Category: 9.2 Intelligence – National security

Un commissaire britannique à la sécurité de l’Union européenne : le bon endroit, au bon moment, pour la bonne personne ?

PUBLISHED ALSO ON GDR  – English version will follow

par Henri Labayle, CDRE, et Emilio De Capitani, Free Group

 

La semaine dernière, la procédure de nomination de Sir Julian King en tant que nouveau commissaire en charge de la « sécurité de l’Union » a franchi l’obstacle de l’audition au Parlement européen. Par une large majorité de 394 membres pour contre 161 voix, le Parlement, qui est consulté en cas de démission d’un commissaire en vertu de l’article 246 TFUE, a donné son aval. Le 19 septembre 2016, le Conseil, en accord avec le président de la Commission, a donc nommé Sir Julian King, en remplacement de Jonathan Hill qui avait démissionné le 25 juin, ce pour la durée du mandat de la Commission restant à courir, c’est-à-dire jusqu’au 31 octobre 2019.

Auparavant, le 12 septembre, les trois heures d’audition du futur commissaire devant la Commission Libe ont été l’occasion de réfléchir à la nature et à la signification de ce choix pour le bon fonctionnement de l’Espace de liberté, sécurité et justice de l’Union européenne.

1. L’audition devant la Commission Libe

« A vaincre sans péril, on triomphe sans gloire », la citation du Cid vaut particulièrement en matière européenne. Il était facile de deviner que l’avis des coordinateurs politiques de la Commission Libe serait positif. Les échanges par écrit de questions/réponses diverses recoupaient en effet l’attitude largement positive des principaux groupes politiques du Parlement. Le détail de l’audition permet cependant de comprendre le climat dans lequel elle s’est déroulée (pour les documents de référence et la webstream de l’audience, voir ici et ici ).

L’habileté du candidat, d’abord, toute diplomatique, a été saluée par tous. Ambassadeur en poste à Paris, ayant travaillé à la représentation permanente britannique et dirigé un cabinet de commissaire, sa connaissance des dossiers de l’Union est évidente et incontestable. Il a donc eu beau jeu de séduire, en esquivant les questions délicates relatives au Brexit ou à l’accord PNR avec le Canada tout en assumant ses convictions pro-européennes : « j’ai plaidé résolument en faveur de la position du gouvernement britannique durant la campagne référendaire. J’ai toujours été fier d’être britannique et fier d’être européen, et je n’y vois aucune contradiction. Mais le 23 juin, une majorité de mes compatriotes ont décidé qu’ils voulaient quitter l’Union et nous devons respecter ce choix ».

Sur le fond et sans surprise ici non plus, dans sa déclaration d’ouverture à l’audition Sir Julian King a présenté huit points qui sont en fait un mantra récurrent des diverses communications de la Commission relatives à la sécurité intérieure, des positions du Conseil européen et des rapports du coordinateur de la lutte antiterroriste.

Donc, peu de choses nouvelles en définitive si ce n’est une référence intéressante à l’article 4 du traité sur l’Union, qui fut modifié à la dernière minute pour prendre en compte une ligne rouge du gouvernement britannique dans la négociation sur le traité. Pour Julian King, « in today’s world, security of one Member State is the security of all. Article 4 of the Treaty is clear: national security remains the sole responsibility of Member States. But they cannot address alone threats which are transnational ». Implicitement, l’intervention de l’Union en matière sécuritaire est ici légitimée …

Approfondir ce débat aurait sans aucun doute été instructif afin de mieux cerner le contenu réel de la déclaration du futur commissaire, de deviner sa vision de la « sécurité nationale » et dans quelles conditions une menace peut donc être considéré comme « transnationale», légitimant éventuellement une intervention de l’UE. On sait à cet égard que le coordinateur de la lutte antiterroriste a souvent insisté pour distinguer ce qui relève du « national » et de « l’interne », qui ne sont pas synonymes. D’un côté, la « sécurité intérieure » pourrait être un domaine de « compétence partagée » qui, en cas de menace transnationale, peut justifier et même exiger une intervention de l’Union «  dans les domaines de criminalité particulièrement grave ayant une dimension transfrontière résultant du caractère ou des incidences de ces infractions ou d’un besoin particulier de les combattre sur une base commune » visés par l’article 83 TFUE. De l’autre côté, la « sécurité nationale » est plutôt jusqu’à présent un concept beaucoup plus limité, axé sur la protection de l’Etat lui-même et justifiant de ses services de renseignement.

La commission LIBE connaît bien ces concepts, le Royaume Uni n’ayant pas hésité à invoquer la « sécurité nationale » (et non sa « sécurité intérieure ») pour justifier dans les années 2000 sa participation à Echelon ou, plus récemment, l’activité de la NSA au Royaume-Uni comme dénoncé par Edward Snowden.

Au delà, le propos du candidat ne s’est guère écarté des orientations dessinées dans la Communication de la Commission relative à la mise en œuvre du programme européen de sécurité (COM (2016) 230) et il demeure donc très convenu, à quelques remarques près. On notera cependant, à propos du PNR, l’opinion ouvertement critique du futur commissaire faisant état de la capacité de seulement 2 ou 3 Etats membres à établir les PIU (Passenger Information Unit) indispensables au fonctionnement du système …

Sur ces bases, prendre du recul par rapport à l’aspect procédural de cette nomination conduit à s’interroger sur la portée d’une telle nomination.

2.  La nomination d’un commissaire britannique à la Sécurité intérieure de l’Union

Deux questions surgissent immédiatement à l’esprit : existe-t-il aujourd’hui une nécessité de procéder à une telle nomination et, si oui et de façon un plus malicieuse, le choix d’un ressortissant britannique était-il le plus adapté, dans le contexte actuel ?

1.  L’encombrement du domaine institutionnel de la sécurité

Les questions de sécurité intérieure sont déjà largement couverts au plan institutionnel dans l’Union, comme l’audition de Sir Julian King le démontre aisément.

Au sein de la Commission, tout d’abord, puisque, malgré le découpage actuel discutable des porte-feuilles en deux grands domaines, Justice /Affaires intérieures qui amalgame malheureusement les questions migratoires et sécuritaires, le président a jugé utile d’en consacrer un troisième, largement entendu et sans que sa lettre de mission clarifie beaucoup les choses .

Aujourd’hui, on peut ainsi recenser sur ce champ : le premier vice-président Timmermans (en charge de la coordination des politiques sécuritaires européennes au regard des droits fondamentaux), le Haut Représentant et vice présidente de la Commission, Federica Mogherini ( en charge de la sécurité extérieure et de la défense), le commissaire Avramopoulos titulaire du portefeuille « Affaires intérieures » comportant notamment la lutte contre le terrorisme et la coopération policière) et, last but not least, la commissaire Jourová en charge de la coopération judiciaire en matière pénale dont nul ne semble beaucoup se préoccuper aujourd’hui …

Comme si l’embouteillage n’était pas suffisant, il faut ajouter à ce constat la place prépondérante des ConseilsJAI et, dans une moindre mesure Affaires étrangères, ainsi que, surtout, le rôle particulier réservé aucoordinateur de l’UE pour la lutte contre le terrorisme depuis les attentats de Madrid. A n’en pas douter, le mandat du nouveau commissaire recoupe le champ d’activité de ce coordinateur, rattaché à l’autre branche de l’exécutif. Pour faire un compte exact de l’encombrement, on mesurera la schizophrénie du système en rappelant le rôle d’impulsion dévolu au Conseil européen et les prétentions de son Président actuel à exercer cette fonction d’initiative.

Dans ces conditions, il aurait pu être judicieux de s’interroger sur la valeur ajoutée réelle d’une telle superposition de responsabilités. On aurait ainsi pu imaginer de confier aux parlements, européen et nationaux, le soin d’évaluer l’intérêt d’une nouvelle figure institutionnelle, sur la base de l’expérience et d’une analyse des faiblesses de la politique anti-terroriste de l’UE sur le terrain. Si, récemment, EUROPOL s’était avancé à soutenir une telle évaluation, aucune voix en revanche ne s’est élevée dans l’Union ou les Etats membres pour la réclamer. Le bilan de l’Union en matière de lutte anti-terroriste ne justifierait-il pas qu’elle se livre à un exercice que le Congrès des États-Unis a immédiatement lancé, dans des circonstances similaires, après le 11 Septembre ? Est-il vraiment inutile de vouloir tirer les leçons des échecs du passé immédiat ?

L’articulation de l’intervention des différents protagonistes en matière de sécurité intérieure demeure donc une question posée ouvertement. Elle pourrait se focaliser autour de la place que les Etats membres et le Haut représentant accepteront ou pas de consentir à Sir Julian King dans le train de la lutte contre le crime, celle de la locomotive ou du wagon de queue. En particulier sur le front extérieur où l’on sait que l’essentiel des enjeux de la sécurité intérieure de l’Union se dessine et se joue en pratique. La lecture de la lettre de mission adressée par le président de la Commission n’aide guère à y répondre pas davantage que le site, toujours exclusivement anglophone, du portefeuille Home Affairs de la Commission : Sir King y figure désormais en médaillon avec l’actuel titulaire Dimitris Avramopoulos…

Un défi de taille attend pourtant le nouveau commissaire à « la sécurité de l’Union », celui de la gestion des « l’agenciarisation » des politiques sécuritaires, dont les composantes interviennent à des titres divers, d’Europol et Eurojust à Eurosur et Frontex nouvelle version. Ce n’est un secret pour personne que le succès croissant de ces organismes repose en partie sur le fait que, grâce à eux, les États membres ont été en mesure de construire des circuits administratifs parallèles, sans contrainte excessive ni contrôle réel par le Comite pour la Sécurite intérieure (COSI) ou les parlements européens et nationaux, sans parler de leurs propres ministres.

L’absence de leadership fort de la Commission l’explique largement, dans le contexte d’une « lisbonnisation » de ces outils encore particulièrement en retard. On sait aussi que l’argument classique de l ‘ « indépendance » de ces agences masque en réalité l’omniprésence des Etats membres dans leurs conseils d’administration. D’où une forte tendance dans ces agences JAI à développer avec succès la « décision politique » dont la Commission se désintéresse au lieu d’en rester à un rôle, plus simple mais correspondant aux traités, de « mise en œuvre de la politique », comme il se doit dans une Union européenne régie par la primauté du droit et par les principes démocratiques.

Quoi qu’il en soit, au total, il ne sera pas facile pour ce nouvel acteur de trouver son chemin au cœur de ce paysage encombré même si l’histoire récente nous a malheureusement enseigné que, en cas d’attentat terroriste, la scène se vide et que personne ne se précipite plus devant les caméras ou dans les enceintes parlementaires pour expliquer que rien n’avait été prévu et pour quelles raisons nul ne s’en sent responsable…

2.  Un commissaire britannique à la sécurité 

Quoi que l’on enseigne dans les Facultés de droit sur l’indépendance des commissaires et la rupture de leurs liens avec leurs Etats d’origine comme avec le monde socio-professionnel, les choses sont un peu plus complexes que les affirmations de principe. L’actualité le démontre aujourd’hui amèrement à la Commission. Le contexte du Brexit autorise donc à s’interroger sur l’opportunité  de confier ce nouveau porte-feuille à un ressortissant britannique, notamment parce que la durée indispensable à l’installation d’un tel poste lui fera inévitablement défaut, dans la perspective d’un départ britannique futur.

La question ne touche en rien, évidemment, aux compétences personnelles du nouveau titulaire qui sont aussi manifestes que ses qualités humaines, ce dont témoigne la lecture de son audition. Pas davantage que ne se pose celle de la légitimité de la présence d’un commissaire britannique au sein de l’exécutif communautaire, jusqu’au retrait effectif du Royaume Uni. Bien au contraire. Elle repose simplement sur un constat objectif, relevant de la science administrative et trop éclatant pour s’expliquer uniquement par une coïncidence : l’espace de liberté, sécurité et justice a une forte, le mot est faible, tradition de présence et d’influence des hauts fonctionnaires britanniques, aussi inexplicable soit-elle quant on sait l’opposition résolue de leur Etat d’origine à la construction de cet espace. Qui plus est à des moments clés de cette construction.

De Sir Fortescue à la fin des années quatre vingt dix à Jonathan Faull au début des années 2000, de la direction d’Eurojust à celle d’Europol, le moins que l’on puisse en dire est que, pour un Etat en situation d’opt-out répété, son influence a été omniprésente … Sûrement faut-il d’ailleurs voir là une coïncidence regrettable dans le fait que, Europol mis à part, ce ne sont pas les années où le dynamisme et la clarté ont caractérisé l’action de l’Union … En d’autres termes, la réticence devant l’action législative et les schémas d’intégration n’était pas simplement une question de culture, donnant la priorité à l’action opérationnelle pour éviter de s’engager au plan européen. Elle marquait aussi une préférence à peine dissimulée pour l’intergouvernementalisme et, en fin de compte, les Etats étant incapables de décider efficacement, pour l’immobilisme. Il est permis de s’étonner que la Commission ait été contaminée par ce virus.

Trop visible pour être innocente, cette stratégie va buter dans les prochains mois sur un double obstacle. Juridique d’abord, avec l’obligation, enfin, d’assumer la pleine entrée en vigueur du  traité et de sa Charte des droits fondamentaux et l’expiration en 2015 d’une période de transition qui a d’ailleurs vu le Royaume Uni exercer un « opt-in/opt-out » préfigurant la situation actuelle… Factuel ensuite, la vague terroriste et la crainte grandissante des opinions publiques interdisant que cette politique de l’encéphalogramme plat à la Commission puisse durer.

Le défi du nouveau commissaire devrait donc être d’élever l’ambition de l’Union dans ce domaine. Deux dossiers permettront de tester sa réelle détermination.

Celui de l’évaluation, d’abord, qui fait cruellement défaut aujourd’hui, évaluation de ce qui n’a pas fonctionné dans la politique de lutte contre le terrorisme, non seulement au niveau européen mais au niveau national. Ce n’est qu’après une analyse sérieuse, totalement absente de la directive antiterroriste actuellement sur la table des institutions, qu’il sera possible de crédibiliser et de renouveler le cadre législatif de la coopération judiciaire en matière pénale et policière. Y compris en s’aventurant sur le terrain de la mise en cause des Etats membres défaillants.

Celui d’une proposition emblématique, ensuite, celle du futur Parquet européen. Le nouveau commissaire sera-t-il plus allant que son Etat d’origine à ce propos, par exemple en s’inscrivant dans la lettre et l’esprit de l’article 86 TFUE, c’est-à-dire en poussant à élargir le champ des compétences de ce Parquet à la criminalité transnationale, à donner sa véritable place à Eurojust et à accepter que le rôle d’Europe en subisse les conséquences ?

Wait and see …

Is the EU planning an army – and can the UK veto it?

 

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Steve Peers

Is the EU planning to create an army? If so, can and should the UK veto it – up until Brexit? The issue has been much debated in recent days. But this is the classic example of a debate that has created much heat but shed little light. The purpose of this post is to clear up misunderstandings. In short, the recently announced plans do not amount to an EU army – and so the UK is not able to veto the EU’s plans.

Background

Initially, the EU’s foreign policy had little to do with defence, in deference to Irish neutrality and the UK’s strong support for NATO. This has changed gradually over the years as the Cold War ended, US troops left Europe, and the parallel non-EU defence organisation (the Western European Union) was wound down.

Since the Treaty of Lisbon, the rules on EU defence policy are set out in Articles 42-46 of the Treaty on European Union (TEU). I have included the full text of these Articles in an Annex to this post. The starting point (Article 42(1)) is that the EU has an ‘operational capacity’ to use on non-EU missions ‘for peace-keeping, conflict prevention and strengthening international security’, consistently with the UN Charter, as explained further in Article 43. These actions shall use ‘capabilities provided by the Member States’, meaning that they each retain their own armed forces. There’s a reference to using ‘multinational forces’ too (Article 42(3)), but it’s clear that it’s optional both to set up such forces and to contribute them to support the EU defence policy.

However, there is also a long-term objective. Article 42(2) TEU says that the EU includes ‘the progressive framing of a common Union defence policy’, which ‘will lead to a common defence’. But this policy must ‘respect’ the obligations of those Member States who are parties of NATO, and be ‘compatible’ with NATO policy. Equally it ‘shall not prejudice the specific character’ of some Member States’ defence policy: this is an oblique reference to neutrality. (Six Member States are neutral).

Most importantly, it will only happen when the European Council (consisting of Member States’ presidents and prime ministers) ‘acting unanimously, so decides’.  That decision then needs to be ratified by Member States ‘in accordance with their respective constitutional requirements.’ For the UK, that would require a referendum, as set out in section 6(2) of the European Union Act 2011. It would need a referendum in Ireland too, since Article 29(4)(9) of the Irish Constitution rules out Irish participation in an EU common defence, and the Irish Constitution can only be amended by referendum.  Other Member States may also have stringent constitutional requirements to this end.

What happens in the meantime, before this rather mythical notion of a common defence is achieved? Article 42(3) says that Member States must ‘undertake progressively to improve their military capabilities’. A ‘European Defence Agency’ (see further Article 45) is set up to this end. It’s possible for a group of Member States to take on an EU-wide task (Article 42(5), as set out in more detail in Article 44). Member States have an obligation of ‘aid and assistance’ to each other, if one of them is ‘the victim of armed aggression’, in accordance with the UN Charter (Article 42(7)). Finally, certain Member States which meet higher standards as regards their ‘military capabilities’ and ‘which have made more binding commitments to one another in this area with a view to the most demanding missions shall establish permanent structured cooperation’ within the EU (Article 42(6), referring to Article 46).

New EU plans

What are the EU’s new military plans? Some newspapers and commentators have referred to plans for an ‘EU army’, which at first sight implies a ‘common defence’. In turn, the UK’s defence minister is quoted as saying he would veto these plans, as long as the UK is part of the EU.

As we saw above, any Member State can indeed veto an EU ‘common defence’. But still, it’s striking to hear a supporter of the Leave side acknowledge that the UK can veto an EU army, since many of them suggested during the referendum campaign that this scary prospect was unavoidable if the UK remained part of the EU. Having said that, there’s a misunderstanding here. According to the information available, the proposal is not to create an EU army, and therefore the UK can’t veto it.

In fact, the ‘State of the Union’ speech by Commission President Juncker proposed four things: a joint headquarters for EU military missions; common procurement to save on defence costs; a Defence Fund for the EU defence industry; and the development of ‘permanent structured cooperation’, as referred to briefly above (and see below). It did not propose merging armies to create a common army. Some press reports suggest that the recent EU summit discussed a ‘common military force’, but the ‘Declaration’ and ‘Road Map’ issued after the summit make no mention of such a thing.

So what exactly is ‘permanent structured cooperation’? It’s described in Article 46 TEU, as well in as a Protocol attached to the Treaties. Article 46 sets out the process: it’s set up by willing Member States only. Any unwilling Member States can simply choose not to take part. There’s no veto on setting it up, but that’s because participation is voluntary. Member States can join once it’s underway – and leave at any time, with no conditions attached. If more EU policies were this flexible, EU participation would be less controversial – although in a post-truth world some people would undoubtedly deny that those policies were flexible in the first place. (If the current EU plans go ahead, I expect to read somewhere that the soldiers are inspired by Hitler, and armed with Muslamic ray guns).

As for the substance of ‘permanent structured cooperation’, it’s explained fully in the Protocol (also reproduced in the Annex).  The criteria to join are development of defence capacities, and in particular supplying forces to support EU operations within a short period. Participating countries must aim to achieve approved levels of domestic spending, align their equipment and operability of their forces, fill capability gaps, and take part in joint procurement. That’s significant – but that’s it. It’s not an EU army.

Conclusions

Plans can always change. But the recent Commission plans, and the EU summit declaration, don’t amount to an EU army.  And if there’s no EU army, the UK can’t veto one.  It’s arguable whether a veto threat is a good negotiating strategy; but it’s indisputable that an empty threat is simply ridiculous.

A more rational approach to the issue would be to acknowledge (as a number of calmer voices on the Leave side have advocated) that the UK and the EU might well benefit mutually from continued defence and foreign policy cooperation after Brexit. In that light, the best way for the UK to spend its remaining time as an EU Member State as regards defence issues is to offer constructive criticism of the EU plans – and align that with sensible proposals for how post-Brexit EU/UK cooperation could go forward in this field.

Barnard & Peers: chapter 24

 

Annex – Treaty on European Union, defence clauses

Article 42

  1. The common security and defence policy shall be an integral part of the common foreign and security policy. It shall provide the Union with an operational capacity drawing on civilian and military assets. The Union may use them on missions outside the Union for peace-keeping, conflict prevention and strengthening international security in accordance with the principles of the United Nations Charter. The performance of these tasks shall be undertaken using capabilities provided by the Member States.
  2. The common security and defence policy shall include the progressive framing of a common Union defence policy. This will lead to a common defence, when the European Council, acting unanimously, so decides. It shall in that case recommend to the Member States the adoption of such a decision in accordance with their respective constitutional requirements.

The policy of the Union in accordance with this Section shall not prejudice the specific character of the security and defence policy of certain Member States and shall respect the obligations of certain Member States, which see their common defence realised in the North Atlantic Treaty Organisation (NATO), under the North Atlantic Treaty and be compatible with the common security and defence policy established within that framework.

  1. Member States shall make civilian and military capabilities available to the Union for the implementation of the common security and defence policy, to contribute to the objectives defined by the Council. Those Member States which together establish multinational forces may also make them available to the common security and defence policy.

Member States shall undertake progressively to improve their military capabilities. The Agency in the field of defence capabilities development, research, acquisition and armaments (hereinafter referred to as “the European Defence Agency”) shall identify operational requirements, shall promote measures to satisfy those requirements, shall contribute to identifying and, where appropriate, implementing any measure needed to strengthen the industrial and technological base of the defence sector, shall participate in defining a European capabilities and armaments policy, and shall assist the Council in evaluating the improvement of military capabilities.

  1. Decisions relating to the common security and defence policy, including those initiating a mission as referred to in this Article, shall be adopted by the Council acting unanimously on a proposal from the High Representative of the Union for Foreign Affairs and Security Policy or an initiative from a Member State. The High Representative may propose the use of both national resources and Union instruments, together with the Commission where appropriate.
  2. The Council may entrust the execution of a task, within the Union framework, to a group of Member States in order to protect the Union’s values and serve its interests. The execution of such a task shall be governed by Article 44.
  3. Those Member States whose military capabilities fulfil higher criteria and which have made more binding commitments to one another in this area with a view to the most demanding missions shall establish permanent structured cooperation within the Union framework. Such cooperation shall be governed by Article 46. It shall not affect the provisions of Article 43.
  4. If a Member State is the victim of armed aggression on its territory, the other Member States shall have towards it an obligation of aid and assistance by all the means in their power, in accordance with Article 51 of the United Nations Charter. This shall not prejudice the specific character of the security and defence policy of certain Member States.

Commitments and cooperation in this area shall be consistent with commitments under the North Atlantic Treaty Organisation, which, for those States which are members of it, remains the foundation of their collective defence and the forum for its implementation.

Article 43

  1. The tasks referred to in Article 42(1), in the course of which the Union may use civilian and military means, shall include joint disarmament operations, humanitarian and rescue tasks, military advice and assistance tasks, conflict prevention and peace-keeping tasks, tasks of combat forces in crisis management, including peace-making and post-conflict stabilisation. All these tasks may contribute to the fight against terrorism, including by supporting third countries in combating terrorism in their territories.
  2. The Council shall adopt decisions relating to the tasks referred to in paragraph 1, defining their objectives and scope and the general conditions for their implementation. The High Representative of the Union for Foreign Affairs and Security Policy, acting under the authority of the Council and in close and constant contact with the Political and Security Committee, shall ensure coordination of the civilian and military aspects of such tasks.

Article 44

  1. Within the framework of the decisions adopted in accordance with Article 43, the Council may entrust the implementation of a task to a group of Member States which are willing and have the necessary capability for such a task. Those Member States, in association with the High Representative of the Union for Foreign Affairs and Security Policy, shall agree among themselves on the management of the task.
  2. Member States participating in the task shall keep the Council regularly informed of its progress on their own initiative or at the request of another Member State. Those States shall inform the Council immediately should the completion of the task entail major consequences or require amendment of the objective, scope and conditions determined for the task in the decisions referred to in paragraph 1. In such cases, the Council shall adopt the necessary decisions.

Article 45

  1. The European Defence Agency referred to in Article 42(3), subject to the authority of the Council, shall have as its task to:

(a) contribute to identifying the Member States’ military capability objectives and evaluating observance of the capability commitments given by the Member States;
(b) promote harmonisation of operational needs and adoption of effective, compatible procurement methods;

(c) propose multilateral projects to fulfil the objectives in terms of military capabilities, ensure coordination of the programmes implemented by the Member States and management of specific cooperation programmes;
(d) support defence technology research, and coordinate and plan joint research activities and the study of technical solutions meeting future operational needs;
(e) contribute to identifying and, if necessary, implementing any useful measure for strengthening the industrial and technological base of the defence sector and for improving the effectiveness of military expenditure.

  1. The European Defence Agency shall be open to all Member States wishing to be part of it. The Council, acting by a qualified majority, shall adopt a decision defining the Agency’s statute, seat and operational rules. That decision should take account of the level of effective participation in the Agency’s activities. Specific groups shall be set up within the Agency bringing together Member States engaged in joint projects. The Agency shall carry out its tasks in liaison with the Commission where necessary.

Article 46

  1. Those Member States which wish to participate in the permanent structured cooperation referred to in Article 42(6), which fulfil the criteria and have made the commitments on military capabilities set out in the Protocol on permanent structured cooperation, shall notify their intention to the Council and to the High Representative of the Union for Foreign Affairs and Security Policy.

    2. Within three months following the notification referred to in paragraph 1 the Council shall adopt a decision establishing permanent structured cooperation and determining the list of participating Member States. The Council shall act by a qualified majority after consulting the High Representative.

    3. Any Member State which, at a later stage, wishes to participate in the permanent structured cooperation shall notify its intention to the Council and to the High Representative.

The Council shall adopt a decision confirming the participation of the Member State concerned which fulfils the criteria and makes the commitments referred to in Articles 1 and 2 of the Protocol on permanent structured cooperation. The Council shall act by a qualified majority after consulting the High Representative. Only members of the Council representing the participating Member States shall take part in the vote.
A qualified majority shall be defined in accordance with Article 238(3)(a) of the Treaty on the Functioning of the European Union.

  1. If a participating Member State no longer fulfils the criteria or is no longer able to meet the commitments referred to in Articles 1 and 2 of the Protocol on permanent structured cooperation, the Council may adopt a decision suspending the participation of the Member State concerned.

The Council shall act by a qualified majority. Only members of the Council representing the participating Member States, with the exception of the Member State in question, shall take part in the vote.
A qualified majority shall be defined in accordance with Article 238(3)(a) of the Treaty on the Functioning of the European Union.

  1. Any participating Member State which wishes to withdraw from permanent structured cooperation shall notify its intention to the Council, which shall take note that the Member State in question has ceased to participate.
  1. The decisions and recommendations of the Council within the framework of permanent structured cooperation, other than those provided for in paragraphs 2 to 5, shall be adopted by unanimity. For the purposes of this paragraph, unanimity shall be constituted by the votes of the representatives of the participating Member States only.

PROTOCOL
ON PERMANENT STRUCTURED COOPERATION

ESTABLISHED BY ARTICLE 42 OF THE TREATY ON EUROPEAN UNION

THE HIGH CONTRACTING PARTIES,
HAVING REGARD TO Article 42(6) and Article 46 of the Treaty on European Union,
RECALLING that the Union is pursuing a common foreign and security policy based on the achievement of growing convergence of action by Member States;
RECALLING that the common security and defence policy is an integral part of the common foreign and security policy; that it provides the Union with operational capacity drawing on civil and military assets; that the Union may use such assets in the tasks referred to in Article 43 of the Treaty on European Union outside the Union for peace-keeping, conflict prevention and strengthening international security in accordance with the principles of the United Nations Charter; that the performance of these tasks is to be undertaken using capabilities provided by the Member States in accordance with the principle of a single set of forces;
RECALLING that the common security and defence policy of the Union does not prejudice the specific character of the security and defence policy of certain Member States;
RECALLING that the common security and defence policy of the Union respects the obligations under the North Atlantic Treaty of those Member States which see their common defence realised in the North Atlantic Treaty Organisation, which remains the foundation of the collective defence of its members, and is compatible with the common security and defence policy established within that framework;

CONVINCED that a more assertive Union role in security and defence matters will contribute to the vitality of a renewed Atlantic Alliance, in accordance with the Berlin Plus arrangements;
DETERMINED to ensure that the Union is capable of fully assuming its responsibilities within the international community;
RECOGNISING that the United Nations Organisation may request the Union’s assistance for the urgent implementation of missions undertaken under Chapters VI and VII of the United Nations Charter;

RECOGNISING that the strengthening of the security and defence policy will require efforts by Member States in the area of capabilities;
CONSCIOUS that embarking on a new stage in the development of the European security and defence policy involves a determined effort by the Member States concerned;
RECALLING the importance of the High Representative of the Union for Foreign Affairs and Security Policy being fully involved in proceedings relating to permanent structured cooperation,
HAVE AGREED UPON the following provisions, which shall be annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union:
Article 1
The permanent structured cooperation referred to in Article 42(6) of the Treaty on European Union shall be open to any Member State which undertakes, from the date of entry into force of the Treaty of Lisbon, to:
(a) proceed more intensively to develop its defence capacities through the development of its national contributions and participation, where appropriate, in multinational forces, in the main European equipment programmes, and in the activity of the Agency in the field of defence capabilities development, research, acquisition and armaments (European Defence Agency), and
(b) have the capacity to supply by 2010 at the latest, either at national level or as a component of multinational force groups, targeted combat units for the missions planned, structured at a tactical level as a battle group, with support elements including transport and logistics, capable of carrying out the tasks referred to in Article 43 of the Treaty on European Union, within a period of 5 to 30 days, in particular in response to requests from the United Nations Organisation, and which can be sustained for an initial period of 30 days and be extended up to at least 120 days.
Article 2
To achieve the objectives laid down in Article 1, Member States participating in permanent structured cooperation shall undertake to:
(a) cooperate, as from the entry into force of the Treaty of Lisbon, with a view to achieving approved objectives concerning the level of investment expenditure on defence equipment, and regularly review these objectives, in the light of the security environment and of the Union’s international responsibilities;

(b) bring their defence apparatus into line with each other as far as possible, particularly by harmonising the identification of their military needs, by pooling and, where appropriate, specialising their defence means and capabilities, and by encouraging cooperation in the fields of training and logistics;
(c) take concrete measures to enhance the availability, interoperability, flexibility and deployability of their forces, in particular by identifying common objectives regarding the commitment of forces, including possibly reviewing their national decision-making procedures;
(d) work together to ensure that they take the necessary measures to make good, including through multinational approaches, and without prejudice to undertakings in this regard within the North Atlantic Treaty Organisation, the shortfalls perceived in the framework of the ’Capability Development Mechanism’;
(e) take part, where appropriate, in the development of major joint or European equipment programmes in the framework of the European Defence Agency.
Article 3
The European Defence Agency shall contribute to the regular assessment of participating Member States’ contributions with regard to capabilities, in particular contributions made in accordance with the criteria to be established, inter alia, on the basis of Article 2, and shall report thereon at least once a year. The assessment may serve as a basis for Council recommendations and decisions adopted in accordance with Article 46 of the Treaty on European Union.

WORTH READING : the final text of the EUROPEAN BORDER AND COAST GUARD REGULATION

The text below is the final version of the EU Regulation on the European Border and Coast Guard as revised by the Jurist Linguists of the EU institutions. Formally adopted this week as a “corrigendum” by the European Parliament and by written procedure by the Council it will be published on the Official Journal in the coming weeks. Presented, negotiated and adopted in extremely short time ([1]) under the pressure of the European Council the new EU Regulation on the European Border and Coast Guard could be seen at the same time a main evolutionary step and a revolutionary one in the relation between the EU and its Member States in the freedom security and justice area. 

Even if the main subject of the text is the border management it covers also directly and indirectly other EU policies such as refugee law, international protection, migration and even internal and external security. Not surprisingly  such an ambitious objective was difficult if not impossible to achieve in such a short time and several commentators and representatives of the civil society have already considered (see Peers , Carrera [1], Rijpma [2], and, more recently, De Bruycker [3])  that the text on one side does not deliver what it announces and on the other side is still rooted in an old intergovernamental model. Maybe from a legistic point of view instead of bringing all these objectives in a single legislative text it would had been more elegant to focus its content only on the organisational and operational aspect of the “new” Frontex  and deal with the general framework of the integrated EU border management in the Schengen Border Code where general rules on the definition, negotiation adoption and implementation would had been better placed together with the rules on its evaluation and on the adoption of extraordinary measures in case of emergency. However these have probably been considered by the Commission legal niceties to be dealt with in times with less political pressure.. 

With so many objectives it is not surprising that the final result is far from the expectations and the text is somewhere still elusive and somewhere too detailed. It can then be interesting to  compare the negotiation position of the three institutions as it result from a very interesting Multicolumn document leaked by Statewatch during the “confidential” legislative trilogies. It shows that the European Parliament has tried to improve the original Commission proposal and has obtained some concessions from the Council but regrettably, it had lost the main targets such as the definition in codecision of the European Border Strategy (instead of a simple decision of the Agency’s Management Board) and even on the procedure to appoint of the Agency Director where its position will be to express an opinion …which can be disregarded.

Further comments will follow. EDC

 

[1] See the CEPS study of Sergio Carrera and Leonhard den Hertog “A European Border and Coast Guard: What’s in a name?”

[2] See Jorrit RIJPMA study for the Civil Liberties Committee of the EP “The proposal for a European Border and Coast Guard: evolution or revolution in external border management?”

[3] See Philippe DE BRUYCKER “The European Border and Coast Guard: A New Model Built on an Old Logic

 

It is the latest (and quite likely not the last) of a chain of legal texts by which the EU has tried in the recent years to legally frame the issue of human mobility and human security in the EU by taking in account the new legal framework after the entry into force of the Lisbon Treaty and of the EU Charter of fundamental rights.

[1] A rather detailed and updated collection of the legislative preparatory works can be found here :  https://free-group.eu/2016/06/10/wiki-lex-the-new-eu-border-guard-proposal/

[2] As as verified by the Jurist Linguist and endorsed by the EP according to art 231 of its Rules of procedure)

————————————————–

REGULATION (EU) 2016/…OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of … on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 77(2)(b) and (d) and Article 79(2)(c) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee1,

Acting in accordance with the ordinary legislative procedure2,

Whereas: Continue reading “WORTH READING : the final text of the EUROPEAN BORDER AND COAST GUARD REGULATION”

THE FUTURE OF NATIONAL DATA RETENTION OBLIGATIONS – HOW TO APPLY DIGITAL RIGHTS IRELAND AT NATIONAL LEVEL?

ORIGINAL PUBLISHED ON EUROPEAN LAW BLOG ( JULY 25, 2016)
By Vanessa Franssen

 

On 19 July, Advocate General (AG) Saugmandsgaard Øe delivered his much awaited opinion on the joined cases Tele2 Sverige AB and Secretary of State for the Home Department, which were triggered by the Court of Justice’s (CJEU) ruling in Digital Rights Ireland, discussed previously on this blog. As a result of this judgment, invalidating the Data Retention Directive, many Member States which had put in place data retention obligations on the basis of the Directive, were confronted with the question whether these data retention obligations were compatible with the right to privacy and the right to protection of personal data, guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights (Charter). Hence, without a whisper of a doubt, several national legislators eagerly await the outcome of these joined cases, in the hope to get more guidance as to how to applyDigital Rights Ireland concretely to their national legislation. The large number of Member States intervening in the joined cases clearly shows this: in addition to Sweden and the UK, no less than 13 Member States submitted written observations. The AG’s opinion is a first – important – step and thus merits a closer look.

National and European shock waves after Digital Rights Ireland

The Digital Rights Ireland case was ground-breaking in many respects, and caused a real shock effect across the EU. As a result of the CJEU ruling, national data retention legislation was invalidated in several Member States. For instance, the District Court of The Hague struck down the Dutch national data retention legislation on 11 March 2015, and shortly afterwards, on 11 June 2015, the Belgian data retention law was annulled by the Constitutional Court, which largely copy-pasted the CJEU’s reasoning. This situation creates great uncertainty about the further potential use of traffic and location data of electronic communications in national and transnational criminal investigations (see eg the Workshop on data retention organized by the Consultative Forum and the Luxembourg Presidency), especially because such data are used in an increasingly large number of criminal cases, not just as incriminating, but also as exculpatory evidence.

In other Member States, the legislator very quickly launched the process for amending the national data retention legislation. For instance, in the UK, the Data Retention and Investigatory Powers Act was adopted only three months after the CJEU’s ruling. By contrast, in Luxembourg, which has invested significantly in the digital economy in the last few years while also emphasizing the importance of the protection of privacy and personal data, the legislative process kicked off in January 2015 but has still not resulted in new legislation.

At the European level, the legislator has so far shown little appetite to adopt a new Data Retention Directive, despite some attempts of the Luxembourg Presidency in the Autumn of 2016 to initiate such legislative process, or at least to stimulate the discussion. This should not come as a real surprise. On the one hand, the CJEU has been very active in the field of data protection over the last two years, addressing a large number of questions and raising new ones (some of which have been discussed previously on this blog: see here, here and here). On the other, the EU was already busy tackling other urgent and delicate data protection issues, such as the adoption of the new General Data Protection Regulation, repealing Directive 95/46/EC, and the Data Protection Directive with respect to the processing of personal data for criminal investigations, repealing Council Framework Decision 2008/977/JHA, and the negotiations and adoption of the new Umbrella Agreement with regard to EU-US law enforcement cooperation.

Short background to the cases

Immediately after the Digital Rights Ireland ruling, Tele2 Sverige AB (a provider of electronic communications) notified  the Swedish competent authority that it would no longer comply with the Swedish national data retention obligations as it considered those obligations were not meeting the CJEU’s conditions. This decision obviously caused great concern for the national authority, ordering Tele2 Sverige to resume its retention of data. Yet, Tele2 Sverige persevered and appealed this order before the Administrative Court in Stockholm and subsequently before the Administrative Court of Appeal, which referred the matter for a preliminary ruling to the CJEU. (Opinion, §§ 50-55)

In the meantime in the UK, the 2014 Data Retention and Investigatory Powers Act was challenged before the High Court of Justice of England and Wales and declared invalid on 17 July 2015, because the data retention regime did not provide for adequate safeguards in order to protect the right to privacy and the right to protection of personal data laid down in the Charter. In other words, the UK data retention regime did not comply with the conditions put forward by the CJEU inDigital Rights Ireland. However, the Home Secretary appealed this judgment and the Court of Appeal decided to refer two questions to the CJEU for a preliminary ruling. (Opinion, §§ 56-60)

Questions submitted to the CJEU

Interestingly, the approach of both referring courts is quite different, as results clearly from the way they formulate their respective questions for the CJEU.

The Swedish referring court asks the CJEU, first of all, whether

a general obligation to retain data in relation to all persons and all means of electronic communication and extending to all traffic data, without any distinction, limitation or exception being made by reference to the objective of fighting crime (…) [is] compatible with Article 15(1) of Directive 2002/58, taking into account Articles 7, 8 and 52(1) of the Charter?’ (Opinion, § 55)

Should such a general data retention obligation not be compatible with the Charter, could a data retention obligation then nevertheless be compatible with the Charter if the access of the competent authorities to the retained data is regulated as it is under Swedish law, if the protection and security of the data are regulated as they are under Swedish law, and if all relevant data must be retained for a period of 6 months before being erased, as imposed by Swedish law?

By contrast, the Court of Appeal of England and Wales is of the view that the CJEU did not set out ‘specific mandatory requirements of EU law with which national legislation must comply, but was simply identifying and describing protections that were absent from the harmonised EU regime.’ (Opinion, § 59)

Nevertheless, to be absolutely sure, it asks the CJEU to clarify this point:

Does the judgment of the Court of Justice in Digital Rights Ireland (including, in particular, paragraphs 60 to 62 thereof) lay down mandatory requirements of EU law applicable to a Member State’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the [Charter]?’ (Opinion, § 60)

Furthermore, the Court of Appeal would like to know whether Digital Rights Irelandexpands the scope of Articles 7 and/or 8 of the Charter beyond that of Article 8 of the European Convention of Human Rights (ECHR), as interpreted by the European Court of Human Rights (ECtHR). Put differently, the referring court wonders whether the level of protection offered by the Charter is higher than that under the ECHR.

The AG’s opinion

The latter question raised by the Court of Appeal in the UK case should be rejected as inadmissible according to the AG, because it is only ‘of purely theoretical interest’ (§ 82) and not ‘relevant to the resolution of the disputes’ (§ 75). Even if the Court would want to address the question, EU law does of course not prevent the Court (or the legislator) from going beyond the protection offered by the ECHR (§ 80). On the contrary, in my view it may be quite desirable to go beyond the minimum safeguards guaranteed by the ECHR, and not just with respect to Article 8. Unfortunately, EU legislation – for instance also with respect to procedural safeguards in criminal proceedings – does not pass, or barely passes, the minimum level of protection granted by the ECHR (see, for instance, the analysis on this blog regarding the recently adopted Presumption of Innocence Directive).

Subsequently, the AG addresses the first question of the Swedish referring court, regarding the compatibility of a general data retention obligation with Article 15(1) ofDirective 2002/58/EC (the Directive on privacy and electronic communications) and Articles 7 and 8 of the Charter. In a first step, the AG affirms that a general data retention obligation falls within the scope of Directive 2002/58/EC, despite the exclusion of State activities relating to criminal law by Article 1(3) of the Directive. Indeed, it is not because the data retained can be accessed and used by police and judicial authorities for criminal investigations that the data retention rules, which address private actors providing electronic communications services (service providers), would themselves be excluded from the scope of the Directive (§§ 87-97). Next, the AG scrutinizes whether the possibility offered by Article 15(1) of Directive 2002/58/EC to restrict the rights and obligations of the Directive allows for the creation of a general data retention regime by national law. Unlike some of the civil liberties organisations intervening in the joined cases, the AG considers that the wording of Article 15(1) of Directive 2002/58/EC (‘Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period’) indicates that data retention obligations are not, as such, inconsistent with the Directive. The same goes for general data retention obligations, yet only if they ‘satisfy certain conditions’ (§ 108). Recital (11) of the Directive confirms this as it states that the Directive

does not alter the existing balance between the individual’s right to privacy and the possibility for Member States to take the measures referred to in Article 15(1) of this Directive, necessary for the protection of public security (…) and the enforcement of criminal law.

Hence, it

does not affect the ability of Member States to carry out lawful interception of electronic communications, or take other measures, if necessary for any of these purposes and in accordance with the [ECHR]

provided that those

measures [are] appropriate, strictly proportionate to the intended purpose and necessary within a democratic society and (…) subject to adequate safeguards in accordance with the [ECHR].

In sum, what matters, is that (general) data retention rules meet certain requirements, which ensure striking an acceptable balance between the purposes pursued by those rules and the individual’s fundamental rights. These rights are not just the ones laid down in the ECHR, but also the ones of the Charter as data retention rules ‘constitutes a measure implementing the option provided for in Article 15(1) of Directive 2002/58’ (§ 121). In other words, national legislation encompassing data retention obligations are ‘governed’ by EU law, which triggers the application of the Charter, as the CJEU clarified in the Åkerberg Fransson case(discussed on this blog) and refined in later case law (eg Siragusa, also analysed on this blog, and Julian Hernández and others, §§ 32-49). By contrast, whether the Charter also applies to the national rules determining under what conditions police and judicial authorities can access the retained data is less obvious, because Directive 2002/58/EC does not cover ‘activities of the State in areas of criminal law’ (Art. 1(3)). While the AG is inclined to conclude that the Charter does not apply to those rules (§§ 123-124), he also stresses that

the raison d’être of a data retention obligation is to enable law enforcement authorities to access the data retained, and so the issue of the retention of data cannot be entirely separated from the issue of access to that data. As the Commission has rightly emphasised, provisions governing access are of decisive importance when assessing the compatibility with the Charter of provisions introducing a general data retention obligation in implementation of Article 15(1) of Directive 2002/58. More precisely, provisions governing access must be taken into account in the assessment of the necessity and proportionality of such an obligation.’ (§ 125, emphasis)

In other words, does this mean that the Charter indirectly applies to national rules regulating the access to the retained data? It will be interesting to see if and how the CJEU addresses this point, adding another piece to what Benedikt Pirker described on this blog as ‘the jigsaw puzzle of earlier decisions on the scope of EU fundamental rights’.

This brings the AG to the biggest and most tricky questions submitted for a preliminary ruling, combining the second question of the Swedish court and the first question of the Court of Appeal, concerning the conditions national legislation should respect when creating a general data retention obligation. Without a doubt, general data retention obligations constitute a serious interference with the right to privacy (Article 7 of the Charter) and the right to the protection of personal data (Article 8 of the Charter) (§ 128). So the crucial question is whether such interference may be justified and on what conditions (§ 129).

Based on a reading of Article 15(1) of Directive 2002/58/EC and Article 52(1) of the Charter, the AG identifies six cumulative conditions that must be met to justify the serious interference caused by a general data retention obligation:

–        the retention obligation must have a legal basis;

–        it must observe the essence of the rights enshrined in the Charter;

–        it must pursue an objective of general interest;

–        it must be appropriate for achieving that objective;

–        it must be necessary in order to achieve that objective;

–        it must be proportionate, within a democratic society, to the pursuit of that same objective.’ (§ 132)

While most of these requirements were already put forward by the CJEU in Digital Rights Ireland, when evaluating the legal regime laid down in the Data Retention Directive, the AG nevertheless wishes to revisit them, ‘[f]or the sake of clarity and given the facts which distinguish the present cases from Digital Rights Ireland’ (§ 133). In particular, he wants to have a closer look at the requirement of a legal basis (which was not addressed in Digital Rights Ireland) and the necessity and proportionality of data retention obligations in a democratic society.

The first requirement, imposing the need for a legal basis, should be interpreted in light of Article 52(1) of the Charter, stating that limitations to the rights of the Charter should be ‘provided for by law’ – a phrase that resonates the wording of the ECHR (‘in accordance with the law’, Article 8 ECHR) and the case law of the ECtHR (§ 141) – as well as in light of Article 15(1) of Directive 2002/58/EC. As a result, a regime of general data retention should be established on the basis of measures adopted by a legislative authority, that are accessible and foreseeable while offering adequate protection against arbitrary interference with the rights of privacy and data protection (§ 153). That being said, considering the differences in the various language versions of Article 15(1) of Directive 2002/58/EC (§§ 145-147), the AG acknowledges that regulatory measures adopted by an executive authority might also suffice, although he would personally prefer to give the executive authority only the responsibility of implementing the measures adopted by the legislative authority (§§ 152-153).

Second, any general data retention regime should observe the essence of the rights enshrined in Articles 7 and 8 of the Charter, as the CJEU also highlighted inDigital Rights Ireland. As long as the national data retention obligations do not concern the content of the electronic communications and as long as they provide for safeguards that ‘effectively protect personal data’ retained by service providers ‘against the risk of abuse and against any unlawful access and use of that data’ (§ 159), this requirement does not seem to create particular problems in the cases submitted to the CJEU.

Third, the interference with the rights to privacy and data protection caused by a general data retention obligation can only by justified if the latter pursues ‘an objective of general interest recognised by the European Union’. As the CJEU pointed out in Digital Rights Ireland, the objective to fight serious crime (such as international terrorism) is definitely recognized by EU law; Article 6 of the Charter does not only warrant the right to liberty, but also the right to security. Yet, whether data retention obligations are also justifiable, more generally, to combat ordinary crime, or even in proceedings other than criminal proceedings, as the UK government argues in its submission before the CJEU, is much less obvious. It should be acknowledged that limitations allowed for by Article 15(1) of Directive 2002/58/EC are not confined to ‘serious crime’. Indeed, this provision allows Member States to adopt restrictions that are necessary, appropriate and proportionate within a democratic society ‘to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences’. Nevertheless, in the AG’s view, the interferences caused by a general data retention regime are so serious that the fight against ‘ordinary offences and the smooth conduct of proceedings other than criminal proceedings’ are not ‘capable of justifying a general data retention obligation’ considering the ‘considerable risks that such obligations entail’ (§§ 172-173).

Moving forward, the AG evaluates the proportionality of general data retention obligations, which he splits up in three separate (sub-)requirements: are they appropriate (fourth requirement) as well as strictly necessary (fifth requirement) to achieve the aforementioned objective of fighting serious crime and proportionate in a democratic society (sixth requirement). Like the CJEU in Digital Rights Ireland, the AG sees no obstacle in the appropriateness of general data retention obligations to fight serious crime (§ 177). He even insists on the usefulness of such data, which allow police and judicial authorities to ‘examine the past’, even with respect to persons who were not suspected of a serious crime at the time of the electronic communications (§§ 178-181). Considering the current safety threats and the numerous terrorist attacks that took place after the Digital Rights Irelandjudgment, any other viewpoint would have surprised.

Next, the AG addresses the fifth requirement: are general data retention obligations really (ie strictly) necessary to combat serious crime? This requirement unfolds in two questions. For one, is a general data retention obligation strictly necessary, or on the contrary, does it go ‘beyond the bounds of what is strictly necessary for the purposes of fighting serious crime, irrespectively of any safeguards that might accompany such an obligation’ (emphasis added)? For another, if a general data retention does not exceed what is strictly necessary, ‘must it be accompanied by all the safeguards mentioned by the Court in paragraphs 60 to 68 of Digital Rights Ireland’ (§ 189).

As regards the first of these two questions, the AG adheres to the point of view that most parties (in particular the Member States) took in their written submissions:  a general data retention obligation as such does not exceed the limits of strict necessity. According to the AG, paragraphs 56 to 59 of Digital Rights Irelandshould indeed be interpreted as meaning that a general data retention obligation does not pass the strict necessity test but only if ‘it is not accompanied by stringent safeguards concerning access to the data, the period of retention and the protection and security of the data’ (§ 195, original emphasis).

One may wonder whether this is a correct reading of the CJEU’s judgment, which emphasized that the Data Retention Directive required the retention of all traffic data relating to all means of electronic communications and regarding all persons (‘practically the entire European population’), ‘without any differentiation, limitation or exception being made in light of the objective of fighting against serious crime’ (§§ 56-57). That being said, as some governments pointed out, if the Court would have considered that a general data retention obligation by itself exceeds the threshold of what is strictly necessary, then why did it bother to spell out in the subsequent paragraphs the safeguards that should apply? The upcoming judgment will undoubtedly tell us which interpretation is the right one.

Furthermore, the AG insists on the fact that national courts will have to assess whether there are no equally effective and less restrictive means available in the national system to achieve the same goal as a general data retention obligation (§§ 206-215), thereby passing on a difficult but very important balancing exercise to the national courts.

Assuming a general data retention obligation is strictly necessary, then all the safeguards put forward by the CJEU in Digital Rights Ireland (§§ 60-68) should respected by national law. Any other approach which would allow for a further balancing exercise between the different safeguards (as, for instance, the German government suggested, using the metaphor of ‘communicating vessels’) would, according to the AG, empty those safeguards of their practical effect (§§ 221-227). This means that national data retention rules should

1) make sure that the ‘access to and the subsequent use of the retained data [are] strictly restricted to the purpose of preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating thereto’ (§ 229);

2) make the access to those data ‘dependent on a prior review carried out by a court or by an independent administrative body’ in order to assess the strict necessity of the access and subsequent use of the data (§ 232);

3) require service providers ‘to retain data within the European Union, in order to facilitate the review’ and to make sure that the EU safeguards apply (§§ 238-240), and

4) limit the retention period in function of the usefulness of the data (§ 242).

While it is again for national courts to evaluate whether the safeguards provided for by national law are sufficient, the AG does not hide his opinion that both the Swedish and the UK regime reveal a number of deficiencies in this respect (§§ 230, 233 and 239).

Sixth and last, the AG emphasizes the need to evaluate the ‘proportionality stricto sensu’ of a general data retention obligation, which consists in weighing the advantages and disadvantages of such an obligation within a democratic society (§ 248). Once more, the AG argues this is a task for national courts, but he nonetheless points out that a general data retention obligation entails a considerable risk of mass surveillance (§ 256). Based on an analysis of a large amount of (meta-)data, authorities could easily find as much, or even more, about an individual as they can by means of targeted surveillance measures, including the interception of content data (§§ 254 and 259). Unlike the content of communication, meta-data ‘facilitate the almost instantaneous cataloguing of entire populations’ (§ 259). If one just considers the large amount of requests service providers in Sweden and the UK receive from the competent authorities, one realizes that the risk of abusive or illegal access to the retained data is far from ‘theoretical’ (§ 260).

Some first thoughts

As the above analysis suggests, the AG’s opinion offers a lengthy and mitigated assessment of the six cumulative requirements that general data retention obligations under national law should meet. Some of these requirements (eg the requirement of a legal basis) can easily be fulfilled. Yet others will raise many problems for national legislators when delineating the domestic data retention framework.

For instance, the requirement that general data retention obligations must pursue ‘an objective of general interest recognised by the European Union that is capable of justifying a general data retention obligation’ will undoubtedly raise many problems at the national level. Is the fight against serious crime indeed the only acceptable objective? For sure, the ‘material objective’ of the Data Retention Directive was ‘to contribute to the fight against serious crime and thus ultimately to public security’, which made the CJEU decide that the Directive satisfied an objective of general interest (Digital Rights Ireland, §§ 41-44). But does this mean, as the AG advocates, that it is the only possible justifiable objective for nationaldata retention obligations, considering the seriousness of the interferences with the right to privacy and the right to protection of personal data? Furthermore, assuming it is, what offences are sufficiently ‘serious’ to justify a general data retention obligation? In Digital Rights Ireland, the CJEU explicitly stated that this is to be ‘defined by each Member States in its national law’ (§ 41). Yet, the AG suggest a different approach, by stressing that it should be ‘an objective of general interest recognized by the European Union’. Hence, how much leeway do Member States have? If an EU-wide understanding of the label ‘serious crime’ is to be preferred, would the list of Eurocrimes (which are in fact broad categories of crimes) in Article 83(1) TFEU then be of sufficient guidance?

Another concern of police and judicial authorities, which national legislators will want to take into account, is that what starts out as a simple, ‘ordinary’ criminal case, may very well turn out to be much more ‘serious’ in a later stage of the investigation. It may not be so easy to reconcile this concern with the safeguard to limit the data retention period in light of the usefulness of the data, ie considering the objective pursued or according to the persons concerned.

One may also wonder whether the AG’s opinion provides as much clarity as national legislators hope to get from the CJEU. Many issues will still need to be addressed by national legislators (eg to design safeguards that pass the Digital Rights Ireland test) and national courts (eg to evaluate whether there are no less restrictive alternatives than a general data retention obligation and whether the risk of mass surveillance does not outweigh the benefits offered by a general data retention obligation).

For sure, this is only a first reflection. Further reflection will undoubtedly follow after the Grand Chamber of the CJEU will have rendered its ruling. In the meantime, national legislators will have to be patient and uncertainty will persist about the potential use in criminal proceedings of traffic and location data retained on the basis of a general data retention obligation.

EU Referendum Brief 5: How would Brexit impact the UK’s involvement in EU policing and criminal law?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Steve Peers

What impact does EU membership have on policing and criminal law in the UK – and what would be the impact of Brexit? I’ll give the shorter summary version of the answer to those questions first, followed by a longer more detailed version.

Summary

The UK had a veto over EU laws in this area adopted before the Treaty of Lisbon came into force (1 December 2009). Since then, it has had two opt-outs instead: a) it can opt in (or out) of any new EU law in this field adopted after that Treaty; and b) it could go back and opt out of any old EU laws which were adopted before that Treaty. The UK used the latter power to opt out of the majority of pre-Lisbon laws.

There are five main areas of EU criminal law and policing. One area is the definition of crime, where the UK has opted into a small number of EU laws on issues such as child abuse. A second area is criminal procedure, where the UK has opted into some EU laws on suspects’ rights and crime victims’ rights. These are basically domestic areas of law, and there’s no reason to think the UK would change its rules after Brexit.

However, the other three areas concern international cooperation, where it is impossible for any individual country to act alone. Those areas are: a) recognition of criminal decisions (on arrest warrants or gathering evidence, for instance); b) the exchange of police information; and c) EU agencies like Europol, the EU police intelligence agency.

On criminal law mutual recognition, there are other international rules on some of these issues – such as extradition – but they do not go as far as the EU rules. In some cases, there are no alternative international rules on the same issue. The UK could seek to negotiate a treaty with the EU on these issues, but the past precedents show that non-EU countries are able to negotiate only limited participation in these EU laws.

On EU agencies, non-EU countries can participate as associates, but this means a more limited involvement in each agency than they would have as EU Member States.

The UK’s involvement in police information exchange with the EU would also be subject to renegotiation if the UK left the EU. Again, past precedents show that non-EU countries are able to negotiate only limited participation in these EU laws. And if the UK did not continue to sign up to EU data protection laws fully, there would be difficult legal disputes that could limit the transfer of policing data to the UK’s law enforcement authorities from the EU.

It cannot be seriously argued that the UK has ‘lost control’ over its law enforcement and intelligence agency operations to the EU, given the UK’s opt-out, the focus of EU law on cross-border issues, and the lack of any EU law on intelligence issues.

Overall, a Brexit is very likely to lead to a significant reduction on cooperation in criminal and policing matters between the UK and the EU.

The details

First and foremost, while the EU has adopted a number of laws in this area, the UK only participates in some of those laws, and has an opt-out over future laws in this area too. This blog post will in turn: (a) describe the basics of EU law in this area, including the UK opt-out; (b) summarise the main EU laws in which the UK does (or does not) participate in; and (c) indicate what could happen in the event of ‘Brexit’. For a full academic treatment of these issues, see the fourth edition of my EU Justice and Home Affairs Law book (volume 2).

(a) The basics of EU policing and criminal law 

Before the entry into force of the Treaty of Lisbon (on 1 December 2009) police and criminal law matters were subject to a different legal framework from ordinary EU (or European Community) law. The powers of the EU institutions (Commission, European Parliament, EU Court) were more limited, and each Member State, including the UK, had a veto over all laws.

The Treaty of Lisbon repealed these special rules, bringing EU criminal and policing law into the general framework of EU law. From this point on, the usual rules of EU law have applied to this field, with a few exceptions. However, the key point for the UK is that in place of a veto, it got not just one but twoopt outs from EU law in this field.

First, the UK can opt out of (or into) any individual EU laws on criminal law or policing proposed after the entry into force of the Treaty of Lisbon.

Secondly, the UK got the power to opt out of EU criminal laws which it had already agreed to before the entry into force of the Treaty of Lisbon. It could invoke this power as of 1 December 2014. The UK government used this to opt out of all but 35 of the EU criminal laws adopted before the Treaty of Lisbon. (See the discussion of that process here).

(b) Which EU criminal and policing laws does the UK apply?

EU criminal and policing law touches on five main issues:

(a)    substantive criminal law (ie the definition of crimes);
(b)   mutual recognition in criminal matters (ie applying another EU Member States’ criminal law decision, where there is a cross-border issue like gathering evidence in another EU country, or asking another country to hand over a fugitive to face a trial or serve a sentence);
(c)    harmonisation of criminal procedure;
(d)   exchange of police information; and
(e)   EU agencies.

The effect of the two sets of opt-outs is that the UK has been highly selective about the EU law in this area which it wishes to apply. Taking the five areas of law in turn, first of all the UK has opted out of almost all EU substantive criminal law. It is covered by the EU Directives adopted since the Lisbon Treaty defining offences relating to trafficking in personssexual abuse of children and attacks on information systems (a form of cyber-crime), but not by EU laws defining offences relating to terrorism, organised crime, fraud, drugs, market abuse by bankers, racism, or currency counterfeiting.

Secondly, the UK is far more engaged in mutual recognition in criminal matters, in particular the flagship law on the European Arrest Warrant (EAW), which is a fast-track extradition system. The UK has also signed up to EU laws on:

(a)    mutual recognition of investigation orders (gathering physical evidence, or interviewing witnesses, in another EU country);
(b)   victim protection orders (where the victim of domestic violence moves to another EU country and wants a restraining order against her abuser to be transferred to that country when she moves there);
(c)    pre-trial supervision (so a criminal suspect can be released on bail to await trial on less serious offences back in Britain, rather than spend a long time in pre-trial detention in a foreign prison);
(d)   confiscation of assets and freezing orders (to ensure that the proceeds of crime held by alleged or convicted criminals in another EU country can be frozen pending trial, and seized if the suspect is convicted);
(e)   the effect of prior sentences or other judgments (so that previous criminal offences committed in another EU country are counted when assessing whether someone is a repeat offender); and
(f)     the transfer of prisoners and criminal sentences (simplifying the movement of foreign prisoners to jails in their EU country of origin, and recognizing fines imposed by a criminal court too – including any penalties imposed against companies for breach of criminal law).

Conversely, the UK has opted out of only one measure in this field, concerning the mutual recognition of probation and parole orders.

Thirdly, as regards the harmonisation of criminal procedure, the UK participates in the EU Directiveon crime victims’ rights. However, the UK has only opted in to two of the six EU laws which set out criminal suspects’ procedural rights. In particular, it has opted into the laws on translation and interpretation, and giving suspectsinformationon their rights; but it has opted out of laws on access to a lawyer,presumption of innocencechild suspects’ rights, and a proposed law on legal aid(not yet agreed).

Fourthly, the UK is particularly keen to participate in the exchange of police information. It participates in every significant measure in the field:

(a)    the Schengen Information System (information on wanted persons and stolen objects, including terrorist suspects under surveillance);
(b)   the Customs Information System (used particularly in drug trafficking cases);
(c)    the ‘Prum’ decisions (which give access to other EU countries’ police databases on fingerprints, licence plates and DNA); and
(d)   the laws on exchange of criminal records.

Finally, as regards EU agencies, the UK participates in Europol(the EU police intelligence agency) and Eurojust (the agency which coordinates work of prosecutors in cross-border cases) at present. However, it has opted out of a new law concerning Europol, and a proposed new EU law concerning Eurojust, which set out (or would set out) revised rules for those agencies following the entry into force of the Treaty of Lisbon, although it might decide to opt in to those Regulations after they are adopted. The UK used to host the European Police College (a training agency), but refusedto continue hosting it and opted out of a new version of the relevant law.

There has been some concern particularly about the prospect of the UK participating in a law to create a European Public Prosecutor. While the EU Commission proposeda law to create a European Public Prosecutor in 2013, the UK has opted out of that proposal. Indeed, the UK would have to hold another referendum before it opted in to that law, according to the European Union Act 2011.

(c) What would the impact of ‘Brexit’ be?

It’s sometimes argued that EU laws on policing and criminal law are irrelevant to the UK’s membership of the EU, because the UK can simply do everything it wishes to do in this field in its domestic law. That’s a valid argument for two of the five areas of law described above: substantive criminal law and harmonisation of procedure. But it doesn’t work for the three other areas – mutual recognition, exchange of information and participation in EU agencies – which necessarily require some cooperation with other states. Put simply, a British Act of Parliament cannot regulate how France or Germany issue extradition requests.

What would happen if the UK left the EU? In each case, as with other areas of EU law and policy, it would depend on what the UK and EU negotiated afterward. But it is possible to give some general indication of the consequences.

In the area of mutual recognition, the UK can fall back on Council of Europe treaties, which address some of the same issues (note that the Council of Europe is a separate body from the EU, which includes non-EU European countries like Turkey and Russia; some of its treaties can be signed also by non-European states like the USA).

However, the relevant treaties do not go into as much detail as the EU laws, and are often less effective.  As an indication of this, see the UK governmentinformationabout the application of EU law in this area. Extradition from the UK has gone from 60 people a year (to all countries) before 2004 to 7000 since 2004 on the basis of the European Arrest Warrant. Over 95% of those sent to other Member States are not British.

Moreover, in some cases the UK and/or some other Member States have not ratified the relevant treaties. For instance, fewer than half of all Member States have ratified the Council of Europe Convention on validity of criminal judgments; the UK has not ratified it either. But the EU law on mutual recognition of criminal penalties sets out rules on one of the key issues in that Council of Europe treaty: the recognition of criminal financial penalties imposed by another Member State’s court. Some issues have not been the subject of Council of Europe treaties at all, such as the pre-trial supervision rules set out in EU law. In these cases, the EU law is the only means of ensuring the cooperation in question.

Another alternative is to negotiate treaties with the EU on these issues.  The EU has been willing in practice to negotiate access to some aspects of its criminal law measures: a form of the EAW for Norway and Iceland, an extradition treaty with theUSA, and mutual assistance (exchange of evidence) with Norway and Iceland, theUSAand Japan. But the extradition treaty with Norway and Iceland took years to negotiate, is still not in force at time of writing, and does not oblige States to extradite their own citizens – meaning that the UK would not be able to ask Germany to extradite Germans, for example. That restriction cannot easily be negotiated away in the event of Brexit, because some EU countries have constitutional problems which prevent them extraditing their own citizens outside the EU. (On these sorts of issues, see E Guild, ed, Constitutional challenges to the European Arrest Warrant).

Overall, there are no such treaties agreed with any non-EU countries on the large majority of EU criminal law mutual recognition measures. Of the treaties which are agreed, not a single one goes as far as the relevant EU legislation in force.

A particular concern of critics of the EU rules on extradition is the ‘sufficient evidence’ (‘prima facie’) test which was traditionally applied by the UK before accepting an extradition request. While it is sometimes argued that the EAW abolished the ‘prima facie’ test as regards EU countries, this is not correct. In fact, the UK waived the right to apply this test to European countries when it signed up to the Council of Europe extradition treaty back in 1990, over a decade before it signed up to the EU’s EAW: see the Extradition Act 1989, section 9(4), which was implemented by the European Convention on Extradition Order 1990 (SI 1990 No. 1507). In other words, the test was not abolished because of EU law, but was already abolished well before the EU had any involvement in extradition law.

Why did the UK abolish the prima facie test? As noted in the 2011 Baker review of UK extradition law, the decision was made because of the difficulties it posed for extradition in practice: a White Paper of 1986 stated that it ‘did not offer a necessary safeguard for the person sought by the requesting State but was a formidable impediment to entirely proper and legitimate extradition requests’. Ultimately the Baker review recommended that there was ‘no good reason to re-introduce the prima facie case requirement’ where it had been abolished, and that ‘No evidence was presented to us to suggest that European arrest warrants are being issued in cases where there is insufficient evidence’.

The prima facie test is sometimes described as an aspect of the ‘presumption of innocence’, although in fact a fugitive who is extradited pursuant to this test still either has to be convicted pursuant to a trial in the requesting State, or has already been convicted but fled the country. In other words, the presumption of innocencestill applieswhen the substantive criminal trial takes place (or took place).

As regards the EU agencies, the UK can enter into agreements to cooperate with Europol and Eurojust, like other non-EU countries. However, as the Director of Europol points out, such agreements don’t allow the UK to have direct access to databases, to lead investigation teams, or to take part in the management of those agencies: both Europol and Eurojust have had British Directors.

Finally, as regards policing, the EU has given some non-EU states access to theSchengen Information System, and to the ‘Prum’ rules on access to each Member State’s national policing databases. But this was linked to those countries fully joining the Schengen system. The UK would obviously not do that after a Brexit.

The EU has also signed treaties on the exchange of passenger name records with non-EU countries (the USACanada and Australia), as well as a treaty on the exchange of financial information (concerning alleged terrorists) with the USA, so might be willing to sign similar treaties with the UK. It has also recently agreed an ‘umbrella’ treaty on general exchange of police information with the USA, although this is not yet in force.

However, the EU has not extended access to its system on exchange of criminal records to any non-EU countries. While there is a Council of Europe treaty on mutual assistance in criminal matters (which the UK and all other Member States are party to) that provides for some exchange of information of such records, it results in far less information exchange. The exchange of criminal records is particularly important for the UK: the government has reportedthat the UK is one of the biggest users of the EU system, and that criminal records checks of foreign nationals in the criminal justice system have increased 1,650% since 2010.

However, there is a particular issue that has complicated the exchange of personal data between the EU and with non-EU countries, particularly as regards policing data. Are their data protection standards sufficient as compared to the standards maintained by the EU? If not, then the European Parliament may be reluctant to approve the deal, or it might be challenged in the EU Court. This isn’t a hypothetical possibility – it has happened several times already.

I have discussed this issue in more detail in a recent blog post for The Conversation, but I will summarise the main points there again.

As regards deals between non-EU countries and the EU itself, the EU Court of Justice has struck down a Commission decision on the transfer of personal data to the USA, because there was insufficient examination of the data protection standards applied by US intelligence agencies as regards access to personal data on social media. A replacement deal is planned, but will also be challenged in court. A further case is pending, where the EU Court has been asked to rule on the legality of the most recent EU/Canada treaty on the exchange of passenger records data, to ascertain if it meets EU standards for data protection.

If the UK left the EU, any UK/EU agreement on the transfer of personal data would have to meet the same requirements. Those requirements cannot simply be negotiated away, since they stem from the EU Charter of Rights – part of the primary law of the EU. The Charter can be amended, but to have legal effect the EU Treaties would also have to be amended to refer to that revised text. It is hard to believe this could happen at the behest of a country which has just left the EU.

Would UK legislation meet the test of being sufficiently similar to EU standards? The Court of Justice has been asked in the pending Davis and Watson case whether the rules on police access to personal data comply with the EU law that binds the UK as a Member State. Another Bill on this issue is pending before the UK Parliament, and would likely become an Act of Parliament before Brexit. Since many privacy campaigners are critical the draft Bill, there would almost certainly be similar legal challenges to transfers of personal data to and from the UK after Brexit, unless the UK agrees to continue fully applying EU data protection law.

(d) Arguments by the referendum campaigns

The official leaflet summarising the position of the two sides in the referendum campaign contains a number of relevant claims from each side. For the Remain side, the pamphlet says that the EAW ‘allows us to deport criminals from the UK and catch those fleeing justice across Europe’, and that EU membership helps to tackle ‘global threats like terrorism’. For the Leave side, the pamphlet says that the EU ‘will continue to control…vital security policies such as counter-terrorism’ and the EU Court ‘will keep taking powers over how our intelligence services fight terrorism’.

Are these claims valid? As for the first Remain claim, as noted above the statistics show that the number of persons extradited to and from the UK have indeed increased since the EAW has been applied – although some extradition would still take place even if the UK did not apply the EAW.

In light of the official UK government information referred to above, other operational cooperation via Europol and other forms of EU police and criminal law cooperation presumably has some impact on combating threats like terrorism and other serious crimes in practice. However, it is not possible to estimate their impact compared to purely national actions and other forms of international  cooperation.

As for the arguments by the Leave side, it is clear from the description of the laws which the UK applies that the EU does not ‘control…vital security policies’. The functioning of the UK law enforcement authorities is up to the UK, and there is no EU regulation of intelligence agencies. EU law impacts only cross-border issues.

As we have seen, the only EU case law to date impacting intelligence agencies concerns non-EUintelligence agencies. The ruling restricts transfers of data gathered by social networks to those non-EU countries in that context, unless those countries apply EU data protection law. If the UK left the EU, it would therefore be subject to the same restrictions on obtaining personal data in criminal cases from the EU. Leaving the EU is therefore more likely to impede UK intelligence agencies’ work, than it is to facilitate it.

Conclusion

The UK’s participation in EU criminal and policing law has led to an increase in cooperation in areas such as extradition and the exchange of police information. In these cases, there are question marks about what would happen after Brexit – mainly political but to some extent legal too. In the event of Brexit, there is a very high likelihood that cooperation between the UK and the remaining EU would be reduced (although not to zero). And in light of the UK’s opt-outs and the limited effect of EU law on purely domestic matters, it cannot seriously be argued that UK law enforcement and intelligence agencies are ‘controlled by’ the EU.

European Data Protection Supervisor Opinion on the EU-U.S. Privacy Shield draft adequacy decision

ORIGINAL PUBLISHED HERE

Executive Summary (emphasis are added)

Data flows are global. The EU is bound by the Treaties and the Charter of Fundamental Rights of the European Union which protect all individuals in the EU. The EU is obliged to take all necessary steps to ensure the rights to privacy and to the protection of personal data are respected throughout all processing operations, including transfers.

Since the revelations in 2013 of surveillance activities, the EU and its strategic partner the United States have been seeking to define a new set of standards, based on a system of self-certification, for the transfer for commercial purposes to the U.S. of personal data sent from the EU. Like national data protection authorities in the EU, the EDPS recognises the value, in an era of global, instantaneous and unpredictable data flows, of a sustainable legal framework for commercial transfers of data between the EU and the U.S., which represent the biggest trading partnership in the world. However, this framework needs to fully reflect the shared democratic and individual rights-based values, which are expressed on the EU side in the Lisbon Treaty and the Charter of Fundamental Rights and on the U.S. side by the U.S. Constitution.

The draft Privacy Shield may be a step in the right direction but as currently formulated it does not adequately include, in our view, all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress. Significant improvements are needed should the European Commission wish to adopt an adequacy decision. In particular, the EU should get additional reassurances in terms of necessity and proportionality, instead of legitimising routine access to transferred data by U.S. authorities on the basis of criteria having a legal basis in the recipient country, but not as such in the EU, as affirmed by the Treaties, EU rulings and constitutional traditions common to the Member States.

Moreover, in an era of high hyperconnectivity and distributed networks, self-regulation by private organisations, as well as representation and commitments by public officials, may play a role in the short term whilst in the longer term they would not be sufficient to safeguard the rights and interests of individuals and fully satisfy the needs of a globalised digital world where many countries are now equipped with data protection rules.

Therefore, a longer term solution would be welcome in the transatlantic dialogue, to also enact in binding federal law at least the main principles of the rights to be clearly and concisely identified, as is the case with other non EU countries which have been ‘strictly assessed’ as ensuring an adequate level of protection; what the CJEU in its Schrems judgment expressed as meaning ‘essentially equivalent’ to the standards applicable under EU law, and which according to the Article 29 Working Party, means containing ‘the substance of the fundamental principles’ of data protection.

We take positive note of the increased transparency demonstrated by the U.S. authorities as to the use of the exception to the Privacy Shield principles for the purposes of law enforcement, national security and public interest.

However, whereas the 2000 Safe Harbour Decision formally treated access for national security as an exception, the attention devoted in the Privacy Shield draft decision to access, filtering and analysis by law enforcement and intelligence of personal data transferred for commercial purposes indicates that the exception may have become the rule. In particular, the EDPS notes from the draft decision and its annexes that, notwithstanding recent trends to move   from   indiscriminate   surveillance   on   a   general   basis   to   more   targeted   and   selected approaches, the scale of signals intelligence and the volume of data transferred from the EU, subject to potential collection and use once transferred and notably when in transit, may still be high and thus open to question.

Although these practices may also relate to intelligence in other countries, and while we welcome the transparency of the U.S. authorities on this new reality, the current draft decision may legitimise this routine. We therefore encourage the European Commission to give a stronger signal: given the obligations incumbent on the EU under the Lisbon Treaty, access and use by public authorities of data transferred for commercial purposes, including when in transit, should only take place in exceptional circumstances and where indispensable for specified public interest purposes.

On the provisions for transfers for commercial purposes, controllers should not be expected constantly to change compliance models. And yet the draft decision has been predicated on the existing EU legal framework, which will be superseded by Regulation (EU) 2016/679 (General Data Protection Regulation) in May 2018, less than one year after the full implementation by controllers of the Privacy Shield. The GDPR creates and reinforces obligations on controllers which extend beyond the nine principles developed in the Privacy Shield. Regardless of any final changes to the draft, we recommend the European Commission to comprehensively assess the future perspectives since its first report, to timely identify relevant steps for longer term solutions to replace the Privacy Shield, if any, with more robust and stable legal frameworks to boost transatlantic relations.

The EDPS therefore issues specific recommendations on the Privacy Shield.

(FULL TEXT)  Continue reading “European Data Protection Supervisor Opinion on the EU-U.S. Privacy Shield draft adequacy decision”

Detecting foreign fighters: the reinvigoration of the Schengen Information System in the wake of terrorist attacks

ORIGINAL PUBLISHED ON “EU IMMIGRATION AND ASYLUM LAW AND POLICY”

By Niovi Vavoula, Queen Mary, University of London

Since the past two decades, the exploitation of new technologies and the emphasis on collecting and exchanging information have been key aspects of the EU counter-terrorism strategy. An array of information exchange schemes have been developed on the basis of an intelligence-led approach, according to which the more data available, the more efficient the policies may be (for an overview of EU information exchange mechanisms see here).

The aim of the present blog post is to assess the role of the Schengen Information System (SIS) in the fight against the growing phenomenon of the “Foreign Fighters”. Landmarks in this context are, apart the terrorist events of 9/11 and the Madrid bombings in 2004, the recent attacks in Paris in January and November 2015 as well as in Brussels on 22 March 2016. It is demonstrated the extent to which the functionalities and the potential of the SIS have been slowly revisited in the wake of events with limited progress up to date. Despite the growing overreliance to this system has not been accompanied by proven effectiveness, the EU legislator calls for further exploitation of the database at the expense of fundamental rights and EU citizenship. The Commission proposal amending the Schengen Borders Code regarding the control of the crossing of external borders by foreign fighters should finally make the system effective but it could violate the principle of proportionality.

The SIS II in a nutshell

At the heart of the compensatory measures for the abolition of internal border controls, the SIS was established under the Schengen Convention and came into operation in 1995. Its overarching purpose was twofold; to maintain public order and security and to apply the provisions of the Convention relating to the movement of persons in the Schengen Area. On the criminal law side, it held basic alphanumeric data categorised in the form of ‘alerts’ on people or objects wanted for criminal law and policing purposes, such as persons wanted for arrest to be surrendered/extradited or missing persons. On the immigration law side, which in practice dominated the content of the database, it stored data on third-country nationals to be refused entry to the Schengen area. The system functioned on a hit / no hit basis, but it was supplemented by the SIRENE, which provided the infrastructure for exchanging additional information between national authorities.

Since April 2013, the SIS has been substituted by the SIS II so as to accommodate the new Member States after the enlargements of 2004 and 2007 and insert new functionalities. In this context, the current legal framework of the SIS II comprises of Regulation 1987/2006 involving the immigration functions of the system, Council Decision 2007/533/JHA regarding its use for policing and criminal law purposes and Regulation 1986/2006 concerning access by vehicle registration authorities. The overarching purpose of ensuring a high level of security remains the same, albeit worded more broadly.

First round: new functionalities of the SIS after 9/11 and Madrid bombings  Continue reading “Detecting foreign fighters: the reinvigoration of the Schengen Information System in the wake of terrorist attacks”

Goodbye, cruel world: visas for holidays after Brexit?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS (April 25, 2016)

by Steve Peers

Until yesterday, I have consistently argued that the prospect of British citizens being subject to visas for short-term visits to the EU after Brexit was highly remote. In fact, I even told off some ‘Remain’ supporters who suggested that this might happen. EU policy is consistently to waive short-term visa requirements for wealthy countries (like the USA, Canada and Japan) as long as those countries waived short-term visa requirements for all EU citizens in return. I couldn’t imagine that it was likely that anyone on the ‘Leave’ side would wish to advocate short-term visa requirements for EU citizens visiting the UK after Brexit, thus damaging the British tourist industry and leading to a reciprocal obligation for UK citizens to get visas for short visits to the EU.

Incredibly, I was wrong on this. Yesterday, Dominic Raab, a senior figure on the Leave side, suggested that the UK might want to introduce visas for EU citizens after Brexit, and accepted that UK citizens might be subject to visa requirements for visits to the remaining EU in turn. It can’t seriously now be suggested that it’s ‘scaremongering’ to consider that this might become UK policy after Brexit – unless there’s such a thing as ‘self-scaremongering’ by the Leave side.

Let’s be clear about this. The idea of short-term visa requirements after Brexit is utterly and profoundly stupid. It is by no means a necessary consequence of Brexit, and would cause the maximum possible damage to UK businesses and the ordinary lives of British citizens who seek to visit the EU after Brexit, with little or no security benefit in return.

Background: EU visa policy

As an EU Member State, the UK allows short-term entry to EU citizens without a visa, as well as longer-term free movement of people – although the latter issue is severable from short-term visas. The reverse is also true, of course: simplifying the leisure, family and business visits of millions of British citizens to the EU every year. While there is an earlier treaty from the Council of Europe (a body separate from the EU) which abolishes visa requirements between European states, the UK is not a party to that treaty – and presumably would not become one under Raab’s plans.

The EU has agreements on free movement of people with Norway, Iceland and Switzerland, but it seems clear from official statements by the Leave side that the UK would not sign up to these after Brexit. But as I said, short-term visa waivers are a severable issue: the EU does have reciprocal short-term visa waiver treaties with a number of non-EU countries, as well as a unilateral policy of waiving short-term visa requirements for other wealthy countries who reciprocate. Therefore, all it would take for British citizens to retain the visa waiver for short-term visits to the EU after Brexit would be a British government policy not to impose short-term visa requirements on EU citizens, or a UK/EU treaty to this effect. This seemed highly likely – until Raab’s rant.

The EU decides visa policy as a bloc, so there is no possibility that the UK could do separate deals on short-term visas with individual EU countries. As an exception, Ireland (like the UK at present) has an opt-out from the EU’s visa policy, so the UK and Ireland could retain their separate Common Travel Area arrangements – if they wished to. It’s not clear if Raab also wants to impose visa requirements for Irish nationals (which might also then be reciprocated). If that happens, then border controls would have to be reimposed between Northern Ireland and the Irish Republic, as some on the Leave side have already called for (though others have taken a different view).

EU visas: the legal framework

The EU (apart from Ireland) has a standard short-term visa policy, which entails issuing ‘Schengen visas’ valid for all the Schengen states.  So in legal terms we know what the impact would be of the EU imposing visas on British citizens. The basic rules are set out in the EU visa code, although a few EU countries (Romania, Bulgaria, Cyprus and Croatia) don’t apply that code yet as they are not yet fully part of Schengen. While the Schengen system currently has many well-known problems as regards border control, this has not affected Schengen visa policy, and there is no reason why it would do.

To get a Schengen visa, the visa code requires an application at a consulate, although in practice the applications are often made through a private service provider. Applications can be made up to three months before the date of travel, or six months for multiple-entry visas. Applicants need to provide fingerprints, except for children under twelve and some other limited exceptions. They must also provide documents supporting the reason for their travel, obtain medical insurance and pay a fee of €60 per applicant, along with an extra fee if the applicant uses a private service provider. The fee is reduced to €35 for children between six and twelve, and waived for younger children, as well as pupils and teachers on study trips, researchers and representatives of NGOs. It may be waived in a small number of other cases; but it is always payable for tourist or business trips.

Most applications for Schengen visas are accepted, but applications are scrutinised for subsistence and intention to return, so it may be more likely that unemployed or low-waged British citizens find their visa applications refused. Any rejections will be registered in the EU’s Visa Information System for five years, which may make it less likely for a future application to be accepted. Usually a visa is valid for a period of three months over the next six months, but it is possible to get a multiple-entry visa (valid for several trips over a five year period) if there is a proven need to travel frequently. Visas can’t usually be obtained at the border, so British citizens would have to apply for a visa at least several days in advance to be sure of being able to travel. Without a visa, they would be denied boarding planes, trains or ferries, due to the EU law on carrier sanctions.

Back in 2014, the Commission proposed amendments to the EU visa code. They would, for instance, simplify the rules on getting multiple-entry visas, and allow for earlier applications. But such visas would still not be standard. Recently, both the Council and the European Parliament adopted their positions on this proposal, and so it will likely be agreed later this year. I’ve blogged separately on the main changes that the Commission proposed, as well as the chance to add rules on humanitarian visas, and on the specific proposals affecting UK citizens’ non-EU family members. But if the new code ultimately applies to all British citizens, its impact will be obviously be much greater.

The EU has signed some treaties on visa facilitation with non-EU countries. These treaties don’t waive the visa requirement, but they reduce the application fee and simplify the process. Of course they are reciprocal – the UK would have to cut the fees and simplify the process for EU citizens applying for short-term visas to visit the UK too.

Practical consequences: the unbearable madness of visa requirements

There’s no doubt that visa requirements reduce travel for tourism, business and other purposes. There are detailed estimates of the scale of the economic impact in a reportdrawn up for the Commission before it proposed the revised visa code. Think of it at the individual level: if there’s no visa facilitation treaty, a British couple with two teenagers would have to pay an extra €240 for a family holiday in the EU in visa application fees, with fees often paid to service providers on top. Even with a visa facilitation treaty like the one with Ukraine, the family would pay €70 in fees (€35/adult, under-18s exempt from fees), and again possibly service providers.

Raab argues that all this is justified on security grounds. Is it? First of all, the vast majority of terrorist (or other) offences in the UK are committed by British citizens. But some foreign visitors do commit crimes. How best to screen them out? The basic problem is that imposing a visa requirement doesn’t, in itself, increase our capacity to determine if a particular individual is likely to pose a threat. It simply, in effect, moves the decision on entry in time (to a date before arrival) and space (away from the border to a consulate – although individuals will still be checked at the border to ensure that there is a visa in their passport). The best way of knowing if a particular individual is a threat is by checking the available data.

That information is easy to find if the visa applicant has previously committed a crime in the UK, because in that case there ought to be a criminal record accompanied by an entry ban. But in this scenario, the entry ban information should in principle not only be available to consulates considering a visa application, but also to border guards deciding on entry at the border. So the visa requirement adds nothing. Nor does it add anything as far as EU citizens are concerned: the EU citizens’ Directive allows the UK to impose an entry ban on EU citizens who have committed serious crimes; and the UK can (and does) refuse entry to EU citizens at the border.

What if the visa applicant has committed a crime in another country? Whether people have to apply for a visa or are checked at the border, there is no general access to other countries’ criminal records. However, the UK does have access to some relevant dataas an EU Member State. Last year, it gained access to the Schengen Information System, which includes information on wanted persons, including some terrorist suspects. From 2012, the EU system for exchange of information on criminal recordswas set up (known as ECRIS: the European Criminal Records Information System), and the EU Commission recently reported that it had greatly improved the flow of information on this issue. The ECRIS law provides for criminal records to be exchanged more easily as regards a country’s own citizens (so we now have more information on UK citizens who have committed crimes abroad). Furthermore, the UK opted into the newly adopted EU law on passenger name records.

These laws don’t provide perfect security, of course. Not all terrorist suspects’ names appear in the Schengen Information System, for instance. The passenger name records law is likely to be challenged on human rights grounds, since it gathers information on all passengers, not just suspects. The criminal records law was unable to stop a tragic killing two years ago, because British police unfortunately did not ask another Member State about the killer’s criminal record (on the basis of a separate EU law) when they had the opportunity. As I suggested at the time, it would be desirable to provide for automatic circulation of the criminal records of EU citizens who have been convicted of very serious crimes, if they have been released from prison, so that they can be stopped and validly rejected from entry at the border.  The upcoming amendments to the Schengen Information System would be an opportunity to do this.

But how would Brexit, with or without a visa requirement, improve this situation? It would not give the UK any more access to EU databases, or to other Member States’ criminal records systems; indeed, it might mean less access. The EU has not extended ECRIS to any non-EU countries; the Schengen Information System has only been extended to those (like Norway and Switzerland) that are fully part of Schengen. The EU has some treaties on exchange of passenger name data with non-EU countries, but this policy is being challenged on data protection grounds in the EU court.

More broadly, the EU court has ruled in the Schrems case that personal data can only be transferred to non-EU countries that have data protection law ‘essentially equivalent’ to EU law. The UK would have to commit to continue applying a law very similar to EU law, or risk disruptions in the flow of personal data – affecting digital industries as well as exchange of data between law enforcement authorities. This restriction can’t easily be negotiated away, since the case law is based on the EU Charter of Fundamental Rights, which has the same legal effect as the Treaties. The UK’s compliance with the EU rules would almost certainly be challenged in practice: see by analogy the Davis and Watson case already pending before the EU court. Outside the EU, the effect of a ruling that the UK did not comply with the rules would be a potential disruption of the flows of personal data.

One final point. Let’s remind ourselves that the UK already allows nationals of over fiftynon-EU countries to visit for a short period without a visa. So obviously we have found a way to reconcile the possible security threat this might pose with the needs of the UK economy. Why should that be so difficult to do as regards EU countries after Brexit? The mere existence of that policy anyway creates a loophole: any EU citizen with the dual nationality of one of those non-EU states (or perhaps Ireland) would be able to visit the UK without a visa anyway. Or is the intention to require a visa for everyone?

Of course, this loophole would work the other way around too. As a dual citizen of the UK and Canada, I could still visit the EU visa-free on a Canadian passport. So could any other British people who are also citizens of a Member State, or a non-EU country on the EU visa whitelist. But many others (including my family, for instance) could not. Let’s conclude on the utter absurdity of this: a British citizen contemplating the use of a Canadian passport to visit the European Union. Is this really the vision of an open, liberal, global United Kingdom after Brexit that the Leave side want people to vote for on June 23rd?

The balance between criminal law and international humanitarian law in terrorism cases

Intervention at the 10th ECLAN Conference, 26 April 2016 in Brussels

by Vaios KOUTROULIS (*)

On April 8 2016, in Anderlecht, the Belgian police arrested five people linked to the 22nd March bombings in the airport and metro station of Brussels. Among them was Mohamed Abrini who has admitted that he was one of the three persons that were filmed by security cameras in the Brussels airport. Among the persons arrested was also Osama Kareym, who is suspected to have taken part in the bombing on the Brussels subway. Both are also linked to the 13 November Paris attacks.

Can these participants in the 22nd March bombings in the airport and metro station of Brussels be criminally persecuted for terrorist crimes before Belgian courts?

In principle, the answer seems to be a straightforward YES.
The object of my presentation is to show that the question is much more complicated than it may appear at first sight.
This complication stems from the Belgian Criminal Code.
Indeed, in the section relating to terrorist offences of the Belgian Criminal Code, the penultimate article (article 141bis) excludes from the scope of application of the section the activities of armed forces in times of armed conflict as defined and regulated by international humanitarian law (IHL).

The origin of this article, which is a saving clause, is the last preambular paragraph of the Council Framework Decision of 13 June 2002 on combatting terrorism which reads as follows:
“Actions by armed forces during periods of armed conflict, which are governed by international humanitarian law within the meaning of these terms under that law, and, inasmuch as they are governed by other rules of international law, actions by the armed forces of a State in the exercise of their official duties are not governed by this Framework Decision”.

This provision is reflected in several international conventions relating to the prohibition of terrorist acts.[1] As it is clear from the text of this article, the scope of application of the terrorist offences is defined / determined by the rules of IHL. So, under Belgian criminal law, IHL and terrorist offences are mutually exclusive legal regimes. Thus, in order to correctly appreciate which acts may be criminally prosecuted under Belgian law as terrorist acts, we need to go through the definition of the relevant IHL concepts.

I will make three points with respect to this provision, and this rule of mutual exclusion.

  1. First, I will briefly discuss the IHL notions of “armed forces” and “armed conflict” in order to give a clearer idea of what is excluded from the definition of terrorist offence.
  2. Second, I will briefly discuss how the savings clause has been applied in Belgian case-law
  3. Third, I will explain the purpose, la raison d’être, of the clause and why it is important to maintain it.

A. What is not a terrorist offence?

Actions by armed forces during periods of armed conflict, which are governed by international humanitarian law
Armed forces = both armed forces of a State, of an international organisation or of a non-State actor.

The argument is sometimes raised that the concept of “armed forces” should be limited only to State armed forces, in other words, that only activities by State armed forces are excluded from the scope of application of terrorist offences, while those of non-State actors are not. This interpretation is not supported by the text of the provision.

According to the ICRC, customary IHL defines armed forces as follows:
“The armed forces of a party to the conflict consist of all organized armed forces, groups and units which are under a command responsible to that party for the conduct of its subordinates.” (rule 4, source art. 43 AP I)
Armed forces of a State are quite clear to identify = regular forces of States (membership regulated by domestic law; members of irregular groups belonging to a party to the conflict)

Armed forces of a rebel group, a non-State actor are more difficult to identify.
Again according to the ICRC, “In non-international armed conflict, organized armed groups constitute the armed forces of a non-State party to the conflict and consist only of individuals whose continuous combat function it is to take a direct part in hostilities.” (ICRC, Interpretative guidance on DPH, 2009)

  • Continuous combat function requires a lasting integration into an organised armed group acting as the armed force of a non-State party to an armed conflict;
  • Individuals whose function involves the preparation, execution, command of acts or operations amounting to direct participation in hostilities have a continuous combat function;
  • Individuals recruited, trained and equipped by a group to continuously and directly participate in hostilities have a CCF;
  • Recruiters, trainers, financiers, propagandists may continuously contribute to the general war effort of a non-State party but are not members of the armed forces of the group, unless their activities amount to DPH[2].
  1. Armed conflict = both international and non-international

IAC: conflict between states or between a State and an intl org.
NIAC: conflict between State and rebel group or between two or more rebel groups.
Two conditions: intensity of hostilities[3] and organisation of the parties[4].

Another factor that may come into play in determining whether an armed conflict exists relates to the geographical scope of application of an armed conflict. This is interesting since there have been some very extensive interpretations relating to the geographical scope of application of armed conflict that have been suggested. I am referring to the concept of the “global war on terror” put forth by the United States. According to this view, an armed conflict against a terrorist group basically knows no boundaries and exists wherever the terrorist is found. This theory has been invoked by the United States in order to allow them to invoke IHL as a justification for drone strikes against terrorists around the world. However, the drawback of such an extensive reading of IHL is that is the armed conflict follows the terrorist, then any act committed by him/her anywhere in the world will be considered as committed in the context of an armed conflict and therefore will not be qualified as a terrorist offence…

B. How have the Belgian Courts applied the saving clause in art. 141bis?

The answer is simple: very restrictively.
The defendants’ lawyers have invoked the clause in some cases but Belgian Courts have been up to now very reluctant in applying it. This has resulted in some very problematic interpretations of IHL concepts, since in order for the judges to reject the clause, they have interpreted the notions of “armed forces” and “armed conflict” very restrictively.

Thus, for example, in a case concerning the death of a Belgian national in Iraq in the context of an attack against the US armed forces present in Iraqi territory[5]. The relevant period was from January 2004 to November 2005. The 2008 judgment by the first instance tribunal[6] considered that there was no armed conflict in Iraq during the period in question. This classification was clearly unsupported by the facts in question, since even the US recognised that they were involved in an armed conflict and a belligerent occupation at least for the first months of the relevant period.

Another example, in a more recent case, deals with Sharia4Belgium, a group founded in 2010 having played an active role in the departure of combatants in Syria in order to join armed groups Jahbat Al-Nusra and Majlis Shura Al Mujahidin (affiliated with Al-Qaeda).

In the First instance judgment, handed down in 2015[7], the Tribunal held that there was an armed conflict in Syria to which the groups in question was involved. It also clarified that the armed conflict did not extend to Belgium. The consequence of that was that, in any case, the saving clause could not be invoked for acts which took place in Belgium. However, turning to the notion of “armed forces” the Tribunal refused to recognise that the two groups in question are “armed forces” within the meaning of IHL. This goes against the classification of the UN Commission of Enquiry on Syria. It also goes against well-established IHL rules. Indeed, the Tribunal, in order to reject to the two groups their character as “armed forces” defines “armed forces” very restrictively and imposes the respect of many conditions for a group to be classified as an “armed force”, conditions which have no legal basis in IHL.[8]

C. Why does the saving clause exist and why should it be maintained?

The reason for the saving clause is the recognition of the specificity of IHL as the legal regime which is best adapted in dealing with situations of armed conflict.

The need to preserve this specificity.

Firstly, IHL has its own list of crimes (war crimes) => the fact that an act does not constitute a terrorist offence does not mean that it is not a crime under international and national law or that its authors will remain unpunished.
Terrorism as a method of warfare is prohibited under IHL, both in international and non-international conflicts (Art. 33 4th GC; art. 51§2 AP I; art. 4§2(d) and 13§2 AP II).
It is also a war crime (ICTR Statute; SCSL Statute).

Secondly, the difficulty in finding common ground with respect to a definition of terrorism in international law, entails the risk of abuse of the notion of terrorism. This risk is particularly high in situations of armed conflict, especially in NIACs since the government always considers that the rebels are terrorists.

NOTES

[1] 1997 International Convention for the suppression of terrorist bombings, art. 19§2:
“The activities of armed forces during an armed conflict, as those terms are understood under international humanitarian law, which are governed by that law, and the activities undertaken by military forces of a State in the exercise of their official duties, inasmuch as they are governed by other rules of international law, are not governed by this Convention.”
2005 International Convention for the Suppression of Acts of Nuclear Terrorism, art. 4§2:
“The activities of armed forces during an armed conflict, as those terms are understood under international humanitarian law, which are governed by that law are not governed by this Convention, and the activities undertaken by military forces of a State in the exercise of their official duties, inasmuch as they are governed by other rules of international law, are not governed by this Convention.”
2005 Council of Europe Convention on the Prevention of Terrorism, art. 26 §5:
“The activities of armed forces during an armed conflict, as those terms are understood under international humanitarian law, which are governed by that law, are not governed by this Convention, and the activities undertaken by military forces of a Party in the exercise of their official duties, inasmuch as they are governed by other rules of international law, are not governed by this Convention. »
1979 International Convention against the Taking of Hostages, art 12
“In so far as the Geneva Conventions of 1949 for the protection of war victims or the Protocols Additional to those Conventions are applicable to a particular act of hostage-taking, and in so far as States parties to this Convention are bound under those conventions to prosecute or hand over the hostage-taker, the present Convention shall not apply to an act of hostage-taking committed in the course of armed conflicts as defined in the Geneva Conventions of 1949 and the Protocls thereto (including IACs of AP I)”
1999, International Convention for the suppression of the Financing of Terrorism, art. 2:

  1. Any person commits an offence within the meaning of this Convention if that person by any means, directly or indirectly, unlawfully and wilfully, provides or collects funds with the intention that they should be used or in the knowledge that they are to be used, in full or in part, in order to carry out:

(…)
(b) Anyotheractintendedtocausedeathorseriousbodilyinjurytoacivilian,orto any other person not taking an active part in the hostilities in a situation of armed conflict, when the purpose of such act, by its nature or context, is to intimidate a population, or to compel a government or an international organization to do or to abstain from doing any act.
[2] DPH condition – direct causation = one causal step between activity and the harm to the adversary:

  • although recruitment and training of personnel is crucial to the military capacity of a party to the conflict, the causal link with the harm inflicted on the adversary will generally remain indirect. Only where persons are specifically recruited and trained for the execution of a predetermined hostile act can such activities be regarded as an integral part of that act and thus as DPH.
  • General war effort and war sustaining activities (design, production, shipment of weapons, propaganda, financial support) are not DPH.
  • Purchase, smuggling of the components of an explosive device, assembly of the device, storage of the device are connected with the resulting harm but are not DPH; only planting and detonating the device are DPH.
  • General preparatory acts do not constitute DPH: purchase, roduction, smuggling, hiding of weapons, general recruitment and training of personnel, financial administrative or political support.

[3] For the intensity of the conflict, these factors include ‘the number, duration and intensity of individual confrontations; the type of weapons and other military equipment used; the number and calibre of munitions fired; the number of persons and type of forces partaking in the fighting; the number of casualties; the extent of material destruction; and the number of civilians fleeing combat zones. The involvement of the UN Security Council may also be a reflection of the intensity of a conflict’; ICTY, Haradinaj 2008 Trial Judgment, supra note 26, para. 49. For further references, see ICTY, Boškoski and Tarčulovski 2008 Trial Judgment, supra note 26, paras. 177-178.
[4] As to the organisation of the parties, relevant for dissident armed groups, the indicative factors identified by the ICTY, include ‘the existence of a command structure and disciplinary rules and mechanisms within the group; the existence of headquarters; the fact that the group controls a certain territory; the ability of the group to gain access to weapons, other military equipment, recruits and military training; its ability to plan, coordinate and carry out military operations, including troop movements and logistics; its ability to define a unified military strategy and use military tactics; and its ability to speak with one voice and negotiate and conclude agreements such as cease-fire or peace accords’; ICTY, Haradinaj 2008 Trial Judgment, supra note 26, para. 60. For further references, see ICTY, Boškoski and Tarčulovski 2008 Trial Judgment, supra note 26, paras. 199-203.
[5] Case of the “fillières iraquiennes”, Muriel Degauque.
[6] Tribunal correctionnel de Bruxelles, 10 janvier 2008.
[7] Tribunal correctionnel d’Anvers, 11 février 2015.
[8] Such as the obligation to respect rules of IHL.

Data retention and national law: whatever the CJEU rules, data retention may still survive!

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Matthew White, Ph.D candidate, Sheffield Hallam University

Should governments be able to retain data on everyone’s use of the Internet and their phones – because it might arguably aid the fight against terrorism and serious crime? This ‘data retention’ issue raises fundamental questions about the balance between privacy and security, at both national and EU level. Initially, in the electronic privacy (e-Privacy)Directive, EU legislation set out an option for Member States to adopt data retention rules, as a derogation from the normal rule of confidentiality of communications in that Directive. Subsequently, in 2006, at the urging of the UK government in particular, the EU went a step further. It adopted the Data Retention Directive (DRD), which requiredtelecom and Internet access providers to keep data on all use of the Internet and phones in case law enforcement authorities requested it.

However, on 8 April 2014, the Court of Justice of the European Union (CJEU) ruled that the latter Directive went too far. In its Digital Rights Ireland judgment (discussed here), that Court said that the EU’s Data Retention Directive (DRD) was invalid in light of a lack of compliance with the rights to privacy and data protection set out in Articles 7 and 8 of the EU Charter of Fundamental Rights (CFR) (para 69 and 73). This left open an important question: what happens to national data retention laws? Can they also be challenged for breach of the EU Charter rights, on the grounds that they are linked to EU law (the derogation in the e-Privacy Directive)? If so, do the standards in the Digital Rights Ireland judgment apply by analogy?

Instead of addressing this matter urgently, the United Kingdom government sat on its hands for a while and then unprecedentedly rushed through the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014). DRIPA 2014 was intended to be a reactionto the Digital Rights Ireland ruling, giving the UK as a matter of national law the power to retain data that had been struck down by the CJEU as a matter of EU law.

In 2015, Tom Watson (now the deputy leader of the UK Labour Party), David Davis (a Conservative party backbencher) and others challenged s.1 of DRIPA 2014 arguing that the powers to obligate data retention on public telecommunication operators set out in that section of DRIPA did not sufficiently reflect what the CJEU ruled in Digital Rights Ireland. Although that CJEU ruling only applied to EU legislation, they argued that it also applied by analogy to national legislation on data retention, since such legislation fell within the scope of the option to retain communications data set out in the derogation in the e-Privacy Directive, and so was linked to EU law (and therefore covered by the Charter). Even though the e-Privacy Directive only related to publicly available electronic communications services (Article 3(1)), it is submitted that any extension of the definition of public telecommunications operator would fall within the Data Protection Directive, and thus the CFR would still apply. The High Court (HC) ruled in the claimants’ favour inDavis where an order was made for s.1 of DRIPA to be disapplied by the 31st of March 2016, insofar as it is incompatible with Digital Rights Ireland (para 122). This was in the hopes that it would give Parliament sufficient time to come up with a CFR compliant data retention law (para 121).

The government appealed to the Court of Appeal (CoA) which took a radically different approach maintaining that ‘the CJEU in Digital Rights Ireland was not laying down definitive mandatory requirements in relation to retained communications data’ (para 106). But for the sake of caution, the CoA made a preliminary reference to the CJEU asking:

(1) Did the CJEU in Digital Rights Ireland intend to lay down mandatory requirements of EU law with which the national legislation of Member States must comply?

(2) Did the CJEU in Digital Rights Ireland intend to expand the effect of Articles 7 and/or 8, EU Charter beyond the effect of Article 8 ECHR as established in the jurisprudence of the ECtHR?

The CoA was not the only national court to make a preliminary reference to the CJEU on matters regarding data retention and the reach of Digital Rights Ireland. On the 4th May 2015, the Force was with Kammarrätten i Stockholm when it asked the CJEU:

Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime (as described [below under points 1-6]) compatible with Article 15(1) of Directive 2002/58/EC [the electronic privacy Directive], 1 taking account of Articles 7, 8 and 15(1) of the Charter?

If the answer to question 1 is in the negative, may the retention nevertheless be permitted where:

access by the national authorities to the retained data is determined as [described below under paragraphs 7-24], and

security requirements are regulated as [described below under paragraphs 26-31],

and all relevant data are to be retained for six months, calculated as from the day the communication is ended, and subsequently deleted as [described below under paragraphs 25]?

The way in which the first question in Davis and Watson is asked doesn’t specify whether the general obligation applies to every service provider under the state’s jurisdiction or specific service providers to retain what they individually process. The assumption is the former as ‘all means of electronic communication and all traffic data without any distinctions’ implies a catch all to the relevant services. The Home Secretary (and indeed the government) may argue that if the CJEU rules in the negative (note that Article 15(1) of the e-Privacy Directive only applies to publically available electronic communications services, thus the justification for retaining data from other services would have to be found in the Data Protection Directive (DPD)) it would mostly have affected cl.78 of theInvestigatory Powers Bill (IPB) (currently before Parliament) which would grant the Secretary of State the power to issue retention notices on a telecommunications or any number of operators to retain for e.g. any or all data for 12 if the power in cl.1 of the draft Communications Data Bill (dCDB) had been replicated. The dCDB was a legislative measure introduced in 2012 to allow public authorities to keep up to date with the sophistication of e-Crime. Clause 1 maintained that:

1 Power to ensure or facilitate availability of data

(1) The Secretary of State may by order—

(a) ensure that communications data is available to be obtained from telecommunications operators by relevant public authorities in accordance with Part 2, or

(b) otherwise facilitate the availability of communications data to be so obtained from telecommunications operators.

(2) An order under this section may, in particular—

(a) provide for—

(i) the obtaining (whether by collection, generation or otherwise) by telecommunications operators of communications data,

(ii) the processing, retention or destruction by such operators of data so obtained or other data held by such operators.

This measure was, however abandoned because the Liberal Democrats (in the then Coalition Government) did not approve of the far reaching nature of the proposal. In regards to cl.1, it clearly was a general power, as no distinction was made on who the obligation to retain may fall upon, and thus it is submitted that this power is analogous to the power which is the subject of the question being asked of the CJEU. Clause 78(1) of the IPB on the other hand, makes the distinction that a data retention notice may require a telecommunications operator to retain relevant communications data. Though there are two possible conflicts, the first, based on the assumption that the CJEU rules in the negative (to the first question) is cl.78(2)(a) and (b). This gives the Secretary of State the discretion to issue retention notices on any description of operators to retain all or any description of data. This could be considered a general obligation because it could affect all telecommunications operators and then be classed as a general obligation.

Secondly, retention ‘without distinction’ or ‘exceptions’ may be important when it comes to traffic data pertaining to journalists, politicians, and the medical and legal professions. But because the reference doesn’t mention specific service providers it cannot be said with certainty how much this would affect cl.78(1) which doesn’t make distinctions or exceptions.

When it comes to limitations on data retention, there is at least one, which was first noted in s.1(5) of DRIPA 2014 which allowed for a 12 month maximum period of retention. This is replicated in cl.78(3) and takes on board the recommendation of the Advocate General’s opinion (AG) in Digital Rights Ireland (para 149).

The President of the CJEU felt it was desirable to combine both preliminary references. The questions of access by both the Swedish and UK courts do not directly affect the cl.78 issuing of retention notices (insofar that it at least doesn’t involve everytelecommunications operator) nor does answering whether Article 7 and 8 was intended to extend beyond Article 8 ECHR jurisprudence. The security arrangements are dealt with by cl.81 (whether they are adequate is a different matter) and thus not relevant to the issuing of retention notices.

This, however, proceeds on the assumption that the CJEU will rule in the negative to the Swedish preliminary reference regarding retention being lawful for the purposes ofaccess, because if it does not, cl.78(2)(a) and (b) would not be affected at all. Moreover, the HC in Davis felt that the CJEU believed that data retention genuinely satisfied an objective of general interest (para 44) and that it must be understood to have held that a general retention regime is unlawful unless it is accompanied by an access regime which has sufficiently stringent safeguards to protect citizens’ rights set out in Articles 7 and 8 of the CFR (para 70). The CoA was silent on this matter, and therefore for the mean time, it is understood that if the CJEU rules in the positive, cl.78 would not be affected as a matter of EU law.

On the matter of whether the HC or the CoA had interpreted Digital Rights Irelandcorrectly, it is important to highlight one of the justifications for the CoA conclusions. It maintained in relation to mandatory requirements, that in the opinion of the AG, he was at least, not looking for the Directive to provide detailed regulation (para 77). Yet the CoA failed to mention his conclusions, where it was stated that the DRD was invalid as a result of the absence of sufficient regulation of the guarantees governing access to (by limiting access, if not solely to judicial authorities, at least to independent authorities, or, failing that, by making any request for access subject to review by the judicial authorities or independent authorities and it should have required a case-by-case examination of requests for access in order to limit the data provided to what is strictly necessary (para 127)) the data collected/retained and that the DRD should be suspended until the EU legislature adopts measures necessary to remedy the invalidity, but such measures must be adopted within a reasonable period (para 157-158). So at least in this regard the AG actually supports the stance of the HC (even though no reference was made on this point) and may therefore have had implications for the IPB (which does not require judicial or independent authorisation/review) in relation to access to communications data without a word from the CJEU.

Many thanks to Steve Peers for helpful comments on an earlier draft.