Category: 9.2 Intelligence – National security

The Discreet Charm of Passenger Data: Big Data Surveillance Coming Home

Posted HERE on January 14, 2016

by Rocco Bellanova & filed under Security.

Several governments see in the mass-surveillance of passenger data the key tool of counter-terrorism. These data are generally known as PNR – Passenger Name Records, and their potential for law enforcement has been discussed at least since the 1990s. Now European Union (EU) debates about the creation of a European PNR scheme seem settled once and for all. Others have already provided legal analyses of the measure to come. Here the goal is different: I aim to show how urgent it is to start researching the political dimensions of this security program right when all politics fade away.

Example of a PNR.

PNR-584x438

PHOTO: Edward Hasbrouck, The Practical Nomad.

While PNR were part of my PhD research and as such a big chunk of my everyday world, I often have quite a hard time to explain what PNR are beyond a quite small circle of geeks. It was even difficult to explain colleagues how this kind of topic may be relevant for international and EU studies. Blame it on my lack of training or competence in the vulgarization of scientific research. Blame it on my choice of a theme considered either a technicality or something for ‘legal scholars only’.

Since November 2015, things (might) have changed. The surveillance of air passengers has become a trumpeted European priority in the revamped War on Terror, while before it was largely considered an expert-only business. Several political declarations voice the need to create a system able to identify potential ‘returning jihadists’ and better track their travels within and outside of Europe, and the EU institutions seem closer than ever to adopt legislation on the matter. But, what are we speaking about when we speak about PNR? And what are the challenges ahead for researchers, advocates and institutions alike?

The many lives of PNR

First things first: PNR are a set of information that is generated at the booking of a travel, especially when it comes to flights (for a more critical presentation: here). PNRs include widely different data, from the name of the passenger and the method of payment used, to frequent flyer numbers and travel itineraries. PNRs can also show whether the reservation includes other persons, where the ticket was bought and which changes have occurred. In other words, every time you fly – better: every time you or somebody else books a flight for you – chances are that you get a PNR.

Through the last decades, PNR have become the backbone of airline reservation systems and, to make a long story short, are now presented as a key element for carrying out intelligence-led policing. Following the Paris attacks in January and November 2015, several institutional actors, from the French Interior Minister to the EU Counter-Terrorism Coordinator, have insisted on the need for the EU to set up a PNR scheme. Actually the idea was looming around since a while, and the Commission had already tabled twice a legislative proposal, in 2007 and in 2009. However, the draft had been put on hold after a negative vote in the European Parliament (EP) Committee for Civil Liberties, Justice and Home Affairs (LIBE) in April 2013.

Some countries have already developed quite comprehensive security systems that rely on the processing of PNR, notably the United States (US) and Canada, but also the UK within the EU. Generally speaking, PNR systems could be used for both more traditional investigative work and for profiling-based surveillance. It is mostly this second aspect that has attracted the attention of critical security researchers and law scholars, and it is this profiling potential that makes it a very tempting security measure for its proponents. So, when we speak about PNR we speak about many controversial topics: the deployment of mass-surveillance measures, a far-reaching interference into the private life of millions of passengers, the potential risk of discrimination, a shift towards pre-emptive security, the role of private actors in the creation of security measures, etc. Hence, PNR is also the name of the new concerns that surveillance raises in contemporary liberal societies.

At EU level, most of the debates revolve(d) around the impact on privacy and, notably, the possible role for data protection. Actually, the text that was recently agreed among representatives of the Commission, the Council and the Parliament – the new ‘EU PNR directive’ as it is called in EU jargon – abounds of references to data protection law, principles, and organizational tools. It seems to have a two-fold purpose: to facilitate the processing of passenger data and to protect the same data. Notably, the Members of the European Parliament made compulsory the appointment of Data Protection Officers within each of the national units that will collect, store and process data, and the powers of national data protection authorities have been further clarified. From this perspective, the PNR is the name of the tentative efforts to govern big data.

Les jeux sont faits (?)

Taking into account both these safeguards and the perceived need to use PNR as a crucial means in the fight against terrorism, the LIBE Committee has green-lighted the compromise version of the EU PNR Directive. The next legislative step is a vote in a plenary, then the adoption from the Council and a few other ‘technical’ steps. All resistance is coming to an end: controversies seem settled and the EU will have its common EU PNR scheme. After close to 8 years of debates among EU institutions, and more than a decade at international level, EU countries will finally have their own PNR-based security systems, and stop gazing with envy at other countries’ systems (notably the mighty US program). From this perspective, PNR is the name of a properly working EU – which delivers what is a needed at the right time – and will be remembered as a milestone in the creation of a common policy response in the field of counter-terrorism.

Then, what does remain to be done now that institutional politics are settled? Research-wise, the next step is just taking the time to submit a paper to a major peer-reviewed journal – now with the EU PNR Directive written down in the EU Official Journal and no more surprises and twists. Let’s finally call PNR with its due research name: one more case study to show the added-value of one or another theory of EU studies.

Then I read the leaked text. I read also the tough criticism by the European Data Protection Supervisor (EDPS – an EU institution focusing on data protection). And I started to think again about all of the above.

The EU PNR Directive foresees the capture of PNR of all passengers on EU-bound flights, departing or arriving from a third country. As the EDPS notes, this measure introduces mass-surveillance by security authorities on European scale. A huge amount of data will be stored for 5 years: 6 months with all personal information immediately available, and 4.5 years partially “masked”, in a depersonalized format that can be still reversed into the original in specific cases. All these data will be processed by run against given databases or specific lists, against specific profiling criteria, and in response to specific queries of security services. These data will also be used to create or update new profiling benchmarks. Not even the Data Retention Directive had such an outreach, because in that case traffic and location data of telecommunication remained stored with the providers, and not automatically and systematically transmitted to law enforcement authorities. As such, PNR is also the name of big data surveillance coming to Europe.

The future of PNR

Surely, the EU PNR Directive sounds quite robust in terms of data protection safeguards. As discussed elsewhere, I kind of ‘love’ data protection and I am confident that data protection safeguards and institutions will contribute to the governing of PNR. And yet, there is still too much of passenger data, despite all guarantees provided by data protection. From this troubling perspective, PNR is also the name of the limits of data protection.

Moreover, despite the fact we’ve seen so much of PNR for so long, there are very few PNR security systems already operational in Europe. Apparently, only the UK eBorders system is up and running (and has recently gone through a storm of criticism), and few others have been slowly launched but not fully implemented. Experience is that this kind of large-scale high-tech systems will be difficult to set up in Europe. For example, this has been the case with the new Schengen Information System (SIS2), whose difficult implementation even delayed for several member states the full enjoyment of a series of Schengen related advantages. The political impact of high-tech security systems was generally discussed – mostly in terms of respect of privacy, data protection and other fundamental rights – until their adoption, but then politics always seem to fade away. PNR becomes the name of the already obliterated future of the politics of high-tech security.

Keeping the pace of PNR

Yet, I believe that it is worth speaking of PNR today and keep looking for the upcoming controversies precisely because of this tendency to obliterate the future political implications of high-tech security. Unless popular TV series decides to show fewer drones and more passenger data, the current attention on PNR is probably the biggest societal exposure that the theme will ever get.

The challenge now is to keep the pace of so much of PNR. To follow how the EU PNR scheme will be set in place – how this mass-surveillance measure will be implemented, which kinds of problems will emerge and how actors will fix them. Notably, the challenge is to keep feel interested in PNR (and other very diverse security systems, such the EUROSUR program for border controls, the European Cybercrime Centre at EUROPOL, etc.) and better understand the ways in which national or European institutions, private companies, individuals or collectives may find leverages of political action through, or against, them.

This is a challenge for research, and in particular for the kind of research approach I tend to ascribe myself to. Several voices within studies on critical security and governmentality have emphasized the need to get closer to the everyday making of security and surveillance. But this is also a challenge for policy makers as well as concerned users and advocates. The deployment of a technology is not a linear process of implementation, but rather a successive enchainment of controversies and arrangements.

 

Strasbourg Court: Hungarian legislation on secret anti-terrorist surveillance does not have sufficient safeguards against abuse

Press release accessible here 

In January 12 Chamber judgment1 in the case of Szabó and Vissy v. Hungary (application no. 37138/14) the European Court of Human Rights held, unanimously, that there had been:

  • a violation of Article 8 (right to respect for private and family life, the home and correspondence)
  • of the European Convention on Human Rights, and
  • no violation of Article 13 (right to an effective remedy) of the European Convention.

The case concerned Hungarian legislation on secret anti-terrorist surveillance introduced in 2011.

The Court accepted that it was a natural consequence of the forms taken by present-day terrorism that governments resort to cutting-edge technologies, including massive monitoring of communications, in pre-empting impending incidents.

However, the Court was not convinced that the legislation in question provided sufficient safeguards to avoid abuse. Notably, the scope of the measures could include virtually anyone in Hungary, with new technologies enabling the Government to intercept masses of data easily concerning even persons outside the original range of operation. Furthermore, the ordering of such measures was taking place entirely within the realm of the executive and without an assessment of whether interception of communications was strictly necessary and without any effective remedial measures, let alone judicial ones, being in place.

Principal facts

The applicants, Máté Szabó and Beatrix Vissy, are Hungarian nationals who were born in 1976 and 1986 respectively and live in Budapest. At the relevant time they worked for a non-governmental watchdog organisation (Eötvös Károly Közpolitikai Intézet) which voices criticism of the Government.

A specific Anti-Terrorism Task Force was established within the police force as of 1 January 2011. Its competence is defined in section 7/E of Act no. XXXIV of 1994 on the Police, as amended by Act no. CCVII of 2011. Under this legislation, the task force’s prerogatives in the field of secret intelligence gathering include secret house search and surveillance with recording, opening of letters and parcels, as well as checking and recording the contents of electronic or computerised communications, all this without the consent of the persons concerned.

In June 2012 the applicants filed a constitutional complaint arguing that the sweeping prerogatives in respect of secret intelligence gathering for national security purposes under section 7/E (3) breached their right to privacy. The Constitutional Court dismissed the majority of the applicants’ complaints in November 2013. In one aspect the Constitutional Court agreed with the applicants, namely, it held that the decision of the minister ordering secret intelligence gathering had to be supported by reasons. However, the Constitutional Court held in essence that the scope of national security-related tasks was much broader than the scope of the tasks related to the investigation of particular crimes, thus the differences in legislation between criminal secret surveillance and secret surveillance for national security purposes were not unjustified.

Complaints, procedure and composition of the Court

Relying on Article 8 (right to respect for private and family life, the home and the correspondence), the applicants complained that they could potentially be subjected to unjustified and disproportionately intrusive measures within the Hungarian legal framework on secret surveillance for national security purposes (namely, “section 7/E (3) surveillance”). They alleged in particular that this legal framework was prone to abuse, notably for want of judicial control. They also complained that their exposure to secret surveillance without judicial control or remedy breached their rights under Article 6 § 1 (right to a fair hearing/ access to court) and Article 13 (right to an effective remedy) read in conjunction with Article 8.

The application was lodged with the European Court of Human Rights on 13 May 2014.

Privacy International and the Center for Democracy & Technology, both non-governmental organisations, were given permission to make written submissions as third parties.

Judgment was given by a Chamber of seven judges, composed as follows:

Vincent A. de Gaetano (Malta), President,
András Sajó (Hungary),
Boštjan M. Zupančič (Slovenia),
Nona Tsotsoria (Georgia),
Paulo Pinto de Albuquerque (Portugal),
Krzysztof Wojtyczek (Poland),
Iulia Antoanella Motoc (Romania),
and also Fatoş Aracı, Deputy Section Registrar.

————————————————-
Decision of the Court

Article 8 (privacy rights)

Firstly, the Court noted that the Constitutional Court, having examined the applicants’ constitutional complaint on the merits, had implicitly acknowledged that they had been personally affected by the legislation in question. In any case, whether or not the applicants – as staff members of a watchdog organisation – belonged to a targeted group, the Court considered that the legislation directly affected all users of communication systems and all homes. Moreover, the domestic law does not apparently provide any possibility for an individual who suspected that their communications were being intercepted to lodge a complaint with an independent body. Considering these two circumstances, the Court was of the view that the applicants could therefore claim to be victims of a violation of their rights under the European Convention. Furthermore, the Court was satisfied that the applicants had exhausted domestic remedies by bringing to the attention of the national authorities – namely the Constitutional Court – the essence of their grievance.

The Court found that there had been an interference with the applicants’ right to respect for private and family life as concerned their general complaint about the rules of section 7/E (3) (and not as concerned any actual interception of their communications allegedly taking place). It was not in dispute between the parties that that interference’s aim was to safeguard national security and/or to prevent disorder or crime and that it had had a legal basis, namely under the Police Act of 1994 and the National Security Act. Furthermore, the Court was satisfied that the two situations permitting secret surveillance for national security purposes under domestic law, namely the danger of terrorism and rescue operations of Hungarian citizens in distress abroad, were sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities were empowered to resort to such measures.

However, the Court was not convinced that the Hungarian legislation on “section 7/E (3) surveillance” provided safeguards which were sufficiently precise, effective and comprehensive in as far as the ordering, execution and potential redressing of such measures were concerned.

Notably, under “section 7/E”, it is possible for virtually any person in Hungary to be subjected to secret surveillance as the legislation does not describe the categories of persons who, in practice, may have their communications intercepted. The authorities simply have to identify to the government minister responsible the name of the individual/s or the “range of persons” to be intercepted, without demonstrating their actual or presumed relation to any terrorist threat.

Furthermore, under the legislation, when requesting permission from the Minister of Justice to intercept an individual’s communications, the anti-terrorism task force is merely required to argue that the secret intelligence gathering is necessary, without having to provide evidence in support of their request. In particular, such evidence would provide a sufficient factual basis to apply such measures and would enable an evaluation of their necessity based on an individual suspicion regarding the targeted individual. The Court reiterated that any measure of secret surveillance which did not correspond to the criteria of being strictly necessary for the safeguarding of democratic institutions or for the obtaining of vital intelligence in an individual operation would be prone to abuse by authorities with formidable technologies at their disposal.

Another element which could be prone to abuse is the duration of the surveillance. It was not clear from the wording of the law whether the renewal of a surveillance warrant (on expiry of the initial 90 days stipulated under the National Security Act) for a further 90 days was possible only once or repeatedly.

Moreover, these stages of authorisation and application of secret surveillance measures lacked judicial supervision. Although the security services are required, when applying for warrants, to outline the necessity of the secret surveillance, this procedure does not guarantee an assessment of whether the measures are strictly necessary, notably in terms of the range of persons and the premises concerned. For the Court, supervision by a politically responsible member of the executive, such as the Minister of Justice, did not provide the necessary guarantees against abuse. External, preferably judicial control of secret surveillance activities offers the best guarantees of independence, impartiality and a proper procedure.

As concerned the procedures for redressing any grievances caused by secret surveillance measures, the Court noted that the executive did have to give account of surveillance operations to a parliamentary committee. However, it could not identify any provisions in Hungarian legislation permitting a remedy granted by this procedure to those who are subjected to secret surveillance but, by necessity, are not informed about it during their application. Nor did the twice yearly general report on the functioning of the secret services presented to this parliamentary committee provide adequate safeguards, as it was apparently unavailable to the public. Moreover, the complaint procedure outlined in the National Security Act also seemed to be of little relevance, since citizens subjected to secret surveillance measures were not informed of the measures applied. Indeed, no notification – of any kind – of secret surveillance measures is foreseen in Hungarian law. The Court reiterated that as soon as notification could be carried out without jeopardising the purpose of the restriction after the termination of the surveillance measure, information should be provided to the persons concerned.

In sum, given that the scope of the measures could include virtually anyone in Hungary, that the ordering was taking place entirely within the realm of the executive and without an assessment of whether interception of communications was strictly necessary, that new technologies enabled the Government to intercept masses of data easily concerning even persons outside the original range of operation, and given the absence of any effective remedial measures, let alone judicial ones, the Court concluded that there had been a violation of Article 8 of the Convention.

Other articles

Given the finding relating to Article 8, the Court considered that it was not necessary to examine the applicants’ complaint under Article 6 of the Convention.
Lastly, the Court reiterated that Article 13 could not be interpreted as requiring a remedy against the state of domestic law and therefore found that there had been no violation of Article 13 taken together with Article 8.

Article 41 (just satisfaction)

The Court held that the finding of a violation constituted in itself sufficient just satisfaction for any non-pecuniary damage sustained by the applicants. It awarded 4,000 for costs and expenses.

Separate opinion

Judge Pinto de Albuquerque expressed a separate opinion which is annexed to the judgment. The judgment is available only in English.

Under Articles 43 and 44 of the Convention, this Chamber judgment is not final. During the three-month period following its delivery, any party may request that the case be referred to the Grand Chamber of the Court. If such a request is made, a panel of five judges considers whether the case deserves further examination. In that event, the Grand Chamber will hear the case and deliver a final judgment. If the referral request is refused, the Chamber judgment will become final on that day.

Once a judgment becomes final, it is transmitted to the Committee of Ministers of the Council of Europe for supervision of its execution. Further information about the execution process can be found here: www.coe.int/t/dghl/monitoring/execution.

Press contacts

echrpress@echr.coe.int | tel.: +33 3 90 21 42 08
Tracey Turner-Tretz (tel: + 33 3 88 41 35 30)
Nina Salomon (tel: + 33 3 90 21 49 79) Denis Lambert (tel: + 33 3 90 21 41 09) Inci Ertekin (tel: + 33 3 90 21 55 30)

The European Court of Human Rights was set up in Strasbourg by the Council of Europe Member States in 1959 to deal with alleged violations of the 1950 European Convention on Human Rights.

Police et justice à l’échelle de l’Union européenne, du désamour au divorce ? La Sécurité intérieure européenne contre l’Espace pénal européen

par Pierre Berthelet (*)

La police et la justice se portent un « amour réciproque » affirme le Professeur Labayle non sans ironie. Il suffit de se rappeler les relations parfois tendues entre les forces de sécurité intérieure d’un côté, et l’autorité judiciaire de l’autre. Il suffit aussi de se remémorer les relations de temps à autre houleuses entre le ministre de l’Intérieur et le Garde des Sceaux, et ce, quelle que soit d’ailleurs la couleur politique du gouvernement.

Même si la rivalité police-justice demeure une question toujours délicate à évoquer, elle est somme toute assez banale en France et dans bon nombre d’États membres de l’Union. Un élément reste néanmoins remarquable, ayant trait, en l’occurrence, à un déplacement à l’échelle européenne de cet affrontement existant au niveau national.

D’emblée, le déplacement de la problématique des rapports difficiles entre la police et la justice à l’échelon de l’Union peut sembler surprenant en raison du fait qu’il n’existe pas d’autorité judiciaire pénale européenne, du moins avant la création d’un Parquet européen dont les statuts sont encore actuellement en négociation.

Il n’y a pas non plus de police européenne. L’office européen de police, Europol, ne possède pas de pouvoirs coercitifs et le traité de Lisbonne de 2007 l’a clairement précisé, enterrant, s’il en est, les derniers espoirs d’un FBI européen.

Ensuite, les questions relatives aux rapports entre la police et la justice ont été abordées au niveau européen sous l’angle de la coopération. En effet, les États souverains ont accepté de mettre en commun certaines de leurs compétences dans ce domaine. Néanmoins, étant donné la sensibilité des matières évoquées (liées intimement aux prérogatives régaliennes du droit de punir et du droit de protéger), ils ont consenti uniquement à la création de mécanismes destinés à faciliter l’entraide entre services policiers d’États différents, de même qu’entre autorités judiciaires.

Pour ces deux raisons, un affrontement police-justice peut paraître en décalage avec le regard porté sur l’Union européenne en tant que projet politique et sur son action dans le domaine des politiques pénales et de sécurité. Elle l’est d’autant plus que police et justice cohabitent sous le même toit, c’est-à-dire dans le cadre d’un même projet, à savoir l’Espace de liberté, de sécurité et de justice (ELSJ) qui, comme son nom l’indique, associe étroitement la sécurité à la liberté et à la justice.

Reste que depuis la création de la « justice et affaires intérieures » (JAI) par le traité de Maastricht de 1992 et l’instauration de cet ELSJ par le traité d’Amsterdam de 1997, beaucoup d’eau a coulé. En premier lieu, le cadre institutionnel a changé et même fondamentalement.

Le traité de Lisbonne a substitué la méthode communautaire à la méthode intergouvernementale. L’ELSJ relève, à présent, du mécanisme de procédure législative ordinaire : le Parlement européen est co-législateur avec le Conseil de l’UE et la Commission européenne dispose d’un quasi-monopole d’initiative législative, tandis que la Cour de justice de Luxembourg peut statuer pleinement sur les actes adoptés.

En deuxième lieu, et ce point mérite d’être souligné, police et justice ont noué des rapports de concurrence depuis le début. La JAI était déjà marquée par des tensions entre les avancées de la coopération policière et les retards de la coopération judiciaire.

La création d’Europol en 1995 a été l’un des éléments justifiant, à côté du souci de ne laisser aucune zone d’impunité aux délinquants au sein du territoire européen, la création d’Eurojust en 2002. Cependant, cette compétition prenait les atours d’une émulation : l’intégration en matière policière s’accompagnait d’une intégration dans le domaine judiciaire.

À l’heure actuelle, la situation est différente. La concurrence se transforme en rivalité et l’émulation en séparation. En effet, l’action de l’Union européenne en matière policière et judiciaire s’organise autour de deux projets distincts : l’Espace pénal européen et la Sécurité intérieure européenne. L’objectif de cette contribution est de montrer que le développement de ces deux projets n’est pas complémentaire et que ceux-ci sont sous-tendus par des logiques distinctes, promus par des communautés rivales, chacune essayant d’imposer ses conceptions à l’autre concernant le rapport liberté/sécurité.

Deux projets différents

Prenant le relais de la Justice et des Affaires intérieures (JAI), l’Espace de liberté, de sécurité et de justice (ELSJ) connecte étroitement diverses problématiques : lutte contre le terrorisme et les formes graves de la criminalité (criminalité organisée, blanchiment, drogue, corruption, traite des êtres humains, etc.), gestion des migrations et des frontières de l’UE, entraide policière et judiciaire civile et pénale.

Cet espace a constitué le terreau sur lequel sont nés plusieurs projets dont le degré de maturation est variable, notamment l’Espace pénal européen et la Sécurité intérieure européenne, chacun d’eux étant mu par des logiques distinctes, l’un tendant à accorder une place de plus en plus prioritaire à la « liberté », alors que l’autre offre clairement une place prééminente à la « sécurité ».

L’Espace pénal européen est bien connu des pénalistes et même au-delà. Il dérive des travaux menés en matière de collaboration judiciaire européenne, initiés dans le cadre du Conseil de l’Europe et prolongés dans celui l’Union européenne à partir du traité de Masstricht. Les actions menées par l’Union consistent à améliorer les dispositifs d’entraide entre les autorités judiciaires nationales. L’objectif de cet Espace pénal européen vise, à travers différents mécanismes, tels que la reconnaissance mutuelle des décisions judiciaires nationales et le rapprochement des législations pénales des États membres, à faire émerger une solidarité judiciaire à l’échelle européenne.

Au-delà de l’idée d’un renforcement de l’arsenal pénal destiné à mieux lutter contre la criminalité et à faire en sorte que les frontières entre États membres ne soient plus un obstacle pour les autorités judiciaires des différents pays, le projet d’Espace pénal revêt un caractère politique au sens où il s’agit d’un projet d’intégration tendant vers l’émergence d’une justice pénale européenne. Les projets menés, dont le plus emblématique est, sans nul doute le mandat d’arrêt européen, ont pour but de conférer aux autorités judiciaires nationales un sentiment d’appartenance à un ensemble supranational. L’Espace pénal européen a une dimension à la fois juridique (à travers divers outils mis en place pour lutter contre la criminalité transnationale) et symbolique (en référence à l’adhésion aux valeurs communes, en premier lieu la justice entendue comme un idéal).

La Sécurité intérieure européenne est, quant à elle, plus récente. Mentionnée ponctuellement dans les textes adoptés dans la foulée des attentats du 11 septembre 2001, elle émerge formellement seulement quelques années plus tard. Envisagée par le programme de Stockholm, en tant que document directeur de l’Espace de liberté, de sécurité et de justice pour la période 2009-2014, elle repose sur un document que le Conseil de l’UE a approuvé les 25 et 26 février 2010. Il s’agit en l’occurrence de la stratégie européenne de sécurité intérieure qui énonce les menaces et les risques pesant sur l’Union et ses États membres.

Cette stratégie détermine les orientations d’une action européenne dans le domaine de la sécurité intérieure et structure la réponse à donner. Elle est un document politique préconisant une approche transversale et intégrée. Il s’agit d’apporter une réponse qui dépasse les politiques de l’UE existantes. À côté de cette dimension intersectorielle, la stratégie entend également transcender les clivages culturels et/ou nationaux. Il est question de mettre en commun les connaissances et les savoir-faire d’acteurs émanant d’horizons différents. Elle vise donc à inclure les organismes publics et privés, à caractère lucratif ou non, de même que les organisations non gouvernementales. Enfin, la stratégie entend développer une approche fondée sur l’information, et ce, sur un mode proactif, le but étant d’intervenir de manière précoce à l’encontre des menaces et des risques identifiés.

La Commission européenne a réalisé, à plusieurs reprises, un bilan de l’action menée. Dans tous les cas de figure, elle a considéré que les avancées étaient conséquentes et que la Sécurité intérieure européenne prenait forme.

Des projets aux logiques distinctes

La stratégie européenne de sécurité intérieure est fondée essentiellement sur l’idée d’un monde dangereux, l’objectif étant de mieux protéger l’Union et ses citoyens, et de préserver plus efficacement ses États membres vis-à-vis de menaces évolutives dans une Europe en pleine mutation. Les préoccupations sont donc de parer les menaces et de faire face aux risques en évitant que des attaques ou des catastrophes surviennent et, lorsque celles-ci ont lieu, de gérer les conséquences.

L’Espace pénal européen repose sur une logique différente. Historiquement, le droit pénal européen tire sa légitimité de cette conception « épée » (sur cette image, voir les travaux d’Anne Weyembergh), de nombreux instruments ayant été adoptés en ce sens au cours des années 1990 et 2000. Les rapports entre répression et droits de l’homme sont incarnés par deux images, d’un côté, le glaive de la justice, figurant l’imperium et la sévérité de la réponse pénale à l’égard des auteurs d’infraction, et de l’autre côté, le bouclier, représentant une justice faisant preuve de modération dans la fixation des peines, se montrant proportionnée dans la détermination du quantum de la santion au regard de la gravité des actes, et surtout protectrice des droits dont jouissent ces mêmes auteurs dans la procédure pénale.

Répression et protection sont en tension, mais dans un État de droit, le souci d’une sanction efficace est toujours contrebalancé par une volonté de respecter les règles définissant avec minutie le cadre procédural à respecter et octroyant un ensemble de droits à la personne mise en cause.

Cela étant dit, les attentats du 11 septembre 2001 ont accentué la dimension répressive du droit pénal. Le mandat d’arrêt européen, dont le projet a été approuvé dans le sillage des attaques, est une illustration du phénomène selon lequel, selon la formule de Thierry Balzacq, la « sécurité » a conquis la « justice ».

Néanmoins, un mouvement inverse s’est opéré en réaction aux mesures sécuritaires prises après les attaques de New York. En germe avec l’adoption de la Charte européenne des droits fondamentaux proclamée au cours du Conseil européen de Nice, le 7 décembre 2000, ce mouvement s’est développé au cours des années 2000 et il s’est prolongé au début des années 2010. Une mobilisation des pénalistes a eu lieu à compter de l’adoption de ces mesures sécuritaires, manifestant une critique des effets d’une vision trop répressive jugée néfaste à la préservation des libertés. Elle résulte aussi de la prise de conscience, avec l’adoption du texte instituant le mandat d’arrêt européen en 2002, de l’impact du droit pénal européen sur le droit national.

Une opposition autour de deux communautés sectorielles

Sécurité intérieure européenne et Espace pénal européen associent chacun des acteurs aux origines multiples. Le projet de Sécurité intérieure européenne permet, à travers la dimension « sécurité » de l’Espace de liberté, de sécurité et de justice, d’associer les services nationaux variés allant des services de renseignement aux gardes-frontières en passant par la police judiciaire, cette dernière étant amenée progressivement à modifier ses techniques d’enquête, au nom de la lutte contre la menace dans une « Europe des insécurités », autour d’une approche davantage proactive.

Le projet d’Espace pénal européen contribue, quant à lui, à mettre à l’agenda la protection des droits fondamentaux. Il rassemble les acteurs mettant l’accent sur la dimension « liberté » et « justice » de l’Espace de liberté, de sécurité et de justice.

Les communautés sectorielles promouvant respectivement la Sécurité intérieure européenne et l’Espace pénal européen se caractérisent par leur forte hétérogénéité.

Il y a d’un côté des magistrats, certains universitaires, notamment des pénalistes favorables à la sauvegarde des droits fondamentaux, des hauts fonctionnaires nationaux et des membes des cabinets de la Justice, la direction générale « Justice » (DG Justice) pour la Commission européenne, des ONG défendant les droits de l’Homme, dans une certaine limite la commission des libertés civiles du Parlement européen (LIBE), le Contrôleur européen à la protection des données soucieux de préserver les citoyens européens de toute atteinte à la vie privée, la Cour de justice de l’Union (CJUE), gardienne de l’État de droit et garante du respect du droit de l’Union européenne, en particulier les dispositions de la Charte européenne des droits fondamentaux, et l’Agence des droits fondamentaux de l’Union européenne (FRA) dont la mission est de protéger à l’échelle de l’Union, aux côtés de la Cour de justice, les libertés des citoyens européens.

Il y a de l’autre, les « sécuritaires », à savoir les services de sécurité des États membres (services de renseignement, garde-frontières, police, douane), des hauts fonctionnaires nationaux et des membres du cabinet de l’Intérieur, la direction générale « Affaires intérieures » (DG HOME) pour la Commission européenne, les agences de sécurité (Europol et Frontex) et le secteur privé (en particulier l’industrie de la sécurité et notamment, les entreprises spécialisées dans le data mining, de même que les sociétés productrices de nouvelles technologies de surveillance des frontières).

Sécurité versus liberté et justice

Les divergences de vues entre les partisans de la Sécurité intérieure européenne et ceux de l’Espace pénal européen constituent une opposition de principe sur les rapports entre la liberté et la sécurité. Elle procède de l’affrontement d’acteurs aux cultures professionnelles distinctes, aux logiques d’action différentes et aux conceptions divergentes, voire antagonistes.

Il existe d’un côté, la conception des participants à l’élaboration de l’Espace pénal européen auquel appartiennent les magistrats, du moins ceux qui se considèrent comme protecteurs des droits fondamentaux et comme gardiens de l’État de droit, et pour qui l’entraide policière doit s’intégrer dans le projet d’Espace pénal européen. Cet espace doit déboucher à long terme, sur l’édification d’une justice pénale européenne organisée autour d’un parquet européen, et reposant sur un ensemble juridique composé de normes pénales européennes harmonisées. L’intervention de l’Union préconisée par les partisans de l’Espace pénal européen repose sur un ensemble de principes d’action tels qu’« il faut lutter contre la criminalité dans le respect des garanties offertes aux mis en cause », « la sécurité ne doit pas constituer une atteinte excessive aux libertés fondamentales », « l’Espace de liberté, de sécurité et de justice est un espace de droit ».

Il existe de l’autre côté, les acteurs appartenant à la Sécurité intérieure européenne estimant peu ou prou que l’entraide policière s’intègre dans un vaste ensemble organisé autour de la lutte contre les diverses formes d’insécurité identifiées. Cet ensemble se développe autour de principes d’action tels que « la manière de faire la sécurité doit se renouveler face à l’hybridation des menaces transnationales », « la réponse doit être globale à l’égard d’un monde de plus en plus mondialisé où les différentes formes de criminalité sont interconnectées », avec, en toile de fond, la nécessité de protéger l’Union vis-à-vis d’un ensemble de menaces et de risques : les réseaux de passeurs de clandestins, les trafiquants de drogue, les organisations criminelles venant notamment de Russie et des Balkans occidentaux, certaines formes particulières de radicalisation et de terrorisme comme les « loups solitaires ». Il s’agit aussi de se doter des moyens permettant de dépister de manière précoce le crime, devenu une question stratégique au même titre que le terrorisme ou la cybermenace, et ce, à partir de techniques permettant de travailler en amont des réalités criminelles. Il est question également d’améliorer le cycle de gestion de catastrophes en renforçant la collaboration entre États membres et en optimisant les différentes phases du cycle à travers des processus plus élaborés, par exemple dans le domaine de la protection des infrastructures critiques.

L’absence d’opposition rigide et monolithique

Les acteurs des communautés sectorielles s’affrontent par projets spécifiques. Néanmoins, l’opposition entre deux pôles antagonistes est en recomposition constante. Il n’y a pas en effet deux blocs figés et homogènes. Ainsi, le pôle des « sécuritaires » est loin de former un tout cohérent. L’élaboration de la Sécurité intérieure européenne est un enjeu entre participants, qu’il s’agisse des agences européennes, des États membres par l’entremise des représentants des cabinets ministériels, des hauts fonctionnaires nationaux et des services de police, de douane, de renseignement ou de surveillance des frontières, ou encore des entreprises privées désireuses de nourrir un marché européen de la sécurité en pleine croissance.

Quant aux promoteurs de la protection des libertés, tous ne sont pas sur la même ligne. Si les pénalistes sont soucieux de la préservation des garanties procédurales lors du procès pénal, le Contrôleur européen à la protection des données est plus attaché à la défense de la vie privée contre diverses formes d’atteintes, et ce, indépendamment de la dimension pénale de celles-ci.

De leur côté, les hauts fonctionnaires et les membres de cabinets de la Justice des États membres ont une sensibilité diverse concernant l’amplitude de la protection des libertés à accorder, liée notamment aux différences culturelles, en particulier selon que leur tradition juridique s’inscrit dans le champ de la Common law ou de la Civil law.

Le Parlement européen est, de son côté, préoccupé par la défense des droits fondamentaux, mais également par ses prérogatives de colégislateur, et il arrive qu’il doive arbitrer entre ces deux types de préoccupation, parfois au détriment de la sauvegarde des libertés. Quant à la Cour de justice de l’Union de Luxembourg, elle doit parvenir à s’imposer dans un domaine, la sauvegarde des droits fondamentaux, dans lequel la Cour européenne des droits de l’Homme de Strasbourg a dégagé une jurisprudence abondante depuis des décennies, notamment concernant les garanties procédurales.

(*) Cet article est une version allégée et simplifiée de l’article publié dans les Cahiers de la sécurité et de justice, n° 31, 2015, pp 39-49. Voir aussi alias securiteinterieure.fr

The Paris Terrorist Attacks : Failure of the EU’s Area of Freedom, Security and Justice?

Original published on the CDRE site on 8 JANVIER 2016

by P. de Bruycker et D. Watt (Odysseus Omnia), H. Labayle (CDRE), A. Weyembergh et C. Brière (Eclan)

In the immediate aftermath of the terrorist attacks in Paris on Friday 13th November, the French President declared a state of emergency and announced the introduction of a number of measures to “mobilise all possible forces in order to neutralise the terrorists and to guarantee the security of all the areas which could be concerned”. These measures included the reintroduction of controls by France at its internal borders with other Schengen States in the interest of preventing both the entry into the territory of dangerous individuals seeking to carry out terrorist attacks, and to thwart the escape of the attackers.

Nonetheless, Salah Abdeslam, a suspect believed to be one of the masterminds of the attacks, managed to escape by crossing the border between France and Belgium during the night from Friday to Saturday without being apprehended and has still not been arrested since, despite significant effort on the part of the Belgian and French police forces. More surprising, although relatively ignored by the media is that he was checked by French police in the border region (around the city of Cambrai) but not apprehended. How can this have happened in the heart of the EU where border guards, police, judges and intelligence services use modern technology to trace such people?

Before putting the area of freedom, security and justice on trial – as some politicians have done – it is certainly important to objectively examine the manner in which the workings of this beast have been confronted by the reality of terrorism. Whether it has to do with controls carried out at borders (Section 1 of this article), or cooperation between national police forces (Section 2), it must be noted that the primary responsibility in this case does not rest with the mechanisms created by the European Union. In contrast, the failure to prevent the rather predictable attacks now creates the question of sharing intelligence between the competent national intelligence agencies, a matter which does not fall within the Union’s competences (Section 3).

1. The pending questions about border policy

Knowing what we know today about the Paris attacks and the background of the perpetrators, a distinction needs to be made between the matter of terrorists crossing internal and external borders of the Schengen Area.

a. The crossing of internal borders

The Schengen Borders Code (SBC) regulates the crossing of the borders of the concerned EU Member States. As outlined in an article by Evelien Brouwer on this blog, Schengen States can, on the basis of Article 23 of the SBC, temporarily reintroduce controls at their internal borders if there is clear justification on the grounds of a threat to public policy or internal security. The existence of such a threat is obviously not in question here.

Schengen States have certain instruments at their disposal to guarantee effective border management in the Schengen Area. The Schengen Information System (SIS) is a database for storing and sharing information about certain individuals who should not enter or travel within the Schengen Area. The second generation – “SIS II” – was established to include the new Member States after the 2004 enlargement by Regulation 1987/2006, which also sets out rules on its operation and use.

There are several reasons a person may be registered in the SIS. Firstly, alerts may be issued in order to refuse entry or stay to third-country nationals either because they are criminals or because their entry has been banned due to non-respect of the immigration rules (Article 24 of Regulation 1987/2006). Secondly, alerts may be issued in order to arrest third-country nationals or EU citizens on the basis of a European arrest warrant (EAW) or extradition. This type of alert applies to missing individuals, persons sought to assist with a judicial procedure, and for the purpose of discreet or specific checks (see Council Decision 2007/533).

As Salah Abdeslam is French and not a third-country national, he could not, by definition, be the object of an alert related to the immigration policy. When he was checked by the French police during the night of 13 to 14 November, he was not known to the French authorities apparently because, despite being French, he was living in Belgium. He was also not the object of an alert for the purpose of arrest as the EAW was only issued by Belgium after the attacks, on Sunday. He had however been signalled in the SIS by the Belgian authorities as a person to be the object of a “discreet or specific check”. Following Article 36 of Council Decision 2007/533, such an alert may be issued for the purposes of prosecuting criminal offences and for the prevention of threats to public security, “in particular where an overall assessment of a person, in particular on the basis of past criminal offences, gives reason to suppose that that person will also commit serious criminal offences in the future”.

Given the stated goals of the closure of French borders – to stop the escape of those who carried out the attacks – one might begin to question how it can be that the check conducted by the French police did not lead to the arrest of Salah Abdeslam. Even if he was not mentioned in the SIS for the purpose of arrest, a signal for a discreet or specific check should have attracted the attention of the police and could have lead to his arrest. One can rightly wonder what happened: was the information stored in the SIS not precise enough? In this case, did the French police use the SIRENE system to get more information from the Belgian authorities? If not, why? We are used to Schengen-bashing and recently to Belgium-bashing, could it be fair to say that this time there should be some France-bashing?

It would be interesting to get an answer to those questions in order to understand what was indeed the problem. In any case, even if there had been a problem with the SIS and not with the actions of the French Police, it is clear that such transnational criminality can only be addressed at the international level. In any case, the answer lies perhaps in a better SIS or a better use of the SIS by Member States. The answer is certainly not less Schengen.

b. The crossing of external borders

The attacks in Paris have brought a significant amount of attention to the issue of border controls, in particular since it has been confirmed that at least one of the terrorists, holding a Syrian passport, entered the EU through Greece via a route used by refugees. It is also suggested that the Paris attackers, themselves EU citizens, had left the EU to fight in Syria and returned to carry out the attacks in Paris, and that one of them, Salah Abdeslam, could even have managed to flee to Syria after the attacks. This is the phenomenon of so-called “Foreign Fighters”: EU citizens who become radicalised and leave their home in the EU to join the war in Syria before returning to Europe. The European Union’s Counter-Terrorism Coordinator, Gilles de Kerchove, has been warning Member States for many months about the need for strong action to be taken in this area, though his warnings have not been heeded. The main concern here is that such individuals are extremely difficult to detect, including when they enter or leave the Schengen Area by crossing its external borders.

The Schengen Borders Code provides in Article 7(2) that European citizens and other people enjoying the right to free movement in the EU, such as the family members of these groups, who cross the Schengen external border shall only be subject to minimum checks. This concerns the travel documents presented by those persons at the external border, such as an identity card or passport. On the contrary, third-country nationals are subject to thorough checks following Article 7(3) that foresees under point (a)(vi) “the direct consultation of the data and alerts on persons and, where necessary, objects included in the SIS and in national data files”. Such checks are sometimes described as being about persons instead of about documents.

Although Border Guards may consult relevant databases such as the SIS to ensure, among other things, that European citizens crossing the external borders do not represent a serious threat to internal security, a systematic consultation of these databases is not permitted. The EU and  its Member States have been struggling with this prohibition of systematic checks of persons for some years now. It is clear that absolutely all EU citizens cannot be checked against databases at one crossing point of the external borders as this would directly contravene this provision. The Commission considers that this does not prevent conducting systematic checks of persons selected on the basis of a risk assessment, for instance some category of persons embarking on flights going to or coming from the vicinity of a conflict zone. TheHandbook for Border Guards was modified on 15 June 2015 to include that interpretation.

Nonetheless, Member States in the Council have been calling for the revision of the SBC regarding the systematic consultation of databases for persons enjoying free movement since the beginning of the year, motivated in large part by the Charlie Hebdo attacks in Paris in January 2015. The concerns about the threat of foreign fighters crossing back into the EU undetected are also the basis for a list of Common Risk Indicators (CRI’s), which has been drawn up by the Commission. However, it appears that these confidential CRI’s are too general and too vague in nature, leading to their ineffective implementation by Border Guards. Indeed, a Council document from 5 October from the EU Counter-Terrorism Coordinator explains that “challenges remain in the proper implementation of CRI’s at the external border”. No doubt the ineffectiveness of CRI’s is a contributing factor to the Council’s renewed call for revision of the SBC, as expressed by the Ministers for Justice and Home Affairs on 20 November. Meeting in the wake of the Paris attacks, the Council stated that Member States shall “undertake to implement immediately the necessary systematic and coordinated checks at external borders, including on individuals enjoying the right of free movement”.

One can hardly deny that such checks can be necessary, in particular at the external borders of some areas that foreign fighters are believed to cross more often than others. The current provision of the Schengen Borders Code seems inappropriate by forbidding systematic checks and this explains why the European Commission finally decided on 15 December 2015 to present a proposal to amend Article 7 of the SBC that will, once adopted, not only allow but oblige border guards to verify that an EU citizen is not “considered to be a threat to the internal security, public policy, international relations of any of the Member States or to public health, including by consulting the relevant Union and national databases, in particular the SIS”.

Does this contravene the freedom of movement that EU citizens enjoy on the basis of the EU treaties? The answer seems at first look negative, because freedom of movement concerns a priorimovement within the borders of the European Union and not the crossing of its external borders. Nevertheless, Directive 2004/38 implementing freedom of movement also contains provisions recognising the right of EU citizens to enter and to leave the territory of the Member States that could be considered part of the freedom of movement. Article 4 on the right of exit and Article 5 of the right of entry exist “without prejudice to the provisions on travel documents applicable to national border controls”. If this provision, interpreted narrowly, does not explicitly cover the consultation of databases, one should not forget that Article 27 of the same Directive allows Member States to restrict the freedom of movement and residence of Union citizens on the grounds of public policy, public security or public health. There is no doubt that the consultation of databases for security purposes like the SIS falls under the exception of public security. The conclusion is that the Commission proposal is in line with freedom of movement enjoyed by EU citizens.

Even if one may consider that a proposal to modify Article 7 of the SBC could have been presented earlier by the Commission without wasting time to discuss its possible interpretation with Member States, the Schengen acquis will be clarified to allow the systematic control of the movement of foreign fighters at the external borders of the EU. The sooner the better, so that the Council of Ministers and the European Parliament must now prove that when necessary, they can amend existing EU rules in a period of time comparable to that within which Member States with a Parliament made of two chambers can operate.

2. The effectiveness of police and judicial cooperation in criminal matters after the attacks

The Paris attacks and their subsequent developments, such as the flight of the suspected terrorist, Salah Abdeslam, to Belgium by car, trigger the application of mechanisms of police and judicial cooperation in criminal matters. These mechanisms have been extensively developed since the mid-1990’s, and particularly after the entry into force of the Amsterdam Treaty. Today a vast array of instruments, actors and databases are at the disposal of national authorities in charge of investigating and prosecuting terrorism. The anti-EU discourse that followed the attacks, which so often focusses on inaction during grave events, should have been balanced by an analysis of what happened in reality.

In the field of police cooperation, the importance of Europol should be underlined, both in terms of exchange and analysis of information and in terms of support for operational actions. The adoption of the compromise text on the Commission’s original proposal for a Europol Regulation, which was approved by the Council on 4 December 2015, should contribute to the improvement of cross-border police cooperation, as it should increase the agency’s capacity to act as “a hub for information exchange between the law enforcement authorities of the Member States”. One “Focal Point Travellers » has especially been set up in 2014, in which “foreign fighters” are recorded, even though it is for the Member States to make the focal point a reality by providing the content. The so-called 2008 “Prüm Decision” should be mentioned here as well. It aims particularly at mandating the exchange of DNA, fingerprint and vehicle registration data (VRD) amongst the Member States.

In terms of judicial cooperation in criminal matters, Christiane Taubira, French Minister for Justice, insisted after the JHA Council of 20 November 2015, that we do have instruments to address this type of crime and they have worked well for the cooperation with the Member States affected by the investigations.

On the morning following the attacks, requests for mutual assistance in judicial matters were issued and sent to Belgium and Germany. They were addressed very quickly on the basis of the 2000 Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union.

Among the other instruments specific to the EU legal order which have been used in this context, theFramework Decision 2002/584/JHA on the European Arrest Warrant (EAW) is to be mentioned. Adopted in the aftermath of 9/11, the EAW, which is considered the “success story” of the EU area for criminal justice, organises faster and simplified surrender procedures, directly conducted by judicial authorities, without political involvement and with a limited number of grounds for refusal. One or more EAWs have been issued since the Paris attacks against suspects, which implies that competent law enforcement authorities located on the EU territory have the duty to arrest them. On the request of the issuing judicial authority, the issuance of an EAW can be coupled with its transmission via an alert in the Schengen Information System and/or in the Interpol database.

The European Criminal Records Information System (ECRIS), based on a 2009 Council Decision, which is to be read with the Framework Decision on the organisation and the content of the exchange of information extracted from the criminal record between Member States, has also been mobilised and proved its added value for the collection of information on the past convictions of the terrorist suspects. Operational since 2012, this system couples the principle of centralising convictions in the criminal records of the Member State of nationality with an interconnection of the criminal records of the Member States, enabling electronic exchange of standardised information.

Finally, joint investigation teams (JITs), belonging both to police cooperation and judicial cooperation, have a clear added-value. A JIT has been set up between France and Belgium, for which the Ministries of Justice of each country gave their agreement on 16 November. The setting up of a JIT allows the constitution of a team consisting of judges, prosecutors and law enforcement authorities, established for a fixed period and a specific purpose, to carry out criminal investigations in one or more of the involved States. One of the advantages of such JITs is the exchange of information and evidence obtained, without having to go through requests for mutual legal assistance.

Despite these positive elements, cooperation between authorities of the EU Member States can still be improved:

  • Firstly, some of the abovementioned instruments, such as the 2008 Prüm Decision or the JITs Framework Decision, have not or have not correctly been transposed by Member States. The importance of correct implementation at the national level has been frequently underlined, for instance by the European Council Strategic Guidelines of June 2014 and by the conclusions of the JHA Council of 20 November. In this respect the end of the transitional period on the 1st December 2014 should push the recalcitrant Member States to conform with EU law as they may be subject to enforcement proceedings for non implementation of acts adopted before the entry into force of the Lisbon Treaty.
  • Secondly, some difficulties are also being witnessed at the level of implementation in practice. There is, for instance, a considerable shortfall between, on the one hand, the information available at national level and, on the other hand, the information transmitted to and shared with the competent authorities of other Member States. Besides, the information transmitted to Europol is not always sufficient, hampering the completion of its mandate. In this context, on 20 November 2015, the JHA Council announced the establishment of the European Counter-Terrorism Centre (ECTC) on 1 January 2016, which is envisaged as a platform by which Member States can increase information sharing and operational cooperation with regard to the monitoring and investigation of foreign terrorist fighters, the trafficking of illegal firearms and terrorist financing. A similar centre, the EC3, was set up a few years ago in the field of cybercrime, and it has proven to be a useful tool. The utility of the ECTC will largely depend upon the willingness of Member States to share their information, which has been insufficient to date, as shown by the example of the “Focal Point Travellers” of Europol about foreign fighters following a discussion paper of the EU Counter-Terrorism Coordinator.
  • Thirdly, some of the abovementioned instruments suffer from certain limits. ECRIS works efficiently only with regard to EU citizens. Concerning third country nationals, it is still necessary to consult all Member States’ criminal records to know about their past convictions. For years, the possibility of establishing a European index for convicted third country nationals has been discussed. In its conclusions of 20 November, the JHA Council welcomed the intention of the Commission to submit an ambitious proposal for the extension of ECRIS to cover third country nationals by January 2016.
  • Finally, further new legislative measures should be proposed shortly, for instance in the field of the approximation of substantive criminal law, particularly the criminalisation of terrorist offences. Indeed, according to the Council conclusions of 20 November, the Commission should present a proposal for a directive updating the 2002 and 2008 Framework Decisions on Combating Terrorism . This revision will implement in EU law the UNSC Resolution 2178 (2014) and the additional Protocol to the Council of Europe Convention on Foreign Terrorist Fighters. This will especially aim to oblige Member States to criminalise offences linked to travelling abroad for the purpose of terrorism.

In conclusion, the recent tragic terrorist attacks have shown that national police and judicial authorities are aware of the tools at their disposal in the field of police cooperation and judicial cooperation in criminal matters. They do not hesitate to rely on them. However there is still room for improvement. The transnational elements of the recent attacks clearly illustrate the need for cross-border cooperation in the criminal field. Member States should realise that the solution encompasses more cooperation and that reflexes of national sovereignty are vain and detrimental to the identification and prosecution of terrorist suspects. In such a move forward, the EU must ensure the right balance between the different interests at stake and not sacrifice fundamental rights at the altar of security as underlined by Stefan Braum in a recent paper published on the blog of the GDR/ELSJ.

3. The failure of intergovernmental cooperation in the field of intelligence

In the days following the attacks, criticisms were voiced against the deficiencies in the cooperation between national intelligence services. It was for instance reported that the Belgian services had information about the danger represented by the Abdeslam brothers, but never shared this information with their French colleagues.

It is important to make a preliminary remark distinguishing cooperation in the field of police information on the one hand and intelligence in the sense of renseignements in French on the other hand.

Whereas police information sharing is subject to EU legislation, adopted under the EU competences in police cooperation in criminal matters, as described above, intelligence sharing does not fall within the EU competences, and the EU is prevented from taking any action in this regard. In the current legal framework, in force since the adoption of the Treaty of Lisbon, no less than three provisions insist on the lack of competence for the EU in matters of national security. Article 4(2) TEU provides that the EU shall respect the essential State functions of its Member States, including safeguarding national security. InArticles 72 and 73 TFEU, it is stated that the Title of the Area of Freedom, Security and Justice shall not affect the exercise of the responsibilities incumbent upon Member States with regard to the safeguarding of internal security, and it is open to the Member States to organise between themselves and upon their responsibility such form of cooperation and coordination as they deem appropriate between the competent departments of their administration responsible for safeguarding national security. In other words, cooperation between national intelligence services in charge of safeguarding national security is left in the hands of the Member States, and is thus conducted on an intergovernmental basis.

As a consequence, blaming the EU for the lack of intelligence sharing between France and Belgium is an unjustified criticism. The idea of creating a European Intelligence Agency has been mentioned by some observers but was promptly rejected on Friday 20 November by the JHA Council, as it appears to be outside of the scope of EU competences in the current state of the EU treaties. Moving forward in this field in the institutional framework of the EU would clearly imply a revision of the treaties. The feasibility of such revision is of course questionable because of its extremely high sensitivity in terms of national sovereignty. It shall indeed not be forgotten that intelligence is, by definition, extremely sensitive data, which national authorities may be reluctant to share, for instance in order to safeguard the safety of their informants. Furthermore, even cooperation within each Member State is sometimes problematic, as intelligence service might be reluctant to cooperate extensively with law enforcement, judicial or other authorities.

The absence of EU competences does not imply that there is a complete absence of European multilateralisation of cooperation in the field of the intelligence. In this regard, the EU Intelligence and Situation Centre (EU INTCEN) is to be mentioned. However, this centre has a limited mandate, which is to provide intelligence analysis, early warning and situational awareness to the High Representative and to the EEAS, in the fields of security, defence and counter-terrorism. This agency is the successor of the EU Situation Centre (SITCEN), created to answer the need of timely and accurate intelligence analysis to support EU policymaking. Despite its title, this agency is not a European Intelligence Agency. It has no operational powers, nor powers in the field of cooperation between national intelligence services. Its core mandate consists of publishing intelligence assessments, reports and summaries, as well as threat assessments for EU personnel, on the basis of open sources and analytical reports transferred from national intelligence authorities. Another initiative to mention is the so-called ‘Club de Berne’, which is an intelligence-sharing forum between the intelligence services of the EU Member States, Norway and Switzerland, within which a counter-terrorism group was established in 2001. It works outside the EU institutional framework but entertains some relations with it, especially via the participation of the INTCEN.

Conclusion

In conclusion, the shock generated by the Paris attacks should push the EU and its Members to engage in a much deeper reflection than their many working meetings have provoked. They must reflect firstly on the criminal motivations which led EU citizens, both French and Belgian, to commit such abominations. To stubbornly insist to the public that these criminals were not the product of our own societies is a grave error which prevents us from considering the causes and therefore inhibits us from conceiving of the appropriate response. They must further reflect on the multiple failures and responsibilities relating to the events in Paris. Rather than exploiting them to justify criticism of the EU, it should be realised that a more integrated and coordinated area of freedom and security is the only possible solution.

This is true on two conditions. The first condition is that there must be real responsibility in its administration, which is far from the case in current border management and intelligence sharing. The second condition is that, above all, there must be an agreement on the values which make up this area, in both the central role of the judicial institution and its fundamental guarantees.

The New EU General Data Protection Regulation – A First Assessment

Original published on the European Academy for Freedom of Information and Data Protection  site (EAID)

by Peter SCHAAR

The results of the trilogue of the EU institutions (European Parliament, Commission and Council) on the data protection reform package (SEE BELOW)  is an important milestone on the way into the global information society. The General Data Protection Regulation (GDPR) will replace 28 different data protection laws of the Member States.

The reach of the new legal framework extends beyond the European Union. Even companies with headquarters outside the EU will have to comply with the GDPR so far they are doing business in EU Member States and process data generated here (article 3 para. 2). Compliance with the rules is monitored by independent data protection authorities, which all have in future same, effective sanction powers.

In cases of serious infringements they may impose fines up to up to 4% of the global annual turnover against the respective companies (art. 79). It has to be highlighted, that a number of last minute attempts have failed to mitigate or weaken the new privacy requirements in central points, such as on scope of the regulation or the purpose limitation rules.

Nevertheless, there are also areas where the result is less positive than hoped for. Thus, the EP has not been completely successful in the requirements on individual consent to the processing of personal data (‚the data subject’s consent‘ means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative, signifies agreement to personal data relating to them being processed“ – article 4 para 8). Explicit consent is only required if consent refers to „special categories of personal data“ (article 9) – such as health data or genetic information. Also the rules on profiling lag behind the demands of privacy advocates. The relevant provisions are limited to decisions based solely on automated processing, which produce legal effects concerning the data subject or similarly significantly affects him or her (article 20).

During the negotiations, critics – in particular from Germany – complained the GDPR would weaken or undermine the data protection requirements defined by national law.  Today we can say, this fear did not realize, at least in general.

Only in specific areas the new legal requirements are lagging behind the present national laws, for example with regard to the more stringent data protection provisions for Internet services of the German Telemedia Act.  On the other hand, the German data protection level is just here high only in theory, but not de facto.

This became evident from the example Facebook: German data protection authorities have failed with lawsuits against the company whose European headquarters is located in Dublin – to undertake to comply with the German data protection rules.

However, every company that does business in Europe in future must comply with the new single European data protection law. This is real progress, even if the GDPR in certain areas lagging behind the national law.

In addition, there are other areas – such as the Federal Citizens Registration Act – where data protection requirements of new EU regulation are stricter than the present German legislature.

The unconditional dissemination of public register data on request to everybody is not compatible any more with European law and must be terminated.

Light and shadow also for the rules on the internal data protection officer (DPO). On one hand, article 35 obliges public authorities and government agencies – except for courts acting in their judicial capacity – to designate a DPO.  Also those private companies have to designate a DPO, whose „core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and sistematic monitoring of data subjects on a large scale“ or with core activities consisting „of processing on a large scale of special categories of  data pursuant to Article 9 and data relating to criminal convictions and offences“.

However, the significantly more stringent requirements of the German Federal Data Protection Act on DPOs have not completely been included in the GDPR. At least the adopted text allows the national legislators to stick to the mandatory designation of DPO (article 35 (4): „in cases other than those referred to in paragraph 1, the controller or processor … may or, where required by Union or Member State law shall, designate a data protection officer …“) .

Even if, as expected, the provisions now adopted – the GDPR and the Directive on data protection for police and justice – will soon pass the formal EU legislative procedure, a lot of work has still to be done at European and at national level prior to their entry into force in 2018.

  • At EU level the compatibility of other legal provisions with the GDPR has to be reviewed. This particularly applies to the directive on data protection in electronic communications („ePrivacy Directive“).
  • Governments and parliaments of the Member States are requested to review their national law. This applies in particular for Germany with its numerous sector specific data protection provisions. Many laws need to be revised, some need to be eliminated.
  • A special mission coming to the national legislators is the processing of personal data in the employment context. Article 82 GDPR provides the national legislators with  competence to regulate the handling of employee data in detail. („Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees‘ personal data in the employment context, …“).
  • National regulators have also to deal with the question of how far the legal provisions for data processing for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties need to be adapted to the requirements of the new Data Protection Directive for police and justice.
  • Finally, businesses and public authorities have to adapt their practices to the new rules. New processes and procedures have to be designed, existing procedures need to be changed …

The European Academy for Freedom of Information and Data Protection (EAID), Berlin, will focus in the coming years on the impact of new EU data protection rules. For 2016 we are planning workshops for decision-makers in business, politics and administration on implementation of the new EU rules and on needs for revision of national legislation.

READ MORE ON THE DATA PROTECTION REFORM PACKAGE:

The text of the Draft Regulation as agreed is accessible HERE  (204 Pages !)
The text of the Multicolumn Table (with the positions of the three institutions) of the Draft REGULATION is here (671 pages !)
The text of the Draft Directive (data protection in the law enforcement sector) as agreed is accessible here ( 102 pages)
The text of the Multicolumn Table with the position of the three institutions on the Draft DIRECTIVE  is accessible here (271 pages !)

Zakharov v Russia: Mass Surveillance and the European Court of Human Rights

Reblogged also by EU LAW ANALYSIS on Wednesday, 16 December with permission from the IALS Information Lawand Policy Centre blog

by Lorna Woods, (*) 

Introduction 

The European Court of Human Rights has heard numerous challenges to surveillance regimes, both individual and mass surveillance, with mixed results over the years.   Following the Snowden revelations, the question would be whether the ECtHR would take a hard line particularly as regards mass surveillance, given its suggestion in Kennedy that indiscriminate acquisition of vast amounts of data should not be permissible. Other human rights bodies have condemned this sort of practice, as can be seen by the UN Resolution 68/167 the Right to Privacy in the Digital Age. Even within the EU there has been concern as can be seen in cases such as Digital Rights Ireland (discussed here) and more recently in Schrems (discussed here). The Human Rights Court has now begun to answer this question, in the Grand Chamber judgment in Zakharov v. Russia(47143/06), handed down on December 4 2015.

Facts

Zakharov, a publisher and a chairman of an NGO campaigning for media freedom and journalists’ rights, sought to challenge the Russian system for permitting surveillance in the interests of crime prevention and national security. Z claimed that the privacy of his communications across mobile networks was infringed as the Russian State, by virtue of Order No. 70, had required the network operators to install equipment which permitted the Federal Security Service to intercept all telephone communications without prior judicial authorisation.

This facilitated blanket interception of mobile communications. Attempts to challenge this and to ensure that access to communications was restricted to authorised personnel were unsuccessful at national level. The matter was brought before the European Court of Human Rights. He argued that the laws relating to monitoring infringe his right to private life under Article 8; that parts of these laws are not accessible; and that there are no effective remedies (thus also infringing Art. 13 ECHR).

Judgment

The first question was whether the case was admissible. The Court will usually not rule on questions in abstracto, but rather on the application of rules to a particular situation. This makes challenges to the existence of a system, rather than its use, problematic. The Court has long recognised that secret surveillance can give rise to particular features that may justify a different approach. Problematically, there were two lines of case law, one of which required the applicant to show a ‘reasonable likelihood’ that the security services had intercepted the applicant’s communications (Esbester) and which favoured the Government’s position, and the other which suggested the menace provided by a secret surveillance system was sufficient (Klass) and which favoured the applicant.

The Court took the opportunity to try to resolve these potentially conflicting decisions, developing its reasoning in Kennedy. It accepted the principle that legislation can be challenged subject to two conditions: the applicant potentially falls within the scope of the system; and the level of remedies available. This gives the Court a form of decision matrix in which a range of factual circumstances can be assessed. Where there are no effective remedies, the menace argument set out in its ruling in Klass would be accepted.

Crucially, even where there are remedies, an applicant can still challenge the legislation if ‘due to his personal situation, he is potentially at risk of being subjected to such measures’ [para 171]. This requirement of ‘potentially at risk’ seems lower than the ‘reasonable likelihood’ test in the earlier case of Esbester. The conditions were satisfied in this case as it has been recognised that mobile communications fall within ‘private life’ and ‘correspondence’ (see Liberty, para 56, cited here para 173).

This brought the Court to consider whether the intrusion could be justified. Re-iterating the well-established principles that, to be justified, any interference must be in accordance with the law, pursue a legitimate aim listed in Article 8(2) and be necessary in a democratic society, the Court considered each in turn.

The requirement of lawfulness has a double aspect, formal and qualitative. The challenged measure must be based in domestic law, but it must also be accessible to the person concerned and be foreseeable as to its effects (see e.g Rotaru). While these principles are generally applicable to all cases under Article 8 (and applied analogously in other rights, such as Articles 9, 10 and 11 ECHR), the Court noted the specificity of the situation. It stated that:

‘…. domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures’ [para 229].

In this, the Court referred to a long body of jurisprudence relating to surveillance, which recognises the specific nature of the threats that surveillance is used to address. In the earlier case of Kennedy for example, the Court noted that ‘threats to national security may vary in character and may be unanticipated or difficult to define in advance’ [para 159].

While the precision required of national law might be lower than the normal standard, the risk of abuse and arbitrariness are clear, so the exercise of any discretion must be laid down by law both as to its scope and the manner of its exercise. It stated that ‘it would be contrary to the rule of law … for a discretion granted to the executive in the sphere of national security to be expressed in terms of unfettered power’ [para 247]. Here, the Court noted that prior judicial authorisation was an important safeguard [para 249]. The Court gave examples of minimum safeguards:

  • The nature of offences which may give rise to an interception order
  • A definition of the categories of people liable to have their telephones tapped
  • A limit on the duration of telephone tapping
  • Protections and procedures for use, storage and examination of resulting data
  • Safeguards relating to the communication of data to third parties
  • Circumstances in which data/recordings must be erased/destroyed (para 231)
  • the equipment installed by the secret services keeps no logs or records of intercepted communication, which coupled with the direct access rendered any supervisory arrangements incapable of detecting unlawful interceptions
  • the emergency procedure provided for in Russian law, which enables interception without judicial authorization, does not provide sufficient safeguards against abuse.

The Court then considered the principles for assessing whether the intrusion was ‘necessary in a democratic society’, highlighting the tension between the needs to protect society and the consequences of that society of the measures taken to protect it. The Court emphasised that it must be satisfied that there are adequate and effective guarantees against abuse.

In this oversight mechanisms are central, especially where individuals will not – given the secret and therefore unknowable nature of surveillance – be in a position to protect their own rights. The court’s preference is to entrust supervisory control to a judge. For an individual to be able to challenge surveillance retrospectively, affected individuals need either to be informed about surveillance or for individuals to be able to bring challenges on the basis of a suspicion that surveillance has taken place.

Russian legislation lacks clarity concerning the categories of people liable to have their phones tapped, specifically through the blurring of witnesses with suspects and the fact that the security services have a very wide discretion. The provisions regarding discontinuation of surveillance are omitted in the case of the security services. The provisions regarding the storage and destruction of data allow for the retention of data which is clearly irrelevant; and as regards those charged with a criminal offence is unclear as to what happens to the material after the trial.

Notably, the domestic courts do not verify whether there is a reasonable suspicion against the person in respect of whose communications the security services have requested interception be permitted. Further, there is little assessment of whether the interception is necessary or justified: in practice it seems that the courts accept a mere reference to national security issues as being sufficient.

The details of the authorisation are also not specified, so authorisations have been granted without specifying – for example – the numbers to be interception. The Russian system, which at a technical level allows direct access, without the police and security services having to show an authorisation is particularly prone to abuse. The Court determined that the supervisory bodies were not sufficiently independent. Any effectiveness of the remedies available to challenge interception of communications is undermined by the fact that they are available only to persons who are able to submit proof of interception, knowledge and evidence of which is hard if not impossible to come by.

Comments

The Court could be seen as emphasising in its judgment by repeated reference to its earlier extensive case law on surveillance that there is nothing new here. Conversely, it could be argued that Zakharov is a Grand Chamber judgment which operates to reaffirm and highlight points made in previous judgments about the dangers of surveillance and the risk of abuse. The timing is also significant, particularly from a UK perspective. Zakharov was handed down as the draft Investigatory Powers Bill was published. Cases against the UK are pending at Strasbourg, while it follows the ECJ’s ruling in Schrems, with Davis (along with the Swedish Tele2 reference), querying whether theDigital Rights ruling applies to national data retention schemes, now pending before the ECJ (on that issue, see discussion here). The ECtHR noted the Digital Rights Ireland case in its summary of applicable law.

In setting out its framework for decisions, the Court’s requirement of ‘potentially at risk’ even when remedies are available seems lower than the ‘reasonable likelihood’ test in Esbester. The Court’s concern relates to ‘the need to ensure that the secrecy of surveillance measures does not result in the measures being effectively unchallengeable and outside the supervision of the national judicial authorities and of the Court’ [para 171]. This broad approach to standing is, as noted by Judge Dedon’s separate but concurring opinion, in marked contrast to the approach of the United States Supreme Court in Clapper where that court ‘failed to take a step forward’ (Opinion, section 4).

The reassessment of ‘victim status’ simultaneously determines standing, the question of the applicability of Article 8 and the question of whether there has been an infringement of that right. The abstract nature of the review then means that a lot falls on the determination of ‘in accordance with the law’ and consequently the question of whether the measures (rather than individual applications) are necessary in a democratic society. The leads to a close review of the system itself and the safeguards built in. Indeed, it is noteworthy that the Court did not just look at the provisions of Russian law, but also considered how they were applied in practice.

The Court seemed particularly sceptical about broadly determined definitions in the context of ‘national, military, economic or ecological security’ which confer ‘almost unlimited degree of discretion’ [para 248]. Although the system required prior judicial authorisation (noted para 259], in this case it was not sufficient counter to the breadth of the powers. So, prior judicial authorisation will not be a ‘get out of gaol free’ card for surveillance systems. There must be real oversight by the relevant authorities.

Further, the Court emphasised the need for the identification of triggering factor(s) for interception of communications, as otherwise this will lead to overbroad discretion [para 248]. Moreover, the Court stated that the national authorisation authorities must be capable of ‘verifying the existence of a reasonable suspicion against the person concerned’ [260-2], which in the context of technological access to mass communications might be difficult to satisfy. The Court also required that specific individuals or premises be identified. If it applies the same principles to mass surveillance currently operated in other European states, many systems might be hard to justify.

A further point to note relates to the technical means by which the interception was carried out. The Court was particularly critical of a system which allows the security services and the police the means to have direct access to all communications. It noted that ‘their ability to intercept the communications of a particular individual or individuals is not conditional on providing an interception authorisation to the communications service provider’ [para 268], thereby undermining any protections provided by the prior authorisation system.

Crucially, the police and security services could circumvent the requirement to demonstrate the legality of the interception [para 269]. The problem is exacerbated by the fact that the equipment used does not create a log of the interceptions which again undermines the supervisory authorities’ effectiveness [para 272]. This sort of reasoning could be applied in other circumstances where police and security forces have direct technical means to access content which is not dependent on access via a service provider (e.g. hacking computers and mobiles).

In sum, not only has the Russian system been found wanting in terms of compliance with Article 8, but the Court has drawn its judgment in terms which raised questions about the validity of other systems of mass surveillance.

  • Professor of Internet Law, University of Essex

 

The new Europol: no more European FBI, not yet European NSA…

by Emilio DE CAPITANI

On November 30th the European Parliament Civil Liberties Committee “informally”  endorsed (by 43 votes to 5 with 4 abstentions) the text that the Council will soon adopt as “its” position on the post-Lisbon European Union Agency for Law Enforcement Cooperation and Training (Europol).

Following the “informal” interinstitutional practice of the so-called “legislative trilogues” (particularly the so-called “early second reading” agreements), the Chair of the LIBE Committee has already addressed a letter to the President of the Permanent Representatives Committee announcing that when the Council will formally send the text to the plenary, LIBE will recommend the Council’s text be approved  without amendments in the Parliament’s second reading so that the legislative procedure will be finalized and the “informally” agreed text (after some linguistic corrections) could be published in the coming months in the Official Journal.

I have already expressed my strong personal reservations on the legitimacy of such “informal” practices, notably because they are done in secret when treaties require the transparency of legislative debates (and negotiations) also for the Council. In the Europol case the latest public texts were: the first “reading” of the EP adopted on 25 February 2014 (at the end of the previous legislature) and the “general approach” of the Council  on 5 June 2014. Ten secret “trilogues” have been held in the following 16 months until suddenly, at the end of November 2015, a draft compromise has finally emerged and has been submitted to the vote of the Coreper and of the Parliamentary committee, paving the way to the “formal” legislative procedure.

Leaving aside European procedural (and democratic) intricacies, the text agreed (see below) is far below what could have been expected after the entry into force, six years ago, of the Lisbon Treaty. Because of the confidentiality of the negotiations, it is difficult to say now if such of a low-level compromise is due to the lack of ambition of the European Parliament or, more likely, of the EU Member States.

What is evident even from a quick reading, is that most of the possible improvements resulting from the Lisbon treaty have not been agreed and even if many things have apparently changed, the most important aspects are still as they were in the pre-Lisbon era (not to say the Maastricht era) and some new worrying aspects are taking shape.

First and foremost, the revision of the most important tool for police cooperation is taking place in the absence of a comprehensive post-Lisbon legally binding framework for police cooperation, as could have been done on the basis of art.87 of the TFEU.  So, even if the new Regulation recognises that “Large-scale criminal and terrorist networks pose a significant threat to the internal security of the Union and to the safety and livelihood of its citizens”  it  considers that such “EU internal security” matters should remain framed only by the Council and the Commission with “soft law” tools like the European Internal Security Strategy or the so-called “Policy Cycle”. The problem is that these tools associate the Member States only on a voluntary basis so there is no assurance that the common goals which have been defined will be reached nor is it possible to sanction those who do not contribute as was originally planned. Even the creation of a Center of excellence pooling important technical and human resources to fight Cybercrime or Terrorism as was (at last!) recently decided remains in the form of important opportunities offered to the EU member states and not of common binding tools. Unlike Frontex which is playing an increasing role in a well settled EU binding legislative framework (Schengen Border Code and EUROSUR), Europol is still floating in an unchartered legislative framework and building its own mission as a permanent laboratory or a taxi for Member states which are willing to use it. Last but not least, relying on “soft law instruments” makes the role of the European Parliament irrelevant, even if the latter try to follow up the initiatives taken by the Council and/or the Commission (a situation which is hardly acceptable for an EU which, after Lisbon, claims to be bound by democratic principles…) with non-binding resolutions.

This aspect should be very present in the EP’s mind as it has been co-responsible of EU policies linked with police and judicial cooperation in criminal matters for six years but for inexplicable reasons it continues to accept being marginalized, as happened with this draft Regulation in which the objectives of Europol’s activity will be defined only by …the Council and the Commission (not to speak of the EU Member States which are represented on its Management Board).

Even more surprisingly the European Parliament, which is also the Budgetary authority (which finances EUROPOL with 80/90 million euros per year), does not ask to have a say on the appointment of the Director of the Agency. Even in countries (such as the USA) where there is a clear distinction between the executive and the legislature the official responsible for federal agencies should have the approval of the Congress..

Even more worrying is the way in which the management of classified informations is framed. Here the draft Regulation takes the “originator principle” as the cornerstone of everything and places private entities, third countries and EU Member States or other EU and National agencies on the same ground. Now, in a European Union which claims to be founded on the principle of the rule of law, it is the legislator who should decide under which conditions information can be classified / declassified and has to be shared in the interest of the EU regardless of the good or bad will of the “originator”. Moreover, the principle of loyal cooperation should frame relations between EU institutions, agencies and bodies so that each one of them could fulfil its constitutional role regardless of the will of the “originator”.

Under this perspective the treatment that the European Parliament has accepted in this regulation is grotesque because it has accepted to be bound by the internal security rules of ….the Council and not by legislation to be adopted on the basis of art. 15 of the TFEU (and of the Charter). The point is not who should be the winner of an inter institutional game, as much as who among the EU institutions the European citizens can trust. By abdicating to its role the EP is thus deliberately weakening its own legitimacy and the democratic principles on which the EU claims to be founded.

Another weak aspect of the new text is the absence of a real link (and interdependence) with the judicial dimension of the European Freedom Security and Justice Area. Such a link, which is vital in the member states to avoid possible abuses on the police side, is practically absent in the new regulation which makes a vague reference to administrative agreements with Eurojust and plainly ignores its possible relation to the future European Public Prosecutor  who ” shall be responsible for investigating, prosecuting and bringing to judgment, where appropriate in liaison with Europol, the perpetrators of, and accomplices in, offences against the Union’s financial interests,….” (art.86.2 TFEU). The point is that Europol, by claiming an increasing role in the collection and treatment of intelligence informations linked with Cybersecurity, Terrorism and PNR, is trying to become the main EU “intelligence information hub” which brings it closer to the model of an EU National Security Agency than to a European FBI as it was in its first phase.

A further weak aspect of the draft Regulation is the protection of personal data where the situation is so confused that, in a declaration attached to the text, the EP and Council already declare: “… that, following the adoption of the proposed General Data Protection Regulation and Data Protection Directive for data processing in the police and justice sector, including the new, soon to be created European Data Protection Board, and in light of the announced review of Regulation (EC) No 45/2001, the different mechanisms for cooperation between the European Data Protection Supervisor and the national supervisory authorities in this field, including the Cooperation Board set up in this Regulation, should in the future be reorganised in such a way as to ensure effectiveness and consistency and avoid unnecessary duplication, without prejudice to the Commission’s right of initiative.”

Many other points may be raised, but if you are really interested, have a look at the text below (which is over 90 pages long..).

Continue reading “The new Europol: no more European FBI, not yet European NSA…”

Schengen, un coupable idéal ?

ORIGINAL PUBLISHED ON CDRE SITE (25 NOVEMBRE 2015)

par Henri Labayle, 

Les réalisations européennes servent de bouc émissaire aux crises nationales. Ce n’est pas chose nouvelle. Après l’Euro, l’espace « Schengen » de l’Union est aujourd’hui sur la sellette. Les attentats terroristes lui auraient donné le coup de grâce, après ceux de la crise des migrants. Est-ce bien réaliste, est-ce vraiment opportun ?

Les discours officiels relèvent ici de la vieille fable de la paille et de la poutre. C’est aux Etats membres eux-mêmes que le conseil du ministre de l’Intérieur français de « se reprendre » devrait être donné tant la construction de Schengen est dépendante de leur volonté. Néanmoins, le réalisme interdit l’optimisme. Ayant perdu de vue ses caractéristiques initiales, Schengen n’échappera pas à une remise en question profonde.
Le fabuleux destin de l’espace Schengen, sa « success story », enregistrent incontestablement au coup d’arrêt, dont il conviendra de mesurer l’impact réel. Il y a des explications à cela.

1. Une construction datée

Les principes de Schengen sont inscrits désormais dans les traités : abolition des contrôles aux frontières intérieures, reportés là où l’espace commun est en contact avec les pays tiers. Sont-ils toujours à la hauteur des défis ? Répondent-ils à la menace terroriste comme à la pression migratoire ? A trop raisonner à logiciel constant, on peut en douter.

Le contexte de la création de Schengen, en 1985, a été oublié. Fruit d’un accord bilatéral franco-allemand, rejoint par les Etats du Bénélux, Schengen s’inscrivait dans un paysage aujourd’hui disparu : peu de participants, ensemble homogène animé des mêmes buts. Au point d’être scellé dans une convention d’application dont la date n’est pas indifférente : 1990, au lendemain de la chute du mur de Berlin …

En attendre une réponse efficace à des défis qui n’existaient pas lors de sa conception est un peu simpliste.
Que Schengen n’ait pas été à même, en 2015, d’arrêter les flots de réfugiés remontant le ventre mou du couloir des Balkans s’explique : il a été conçu en 1990 dans la logique d’un continent fermé, d’une Europe coupée en deux par le rideau de fer, ignorant les 7700 kilomètres de frontières terrestres devenues les siennes aujourd’hui. Figée dans une problématique Nord/Sud, l’Europe de l’époque n’avait aucune idée de la dimension Est/Ouest qui s’y est surajoutée.
Le contexte géopolitique de l’époque le confirme. L’environnement de Schengen était fait de l’Union soviétique de Gromyko au Maroc d’Hassan II en passant par la Tunisie de Ben Ali et la Libye de Kadhafi, sans parler de la Syrie ou de la Yougoslavie de Tito. Les dictateurs qui l’entouraient étaient ses meilleurs garde-frontières et la vague migratoire de 2015 inimaginable …

L’argument vaut aussi en matière terroriste. Oubli ou mauvaise foi des partisans d’un retour aux frontières nationales, celles-ci font obstacle à la lutte anti-terroriste. D’ETA réfugié en France à l’IRA en République d’Irlande ou à la bande à Baader en France, les exemples ne manquent pas. Leur maîtrise nationale empêcha-t-elle la vague d’attentats des années 80 en France ? Evidemment non.
Pour autant, « l’obsession » de la frontière justement décrite par Michel Foucher n’a pas disparu. En fait, Schengen se borne à déplacer le lieu où la frontière joue toujours son rôle de barrière, de protection. Il est un compromis entre l’ouverture d’un continent, notamment pour des besoins économiques, et sa fermeture, pour des raisons sécuritaires.

La crise de 2015 met ouvertement en question l’équilibre de ce compromis, sa capacité à assumer la fonction sécuritaire de la frontière commune. Les Etats, en trente ans, l’ont construit et maintenu envers toute logique, d’où leur responsabilité centrale.

2. Des compromis boiteux

Habillé d’un prétexte sécuritaire, ce que l’on appelait à l’époque le « déficit sécuritaire », Schengen répondait en fait à une autre réalité : celle du besoin économique d’un continent asphyxié, cloisonné en Etats aussi nombreux que petits. Le marché intérieur, lancé exactement à la même période, ne pouvait s’en satisfaire.
Le détour par la case « sécurité » dissimule à peine cette vérité. Ouvrir l’espace intérieur était d’abord un impératif économique, satisfaisant les opérateurs mais plus facile à assumer en mettant en avant la lutte contre l’immigration ou le crime. La réinstauration des contrôles provoquée par la crise des attentats de Paris confirme l’impact économique de cette ouverture : retards dans les aéroports, kilomètres de bouchons sur les autoroutes aux passages frontaliers avec l’Espagne ou l’Italie… Le compromis entre mobilité et sécurité, pourtant exclusivement au cœur du projet initial Schengen, s’est réalisé au détriment de la seconde. Quitte à ignorer les aspirations des citoyens européens.
D’autant que, dans sa quête de points d’appui, la construction européenne s’est emparée de Schengen pour en faire un symbole. Curieux retournement des choses, Schengen vilipendé lors de sa création, stigmatisé parce que qualifié de « liberticide » et que « l’Europe des polices » était alors un gros mot, fut ensuite présenté comme l’acquis principal de la liberté des citoyens européens. Avant aujourd’hui d’être à nouveau accusé de tous les maux d’une intégration européenne qu’il ne réalise pourtant pas.

La vérité se cache ailleurs. A force de non-dits et de compromis étatiques, la démarche sécuritaire quasi-exclusive sur laquelle reposait Schengen initialement s’est progressivement banalisée.
Elle imposait le respect d’un certain nombre de principes. Avant toute autre chose, celui de la responsabilité de chaque Etat, garant par son sérieux de la sécurité de tous. D’où le refus initial de l’ouvrir à des partenaires jugés peu fiables, de l’Italie à la péninsule ibérique ou à la Grèce.
La logique communautaire, celle des élargissements, l’a emporté sur ce paramètre. Une prétendue « confiance mutuelle » entre Etats a été vantée dans un univers où la méfiance demeure la règle, peu sensible au credo du monde libéral.

Puisque, depuis des années, la Grèce était une passoire et ne remplissait plus ses obligations, comment s’étonner que le système ait volé en éclat au début de l’été ? Puisque, depuis des années, le système dit de « Dublin » (imaginé à Schengen) ne remplissait pas son office, pourquoi s’étonner de l’abcès de fixation ouvert hier à Sangatte, aujourd’hui à Calais ? Enfin, faute de donner un sens au mot « sanction », pourquoi l’Union européenne ne s’est-elle pas préoccupée d’une réaction vigoureuse, réservant ses foudres aux eaux de baignade et aux aides d’Etat …

Arbitrant au moyen de compromis médiocres, quand il aurait sans doute fallu établir publiquement et respecter des priorités politiques, l’Union s’est donc trouvée démunie lorsque la bise est venue, lorsque les urnes nationales et européennes se sont emplies de votes protestataires. Faisant l’aubaine de partis extrémistes dépourvus de toute réponse réaliste, elle s’est ainsi placée sur la défensive.
L’impasse faite sur la dimension économique du contrôle des frontières illustre cette absence de pilotage. Le mirage des solutions technologiques de demain, les « smarts borders » et la biométrie, ajouté au lobbying des grandes multinationales désireuses d’obtenir les marchés publics y sacrifiant, ne peut dissimuler l’aberration consistant à confier la sécurité de tous à un Etat membre, la Grèce, étranglé financièrement et budgétairement pour les raisons que l’on sait …

S’il est exact que les Etats Unis consacrent 32 milliards de dollars à leur politique migratoire dont la moitié au contrôle des frontières, comment comprendre les 142 millions d’Euros du budget de Frontex ?

Dilué, Schengen a perdu de vue l’originalité de sa charge pour être appréhendé comme une politique ordinaire. Sauf que les Etats membres n’ont en rien abdiqué.

3. Une logique intergouvernementale

Laboratoire de la construction européenne, Schengen demeure une construction aux mains des Etats.
Au prix d’une certaine schizophrénie, les Etats ont en effet prétendu à la fois intégrer leur action mais en conserver la maîtrise. Entre ceux qui voulaient mais ne pouvaient pas en faire partie (la Bulgarie, la Roumanie), ceux qui pouvaient mais ne le voulaient pas (les iles britanniques), ceux qui ne pouvaient pas mais que l’on a voulu (la Suisse, la Norvège, l’Islande) et ceux qui ne pouvaient pas et dont on aurait pas du vouloir (la Grèce), Schengen est devenu un véritable patchwork.

La greffe aurait pu prendre. Elle n’a été qu’imparfaite.
D’abord car la diversité des situations nationales n’a pas disparu. D’une part, les législations et pratiques nationales demeurent suffisamment éloignées pour que l’effet « vases communicants » ne joue pas. Migrants comme criminels ont parfaitement identifié ces points faibles. D’autre part car le degré d’attraction des Etats membres de cet espace ne s’est pas réduit, rendant inutile le souhait de responsabiliser l’ensemble. Convaincus que l’Allemagne et la Suède étaient des eldorados, les demandeurs de refuge n’envisagent pas d’autre destination, pour la plus grande satisfaction des Etats membres qu’ils traversent et qui vont jusqu’à leur faciliter la tâche.

Ensuite, parce que les Etats refusent toujours la contrainte. En indiquant clairement dans son article 4 que « la sécurité nationale relève de la seule souveraineté de chaque Etat membre », le traité sur l’Union fixe une barrière infranchissable.

Les enseignements des commissions d’enquête au lendemain des attentats de Charlie Hebdo le confirment. Le dispositif européen est moins en cause que les conditions de sa mise en œuvre. La faillite de Schengen n’est pas dans la poursuite mais dans la prévention, dans le renseignement en amont des attentats et l’alimentation des outils communs qui n’est pas obligatoire. La qualité remarquable de l’action policière et judiciaire, y compris par delà la frontière franco-belge, ne dissimule la faillite de la prévention politique et policière, des deux cotés de cette frontière.
Comment Mehdi Nemmouche hier, Abaaoud ou les frères Abdeslam cette semaine, ont-ils pu perpétrer leurs crimes sans obstacle réel, échappant aux contrôles Schengen autant que nationaux ? Qui refusait jusqu’au Conseil de vendredi dernier d’inclure les « combattants étrangers » dans le SIS et pourquoi 5 Etats seulement fournissent-ils plus de la moitié des informations sur leurs déplacements au Système d’information d’Europol de l’aveu du coordinateur européen de la lutte contre le terrorisme ?

L’absence de transparence de l’Union ne facilite pas la réponse. La responsabilité des Etats membres est pourtant au cœur de ce fiasco, constat déjà posé après Charlie Hebdo, sans réelle suite.

La France n’y échappe pas, étonne par l’arrogance de notre discours public. Des failles de son contrôle judiciaire aux pannes de son système de fichier Chéops, à sa gestion des documents d’identité, aux  erreurs de ses services de renseignements ou aux moyens alloués et à l’autisme de ses gouvernants qui qualifient de simples « complicités françaises » l’action des terroristes de Paris, elle n’est pas en situation d’administrer les leçons qu’elle prétend donner à la Belgique et à l’Union.

Celle-ci doit pourtant se remettre en question.

Quant au périmètre de son action d’abord. Malgré le politiquement correct, la composition de l’espace commun où contrôles comme échanges de renseignement s’effectuent est une question ouverte. Les Pays Bas, comme d’autres, semblent réfléchir à un redimensionnement effectué soit par un repli, sur un petit nombre de partenaires performants, soit par une mise à l’écart, de membres jugés non fiables.

Quand au fond ensuite. Les principes d’organisation sur lesquels Schengen repose, frontières intérieures/extérieures demeurent aussi pertinents qu’hier. En revanche, ils ne peuvent plus se satisfaire du vide politique actuel. La cohérence exige de percevoir l’asile comme un même devoir, réclame de criminaliser le radicalisme et le terrorisme de façon identique. Ce préalable n’est pas satisfait aujourd’hui dans l’Union. De même que la « solidarité » doit avoir un sens concret pour les Etats membres, ces derniers doivent partager l’accueil des réfugiés et privilégier la coopération et la police judiciaires et la coordination des poursuites à l’action exclusive des services de renseignement. Dans tous les cas, il faut y mettre le prix.

Alors, pourquoi n’entendons nous pas les mots de « parquet européen », « d’équipes communes d’enquête », « d’Eurojust » ? Pourquoi l’essentiel du contingent de la relocalisation est-il encore vacant ? Parce que nous n’osons pas lever le tabou de l’action commune, de la quasi-fédéralisation qu’impliquent le développement des agences se substituant aux Etats défaillants, que nous prétendons que l’administration nationale des politiques européennes est toujours l’alpha et l’oméga de la construction européenne ?

L’hypothèse de l’avancée, même si celle du repli est peu crédible sinon impossible, est donc incertaine. A l’image de celle du projet européen tout entier dont Schengen demeure bien, toujours, un « laboratoire ».

Statewatch leaked document on the state of play of EU Antiterrorism policy (and its perspectives..)

On the Statewatch site is now accessible a very interesting document of the EU Counter terrorism Coordinator in preparation of the Justice and Home affairs Council meeting of December 4, 2015. Without prejudice of the political and legal judgment that anyone can have on the initiatives listed below the text gives a very comprehensive (and relatively objective ) view of the current state of play of the EU initiatives. It remains a mystery why this kind of purely descriptive documents are not directly accessible to the public, to the European and national parliaments.

EDC

DOC14438/15
NOTE From: EU Counter-Terrorism Coordinator To: Delegations
Subject: Report: State of play on implementation of the statement of the Members of the European Council of 12 February 2015 on counter-terrorism

The extraordinary Council (JHA) of 20 November 2015 highlighted the need to accelerate the implementation of all areas covered by the statement on counter-terrorism issued by the Members of the European Council on 12 February 2015 (doc 14406/15). Therefore, in preparation of the Council of 4 December 2015, this paper lists all the measures foreseen in the February 2015 Statement and assesses their implementation. Implementation of the Conclusions of the Council of 20 November 2015 will enhance implementation of the February 2015 statement.

Documents 9422/1/15 and 12318/15 drafted by the EU CTC assessed the state of implementation in June and October 2015. Document 12551/15, drafted by the Presidency and the EU CTC, was endorsed by the Council in October 2015. It suggests five priorities for action by December 2015. Discussion in the extraordinary JHA Council of 20 November (doc 14406/15) and COSI of 16 November 2016 focused on firearms, strengthening external border controls, information sharing and terrorist financing (doc 14122/15).

I. ENSURING THE SECURITY OF CITIZENS

  1. PNR

Following the adoption of the rapporteur’s report by the LIBE Committee on 15 July 2015, four trilogues and three technical meetings have taken place. Important differences of view between the Council and the EP remain, notably on the inclusion of internal flights, the scope (transnational element of serious crime) and the period during which PNR data can be stored in an unmasked manner. Agreement on many other issues is outstanding.

The rapporteur’s ability to broker a deal with the Presidency is hampered by the fact that, except for the EPP shadow rapporteur, his report was not supported by other shadow rapporteurs, but by a heterogeneous majority across party lines. The EP’s commitment in its resolution of 11 February 2015 to work towards passage of a PNR Directive by the end of 2015 has so far not been shared by the shadow rapporteurs (S&D, ALDE, Greens, GUE) who voted against the Kirkhope report.

As long as there is no EU PNR Directive, Member States who do not have national legislation do not have a legal basis to acquire data from carriers. On 20 November 2015, the Council reiterated the urgency and priority to finalise an ambitious EU PNR before the end of 2015.

  1. Information sharing

–   Europol: by November 2015, 14 EU MS had connected their counter terrorism authorities to the Secure Information Exchange Network Application (SIENA) hosted by Europol, a key enabling platform for information exchange. This means that half of the Member States are still not connected. Siena will be upgraded to “confidential” in 2016. Terrorism crime related information and intelligence exchange remains low. A dedicated area for counter-terrorism authorities was created in SIENA in October 2015, allowing for direct bilateral and multilateral communication between counter-terrorism authorities, with Europol and third parties with an operational cooperation agreement.

There has been a strong increase of the use of the Europol Information System (EIS) since December 2014. By 13 November 2015, 1595 foreign terrorist fighters have been registered in EIS by 14 EU MS, 5 third parties and Interpol. Nevertheless, considering the much higher number of existing EU foreign terrorist fighters and the fact that half of all EU MS still have not used EIS, the system is clearly a work in progress.

FP Travellers, both from a quantitative and qualitative perspective, is not yet a tool which can provide in depth analysis in relation to all contributed operational cases across the EU. To date, 50.45 % of all contributions originate from just five MS and one associated third country. 2081 confirmed foreign terrorist fighters have been entered into FP Travellers.

Europol will launch the European Counter-Terrorism Center (ECTC) in early 2016 to strengthen information exchange. This will provide inter alia a robust security and confidentiality framework. A more robust information-sharing and operational-coordination platform will be established at Europol as part of ECTC to connect the police CT authorities. In the Council Conclusions of 20 November 2015, Member States committed to seconding CT experts to the ECTC to form an enhanced cross-border investigation support unit and indicated that Eurojust should also be involved. As Europol is actively engaged in support of ongoing CT investigations in several Member States and has been tasked by the Council to set up the IRU and the ECTC, it will be important to increase Europol ‘s resources accordingly to achieve sustainability.

–   Eurojust: Operational cooperation and information sharing have increased considerably. But this still does not reflect the extent of ongoing investigations and prosecutions. Operational cooperation in terrorism cases referred to Eurojust for assistance has more than doubled (13 cases in 2014, 29 cases so far in 2015, cases related foreign terrorist fighters increased from 3 to 14). Ten coordination meetings in terrorist cases have been organized in 2015, four of which related to FTF. In November 2015, Eurojust coordinated a joint action in six countries in a case of a radical terrorist group, leading to 13 arrests. The information on prosecutions and convictions for terrorist offences shared with Eurojust has more than doubled since 2014. So far in 2015, 109 cases were opened at Eurojust in relation to information exchange on terrorist offences – 17 on court results and 92 on ongoing prosecutions.
This is a threefold increase on the figure for 2014. Eurojust also animates several relevant networks such as the network of national correspondents for terrorism matters and the consultative forum of prosecutors-General and Directors of Public Prosecutions, specialized cybercrime prosecutors etc. The association of Eurojust to Europol’s Focal Point Travellers has allowed for improved information exchange.

Update of the Framework Decision on Combating Terrorism: The EU signed the Council of Europe Convention on the Prevention of Terrorism and its additional Protocol on Foreign Terrorist Fighters on 22 October 2015 in Riga. The Commission plans to present a proposal for the update of the Framework Decision before the end of 2015.

  1. External border controls

    2. Continue reading “Statewatch leaked document on the state of play of EU Antiterrorism policy (and its perspectives..)”

Data retention and bulk data: sometime the Council raises some good questions. But what about the answers ?

It does not happen very often but in a PUBLIC document diffused yesterday the Council Presidency raises some very interesting questions arising from the 2014 CJEU ruling on data retention (see below). It is worth recalling that already at that time the Court justified its decision with reference not only to art. 8 of the Charter (protection of personal data) but also to art. 7 (protection of privacy). The same happened this year with the Schrems case which deals with a similar situation (even if referred to a third country). Quite surprisingly the Council Presidency does not make reference to this ruling even if , according some doctrine (see the Martin Scheinin position published here)  it contain already an answer to the first question. According to Martin Scheinin the Court by referring to Article 7 of the Charter makes clear that:  In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter…

When the “essence” itself of a fundamental right is threatened, according to art.52 of the Charter is no more question of verify the “proportionality” of this kind of measures as they would be per se against the Charter (and the Treaty)

Let’s see what will be the MS (and judiciary) reaction and if they will take this occasion to re-examine some wide ranging legislative proposals which foresee a generalised collection of personal data (PNR, Entry-exit systems, not to speak of the monthly bulk transmission of EU citizens personal data to the US administration within the EU-USA TFTP (“SWIFT”) agreement…).

EDC

 

DOC  14246/15 24 November 2015 NOTE
From:Presidency
To:Permanent Representatives Committee/Council
No. prev. doc.:14369, 13085/15, 11747/1/15 REV 1
Subject: Retention of electronic communication data – General debate

1. The invalidation of the Data Retention Directive 1 by the Court of Justice of the EU 2on the grounds that it disproportionately restricted the rights to privacy and to the protection of personal data, has given rise to questions in the Member States, in particular as regards national transposition legislation and the availability of electronic communication data collected for access by law enforcement authorities and their use as evidence in criminal proceedings.

2. Member States had been given a wide margin of discretion in the implementation of the Data Retention Directive. This lead to considerable differences in the national legal frameworks3, which are compounded by the varying consequences of the assessment of the national data retention schemes by national parliaments and courts, especially in view of the Data Retention Judgement and the pending “Tele2” case 4.

3. The Data Retention Judgement has not directly affected national implementing legislations of the Data Retention Directive and these remain valid until amended, or repealed by national parliaments, or invalidated by national courts, provided that they comply with Articles 7 and 8 of the Charter of Fundamental Rights of the EU. Member States thus find themselves in a situation where they no longer have an obligation deriving from a specific Union legal instrument to introduce or maintain a national data retention regime providing for the mandatory storage of electronic communication data by providers for the purposes of detecting, investigating, and prosecuting serious crime. However, Member States retain the possibility to do so under Article 15(1) of the “E-privacy Directive” 5.

4. Opinions diverge on the interpretation of the Court’s judgement and thus on the legality of schemes for retaining bulk electronic communication data without specific reason. This has inter alia resulted in a large variety of situations at national level6. Some Member States have already adopted or are in a process of preparing new legislation on data retention, that, according to the information received by delegations, aims at ensuring strengthened procedural guarantees and safeguards in compliance with the Charter and in line with the ruling of the Court (EE, ES, IE, LT, LU, LV, MT, PL), including some Member States where the national law has been invalidated by the constitutional Court (DE, BG, NL).

5.Eurojust’s analysis of the current situation7 and expert debates held during the Luxembourg Presidency8 highlight that this fragmentation of the legal framework on data retention across the Union has an impact on the effectiveness of criminal investigations and prosecutions at national level, in particular in terms of reliability and admissibility of evidence to the courts based on the collection of electronic communication data, as well as on cross-border judicial cooperation between Member States and internationally.

6 In view of these challenges and the legal, procedural and practical problems they pose for investigations and prosecutions of all kinds of crime, not in the least in relation to counter-terrorism, the Presidency invites Ministers to address the following questions:

  • Is the Data Retention Judgement to be interpreted in the sense that retaining bulk electronic communication data without specific reason is still allowed ?
  • Considering the current fragmented situation throughout the Union, and the consequences it entails, should an EU-wide response be considered or should it be up to individual Member States to address the issue ?
  • Should the Commission be invited to present a new legislative initiative and if yes in what timeframe ?

 

NOTES

1        Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
3        It is recalled that the transposition did not go easily in certain Member States, as a number of national constitutional courts annulled the national transposition laws for being contrary to the Constitution or the European Convention on Human Rights and certain national parliaments raised serious concerns.
2        Judgement of the Court of justice of the European Union (CJEU) (Grand Chamber) “Digital Rights Ireland and Seitlinger and others” of 8 April 2015 in joined Cases C-293/12 and C-594/12
4        The CJEU currently examines a preliminary ruling (pending Case C-203/15, lodged on 4 May 2015, Tele2 Sverige AB v. Post-och telestyrelsen ) on the compatibility of a national legislation (Swedish law in this case) to retain traffic data covering all persons, all means of electronic communication and all traffic data for the purpose of combating crime, with Article 15(1) of Directive 2002/58/EC (the e-privacy Directive), taking account of Articles 7, 8 and 15(1) of the Charter.
5        Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector
6        The current state of play is as follows: the transposition law of the Data Retention Directive has been invalidated in at least 11 Member States (AT, BE, BG, DE, LT, NL, PL, RO, SI, SK, UK). Amongst these, 9 countries have had the law invalidated by the Constitutional Court (AT, BE, BG, DE, SI, NL, PL, RO, SK). In 15 Member States (CY, CZ, DK, EE, ES, FI, FR, HR, HU, IE, LU, LV, MT, PT, SE) the domestic law on data retention remains in force, while they are still processing communication data.
7        Doc. 13085/15 and 13689/15
8        Doc. 11747/1/15 REV 1