle commun à tous les systèmes, les autres données étant, quant à elles, stockées au sein de modules spécifiques à chacun d’eux. Comme le précise le rapport du Sénat du 29 mars 2017 consacré à l’espace Schengen, la proposition de règlement créant l’ETIAS envisage ce dispositif, du moins entre ce système et l’EES.

Enfin, la dernière option a trait précisément à l’interconnexion des systèmes d’information. L’avantage est de permettre la consultation automatique des données figurant dans un système, par l’intermédiaire d’un autre système. L’interconnexion, ajoute ce rapport du Sénat, présente l’intérêt d’assurer un contrôle croisé automatique des données, limitant ainsi le volume d’informations circulant au sein des réseaux. À cet égard, la proposition de règlement relatif à l’EES envisage une interconnexion avec le VIS. Cette option est évoquée, mais elle va être, dans une large mesure du moins, délaissée.

b. L’interconnexion, une option en grande partie délaissée

Sans pour autant être totalement écartée (en particulier dans la proposition de règlement relatif à l’EES), l’interconnexion ne rencontre pas un franc succès et c’est le moins que l’on puisse dire. D’abord, elle n’a pas l’assentiment du groupe d’experts de haut niveau. Dans leur rapport intermédiaire, remis en décembre 2016, celui-ci avait considéré l’interconnectivité des systèmes comme une solution ponctuelle. Le rapport final consacre ce point de vue en rejetant l’idée d’une généralisation de l’interconnexion et il privilégie trois solutions qui font écho aux autres options avancées par la Commission, à savoir un portail de recherche européen, un service partagé de mise en correspondance de données biométriques et un répertoire commun de données d’identité. Plus exactement, l’interface de recherche unique est préférée à l’interconnexion, ce qui va dans le sens de la position du Conseil qui, dans sa feuille de route sur l’échange d’informations, s’était déclaré pour cette solution de l’interface unique. Reste que si cette dernière avait les faveurs du Conseil et ce, au regard des autres options, les experts ont, pour leur part, conservé l’idée d’un répertoire commun de données et la mise en correspondance de données biométriques comme des pistes exploitables à court terme, et non à moyen et long termes comme le suggérait la feuille de route.

Ensuite, l’interconnexion ne trouve pas non plus un écho favorable auprès de la Commission. Celle-ci fait sienne, à cet égard, les recommandations figurant dans le rapport du groupe d’expert, en se bornant à préciser que des réunions tripartites Conseil-Parlement-Commission au niveau technique devraient avoir lieu en automne 2017, en vue de dégager une vision commune avant la fin de l’année 2017, ceci afin de parvenir à cet objectif d’interopérabilité des systèmes à l’horizon de l’année 2020. La Commission reprend donc à son compte les options retenues par le groupe à haut niveau, en se bornant à fixer cette date-butoir, étant entendu par ailleurs que celle-ci correspond à l’échéance à laquelle l’EES devrait être opérationnel. À cette fin, une proposition législative sur l’interopérabilité devrait être présentée, en parallèle à une proposition de révision du VIS, à une proposition sur l’ECRIS, ainsi qu’à une autre visant à renforcer le mandat de l’agence européenne eu­LISA.

Au final, concernant les systèmes d’information européens sécurité-immigration, l’interopérabilité ne rime pas avec l’interconnexion. Cette lapalissade reflète parfaitement la volonté des institutions européennes préférant à la centralisation, la synergie ainsi que l’avaient souligné en leur temps, la déclaration de mars 2004 sur la lutte contre le terrorisme, le programme de La Haye et la déclaration du Conseil de juillet 2005 suite aux attentats de Londres. La voie choisie par ces institutions est bien résumée par le Commissaire à la sécurité, Sir Julian King, qui avait déclaré le 29 mai 2017 dans une allocution devant les députés de la commission LIBE, « ce que l’on ne propose pas, c’est une base de données gigantesque où tout serait interconnecté ».

Worth reading : the final report by the EU High Level Expert Group on Information Systems and Interoperability (HLEG),

NB: The full version (PDF)  of the Report is accessible HERE

On May 8th the (EU) High Level Expert Group on Information Systems and Interoperability (HLEG) which was set up in June 2016 following the Commission Communication on “Stronger and Smarter Information Systems for Borders and Security ” has published its long awaited 56 long pages Report on Information Systems and Interoperability.

Members of the HLEG were the EU Members States (+ Norway, Switzerland and Liechtenstein), the EU Agencies (Fundamental Rights Agency, FRONTEX, European Asylum Support Office, Europol and the EU-LISA “Large Information Support Agency”) as well as the representatives of the Commission and the European Data Protection Supervisor (EDPS) and the Anti-Terrorism Coordinator (an High Council General Secretariat Official designated by the European Council).

Three Statements, respectively of the EU Fundamental Rights Agency, of the European Data Protection Supervisor and of the EU Counter-Terrorism Coordinator (CTC),  are attached. The first two can be considered as a sort of partially dissenting Opinions while the CTC  statement is quite obviously in full support of the recommendations set out by the report as it embodies for the first time at EU level the “Availability Principle” which was set up already in 2004 by the European Council. According to that principle if a Member State (or the EU) has a security related information which can be useful to another Member State it has to make it available to the authority of another Member State. It looks as a common sense principle which goes hand in hand with the principle of sincere cooperation between EU Member States and between them and the EU Institutions.

The little detail is that when information is collected for security purposes national and European legislation set very strict criteria to avoid the possible abuses by public EU and National Law enforcement authorities. This is the core of Data Protection legislation and of the art. 6, 7 and 8 of the EU Charter of Fundamental Rights which prevent the EU and its Member States from becoming a sort of Big Brother “State of surveillance”. Moreover, at least until now these principles have guided the post-Lisbon European Court of Justice jurisprudence in this domain and it is quite appalling that no reference is made in this report to the Luxembourg Court Rulings notably dealing with “profiling” and “data retention”(“Digital Rights”, “Schrems”, “TELE 2-Watson”…).

Needless to say to implement all the HLWG recommendations several legislative measures will be needed as well as the definition of a legally EU Security Strategy which should be adopted under the responsibility of the EU co-legislators. Without a strong legally founded EU security strategy not only the European Parliament will continue to be out of the game but also the control of the Court of Justice on the necessity and  proportionality of the existing and planned EU legislative measures will be weakened.  Overall this HLWG report is mainly focused on security related objectives and the references to fundamental rights and data protection are given more as “excusatio non petita” than as a clearly explained reasoning (see the Fundamental Rights Agency Statement). On the Content of the  perceived “threats” to be countered with this new approach it has to be seen if some of them (such as the mixing irregular migration with terrorism)  are not imaginary and, by the countrary, real ones are not taken in account.

At least this report is now public. It will be naive to consider it as purely “technical” : it is highly political and will justify several EU legislative measures. It will be worthless for the European Parliament to wake up when the formal legislative proposals will be submitted. If it has an alternative vision it has to show it NOW and not waiting when the Report will be quite likely “endorsed” by the Council and the European Council.

Emilio De Capitani

TEXT OF THE REPORT (NB  Figures have not been currently imported, sorry.)

——- Continue reading

Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices

EXECUTIVE SUMMARY OF A STUDY FOR THE EP LIBE COMMITEE.

FULL TEXT ACCESSIBLE  HERE  

by Mirja  GUTHEIL, Quentin  LIGER, Aurélie  HEETMAN, James  EAGER, Max  CRAWFORD  (Optimity  Advisors)

Hacking by law enforcement is a relatively new phenomenon within the framework of the longstanding public policy problem of balancing security and privacy. On the one hand, law enforcement agencies assert that the use of hacking techniques brings security, stating that it represents a part of the solution to the law enforcement challenge of encryption and ‘Going Dark’ without systematically weakening encryption through the introduction of ‘backdoors’ or similar techniques. On the other hand, civil society actors argue that hacking is extremely invasive and significantly restricts the fundamental right to privacy. Furthermore, the use of hacking practices pits security against cybersecurity, as the exploitation of cybersecurity vulnerabilities to provide law enforcement with access to certain data can have significant implications  for  the security of the internet.

Against this backdrop, the present study provides the LIBE Committee with relevant, actionable insight into the legal frameworks and practices for hacking by law enforcement. Firstly, the study examines the international and EU-level debates on the topic of hacking by law enforcement (Chapter 2), before analysing the possible legal bases for EU intervention in the field (Chapter 3). These chapters set the scene for the primary focus of the study: the comparative analysis of legal frameworks and practices for hacking by law enforcement across six selected Member States (France, Germany, Italy, the Netherlands, Poland and the UK), with further illustrative examples from three non-EU countries (Australia, Israel and the US) (Chapter 4). Based on these analyses, the study concludes (Chapter 5) and presents concrete recommendations and policy proposals for  EU  action  in  the field (Chapter 6).

The international and EU-level debates on the use of hacking techniques by law enforcement primarily evolve from the law enforcement challenge posed by encryption – i.e. the  ‘Going  Dark’  issue.

Going Dark is a term used to describe [the] decreasing ability [of law enforcement agencies] to lawfully access and examine evidence at rest on devices and evidence in motion across   communications   networks.1

According to the International Association of Chiefs of Police (IACP), law enforcement agencies are not able to investigate illegal activity and prosecute criminals without this evidence. Encryption technologies are cited as one of the major barriers to this access. Although recent political statements from several countries (including France, Germany, the UK and the US) seemingly call for ‘backdoors’ to encryption technologies, support for strong encryption at international and EU fora remains strong. As such, law enforcement agencies across the world started to use hacking techniques to bypass encryption. Although the term ‘hacking’ is not used by law enforcement agencies, these practices essentially mirror the techniques used by hackers (i.e. exploiting any possible vulnerabilities – including technical, system  and/or human  vulnerabilities  – within  an  information  technology  (IT) system).

Law enforcement representatives, such as the IACP and Europol, report that access to encrypted and other data through such hacking techniques brings significant investigative benefits. However, it is not the only possible law enforcement solution to the ‘Going Dark’ issue. Outside of the scope of this study, the other options include: requiring users to provide their password or decrypt their data; requiring technology vendors and service providers to bypass   the   security   of   their   own   products   and   services;   and   the    systematic   weakening   of encryption through the mandated introduction of ‘backdoors’ and/or weakened standards for encryption.

With the benefits of hacking established, a 2016 Joint Statement published by the European Union Agency for Network and Information Security (ENISA) and Europol2 noted that the use of  hacking  techniques also brings  several   key  risks.

The primary risk relates to the fundamental right to privacy and freedom of expression and information, as enshrined in international, EU and national-level law. Hacking techniques are extremely invasive, particularly when compared with traditionally intrusive investigative tools (e.g. wiretapping, house searches etc.). Through hacking, law enforcement can gain access to all data stored or in transit from a device; this represents a significant amount of data (e.g. a recent investigation by Dutch law enforcement collected seven terabytes of data, which translates into around 86 million pages of Microsoft Word documents3), as well as extremely sensitive data (e.g. a person’s location and movements, all communications, all stored data etc.). Consequently, the use of hacking techniques will inherently restrict the fundamental right to privacy.

Therefore, current debates at international and EU fora focus on assessing and providing recommendations on the current legal balances and safeguards for the restriction of the right to privacy by hacking techniques. However, these debates have assumed that hacking practices are necessary for law enforcement and simply require governing laws; they have not discussed whether the use of hacking techniques by law enforcement is necessary and proportional. The law enforcement assertions regarding the necessity of these invasive tools have  not   been  challenged.

The second key risk relates to the security of the internet. Law enforcement use of hacking techniques has the potential to significantly weaken the security of the internet by “[increasing] the attack surface for malicious abuse”4. Given that critical infrastructure and defence organisations, as well as law enforcement agencies themselves, use the technologies targeted and potentially weakened by law enforcement hacking, the potential ramifications reach  far  beyond  the intended  target.

As such, debates at international and EU fora focus on the appropriate balances between security and privacy, as well as security and cybersecurity. Regarding security v. privacy, the debates to date have assessed and provided recommendations on the legislative safeguards required to ensure that hacking techniques are only permitted in situations where a restriction of the fundamental right to privacy is valid in line with EU legislation (i.e. legal, necessary and proportional). Regarding security v. cybersecurity, the debates have been limited and primarily centre around the use and/or reporting of zero-day vulnerabilities discovered  by  law enforcement agencies.

Further risks not discussed in the Joint Statement but covered by this study include: the risks to territorial sovereignty – as law enforcement agencies may not know the physical location of the target data; and the risks related to the supply and use of commercially-developed hacking tools by governments with poor consideration for human rights.

Alongside the analysis of international and EU debates, the study presents hypotheses on the legal  bases  for  EU  intervention  in  the  field. Although  possibilities for  EU  legal  intervention  in several areas are discussed, including mutual admissibility of evidence (Art. 82(2) TFEU), common investigative techniques (Art. 87(2)(c) TFEU), operational cooperation (Art. 87(3) TFEU) and data protection (Art. 16 TFEU, Art. 7 & 8 EU Charter), the onus regarding the development of legislation in the field is with the Member States. As such, the management of the risks associated with law enforcement activities is governed at the Member State level.

As suggested by the focus of the international and EU discussions, concrete measures need to be stipulated at national-level to manage these risks. This study presents a comparative analysis of the legal frameworks for hacking by law enforcement across six Member States, as well as certain practical aspects of hacking by law enforcement, thereby providing an overview of the primary Member State mechanisms for the management of these risks. Further illustrative examples are provided from research conducted in three non-EU countries.

More specifically, the study examines the legal and practical balances and safeguards implemented at national-level to ensure: i) the legality, necessity and proportionality of restrictions to the fundamental  right  to  privacy;   and ii) the security  of  the internet.

Regarding restrictions to the right to privacy, the study first examines the existence of specific legal frameworks for hacking by law enforcement, before exploring the ex-ante and ex-post conditions and mechanisms stipulated to govern restrictions of the right to privacy and ensure they are legal, necessary  and  proportional.

It is found that hacking practices are seemingly necessary across all Member States examined, as four Member States (France, Germany, Poland and the UK) have adopted specific legislative provisions and the remaining two are in the legislative process. For all Member States except Germany, the adoption of specific legislative provisions occurred in 2016 (France, Poland and the UK) or will occur later (Italy, the Netherlands).  This  confirms the  new  nature  of these investigative techniques.

Additionally, law enforcement agencies in all Member States examined have used, or still use, hacking techniques in the absence of specific legislative provisions, under so-called ‘grey area’ legal provisions. Given the invasiveness of hacking techniques, these grey areaprovisions are considered  insufficient  to adequately  protect the right to privacy.

Where specific legal provisions have been adopted, all stakeholders agree that a restriction of the right to privacy requires the implementation of certain safeguards. The current or proposed legal frameworks of all six Member States comprise a suite of ex-ante conditions and ex-post mechanisms that aim to ensure the use of hacking techniques is proportionate and necessary. As recommended by various UN bodies, the provisions of primary importance include judicial authorisation of hacking practices, safeguards related to the nature, scope and duration of possible measures (e.g. limitations to crimes of a certain gravity and the  duration  of  the hack,  etc.) and  independent   oversight.

Although many of these types of recommended conditions are common across the Member States examined – demonstrated in the below table – their implementation parameters differ. For instance, both German and Polish law permit law enforcement hacking practices without judicial authorisation in exigent circumstance if judicial authorisation is achieved in a specified timeframe. However, the timeframe differs (three days in Germany compared with five days in Poland). These differences make significant difference, as the Polish timeframe was criticised  by the Council  of  Europe’s  Venice Commission  for being  too long.5

Furthermore, the Member States examined all accompany these common types of ex-ante and ex-post conditions with different, less common conditions. This is particularly true for ex-post oversight mechanisms. For instance, in Poland, the Minister for internal affairs provides macro-level information to the lower (Sejm) and upper (Senat) chambers of Parliament;6 and in the UK, oversight is provided by the Investigatory Powers Commissioner, who reviews all cases of hacking by law enforcement, and the Investigatory Powers Tribunal, which  considers disputes or  complaints surrounding  law enforcement  hacking.7

Key ex-ante considerations
Judicial authorisation The    legal    provisions    of    all    six    Member    States    require    ex-ante judicial        authorisation        for        law        enforcement        hacking.        The information  to  be  provided  in  these requests differ.

Select     Member     States     (e.g.     Germany,     Poland,     the     UK)     also provide for hacking without prior judicial authorisation in exigent circumstances  if  judicial  authorisation  is subsequently  provided. The timeframes  for  ex-post authorisation  differ.

Limitation by crime and  duration All  six Member  States  restrict  the  use  of  hacking  tools  based  on the   gravity   of   crimes.    In    some    Member   States,    the    legislation presents  a  specific  list  of  crimes  for  which  hacking  is permitted; in     others,     the    limit    is    set     for    crimes    that    have    a    maximum custodial    sentence   of   greater   than    a   certain   number    of   years. The lists and numbers  of years required differ by Member   State.

Many Member States also restrict the duration for which hacking may   be   used.   This   restriction   ranges   from   maximum   1   month (France, Netherlands) to a maximum of 6 months (UK), although extensions     are     permitted     under     the     same     conditions     in     all Member States.

Key ex-post considerations
Notification and effective remedy Most    Member    States    provide    for    the    notification    of    targets    of hacking  practices and  remedy  in  cases  of unlawful   hacking.
Reporting and oversight Primarily, Member States report at a micro-level through logging hacking  activities and  reporting them  in  case  files.

However,   some   Member   States   (e.g.   Germany,   Poland   and   the UK) have macro-level  review  and  oversight mechanisms.

Furthermore, as regards the issue of territoriality (i.e. the difficulty law enforcement agencies face obtaining the location of the data to be collected using hacking techniques), only one Member States, the Netherlands, legally permits the hacking of devices if the location is unknown. If the device turns out to be in another jurisdiction, Dutch law enforcement must apply  for Mutual  Legal  Assistance.

As such, when aggregated, these provisions strongly mirror Article 8 of the European Convention on Human Rights, as well as the UN recommendations and paragraph 95 of the ECtHR  judgement  in  Weber and  Saravia  v.  Germany.  However,   there are  many,  and  varied, criticisms when the Member State conditions are examined in isolation. Some of the provisions criticised include: the limits based on the gravity of crimes (e.g. the Netherlands, France and Poland); the provisions for notification and effective remedy (e.g. Italy and the Netherlands); the process for screening and deleting non-relevant data (Germany); the definition of devices that can be targeted (e.g. the Netherlands); the duration permitted for hacking (e.g. Poland); and a lack of knowledge amongst the judiciary (e.g. France, Germany, Italy and the Netherlands).With this said, certain elements, taken in isolation, can be called good  practices. Such  examples  are  presented below.

Select  good practice: Member State legislative frameworks

Germany: Although they were deemed unconstitutional in a 2016 ruling, the provisions for the screening and deletion of data related to the core area of private life are a positive step. If the provisions are amended, as stipulated in the ruling, to ensure screening by an independent body, they would provide strong protection for the targeted individual’s private data.

Italy: The 2017 draft Italian law includes a range of provisions related to the development and monitoring of the continued use of hacking tools. As such, one academic stakeholder remarked that the drafting of the law must have been driven by technicians. However, these provisions bring significant benefits to the legislative provisions in terms of supervision and oversight of the use of hacking tools. Furthermore, the Italian draft law takes great care to separate the functionalities of the hacking tools, thus protecting against the overuse or abuse of a  hacking tool’s  extensive  capabilities.

Netherlands: The Dutch Computer Crime III Bill stipulates the need to conduct a formal proportionality assessment for each hacking request, with the assistance of a dedicated Central Review Commission (Centrale Toetsings Commissie). Also, the law requires rules to be laid down on the authorisation and expertise of the investigation officers that can perform hacking.

With these findings in mind, the study concludes that the specific national-level legal provisions examined provide for the use of hacking techniques in a wide array of circumstances. The varied combinations of requirements, including those related to the gravity of crimes, the duration and purpose of operations and the oversight, result in a situation where the law does not provide for much stricter conditions than are necessary for less  intrusive  investigative activities such  as interception.

Based on the study findings,  relevant  and actionable policy proposals and recommendations have been developed under the two key elements: i) the fundamental right  to  privacy;  and  ii) the security  of the internet.

Recommendations and policy proposals: Fundamental  right  to  privacy

It is recommended that the use of ‘grey area’ legal provisions is not sufficient to protect the fundamental right to privacy. This is primarily because existing legal provisions do not provide for the more invasive nature of hacking techniques and do not provide for the legislative precision  and  clarity  as  required  under  the  Charter and the  ECHR.

Furthermore, many of these provisions have only recently been enacted. As such, there is a need for robust evidence-based monitoring and evaluation of the practical application of these provisions. It is therefore recommended that the application of these new legal provisions is evaluated regularly at national level, and that the results of these evaluations are  assessed at  EU-level.

If specific legislative provisions are deemed necessary, the study recommends a range of good practice, specific ex-ante and ex-post provisions governing the use of hacking practices by  law  enforcement  agencies. These are detailed  in  Chapter 6.

Policy proposal 1: The European Parliament should pass a resolution calling on Member States to conduct a Privacy Impact Assessment when new laws are proposed to permit and govern the use of hacking techniques by law enforcement agencies. This Privacy Impact Assessment should focus on the necessity and proportionality of the use of hacking tools and should  require input  from  national  data protection  authorities.

Policy proposal 2: The European Parliament should reaffirm the need for Member States to adopt a clear and precise legal basis if law enforcement agencies are to use hacking techniques.

Policy proposal 3: The European Parliament should commission more research or encourage the European Commission or other bodies to conduct more research on the topic. In response to the Snowden revelations, the European Parliament called on the EU Agency for Fundamental Rights (FRA) to thoroughly research fundamental rights protection in the context of surveillance. A similar brief related to the legal frameworks governing the use of hacking techniques by law enforcement across all EU Member States would act as an invaluable piece  of  research.

Policy proposal 4: The European Parliament should encourage Member States to undertake evaluation and monitoring activities on the practical application of the new legislative provisions  that  permit  hacking  by  law  enforcement  agencies.

Policy proposal 5: The European Parliament should call on the EU Agency for Fundamental Rights (FRA) to develop a practitioner handbook related to the governing of hacking by law enforcement. This handbook should be intended for lawyers, judges, prosecutors, law enforcement officers and others working with national authorities, as well as non­governmental organisations and other bodies confronted with legal questions in the areas set out by the handbook. These areas should cover the invasive nature of hacking techniques and relevant safeguards as per international and EU law and case law, as well as appropriate mechanisms for supervision  and   oversight.

Policy proposal 6: The European Parliament should call on EU bodies, such as the FRA, CEPOL and Eurojust, to provide training for national-level members of the judiciary and data protection authorities, in collaboration with the abovementioned handbook, on the technical means for hacking in use across the Member States, their potential for invasiveness and the principles of  necessity  and  proportionality in  relation  to these  technical  means.

Recommendations and policy proposals: Security of  the  internet

The primary recommendation related to the security of the internet is that the position of the EU against the implementation of ‘backdoors’ and similar techniques, and in support of strong encryption standards, should be reaffirmed, given the prominent role encryption plays in our society and its importance to the EU’s Digital Agenda. To support this position, the EU should ensure continued engagement with global experts in computer science as well as civil society privacy and  digital  rights groups.

The actual impacts of hacking by law enforcement on the security of the internet are yet unknown. More work should be done at the Member State level to assess the potential impacts such that these data can feed in to overarching discussions on the necessity and proportionality of law enforcement hacking. Furthermore, more work should be done, beyond understanding the risks to the security of the internet, to educate those involved in the authorisation and use of  hacking  techniques by law enforcement.

At present, the steps taken to safeguard the security of the internet against the potential risks of hacking are not widespread. As such, the specific legislative provisions governing the use of hacking techniques by law enforcement, if deemed necessary, should safeguard the security of the internet and the security of the device, including reporting the vulnerabilities used to gain access to a device to the appropriate technology vendor or service provider; and  ensure  the  full  removal  of  the software  or hardware from the targeted  device.

Policy proposal 7: The European Parliament should pass a resolution calling on Member States to conduct an Impact Assessment to examine the impact of new or existing laws governing  the  use  of hacking  techniques by  law  enforcement on  the  security  of  the internet.

Policy proposal 8: The European Parliament, through enhanced cooperation with Europol
and the European Union Agency for Network and Information Security (ENISA), should
reaffirm its commitment to strong encryption considering discussions on the topic of hacking by law enforcement. In addition, the Parliament should reaffirm its opposition to the implementation of  
backdoors and  similar techniques in information technology infrastructures or  services.

Policy proposal 9: Given the lack of discussion around handling zero-day vulnerabilities, the European Parliament should support the efforts made under the cybersecurity contractual Public-Private Partnership (PPP) to develop appropriate responses to handling zero-day vulnerabilities, taking into consideration the risks related to fundamental rights and the security  of the internet.

Policy proposal 10: Extending policy proposal 4, above, the proposed FRA handbook should also cover the risks  posed  to  the  security  of the  internet  by  using hacking  techniques.

Policy proposal 11: Extending policy proposal 5, training provided to the judiciary by EU bodies such as FRA, CEPOL and Eurojust should also educate these individuals on the risks posed  to  the security  of  the internet  by  hacking  techniques.

Policy proposal 12: Given the lack of discussion around the risks posed to the security of the internet by hacking practices, the European Parliament should encourage debates at the appropriate fora specific to understanding this risk and the approaches to managing this risk. It is encouraged that law enforcement representatives should be present within such discussions.

Parliamentary Tracker : the EP incoming resolution on the EU-USA (so called) “Privacy Shield”…

 

NOTA BENE : Below the text that will be submitted to vote at the next EP plenary. As in previous occasions the text is well drafted, legally precise and it confirms the high level of  competence that the European Parliament (and its committee LIBE) has developed along the last 17 years from the first inquiry on Echelon (2000), the Safe Harbor (2000), the EU-USA agreement on PNR (since 2003 a thirteen year long lasting saga…) the SWIFT agreement (2006) …

What is puzzling are the critics raised against the  so called “adequacy finding” mechanism which empowers the European Commission to decide if a third Country protect “adequately” the EU citizens personal data. The weaknesses of the Commission face to our strongest transatlantic ally  were already very well known when recently the parliamentarians have reformed the European legal framework on data protection in view of the new legal basis foreseen by the Treaties and in the art. 7 and 8 of the EU Charter.  However the EP did’nt try to strengthen the “adequacy” mechanism by transforming it at least in a “delegated” function (so that it would had been possible for the EP to block something which could had weackened our standards).

Now the US Congress is weakening the (already poor) US data protection and the new US administration will probably go in the same direction.  It seems to me to easy  to complain now on something that you had recently the chance to fix..

Let’s now hope that the Court of Justice by answering to the request for opinion on the EU-Canada PNR agreement will give to the EU legislator some additional recommendations but as an EU citizen I would had preferred a stronger EU legislation instead of been ruled by european or national Judges…

Emilio De Capitani

B8‑0235/2017 European Parliament resolution on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP))

The European Parliament,

–        having regard to the Treaty on European Union (TEU), the Treaty on the Functioning of the European Union (TFEU) and Articles 6, 7, 8, 11, 16, 47 and 52 of the Charter of Fundamental Rights of the European Union,

–        having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive)[1],

–        having regard to Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters[2],

–        having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)[3], and to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA[4],

–        having regard to the judgment of the Court of Justice of the European Union of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner[5],

–        having regard to the Commission communication to the European Parliament and the Council of 6 November 2015 on the transfer of personal data from the EU to the United States of America under Directive 95/46/EC following the judgment by the Court of Justice in Case C-362/14 (Schrems) (COM(2015)0566),

–        having regard to the Commission communication to the European Parliament and the Council of 10 January 2017 on Exchanging and Protecting Personal Data in a Globalised World (COM(2017)0007),

–        having regard to the judgment of the Court of Justice of the European Union of 21 December 2016 in Cases C-203/15 Tele2 Sverige AB v Post- och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson and Others[6],

–        having regard to Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield[7],

–        having regard to Opinion 4/2016 of the European Data Protection Supervisor (EDPS) on the EU-US Privacy Shield draft adequacy decision[8],

–        having regard to the Opinion of the Article 29 Data Protection Working Party of 13 April 2016 on the EU-US Privacy Shield draft adequacy decision[9] and its Statement of 26 July 2016[10],

–        having regard to its resolution of 26 May 2016 on transatlantic data flows[11],

–        having regard to Rule 123(2) of its Rules of Procedure,

  1. whereas the Court of Justice of the European Union (CJEU) in its judgment of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner invalidated the Safe Harbour decision and clarified that an adequate level of protection in a third country must be understood to be ‘essentially equivalent’ to that guaranteed within the European Union by virtue of Directive 95/46/EC read in the light of the Charter of Fundamental Rights of the European Union (hereinafter ‘the EU Charter’), prompting the need to conclude negotiations on a new arrangement so as to ensure legal certainty on how personal data should be transferred from the EU to the US;
  2. whereas, when examining the level of protection afforded by a third country, the Commission is obliged to assess the content of the rules applicable in that country deriving from its domestic law or its international commitments, as well as the practice designed to ensure compliance with those rules, since it must, under Article 25(2) of Directive 95/46/EC, take account of all the circumstances surrounding a transfer of personal data to a third country; whereas this assessment must not only refer to legislation and practices relating to the protection of personal data for commercial and private purposes, but must also cover all aspects of the framework applicable to that country or sector, in particular, but not limited to, law enforcement, national security and respect for fundamental rights;
  3. whereas transfers of personal data between commercial organisations of the EU and the US are an important element for the transatlantic relationships; whereas these transfers should be carried out in full respect of the right to the protection of personal data and the right to privacy; whereas one of the fundamental objectives of the EU is the protection of fundamental rights, as enshrined in the EU Charter;
  4. whereas in its Opinion 4/2016 the EDPS raised several concerns on the draft Privacy Shield; whereas the EDPS welcomes in the same opinion the efforts made by all parties to find a solution for transfers of personal data from the EU to the US for commercial purposes under a system of self-certification;
  5. whereas in its Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision the Article 29 Working Party welcomed the significant improvements brought about by the Privacy Shield compared with the Safe Harbour decision whilst also raising strong concerns about both the commercial aspects and access by public authorities to data transferred under the Privacy Shield;
  6. whereas on 12 July 2016, after further discussions with the US administration, the Commission adopted its Implementing Decision (EU) 2016/1250, declaring the adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield;
  7. whereas the EU-US Privacy Shield is accompanied by several letters and unilateral statements from the US administration explaining, inter alia, the data protection principles, the functioning of oversight, enforcement and redress and the protections and safeguards under which security agencies can access and process personal data;
  8. whereas in its statement of 26 July 2016, the Article 29 Working Party welcomes the improvements brought by the EU-US Privacy Shield mechanism compared with Safe Harbour and commended the Commission and the US authorities for having taken into consideration its concerns; whereas the Article 29 Working Party indicates, nevertheless, that a number of its concerns remain, regarding both the commercial aspects and the access by US public authorities to data transferred from the EU, such as the lack of specific rules on automated decisions and of a general right to object, the need for stricter guarantees on the independence and powers of the Ombudsperson mechanism, and the lack of concrete assurances of not conducting mass and indiscriminate collection of personal data (bulk collection);
  9. Welcomes the efforts made by both the Commission and the US administration to address the concerns raised by the CJEU, the Member States, the European Parliament, data protection authorities (DPAs) and stakeholders, so as to enable the Commission to adopt the implementing decision declaring the adequacy of the EU-US Privacy Shield;
  10. Acknowledges that the EU-US Privacy Shield contains significant improvements regarding the clarity of standards compared with the former EU-US Safe Harbour and that US organisations self-certifying adherence to the EU-US Privacy Shield will have to comply with clearer data protection standards than under Safe Harbour;
  11. Takes note that as at 23 March 2017, 1 893 US organisations have joined the EU-US Privacy Shield; regrets that the Privacy Shield is based on voluntary self-certification and therefore applies only to US organisations which have voluntarily signed up to it, which means that many companies are not covered by the scheme;
  12. Acknowledges that the EU-US Privacy Shield facilitates data transfers from SMEs and businesses in the Union to the US;
  13. Notes that, in line with the ruling of the CJEU in the Schrems case, the powers of the European DPAs remain unaffected by the adequacy decision and they can, therefore, exercise them, including the suspension or the ban of data transfers to an organisation registered with the EU-US Privacy Shield; welcomes in this regard the prominent role given by the Privacy Shield Framework to Member State DPAs to examine and investigate claims related to the protection of the rights to privacy and family life under the EU Charter and to suspend transfers of data, as well as the obligation placed upon the US Department of Commerce to resolve such complaints;
  14. Notes with satisfaction that under the Privacy Shield Framework, EU data subjects have several means available to them to pursue legal remedies in the US: first, complaints can be lodged either directly with the company or through the Department of Commerce following a referral by a DPA, or with an independent dispute resolution body, secondly, with regard to interferences with fundamental rights for the purpose of national security, a civil claim can be brought before the US court and similar complaints can also be addressed by the newly created independent Ombudsperson, and finally, complaints about interferences with fundamental rights for the purposes of law enforcement and the public interest can be dealt with by motions challenging subpoenas; encourages further guidance from the Commission and DPAs to make those legal remedies all the more easily accessible and available;
  15. Acknowledges the clear commitment of the US Department of Commerce to closely monitor the compliance of US organisations with the EU-US Privacy Shield Principles and their intention to take enforcement actions against entities failing to comply;
  16. Reiterates its call on the Commission to seek clarification on the legal status of the ‘written assurances’ provided by the US and to ensure that any commitment or arrangement foreseen under the Privacy Shield is maintained following the taking up of office of a new administration in the United States;
  17. Considers that, despite the commitments and assurances made by the US Government by means of the letters attached to the Privacy Shield arrangement, important questions remain as regards certain commercial aspects, national security and law enforcement;
  18. Specifically notes the significant difference between the protection provided by Article 7 of Directive 95/46/EC and the ‘notice and choice’ principle of the Privacy Shield arrangement, as well as the considerable differences between Article 6 of Directive 95/46/EC and the ‘data integrity and purpose limitation’ principle of the Privacy Shield arrangement; points out that instead of the need for a legal basis (such as consent or contract) that applies to all processing operations, the data subject rights under the Privacy Shield Principles only apply to two narrow processing operations (disclosure and change of purpose) and only provide for a right to object (‘opt-out’);
  19. Takes the view that these numerous concerns could lead to a fresh challenge to the decision on the adequacy of the protection being brought before the courts in the future; emphasises the harmful consequences as regards both respect for fundamental rights and the necessary legal certainty for stakeholders;
  20. Notes, amongst other things, the lack of specific rules on automated decision-making and on a general right to object, and the lack of clear principles on how the Privacy Shield Principles apply to processors (agents);
  21. Notes that, while individuals have the possibility to object vis-à-vis the EU controller to any transfer of their personal data to the US, and to the further processing of those data in the US where the Privacy Shield company acts as a processor on behalf of the EU controller, the Privacy Shield lacks specific rules on a general right to object vis-à-vis the US self-certified company;
  22. Notes that only a fraction of the US organisations that have joined the Privacy Shield have chosen to use an EU DPA for the dispute resolution mechanism; is concerned that this constitutes a disadvantage for EU citizens when trying to enforce their rights;
  23. Notes the lack of explicit principles on how the Privacy Shield Principles apply to processors (agents), while recognising that all principles apply to the processing of personal data by any US self-certified company ‘[u]nless otherwise stated’ and that the transfer for processing purposes always requires a contract with the EU controller which will determine the purposes and means of processing, including whether the processor is authorised to carry out onward transfers (e.g. for sub-processing);
  24. Stresses that, as regards national security and surveillance, notwithstanding the clarifications brought by the Office of the Director of National Intelligence (ODNI) in the letters attached to the Privacy Shield framework, ‘bulk surveillance’, despite the different terminology used by the US authorities, remains possible; regrets the lack of a uniform definition of the concept of bulk surveillance and the adoption of the American terminology, and therefore calls for a uniform definition of bulk surveillance linked to the European understanding of the term, where evaluation is not made dependent on selection; stresses that any kind of mass surveillance is in breach of the EU Charter;
  25. Recalls that Annex VI (letter from Robert S. Litt, ODNI) clarifies that under Presidential Policy Directive 28 (hereinafter ‘PPD-28’), bulk collection of personal data and communications of non-US persons is still permitted in six cases; points out that such bulk collection only has to be ‘as tailored as feasible’ and ‘reasonable’, which does not meet the stricter criteria of necessity and proportionality as laid down in the EU Charter;
  26. Deplores the fact that the EU-US Privacy Shield does not prohibit the collection of bulk data for law enforcement purposes;
  27. Stresses that in its judgment of 21 December 2016, the CJEU clarified that the EU Charter ‘must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’; points out that the bulk surveillance in the US therefore does not provide for an essentially equivalent level of the protection of personal data and communications;
  28. Is alarmed by the recent revelations about surveillance activities conducted by a US electronic communications service provider on all emails reaching its servers, upon request of the National Security Agency (NSA) and the FBI, as late as 2015, i.e. one year after Presidential Policy Directive 28 was adopted and during the negotiation of the EU-US Privacy Shield; insists that the Commission seek full clarification from the US authorities and make the answers provided available to the Council, Parliament and national DPAs; sees this as a reason to strongly doubt the assurances brought by the ODNI; is aware that the EU-US Privacy Shield rests on PPD-28, which was issued by the President and can also be repealed by any future President without Congress’s consent;
  29. Expresses great concerns at the issuance of the ‘Procedures for the Availability or Dissemination of Raw Signals Intelligence Information by the National Security Agency under Section 2.3 of Executive Order 12333’, approved by the Attorney General on 3 January 2017, allowing the NSA to share vast amounts of private data gathered without warrants, court orders or congressional authorisation with 16 other agencies, including the FBI, the Drug Enforcement Agency and the Department of Homeland Security; calls on the Commission to immediately assess the compatibility of these new rules with the commitments made by the US authorities under the Privacy Shield, as well as their impact on the level of personal data protection in the United States;
  30. Deplores the fact that neither the Privacy Shield Principles nor the letters of the US administration providing clarifications and assurances demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to a US organisation under the Privacy Shield Principles and further accessed and processed by US public authorities for law enforcement and public interest purposes, which were emphasised by the CJEU in its judgment of 6 October 2015 as the essence of the fundamental right in Article 47 of the EU Charter;
  31. Recalls its resolution of 26 May 2016 stating that the Ombudsperson mechanism set up by the US Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry out its duties and provide effective redress to EU individuals; notes that according to the representations and assurances provided by the US Government the Office of the Ombudsperson is independent from the US intelligence services, free from any improper influence that could affect its function and moreover works together with other independent oversight bodies with effective powers of supervision over the US Intelligence Community; is generally concerned that an individual affected by a breach of the rules can apply only for information and for the data to be deleted and/or for a stop to further processing, but has no right to compensation;
  32. Regrets that the procedure of adoption of an adequacy decision does not provide for a formal consultation of relevant stakeholders such as companies, and in particular SMEs’ representation organisations;
  33. Regrets that the Commission followed the procedure for adoption of the Commission implementing decision in a practical manner that de facto has not enabled Parliament to exercise its right of scrutiny on the draft implementing act in an effective manner;
  34. Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 16 May 2018, and with the EU Charter;
  35. Calls on the Commission to ensure, in particular, that personal data that has been transferred to the US under the Privacy Shield can only be transferred to another third country if that transfer is compatible with the purpose for which the data was originally collected, and if the same rules of specific and targeted access for law enforcement apply in the third country;
  36. Calls on the Commission to monitor whether personal data which is no longer necessary for the purpose for which it had been originally collected is deleted, including by law enforcement agencies;
  37. Calls on the Commission to closely monitor whether the Privacy Shield allows for the DPAs to fully exercise all their powers, and if not, to identify the provisions that result in a hindrance to the DPAs’ exercise of powers;
  38. Calls on the Commission to conduct, during the first joint annual review, a thorough and in-depth examination of all the shortcomings and weaknesses referred to in this resolution and in its resolution of 26 May 2016 on transatlantic data flows, and those identified by the Article 29 Working Party, the EDPS and the stakeholders, and to demonstrate how they have been addressed so as to ensure compliance with the EU Charter and Union law, and to evaluate meticulously whether the mechanisms and safeguards indicated in the assurances and clarifications by the US administration are effective and feasible;
  39. Calls on the Commission to ensure that when conducting the joint annual review, all the members of the team have full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes;
  40. Stresses that all members of the joint review team must be ensured independence in the performance of their tasks and must be entitled to express their own dissenting opinions in the final report of the joint review, which will be public and annexed to the joint report;
  41. Calls on the Union DPAs to monitor the functioning of the EU-US Privacy Shield and to exercise their powers, including the suspension or definitive ban of personal data transfers to an organisation in the EU-US Privacy Shield if they consider that the fundamental rights to privacy and the protection of personal data of the Union’s data subjects are not ensured;
  42. Stresses that Parliament should have full access to any relevant document related to the joint annual review;
  43. Instructs its President to forward this resolution to the Commission, the Council, the governments and national parliaments of the Member States and the US Government and Congress.

NOTES
[1] OJ L 281, 23.11.1995, p. 31.
[2] OJ L 350, 30.12.2008, p. 60.
[3] OJ L 119, 4.5.2016, p. 1.
[4] OJ L 119, 4.5.2016, p. 89.
[5] ECLI:EU:C:2015:650.
[6] ECLI:EU:C:2016:970.
[7] OJ L 207, 1.8.2016, p. 1.
[8] OJ C 257, 15.7.2016, p. 8.
[9] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf
[10] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf
[11] Texts adopted, P8_TA(2016)0233.