Category: 9. Internal security -police cooperation

THE UK IMPLEMENTS EU FREE MOVEMENT LAW – IN THE STYLE OF FRANZ KAFKA

ORIGINAL PUBLISHED ON EU LAW ANALYSIS 

Thursday, 19 March 2015

By Steve PEERS

Most laws are complicated enough to start with, but with EU Directives there is an extra complication – the obligation to transpose them into national law. A case study in poor transposition is the UK’s implementation of the EU’s citizens’ Directive, which regulates many aspects of the movement of EU citizens and their family members between EU Member States. Unfortunately, that defective implementation is exacerbated by a further gap between the wording of this national law and its apparent application in practice, and by the unwillingness of the EU Commission to sue the UK (or other Member States) even for the most obvious breaches of the law.

It’s left to private individuals, who usually have limited means, to spend considerable time and money challenging the UK government in the national courts. One such case was the recent victory in McCarthy (discussed here), concerning short-term visits to the UK by EU citizens (including UK citizens living elsewhere in the EU) with third-country (ie, non-EU) family members.  The UK government has just amended the national rules implementing the EU citizens’ Directive (the ‘EEA Regulations’) to give effect to that judgment – but it has neglected to amend the rules relating to another important free movement issue.

Implementing the McCarthy judgment

The citizens’ Directive provides that if EU citizens want to visit another Member State for a period of up to three months, they can do so with very few formalities. However, if those EU citizens are joined by a third-country family member, it’s possible that this family member will have to obtain a short-term visa for the purposes of the visit. The issue of who needs a short-term visa and who doesn’t is mostly left to national law in the case of people visiting the UK and Ireland, but it’s mostly fully harmonised as regards people visiting all the other Member States.

Although the EU’s citizens’ Directive does simplify the process of those family members obtaining a visa, it’s still a complication, and so the Directive goes further to facilitate free movement, by abolishing the visa requirement entirely in some cases. It provides that no visa can be demanded where the third-country family members have a ‘residence card’ issued by another EU Member State. According to the Directive, those residence cards have to be issued whenever an EU citizen with a third-country family member goes to live in another Member State – for instance, where a British man moves to Germany with his Indian wife. Conversely, though, they are not issued where an EU citizen has not left her own Member State – for instance, a British woman still living in the UK with her American wife.

How did the UK implement these rules? The main source of implementation is the EEA Regulations, which were first adopted in 2006, in order to give effect to the citizens’ Directive by the deadline of 30 April that year. Regulation 11 of these Regulation states that non-EU family members of EU citizens must be admitted to the UK if they have a passport, as well as an ‘EEA family permit, a residence card or a permanent residence card’. A residence card and permanent residence card are creations of the EU Directive, but an ‘EEA family permit’ is a creature of UK law.

While the wording of the Regulation appears to say that non-EU family members of EU citizens have a right of admission if they hold any of these three documents, the UK practice is more restrictive than the wording suggests. In practice, having a residence card was usually not enough to exempt those family members from a visa requirement to visit the UK, unless they also held an EEA family permit. Regulation 12 (in its current form) says that the family member is entitled to an EEA family permit if they are either travelling to the UK or will be joining or accompanying an EU citizen there. In practice, the family permit is issued by UK consulates upon application, for renewable periods of six months. In many ways, it works in the same way as a visa requirement.

An amendment to the Regulations in 2013 provided that a person with a ‘qualifying EEA State residence card’ did not need a visa to visit the UK. But only residence cards issued by Germany and Estonia met this definition. This distinction was made because the UK was worried that some residence cards were issued without sufficient checks or safeguards for forgery, but Germany and Estonia had developed biometric cards that were less likely to be forged.

In the McCarthy judgment, the CJEU ruled that the UK rules breached the EU Directive, which provides for no such thing as an EEA family permit as a condition for admission of non-EU family members of EU citizens with residence cards to the territory of a Member State. The UK waited nearly three months after the judgment to amend the EEA Regulations to give effect to it.

The new amendments cover many issues, but to implement McCarthy they simply redefine a ‘qualifying EEA State residence card’ to include a residence card issued by any EU Member State, as well as any residence card issued by the broader group of countries applying the EEA treaty; this extends the rule to cards issued by Norway, Iceland and Liechtenstein. Presumably this brings the rules into compliance with EU law on this point (the new rules apply from April 6th). That means that non-EU family members of EU citizens will not need a visa to visit the UK from this point, provided that they hold a residence card issued in accordance with EU law, because they are the non-EU family member of an EU citizen who has moved to another Member State. However, this depends also on the practice of interpretation of the rules, including the guidance given to airline staff.

Surinder Singh’ cases Continue reading “THE UK IMPLEMENTS EU FREE MOVEMENT LAW – IN THE STYLE OF FRANZ KAFKA”

DENMARK AND EU JUSTICE AND HOME AFFAIRS LAW: DETAILS OF THE PLANNED REFERENDUM

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

Tuesday, 17 March 2015

by STEVE PEERS 

Danish participation in cross-border criminal law measures is symbolised by ‘The Bridge’, the ‘Nordic Noir’ series about cross-border cooperation in criminal matters between Denmark and Sweden. But due to the changes in EU law in this field, that cooperation might soon be jeopardised. As a result, in the near future, Denmark will in principle be voting on whether to replace the current nearly complete opt-out on EU Justice and Home Affairs (JHA) law with a partial, selective opt-out. I have previously blogged on the implications of this plan in general terms, but it’s now clear exactly what this vote will be about.

First of all, a short recap of the overall framework (for more detail, see that previous blog post). Back in 1992, Denmark obtained an opt-out from the single currency, defence and aspects of JHA law (it’s widely believed that it also obtained an opt-out from EU citizenship, but this is a ‘Euromyth’). These opt-outs were formalised in the form of a Protocol attached to the EU Treaties as part of the Treaty of Amsterdam. The JHA opt-out was then amended by the Treaty of Lisbon.

At present, Denmark participates in: the EU policing and criminal law measures adopted before the entry into force of the Treaty of Lisbon; measures relating to the Schengen border control system (as  matter of international law, not EU law); the EU rules on visa lists (as a matter of EU law); and the EU’s Dublin rules on allocation of asylum applications, ‘Brussels’ rules on civil jurisdiction and legislation on service of documents (in the form of treaties with the EU). In contrast, Denmark does not – and cannot – participate in other EU rules on immigration and asylum law or cross-border civil law, or policing and criminal law rules adopted since the entry into force of the Treaty of Lisbon.

The Protocol on Denmark’s legal position either allows it to repeal its JHA opt-out entirely, or selectively. If it chooses to repeal the opt-out selectively, it would then be able to opt in to JHA measures on a case-by-case basis, like the UK and Ireland, although (unlike those states) it would remain fully bound by the Schengen rules. Indeed, those rules will then apply as a matter of EU law in Denmark, not as a matter of international law. Continue reading “DENMARK AND EU JUSTICE AND HOME AFFAIRS LAW: DETAILS OF THE PLANNED REFERENDUM”

The European Area of Freedom Security and Justice : still.. lost in transition ?

by Emilio De Capitani

More than five years ago the Lisbon Treaty entered into force carrying along great expectations for the transformation of the EU into a Freedom Security and Justice area. However even if some progress has been made on Schengen,  asylum policies, procedural guarantees in criminal proceedings and judicial cooperation in civil matters the results are far lower than the initial expectations and of the ambitious objectives enshrined in the Stockholm Programme adopted by the European Council on December 10th 2009.

That Programme has been criticized by some member states as it was a sort of “Christmas tree”. However what the European Council adopted in June  last year is little more than a “dry bush” mainly focused on the need for …thorough reflections before adopting new EU legislation. Some commentators considered that this was a Machiavellian move of the European Council to pass the baton to the newly appointed President of the European Commission so that it could take the lead of this European policy as for any other “ordinary” policy.

A deceiving Commission..

In the following months this interpretation was confirmed by the appointment of the first Commission Vice President, in charge of the implementation of the rule of law, of the European Charter of fundamental rights and of better legislation. Moreover the creation of a specific portfolio for migration policy gave the impression of the Commission’s stronger political commitment “..to place the individual at the heart of its activities, by establishing the citizenship of the Union and by creating an area of freedom, security and justice” (European Charter Preamble)

However very soon these initial hopes had been deceived:

1 The rule of law mechanism which was suggested by the last “Barroso” Commission was soon forgotten

2 As far as the Charter is concerned the Commission has apparently been taken by surprise by the Court of Justice opinion 2/13 dealing with the EU accession to the ECHR and is still considering what to do. But the Juncker Commission also seems lost when the issue at stake is to transpose the EU Charter principles into new EU legislation. It will only take more than one year to evaluate what could be the impact of the CJEU ruling on data retention on the pending legislation such as the EU PNR, the entry-exit and the registered travel proposals (not to speak of its impact on EU legislation and agreements that are already in force..)

3 Migration and human mobility are still dealt with and financed by the same General Directorate which is in charge of internal security policy instead of being moved to social affairs policies which should have been a real holistic and individual-centred approach.

4 Last but not least the Commission’s legislative programme for 2015 is more than reticent and it appears more and more evident that for the time being most (if not all) of the Commission’s political energy will be focused on economic objectives so that the Freedom security and justice area related policies have to wait for a new season.

but the situation between Member States is even worse..

The situation of FSJA policies is even more frustrating on the Member States side.

Not only some legislative procedures like the ones on consular protection, access to documents  or the fight against discrimination remain blocked and others including the data protection reform will require a caesarean section to come to life,  but day after day it appears clearer and clearer  that there is still a majority of member states which do not want  the modernisation of measures adopted before the Lisbon treaty (or even before the entry into force of the Amsterdam Treaty. This is notably the case of Germany which (as a rule)  oppose any new measure which can have a financial impact or will change the former “unbalance” of power between the Council and the European Parliament. Take the case of the recent three Commission proposals (1) repealing FSJA measures dating back to the intergovernamental period. According to German delegation even a 1998 Schengen decision on the adoption of measures to fight illegal immigration should be preserved because “None of the (current) legal instruments include a similarly comprehensive approach to fight illegal migration and immigrant smuggling.” This is appalling : would it not be wiser to urge the Commission to submit a new proposal which could better comply with the EU Treaties and with the Charter by also associating the European Parliament to this endeavour ?

This case apart it is worth noting that all the pre-Lisbon measures dealing with police cooperation and judicial cooperation in criminal matters (2) have been legally “embalmed” by art 9 of Prot.36 according to which “The legal effects of the acts of the institutions, bodies, offices and agencies of the Union adopted on the basis of the Treaty on European Union prior to the entry into force of the Treaty of Lisbon shall be preserved until those acts are repealed, annulled or amended in implementation of the Treaties. The same shall apply to agreements concluded between Member States on the basis of the Treaty on European Union.”

A “Transitional” period ….until when ? Continue reading “The European Area of Freedom Security and Justice : still.. lost in transition ?”

The European Union and State Secrets: a fully evolving institutional framework…in the wrong direction (2).

 By Emilio DE CAPITANI

In a passionate intervention before the Civil Liberties Committee of the European Parliament (LIBE) on January 8 the European Ombudsman has denounced the fact that:For the first time in its twenty year history, the European Ombudsman was denied its right under Statute to inspect an EU institution document, even under the guarantee of full confidentiality, as part of an inquiry… This power to inspect documents is fundamental to the democratic scrutiny role of the Ombudsman and acts as a guarantor of certain fundamental rights to the EU citizen.”

The case concerned Europol’s refusal to give access to a Joint Surpervisory Body (JSB) report on the implementation of the EU-US Terrorist Finance Tracking Program (TFTP) Agreement (known as “SWIFT” agreement). The JSB consists of representatives of the data protection authorities of the Member States which should ensure that the storage, processing and use of the data held by Europol do not violate fundamental EU rights. To check if  Europol was correctly applying EU law the Ombusdman has asked to inspect the JSB report. ”However”,as stated by Mrs O’Reilly,”..according to Europol, the “technical modalities” agreed between the Commission and the US under Article 4(9) of the TFTP Agreement required Europol to obtain the permission of the US authorities before allowing the Ombudsman, or any other entity, any access, including an Ombudsman confidential inspection, to the record. The US authorities have refused such permission to Europol.” Reportedly the  US authorities refused this permission because the Ombudsman “need to know” requirement for having access to that classified document was not met.

Many LIBE members have considered this statement quite appalling because it allowed the US authorities to be the arbiters of whether or not the Ombudsman may exercise her statutory, democratic power to inspect the document at issue in conformity with EU law. It is worth recalling that art. 3 par. 2 of the Ombusdman statute states that : The Community institutions and bodies shall be obliged to supply the Ombudsman with any information he has requested from them and give him access to the files concerned. Access to classified information or documents, in particular to sensitive documents within the meaning of Article 9 of Regulation (EC) No 1049/2001, shall be subject to compliance with the rules on security of the Community institution or body concerned.” 

To shed some light on this controversy it could be worth recalling some elements which to my opinion have not been developed during the parliamentary debate and I had the occasion to recall in a previous post …five years ago.

The “Originator’s principle” in art. 9 of Regulation 1049/01

First of all it should be noted that art. 9 of Regulation 1049/01 cited in the Ombudsman Statute is the only EU legislative basis which allows the classification of “sensitive documents” which are “..documents are documents originating from the institutions or the agencies established by them, from Member States, third countries or International Organizations, classified as ‘TRÈS SECRET/TOP SECRET’, ‘SECRET’ or ‘CONFIDENTIEL’ in accordance with the rules of the institution concerned, which protect essential interests of the European Union or of one or more of its Member States in the areas covered by Article 4(1)(a), notably public security, defense and military matters.” According to paragraph 3 of the same article “Sensitive documents shall be recorded in the register or released only with the consent of the originator.”

However, according to Regulation 1049/01 the Originator’s consent is an exception to the general rule according to which an Institution when requested for access to a document should be driven by objective criteria and not by the will of the “originator” even when the latter it is an EU Member State (see art. 4 p.4-6 of Regulation 1049/01). The only obligation foreseen by the Regulation is to establish a fair dialogue with the “originator” and the final judge will remain the Court of justice which should assess if Regulation 1049/01 principles and rules have been violated. Not surprisingly this general rule was not easy to agree with the Member States but it was chosen as it was the only possible way out to preserve the autonomy of EU law against the risk of inconsistent decisions at EU level if taken  following national standards which are still extremely diverse (think how different is the approach to transparency in Sweden or in Spain..).

Why then establish an exception in art. 9 ?

The main factor has been the Council reqyest to cover the first 2000 EU-NATO agreement  on exchange of classified information  which, like all similar international agreements was built on the “originator” principle and also because of this was challenged by the European Parliament before the Court of Justice. Mid 2001 a deal was then struck with the European Parliament which obtained that the exception of the “originator’s principle” should had been limited to the intergovernmental domains (at the time the internal and external security policies covered by art. 24 and 38 of the EU Treaty). The logic was that for these policies the Member States are mainly under the control of their national parliaments so that the European Parliament (as well as the Court of Justice) could not be considered co-responsible for violation of EU law.

On this basis the Council has progressively built an autonomous legal framework which can hardly be considered a simple implementation of Art.9 of Regulation 1049/01. Not only the Council has added another lower level of classified documents (“Restricted”) but it embodied  the “originator’s principle”. The Council latest version of these security rules is the Decision 2013/488/EU and  has been adopted  by the Council on its internal organizational powers (art. 240 TFEU) and “without prejudice to Articles 15 and 16 of the Treaty on the Functioning of the European Union (TFEU) and to instruments implementing them”.(eg Regulation 1049/01 and the measures protecting personal data).

Notwithstanding this “disclaimer” this Council Decision has become “de facto” an harmonizing measure as it  define the “principles” which should frame the European Union Classified Informations (EUCI). To comply with the rule of law and democratic principles these “principles” should had been adopted by the  co-legislator as foreseen by art. 15 of the TFEU (1) and by the EU Charter. But the general application of these “internal rules” derives by the fact that they should be “copy and pasted” as such in all the EU Institutions agencies and bodies “internal” security rules if the latter want to share classified informations with the Council or between them.

Also in the international negotiations the Originator’s principle has been spread in dozen of international agreements even if since the entry into force of the Lisbon Treaty these agreements deals with the exchange of classified information linked with  the common foreign and security policy (art. 37 of the TEU) (2). When classified informations deals with Judicial and police cooperation in criminal matters they now require an internal legal basis as it happened  for the  Decision concluding the EU-US agreement on TFTP. The “mutual respect clause foreseen by art. 40 TEU (3) should be respected and the European Parliament approbation is required.

Quite rightly then the European Parliament Legal Service has considered that the “technical modalities” invoked by Europol to justify the refusal of access by the Ombusdman could not be considered a sound legal basis as they were simple  “implementing measures” of the TFTP agreement and have been not part of the agreement itself.

Can the Ombusdman, the European Parliament and the Court of justice be considered simple “third parties” ?

However I am less convinced of the EP Legal Service reasoning  when it justify  the EUROPOL refusal to give the Ombusdman access to the JSB report because the originator’s  principle is embodied in …the Europol internal Security Rules.

First of all I believe that in case of conflict between the Europol Security Rules (which mirror the Council Internal security rules which themselves are implementing measure of art. 9 of Regulation 1049/01) and the Ombudsman Statute the latter should  prevail as the latter it is a direct implementation of the Treaty and is of legislative nature (as it has been adopted in codecision by the European Parliament and the Council).

Secondly (and more importantly) I consider that the question as highlighted by the Ombudsman is indeed more of constitutional nature and deals with the preservation of the principle of institutional balance in an autonomous legal order as it is the European Union (see the recent Court of Justice opinion 2/13 on the EU accession to the ECHR).

Under this perspective I think that the way how the Council has implemented the art 9 of Regulation 1049/01 is creating a sort of “executive privilege” which has no  basis in the EU primary law and can which moreover is threatening the prerogatives of the other institutions.

I find also misleading (to say the least) the formula applied by the Council in the international agreements on the exchange of classified information (even if now limited to external security policy). The formula is the following : 

The EU institutions and entities to which this Agreement applies shall be: the European Council, the Council of the European Union (hereinafter ‘the Council’), the General Secretariat of the Council, the High Representative of the Union for Foreign Affairs and Security Policy, the European External Action Service (hereinafter ‘the EEAS’) and the European Commission. For the purposes of this Agreement, these institutions and entities shall be referred to as ‘the EU’..

How can be considered complying with the EU founding values of democracy and of the rule of law as well as with the principle of legal certainty a formula which give the right to a third country such as Russia, Georgia, Turkey,  (4)  to decide that the Ombudsman, the European Parliament and the Court of Justice are “third parties which can be forbidden from acceding to classified information” even when their access is linked with the exercise of their constitutional prerogatives? (5)

Conclusions

For all these reasons I think that the Ombudsman should had challenged the Europol refusal before the Court of justice by giving to the Luxembourg Judges the possibility to better frame the scope of the originator’s principle and of the “third party” rule in the EU law.

In the meantime it could also be possible that the Commission (and notably its Vice president of  Timmermans in charge of the Rule of law of the EU Charter) take on board the amendments to Regulation 1049/01 (and to art. 9) as voted by the European Parliament on December 2011.

Last but not least I think that also the European Parliament should take advantage of what he has learned in Ombudsman-Europol case in  the  current negotiations with the Council on the post-Lisbon  EUROPOL decision. It could be worth amending some worrying articles of the Council “general approach” (Council Doc 10033/14 of May 28 2014) . For instance art.67 of rightly makes reference to Regulation 1049/01 but art. 69 makes reference to the Council Internal Security rules instead to art. 9 of Regulation 1049/01. I think it could also be wise to examine the content of the Europol adopted and pending international agreements as the Council “general approach” foresee  that Europol International agreements “established on the basis of Decision 2009/371/JHA and agreements concluded by Europol as established by the Europol Convention before 1 January 2010 should remain in force”.

NOTES

(1)  “General principles and limits on grounds of public or private interest governing this right of access to documents shall be determined by the European Parliament and the Council, by means of regulations, acting in accordance with the ordinary legislative procedure.” (art. 15 p 3 TFEU)

(2)  See for example the 2011 agreement between the EU and Serbia on the exchange of classified information)

(3) Art 40 TEU. “The implementation of the common foreign and security policy shall not affect the application of the procedures and the extent of the powers of the institutions laid down by the Treaties for the exercise of the Union competences referred to in Articles 3 to 6 of the Treaty on the Functioning of the European Union. 

Similarly, the implementation of the policies listed in those Articles shall not affect the application of the procedures and the extent of the powers of the institutions laid down by the Treaties for the exercise of the Union competences under this Chapter.”

(4)  The third Countries with which the agreements have been concluded are :   Australia, Bosnia and Herzegovina, Former Yugoslav Republic of Macedonia, Iceland,  Israel, Liechtenstein, Montenegro, Norway, Serbia, Switzerland, Ukraine and United States of America. Agreements have also been signed with: Canada (Negotiating mandate approved by the Council  on 21.10.2003 – Under negotiation),  Turkey (Negotiated but not yet approved by the Council), Russian Federation (Agreement signed on 01.6.2010 and published  in OJ L 155, 22.6.2010, p.57. Exchange of  notes verbales following entry into force of the  Lisbon Treaty . Negotiations on  the implementing arrangements are ongoing), Albania Negotiating mandate approved by the Council  on 20.01.2014 (Under  negotiation), Georgia (Negotiating mandate approved by the Council  on 20.01.2014.Under negotiation).

(5) The fact that  the “third party rule” constitutes a guarantee for the third party to a certain extent, but it is not an absolute principle of law has been debated during the negotiations of the EU-Canada exchange of classified informations (with reference to Section 38 of the Canada Evidence Act).

TRIBUNE : “Schengen”, terrorism and security (Bertoncini / Vitorino)

by Yves Bertoncini and Antonio Vitorino (*)

The Paris attacks of January 2015 gave rise to an emotion shared by millions of Europeans, while fueling some doubts on their ability to combat terrorist threats within the “Schengen Area”, write Yves Bertoncini and António Vitorino.

1. The Schengen Agreement has resulted in a diversification of police checks, making them more effective, including those to identify terrorist threats.

The creation of the Schengen Area, which currently comprises twenty-six member countries, including twenty-two of the twenty-eight EU Member States, has led to a redeployment of national and European police checks, based on four complementary principles.

Firstly, the closure of permanent “internal” border posts within the Schengen Area, in order to avoid long and pointless queues to hundreds of thousands of Europeans who cross over every week to work, study, meet relatives and enjoy themselves – while this wait remains compulsory for those who wish to travel to or from Bulgaria, Cyprus, Croatia, Ireland, Romania and the United Kingdom.

Secondly, the organisation of mobile patrols across all Schengen Area member countries, which may be conducted jointly: these checks are much more effective, particularly with regard to the fight against cross-border crime and terrorism, as they can be used to flush out wanted persons when they are not expecting it (as is the case at a border). No terrorist has ever declared his intention when crossing a border!

Thirdly, the joint management of external borders, which are ipso facto “our” borders, as those crossing them can travel to other member countries, provided that they comply with European regulations on visas and resources. These common borders are land, sea and air borders (all airports welcoming flights from non-Schengen countries). Each country is in charge of a section of these borders, and must act to combat terrorist threats as a priority, particularly when they escalate due to conflicts occurring around the EU, namely in the Middle East and the Sahel regions.

Lastly, the possibility of applying “safeguard clauses” to reestablish national border checks for a limited period of time, for example during sporting or social events, and also in the case of terrorist threats. These clauses have already been used dozens of times since 1985, under EU supervision, in order to enable governments to deal with emergency situations.

2. Terrorist threats call for the spirit of the Schengen Agreement to be furthered

The emotion aroused in the aftermath of terrorist attacks often revives a need for reassurance that can be centred around the reopening of posts at national borders, given their importance in the collective psyche. In-depth considerations, however, urge us to satisfy this need for security within the very framework of the Schengen Area, in which the spirit of cooperation and mutual trust must be fostered.

The Madrid bombings in March 2004 were perpetrated by Islamic fundamentalists from Morocco and the East, with the complicity of Spanish nationals: it is through increased security at the Schengen Area’s external borders and stronger police and judicial cooperation that this terrorist attack could have been thwarted. While it is not a member of the Schengen Area, the United Kingdom was the target of bloody attacks in July 2005. These attacks were perpetrated by British nationals, one of whom was able to leave the country after crossing a national border: he was arrested in Rome, thanks to European police and judicial cooperation.

The perpetrators of the Paris attacks in January 2015 were born in France and were known to the country’s police and legal departments and/or its intelligence services. One of the men had been checked by Paris police a few days prior to the attacks and a few hours before leaving for Spain with his girlfriend, currently in hiding in Syria. In light of the information in the police’s possession, it’s equally unlikely that he would have been detained at the border between France and Spain. In hindsight, it can be noted that the surveillance of the three terrorists was insufficiently constant and effective to be able to detect their intention to attack.

It is by granting additional financial, human and legal resources to the police and justice bodies on both national and European levels that we can combat such terrorist attacks more effectively. Not by allocating these resources to controls at Schengen Area internal borders, which would result in pointless and very onerous checks of the millions of crossings that take place each month.

3. The police and judicial cooperation organised by the Schengen Agreement and the EU must be reinforced, including cooperation to combat terrorism

The Convention implementing the Schengen Agreement is made up of 141 articles, which were then integrated into community legislation. The first articles set out the rules that offer residents of member countries the possibility of freedom of movement. Most of the articles concern the organisation of police and judicial cooperation between national authorities – in which even non-member countries such as the United Kingdom may take part occasionally. “Schengen” therefore results in greater freedom and increased security, efforts intended to compensate and to balance, but which could be reassessed in light of terrorist threats.

The reinforcement of the financial and human resources allocated to member country policing and justice must come together with an improvement of the “Schengen Information System”, and the stepping up of exchanges between intelligence services, including bilateral arrangements. The creation of a European legal framework for air passenger data exchanges (known as “EU-PNR”) will improve police forces’ effectiveness – while the guarantees governing the use of personal data are reinforced in consequence.

European bodies such as Europol, Eurojust and the Frontex agency could step up their technical assistance for member countries if they were allocated more resources. They will contribute to reinforcing the quality of checks conducted in all respects of the Schengen Area, including on the basis of one-off assessment assignments that target suspected “weak links” and by heightening mutual trust between countries.

In conclusion, European cooperation with third countries in which terrorists are likely to travel must be improved – for example Turkey and North African countries – and also with the USA. A globalised movement of police and judicial cooperation must be promoted to increase Europeans’ safety, against a movement of unrealistic and ineffective focus on national borders.

An improved application of the Schengen Area’s operating rules is without doubt possible, to enable its member countries and the EU to withstand terrorist threats. Questioning these rules does not in any way impede freedom of movement, a right granted since the Rome Treaty to all EU residents, regardless of whether or not their country is a member of the Schengen Area. Yet this would make the exercise of this right much more complex and costly, while undermining the shared responsibility that Europeans require in order to dismantle terrorist networks.

(*) António Vitorino is president and Yves Bertoncini director of Notre Europe – Jacques Delors Institute, the EU think tank based in Paris. Vitorino is also former European Commissioner for justice and home affairs.

This Tribune of Notre Europe / Jacques DELORS Institute was also published on the HuffingtonPost.fr and on Euractiv.com.

(S. PEERS) BRINGING THE PANOPTICON HOME: THE UK JOINS THE SCHENGEN INFORMATION SYSTEM

ORIGINAL PUBLISHED ON EU LAW ANALYSIS blog

BY Steve Peers

Over two hundred years ago, British philosopher Jeremy Bentham devised the concept of the ‘Panopticon’: a prison designed so that a jailer could in principle watch any prisoner at any time. His theory was that the mere possibility of constant surveillance would induce good behaviour in prison inmates. In recent years, his idea for a panopticon has become a form of shorthand for describing developments of mass surveillance and social control.

The EU’s forays in this area began with the creation of the Schengen Information System (SIS) in the 1990s. The SIS is a well-known EU-wide database containing enormous amounts of information used by policing, immigration and criminal law authorities.

Until now, the UK has not had any access to the SIS. But this week, the EU Council finally approved the UK’s participation in the System, thereby linking the EU’s most iconic database with the intellectual home of the panopticon theory. What are the specific consequences and broader context of this decision?

Background

The main purpose of the Schengen system is to abolish internal border checks between EU Member States, as well as some associated non-EU States.  At the moment, the full Schengen rules apply to all EU Member States except the UK, Ireland, Cyprus, Romania, Bulgaria and Croatia. Those rules also apply to four associates: Norway, Iceland, Switzerland and Liechtenstein.

All of the Member States are obliged ultimately to become part of the Schengen system, except for the UK and Ireland. Those two Member States negotiated an exemption in the form of a special Protocol at the time when the Schengen rules (which originated in theSchengen Convention, ie a treaty drawn up outside the EU legal order) were integrated into the EU legal system, as part of the Treaty of Amsterdam (in force 1999).

The UK and Ireland are not entirely excluded from the Schengen system. In fact, they negotiated the option to apply to join only some of the Schengen rules if they wished. Their application has to be approved by the Council, acting unanimously. The UK and Ireland essentially chose to opt in to the Schengen rules concerning policing and criminal law, including the SIS, but not the rules concerning the abolition of internal border controls and the harmonisation of rules on external borders and short-term visas.

The UK’s application to this end was approved in 2000 (see Decision here), and Ireland’s was approved in 2002 (see Decision here). But in order to apply each Decision in practice, a separate subsequent Council decision was necessary, because the Schengen system cannot be extended before extensive checks to see whether the new participant is capable of applying the rules in practice.  On that basis, most of the Schengen rules which apply to the UK have applied from the start of 2005 (see Decision, after later amendments, here). The exception is the rules on the SIS, which the UK was not then ready to apply. After spending considerable sums trying to link to the SIS, the UK gave up trying to do so, on the basis that the EU was anyway planning to replace the SIS with a second-generation system (SIS II). There’s a lot of further background detail in the House of Lords report on the UK’s intention to join the SIS (see here), on which I was a special advisor. (Note that Ireland does not apply any of the Schengen rules in practice yet).

It took ages for the EU to get SIS II up and running, and it finally accomplished this task by April 2013 (see Decision here). The UK had planned to join SIS II shortly after it became operational, but this was complicated by the process of opting out of EU criminal law and policing measures adopted before the entry into force of the Treaty of Lisbon, and simultaneously opting back in to some of them again, on December 1st 2014 (see discussion of that process here). This included an opt back in to the SIS rules.

Once that particular piece of political theatre concluded its final act, the EU and the UK returned to the business of sorting out the UK’s opt in to SIS II in practice. This week’sdecision completed that process, giving the UK access to SIS II data starting from March 1st. The UK can actually use that data, and enter its own data into the SIS, from April 13th.

Consequences

What exactly does participation in the SIS entail? The details of the system are set out in the 2007 Decision which regulates the use of SIS II for policing and criminal law purposes. There are also separate Regulations governing the use of SIS II for immigration purposesand giving access to SIS II data for authorities which register vehicles. The former Regulation provides for the storage of ‘alerts’ on non-EU citizens who should in principle be denied a visa or banned from entry into the EU, while the latter Regulation aims to ensure that vehicles stolen from one Member State are not registered in another one. The UK participates in the latter Regulation, but not the former, since it could only have access to Schengen immigration alerts if it fully participated in the Schengen rules on the abolition of internal border controls. On current plans, this will happen when hell freezes over.

The SIS II Decision provides for sharing ‘alerts’ on five main categories of persons or things: persons wanted for arrest for surrender or extradition purposes (mainly linked to the European Arrest Warrant); missing persons; persons sought to assist with a judicial procedure; persons and objects who should be subject to discreet checks or specific checks (ie police surveillance); and objects for seizure or use as evidence in criminal proceedings. There are also rules on the exchange of supplementary information between law enforcement authorities after a ‘hit’. For instance, if the UK authorities find that a European Arrest Warrant has been issued for a specific person, they could ask for further details from the authority which issued it.

On the other hand, the SIS does not, as is sometimes thought, provide for a basis for sharing criminal records or various other categories of criminal law data, although the EU has set up some other databases or information exchange systems dealing with such other types of data. (On criminal records in particular, see my earlier blog post here). The main point of setting up the second-generation system was to extend the SIS to new Member States (although in the end a new system wasn’t actually necessary for that purpose), and to provide for new functionalities such as storing fingerprints, which will likely be put into effect in the near future.

In practice, the UK’s participation in SIS II is likely to result in the Crown Prosecution Service receiving more European Arrest Warrants (EAWs) to process, and in more efficient processing of EAWs which the UK has issued to other Member States. It will also be easier, for instance, to check on whether a car or passport stolen in the UK has ended up on the continent, or vice versa.

Broader context

As noted already, while the UK is only now joining the SIS, the System has been around for many years, and has proved to be the precursor of many EU measures in this field. Indeed, as EU surveillance measures go, the SIS turned out to be a ‘gateway drug’: the friendly puff that led inexorably to the crack den of the data retention Directive.

Of course, interferences with the right to privacy can be justified on the basis of the public interest in enforcement of criminal law and ensuring public safety – if the interference is proportionate and in accordance with the law. Compared to (for instance) the data retention Directive and the planned passenger name records system, the SIS is highly targeted, focussing only on those individuals involved in the criminal law process, or police surveillance, or banned from entry from the EU’s territory. The legitimacy of the system therefore depends upon the accuracy and legality of the personal data placed in to it, and the connected data protection rules. On this point, the EU and national data protection supervisors have reported that many data subjects do not even know about the data held on them in SIS II, and they have produced a guide to help them with accessing their data in the system.

There’s an inevitable tension between the EU’s goal to set the world’s highest data protection standards, on the one hand, while also developing multiple huge databases, information exchange systems and surveillance laws, on the other.  It’s as if the brains of the utilitarian Jeremy Bentham and the libertarian John Stuart Mill were both battling for control of the same body – forcing it to draw up plans for the Panopticon at the same time as it was storming the Bastille. If this tension manifested itself in fiction, it would probably take the form of a comedy about a vegetarian butcher, or a virgin porn star. But the need to ensure that measures to protect our security do not remove all our liberty is not a laughing matter.

 

*This blog post is linked to ongoing research on the upcoming 4th edition of EU Justice and Home Affairs Law (forthcoming, OUP).

 

Image credit: nytimes.com

Barnard & Peers: chapter 25

Posted by Steve Peers at 23:48 No comments:

Email ThisBlogThis!Share to TwitterShare to FacebookShare to Pinterest

Labels: criminal law, data protection, databases, opt-outs, right to privacy, Schengen, Schengen Information System, United Kingdom

Friday, 6 February 2015

Rights, remedies and state immunity: the Court of Appeal judgment in Benkharbouche and Janah

 

Steve Peers

Yesterday’s important judgment in Benkharbouche v Sudan and Janah v Libya by the Court of Appeal raised important issues of public international law, the ECHR and the EU Charter of Fundamental Rights, and demonstrated the relationship between them in the current state of the British constitution. The case involved two domestic workers bringing employment law complaints against the respective embassies of Sudan and Libya, which responded to the complaints by claiming state immunity, based on a UK Act of Parliament (the State Immunity Act) which transposes a Council of Europe Convention on that issue.

The question is whether invoking state immunity for these employment claims amounted to a breach of human rights law, given that Article 6 of the ECHR (the right to a fair trial) guarantees access to the courts, according to the case law of the European Court of Human Rights (ECtHR). In turn, this raised issues of EU law, given that Article 47 of the EU Charter of Fundamental Rights likewise guarantees the right to a fair trial, and some of the claims concerned EU law issues (the race discrimination and working time Directives). (Other claims, such as for ordinary wages and unfair dismissal, were not linked to EU law). The two cases didn’t concern human trafficking or modern slavery, although sometimes embassies are involved in such disputes too. But they would be relevant by analogy to such disputes, and there would also be a link to EU law in such cases, since there is an EU Directive banning human trafficking, which the UK has opted in to.

The Court of Appeal, essentially following the prior judgment of the Employment Appeal Tribunal, made a careful study of recent ECtHR case law, concluding that state immunity could no longer be invoked against all employment law claims, but only against those claims concerning core embassy staff. This could not apply to domestic workers; Ms. Janah’s tasks did not involve (for instance) shooting any British policewomen.

But what was the remedy for this breach of human rights principles? At lower levels, the tribunals had been powerless to rule on the claims for breach of the ECHR, since the UK’sHuman Rights Act awards the power to issue a ‘declaration of incompatibility’ that an Act of Parliament breaches the ECHR to higher courts only. So the Court of Appeal was the first court that could issue such a declaration, and it did so in this case. (The Court concluded that it could not ‘read down’ the relevant clauses in the State Immunity Act to interpret them consistently with the ECHR).

However, as compared to the effect of EU law, even a declaration of incompatibility with the ECHR is relatively weak, given that the potential remedy for a breach of EU law is the disapplication of national law, even Acts of Parliament if necessary, by the national courts. So the Court of Appeal also ruled that the relevant provisions of the State Immunity Acthad to be disapplied, to the extent that they were applied as a barrier to the claims based on EU law. On this point, the Court was following the Employment Appeal Tribunal, which had also ruled to disapply the Act, given that any level of national court or tribunal has the power to disapply an act of parliament if necessary to give effect to EU law.

If I had a pound for every law student who has confused the remedies in UK law for the breach of EU law with the remedies for the breach of the ECHR, I would be very rich indeed. Fortunately, the facts of this case easily demonstrate the distinction between them. Only the higher courts could even contemplate issuing a declaration of incompatibility with the ECHR; and the remedy of disapplication of the Act of Parliament is obviously stronger than the declaration of incompatibility, allowing the case to proceed on the merits (as far as it relates to EU law) rather than having to wait for Parliament to change the law in order to do so. And equally, the case shows the importance of the requirement that a case has to be linked to EU law in order for the Charter to apply: only the race discrimination and working time claims benefit from the disapplication of provisions of the Act of Parliament, and so only those claims can proceed to court as things stand.

From an EU law perspective, the most interesting point examined by the Court of Appeal was the application of the ‘horizontal direct effect’ of Charter rights, ie the application of EU law against private parties (since non-EU States aren’t bound by EU law as States, the court assimilated them to private parties). In its judgment last year in AMS (discussedhere), the CJEU distinguished between those Charter rights which could give rise to a challenge against national law based on the principle of supremacy of EU law, and those Charter rights which could not, since they were too imprecise to base a free-standing Charter claim upon. The right to non-discrimination on grounds of age fell within the former category, whereas the right of workers to be consulted and informed fell within the latter category. (Note that the CJEU case law classifies this as an application of the principle of supremacy, not horizontal direct effect, although the final outcome is the same no matter how the principle is classified, at least in cases like these).

The Court of Appeal reaches the conclusion that Article 47 of the Charter is also a provision which is precise enough to be used to challenge national legislation. That’s an important point, since Article 47 is a far-reaching and frequently invoked provision, and applies not just to state immunity issues but to many broader issues concerning access to the courts (including legal aid) and effective remedies.  For that reason, this judgment is an important precedent for national courts across the European Union faced with challenges to national laws based on Article 47 of the Charter, although of course it doesn’t formally bind any court besides the lower courts of England and Wales.

The Court didn’t need to rule on whether the substantive Charter rights raised by these cases would have the effect of disapplying national law, since it wasn’t ruling on the merits of the cases, but only on the issue of access to court. If it were ruling on the substantive issues, it would seem obvious that race discrimination claims have the same strong legal effect as age discrimination claims, as both claims are based on the same provision of the Charter (Article 21). However, claims based on breach of Article 31 of the Charter (the working time provision) might not have that strong legal effect. Indeed, an Advocate-General’s opinion in the pending case of Fennoll has concluded as much.

Furthermore, the social rights in the Charter (such as the rights set out in Article 31) are subject to a special rule in the Protocol to the EU Treaties which attempts to limit the effect of the Charter in the UK and Poland. The CJEU ruled in its NS judgment that this Protocol does not generally disapply the Charter in the UK, but it did not then rule if the Protocol might nonetheless affect the enforceability of social rights. Given that yesterday’s judgment was about Article 47 of the Charter, not about a substantive social right, it was not necessary for the Court of Appeal to grasp this nettle either.

 

Barnard & Peers: chapter 9, chapter 20

Videosurveillance and privacy in a transatlantic perspective

by Fiammetta Berardo (1)

The following article aims at illustrating how the creation of “societies under surveillance”, whose instruments reshape all people’s life, had started well before September the 11th. For instance within the USA in 1978 an investigation on the privacy violations committed in the course of foreign intelligence surveillance programmes had been leading to the adoption of a special law, the Foreign Intelligence Surveillance Act or FISA. The attacks to the Twin Towers have been offering the context and the casualty for an improvement in quality and intensity. For some political forces or for some economic actors this was an extraordinary opportunity to further develop programmes, ideas (for instance John Ashcroft’s projects previous to September the 11th) or already existing technologies in the field of mass surveillance.

Introduction

Videosurveillance and other surveillance techniques are now used as a tool in the fight against international terrorism worldwide. In Europe measures used in the fight against terrorism that interfere with privacy (in particular body searches, house searches, bugging, telephone tapping, surveillance of correspondence and use of undercover agents) must be provided for by law. But it must be possible to challenge the lawfulness of these measures before a Court.

For instance, with regard to wiretapping, it must be done in conformity with the provisions of Article 8 of the European Convention on Human Rights, notably it must be done in accordance with the law. The adoption of such tools has then to be balanced with the right to privacy. The author tries to sum up the main privacy concerns surveillance techniques and mainly videosurveillance do raise in order to question whether the adoption of these tools in the fight against international terrorism has been challenging such a fundamental right.

Videosurveillance in the United States of America as a response to international terrorism Continue reading “Videosurveillance and privacy in a transatlantic perspective”

“Lisbonisation” of Europol and Eurojust : an in depth analysis for the European Parliament

The inter-agency cooperation and future architecture of the EU criminal justice and law enforcement area

Upon request by the LIBE Committee, the study aims at analysing the current relationship and foreseeable cooperation between several EU agencies and bodies: Europol, Eurojust, the European Anti-Fraud Office, the European Judicial Network and the future European Public Prosecutor’s Office. The study reflects on their cooperation regarding the fight against serious transnational crime and the protection of the European Union’s financial interests. It also identifies good practices and difficulties and suggests possible ways of improvements. AUTHORS Prof. Anne Weyemberg, Université Libre de Bruxelles and Coordinator of the European Criminal Law Academic Network (ECLAN) Mrs Inés Armada, PhD researcher, VUB-ULB, FWO Fellow Mrs Chloé Brière, GEM PhD researcher, ULB – UNIGE

BELOW THE TEXT OF PAGES 8-26. THE FULL STUDY  IS AVAILABLE HERE 

  1. INTRODUCTION

1.1. Context of the study

For the time being, there are 9 JHA decentralised agencies: 6 depending from DG Home, namely EUROPOL, CEPOL, FRONTEX, the European Asylum Support Office (EASO), the European Monitoring Centre for Drugs and Drug Addiction (EMCDDA) and the EU Agency for large-scale IT systems (Eu-LISA) and 3 depending from DG Justice, namely Eurojust, the European Union Agency for Fundamental Rights (FRA) and the European Institute for Gender Equality (EIGE).

Besides the agencies, some other EU bodies/networks, which do not have the agency status, are to be mentioned, such as the EU Anti-Fraud Office (OLAF), the European judicial network (EJN) or the European judicial training network (EJTN). Others are yet to be established, the main one on its way being the European Public Prosecutor’s Office (EPPO).

Complementarity, consistency and a good articulation between all these bodies is crucial if the purpose is to establish a consistent Area of Freedom, Security and Justice (AFSJ) and effectively implement its three components. A good articulation between the EU bodies is also crucial to develop a multidisciplinary approach in the fight against serious cross-border crime.

This need has been repeatedly underlined, particularly by EU institutions1. A better delineation or a clearer definition of each EU agency/body’s competences and functions has been requested. Overlaps are however inevitable (i.e., grey zones) and may even present advantages. The key issue lies in learning how to manage them in good will and good faith. The key word here must be complementarity, which implies working hand in hand for the realisation of common goals, respect of respective mandates and expertise and good communication and coordination in case of overlap. Establishing such complementarity might prove a difficult task, and this for different reasons:

– The different agencies and bodies have been established at different times, in different contexts and in various decisional frameworks. The current agencies/bodies belong to different generations and are more or less mature, the three oldest being OLAF (ex-UCLAF), Europol and the EJN. Some of them are still under the pressure of figures, still fighting/struggling or feeling they have to fight/struggle to justify their existence and prove their added-value.

– The different agencies and bodies are driven/marked by different philosophies/natures/logics: for instance, OLAF has an EC nature, with real « autonomous »/supranational administrative powers, whereas Europol and Eurojust are still marked by the « intergovernmental third pillar spirit » and constitute « service providers » depending on the final decision taken by national authorities;

– They are also marked by differences in professional cultures, be it administrative, police, or judicial;

– Their structure differs (e.g. very different organisation/structure within Europol and Eurojust);

– The resources/means available to each of them are different. Some agencies/bodies are more powerful than others, including in the field of policy orientation. For instance, the major role played by Europol in the design of the EU Internal Security Strategy (ISS) and in the EU policy cycle must be mentioned.

– The articulation between the EU agencies/bodies must accommodate the differences between the different national criminal justice systems. These include the different distribution of competences/tasks between the administrative/criminal, police/justice and police/intelligence services. The treaty imposes respect to such differences, with the result that the EU agencies/bodies must be able to adapt to all the concerned systems. Thus, there is a need to remain vague in the definition of mandates/tasks and to safeguard flexibility. Such vagueness might however make more difficult a good articulation and relationship between the bodies concerned.

– The abovementioned difficulties result in a lack of a consistent vision of the EU area of criminal justice, which is somehow to be built/organised a posteriori. The fact that the different EU agencies/bodies are dealt with by different DGs within the Commission (that do not always entertain the best relations) and the silo approach taken by the General Secretariat of the Council2 clearly do not improve the situation.

– Against this background, the legislative instruments governing each EU agency/body remain quite vague with regard to cooperation with counterparts. Interagency relations are thus mostly left to the EU agencies/bodies themselves.

– Last but not least, the importance of personal relations must be stressed. Sometimes people understand each other and sometimes they do not…

Generally speaking, an improvement in the relations between the EU agencies/bodies has been witnessed, due to the conclusion/revision of bilateral agreements/memorandum of understandings and to the passage of time and the consequent gain of experience.

Such improvement is also due to other reasons such as the creation of coordination/monitoring mechanisms and the encouragement of inter-agency cooperation in the JHA field.

It has especially taken the form of the JHA contact group and the JHA Heads of Agencies meetings. They annually report to the Standing Committee on operational cooperation on internal security (COSI)3, notably through a scorecard on cooperation, which is annexed to the annual report.

However, and in spite of a lot of quite positive official declarations, difficulties remain. Identifying them is the main purpose of this study, in order to suggest, where possible, ways of improvement. Continue reading ““Lisbonisation” of Europol and Eurojust : an in depth analysis for the European Parliament”

Trafficking in Human Beings: the EU legislates but the Member States keep dragging their feet…

by Federica VIGNALE (Free Group Trainee)

Since more than ten years Trafficking in Human beings is a recurrent issue on the agenda of the European Parliament Committee on Civil Liberties, Justice and Home Affairs. The last debate [i] was notably focused on the Commission Mid-term report on the 2012-2016 EU strategy towards the eradication of trafficking in human beings and the Global Report on Trafficking in persons of United Nations Office on Drugs and Crime.

Trafficking in Human Beings (THB) is recognized by the European and the international law as a gross violation of human rights and as a form of organized crime[ii]. At European level, THB is defined as “the recruitment, transportation, transfer, harbouring or reception of persons, including the exchange or transfer of control over those persons, by means of the threat or use of force or other forms of coercion, of abduction, of fraud, of deception, of the abuse of power or of a position of vulnerability or of the giving or receiving of payments or benefits to achieve the consent of a person having control over another person, for the purpose of exploitation”. Furthermore, due to the presence of these forms of violence or coercion, trafficking in human beings represents also a form of modern slavery. Currently there are tens of thousands potential people who are kept in captivity or forced to provide services against their will, but there are some people who were lucky enough to have been identified.

In this respect and before analysing the European and the international legal context, it is worthwhile analysing the data related to victims and traffickers that emerge from the Trafficking in Human Beings Report that the DG Home Affairs and Eurostat published on the occasion of the EU Anti-Trafficking day anniversary. Between 2010 and 2012, 30.146 people were registered by the authorities, but this number is more alarming if we consider that there are certainly other victims of THB that have not been registered. The above-mentioned Report indicates also that:

  • “80 % of registered victims were female.
  • Over 1 000 child victims were trafficked for sexual exploitation[iii].
  • 69 % of registered victims were trafficked for sexual exploitation.
  • 95 % of registered victims of sexual exploitation were female.
  • 71 % of registered victims of labour exploitation were male.
  • 65 % of registered victims were EU citizens.
  • There are no discernible trends in the variation of victim data at EU level over the three reference years.
  • 8 551 prosecutions for trafficking in human beings were reported by Member States over the three years 2010-2012.
  • Over 70 % of traffickers were male. This is the case for suspects, prosecutions and convicted traffickers.
  • 3 786 convictions for trafficking in human beings were reported by Member States over the three years.
  • There are no discernible trends in the number of prosecutions or convictions at EU level”.

Two thirds of the victims are from the countries within the EU (Romania, Bulgaria, the Netherlands, Hungary and Poland), and the rest of the victims are primarily from Nigeria, China, Vietnam, Brazil and Russia. These figures are extremely worrying, especially because – in terms of legislation – the EU has built a very ambitious legal framework that consists of: Continue reading “Trafficking in Human Beings: the EU legislates but the Member States keep dragging their feet…”

Terrorists and serious criminals beware ! Your travel data can tell everything about you..

by Emilio DE CAPITANI

After the last terrorist attacks the President of The European Council, the EU interior ministers, the EU Counter-Terrorism Coordinator (CTC), the European Commission, some national parliaments and even the press have raised their voice against the European Parliament which is blocking since years a legislative measure on the access by law enforcement authorities to the passenger name record (PNR) managed by the airlines when you make a flight reservation.
Beware!
PNR data are not used to find criminals or already known dangerous persons.
This will be a too easy solution but will require a change in the Member state internal security policy. Member states remain extremely jealous of their security related data. According to the current EU legislation (and the Europol revised proposal) data dealing with already known criminals, terrorists, serial killers dangerous persons remain under the control of each national authority which can share them with other EU member States and EU agencies, (such as Europol and Eurojust), only on voluntary basis.

On the contrary PNR data of ordinary citizens could be mandatory collected from airlines and shared to a enable Law enforcement authorities “..to identify persons who were previously “unknown”, i.e. persons previously unsuspected of involvement in terrorism or serious crime, but whom an analysis of the data suggests may be involved in such crime and who should therefore be subject to further examination by the competent authorities.”

The (non exhaustive) list of “serious crimes” which according to the Council and the Commission can be prevented thanks to these miraculous bits of information is indeed impressive :
1. participation in a criminal organisation, 2. trafficking in human beings, 3. sexual exploitation of children and child pornography, 4. illicit trafficking in narcotic drugs and psychotropic substances, 5. illicit trafficking in weapons, munitions and explosives, 6. fraud, 7. laundering of the proceeds of crime, 8. computer-related crime,9. environmental crime, including illicit trafficking in endangered animal species and in endangered plant species and varieties, 10. facilitation of unauthorised entry and residence, 11. illicit trade in human organs and tissue, 12. kidnapping, illegal restraint and hostage-taking, 13. organised and armed robbery, 14. illicit trafficking in cultural goods, including antiques and works of art, 15. forgery of administrative documents and trafficking therein, 16. illicit trafficking in hormonal substances and other growth promoters, 17. illicit trafficking in nuclear or radioactive materials, 18. unlawful seizure of aircraft/ships, 19. sabotage, and 20. trafficking in stolen vehicles.

But which kind of data are so meaningful that they to reveal such diverse kinds of criminal behavior ?

The (again, non exhaustive) list of these data is attached to the draft Directive and is as follows:
(1) PNR record locator (2) Date of reservation/issue of ticket (3) Date(s) of intended travel (4) Name(s) (5) Address and contact information (telephone number, e-mail address) (6) All forms of payment information, including billing address (7) Complete travel itinerary for specific PNR (8) Frequent flyer information (9) Travel agency/travel agent (10) Travel status of passenger, including confirmations, check-in status, no show or go show information (11) Split/divided PNR information (12) General remarks (including all available information on unaccompanied minors under 18 years, such as name and gender of the minor, age, language(s) spoken, name and contact details of guardian on departure and relationship to the minor, name and contact details of guardian on arrival and relationship to the minor, departure and arrival agent) (13) Ticketing field information, including ticket number, date of ticket issuance and one-way tickets, Automated Ticket Fare Quote fields (14) Seat number and other seat information (15) Code share information (16) All baggage information (17) Number and other names of travellers on PNR (18) Any Advance Passenger Information (API) data collected (inter alia document type, document number, nationality, country of issuance, date of document expiration, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time, arrival time) (19) All historical changes to the PNR listed in numbers 1 to 18.

The draft Council text allows Member States also to collect other personal data if they so wish. (Guess if also the place of birth was added it would be possible to know also the Astrological profile and we all know after thousand years of consistent scientific observation that people with the sun or ascendant in Scorpio can be extremely dangerous..)

On this basis You still consider that this “machinery” deemed to filter millions a record a day by 28 different Passenger Unit in the member states without a meaningful judicial control and storing them for five years is not only an abuse of fundamental rights of millions of passengers, but is also contrary to the freedom of movement protected by the Treaty and the Charter, and is disproportionate? Moreover is contrary to the rule of law principle discriminatory because data on passengers will differ simply because of the different methods followed by each airline when dealing with their reservation systems?

Do you still think that such a machinery which in the US is backed by an intelligence counter terrorism endeavor of hundred billion dollars per year, will work in countries where police has hardly the resource to pay the petrol for their cars and were the first reflex is not to share “its” criminal records with the other member states and even less with EU agencies (which also stand side by side only for the family photo of the annual budget before the European Parliament) ?

In this framework would not be much wise, as a matter of priority, for the European Union to prevent and fight terrorism and serious crime by interconnecting the member states criminal record systems and by adding also the data of third country nationals who have already been convicted and condemned in their country for serious crimes?

Do you not consider that 28 national PNR (following each one its own profiling tactics) will be useless at European level where in any case only 2% of the Europol data deal with terrorist and are fed by only 4 of the 28 EU Countries ?

Last but not least, a real terrorist and criminals will not be tempted to avoid all of this by using false documents (easily accessible on internet) or, more safely, by keeping a train ?

Read the text below and (maybe) you will change your mind. But if you still consider that the PNR is the silver bullet to fight terrorists I have a used car that can be of your interest..

——————————————
COUNCIL OF THE EUROPEAN UNION
Brussels, 23 April 2012
8916/12
Interinstitutional File: 2011/0023 (COD)
GENVAL 23 AVIATION 73 DATAPROTECT 52 CODEC 1024
NOTE
From: Presidency
to: Council
No. prev. doc.: 8448/1/12 REV 1 GENVAL 17 AVIATI*N 60 DATAPR*TECT 40 C*DEC 897
Subject: Proposal for a Directive of the Council and the European Parliament on the use of
Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime

Background

1. The Commission submitted the proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) for law enforcement purposes to the Council on 17 November 2007. This proposal was discussed in detail during the Slovenian, the French and the Czech Presidency. When the Lisbon Treaty entered into force, the proposal, which was not yet adopted, became legally obsolete.

2. On 3 February 2011 the Commission presented a proposal for a Directive of the European Parliament and of the Council on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

3. At the Council meeting on 11 April 2011, a discussion was held on whether intra-EU flights should be included in the scope of the draft Directive. Further to that discussion, the
preparatory work on the draft PNR Directive continued at expert-level at the Working Party on General Matters, including Evaluations on the basis of the indication by the Council that the Directive should allow individual Member States the option to mandate the collection of PNR data with regard to intra-EU flights and that the collection and processing of such data should be subject to the legal regime created by the PNR Directive1.

4. Since the Commission presented its proposal, the Working Party on General Matters, including Evaluations has worked on the proposal for over a year. The scope of the proposal has been thoroughly discussed and further refined and it is now established for which purposes and under which conditions PNR data collected under the Directive can be used. A few Member States have argued in favour of extending the scope of the Directive to other purposes than those presently covered. It is, however, the Presidency’s assessment that a clear and strict purpose limitation is important in order to safeguard the proportionality of the Directive. The Presidency therefore considers that no further changes should be made to the scope of the Directive at the present stage. The review clause in the proposal will, however, allow for future revision of the Directive on the basis of national experiences.

5. The Presidency considers that the extensive work on the file and the considerable efforts that have been made to take all views into account during the Hungarian, Polish and Danish Presidency have resulted in a well-balanced draft Directive.
6. Nine delegations maintain a general scrutiny reservation on the proposal, two have a general reservation and two hold a parliamentary scrutiny reservation.

Retention period

7. The Commission had proposed an initial storage period of 30 days, followed by a further retention period of five years of masked out data. The negotiations have shown that an initial storage period of 30 days is generally considered much too short from an operational point of view. Article 9 has been redrafted in such a way that the overall retention period of 5 years is subdivided into two periods: a first period in which the data are fully accessible and a second period during which the data are masked out and where full disclosure of the data is subject to strict conditions. Taking into consideration the operational needs the initial retention period is set at two years. In comparison the initial retention period in the 2011 EU-Australia Agreement, to which the Council has agreed and the EP has given its consent, is three years.

Inclusion of intra-EU flights

8. Article 1a, which has been drafted in line with the indications given at the Council meeting on 11 April 2011, allows Member States to apply this Directive to all or selected intra-EU flights. Hence, the Article allows any Member State to collect PNR data from those intra-EU flights it considers necessary in order to prevent, detect, investigate or prosecute serious crime or terrorism. It thus constitutes a compromise between those Member States that are in favour of mandatory inclusion of all intra-EU flights and those that are opposed to any inclusion of intra-EU flights.

9. The Presidency considers the above solutions as part of a package, which constitutes a compromise between those Member States which would prefer to limit the impact of the collection and processing of PNR data and those Member States which are in favour of an extension of the scope of the collection and processing of PNR data. At the Coreper meeting of 18 April 2012 some Member States maintained for the time being their reservations on the issues of retention periods and intra-EU flights. However, only three delegations indicated that they could not accept the overall package as a basis for commencing negotiations with the EP.

10. In view of the above, the Presidency invites the Council to confirm the compromise text set out in the Annex as a basis for starting the negotiations with the Parliament.

ANNEX

DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the use of Passenger Name Record (PNR) data for the prevention, detection, investigation
and prosecution of terrorist offences and serious crime

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 82(1)(d) and 87(2)(a) thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national Parliaments,
Having regard to the opinion of the European Economic and Social Committee2,
Having regard to the opinion of the Committee of the Regions3,
Acting in accordance with the ordinary legislative procedure,

Whereas:

(1) On 6 November 2007 the Commission adopted a proposal for a Council Framework Decision on the use of Passenger Name Record (PNR) data for law enforcement purposes. However, upon entry into force of the Treaty of Lisbon on 1 December 2009, the Commission’s proposal, which had not been adopted by the Council by that date, became obsolete.

(2) The `Stockholm Programme An open and secure Europe serving and protecting the citizens’4 calls on the Commission to present a proposal for the use of PNR data to prevent, detect, investigate and prosecute terrorism and serious crime.

(3) In its Communication of 21 September 2010 “*n the global approach to transfers of Passenger Name Record (PNR) data to third countries” the Commission outlined certain core elements of a Union policy in this area.

(4) Council Directive 2004/82/EC of 29 April 2004 on the obligation of air carriers to communicate passenger data5 regulates the transfer of advance passenger data by air carriers to the competent national authorities for the purpose of improving border controls and combating illegal immigration.

(5) PNR data are necessary to effectively prevent, detect, investigate and prosecute terrorist offences and serious crime and thus enhance internal security, inter alia by comparing them with various databases of persons and objects sought, to construct evidence and, where relevant, to find associates of criminals and unravel criminal networks.
(6) ….

(7) PNR data enable to identify persons who were previously “unknown”, i.e. persons previously unsuspected of involvement in terrorism or serious crime, but whom an analysis of the data suggests may be involved in such crime and who should therefore be subject to further examination by the competent authorities. By using PNR data it is possible to address the threat of terrorism and serious crime from a different perspective than through the processing of other categories of personal data. However, in order to ensure that the processing of data of innocent and unsuspected persons remains as limited as possible, the aspects of the use of PNR data relating to the creation and application of assessment criteria should be further limited to terrorist offences and relevant forms of serious crime. Furthermore, the assessment criteria shall be defined in a manner which ensures that as few innocent people as possible are identified by the system.

(8) Air carriers already collect and process PNR data from their passengers for their own commercial purposes. This Directive should not impose any obligation on air carriers to collect or retain any additional data from passengers or to impose any obligation on passengers to provide any data in addition to that already being provided to air carriers.

(9) Some air carriers retain any collected advance passenger information (API) data as part of the PNR data, while others do not. The use of PNR data together with API data has added value in assisting Member States in verifying the identity of an individual and thus reinforcing their law enforcement value and minimising the risk of carrying out checks and investigations on innocent people. It is therefore important to ensure that, where air carriers collect API data, they should transfer it, irrespective of whether the API data is retained as part of the PNR data or not.

(10) In order to prevent, detect, investigate and prosecute terrorist offences and serious crime, it is essential that all Member States introduce provisions laying down obligations on air carriers operating extra EU-flights, and if the Member State wishes to do so also on air carriers operating intra EU-flights, to transfer any collected PNR and API data. These provisions should be without prejudice to Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data.

(11) The processing of personal data must be proportionate to the specific security goals pursued by this Directive.

(12) The definition of terrorist offences applied in this Directive should be the same as in Council Framework Decision 2002/475/JHA on combating terrorism6 and the definition of serious crime applied in this Directive should be the same as in Council Framework Decision 2002/584/JHA of 13 June 2002 on the European Arrest Warrant and the surrender procedure between Member States7. The list of relevant serious crime with relation to which PNR data may be used for the creation and application of assessment criteria should be based on Framework Decision 2002/584/JHA.

(13) PNR data should be transmitted to a single designated unit (Passenger Information Unit) in the relevant Member State, so as to ensure clarity and reduce costs to air carriers. The Passenger Information Unit may have different locations in one Member State and Member States may also jointly set up one Passenger Information Unit.

(13a) It is desirable that co-financing of the costs related to the establishment of the national Passenger Information Units will be provided for under the instrument for financial support for police cooperation, preventing and combating crime, and crisis management as part of the Internal Security Fund.

(14) The contents of any lists of required PNR data to be obtained by a Passenger Information Unit should be drawn up with the objective of reflecting the legitimate requirements of public authorities to prevent, detect, investigate and prosecute terrorist offences or serious crime, thereby improving internal security within the Union as well as protecting the fundamental rights of persons, notably privacy and the protection of personal data. Such lists should not be based on a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life. The PNR data should contain details on the passenger’s reservation and travel itinerary which enable competent authorities to identify air passengers representing a threat to internal security.

(15) There are two possible methods of data transfer currently available: the `pull’ method, under which the competent authorities of the Member State requiring the data can reach into (access) the air carrier’s reservation system and extract (`pull’) a copy of the required data, and the `push’ method, under which air carriers transfer (`push’) the required PNR data to the authority requesting them, thus allowing air carriers to retain control of what data is provided. The `push’ method is considered to offer a higher degree of data protection and should be mandatory for all air carriers.

(16) The Commission supports the International Civil Aviation *rganisation (ICA*) guidelines on PNR. These guidelines should thus be the basis for adopting the supported data formats for transfers of PNR data by air carriers to Member States. This justifies that such supported data formats, as well as the relevant protocols applicable to the transfer of data from air carriers should be adopted in accordance with the examination procedure provided for in Regulation (EU) No182/2011 of the European Parliament and of the Council of 16 February 2011 lying down rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers8.

(17) The Member States should take all necessary measures to enable air carriers to fulfil their obligations under this Directive. Dissuasive, effective and proportionate penalties, including financial ones, should be provided for by Member States against those air carriers failing to meet their obligations regarding the transfer of PNR data.

(18) Each Member State should be responsible for assessing the potential threats related to terrorist offences and serious crime.

(19) Taking fully into consideration the right to the protection of personal data and the right to non-discrimination, no decision that produces an adverse legal effect on a person or seriously affects him/her should be taken only by reason of the automated processing of PNR data. Moreover, in respect of Article 21 of the Charter of Fundamental Rights of the European Union no such decision should discriminate on any grounds such as a person’s sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation.

(20) Member States should share with other Member States the PNR data that they receive where this is necessary for the prevention, detection, investigation or prosecution of terrorist offences or serious crime. The provisions of this Directive should be without prejudice to other Union instruments on the exchange of information between police and judicial authorities, including Council Decision 2009/371/JHA of 6 April 2009 establishing the European Police *ffice (Europol)9 and Council Framework Decision 2006/960/JHA of 18 September 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union10. Such exchange of PNR data between law enforcement and judicial authorities should be governed by the rules on police and judicial cooperation.

(21) The period during which PNR data are to be retained should be proportionate to the purposes of the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Because of the nature of the data and their uses, it is necessary that the PNR data are retained for a sufficiently long period for carrying out analysis and for use in investigations. In order to avoid disproportionate use, it is necessary that, after an initial period, the data are depersonalised through masking out and that the full PNR data are only accessible under very strict and limited conditions.

(22) Where specific PNR data have been transmitted to a competent authority and are used in the context of specific criminal investigations or prosecutions, the retention of such data by the competent authority should be regulated by the national law of the Member State, irrespective of the retention periods set out in this Directive.

(23) The processing of PNR data domestically in each Member State by the Passenger Information Unit and by competent authorities should be subject to a standard of protection of personal data under their national law which is in line with Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters11.

(24) Taking into consideration the right to the protection of personal data, the rights of the data subjects concerning the processing of their PNR data, such as the right of access, the right of rectification, erasure and blocking, as well as the rights to compensation and judicial remedies, should be in line with Framework Decision 2008/977/JHA.

(25) Taking into account the right of passengers to be informed of the processing of their personal data, Member States should ensure they are provided with accurate information about the collection of PNR data and their transfer to the Passenger Information Unit.

(25a) This Directive allows the principle of public access to official documents to be taken into account.

(26) Transfers of PNR data by Member States to third countries should be permitted only on a case-by-case basis and in compliance with Framework Decision 2008/977/JHA. To ensure the protection of personal data, such transfers should be subject to additional requirements relating to the purpose and the necessity of the transfer.

(27) The national supervisory authority that has been established in implementation of Framework Decision 2008/977/JHA should also be responsible for advising on and monitoring of the application and of the provisions adopted by the Member States pursuant to this Directive.

(28) This Directive does not affect the possibility for Member States to provide, under their domestic law, for a system of collection and handling of PNR data for purposes other than those specified in this Directive, or from transportation providers other than those specified in the Directive, provided that such domestic law respects the Union acquis.

(29) This Directive is without prejudice to the current Union rules on the way border controls are carried out or with the Union rules regulating entry and exit from the territory of the Union.

(30) As a result of the legal and technical differences between national provisions concerning the processing of personal data, including PNR, air carriers are and will be faced with different requirements regarding the types of information to be transmitted, as well as the conditions under which this information needs to be provided to competent national authorities. These differences may be prejudicial to effective cooperation between the competent national authorities for the purposes of preventing, detecting, investigating and prosecuting terrorist offences or serious crime.

(31) Since the objectives of this Directive cannot be sufficiently achieved by the Member States, and can be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective.

(32) This Directive respects the fundamental rights and the principles of the Charter of Fundamental Rights of the European Union, in particular the right to the protection of personal data, the right to privacy and the right to non-discrimination as protected by Articles 8, 7 and 21 thereof and has to be implemented accordingly. The Directive is compatible with data protection principles and its provisions are in line with the Framework Decision 2008/977/JHA. Furthermore, and in order to comply with the proportionality principle, the Directive, on specific issues, will have stricter rules on data protection than the Framework Decision 2008/977/JHA.

(33) In particular, the scope of this Directive is as limited as possible, as it allows retention of PNR data in the Passenger Information Units for period of time not exceeding 5 years, after which the data should be deleted, as the data should be depersonalised through masking out after an initial period, and as the collection and use of sensitive data is prohibited. In order to ensure efficiency and a high level of data protection, Member States are required to ensure that an independent national supervisory authority is responsible for advising and monitoring the way PNR data are processed. All processing of PNR data should be logged or documented for the purpose of verification of its legality, self-monitoring and ensuring proper data integrity and security of the processing. Member States should also ensure that passengers are clearly and precisely informed about the collection of PNR data and their rights.

(34) In accordance with Article 3 of the Protocol (No 21) on the position of United Kingdom and Ireland in respect of the Area of Freedom, Security and Justice, annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, those Member States have notified their wish to participate in the adoption and application of this Directive.
(35) In accordance with Articles 1 and 2 of the Protocol (No 22) on the position of Denmark annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, Denmark is not taking part in the adoption of this Directive and is not bound by it or subject to its application.

HAVE ADOPTED THIS DIRECTIVE:

CHAPTER I GENERAL PROVISIONS

Article 1 Subject matter and scope
1. This Directive provides for the transfer by air carriers of Passenger Name Record (PNR) data of passengers of extra-EU flights to and from the Member States, as well as the processing of that data.
2. The PNR data collected in accordance with this Directive may be processed only for the purpose of prevention, detection, investigation and prosecution of terrorist offences and serious crime as provided for in Article 4 (2) (a), (b) and (c).

Article 1a Application of the directive to intra-EU flights
1. If a Member State wishes to apply this Directive to intra-EU flights, it shall give notice in writing to the Commission to that end. The Commission shall publish such a notice in the Official Journal of the European Union. A Member State may give or revoke such notice at any time after the entry into force of this Directive.
2. Where such a notice is given, all the provisions of this Directive shall apply in relation to intra-EU flights as if they were extra-EU flights and to PNR data from intra-EU flights as if it were PNR data from extra-EU flights.
3. A Member State may decide to apply this Directive only to selected intra-EU flights. In making such a decision the Member State shall select the flights it considers necessary in order to further the purposes of this Directive. The Member State may decide to change the selected intra-EU flights at any time.

Article 2 Definitions
For the purposes of this Directive the following definitions shall apply:
(a) `air carrier’ means an air transport undertaking with a valid operating licence or equivalent permitting it to carry out carriage by air of passengers;
(b) `extra-EU flight’ means any scheduled or non-scheduled flight by an air carrier flying from a third country planned to land on the territory of a Member State or from the territory of a Member State planned to land in a third country, including in both cases flights with any stopovers at the territory of Member States or third countries;
(c) `intra-EU flight’ means any scheduled or non-scheduled flight by an air carrier flying from the territory of a Member State planned to land on the territory of one or more of the other Member States, without any stop-overs at the territory/airports of a third country;
(d) `Passenger Name Record’ or’PNR data’ means a record of each passenger’s travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers for each journey booked by or on behalf of any person, whether it is contained in reservation systems, Departure Control Systems (DCS, the system used to check passengers onto flights) or equivalent systems providing the same functionalities.
(e) `passenger’ means any person, except members of the crew, carried or to be carried in an aircraft with the consent of the air carrier, which is manifested by the persons’ registration in the passengers list and which includes transfer or transit passengers;
(f) `reservation systems’ means the air carrier’s internal reservation system, in which PNR data are collected for the handling of reservations;
(g) `push method’ means the method whereby air carriers transfer PNR data into the database of the authority requesting them;
(h) `terrorist offences’ means the offences under national law referred to in Articles 1 to 4 of Council Framework Decision 2002/475/JHA;
(i) `serious crime’ means the offences under national law referred to in Article 2(2) of Council Framework Decision 2002/584/JHA if they are punishable by a custodial sentence or a detention order for a maximum period of at least three years under the national law of a Member State;
(k) ‘depersonalising through masking out of data’ means rendering certain data elements of such data invisible to a user without deleting these data elements.

CHAPTER II RESPONSIBILITES OF THE MEMBER STATES

Article 3 Passenger Information Unit
1. Each Member State shall set up or designate an authority competent for the prevention, detection, investigation or prosecution of terrorist offences and serious crime or a branch of such an authority to act as its `Passenger Information Unit’ (“PIU”) responsible for collecting PNR data from the air carriers, storing them, processing them and transmitting the PNR data or the result of the processing thereof to the competent authorities referred to in Article 5. The PIU is also responsible for the exchange of PNR data or the result of the processing thereof with PIUs of other Member States in accordance with Article 7. Its staff members may be seconded from competent public authorities. It shall be provided with adequate resources in order to fulfil its tasks.

2. Two or more Member States may establish or designate a single authority to serve as their Passenger Information Unit. Such a Passenger Information Unit shall be established in one of the participating Member States and shall be considered the national Passenger Information Unit of all such participating Member States. The participating Member States shall agree on the detailed rules for the operation of the Passenger Information Unit and shall respect the requirements laid down in this Directive.

3. Each Member State shall notify the Commission within one month of the establishment or designation of the Passenger Information Unit thereof. It may at any time modify its notification. The Commission shall publish this information, including any modifications of it, in the Official Journal of the European Union.

Article 4 Processing of PNR data
1. The PNR data transferred by the air carriers shall be collected by the Passenger Information
Unit of the relevant Member State, as provided for in Article 6. Should the PNR data transferred by air carriers include data beyond those listed in Annex I, the Passenger Information Unit shall delete such data immediately upon receipt.
2. The Passenger Information Unit shall process PNR data only for the following purposes:
(a) carrying out an assessment of the passengers prior to their scheduled arrival to or departure from the Member State in order to identify persons who require further examination by the competent authorities referred to in Article 5, in view of the fact that such persons may be involved in a terrorist offence or serious crime.
(i) In carrying out such an assessment the Passenger Information Unit may compare PNR data against databases relevant for the purpose of prevention, detection, investigation and prosecution of terrorist offences and serious crime, including databases on persons or objects sought or under alert, in accordance with Union, international and national rules applicable to such databases.
(ii) When carrying out an assessment of persons who may be involved in a terrorist offence or serious crime listed in Annex II to this Directive, the Passenger Information Unit may also process PNR data against pre-determined criteria.
Member States shall ensure that any positive match resulting from automated processing of PNR data conducted under point (a) of paragraph 2 is individually reviewed by non-automated means in order to verify whether the competent authority referred to in Article 5 needs to take action in accordance with national law;
(b) responding, on a case-by-case basis, to duly reasoned requests from competent authorities to provide PNR data and process PNR data in specific cases for the purpose of prevention, detection, investigation and prosecution of a terrorist offence or serious crime, and to provide the competent authorities with the results of such processing; and
(c) analysing PNR data for the purpose of updating or creating new criteria for carrying out assessments referred to point (a) (ii) in order to identify any persons who may be involved in a terrorist offence or serious crimes listed in Annex II.
3. The assessment of the passengers prior to their scheduled arrival or departure from the
Member State carried out against pre-determined criteria referred to in point (a)(ii) of paragraph 2 shall be carried out in a non-discriminatory manner on the basis of assessment criteria established by its Passenger Information Unit. Member States shall ensure that the assessment criteria are set by the Passenger Information Units, in cooperation with the competent authorities referred to in Article 5. The assessment criteria shall in no circumstances be based on a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life.
4. The Passenger Information Unit of a Member State shall transmit the PNR data or the results
of the processing of PNR data of the persons identified in accordance with point (a) of paragraph 2 for further examination to the competent authorities of the same Member State referred to in Article 5. Such transfers shall only be made on a case-by-case basis.
5. The consequences of the assessments of passengers referred to in point (a) of paragraph 2
shall not jeopardise the right of entry of persons enjoying the Union right of free movement into the territory of the Member State concerned as laid down in Directive 2004/38/EC. In addition, the consequences of such assessments, where these are carried out in relation to intra-EU flights between Member States to which the Regulation (EC) No 562/2006 of the European Parliament and of the Council of 15 March 2006 establishing a Community Code on the rules governing the movement of persons across borders12 applies, shall comply with that Code.

12 OJ L 105, 13.4.2006, p. 1.

Article 5 Competent authorities
1. Each Member State shall adopt a list of the competent authorities entitled to request or receive PNR data or the result of the processing of PNR data from the Passenger Information Units in order to examine that information further or take appropriate action for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.
2. The authorities referred to in paragraph 1 shall be competent for the prevention, detection, investigation or prosecution of terrorist offences or serious crime.
3. For the purpose of Article 7(4), each Member State shall notify the list of its competent authorities to the Commission eighteen months after entry into force of this Directive at the latest, and may at any time update this notification. The Commission shall publish this information, as well as any modifications of it, in the Official Journal of the European Union.
4. The PNR data and the result of the processing of PNR data received from the Passenger Information Unit may be further processed by the competent authorities of the Member States only for the purpose of preventing, detecting, investigating or prosecuting terrorist offences or serious crime.
5. Paragraph 4 shall be without prejudice to national law enforcement or judicial powers where other violations of criminal law, or indications thereof, are detected in the course of enforcement action further to such processing.
6. The competent authorities shall not take any decision that produces an adverse legal effect on a person or significantly affects a person only by reason of the automated processing of PNR data.

Article 6
Obligations on air carriers on transfer of data
1. Member States shall adopt the necessary measures to ensure that air carriers transfer (‘push’) the PNR data as defined in Article 2(d) and specified in Annex I, to the extent that such data are already collected by them, to the database of the Passenger Information Unit of the Member State on the territory of which the flight will land and/or from the territory of which the flight will depart. Where the flight is code-shared between one or more air carriers, the obligation to transfer the PNR data of all passengers on the flight shall be on the air carrier that operates the flight. Where an extra-EU flight has one or more stopovers at the airports of different Member States, air carriers shall transfer the PNR data of all passengers to the Passenger Information Units of all the Member States concerned. This also applies where an intra-EU flight has one or more stopovers at the airports of different Member States, but only in relation to Member States which are collecting PNR data.
1a. In case the air carriers have collected any advance passenger information (API) data listed under item (18) of Annex 1 to this directive but do not retain these data as part of the PNR data, Member States shall adopt the necessary measures to ensure that air carriers also transfer (‘push’) these data to the Passenger Information Unit of the Member State referred to in paragraph 1. In case of such transfer, all the provisions of this Directive shall apply in relation to these API data as if they were part of the PNR data.
2. Air carriers shall transfer PNR data by electronic means using the common protocols and supported data formats to be adopted in accordance with the procedure referred to in Articles 13 and 14, or, in the event of technical failure, by any other appropriate means ensuring an appropriate level of data security:
(a) once 24 to 48 hours before the scheduled time for flight departure; and
(b) once immediately after flight closure, that is once the passengers have boarded the aircraft in preparation for departure and it is no longer possible for passengers to board or leave.
3. Member States shall permit air carriers to limit the transfer referred to in point (b) of paragraph 2 to updates of the transfer referred to in point (a) of paragraph 2.
4. On a case-by-case basis and where access to PNR data is necessary to respond to a specific and actual threat related to terrorist offences or serious crime, air carriers shall, upon request from a Passenger Information Unit in accordance with the procedures provided under national law, transfer PNR data at other points in time than those mentioned in paragraph 2(a) and (b).

Article 7
Exchange of information between Member States
1. Member States shall ensure that, with regard to persons identified by a Passenger Information Unit in accordance with Article 4(2)(a), the PNR data or the result of any processing thereof is transmitted by that Passenger Information Unit to the corresponding units of other Member States where it considers such transfer to be necessary for the prevention, detection, investigation or prosecution of terrorist offences, or serious crime. The Passenger Information Units of the receiving Member States shall transmit the received information to their competent authorities in accordance with Article 4(4).
2. The Passenger Information Unit of a Member State shall have the right to request, if necessary, the Passenger Information Unit of any other Member State to provide it with PNR data that are kept in the latter’s database and have not yet been depersonalised through masking out under Article 9(2) and, if necessary, also the result of any processing thereof, if it has already been prepared pursuant to Article 4(2)(a). The duly reasoned request for such data may be based on any one or a combination of data elements, as deemed necessary by the requesting Passenger Information Unit for a specific case of prevention, detection, investigation or prosecution of terrorist offences or serious crime. Passenger Information Units shall provide the requested data as soon as practicable. In case the requested data have been depersonalised through masking out in accordance with Article 9(2) the Passenger Information Unit shall only provide the full PNR data where it is reasonably believed that it is necessary for the purpose of Article 4(2)(b) and only when authorised to do so by an authority competent under Article 9(3).
3. (…)
4. Only when necessary in cases of emergency and under the conditions laid down in paragraph 2 may the competent authorities of a Member State request directly the Passenger Information Unit of any other Member State to provide it with PNR data that are kept in the latter’s database. The requests from the competent authorities, a copy of which shall always be sent to the Passenger Information Unit of the requesting Member State, shall be reasoned. In all other cases the competent authorities shall channel their requests through the Passenger Information Unit of their own Member State.
5. Exceptionally, where access to PNR data is necessary to respond to an specific and actual threat related to terrorist offences or serious crime, the Passenger Information Unit of a Member State shall at any time have the right to request the Passenger Information Unit of another Member State to obtain PNR data in accordance with article 6(4) and provide it to the requesting Passenger Information Unit.
6. Exchange of information under this Article may take place using any existing channels for cooperation between the competent authorities of the Member States. The language used for the request and the exchange of information shall be the one applicable to the channel used. Member States shall, when making their notifications in accordance with Article 3(3), also inform the Commission with details of the contact points to which requests may be sent in cases of emergency. The Commission shall communicate to the Member States the notifications received.

Article 8 Transfer of data to third States
A Member State may transfer PNR data as well as the results of the processing of such data stored by the Passenger Information Unit in accordance with Article 9 to a third State only on a case-bycase basis and if-
(a) the conditions laid down in Article 13 of Council Framework Decision 2008/977/JHA are fulfilled;
(b) it is necessary for the purposes of this Directive as specified in Article 1(2);
(c) the third State agrees to transfer the data to another third country only where it is necessary for the purposes of this Directive as specified in Article 1(2) and only with the express authorisation of the Member State that provided the third State with the data; and
(d) similar conditions as those laid down in Article 7(2) are fulfilled.

Article 9 Period of data retention
1. Member States shall ensure that the PNR data provided by the air carriers to the Passenger
Information Unit are retained in a database at the Passenger Information Unit for a period of five years after their transmission to the Passenger Information Unit of the Member State on whose territory the flight is landing or departing.
2. Upon expiry of a period of two years after the transfer of the PNR data as referred to in
paragraph 1, the PNR data shall be depersonalised through masking out of the following data elements which could serve to directly identify the passenger to whom the PNR data relate:
1. Name (s), including the names of other passengers on PNR travelling together;
2. Address and contact information;
3. All forms of payment information, including billing address, to the extent that it contains any information which could serve to directly identify the passenger to whom PNR relate or any other persons;
4. Frequent flyer information;
5. General remarks to the extent that it contains any information which could serve to directly identify the passenger to whom the PNR relate; and
6. Any collected advance passenger information.
3. Upon expiry of the two-year period referred to in paragraph 2, disclosure of the full PNR data shall be permitted only where it is reasonably believed that it is necessary for the purpose of Article 4(2)(b) and only when approved by a judicial authority or by another national authority competent under national law to verify whether the conditions for disclosure are fulfilled.

4. Member States shall ensure that the PNR data are deleted upon expiry of the period specified in paragraph 1. This obligation shall be without prejudice to cases where specific PNR data have been transferred to a competent authority and are used in the context of specific case for the purpose of prevention, detection, investigation or prosecution, in which case the retention of such data by the competent authority shall be regulated by the national law of the Member State.

5. The result of the processing referred to in Article 4(2)(a) shall be kept by the Passenger
Information Unit only as long as necessary to inform the competent authorities of a positive match. Where the result of an automated processing has, further to individual review by non-automated means as referred to in Article 4(2)(a) last subparagraph, proven to be negative, it may, however, be stored so as to avoid future `false’ positive matches for as long as the underlying data have not yet been deleted in accordance with paragraph 1.

Article 10 Penalties against air carriers
Member States shall ensure, in conformity with their national law, that dissuasive, effective and proportionate penalties, including financial penalties, are provided for against air carriers which, do not transmit the data as provided for in Article 6, or do not do so in the required format or otherwise infringe the national provisions adopted pursuant to this Directive.

Article 11 Protection of personal data
1. Each Member State shall provide that, in respect of all processing of personal data pursuant to this Directive, every passenger shall have the same right to access, the right to rectification, erasure and blocking, the right to compensation and the right to judicial redress as those adopted under the national law implementing Articles 17, 18, 19 and 20 of the Council Framework Decision 2008/977/JHA. The provisions of Articles 17, 18, 19 and 20 of the Council Framework Decision 2008/977/JHA shall therefore be applicable.
2. Each Member State shall provide that the provisions adopted under the national law to
implement Articles 21 and 22 of the Council Framework Decision 2008/977/JHA regarding confidentiality of processing and data security shall also apply to all processing of personal data pursuant to this Directive.
3. Any processing of PNR data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, health or sexual life shall be prohibited. In the event that PNR data revealing such information are received by Passenger Information Unit they shall be deleted without delay.
4. All processing, including receipt of PNR data from air carriers and all transfers of PNR data by Passenger Information Units and all requests by competent authorities or Passenger Information Units of other Member States and third countries, even if refused, shall be logged or documented by the Passenger Information Unit concerned and the competent authorities for the purposes of verification of the lawfulness of the data processing, self-monitoring and ensuring proper data integrity and security of data processing, in particular by the national data protection supervisory authorities. These logs shall be kept for a period of five years unless the underlying data have not yet been deleted in accordance with Article 9(4) at the expiry of those five years, in which case the logs shall be kept until the underlying data are deleted.
5. Member States shall ensure that air carriers, their agents or other ticket sellers for the carriage of passengers on air service inform passengers of flights at the time of booking a flight and at the time of purchase of a ticket in a clear and precise manner about the transmission data to the Passenger Information Unit, the purposes of their processing, the period of data retention, their possible use to prevent, detect, investigate or prosecute terrorist offences and serious crime, the possibility of exchanging and sharing such data and their data protection rights, in particular the right to complain to the competent national data protection supervisory authority. The same information shall be made available by the Member States to the public.
6. Without prejudice to Article 10, Member States shall in particular lay down effective, proportionate and dissuasive penalties to be imposed in case of infringements of the provisions adopted pursuant to this Directive.

Article 12 National supervisory authority
Each Member State shall provide that the national supervisory authority or authorities established to implement Article 25 of Framework Decision 2008/977/JHA shall also be responsible for advising on and monitoring the application within its territory of the provisions adopted by the Member States pursuant to the present Directive. The further provisions of Article 25 Framework Decision 2008/977/JHA shall be applicable.

CHAPTER IV IMPLEMENTING MEASURES

Article 13 Common protocols and supported data formats
1. All transfers of PNR data by air carriers to the Passenger Information Units for the purposes
of this Directive shall be made by electronic means or, in the event of technical failure, by any other appropriate means, for a period of one year following the adoption of the common protocols and supported data formats in accordance with Article 14.
2. Once the period of one year from the date of adoption, for the first time, of the common
protocols and supported data formats by the Commission in accordance with paragraph 3, has elapsed, all transfers of PNR data by air carriers to the Passenger Information Units for the purposes of this Directive shall be made electronically using secure methods in the form of those accepted common protocols which shall be common to all transfers to ensure the security of the data during transfer, and in a supported data format to ensure their readability by all parties involved. All air carriers shall be required to select and identify to the Passenger Information Unit the common protocol and data format that they intend to use for their transfers.
3. The list of accepted common protocols and supported data formats shall be drawn up taking due account of ICAO regulations and, if need be, adjusted, by the Commission by means of implementing acts in accordance with the procedure referred to in Article 14(2).
4. As long as the accepted common protocols and supported data formats referred to in paragraphs 2 and 3 are not available, paragraph 1 shall remain applicable.
5. Each Member State shall ensure that the necessary technical measures are adopted to be able to use the common protocols and data formats within one year from the date referred to in paragraph 2.

Article 14 Committee procedure
1. The Commission shall be assisted by a committee. That Committee shall be a committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers. The Commission shall not adopt the draft implementing act when no opinion is delivered by the Committee and the third subparagraph of Article 5(4) of Regulation (EU) No 182/2011 shall apply.
2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

CHAPTER V FINAL PROVISIONS

Article 15 Transposition
1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive at the latest 36 months after the entry into force of this Directive. They shall forthwith communicate to the Commission the text of those provisions.
When Member States adopt those provisions, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.
2. Member States shall communicate to the Commission the text of the main provisions of national law which they adopt in the field covered by this Directive.

Article 17 Review
1. The Council shall, at the appropriate level, discuss regularly the practical experiences and relevant issues within the scope and subject matter of the Directive.
2. On the basis of these discussions as well as other information provided by the Member States, including the statistical information referred to in Article 18 (2), the Commission shall undertake a review of the operation of this Directive and:
(a) within two years after the date mentioned in Article 15(1) submit a report to the European Parliament and the Council on the feasibility and necessity of including all or selected intra-EU flights in the scope of this Directive on a mandatory basis, taking into account the experience gained by Member States, especially those Member States that in accordance with Article 1a collect PNR with regard to intra-EU flights,
(b) within four years after the date mentioned in Article 15(1) submit a report to the European Parliament and the Council on all other elements of this Directive and on the feasibility and necessity of including transportation providers other than air carriers in the scope of this Directive, taking into account the experience gained by Member States, especially those Member States that collect PNR from other transportation providers.
3. If appropriate, in light of the review referred to in paragraph 2, the Commission shall make a legislative proposal to the European Parliament and the Council with a view to amending this Directive.

Article 18 Statistical data

1. Member States shall provide on a yearly basis the Commission with a set of statistical information on PNR data provided to the Passenger Information Units. These statistics shall not contain any personal data.
2. The statistics shall as a minimum cover:
1. total number of passengers whose PNR data were collected and exchanged;
2. number of passengers identified for further scrutiny;
3. number of subsequent law enforcement actions that were taken involving the use of PNR data;
3. On a yearly basis, the Commission shall provide the Council with cumulative statistics referred to in Article 18(1).

Article 19 Relationship to other instruments
1. Member States may continue to apply bilateral or multilateral agreements or arrangements
between themselves on exchange of information between competent authorities, in force when this Directive is adopted, in so far as such agreements or arrangements are compatible with this Directive.
2. This Directive is without prejudice to any obligations and commitments of Member States or
of the Union by virtue of bilateral and/or multilateral agreements with third countries.

Article 20 Entry into force
This Directive shall enter into force the twentieth day following that of its publication in the Official Journal of the European Union.
This Directive is addressed to the Member States in accordance with the Treaties.
Done at Brussels,
For the European Parliament For the Council
The President The President

ANNEX I Passenger Name Record data as far as collected by air carriers
(1) PNR record locator
(2) Date of reservation/issue of ticket
(3) Date(s) of intended travel
(4) Name(s)
(5) Address and contact information (telephone number, e-mail address)
(6) All forms of payment information, including billing address
(7) Complete travel itinerary for specific PNR
(8) Frequent flyer information
(9) Travel agency/travel agent
(10) Travel status of passenger, including confirmations, check-in status, no show or go show information
(11) Split/divided PNR information
(12) General remarks (including all available information on unaccompanied minors under 18 years, such as name and gender of the minor, age, language(s) spoken, name and contact details of guardian on departure and relationship to the minor, name and contact details of guardian on arrival and relationship to the minor, departure and arrival agent)
(13) Ticketing field information, including ticket number, date of ticket issuance and one-way tickets, Automated Ticket Fare Quote fields
(14) Seat number and other seat information
(15) Code share information
(16) All baggage information
(17) Number and other names of travellers on PNR
(18) Any Advance Passenger Information (API) data collected (inter alia document type, document number, nationality, country of issuance, date of document expiration, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time, arrival time)
(19) All historical changes to the PNR listed in numbers 1 to 18.

ANNEX II
1. participation in a criminal organisation,
2. trafficking in human beings,
3. sexual exploitation of children and child pornography,
4. illicit trafficking in narcotic drugs and psychotropic substances,
5. illicit trafficking in weapons, munitions and explosives,
6. fraud,
7. laundering of the proceeds of crime,
8. computer-related crime,
9. environmental crime, including illicit trafficking in endangered animal species and in endangered plant species and varieties,
10. facilitation of unauthorised entry and residence,
11. illicit trade in human organs and tissue,
12. kidnapping, illegal restraint and hostage-taking,
13. organised and armed robbery,
14. illicit trafficking in cultural goods, including antiques and works of art,
15. forgery of administrative documents and trafficking therein,
16. illicit trafficking in hormonal substances and other growth promoters,
17. illicit trafficking in nuclear or radioactive materials,
18. unlawful seizure of aircraft/ships,
19. sabotage, and
20. trafficking in stolen vehicles.