The Ever-expanding National Security State in Europe: the Case of Poland

by Luigi LIMONE (*)

One of the most alarming developments across the European Union is the effort by States to make it easier to invoke and prolong a “state of emergency” as a response to terrorism or the threat of violent attacks. Emergency measures, which are generally supposed to be temporary, have become embedded in ordinary criminal law. Parliaments across the European Union are adopting a number of coercive measures in fast-track processes, leaving little time for consideration of their impact on human rights and civil liberties.

In compliance with international human rights law, exceptional measures should only be applied in genuinely exceptional circumstances and, as stated by Article 15 of the European Convention on Human Rights (ECHR), “in time of war or other public emergency threatening the life of the nation”.

Nevertheless, phenomena such as the rise of nationalist parties, anti-refugee sentiment, stereotyping and discrimination against Muslim communities, and intolerance for speech or other forms of expression create a risk that these “emergency measures” will target certain people for reasons which have nothing to do with a genuine threat to national security or from terrorist-related acts.

Up to now, France is the only EU Member State to have formally declared a state of emergency on national security grounds for terrorism-related acts in the last couple of years. However, other Member States have passed laws in fast-track processes and engaged in operations in response to real or perceived security threats. A clear example comes from Austria and Hungary, which have recently invoked the threat of terrorism in the context of the refugee crisis with profoundly negative impact on the right to seek and enjoy asylum in Europe.

One of the countries which is currently attracting the attention of several NGOs working in the field of human rights protection is Poland. Several cases of human rights violations as well as dismantlement of the rule of law have been reported since the Law and Justice (Prawo i Sprawiedliwość) party came to power in October 2015.

In June 2016, Poland enacted a new Counter-terrorism Law following a fast-track legislative process. This law consolidates sweeping powers in the hands of the Internal Security Agency (ISA) and, combined with other recent legislative amendments, it creates conditions for violations of the rights to liberty, privacy, fair trial, expression, peaceful assembly and non-discrimination.

The new Counter-terrorism Law gives a broad and vague definition of terrorism which paves the way for: a) the expansion of indiscriminate mass surveillance powers; b) the targeting of foreign nationals; c) the extension of pre-charge detention.

According to Amnesty International, such an ill-defined and imprecise definition allows for disproportionate interference with human rights as well as arbitrary application and abuse.

The UN Human Rights Committee recommended in October 2016 that a definition be adopted that “does not give the authorities excessive discretion or obstruct the exercise of rights”.

The Counter-terrorism Law includes provision for the Director of the Internal Security Agency to order the immediate blocking of specific websites with no prior judicial authorization if he or she considers that a delay could result in a “terrorist incident”. Such a provision compromises the right to freedom of expression, including the right to seek, receive and impart information.

Freedom of peaceful assembly is also under threat under the new Counter-terrorism Law.

The Law, in fact, establishes a terror alert system which, if it reaches the level of three or four, allows the authorities to ban assemblies and large-scale events in particular locations.

The lack of transparency in the operation of the alert system, together with the vague definition of terrorism, could result in violations of the right to peaceful assembly and freedom of expression. As a result, the terror alert system could be used by the government as an excuse to ban peaceful public protests against its policy on a wide range of issues, including abortion or Lesbian, Gay, Bisexual, Transgender and Intersex (LGBTI) rights.

Foreign nationals in Poland are particular targets of the new Counter-terrorism Law. They can be subjected to a range of covert surveillance measures, including wire-tapping, monitoring of electronic communications and surveillance of telecommunication networks and devices without any judicial oversight for the first three months.

Such surveillance is permitted if there is a “fear” that a foreign national may be involved in terrorism-related activities. In addition, the Law does not provide procedural safeguards to ensure that anyone made aware of surveillance can challenge it and have access to an effective remedy against unlawful surveillance. It also impacts Polish citizens who communicate or live with foreigners under investigation.

Poland’s new Counter-terrorism Law also provides for 14 days of detention without charge of people suspected of “terrorist crimes”. Since such detention measures can be adopted on the basis of information obtained through the broad surveillance powers given to the executive, the suspects and their lawyer may be denied access to the evidence upon which the pre-charge detention is based. Given the fact that the new surveillance powers primarily target foreigners, such measures could discriminate against non-nationals and have a disproportionate impact on foreign individuals, their families and communities.

Furthermore, the situation in Poland appears very critical when it comes to criminal law and to protection from discrimination and hate crimes in particular. While the country has made some progress in addressing hate crimes against certain groups, it has left others entirely behind, thus creating a double system and a significant protection gap in law as well as in practice.

Polish criminal law provides for the investigation and prosecution of hate crimes motivated by race, ethnicity, nationality, religion and political affiliation. However, it does not establish that age, disability, gender, gender identity and expression, sexual orientation and social or economic status are grounds to investigate and prosecute hate crimes.

As stated in a report published by Amnesty International in September 2015, members of ethnic minorities, refugees, asylum-seekers and migrants continue to experience discrimination and violence in practice. In addition, transgender and intersex people are not explicitly protected from discrimination on grounds of gender identity and expression, and protection on the grounds of disability and religion is limited as well.

The situation is particularly crucial with regard to discrimination motivated by gender identity as well as expression and sexual orientation. LGBTI people are not sufficiently protected, as demonstrated by the huge number of homophobic and transphobic hate crimes. As far as women and girls are concerned, they continue to face obstacles in accessing legal and safe abortion and frequent cases of sexual harassment and rape are still being reported.

The current legal framework governing abortion in Poland is one of the most restrictive in Europe with terminations legally permitted only when the life of the foetus is under threat, when there is a grave threat to the health of the mother and in the instance that the pregnancy resulted from rape or incest.

A new bill proposing to further restrict sexual and reproductive rights was submitted to Parliament on 5 July 2016. The restrictive measure is intended to ban abortion in all circumstances except for when it is considered to be the only means available to save a woman’s life. It would also criminalize women and girls who are found to have obtained an abortion as well as the people encouraging or assisting them to do so.

Following mass protests and women’s strikes, the bill was eventually rejected, but the government, supported by the Polish Catholic church, has announced that it is considering other restrictions, including a total ban of emergency contraception and of the morning-after pill in particular.

In conclusion, significant deterioration in several areas has been observed since the Law and Justice party’s assumption of power in October 2015. A total of 148 new laws and legislative amendments have been enacted since then, which have led to serious violations of several fundamental rights enshrined in international human rights treaties, including the right to life, health and freedom from torture and other inhuman or degrading treatment as well as the right to privacy, information, equality and non-discrimination.

(*) FREE Group Trainee

Sources:

– Dangerously Disproportionate: The Ever-expanding National Security State in Europe, by Amnesty International, 17 January 2017, Index number: EUR 01/5342/2017

– Poland: Submission to the United Nations Human Rights Committee – 118th session, 17 Oct.-04 Nov. 2016, Index number: EUR 37/4849/2016

– Poland: Dismantling Rule of Law?, Amnesty International Submission for the UN Universal Periodic Review – 27th Session of the UPR Working Group, April/May 2017, Index number: EUR 37/5069/2016

 

Foreign fighters’ helpers excluded from refugee status: the ECJ clarifies the law

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Steve Peers

What if a person claiming to be a refugee is an alleged terrorist, or at least giving assistance to alleged terrorists? Can they still claim to be a refugee – and if not, how should we define ‘terrorism’ for the purposes of rejecting their claim to be one? Today’s judgment of the EU Court of Justice in the Lounani case usefully clarifies some aspects of this controversial and legally complex issue, but inevitably leaves some difficult questions open.

Legal framework

The starting point for this issue is the wording of the UN Refugee Convention, known by the EU as the ‘Geneva Convention’, which contains an ‘exclusion’ clause in Article 1.F:

  F. The provisions of this Convention shall not apply to any person with respect to whom there are serious reasons for considering that:

(a) he has committed a crime against peace, a war crime, or a crime against humanity, as defined in the international instruments drawn up to make provision in respect of such crimes;

(b) he has committed a serious non-political crime outside the country of refuge prior to his admission to that country as a refugee;

(c) he has been guilty of acts contrary to the purposes and principles of the United Nations.

The UN rules (which all EU Member States have signed up to) have been transposed, but with variations, in the EU’s Qualification Directive, which applies to every Member State except Denmark. (Technically the UK and Ireland are bound only by the first version of this Directive, but the rules on exclusion haven’t changed). Article 12(3) of that Directive reads as follows:

  2. A third-country national or a stateless person is excluded from being a refugee where there are serious reasons for considering that:

(a) he or she has committed a crime against peace, a war crime, or a crime against humanity, as defined in the international instruments drawn up to make provision in respect of such crimes;

(b) he or she has committed a serious non-political crime outside the country of refuge prior to his or her admission as a refugee, which means the time of issuing a residence permit based on the granting of refugee status; particularly cruel actions, even if committed with an allegedly political objective, may be classified as serious non-political crimes;

(c) he or she has been guilty of acts contrary to the purposes and principles of the United Nations as set out in the Preamble and Articles 1 and 2 of the Charter of the United Nations.

  3. Paragraph 2 applies to persons who incite or otherwise participate in the commission of the crimes or acts mentioned therein.

It can be seen that the EU rules differ from the UN rules to the extent that: they add some wording on the timing and nature of ‘serious non-political crimes’; they clarify the reference to acts contrary to UN ‘purposes and principles’; and they apply the exclusion to those who ‘incite or otherwise participate’ in all three categories of acts leading to exclusion.

Despite this attempt at clarification, there will always be issues of interpreting these rules. The EU Court has ruled on them once before, in its judgment in B and D, when it stated, first of all, that the second and third exclusion clauses can apply to terrorist offences. However, exclusion must be assessed in each individual case, meaning that membership of a group listed as ‘terrorist’ in EU foreign policy sanctions against terrorists does not automatically trigger the exclusion clause, although it is a ‘factor’ to consider. Participating in a terrorist group, as defined by EU criminal law on terrorism, does not automatically trigger the exclusion clause either. Instead, there must be direct involvement by the person concerned in such offences, as further explained by the Court. Furthermore, there is no additional ‘proportionality’ or ‘present danger’ test for exclusion. Finally, the exclusion clause is mandatory: i.e. Member States cannot assert a right to apply higher standards and give someone refugee status if they fall within the exclusion criteria.

The judgment

What does today’s judgment add? The person concerned was convicted of participating in a terrorist group, but not of carrying out any terrorist acts as such. So is such a conviction sufficient to trigger the exclusion clause?

The EU court ruled that it was. First of all, the preamble to the EU Directive referred to UN Resolutions on ‘financing, planning and inciting’ terrorism; so the third exclusion clause goes beyond terrorist acts as such. Secondly, the EU legislature had not intended to match the exclusion clause in asylum law with the narrower definition of terrorism in (current) EU criminal law legislation.

Next, the EU court ruled that following a later UN Security Council Resolution, assisting with recruitment, organisation or transport of ‘foreign fighters’ could also fall within the scope of the exclusion clause. So could ‘participation’ in such activities, pursuant to Article 12(3) of the EU Directive. It was relevant that the group in question was listed as terrorist by the UN Security Council, and particularly relevant that the person concerned had been convicted of terrorist offences in Belgium.

Comments

The Court’s judgment asserts a broad scope of the exclusion clause, meaning that a degree of support for ‘foreign fighters’ will also result in exclusion from refugee status. In doing so, it answers the claims of those who believe that many refugees are ‘jihadists’. Simply put, anyone who has been directly involved in terrorist acts (B and D) or in facilitating the activities of ‘foreign fighters’ (today’s judgment) is not entitled to refugee status. Although the judgment does not mention it, this aligns the interpretation of the exclusion clause to some extent with recent developments in criminal law, namely the 2015 Protocol to the Council of Europe Convention on the prevention of terrorism, and the agreed revision of the EU’s anti-terrorism laws.

But the judgment cannot help leaving some difficult questions open. What if the asylum-seeker has not been convicted of terrorist offences anywhere, but there are allegations of such action? Since a conviction is particularly relevant to applying the exclusion clause, would a lack of such conviction conversely be particularly relevant in determining that the clause should not apply? Would that assessment be different if the person had been acquitted, or if an investigation or trial was pending? If the criminal law process was pending, should the asylum determination process be put on hold? What if the authorities had claimed to have information supplied from the security services, and were reluctant to bring criminal proceedings in order to preserve their sources and intelligence capability?

What if there is a criminal conviction for terrorism from another country – particularly in the asylum-seeker’s country of origin, which might define criticism of the government as ‘terrorism’? Similarly what about ‘provocation’ to terrorism, which might include ‘glorification’ of terrorist acts, according to the revised EU criminal law? Here the question is to what extent freedom of expression, not directly connected to violent acts, might justify a refusal of refugee status. Recent acts remind us that as far as criminal law is concerned, terrorist acts – and the climate of hatred that surrounds them – are not confined to Islamist extremists, but stem also from those who fanatically hate minority groups.

TELE2 SVERIGE AB AND WATSON ET AL: CONTINUITY AND …RADICAL CHANGE

ORIGINAL PUBLISHED ON EUROPEAN LAW BLOG (JANUARY 12, 2017)
By Orla Lynskey

 

Introduction

The CJEU delivered its judgment in Tele2 Sverige AB and Watson on 21 December 2016. The Court had been asked by a Swedish and British court respectively to consider the scope and effect of its previous judgment in Digital Rights Ireland. The judgment reflects continuity in so far as it follows in the line of this and earlier judgments, taking a strong stance on data protection and privacy. Yet, the degree of protection it offers these rights over competing interests, notably security, is radical. In particular, the Court unequivocally states that legislation providing for general and indiscriminate data retention is incompatible with the E-Privacy Directive, as read in light of the relevant EU Charter rights. While the judgment was delivered in the context of the E-Privacy Directive, the Court’s reasoning could equally apply to other EU secondary legislation or programmes interpreted in light of the Charter. This judgment will be a game-changer for state surveillance in Europe and while it offered an early Christmas gift to privacy campaigners, it is likely to receive a very mixed reaction from EU Member States as such. While national data retention legislation has been annulled across multiple Member States (Bulgaria, Czech Republic, Cyprus, Germany and Romania), this annulment has been based on an assessment of the proportionality of the relevant measures rather than on a finding that blanket retention is per se unlawful. For those familiar with the facts and findings, skip straight to the comment below.

Facts

The preliminary ruling stems from two Article 267 TFEU references regarding the interpretation of the Court’s judgment in Digital Rights Ireland (henceforth DRI). The first, Tele2 Sverige AB, was a Swedish reference resulting from the refusal by Tele2 Sverige (a Swedish electronic communications provider) to continue to retain electronic communications data following the finding in DRI that the Data Retention Directive was invalid. A dispute regarding the interpretation of DRI ensued and the Swedish Justice Minister commissioned a report to assess the compatibility of Swedish law with EU law and the ECHR. This report concluded that DRI could not be interpreted as prohibiting general and indiscriminate data retention as a matter of principle, or as establishing criteria – all of which must be fulfilled – in order for legislation to be deemed proportionate. Rather, it held that it was necessary to conduct an assessment of all the circumstances in order to determine the compatibility of Swedish legislation with EU law. Tele2 Sverige maintained that the report was based on a misinterpretation of DRI. Given these differing perspectives, the referring court asked the Court to give ‘an unequivocal ruling on whether…the general and indiscriminate retention of electronic communications data is per se incompatible with Articles 7 and 8 and 52(1) of the Charter’ [50].

The second preliminary reference (Watson) arose before the Court of Appeal in the context of applications for judicial review of the UK’s Data Retention and Investigatory Powers Act (DRIPA) on the grounds that this Act was incompatible with the EU Charter and the ECHR. It was disputed before the national court whether DRI laid down ‘mandatory requirements of EU law’ that national legislation for communications data retention and access must respect. The domestic referring court suggested that it was appropriate to distinguish between legislation governing retention, and legislation governing access. DRI was confined to an assessment of the former as it assessed the validity of the Data Retention Directive, which excluded provisions relating to data access. The latter, provisions on data access, must be subject to a distinct validity assessment in light of their differing context and objectives, according to the referring court. The Court of Appeal did not however deem the answer to this question obvious, given that six courts in other EU Member States had declared national legislation to be invalid on the basis of DRI. It therefore asked the Court to consider whether, firstly, DRI lays down mandatory requirements of EU law that would apply to the regime governing access to retained data at national level. It also asked whether DRI expands the scope of the Charter rights to data protection and privacy beyond the scope of Article 8 ECHR. The Watson reference was dealt with pursuant to the expedited procedure provided for in Article 105(1) of the Court’s Rules of Procedure and joined to the Tele2 Sverige reference for oral arguments and judgment.

Findings of the Court

The Scope of the E-Privacy Directive

The Court examined, as a preliminary point, whether national legislation on retention and access to data fell within the scope of the E-Privacy Directive. Article 15(1) of that Directive provides for restrictions to certain rights it provides for when necessary for purposes such as national security and the prevention, investigation, detection and prosecution of criminal offences. Article 15(1) also allows for the adoption of data retention legislation by Member States. However, Article 1(3) of that Directive states that the Directive will not apply to, amongst others, ‘activities concerning public security, defence, State security (…) and the activities of the State in areas of criminal law’. There is thus an apparent internal inconsistency within the Directive.

To guide its findings, the Court had regard to the general structure of the Directive. While the Court acknowledged that the objectives pursued by Articles 1(3) and 15(1) overlap substantially, it held that Article 15(1) of the Directive would be deprived of any purpose if the legislative measures it permits were excluded from the scope of the Directive on the basis of Article 1(3) [73]. Indeed, it held that Article 15(1) ‘necessarily presupposes’ that the national measures referred to therein fall within the scope of that directive ‘since it expressly authorizes the Member States to adopt them only if the conditions laid down in the directive are met’ [73]. In order to support this finding, the Court suggests that the legislative measures provided for in Article 15(1) apply to providers of electronic communications services [74] and extend to measures requiring data retention [75] and access to retained data by national authorities [76]. It justifies this final claim – that the E-Privacy Directive includes data access legislation – on the (weak) grounds that recital 21 of the directive stipulates that the directive’s aim is to protect confidentiality by preventing unauthorised access to communications, including ‘any data related to such communications’ [77]. The Court emphasises that provisions on data access must fall within the scope of the Directive as data is only retained for the purpose of access to it by competent national authorities and thus national data retention legislation ‘necessarily entails, in principle, the existence of provisions relating to access by the competent national authorities to the data retained’ [79]. The Court also noted that the Directive requires providers to establish internal procedures for responding to requests for access based on the relevant provisions of national law [80].

The compatibility of ‘general and indiscriminate’ data retention with EU law

The Court then moved on to consider the most important substantive point in the judgment: the compatibility of ‘general and indiscriminate’ data retention with the relevant provisions of EU law. It began by recalling that the E-Privacy Directive’s overarching aim is to offer users of electronic communications services protection against the risks to fundamental rights brought about by technological advances [83]. It emphasised, in particular, the general principle of confidentiality of communications in Article 5(1) of the Directive and the related safeguards for traffic data and location data (in Articles 6 and 9 respectively) [85-87]. While the Court acknowledged that Article 15(1) of the Directive allows for exceptions to these principles by restricting their scope, it held that this provision must be interpreted strictly. It clearly stated that Article 15(1) cannot permit the exception to the Directive’s confidentiality obligation to become the rule, as this would render the confidentiality obligation meaningless [89].

The Court also emphasised that according to Article 15(1)’s wording it must be interpreted in light of general principles of EU law, thus including the fundamental rights in the EU Charter [91]. The Court noted, with reference to its previous case-law, the importance of the fundamental rights engaged in the current context, namely the right to privacy (Article 7), the right to data protection (Article 8) and the right to freedom of expression (Article 11) ([92]-[93]). The limitations on the exercise of these Charter rights are echoed in the E-Privacy Directive, recital 11 of which states that measures derogating from its principles must be ‘strictly’ proportionate to the intended purpose, while Article 15(1) itself specifies that data retention should be ‘justified’ by reference to one of the objectives stated in Article 15(1) and be for a ‘limited period’ [95]. In considering whether national legislation complies with these requirements of strict necessity, the Court observed that ‘the legislation provides for a general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’ and that the retention obligation on providers is ‘to retain the data systematically and continuously, with no exceptions’ [97].

Having established the scope of the retention obligation, the Court emphasised the revealing nature of this data and recalled its finding in DRI that the data ‘taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained’ [98]. The Court also stated that the data provides the means of profiling the individual concerned and – importantly – that the information is ‘no less sensitive having regard to the right to privacy, than the actual content of the communications’ [99]. The Court held that general and indiscriminate data retention legislation entailed a particularly serious interference with the rights to privacy and data protection and that the user concerned is, as a result, likely to feel that their private lives are the subject of constant surveillance [100]. It could also, according to the Court, affect the use of means of electronic communication and thus the exercise by users of their freedom of expression [101]. The Court therefore held that only the objective of fighting serious crime could justify national data retention legislation [102].

While the Court acknowledged that the fight against serious crime may depend on modern investigative techniques for its effectiveness, this objective cannot in itself justify the finding that general and indiscriminate data retention legislation is necessary for this fight against crime [103]. It noted in particular that such legislation applies to persons for whom ‘there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious criminal offences’ and that no exception is made for those whose communications are subject to professional secrecy [106]. As a result of these failings, the Court held that the national legislation exceeds the limits of what is strictly necessary and cannot be considered justified under Article 15(1), read in light of the Charter [107].

The Court did not, however, go so far as to deem all data retention unlawful. It highlighted that Article 15(1) does not prevent a Member State from introducing legislation that would facilitate targeted retention of traffic and location data for the preventive purpose of fighting serious crime. Such legislation must however be limited to what is strictly necessary in terms of the categories of data retained, the means of communication affected, the persons and the period of time concerned [108]. In particular, such legislation should indicate ‘in what circumstances and under which conditions’ a data retention measure could be adopted as a preventive measure [109]. The Court also emphasised that while the precise contours may vary, data retention should meet objective criteria that establish a connection between the data to be retained and the objective pursued [110]. The national legislation must therefore be evidence-based: this objective evidence should make it possible to ‘identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences’ [111].

Mandatory Requirements of DRI?

Having established the incompatibility of generalised data retention legislation with EU law, the Court then went on to consider whether EU law precludes national data retention and access legislation if that legislation:

  • does not restrict access solely to the objective of fighting serious crime;
  • does not require access to be subject to prior review by a court or independent body; and
  • does not require that the data should be retained within the EU [114].

The Court reiterated an earlier finding that access to retained data must be for one of the exhaustive objectives identified in Article 15(1) of the E-Privacy Directive, and that only the objective of fighting serious crime would justify access to retained data [115]. Such legislation must also set out clear and precise rules indicating when and how competent national authorities should be granted access to such data [117]. The Court also held that national legislation must set out the substantive and procedural conditions governing access based on objective criteria [118-119]. Such access can, ‘as a general rule’, be granted only ‘to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime’ [119]. Access to the data of others might exceptionally be granted where, for instance, vital national interests are threatened by terrorist activities, if there is objective evidence to reflect the effective contribution access to such data could make [119]. As a result, access to retained data should, with the exception of cases of validly established urgency, be subject to a prior review by a court or an independent administrative authority at the request of the competent national authorities [120]. These competent national authorities must also notify the persons affected by the data access, under the applicable national procedures, as soon as such notification no longer jeopardises the investigations. The Court highlighted that such notice is necessary to enable these individuals to exercise their right to a legal remedy pursuant to the Directive and EU data protection law [121].

On the issue of data security, the Court held that Article 15(1) does not allow Member States to derogate from the Directive’s data security provisions, which require providers to take appropriate technical and organisational measures to ensure the effective protection of retained data. The Court held that a particularly high level of data security was appropriate given the quantity and nature of the data retained and the riskiness of this operation. It therefore held that the national legislation must provide for the data to be retained within the EU, and for the irreversible destruction of the data at the end of the data retention period [122]. Member States must also ensure that an independent authority reviews compliance with EU law, as such independent control of data protection compliance is an essential element of the right to data protection set out in Article 8(3) Charter. The Court emphasised the link between such independent supervision and the availability of a legal remedy for data subjects [123]. The Court therefore concluded that national legislation that did not comply with these conditions would be precluded pursuant to Article 15(1) as read in light of the Charter [125]. However, it was for the relevant national courts to examine whether such conditions were satisfied in the present case [124].

Finally, in relation to the UK Court of Appeal’s query regarding the relationship between the EU Charter rights to data protection and privacy and Article 8 ECHR, the Court held that the answer to this question would not affect the interpretation of the E-Privacy Directive and thus did not matter in these proceedings [131]. It recalled its settled case-law that the preliminary reference procedure serves the purpose of effectively resolving EU law disputes rather than providing advisory opinions or answering hypothetical questions [130]. This did not however prevent it from offering a sneak preview of its thinking on this matter. It emphasised that, as the EU has not acceded to the ECHR, the ECHR does not constitute a formally incorporated element of EU law. It did however note that Article 52(3) seeks to ensure consistency between the Charter and the ECHR without adversely affecting the autonomy of EU law. EU law is not therefore precluded from providing more extensive protection than the ECHR. The Court added that Article 8 of the Charter concerns a fundamental right which is distinct from that enshrined in Article 7 and which has no equivalent in the ECHR. Therefore, while the Court did not answer the question of which offered a wider scope of protection, it did confirm the distinctiveness of these two rights.

Comment

The Tele2 judgment represents a rupture with the past in one very significant way: the Court, for the first time, unequivocally states that blanket data retention measures are incompatible with EU law, read in light of the Charter. This radical finding is likely to receive a mixed reaction. For instance, in the UK some will lament that this judgment comes too late to have influenced the passage into law of the UK’s new data retention legislation, the Investigatory Powers Act, 2016. This legislation – which allows for bulk interception and hacking, amongst other things – should now be found to be incompatible with EU law, with all of the post-Brexit implications for ‘adequacy’ this may entail (also here). Others, such as the UK’s Independent Reviewer of Terrorism Legislation – David Anderson QC – have expressed regret. Anderson QC suggests that:

‘Precisely because suspects are often not known in advance, data retention which is not universal in its scope is bound to be less effective as a crime reduction measure.  In addition, a person whose data has not been retained cannot be exonerated by use of that data (e.g. by using location data to show that the person was elsewhere).’

The Advocate General (here; and commentary here) had similarly noted that data retention could help competent authorities ‘examine the past’ [AG, 178]. He had refused to declare general retention measures per se unlawful, preferring instead to assess the compatibility of data retention legislation against strict proportionality requirements [AG, 116]. His approach could therefore be said to be more nuanced and systematic than that of the Court. While examining proportionality stricto sensu he concluded that it would be for national courts to weigh the benefit of ‘examining the past’ with the potential it would provide for authorities to abuse this power by using metadata to catalogue entire populations, noting that evidence of abuses had been put before the Court [AG, 259-260]. This evidence before the Court might help to refute the critique that the Court should have focused on the actual harm of communications metadata retention ‘and sought to avoid assertions based on theory or informal predictions of popular feeling’.

Blanket retention was not the only important point on which the Court and the Advocate General departed. The Advocate General explicitly claimed that DRI set out mandatory requirements [AG, 221] while the Court did not. The Advocate General was also more stringent than the Court by requiring that data is retained in the relevant Member State [AG, 241] while the Court opted for the marginally more realistic requirement that data is retained in the EU. The Advocate General did not, however, consider Article 15(1) a derogation to the E-Privacy Directive (and therefore not a provision that required strict interpretation). The Court did not however engage with his elaborate reasoning on this point [AG, 106-115]. The Court did however confirm that competent national authorities must notify persons affected by data access as soon as such notification no longer jeopardises the investigation [121]. This significant procedural right is likely to play an important role in acting as a check on abusive access requests.

Perhaps the only fly in the ointment for the digital rights groups that intervened before the Court is the Court’s seemingly uncritical endorsement of geographic and group profiling. It does this when it emphasises that there should be a relationship between the data retained and the threat, for instance when the data pertains to a ‘geographic area’ [108]. The ethical and social issues such profiling may entail would require further consideration. The Court appears to recognise this by suggesting that such profiling would need to be strictly evidence-based ([111]). Should generalised retention measures be replaced by ad hoc location-based retention measures, the legality of the latter would itself be the subject of much controversy.

New ECJ ruling on data retention: Preservation of civil rights even in difficult times!

Originally published here on 22 December 2016

by

Translation – German version see here.

The European Court of Justice has given a Christmas present to more than 500 million EU citizens. With its new judgment on data retention (C-203/15 of 21 December 2016), the highest court of the European Union stresses the importance of fundamental rights. All Member States are required to respect the rights set out in the European Charter of Fundamental Rights in their national legislation. The ECJ has sent an important signal whose significance can hardly be overstated, given the current political discussions on internal and external threats and the strengthening of authoritarian political currents that offer the public simplistic answers to difficult questions.

The ECJ remains true to itself

The ruling of the European Court of Justice is in line with its judgment of 8 April 2014, by which the Court annulled Directive 2006/24/EC on the retention of data. The general obligation to retain traffic and location data required by this Directive was not limited to the absolutely necessary and was thus disproportionate to the fundamental rights of respect for private life and the protection of personal data (Articles 7 and 8 of the European Charter of Fundamental Rights).

Despite the annulment of the Data Retention Directive by the ECJ, several Member States have continued or even broadened their practice of data retention. The latter took place in Great Britain, where shortly after the ECJ ruling – in July 2014 – a new legal basis for data retention was passed, which even went beyond the abolished EC directive. With the so-called “Investigatory Powers Act”, the British Parliament intends to extend in the short term the already extensive current obligations to store data and the surveillance powers of the security authorities, so that they include web services, in particular transactions on social networks. On November 29, 2016, the upper and lower house agreed on a corresponding legal text, which is to enter into force soon after its formal approval by the Queen. In other Member States, too, there are legal requirements of varying scope which oblige providers of telecommunications and internet services to retain traffic and location data whose retention is not necessary for the provision or the billing of the respective service.

European Charter of Fundamental Rights binding for national legislature

A Swedish and a British court had asked the ECJ to clarify whether the respective national regulations on the retention of data corresponded to the European legal requirements.

In its new ruling the ECJ answered this question by stating that national regulations which provide for a general and indiscriminate storage of data are not in line with EU law. A national regulation providing for the storage of traffic and location data is to be regarded as a serious interference with fundamental rights. Member States must not maintain or re-adopt rules which are based on, or even go beyond, an EU act which has been annulled on grounds of its fundamental illegality.

The provisions of EU law bind the national legislature. The EU Directive 2002/58/EC on data protection in electronic communications (the ePrivacy Directive) has to be interpreted in the light of the Charter of Fundamental Rights. Exceptions to the protection of personal data should be limited to the absolutely necessary. This applies not only to the rules on data retention, but also to the access of authorities to the stored data. A national provision providing for general and indiscriminate data retention which does not require a link between the data to be stored and a threat to public security, and in particular does not limit the data to a period and/or a geographical area and/or a group of persons who could be involved in a serious criminal act, goes beyond the limits of the absolutely necessary and cannot be regarded as justified in a democratic society. Laws of Member States that do not meet these requirements must be abolished or amended accordingly.

With regard to the contested British and Swedish laws, the competent national courts which had referred the questions to the ECJ are now required to enforce the ECJ ruling in substance. However, the parliaments and governments of the Member States are also responsible for reviewing and, where appropriate, correcting the relevant provisions of national law.

What happens to German data retention?

The implications of the ECJ ruling for the recently reintroduced German data retention must also be urgently examined. The retention obligations of the new German Data Retention Act are less extensive than those of the predecessor regulation, which was repealed by the Federal Constitutional Court in 2010. However, it is highly doubtful whether the requirements of the ECJ are fulfilled by the new data retention act, since it obliges the telecommunications providers to store the data without any material restriction to a specific area or a particular risk situation.

That the Federal Government or the parliamentary groups backing it will now carry out this examination in an objective manner appears highly unlikely in the light of the additional powers which they have recently decided to hand over to the security authorities. In the end, the Federal Constitutional Court will probably have to provide clarity again.

Peter Schaar (21 December 2016)

‘I Travel, therefore I Am a Suspect’: an overview of the EU PNR Directive

ORIGINAL PUBLISHED ON  EU Immigration and Asylum Law and Policy BLOG

By Niovi Vavoula, Queen Mary University of London

According to the PNR (Passenger Name Record) Directive 2016/681 of 27 April 2016, a series of everyday data of all air passengers (third-country nationals but also EU citizens, including those on intra-Schengen flights) will soon be transferred to specialised units to be analysed in order to identify persons of interest in relation to terrorist offences and other serious crimes. This new instrument raises once again fundamental rights challenges posed by its future operation, particularly in relation to privacy and citizenship rights. Therefore, the story of the PNR Directive, as described below, is probably not finished as such concerns open up the possibility of a future involvement of the Court of Justice.

1. The story behind the EU PNR System

In the aftermath of 9/11 and under the direct influence of how the terrorist attacks took place, the US legislature established inextricable links between the movement of passengers, ‘border security’ and the effective fight against international terrorism. Strong emphasis was placed on prevention through pre-screening of passengers, cross-checking against national databases and identification of suspicious behaviours through dubious profiling techniques. At the heart of this pre-emptive logic has been the adoption of legislation obliging airlines flying into the US to provide their domestic authorities with a wide range of everyday data on their passengers. These so-called PNR data constitute records of each passenger’s travel arrangements and contain the information necessary for air carriers to manage flight reservations and check-in systems. Under this umbrella definition, a broad array of data may be included: from information on name, passport, means of payment, travel arrangements and contact details to dietary requirements and requests for special assistance. Amidst concerns regarding the compliance of such mechanisms with EU privacy and data protection standards, this model was internalized at EU level through the conclusion of three PNR Agreements with the US – one in 2004, which was struck down by the CJEU in 2006, and others in 2007 and 2012. In addition, PNR Agreements with Canada (currently awaiting litigation before the CJEU) and Australia have also been adopted.

The idea of developing a similar system to process EU air travel data had been on the agenda for almost a decade, particularly since the EU-US PNR Agreements contain reciprocity clauses referring to the possibility of the EU developing such systems. The first proposal for a Framework Decision dates back to 2007. However, no agreement was reached until the entry into force of the Lisbon Treaty. A revised proposal was released in 2011, essentially mimicking the EU-US PNR model, at least as regards the types of data to be processed and the focus on assessing the risks attached to passengers as a means of preventing terrorist attacks or other serious crimes. In comparison to the proposed Framework Decision it constituted an improvement (for instance, it provided for a reduced retention period and prohibited the processing of sensitive data), yet it was met with great scepticism by a number of EU actors, including the European Data Protection Supervisor, the Fundamental Rights Agency and the Article 29 Working Party who argued that it failed to respect the principles of necessity and proportionality. Eventually, the proposal was rejected by the European Parliament on fundamental rights grounds, but the voting was postponed and the proposal was transferred back to the LIBE Committee.

The EU PNR project was brought back to life after the Charlie Hebdo events in January 2015. In the extraordinary JHA Council meeting of 20 November, immediately after the Paris terrorist attacks, the Council reiterated ‘the urgency and priority to finalise an ambitious EU PNR before the end of 2015’. Indeed, on 4 December 2015 a compromise text was agreed. A few days later, the Council confirmed the agreement, but the Parliament did not give its blessing until April 2016, presumably in the light of the negotiations on the Data Protection legislative reforms, which were running in parallel. The fact that the legality of the EU-Canada PNR Agreement was disputed did not affect the course of the negotiations.

2. The EU PNR Directive in a nutshell

The EU PNR Directive places a duty on airline carriers operating international flights between the EU and third countries to forward PNR data of all passengers (as set out in Annex 1) to the Passenger Information Unit (PIU) established at domestic level for this purpose (Article 4). According to Article 2 of the Directive, Member States are given the discretion to extend the regime set out in the Directive to intra-EU flights, or to a selection of them (for a discussion see Council Documents 8016/11 and 9103/11, partly accessible). Perhaps unsurprisingly, all participating Member States have declared their intention to make use of their discretion.

Once transmitted, the data will be stored and analysed by the PIU. The purpose of this is to ‘identify persons who were previously unsuspected of involvement in terrorism or serious crime’ and require further examination by the competent authorities in relation to the offences listed in Annex II of the Directive. Contrary to the Commission’s assertions that PNR data will be used in different ways – reactively, pro-actively and in real-time – the focus on prevention is central. The analysis entails a risk assessment of all passengers prior to their travel on the basis of predetermined criteria to be decided by the respective PIU and possibly involving cross-checking with existing blacklists (Article 6(3)).

Furthermore, the PIUs will respond to requests by national authorities to access the data on a case-by-case basis and subject to sufficient indication (Article 6(2)(b)). Nevertheless, processing should not take place on the basis of sensitive data revealing race, ethnic origin, religion or belief, political or any other opinion, trade union membership, health or sexual orientation etc. (Recital 20). According to Article 12, the initial retention period is six months, after which PNR data will be depersonalised, meaning that the PIU is entrusted with the task of masking out the names, address and contact information, payment information, frequent flyer information, general remarks and all API data. This process should not be confused with anonymisation, as the data could be re-identifiable and may still be used for criminal law purposes under ‘very strict and limited conditions’ (Recital 25). Therefore, upon expiry of the six-month retention period, disclosure of the full PNR data is permitted if so approved by a judicial authority or another national authority competent to review whether the conditions have been met and subject to information and ex post review by the Data Protection Officer of the PIU (Articles 12(3) and 5).

3. Privacy and surveillance of movement

The challenges that the development of the EU PNR system poses to the protection of privacy and data protection rights are acute. In essence, as with the PNR Agreements, the Directive allows the systematic, blanket and indiscriminate transfer, storage and further processing of a wide range of personal data of millions of travellers from and to the EU. Drawing from Digital Rights Ireland and the recent opinion of AG Mengozzi on the EU-Canada PNR Agreement, the interference with the rights to privacy (Article 7 EUCFR and 8 ECHR) and data protection (Article 8 EUCFR) is particularly serious. On the basis of the data collected, which include biographic information, credit card details and contact information, law enforcement authorities shall be able to compile a rather complete profile of travellers’ private lives.

The involvement of the private sector in the fight against terrorism and serious crime is considerably extended, particularly if one takes into account that the obligations on air carriers are extended to non-carrier economic operators (e.g. travel agencies). In addition, the inclusion of intra-EU flights within the scope of the Directive significantly expands the reach of surveillance. Indeed, back in 2011, it was noted that intra-EU flights represent the majority of EU flights (42%) followed by international flights (36%), and only 22% of flights operate within a single Member State (Council Document 8016/11). In this framework, the movement of the vast majority of travellers, including EU citizens, is placed under constant monitoring, irrespective of the fact that they are a priori innocent and not suspected of any criminal offence. In fact, the operation of the PNR scheme signifies the reversal of the presumption of innocence, whereby everyone is deemed as a potential security risk, thus necessitating their examination in order to confirm or rebut this presumption. Besides, there is no differentiation between flights transporting persons at risk and others.

Furthermore, the risk assessment will take place in a highly obscure manner, particularly since the Directive fails to prescribe comprehensively and in detail how the data will be analysed. The underlying rationale is the profiling of all passengers and the identifying of behavioural patterns in a probabilistic logic, but nowhere in the Directive is it indicated that this is indeed the case. This lack of clarity raises concerns considering that the recently adopted Data Protection Directive includes a definition of profiling (Article 3(4)). Moreover, it is stated that ‘relevant databases’ may be consulted; however, it is not clear which these are. For instance, a possible examination on a routine basis of the databases storing asylum seekers’ fingerprints or visa applicants’ data (Eurodac and VIS respectively) will frustrate their legal framework, resulting in a domino effect of multiple function creeps. It may even whet the appetite of Member States for the systematic processing of EU nationals’ personal data in centralised databases in the name of a more ‘efficient’ fight against terrorism.

This ambiguous modus operandi of PIUs may even call into question the extent to which the interference with privacy is ‘in accordance with law’ (Article 8(2) ECHR) or in EU terms ‘provided for by law’ (Article 52(1) EU Charter). According to settled case law of the ECtHR, every piece of legislation should meet the requirements of accessibility and foreseeability as to its effects (Rotaru v Romania). The lack of clear rules as to how the processing of data will take place may suggest that travellers cannot foresee the full extent of the legislation.

Another contested issue is the ambiguous definitions of terrorism and serious crimes at EU level. The offences falling under the remit of terrorism are currently being revised, which has led to criticism for lack of clarity, whereas the definition of serious offences (acts punishable by a custodial sentence or detention order of a maximum period of three years or longer) constitutes a relatively low threshold, particularly in those Member States where domestic criminal law allows for potentially long custodial sentences for minor crimes. In addition, as regards the conditions of access by national competent authorities, the requirement that the request must be based on ‘sufficient indication’ seems to fall short of the criteria established in Digital Rights Ireland. The threshold is particularly low and may lead to generalised consultation by law enforcement authorities, whereas it is uncertain who will check that there is indeed sufficient indication. As for the offences covered by the scope of the Directive, although Annex II sets out a list in this regard, PNR data could still be used for other offences, including minor ones, when these are detected in the course of enforcement action further to the initial processing.

Moreover, in relation to the period for which the data will be retained, it appears that the EU institutions by no means have a clear understanding of what constitutes a proportionate retention period. For instance, the 2007 proposal envisaged an extensive retention period of five years, after which time the data would be depersonalised and kept for another eight years, whereas the 2011 proposal prescribed a significantly reduced initial retention period of 30 days, after which the data would be anonymised and kept for a further period of five years. In its General Approach (Council Document 14740/15), the Council called for an extension of the initial retention period to two years, followed by another three years of storage for depersonalised data. A more privacy-friendly approach can be found in an Opinion of the Council Legal Service dating from 2011, according to which the data of passengers in risky flights would be initially retained for 30 days and then be held for an overall period of six months (Council Document 8850/11, in German). Some Member States supported a retention period of less than 30 days (Council Document 11392/11). It is welcome that there are two sets of deadlines and, more importantly, that re-personalisation may take place only under limited circumstances. However, there is no indication of why the chosen retention periods are proportionate. Furthermore, an approach suggesting a differentiation between flights at risk or not at risk, with different retention periods, seems more balanced.

4. Free movement and citizenship concerns

In addition to the privacy challenges highlighted above, another point of concern is whether the processing of PNR data, including on intra-EU flights, could infringe free movement enjoyed by EU citizens. In this respect, the Commission Legal Service found that the EU PNR does not obstruct free movement (see Council Document 8230/11, which is partially available to the public, although the outcome of the opinion is attested in Council Document 8016/11). Nonetheless, the Parliament managed to include a reference that any assessments on the basis of PNR data shall not jeopardise the right of entry to the territory of the Member States concerned (in Article 4). The extent to which this reference is sufficient is doubtful.

According to Article 21 of the Schengen Borders Code, police controls performed in the territory of a Member State are allowed insofar as they do not have the equivalent effect of border control. Such an effect is precluded when, inter alia, the checks are carried out on the basis of spot-checks. In Melki, the CJEU found that ‘controls on board an international train or on a toll motorway’ limiting their application to the border region ‘might (…) constitute evidence of the existence of such an equivalent effect’ (para 72). By analogy, the focus on controls at the border area in the systematic manner set out in the Directive could have the equivalent effect of a border check. The lack of any differentiation between flights at risk or not at risk (an approach that was also favoured by the Council Legal Service, Council Document 8850/11) and the fact that Member States are left entirely free to determine the extent to which they monitor flights to and from other Member States could enhance the risk of falling into the category of controls with an equivalent effect to border control.

5. Conclusion

The EU PNR Directive is yet another example of how the counter-terrorism rhetoric outweighs serious fundamental rights concerns in the name of ensuring security. The storyline is well-known: after a terrorist attack, numerous ideas – either incorporated in legislative proposals that have stalled or which were ultimately too ambitious and controversial to be presented in the first place – feature on the EU agenda. The EU PNR initiative was buried due to privacy concerns and was brought back from the dead when the circumstances matured. Soon national law enforcement authorities will put their hand into the passengers’ data jar and will deploy their surveillance techniques on an unprecedented and unpredictable scale.

By internalising US standards, the EU puts the privacy of individuals under threat. The new instrument no longer targets third-country nationals only, but also EU citizens, thus marking the end of an era where instruments were used ‘solely’ on foreigners. Undoubtedly, there is a strong ‘momentum’ for justifying mass surveillance practices. In waiting for the ruling on the EU-Canada PNR Agreement, as well as the ruling on Tele2 Sverige (following up on Digital Rights Ireland), one can only hope that the CJEU will uphold its inspiring reasoning and reiterate the important limits placed on deploying surveillance practices, by giving proper weight to the fundamental right to the protection of personal data.

A British Commissioner for the security of the European Union: the right place, at the right time, for the right person?

PUBLISHED ALSO ON GDR  – English version will follow

 

La semaine dernière, la procédure de nomination de Sir Julian King en tant que nouveau commissaire en charge de la « sécurité de l’Union » a franchi l’obstacle de l’audition au Parlement européen. Par une large majorité de 394 membres pour contre 161 voix, le Parlement, qui est consulté en cas de démission d’un commissaire en vertu de l’article 246 TFUE, a donné son aval. Le 19 septembre 2016, le Conseil, en accord avec le président de la Commission, a donc nommé Sir Julian King, en remplacement de Jonathan Hill qui avait démissionné le 25 juin, ce pour la durée du mandat de la Commission restant à courir, c’est-à-dire jusqu’au 31 octobre 2019.

Auparavant, le 12 septembre, les trois heures d’audition du futur commissaire devant la Commission Libe ont été l’occasion de réfléchir à la nature et à la signification de ce choix pour le bon fonctionnement de l’Espace de liberté, sécurité et justice de l’Union européenne.

1. L’audition devant la Commission Libe

« A vaincre sans péril, on triomphe sans gloire », la citation du Cid vaut particulièrement en matière européenne. Il était facile de deviner que l’avis des coordinateurs politiques de la Commission Libe serait positif. Les échanges par écrit de questions/réponses diverses recoupaient en effet l’attitude largement positive des principaux groupes politiques du Parlement. Le détail de l’audition permet cependant de comprendre le climat dans lequel elle s’est déroulée (pour les documents de référence et la webstream de l’audience, voir ici et ici ).

L’habileté du candidat, d’abord, toute diplomatique, a été saluée par tous. Ambassadeur en poste à Paris, ayant travaillé à la représentation permanente britannique et dirigé un cabinet de commissaire, sa connaissance des dossiers de l’Union est évidente et incontestable. Il a donc eu beau jeu de séduire, en esquivant les questions délicates relatives au Brexit ou à l’accord PNR avec le Canada tout en assumant ses convictions pro-européennes : « j’ai plaidé résolument en faveur de la position du gouvernement britannique durant la campagne référendaire. J’ai toujours été fier d’être britannique et fier d’être européen, et je n’y vois aucune contradiction. Mais le 23 juin, une majorité de mes compatriotes ont décidé qu’ils voulaient quitter l’Union et nous devons respecter ce choix ».

Sur le fond et sans surprise ici non plus, dans sa déclaration d’ouverture à l’audition Sir Julian King a présenté huit points qui sont en fait un mantra récurrent des diverses communications de la Commission relatives à la sécurité intérieure, des positions du Conseil européen et des rapports du coordinateur de la lutte antiterroriste.

So, little that is new in the end, apart from an interesting reference to Article 4 of the Treaty on European Union, which was amended at the last minute to take account of a red line of the British government in the negotiation of the treaty. For Julian King, “in today’s world, security of one Member State is the security of all. Article 4 of the Treaty is clear: national security remains the sole responsibility of Member States. But they cannot address alone threats which are transnational”. Implicitly, Union intervention in security matters is thereby legitimised …

Pursuing this debate further would undoubtedly have been instructive, in order to pin down the real content of the future commissioner’s statement, and to discern his vision of “national security” and the conditions under which a threat can be considered “transnational”, possibly legitimising EU intervention. It is known in this respect that the counter-terrorism coordinator has often insisted on distinguishing what is “national” from what is “internal”, which are not synonymous. On the one hand, “internal security” could be an area of “shared competence” which, in the event of a transnational threat, can justify and even require Union intervention “in the areas of particularly serious crime with a cross-border dimension resulting from the nature or impact of such offences or from a special need to combat them on a common basis” referred to in Article 83 TFEU. On the other hand, “national security” has so far been a much more limited concept, centred on the protection of the State itself and serving as the justification for its intelligence services.

The LIBE Committee knows these concepts well, the United Kingdom not having hesitated to invoke “national security” (and not its “internal security”) to justify, in the 2000s, its participation in Echelon or, more recently, the NSA’s activity in the United Kingdom as denounced by Edward Snowden.

Beyond that, the candidate’s remarks hardly departed from the orientations set out in the Commission Communication on the implementation of the European Agenda on Security (COM (2016) 230) and therefore remain very conventional, a few remarks aside. One will note, however, regarding PNR, the openly critical opinion of the future commissioner, who pointed to the capacity of only 2 or 3 Member States to set up the PIUs (Passenger Information Unit) indispensable to the functioning of the system …

On this basis, stepping back from the procedural aspect of this appointment leads one to question its significance.

2.  The appointment of a British commissioner for the Union’s internal security

Two questions immediately come to mind: is there today a need to make such an appointment and, if so, and somewhat more mischievously, was the choice of a British national the most appropriate in the current context?

1.  The crowding of the institutional field of security

Internal security matters are already amply covered at institutional level in the Union, as Sir Julian King’s hearing readily demonstrates.

Within the Commission, first of all, since, despite the questionable current division of portfolios into two large areas, Justice / Home Affairs, which unfortunately lumps together migration and security issues, the President saw fit to devote a third to it, broadly defined and without its mission letter clarifying things much.

Today one can thus count in this field: First Vice-President Timmermans (in charge of coordinating European security policies with regard to fundamental rights), the High Representative and Vice-President of the Commission, Federica Mogherini (in charge of external security and defence), Commissioner Avramopoulos, holder of the “Home Affairs” portfolio (including in particular the fight against terrorism and police cooperation) and, last but not least, Commissioner Jourová, in charge of judicial cooperation in criminal matters, about which no one seems to care much today …

As if the traffic jam were not enough, one must add to this picture the preponderant place of the JHA Councils and, to a lesser extent, the Foreign Affairs Council, as well as, above all, the particular role reserved for the EU Counter-Terrorism Coordinator since the Madrid attacks. Without a doubt, the new commissioner’s mandate overlaps with the field of activity of this coordinator, who is attached to the other branch of the executive. To take an exact count of the crowding, one can gauge the schizophrenia of the system by recalling the role of impetus vested in the European Council and the claims of its current President to exercise this function of initiative.

In these conditions, it might have been wise to ask about the real added value of such a superposition of responsibilities. One could thus have imagined entrusting parliaments, European and national, with the task of assessing the value of a new institutional figure, on the basis of experience and of an analysis of the weaknesses of the EU’s counter-terrorism policy on the ground. While EUROPOL had recently ventured to support such an evaluation, no voice, on the other hand, has been raised in the Union or the Member States to call for it. Would the Union’s record in the fight against terrorism not justify it undertaking an exercise that the United States Congress launched immediately, in similar circumstances, after 11 September? Is it really pointless to want to draw lessons from the failures of the immediate past?

How the interventions of the various protagonists in internal security fit together therefore remains an open question. It could focus on the place that the Member States and the High Representative will or will not agree to give Sir Julian King in the train of the fight against crime: that of the locomotive or that of the rear carriage. In particular on the external front, where it is known that most of what is at stake for the Union’s internal security takes shape and plays out in practice. Reading the mission letter sent by the President of the Commission hardly helps to answer this, any more than the website, still exclusively in English, of the Commission’s Home Affairs portfolio: Sir King now appears there in a medallion alongside the current holder Dimitris Avramopoulos…

A major challenge nevertheless awaits the new commissioner for “the security of the Union”: managing the “agencification” of security policies, whose components intervene in various capacities, from Europol and Eurojust to Eurosur and the new-version Frontex. It is no secret that the growing success of these bodies rests in part on the fact that, thanks to them, the Member States have been able to build parallel administrative circuits, without excessive constraint or real control by the Committee on Internal Security (COSI) or by the European and national parliaments, not to mention their own ministers.

The absence of strong leadership from the Commission largely explains this, in the context of a “Lisbonisation” of these instruments that is still particularly behind schedule. It is also known that the classic argument of the “independence” of these agencies in reality masks the omnipresence of the Member States on their management boards. Hence a strong tendency in these JHA agencies to successfully develop the “policy-making” in which the Commission takes no interest, instead of keeping to a role, simpler but consistent with the treaties, of “policy implementation”, as is proper in a European Union governed by the rule of law and by democratic principles.

Be that as it may, all in all, it will not be easy for this new actor to find his way through the heart of this crowded landscape, even if recent history has unfortunately taught us that, in the event of a terrorist attack, the stage empties and no one rushes in front of the cameras or into parliamentary chambers any more to explain that nothing had been planned and why no one feels responsible for it…

2.  A British commissioner for security

Whatever is taught in law faculties about the independence of commissioners and the severing of their ties with their States of origin and with the socio-professional world, things are somewhat more complex than statements of principle. Current events are bitterly demonstrating this at the Commission today. The Brexit context therefore makes it legitimate to question the wisdom of entrusting this new portfolio to a British national, in particular because the time indispensable for establishing such a post will inevitably be lacking, in view of a future British departure.

The question in no way concerns, of course, the personal competences of the new office-holder, which are as manifest as his human qualities, as a reading of his hearing shows. Nor does the question arise of the legitimacy of the presence of a British commissioner within the Community executive until the effective withdrawal of the United Kingdom. Quite the contrary. It rests simply on an objective observation, belonging to administrative science and too striking to be explained solely by coincidence: the area of freedom, security and justice has a strong (the word is an understatement) tradition of presence and influence of senior British officials, however inexplicable that may be given the resolute opposition of their State of origin to the construction of this area. And, what is more, at key moments of that construction.

From Sir Fortescue at the end of the 1990s to Jonathan Faull at the beginning of the 2000s, from the directorship of Eurojust to that of Europol, the least one can say is that, for a State in a position of repeated opt-out, its influence has been omnipresent … One should no doubt see an unfortunate coincidence in the fact that, Europol aside, these were not the years in which dynamism and clarity characterised the Union’s action … In other words, the reluctance towards legislative action and integration schemes was not simply a matter of culture, giving priority to operational action so as to avoid commitment at European level. It also marked a barely concealed preference for intergovernmentalism and, ultimately, since States are incapable of deciding effectively, for immobility. One may be surprised that the Commission was contaminated by this virus.

Too visible to be innocent, this strategy will run up against a double obstacle in the coming months. A legal one first, with the obligation, at last, to assume the full entry into force of the treaty and of its Charter of Fundamental Rights, and the expiry in 2015 of a transitional period which, incidentally, saw the United Kingdom exercise an “opt-in/opt-out” prefiguring the current situation… A factual one next, as the wave of terrorism and the growing fear among the public make it impossible for this flat-encephalogram policy at the Commission to last.

The new commissioner’s challenge should therefore be to raise the Union’s ambition in this area. Two dossiers will make it possible to test his real determination.

That of evaluation, first, which is sorely lacking today: evaluation of what has not worked in counter-terrorism policy, not only at European level but at national level. Only after a serious analysis, which is totally absent from the counter-terrorism directive currently on the institutions’ table, will it be possible to make the legislative framework for judicial cooperation in criminal matters and police cooperation credible and to renew it. Including by venturing onto the terrain of calling failing Member States to account.

That of an emblematic proposal, next: the future European Public Prosecutor’s Office. Will the new commissioner be more forthcoming than his State of origin on this matter, for example by following the letter and spirit of Article 86 TFEU, that is, by pushing to extend the scope of this Office’s competences to transnational crime, to give Eurojust its true place and to accept that the role of Europe bears the consequences?

Wait and see …

Is the EU planning an army – and can the UK veto it?

 

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Steve Peers

Is the EU planning to create an army? If so, can and should the UK veto it – up until Brexit? The issue has been much debated in recent days. But this is the classic example of a debate that has created much heat but shed little light. The purpose of this post is to clear up misunderstandings. In short, the recently announced plans do not amount to an EU army – and so the UK is not able to veto the EU’s plans.

Background

Initially, the EU’s foreign policy had little to do with defence, in deference to Irish neutrality and the UK’s strong support for NATO. This has changed gradually over the years as the Cold War ended, US troops left Europe, and the parallel non-EU defence organisation (the Western European Union) was wound down.

Since the Treaty of Lisbon, the rules on EU defence policy are set out in Articles 42-46 of the Treaty on European Union (TEU). I have included the full text of these Articles in an Annex to this post. The starting point (Article 42(1)) is that the EU has an ‘operational capacity’ to use on non-EU missions ‘for peace-keeping, conflict prevention and strengthening international security’, consistently with the UN Charter, as explained further in Article 43. These actions shall use ‘capabilities provided by the Member States’, meaning that they each retain their own armed forces. There’s a reference to using ‘multinational forces’ too (Article 42(3)), but it’s clear that it’s optional both to set up such forces and to contribute them to support the EU defence policy.

However, there is also a long-term objective. Article 42(2) TEU says that the EU includes ‘the progressive framing of a common Union defence policy’, which ‘will lead to a common defence’. But this policy must ‘respect’ the obligations of those Member States who are parties to NATO, and be ‘compatible’ with NATO policy. Equally it ‘shall not prejudice the specific character’ of some Member States’ defence policy: this is an oblique reference to neutrality. (Six Member States are neutral).

Most importantly, it will only happen when the European Council (consisting of Member States’ presidents and prime ministers) ‘acting unanimously, so decides’.  That decision then needs to be ratified by Member States ‘in accordance with their respective constitutional requirements.’ For the UK, that would require a referendum, as set out in section 6(2) of the European Union Act 2011. It would need a referendum in Ireland too, since Article 29(4)(9) of the Irish Constitution rules out Irish participation in an EU common defence, and the Irish Constitution can only be amended by referendum.  Other Member States may also have stringent constitutional requirements to this end.

What happens in the meantime, before this rather mythical notion of a common defence is achieved? Article 42(3) says that Member States must ‘undertake progressively to improve their military capabilities’. A ‘European Defence Agency’ (see further Article 45) is set up to this end. It’s possible for a group of Member States to take on an EU-wide task (Article 42(5), as set out in more detail in Article 44). Member States have an obligation of ‘aid and assistance’ to each other, if one of them is ‘the victim of armed aggression’, in accordance with the UN Charter (Article 42(7)). Finally, certain Member States which meet higher standards as regards their ‘military capabilities’ and ‘which have made more binding commitments to one another in this area with a view to the most demanding missions shall establish permanent structured cooperation’ within the EU (Article 42(6), referring to Article 46).

New EU plans

What are the EU’s new military plans? Some newspapers and commentators have referred to plans for an ‘EU army’, which at first sight implies a ‘common defence’. In turn, the UK’s defence minister is quoted as saying he would veto these plans, as long as the UK is part of the EU.

As we saw above, any Member State can indeed veto an EU ‘common defence’. But still, it’s striking to hear a supporter of the Leave side acknowledge that the UK can veto an EU army, since many of them suggested during the referendum campaign that this scary prospect was unavoidable if the UK remained part of the EU. Having said that, there’s a misunderstanding here. According to the information available, the proposal is not to create an EU army, and therefore the UK can’t veto it.

In fact, the ‘State of the Union’ speech by Commission President Juncker proposed four things: a joint headquarters for EU military missions; common procurement to save on defence costs; a Defence Fund for the EU defence industry; and the development of ‘permanent structured cooperation’, as referred to briefly above (and see below). It did not propose merging armies to create a common army. Some press reports suggest that the recent EU summit discussed a ‘common military force’, but the ‘Declaration’ and ‘Road Map’ issued after the summit make no mention of such a thing.

So what exactly is ‘permanent structured cooperation’? It’s described in Article 46 TEU, as well as in a Protocol attached to the Treaties. Article 46 sets out the process: it’s set up by willing Member States only. Any unwilling Member States can simply choose not to take part. There’s no veto on setting it up, but that’s because participation is voluntary. Member States can join once it’s underway – and leave at any time, with no conditions attached. If more EU policies were this flexible, EU participation would be less controversial – although in a post-truth world some people would undoubtedly deny that those policies were flexible in the first place. (If the current EU plans go ahead, I expect to read somewhere that the soldiers are inspired by Hitler, and armed with Muslamic ray guns).

As for the substance of ‘permanent structured cooperation’, it’s explained fully in the Protocol (also reproduced in the Annex).  The criteria to join are development of defence capacities, and in particular supplying forces to support EU operations within a short period. Participating countries must aim to achieve approved levels of domestic spending, align their equipment and operability of their forces, fill capability gaps, and take part in joint procurement. That’s significant – but that’s it. It’s not an EU army.

Conclusions

Plans can always change. But the recent Commission plans, and the EU summit declaration, don’t amount to an EU army.  And if there’s no EU army, the UK can’t veto one.  It’s arguable whether a veto threat is a good negotiating strategy; but it’s indisputable that an empty threat is simply ridiculous.

A more rational approach to the issue would be to acknowledge (as a number of calmer voices on the Leave side have advocated) that the UK and the EU might well benefit mutually from continued defence and foreign policy cooperation after Brexit. In that light, the best way for the UK to spend its remaining time as an EU Member State as regards defence issues is to offer constructive criticism of the EU plans – and align that with sensible proposals for how post-Brexit EU/UK cooperation could go forward in this field.

Barnard & Peers: chapter 24

 

Annex – Treaty on European Union, defence clauses

Article 42

  1. The common security and defence policy shall be an integral part of the common foreign and security policy. It shall provide the Union with an operational capacity drawing on civilian and military assets. The Union may use them on missions outside the Union for peace-keeping, conflict prevention and strengthening international security in accordance with the principles of the United Nations Charter. The performance of these tasks shall be undertaken using capabilities provided by the Member States.
  2. The common security and defence policy shall include the progressive framing of a common Union defence policy. This will lead to a common defence, when the European Council, acting unanimously, so decides. It shall in that case recommend to the Member States the adoption of such a decision in accordance with their respective constitutional requirements.

The policy of the Union in accordance with this Section shall not prejudice the specific character of the security and defence policy of certain Member States and shall respect the obligations of certain Member States, which see their common defence realised in the North Atlantic Treaty Organisation (NATO), under the North Atlantic Treaty and be compatible with the common security and defence policy established within that framework.

  3. Member States shall make civilian and military capabilities available to the Union for the implementation of the common security and defence policy, to contribute to the objectives defined by the Council. Those Member States which together establish multinational forces may also make them available to the common security and defence policy.

Member States shall undertake progressively to improve their military capabilities. The Agency in the field of defence capabilities development, research, acquisition and armaments (hereinafter referred to as “the European Defence Agency”) shall identify operational requirements, shall promote measures to satisfy those requirements, shall contribute to identifying and, where appropriate, implementing any measure needed to strengthen the industrial and technological base of the defence sector, shall participate in defining a European capabilities and armaments policy, and shall assist the Council in evaluating the improvement of military capabilities.

  4. Decisions relating to the common security and defence policy, including those initiating a mission as referred to in this Article, shall be adopted by the Council acting unanimously on a proposal from the High Representative of the Union for Foreign Affairs and Security Policy or an initiative from a Member State. The High Representative may propose the use of both national resources and Union instruments, together with the Commission where appropriate.
  5. The Council may entrust the execution of a task, within the Union framework, to a group of Member States in order to protect the Union’s values and serve its interests. The execution of such a task shall be governed by Article 44.
  6. Those Member States whose military capabilities fulfil higher criteria and which have made more binding commitments to one another in this area with a view to the most demanding missions shall establish permanent structured cooperation within the Union framework. Such cooperation shall be governed by Article 46. It shall not affect the provisions of Article 43.
  7. If a Member State is the victim of armed aggression on its territory, the other Member States shall have towards it an obligation of aid and assistance by all the means in their power, in accordance with Article 51 of the United Nations Charter. This shall not prejudice the specific character of the security and defence policy of certain Member States.

Commitments and cooperation in this area shall be consistent with commitments under the North Atlantic Treaty Organisation, which, for those States which are members of it, remains the foundation of their collective defence and the forum for its implementation.

Article 43

  1. The tasks referred to in Article 42(1), in the course of which the Union may use civilian and military means, shall include joint disarmament operations, humanitarian and rescue tasks, military advice and assistance tasks, conflict prevention and peace-keeping tasks, tasks of combat forces in crisis management, including peace-making and post-conflict stabilisation. All these tasks may contribute to the fight against terrorism, including by supporting third countries in combating terrorism in their territories.
  2. The Council shall adopt decisions relating to the tasks referred to in paragraph 1, defining their objectives and scope and the general conditions for their implementation. The High Representative of the Union for Foreign Affairs and Security Policy, acting under the authority of the Council and in close and constant contact with the Political and Security Committee, shall ensure coordination of the civilian and military aspects of such tasks.

Article 44

  1. Within the framework of the decisions adopted in accordance with Article 43, the Council may entrust the implementation of a task to a group of Member States which are willing and have the necessary capability for such a task. Those Member States, in association with the High Representative of the Union for Foreign Affairs and Security Policy, shall agree among themselves on the management of the task.
  2. Member States participating in the task shall keep the Council regularly informed of its progress on their own initiative or at the request of another Member State. Those States shall inform the Council immediately should the completion of the task entail major consequences or require amendment of the objective, scope and conditions determined for the task in the decisions referred to in paragraph 1. In such cases, the Council shall adopt the necessary decisions.

Article 45

  1. The European Defence Agency referred to in Article 42(3), subject to the authority of the Council, shall have as its task to:

(a) contribute to identifying the Member States’ military capability objectives and evaluating observance of the capability commitments given by the Member States;
(b) promote harmonisation of operational needs and adoption of effective, compatible procurement methods;

(c) propose multilateral projects to fulfil the objectives in terms of military capabilities, ensure coordination of the programmes implemented by the Member States and management of specific cooperation programmes;
(d) support defence technology research, and coordinate and plan joint research activities and the study of technical solutions meeting future operational needs;
(e) contribute to identifying and, if necessary, implementing any useful measure for strengthening the industrial and technological base of the defence sector and for improving the effectiveness of military expenditure.

  2. The European Defence Agency shall be open to all Member States wishing to be part of it. The Council, acting by a qualified majority, shall adopt a decision defining the Agency’s statute, seat and operational rules. That decision should take account of the level of effective participation in the Agency’s activities. Specific groups shall be set up within the Agency bringing together Member States engaged in joint projects. The Agency shall carry out its tasks in liaison with the Commission where necessary.

Article 46

  1. Those Member States which wish to participate in the permanent structured cooperation referred to in Article 42(6), which fulfil the criteria and have made the commitments on military capabilities set out in the Protocol on permanent structured cooperation, shall notify their intention to the Council and to the High Representative of the Union for Foreign Affairs and Security Policy.

    2. Within three months following the notification referred to in paragraph 1 the Council shall adopt a decision establishing permanent structured cooperation and determining the list of participating Member States. The Council shall act by a qualified majority after consulting the High Representative.

    3. Any Member State which, at a later stage, wishes to participate in the permanent structured cooperation shall notify its intention to the Council and to the High Representative.

The Council shall adopt a decision confirming the participation of the Member State concerned which fulfils the criteria and makes the commitments referred to in Articles 1 and 2 of the Protocol on permanent structured cooperation. The Council shall act by a qualified majority after consulting the High Representative. Only members of the Council representing the participating Member States shall take part in the vote.
A qualified majority shall be defined in accordance with Article 238(3)(a) of the Treaty on the Functioning of the European Union.

  4. If a participating Member State no longer fulfils the criteria or is no longer able to meet the commitments referred to in Articles 1 and 2 of the Protocol on permanent structured cooperation, the Council may adopt a decision suspending the participation of the Member State concerned.

The Council shall act by a qualified majority. Only members of the Council representing the participating Member States, with the exception of the Member State in question, shall take part in the vote.
A qualified majority shall be defined in accordance with Article 238(3)(a) of the Treaty on the Functioning of the European Union.

  5. Any participating Member State which wishes to withdraw from permanent structured cooperation shall notify its intention to the Council, which shall take note that the Member State in question has ceased to participate.
  6. The decisions and recommendations of the Council within the framework of permanent structured cooperation, other than those provided for in paragraphs 2 to 5, shall be adopted by unanimity. For the purposes of this paragraph, unanimity shall be constituted by the votes of the representatives of the participating Member States only.

PROTOCOL
ON PERMANENT STRUCTURED COOPERATION

ESTABLISHED BY ARTICLE 42 OF THE TREATY ON EUROPEAN UNION

THE HIGH CONTRACTING PARTIES,
HAVING REGARD TO Article 42(6) and Article 46 of the Treaty on European Union,
RECALLING that the Union is pursuing a common foreign and security policy based on the achievement of growing convergence of action by Member States;
RECALLING that the common security and defence policy is an integral part of the common foreign and security policy; that it provides the Union with operational capacity drawing on civil and military assets; that the Union may use such assets in the tasks referred to in Article 43 of the Treaty on European Union outside the Union for peace-keeping, conflict prevention and strengthening international security in accordance with the principles of the United Nations Charter; that the performance of these tasks is to be undertaken using capabilities provided by the Member States in accordance with the principle of a single set of forces;
RECALLING that the common security and defence policy of the Union does not prejudice the specific character of the security and defence policy of certain Member States;
RECALLING that the common security and defence policy of the Union respects the obligations under the North Atlantic Treaty of those Member States which see their common defence realised in the North Atlantic Treaty Organisation, which remains the foundation of the collective defence of its members, and is compatible with the common security and defence policy established within that framework;

CONVINCED that a more assertive Union role in security and defence matters will contribute to the vitality of a renewed Atlantic Alliance, in accordance with the Berlin Plus arrangements;
DETERMINED to ensure that the Union is capable of fully assuming its responsibilities within the international community;
RECOGNISING that the United Nations Organisation may request the Union’s assistance for the urgent implementation of missions undertaken under Chapters VI and VII of the United Nations Charter;

RECOGNISING that the strengthening of the security and defence policy will require efforts by Member States in the area of capabilities;
CONSCIOUS that embarking on a new stage in the development of the European security and defence policy involves a determined effort by the Member States concerned;
RECALLING the importance of the High Representative of the Union for Foreign Affairs and Security Policy being fully involved in proceedings relating to permanent structured cooperation,
HAVE AGREED UPON the following provisions, which shall be annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union:
Article 1
The permanent structured cooperation referred to in Article 42(6) of the Treaty on European Union shall be open to any Member State which undertakes, from the date of entry into force of the Treaty of Lisbon, to:
(a) proceed more intensively to develop its defence capacities through the development of its national contributions and participation, where appropriate, in multinational forces, in the main European equipment programmes, and in the activity of the Agency in the field of defence capabilities development, research, acquisition and armaments (European Defence Agency), and
(b) have the capacity to supply by 2010 at the latest, either at national level or as a component of multinational force groups, targeted combat units for the missions planned, structured at a tactical level as a battle group, with support elements including transport and logistics, capable of carrying out the tasks referred to in Article 43 of the Treaty on European Union, within a period of 5 to 30 days, in particular in response to requests from the United Nations Organisation, and which can be sustained for an initial period of 30 days and be extended up to at least 120 days.
Article 2
To achieve the objectives laid down in Article 1, Member States participating in permanent structured cooperation shall undertake to:
(a) cooperate, as from the entry into force of the Treaty of Lisbon, with a view to achieving approved objectives concerning the level of investment expenditure on defence equipment, and regularly review these objectives, in the light of the security environment and of the Union’s international responsibilities;

(b) bring their defence apparatus into line with each other as far as possible, particularly by harmonising the identification of their military needs, by pooling and, where appropriate, specialising their defence means and capabilities, and by encouraging cooperation in the fields of training and logistics;
(c) take concrete measures to enhance the availability, interoperability, flexibility and deployability of their forces, in particular by identifying common objectives regarding the commitment of forces, including possibly reviewing their national decision-making procedures;
(d) work together to ensure that they take the necessary measures to make good, including through multinational approaches, and without prejudice to undertakings in this regard within the North Atlantic Treaty Organisation, the shortfalls perceived in the framework of the ’Capability Development Mechanism’;
(e) take part, where appropriate, in the development of major joint or European equipment programmes in the framework of the European Defence Agency.
Article 3
The European Defence Agency shall contribute to the regular assessment of participating Member States’ contributions with regard to capabilities, in particular contributions made in accordance with the criteria to be established, inter alia, on the basis of Article 2, and shall report thereon at least once a year. The assessment may serve as a basis for Council recommendations and decisions adopted in accordance with Article 46 of the Treaty on European Union.

WORTH READING : the final text of the EUROPEAN BORDER AND COAST GUARD REGULATION

The text below is the final version of the EU Regulation on the European Border and Coast Guard as revised by the Jurist Linguists of the EU institutions. Formally adopted this week as a “corrigendum” by the European Parliament and by written procedure by the Council, it will be published in the Official Journal in the coming weeks. Presented, negotiated and adopted in an extremely short time ([1]) under the pressure of the European Council, the new EU Regulation on the European Border and Coast Guard could be seen as at the same time a main evolutionary step and a revolutionary one in the relation between the EU and its Member States in the freedom, security and justice area.

Even if the main subject of the text is border management, it also covers, directly and indirectly, other EU policies such as refugee law, international protection, migration and even internal and external security. Not surprisingly, such an ambitious objective was difficult if not impossible to achieve in such a short time, and several commentators and representatives of civil society have already considered (see Peers, Carrera [1], Rijpma [2], and, more recently, De Bruycker [3]) that the text on the one side does not deliver what it announces and on the other side is still rooted in an old intergovernmental model. Maybe, from a legistic point of view, instead of bringing all these objectives together in a single legislative text it would have been more elegant to focus its content only on the organisational and operational aspects of the “new” Frontex and deal with the general framework of the integrated EU border management in the Schengen Border Code, where general rules on its definition, negotiation, adoption and implementation would have been better placed together with the rules on its evaluation and on the adoption of extraordinary measures in case of emergency. However, these have probably been considered by the Commission legal niceties to be dealt with in times of less political pressure.

With so many objectives it is not surprising that the final result is far from the expectations and the text is in some places still elusive and in others too detailed. It can then be interesting to compare the negotiating positions of the three institutions as they result from a very interesting multicolumn document leaked by Statewatch during the “confidential” legislative trilogues. It shows that the European Parliament tried to improve the original Commission proposal and obtained some concessions from the Council but, regrettably, lost its main targets, such as the definition in codecision of the European Border Strategy (instead of a simple decision of the Agency’s Management Board) and even the procedure to appoint the Agency Director, where its position will be to express an opinion …which can be disregarded.

Further comments will follow. EDC

 

[1] See the CEPS study of Sergio Carrera and Leonhard den Hertog “A European Border and Coast Guard: What’s in a name?”

[2] See Jorrit RIJPMA study for the Civil Liberties Committee of the EP “The proposal for a European Border and Coast Guard: evolution or revolution in external border management?”

[3] See Philippe DE BRUYCKER “The European Border and Coast Guard: A New Model Built on an Old Logic”

 

It is the latest (and quite likely not the last) of a chain of legal texts by which the EU has tried in recent years to legally frame the issue of human mobility and human security in the EU by taking into account the new legal framework after the entry into force of the Lisbon Treaty and of the EU Charter of fundamental rights.

[1] A rather detailed and updated collection of the legislative preparatory works can be found here :  https://free-group.eu/2016/06/10/wiki-lex-the-new-eu-border-guard-proposal/

[2] As verified by the Jurist Linguist and endorsed by the EP according to art 231 of its Rules of procedure.

————————————————–

REGULATION (EU) 2016/…OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of … on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 77(2)(b) and (d) and Article 79(2)(c) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee,

Acting in accordance with the ordinary legislative procedure,

Whereas:

THE FUTURE OF NATIONAL DATA RETENTION OBLIGATIONS – HOW TO APPLY DIGITAL RIGHTS IRELAND AT NATIONAL LEVEL?

ORIGINAL PUBLISHED ON EUROPEAN LAW BLOG (JULY 25, 2016)
By Vanessa Franssen

 

On 19 July, Advocate General (AG) Saugmandsgaard Øe delivered his much awaited opinion on the joined cases Tele2 Sverige AB and Secretary of State for the Home Department, which were triggered by the Court of Justice’s (CJEU) ruling in Digital Rights Ireland, discussed previously on this blog. As a result of this judgment, invalidating the Data Retention Directive, many Member States which had put in place data retention obligations on the basis of the Directive were confronted with the question whether these data retention obligations were compatible with the right to privacy and the right to protection of personal data, guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights (Charter). Hence, without a whisper of a doubt, several national legislators eagerly await the outcome of these joined cases, in the hope of getting more guidance as to how to apply Digital Rights Ireland concretely to their national legislation. The large number of Member States intervening in the joined cases clearly shows this: in addition to Sweden and the UK, no less than 13 Member States submitted written observations. The AG’s opinion is a first – important – step and thus merits a closer look.

National and European shock waves after Digital Rights Ireland

The Digital Rights Ireland case was ground-breaking in many respects, and caused a real shock effect across the EU. As a result of the CJEU ruling, national data retention legislation was invalidated in several Member States. For instance, the District Court of The Hague struck down the Dutch national data retention legislation on 11 March 2015, and shortly afterwards, on 11 June 2015, the Belgian data retention law was annulled by the Constitutional Court, which largely copy-pasted the CJEU’s reasoning. This situation creates great uncertainty about the further potential use of traffic and location data of electronic communications in national and transnational criminal investigations (see eg the Workshop on data retention organized by the Consultative Forum and the Luxembourg Presidency), especially because such data are used in an increasingly large number of criminal cases, not just as incriminating, but also as exculpatory evidence.

In other Member States, the legislator very quickly launched the process for amending the national data retention legislation. For instance, in the UK, the Data Retention and Investigatory Powers Act was adopted only three months after the CJEU’s ruling. By contrast, in Luxembourg, which has invested significantly in the digital economy in the last few years while also emphasizing the importance of the protection of privacy and personal data, the legislative process kicked off in January 2015 but has still not resulted in new legislation.

At the European level, the legislator has so far shown little appetite to adopt a new Data Retention Directive, despite some attempts of the Luxembourg Presidency in the Autumn of 2016 to initiate such legislative process, or at least to stimulate the discussion. This should not come as a real surprise. On the one hand, the CJEU has been very active in the field of data protection over the last two years, addressing a large number of questions and raising new ones (some of which have been discussed previously on this blog: see here, here and here). On the other, the EU was already busy tackling other urgent and delicate data protection issues, such as the adoption of the new General Data Protection Regulation, repealing Directive 95/46/EC, and the Data Protection Directive with respect to the processing of personal data for criminal investigations, repealing Council Framework Decision 2008/977/JHA, and the negotiations and adoption of the new Umbrella Agreement with regard to EU-US law enforcement cooperation.

Short background to the cases

Immediately after the Digital Rights Ireland ruling, Tele2 Sverige AB (a provider of electronic communications) notified the Swedish competent authority that it would no longer comply with the Swedish national data retention obligations as it considered that those obligations did not meet the CJEU’s conditions. This decision obviously caused great concern for the national authority, which ordered Tele2 Sverige to resume its retention of data. Yet, Tele2 Sverige persevered and appealed this order before the Administrative Court in Stockholm and subsequently before the Administrative Court of Appeal, which referred the matter for a preliminary ruling to the CJEU. (Opinion, §§ 50-55)

In the meantime in the UK, the 2014 Data Retention and Investigatory Powers Act was challenged before the High Court of Justice of England and Wales and declared invalid on 17 July 2015, because the data retention regime did not provide for adequate safeguards in order to protect the right to privacy and the right to protection of personal data laid down in the Charter. In other words, the UK data retention regime did not comply with the conditions put forward by the CJEU in Digital Rights Ireland. However, the Home Secretary appealed this judgment and the Court of Appeal decided to refer two questions to the CJEU for a preliminary ruling. (Opinion, §§ 56-60)

Questions submitted to the CJEU

Interestingly, the approach of both referring courts is quite different, as is clear from the way they formulate their respective questions for the CJEU.

The Swedish referring court asks the CJEU, first of all, whether

‘a general obligation to retain data in relation to all persons and all means of electronic communication and extending to all traffic data, without any distinction, limitation or exception being made by reference to the objective of fighting crime (…) [is] compatible with Article 15(1) of Directive 2002/58, taking into account Articles 7, 8 and 52(1) of the Charter?’ (Opinion, § 55)

Should such a general data retention obligation not be compatible with the Charter, could a data retention obligation then nevertheless be compatible with the Charter if the access of the competent authorities to the retained data is regulated as it is under Swedish law, if the protection and security of the data are regulated as they are under Swedish law, and if all relevant data must be retained for a period of 6 months before being erased, as imposed by Swedish law?

By contrast, the Court of Appeal of England and Wales is of the view that the CJEU did not set out ‘specific mandatory requirements of EU law with which national legislation must comply, but was simply identifying and describing protections that were absent from the harmonised EU regime.’ (Opinion, § 59)

Nevertheless, to be absolutely sure, it asks the CJEU to clarify this point:

‘Does the judgment of the Court of Justice in Digital Rights Ireland (including, in particular, paragraphs 60 to 62 thereof) lay down mandatory requirements of EU law applicable to a Member State’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the [Charter]?’ (Opinion, § 60)

Furthermore, the Court of Appeal would like to know whether Digital Rights Ireland expands the scope of Articles 7 and/or 8 of the Charter beyond that of Article 8 of the European Convention of Human Rights (ECHR), as interpreted by the European Court of Human Rights (ECtHR). Put differently, the referring court wonders whether the level of protection offered by the Charter is higher than that under the ECHR.

The AG’s opinion

The latter question raised by the Court of Appeal in the UK case should be rejected as inadmissible according to the AG, because it is only ‘of purely theoretical interest’ (§ 82) and not ‘relevant to the resolution of the disputes’ (§ 75). Even if the Court would want to address the question, EU law does of course not prevent the Court (or the legislator) from going beyond the protection offered by the ECHR (§ 80). On the contrary, in my view it may be quite desirable to go beyond the minimum safeguards guaranteed by the ECHR, and not just with respect to Article 8. Unfortunately, EU legislation – for instance also with respect to procedural safeguards in criminal proceedings – does not pass, or barely passes, the minimum level of protection granted by the ECHR (see, for instance, the analysis on this blog regarding the recently adopted Presumption of Innocence Directive).

Subsequently, the AG addresses the first question of the Swedish referring court, regarding the compatibility of a general data retention obligation with Article 15(1) of Directive 2002/58/EC (the Directive on privacy and electronic communications) and Articles 7 and 8 of the Charter. In a first step, the AG affirms that a general data retention obligation falls within the scope of Directive 2002/58/EC, despite the exclusion of State activities relating to criminal law by Article 1(3) of the Directive. Indeed, it is not because the data retained can be accessed and used by police and judicial authorities for criminal investigations that the data retention rules, which address private actors providing electronic communications services (service providers), would themselves be excluded from the scope of the Directive (§§ 87-97). Next, the AG scrutinizes whether the possibility offered by Article 15(1) of Directive 2002/58/EC to restrict the rights and obligations of the Directive allows for the creation of a general data retention regime by national law. Unlike some of the civil liberties organisations intervening in the joined cases, the AG considers that the wording of Article 15(1) of Directive 2002/58/EC (‘Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period’) indicates that data retention obligations are not, as such, inconsistent with the Directive. The same goes for general data retention obligations, yet only if they ‘satisfy certain conditions’ (§ 108). Recital (11) of the Directive confirms this as it states that the Directive

does not alter the existing balance between the individual’s right to privacy and the possibility for Member States to take the measures referred to in Article 15(1) of this Directive, necessary for the protection of public security (…) and the enforcement of criminal law.

Hence, it

does not affect the ability of Member States to carry out lawful interception of electronic communications, or take other measures, if necessary for any of these purposes and in accordance with the [ECHR]

provided that those

measures [are] appropriate, strictly proportionate to the intended purpose and necessary within a democratic society and (…) subject to adequate safeguards in accordance with the [ECHR].

In sum, what matters is that (general) data retention rules meet certain requirements, which ensure striking an acceptable balance between the purposes pursued by those rules and the individual’s fundamental rights. These rights are not just the ones laid down in the ECHR, but also the ones of the Charter as data retention rules ‘constitutes a measure implementing the option provided for in Article 15(1) of Directive 2002/58’ (§ 121). In other words, national legislation encompassing data retention obligations is ‘governed’ by EU law, which triggers the application of the Charter, as the CJEU clarified in the Åkerberg Fransson case (discussed on this blog) and refined in later case law (eg Siragusa, also analysed on this blog, and Julian Hernández and others, §§ 32-49). By contrast, whether the Charter also applies to the national rules determining under what conditions police and judicial authorities can access the retained data is less obvious, because Directive 2002/58/EC does not cover ‘activities of the State in areas of criminal law’ (Art. 1(3)). While the AG is inclined to conclude that the Charter does not apply to those rules (§§ 123-124), he also stresses that

‘the raison d’être of a data retention obligation is to enable law enforcement authorities to access the data retained, and so the issue of the retention of data cannot be entirely separated from the issue of access to that data. As the Commission has rightly emphasised, provisions governing access are of decisive importance when assessing the compatibility with the Charter of provisions introducing a general data retention obligation in implementation of Article 15(1) of Directive 2002/58. More precisely, provisions governing access must be taken into account in the assessment of the necessity and proportionality of such an obligation.’ (§ 125, emphasis)

In other words, does this mean that the Charter indirectly applies to national rules regulating the access to the retained data? It will be interesting to see if and how the CJEU addresses this point, adding another piece to what Benedikt Pirker described on this blog as ‘the jigsaw puzzle of earlier decisions on the scope of EU fundamental rights’.

This brings the AG to the biggest and most tricky questions submitted for a preliminary ruling, combining the second question of the Swedish court and the first question of the Court of Appeal, concerning the conditions national legislation should respect when creating a general data retention obligation. Without a doubt, general data retention obligations constitute a serious interference with the right to privacy (Article 7 of the Charter) and the right to the protection of personal data (Article 8 of the Charter) (§ 128). So the crucial question is whether such interference may be justified and on what conditions (§ 129).

Based on a reading of Article 15(1) of Directive 2002/58/EC and Article 52(1) of the Charter, the AG identifies six cumulative conditions that must be met to justify the serious interference caused by a general data retention obligation:

– ‘the retention obligation must have a legal basis;

– it must observe the essence of the rights enshrined in the Charter;

– it must pursue an objective of general interest;

– it must be appropriate for achieving that objective;

– it must be necessary in order to achieve that objective;

– it must be proportionate, within a democratic society, to the pursuit of that same objective.’ (§ 132)

While most of these requirements were already put forward by the CJEU in Digital Rights Ireland, when evaluating the legal regime laid down in the Data Retention Directive, the AG nevertheless wishes to revisit them, ‘[f]or the sake of clarity and given the facts which distinguish the present cases from Digital Rights Ireland’ (§ 133). In particular, he wants to have a closer look at the requirement of a legal basis (which was not addressed in Digital Rights Ireland) and the necessity and proportionality of data retention obligations in a democratic society.

The first requirement, imposing the need for a legal basis, should be interpreted in light of Article 52(1) of the Charter, stating that limitations to the rights of the Charter should be ‘provided for by law’ – a phrase that resonates the wording of the ECHR (‘in accordance with the law’, Article 8 ECHR) and the case law of the ECtHR (§ 141) – as well as in light of Article 15(1) of Directive 2002/58/EC. As a result, a regime of general data retention should be established on the basis of measures adopted by a legislative authority, that are accessible and foreseeable while offering adequate protection against arbitrary interference with the rights of privacy and data protection (§ 153). That being said, considering the differences in the various language versions of Article 15(1) of Directive 2002/58/EC (§§ 145-147), the AG acknowledges that regulatory measures adopted by an executive authority might also suffice, although he would personally prefer to give the executive authority only the responsibility of implementing the measures adopted by the legislative authority (§§ 152-153).

Second, any general data retention regime should observe the essence of the rights enshrined in Articles 7 and 8 of the Charter, as the CJEU also highlighted in Digital Rights Ireland. As long as the national data retention obligations do not concern the content of the electronic communications and as long as they provide for safeguards that ‘effectively protect personal data’ retained by service providers ‘against the risk of abuse and against any unlawful access and use of that data’ (§ 159), this requirement does not seem to create particular problems in the cases submitted to the CJEU.

Third, the interference with the rights to privacy and data protection caused by a general data retention obligation can only be justified if the latter pursues ‘an objective of general interest recognised by the European Union’. As the CJEU pointed out in Digital Rights Ireland, the objective to fight serious crime (such as international terrorism) is definitely recognized by EU law; Article 6 of the Charter does not only warrant the right to liberty, but also the right to security. Yet, whether data retention obligations are also justifiable, more generally, to combat ordinary crime, or even in proceedings other than criminal proceedings, as the UK government argues in its submission before the CJEU, is much less obvious. It should be acknowledged that limitations allowed for by Article 15(1) of Directive 2002/58/EC are not confined to ‘serious crime’. Indeed, this provision allows Member States to adopt restrictions that are necessary, appropriate and proportionate within a democratic society ‘to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences’. Nevertheless, in the AG’s view, the interferences caused by a general data retention regime are so serious that the fight against ‘ordinary offences and the smooth conduct of proceedings other than criminal proceedings’ are not ‘capable of justifying a general data retention obligation’ considering the ‘considerable risks that such obligations entail’ (§§ 172-173).

Moving forward, the AG evaluates the proportionality of general data retention obligations, which he splits up into three separate (sub-)requirements: are they appropriate (fourth requirement) as well as strictly necessary (fifth requirement) to achieve the aforementioned objective of fighting serious crime, and proportionate in a democratic society (sixth requirement)? Like the CJEU in Digital Rights Ireland, the AG sees no obstacle in the appropriateness of general data retention obligations to fight serious crime (§ 177). He even insists on the usefulness of such data, which allow police and judicial authorities to ‘examine the past’, even with respect to persons who were not suspected of a serious crime at the time of the electronic communications (§§ 178-181). Considering the current safety threats and the numerous terrorist attacks that took place after the Digital Rights Ireland judgment, any other viewpoint would have been surprising.

Next, the AG addresses the fifth requirement: are general data retention obligations really (ie strictly) necessary to combat serious crime? This requirement unfolds in two questions. For one, is a general data retention obligation strictly necessary, or on the contrary, does it go ‘beyond the bounds of what is strictly necessary for the purposes of fighting serious crime, irrespectively of any safeguards that might accompany such an obligation’ (emphasis added)? For another, if a general data retention does not exceed what is strictly necessary, ‘must it be accompanied by all the safeguards mentioned by the Court in paragraphs 60 to 68 of Digital Rights Ireland’ (§ 189).

As regards the first of these two questions, the AG adheres to the point of view that most parties (in particular the Member States) took in their written submissions: a general data retention obligation as such does not exceed the limits of strict necessity. According to the AG, paragraphs 56 to 59 of Digital Rights Ireland should indeed be interpreted as meaning that a general data retention obligation does not pass the strict necessity test but only if ‘it is not accompanied by stringent safeguards concerning access to the data, the period of retention and the protection and security of the data’ (§ 195, original emphasis).

One may wonder whether this is a correct reading of the CJEU’s judgment, which emphasized that the Data Retention Directive required the retention of all traffic data relating to all means of electronic communications and regarding all persons (‘practically the entire European population’), ‘without any differentiation, limitation or exception being made in light of the objective of fighting against serious crime’ (§§ 56-57). That being said, as some governments pointed out, if the Court would have considered that a general data retention obligation by itself exceeds the threshold of what is strictly necessary, then why did it bother to spell out in the subsequent paragraphs the safeguards that should apply? The upcoming judgment will undoubtedly tell us which interpretation is the right one.

Furthermore, the AG insists on the fact that national courts will have to assess whether there are no equally effective and less restrictive means available in the national system to achieve the same goal as a general data retention obligation (§§ 206-215), thereby passing on a difficult but very important balancing exercise to the national courts.

Assuming a general data retention obligation is strictly necessary, then all the safeguards put forward by the CJEU in Digital Rights Ireland (§§ 60-68) should be respected by national law. Any other approach which would allow for a further balancing exercise between the different safeguards (as, for instance, the German government suggested, using the metaphor of ‘communicating vessels’) would, according to the AG, empty those safeguards of their practical effect (§§ 221-227). This means that national data retention rules should

1) make sure that the ‘access to and the subsequent use of the retained data [are] strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto’ (§ 229);

2) make the access to those data ‘dependent on a prior review carried out by a court or by an independent administrative body’ in order to assess the strict necessity of the access and subsequent use of the data (§ 232);

3) require service providers ‘to retain data within the European Union, in order to facilitate the review’ and to make sure that the EU safeguards apply (§§ 238-240), and

4) limit the retention period according to the usefulness of the data (§ 242).

While it is again for national courts to evaluate whether the safeguards provided for by national law are sufficient, the AG does not hide his opinion that both the Swedish and the UK regime reveal a number of deficiencies in this respect (§§ 230, 233 and 239).

Sixth and last, the AG emphasizes the need to evaluate the ‘proportionality stricto sensu’ of a general data retention obligation, which consists in weighing the advantages and disadvantages of such an obligation within a democratic society (§ 248). Once more, the AG argues this is a task for national courts, but he nonetheless points out that a general data retention obligation entails a considerable risk of mass surveillance (§ 256). Based on an analysis of a large amount of (meta-)data, authorities could easily find out as much, or even more, about an individual as they can by means of targeted surveillance measures, including the interception of content data (§§ 254 and 259). Unlike the content of communication, meta-data ‘facilitate the almost instantaneous cataloguing of entire populations’ (§ 259). If one just considers the large number of requests service providers in Sweden and the UK receive from the competent authorities, one realizes that the risk of abusive or illegal access to the retained data is far from ‘theoretical’ (§ 260).

Some first thoughts

As the above analysis suggests, the AG’s opinion offers a lengthy and mitigated assessment of the six cumulative requirements that general data retention obligations under national law should meet. Some of these requirements (eg the requirement of a legal basis) can easily be fulfilled. Yet others will raise many problems for national legislators when delineating the domestic data retention framework.

For instance, the requirement that general data retention obligations must pursue ‘an objective of general interest recognised by the European Union that is capable of justifying a general data retention obligation’ will undoubtedly raise many problems at the national level. Is the fight against serious crime indeed the only acceptable objective? For sure, the ‘material objective’ of the Data Retention Directive was ‘to contribute to the fight against serious crime and thus ultimately to public security’, which made the CJEU decide that the Directive satisfied an objective of general interest (Digital Rights Ireland, §§ 41-44). But does this mean, as the AG advocates, that it is the only possible justifiable objective for national data retention obligations, considering the seriousness of the interferences with the right to privacy and the right to protection of personal data? Furthermore, assuming it is, what offences are sufficiently ‘serious’ to justify a general data retention obligation? In Digital Rights Ireland, the CJEU explicitly stated that this is to be ‘defined by each Member State in its national law’ (§ 41). Yet, the AG suggests a different approach, by stressing that it should be ‘an objective of general interest recognized by the European Union’. Hence, how much leeway do Member States have? If an EU-wide understanding of the label ‘serious crime’ is to be preferred, would the list of Eurocrimes (which are in fact broad categories of crimes) in Article 83(1) TFEU then be of sufficient guidance?

Another concern of police and judicial authorities, which national legislators will want to take into account, is that what starts out as a simple, ‘ordinary’ criminal case, may very well turn out to be much more ‘serious’ at a later stage of the investigation. It may not be so easy to reconcile this concern with the safeguard to limit the data retention period in light of the usefulness of the data, ie considering the objective pursued or according to the persons concerned.

One may also wonder whether the AG’s opinion provides as much clarity as national legislators hope to get from the CJEU. Many issues will still need to be addressed by national legislators (eg to design safeguards that pass the Digital Rights Ireland test) and national courts (eg to evaluate whether there are no less restrictive alternatives than a general data retention obligation and whether the risk of mass surveillance does not outweigh the benefits offered by a general data retention obligation).

For sure, this is only a first reflection. Further reflection will undoubtedly follow after the Grand Chamber of the CJEU has rendered its ruling. In the meantime, national legislators will have to be patient and uncertainty will persist about the potential use in criminal proceedings of traffic and location data retained on the basis of a general data retention obligation.

EU Referendum Brief 5: How would Brexit impact the UK’s involvement in EU policing and criminal law?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Steve Peers

What impact does EU membership have on policing and criminal law in the UK – and what would be the impact of Brexit? I’ll give the shorter summary version of the answer to those questions first, followed by a longer more detailed version.

Summary

The UK had a veto over EU laws in this area adopted before the Treaty of Lisbon came into force (1 December 2009). Since then, it has had two opt-outs instead: a) it can opt in (or out) of any new EU law in this field adopted after that Treaty; and b) it could go back and opt out of any old EU laws which were adopted before that Treaty. The UK used the latter power to opt out of the majority of pre-Lisbon laws.

There are five main areas of EU criminal law and policing. One area is the definition of crime, where the UK has opted into a small number of EU laws on issues such as child abuse. A second area is criminal procedure, where the UK has opted into some EU laws on suspects’ rights and crime victims’ rights. These are basically domestic areas of law, and there’s no reason to think the UK would change its rules after Brexit.

However, the other three areas concern international cooperation, where it is impossible for any individual country to act alone. Those areas are: a) recognition of criminal decisions (on arrest warrants or gathering evidence, for instance); b) the exchange of police information; and c) EU agencies like Europol, the EU police intelligence agency.

On criminal law mutual recognition, there are other international rules on some of these issues – such as extradition – but they do not go as far as the EU rules. In some cases, there are no alternative international rules on the same issue. The UK could seek to negotiate a treaty with the EU on these issues, but the past precedents show that non-EU countries are able to negotiate only limited participation in these EU laws.

On EU agencies, non-EU countries can participate as associates, but this means a more limited involvement in each agency than they would have as EU Member States.

The UK’s involvement in police information exchange with the EU would also be subject to renegotiation if the UK left the EU. Again, past precedents show that non-EU countries are able to negotiate only limited participation in these EU laws. And if the UK did not continue to sign up to EU data protection laws fully, there would be difficult legal disputes that could limit the transfer of policing data to the UK’s law enforcement authorities from the EU.

It cannot be seriously argued that the UK has ‘lost control’ over its law enforcement and intelligence agency operations to the EU, given the UK’s opt-out, the focus of EU law on cross-border issues, and the lack of any EU law on intelligence issues.

Overall, a Brexit is very likely to lead to a significant reduction in cooperation in criminal and policing matters between the UK and the EU.

The details

First and foremost, while the EU has adopted a number of laws in this area, the UK only participates in some of those laws, and has an opt-out over future laws in this area too. This blog post will in turn: (a) describe the basics of EU law in this area, including the UK opt-out; (b) summarise the main EU laws in which the UK does (or does not) participate; and (c) indicate what could happen in the event of ‘Brexit’. For a full academic treatment of these issues, see the fourth edition of my EU Justice and Home Affairs Law book (volume 2).

(a) The basics of EU policing and criminal law 

Before the entry into force of the Treaty of Lisbon (on 1 December 2009) police and criminal law matters were subject to a different legal framework from ordinary EU (or European Community) law. The powers of the EU institutions (Commission, European Parliament, EU Court) were more limited, and each Member State, including the UK, had a veto over all laws.

The Treaty of Lisbon repealed these special rules, bringing EU criminal and policing law into the general framework of EU law. From this point on, the usual rules of EU law have applied to this field, with a few exceptions. However, the key point for the UK is that in place of a veto, it got not just one but two opt-outs from EU law in this field.

First, the UK can opt out of (or into) any individual EU laws on criminal law or policing proposed after the entry into force of the Treaty of Lisbon.

Secondly, the UK got the power to opt out of EU criminal laws which it had already agreed to before the entry into force of the Treaty of Lisbon. It could invoke this power as of 1 December 2014. The UK government used this to opt out of all but 35 of the EU criminal laws adopted before the Treaty of Lisbon. (See the discussion of that process here).

(b) Which EU criminal and policing laws does the UK apply?

EU criminal and policing law touches on five main issues:

(a)    substantive criminal law (ie the definition of crimes);
(b)   mutual recognition in criminal matters (ie applying another EU Member State’s criminal law decision, where there is a cross-border issue like gathering evidence in another EU country, or asking another country to hand over a fugitive to face a trial or serve a sentence);
(c)    harmonisation of criminal procedure;
(d)   exchange of police information; and
(e)   EU agencies.

The effect of the two sets of opt-outs is that the UK has been highly selective about the EU law in this area which it wishes to apply. Taking the five areas of law in turn, first of all the UK has opted out of almost all EU substantive criminal law. It is covered by the EU Directives adopted since the Lisbon Treaty defining offences relating to trafficking in persons, sexual abuse of children and attacks on information systems (a form of cyber-crime), but not by EU laws defining offences relating to terrorism, organised crime, fraud, drugs, market abuse by bankers, racism, or currency counterfeiting.

Secondly, the UK is far more engaged in mutual recognition in criminal matters, in particular the flagship law on the European Arrest Warrant (EAW), which is a fast-track extradition system. The UK has also signed up to EU laws on:

(a)    mutual recognition of investigation orders (gathering physical evidence, or interviewing witnesses, in another EU country);
(b)   victim protection orders (where the victim of domestic violence moves to another EU country and wants a restraining order against her abuser to be transferred to that country when she moves there);
(c)    pre-trial supervision (so a criminal suspect can be released on bail to await trial on less serious offences back in Britain, rather than spend a long time in pre-trial detention in a foreign prison);
(d)   confiscation of assets and freezing orders (to ensure that the proceeds of crime held by alleged or convicted criminals in another EU country can be frozen pending trial, and seized if the suspect is convicted);
(e)   the effect of prior sentences or other judgments (so that previous criminal offences committed in another EU country are counted when assessing whether someone is a repeat offender); and
(f)     the transfer of prisoners and criminal sentences (simplifying the movement of foreign prisoners to jails in their EU country of origin, and recognizing fines imposed by a criminal court too – including any penalties imposed against companies for breach of criminal law).

Conversely, the UK has opted out of only one measure in this field, concerning the mutual recognition of probation and parole orders.

Thirdly, as regards the harmonisation of criminal procedure, the UK participates in the EU Directive on crime victims’ rights. However, the UK has only opted in to two of the six EU laws which set out criminal suspects’ procedural rights. In particular, it has opted into the laws on translation and interpretation, and giving suspects information on their rights; but it has opted out of laws on access to a lawyer, presumption of innocence, child suspects’ rights, and a proposed law on legal aid (not yet agreed).

Fourthly, the UK is particularly keen to participate in the exchange of police information. It participates in every significant measure in the field:

(a)    the Schengen Information System (information on wanted persons and stolen objects, including terrorist suspects under surveillance);
(b)   the Customs Information System (used particularly in drug trafficking cases);
(c)    the ‘Prum’ decisions (which give access to other EU countries’ police databases on fingerprints, licence plates and DNA); and
(d)   the laws on exchange of criminal records.

Finally, as regards EU agencies, the UK participates in Europol (the EU police intelligence agency) and Eurojust (the agency which coordinates work of prosecutors in cross-border cases) at present. However, it has opted out of a new law concerning Europol, and a proposed new EU law concerning Eurojust, which set out (or would set out) revised rules for those agencies following the entry into force of the Treaty of Lisbon, although it might decide to opt in to those Regulations after they are adopted. The UK used to host the European Police College (a training agency), but refused to continue hosting it and opted out of a new version of the relevant law.

There has been some concern particularly about the prospect of the UK participating in a law to create a European Public Prosecutor. While the EU Commission proposed a law to create a European Public Prosecutor in 2013, the UK has opted out of that proposal. Indeed, the UK would have to hold another referendum before it opted in to that law, according to the European Union Act 2011.

(c) What would the impact of ‘Brexit’ be?

It’s sometimes argued that EU laws on policing and criminal law are irrelevant to the UK’s membership of the EU, because the UK can simply do everything it wishes to do in this field in its domestic law. That’s a valid argument for two of the five areas of law described above: substantive criminal law and harmonisation of procedure. But it doesn’t work for the three other areas – mutual recognition, exchange of information and participation in EU agencies – which necessarily require some cooperation with other states. Put simply, a British Act of Parliament cannot regulate how France or Germany issue extradition requests.

What would happen if the UK left the EU? In each case, as with other areas of EU law and policy, it would depend on what the UK and EU negotiated afterward. But it is possible to give some general indication of the consequences.

In the area of mutual recognition, the UK can fall back on Council of Europe treaties, which address some of the same issues (note that the Council of Europe is a separate body from the EU, which includes non-EU European countries like Turkey and Russia; some of its treaties can be signed also by non-European states like the USA).

However, the relevant treaties do not go into as much detail as the EU laws, and are often less effective. As an indication of this, see the UK government information about the application of EU law in this area. Extradition from the UK has gone from 60 people a year (to all countries) before 2004 to 7000 since 2004 on the basis of the European Arrest Warrant. Over 95% of those sent to other Member States are not British.

Moreover, in some cases the UK and/or some other Member States have not ratified the relevant treaties. For instance, fewer than half of all Member States have ratified the Council of Europe Convention on validity of criminal judgments; the UK has not ratified it either. But the EU law on mutual recognition of criminal penalties sets out rules on one of the key issues in that Council of Europe treaty: the recognition of criminal financial penalties imposed by another Member State’s court. Some issues have not been the subject of Council of Europe treaties at all, such as the pre-trial supervision rules set out in EU law. In these cases, the EU law is the only means of ensuring the cooperation in question.

Another alternative is to negotiate treaties with the EU on these issues. The EU has been willing in practice to negotiate access to some aspects of its criminal law measures: a form of the EAW for Norway and Iceland, an extradition treaty with the USA, and mutual assistance (exchange of evidence) with Norway and Iceland, the USA and Japan. But the extradition treaty with Norway and Iceland took years to negotiate, is still not in force at time of writing, and does not oblige States to extradite their own citizens – meaning that the UK would not be able to ask Germany to extradite Germans, for example. That restriction cannot easily be negotiated away in the event of Brexit, because some EU countries have constitutional problems which prevent them extraditing their own citizens outside the EU. (On these sorts of issues, see E Guild, ed, Constitutional challenges to the European Arrest Warrant).

Overall, there are no such treaties agreed with any non-EU countries on the large majority of EU criminal law mutual recognition measures. Of the treaties which are agreed, not a single one goes as far as the relevant EU legislation in force.

A particular concern of critics of the EU rules on extradition is the ‘sufficient evidence’ (‘prima facie’) test which was traditionally applied by the UK before accepting an extradition request. While it is sometimes argued that the EAW abolished the ‘prima facie’ test as regards EU countries, this is not correct. In fact, the UK waived the right to apply this test to European countries when it signed up to the Council of Europe extradition treaty back in 1990, over a decade before it signed up to the EU’s EAW: see the Extradition Act 1989, section 9(4), which was implemented by the European Convention on Extradition Order 1990 (SI 1990 No. 1507). In other words, the test was not abolished because of EU law, but was already abolished well before the EU had any involvement in extradition law.

Why did the UK abolish the prima facie test? As noted in the 2011 Baker review of UK extradition law, the decision was made because of the difficulties it posed for extradition in practice: a White Paper of 1986 stated that it ‘did not offer a necessary safeguard for the person sought by the requesting State but was a formidable impediment to entirely proper and legitimate extradition requests’. Ultimately the Baker review recommended that there was ‘no good reason to re-introduce the prima facie case requirement’ where it had been abolished, and that ‘No evidence was presented to us to suggest that European arrest warrants are being issued in cases where there is insufficient evidence’.

The prima facie test is sometimes described as an aspect of the ‘presumption of innocence’, although in fact a fugitive who is extradited pursuant to this test still either has to be convicted pursuant to a trial in the requesting State, or has already been convicted but fled the country. In other words, the presumption of innocence still applies when the substantive criminal trial takes place (or took place).

As regards the EU agencies, the UK can enter into agreements to cooperate with Europol and Eurojust, like other non-EU countries. However, as the Director of Europol points out, such agreements don’t allow the UK to have direct access to databases, to lead investigation teams, or to take part in the management of those agencies: both Europol and Eurojust have had British Directors.

Finally, as regards policing, the EU has given some non-EU states access to the Schengen Information System, and to the ‘Prum’ rules on access to each Member State’s national policing databases. But this was linked to those countries fully joining the Schengen system. The UK would obviously not do that after a Brexit.

The EU has also signed treaties on the exchange of passenger name records with non-EU countries (the USA, Canada and Australia), as well as a treaty on the exchange of financial information (concerning alleged terrorists) with the USA, so might be willing to sign similar treaties with the UK. It has also recently agreed an ‘umbrella’ treaty on general exchange of police information with the USA, although this is not yet in force.

However, the EU has not extended access to its system on exchange of criminal records to any non-EU countries. While there is a Council of Europe treaty on mutual assistance in criminal matters (which the UK and all other Member States are party to) that provides for some exchange of information of such records, it results in far less information exchange. The exchange of criminal records is particularly important for the UK: the government has reported that the UK is one of the biggest users of the EU system, and that criminal records checks of foreign nationals in the criminal justice system have increased 1,650% since 2010.

However, there is a particular issue that has complicated the exchange of personal data between the EU and non-EU countries, particularly as regards policing data. Are their data protection standards sufficient as compared to the standards maintained by the EU? If not, then the European Parliament may be reluctant to approve the deal, or it might be challenged in the EU Court. This isn’t a hypothetical possibility – it has happened several times already.

I have discussed this issue in more detail in a recent blog post for The Conversation, but I will summarise the main points there again.

As regards deals between non-EU countries and the EU itself, the EU Court of Justice has struck down a Commission decision on the transfer of personal data to the USA, because there was insufficient examination of the data protection standards applied by US intelligence agencies as regards access to personal data on social media. A replacement deal is planned, but will also be challenged in court. A further case is pending, where the EU Court has been asked to rule on the legality of the most recent EU/Canada treaty on the exchange of passenger records data, to ascertain if it meets EU standards for data protection.

If the UK left the EU, any UK/EU agreement on the transfer of personal data would have to meet the same requirements. Those requirements cannot simply be negotiated away, since they stem from the EU Charter of Rights – part of the primary law of the EU. The Charter can be amended, but to have legal effect the EU Treaties would also have to be amended to refer to that revised text. It is hard to believe this could happen at the behest of a country which has just left the EU.

Would UK legislation meet the test of being sufficiently similar to EU standards? The Court of Justice has been asked in the pending Davis and Watson case whether the rules on police access to personal data comply with the EU law that binds the UK as a Member State. Another Bill on this issue is pending before the UK Parliament, and would likely become an Act of Parliament before Brexit. Since many privacy campaigners are critical of the draft Bill, there would almost certainly be similar legal challenges to transfers of personal data to and from the UK after Brexit, unless the UK agrees to continue fully applying EU data protection law.

(d) Arguments by the referendum campaigns

The official leaflet summarising the position of the two sides in the referendum campaign contains a number of relevant claims from each side. For the Remain side, the pamphlet says that the EAW ‘allows us to deport criminals from the UK and catch those fleeing justice across Europe’, and that EU membership helps to tackle ‘global threats like terrorism’. For the Leave side, the pamphlet says that the EU ‘will continue to control…vital security policies such as counter-terrorism’ and the EU Court ‘will keep taking powers over how our intelligence services fight terrorism’.

Are these claims valid? As for the first Remain claim, as noted above the statistics show that the number of persons extradited to and from the UK has indeed increased since the EAW has been applied – although some extradition would still take place even if the UK did not apply the EAW.

In light of the official UK government information referred to above, other operational cooperation via Europol and other forms of EU police and criminal law cooperation presumably has some impact on combating threats like terrorism and other serious crimes in practice. However, it is not possible to estimate their impact compared to purely national actions and other forms of international cooperation.

As for the arguments by the Leave side, it is clear from the description of the laws which the UK applies that the EU does not ‘control…vital security policies’. The functioning of the UK law enforcement authorities is up to the UK, and there is no EU regulation of intelligence agencies. EU law impacts only cross-border issues.

As we have seen, the only EU case law to date impacting intelligence agencies concerns non-EU intelligence agencies. The ruling restricts transfers of data gathered by social networks to those non-EU countries in that context, unless those countries apply EU data protection law. If the UK left the EU, it would therefore be subject to the same restrictions on obtaining personal data in criminal cases from the EU. Leaving the EU is therefore more likely to impede UK intelligence agencies’ work, than it is to facilitate it.

Conclusion

The UK’s participation in EU criminal and policing law has led to an increase in cooperation in areas such as extradition and the exchange of police information. In these cases, there are question marks about what would happen after Brexit – mainly political but to some extent legal too. In the event of Brexit, there is a very high likelihood that cooperation between the UK and the remaining EU would be reduced (although not to zero). And in light of the UK’s opt-outs and the limited effect of EU law on purely domestic matters, it cannot seriously be argued that UK law enforcement and intelligence agencies are ‘controlled by’ the EU.