European security-immigration information systems: when “interoperability” indeed does not rhyme with “interconnection”

ORIGINAL PUBLISHED ON “EU Immigration and Asylum Law and Policy” BLOG

by Pierre BERTHELET

“Every possibility offered by potential synergies between national and European information systems should be exploited, on the basis of interoperability”. These words do not come from the conclusions of the latest JHA Council on this subject, those of 9 June 2017, but from a Commission communication dating back to May 2005. The issue of the interoperability of JHA databases is therefore anything but new. It has nevertheless taken on particular urgency in light of efforts focused on strengthening the effectiveness and efficiency of data management in the EU. As a legal study of May 2017 points out, the volume of data exchanged between Member States and stored in European information systems has grown considerably since the Paris attacks of 2015.

Interoperability thus forms part of an effort to rationalise information that is now abundant at Union level. It is a major work stream of European integration in the management of information systems. More precisely, interoperability (and, for that matter, interconnection) can be viewed as Russian dolls: interconnection is one element of the European institutions’ response on interoperability, which is itself one strand of the current reform of the management of European information systems. It is a generic concept that falls within the framework of interinstitutional work aimed at improving the mechanisms for exchanging and processing information, against the backdrop of the considerable development these systems have undergone over the past decade. Its ambiguity stems from the fact that it refers as much to the project itself as to the objective pursued by that project. It must be noted that, since 2016, the work undertaken in the field of interoperability has already reached an advanced stage (1). As for interconnection, in light of the recent texts that mention it, it is a process that is far from winning unanimous approval (2).

1. Interoperability of systems: a project already at an advanced stage

Although it has been discussed for several years, the interoperability of systems is a project that has recently attracted renewed interest. It corresponds to an interinstitutional process initiated only a few months ago (a). The objective is to make information management in the field of security, borders and migration flows more effective (b).

a. An interinstitutional process initiated only a few months ago

Before getting into the analysis proper, the terms used need to be clarified, namely interoperability on the one hand and interconnection on the other. A communication of November 2005, devoted to improving the effectiveness and interoperability of European databases, sheds light on this. In that text, which was already intended at the time to launch an in-depth debate on the long-term shape and architecture of information systems, the Commission defines connectivity as a generic term referring to the connection of systems for the purpose of data transfer. In France, the Conseil d’État, in a decision of 19 July 2010, regards interconnection “as the very purpose of a processing operation that makes it possible to access, use and automatically process data collected for another processing operation and recorded in the resulting file”.

According to this communication of November 2005, which takes its definition from a document drawn up by the European Interoperability Framework (which gives concrete form to the eEurope action plan approved by the Seville European Council of 2002 and aimed at promoting online public services), interoperability means the “ability of information systems and of the business processes they support to exchange data and to enable the sharing of information and knowledge”.

That said, the current work originates in a Commission communication of 6 April 2016 intended to launch a debate on the existence of gaps and systemic shortcomings in JHA databases. More precisely, the aim is to work towards improving the EU’s data management architecture for border control and internal security. The scope is thus narrowed to one part of the AFSJ, even though the judicial dimension is occasionally mentioned through the project to interconnect European criminal records. In addition, it is partially extended to national information systems, the objective being to ensure that information flows smoothly both horizontally (the European systems) and vertically (between the European systems and national systems).

To carry this reflection forward, the Commission convened, in the month following its April 2016 communication, a “high-level expert group on information systems and interoperability”. This expert group, which carried out its work in accordance with the requirements of a roadmap on information exchange and interoperability approved by the JHA Council of 10 June 2016, brought together representatives of the Member States (including the Schengen countries that are not EU members), of the European agencies (Frontex, eu-LISA, Europol, EASO and FRA), the Counter-Terrorism Coordinator and the EDPS (the General Secretariat of the Council and the secretariat of the European Parliament’s LIBE Committee were associated with the work as observers). The objective of this interoperability project, the Council states, is to support operational investigations, particularly in the field of counter-terrorism, and to provide national authorities in the field (border guards, police officers, immigration officers and prosecutors in particular) rapidly with all the information they need, in due time, to carry out their tasks.

The group’s work received strong political support from both the President of the Commission, Jean-Claude Juncker, and the European Council. The former, in his State of the Union speech in September 2016, shortly before the informal European Council in Bratislava, stressed that the Commission would imminently present the European Travel Information and Authorisation System (ETIAS). The latter, in conclusions of December 2016, called for “continued efforts on the interoperability of information systems and databases” (point 9). The high-level group delivered its final report on 11 May 2017, and its content fed into the Commission’s analysis in preparing its seventh report, published a week later, on progress towards an effective and genuine Security Union. Finally, the Council, considering interoperability essential to security, approved on 9 June 2017 the aforementioned conclusions, in which it endorses the solutions identified by the expert group with a view to more effective information management.

b. Information management intended to be more effective

The importance of the interoperability of information systems is clearly recalled by the Commission in this seventh report. In fact, this finding had been made a few months earlier, in its April 2016 communication, which itself followed various Council conclusions. Thus, with regard to SIS II alone, in the conclusions of October 2014 the Council envisaged a connection between that system and Interpol’s “false documents” database (SLTD), so that end users would have access to both systems simultaneously in a single search. In the conclusions approved shortly before, in June 2014, it invited Member States to make full use of SIS II in the fight against terrorism, an invitation that was moreover repeated in the Riga joint statement adopted after the attacks on the newspaper Charlie Hebdo. As for the conclusions of 20 November 2015, approved after the Bataclan attacks and the subsequent escape of Salah Abdeslam with the help of two accomplices who had come from Belgium, the Council stressed the importance of systematic consultation of SIS II during border checks.

To that end, the Commission, referring to some of these texts and to the joint statement on the terrorist attacks of 22 March 2016 in Brussels, which recommended strengthening interoperability, identified in its April 2016 communication a set of inconsistencies and dysfunctions, including sub-optimal functionalities of European information systems and a data quality problem, together with gaps in the EU’s data management architecture linked in particular to the outright absence of a number of information systems. As for the existing ones, their operation must be improved. This is the case for SIS II, of which Europol has not yet made full use even though the agency has a right of access to it. In addition, some systems partially exist but are not yet fully operational. This is the case for the national systems set up under the so-called “Prüm” decisions, under which several Member States are still not meeting their commitments. The European landscape of information systems is therefore characterised by a multiplicity of mechanisms, different levels of completion and distinct modes of operation. The result is a complex patchwork, since these systems are subject to varying legal regimes, making the whole difficult to understand.

This layering of systems leads to a fragmented European architecture for data management. Each system operates in a silo, so the information they hold is poorly interconnected. This compartmentalisation of data has concrete problematic consequences. For example, the perpetrator of the Berlin terrorist attack of December 2016, Anis Amri, used no fewer than fourteen different identities. These false identities enabled this Tunisian national to move easily within Germany and then to flee the country before being shot dead in Milan. Yet, as the Commission’s fourth report on security observes, his movements could have been detected if the systems used had had a functionality allowing a simultaneous search across several of them using biometric identifiers.

Interoperability therefore appears as a response to security challenges, terrorist ones in particular, for which the use of information systems is an indispensable part of the response.

The reform of information management is carried out through a horizontal approach, via the work of the high-level expert group. It is also carried out sector by sector, through the adoption of texts establishing information systems (or amending existing ones).

First, some systems are planned or under development. These include the proposal presented in January 2016 extending the European Criminal Records Information System to third-country nationals (ECRIS-TCN), the revised proposal establishing the Entry/Exit System (EES), presented in April 2016 (in parallel with an amendment to the March 2016 regulation on the Schengen Borders Code), the proposal for a regulation establishing ETIAS, presented in November 2016, and the European Police Records Index System (EPRIS), a first draft of which would correspond to the project in which France is taking part, named ADEP (Automated Data Exchange Process).

Second, other systems exist but need to be reformed. These are in particular Eurodac (a proposal for a regulation, presented in May 2016 and allowing in particular the storage of facial images, is under discussion between the Council and the European Parliament) and SIS II (a legislative package presented in December 2016, made up of four proposals for regulations, is also under discussion; it provides for an obligation on Member States to issue alerts on persons linked to terrorist offences).

The overhaul of the various systems (and the creation of those that do not yet exist) is designed with interoperability, and even interconnection, in mind. For example, with regard to SIS II, a provision of the proposal for a regulation creating ETIAS provides that the ETIAS Central Unit may run searches in SIS II. At first sight, judging by this example, the interconnection of systems is a reality, or at least is becoming one. In reality this is not the case, and it is rather the exception that proves the rule.

2. Interconnection of systems: a project arousing little institutional enthusiasm

Interconnection is one option for achieving interoperability of information systems. However, it is only one option among others (a), and one that has received a cautious institutional reception, to say the least (b).

a. Interconnection, one option among others

Interconnection, in the sense defined above, appears as only one of the options put forward by the Commission in its April 2016 communication. More precisely, the text presents four of them for achieving interoperability: the single search interface, the shared biometric matching service, the common repository of identity data and, finally, the interconnection of information systems as such.

In the first case, the single search interface, the aim is to allow a national authority to query several information systems simultaneously. Such a system, which exists in France with the COVADIS application (Contrôle et vérification automatiques des documents sécurisés), allows the querying service to obtain the results of its queries on a single screen, in compliance with that service’s own access rights. This single-interface option has, moreover, been endorsed by the French and German ministers in their “initiative on internal security in Europe” of 23 August 2016.

The shared biometric matching service, for its part, is intended to offer the user service a way of querying the systems on the basis of biometric identifiers. At present, each European system has its own identification mechanism. The objective is to use this shared service to search the various information systems and to flag matches between these data, for example in hit/no hit form.

The third case concerns the establishment of a common repository of identity data as a central module holding a set of data (surname, first name, date and place of birth, for example). These data form a common core shared by all the systems, while the other data are stored in modules specific to each of them. As the Senate report of 29 March 2017 on the Schengen area states, the proposal for a regulation creating ETIAS envisages this arrangement, at least between that system and the EES.

Finally, the last option concerns the interconnection of information systems itself. Its advantage is that it allows data held in one system to be consulted automatically through another system. Interconnection, the Senate report adds, has the benefit of providing automatic cross-checking of data, thereby limiting the volume of information circulating over the networks. In this respect, the proposal for a regulation on the EES envisages an interconnection with the VIS. This option is mentioned, but it is going to be abandoned, at least to a large extent.

b. Interconnection, an option largely abandoned

Without being ruled out entirely (in particular in the proposal for a regulation on the EES), interconnection has hardly been a resounding success, to say the least. First, it does not have the approval of the high-level expert group. In its interim report, submitted in December 2016, the group had regarded the interconnectivity of systems as a case-by-case solution. The final report confirms this view by rejecting the idea of generalised interconnection, and it favours three solutions that echo the other options put forward by the Commission, namely a European search portal, a shared biometric matching service and a common repository of identity data. More precisely, the single search interface is preferred to interconnection, which is in line with the position of the Council, which had come out in favour of the single-interface solution in its roadmap on information exchange. The fact remains that, while the Council favoured the latter over the other options, the experts for their part retained the idea of a common data repository and biometric matching as avenues that could be pursued in the short term, and not in the medium and long term as the roadmap suggested.

Next, interconnection does not find favour with the Commission either. In this regard, the Commission endorses the recommendations in the expert group’s report, confining itself to stating that tripartite Council-Parliament-Commission meetings at technical level should take place in autumn 2017, with a view to reaching a common vision before the end of 2017, in order to achieve the objective of interoperability of systems by 2020. The Commission therefore adopts the options selected by the high-level group, merely setting this deadline, on the understanding that it corresponds to the date by which the EES should be operational. To that end, a legislative proposal on interoperability should be presented, in parallel with a proposal to revise the VIS, a proposal on ECRIS, and another aimed at strengthening the mandate of the European agency eu-LISA.

In the end, where European security-immigration information systems are concerned, interoperability does not rhyme with interconnection. This truism perfectly reflects the will of the European institutions, which prefer synergy to centralisation, as had been emphasised in their time by the March 2004 declaration on combating terrorism, the Hague Programme and the Council declaration of July 2005 following the London attacks. The path chosen by these institutions is well summed up by the Commissioner for Security, Sir Julian King, who stated on 29 May 2017 in an address to the members of the LIBE Committee: “what is not being proposed is a gigantic database in which everything would be interconnected”.

Legislative Tracker: an interinstitutional agreement on the new EU “Entry-Exit” system is approaching …

by Beatrice FRAGASSO (Free-Group trainee)

On 6 April 2016 the European Commission put forward the Smart Borders Package, a set of measures intended to provide a more effective and modern external border management. One of the proposals consists in the introduction of the Entry/Exit System (EES), a centralized information system based on biometrics that would be interconnected with VIS and focus on third-country nationals.

The creation of the European Entry-Exit system will require the adoption of two draft Regulations, one (COM/2016/0194) setting up the EES and amending Regulation (EC) No 767/2008 and Regulation (EU) No 1077/2011, the other (COM/2016/0196) amending Regulation (EU) 2016/399 (Schengen Borders Code) to embody this new system. The proposals have been accompanied by an Impact assessment.

The introduction of the EES aims at speeding up and reinforcing border check procedures for non-EU nationals travelling to the EU, by improving the quality and efficiency of controls as well as the detection of document and identity fraud. The new texts replace the proposals presented by the European Commission in February 2013, about which the co-legislators had voiced technical, financial and operational concerns.

The European Parliament defined its negotiating mandate on the latest Commission Proposals on 27 February 2017: the LIBE Committee adopted its reports (on establishing EES and amending 2016/399) and decided to enter into negotiations with the Council on the basis of these mandates.

The rapporteur Agustín Díaz de Mera García Consuegra stated before the LIBE Committee (11 May 2017) that progress has been made during the “trilogue” negotiations and that the good cooperation between delegations will probably allow a political agreement to be reached by the end of the summer. Two “political” trilogues as well as nine technical meetings have already taken place and a third political “trilogue” is scheduled for 31 May 2017. Needless to say, no public recording of the debates which took place during these trilateral meetings is accessible.

Further information on other aspects of the procedure is accessible on the European Parliament Research Service site.

The scope of the Entry-Exit System (EES)

The EES will apply to non-EU nationals crossing the external borders of the Member States of the EU for a short stay (a maximum of 90 days in any period of 180 days), both those that require a visa and those that are exempted.

How it will work

The introduction of the EES aims to:

  1. address border check delays and improve the quality of border checks for third-country nationals;
  2. ensure systematic and reliable identification of “overstayers”;
  3. reinforce internal security and the fight against terrorism and serious crime.

The system is intended to register the name, type of travel document, biometrics (four fingerprints and a visual image) and the date and place of entry and exit.

These actions will facilitate the border crossing of bona fide travelers, detect over-stayers and identify undocumented persons in the Schengen area. The system will also record refusals of entry.

Currently, the only possibility for national authorities to calculate the duration of stay of a third-country national in the Schengen area (and to verify their potential overstay) is the stamping of their travel document with the dates of entry and exit. This method is deemed to be slow and error-prone, since the entry/exit stamps may be unreadable or counterfeit. Under the new proposal, the current system of manual stamping of passports would be replaced by registration in a database and most of the data will be automated.

By using self-service systems and e-gates, third country national travelers would have their data verified, their picture or fingerprint taken and a set of questions asked. While using the self-service system, all mandatory checks would be triggered in the security databases (SIS, Interpol Stolen and Lost Travel Documents database). By the time the traveler is guided towards a border control lane, all his information would have reached the border guard, who may ask additional questions before granting the passenger access to the Schengen area.

The automation of the preparatory steps is expected to reduce the workload of border guards. This would mean that Member States would not have to hire extra border guards to accommodate the growing traveler flows. It is also expected to reduce the long queues before passengers reach the border checkpoint.

Interoperability

The system would be interconnected with the Visa Information System (VIS) database, which would help reduce duplication of data processing, in accordance with the ‘privacy by design’ principle.

The European Parliament position (Libe Committee Debate)

The parliamentary debate showed that in the Commission proposal there are some controversial elements that the LIBE committee tried to address in the draft report approved on 27 February 2017.

The rapporteur Agustín Díaz de Mera García Consuegra (EPP, Spain) presented the draft report before the LIBE Committee on 8 December 2016. According to him, establishing an EES will benefit travellers (they will spend less time waiting at borders), as well as border Member States and transit Member States, because of the speeding up of the entire process. Border guards would carry out their tasks more easily. The aim of the draft report is to strike a balance between speeding up the process and guaranteeing security, while protecting fundamental rights. In particular, one of the main concerns of the rapporteur is to ensure high standards for data protection: many of the amendments have been tabled in order to protect data in the system with reference to interoperability, the data retention period and access to data by law enforcement authorities. According to the rapporteur, his amendments follow the indications given by the European Data Protection Supervisor (EDPS, Giovanni Buttarelli), in order to boost legal certainty in the data protection area and to the role of the EDPS and National Data Protection Authorities. Another objective highlighted by the rapporteur is to guarantee more technical certainty, in order to know exactly who can access the system as well as the circumstances of the access (logs). The procedure to follow in case of temporary failure, then, still has to be clarified. The rapporteur then pointed out the need to establish high standards for the procedure used to take facial images and fingerprints. Finally, the key role played by eu-LISA (see the Agency’s report on the Smart Borders Pilot Project), which will be responsible for managing the system, was noted.

The S&D “shadow rapporteur” Tanja Fajon (Slovenia) stated that she is not convinced by the argument put forward by the Commission to justify the link between crime and border management. The purpose of the proposal is border management, not law enforcement, and the proposal should clarify the way in which data will be processed in these two different situations. The difference between people who are travelling legally and people who are violating rules should be made clear, in order to guarantee fundamental rights. She criticized the retention period as disproportionate.

Mrs Fajon then pointed out that it is necessary to better inform travellers about how the smart border system will change the current situation and what impact the regulation will have on their rights to enter and exit. People need to be aware of their rights and duties and of the consequences of possible infringements. Finally, she stated that some measures risk being impractical in some Member States (for example Slovenia) whose borders with non-Schengen countries are always busy, especially during summer.

The ECR “shadow rapporteur” Jussi Halla-Aho (Finland) stated that ECR supports an Entry/Exit System and that it was probably needed even before the abolition of internal controls. His group finds that law enforcement authorities should have sufficient access to the database for a sufficient period of time. The amendments tabled by the rapporteur are well considered and balanced, and ECR appreciates that the rapporteur has tried to make the instrument coherent with the existing tools, for example Eurodac: Regulations have to be harmonised and they have to work with one another.

According to the ALDE shadow rapporteur Angelika Mlinar (Austria), the amendments improve the Commission proposal. But there are still some problematic issues to address, concerning the protection of fundamental rights and in particular the disproportionate and unjustified retention period that is applied equally across the whole scope of the regulation. In addition, the former 2013 proposal had one single purpose (speeding up border management procedures), while the current proposal also has an unjustified law enforcement purpose. Her political group presented amendments in order to:

– Limit and optimise the collection of biometric data.
– Limit the law enforcement access to what is strictly necessary, ensuring safeguards.
– Reduce the data retention period.

The Greens’ shadow rapporteur Jan Philipp Albrecht (Germany) also highlighted that the most controversial points are the long data retention period and the possibility for law enforcement authorities to access these data for other purposes. The risk is that the EES will create a huge (and very expensive) database with a long retention period that won’t be effective for the purpose of smart border management. Finally, the shadow rapporteur pointed out that data protection in EES should meet the same high standards as in the data protection package recently adopted (and which should be transposed at national level by May 2018).

Where we are…

The LIBE Committee adopted the report establishing EES and the report amending 2016/399 on 27 February 2017, and the modifications proposed by the committee echo the parliamentary debate. Data should be stored for only two years, and not the five years proposed by the Commission. MEPs also want to ensure that the text is in line with the provisions of the General Data Protection Regulation, for example by allowing the data subject the right to access his or her own data.

MEPs found that the purposes of data processing in the new system should also be clarified. Migration handling should be the first purpose and law enforcement an additional one. The two should be treated separately, as the conditions for the use and storage of the data are not the same.

The Council Position

According to a preparatory document of the Council (leaked by Statewatch, file 6572/17), it emerges that the most controversial issues concern the territorial scope of the EES (an issue linked to the question of the access to VIS for those Member States which do not yet fully apply the Schengen acquis but for which the verification in accordance with the applicable Schengen evaluation procedures has already been successfully completed) and the calculation of the duration of the short-stay.

Guidance on these sensitive issues was then obtained at COREPER level on 1 February 2017. Concerning the territorial scope of application, COREPER gave clear guidance on the need to include in it all Member States that, while not applying the Schengen Acquis in full, nonetheless meet the cumulative conditions listed in Art. 60 of the draft EES Regulation (i.e. (i) have successfully completed the verification in accordance with applicable Schengen evaluation procedures, (ii) have put into effect the provisions of the Schengen acquis relating to SIS and (iii) to the VIS).

If these conditions are met, the Member State concerned can deploy the EES, with the consequences that such deployment implies, including with reference to the calculation of the duration of stay in its territory. As a consequence, the automated calculator set out in Art. 10 of the EES draft Regulation will be a common one, covering the stays in any Member State operating the EES. According to the internal Council document, some delegations still oppose this solution on legal and practical grounds, notably because of its implications for other legal instruments and for the current practice in particular in the area of visa policy. However, the Presidency considers that the policy guidance given by Coreper, supported by a clear majority, should be followed.

MS Bilateral agreements with third Countries 

Another outstanding issue is whether the bilateral visa waiver agreements will be compatible with the EES (Art 54). At the trilogue meeting that took place on 29 September 2016 (file 12571/16), the Chair presented a drafting proposal by the Presidency that would set up a procedure allowing those agreements to remain in force while making the EES work. The Commission rejected the proposal, firstly because it would cover only a few agreements, excluding those which provide for a stay of less than 90 days, and would thus create more problems than it was meant to solve.

Secondly, the proposal would have been cumbersome both for Member States and for the third-country nationals concerned, and would have had the practical consequence of extending the effects of bilateral agreements to Member States that were not party to them. By contrast, Member States showed general support for the Presidency solution.

Access by national Law enforcement authorities

EES would be used by the same authorities that already use VIS: consular posts and border control. Moreover, it would allow law enforcement authorities as well as Europol to perform restricted queries in the database for criminal identification and intelligence to prevent serious crime and terrorism.

The conditions for granting law enforcement authorities access to the EES (Chapter IV of the proposal) are one of the most controversial points of the proposal. According to the preparatory document of the Council (file 6572/17), some delegations have expressed the wish to further simplify it [the access to the EES by law enforcement authorities] in order to facilitate investigations in cases of serious crimes and terrorist offences. However, recent deliberations have shown a good degree of support for the Presidency compromise proposal, in which, upon request of a majority of delegations, the conditions for access have been softened to the maximum extent compatible with the current legal framework and case-law.

The European Parliament expressed major concerns with reference to Chapter IV, and the Council, in a document dated 22 May 2017 (file 9415/17), proposed a compromise.

In particular, the Council position would be maintained on:

(a) the reference to ‘designated authorities’ rather than ‘law enforcement authorities’;
(b) the possibility to access the EES even when the search in national databases results in a hit;
(c) the possibility to proceed to access the EES once the Prüm search is launched; and
(d) the possibility to also check against refusal of entry records.

On the other hand, some amendments proposed by the European Parliament would be broadly accepted (some with amendments). These suggestions are in particular:

(a) limiting the urgency procedure to cases where there is an ‘imminent danger’ related to a terrorist offence or other serious criminal offence and requiring the ex post verification to take place within two working days.
(b) providing that there must be reasonable grounds to consider that consulting the EES will (rather than may) contribute to the detection, investigation or prevention of a terrorist/other serious criminal offence. Actually, it should be noted that ‘reasonable grounds’ would still be enough and certainty is not required. Moreover, a substantiated suspicion that the person falls within the scope of the EES would still be sufficient to fulfil this requirement.

Transfer of data to third countries and international organisations (Article 38) and to Member States not bound by, or not operating the EES (Article 38a)

The European Parliament opposes the possibility to transfer information to third countries and international organisations for the purpose of returns, unless there is a decision by the Commission regarding the adequate protection of personal data in that third country or a binding readmission agreement.

In particular, the European Parliament opposes the possibility to transfer such information on the basis of an arrangement similar to readmission agreements, arguing that these are not binding and do not contain the necessary data protection safeguards. The European Parliament also insists on the provision of guarantees by the third country concerned to use the data only for the purposes for which it is transferred, and that such transfers should only be possible once the return decision is final, and subject to the consent of the Member State that entered the data.

The EP also maintains its position against the transfer of information to third countries or to Member States not operating, or bound by, the EES, in cases of immediate threat of terrorist or other serious criminal offences (Article 38(4a) and Article 38a).

Reassurances have been provided that the relevant data protection legislation must still be respected (General Data Protection Regulation in case of returns/readmission and Data Protection Directive in case of terrorism/serious criminal offences), but this has not convinced the European Parliament.

Another concern raised by the European Parliament regards the fact that the conditions required to access the EES by national authorities (set out in Chapter IV) are not all reproduced for the transfer of such data to third countries, international organisations and Member States not operating the EES or to which the EES does not apply.

Data Retention (Article 31)

The European Parliament in its position reduces the data retention period from five years to:
– four years for third-country nationals who overstay;
– two years for third country nationals who respect the period of authorised stay.

According to a document dated 22 May 2017 (file 9415/17), the Council is still working to find a compromise.

NOTE

[i] In its opinion 06/2016 of 21 September 2016, the European Data Protection Supervisor (EDPS) recognizes the need for coherent and effective information systems for borders and security. However, the EDPS underlines the significant and potentially intrusive nature of the proposed processing of personal data under the EES, which must therefore be considered under both Articles 7 and 8 of the EU Charter of Fundamental Rights.

According to EDPS opinion, necessity and proportionality of the EES scheme are to be assessed globally, taking into consideration the already existing large-scale IT systems in the EU.

The EDPS, then, notes that EES data will be processed for two different purposes, on the one hand for border management and facilitation purposes and on the other hand for law enforcement purposes. The EDPS strongly recommends clearly introducing the difference between these objectives, as these purposes entail a different impact on the rights to privacy and data protection.

 

Worth reading: the final report by the EU High Level Expert Group on Information Systems and Interoperability (HLEG)

NB: The full version (PDF) of the Report is accessible HERE

On May 8th the (EU) High Level Expert Group on Information Systems and Interoperability (HLEG), which was set up in June 2016 following the Commission Communication on “Stronger and Smarter Information Systems for Borders and Security”, published its long-awaited 56-page Report on Information Systems and Interoperability.

Members of the HLEG were the EU Member States (+ Norway, Switzerland and Liechtenstein), the EU Agencies (Fundamental Rights Agency, FRONTEX, European Asylum Support Office, Europol and the EU-LISA “Large Information Support Agency”) as well as the representatives of the Commission, the European Data Protection Supervisor (EDPS) and the Anti-Terrorism Coordinator (a high official of the Council General Secretariat designated by the European Council).

Three Statements, respectively from the EU Fundamental Rights Agency, the European Data Protection Supervisor and the EU Counter-Terrorism Coordinator (CTC), are attached. The first two can be considered as partially dissenting opinions, while the CTC statement is quite obviously in full support of the recommendations set out by the report, as it embodies for the first time at EU level the “Availability Principle”, which was set up already in 2004 by the European Council. According to that principle, if a Member State (or the EU) has security-related information which can be useful to another Member State, it has to make it available to the authorities of that Member State. It looks like a common-sense principle which goes hand in hand with the principle of sincere cooperation between EU Member States and between them and the EU Institutions.

The little detail is that when information is collected for security purposes, national and European legislation sets very strict criteria to avoid possible abuses by EU and national law enforcement authorities. This is the core of data protection legislation and of Art. 6, 7 and 8 of the EU Charter of Fundamental Rights, which prevent the EU and its Member States from becoming a sort of Big Brother “State of surveillance”. Moreover, at least until now, these principles have guided the post-Lisbon European Court of Justice jurisprudence in this domain, and it is quite appalling that no reference is made in this report to the Luxembourg Court rulings, notably those dealing with “profiling” and “data retention” (“Digital Rights”, “Schrems”, “TELE 2-Watson”…).

Needless to say, implementing all the HLEG recommendations will require several legislative measures as well as the definition of a legally founded EU Security Strategy, which should be adopted under the responsibility of the EU co-legislators. Without a strong, legally founded EU security strategy, not only will the European Parliament continue to be out of the game, but the Court of Justice’s control of the necessity and proportionality of the existing and planned EU legislative measures will also be weakened. Overall, this HLEG report is mainly focused on security-related objectives, and the references to fundamental rights and data protection are given more as “excusatio non petita” than as clearly explained reasoning (see the Fundamental Rights Agency Statement). As to the content of the perceived “threats” to be countered with this new approach, it remains to be seen whether some of them (such as the mixing of irregular migration with terrorism) are imaginary and whether, on the contrary, real ones are being left out of account.

At least this report is now public. It would be naive to consider it purely “technical”: it is highly political and will justify several EU legislative measures. It will be pointless for the European Parliament to wake up only when the formal legislative proposals are submitted. If it has an alternative vision, it has to show it NOW and not wait until the Report has, quite likely, been “endorsed” by the Council and the European Council.

Emilio De Capitani


Legislative Tracker : the European Travel Information and Authorisation System (ETIAS)

by Beatrice FRAGASSO (Free-Group Trainee)

On 16 November 2016, the European Commission put forward a proposal (COM(2016) 731, 16.11.2016, 2016/0357(COD)) establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) 2016/399 (the ‘Schengen Borders Code’), (EU) 2016/794 and (EU) 2016/1624.

This proposal is being negotiated as part of the Smart Border Package and aims to ensure a high level of internal security and free movement of persons in the Schengen area. The Commission didn’t conduct an impact assessment but published a feasibility study on ETIAS, conducted between June and October 2016.

The system designed by the proposal would also require visa-exempt travellers to undergo a risk assessment with respect to security, irregular migration and public health risks prior to their arrival at the Schengen borders. This assessment would be carried out by cross-checking the applicant’s data submitted through the ETIAS system against other EU information systems, a dedicated ETIAS watch list and screening rules. This process will result in an automated authorization for entering the EU being granted or denied.

Further information from the European Parliament Research Service is available HERE

The current situation
Currently, both visa-obliged and visa-exempt travelers are subject to border controls when entering the Schengen area. According to Regulation (EU) 2016/399, both categories of travelers need to comply with the conditions for short-term stay, which include not being a threat to public order and security, holding valid travel documents, justifying the purpose and conditions of the intended stay, not being the subject of any alert in the SIS for the purpose of refusing entry, and having sufficient means of subsistence.

For visa holders, compliance with these conditions is assessed at the time of the request for a visa, and the relevant data are stored in the Visa Information System (VIS), which can be consulted by law enforcement authorities for the purposes of combatting serious crime and terrorism.

However, no such advance information can be currently obtained for visa-exempt nationals arriving at the Schengen external borders. This means that border guards need to decide on allowing or refusing access to the Schengen area without prior knowledge regarding any security, migration or public-health risks associated with visa exempt travelers.

This is particularly true for visa-exempt travelers arriving by land, as the only source of information about them is their travel document presented at the time of crossing the EU external border.

The situation is different for passengers arriving by air, as Council Directive 2004/82/EC obliges carriers to communicate all passenger data, known as ‘advance passenger information’ (API), including name, date of birth, passport number and nationality, at the time of check-in for inbound flights to the EU. Another directive, Directive (EU) 2016/681 on the use of passenger name record data (the ‘PNR Directive’), collects 19 types of personal data already at the time of the flight reservation and obliges airlines to hand over to EU MS authorities their passengers’ data linked with the travel reservation (which includes travel dates, travel itinerary, ticket information, frequent flyer data, contact details, baggage information, credit card and general remarks stored in the airline files).

For visa-exempt passengers arriving on foot or by car, bus or train, no such comparable advance information is available prior to their arrival.

The changes the proposal would bring

Schengen Border Checks
Prior to arrival in the Schengen area, all carriers will verify whether visa-exempt third-country nationals have a valid ETIAS travel authorization, without which boarding will not be authorized. A valid ETIAS travel authorization should be obtained in advance of arrival at a Schengen border crossing point, and this will be a precondition for entering the Schengen area. However, border guards at the external Schengen borders will still take the final decision to grant or refuse entry according to the Schengen Borders Code.

Online application
As is currently the case for visa-exempt travelers to Canada (“ETA”), the USA (“ESTA”) and Australia (“ETA”), who have to ask for a travel authorization, travelers wanting to enter the Schengen area will also have to fill in an online application, providing their biographical and passport data, contact details, information on intended travel, and answers to background questions relating to public health risks, criminal records, presence in war zones and previous refusals of entry or orders to leave the territory of a Member State.

At the same time, an application fee of €5, which will go to the EU budget, will be mandatory for all applicants above the age of 18 before their application can be processed.

Processing of applications
The automated processing will be carried out by the central system, which will be in charge of checking data provided by applicants against security databases, such as the VIS, Europol data, the SIS, Eurodac, the Interpol SLTD database, the European Criminal Records Information System (ECRIS) and the planned future EU “Entry-Exit” system (currently being negotiated between the EP and the Council). Personal data will also be screened against an ETIAS “watch list” (where people suspected of having committed, or of being likely to commit, a criminal offence will be listed by the EU MS) and against specific risk indicators (irregular migration, security or public-health risks), which will be defined in consultation with an ETIAS screening board.

In the case of a positive hit after the automatic processing, the application will be further assessed manually by operators in the ETIAS central unit and in the national units.
If no risk has been detected, a positive response, in the form of a travel authorisation valid for five years (or until the expiry of the passport), will be delivered. In the case of a refusal, a justification will be given and applicants will have the right to appeal.

Authorisation will be revoked or annulled when the conditions for its issuance are no longer met, particularly when it is believed that it was fraudulently obtained or when a new alert for refusal of entry is created in the SIS.

ETIAS structure
ETIAS will consist of an information system, a central unit and national units.

The information system will be designed for processing applications and will be interoperable with the other security databases to which ETIAS will be connected. The new system will be managed by the European Agency for the operational management of large-scale information systems in the area of freedom, security and justice (eu-LISA).

The central unit will be part of Frontex (the European Border and Coast Guard Agency) and will ensure that the data stored in the application files and the data recorded in ETIAS are correct and up to date. Where necessary, it will also verify travel authorisation applications whenever there are doubts regarding the identity of an applicant in cases where the latter’s data produced a match (a ‘hit’) against the stored data during automated processing.
The national units will be responsible for making the risk assessment and deciding on travel authorisation for applications rejected by the automated application process. They will also issue opinions when consulted by other national units, and act as a national access point for requests for access to the ETIAS data for law enforcement purposes related to terrorist and other serious criminal offences.

The role of Europol
Europol will be involved in ETIAS in several ways.
Firstly, Europol’s data related to criminal offences, convictions or potential threats will be compared to those provided by applicants for an ETIAS authorization.
Secondly, Europol will help define ETIAS screening rules by participating in the ETIAS screening board and managing the ETIAS watch list.
Thirdly, Europol will be consulted by the ETIAS national units in case of a match with Europol data during the ETIAS automated processing.
And finally, Europol will be able to consult personal data in the ETIAS central system for the prevention, detection or investigation of terrorist offences or other serious criminal offences (as provided by its mandate).

The Council’s position
In a document of March 17, 2017, authored by the Maltese Presidency of the Council of the EU and also covering the other pending legislative measures connected to ETIAS, a number of compromises are suggested: The Presidency identified other key issues that needed to be clarified and decided upon before revised text proposals could be submitted to delegations. The Presidency therefore prepared a discussion paper on which delegations were invited to comment. The issues outlined by the Presidency related to the division of competences between Frontex and the Member States, the definition of ‘responsible Member State’ as regards the decision to grant a travel authorisation, and the duration of a travel authorization […] With respect to the definition of the ‘responsible Member State’, delegations were divided into two groups, one in favour of the Member State of first entry, as proposed by the Commission, while the other stressed the key role played by the Member State at the origin of an alert triggering a “hit”. The following issues are the “object of extensive debates”:

“– the scope of the regulation;
– the ETIAS watchlist and the screening rules;
– the access to the ETIAS data;
– the interoperability of ETIAS with other systems and databases.”

More recently the Council Presidency has also submitted some possible compromise proposals to the other delegations (docs 8579/17 and 8584/17) and it is more than likely that the EP will be under pressure to launch the negotiations for a first reading agreement on this subject.

The European Parliament position (Libe Committee Debate)
On the EP side, work is still at an initial phase (SEE OEIL DOSSIER HERE). The LIBE Committee was informed for the first time by a Commission representative (Belinda Pyke) on 22 March 2017. It was stressed that the purpose of the proposal is to improve internal security and border management and that visa liberalization policy is essential in the system. This proposal will contribute to the security of the Schengen area because any risks will be identified prior to departure. Due to the political pressure of the European Council and the very tight deadlines, the Commission did not have the time to conduct an impact assessment, although it would have been desirable; however, the Commission published a detailed study on the subject. The Commission representative made reference to the comparable systems in Australia, Canada and the USA and declared that the ETIAS system will take stock of the experience of these countries by overcoming their weaknesses and mirroring the strengths of these systems.
Firstly, requesting authorization will be easy and cheap. Applicants will rapidly (within 12 hours) receive positive feedback, and those without authorization will save travel costs. The ETIAS system provides an automatic control, which will make it possible to verify that the criminal record is clean. These checks will take place on the basis of SIS, Interpol, ECRIS and Eurodac.
The ETIAS central unit will compare the data in the database and the identity of the applicant and the rest of the operations will be managed by the national units.
The decision of the unit will be delivered within 72 hours, unless it is necessary to gather special information (in which case an extension to a maximum of two weeks will be possible).
ETIAS will be financially self-sustaining, thanks to the tax that will be paid by applicants. It is estimated that the costs for developing it will amount to €212.1 million, while the average annual operations costs, to be covered by the revenue from fees, will be €85 million.
The data will be protected from abuse and the information may be given to law enforcement only in the case of very serious crimes (this possibility also exists for Eurodac).

The EP rapporteur Kinga Gal (PPE – Hungary) was not present at the debate, but a colleague read her statement. The rapporteur argues that the text is of great importance and that it will cover three categories of passengers:
1) European Citizens or persons enjoying the right of free movement under Union law
2) Third-country nationals under visa obligation
3) Third-country nationals without visa obligation
From now until 2020 the number of countries without visa obligation will increase. For third-country nationals without visa obligation it is difficult to gather information; it is therefore necessary to create an information system well established in legal terms, so as not to place excessive burdens on Member States.

The debate that followed, however, revealed controversial elements in the proposal, which MEPs criticized.
Firstly, almost all the MEPs who spoke stressed the necessity of an impact assessment and found it unacceptable that one was, yet again, lacking. An issue of such importance cannot be studied without an impact assessment: urgency cannot justify its absence.

Birgit Sippel (S&D – Germany), for instance, said that she is tired of listening to the Commission affirming that it is necessary to adopt better legislation and that impact assessments are no longer conducted because of urgency. The EU needs to regulate well, not in a hurry: this rush to legislate, moreover, does not make sense if execution by the Member States is so slow. She also remarked that one of the problems in this proposal is that the form asks for a bit of everything, and there is a risk that an applicant who forgets a minor offence committed at 15 years old cannot enter.

The shadow rapporteur Gérard Deprez (ALDE – Belgium) wondered what professional criteria will be provided for ETIAS units and how it will be possible to apply Article 7 of the Schengen Code, because compulsory systematic checks for everybody (as provided in that Article) would have a significant impact on traffic at the border. Deprez considered the 72-hour time limit reasonable, whereas he considered the five-year validity period excessive, because many things can change in a person’s life over five years. Foreign experience in fact suggests different solutions: in the US the visa is valid for one year and in Australia for two years. With regard to fees, too, Deprez is at odds with the proposal: 5 euro is a low price compared to the prices of the US (14 euro) and Australia (20 euro). According to Deprez, moreover, the applicant should indicate in the request the Member State to which he or she would like to go. In addition, the proposal should strike a better balance as regards criminal convictions. For example, prison sentences of less than one year should not be an obstacle to the granting of authorization.

A serious problem may also emerge for air traffic. It is estimated that for a plane carrying 300 people controls may last from four and a half hours to seven and a half hours. The controls are certainly a necessary corollary of visa liberalization, but the Parliament should find more efficient solutions.

On behalf of DG HOME of the European Commission, Mrs Belinda Pyke replied that the validity of five years would be reasonable. Of course, it is noted that if the person commits an offence, such information is immediately acquired in the system. Contrary to what Deprez stated, the fee is not too low, but is instead sufficient to ensure the smart management of borders. It is a fee that will cover the costs and ensure a small gain. In the US, half of the fee (therefore, 7 euros) is invested in the tourism sector. Charging nothing, on the other hand, would be a huge burden on the EU budget.

Belinda Pyke finally stressed that the screening does not immediately lead to the rejection of the request, but simply involves manual handling of the request.

Marie-Christine Vergiat (GUE/NGL – France) and Bodil Valero (Greens/EFA – Sweden) highlighted that visas are being brought back, albeit under a different name (authorization). According to Marie-Christine Vergiat, this proposal does not promote cooperation between Member States; it is repressive and attacks fundamental rights, like others in this area of “smart” borders. Security and immigration are matters to be addressed in different texts, because they relate to different problems. The fact that some people should be identified through a profiling system also raises an ethical problem.

Bodil Valero raised the privacy issue. People will also provide information on education and health, and the Greens/EFA group would like to receive explanations about the reason for these provisions: perhaps the Commission’s intention is to gather information that cannot be collected in other ways. Furthermore, the 5-year period envisaged for data storage is too long. She underlined that the EDPS (European Data Protection Supervisor) has also taken a fairly critical position on some of the elements of the proposal.
In its opinion, in fact, the EDPS states, among other things, that the establishment of ETIAS would have a significant impact on the right to the protection of personal data, since various kinds of data, collected initially for very different purposes, will become accessible to a broader range of public authorities (i.e. immigration authorities, border guards, law enforcement authorities, etc). For this reason, the EDPS considers that there is a need for conducting an assessment of the impact that the Proposal will entail on the right to privacy and the right to data protection enshrined in the Charter of Fundamental Rights of the EU, which will take stock of all existing EU-level measures for migration and security objectives.

Last but not least, during a TRAN (transport and tourism) committee meeting on Wednesday 22 March, different speakers representing the tourist sector expressed concerns about the costs generated by the ETIAS in the tourism sector. However, the TRAN Committee decided not to give an opinion to LIBE.

NEXT STEPS

As soon as the two co-legislators have defined their positions, a trilogue could be launched, which could lead to an agreement at first reading. As things currently stand, an agreement will probably go hand in hand with the other “ENTRY/EXIT” legislative proposal.

 

Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices

EXECUTIVE SUMMARY OF A STUDY FOR THE EP LIBE COMMITTEE.

FULL TEXT ACCESSIBLE HERE

by Mirja GUTHEIL, Quentin LIGER, Aurélie HEETMAN, James EAGER, Max CRAWFORD (Optimity Advisors)

Hacking by law enforcement is a relatively new phenomenon within the framework of the longstanding public policy problem of balancing security and privacy. On the one hand, law enforcement agencies assert that the use of hacking techniques brings security, stating that it represents a part of the solution to the law enforcement challenge of encryption and ‘Going Dark’ without systematically weakening encryption through the introduction of ‘backdoors’ or similar techniques. On the other hand, civil society actors argue that hacking is extremely invasive and significantly restricts the fundamental right to privacy. Furthermore, the use of hacking practices pits security against cybersecurity, as the exploitation of cybersecurity vulnerabilities to provide law enforcement with access to certain data can have significant implications  for  the security of the internet.

Against this backdrop, the present study provides the LIBE Committee with relevant, actionable insight into the legal frameworks and practices for hacking by law enforcement. Firstly, the study examines the international and EU-level debates on the topic of hacking by law enforcement (Chapter 2), before analysing the possible legal bases for EU intervention in the field (Chapter 3). These chapters set the scene for the primary focus of the study: the comparative analysis of legal frameworks and practices for hacking by law enforcement across six selected Member States (France, Germany, Italy, the Netherlands, Poland and the UK), with further illustrative examples from three non-EU countries (Australia, Israel and the US) (Chapter 4). Based on these analyses, the study concludes (Chapter 5) and presents concrete recommendations and policy proposals for  EU  action  in  the field (Chapter 6).

The international and EU-level debates on the use of hacking techniques by law enforcement primarily evolve from the law enforcement challenge posed by encryption – i.e. the  ‘Going  Dark’  issue.

Going Dark is a term used to describe [the] decreasing ability [of law enforcement agencies] to lawfully access and examine evidence at rest on devices and evidence in motion across   communications   networks.1

According to the International Association of Chiefs of Police (IACP), law enforcement agencies are not able to investigate illegal activity and prosecute criminals without this evidence. Encryption technologies are cited as one of the major barriers to this access. Although recent political statements from several countries (including France, Germany, the UK and the US) seemingly call for ‘backdoors’ to encryption technologies, support for strong encryption at international and EU fora remains strong. As such, law enforcement agencies across the world started to use hacking techniques to bypass encryption. Although the term ‘hacking’ is not used by law enforcement agencies, these practices essentially mirror the techniques used by hackers (i.e. exploiting any possible vulnerabilities – including technical, system and/or human vulnerabilities – within an information technology (IT) system).

Law enforcement representatives, such as the IACP and Europol, report that access to encrypted and other data through such hacking techniques brings significant investigative benefits. However, it is not the only possible law enforcement solution to the ‘Going Dark’ issue. Outside of the scope of this study, the other options include: requiring users to provide their password or decrypt their data; requiring technology vendors and service providers to bypass the security of their own products and services; and the systematic weakening of encryption through the mandated introduction of ‘backdoors’ and/or weakened standards for encryption.

With the benefits of hacking established, a 2016 Joint Statement published by the European Union Agency for Network and Information Security (ENISA) and Europol[2] noted that the use of hacking techniques also brings several key risks.

The primary risk relates to the fundamental right to privacy and freedom of expression and information, as enshrined in international, EU and national-level law. Hacking techniques are extremely invasive, particularly when compared with traditionally intrusive investigative tools (e.g. wiretapping, house searches etc.). Through hacking, law enforcement can gain access to all data stored or in transit from a device; this represents a significant amount of data (e.g. a recent investigation by Dutch law enforcement collected seven terabytes of data, which translates into around 86 million pages of Microsoft Word documents[3]), as well as extremely sensitive data (e.g. a person’s location and movements, all communications, all stored data etc.). Consequently, the use of hacking techniques will inherently restrict the fundamental right to privacy.

Therefore, current debates at international and EU fora focus on assessing and providing recommendations on the current legal balances and safeguards for the restriction of the right to privacy by hacking techniques. However, these debates have assumed that hacking practices are necessary for law enforcement and simply require governing laws; they have not discussed whether the use of hacking techniques by law enforcement is necessary and proportional. The law enforcement assertions regarding the necessity of these invasive tools have not been challenged.

The second key risk relates to the security of the internet. Law enforcement use of hacking techniques has the potential to significantly weaken the security of the internet by “[increasing] the attack surface for malicious abuse”[4]. Given that critical infrastructure and defence organisations, as well as law enforcement agencies themselves, use the technologies targeted and potentially weakened by law enforcement hacking, the potential ramifications reach far beyond the intended target.

As such, debates at international and EU fora focus on the appropriate balances between security and privacy, as well as security and cybersecurity. Regarding security v. privacy, the debates to date have assessed and provided recommendations on the legislative safeguards required to ensure that hacking techniques are only permitted in situations where a restriction of the fundamental right to privacy is valid in line with EU legislation (i.e. legal, necessary and proportional). Regarding security v. cybersecurity, the debates have been limited and primarily centre around the use and/or reporting of zero-day vulnerabilities discovered by law enforcement agencies.

Further risks not discussed in the Joint Statement but covered by this study include: the risks to territorial sovereignty – as law enforcement agencies may not know the physical location of the target data; and the risks related to the supply and use of commercially-developed hacking tools by governments with poor consideration for human rights.

Alongside the analysis of international and EU debates, the study presents hypotheses on the legal bases for EU intervention in the field. Although possibilities for EU legal intervention in several areas are discussed, including mutual admissibility of evidence (Art. 82(2) TFEU), common investigative techniques (Art. 87(2)(c) TFEU), operational cooperation (Art. 87(3) TFEU) and data protection (Art. 16 TFEU, Art. 7 & 8 EU Charter), the onus regarding the development of legislation in the field is with the Member States. As such, the management of the risks associated with law enforcement activities is governed at the Member State level.

As suggested by the focus of the international and EU discussions, concrete measures need to be stipulated at national-level to manage these risks. This study presents a comparative analysis of the legal frameworks for hacking by law enforcement across six Member States, as well as certain practical aspects of hacking by law enforcement, thereby providing an overview of the primary Member State mechanisms for the management of these risks. Further illustrative examples are provided from research conducted in three non-EU countries.

More specifically, the study examines the legal and practical balances and safeguards implemented at national-level to ensure: i) the legality, necessity and proportionality of restrictions to the fundamental right to privacy; and ii) the security of the internet.

Regarding restrictions to the right to privacy, the study first examines the existence of specific legal frameworks for hacking by law enforcement, before exploring the ex-ante and ex-post conditions and mechanisms stipulated to govern restrictions of the right to privacy and ensure they are legal, necessary and proportional.

It is found that hacking practices are seemingly necessary across all Member States examined, as four Member States (France, Germany, Poland and the UK) have adopted specific legislative provisions and the remaining two are in the legislative process. For all Member States except Germany, the adoption of specific legislative provisions occurred in 2016 (France, Poland and the UK) or will occur later (Italy, the Netherlands). This confirms the new nature of these investigative techniques.

Additionally, law enforcement agencies in all Member States examined have used, or still use, hacking techniques in the absence of specific legislative provisions, under so-called ‘grey area’ legal provisions. Given the invasiveness of hacking techniques, these grey area provisions are considered insufficient to adequately protect the right to privacy.

Where specific legal provisions have been adopted, all stakeholders agree that a restriction of the right to privacy requires the implementation of certain safeguards. The current or proposed legal frameworks of all six Member States comprise a suite of ex-ante conditions and ex-post mechanisms that aim to ensure the use of hacking techniques is proportionate and necessary. As recommended by various UN bodies, the provisions of primary importance include judicial authorisation of hacking practices, safeguards related to the nature, scope and duration of possible measures (e.g. limitations to crimes of a certain gravity and the duration of the hack, etc.) and independent oversight.

Although many of these types of recommended conditions are common across the Member States examined – demonstrated in the below table – their implementation parameters differ. For instance, both German and Polish law permit law enforcement hacking practices without judicial authorisation in exigent circumstances if judicial authorisation is obtained within a specified timeframe. However, the timeframe differs (three days in Germany compared with five days in Poland). These differences are significant, as the Polish timeframe was criticised by the Council of Europe’s Venice Commission for being too long.[5]

Furthermore, the Member States examined all accompany these common types of ex-ante and ex-post conditions with different, less common conditions. This is particularly true for ex-post oversight mechanisms. For instance, in Poland, the Minister for internal affairs provides macro-level information to the lower (Sejm) and upper (Senat) chambers of Parliament;[6] and in the UK, oversight is provided by the Investigatory Powers Commissioner, who reviews all cases of hacking by law enforcement, and the Investigatory Powers Tribunal, which considers disputes or complaints surrounding law enforcement hacking.[7]

Key ex-ante considerations

Judicial authorisation: The legal provisions of all six Member States require ex-ante judicial authorisation for law enforcement hacking. The information to be provided in these requests differs. Select Member States (e.g. Germany, Poland, the UK) also provide for hacking without prior judicial authorisation in exigent circumstances if judicial authorisation is subsequently provided. The timeframes for ex-post authorisation differ.

Limitation by crime and duration: All six Member States restrict the use of hacking tools based on the gravity of crimes. In some Member States, the legislation presents a specific list of crimes for which hacking is permitted; in others, the limit is set for crimes that have a maximum custodial sentence of greater than a certain number of years. The lists and numbers of years required differ by Member State. Many Member States also restrict the duration for which hacking may be used. This restriction ranges from a maximum of 1 month (France, Netherlands) to a maximum of 6 months (UK), although extensions are permitted under the same conditions in all Member States.

Key ex-post considerations

Notification and effective remedy: Most Member States provide for the notification of targets of hacking practices and remedy in cases of unlawful hacking.

Reporting and oversight: Primarily, Member States report at a micro-level through logging hacking activities and reporting them in case files. However, some Member States (e.g. Germany, Poland and the UK) have macro-level review and oversight mechanisms.

Furthermore, as regards the issue of territoriality (i.e. the difficulty law enforcement agencies face obtaining the location of the data to be collected using hacking techniques), only one Member State, the Netherlands, legally permits the hacking of devices if the location is unknown. If the device turns out to be in another jurisdiction, Dutch law enforcement must apply for Mutual Legal Assistance.

As such, when aggregated, these provisions strongly mirror Article 8 of the European Convention on Human Rights, as well as the UN recommendations and paragraph 95 of the ECtHR judgement in Weber and Saravia v. Germany. However, there are many, and varied, criticisms when the Member State conditions are examined in isolation. Some of the provisions criticised include: the limits based on the gravity of crimes (e.g. the Netherlands, France and Poland); the provisions for notification and effective remedy (e.g. Italy and the Netherlands); the process for screening and deleting non-relevant data (Germany); the definition of devices that can be targeted (e.g. the Netherlands); the duration permitted for hacking (e.g. Poland); and a lack of knowledge amongst the judiciary (e.g. France, Germany, Italy and the Netherlands). With this said, certain elements, taken in isolation, can be called good practices. Such examples are presented below.

Select good practice: Member State legislative frameworks

Germany: Although they were deemed unconstitutional in a 2016 ruling, the provisions for the screening and deletion of data related to the core area of private life are a positive step. If the provisions are amended, as stipulated in the ruling, to ensure screening by an independent body, they would provide strong protection for the targeted individual’s private data.

Italy: The 2017 draft Italian law includes a range of provisions related to the development and monitoring of the continued use of hacking tools. As such, one academic stakeholder remarked that the drafting of the law must have been driven by technicians. However, these provisions bring significant benefits to the legislative provisions in terms of supervision and oversight of the use of hacking tools. Furthermore, the Italian draft law takes great care to separate the functionalities of the hacking tools, thus protecting against the overuse or abuse of a hacking tool’s extensive capabilities.

Netherlands: The Dutch Computer Crime III Bill stipulates the need to conduct a formal proportionality assessment for each hacking request, with the assistance of a dedicated Central Review Commission (Centrale Toetsings Commissie). Also, the law requires rules to be laid down on the authorisation and expertise of the investigation officers that can perform hacking.

With these findings in mind, the study concludes that the specific national-level legal provisions examined provide for the use of hacking techniques in a wide array of circumstances. The varied combinations of requirements, including those related to the gravity of crimes, the duration and purpose of operations and the oversight, result in a situation where the law does not provide for much stricter conditions than are necessary for less intrusive investigative activities such as interception.

Based on the study findings, relevant and actionable policy proposals and recommendations have been developed under the two key elements: i) the fundamental right to privacy; and ii) the security of the internet.

Recommendations and policy proposals: Fundamental right to privacy

It is recommended that the use of ‘grey area’ legal provisions is not sufficient to protect the fundamental right to privacy. This is primarily because existing legal provisions do not provide for the more invasive nature of hacking techniques and do not provide for the legislative precision and clarity as required under the Charter and the ECHR.

Furthermore, many of these provisions have only recently been enacted. As such, there is a need for robust evidence-based monitoring and evaluation of the practical application of these provisions. It is therefore recommended that the application of these new legal provisions is evaluated regularly at national level, and that the results of these evaluations are assessed at EU-level.

If specific legislative provisions are deemed necessary, the study recommends a range of good practice, specific ex-ante and ex-post provisions governing the use of hacking practices by law enforcement agencies. These are detailed in Chapter 6.

Policy proposal 1: The European Parliament should pass a resolution calling on Member States to conduct a Privacy Impact Assessment when new laws are proposed to permit and govern the use of hacking techniques by law enforcement agencies. This Privacy Impact Assessment should focus on the necessity and proportionality of the use of hacking tools and should require input from national data protection authorities.

Policy proposal 2: The European Parliament should reaffirm the need for Member States to adopt a clear and precise legal basis if law enforcement agencies are to use hacking techniques.

Policy proposal 3: The European Parliament should commission more research or encourage the European Commission or other bodies to conduct more research on the topic. In response to the Snowden revelations, the European Parliament called on the EU Agency for Fundamental Rights (FRA) to thoroughly research fundamental rights protection in the context of surveillance. A similar brief related to the legal frameworks governing the use of hacking techniques by law enforcement across all EU Member States would act as an invaluable piece of research.

Policy proposal 4: The European Parliament should encourage Member States to undertake evaluation and monitoring activities on the practical application of the new legislative provisions that permit hacking by law enforcement agencies.

Policy proposal 5: The European Parliament should call on the EU Agency for Fundamental Rights (FRA) to develop a practitioner handbook related to the governing of hacking by law enforcement. This handbook should be intended for lawyers, judges, prosecutors, law enforcement officers and others working with national authorities, as well as non-governmental organisations and other bodies confronted with legal questions in the areas set out by the handbook. These areas should cover the invasive nature of hacking techniques and relevant safeguards as per international and EU law and case law, as well as appropriate mechanisms for supervision and oversight.

Policy proposal 6: The European Parliament should call on EU bodies, such as the FRA, CEPOL and Eurojust, to provide training for national-level members of the judiciary and data protection authorities, in collaboration with the abovementioned handbook, on the technical means for hacking in use across the Member States, their potential for invasiveness and the principles of necessity and proportionality in relation to these technical means.

Recommendations and policy proposals: Security of the internet

The primary recommendation related to the security of the internet is that the position of the EU against the implementation of ‘backdoors’ and similar techniques, and in support of strong encryption standards, should be reaffirmed, given the prominent role encryption plays in our society and its importance to the EU’s Digital Agenda. To support this position, the EU should ensure continued engagement with global experts in computer science as well as civil society privacy and digital rights groups.

The actual impacts of hacking by law enforcement on the security of the internet are yet unknown. More work should be done at the Member State level to assess the potential impacts such that these data can feed in to overarching discussions on the necessity and proportionality of law enforcement hacking. Furthermore, more work should be done, beyond understanding the risks to the security of the internet, to educate those involved in the authorisation and use of hacking techniques by law enforcement.

At present, the steps taken to safeguard the security of the internet against the potential risks of hacking are not widespread. As such, the specific legislative provisions governing the use of hacking techniques by law enforcement, if deemed necessary, should safeguard the security of the internet and the security of the device, including reporting the vulnerabilities used to gain access to a device to the appropriate technology vendor or service provider; and ensure the full removal of the software or hardware from the targeted device.

Policy proposal 7: The European Parliament should pass a resolution calling on Member States to conduct an Impact Assessment to examine the impact of new or existing laws governing the use of hacking techniques by law enforcement on the security of the internet.

Policy proposal 8: The European Parliament, through enhanced cooperation with Europol and the European Union Agency for Network and Information Security (ENISA), should reaffirm its commitment to strong encryption considering discussions on the topic of hacking by law enforcement. In addition, the Parliament should reaffirm its opposition to the implementation of backdoors and similar techniques in information technology infrastructures or services.

Policy proposal 9: Given the lack of discussion around handling zero-day vulnerabilities, the European Parliament should support the efforts made under the cybersecurity contractual Public-Private Partnership (PPP) to develop appropriate responses to handling zero-day vulnerabilities, taking into consideration the risks related to fundamental rights and the security of the internet.

Policy proposal 10: Extending policy proposal 4, above, the proposed FRA handbook should also cover the risks posed to the security of the internet by using hacking techniques.

Policy proposal 11: Extending policy proposal 5, training provided to the judiciary by EU bodies such as FRA, CEPOL and Eurojust should also educate these individuals on the risks posed to the security of the internet by hacking techniques.

Policy proposal 12: Given the lack of discussion around the risks posed to the security of the internet by hacking practices, the European Parliament should encourage debates at the appropriate fora specific to understanding this risk and the approaches to managing this risk. It is encouraged that law enforcement representatives should be present within such discussions.

Parliamentary Tracker : the EP incoming resolution on the EU-USA (so called) “Privacy Shield”…

 

NOTA BENE : Below the text that will be submitted to vote at the next EP plenary. As in previous occasions the text is well drafted, legally precise and it confirms the high level of competence that the European Parliament (and its committee LIBE) has developed along the last 17 years from the first inquiry on Echelon (2000), the Safe Harbor (2000), the EU-USA agreement on PNR (since 2003 a thirteen year long lasting saga…) the SWIFT agreement (2006) …

What is puzzling are the criticisms raised against the so called “adequacy finding” mechanism which empowers the European Commission to decide if a third Country protects “adequately” the EU citizens’ personal data. The weaknesses of the Commission face to our strongest transatlantic ally were already very well known when recently the parliamentarians have reformed the European legal framework on data protection in view of the new legal basis foreseen by the Treaties and in the art. 7 and 8 of the EU Charter. However the EP didn’t try to strengthen the “adequacy” mechanism by transforming it at least in a “delegated” function (so that it would have been possible for the EP to block something which could have weakened our standards).

Now the US Congress is weakening the (already poor) US data protection and the new US administration will probably go in the same direction. It seems to me too easy to complain now on something that you had recently the chance to fix.

Let’s now hope that the Court of Justice by answering to the request for opinion on the EU-Canada PNR agreement will give to the EU legislator some additional recommendations but as an EU citizen I would have preferred a stronger EU legislation instead of being ruled by European or national Judges…

Emilio De Capitani

B8‑0235/2017 European Parliament resolution on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP))

The European Parliament,

– having regard to the Treaty on European Union (TEU), the Treaty on the Functioning of the European Union (TFEU) and Articles 6, 7, 8, 11, 16, 47 and 52 of the Charter of Fundamental Rights of the European Union,

– having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive)[1],

– having regard to Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters[2],

– having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)[3], and to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA[4],

– having regard to the judgment of the Court of Justice of the European Union of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner[5],

– having regard to the Commission communication to the European Parliament and the Council of 6 November 2015 on the transfer of personal data from the EU to the United States of America under Directive 95/46/EC following the judgment by the Court of Justice in Case C-362/14 (Schrems) (COM(2015)0566),

– having regard to the Commission communication to the European Parliament and the Council of 10 January 2017 on Exchanging and Protecting Personal Data in a Globalised World (COM(2017)0007),

– having regard to the judgment of the Court of Justice of the European Union of 21 December 2016 in Cases C-203/15 Tele2 Sverige AB v Post- och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson and Others[6],

– having regard to Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield[7],

– having regard to Opinion 4/2016 of the European Data Protection Supervisor (EDPS) on the EU-US Privacy Shield draft adequacy decision[8],

– having regard to the Opinion of the Article 29 Data Protection Working Party of 13 April 2016 on the EU-US Privacy Shield draft adequacy decision[9] and its Statement of 26 July 2016[10],

– having regard to its resolution of 26 May 2016 on transatlantic data flows[11],

– having regard to Rule 123(2) of its Rules of Procedure,

  1. whereas the Court of Justice of the European Union (CJEU) in its judgment of 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner invalidated the Safe Harbour decision and clarified that an adequate level of protection in a third country must be understood to be ‘essentially equivalent’ to that guaranteed within the European Union by virtue of Directive 95/46/EC read in the light of the Charter of Fundamental Rights of the European Union (hereinafter ‘the EU Charter’), prompting the need to conclude negotiations on a new arrangement so as to ensure legal certainty on how personal data should be transferred from the EU to the US;
  2. whereas, when examining the level of protection afforded by a third country, the Commission is obliged to assess the content of the rules applicable in that country deriving from its domestic law or its international commitments, as well as the practice designed to ensure compliance with those rules, since it must, under Article 25(2) of Directive 95/46/EC, take account of all the circumstances surrounding a transfer of personal data to a third country; whereas this assessment must not only refer to legislation and practices relating to the protection of personal data for commercial and private purposes, but must also cover all aspects of the framework applicable to that country or sector, in particular, but not limited to, law enforcement, national security and respect for fundamental rights;
  3. whereas transfers of personal data between commercial organisations of the EU and the US are an important element for the transatlantic relationships; whereas these transfers should be carried out in full respect of the right to the protection of personal data and the right to privacy; whereas one of the fundamental objectives of the EU is the protection of fundamental rights, as enshrined in the EU Charter;
  4. whereas in its Opinion 4/2016 the EDPS raised several concerns on the draft Privacy Shield; whereas the EDPS welcomes in the same opinion the efforts made by all parties to find a solution for transfers of personal data from the EU to the US for commercial purposes under a system of self-certification;
  5. whereas in its Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision the Article 29 Working Party welcomed the significant improvements brought about by the Privacy Shield compared with the Safe Harbour decision whilst also raising strong concerns about both the commercial aspects and access by public authorities to data transferred under the Privacy Shield;
  6. whereas on 12 July 2016, after further discussions with the US administration, the Commission adopted its Implementing Decision (EU) 2016/1250, declaring the adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield;
  7. whereas the EU-US Privacy Shield is accompanied by several letters and unilateral statements from the US administration explaining, inter alia, the data protection principles, the functioning of oversight, enforcement and redress and the protections and safeguards under which security agencies can access and process personal data;
  8. whereas in its statement of 26 July 2016, the Article 29 Working Party welcomes the improvements brought by the EU-US Privacy Shield mechanism compared with Safe Harbour and commended the Commission and the US authorities for having taken into consideration its concerns; whereas the Article 29 Working Party indicates, nevertheless, that a number of its concerns remain, regarding both the commercial aspects and the access by US public authorities to data transferred from the EU, such as the lack of specific rules on automated decisions and of a general right to object, the need for stricter guarantees on the independence and powers of the Ombudsperson mechanism, and the lack of concrete assurances of not conducting mass and indiscriminate collection of personal data (bulk collection);
  9. Welcomes the efforts made by both the Commission and the US administration to address the concerns raised by the CJEU, the Member States, the European Parliament, data protection authorities (DPAs) and stakeholders, so as to enable the Commission to adopt the implementing decision declaring the adequacy of the EU-US Privacy Shield;
  10. Acknowledges that the EU-US Privacy Shield contains significant improvements regarding the clarity of standards compared with the former EU-US Safe Harbour and that US organisations self-certifying adherence to the EU-US Privacy Shield will have to comply with clearer data protection standards than under Safe Harbour;
  11. Takes note that as at 23 March 2017, 1 893 US organisations have joined the EU-US Privacy Shield; regrets that the Privacy Shield is based on voluntary self-certification and therefore applies only to US organisations which have voluntarily signed up to it, which means that many companies are not covered by the scheme;
  12. Acknowledges that the EU-US Privacy Shield facilitates data transfers from SMEs and businesses in the Union to the US;
  13. Notes that, in line with the ruling of the CJEU in the Schrems case, the powers of the European DPAs remain unaffected by the adequacy decision and they can, therefore, exercise them, including the suspension or the ban of data transfers to an organisation registered with the EU-US Privacy Shield; welcomes in this regard the prominent role given by the Privacy Shield Framework to Member State DPAs to examine and investigate claims related to the protection of the rights to privacy and family life under the EU Charter and to suspend transfers of data, as well as the obligation placed upon the US Department of Commerce to resolve such complaints;
  14. Notes with satisfaction that under the Privacy Shield Framework, EU data subjects have several means available to them to pursue legal remedies in the US: first, complaints can be lodged either directly with the company or through the Department of Commerce following a referral by a DPA, or with an independent dispute resolution body, secondly, with regard to interferences with fundamental rights for the purpose of national security, a civil claim can be brought before the US court and similar complaints can also be addressed by the newly created independent Ombudsperson, and finally, complaints about interferences with fundamental rights for the purposes of law enforcement and the public interest can be dealt with by motions challenging subpoenas; encourages further guidance from the Commission and DPAs to make those legal remedies all the more easily accessible and available;
  15. Acknowledges the clear commitment of the US Department of Commerce to closely monitor the compliance of US organisations with the EU-US Privacy Shield Principles and their intention to take enforcement actions against entities failing to comply;
  16. Reiterates its call on the Commission to seek clarification on the legal status of the ‘written assurances’ provided by the US and to ensure that any commitment or arrangement foreseen under the Privacy Shield is maintained following the taking up of office of a new administration in the United States;
  17. Considers that, despite the commitments and assurances made by the US Government by means of the letters attached to the Privacy Shield arrangement, important questions remain as regards certain commercial aspects, national security and law enforcement;
  18. Specifically notes the significant difference between the protection provided by Article 7 of Directive 95/46/EC and the ‘notice and choice’ principle of the Privacy Shield arrangement, as well as the considerable differences between Article 6 of Directive 95/46/EC and the ‘data integrity and purpose limitation’ principle of the Privacy Shield arrangement; points out that instead of the need for a legal basis (such as consent or contract) that applies to all processing operations, the data subject rights under the Privacy Shield Principles only apply to two narrow processing operations (disclosure and change of purpose) and only provide for a right to object (‘opt-out’);
  19. Takes the view that these numerous concerns could lead to a fresh challenge to the decision on the adequacy of the protection being brought before the courts in the future; emphasises the harmful consequences as regards both respect for fundamental rights and the necessary legal certainty for stakeholders;
  20. Notes, amongst other things, the lack of specific rules on automated decision-making and on a general right to object, and the lack of clear principles on how the Privacy Shield Principles apply to processors (agents);
  21. Notes that, while individuals have the possibility to object vis-à-vis the EU controller to any transfer of their personal data to the US, and to the further processing of those data in the US where the Privacy Shield company acts as a processor on behalf of the EU controller, the Privacy Shield lacks specific rules on a general right to object vis-à-vis the US self-certified company;
  22. Notes that only a fraction of the US organisations that have joined the Privacy Shield have chosen to use an EU DPA for the dispute resolution mechanism; is concerned that this constitutes a disadvantage for EU citizens when trying to enforce their rights;
  23. Notes the lack of explicit principles on how the Privacy Shield Principles apply to processors (agents), while recognising that all principles apply to the processing of personal data by any US self-certified company ‘[u]nless otherwise stated’ and that the transfer for processing purposes always requires a contract with the EU controller which will determine the purposes and means of processing, including whether the processor is authorised to carry out onward transfers (e.g. for sub-processing);
  24. Stresses that, as regards national security and surveillance, notwithstanding the clarifications brought by the Office of the Director of National Intelligence (ODNI) in the letters attached to the Privacy Shield framework, ‘bulk surveillance’, despite the different terminology used by the US authorities, remains possible; regrets the lack of a uniform definition of the concept of bulk surveillance and the adoption of the American terminology, and therefore calls for a uniform definition of bulk surveillance linked to the European understanding of the term, where evaluation is not made dependent on selection; stresses that any kind of mass surveillance is in breach of the EU Charter;
  25. Recalls that Annex VI (letter from Robert S. Litt, ODNI) clarifies that under Presidential Policy Directive 28 (hereinafter ‘PPD-28’), bulk collection of personal data and communications of non-US persons is still permitted in six cases; points out that such bulk collection only has to be ‘as tailored as feasible’ and ‘reasonable’, which does not meet the stricter criteria of necessity and proportionality as laid down in the EU Charter;
  26. Deplores the fact that the EU-US Privacy Shield does not prohibit the collection of bulk data for law enforcement purposes;
  27. Stresses that in its judgment of 21 December 2016, the CJEU clarified that the EU Charter ‘must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’; points out that the bulk surveillance in the US therefore does not provide for an essentially equivalent level of the protection of personal data and communications;
  28. Is alarmed by the recent revelations about surveillance activities conducted by a US electronic communications service provider on all emails reaching its servers, upon request of the National Security Agency (NSA) and the FBI, as late as 2015, i.e. one year after Presidential Policy Directive 28 was adopted and during the negotiation of the EU-US Privacy Shield; insists that the Commission seek full clarification from the US authorities and make the answers provided available to the Council, Parliament and national DPAs; sees this as a reason to strongly doubt the assurances brought by the ODNI; is aware that the EU-US Privacy Shield rests on PPD-28, which was issued by the President and can also be repealed by any future President without Congress’s consent;
  29. Expresses great concerns at the issuance of the ‘Procedures for the Availability or Dissemination of Raw Signals Intelligence Information by the National Security Agency under Section 2.3 of Executive Order 12333’, approved by the Attorney General on 3 January 2017, allowing the NSA to share vast amounts of private data gathered without warrants, court orders or congressional authorisation with 16 other agencies, including the FBI, the Drug Enforcement Agency and the Department of Homeland Security; calls on the Commission to immediately assess the compatibility of these new rules with the commitments made by the US authorities under the Privacy Shield, as well as their impact on the level of personal data protection in the United States;
  30. Deplores the fact that neither the Privacy Shield Principles nor the letters of the US administration providing clarifications and assurances demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to a US organisation under the Privacy Shield Principles and further accessed and processed by US public authorities for law enforcement and public interest purposes, which were emphasised by the CJEU in its judgment of 6 October 2015 as the essence of the fundamental right in Article 47 of the EU Charter;
  31. Recalls its resolution of 26 May 2016 stating that the Ombudsperson mechanism set up by the US Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry out its duties and provide effective redress to EU individuals; notes that according to the representations and assurances provided by the US Government the Office of the Ombudsperson is independent from the US intelligence services, free from any improper influence that could affect its function and moreover works together with other independent oversight bodies with effective powers of supervision over the US Intelligence Community; is generally concerned that an individual affected by a breach of the rules can apply only for information and for the data to be deleted and/or for a stop to further processing, but has no right to compensation;
  32. Regrets that the procedure of adoption of an adequacy decision does not provide for a formal consultation of relevant stakeholders such as companies, and in particular SMEs’ representation organisations;
  33. Regrets that the Commission followed the procedure for adoption of the Commission implementing decision in a practical manner that de facto has not enabled Parliament to exercise its right of scrutiny on the draft implementing act in an effective manner;
  34. Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 16 May 2018, and with the EU Charter;
  35. Calls on the Commission to ensure, in particular, that personal data that has been transferred to the US under the Privacy Shield can only be transferred to another third country if that transfer is compatible with the purpose for which the data was originally collected, and if the same rules of specific and targeted access for law enforcement apply in the third country;
  36. Calls on the Commission to monitor whether personal data which is no longer necessary for the purpose for which it had been originally collected is deleted, including by law enforcement agencies;
  37. Calls on the Commission to closely monitor whether the Privacy Shield allows for the DPAs to fully exercise all their powers, and if not, to identify the provisions that result in a hindrance to the DPAs’ exercise of powers;
  38. Calls on the Commission to conduct, during the first joint annual review, a thorough and in-depth examination of all the shortcomings and weaknesses referred to in this resolution and in its resolution of 26 May 2016 on transatlantic data flows, and those identified by the Article 29 Working Party, the EDPS and the stakeholders, and to demonstrate how they have been addressed so as to ensure compliance with the EU Charter and Union law, and to evaluate meticulously whether the mechanisms and safeguards indicated in the assurances and clarifications by the US administration are effective and feasible;
  39. Calls on the Commission to ensure that when conducting the joint annual review, all the members of the team have full and unrestricted access to all documents and premises necessary for the performance of their tasks, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, for either law enforcement or national security purposes;
  40. Stresses that all members of the joint review team must be ensured independence in the performance of their tasks and must be entitled to express their own dissenting opinions in the final report of the joint review, which will be public and annexed to the joint report;
  41. Calls on the Union DPAs to monitor the functioning of the EU-US Privacy Shield and to exercise their powers, including the suspension or definitive ban of personal data transfers to an organisation in the EU-US Privacy Shield if they consider that the fundamental rights to privacy and the protection of personal data of the Union’s data subjects are not ensured;
  42. Stresses that Parliament should have full access to any relevant document related to the joint annual review;
  43. Instructs its President to forward this resolution to the Commission, the Council, the governments and national parliaments of the Member States and the US Government and Congress.

NOTES
[1] OJ L 281, 23.11.1995, p. 31.
[2] OJ L 350, 30.12.2008, p. 60.
[3] OJ L 119, 4.5.2016, p. 1.
[4] OJ L 119, 4.5.2016, p. 89.
[5] ECLI:EU:C:2015:650.
[6] ECLI:EU:C:2016:970.
[7] OJ L 207, 1.8.2016, p. 1.
[8] OJ C 257, 15.7.2016, p. 8.
[9] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf
[10] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf
[11] Texts adopted, P8_TA(2016)0233.

(EP BRIEFING) Revision of the Schengen Information System for law enforcement

ORIGINAL PUBLISHED HERE (PDF FILE)

by Costica Dumbrava (Members’ Research Service)

OVERVIEW

The Schengen Information System (SIS) is a large-scale information database that supports external border control and law enforcement cooperation in the Schengen states. It enables competent authorities, such as police and border guards, to enter and consult alerts on certain categories of wanted or missing persons and lost or stolen property. In December 2016, the European Commission adopted a package of proposals aimed at responding more effectively to new migration and security challenges. One of these proposals is focused on improving and extending the use of the SIS in the field of police cooperation and judicial cooperation in criminal matters. It clarifies procedures, creates new alerts and checks, extends the use of biometrics, and enlarges access for law enforcement authorities. The proposal is part of a legislative package that includes a proposal to revise the rules of the SIS in the field of border checks and a proposal for establishing a new role of the SIS in the return of illegally staying third-country nationals.

Proposal for a regulation of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU

Committee responsible: Civil Liberties, Justice and Home Affairs (LIBE)
Rapporteur: To be appointed
Shadow rapporteurs: To be appointed
Next steps expected: Initial discussions in committee
COM(2016) 883, 21.12.2016
2016/0409(COD)
Ordinary legislative procedure (COD) (Parliament and Council on equal footing – formerly ‘co-decision’)

Introduction

The Schengen Information System (SIS) was established by the Convention implementing the Schengen Agreement in 1990, as a primary compensatory measure for the abolition of controls at the internal borders in the Schengen area. SIS II – the current version of the SIS – was established in 2006 and became operational in 2013. Its legal basis is currently defined by Regulation (EC) No 1987/2006 on alerts on persons, Regulation (EC) No 1986/2006 on alerts on vehicles, and Council Decision 2007/533/JHA on alerts on missing and wanted persons and objects.

To respond more effectively to new migration and security challenges in recent years, the European Union (EU) has decided to implement a set of measures aimed at strengthening its external borders, and enhancing cooperation and information exchange between Member States. One such measure was the proposal for a European Border and Coast Guard Agency in 2015 which resulted in the guard being launched in October 2016. Similarly, in December 2015, the European Commission proposed a targeted modification of the Schengen Borders Code to establish mandatory systematic checks for all travellers entering or exiting the EU, and put forward a proposal for a directive on combating terrorism. In January 2016, the European Commission launched a proposal for a directive on the European criminal records information system. In May 2016, the European Commission proposed a revision of the Eurodac Regulation to allow the Eurodac database to be used for identifying illegally staying third-country nationals who do not claim asylum in the EU.

The proposal for a European travel information and authorisation system, put forward in November 2016, is aimed at introducing a mechanism requiring visa-exempt third-country nationals to obtain authorisation to travel to the Schengen area.
In December 2016, the European Commission launched a proposal to establish an EU entry/exit system for recording data on the entry and exit of third-country nationals crossing the EU’s external borders.
The proposal on the revision of the SIS in the field of police cooperation and judicial cooperation is part of a legislative package along with a proposal to revise the SIS in the field of border checks and a proposal to use the SIS for the return of illegally staying third-country nationals.
The first two proposals contain a number of identical provisions and would constitute the new legal basis for the SIS. The Commission announced it will launch a second set of proposals, to further improve the interoperability of the SIS with other information technology (IT) systems, in mid-2017.

Figure 1 – Terrorism-related arrests, attacks and deaths

Data source: Europol, 2014; 2015; 2016.

Context

In 2015, Frontex recorded 1.8 million detections of irregular crossings of the EU’s external borders (about 1 million irregular migrants). Despite EU efforts to stop the flow of irregular migrants, about 0.5 million detections are estimated to have been made in 2016. The number of terrorist attacks in the EU – foiled, failed and completed attacks – increased from 152 to 211 from 2013 to 2015, while the number of persons arrested on terrorism-related charges has doubled in the same period (see Figure 1). At least 151 persons were killed in terrorist attacks in 2015 and the number of deaths caused by such attacks remained high in 2016. Although the majority of perpetrators were EU citizens, many had links with terrorist organisations from outside the EU, and some entered the EU irregularly by exploiting weaknesses of the EU external borders. According to Europol, the perpetrators of the Charlie Hebdo attacks in Paris had links to Al-Qaeda in the Arabian Peninsula (AQAP) in Yemen, while a number of the suspects involved in the November 2015 Paris attacks had previously travelled to and been trained in Syria. The growing phenomenon of foreign fighters (EU citizens travelling to conflict zones abroad to engage in fighting) reveals another dimension of the complex relationship between migration and cross-border crime. In 2015, about 5 000 EU citizens travelled abroad to engage in terrorist activities. The crackdown against the self-proclaimed ‘Islamic State’ in Iraq and Syria (ISIL/Da’esh) has raised serious concerns about the return to Europe of many of these foreign fighters.

Existing situation

Characteristics of the SIS

The SIS consists of three components: 1) a central system; 2) national systems in each Member State that communicate with the central system; and 3) a communication infrastructure. Member States can enter, update, delete, and search data via their national systems, and exchange information via the supplementary information request at the national entry bureaux (Sirene). Member States are responsible for setting up, operating and maintaining their national systems and national Sirene bureaux. The EU Agency for large-scale IT systems in the area of freedom, security and justice (eu-LISA) is responsible for the operational management of the central system and the communication infrastructure. The Commission is responsible for the general oversight and evaluation of the system and for the adoption of implementing measures. The European Data Protection Supervisor (EDPS) monitors the application of the data protection rules for the central system, while the national data protection authorities supervise the application of the data protection rules in their respective countries.

SIS alerts cover the following categories of persons and objects:

  • refusal of entry or stay to third-country nationals who are not entitled to enter or stay in the Schengen area;
  • persons for whom a European arrest warrant or an extradition request (in the case of associated countries) has been issued;
  • missing persons, in view of placing them under protection, if necessary;
  • persons sought to assist with criminal judicial procedures;
  • persons and objects for discreet or specific checks, in view of prosecuting criminal offences and preventing threats to public or national security;
  • objects for seizure or use as evidence in criminal procedures.

SIS alerts consist of three types of data: identification data for the person or object an alert is about; information about why the person or object is being sought; and instructions for concrete action to be taken by officers on the ground when the person or object is found.

Access to data is given to national authorities responsible for border control, police, customs, visa and vehicle registration and, by extension, to national judicial authorities when this is necessary for the performance of their tasks.

The European Police Office (Europol) and the European Union’s Judicial Cooperation Unit (Eurojust) have limited access rights for performing certain types of queries. SIS checks are mandatory for the processing of short-stay visas, for border checks for third-country nationals and, on a non-systematic basis, for EU citizens and other persons enjoying the right of free movement. Every police check on the territory of a Schengen state should include a check in the SIS. Any person has the right to access SIS data related to them, as provided for by the national law of the Member State concerned. Access may only be refused when this is indispensable for the performance of a lawful task related to an alert, and for protecting the rights and freedoms of other people. Individuals may bring actions before the courts or other authorities competent under the national law to access, correct, delete or retrieve information, or to obtain compensation in connection with an alert relating to them.

Identified shortcomings

According to eu-LISA reports, the total number of alerts inserted in the SIS increased between December 2013 and December 2015 (see Figure 2). These alerts have been distributed unevenly across Member States.

In 2015, three countries had more than half of the total number of alerts: Italy (18 million), Germany (9.5 million) and France (6.5 million). Despite an increase in the total number of SIS alerts between 2013 and 2015, the number of alerts on persons has slightly decreased. The number of searches in the SIS increased from 1.2 billion to 2.9 billion between April 2013 and December 2015. Member States do not use the SIS equally: in 2015, three Member States conducted about half of the searches: France (555 million), Spain (398 million) and Germany (393 million).
Currently, identity checks in the SIS are based on alphanumeric searches (name and date of birth).
Fingerprints can be used only in order to verify and confirm the identity of a person who has already been identified by name. The SIS legal framework allows the use of facial images and fingerprints in order to verify identity, provided that the necessary technology is available.
In 2016, the European Commission asked eu-LISA to start working on implementing the fingerprint functionality in the SIS. In its March 2016 report, the European Counter-terrorism Coordinator (ECTC) pointed to problems related to the absence of common standards for inserting alerts and for interpreting and reporting information in the SIS.
With regard to using the SIS to combat terrorism, the ECTC noted that Member States continue to apply different standards and did not systematically enter identified foreign terrorist fighters in the SIS.
The European Commission has made several legal and technical improvements to the SIS to enable real-time communication from the ground to relevant services in other Member States, and to improve information exchange on terrorist suspects.
In 2015, the Commission revised the Schengen handbook and finalised a set of common risk indicators to be used during border checks in order to detect foreign terrorist fighters. The proposal for a directive on combating terrorism obliges Member States to systematically enter alerts on suspected or convicted terrorist offenders in the SIS.
Currently, there is little interoperability and interconnection between different information systems. The ECTC reported a discrepancy between the number of SIS alerts on national security grounds and the number of entries on foreign terrorist fighters in Europol’s European information system (EIS). All SIS alerts related to terrorism should, by default, also be recorded in the EIS. The Commission announced that it would start working towards introducing a single search interface to allow simultaneous searches to be performed in all relevant systems without changing existing access rights.

Parliament’s starting position

The European Parliament has consistently advocated more effective cooperation between Member States’ law enforcement authorities, provided that appropriate safeguards on data protection and privacy are maintained.
In its resolution of 17 December 2014 on renewing the EU internal security strategy, the Parliament called on the Member States to make better use of valuable existing instruments, including through ‘more expeditious and efficient sharing of relevant data and information’.
In its resolution of 11 February 2015 on anti-terrorism measures, the Parliament restated its call on the Member States to make optimal use of existing databases, and reiterated that ‘all data collection and sharing, including by EU agencies such as Europol, should be compliant with EU and national law and based on a coherent data protection framework offering legally binding personal data protection standards at an EU level’.
In its resolution of 6 July 2016 on the strategic priorities for the Commission work programme 2017, the Parliament called on the Commission to present proposals to improve and develop existing information systems, address information gaps and move towards interoperability.

Council and European Council starting positions

The European Council has repeatedly called for the management of the EU’s external borders to be reinforced in order to cope with migration pressure and security challenges.
The European Council’s strategic guidelines for justice and home affairs of June 2014 identified the need to improve the link between the EU’s internal and external policies, and called for the intensification of operational cooperation among Member States, ‘while using the potential of information and communication technologies’ innovations’.
In its conclusions of 15 October 2015, the European Council called for devising ‘technical solutions to reinforce the control of the EU’s external borders to meet both migration and security objectives, without hampering the fluidity of movement’. In its conclusions of 17-18 December 2015, the European Council urged that the shortcomings at the external borders be addressed, notably by ensuring systematic security checks with relevant databases.
On 16 September 2016, the 27 Heads of State or Government attending the Bratislava Summit adopted the Bratislava declaration and roadmap, in which they called for the intensification of cooperation and information exchange, and urged the ‘adoption of the necessary measures to ensure that all persons, including nationals from EU Member States, crossing the Union’s external borders will be checked against the relevant databases, that must be interconnected’.
The Council also called for ‘reinforc[ing] border security through systematic and coordinated checks against the relevant databases based on risk assessment’, and for ‘improving information exchange and accessibility, especially by ensuring the interoperability of different information systems’ in its conclusions of 10 June 2015 on the renewed European Union internal security strategy 2015-2020.
On 6 June 2016, the Council Presidency put forward a roadmap to enhance information exchange and information management including interoperability solutions in the area of justice and home affairs. In a note on IT measures related to border management, presented on 3 October 2016, the Council Presidency maintained that well-functioning information architecture constituted a prerequisite for effective border management.

Preparation of the proposal

In April 2016, the European Commission adopted a communication on stronger and smarter information systems for borders and security, in which it identified a number of key shortcomings in the existing information systems and explored options on how existing and future information systems could enhance external border management and internal security.
With regard to the SIS, the communication outlined several possible developments: the creation of SIS alerts on irregular migrants subject to return decisions; the use of facial images for biometric identification; the automatised transmission of information on a hit following a check; and the creation of a new alert category on ‘wanted unknown persons’.
In June 2016, the high-level expert group on information systems and interoperability (HLEG) was established to work on a joint strategy to make data management in the EU more effective and efficient. The HLEG is composed of high-level representatives of the Commission, Member States, associated members of the Schengen area (Iceland, Norway and Switzerland), EU agencies (eu-LISA, Frontex, the European Union Agency for Fundamental Rights (FRA), the European Asylum Support Office (EASO) and Europol) and the Counter-terrorism Coordinator.
The Council Secretariat and representatives of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) participate as observers.
The HLEG’s interim report, presented in December 2016, emphasised the need to raise the standards of data quality and data usage, and identified priority options to be considered in promoting information systems interoperability.
The comprehensive evaluation of the SIS II, finalised by the Commission in December 2016, found that, despite the ‘obvious success’ of the system, changes were needed in order to provide a better response to ongoing security and migration challenges.
The report emphasised the need to reinforce the use of the SIS for counter-terrorism purposes, to clarify the situation of children who are under threat of parental abduction, to extend the use of biometric identifiers and to enhance security standards, data quality and the transparency of SIS.
In the preparation of the proposal, the Commission took into account the results of consultations with relevant stakeholders, such as the SISVIS committee, the SIS II supervision coordination group, and the Member States’ national data protection authorities. The Commission did not carry out an impact assessment but relied on the findings of three independent studies.

The changes the proposal would bring

New alerts and checks

The proposal would introduce a new alert category of ‘unknown wanted persons’ who are connected to a crime, for example persons whose fingerprints are found on a weapon used in a crime.
The scope of the existing alert on missing persons would be extended to allow national authorities to issue preventive alerts for children who are at high risk of parental abduction. The proposal would establish an obligation on the Member States to create SIS alerts for cases related to terrorist offences.
A new ‘inquiry check’ would allow authorities to question a person more thoroughly than in the case of a discreet check, in order to gather more information about the person and to decide on whether further action should be taken. This new type of check is intended to support measures to counter terrorism and serious crime. The proposal would further expand the list of objects for which alerts can be issued, to cover, for example, blank official documents, issued identity papers, vehicles, falsified documents and falsified banknotes.

Extended use of biometrics

The proposal would provide for more effective use of existing biometrics, such as facial imaging and fingerprints, and introduce new biometric identifiers, such as palm prints and DNA profiles. It would be mandatory to carry out a fingerprint search if the identity of the person cannot be ascertained in any other way. The system would allow for the storage of fingerprints of ‘unknown wanted persons’. DNA profiles could be used in the case of missing persons who need to be placed under protection when fingerprints or palm prints are not available.

Wider access for law enforcement authorities

The proposal would grant access to SIS to national authorities responsible for examining conditions, and taking decisions, relating to entry, stay, and return of third-country nationals on the territory of Member States.
The extension of access to various immigration authorities would enable the consultation of SIS in relation to irregular migrants who have not been checked at a regular border control. Registration authorities for boats and aircraft would receive limited access to SIS to carry out their tasks, provided that they are governmental services. Europol would receive full access rights to SIS, including to alerts on missing persons. The European border and coast guard agency and its teams would be allowed to access SIS when carrying out operations in support of Member States.

Enhanced data protection and security

The proposal would allow more detailed information to be entered in alerts, such as whether a person is involved in terrorism-related activities (as defined by Articles 1-4 of Council Framework Decision 2002/475/JHA on combating terrorism), details of a person’s identity or travel documents, and other person-related remarks.
It would expand the list of personal data to be entered and processed in SIS for the purpose of dealing with misused identities. It would provide for the recording of the details of data subjects’ personal identification documents and make it possible to categorise missing children according to the circumstances of their disappearance.
The proposal would introduce additional safeguards to ensure that the collection and processing of, and access to, data is limited to what is strictly necessary, in full respect of EU legislation and fundamental rights. It would provide for specific alert-deletion rules and reduce the retention period for object alerts.
According to the proposal, Member States would be prohibited from copying data entered by another Member State into other national data files.
The proposal would establish a uniform set of rules and obligations for end-users (officers on the ground) on how to access and process SIS data in a secure way. In order to ensure proper monitoring of SIS, eu-LISA would be charged with providing daily, monthly and annual statistics on how the system is used.

Budgetary implications

The estimated costs related to the proposal amount to €64.3 million for the 2018-2020 period and would serve to cover, among other things, implementing the changes provided for in the proposed revision of SIS in the field of police cooperation and judicial cooperation in criminal matters. Each Member State would receive a lump sum of €1.2 million to upgrade its national system. The budget would be secured through a re-programming of the smart borders envelope of the Internal Security Fund.

Advisory committees
The advisory committees are not mandatorily consulted on this proposal.

National parliaments
To date, none of the national parliaments has submitted a reasoned opinion on the compatibility of the proposal with the principle of subsidiarity.

Stakeholders’ views
This section aims to provide a flavour of the debate and is not intended to be an exhaustive account of all different views on the proposal. Additional information can be found in related publications listed under EP supporting analysis.
No major stakeholder has issued a position on the Commission’s proposal so far.

Legislative process
The legislative proposal (COM(2016) 883), adopted on 21 December 2016, falls under the ordinary legislative procedure (2016/0409(COD)) and, within the European Parliament, has been assigned to the Committee on Civil Liberties, Justice and Home Affairs (LIBE). Work in the committee is still at an early stage. In the Council, the working party for Schengen matters is likewise still at an early stage in its examination of the proposal.

EP supporting analysis
– Bakowski, P., Puccio, L., Foreign fighters – Member State responses and EU action, EPRS, March 2016.
– van Ballegooij, W., The cost of non-Schengen: Civil liberties, justice and home affairs aspects, EPRS, September 2016.
– Gatto, A., Carmona, J., European Border and Coast Guard System, EPRS, October 2016.
– Gatto, A., Goudin, P., Niemenen, R., Schengen area: Update and state of play, EPRS, March 2016.
– Malmersjo, G., Remáč, M., Schengen and the management of the EU’s external borders, Implementation appraisal, EPRS, April 2016.
– Voronova, S., Combating terrorism, EPRS, July 2016.

Other sources
Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, European Parliament, Legislative Observatory (OEIL).

Disclaimer and Copyright
The content of this document is the sole responsibility of the author and any opinions expressed therein do not necessarily represent the official position of the European Parliament. It is addressed to the Members and staff of the EP for their parliamentary work. Reproduction and translation for non-commercial purposes are authorised, provided the source is acknowledged and the European Parliament is given prior notice and sent a copy.
© European Union, 2017.

eprs@ep.europa.eu http://www.eprs.ep.parl.union.eu (intranet) http://www.europarl.europa.eu/thinktank (internet) http://epthinktank.eu (blog)
First edition. The EU Legislation in Progress briefings are updated at key stages throughout the legislative procedure.

TERROR AND EXCLUSION IN EU ASYLUM LAW CASE – C-573/14 LOUNANI (GRAND CHAMBER, 31 JANUARY 2017)

ORIGINAL PUBLISHED ON EUROPEAN LAW BLOG ON MARCH 3, 2017 (NB: EMPHASIS ADDED)

By Stephen Coutts

The on-going conflict in the Middle East has profound implications for the global legal order in two areas of law in particular: asylum law and anti-terrorist law.

The European Union and EU law have not been immune from this development and in many respects are closely affected by these geopolitical developments and their legal impact. After a fitful start, the EU has become a major actor in the area of criminal law, and in particular anti-terrorist law, on the one hand and in asylum law on the other.[1]

The two fields meet in Article 12(2)(c) of the Qualification Directive, itself reflecting Article 1F of the Geneva Convention,[2] which provides that an individual shall be excluded from eligibility for refugee status for acts contrary to the principles and purposes of the United Nations, acts which have been held to include acts of terrorism.

Furthermore, Article 12(3) of the Qualification Directive extends that exclusion to ‘persons who instigate or otherwise participate in the commission of the crimes or acts’ mentioned in Article 12(2). The status of terrorist and refugee are legally incompatible and mutually exclusive; one simply cannot be a terrorist and also a refugee. What, however, constitutes a terrorist for the purposes of Article 12 of the Qualification Directive? That essentially is the question at stake in Lounani.

Facts and Background Context

Mr Lounani, a Moroccan national, arrived in Europe in 1991 and initially applied for asylum in Germany where his application was rejected. He moved to Belgium in 1997 and lived there illegally. In 2010 he was convicted of membership of the Moroccan Islamic Combatant Group (MICG), an organisation that has been listed by the United Nations Security Council as a terrorist organisation. It appears he occupied a leading role in the MICG over many years and participated in various aspects of its organisation including fund-raising, forging of documents and arranging the travel of individuals to Iraq.

Crucially, however, he was never convicted of direct terrorist acts and there appears to be some dispute as to whether the MICG and/or individuals Mr Lounani aided in travelling to Iraq themselves participated directly in terrorist acts.

Mr Lounani subsequently claimed asylum in Belgium on the grounds that, following his conviction for terrorist-related offences, he would be persecuted upon return to Morocco. An initial decision excluding him from refugee status on the basis of Article 12(2)(c) of the Qualification Directive was overturned on review. That decision was in turn appealed to the Conseil d’Etat, which stayed the case and referred a number of questions to the Court of Justice, asking essentially whether the exclusion clause operated only in relation to terrorist acts as defined in Article 1 of the Framework Decision on Combatting Terrorism (FDCT)[4] or whether ancillary acts of participation in a terrorist organisation and facilitating the commission of terrorist acts could be considered contrary to the principles and values of the UN as referred to in Articles 12(2)(c) and 12(3)[5] of the Qualification Directive.

Finally, if so, the Conseil d’Etat queried if a criminal conviction would automatically lead to the application of the exclusion clause.

Opinion of AG Sharpston[6]

The European Union’s Policies on Counter-Terrorism. Relevance, Coherence and Effectiveness

FULL TEXT (226 pages) ACCESSIBLE HERE 

(*) This research paper was requested by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs and was commissioned, overseen and published by the Policy Department for Citizens’ Rights and Constitutional Affairs. (January 2017)

AUTHORS:
(PwC): Wim WENSINK, Bas WARMENHOVEN, Roos HAASNOOT, Rob WESSELINK, Dr Bibi VAN GINKEL,
International Centre for Counter-Terrorism (ICCT) – The Hague: Stef WITTENDORP, Dr Christophe PAULUSSEN, Dr Wybe DOUMA, Dr Bérénice BOUTIN, Onur GÜVEN, Thomas RIJKEN. With research assistance from: Olivier VAN GEEL, Max GEELEN, Geneviève GIRARD, Stefan HARRIGAN, Lenneke HUISMAN, Sheila JACOBS and Caroline TOUSSAINT.

EXECUTIVE SUMMARY (emphasis added)

Background and aim

The series of recent terrorist attacks, as well as the various foiled and failed terrorist plots on European soil, have more than ever reinforced the popular awareness of the vulnerabilities that go hand-in-hand with the open democracies in the European Union (EU). The fact that these attacks followed each other at short intervals, and above all the fact that they often did not fit the profile and modus operandi of previous attacks, has significantly contributed to the difficulty security agencies face in detecting threats as they materialise. The attacks struck a diversity of targets, were committed by a variety of actors including foreign fighter returnees, home-grown jihadist extremists, and lone actors, and were executed with a variety of weapons or explosives. A further complicating factor is the trend towards the weaponisation of ordinary life, in which a truck or a kitchen knife already fulfils the purpose.

Governments, policy-makers, and politicians in most EU Member States feel the pressure of the population, who call for adequate responses to these threats. Similarly, the various actors of the EU of their own accord, or the European Council driven by (some) Member States, have stressed the importance of effective responses to these increased threats, and have specifically underlined the importance of information sharing and good cooperation. Particularly illustrative in this respect are the conclusions adopted during the European Council meeting of 15 December 2016, in which the European Council stressed the importance of the political agreement on the Counter-Terrorism Directive, emphasised the need to swiftly adopt the proposals on regulation of firearms and anti-money laundering, as well as the implementation of the new passenger name record (PNR) legislation.1 The European Council furthermore welcomed the agreement on the revised Schengen Borders Code, and stressed the importance of finding agreement on the Entry/Exit System and the European Travel Information and Authorisation System.2

Although the easy way to satisfy the call for action by the national populations seems to be to just take action for the sake of it, the responsibility lies with the relevant actors, in line with the objectives and principles of the EU Treaty and the values the EU represents,3 to actually assess the security situation, and implement, amend or suggest (new) policies that are adequate, legitimate, coherent and effective in the long run. It is with that objective in mind that this study, commissioned by the European Parliament, has made an assessment of the current policy architecture of the EU in combating terrorism, particularly looking into loopholes, gaps or overlap in policies in areas ranging from international and inter-agency cooperation, data exchange, external border security, access to firearms and explosives, limiting the financing of terrorist activities, criminalising terrorist behaviour and prevention of radicalisation. This study furthermore looks into the effectiveness of the implementation of policies in Member States and the legitimacy and coherence of the policies.

Seven major policy themes were selected and addressed in depth by this study:

  • Measures and tools for operational cooperation and intelligence/law enforcement and judicial information exchange;
  • Data collection and database access and interoperability;
  • Measures to enhance external border security;
  • Measures to combat terrorist financing;
  • Measures to reduce terrorists’ access to weapons and explosives;
  • Criminal justice measures;
  • Measures to combat radicalisation and recruitment.

The research team has assessed the degree of implementation of EU counter-terrorism measures under these seven themes in a selection of seven Member States: Belgium, Bulgaria, France, Germany, the Netherlands, Slovakia and Spain. This study sets out policy options for the future direction of EU counter-terrorism policy. The focus of policy options is on future threats and developments, and on developing creative yet feasible policy solutions.

Main findings

The Meijers Committee on the inter-parliamentary scrutiny of Europol

ORIGINAL PUBLISHED ON THE MEIJERS COMMITTEE (*) PAGE HERE

  1. Introduction

Article 88 TFEU provides for a unique form of scrutiny on the functioning of Europol. It lays down that the [regulations on Europol] shall also lay down the procedures for scrutiny of Europol’s activities by the European Parliament, together with national Parliaments.

Such a procedure is now laid down in Article 51 of the Europol Regulation (Regulation (EU) 2016/794), which provides for the establishment of a “specialized Joint Parliamentary Scrutiny Group (JPSG)”, which will play the central role in ensuring this scrutiny. The Europol Regulation shall apply from 1 May 2017.

Article 51 of the Europol Regulation also closely relates to Protocol (1) of the Lisbon Treaty on the role of national parliaments in the EU. Article 9 of that protocol provides: “The European Parliament and national Parliaments shall together determine the organization and promotion of effective and regular inter-parliamentary cooperation within the Union.”

Article 51 (2) does not only lay down the basis for the political monitoring of Europol’s activities (the democratic perspective), but also stipulates that “in fulfilling its mission”, it should pay attention to the impact of the activities of Europol on the fundamental rights and freedoms of natural persons (the perspective of the rule of law).

The Meijers Committee takes the view that improving the inter-parliamentary scrutiny of Europol, with appropriate involvement of both the national and the European levels, will by itself enhance the attention paid by Europol to the perspectives of democracy and the rule of law, and more particularly to the protection of fundamental rights. It will raise the alertness of Europol as concerns these perspectives.

Moreover, the scrutiny mechanism could pay specific attention to the fundamental rights protection within Europol. This is particularly important in view of the large amounts of – often sensitive – personal data processed by Europol and exchanged with national police authorities of Member States and also with authorities of third countries.

The implementation of Article 51 into practice is currently debated, e.g. in the inter-parliamentary committee of the European Parliament and national parliaments.1 As specified by Article 51 (1) of the Europol regulation, the organization and the rules of procedure of the JPSG shall be determined.

The Meijers Committee wishes to engage in this debate and makes, in this note, recommendations on the organization and rules of procedure.

  2. Context
