After Paris : Justice and Home affairs Council draft Conclusions

ORIGINAL DOCUMENT ACCESSIBLE ON STATEWATCH SITE

(NOTA BENE : Comments will follow on the text finally adopted) 

Draft Conclusions of the Council of the EU and of the Member States meeting within the Council on Counter-Terrorism

  1. The Council is appalled by the heinous terrorist attacks which took place in Paris on 13 November 2015 and expresses its deepest condolences to the victims of these attacks, their families and friends. The Council emphasises its solidarity with the people of France and pays tribute to the courage and decisive actions of the French authorities. The attacks were an assault on the European values of freedom, democracy, human rights and the rule of law. This is not the first time that the EU has been confronted with a major terrorist attack and important measures have already been taken. The Council underlines the importance of accelerating the implementation of all areas covered by the statement on counter-terrorism issued by the Members of the European Council of 12 February 2015 and in particular of the measures outlined below.

PNR

  2. The Council reiterates the urgency and priority to finalise an ambitious EU PNR before the end of 2015, which should include internal flights in its scope, provide for a sufficiently long data period during which PNR data can be retained in non-masked out form and should not be limited to crimes with a transnational nature.

Firearms

  3. The Council:
  • welcomes the adoption of the Implementing Regulation on common deactivation standards on 18 November 2015,
  • welcomes the presentation by the Commission on 18 November 2015 of a proposal to revise the current Directive on Firearms,
  • is committed to increasing operational cooperation through Europol under the EU Policy Cycle on serious and organised crime, notably within the Operational Action Plan Firearms. All Member States affected by the problem are invited to join these efforts by the end of 2015,
  • invites Frontex and Europol to assist the Member States bordering the Western Balkans region with regard to increasing controls of external borders to detect smuggling of firearms.

Strengthening controls of external borders

4. Member States undertake to:

  • implement immediately the necessary systematic and coordinated checks at external borders, including on individuals enjoying the right of free movement,
    • on the basis of a quick identification of urgent needs and possible solutions, to be performed by the Commission before the end of 2015, upgrade the Member States’ border control systems (electronic connection to the relevant Interpol databases at all external border crossing points, automatic screening of travel documents) by March 2016,
    • in the context of the current migratory crisis, carry out a systematic registration, including fingerprinting, of all migrants entering into the Schengen area and perform systematic security checks by using relevant databases in particular SIS II, Interpol SLTD database, VIS and national police databases, with the support of Frontex and Europol, and ensure that hotspots are equipped with the relevant technology. Europol will deploy guest officers to the hotspots in support of the screening process, in particular by reinforcing secondary security controls,
    • strengthen the control at the external borders which are most exposed, in particular by deploying rapid border intervention teams (RABITs) and police officers in order to guarantee systematic screening and security checks.
    5. The Council reiterates its Conclusions of 9 November 2015 and invites the Commission to:
    • include EU nationals in the upcoming Smart Borders proposals and in this context present a proposal for the targeted revision of Art.7(2) Schengen Borders Code regarding systematic controls against relevant databases at EU external borders,
    • provide, in its proposal to update the Frontex Regulation, a solid legal basis for the contribution of Frontex to the fight against terrorism and organised crime and access to the relevant databases.
    6. Frontex will:
    • contribute to the fight against terrorism and support the coordinated implementation of the Common Risk Indicators (CRIs) before the end of 2015,
    • assist the Member States to tighten controls of external borders to detect suspicious travels of foreign terrorist fighters and smuggling of firearms, in cooperation with Europol,
    • work closely with Europol and Eurojust, in particular in the context of the hotspots, and exchange data with Europol on the basis of the cooperation agreement to exchange personal data. The latter should be concluded and become operational without delay.

    Information sharing

    7. The Council decides to step up law enforcement cooperation on counter-terrorism (CT):

    • Member States will instruct national authorities to enter data on all suspected foreign terrorist fighters into the SIS II under Article 36.3, carry out awareness raising and training on the use of the SIS and define a common approach to the use of the SIS II data relating to foreign fighters,
    • Europol will launch the European Counter Terrorist Centre (ECTC) on 1 January 2016 as a platform by which Member States can increase information sharing and operational coordination with regard to the monitoring and investigation of foreign terrorist fighters, the trafficking of illegal firearms and terrorist financing. The ECTC will provide national CT authorities with enhanced information sharing capacities notably via Focal Point Travellers, the Europol Information System and Europol’s SIENA system reserved for counter-terrorism cases. The new Europol Regulation, on which an agreement should be reached between the co-legislators before the end of the year, should be consistent with the mandate and objectives of the ECTC, including the IRU,
    • Member States will second CT experts to the ECTC to form an enhanced cross-border investigation support unit, capable of providing quick and comprehensive support to the investigation of major terrorist incidents in the EU. Eurojust should also participate,
    • The Commission is invited to ensure that Europol is reinforced with the necessary resources to support ECTC and to submit a legislative proposal in order to enable Europol to systematically cross-check the Europol databases against the SIS II as established by Council Decision 2007/533/JHA on the establishment, operation and use of the second generation Schengen Information System (SIS II),
    • Member States will make maximum use of these capabilities to improve the overall level of information exchange between CT authorities in the EU. Member States will instruct the relevant national authorities to further increase their contributions to Focal Point Traveller at Europol to reflect the threat and connect to relevant Europol information exchange systems.

     
    Terrorist financing

    8. The Council invites the Commission to present proposals to strengthen, harmonise and improve cooperation between Financial Intelligence Units (FIUs), notably through the proper embedment of the FIU.net network for information exchange in Europol and ensure their fast access to necessary information, in order to enhance the effectiveness and efficiency of the fight against money laundering and terrorist financing in conformity with Financial Action Task Force (FATF) recommendations, to implement more quickly the asset freezing required by the UN Security Council (Resolution 1373), to strengthen controls of non-banking payment methods such as electronic/anonymous payments and virtual currencies and transfers of gold, precious metals, by pre-paid cards and to curb more effectively the illicit trade in cultural goods.

     Criminal justice response to terrorism and violent extremism

     9. The Council welcomes the signing in Riga on 22 October 2015 by the EU of the Council of Europe’s Convention on the Prevention of terrorism and of its additional Protocol on Foreign Terrorist Fighters and invites the Commission to present a proposal for a directive updating the Framework Decision on Combating Terrorism before the end of 2015 with a view to collectively implementing into EU law UNSC Resolution 2178 (2014) and the additional Protocol to the Council of Europe’s Convention.

     10. Member States will use ECRIS at its full potential. The Council invites the Commission to submit by January 2016 a proposal for the extension of ECRIS to cover third country nationals.

     11. The Council invites the Commission to allocate as a matter of urgency the necessary financial resources to implement the Council Conclusions on enhancing the criminal justice response to radicalisation leading to terrorism and violent extremism. This should notably support the development of rehabilitation programmes as well as risk assessment tools in order to determine the most appropriate criminal justice response, taking into account the individual circumstances and security and public safety concerns.

     Funding

    12. The Council invites Member States to use the Internal Security Fund to support the implementation of these conclusions and to prioritise relevant actions under the national programmes to this effect, and calls on the Commission to prioritise the funding available under centrally managed funds to the priorities identified in these conclusions.

    Implementation

    13. In view of its role on strengthening internal security within the Union, COSI shall coordinate the role of the various Council Working Parties and of the EU agencies in the implementation of these Council Conclusions. The Counter Terrorism Coordinator will monitor their implementation.

    Fundamental Rights Agency : Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU. Mapping Member States’ legal frameworks

    EXECUTIVE SUMMARY : FULL REPORT AVAILABLE HERE

     Introduction

    Recent revelations of mass surveillance underscore the importance of mechanisms that help prevent fundamental rights violations in the context of intelligence activities.

    This FRA report aims to evaluate such mechanisms in place across the European Union (EU) by describing the current legal framework related to surveillance in the 28 EU Member States. The report first outlines how intelligence services are organised, describes the various forms surveillance measures can take and presents Member States’ laws on surveillance. It then details oversight mechanisms introduced across the EU, outlines the work of entities set up thereunder, and presents various remedies available to individuals seeking to challenge surveillance efforts.

    The report does not assess the implementation of the respective laws, but maps current legal frameworks. In addition, it provides an overview of relevant fundamental rights standards, focusing on the rights to privacy and data protection.

    Background

    In June 2013, media worldwide began publishing the ‘Snowden documents’, describing in detail several surveillance programmes being carried out, including by the United States’ National Security Agency (NSA) and by the United Kingdom’s Government Communications Headquarters (GCHQ). These brought to light the existence of extensive global surveillance. Details of these programmes, which set up a global system of digital data interception and collection, have been widely publicised 1 and critically assessed.2

    Neither the US nor the British authorities questioned the authenticity of the revelations,3 and in some cases confirmed them.4 However, the media’s interpretation of the programmes was sometimes contested – for example, by the UK Intelligence and Security Committee of Parliament 5 and academia.6

    Since most of the Snowden revelations have not been recognised by the British government, the Investigatory Powers Tribunal, in hearing challenges to the legality of the programmes, took the approach of hearing cases on the basis of hypothetical facts closely resembling those alleged by the media.7 For the Austrian Federal Agency for State Protection and Counter Terrorism (BVT), the Snowden revelations represented a “paradigm shift”: “Up until a few years ago, espionage was largely directed at state or business secrets, and not, for the most part, at people’s privacy, which can now be interfered with extensively by intelligence services since they possess the necessary technical resources to do so”. 8

    The Snowden revelations were not the first to hint at the existence of programmes of large-scale communication surveillance set up in the aftermath of the 11 September 2001 attacks.9

    But the magnitude of the revelations was unprecedented, potentially affecting the entire world.

    The revelations triggered an array of reactions.10 In the intelligence community, and in particular among the specialised bodies in charge of overseeing the work of intelligence services, dedicated inquiries were conducted.11 The European Union reacted strongly.

    The European Commission (EC), the Council of the European Union and the European Parliament (EP) reported on the revelations, expressing concern about mass surveillance programmes, seeking clarification from US authorities, and working on “rebuilding trust” in light of the damage created by the revelations.12

    On 12 March 2014, the EP adopted a resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights, and transatlantic cooperation in Justice and Home Affairs (the Resolution).13

    The resolution drew on the in-depth inquiry that the EP tasked the Civil Liberties, Justice and Home Affairs Committee (LIBE) to conduct during the second half of 2013, shortly after the revelations on mass surveillance were published in the press.14

    The wide-reaching resolution launched a “European Digital Habeas Corpus”, aimed at protecting fundamental rights in a digital age while focusing on eight key actions. In this context, the EP called on the EU Agency for Fundamental Rights (FRA) “to undertake in-depth research on the protection of fundamental rights in the context of surveillance, and in particular on the current legal situation of EU citizens with regard to the judicial remedies available to them in relation to those practices”.15

    Scope of the analysis

    This report constitutes the first step of FRA’s response to the EP request. It provides an overview of the EU Member States’ legal frameworks regarding surveillance. FRA will further consolidate its legal findings with fieldwork research providing data on the day-to-day implementation of the legal frameworks. A socio-legal report based on an empirical study, to be published at a later stage, will expand on the findings presented here.

    While the EP requested the FRA to study the impact of ‘surveillance’ on fundamental rights, given the context in which the resolution was drafted, it is clear that ‘mass surveillance’ is the main focus of the Parliament’s current work. During the data collection phase, FRA used the Parliament’s definition to delineate the scope of FRANET’s research.

    The EP resolution refers to “far-reaching, complex and highly technologically advanced systems designed by US and some Member States’ intelligence services to collect, store and analyse communication data, including content data, location data and metadata of all citizens around the world, on an unprecedented scale and in an indiscriminate and non-suspicion-based manner” (Paragraph 1).

    This definition encompasses two essential aspects: first, a reference to a collection technique, and second, the distinction between targeted and untargeted collection.

    The report does not analyse the surveillance techniques themselves, but rather the legal frameworks that enable these techniques. For Member States that carry out signals intelligence, the focus of the analysis is on this capacity, and not on other intrusive capabilities the services may have (such as wiretapping).

    This report covers the work of intelligence services. It does not address the obligations of commercial entities which, willingly or not, provide intelligence services with the raw data that constitute Signals Intelligence (SIGINT), and are otherwise involved in the implementation of the surveillance programmes.16 The private sector’s role in surveillance requires a separate study.

    While the premise of this report is the existence of an interference, since the “secret monitoring of communications” interferes with privacy rights from a fundamental rights point of view,17 the report focuses on analysing the legal safeguards in place in the EU Member States’ legal frameworks, and therefore on their approaches to upholding fundamental rights.

    “Assuming therefore that there remains a legal right to respect for the privacy of digital communications (and this cannot be disputed (see General Assembly Resolution 68/167)), the adoption of mass surveillance technology undoubtedly impinges on the very essence of that right.” UN, Human Rights Council, Emmerson, B. (2014), para. 18

    The report’s analysis of EU Member States’ legal frameworks tries to keep law enforcement and intelligence services separate. By doing so, the report excludes the work of law enforcement from its scope, while recognising that making this division is not always easy.

    As stated by Chesterman, “Governments remain conflicted as to the appropriate manner of dealing with alleged terrorists, the imperative to detect and prevent terrorism will lead to ever greater cooperation between different parts of government”.18 The EP resolution recognises this and called on the Europol Joint Supervisory Body (JSB) to inspect whether information and personal data shared with Europol have been lawfully acquired by national authorities, particularly if the data were initially acquired by intelligence services in the EU or a third country.19

    The Snowden revelations have also shed light on cooperation between intelligence services. This issue, important for the oversight of intelligence services’ activities, has been addressed by the EP resolution (Paragraph 22), by oversight bodies,20 by the Venice Commission,21 and by academia.22

    This aspect, however, proved impossible to analyse in a comparative study, since, in the great majority of cases, cooperation agreements or modalities for transferring data are neither regulated by law nor public. This in itself creates a fundamental rights issue linked to the rule of law and, more particularly, regarding the importance of the existence of a law that is accessible to the public, as well as regarding the rules governing the transfer of personal data to third countries.

    Though this report could not deal with this aspect beyond referencing the lack of proper control by oversight bodies, it does raise important questions under relevant legal standards.

    Fundamental rights and safeguards

    A new wide-ranging EP resolution on mass surveillance in the “post Snowden” (and Schrems) era.

    Below is the provisional text voted yesterday, 29 October, by the European Parliament on mass surveillance and violation of the fundamental rights to privacy and data protection. The press has already highlighted that the EP voted by 285 to 281 to call on the member states to “drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistle-blower and international human rights defender”. Moreover, the EP calls on the Commission to give consideration to the impact of the Court of Justice Safe Harbor ruling of 6 October on any other instruments for the transfer of personal data to the US and to report on the matter by the end of 2015. Very rightly, the Strasbourg plenary acknowledges that the Court ruling “has confirmed the long-standing position of Parliament regarding the lack of an adequate level of protection under this instrument” so that the Commission has to “immediately take the necessary measures to ensure that all personal data transferred to the US are subject to an effective level of protection that is essentially equivalent to that guaranteed in the EU”.

    But here is the point: is bulk collection of personal data (as foreseen by several US practices agreed with the EU in the PNR and TFTP cases) not itself threatening the “essence” of data protection under EU law, as protected by Art. 52 of the EU Charter of Fundamental Rights, so that it is not negotiable even with a best friend and ally such as the USA?

    Passed by 342 votes to 274, with 29 abstentions, this is a center-left resolution where liberals and socialists voted together but (not surprisingly) EPP and ECR voted against. In this legislature, where socialists and conservatives have created a sort of “grosse Koalition”, the text risks being only a political gesture before public opinion if it is not followed by consistent votes on the legally binding texts currently on the EP table, such as the data protection reform or the transatlantic negotiations on the so-called “umbrella agreement” and on “Safe Harbor”.

    Moreover, even though the text criticizes the European Commission as “inadequate” and evokes the possibility of a “failure to act” action against it, it does not trigger one. The risk is then that this very inspired and solid text remains a toothless tiger. The coming weeks will show whether this tiny majority is confirmed when the post-Lisbon data protection reform is voted on.

    Emilio De Capitani

    European Parliament resolution of 29 October 2015 on the follow-up to the EP resolution of 12 March 2014 on the electronic mass surveillance of EU citizens (2015/2635(RSP))

    The law enforcement challenges of cybercrime: are we really playing catch-up?

    FULL STUDY (68 pages) ACCESSIBLE HERE

    Abstract : This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. With a number of high-profile criminal cases, such as ‘Silk Road’, cybercrime has been very much in the spotlight in recent years, both in Europe and elsewhere. While this study shows that cybercrime poses significant challenges for law enforcement, it also argues that the key cybercrime concern for law enforcement is legal rather than technical and technological. The study further underlines that the European Parliament is largely excluded from policy development in the field of cybercrime, impeding public scrutiny and accountability. AUTHOR(S): Dr. Ben Hayes, Dr. Julien Jeandesboz, Dr. Francesco Ragazzi, Dr. Stephanie Simon, and Prof. Valsamis Mitsilegas.

    EXECUTIVE SUMMARY

    Cybercrime has become one of the key priorities for EU law enforcement agencies, as demonstrated by the establishment of the European Cybercrime Centre (EC3) in January 2013 and the development of specific European threat assessment reports in this field. High-profile criminal investigations such as the ‘Silk Road’ case, major data breaches or particularly nefarious hacks or malware attacks have been very much in the spotlight and widely reported in the media, prompting discussions and debates among policymakers and in law enforcement circles. Over the last few months, the cybercrime debate has specifically evolved around the issue of encryption and anonymisation.

    In this context, this Study argues that debates on the law enforcement challenge of cybercrime in the EU should steer clear both of doomsday scenarios that overstate the problem and scepticism that understates it, and that the key cybercrime concern for law enforcement is legal in nature rather than simply technical and technological. Indeed, the Study finds that the key challenge for law enforcement is the lack of an effective legal framework for operational activities that guarantees the fundamental rights principles enshrined in EU primary and secondary law.

    In order to address this core argument, this Study starts by analysing claims and controversies over the Internet ‘going dark’ on law enforcement (Section 2). It shows that these claims have been made for quite some time and should be considered as moral panics rather than accurate reflections of the challenges posed by cybercrime to law enforcement. Moreover, current controversies rehash older ones, conflating law enforcement concerns with intelligence-gathering and surveillance concerns. Without denying the fact that criminal activities do take place online, pose technical difficulties to law enforcement services and require the availability of specific capabilities, this section demonstrates that these difficulties do not impede criminal investigation to such an extent that exceptional means should be envisaged. While these technical aspects need to be considered, they raise issues related to policy and law rather than technology as such. The policy and law-related challenges are made greater by the fact that defining cybercrime is not an easy task. Very broad definitions have been adopted at the EU level, often leading to overlapping and sometimes conflicting mandates.

    Section 3 thus analyses the institutional architecture of EU cybercrime policy. It shows that the complexity of cybercrime measures and the expansive mandates and number of actors involved in their implementation make it difficult to ascertain and circumscribe the full scope of EU cybercrime policy. Whereas the Council of Europe (CoE) sought to codify cybercrime powers into an international convention, much of the EU’s policy to fight cybercrime is based on non-legislative measures, including operational cooperation and ad hoc public-private partnerships. Furthermore, important distinctions and restrictions designed to ensure a ‘separation of powers’ between state agencies concerned with law enforcement (cyber-policing), civil protection (cybersecurity), national security (cyber-espionage) and military force (offensive cyber capabilities) are harder to distinguish in the area of cybercrime, at both national and EU level. Section 3 underlines that, within this complex architecture, and with the blurring of the boundaries between those responsible for policing the Internet, for gathering intelligence from it, for conducting cyber-espionage against foreign targets, and for ensuring the safety of critical internet infrastructure, the European Parliament and civil society are largely excluded from policy development, impeding public scrutiny and accountability. This compounds the EP’s existing problems in ensuring that fundamental rights and data protection are diligently protected in the area of justice and home affairs.

    In light of these gaps in oversight and accountability, Section 4 analyses in particular the challenge of jurisdiction, cooperation and fundamental rights safeguards. This section argues that operational challenges in cybercrime law enforcement do not change the obligation of EU institutions and Member States to ensure the safeguarding of EU fundamental rights in any operating framework of internal or transnational cooperation in law enforcement and criminal justice. Cybercrime law enforcement frequently cites the challenge of accessing and transferring data through existing Mutual Legal Assistance agreements. Yet practices taken outside of established legal channels cannot guarantee rights protections and run the risk of raising mistrust in the general public, the private sector and in transatlantic relations. Furthermore, across the spectrum of cybercrime prevention, investigation, and prosecution, the particular geography of the digital environment is said to complicate the traditional territorial foundations of law. Law enforcement bodies make continuous reference to the ways in which traditional legal structures stand in the way of operations. However, an updated legal framework designed to overcome these challenges should foreground fundamental rights concerns, which are essential to ensure due process and a necessary condition for the successful prosecution of cybercriminal offences.

    In light of these findings, the Study concludes with key recommendations for the European Parliament.

    In particular, to ensure that the Parliament is not marginalised altogether with respect to the implementation and review of EU cybercrime policies by the exercise of delegated powers, EU agency discretion and non-legislative decision-making bodies, further monitoring of EU council structures, Europol and international cooperation agreements is required (Recommendation 1).

    Moreover, the EP should ensure that the development of any cooperation/information-sharing framework guarantees the respect of fundamental rights (Recommendation 2).

    In light of the current discussions on a revised CoE Cybercrime Convention, the European Parliament should, further, ensure that the Convention’s obligations are consistent with EU law and fundamental rights protections (Recommendation 3).

    The EP must also ensure that cybercrime is not used as a justification to undermine new information security protocols and the right to privacy in telecommunications, both of which are fundamental components of the functioning of the Internet (Recommendation 4).

    Finally, if European law enforcement agencies need to keep pace with technological change, it is imperative that training courses on cybercrime forensics and digital evidence include an applied fundamental rights component (Recommendation 5).


    Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses

    FULL STUDY (152 pages) ACCESSIBLE HERE

    This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. It sets out to develop a better understanding of the main cybersecurity threats and existing cybersecurity capabilities in the European Union and the United States. The study further examines transnational cooperation and explores perceptions of the effectiveness of the EU response, pinpointing remaining challenges and suggesting avenues for improvement. AUTHORS : Dr Nicole van der Meulen, Eun A Jo and Stefan Soesanto (RAND Europe)

    EXECUTIVE SUMMARY

    The European Commission published the European Union Cyber Security Strategy along with the accompanying proposal for a Network and Information Security (NIS) Directive in 2013. Since the proposal was published, the cybersecurity landscape has continued to evolve, leading to questions regarding the nature and seriousness of the cyberthreats faced by the European Union (EU), the capabilities of Member States to manage these threats and respond to incidents, and the effectiveness of these capabilities. At the time of writing, discussions about the content and scope of the proposed NIS Directive are continuing. This study of cybersecurity threats in the EU was commissioned by the European Parliament (EP). It has five objectives:

    • To identify key cyberthreats facing the EU and the challenges associated with their identification.
    • To identify the main cybersecurity capabilities in the EU.
    • To identify the main cybersecurity capabilities in the United States (US).
    • To assess the current state of transnational cooperation.
    • To explore perceptions of the effectiveness of the current EU response.

    Defining cybersecurity

    Any study of cybersecurity must reflect on the challenges introduced by the different meanings of the term. There is no consensus on a standard or universally accepted definition of cybersecurity. The term cybersecurity has roots in information security but is now used to refer to a broader range of issues, linked to national security. The observation that cybersecurity means different things to different people is not without its consequences. How the issue is framed influences what constitutes a threat as well as what counter-measures are needed and justified.

    Mapping cybersecurity threats

    The study team’s analysis of six threat assessments[1] and an existing meta-analysis carried out by Gehem et al. (2015) highlight the difficulty with systematically comparing threat assessments and gauging the reliability of data and findings on the basis of which threat assessments are conducted. The challenge rests in part in the absence of a commonly accepted definition of what constitutes a threat and the variation in the methodology and metrics used for threat assessments. Moreover, some threat assessments reference or are based on other threat assessments, rather than original sources, leading to potential duplication of findings and lack of clarity about the evidence underlying threat assessments. As a result, there is no clearly established framework to classify and map threats.

    The study team created a framework for mapping threats. The framework distinguishes:

    • Threat actors: states, profit-driven cybercriminals, and hacktivists and extremists.
    • Threat tools: malware and its variants, such as (banking) Trojans, ransomware, point-of-sale malware, botnets and exploits.
    • Threat types: unauthorised access, destruction, disclosure, modification of information and denial of service.

    The mapping of the cyberthreat landscape through the review of the six threat assessments was complemented by a discussion on the varying perceptions of the severity of threats and the concept of ‘threat inflation’.

    Cybersecurity capabilities in the EU

    To respond to the evolving threat in the area of cybersecurity, the EU has aimed to provide an overarching response through the publication of the EU Cyber Security Strategy together with the proposed NIS Directive. The Strategy identifies five objectives including:

    • Achieving cyberresilience.
    • Drastically reducing cybercrime.
    • Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP).
    • Developing the industrial and technological resources for cybersecurity.
    • Establishing a coherent international cyberspace policy for the EU and promote core EU values.

    This study focuses on providing a descriptive overview of capabilities for the first three objectives. Capabilities for the purposes of this study have been operationalised as institutional structures, such as agencies and departments.

    • In the area of cyberresilience, the European Network and Information Security Agency (ENISA) is the primary player at the EU level. ENISA is tasked with addressing the existing fragmentation in the European approach to cybersecurity, namely by bridging the capability gaps of its Member States. In the cybercrime domain, the European Cyber Crime Centre (EC3) serves as a European cybercrime platform. Besides combatting cybercrime, EC3 also gathers cyberintelligence and serves as an intermediary among various stakeholders, such as law enforcement authorities, Computer Emergency Response Teams (CERTs), industry and academia.
    • In the area of cyberdefence, the European Defence Agency (EDA) supports the capability development necessary to implement the Strategy. Its most apparent activities remain in research and development and designing a common crisis response platform. Given that foreign and defence policies have conventionally been areas of domestic competence, it is understandable that EU-wide cyberdefence capabilities have developed at a different pace compared to the other two objectives, cyberresilience and cybercrime.

    Cybersecurity capabilities in the US

    Cybercapabilities in the US are challenging to map in a comprehensive manner. The tendency to layer initiatives and agencies makes navigating the different components difficult. For the purposes of a high-level comparison with the EU cyber capabilities, the study focuses on key institutional players and their roles in relation to three strategic priorities: cyberresilience, cybercrime and cyberdefence.

    • In the area of cyberresilience, the Department of Homeland Security (DHS) is the formal leader. The DHS is responsible for securing federal civilian government networks, protecting critical infrastructure and responding to cyberthreats.
    • In the area of cybercrime, the US has not designated any lead investigative agency. Instead, numerous federal law enforcement agencies combat cybercrime in their own capacity. These include the US Secret Service (USSS) and the US Immigration and Customs Enforcement (ICE) Cyber Crimes Center, which are both agencies within the DHS. The Federal Bureau of Investigation (FBI)’s cyberdivision is also involved.
    • In cyberdefence, the Department of Defence (DoD) plays a leading role. It is readily apparent from the DoD’s multiple publications that the US has become more open about its capabilities and willing to name its adversaries. The DoD is also increasingly encompassing in its response to cyberthreats over time, investing in both defensive as well as offensive cybercapabilities, as detailed in its cyberdefence strategy published in April 2015. Commentators note that deterrence is a key characteristic of the US cyberdefence strategy.

    Transnational cooperation

    The necessity to engage in transnational cooperation to counter the complex challenge posed by cybercrime is widely recognised both inside and outside the EU. Transnational cooperation exists at both the strategic and the operational level. The EU-US Working Group on Cybersecurity and Cybercrime is an example of strategic cooperation and is the first transatlantic dialogue to tackle common challenges in the area of cybercrime and cybersecurity. On an operational level, transnational cooperation has manifested through a range of activities, from botnet takedown to disruption of underground forums.

    Challenges, however, remain in the area of combatting cybercrime as identified by the study team through the interviews. Mutual Legal Assistance Treaties (MLATs) are widely regarded as outdated and obstacles to effective and timely information sharing. Further, the importance of acquiring data for investigations is debated among law enforcement agencies and civil society groups. Deconfliction – avoiding the duplication or conflict of efforts – is another challenge. Due to the involvement of various stakeholders, cooperation is essential to avoid potentially disrupting others’ efforts. The draft Europol Regulation contains provisions that interviewees have reported could complicate the attainment of information from the private sector, possibly obstructing future operations.[2]

    Effectiveness of the EU response

    Ideally, capabilities respond directly to threats and the effectiveness of the EU response can be measured by noticeable changes in the threat landscape. However, such an assessment is not feasible; there is not enough information available in the public domain and measurement problems persist. Moreover, the EU response is still very much in development and geared towards addressing fragmentation in its approach to cybersecurity, as well as the approach taken by the 28 Member States. This consists of harmonising strategies and standards and coordinating regulatory interventions, as well as facilitating (or more precisely, requiring) information sharing and gap closures between Member States. Due to the inherently relative nature of cybersecurity and the challenges associated with attaining cyberresilience, it is difficult to state whether the new initiatives have been successful. Given these challenges to measuring effectiveness, the study team explored perceptions about the effectiveness of the EU response based on existing commentary and supplemented with interviewees’ responses.
     
    The first key finding in relation to the perceived effectiveness of the EU response is that while there is still fragmentation, there is also discernible improvement. Particularly noteworthy is the strategic cooperation agreement between ENISA and EC3, which aims to facilitate closer cooperation and the exchange of expertise. However, questions remain about fragmentation, especially with respect to the proposed NIS Directive. Various points of dissension remain as the trilogue negotiations between the European Commission, European Parliament and the Council of the European Union continue. Moreover, fragmentation is notable not only in terms of operational capabilities but also in terms of Member States’ understanding of the cyberdomain. Bridging these gaps will therefore require technical support as well as strategic guidance.

    The second finding is that differences in opinion persist as to whether the overall approach to cybersecurity should be voluntary and informal or mandatory and formal. For example, the CERT community, which has conventionally relied on voluntary participation and cooperation between private and public entities, appears less willing to move to a system in which information sharing is mandatory. In contrast, other security agencies favour law enforcement and support more stringent requirements, for instance in information sharing, as they believe voluntary reporting has failed.

    Third, as the new approach proposed through the Strategy and the draft NIS Directive is largely regulatory in nature, the issue of scope – in terms of the entities formally included as having a role in cybersecurity – is heightened and contested. One issue is whether Internet service providers (ISPs) should be included. These scoping challenges are likely to exacerbate existing contentions surrounding the NIS Directive and call into question whether the present regulatory approach is appropriate to secure European cyberspace.

    Policy options

    Based on this study’s findings the research team suggests the following policy options for the European Parliament’s consideration in terms of EU action on cybersecurity. Each option is elaborated in the Conclusion.

    1. Encourage ENISA, EC3 and others involved in European cyberthreat assessments to investigate further harmonisation of threat assessments, which can effectively incorporate information from Member States and other EU agencies and provide clearer indications of the evidence base for the assessment. This recommendation follows from the findings from the review of threat assessments undertaken for this study.
    2. Make use of existing structures as much as possible. One of the concerns identified by the study team – from a review of existing literature and in interviews with experts – was the tendency of the Commission to develop new structures and exclude existing initiatives and agencies.
    3. Consider reinserting law enforcement in the Network and Information Security (NIS) Directive. The attempt to overcome fragmentation at the EU level is hampered by the exclusion of law enforcement from provisions in the proposed NIS Directive.
    4. Ensure Europol has speedy and more direct access to information from the private sector. Speedy access to relevant information from the private sector is essential for Europol to combat transnational cybercrime. There is potential for this access to be hindered by having to go through the Member States, which may reduce the effectiveness of Europol’s operations, especially as Europol cooperates with partners at the transnational level.
    5. Assess what capability gaps actually exist between the Member States and measure progress. Despite the claims about gaps between Member States, our research suggests that there is very little empirical evidence to indicate which States are more advanced than others and in what areas. To improve this situation and to develop a better understanding of these gaps, ranking Member States and identifying areas of improvement could be made more explicit.


    NOTES

    [1] ACSC: Threat Report; BSI: State of IT Security Germany; ENISA: Threat Landscape (ETL); Europol: Internet Organised Crime Threat Assessment (iOCTA); NCSC: Cyber Security Threat Assessment the Netherlands (CSAN); Verizon: Data Breach Investigations Report (DBIR).
    [2] European Parliament. 2014b. Legislative resolution of 25 February 2014 on the proposal for a regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA. P7_TA(2014)0121 (COM(2013)0173 – C7-0094/2013 – 2013/0091(COD)). As of 12 October 2015: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0121&language=EN&ring=A7-2014-0096

     

    “Foreign Fighters” and EU implementation of the UNSC resolution 2178. Another case of “Legislate in haste, repent at leisure…” ? (2)

    by Dalila DELORENZI (FREE Group Trainee – Original in Italian)

    1. Foreword
    As the hostilities in Syria and Iraq continue and terrorism activities worldwide seem to be on the rise, EU Member States are increasingly confronted with the problem of aspiring and returning ‘foreign fighters’ as described already in this blog HERE. More precisely, in the EU the term is used to indicate European citizens who, after leaving to join jihadist groups, may have become further radicalised and acquired combat experience, and therefore be capable of carrying out deadly terrorist attacks once they return to Europe.

    Such a phenomenon is anything but new; however, its scale certainly is: as illustrated by the rise of the terrorist group calling itself “Islamic state”, the phenomenon has acquired an entirely new dimension – according to EU intelligence sources, 19% of the total fighters originated from the EU.

    This explains the widespread perception of these individuals as a serious threat to the security of both individual Member States and the EU as a whole – especially in the aftermath of the recent terrorist attacks that occurred in Brussels[1], Paris[2], Copenhagen[3].

    Broadly speaking, a different way to envision human mobility and checks at the external borders of Schengen has come to light. Whereas initially they were conceived to protect the Schengen area from threats coming from countries outside the Schengen zone, now the threat to security is deemed to be already inside the EU, due to the fact that most of the time militants returning to Europe possess the nationality of a Member State.

    2. EU response

    Some notes on the relations between UNSC Resolution 2240 (2015) fighting smugglers in Mediterranean and the EUNAVFOR Med “Sophia” operation

    by Isabella Mercone  (Free Group Trainee – Original Version in Italian)

    1. INTRODUCTION

    On 9 October 2015, the Security Council of the United Nations adopted Resolution 2240 (2015), authorizing Member States to intercept vessels off the Libyan coast suspected of migrant smuggling.

    The resolution was adopted in a short time, without much discussion and ahead of schedule, with 14 votes in favour and just one abstention (Venezuela). “Incredible!” – Someone could say – “For once, the Security Council succeeded in adopting a resolution on time.” However, the truth is that the adopted resolution is not the one imagined in May by the High Representative for Foreign Affairs and Security Policy of the European Union, Federica Mogherini, when operation EUNAVFOR Med was launched. But let’s go one step at a time: let’s see first where the idea of EUNAVFOR Med came from and what its goal is, and let’s try to understand why the EU should have required a resolution by the Security Council, allowing it to intervene in the Mediterranean and dismantle the smuggling of migrants.

    2. THE OPERATION EUNAVFOR MED (now renamed “SOPHIA”)


    EU-US Umbrella Data Protection Agreement : Detailed analysis by Douwe Korff

    14 October 2015 (NOTA BENE : This text is more than 60 pages)

    by Douwe KORFF (FREE GROUP MEMBER)

    About the Fundamental Rights Europe Expert Group (FREE): The Fundamental Rights European Experts Group (FREE Group : http://www.free-group.eu) is a Belgian non-governmental organisation (Association Sans But Lucratif (ASBL)) registered at the Belgian Moniteur: Number 304811. According to Articles 3 and 4 of its Statute (see below *), the association's focus is on monitoring, teaching and advocating in the European Union freedom, security and justice related policies. In the same framework we also follow the EU actions in protecting and promoting EU values and fundamental rights in the Member States as required by Articles 2, 6 and 7 of the Treaty on the European Union (risk of violation by a Member State of EU founding values).

    About the author: Douwe Korff is a Dutch comparative and international law expert on human rights and data protection. He is Emeritus Professor of International Law, London Metropolitan University; Associate, Oxford Martin School, University of Oxford (Global Cybersecurity Capacity Centre); Fellow, Centre for Internet & Human Rights, University of Viadrina, Frankfurt/O and Berlin; and Visiting Fellow, Yale University (Information Society Project).

    Acknowledgments: The author would like to express his thanks to Mme. Marie Georges and Prof. Steve Peers, members of FREE Group, for their very helpful comments on and edits of the draft of this Note.

    OVERALL CONCLUSIONS

    We believe the following aspects of the Umbrella Agreement violate, or are likely to lead to violations of, the Treaties and the EU Charter of Fundamental Rights:

    1. The Umbrella Agreement appears to allow the “sharing” of data sent by EU law enforcement agencies to US law enforcement agencies with US national security agencies (including the FBI and the US NSA) for use in the latter’s mass surveillance and data mining operations; as well as the “onward transfer” of such data to “third parties”, including national security agencies of yet other (“third”) countries, which the Agreement says may not be subjected to “generic data protection conditions”;
    2. The Umbrella Agreement does not contain a general human rights clause prohibiting the “sharing” or “onward transfers” of data on EU persons, provided subject to the Agreement, with or to other agencies, in the USA or elsewhere, in circumstances in which this could lead to serious human rights violations, including arbitrary arrest and detention, torture or even extrajudicial killings or “disappearances” of the data subjects (or others);
    3. The Umbrella Agreement does not provide for equal rights and remedies for EU- and US nationals in the USA; but worse, non-EU citizens living in EU Member States who are not nationals of the Member State concerned – such as Syrian refugees or Afghan or Eritrean asylum-seekers, or students from Africa or South America or China – and non-EU citizens who have flown to, from or through the EU and whose data may have been sent to the USA (in particular, under the EU-US PNR Agreement), are completely denied judicial redress in the USA under the Umbrella Agreement.

    In addition:

    1. The Umbrella Agreement in many respects fails to meet important substantive requirements of EU data protection law;
    2. The Umbrella Agreement also fails to meet important requirements of EU data protection law in terms of data subject rights and data subjects’ access to real and effective remedies; and
    3. In terms of transparency and oversight, too, the Umbrella Agreement falls significantly short of fundamental European data protection and human rights requirements.

    The Agreement should therefore, in our view, not be approved by the European Parliament in its present form.

    FULL TEXT OF THE ANALYSIS 

    1. Introduction / Background


    UNSC RESOLUTION 2240(2015) (NB: fighting smugglers and traffickers in the Mediterranean Sea)

    NOTA BENE : After UNSC Resolution 2178(2014) on Foreign Fighters, aiming to address a problem raised notably by the EU, UNSC Resolution 2240(2015) now paves the way for a strengthened EU intervention against smugglers and traffickers in the South Mediterranean, currently conducted in the framework of the Operation EUNAVFOR-Sophia. Emphasis has been added to the original text and comment will follow in the coming days.

    UNITED NATIONS 

    Resolution 2240(2015) Adopted by the Security Council at its 7531st meeting, on 9 October 2015

    The Security Council,

    Recalling its press statement of 21 April on the maritime tragedy in the Mediterranean Sea,

    Reaffirming its strong commitment to the sovereignty, independence, territorial integrity and national unity of Libya,

    Recalling that international law, as reflected in the United Nations Convention on the Law of the Sea of 10 December 1982, sets out the legal framework applicable to activities in the ocean,

    Reaffirming also the United Nations Convention against Transnational Organized Crime (UNTOC Convention) and its Protocol against the Smuggling of Migrants by Land, Air and Sea, as the primary international legal instruments to combat the smuggling of migrants and related conduct, and the Protocol to Prevent, Suppress and Punish Trafficking in Persons, Especially Women and Children, supplementing the UNTOC Convention, as the primary international legal instruments to combat trafficking in persons,

    Underlining that, although the crime of smuggling of migrants may share, in some cases, some common features with the crime of trafficking in persons, Member States need to recognise that they are distinct crimes, as defined by the UNTOC Convention and its Protocols, requiring differing legal, operational, and policy responses,

    Deploring the continuing maritime tragedies in the Mediterranean Sea that have resulted in hundreds of casualties, and noting with concern that such casualties were, in some cases, the result of exploitation and misinformation by transnational criminal organisations which facilitated the illegal smuggling of migrants via dangerous methods for personal gain and with callous disregard for human life,

    Expressing grave concern at the recent proliferation of, and endangerment of lives by, the smuggling of migrants in the Mediterranean Sea, in particular off the coast of Libya and recognizing that among these migrants may be persons who meet the definition of a refugee under the 1951 Convention relating to the Status of Refugees and the 1967 Protocol thereto,

    Emphasizing in this respect that migrants, including asylum-seekers and regardless of their migration status, should be treated with humanity and dignity and that their rights should be fully respected, and urging all States in this regard to comply with their obligations under international law, including international human rights law and international refugee law, as applicable, stressing also the obligation of States, where applicable, to protect the human rights of migrants regardless of their migration status, including when implementing their specific migration and border security policies,

    Reaffirming in this respect the need to promote and protect effectively the human rights and fundamental freedoms of all migrants, regardless of their migration status, especially those of women and children, and to address international migration through international, regional or bilateral cooperation and dialogue and through a comprehensive and balanced approach, recognizing the roles and responsibilities of countries of origin, transit and destination in promoting and protecting the human rights of all migrants, and avoiding approaches that might aggravate their vulnerability,

    Further recalling the International Convention for the Safety of Life at Sea and the International Convention on Maritime Search and Rescue,

    Expressing further concern that the situation in Libya is exacerbated by the smuggling of migrants and human trafficking into, through and from the Libyan territory, which could provide support to other organised crime and terrorist networks in Libya,

    Mindful of its primary responsibility for the maintenance of international peace and security under the Charter of the United Nations,

    Underlining the primary responsibility of the Libyan Government to take appropriate action to prevent the recent proliferation of, and endangerment of lives by, the smuggling of migrants and human trafficking through the territory of Libya and its territorial sea,

    Mindful of the need to support further efforts to strengthen Libyan border management, considering the difficulties of the Libyan Government to manage effectively the migratory flows in transit through Libyan territory, and noting its concern for the repercussions of this phenomenon on the stability of Libya and of the Mediterranean region,

    Welcoming support already provided by the most concerned Member States, including Member States of the European Union (EU), taking into account inter alia the role of FRONTEX and the specific mandate of EUBAM Libya in support of the Libyan Government, and by neighbouring States,

    Acknowledging the European Council statement of 23 April 2015 and the press statement of the African Union Peace and Security Council of 27 April, which underlined the need for effective international action to address both the immediate and long-term aspects of human trafficking towards Europe,

    Taking note of the Decision of the Council of the European Union of 18 May 2015 setting up ‘EUNAVFOR Med’ which underlined the need for effective international action to address both the immediate and long-term aspects of migrant smuggling and human trafficking towards Europe,

    Taking further note of the ongoing discussions between the EU and the Libyan Government on migration related issues,

    Expressing also strong support to the States in the region affected by the smuggling of migrants and human trafficking, and emphasizing the need to step up coordination of efforts in order to strengthen an effective multidimensional response to these common challenges in the spirit of international solidarity and shared responsibility, to tackle their root causes and to prevent people from being exploited by migrant smugglers and human traffickers,

    Acknowledging the need to assist States in the region, upon request, in the development of comprehensive and integrated regional and national strategies, legal frameworks, and institutions to counter terrorism, transnational organised crime, migrant smuggling, and human trafficking, including mechanisms to implement them within the framework of States’ obligations under applicable international law,

    Stressing that addressing both migrant smuggling and human trafficking, including dismantling smuggling and trafficking networks in the region and prosecuting migrant smugglers, and human traffickers requires a coordinated, multidimensional approach with States of origin, of transit, and of destination, and further acknowledging the need to develop effective strategies to deter migrant smuggling and human trafficking in States of origin and transit,

    Emphasizing that migrants should be treated with humanity and dignity and that their rights should be fully respected, and urging all States in this regard to comply with their obligations under international law, including international human rights law and international refugee law, as applicable,

    Bearing in mind the obligations of States under applicable international law to exercise due diligence to prevent and combat migrant smuggling and human trafficking, to investigate and punish perpetrators, to identify and provide effective assistance to victims of trafficking and migrants and to cooperate to the fullest extent possible to prevent and suppress migrant smuggling and human trafficking,

    Affirming the necessity to put an end to the recent proliferation of, and endangerment of lives by, the smuggling of migrants and trafficking of persons in the Mediterranean Sea off the coast of Libya, and, for these specific purposes, acting under Chapter VII of the Charter of the United Nations,

    1. Condemns all acts of migrant smuggling and human trafficking into, through and from the Libyan territory and off the coast of Libya, which undermine further the process of stabilisation of Libya and endanger the lives of thousands of people;
    1. Calls on Member States acting nationally or through regional organisations, including the EU, to assist Libya, upon request, in building needed capacity including to secure its borders and to prevent, investigate and prosecute acts of smuggling of migrants and human trafficking through its territory and in its territorial sea; in order to prevent the further proliferation of, and endangerment of lives by, the smuggling of migrants and human trafficking into, through and from the territory of Libya and off its coast;
    1. Urges Member States and regional organisations, in the spirit of international solidarity and shared responsibility, to cooperate with the Libyan Government, and with each other, including by   sharing   information about acts of migrant smuggling and human trafficking in Libya’s territorial sea and on the high seas off the coast of Libya, and rendering assistance to migrants and victims of human trafficking recovered at sea, in accordance with international law;
    1. Urges States and regional organisations whose naval vessels and aircraft operate on the high seas and airspace off the coast of Libya, to be vigilant for acts of migrant smuggling and human trafficking, and in this context, encourages States and regional organisations to increase and coordinate their efforts to deter acts of migrant smuggling and human trafficking, in cooperation with Libya;
    2. Calls upon Member States acting nationally or through regional organisations that are engaged in the fight against migrant smuggling and human trafficking to inspect, as permitted under international law, on the high seas off the coast of Libya, any unflagged vessels that they have reasonable grounds to believe have been, are being, or imminently will be used by organised criminal enterprises for migrant smuggling or human trafficking from Libya, including inflatable boats, rafts and dinghies;
    1. Further calls upon such Member States to inspect, with the consent of the flag State, on the high seas off the coast of Libya, vessels that they have reasonable grounds to believe have been, are being, or imminently will be used by organised criminal enterprises for migrant smuggling or human trafficking from Libya;
    1. Decides, with a view to saving the threatened lives of migrants or of victims of human trafficking on board such vessels as mentioned above, to authorise, in these exceptional and specific circumstances, for a period of one year from the date of the adoption of this resolution, Member States, acting nationally or through regional organisations that are engaged in the fight against migrant smuggling and human trafficking, to inspect on the high seas off the coast of Libya vessels that they have reasonable grounds to suspect are being used for migrant smuggling or human trafficking from Libya, provided that such Member States and regional organisations make good faith efforts to obtain the consent of the vessel’s flag State prior to using the authority outlined in this paragraph;
    1. Decides to authorise for a period of one year from the date of the adoption of this resolution, Member States acting nationally or through regional organisations to seize vessels inspected under the authority of paragraph 7 that are confirmed as being used for migrant smuggling or human trafficking from Libya, and underscores that further action with regard to such vessels inspected under the authority of paragraph 7, including disposal, will be taken in accordance with applicable international law with due consideration of the interests of any third parties who have acted in good faith;
    1. Calls upon all flag States involved to cooperate with respect to efforts under paragraphs 7 and 8, and decides that Member States acting nationally or through regional organisations under the authority of those paragraphs shall keep flag States informed of actions taken with respect to their vessels, and calls upon flag States that receive such requests to review and respond to them in a rapid and timely manner;
    1. Decides to authorise Member States acting nationally or through regional organisations to use all measures commensurate to the specific circumstances in confronting migrant smugglers or human traffickers in carrying out activities under paragraphs 7 and 8 and in full compliance with international human rights law, as applicable, underscores that the authorizations in paragraph 7 and 8 do not apply with respect to vessels entitled to sovereign immunity under international law, and calls upon Member States and regional organisations carrying out activities under paragraphs 7, 8 and this paragraph, to provide for the safety of persons on board as an utmost priority and to avoid causing harm to the marine environment or to the safety of navigation;
    1. Affirms that the authorisations provided in paragraphs 7 and 8 apply only with respect to the situation of migrant smuggling and human trafficking on the high seas off the coast of Libya and shall not affect the rights or obligations or responsibilities of Member States under international law, including any rights or obligations under UNCLOS, including the general principle of exclusive jurisdiction of a flag State over its vessels on the high seas, with respect to any other situation, and further affirms that the authorisation provided in paragraph 10 applies only in confronting migrant smugglers and human traffickers on the high seas off the coast of Libya;
    1. Underscores that this resolution is intended to disrupt the organised criminal enterprises engaged in migrant smuggling and human trafficking and prevent loss of life and is not intended to undermine the human rights of individuals or prevent them from seeking protection under international human rights law and international refugee law;
    1. Emphasises that all migrants, including asylum-seekers, should be treated with humanity and dignity and that their rights should be fully respected, and urges all States in this regard to comply with their obligations under international law, including international human rights law and international refugee law, as applicable;
    1. Urges Member States and regional organisations acting under the authority of this resolution to have due regard for the livelihoods of those engaged in fishing or other legitimate activities;
    1. Calls upon all States, with relevant jurisdiction under international law and national legislation, to investigate and prosecute persons responsible for acts of migrant smuggling and human trafficking at sea, consistent with States’ obligations under international law, including international human rights law and international refugee law, as applicable;
    1. Calls for Member States to consider ratifying or acceding to, and for States Parties to effectively implement the Protocol against the Smuggling of Migrants by Land, Sea and Air, supplementing the United Nations Convention against Transnational Organized Crime, as well as the Protocol to Prevent, Suppress and Punish Trafficking in Persons, Especially Women and Children;
    1. Requests States utilising the authority of this resolution to inform the Security Council within three months of the date of adoption of this resolution and every three months thereafter on the progress of actions undertaken in exercise of the authority provided in paragraphs 7 to 10 above;
    1. Requests the Secretary-General to report to the Security Council eleven months after the adoption of this resolution on its implementation, in particular with regards to the implementation of paragraphs 7 to 10 above;
    1. Expresses its intention to review the situation and consider, as appropriate, renewing the authority provided in this resolution for additional periods;
    1. Decides to remain seized of the matter.

    SCHREMS CASE : The Essence of Privacy, and Varying Degrees of Intrusion

    ORIGINAL PUBLISHED IN VERFASSUNGSBLOG ON Wed 7 Oct 2015

    This brief comment will address the 6 October 2015 CJEU Grand Chamber ruling in Max Schrems, asking what it tells us about the status of two fundamental rights in the EU legal order, namely the right to the respect for private life (privacy) and the right to the protection of personal data (EU Charter of Fundamental Rights, Articles 7 and 8, respectively). The ruling must be read together with the 8 April 2014 ruling in Digital Rights Ireland where Articles 7 and 8 were discussed side by side.

    Although the Max Schrems ruling contains many references to personal data, it does not really discuss the right to the protection of personal data as a distinct fundamental right. Article 8 of the Charter is mentioned in the dispositive part of the ruling but not for instance in what I would call the main finding by the Court which refers only to Article 7:

    In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter…

    The outcome of the case – declaring the Commission’s Safe Harbor Decision 2000/52 invalid – flows from this finding of a breach of the essence of the right to privacy when we are dealing with indiscriminate blanket access to data. In Digital Rights Ireland the CJEU had already indicated (paras. 39-40) that blanket access to ‘content’ would trigger the application of the essence clause in Article 52 (1.1) of the Charter, while surveillance, even indiscriminate mass surveillance, based on even complex use of various categories of metadata amounted to a “particularly serious interference” (Digital Rights Ireland, para. 65) with fundamental rights but did not trigger the application of the essence clause. The Court’s distinction between ‘content’ and ‘metadata’ can be criticized, and it was indeed relativised by the Court itself in Digital Rights Ireland (para. 27).

    What is now remarkable in Max Schrems is that

    a) the Court actually identified the intrusion in question as falling under the notion of the essence of privacy – something the European Court of Human Rights has never done under the privacy provision of ECHR Article 8, and

    b) the identification of an intrusion as compromising the essence of privacy meant that there was no need for a proportionality assessment under Article 52 (1.2) of the Charter.

    This can be contrasted with the Digital Rights Ireland judgment (para. 69) where the final outcome was based on the application of a proportionality test. For these reasons, the Max Schrems judgment is a pathbreaking development, a major contribution to the understanding of the structure and legal effect of fundamental rights under the Charter. Digital Rights Ireland indicated where the path would go, and now the Court actually went that way.

    An equally important contribution is documented in the same paragraph, namely that mere “access” to communications by public authorities constitutes an interference. Notably, Article 8 (2) of the Charter uses the notion of “processing” when defining the fundamental right to the protection of personal data. Until the Max Schrems ruling, surveillance advocates might have enjoyed some credibility with their claims that mere access does not amount to processing, and therefore mere access to the flow of communications does not amount to an intrusion until the automated selectors and algorithms have done their job and the human eye starts to “process” a much narrower set of data. Now we know that mere access is an intrusion into privacy, and even into the essence of privacy when it provides for indiscriminate access to ‘content’.

    This gives rise to the next question, whether the Max Schrems rationale will only apply to the “transfer” of data from Europe to “servers” in the United States. This was the factual basis of the case, as reflected in paragraphs 2 and 31. The CJEU was asked a question about data transfers from Europe to Facebook servers in the US under the Safe Harbor arrangement, and it responded to that question. It did not address the scenario of “upstream” access to data flows through the splitting of fiber-optic cables to obtain generic access to all data that passes through transatlantic cables just because the Internet is built in the way that a lot of traffic ends up going through those cables. It would indeed be difficult to bring a case to the CJEU that would address this scenario.

    Nevertheless, paragraph 94 quoted above is formulated in a way that gives a generic answer concerning the contours of the right to privacy under Article 7 of the EU Charter: yes, also access through the upstream method of capturing the data flow in a fibre-optic cable is to be regarded as compromising the essence of privacy and therefore as prohibited under the Charter, without a need even to engage in a proportionality analysis. It may be hard to get a case to the CJEU but the content of the substantive norm under Article 7 of the Charter is now clear. One can on good grounds expect that the European Court of Human Rights will now be prepared to follow the lead of the CJEU and draw the same conclusion under ECHR Article 8.

    In closing, I dare to present the view that the Digital Rights Ireland and Max Schrems rulings taken together provide verification and demonstration of the utility of the methodology we developed in the SURVEILLE project where we produced a general framework for the holistic assessment of surveillance technologies for their security benefit, cost efficiency, moral hazards and fundamental rights intrusion. In short, in our model an intrusion into the essence of privacy would by definition produce the highest possible fundamental rights intrusion score which is, again by definition, higher than the maximum usability score and would therefore make redundant any proportionality assessment. Other types of intrusion – even particularly serious ones – would be assessed through giving separate scores to the importance of a fundamental right in a given situation and the depth of the intrusion into the same right as created by surveillance, and by then comparing the resulting fundamental right intrusion score against the usability score based on technology assessment. Here, a proportionality assessment is needed, even if the highest possible intrusion scores will be so high that the benefits obtained through surveillance cannot in practice outweigh them. Similarly to the CJEU in the Digital Rights Ireland case, the outcome will be that crude methods of mass surveillance, even when not triggering the essence clause, will be assessed as unlawful.

    This text is licensed under CC BY NC ND

    (http://creativecommons.org/licenses/by-nc-nd/4.0/legalcode)