Category: 9. Internal security -police cooperation

Safe Harbor – No Future? How the General Data Protection Regulation and the rulings of the Court of Justice of the European Union (CJEU) will influence transatlantic data transfers

(ORIGINAL Posted on 1. Oktober 2015  in PETER SCHAAR. Der Blog. )

 by    (*)

Ladies and gentlemen,

One week ago, the Advocate General at the Court of Justice of the European Union (CJEU) issued his vote on the Safe Harbor case of Max Schrems vs. the Irish Data Protection Commissioner.

Since 1995 when the General European Directive on Data Protection came into force, data transfers from the European Union and its member states to non-EU countries have been subject to specific privacy and security restrictions. Such restrictions do not exist only in Europe.

For example in the US several legal acts and decisions of regulatory authorities constitute the obligation to store specific data in the own country, in particular data, which have been generated by public bodies and providers of critical infrastructures. The US Federal Trade Commission has stated that a company subject to privacy obligations under US law is not allowed to avoid such obligations by outsourcing their data processing activities to offshore service providers.

The key message of Art. 25 of the 1995 GD is that transfer of personal data to a third country may take place only if the recipient in question ensures an adequate level of data protection. The adequacy shall be assessed in the light of all the circumstances surrounding the data transfer operation.

The main road to adequacy are the so-called adequacy decisions of the European Commission, that the said country ensures an adequate level of data protection. These decisions are binding for the member states. They shall take the measures necessary to comply with the Commission’s decision.

One of the most discussed adequacy decisions concerns the United States – the decision on Safe Harbor, although the Commission was of the opinion, that the US in general failed to provide an adequate level of data protection for the private sector, because of the lack of any comprehensive data protection legislation.

The Safe Harbor principles, negotiated between the Commission and the US government in the late 1990s should bridge this obstacle. The SH arrangement has been aimed at guaranteeing the adequate level of protection required by EU law for those companies, committing themselves to comply with the SH principles.

From the beginning, since the Safe Harbor was agreed in the year 2000 there has been some criticism against it. The main critical argument was that the principles do not meet the high EU data protection standards defined by the General Directive.

A scientific implementation study on SH done 2004 on behalf of the Commission came to the result that „Key concepts such as ‚US organization‘, ’personal data’,’deceptive practices’ lack clarity. Moreover, the jurisdiction of the FTC with regard to certain types of data transfers is dubious.“

It also has been criticized, that companies which declare compliance with the principles at once may profit from the Safe Harbor privileges, even if their privacy practices were not yet subject to an independent audit.

These issues remain important until our days. But after the vote the Advocate General at the CJEU (GA) issued recently, the focus lays on another question: How far practices and powers of US authorities have been ignored in the adequacy assessments.

At the first glance, law enforcement authorities, police and intelligence do not fall within the scope of the Safe Harbor agreement and therefore they do not have to be subject to the assessment. But this first impression is wrong.

As Art. 25 of the GD is pointing out, the assessment is to be done in the light of „all circumstances“ surrounding a data transfer to the third country. Even activities of authorities in the third country have to be examined. It is unclear how far this happened during the Safe Harbor assessment in the late 1990s.

But even if such assessment once took place, the result may be invalid today, because things changed dramatically after 9/11 2001. As we have learnt from Edward Snowden and other whistleblowers, US government has obtained broad access to private companies’ databases, telecommunications and Internet services.

Many companies which have co-operated with the NSA – voluntarily or based on legal obligations – have been safe harborists and there is no doubt that NSA and other services have got access to big amounts of data stemming from Europe or related to EU citizens.

The PATRIOT ACT and secret Presidential Orders, issued after 9/11 provided intelligence and law enforcement agencies with a lot of new powers and simultaneously demolished many safeguards which have been introduced in the 1970s to protect civil rights and privacy.

For years it seemed that many of these changes were not on the screen of the European Commission and other European stakeholders. The implementation study on SH of 2004 came to the conclusion: „Since the new US legislation only rarely contradicts the SH principles for data covered by SH, these conflicts do not appear to undermine the level of protection for any significant flows of personal data to the United States. The controversial provisions of the USA PATRIOT Act are essentially irrelevant for SH data flows.“ (p. 101)

But 2013, after the the beginning of the Snowdon revelations, nobody can ignore any more, that the practices of NSA, CIA and FBI introduced after 9/11 have impact on the level of data protection in the United States: The legal provisions on Government access to personal information, especially the Foreign Intelligence Surveillance Act (FISA), do not meet the basic standards of the rule of law at least so far data of non-US-persons are concerned. The practices disclosed in the last two years and the commitments of US officials on mass surveillance provided the public with loads of evidence that the NSA and others are involved in bulk collection of personal data coming from Europe. Therefore it seems evident, that these practices have to be taken into account by the CJEU.

Another change happened in Europe: The Lisbon Treaty came into force in 2009, and at least since then privacy and data protection, including the independent oversight, have been fundamental rights of the European Union, as parts of the European primary law. European secondary law and European Commission’s decisions have to fulfill these requirements. Even older legislation, agreements with third countries as to PNR or TFTP and Commission’s decisions have to be reviewed in the light of Art. 7 and 8 of the EU Charter of Fundamental Rights.

Acknowledging this, the vote of Advocate General Bot (AG) in the case of Maximilian Schrems versus the Irish Data Protection Commissioner, issued last week, is not really surprising. The vote touches two big points:

Even if the Commission decides that the level of data protection in a country is adequate, this does not prevent national data protection authorities from suspending the transfer of the data, it they are of the opinion, that in the concrete case adequacy criteria are not met by the recipient. As we have learnt from the Snowden revelations, Facebook and other Internet companies cooperated closely with the NSA and provided them with broad access to personal data stored on their servers.
The AG is of the opinion that the Safe Harbor arrangement itself is invalid, because the US, especially the intelligence services, do not provide adequate protection for the personal data coming from Europe. Therefore he proposes to suspend the Safe Harbor.

Nobody knows how the European Court of Justice will decide the case. The ruling is expected on 6 October. Perhaps you know the sentence „How the judge decides depends what he ate for breakfast“. It is correct: The vote of the advocate general is only an opinion and it does not bind anybody.

But for me it seems likely that the judges will acknowledge the vote, at least in the result. In two earlier cases, the court decided last year, on data retention and on the right to be forgotten, the judges underlined the high importance of European fundamental rights on privacy and data protection. In these cases the court went beyond the Advocate general’s vote. In the Schrems’ case the AG adapted this recent orientation of the judges.

If the CJEU will decide as proposed by the AG, this does not mean automatically the end of Safe Harbor. But the Safe Harbor arrangement must be renegotiated and at the end there might be a better safe Harbor System, meeting the principles of fundamental rights and complying with the new EU Data Protection Regulation.

Art. 41 of the Commissions proposal contains criteria, conditions and procedures for adequacy assessments, more specific than the current Art. 25 of the GD from 1995: The criteria which shall be taken into account for the Commission’s assessment of an adequate or not adequate level of protection include expressly the rule of law, judicial redress and independent supervision. The new article confirms explicitly the possibility for the Commission to assess the level of protection afforded by a territory or a processing sector within a third country.

My conclusion for today: Safe Harbor will be possible even in the future. But such a „happy end“ requires changes in the SH arrangement. And it requires effective legal guarantees for EU citizens in the US.

Also necessary is a new thinking in Europe, in particular on the fields of law enforcement and intelligence. If we urge the US to respect our privacy, European secret services have to respect fundamental rights of all EU citizens and citizens of third countries as well.

(*) Keynote on the conference „New Directions in Cyber Security“  Berlin, 1 October 2015

Repetita Juvant ? The EDPS 2nd Opinion on the EU system of collection of passenger name records (PNR)

Foreword:
The systematic collection for prevention of terrorism of Air traveller’s personal data (PNR) from Airlines, Travel Agencies and Computer Reservation Systems started in the US, Australia, Canada after 9/11 and was considered illegal by the European Data Protection authorities as well by the European Parliament who challenged in 2004 before the Court of Justice the first EU-US agreement in this matter as well as the Commission Declaration (“Adequacy Finding”) which considered the adequate the condition of treatment of EU passengers data on the other side of the Atlantic.

The Court of Justice Judgment recognized in 2006 that the Commission’s “Adequacy Finding” and the EU-US Agreement were not founded on the correct legal basis but did not examined the EP plea on the fact that the agreement could had infringed the fundamental right to protection of personal data because of lack of clarity and of its incompatibility with a democratic society (at the time required by art.8 of the ECHR)

Therefore it has to be noted that already in 2004 the Commission considered that also the EU should develop its own PNR system for security purposes and after the CJ ruling decided to renegotiate with the US (on a security related legal basis) a new PNR agreements which explicitly made reference to the possibility of exchanging PNR data as soon as the EU would had has its own PNR related System.
In the absence of an EU internal legal framework for PNR data some EU Countries started building their own national systems with a more or less open support by the Commission notwithstanding the (vocal) opposition of the European Parliament.

Quite surprisingly it is after the entry into force of the LISBON Treaty and of the Charter of Fundamental Rights which recognize a self-standing fundamental right of protection of personal data that the Gericho Walls have fallen and the European Parliament has approved a transatlantic agreement in this matter (even if there was not yet an internal EU legal framework in this matter and the level of protection of Personal data in the agreement was much lower than the one that the same Parliament challenged before the Court of Justice in 2004…).

This change of strategy (due to an clear change of political majority) was seized by the Commission as the right signal to create an EU internal PNR system. After a first badly written proposal the Bruxelles Executive came back with a legislative proposal to authorise the collection of PNR data also by the EU Member States.

Needless to say this move was contested by the national data protection authorities and less convincingly by the European Parliament. Even if it blocked in the last legislature the legislative procedure it has finally decided to reopen the negotiations this year. This is probably due to the converging pressure of the European Council, of the Council Interior Ministers as well as by the convergence of the two biggest political groups (also thanks to the good offices of the EP President..).

From a procedural point of view, the legislative proposal is still in its first phase (parliamentary first reading) but the new majority (covering also the ALDE and ECR) has decided to try to obtain an early agreement with the Council in the framework of the so called “first reading agreements”.
As usual the informal (secret) dialogue has started and there is a clear political will to reach an agreement in the coming months (still under the Luxembourg Presidency).

This being the case both the National Data Protection Authorities and the European Data Protection Supervisor EDPS) are trying to slow down the process by repeating the constitutional, legislative and operational reservations which have also been summarized in the EDPS opinion adopted last week and published below.

Most of these arguments have been raised hundred of times (even by the European Parliament since its first resolution in march 2003) but quite paradoxically the new political majority in the EP, notwithstanding the stronger post-Lisbon constitutional framework of data protection, has decided to change its mind and is giving up the points which has defended in the previous legislatures.

Under such a new political situation it is more than likely that the very well drafted EDPS considerations will not be taken in account. But even if in this case REPETITA (will not) JUVANT other obstacles can arise before the adoption by the European Parliament of the EU PNR legislative proposal.

“There are still judges in Berlin”?

Like the humble miller who facing an unjust decision the Prussian King Frederick II, the Great exclaimed that “There are still judges in Berlin” our “Berlin” judges can be the European Court of Justice which will give an important judgment partially related to this matter on October 6.

The judgment deals with a case raised by Max SCHREMS, an Austrian Student who has considered that his personal data accessible via Facebook were not adequately protected in the US territory (because they can be too easily accessed by the US Security Services).

It will be interesting to see if the Court of Justice meeting as Grand Chamber (as it happens for “big” judgments) will follow the recent Conclusions of Advocate General Yves BOT who has raised strong concerns on the compatibility with the EU Charter of the current US data protection standards in the security domain.

If this was the case the same doubts could be extended on the envisaged EU PNR system which (badly) mirror the US PNR system… Will the determination of one European Citizen be more effective for the rights of each one of us of the hundred pages and countless debates of the European Parliament in the last twelve years? We will know it very soon and in the meantime let’s …fasten our seat belts.

Emilio De Capitani

EDPS SECOND OPINION ON EU PNR – ORIGINAL PUBLISHED HERE Continue reading “Repetita Juvant ? The EDPS 2nd Opinion on the EU system of collection of passenger name records (PNR)”

‘HOTSPOTS’ FOR ASYLUM APPLICATIONS: SOME THINGS WE URGENTLY NEED TO KNOW

PUBLISHED ON EU LAW ANALYSIS on Tuesday, 29 September 2015

by Frances Webber (*)

Through the mechanisms it is setting up for the relocation of refugees from Italy and Greece, the EU is trying to regain control of refugee movement in the EU. The tough screening process it is setting up at points of entry into the EU seems designed as a crude instrument to separate out a minority of ‘good’ refugees from what EU ministers want to convince us are a majority of ‘bad’ economic migrants, and to dispatch the latter rapidly and efficiently. But life is not that simple, and the hotspots’ screening procedures could result in large numbers of people being returned to unsafe or unviable situations without proper consideration of their claims.

According to the Commission’s explanation of ‘hotspots’, as part of the package decided on in September,  EU agencies including Frontex and Europol, as well as the EU’s asylum agency will help national officials in Greece and Italy to identify, fingerprint, screen and register asylum applicants, organise relocation to other member states of those who qualify and remove from the territory those ‘who either did not apply for international protection or whose right to remain on the territory has ceased’. (See Article 7 of the second Council Decision on relocation of asylum-seekers).  TheEuropean Commission has said that these functions will be performed in ‘hotspots’ in Greece and Italy. Four locations in Italy are already apparently operating, with a total capacity of 1,500:, with another two promised for the end of the year. In Greece, a ‘headquarters hotspot’ is to be set up in Piraeus, where asylum seekers arriving on the islands will be gathered and processed.

Organisations such as Doctors of the World welcomed the announcement as providing some official framework for reception, which they hope will allow them to operate in a more regulated environment. But questions arise immediately. What will the hotspots look like? Will refugee applicants be detained there? Are they to be refugee camps or removal centres? Matteo Renzi suggests they will be EU-run refugee camps, while Francois Hollande sees them as deportation camps – which suggests detention and coercion. And how are decisions to be made, and reviewed?

Who benefits?

We know from the Council decisions of 15 and 22 September that only those nationalities with a recognition rate (as refugees or persons needing international protection) of 75 percent or more will be accepted for relocation. As Steve Peers points out in his previousblog post on relocation, those who benefit from the process (for instance, Syrians, Iraqis and Eritreans, according to current statistics) will be allocated on a no-choice basis (although family unity must be respected), while host countries can express a preference for the kinds of asylum seekers they are prepared to take. No prizes for guessing those at the top and bottom of any preference list. For those relocated, attempts to move from their new host country to somewhere more sympathetic, less racist or where more compatriots live will be met with speedy return to the allocated host. Beggars can’t be choosers.

Peers covers the problems of relocation in his piece. I want to raise questions about the screening process, and what happens to those who are not selected for relocation. Will tests be administered to determine whether applicants are genuinely of the nationality they claim? According to the EU Commission’s paper, Frontex already deploys screening and ‘debriefing’ experts in Italy and Greece (presumably to ask questions about routes taken to get there, with a view to gathering intelligence about smugglers), in addition to ‘advance-level document experts’. These ‘experts’ are likely to be seconded civil servants from member states’ interior ministries. As such, will their mindset be attuned to detecting fraud rather than responding to need? What documents will they be scrutinising? Will possession of a genuine and valid Syrian, Iraqi or Eritrean passport (for instance) be a prerequisite to acceptance?  If not, what will nationality-testing entail? And given the shambolic nature of the language and knowledge tests imposed by the Home Office in the UK to determine asylum claimants’ nationality, what appeal or review rights will there be against a decision that someone is not in fact Syrian, or Eritrean or Iraqi?

And what will happen to those not from the big three refugee-producing countries? Presumably, the idea behind the hotspots is that all claims for international protection which do not lead to relocation will be dealt with there. If so, will claimants remain there for the duration, and if not, where and how will the residual group of claimants not selected for relocation live while their claims are processed? And how will their claims be processed? What will the timescales be? In the pressured environment of the camps, where speedy processing will be a priority, claims for international protection are unlikely to receive the careful and sympathetic assessment required by the 1979 UNHCR Handbook. So what will the procedures be? Crucially, what rights of appeal will there be against negative decisions?

The ‘safe countries’ list

It is presumably to facilitate speedy decision-making that the Commission’s package includes a proposed regulation for a list of safe countries of origin, containing countries of the western Balkans – Albania, Bosnia and Herzegovina, the former Yugoslav Republic of Macedonia, Kosovo, Montenegro and Serbia – and Turkey. While the proposed list does not mean automatic rejection of claims, its presumption that the country is a safe one for nationals to return to is a strong one, and forms the basis of an accelerated procedure which, as we know from the UK experience (the ‘detained fast-track’ process, currently suspended after judicial recognition of its unfairness to applicants), easily becomes a self-fulfilling process of rejection. The Commission itself acknowledges the un-safety of most of these countries for Roma, for LGBTI and for other minorities, and for Kurds, journalists and ‘others’ (such as political opponents) in Turkey. As Steve Peers points out in his blog post, ‘Safe countries of origin: assessing the new proposal’, Turkey does not belong on any safe country list; nearly a quarter of asylum applications by Turkish citizens were successful.

Accelerated removals

But if fair determination procedures are not in place, or if it soon becomes apparent that the hotspots are not a gateway to protection, or that application could lead to relocation to a hostile country, why would those who need international protection apply? The Council decisions state the obvious – that only those who have sought protection are eligible for relocation. But Frontex’s removal remit covers not just those whose claims are exhausted and so have no claim to remain on the territory, but also those who have not claimed protection. Does this mean that Frontex officials have a roaming mandate to go around Italy and Greece rounding up all those who have not registered a claim for asylum? The opportunity to claim international protection should be available at any time, up to the point of removal; but how will this right be guaranteed?

Without clear and robust safeguards in place, the EU’s relocation package could turn out to be a figleaf for a quiet but massive removal operation against, rather than a protection operation for, those arriving on Europe’s shores.

(*) Barrister, journalist and lecturer; vice chair, Institute of Race Relations; co-editor of Macdonald’s Immigration Law and Practice, 5th and 6th editions (2001, 2005) and of Halsbury’s Laws: British Nationality, Immigration and Asylum Law(2002); Author of Borderline Justice: the fight for refugee and migrant rights (Pluto, 2012)

(MEIJERS COMMITTEE) Military action against human smugglers: legal questions concerning the EUNAVFOR Med operation

ORIGINAL PUBLISHED HERE ON 23 September 2015

  1. The EUNAVFOR Med operation

On 22 June 2015, the Council of Ministers of the European Union adopted a Common Foreign Security Policy (CFSP) Decision establishing a military crisis management operation with the aim of combatting fighting people smuggling: EUNAVFOR Med.1 This mission is currently in its first phase, focusing on intelligence gathering, i.e. surveillance and the   assessment of existing smuggling networks.

A second phase would involve searching and possibly diverting vessels on the high seas and territorial waters, either under a mandate of the UN Security Council or with the consent of the appropriate coastal state. The Foreign Affairs Council has recently established that the conditions for the second phase have been met insofar as operations in international waters are concerned.2 During the third phase, vessels and related assets of human smugglers would be destroyed and smugglers apprehended.

The mission will operate in a complex legal environment of overlapping rules of refugee law, international human rights law, the law of the sea, and international rules on the use of force. This note discusses some of the most pressing legal questions raised by this operation.

  1. General remarks

At the outset, the Meijers Committee would like to raise a general point regarding the focus on people smuggling as a response to the loss of life at sea. In the absence of safe and legal access to the right to seek asylum in Europe, together with routes for legal migration, people will turn to human smugglers as a last resort. Increased border controls have resulted in higher casualties as people are forced to take more dangerous routes.

The Meijers Committee questions the appropriateness of the approach taken under EUNAVFOR Med to stop the loss of life at sea. The Committee would like to point to the shift from saving lives at sea under  the  Italian-led  Mare  Nostrum  Operation,  to  border management  (Triton),  to  military  action (EUNAVFOR Med). The Meijers Committee emphasizes that the legal obligation to save lives at sea should have primacy in all Union action at sea and that a long-term solution must also involve improving legal access to asylum and legal employment.

  1. Human smuggling as a threat to international peace and
    security

The Meijers Committee notes that the decision establishing the EUNAVFOR Med operation refers explicitly to the need for a UN Security Council Resolution or consent of the coastal states concerned before the second phase of the operation can enter into force.

In this respect the Meijers Committee notes a fundamental difference from the EUNAVFOR operation Atalanta against piracy off the Somalian coast, which was taken as a model for EUNAVFOR Med. The Atalanta operation was explicitly supported by a UN Security Council Resolution, and had the consent of the coastal state involved.3

Articles 39 and 42 UN Charter stipulate that the Security Council shall only authorize the use of force if ‘necessary to maintain or restore international peace and security’. The Meijers Committee is not convinced that the EUNAVFOR MED mission meets this standard. Although the humanitarian crisis may meet this standard, the activities of human smugglers – unlike piracy do not qualify. Although the Security Council has previously adopted resolutions in response to refugee crises in Iraq and Haiti, these were intended to stabilize the countries of origin and not to prevent persons from seeking refuge elsewhere.

  1. Phase 2: search and diversion of ships

The Second Phase of the operation would involve the search and diversion of ships in third-country territorial waters, which requires the consent of the flag state or a UN Security Council Resolution.

The Meijers Committee recalls that on the high seas, Article 87 UN Convention on the Law of the Sea (UNCLOS) ensures the right to freedom of navigation. Article 110 permits a warship to board and inspect a vessel if, inter alia, it has no nationality. As regards the vessel, a finding of statelessness should allow states to exercise jurisdiction in order to ensure compliance with the ‘minimum public order on the high seas’, namely, the duties that normally fall on the flag state (Art. 94 UNCLOS).4 This could include a state’s power to escort the vessel into harbor for inspection. As regards the people on board, UNCLOS does not seem to provide a basis for the exercise of jurisdiction.

Although Article 110(1) UNCLOS expressly allows that grounds of interference may be established by Treaty, the UN Smuggling Protocol seems to impose a duty of cooperation only on the contracting parties, while maintaining the requirement of flag state authorization. Article 8(7) of the Smuggling Protocol provides a firmer legal basis for interference with stateless vessels than Article 110 UNCLOS. The wording ‘suppressing the use of the vessel’ or ‘take appropriate measures’ implies the possible use of force. Nevertheless, such force should be used as a means of last resort and will be subject to the requirement of necessity and proportionality. It is noted, however, that the Migrant Smuggling Protocol lacks the precision of, for instance, the UN drug trafficking regime, which explicitly sets out the measures that an intercepting power may take against a drug transport.5 Accordingly, no clear legal basis for action is provided in international law.

Diversions on the high seas may not result in the refoulement of people on board. It is important to stress that States cannot relieve themselves of this obligation by labelling an operation as ‘search and rescue’. The IMO Guidelines on the treatment of persons rescued at sea state that ‘[disembarkation of asylum-seekers and refugees recovered at sea, in territories where their lives and freedom would be threatened should be avoided.’ This approach has been confirmed by the European Court of Human Rights in the Hirsi case.6 Member States remain bound by their obligations under international human rights law, independently of the nature and location of their intervention. In this regard it is particularly problematic that Libya one of the most important coastal states whose cooperation is sought is currently a notoriously dangerous and unstable country.

It is unclear how the EU intends to give practical effect to these obligations in the course of the EUNAVFOR Med mission. The Meijers Committee would recommend that clear guidelines be put in place, comparable to the rules applicable in the framework of Frontex coordinated operations at sea.7

  1. Phase 3: destruction of vessels and apprehension of smugglers

The Third Phase of the Operation would entail the destruction of vessels and related assets, and the apprehension of smugglers. The Meijers Committee argues that clear, binding, publicly available rules should be adopted prior to the commencement of Phase 3.

As regards the smugglers it must be noted that unlike piracy and international crimes, international law does not establish universal criminal jurisdiction over human smuggling. As with diversions, the interference with vessels believed to be engaged in human smuggling requires the consent of the flag state (or a UN SC Resolution). In case the ship is sailing without a flag, Article 8 of the Protocol allows a party to take ‘appropriate measures in accordance with relevant domestic and international law’. The extent to which this includes the exercise of criminal jurisdiction over human smugglers is not clear, however.

The Council decision establishing EUNAVFOR Med is silent about the possible detention and prosecution of smugglers. The Meijers Committee points out that even though EUNAVFOR Med is executed by military forces, the EU is not acting as party to an armed conflict and thus normal peace­time law applies. This means that after arrest, those suspected of migrant smuggling should be brought promptly before a judge8. In the case of subsequent criminal prosecution, jurisdiction should be established in one of the Member States. In this respect it is noted that not all Member States have established universal jurisdiction over human smuggling. If smugglers are to be extradited or released to third countries, their fundamental rights should be guaranteed.

The Meijers Committee notes that EUNAVFOR Med is aimed at the destruction of vessels used or suspected of being used for migrant smuggling, possibly even inside third-country territory, yet it remains unclear what legal standard is applied to identify such vessels. The Meijers Committee cautions that the destruction of vessels cannot be arbitrary. Unlike UNCLOS, which provides for clear rules on the seizure and liability for seizure of pirate ships, there is no explicit legal basis in international law for the seizure of migrant smuggling boats. The right to property as enshrined in Article 1 of Protocol 1 ECHR, which will apply to the Member States acting extra-territorially, prescribes that any destruction of property must be provided for by law and must be necessary and proportionate.

  1. Unclear division of responsibility between the EU and its
    Member States

The Meijers Committee recalls that Article 21 TEU requires CFSP actions to be based on human rights. This includes respect for human dignity, including the prohibition of torture and inhuman treatment; personal security and liberty; and protection from arbitrary detention and arrest.9 It also notes, however, that the Court of Justice of the EU has no authority to ensure this respect for fundamental rights as it lack jurisdiction over the CFSP.10 This means that legal remedies would have to be provided under the national law of the participating Member States.

The experience with joint operations under the coordination of Frontex shows that in case of violations of fundamental rights, it is unclear to whom wrongful conduct must be attributed. Although the operation is coordinated by the EU, it is the Member States that provide the assets and personnel, over which they maintain operational command.

Case law issuing from the European Court of Human Rights on the obligations of the Member States as contracting parties to the European Convention on Human Rights clearly indicates with regard to the Member States that they cannot escape their responsibilities under the Convention by acting outside the Convention’s territorial scope. The situation is more complicated, however, when Member States act as agents for the European Union (Bosphorus) or within the context of UN Peace Keeping Operations (Al Jeddah, Behrami, and Saramati). The Meijers Committee therefore stresses that it is fundamentally important that questions of international responsibility and responsibility under the European Convention for Human Rights are addressed prior to commencement of Phases 2 and 3.

Conclusions and recommendations

I. There are no indications that combating migrant smuggling contributes to the restoration of international peace and security or to ending the ongoing humanitarian crises;

II.      Without express consent from third states or authorization from the UN Security Council, the EU lacks jurisdiction over   vessels or assets in third-country territorial waters;
III.      Without express consent from third-country coastal states or   authorization from the UN Security Council, there is no clear legal basis for coercive measures against vessels or assets on the high seas;
IV Despite the unclear legal framework covering interdiction on the high seas, international human rights law does apply;
V.      Should a legal basis for action on the high seas and in territorial waters be provided, clear rules of engagement and proper safeguards should be in place to prevent indiscriminate destruction of civilian property; any undue loss should be compensated;
VI.      An unambiguous legal basis for the arrest and detention of suspected smugglers is needed, and also for the seizure and destruction of any personal property. Suspects should either be prosecuted, extradited or released, the last action having due regard to the right to asylum and the prohibition of refoulement;
VII.      Clear attribution rules and accountability mechanisms for human rights violations committed by EUNAVFOR assets should be in place;
VIII.      The right to apply for asylum, access to asylum procedures on land with proper language and legal assistance, and the prohibition of refoulement should be respected and subject to judicial oversight;
IX.       Outsourcing migration control to third countries, even though outside Member State jurisdiction, should take place with assurances and safeguards against human rights violations.

Notes

1 Council Decision (CFSP) 2015/972 of 22 June 2015 launching the European Union military operation in the southern Central Mediterranean (EUNAVFOR MED), OJ 2015, L157/51.

2 Council of the European Union, “EUNAVFOR Med: Council adopts a positive assessment on the conditions to move to the first step of phase 2 on the high seas”, Press Release, 14 September 2015, no. 643/15.
3 http://www.un.org/Depts/los/piracy/piracy_documents.htm
4 E. Papastavridis, ‘Enforcement Jurisdictions in the Mediterranean Sea: Illicit Activities and the Rule of Law on the High Seas’, International Journal of Marine and Coastal Law, Vol. 25, 2010, p. 585.
5 See Council of Europe Agreement on Illicit Traffic by Sea, implementing article 17 of the United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances.
6 ECHR, Hirsi Jamaa and others v. Italy, Grand Chamber, Judgment, 23 February 2012, Application no. 27765/09.
7 Regulation (EU) No 656/2014 of the European Parliament and of the Council of 15 May 2014 establishing rules for the surveillance of the external sea borders in the context of operational cooperation coordinated by the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union, L 189, 27 June 2014.
8 ECHR, Medvedyev v France, 9 March 2010, appl. no. 3394/03.
9 The promotion and protection of human rights during common security and defence policy operations. In-between a spreading state of mind and an unsolved concern. M L Sánchez Barrueco, in The EU as a ”Global Player” in human rights?, J E Wetzel (edit.), 2011, pp. 158-160.
10 See also Case T-271/10, under appeal C-455/14 P.

About : The Meijers Committee is an independent group of legal scholars, judges and lawyers that advises on European and International Migration, Refugee, Criminal, Privacy, Anti-discrimination and Institutional Law. The Committee aims to promote the protection of fundamental rights, access to judicial remedies and democratic decision-making in EU legislation.

The Meijers Committee is funded by the Dutch Bar Association (NOvA), Foundation for Democracy and Media (Stichting Democratie en Media) the Dutch Refugee Council (VWN), Foundation for Migration Law Netherlands (Stichting Migratierecht Nederland), the Dutch Section of the International Commission of Jurists (NJCM), Art. 1 Anti-Discrimination Office, and the Dutch Foundation for Refugee Students UAF.

Contact info: Louis Middelkoop Executive secretary post@commissie-meijers.nl +31(0)20 362 0505

Please visit www.commissie-meijers.nl

AMERICAN MASS SURVEILLANCE OF EU CITIZENS: IS THE END NIGH?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS  (Wednesday, 23 September 2015)

by Steve PEERS

*This blog post is dedicated to the memory of the great privacy campaigner Caspar Bowden, who passed away recently. What a tragedy he did not leave to see the developments in this case. To continue his work, you can donate to the Caspar Bowden Legacy Fund here.

 

A brilliant university student takes on the hidebound establishment – and ultimately wins spectacularly. That was Mark Zuckerberg, founding Facebook, in 2002. But it could be Max Schrems, taking on Zuckerberg and Facebook, in the near future – if the Court of Justice decides to follow the Advocate-General’s opinion in the Schrems case, released today.

In fact, Facebook is only a conduit in this case: Schrems’ real targets are the US government (for requiring Facebook and other Internet companies to hand over personal data to intelligence agencies), as well as the EU Commission and the Irish data protection authority for going along with this. In the Advocate-General’s opinion, the Commission’s decision to allow EU citizens’ data to be subject to mass surveillance in the US is invalid, and the national data protection authorities in the EU must investigate these flows of data and prohibit them if necessary. The case has the potential to change much of the way that American Internet giants operate, and to complicate relations between the US and the EU in this field.

Background

There’s more about the background to this litigation here, and Simon McGarr has summarised the CJEU hearing in this case here. But I’ll summarise the basics of the case again here briefly.

Max Schrems is an Austrian Facebook user who was disturbed by Edward Snowden’s revelations about mass surveillance by US intelligence agencies. Since such mass surveillance is put into effect by imposing obligations to cooperate upon Internet companies, he wanted to complain about Facebook’s transfers of his personal data to the USA. Since Facebook’s European operations are registered in Ireland, he had to bring his complaints to the Irish data protection authority.

The legal regime applicable to such transfers of personal data is the ‘Safe Harbour’ agreement between the EU and the USA, agreed in 2000 – before the creation of Facebook and some other modern Internet giants, and indeed before the 9/11 terrorist attacks which prompted the mass surveillance. This agreement was put into effect in the EU by a decision of the Commission, which used the power conferred by the EU’s current data protection Directive to declare that transfers of personal data to the USA received an ‘adequate level of protection’ there.

The primary means of enforcing the arrangement was self-certification of the companies concerned (not all transfers to the USA fall within the scope of the Safe Harbour decision), enforced by the US authorities.  But it was also possible (not mandatory) for the national data protection authorities which enforce EU data protection law to suspend transfers of personal data, if the US authorities or enforcement system have found a breach of the rules, or on the following further list of limited grounds set out in the decision:

there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.

In fact, Irish law prevents the national authorities from taking up this option. So the national data protection authority effectively refused to consider Schrems’ complaint. He challenged that decision before the Irish High Court, which doubted that this system was compatible with EU law (or indeed the Irish constitution). So that court asked the CJEU to rule on whether national data protection authorities (DPAs) should have the power to prevent data transfers in cases like these.

The Opinion

The Advocate-General first of all answers the question which the Irish court asks, and then goes on to examine whether the Safe Harbour decision is in fact valid. I’ll address those two issues in turn.

In the Advocate-General’s view, national data protection authorities have to be able to consider claims that flows of personal data to third countries are not compatible with EU data protection laws, even if the Commission has adopted a decision declaring that they are. This stems from the powers and independence of those authorities, read in light of the EU Charter of Fundamental Rights, which expressly refers to DPAs’ role and independence. (On the recent CJEU case law on DPA independence, see discussion here). It’s worth noting that the new EU data protection law under negotiation, the data protection Regulation, will likely confirm and even enhance the powers and independence of DPAs. (More on that aspect of the proposed Regulation here).

On the second point, the opinion assesses whether the Safe Harbour Decision correctly decided that there was an ‘adequate level of protection’ for personal data in the USA. Crucially, it argues that this assessment is dynamic: it must take account of the protection of personal data now, not just when the Decision was adopted back in 2000.

As for the meaning of an ‘adequate level of protection’, the opinion argues that this means that third countries must ensure standards ‘essentially equivalent to that afforded by the Directive, even though the manner in which that protection is implemented may differ from that’ within the EU, due to the importance of protecting human rights within the EU. The assessment of third-country standards must examine both the content of those standards and their enforcement, which entailed ‘adequate guarantees and a sufficient control mechanism’, so there was no ‘lower level of protection than processing within the European Union’. Within the EU, the essential method of guaranteeing data protection rights was independent DPAs.

Applying these principles, the opinion accepts that personal data transferred to the USA by Facebook is subject to ‘mass and indiscriminate surveillance and interception’ by intelligence agencies, and that EU citizens have ‘no effective right to be heard’ in such cases. These findings necessarily mean that the Safe Harbour decision was invalid for breach of the Charter and the data protection Directive.

More particularly, the derogation for the national security rules of US law set out in the Safe Harbour principles was too general, and so the implementation of this derogation was ‘not limited to what is strictly necessary’. EU citizens had no remedy against breaches of the ‘purpose limitation’ principle in the US either, and there should be an ‘independent control mechanism suitable for preventing the breaches of the right to privacy’.

The opinion then assesses the dispute from the perspective of the EU Charter of Rights. It first concludes that the transfer of the personal data in question constitutes interference with the right to private life. As in last year’s Digital Rights Ireland judgment (discussed here), on the validity of the EU’s data retention directive, the interference with rights was ‘particularly serious, given the large numbers of users concerned and the quantities of data transferred’. In fact, due to the secret nature of access to the data, the interference was ‘extremely serious’. The Advocate-General was also concerned about the lack of information about the surveillance for EU citizens, and the lack of an effective remedy, which breaches Article 47 of the Charter.

However, interference with these fundamental rights can be justified according to Article 52(1) of the Charter, as long as the interference is ‘provided for by law’, ‘respect[s] the essence’ of the right, satisfies the ‘principle of proportionality’ and is ‘necessary’ to ‘genuinely meet objectives of general interest recognized by’ the EU ‘or the need to protect the rights and freedoms of others’.

In the Advocate-General’s view, the US law does not respect the ‘essence’ of the Charter rights, since it extends to the content of the communications. (In contrast, the data collected pursuant to the data retention Directive which the CJEU struck down last year concerned only information on the use of phones and the Internet, not the content of phone calls and Facebook posts et al). On the same basis, he objected to the ‘broad wording’ of the relevant derogations on national security grounds, which did not clearly define the ‘legitimate interests’ at stake. Therefore, the derogation did not comply with the Charter, ‘since it does not pursue an objective of general interest defined with sufficient precision’. Moreover, it was too easy under the rules to escape the limitation that the derogation should only apply when ‘strictly necessary’.

Only the ‘national security’ exception was sufficiently precise to be regarded as an objective of general interest under the Charter, but it is still necessary to examine the ‘proportionality’ of the interference. This was a case (like Digital Rights Ireland) where the EU legislature’s discretion was limited, due to the importance of the rights concerned and the extent of interference with them. The opinion then focusses on whether the transfer of data is ‘strictly necessary’, and concludes that it is not: the US agencies have access to the personal data of ‘all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security’.

Crucially, the opinion concludes that ‘[s]uch mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference’ with Charter rights. The Advocate-General agreed that since the EU and the Member States cannot adopt legislation allowing for mass surveillance, non-EU countries ‘cannot in any circumstances’ be considered to ensure an ‘adequate level of protection’ of personal data if they permit it either.

Furthermore, there were not sufficient guarantees for protection of the data. Following the Digital Rights Ireland judgment, which stressed the crucial importance of such guarantees, the US system was not sufficient. The Federal Trade Commission could not examine breach of data protection laws for non-commercial purposes by government security agencies, and nor could specialist dispute resolution bodies. In general, the US lacks an independent supervisory authority, which is essential from the EU’s perspective, and the Safe Harbour decision was deficient for not requiring one to be set up. A third country cannot be considered to have ‘an adequate level of protection’ without it. Furthermore, only US citizens and residents had access to the judicial system for challenging US surveillance, and EU citizens cannot obtain remedies for access to or correction of data (among other things).

So the Commission should have suspended the Safe Harbour decision. Its own reports suggested that the national security derogation was being breached, without sufficient safeguards for EU citizens. While the Commission is negotiating revisions to that agreement with the USA, that is not sufficient: it must be possible for the national supervisory authority to stop data transfers in the meantime.

Comments

The Advocate-General’s analysis of the first point (the requirement that DPAs must be able to stop data flows if there is a breach of EU data protection laws) is self-evidently correct. In the absence of a mechanism to hear complaints on this issue and to provide for an effective remedy, the standards set out in the Directive could too easily be breached. Having insisted that the DPAs must be fiercely independent of national governments, the CJEU should not now accept that they can be turned into the tame poodles of the Commission.

On the other hand, his analysis of the second point (the validity of the Safe Harbour Decision) is more problematic – although he clearly arrives at the correct conclusion. With respect, there are several flaws in his reasoning. Although EU law requires strong and independent DPAs within the EU to ensure data protection rights, there is more than one way to skin this particular cat. The data protection Directive notably does not expressly require that third countries have independent DPAs. While effective remedies are of course essential to ensure that data protection law (likely any other law) is actually enforced in practice, those remedies do not necessarily have to entail an independent DPA. They could also be ensured by an independent judiciary. After all, Americans are a litigious bunch; Europeans could join them in the courts. But having said that, it is clear that in national security cases like this one, EU citizens have neither an administrative nor a judicial remedy worth the name in the USA. So the right to an effective remedy in the Charter has been breached; and it is self-evident that processing information from Facebook interferes with privacy rights.

Is that limitation of rights justified, however? Here the Advocate-General has muddled up several different aspects of the limitation rules. For one thing, the precision of the law limiting rights and the public interest which it seeks to protect are too separate things. In other words, the public interest does not have to be defined precisely; but the law which limits rights in order to protect the public interest has to be. So the opinion is right to say that national security is a public interest which can justify limitation of rights in principle, but it fails to undertake an examination of the precision of the rules limiting those rights. As such, it omits to examine some key questions: should the precision of the law limiting rights be assessed as regards the EU law, the US law, or both?  Should the US law be held to the same standards of clarity, foreseeability and accessibility as European states’ laws must be, according to the ECHR jurisprudence?

Next, it’s quite unconvincing to say that processing the content of communications interferes with the ‘essence’ of the privacy and data protection rights. The ECHR case law and the EU’s e-privacy directive expressly allow for interception of the content of communications in specific cases, subject to strict safeguards. So it’s those two aspects of the US law which are problematic: its nature as mass surveillance, plus the inadequate safeguards.

On these vital points, the analysis in the opinion is correct. The CJEU’s ruling inDigital Rights Ireland suggests, in my view, that mass surveillance is inherently a problem, regardless of the safeguards in place to limit its abuse. This is manifestly the Advocate-General’s approach in this case; and the USA obviously has in place mass surveillance well in excess of the EU’s data retention law. The opinion is also right to argue that EU rules banning mass surveillance apply to the Member States too, as I discuss here. But even if this interpretation is incorrect, and mass surveillance is only a problem if there are weak safeguards, then the Safe Harbour decision still violates the Charter, due to the lack of accessible safeguards for EU citizens as discussed above. Hopefully, the Court of Justice will confirm whether mass surveillance is intrinsically problematic or not: it is a key issue for Member States retaining data by way of derogation from the e-privacy Directive, for the validity of EU treaties (and EU legislation) on specific issues such as retaining passenger data (see discussion here of a pending case), and for the renegotiation of the Safe Harbour agreement itself.

This brings us neatly to the consequences of the CJEU’s forthcoming judgment (if it follows the opinion) for EU/US relations. Since the opinion is based in large part upon the EU Charter of Rights, which is primary EU law, it can’t be circumvented simply by amending the data protection Directive (on the proposed new rules on external transfers under the planned Regulation, see discussion here). Instead, the USA must, at the very least, ensure that adequate remedies for EU citizens and residents are in place in national security cases, and that either a judicial or administrative system is in place to enforce in practice all rights which are supposed to be guaranteed by the Safe Harbour certification. Facebook and others might consider moving the data processing of EU residents to the EU, but it’s hard to see how this could work for any EU resident with (for instance) Facebook friends living in the USA. Surely in such cases processing of the EU data in the USA is unavoidable.

Moreover, arguably it would not be sufficient for the forthcoming EU/US trade and investment agreement (known as ‘TTIP’) to provide for a qualified exemption for EU data protection law, along the lines of the WTO’s GATS. Only a complete immunity of EU data protection law from the TTIP – and any other EU trade and investment agreements – would be compatible with the Charter. Otherwise, companies like Facebook and Google might try to invoke the controversial investor dispute settlement system (ISDS) every time a judgment like Google Spain or (possibly) Schrems cost them money.

Schrems Versus Facebook: is the end of Safe Harbor approaching ?

by Emilio De Capitani

Today Advocate General Yves Bot has presented his long-awaited conclusions on the Case C‑362/14 Maximillian Schrems v Data Protection Commissioner. This case better described by the press as the “Schrems v Facebook” Case (why not “David V Goliath” ?)  put in question the so called Safe harbor “agreement” which frame the conditions under which personal data of the people under the EU jurisdiction can be transferred or treated by servers of US Companies (such as Facebook, Google, E-Bay) on the US territory.
As the protection of personal data is a fundamental right under EU law (notably after the entry into force of the art.8 of the EU Charter)  art. 25 of Directive 95/46 foresees that the transfer of these data to a third country is legitimate only if the data are “adequately” protected.
The problem is that in the US there is no comprehensive legal protection framework comparable to the one existing in the EU so that in 2000 the Commission negotiated with the US the establishment of a specific voluntary regime (the “Safe Harbor Principles”) which could had been considered granting an “adequate” protection of personal data  having regard to the standard applicable in Europe.

At the time the European Parliament voted against this regime but was unable to obtain stronger safeguards because of the unwillingness of the US authorities and moreover by the Commission which was more interested to the transfer of data than of their protection.

Since then the transatlantic flow of data has grown every day and with them the economic benefices of the US Companies without any real re-assesment of the compliance of the Safe Harbor principles on the US side (by the Federal Trade Commission) or on the EU side (by the Commission) even after the entry into force of the Lisbon Treaty which changed the legal basis of EU policies linked with the protection of personal data.

However when the Snowden revelations made clear to everybody that all these EU personal data could be massively analyzed without judicial overview by the US Intelligence Services someone in the EU  woke up.

Between the EU Institutions the European Parliament asked the suspension of the Safe Harbor agreement but its initiative was not followed by the Commission (as unfortunately happens more and more frequently); but it is thanks to the obstinacy of Maximilian Schrems, an Austrian law student that the case was finally been brought, first before to the Irish Data Protection Commissioner, then before the Irish High Court and now before the Court of Justice.

This case is extremely interesting  not only because it confirms that in a democracy someone has to …watch the watchers be they at national or European level (notably if they are sleeping or hiding behind each other…) but also because it shows that also an “ordinary” Citizen can dare to do in name of the EU law and of his rights what the EU Institutions are less and less willing to do.

Enjoy now the reading the instructive and very detailed Yves BOT arguments drawing him to declare that the Commission initial “adequacy finding” was not adequate at all (as also the EP wrote in its 2000 resolution) and that National Authorities should fully play their role and not hiding behind the Commission “Adequacy decisions”.

Such a strong reasoning if endorsed by the Luxembourg Judges should inspire

  • a re-assessment of other EU-US ‘executive’ agreements dealing with data protection (the draft “Umbrella agreement” included)
  • a revision of the Data Protection package at least as far as the regime of Commission “adequacy finding” is concerned (which due to its large marge of discretion could no more be considered a simple “implementing measure” but at least a “delegated” power …) and a stronger role of the Data Protection Board which should have a direct jurisdiction at least for Data controller “over the top” such as Facebook, Google, E-Bay and so on…

It is only unfortunate that the European Parliament which on these issues was on the right side between 1999 and 2004 is now slowly sliding away notwithstanding a much stronger constitutional framework and a binding Charter …

Anyway many thanks Max!! Hope that 10, 100, 1000 of European citizens could follow your example…

 

CONTINUE READING : OPINION OF ADVOCATE GENERAL BOT 

delivered on 23 September 2015 (1Case C‑362/14 Maximillian Schrems Data Protection Commissioner

Continue reading “Schrems Versus Facebook: is the end of Safe Harbor approaching ?”

EP Study : Big Data and smart devices and their impact on privacy

FULL STUDY ACCESSIBLE HERE
AUTHORS : Dr  Gloria  González Fuster, (Research  Professor  at  the Vrije Universiteit  Brussel  (VUB), Dr Amandine Scherrer, (European Studies Coordinator and Associate Researcher at the Centre d’Etudes sur les  Conflits,  Liberté  et  Sécurité -CCLS)

EXECUTIVE SUMMARY

EU citizens and residents and, more generally, all individuals deserving protection as ‘data subjects’ by EU law, are directly impacted by EU strategies in the field of Big Data. Indeed, the data-driven economy poses significant challenges to the EU Charter of Fundamental Rights, notably  in  the fields of  privacy and  personal data protection.

Big Data refers to the exponential growth both in the availability and automated use of information. Big Data comes from gigantic digital datasets held by corporations, governments and other large organisations; these are extensively analysed (hence the name ‘data analytics’) through computer algorithms. There are numerous applications of Big Data in various sectors, including healthcare, mobile communications, smart grids, traffic management, fraud detection, or marketing and retail (both on- and offline). The notion, primarily driven by economic concerns, has been largely promoted through market-led strategies and policies. Presented as an enabler of powerful analytical and predictive tools, the concept of Big Data has also raised numerous criticisms emphasising such risks as biased information, spurious correlations (associations that are statistically robust but happen only by chance), and statistical discrimination. Moreover, the promotion of Big Data as an economic driver raises significant challenges for privacy and digital rights in general. These challenges are even greater in a digital ecosystem with a proliferation of cheap sensors, numerous apps on mobile devices and an increasingly connected world that sometimes does not even require human intervention (as shown in the increasing development of the Internet of Things [IoT]). The flows of information on- and off line, shared and multiplied across computers, mobile devices, watches, SmartBands, glasses, etc., have dramatically increased the availability, storage, extraction and processing of data on a large scale. It has become increasingly difficult to track what is made of our data. This situation is complicated further by the wide variety of actors  engaged  in  data  collection  and  processing.

The numerous debates triggered by the increased collection and processing of personal data for various – and often unaccountable – purposes are particularly vivid at the EU level. Two interlinked, and to some extent conflicting, initiatives are relevant here: the development of EU strategies promoting a data-driven economy and the current reform of the EU personal data protection legal framework, in the context of the adoption of a General   Data  Protection  Regulation  (GDPR).

In order to address the issues at stake, the present Study provides an overview of Big Data and smart devices, outlining their technical components and uses (section 2). This section shows that many contemporary data processing activities are characterised by a high degree of opacity. This opacity directly affects the ability of individuals to know how data collected about them is used; it also hinders their capacity to assess and trust the manner in which choices are (automatically) made – whether, in other words, these choices are appropriate or fair. As regards smart devices, cheap sensors or the IoT, the pervasiveness of sensors and extensive routine data production might not be fully understood by individuals, who may be unaware of the presence of sensors and of the full spectrum of data they produce, as well as the data processing operations treating this diverse data. If Big Data, smart devices and IoT are often promoted as key enablers of market predictions and economic/social dynamics, data processing raises the question of who  controls one’s  data.

In this perspective, Section 3 presents the different EU approaches on the digital economy and the questions raised in terms of privacy and personal data protection (Section 3). This section argues that in the current context of the development of a Digital Single Market for Europe (DSM), the European Commission’s perspective is very much commercially and economically driven, with little attention to the key legal and social challenges regarding privacy and personal data protection. Even though the European Commission points out some of the key challenges of processing data for economic and market purposes (i.e., anonymisation, compatibility, minimisation), the complexity of these challenges is somehow under-estimated. These challenges can be grouped around the following questions any digital citizen may ask her/himself under EU law: which data about me are collected and for what purposes? Are data protected from unauthorised access and to  what  extent  is  control  exercised  upon  the processing  of my  personal   data?

Section 4 then considers these questions in the specific context of the Data Protection Reform package. Arguing that the digital citizens rights should be the main focus of the current debates around the GDPR, this Section underlines that Big Data, smart devices and the IoT reveal a series of potential gaps in the EU legal framework, in the following areas in particular: transparency and information obligations of data controllers; consent (including consent in case of repurposing); the need to balance public interest and the interests of data subjects for legitimising personal data processing; the regulation of profiling; and proper safeguarding of digital rights in case of data transfers to  third  parties and  third  countries.

In light of these findings, the Study concludes with key recommendations for the European Parliament and, in particular, the LIBE Committee responsible for the protection of natural persons with regards to the processing of personal data. These recommendations aim at ensuring that negotiations around the GDPR promote a strong and sustainable framework  of  transparency  and  responsibility  in which  the data  subject’s rights  are  central.

In particular, the guiding principle of any exploitation of personal data should be driven by the requirement of guaranteeing respect for the Fundamental Rights (privacy  and  personal  data protection) laid  down  in EU primary  and secondary  law (recommendations 1 & 2).

The role of data controllers in this perspective is central as they are legally required to observe a number of principles when they process personal data, compliance of which must be reinforced. The degree of information and awareness of data subjects must be of prime concern whenever personal data processing takes places, and the responsibility for protecting Fundamental Rights should be promoted along the data production chain and gather various stakeholders. Furthermore, the GDPR should ensure that individuals are granted complete and effective protection in the face of current   and   upcoming   technological   developments   of   Big   Data   and   smart   devices (recommendation 3).

The GDPR currently under discussion should in any case not offer less protection and guarantees than the 1995 Data Protection Directive, and users should remain in complete control of their personal data throughout the data lifecycle.

Finally, effective protection of individuals cannot be guaranteed solely by the adoption of a sound GDPR. It will also require a consistent review of the e-Privacy Directive (recommendation 4), an instrument that not only pursues the safeguarding of personal data protection but, more generally, aims to ensure this right and the right to respect for private life.

EU Provisional measures of Refugees Relocation: some progresses but still on a bumpy road…

by Emilio De Capitani

Yesterday, the Justice and Home Affairs Council thanks to Luxembourg Presidency endeavor has (finally!) taken an important decision to relocate 120,000 refugees from Greece, Italy and other Member States directly affected by the refugee crisis. From a political and Institutional point of view this is a big step forward and the Luxembourg Presidency should be praised to have asked for a vote notwithstanding the opposition of Hungary, the Czech Republic, Slovakia and Romania (and the abstention of Finland). The show down has become inevitable for several reasons. First and foremost because of the dimension of the migratory phenomenon even if it is hard to consider that it has  taken the European Union by surprise as the dimension of the Sirian crisis should had been taken in account much more in advance …

But the real reason is that several countries (such as Germany, Austria, Slovenia,) have decided to re-establish the controls at the internal borders of the Schengen area which is an exceptional possibility explicitly foreseen in and regulated by the new art 23 of the  Schengen Borders Code, in case of a serious threat to public policy or internal security.. However if the “exception” is triggered by too many countries is the general rule of the freedom of movement inside the Schengen area which is under threat and this risk to have an impact not only on the freedom of EU Citizens but on the internal market itself (which for national and European administrations is even more important of EU citizens rights..).

The decision has then been taken after painful discussions and under the growing  pressure of the European Council (as it happened previously only in exceptional cases such as after September 11th..). What is worrying is that the Visegrad Countries which have been outvoted risk to challenge the text adopted before the Court of Justice. (according to EUOBSERVER the Czech interior minister Milan Chovane said his country’s willing to do so).

If this was the case the Court will be confronted to a text which from a legal and institutional point of view is messy, inconsistent and under some perspectives probably contrary to the Treaty. Just to mention some of these aspects it is appalling that a Council Decision pretend to establish a “lex specialis” which could “temporary” amend the Dublin Regulation (an act adopted under a different legal basis and in codecision).

Moreover the Decision as adopted yesterday is different from the one voted by the European Parliament some days ago so that, under a constant CJEU Jurisprudence  the Council is under the obligation to re-consult the European Parliament on the latest modifications (such as the exclusion of Hungary from the mechanism…).

However the difficult path towards the implementation of a true EU solidarity and burden sharing in these policies (as foreseen by art 80 of the TFEU) is at least starting now…

ANNEX: THE TEXT OF THE COUNCIL DECISION (Council doc 12098/15 Interinstitutional File: 2015/0209 (NLE) BEWARE THE LEGAL LINGUISTIC REVISION IS STILL TO BE DONE ! COUNCIL DECISION (EU) 2015/… of … establishing provisional measures in the area of international protection for the benefit of Italy and Greece

Continue reading “EU Provisional measures of Refugees Relocation: some progresses but still on a bumpy road…”

A quest for accountability? EU and Member State inquiries into the CIA Rendition and Secret Detention Programme

EXCERPTS FROM A STUDY FOR THE EP LIBE COMMITTEE 

Authors: Prof. Didier Bigo, Dr Sergio Carrera, Prof. Elspeth Guild, and Dr Raluca Radescu.

At the request of the LIBE Committee, this study assesses the extent to which EU Member States have delivered accountability for their complicity in the US CIA-led extraordinary rendition and secret detention programme and its serious human rights violations. It offers a scoreboard of political inquiries and judicial investigations in supranational and national arenas in relation to Italy, Lithuania, Poland, Romania and the United Kingdom. The study takes as a starting point two recent and far-reaching developments in delivering accountability and establishing the truth: the publication of the executive summary of the US Senate Intelligence Committee (Feinstein) Report and new European Court of Human Rights judgments regarding EU Member States’ complicity with the CIA. The study identifies significant obstacles to further accountability in the five EU Member States under investigation: notably the lack of independent and effective official investigations and the use of the ‘state secrets doctrine’ to prevent disclosure of the facts, evade responsibility and hinder redress to the victims. The study puts forward a set of policy recommendations for the European Parliament to address these obstacles to effective accountability.

EXECUTIVE SUMMARY

Although much has been done over the last ten years to overcome major obstacles to ensuring democratic and judicial accountability in respect of EU Member States’ complicity in the unlawful US CIA-led extraordinary rendition and secret detention programme, much remains to be done to uncover the truth and hold those responsible accountable for their actions.

This study takes as a starting point two recent and highly significant developments that have helped to shed light on, and establish accountability for, the actions of EU Member States engaged in the Central Intelligence Agency (CIA) rendition and detention programme. The first is the U.S. Senate Intelligence Committee “Study of the Central Intelligence Agency’s Detention and Interrogation Program” (also known as the Feinstein Report) published in December 2014, which provided further evidence of the nature of the relationship between the CIA and several European state authorities and their wrongdoing. The second is the collection of recent judgments of the European Court of Human Rights (ECtHR), particularly in the Al Nashiri and Abu Zubaydah cases, which have helped to provide substantive rule of law standards against which to measure national political inquiries and judicial investigations.

Through the prism of these two important recent developments, this study builds on the 2012 European Parliament study on “The results of inquiries into the CIA’s programme of extraordinary rendition and secret prisons in European states in light of the new legal framework following the Lisbon treaty”. First (section 2), it pinpoints the critical findings of the Feinstein Report and their relevance for EU Member State inquiries, in particular the new revelations that: the CIA was isolated both nationally and internationally; European states that collaborated with the CIA were quick to withdraw assistance when scrutiny increased, leaving the CIA on the run; the UK failed to refute unfounded CIA claims about the intelligence value of information extracted by torture; and the CIA paid large sums of money to cooperative Member States. The study also examines the media controversy provoked by the release of the Feinstein Report and the efforts made by certain actors to undermine its findings.

The study then (section 3) offers an up-to-date account of political inquiries and judicial investigations in five Member States (Italy, Lithuania, Poland, Romania and the United Kingdom). It argues that, while political inquiries and domestic judicial investigations have been or are being conducted in all five Member States and there have been ECtHR cases regarding all but the UK, they have all been beset by obstacles to accountability. The response of the EU institutions is also analysed. While it is acknowledged that the European Commission has taken tentative steps to encouraging accountability (notably in sending letters to Member States in 2013 to request information on investigations underway), it is found that neither the Commission nor the Council have properly followed up on the European Parliament’s recommendations.

After providing a detailed analysis of the recent ECtHR judgments in the Al Nashiri and Abu Zubaydah cases (section 4) and detailing the rule of law benchmarks against which the effectiveness of national investigations can be tested, the study then measures the national political inquiries and judicial investigations and finds them wanting, either because of a lack of independence or because national security or state secrets have been invoked to prevent disclosure of the facts (section 5).

Finally, the study examines what has prevented EU institutions from taking effective action in response to the CIA programme (section 6). It finds a general lack of political will exacerbated by an absence of a clear enforcement mechanism to ensure compliance with the rule of law as laid down in Article 2 TEU, meaning that the important step taken by the Commission to send letters to Member States is bereft of a clear legal framework.

In light of the above considerations, the Study formulates the following policy recommendations to the European Parliament:

Recommendation 1: The Parliament, particularly the LIBE Committee, should establish regular structured dialogue with relevant counterparts in the U.S. Congress and Senate, which would provide a new framework for sharing information and cooperating more closely on interrelated inquiries in the expanding policy field of Justice and Home Affairs.

Recommendation 2: The Parliament should use the recent LIBE Committee decision to draw up a Legislative Own-Initiative Report on an EU mechanism on democracy, the rule of law and fundamental rights to develop and bring further legal certainty to the activation phases preceding the use of Article 7 TEU. Parliament should also insist that the Commission periodically evaluate Member States’ compliance with fundamental rights and the rule of law under a new ‘Copenhagen Mechanism’ to feed into a new EU Policy Cycle on fundamental rights and rule of law in the Union.

Recommendation 3: The Parliament should adopt a Professional Code for the transnational management and accountability of data in the EU. The Code would outline where ‘national security’ and ‘state secrets’ cannot be invoked (i.e. define what national security is not). It would additionally lay down clear rules aimed at preventing the use and processing of information originating from torture or any related human rights violations.

Recommendation 4: The Parliament should demand that the Commission properly follow up on its resolutions and recommendations.

Recommendation 5: The Parliament should call on the President of the European Council to issue an official statement on the rendition programme to the Plenary, stating clearly the degree of Member States’ complicity and detailing obstacles to proper accountability and justice for the victims.

Recommendation 6: The Parliament should call for effective judicial investigations into the Feinstein Report’s findings that the CIA paid large sums of money to Member States for their complicity in the rendition programme, which amount to allegations of corruption.

The EU-US Umbrella agreement on Data Protection just presented to the European Parliament. All people apparently happy, but….

ORIGINAL PUBLISHED BY EU-LOGOS

by Paola Tavola (EU LOGOS Trainee)

“For the first time ever, the EU citizens will be able to know, by looking at one single set of rules, which minimum rights and protection they are entitled to, with regards to data share with the US in the law enforcement sector”. These are the words of P. Michou, chief negotiator in charge of the negotiation process of the so called EU-US “Umbrella Agreement”, who gave a public overview on the lately finalized transatlantic data protection framework in the field of law enforcement cooperation. The speech, delivered during the last meeting of the LIBE committee of the European Parliament, has met a warm welcome by the MEPs. Great congratulations have been expressed by all the political groups, for the work done by the negotiating team of the Commission that, from its side, has thanked the LIBE committee for its strong support and pressures. As Mrs. Michou said, they “helped us to be stronger in our negotiations”. Negotiations that were dealt with a partner that is far from being an easy one. The words of Michou, however, have not completely reassured all the MEPs, who have called for a legal opinion on the text of the agreement to be delivered by the legal department of the European Parliament. Legal certainties about the potential benefits or detrimental effects that this agreement could have on the existing EU data protection rules, as well as on past and future agreements, have been asked by the majority of the deputies, as a necessary precondition for the vote.

Historical context

An EU-US agreement in the field of protection of personal data was already called by the European Parliament in the year 2009. At that time, in a resolution on the state of transatlantic relation, the Parliament underlined the necessity of a “proper legal framework, ensuring adequate protection of civil liberties, including the right to privacy”, to be agreed on the base of a binding international agreement. The Commission then, on the invitation of the European Council, proposed a draft mandate for starting the negotiations with the United States, on a high standard system of data protection. The final mandate, being adopted by the Council in December 2010, opened the negotiation procedure among the two partners, that formally started on March 2011.

The negotiations have been though, mainly because of a great cultural difference existing among the two partners in terms of data protection, but after four years of work, the agreement has been initialed in Luxembourg, last September 8th. The final text, that can be signed only with the authorization of the Council and the consent of the Parliament, represents a huge step forward: “if we look back to some years ago, it was clear that some of the issues that have been now achieved in the text, couldn’t even have been theoretically possible”, Jan Philippe Albrecht (Greens/EFA) said, by opening the debate after Mrs. Michou speech.

The european Commissioner for Justice, Consumers and Gender Equality, Věra Juorová, by declaring full satisfaction for the conclusion of the discussions, affirmed: “robust cooperation between the EU and the US to fight crime and terrorism is crucial to keep Europeans safe. But all exchanges of personal data, such as criminal records, names or address, need to be governed by strong data protection rules. This is what the Umbrella Agreement will ensure.”

Terrorism or organized crime are phenomena that definitely constitute serious threats to security. However, leaving aside the narrow concept of security, as many theories and authors consider nowadays, a threat to security can be identified as any threat to the “cherished values” of our society: thus also to those values such as the right of privacy and the data protection.

The issue concerns how security and law enforcement are able to positively and constructively interact with new technology, but also to clash with it.

On one side, the information and data sharing is now a fundamental and crucial aspect of policy and judicial inter-state cooperation, since major threats and criminal phenomena have assumed a transnational connotation. On the other side however, it is necessary to ensure the protection and the fair and limited treatment of information, that is transferred as part of the transatlantic cooperation in criminal matters, in order to avoid abuses and the setting up of mass surveillance systems.

The two transatlantic partner, have already settled a substantial framework of data transfer rules. In 2010 they signed an agreement on the processing and transfer of financial messaging data from the EU to the US, for the purposes of the Terrorist Finance Tracking Program (TFTP); while in 2012 they concluded a bilateral agreement for the exchange of PNR (Passenger Name Records) data.

“Data protection is a fundamental right of particular importance in the digital age. In addition to swiftly finalizing the legislative work on common data protection rules within the European Union, we also need to uphold this right in our external relations.” This principle was included by Jean-Claude Juncker in the political priorities of the European Commission agenda, presented in July 2014.

A look inside the “Umbrella Agreement” Continue reading “The EU-US Umbrella agreement on Data Protection just presented to the European Parliament. All people apparently happy, but….”