Category: 9. Internal security -police cooperation

The Paris Terrorist Attacks : Failure of the EU’s Area of Freedom, Security and Justice?

Original published on the CDRE site on 8 JANVIER 2016

by P. de Bruycker et D. Watt (Odysseus Omnia), H. Labayle (CDRE), A. Weyembergh et C. Brière (Eclan)

In the immediate aftermath of the terrorist attacks in Paris on Friday 13th November, the French President declared a state of emergency and announced the introduction of a number of measures to “mobilise all possible forces in order to neutralise the terrorists and to guarantee the security of all the areas which could be concerned”. These measures included the reintroduction of controls by France at its internal borders with other Schengen States in the interest of preventing both the entry into the territory of dangerous individuals seeking to carry out terrorist attacks, and to thwart the escape of the attackers.

Nonetheless, Salah Abdeslam, a suspect believed to be one of the masterminds of the attacks, managed to escape by crossing the border between France and Belgium during the night from Friday to Saturday without being apprehended and has still not been arrested since, despite significant effort on the part of the Belgian and French police forces. More surprising, although relatively ignored by the media is that he was checked by French police in the border region (around the city of Cambrai) but not apprehended. How can this have happened in the heart of the EU where border guards, police, judges and intelligence services use modern technology to trace such people?

Before putting the area of freedom, security and justice on trial – as some politicians have done – it is certainly important to objectively examine the manner in which the workings of this beast have been confronted by the reality of terrorism. Whether it has to do with controls carried out at borders (Section 1 of this article), or cooperation between national police forces (Section 2), it must be noted that the primary responsibility in this case does not rest with the mechanisms created by the European Union. In contrast, the failure to prevent the rather predictable attacks now creates the question of sharing intelligence between the competent national intelligence agencies, a matter which does not fall within the Union’s competences (Section 3).

1. The pending questions about border policy

Knowing what we know today about the Paris attacks and the background of the perpetrators, a distinction needs to be made between the matter of terrorists crossing internal and external borders of the Schengen Area.

a. The crossing of internal borders

The Schengen Borders Code (SBC) regulates the crossing of the borders of the concerned EU Member States. As outlined in an article by Evelien Brouwer on this blog, Schengen States can, on the basis of Article 23 of the SBC, temporarily reintroduce controls at their internal borders if there is clear justification on the grounds of a threat to public policy or internal security. The existence of such a threat is obviously not in question here.

Schengen States have certain instruments at their disposal to guarantee effective border management in the Schengen Area. The Schengen Information System (SIS) is a database for storing and sharing information about certain individuals who should not enter or travel within the Schengen Area. The second generation – “SIS II” – was established to include the new Member States after the 2004 enlargement by Regulation 1987/2006, which also sets out rules on its operation and use.

There are several reasons a person may be registered in the SIS. Firstly, alerts may be issued in order to refuse entry or stay to third-country nationals either because they are criminals or because their entry has been banned due to non-respect of the immigration rules (Article 24 of Regulation 1987/2006). Secondly, alerts may be issued in order to arrest third-country nationals or EU citizens on the basis of a European arrest warrant (EAW) or extradition. This type of alert applies to missing individuals, persons sought to assist with a judicial procedure, and for the purpose of discreet or specific checks (see Council Decision 2007/533).

As Salah Abdeslam is French and not a third-country national, he could not, by definition, be the object of an alert related to the immigration policy. When he was checked by the French police during the night of 13 to 14 November, he was not known to the French authorities apparently because, despite being French, he was living in Belgium. He was also not the object of an alert for the purpose of arrest as the EAW was only issued by Belgium after the attacks, on Sunday. He had however been signalled in the SIS by the Belgian authorities as a person to be the object of a “discreet or specific check”. Following Article 36 of Council Decision 2007/533, such an alert may be issued for the purposes of prosecuting criminal offences and for the prevention of threats to public security, “in particular where an overall assessment of a person, in particular on the basis of past criminal offences, gives reason to suppose that that person will also commit serious criminal offences in the future”.

Given the stated goals of the closure of French borders – to stop the escape of those who carried out the attacks – one might begin to question how it can be that the check conducted by the French police did not lead to the arrest of Salah Abdeslam. Even if he was not mentioned in the SIS for the purpose of arrest, a signal for a discreet or specific check should have attracted the attention of the police and could have lead to his arrest. One can rightly wonder what happened: was the information stored in the SIS not precise enough? In this case, did the French police use the SIRENE system to get more information from the Belgian authorities? If not, why? We are used to Schengen-bashing and recently to Belgium-bashing, could it be fair to say that this time there should be some France-bashing?

It would be interesting to get an answer to those questions in order to understand what was indeed the problem. In any case, even if there had been a problem with the SIS and not with the actions of the French Police, it is clear that such transnational criminality can only be addressed at the international level. In any case, the answer lies perhaps in a better SIS or a better use of the SIS by Member States. The answer is certainly not less Schengen.

b. The crossing of external borders

The attacks in Paris have brought a significant amount of attention to the issue of border controls, in particular since it has been confirmed that at least one of the terrorists, holding a Syrian passport, entered the EU through Greece via a route used by refugees. It is also suggested that the Paris attackers, themselves EU citizens, had left the EU to fight in Syria and returned to carry out the attacks in Paris, and that one of them, Salah Abdeslam, could even have managed to flee to Syria after the attacks. This is the phenomenon of so-called “Foreign Fighters”: EU citizens who become radicalised and leave their home in the EU to join the war in Syria before returning to Europe. The European Union’s Counter-Terrorism Coordinator, Gilles de Kerchove, has been warning Member States for many months about the need for strong action to be taken in this area, though his warnings have not been heeded. The main concern here is that such individuals are extremely difficult to detect, including when they enter or leave the Schengen Area by crossing its external borders.

The Schengen Borders Code provides in Article 7(2) that European citizens and other people enjoying the right to free movement in the EU, such as the family members of these groups, who cross the Schengen external border shall only be subject to minimum checks. This concerns the travel documents presented by those persons at the external border, such as an identity card or passport. On the contrary, third-country nationals are subject to thorough checks following Article 7(3) that foresees under point (a)(vi) “the direct consultation of the data and alerts on persons and, where necessary, objects included in the SIS and in national data files”. Such checks are sometimes described as being about persons instead of about documents.

Although Border Guards may consult relevant databases such as the SIS to ensure, among other things, that European citizens crossing the external borders do not represent a serious threat to internal security, a systematic consultation of these databases is not permitted. The EU and  its Member States have been struggling with this prohibition of systematic checks of persons for some years now. It is clear that absolutely all EU citizens cannot be checked against databases at one crossing point of the external borders as this would directly contravene this provision. The Commission considers that this does not prevent conducting systematic checks of persons selected on the basis of a risk assessment, for instance some category of persons embarking on flights going to or coming from the vicinity of a conflict zone. TheHandbook for Border Guards was modified on 15 June 2015 to include that interpretation.

Nonetheless, Member States in the Council have been calling for the revision of the SBC regarding the systematic consultation of databases for persons enjoying free movement since the beginning of the year, motivated in large part by the Charlie Hebdo attacks in Paris in January 2015. The concerns about the threat of foreign fighters crossing back into the EU undetected are also the basis for a list of Common Risk Indicators (CRI’s), which has been drawn up by the Commission. However, it appears that these confidential CRI’s are too general and too vague in nature, leading to their ineffective implementation by Border Guards. Indeed, a Council document from 5 October from the EU Counter-Terrorism Coordinator explains that “challenges remain in the proper implementation of CRI’s at the external border”. No doubt the ineffectiveness of CRI’s is a contributing factor to the Council’s renewed call for revision of the SBC, as expressed by the Ministers for Justice and Home Affairs on 20 November. Meeting in the wake of the Paris attacks, the Council stated that Member States shall “undertake to implement immediately the necessary systematic and coordinated checks at external borders, including on individuals enjoying the right of free movement”.

One can hardly deny that such checks can be necessary, in particular at the external borders of some areas that foreign fighters are believed to cross more often than others. The current provision of the Schengen Borders Code seems inappropriate by forbidding systematic checks and this explains why the European Commission finally decided on 15 December 2015 to present a proposal to amend Article 7 of the SBC that will, once adopted, not only allow but oblige border guards to verify that an EU citizen is not “considered to be a threat to the internal security, public policy, international relations of any of the Member States or to public health, including by consulting the relevant Union and national databases, in particular the SIS”.

Does this contravene the freedom of movement that EU citizens enjoy on the basis of the EU treaties? The answer seems at first look negative, because freedom of movement concerns a priorimovement within the borders of the European Union and not the crossing of its external borders. Nevertheless, Directive 2004/38 implementing freedom of movement also contains provisions recognising the right of EU citizens to enter and to leave the territory of the Member States that could be considered part of the freedom of movement. Article 4 on the right of exit and Article 5 of the right of entry exist “without prejudice to the provisions on travel documents applicable to national border controls”. If this provision, interpreted narrowly, does not explicitly cover the consultation of databases, one should not forget that Article 27 of the same Directive allows Member States to restrict the freedom of movement and residence of Union citizens on the grounds of public policy, public security or public health. There is no doubt that the consultation of databases for security purposes like the SIS falls under the exception of public security. The conclusion is that the Commission proposal is in line with freedom of movement enjoyed by EU citizens.

Even if one may consider that a proposal to modify Article 7 of the SBC could have been presented earlier by the Commission without wasting time to discuss its possible interpretation with Member States, the Schengen acquis will be clarified to allow the systematic control of the movement of foreign fighters at the external borders of the EU. The sooner the better, so that the Council of Ministers and the European Parliament must now prove that when necessary, they can amend existing EU rules in a period of time comparable to that within which Member States with a Parliament made of two chambers can operate.

2. The effectiveness of police and judicial cooperation in criminal matters after the attacks

The Paris attacks and their subsequent developments, such as the flight of the suspected terrorist, Salah Abdeslam, to Belgium by car, trigger the application of mechanisms of police and judicial cooperation in criminal matters. These mechanisms have been extensively developed since the mid-1990’s, and particularly after the entry into force of the Amsterdam Treaty. Today a vast array of instruments, actors and databases are at the disposal of national authorities in charge of investigating and prosecuting terrorism. The anti-EU discourse that followed the attacks, which so often focusses on inaction during grave events, should have been balanced by an analysis of what happened in reality.

In the field of police cooperation, the importance of Europol should be underlined, both in terms of exchange and analysis of information and in terms of support for operational actions. The adoption of the compromise text on the Commission’s original proposal for a Europol Regulation, which was approved by the Council on 4 December 2015, should contribute to the improvement of cross-border police cooperation, as it should increase the agency’s capacity to act as “a hub for information exchange between the law enforcement authorities of the Member States”. One “Focal Point Travellers » has especially been set up in 2014, in which “foreign fighters” are recorded, even though it is for the Member States to make the focal point a reality by providing the content. The so-called 2008 “Prüm Decision” should be mentioned here as well. It aims particularly at mandating the exchange of DNA, fingerprint and vehicle registration data (VRD) amongst the Member States.

In terms of judicial cooperation in criminal matters, Christiane Taubira, French Minister for Justice, insisted after the JHA Council of 20 November 2015, that we do have instruments to address this type of crime and they have worked well for the cooperation with the Member States affected by the investigations.

On the morning following the attacks, requests for mutual assistance in judicial matters were issued and sent to Belgium and Germany. They were addressed very quickly on the basis of the 2000 Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union.

Among the other instruments specific to the EU legal order which have been used in this context, theFramework Decision 2002/584/JHA on the European Arrest Warrant (EAW) is to be mentioned. Adopted in the aftermath of 9/11, the EAW, which is considered the “success story” of the EU area for criminal justice, organises faster and simplified surrender procedures, directly conducted by judicial authorities, without political involvement and with a limited number of grounds for refusal. One or more EAWs have been issued since the Paris attacks against suspects, which implies that competent law enforcement authorities located on the EU territory have the duty to arrest them. On the request of the issuing judicial authority, the issuance of an EAW can be coupled with its transmission via an alert in the Schengen Information System and/or in the Interpol database.

The European Criminal Records Information System (ECRIS), based on a 2009 Council Decision, which is to be read with the Framework Decision on the organisation and the content of the exchange of information extracted from the criminal record between Member States, has also been mobilised and proved its added value for the collection of information on the past convictions of the terrorist suspects. Operational since 2012, this system couples the principle of centralising convictions in the criminal records of the Member State of nationality with an interconnection of the criminal records of the Member States, enabling electronic exchange of standardised information.

Finally, joint investigation teams (JITs), belonging both to police cooperation and judicial cooperation, have a clear added-value. A JIT has been set up between France and Belgium, for which the Ministries of Justice of each country gave their agreement on 16 November. The setting up of a JIT allows the constitution of a team consisting of judges, prosecutors and law enforcement authorities, established for a fixed period and a specific purpose, to carry out criminal investigations in one or more of the involved States. One of the advantages of such JITs is the exchange of information and evidence obtained, without having to go through requests for mutual legal assistance.

Despite these positive elements, cooperation between authorities of the EU Member States can still be improved:

  • Firstly, some of the abovementioned instruments, such as the 2008 Prüm Decision or the JITs Framework Decision, have not or have not correctly been transposed by Member States. The importance of correct implementation at the national level has been frequently underlined, for instance by the European Council Strategic Guidelines of June 2014 and by the conclusions of the JHA Council of 20 November. In this respect the end of the transitional period on the 1st December 2014 should push the recalcitrant Member States to conform with EU law as they may be subject to enforcement proceedings for non implementation of acts adopted before the entry into force of the Lisbon Treaty.
  • Secondly, some difficulties are also being witnessed at the level of implementation in practice. There is, for instance, a considerable shortfall between, on the one hand, the information available at national level and, on the other hand, the information transmitted to and shared with the competent authorities of other Member States. Besides, the information transmitted to Europol is not always sufficient, hampering the completion of its mandate. In this context, on 20 November 2015, the JHA Council announced the establishment of the European Counter-Terrorism Centre (ECTC) on 1 January 2016, which is envisaged as a platform by which Member States can increase information sharing and operational cooperation with regard to the monitoring and investigation of foreign terrorist fighters, the trafficking of illegal firearms and terrorist financing. A similar centre, the EC3, was set up a few years ago in the field of cybercrime, and it has proven to be a useful tool. The utility of the ECTC will largely depend upon the willingness of Member States to share their information, which has been insufficient to date, as shown by the example of the “Focal Point Travellers” of Europol about foreign fighters following a discussion paper of the EU Counter-Terrorism Coordinator.
  • Thirdly, some of the abovementioned instruments suffer from certain limits. ECRIS works efficiently only with regard to EU citizens. Concerning third country nationals, it is still necessary to consult all Member States’ criminal records to know about their past convictions. For years, the possibility of establishing a European index for convicted third country nationals has been discussed. In its conclusions of 20 November, the JHA Council welcomed the intention of the Commission to submit an ambitious proposal for the extension of ECRIS to cover third country nationals by January 2016.
  • Finally, further new legislative measures should be proposed shortly, for instance in the field of the approximation of substantive criminal law, particularly the criminalisation of terrorist offences. Indeed, according to the Council conclusions of 20 November, the Commission should present a proposal for a directive updating the 2002 and 2008 Framework Decisions on Combating Terrorism . This revision will implement in EU law the UNSC Resolution 2178 (2014) and the additional Protocol to the Council of Europe Convention on Foreign Terrorist Fighters. This will especially aim to oblige Member States to criminalise offences linked to travelling abroad for the purpose of terrorism.

In conclusion, the recent tragic terrorist attacks have shown that national police and judicial authorities are aware of the tools at their disposal in the field of police cooperation and judicial cooperation in criminal matters. They do not hesitate to rely on them. However there is still room for improvement. The transnational elements of the recent attacks clearly illustrate the need for cross-border cooperation in the criminal field. Member States should realise that the solution encompasses more cooperation and that reflexes of national sovereignty are vain and detrimental to the identification and prosecution of terrorist suspects. In such a move forward, the EU must ensure the right balance between the different interests at stake and not sacrifice fundamental rights at the altar of security as underlined by Stefan Braum in a recent paper published on the blog of the GDR/ELSJ.

3. The failure of intergovernmental cooperation in the field of intelligence

In the days following the attacks, criticisms were voiced against the deficiencies in the cooperation between national intelligence services. It was for instance reported that the Belgian services had information about the danger represented by the Abdeslam brothers, but never shared this information with their French colleagues.

It is important to make a preliminary remark distinguishing cooperation in the field of police information on the one hand and intelligence in the sense of renseignements in French on the other hand.

Whereas police information sharing is subject to EU legislation, adopted under the EU competences in police cooperation in criminal matters, as described above, intelligence sharing does not fall within the EU competences, and the EU is prevented from taking any action in this regard. In the current legal framework, in force since the adoption of the Treaty of Lisbon, no less than three provisions insist on the lack of competence for the EU in matters of national security. Article 4(2) TEU provides that the EU shall respect the essential State functions of its Member States, including safeguarding national security. InArticles 72 and 73 TFEU, it is stated that the Title of the Area of Freedom, Security and Justice shall not affect the exercise of the responsibilities incumbent upon Member States with regard to the safeguarding of internal security, and it is open to the Member States to organise between themselves and upon their responsibility such form of cooperation and coordination as they deem appropriate between the competent departments of their administration responsible for safeguarding national security. In other words, cooperation between national intelligence services in charge of safeguarding national security is left in the hands of the Member States, and is thus conducted on an intergovernmental basis.

As a consequence, blaming the EU for the lack of intelligence sharing between France and Belgium is an unjustified criticism. The idea of creating a European Intelligence Agency has been mentioned by some observers but was promptly rejected on Friday 20 November by the JHA Council, as it appears to be outside of the scope of EU competences in the current state of the EU treaties. Moving forward in this field in the institutional framework of the EU would clearly imply a revision of the treaties. The feasibility of such revision is of course questionable because of its extremely high sensitivity in terms of national sovereignty. It shall indeed not be forgotten that intelligence is, by definition, extremely sensitive data, which national authorities may be reluctant to share, for instance in order to safeguard the safety of their informants. Furthermore, even cooperation within each Member State is sometimes problematic, as intelligence service might be reluctant to cooperate extensively with law enforcement, judicial or other authorities.

The absence of EU competences does not imply that there is a complete absence of European multilateralisation of cooperation in the field of the intelligence. In this regard, the EU Intelligence and Situation Centre (EU INTCEN) is to be mentioned. However, this centre has a limited mandate, which is to provide intelligence analysis, early warning and situational awareness to the High Representative and to the EEAS, in the fields of security, defence and counter-terrorism. This agency is the successor of the EU Situation Centre (SITCEN), created to answer the need of timely and accurate intelligence analysis to support EU policymaking. Despite its title, this agency is not a European Intelligence Agency. It has no operational powers, nor powers in the field of cooperation between national intelligence services. Its core mandate consists of publishing intelligence assessments, reports and summaries, as well as threat assessments for EU personnel, on the basis of open sources and analytical reports transferred from national intelligence authorities. Another initiative to mention is the so-called ‘Club de Berne’, which is an intelligence-sharing forum between the intelligence services of the EU Member States, Norway and Switzerland, within which a counter-terrorism group was established in 2001. It works outside the EU institutional framework but entertains some relations with it, especially via the participation of the INTCEN.

Conclusion

In conclusion, the shock generated by the Paris attacks should push the EU and its Members to engage in a much deeper reflection than their many working meetings have provoked. They must reflect firstly on the criminal motivations which led EU citizens, both French and Belgian, to commit such abominations. To stubbornly insist to the public that these criminals were not the product of our own societies is a grave error which prevents us from considering the causes and therefore inhibits us from conceiving of the appropriate response. They must further reflect on the multiple failures and responsibilities relating to the events in Paris. Rather than exploiting them to justify criticism of the EU, it should be realised that a more integrated and coordinated area of freedom and security is the only possible solution.

This is true on two conditions. The first condition is that there must be real responsibility in its administration, which is far from the case in current border management and intelligence sharing. The second condition is that, above all, there must be an agreement on the values which make up this area, in both the central role of the judicial institution and its fundamental guarantees.

Attentats terroristes de Paris : une défaillance de l’Espace de liberté, sécurité et justice ?

PUBLISHED ON CDRE SITE (8 JANVIER 2016)

 par P. de Bruycker et D. Watt (Odysseus Omnia), H. Labayle (CDRE), A. Weyembergh et C. Brière (Eclan)

 

Les attaques terroristes du 13 novembre à Paris ont conduit le Président de la République française à déclarer l’état d’urgence et annoncer l’introduction de mesures visant à « mobiliser toutes les forces possibles afin de neutraliser les terroristes et de garantir la sécurité de tous les lieux qui pourraient être visés ». Parmi ces mesures figure la réintroduction des contrôles aux frontières intérieures avec les autres Etats de l’espace Schengen, dans le but de prévenir l’entrée sur le territoire d’individus dangereux qui cherchent à commettre des attaques terroristes ainsi que d’empêcher les assaillants de fuir.

Néanmoins, Salah Abdeslam, le cerveau présumé des attaques, a réussi à s’enfuir en traversant la frontière entre la France et la Belgique dans la nuit du vendredi au samedi sans être appréhendé, et il n’a toujours pas été arrêté depuis, malgré les importants moyens déployés par les forces de police belges et françaises. Plus surprenant, bien que relativement ignoré par les médias, est le fait qu’il ait été contrôlé par la police française dans la région frontalière (près de la ville de Cambrai) sans être arrêté. Comment cela a-t-il pu se produire au cœur de l’UE où les garde-frontières, la police, les juges et les services de renseignement aidés par des moyens technologiques modernes suivent en permanence de tels individus ?

Avant, comme certains responsables politiques l’ont fait hâtivement, d’instruire le procès de l’Espace de liberté, sécurité et justice, sans doute est-il bon d’examiner objectivement les conditions dans lesquelles les rouages de cet espace ont été confrontés à la réalité du terrorisme. Qu’il s’agisse du contrôle opéré aux frontières (1) ou de la collaboration des polices (2), force est de constater que la première des responsabilités n’incombe pas ici aux mécanismes institués par l’Union européenne. En revanche, et la question ne relève pas des compétences de l’Union, l’échec à prévenir des attentats pourtant largement prévisibles pose désormais la question de l’échange des renseignements entre les services nationaux compétents (3) ?

1. Les questions en suspens au sujet de la politique des frontières

D’après ce que l’on sait aujourd’hui de la réalisation des attentats de Paris et des trajectoires de leurs auteurs, une distinction doit être faite entre le franchissement par les terroristes des frontières internes etexternes de l’espace Schengen.

a. le franchissement des frontières internes :

Le Code Frontières Schengen (CFS) règlemente le franchissement des frontières des Etats Membres concernés. Ainsi que l’a souligné Evelien Brouwer dans son article sur le blog Omnia, les Etats parties à l’espace Schengen peuvent, sur base de l’Article 23 du CFS, temporairement réintroduire des contrôles aux frontières internes s’il existe une justification claire sur base d’une menace pour l’ordre public ou la sécurité intérieure. L’existence d’une telle menace n’est évidemment pas contestable ici.

Les Etats de l’espace Schengen disposent d’un certain nombre d’instruments pour garantir une gestion efficace des frontières au sein de cet espace. Ainsi, le Système d’Information Schengen (SIS) est un fichier informatique utilisé pour enregistrer et partager l’information au sujet de certains individus qui ne devraient pas pouvoir entrer ou voyager au sein de l’espace Schengen. Sa deuxième génération – « SIS II » – a été mise en place pour inclure les nouveaux Etats Membres suite à l’élargissement de 2004 par le règlement 1987/2006 qui comporte également les règles relatives à son fonctionnement et son utilisation.

Une personne peut être fichée dans le SIS pour différentes raisons. Premièrement, un signalement peut être lancé afin d’empêcher l’entrée ou le séjour d’une personne ressortissante d’un pays tiers à l’UE qui a commis un crime ou qui a fait l’objet d’une interdiction d’entrée pour non-respect des règles en matière d’immigration (article 24 du Règlement 1987/2006). Deuxièmement, un signalement peut être lancé au sujet de ressortissants de pays tiers, mais aussi de citoyens européens, recherchés en vue d’une arrestation aux fins de remise sur base du mandat d’arrêt européen (MAE) ou aux fins d’extradition. Le SIS II contient également des signalements concernant des personnes disparues, des personnes recherchées dans le cadre d’une procédure judiciaire, ou des personnes aux fins de contrôle discret ou spécifique (voir décision 2007/533 du Conseil).

Salah Abdeslam étant Français et non un ressortissant de pays tiers, il ne pouvait pas, par définition, faire l’objet d’un signalement pour un motif lié à la politique migratoire. Lorsqu’il a été contrôlé pour la police française dans la nuit du 13 au 14 novembre, il n’était pas connu des autorités françaises apparemment parce que, bien que Français, il habitait en Belgique. Il ne faisait pas non plus l’objet d’un signalement en vue d’une arrestation car le MAE le concernant n’a été délivré par la Belgique qu’après les attaques, le dimanche. Il avait toutefois été signalé dans le SIS par les autorités belges comme étant une personne devant faire l’objet de contrôle « discret » ou spécifique. D’après l’Article 36 de la décision 2007/533 du Conseil précitée, un tel signalement peut être effectué pour la répression d’infractions pénales et pour la prévention de menaces pour la sécurité publique, notamment « lorsque l’appréciation globale portée sur une personne, en particulier sur la base des infractions pénales commises jusqu’alors, laisse supposer qu’elle commettra également à l’avenir des infractions pénales graves ».

Vu les objectifs énoncés pour justifier la fermeture des frontières françaises – mettre en échec la fuite des assaillants – on peut donc se demander pourquoi les contrôles effectués par la police française n’ont pas donné lieu à l’arrestation de Salah Abdeslam. Même s’il n’était pas mentionné dans le SIS en vue d’une arrestation, un signalement aux fins de contrôle discret ou spécifique aurait dû attirer l’attention de la police opérant le contrôle. On peut légitimement se demander ce qu’il s’est passé : l’information enregistrée dans le SIS n’était-elle pas suffisamment précise ? Dans ce cas, la police française a-t-elle utilisé le système SIRENE afin de recevoir plus d’informations de la part des autorités belges ? Si non, pourquoi ? Les reproches adressés généralement à la Belgique lors de ces tragiques épisodes, ne doivent-ils pas être partagés ?

Répondre à ces questions serait instructif afin de cerner le problème réel. Au delà, et même si cet échec est imputable au SIS et non aux agents nationaux, il est évident qu’une telle criminalité transnationale ne peut être réglée qu’au niveau international. Dans tous les cas, la réponse se trouve peut-être dans un SIS plus performant ou une meilleure utilisation du SIS par les Etats Membres. Elle n’est certainement pas pas le moins de Schengen évoqué ici et là.

b. le franchissement des frontières extérieures 

Les attaques de Paris ont attiré une part importante de l’attention sur la question des contrôles aux frontières extérieures, en particulier après la confirmation qu’au moins un des terroristes était entré sur le territoire de l’UE par la route utilisée par les réfugiés en utilisant un passeport syrien. On avance également que les assaillants, citoyens européens, ont pu quitter l’UE pour se battre en Syrie et revenir pour commettre les attaques de Paris. On craint même que l’un d’entre eux, Salah Abdeslam, ait réussi à s’enfuir en Syrie après les attaques. Il s’agit là du phénomène desdits « combattants étrangers » : des citoyens européens qui, après être devenus radicalisés, quittent leur maison en Europe pour aller se battre en Syrie avant de revenir. Depuis de longs mois, le coordinateur de la lutte contre le terrorisme, Gilles de Kerchove, alertait les Etats membres sur la nécessité d’une réaction vigoureuse, en vain. La préoccupation concrète, ici, est que ces individus sont extrêmement difficile à détecter lorsqu’ils entrent ou quittent l’espace Schengen.

Le Code Frontières Schengen prévoit dans son Article 7(2) que les citoyens européens, ainsi que toute personne jouissant du droit communautaire à la libre circulation, ne font l’objet que d’une vérification minimale lorsqu’ils franchissent les frontières extérieures de l’espace Schengen. Cela vise les documents de voyage présentés par ces personnes aux frontières extérieures, carte d’identité ou passeport. Au contraire, les ressortissants de pays tiers sont sujets à des contrôles plus approfondis en vertu de l’Article 7(3) qui prévoit au point (a)(vi) « la consultation directe des données et des signalements relatifs aux personnes et, si nécessaire, aux objets intégrés dans le SIS et dans les fichiers de recherche nationaux ». De tels contrôles sont parfois décrits comme portant sur les personnes plutôt que les documents.

Bien que les garde-frontières puissent consulter les bases de données utiles, comme le SIS, afin de s’assurer, entre autres, que les citoyens européens qui franchissent les frontières extérieures ne représentent pas une menace sérieuse pour la sécurité intérieure, une consultation systématique de ces bases de données n’est pas permise.

Cette interdiction pose problème depuis quelques années à l’UE et aux Etats Membres. Selon la disposition en cause, il est évident que chaque citoyen européen ne peut pas être contrôlé lorsqu’il franchit les frontières extérieures de l’UE. D’après la Commission, cela n’empêche pas de mener des contrôles systématiques au sujet de certaines personnes sur base d’une évaluation des risques, par exemple des personnes embarquant sur un vol à destination ou en provenance d’une région proche d’un conflit. LeManuel à l’intention des garde-frontières a ainsi été modifié le 15 juin 2015 pour inclure cette dernière interprétation.

Néanmoins, depuis le début de l’année 2015 et après les attentats de Charlie Hebdo, les Etats Membres au sein du Conseil ont demandé à ce que le CFS soit révisé au sujet de la consultation systématique des bases de données pour les personnes jouissant de la liberté de circulation. Les inquiétudes au sujet de la menace que représentent les combattants étrangers de retour dans l’espace Schengen sans être détectés ont également donné lieu à l’établissement d’une liste d’Indicateurs du Risque Communs (IRC) par la Commission. Cependant, il apparaît que ces indicateurs confidentiels sont trop généraux et trop vagues. Ils ne sont dès lors pas mis en œuvre de manière efficace par les garde-frontières.

Le 5 octobre 2015, dans un document à destination du Conseil de l’UE, le coordinateur de l’UE pour la lutte contre le terrorisme expliquait ainsi qu’il reste des problèmes à régler en ce qui concerne la mise en œuvre coordonnée des indicateurs de risque communs. Il fait peu de doute que l’inefficacité des IRC pousse le Conseil à réclamer la révision du CFS, ainsi que l’ont exprimé les Ministres du Conseil « Justice et Affaires Intérieures » le 20 novembre 2015. Se réunissant au lendemain des attaques de Paris, le Conseil a affirmé que les Etats Membres s’engageaient à « mettre immédiatement en œuvre les contrôles systématiques et coordonnés nécessaires aux frontières extérieures, y compris des personnes jouissant du droit à la libre circulation ».

Il n’est pas contestable que de tels contrôles soient nécessaires, notamment aux frontières extérieures par lesquelles les « combattants étrangers » sont susceptibles de passer plus souvent. Leur interdiction par le Code Frontières Schengen apparaît en définitive inapproprié et cela explique pourquoi la Commission européenne a finalement décidé de présenter le 15 décembre 2015 une proposition visant à modifier l’Article 7 du CFS, dont elle n’a d’ailleurs pas jugé utile de fournir encore la traduction en langue française près d’un mois après. Une fois adoptée, non seulement elle autorisera mais elle obligera les garde-frontières à vérifier qu’un citoyen européen n’est pas « considéré comme étant une menace pour la sécurité intérieure, l’ordre public, les relations internationales d’un Etat Membre ou pour la santé publique, y compris en consultant les bases de données européennes et nationales pertinentes, en particulier le SIS ».

Cela contrevient-il pour autant à la liberté de circulation dont jouissent les citoyens européens sur base des Traités européens ? A première vue, la réponse semble négative, car la liberté de circulation concerne a priori les mouvements au sein de l’Union européenne et non le franchissement de ses frontières extérieures. Néanmoins, la directive 2004/38 mettant en œuvre la liberté de circulation contient des dispositions qui reconnaissent aux citoyens européens le droit d’entrer et de quitter le territoire des Etats Membres. L’article 4 sur le droit de sortie et l’article 5 sur le droit d’entrée existent « sans préjudice des dispositions concernant les documents de voyage, applicables aux contrôles aux frontières nationales ». Si ces dispositions, interprétées restrictivement, ne couvrent pas explicitement la consultation des bases de données, il ne faut pas oublier que l’Article 27 de la même directive autorise les Etats Membres à restreindre la liberté de circulation et de séjour d’un citoyen de l’UE pour des raisons d’ordre public, de sécurité publique ou de santé publique. Il ne fait aucun doute que la consultation des bases de données pour des raisons de sécurité comme c’est le cas pour le SIS tombe sous l’exception de sécurité publique. En conclusion, la proposition de la Commission ne viole pas la liberté de circulation dont jouissent les citoyens européens.

Même si d’aucuns estiment que la proposition de la Commission aurait pu venir plus tôt, l’acquis de Schengen sera clarifié pour permettre le contrôle systématique des combattants étrangers aux frontières extérieures de l’UE. Au plus vite au mieux, ensuite le Conseil des Ministres et le Parlement européen devront prouver qu’ils peuvent modifier les règles européennes existantes quand cela est nécessaire et dans un laps de temps comparable à celui dans lequel les Etats Membres avec un Parlement bicaméral peuvent opérer.

2. L’efficacité de la coopération policière et judiciaire en matière pénale après les attaques

Les attaques de Paris et les événements qui ont suivis, telle que la fuite en Belgique du suspect Salah Abdeslam, ont déclenché la mise en oeuvre des mécanismes de coopération policière et judiciaire en matière pénale institués dans l’Union. Depuis le milieu des années 90 et en particulier depuis l’entrée en vigueur du Traité d’Amsterdam, ces mécanismes sont de plus en plus développés. Aujourd’hui, une série importante d’instruments, d’acteurs et de bases de données est à la disposition des autorités nationales en charge d’enquêter et de poursuivre les faits de terrorisme. Le discours europhobe qui a suivi les attentats aurait donc gagné à être équilibré par un examen de ce qui s’est réellement passé, bien loin des blocages que la gravité de tels évènements conduit parfois à constater au sein des Etats. Là encore les constats de Gilles de Kerchove à l’adresse du Conseil, opérés au lendemain des attentats, sont sans appel. Ils témoignent de la large inutilisation des outils à disposition.

En termes de coopération policière, l’importance d’Europol doit être soulignée, à la fois en termes d’échange et d’analyse d’informations et en termes de support opérationnel. L’approbation par le Conseil, le 4 décembre 2015, d’un texte de compromis sur un projet de règlement relatif à Europol émanant de la Commission devrait contribuer à améliorer la coopération policière entre Etats car Europol devrait avoir plus de moyens pour agir comme « le centre névralgique de l’échange d’informations entre les services répressifs des États membres ». Un « point de contact voyageurs » (focal point travellers) a spécialement été créé en 2014, dans lequel les combattants étrangers sont enregistrés, même s’il appartient aux Etats membres de lui donner une réalité concrète en l’alimentant. La dite « décision Prüm » doit également être mentionnée ici. Elle vise particulièrement à rendre obligatoire l’échange entre Etats membres de données relatives à l’ADN, l’empreinte digitale et l’immatriculation des voitures.

En termes de coopération judiciaire en matière pénale, Christiane Taubira, la garde des Sceaux française, a réaffirmé, suite à la réunion du Conseil Justice et Affaires Intérieures du 20 novembre 2015, que nous disposions des instruments nécessaires pour faire face aux crimes de terrorisme et que ces instruments ont bien fonctionnés en ce qui concerne la coopération entre les Etats membres impliqués dans l’enquête.

Au lendemain des attaques, une demande d’entraide judiciaire en matière pénale a été envoyée à la Belgique et à l’Allemagne. Ces demandes ont été envoyées très rapidement sur base de la convention de 2000 relative à l’entraide judiciaire en matière pénale entre les États membres de l’Union européenne.

Parmi les autres instruments spécifiques à l’ordre juridique européen et qui ont été utilisés dans ce contexte, la décision-cadre 2002/584/JAI relative au mandat d’arrêt européen (MAE) doit être mentionnée. Adoptée suite aux événements du 11 septembre 2001, le MAE, qui est considéré comme étant la « success story » de l’espace pénal européen, met en place des procédures de remise simplifiées et plus rapides, directement entre autorités judiciaires, sans implications politiques et avec un nombre limité de motifs de non-exécution. Au moins un MAE a été délivré depuis les attaques de Paris ce qui implique que les autorités policières et judiciaires compétentes des Etats membres ont l’obligation d’arrêter les personnes visées. Sur requête de l’autorité judiciaire qui délivre un MAE, ce dernier peut être accompagné par un signalement dans le Système d’Information Schengen (SIS) et/ou dans la base de données Interpol.

Le système européen d’information sur les casiers judiciaires (ECRIS), basé sur une décision du Conseil de 2009 et qui doit être lue en combinaison avec la décision-cadre concernant l’organisation et le contenu des échanges d’informations extraites du casier judiciaire entre les Etats membres, a aussi été mobilisé et les informations contenues au sujet des condamnations passées des suspects ont démontré la valeur ajoutée de ce système. Opérationnel depuis 2012, ce système combine la centralisation des condamnations dans les archives pénales de chaque Etat membre et l’interconnexion de ces archives, permettant l’échange électronique d’informations standardisées.

Enfin, les équipes communes d’enquêtes (ECE), faisant partie à la fois de la coopération policière et de la coopération judiciaire, ont une valeur ajoutée évidente. En l’espèce, une ECE a été créée immédiatement entre la France et la Belgique, pour laquelle les Ministres de la Justice des deux pays ont donné leur accord le 16 novembre. Cette création a permis la constitution d’une équipe composée de juges, de procureurs et d’autorités policières pour une durée déterminée et pour un objectif défini, à savoir mener des enquêtes pénales dans chacun des pays concernés. Un des avantages de ces ECE est l’échange d’informations et des preuves obtenues, sans devoir faire une demande d’entraide judiciaire.

Malgré ces éléments positifs, la coopération entre les autorités nationales doit encore être améliorée :

  • premièrement, certains des instruments décrits ci-dessus, telle que la décision Prüm de 2008 ou la décision-cadre relative aux ECE, n’ont pas du tout ou pas correctement été transposés par les Etats membres. L’importance de la correcte mise en application des dispositifs européens au niveau national a à maintes fois été soulignée, par exemple dans les orientations stratégiques du Conseil européen de juin 2014 et dans les conclusions du Conseil Justice et Affaires Intérieures du 20 novembre 2015. A cet égard, la fin de la période de transition le 1er décembre 2014 devrait pousser les Etats Membres récalcitrants à se conformer au droit européen car un Etat peut faire désormais l’objet de poursuites pour non-application du droit dérivé européen, même adopté avant l’entrée en vigueur du Traité de Lisbonne.
  • deuxièmement, des difficultés se manifestent également au niveau de l’application pratique des instruments européens. Il y a, par exemple, une différence considérable entre l’information disponible au niveau national et l’information transmise et/ou partagée avec les autorités compétentes d’autres Etats membres; en outre, les informations transmises à Europol ne sont pas toujours suffisantes, mettant ainsi à mal la réalisation de son mandat. Dans ce contexte, le Conseil Justice et Affaires Intérieures a annoncé le 20 novembre 2015 l’établissement le 1er janvier 2016 du Centre européen de lutte contre le terrorisme (CELCT), qui a vocation à devenir une plateforme permettant aux Etats Membres de renforcer l’échange d’informations et la coopération opérationnelle en ce qui concerne la surveillance des combattants terroristes étrangers et les enquêtes à leur sujet, le trafic d’armes illicites et le financement du terrorisme. Un centre similaire a été créé il y a quelques années en matière de cybercriminalité, le EC3, et cela s’est avéré être un outil utile. L’utilité du CELCT dépendra en grande partie de la volonté des Etats membres de partager les informations dont ils disposent, qui aujourd’hui reste insuffisante comme le démontre l’exemple du point de contact « voyageurs » d’Europol au sujet des combattants étrangers.
  • troisièmement, certains des instruments décrits ci-dessus souffrent de limites intrinsèques. ECRIS fonctionne bien mais seulement en ce qui concerne les citoyens européens. Au sujet des ressortissants de pays tiers, il est toujours nécessaire de consulter les archives de chaque Etat membre afin de connaître les condamnations passées de ces individus. La possibilité de créer une base de données européenne au sujet des ressortissants de pays tiers ayant fait l’objet d’une condamnation est discutée depuis plusieurs années. Dans ses conclusions du 20 novembre, le Conseil JAI a accueilli favorablement l’intention de la Commission de soumettre d’ici la fin janvier 2016 une initiative ambitieuse visant à étendre ECRIS pour inclure les ressortissants de pays tiers.
  • enfin, de nouvelles mesures législatives devraient être initiées incessamment, notamment au niveau du rapprochement des droits matériels en matière pénale, et en particulier en ce qui concerne la criminalisation des infractions terroristes. En effet, selon les conclusions du Conseil du 20 novembre, la Commission devrait présenter une proposition de directive mettant à jour les décisions-cadre de 2002 et 2008 relatives à la lutte contre le terrorisme. Cette réforme intégrera en droit européen la Résolution 2178 (2014) du Conseil de Sécurité de l’ONU ainsi que leProtocole additionnel à la Convention du Conseil de l’Europe pour la prévention du terrorisme. Cela aura principalement pour effet d’obliger les Etats Membres à criminaliser les voyages à l’étranger à des fins terroristes.

En résumé, les récentes et tragiques attaques terroristes ont démontré que les polices nationales et les autorités judiciaires ont connaissance des outils à leur disposition en matière de coopération policière et judiciaire dans le domaine pénal. Des améliorations sont néanmoins toujours possibles. La nature transnationale des récentes attaques illustrent clairement la nécessité de la coopération transfrontalière en matière pénale. Les Etats membres devraient se rendre compte que la solution passe par une coopération renforcée et que les réflexes souverainistes sont non seulement vains mais aussi préjudiciables à l’identification et à la poursuite des personnes suspectées de terrorisme. En ce faisant, l’UE doit veiller à garantir un juste équilibre entre les différents intérêts en jeu et ne pas sacrifier les droits fondamentaux au nom de la sécurité, ainsi que la récemment souligné Stefan Braum dans un article publié sur ce blog.

3. L’échec de la coopération intergouvernementale en matière de renseignement

Dans les jours suivants les attaques, des critiques se sont élevées à l’encontre des carences au niveau de la coopération entre les services de renseignement nationaux. Il a, par exemple, été avancé que les services belges détenaient des informations relatives au danger représenté par les frères Abdeslam, sans que jamais ces informations n’aient été transmises à leurs collègues français.

Il est important de distinguer la coopération policière, d’une part, et la coopération en matière de renseignement, d’autre part. Alors que l’échange d’informations au niveau de la police est soumis au droit dérivé européen, adopté sur base des compétences de l’Union en matière de coopération policière, l’échange d’informations entre services de renseignement n’entre pas dans les compétences de l’UE, et l’UE n’a pas capacité à agir de façpn contraignante dans ce domaine.

Dans le cadre législatif en vigueur depuis l’adoption du Traité de Lisbonne, pas moins de trois dispositions insistent sur le fait que l’UE n’est pas compétente en matière de sécurité nationale. L’Article 4(2) du TUE stipule que l’Union respecte les fonctions essentielles de l’Etat, y compris la sauvegarde de la sécurité nationale. Aux articles 72 et 73 du TFUE, il est affirmé que le titre relatif à l’Espace de Liberté, de Sécurité et de Justice « ne porte pas atteinte à l’exercice des responsabilités qui incombent aux États membres pour le maintien de (…) la sauvegarde de la sécurité intérieure » et qu’il « est loisible aux États membres d’organiser entre eux et sous leur responsabilité des formes de coopération et de coordination qu’ils jugent appropriées entre les services compétents de leurs administrations chargées d’assurer la sécurité nationale ». En d’autres termes, la coopération entre les services de renseignement nationaux chargés d’assurer la sécurité nationale reste entre les mains des Etats membres et est donc menée sur une base intergouvernementale.

Par conséquent, imputer à l’UE le manque de coopération en matière de renseignement entre la France et la Belgique est injustifié. L’idée de créer une agence de renseignement européenne a été mentionnée par certains Etats mais elle a rapidement été rejetée le vendredi 20 novembre par le Conseil JAI tant cette hypothèse excède les compétences de l’Union dans l’état actuel des Traités, indépendamment de son opportunité. Toute avancée institutionnelle dans ce domaine requiert au préalable une révision des Traités. La faisabilité d’une telle révision est évidemment incertaine en raison de l’extrême sensibilité que cela poserait au regard de la souveraineté nationale tant il est clair que les services de renseignement disposent, par définition, de données sensibles dont les autorités nationales ne peuvent envisager le partage. Ceci sans développer un autre argument, très concret, la coopération au sein même d’un Etat est parfois elle-même problématique face à la réticence des services de renseignement à l’idée de coopérer trop largement avec les autorités policières, judiciaires ou autres.

L’absence de compétences de l’UE ne signifie pas qu’il y ait une absence complète de multilatéralisation européenne de la coopération en matière de renseignement. A cet égard, le Centre de l’UE pour l’analyse d’informations (INTCEN) mérite la mention. Cependant, ce centre a un mandat limité qui est de fournir des analyses des renseignements, des alertes précoces et des comptes rendus de la situation au Haut Représentant ainsi qu’au service européen pour l’action extérieure, en matière de sécurité, de défense et de contre-terrorisme. Cette agence a succédé au Centre d’information de l’UE (SITCEN), créée pour répondre au besoin d’analyses de renseignement afin d’aider les décideurs européens. Malgré son titre, cette agence n’est pas une agence de renseignement européenne. Elle n’a aucun moyen opérationnel, ni aucun pouvoir en matière de coopération entre agences de renseignement nationales. Son mandat consiste à publier des évaluations des services de renseignements, des rapports et des résumés, ainsi que des évaluations des risques pour le personnel de l’Union sur base de sources librement accessibles et des rapports analytiques que les services de renseignement nationaux lui transmettent. Une autre initiative à mentionner concerne l’existence du dit « Club de Berne », forum d’échange de renseignements entre les services de renseignement des Etats membres, de la Norvège et de la Suisse, au sein duquel un groupe anti-terrorisme a été créé en 2001. Il fonctionne en-dehors du cadre institutionnel européen mais il entretient néanmoins des relations avec celui-ci, particulièrement à travers la participation du INTCEN.

Conclusion

Au total, le choc provoqué par les attentats de Paris devrait obliger l’Union et ses membres à une réflexion d’une autre ampleur que celle qu’elle a proposée à ses citoyens lors de ses multiples réunions de travail.

Réflexion, d’abord, sur les itinéraires criminels ayant pu conduire des citoyens de cette Union, français comme belges, à de telles abominations. Persister à prétendre aux opinions publiques inquiètes que ces criminels ne seraient pas le produit de nos sociétés est une erreur grave, empêchant de réfléchir aux causes et donc d’imaginer les réponses. L’est tout autant l’abus des postures et des vocabulaires guerriers. C’est ici le droit pénal qui est en cause et non celui de la guerre, c’est ici dans le refus de toute légitimité au criminel que réside l’enjeu majeur. Pourquoi paraître alors valoriser son action en lui accordant un statut autre que celui d’un criminel de droit commun ? Démarche, par parenthèse, que poursuit l’Union depuis quarante ans …

Réflexions ensuite sur les défaillances et responsabilités multiples en cause. Loin d’être en première ligne, et donc de justifier la démagogie des critiques accablant l’Union européenne, la réalisation d’un espace de liberté et de sécurité est, en aval, la seule réponse possible.

A deux conditions. Celle d’une responsabilité réelle de ses membres dans son administration, ce qui est loin d’être le cas tant dans le domaine de la gestion des frontières que dans celui du partage de renseignements. Celle surtout d’un accord sur les valeurs structurant cet espace, tant dans le rôle central de l’institution judiciaire qu’à propos des garanties fondamentales.

The New EU General Data Protection Regulation – A First Assessment

Original published on the European Academy for Freedom of Information and Data Protection  site (EAID)

by Peter SCHAAR

The results of the trilogue of the EU institutions (European Parliament, Commission and Council) on the data protection reform package (SEE BELOW)  is an important milestone on the way into the global information society. The General Data Protection Regulation (GDPR) will replace 28 different data protection laws of the Member States.

The reach of the new legal framework extends beyond the European Union. Even companies with headquarters outside the EU will have to comply with the GDPR so far they are doing business in EU Member States and process data generated here (article 3 para. 2). Compliance with the rules is monitored by independent data protection authorities, which all have in future same, effective sanction powers.

In cases of serious infringements they may impose fines up to up to 4% of the global annual turnover against the respective companies (art. 79). It has to be highlighted, that a number of last minute attempts have failed to mitigate or weaken the new privacy requirements in central points, such as on scope of the regulation or the purpose limitation rules.

Nevertheless, there are also areas where the result is less positive than hoped for. Thus, the EP has not been completely successful in the requirements on individual consent to the processing of personal data (‚the data subject’s consent‘ means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative, signifies agreement to personal data relating to them being processed“ – article 4 para 8). Explicit consent is only required if consent refers to „special categories of personal data“ (article 9) – such as health data or genetic information. Also the rules on profiling lag behind the demands of privacy advocates. The relevant provisions are limited to decisions based solely on automated processing, which produce legal effects concerning the data subject or similarly significantly affects him or her (article 20).

During the negotiations, critics – in particular from Germany – complained the GDPR would weaken or undermine the data protection requirements defined by national law.  Today we can say, this fear did not realize, at least in general.

Only in specific areas the new legal requirements are lagging behind the present national laws, for example with regard to the more stringent data protection provisions for Internet services of the German Telemedia Act.  On the other hand, the German data protection level is just here high only in theory, but not de facto.

This became evident from the example Facebook: German data protection authorities have failed with lawsuits against the company whose European headquarters is located in Dublin – to undertake to comply with the German data protection rules.

However, every company that does business in Europe in future must comply with the new single European data protection law. This is real progress, even if the GDPR in certain areas lagging behind the national law.

In addition, there are other areas – such as the Federal Citizens Registration Act – where data protection requirements of new EU regulation are stricter than the present German legislature.

The unconditional dissemination of public register data on request to everybody is not compatible any more with European law and must be terminated.

Light and shadow also for the rules on the internal data protection officer (DPO). On one hand, article 35 obliges public authorities and government agencies – except for courts acting in their judicial capacity – to designate a DPO.  Also those private companies have to designate a DPO, whose „core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and sistematic monitoring of data subjects on a large scale“ or with core activities consisting „of processing on a large scale of special categories of  data pursuant to Article 9 and data relating to criminal convictions and offences“.

However, the significantly more stringent requirements of the German Federal Data Protection Act on DPOs have not completely been included in the GDPR. At least the adopted text allows the national legislators to stick to the mandatory designation of DPO (article 35 (4): „in cases other than those referred to in paragraph 1, the controller or processor … may or, where required by Union or Member State law shall, designate a data protection officer …“) .

Even if, as expected, the provisions now adopted – the GDPR and the Directive on data protection for police and justice – will soon pass the formal EU legislative procedure, a lot of work has still to be done at European and at national level prior to their entry into force in 2018.

  • At EU level the compatibility of other legal provisions with the GDPR has to be reviewed. This particularly applies to the directive on data protection in electronic communications („ePrivacy Directive“).
  • Governments and parliaments of the Member States are requested to review their national law. This applies in particular for Germany with its numerous sector specific data protection provisions. Many laws need to be revised, some need to be eliminated.
  • A special mission coming to the national legislators is the processing of personal data in the employment context. Article 82 GDPR provides the national legislators with  competence to regulate the handling of employee data in detail. („Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees‘ personal data in the employment context, …“).
  • National regulators have also to deal with the question of how far the legal provisions for data processing for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties need to be adapted to the requirements of the new Data Protection Directive for police and justice.
  • Finally, businesses and public authorities have to adapt their practices to the new rules. New processes and procedures have to be designed, existing procedures need to be changed …

The European Academy for Freedom of Information and Data Protection (EAID), Berlin, will focus in the coming years on the impact of new EU data protection rules. For 2016 we are planning workshops for decision-makers in business, politics and administration on implementation of the new EU rules and on needs for revision of national legislation.

READ MORE ON THE DATA PROTECTION REFORM PACKAGE:

The text of the Draft Regulation as agreed is accessible HERE  (204 Pages !)
The text of the Multicolumn Table (with the positions of the three institutions) of the Draft REGULATION is here (671 pages !)
The text of the Draft Directive (data protection in the law enforcement sector) as agreed is accessible here ( 102 pages)
The text of the Multicolumn Table with the position of the three institutions on the Draft DIRECTIVE  is accessible here (271 pages !)

Zakharov v Russia: Mass Surveillance and the European Court of Human Rights

Reblogged also by EU LAW ANALYSIS on Wednesday, 16 December with permission from the IALS Information Lawand Policy Centre blog

by Lorna Woods, (*) 

Introduction 

The European Court of Human Rights has heard numerous challenges to surveillance regimes, both individual and mass surveillance, with mixed results over the years.   Following the Snowden revelations, the question would be whether the ECtHR would take a hard line particularly as regards mass surveillance, given its suggestion in Kennedy that indiscriminate acquisition of vast amounts of data should not be permissible. Other human rights bodies have condemned this sort of practice, as can be seen by the UN Resolution 68/167 the Right to Privacy in the Digital Age. Even within the EU there has been concern as can be seen in cases such as Digital Rights Ireland (discussed here) and more recently in Schrems (discussed here). The Human Rights Court has now begun to answer this question, in the Grand Chamber judgment in Zakharov v. Russia(47143/06), handed down on December 4 2015.

Facts

Zakharov, a publisher and a chairman of an NGO campaigning for media freedom and journalists’ rights, sought to challenge the Russian system for permitting surveillance in the interests of crime prevention and national security. Z claimed that the privacy of his communications across mobile networks was infringed as the Russian State, by virtue of Order No. 70, had required the network operators to install equipment which permitted the Federal Security Service to intercept all telephone communications without prior judicial authorisation.

This facilitated blanket interception of mobile communications. Attempts to challenge this and to ensure that access to communications was restricted to authorised personnel were unsuccessful at national level. The matter was brought before the European Court of Human Rights. He argued that the laws relating to monitoring infringe his right to private life under Article 8; that parts of these laws are not accessible; and that there are no effective remedies (thus also infringing Art. 13 ECHR).

Judgment

The first question was whether the case was admissible. The Court will usually not rule on questions in abstracto, but rather on the application of rules to a particular situation. This makes challenges to the existence of a system, rather than its use, problematic. The Court has long recognised that secret surveillance can give rise to particular features that may justify a different approach. Problematically, there were two lines of case law, one of which required the applicant to show a ‘reasonable likelihood’ that the security services had intercepted the applicant’s communications (Esbester) and which favoured the Government’s position, and the other which suggested the menace provided by a secret surveillance system was sufficient (Klass) and which favoured the applicant.

The Court took the opportunity to try to resolve these potentially conflicting decisions, developing its reasoning in Kennedy. It accepted the principle that legislation can be challenged subject to two conditions: the applicant potentially falls within the scope of the system; and the level of remedies available. This gives the Court a form of decision matrix in which a range of factual circumstances can be assessed. Where there are no effective remedies, the menace argument set out in its ruling in Klass would be accepted.

Crucially, even where there are remedies, an applicant can still challenge the legislation if ‘due to his personal situation, he is potentially at risk of being subjected to such measures’ [para 171]. This requirement of ‘potentially at risk’ seems lower than the ‘reasonable likelihood’ test in the earlier case of Esbester. The conditions were satisfied in this case as it has been recognised that mobile communications fall within ‘private life’ and ‘correspondence’ (see Liberty, para 56, cited here para 173).

This brought the Court to consider whether the intrusion could be justified. Re-iterating the well-established principles that, to be justified, any interference must be in accordance with the law, pursue a legitimate aim listed in Article 8(2) and be necessary in a democratic society, the Court considered each in turn.

The requirement of lawfulness has a double aspect, formal and qualitative. The challenged measure must be based in domestic law, but it must also be accessible to the person concerned and be foreseeable as to its effects (see e.g Rotaru). While these principles are generally applicable to all cases under Article 8 (and applied analogously in other rights, such as Articles 9, 10 and 11 ECHR), the Court noted the specificity of the situation. It stated that:

‘…. domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures’ [para 229].

In this, the Court referred to a long body of jurisprudence relating to surveillance, which recognises the specific nature of the threats that surveillance is used to address. In the earlier case of Kennedy for example, the Court noted that ‘threats to national security may vary in character and may be unanticipated or difficult to define in advance’ [para 159].

While the precision required of national law might be lower than the normal standard, the risk of abuse and arbitrariness are clear, so the exercise of any discretion must be laid down by law both as to its scope and the manner of its exercise. It stated that ‘it would be contrary to the rule of law … for a discretion granted to the executive in the sphere of national security to be expressed in terms of unfettered power’ [para 247]. Here, the Court noted that prior judicial authorisation was an important safeguard [para 249]. The Court gave examples of minimum safeguards:

  • The nature of offences which may give rise to an interception order
  • A definition of the categories of people liable to have their telephones tapped
  • A limit on the duration of telephone tapping
  • Protections and procedures for use, storage and examination of resulting data
  • Safeguards relating to the communication of data to third parties
  • Circumstances in which data/recordings must be erased/destroyed (para 231)
  • the equipment installed by the secret services keeps no logs or records of intercepted communication, which coupled with the direct access rendered any supervisory arrangements incapable of detecting unlawful interceptions
  • the emergency procedure provided for in Russian law, which enables interception without judicial authorization, does not provide sufficient safeguards against abuse.

The Court then considered the principles for assessing whether the intrusion was ‘necessary in a democratic society’, highlighting the tension between the needs to protect society and the consequences of that society of the measures taken to protect it. The Court emphasised that it must be satisfied that there are adequate and effective guarantees against abuse.

In this oversight mechanisms are central, especially where individuals will not – given the secret and therefore unknowable nature of surveillance – be in a position to protect their own rights. The court’s preference is to entrust supervisory control to a judge. For an individual to be able to challenge surveillance retrospectively, affected individuals need either to be informed about surveillance or for individuals to be able to bring challenges on the basis of a suspicion that surveillance has taken place.

Russian legislation lacks clarity concerning the categories of people liable to have their phones tapped, specifically through the blurring of witnesses with suspects and the fact that the security services have a very wide discretion. The provisions regarding discontinuation of surveillance are omitted in the case of the security services. The provisions regarding the storage and destruction of data allow for the retention of data which is clearly irrelevant; and as regards those charged with a criminal offence is unclear as to what happens to the material after the trial.

Notably, the domestic courts do not verify whether there is a reasonable suspicion against the person in respect of whose communications the security services have requested interception be permitted. Further, there is little assessment of whether the interception is necessary or justified: in practice it seems that the courts accept a mere reference to national security issues as being sufficient.

The details of the authorisation are also not specified, so authorisations have been granted without specifying – for example – the numbers to be interception. The Russian system, which at a technical level allows direct access, without the police and security services having to show an authorisation is particularly prone to abuse. The Court determined that the supervisory bodies were not sufficiently independent. Any effectiveness of the remedies available to challenge interception of communications is undermined by the fact that they are available only to persons who are able to submit proof of interception, knowledge and evidence of which is hard if not impossible to come by.

Comments

The Court could be seen as emphasising in its judgment by repeated reference to its earlier extensive case law on surveillance that there is nothing new here. Conversely, it could be argued that Zakharov is a Grand Chamber judgment which operates to reaffirm and highlight points made in previous judgments about the dangers of surveillance and the risk of abuse. The timing is also significant, particularly from a UK perspective. Zakharov was handed down as the draft Investigatory Powers Bill was published. Cases against the UK are pending at Strasbourg, while it follows the ECJ’s ruling in Schrems, with Davis (along with the Swedish Tele2 reference), querying whether theDigital Rights ruling applies to national data retention schemes, now pending before the ECJ (on that issue, see discussion here). The ECtHR noted the Digital Rights Ireland case in its summary of applicable law.

In setting out its framework for decisions, the Court’s requirement of ‘potentially at risk’ even when remedies are available seems lower than the ‘reasonable likelihood’ test in Esbester. The Court’s concern relates to ‘the need to ensure that the secrecy of surveillance measures does not result in the measures being effectively unchallengeable and outside the supervision of the national judicial authorities and of the Court’ [para 171]. This broad approach to standing is, as noted by Judge Dedon’s separate but concurring opinion, in marked contrast to the approach of the United States Supreme Court in Clapper where that court ‘failed to take a step forward’ (Opinion, section 4).

The reassessment of ‘victim status’ simultaneously determines standing, the question of the applicability of Article 8 and the question of whether there has been an infringement of that right. The abstract nature of the review then means that a lot falls on the determination of ‘in accordance with the law’ and consequently the question of whether the measures (rather than individual applications) are necessary in a democratic society. The leads to a close review of the system itself and the safeguards built in. Indeed, it is noteworthy that the Court did not just look at the provisions of Russian law, but also considered how they were applied in practice.

The Court seemed particularly sceptical about broadly determined definitions in the context of ‘national, military, economic or ecological security’ which confer ‘almost unlimited degree of discretion’ [para 248]. Although the system required prior judicial authorisation (noted para 259], in this case it was not sufficient counter to the breadth of the powers. So, prior judicial authorisation will not be a ‘get out of gaol free’ card for surveillance systems. There must be real oversight by the relevant authorities.

Further, the Court emphasised the need for the identification of triggering factor(s) for interception of communications, as otherwise this will lead to overbroad discretion [para 248]. Moreover, the Court stated that the national authorisation authorities must be capable of ‘verifying the existence of a reasonable suspicion against the person concerned’ [260-2], which in the context of technological access to mass communications might be difficult to satisfy. The Court also required that specific individuals or premises be identified. If it applies the same principles to mass surveillance currently operated in other European states, many systems might be hard to justify.

A further point to note relates to the technical means by which the interception was carried out. The Court was particularly critical of a system which allows the security services and the police the means to have direct access to all communications. It noted that ‘their ability to intercept the communications of a particular individual or individuals is not conditional on providing an interception authorisation to the communications service provider’ [para 268], thereby undermining any protections provided by the prior authorisation system.

Crucially, the police and security services could circumvent the requirement to demonstrate the legality of the interception [para 269]. The problem is exacerbated by the fact that the equipment used does not create a log of the interceptions which again undermines the supervisory authorities’ effectiveness [para 272]. This sort of reasoning could be applied in other circumstances where police and security forces have direct technical means to access content which is not dependent on access via a service provider (e.g. hacking computers and mobiles).

In sum, not only has the Russian system been found wanting in terms of compliance with Article 8, but the Court has drawn its judgment in terms which raised questions about the validity of other systems of mass surveillance.

  • Professor of Internet Law, University of Essex

 

The Reform of Frontex: Saving Schengen at Refugees’ Expense?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS (Wednesday, 16 December 2015)

by Steve Peers

Years ago, shortly before the creation of Frontex (the EU’s border control agency) and the big EU enlargement of 2004, I discussed the future of EU borders policy with a senior German civil servant. Anxious about the forthcoming enlargement of the EU (and, in time, Schengen), his vision was that every Lithuanian or Polish border post would be jointly staffed by a friendly German.

Yesterday’s proposals from the European Commission don’t precisely reproduce that vision – but they do embody the same doubt that Member States (in the south, rather than the east) can be fully trusted to patrol the external border. Given that Frontex has been created in the meantime, it’s the agency itself – flanked by reserves from national border agencies – which would be sent in to help patrol the borders of Member States, albeit only in certain cases.

This is only one of a batch of proposals made yesterday. I’ll sum them all up, but focus on this one, as it’s the most important. Overall, though, the proposals are flawed, in two contradictory ways: they simultaneously seek to do too much in the area of border controls (where the Frontex proposal exceeds EU powers and is politically unprincipled) and too little in the area of asylum (since there is no significant attempt to address humanitarian or protection needs within the EU). In short, they seek to save the Schengen system, at the expense of refugees.

Overview

There’s a Commission communication issued yesterday which tries to sum up all the new proposals. But in an even smaller nutshell, here’s what the Commission has tabled. The flagship proposal is a Regulation which would replace the existing Frontex legislation, creating a new ‘European Border and Coast Guard’ (EBCG) consisting of national border guards plus the agency.  This is accompanied by two proposals for minor consequential amendments to the Regulations establishing the EU’s Fisheries Control Agency and Maritime Safety Agency, whose work would be coordinated with the EBCG.

Next, an amendment to the Schengen Borders Code would increase checks at the external borders on EU citizens and, to some extent, non-EU citizens, for security purposes. A fifth proposed Regulation attempts to make expulsion and readmission more effective, by creating a uniform document to be used during removals of irregular migrants to their country of origin.

There are non-binding measures on border control issues too. The Commission has adopted a Handbook for use operating the EU’s ‘Eurosur’ system of maritime surveillance. It has also released its latest regular report on the Schengen system in practice.

In the area of asylum, there’s only one proposal for a binding measure: a Decisionwhich would exempt Sweden from the EU’s system of relocation of asylum-seekers (which I previously discussed here), for a period of one year. There’s a non-binding Commission Recommendation for a voluntary humanitarian admission programme of refugees from Turkey. Finally, there are Commission reports on the operation of the ‘hotspots’ for immigration control in Greece and Italy, and on the application of the recent plan to manage asylum and migration flows coming through the Western Balkans.

The new European Border and Coast Guard

As noted already, the proposal would replace the existing legislation establishing Frontex, which was first adopted in 2004, then amended in 2007 and 2011. (I previously produced a codified text of the Regulation – see here). To compare it with the text of the rules it replaces, see the Annex to the proposal. There would be no change to the separate legislation, adopted in 2014, which regulates Frontex actions as regards maritime surveillance (see my comments on that law here).

It should be emphasised that the legislation would not apply to the UK or Ireland, because they don’t participate fully in Frontex. In fact, according to CJEU case law, they can’t participate fully in Frontex unless they join the Schengen system fully – which is hardly likely, to say the least (it would require a referendum in the UK). However, the current loose cooperation between Frontex, the UK and Ireland would be retained, particularly for joint expulsions.

These new rules would – if agreed – significantly transform the status and role of Frontex. I won’t examine every detail for now (I might come back to the finer points during or at the end of the negotiations). Rather, my focus here is on the key aspects of the proposal. Keep in mind that this proposal is far from a ‘done deal’, since it has to be approved by a qualified majority in the Council (the UK and Ireland don’t have a vote, due to their opt-out) as well as the European Parliament. Already press stories suggest that many Member States oppose some key features of the proposal.

The first key feature of the law is the relationship between Frontex and national border forces. At present, the current Regulation states that ‘the responsibility for the control and surveillance of the external borders lies with the Member States’. Frontex is merely tasked with the ‘coordination’ of national forces.

But the proposed Regulation would, in effect, promote Frontex from the job of tea lady to the role of chief executive officer. The new law would not just upgrade the EU agency itself, but create a ‘European Border and Coast Guard’ consisting of national forces and the Agency. The Agency will adopt an ‘operational and technical strategy for the European integrated border control management’. National authorities then adopt their own strategies, but they must be ‘coherent’ with the Agency’s strategy. To put the strategy into effect, the Agency will not only be ‘reinforcing, assessing and coordinating’ national forces, but also taking control of them when Member States are not able to do so effectively.

The current tasks of Frontex – training, risk analysis, research, operational support, border surveillance, and support for expulsions – would all be retained and considerably enhanced. For instance, Frontex would have powers to send liaison officers to Member States, to check the ‘vulnerability’ of external border controls, to create a ‘return office’, and to gather and analyse more personal data. It would also have powers to send staff to third countries to participate in operations, not just (as at present) liaison officers. It would have more staff and funding, as well as reserve forces from Member States to call upon for border control or joint return operations. Most significantly, it would be able to send forces to an external border, in certain cases, without a Member State’s consent.

Is this power compatible with the limits on the powers of the EU? Article 72 TFEU states that the Justice and Home Affairs (JHA) Title of the Treaty ‘shall not affect the exercises of the responsibilities incumbent upon Member States with regard to the maintenance of law and order and the safeguarding of internal security’. This Article must apply to border control as well as policing, since there was an equivalent clause in the border controls and immigration Title of the Treaty before it was merged with the policing rules by the Treaty of Lisbon. It obviously does not rob the EU of all power to adopt laws regulating borders, since Article 77 TFEU goes on to confer powers to adopt laws on ‘the checks to which persons crossing external borders are subject’ and which are ‘necessary for the gradual establishment of an integrated management system for external borders’.

But the JHA Title specifically restricts EU powers regarding intelligence agencies, and bans coercive powers for Europol (the EU police agency) and prosecutorial powers for Eurojust (the EU prosecutors’ agency). In my view these restrictions are particular applications of the general rule set out in Article 72, which must mean that while the EU can establish rules on border controls and regulate how Member States’ authorities implement them, it cannot itself replace Member States’ powers of coercion or control, or require Member States to carry out a particular operation.  This is consistent with Article 4(2) TEU, which requires the EU to respect Member States’ ‘essential state functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding internal security’, and with the requirement that any common EU defence would have to be agreed unanimously and ratified by national parliaments.

So the EU does not have the powers to send Frontex or its reserve forces to other Member States without their consent, or to require Member States to deploy those reserve forces without their consent either. Moreover, this is politically problematic for many Member States, who have historic concerns about foreign forces coming on to their territory without consent, stemming from the Cold War, the Second World War, and earlier history besides. While Frontex and its reserves should not be regarded as an ‘army’, due to their limited size and functions, they will nonetheless be perceived as such. So this aspect of the proposals is not only legally suspect, but politically ill-judged.

What to make of Frontex’s other enhanced powers, which Member States are rather more likely to accept? The key issue here is the accountability of Frontex for human rights abuses. The agency has fought a long battle with the EU Ombudsman to evade any accountability for individual cases, but it would finally lose that war, if this proposal is accepted. Individuals (or someone acting on their behalf) could make a complaint about human rights abuses, but it would be rejected if it was ‘anonymous, malicious, frivolous, vexatious, hypothetical or inaccurate’. Each complaint would go through the Frontex Fundamental Rights Officer, who would decide on admissibility and then either forward the complaint to the Frontex Executive Director or a national border force. If the complaint is well-founded it will be followed up, possibly by disciplinary action.

However, the proposed process is inadequate. The Executive Director, who will decide on the merits of admissible claims, is obviously not independent of Frontex. There is no reference to a remedy if the complainant believes that his or his complaint has been wrongly rejected as inadmissible or not well-founded. Even where Frontex considers the complaint well-founded, the remedies are ineffective: there is no reference to damages, or a possible criminal prosecution in the most outrageous cases. Furthermore, the new rules are limited in scope, as they do not apply to national border guards, who are responsible for alleged cases of illegal push-backs and assaults upon migrants. To address this, the other proposals released yesterday should be amended to require Member States to hold independent investigations with effective remedies in any case where national border guards are alleged to have acted in breach of fundamental rights.

There is also a need for specific rules regulating Frontex (and national authorities’) action as regards the ‘hotspots’ for migrants at external borders, to clarify that they are not making decisions on the merits of asylum applications or issuing return decisions, and that only national authorities can make such decisions with full respect for the safeguards and content of EU and national law. (For more on the lack of clarity regarding the ‘hotspots’, see Frances’ Webber’s analysis here).

Other new measures

The most significant other new measure is the proposal for changes to theSchengen Borders Code. At present (see codified text here), Member States must check EU citizens at the external borders (either on entry or exit), to ensure that they hold an EU Member State’s passport which is not registered as lost or stolen. But there is no obligation to check them in security databases, except on a ‘non-systematic basis’. As for non-EU citizens, they must be more thoroughly checked on entry, including the use of security databases, but on exit the consultation is only optional, and security checks need only be carried out ‘wherever possible’.

Both sets of rules would be amended by the new proposal. EU citizens would have to be checked in security databases, both on entry and exit. But if this ‘would have a disproportionate impact on the flow of traffic’ at land and sea borders, Member States could decide to carry out such checks on a ‘targeted’ basis. There is no such derogation for air borders, which will also be subject to separate legislation (recently agreed in principle) concerning the collection of passenger records (Member States will also apply this law to internal Schengen flights). Also, the enhanced border checks won’t be recorded as such in a database, although that would happen in future if recent plans to include EU citizens in the future ‘smart borders’ rules are put into effect. As for non-EU citizens, the current derogation relating to exit will be abolished, and there will always have to be a check in security databases, regardless of any disproportionate impact on traffic.

So overall, checks on EU citizens in security databases would no longer be the exception to the rule (as at present); they would be the rule – subject to exceptions. The exceptions are relatively limited and the proposal does not accept that pressure at air borders could also be ‘disproportionate’. Surely that is a possibility, since if checks add several seconds each to a check of hundreds of disembarking passengers, a back-up could swiftly ensue. Given that data on air passenger movements will soon be recorded anyway, and that the Schengen Information System can’t be used to deny entry to EU citizens, the only practical use for the new rules would be in catching someone who was meant to be arrested, perhaps on the basis of a European Arrest Warrant, or who should be placed under surveillance. But in the latter case it might be awkward to arrange for the surveillance to start without tipping off the person concerned that it’s happening. The proposal might prove useful in detecting people subject to potential arrest due to suspicion of receiving terrorist training (see the separate recent proposal on this point), but is it really necessary for that purpose that it apply at all air borders?

Overall, it may be questionable whether any increase in security that may result from this proposal is proportionate to its impact on passenger movements. There would be a stronger case to amend the Borders Code to allow Member States to check certain flights or border crossings systematically following a risk assessment. This may give rise to concerns about discrimination, but there are already distinctions based on nationality as to who needs a visa, and it would have to be specified that all those on the particular flight must be checked – not just those who ‘appear Muslim’. Checks on all flights could only be justified if it were clear that ‘foreign fighters’ were returning to the EU via other countries too.

As for the other proposals, the Regulation on a standard travel document for expulsion would not change the substantive rules on expulsion; time will tell if it leads to non-EU countries accepting more expelled persons.

The real problem is with the lack of ambition of the asylum measures. As noted above, the only binding measure suggested yesterday would exempt Sweden from the EU’s relocation rules. This is largely a cosmetic gesture, since only a tiny fraction of the 160,000 who were meant to be relocated – which anyway is not a huge proportion of those entering Greece and Italy – have in fact been relocated. In the meantime, the capacity of Greece and other States to register migrants, process asylum applications, and ensure basic living conditions for the persons concerned is clearly under immense strain.

What the EU really needs is a new strategy to deal with these protection and humanitarian needs. Is there anything it can do to make the relocation programme work? Failing that, can it assist Member States to process asylum applications, or do more than it is doing to ensure basic living conditions are satisfied? Why the focus on empowering Frontex, and no parallel attempt to empower the EU’s asylum support agency to play a greater role to address some or all of these issues?

Furthermore, pending a full review of the EU’s Dublin system (to be completed early next year), the Commission could at least have issued a recommendation to Member States on how to apply the existing Dublin rules on family reunion, and to widen the admission of family members to admit siblings, and the relatives of EU citizens or non-EU citizens who are legally resident other than as refugees or asylum-seekers.

As Thomas Spijkerboer and Tamara Last have pointed out, there is no shortage of migration controls in the EU. The death toll of migrants and refugees has built up over the decades in which visa requirements were imposed and carriers were sanctioned for letting those without authorisation get on a flight or a ferry. Bolstering Frontex may have an impact on the management of those who arrive, but solves neither the underlying problems in the country of origin or the huge pressure placed on national asylum systems – or the human misery that accompanies it.

The new Europol: no more European FBI, not yet European NSA…

by Emilio DE CAPITANI

On November 30th the European Parliament Civil Liberties Committee “informally”  endorsed (by 43 votes to 5 with 4 abstentions) the text that the Council will soon adopt as “its” position on the post-Lisbon European Union Agency for Law Enforcement Cooperation and Training (Europol).

Following the “informal” interinstitutional practice of the so-called “legislative trilogues” (particularly the so-called “early second reading” agreements), the Chair of the LIBE Committee has already addressed a letter to the President of the Permanent Representatives Committee announcing that when the Council will formally send the text to the plenary, LIBE will recommend the Council’s text be approved  without amendments in the Parliament’s second reading so that the legislative procedure will be finalized and the “informally” agreed text (after some linguistic corrections) could be published in the coming months in the Official Journal.

I have already expressed my strong personal reservations on the legitimacy of such “informal” practices, notably because they are done in secret when treaties require the transparency of legislative debates (and negotiations) also for the Council. In the Europol case the latest public texts were: the first “reading” of the EP adopted on 25 February 2014 (at the end of the previous legislature) and the “general approach” of the Council  on 5 June 2014. Ten secret “trilogues” have been held in the following 16 months until suddenly, at the end of November 2015, a draft compromise has finally emerged and has been submitted to the vote of the Coreper and of the Parliamentary committee, paving the way to the “formal” legislative procedure.

Leaving aside European procedural (and democratic) intricacies, the text agreed (see below) is far below what could have been expected after the entry into force, six years ago, of the Lisbon Treaty. Because of the confidentiality of the negotiations, it is difficult to say now if such of a low-level compromise is due to the lack of ambition of the European Parliament or, more likely, of the EU Member States.

What is evident even from a quick reading, is that most of the possible improvements resulting from the Lisbon treaty have not been agreed and even if many things have apparently changed, the most important aspects are still as they were in the pre-Lisbon era (not to say the Maastricht era) and some new worrying aspects are taking shape.

First and foremost, the revision of the most important tool for police cooperation is taking place in the absence of a comprehensive post-Lisbon legally binding framework for police cooperation, as could have been done on the basis of art.87 of the TFEU.  So, even if the new Regulation recognises that “Large-scale criminal and terrorist networks pose a significant threat to the internal security of the Union and to the safety and livelihood of its citizens”  it  considers that such “EU internal security” matters should remain framed only by the Council and the Commission with “soft law” tools like the European Internal Security Strategy or the so-called “Policy Cycle”. The problem is that these tools associate the Member States only on a voluntary basis so there is no assurance that the common goals which have been defined will be reached nor is it possible to sanction those who do not contribute as was originally planned. Even the creation of a Center of excellence pooling important technical and human resources to fight Cybercrime or Terrorism as was (at last!) recently decided remains in the form of important opportunities offered to the EU member states and not of common binding tools. Unlike Frontex which is playing an increasing role in a well settled EU binding legislative framework (Schengen Border Code and EUROSUR), Europol is still floating in an unchartered legislative framework and building its own mission as a permanent laboratory or a taxi for Member states which are willing to use it. Last but not least, relying on “soft law instruments” makes the role of the European Parliament irrelevant, even if the latter try to follow up the initiatives taken by the Council and/or the Commission (a situation which is hardly acceptable for an EU which, after Lisbon, claims to be bound by democratic principles…) with non-binding resolutions.

This aspect should be very present in the EP’s mind as it has been co-responsible of EU policies linked with police and judicial cooperation in criminal matters for six years but for inexplicable reasons it continues to accept being marginalized, as happened with this draft Regulation in which the objectives of Europol’s activity will be defined only by …the Council and the Commission (not to speak of the EU Member States which are represented on its Management Board).

Even more surprisingly the European Parliament, which is also the Budgetary authority (which finances EUROPOL with 80/90 million euros per year), does not ask to have a say on the appointment of the Director of the Agency. Even in countries (such as the USA) where there is a clear distinction between the executive and the legislature the official responsible for federal agencies should have the approval of the Congress..

Even more worrying is the way in which the management of classified informations is framed. Here the draft Regulation takes the “originator principle” as the cornerstone of everything and places private entities, third countries and EU Member States or other EU and National agencies on the same ground. Now, in a European Union which claims to be founded on the principle of the rule of law, it is the legislator who should decide under which conditions information can be classified / declassified and has to be shared in the interest of the EU regardless of the good or bad will of the “originator”. Moreover, the principle of loyal cooperation should frame relations between EU institutions, agencies and bodies so that each one of them could fulfil its constitutional role regardless of the will of the “originator”.

Under this perspective the treatment that the European Parliament has accepted in this regulation is grotesque because it has accepted to be bound by the internal security rules of ….the Council and not by legislation to be adopted on the basis of art. 15 of the TFEU (and of the Charter). The point is not who should be the winner of an inter institutional game, as much as who among the EU institutions the European citizens can trust. By abdicating to its role the EP is thus deliberately weakening its own legitimacy and the democratic principles on which the EU claims to be founded.

Another weak aspect of the new text is the absence of a real link (and interdependence) with the judicial dimension of the European Freedom Security and Justice Area. Such a link, which is vital in the member states to avoid possible abuses on the police side, is practically absent in the new regulation which makes a vague reference to administrative agreements with Eurojust and plainly ignores its possible relation to the future European Public Prosecutor  who ” shall be responsible for investigating, prosecuting and bringing to judgment, where appropriate in liaison with Europol, the perpetrators of, and accomplices in, offences against the Union’s financial interests,….” (art.86.2 TFEU). The point is that Europol, by claiming an increasing role in the collection and treatment of intelligence informations linked with Cybersecurity, Terrorism and PNR, is trying to become the main EU “intelligence information hub” which brings it closer to the model of an EU National Security Agency than to a European FBI as it was in its first phase.

A further weak aspect of the draft Regulation is the protection of personal data where the situation is so confused that, in a declaration attached to the text, the EP and Council already declare: “… that, following the adoption of the proposed General Data Protection Regulation and Data Protection Directive for data processing in the police and justice sector, including the new, soon to be created European Data Protection Board, and in light of the announced review of Regulation (EC) No 45/2001, the different mechanisms for cooperation between the European Data Protection Supervisor and the national supervisory authorities in this field, including the Cooperation Board set up in this Regulation, should in the future be reorganised in such a way as to ensure effectiveness and consistency and avoid unnecessary duplication, without prejudice to the Commission’s right of initiative.”

Many other points may be raised, but if you are really interested, have a look at the text below (which is over 90 pages long..).

Continue reading “The new Europol: no more European FBI, not yet European NSA…”

Can Schengen be suspended because of Greece? Should it be?

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by Steve Peers

A leaked Council document (see separate blog post) suggests in effect that the Schengen system should be suspended for up two years, due to ‘systemic deficiencies’ in the control of external borders by Greece. That would allow any Schengen States which wish to do so to maintain or introduce border checks on their ‘internal’ borders with each other. Probably not all Schengen States would take this opportunity, but many would (especially since a number of them already do so). This follows a recent press report in the Financial Times (paywalled), which states that some Member States are considering threatening to throw Greece out of the Schengen system, due to its management of refugees and migrants at the external borders.

It’s possible that the general threat to suspend Schengen is intended as a threat to suspend Greece only, but is simply badly drafted. Or perhaps the idea is to threaten to suspend the whole of Schengen, and pin the blame on Greece. Either way, in my view, this threat is seriously mistaken, for both legal and political reasons.

The Legal Framework

In principle, the Schengen system can’t be scrapped completely without amending the EU Treaties, since the Treaties refer to it several times. Instead, there are two types of possible suspensions: short-term (up to three months) and long-term (up to two years). The leaked Council document refers to use of the long-term suspension.

The short-term waiver rules have always formed part of the Schengen system. They allow individual Member States to reimpose checks on internal borders  for a short time, for reasons of public policy and public security. Over the years, those provisions have often been invoked by Member States, usually for a few days during an international summit or football tournament. This autumn, they have been invoked more often and for longer periods, as a response to the refugee crisis affecting the continent. Since this reintroduction is only allowed for a maximum period of six months, there is an upcoming legal problem if Member States with to prolong these controls past next spring.

But a newer, different set of rules apply to suspending a Member State from the Schengen system. As a response to the ‘Arab Spring’ of 2011, and a spat between Italy and France over responsibility for some Tunisians, the Schengen rules were amended in 2013 in order to provide for the collective reimposition of internal border controls for up to two years. Those amendments need to be read in conjunction with the rest of the rules which they amended. So I suggest you read them in the codified version (showing the amendments), which is set out in an Annex to the report which I wrote for the SIEPS thinktank on the revised rules (start on page 121).

These amendments were generally understood as providing in effect for the possible suspension of individual Member States from the Schengen system. However, that is not expressly set out in the rules, and the leaked Council document clearly intends something broader, since it refers explicitly to continuation of existing border checks, ie between Germany and Austria, not (only) between other Member States and Greece. But the role of individual Member States is still relevant, because this collective suspension of Schengen can only be triggered if there are ‘serious deficiencies’ in how one Member State applies the Schengen external borders rules.

The process would start with a Commission recommendation following a Schengen evaluation, according to the separate rules (also amended in 2013) on the process of assessing whether Schengen states comply with their obligations. If the Commission finds in its report that there are ‘serious deficiencies’ in a Member State complying with its external border control obligations, then it can recommend that this country take ‘specific measures’, including accepting assistance from the EU’s border agency, Frontex, and submitting plans for Frontex to assess.

If there is not enough action on settling these problems within three months, the process can escalate. In ‘exceptional cases’ where there is a ‘serious threat to public policy or public security’ in the Schengen area or parts of it, the Council can recommend ‘as a last resort’ to Member States that they reimpose border controls against that Member State for periods of six months, renewable up to the two-year maximum. It’s arguable that this process can be fast-tracked and be applied even without giving the Member State three months to fix its problems.  Since Member States would have to vote in favour of it in the Council (by a qualified majority), it can be assumed that most Member States would then follow this recommendation. The Council has to act on a proposal from the Commission, but Member States can request the Commission to make such a proposal.

In adopting this recommendation, the Council has to assess whether it will ‘adequately remedy’ the threat to public policy, as well as the ‘proportionality’ of the measure in relation to the threat. This must be based on detailed information, and consider the EU assistance which was provided or which could have been requested, the likely impact of the deficiencies in border control upon the threat to public policy or public security, and the impact on the free movement of persons.

The legality of suspending Schengen and/or sanctioning Greece

It’s not clear exactly where we stand in the process as regards Greece. The Commission has recently adopted a Schengen evaluation report, but it’s not public. It’s not even clear if that report concerns Greece (all Schengen states are evaluated). So it would take a while (three months after a formal finding of ‘serious deficiencies’, which hasn’t happened yet as far as I know) before Greece could be sanctioned, unless the process is fast-tracked.

Indeed, the Council document seems to be aiming to fast-track the process. It wants the Council already to request a Commission recommendation to suspend the abolition of border controls for up to two years. Since (as far as I am aware) there’s not even a finding of Greek ‘serious deficiencies’ yet, there’s obviously not yet a three month period during which those problems continued. And the Council document doesn’t even attempt to assess whether the substantive criteria apply; the intention simply seems to be to find some way to justify a longer period to continue the internal border checks which Member States have reintroduced recently.

If the current threats get to the stage of a Council Recommendation that border controls be reimposed, it’s not clear if Greece could sue the Council in the EU Court of Justice (since technically Recommendations are not binding), or would have to sue Member States for following the Recommendation instead. Individual travellers could also sue Member States in national courts for imposing border controls, indirectly challenging the legality of the Recommendation; national courts could then send the issue to the Court of Justice.

Procedural issues apart, is there a substantive case for suspending Schengen rules and reimposing border controls, because of ‘serious deficiencies’ due to Greek control of the external border? In my view, there are serious doubts that there is such a case, for two main reasons.

First of all, according to the Financial Times article, other Member States are annoyed because Greece did not accept the support of Frontex, register enough asylum-seekers, or request humanitarian aid to assist them. While the failure to request support from Frontex is referred to in the EU border controls legislation, the other issues are not. And for very good reason: because the failure to control the numbers of refugees at the external borders is NOT a breach of the Schengen rules.

This assertion may seem surprising, because the critics of the EU’s response to the refugee crisis – on either side of the argument – often assume that EU law requires refugees and asylum-seekers to be refused entry at the borders. From one side, the EU is criticised for letting refugees and asylum-seekers in, and therefore ‘not protecting its borders’. From the other side, the EU is criticised for establishing a ‘Fortress Europe’.

Both sides are clearly wrong – at least, on this specific legal issue. This follows from the Schengen Borders Code itself, which expressly exempts refugees from the rules on penalising non-EU citizens for unauthorised entry across the borders, and includes an exemption from the usual conditions on border crossing if the non-EU citizen is claiming asylum. It equally follows from the EU’s asylum procedures Directive, which requires Member States to process not only asylum applications made on the territory, but also those made at the border. (Of course, Member States don’t always fully comply with their EU legal obligations).

So it’s really the border crossing rule itself which is controversial, not Greece’s failure to apply it. There’s a political problem with the rule in practice, either because (from one side’s perspective) it is no longer keeping out enough people, or (from the other side’s perspective), it is too difficult for genuine refugees to reachEU territory without the risk of drowning or paying money to smugglers.

But for the purposes of finding that there are ‘serious deficiencies’ in Greek control of the external border, the point is that Greece is not failing in any obligation to stop asylum-seekers crossing the external borders – quite simply because there’s no such obligation. Just the opposite. Of course, due to the sheer scale of the numbers involved, it’s difficult for Greece to operate an effective asylum system, but that failure is subject to a wholly separate process. Indeed, the European Court of Human Rights and the CJEU have already said that Member States cannot send asylum-seekers back to Greece, because the asylum system has effectively collapsed there. The Dublin III Regulation sets out rules which apply in the event that the Dublin system has to be suspended for those reasons, and the EU has recently adopted Decisions (discussed here) to relieve the burden on Greece a little by relocating some asylum-seekers from that country.

Of course, some of those who cross the Greek border do not apply for asylum immediately, or later fail in their asylum applications. According to UNHCR statistics, about half of those recently arriving in the Greek island of Lesvos (the main destination) are coming from Syria and Iraq (countries with high refugee recognition rates) and half are coming from other countries, with lower recognition rates. In that context, it is legitimate to suggest that Greece ought to accept assistance from Frontex and other EU agencies, and that Frontex in particular has a role coordinating the fingerprinting and registration of people when they first arrive. (Fingerprinting of irregular migrants and asylum-seekers isn’t a panicked authoritarian response to the refugee crisis, as is sometimes suggested, but a long-standing EU law obligation, going back to 2003).

The second problem is the link between the Greek ‘deficiencies’ and the reimposition of border controls, either against Greece or between other Schengen states. There’s certainly no link between the deficiencies and the borders between Greece and other Schengen States, since none of those are land borders, and (would-be) asylum-seekers and refugees travel by land between Greece and other Member States. So checking people flying between Greece and other Schengen States would be hugely disproportionate to the relevant deficiencies.

What about border controls between other Schengen States? These are the controls that the Council document expressly wants to continue. Here there is a link between the people originally entering via Greece and later trying to cross the Austria/Germany border, for instance. But again, the real deficiencies are with the EU’s asylum system, not Greek border controls, since EU rules provide for admission of asylum-seekers. Asylum-seekers move on to other Member States because the Dublin rules were not drawn up with today’s increased numbers of asylum-seekers in mind, and Greece can’t manage the numbers that it would be responsible for under the rules. That’s certainly a problem – but that problem is notcaused by Greek deficiencies in external border controls. The EU has to use the legal instruments available under its asylum policy to try to fix it.

Political context

Although it’s not evident from the face of the document, the political context of the Council paper may be an attempt to convince Greece to agree to further measures relating to border control. That’s evident from the Financial Times article, which conveys several Member States’ allegations against Greece (summarised above). In turn, the Greek government has defended itself and made counter-allegations against the EU, which are summarised in a Guardian article.

In some ways, this resembles the attempt by some Member States this summer to coerce Greece to leave the euro ‘temporarily’. As I argued at the time, this process did not have a shred of legality, unless we use the creative argument that Greece had never legally joined the euro.

However, there are differences as regards Schengen. There is on paper a process to suspend Schengen rules temporarily; the only question is the correct interpretation of those rules. Undoubtedly some will not share my interpretation above, and would argue that defects in the asylum system are implicitly part of the assessment of whether there are ‘serious deficiencies’ in external border control. In the absence of case law to date, it’s an open question which of us would be correct. It’s also an open question whether the Commission – which has made much of its strong support for Schengen – would be willing to suggest a suspension for two years.

Even if it’s legal to threaten Greece this way, is it wise? The EU was heavily criticised for trying to strong-arm Greece as regards the euro – although technically it wasn’t the EU institutions making the threats last summer, but rather the parallel ‘Eurogroup’ bodies which are not an ordinary part of the EU’s political system.

Far better for the EU to redouble its efforts to help both Greece and the people concerned, by ensuring that there are decent reception centres and living conditions in the country, by making greater effort to ensure that the relocation system works, and by working with Turkey to genuinely improve the living conditions of refugees there, so that fewer of them want to leave (more on that recent EU/Turkey deal in a later blog post).

As regards Schengen itself, if a temporary suspension is strongly desired, it might be better to provide for it by means of a legislative amendment to the Schengen Borders Code (with a ‘sunset clause’ providing for its expiry, since permanent suspension would violate the Treaties) rather than by the indirect means of threatening Greece. Or an amendment to the rules on checks near the internal borders could justify some occasional checks in the event of dysfunctional applications of EU asylum rules, if fixing those rules proves politically impossible – as well it might.

Schengen, un coupable idéal ?

ORIGINAL PUBLISHED ON CDRE SITE (25 NOVEMBRE 2015)

par Henri Labayle, 

Les réalisations européennes servent de bouc émissaire aux crises nationales. Ce n’est pas chose nouvelle. Après l’Euro, l’espace « Schengen » de l’Union est aujourd’hui sur la sellette. Les attentats terroristes lui auraient donné le coup de grâce, après ceux de la crise des migrants. Est-ce bien réaliste, est-ce vraiment opportun ?

Les discours officiels relèvent ici de la vieille fable de la paille et de la poutre. C’est aux Etats membres eux-mêmes que le conseil du ministre de l’Intérieur français de « se reprendre » devrait être donné tant la construction de Schengen est dépendante de leur volonté. Néanmoins, le réalisme interdit l’optimisme. Ayant perdu de vue ses caractéristiques initiales, Schengen n’échappera pas à une remise en question profonde.
Le fabuleux destin de l’espace Schengen, sa « success story », enregistrent incontestablement au coup d’arrêt, dont il conviendra de mesurer l’impact réel. Il y a des explications à cela.

1. Une construction datée

Les principes de Schengen sont inscrits désormais dans les traités : abolition des contrôles aux frontières intérieures, reportés là où l’espace commun est en contact avec les pays tiers. Sont-ils toujours à la hauteur des défis ? Répondent-ils à la menace terroriste comme à la pression migratoire ? A trop raisonner à logiciel constant, on peut en douter.

Le contexte de la création de Schengen, en 1985, a été oublié. Fruit d’un accord bilatéral franco-allemand, rejoint par les Etats du Bénélux, Schengen s’inscrivait dans un paysage aujourd’hui disparu : peu de participants, ensemble homogène animé des mêmes buts. Au point d’être scellé dans une convention d’application dont la date n’est pas indifférente : 1990, au lendemain de la chute du mur de Berlin …

En attendre une réponse efficace à des défis qui n’existaient pas lors de sa conception est un peu simpliste.
Que Schengen n’ait pas été à même, en 2015, d’arrêter les flots de réfugiés remontant le ventre mou du couloir des Balkans s’explique : il a été conçu en 1990 dans la logique d’un continent fermé, d’une Europe coupée en deux par le rideau de fer, ignorant les 7700 kilomètres de frontières terrestres devenues les siennes aujourd’hui. Figée dans une problématique Nord/Sud, l’Europe de l’époque n’avait aucune idée de la dimension Est/Ouest qui s’y est surajoutée.
Le contexte géopolitique de l’époque le confirme. L’environnement de Schengen était fait de l’Union soviétique de Gromyko au Maroc d’Hassan II en passant par la Tunisie de Ben Ali et la Libye de Kadhafi, sans parler de la Syrie ou de la Yougoslavie de Tito. Les dictateurs qui l’entouraient étaient ses meilleurs garde-frontières et la vague migratoire de 2015 inimaginable …

L’argument vaut aussi en matière terroriste. Oubli ou mauvaise foi des partisans d’un retour aux frontières nationales, celles-ci font obstacle à la lutte anti-terroriste. D’ETA réfugié en France à l’IRA en République d’Irlande ou à la bande à Baader en France, les exemples ne manquent pas. Leur maîtrise nationale empêcha-t-elle la vague d’attentats des années 80 en France ? Evidemment non.
Pour autant, « l’obsession » de la frontière justement décrite par Michel Foucher n’a pas disparu. En fait, Schengen se borne à déplacer le lieu où la frontière joue toujours son rôle de barrière, de protection. Il est un compromis entre l’ouverture d’un continent, notamment pour des besoins économiques, et sa fermeture, pour des raisons sécuritaires.

La crise de 2015 met ouvertement en question l’équilibre de ce compromis, sa capacité à assumer la fonction sécuritaire de la frontière commune. Les Etats, en trente ans, l’ont construit et maintenu envers toute logique, d’où leur responsabilité centrale.

2. Des compromis boiteux

Habillé d’un prétexte sécuritaire, ce que l’on appelait à l’époque le « déficit sécuritaire », Schengen répondait en fait à une autre réalité : celle du besoin économique d’un continent asphyxié, cloisonné en Etats aussi nombreux que petits. Le marché intérieur, lancé exactement à la même période, ne pouvait s’en satisfaire.
Le détour par la case « sécurité » dissimule à peine cette vérité. Ouvrir l’espace intérieur était d’abord un impératif économique, satisfaisant les opérateurs mais plus facile à assumer en mettant en avant la lutte contre l’immigration ou le crime. La réinstauration des contrôles provoquée par la crise des attentats de Paris confirme l’impact économique de cette ouverture : retards dans les aéroports, kilomètres de bouchons sur les autoroutes aux passages frontaliers avec l’Espagne ou l’Italie… Le compromis entre mobilité et sécurité, pourtant exclusivement au cœur du projet initial Schengen, s’est réalisé au détriment de la seconde. Quitte à ignorer les aspirations des citoyens européens.
D’autant que, dans sa quête de points d’appui, la construction européenne s’est emparée de Schengen pour en faire un symbole. Curieux retournement des choses, Schengen vilipendé lors de sa création, stigmatisé parce que qualifié de « liberticide » et que « l’Europe des polices » était alors un gros mot, fut ensuite présenté comme l’acquis principal de la liberté des citoyens européens. Avant aujourd’hui d’être à nouveau accusé de tous les maux d’une intégration européenne qu’il ne réalise pourtant pas.

La vérité se cache ailleurs. A force de non-dits et de compromis étatiques, la démarche sécuritaire quasi-exclusive sur laquelle reposait Schengen initialement s’est progressivement banalisée.
Elle imposait le respect d’un certain nombre de principes. Avant toute autre chose, celui de la responsabilité de chaque Etat, garant par son sérieux de la sécurité de tous. D’où le refus initial de l’ouvrir à des partenaires jugés peu fiables, de l’Italie à la péninsule ibérique ou à la Grèce.
La logique communautaire, celle des élargissements, l’a emporté sur ce paramètre. Une prétendue « confiance mutuelle » entre Etats a été vantée dans un univers où la méfiance demeure la règle, peu sensible au credo du monde libéral.

Puisque, depuis des années, la Grèce était une passoire et ne remplissait plus ses obligations, comment s’étonner que le système ait volé en éclat au début de l’été ? Puisque, depuis des années, le système dit de « Dublin » (imaginé à Schengen) ne remplissait pas son office, pourquoi s’étonner de l’abcès de fixation ouvert hier à Sangatte, aujourd’hui à Calais ? Enfin, faute de donner un sens au mot « sanction », pourquoi l’Union européenne ne s’est-elle pas préoccupée d’une réaction vigoureuse, réservant ses foudres aux eaux de baignade et aux aides d’Etat …

Arbitrant au moyen de compromis médiocres, quand il aurait sans doute fallu établir publiquement et respecter des priorités politiques, l’Union s’est donc trouvée démunie lorsque la bise est venue, lorsque les urnes nationales et européennes se sont emplies de votes protestataires. Faisant l’aubaine de partis extrémistes dépourvus de toute réponse réaliste, elle s’est ainsi placée sur la défensive.
L’impasse faite sur la dimension économique du contrôle des frontières illustre cette absence de pilotage. Le mirage des solutions technologiques de demain, les « smarts borders » et la biométrie, ajouté au lobbying des grandes multinationales désireuses d’obtenir les marchés publics y sacrifiant, ne peut dissimuler l’aberration consistant à confier la sécurité de tous à un Etat membre, la Grèce, étranglé financièrement et budgétairement pour les raisons que l’on sait …

S’il est exact que les Etats Unis consacrent 32 milliards de dollars à leur politique migratoire dont la moitié au contrôle des frontières, comment comprendre les 142 millions d’Euros du budget de Frontex ?

Dilué, Schengen a perdu de vue l’originalité de sa charge pour être appréhendé comme une politique ordinaire. Sauf que les Etats membres n’ont en rien abdiqué.

3. Une logique intergouvernementale

Laboratoire de la construction européenne, Schengen demeure une construction aux mains des Etats.
Au prix d’une certaine schizophrénie, les Etats ont en effet prétendu à la fois intégrer leur action mais en conserver la maîtrise. Entre ceux qui voulaient mais ne pouvaient pas en faire partie (la Bulgarie, la Roumanie), ceux qui pouvaient mais ne le voulaient pas (les iles britanniques), ceux qui ne pouvaient pas mais que l’on a voulu (la Suisse, la Norvège, l’Islande) et ceux qui ne pouvaient pas et dont on aurait pas du vouloir (la Grèce), Schengen est devenu un véritable patchwork.

La greffe aurait pu prendre. Elle n’a été qu’imparfaite.
D’abord car la diversité des situations nationales n’a pas disparu. D’une part, les législations et pratiques nationales demeurent suffisamment éloignées pour que l’effet « vases communicants » ne joue pas. Migrants comme criminels ont parfaitement identifié ces points faibles. D’autre part car le degré d’attraction des Etats membres de cet espace ne s’est pas réduit, rendant inutile le souhait de responsabiliser l’ensemble. Convaincus que l’Allemagne et la Suède étaient des eldorados, les demandeurs de refuge n’envisagent pas d’autre destination, pour la plus grande satisfaction des Etats membres qu’ils traversent et qui vont jusqu’à leur faciliter la tâche.

Ensuite, parce que les Etats refusent toujours la contrainte. En indiquant clairement dans son article 4 que « la sécurité nationale relève de la seule souveraineté de chaque Etat membre », le traité sur l’Union fixe une barrière infranchissable.

Les enseignements des commissions d’enquête au lendemain des attentats de Charlie Hebdo le confirment. Le dispositif européen est moins en cause que les conditions de sa mise en œuvre. La faillite de Schengen n’est pas dans la poursuite mais dans la prévention, dans le renseignement en amont des attentats et l’alimentation des outils communs qui n’est pas obligatoire. La qualité remarquable de l’action policière et judiciaire, y compris par delà la frontière franco-belge, ne dissimule la faillite de la prévention politique et policière, des deux cotés de cette frontière.
Comment Mehdi Nemmouche hier, Abaaoud ou les frères Abdeslam cette semaine, ont-ils pu perpétrer leurs crimes sans obstacle réel, échappant aux contrôles Schengen autant que nationaux ? Qui refusait jusqu’au Conseil de vendredi dernier d’inclure les « combattants étrangers » dans le SIS et pourquoi 5 Etats seulement fournissent-ils plus de la moitié des informations sur leurs déplacements au Système d’information d’Europol de l’aveu du coordinateur européen de la lutte contre le terrorisme ?

L’absence de transparence de l’Union ne facilite pas la réponse. La responsabilité des Etats membres est pourtant au cœur de ce fiasco, constat déjà posé après Charlie Hebdo, sans réelle suite.

La France n’y échappe pas, étonne par l’arrogance de notre discours public. Des failles de son contrôle judiciaire aux pannes de son système de fichier Chéops, à sa gestion des documents d’identité, aux  erreurs de ses services de renseignements ou aux moyens alloués et à l’autisme de ses gouvernants qui qualifient de simples « complicités françaises » l’action des terroristes de Paris, elle n’est pas en situation d’administrer les leçons qu’elle prétend donner à la Belgique et à l’Union.

Celle-ci doit pourtant se remettre en question.

Quant au périmètre de son action d’abord. Malgré le politiquement correct, la composition de l’espace commun où contrôles comme échanges de renseignement s’effectuent est une question ouverte. Les Pays Bas, comme d’autres, semblent réfléchir à un redimensionnement effectué soit par un repli, sur un petit nombre de partenaires performants, soit par une mise à l’écart, de membres jugés non fiables.

Quand au fond ensuite. Les principes d’organisation sur lesquels Schengen repose, frontières intérieures/extérieures demeurent aussi pertinents qu’hier. En revanche, ils ne peuvent plus se satisfaire du vide politique actuel. La cohérence exige de percevoir l’asile comme un même devoir, réclame de criminaliser le radicalisme et le terrorisme de façon identique. Ce préalable n’est pas satisfait aujourd’hui dans l’Union. De même que la « solidarité » doit avoir un sens concret pour les Etats membres, ces derniers doivent partager l’accueil des réfugiés et privilégier la coopération et la police judiciaires et la coordination des poursuites à l’action exclusive des services de renseignement. Dans tous les cas, il faut y mettre le prix.

Alors, pourquoi n’entendons nous pas les mots de « parquet européen », « d’équipes communes d’enquête », « d’Eurojust » ? Pourquoi l’essentiel du contingent de la relocalisation est-il encore vacant ? Parce que nous n’osons pas lever le tabou de l’action commune, de la quasi-fédéralisation qu’impliquent le développement des agences se substituant aux Etats défaillants, que nous prétendons que l’administration nationale des politiques européennes est toujours l’alpha et l’oméga de la construction européenne ?

L’hypothèse de l’avancée, même si celle du repli est peu crédible sinon impossible, est donc incertaine. A l’image de celle du projet européen tout entier dont Schengen demeure bien, toujours, un « laboratoire ».

Statewatch leaked document on the state of play of EU Antiterrorism policy (and its perspectives..)

On the Statewatch site is now accessible a very interesting document of the EU Counter terrorism Coordinator in preparation of the Justice and Home affairs Council meeting of December 4, 2015. Without prejudice of the political and legal judgment that anyone can have on the initiatives listed below the text gives a very comprehensive (and relatively objective ) view of the current state of play of the EU initiatives. It remains a mystery why this kind of purely descriptive documents are not directly accessible to the public, to the European and national parliaments.

EDC

DOC14438/15
NOTE From: EU Counter-Terrorism Coordinator To: Delegations
Subject: Report: State of play on implementation of the statement of the Members of the European Council of 12 February 2015 on counter-terrorism

The extraordinary Council (JHA) of 20 November 2015 highlighted the need to accelerate the implementation of all areas covered by the statement on counter-terrorism issued by the Members of the European Council on 12 February 2015 (doc 14406/15). Therefore, in preparation of the Council of 4 December 2015, this paper lists all the measures foreseen in the February 2015 Statement and assesses their implementation. Implementation of the Conclusions of the Council of 20 November 2015 will enhance implementation of the February 2015 statement.

Documents 9422/1/15 and 12318/15 drafted by the EU CTC assessed the state of implementation in June and October 2015. Document 12551/15, drafted by the Presidency and the EU CTC, was endorsed by the Council in October 2015. It suggests five priorities for action by December 2015. Discussion in the extraordinary JHA Council of 20 November (doc 14406/15) and COSI of 16 November 2016 focused on firearms, strengthening external border controls, information sharing and terrorist financing (doc 14122/15).

I. ENSURING THE SECURITY OF CITIZENS

  1. PNR

Following the adoption of the rapporteur’s report by the LIBE Committee on 15 July 2015, four trilogues and three technical meetings have taken place. Important differences of view between the Council and the EP remain, notably on the inclusion of internal flights, the scope (transnational element of serious crime) and the period during which PNR data can be stored in an unmasked manner. Agreement on many other issues is outstanding.

The rapporteur’s ability to broker a deal with the Presidency is hampered by the fact that, except for the EPP shadow rapporteur, his report was not supported by other shadow rapporteurs, but by a heterogeneous majority across party lines. The EP’s commitment in its resolution of 11 February 2015 to work towards passage of a PNR Directive by the end of 2015 has so far not been shared by the shadow rapporteurs (S&D, ALDE, Greens, GUE) who voted against the Kirkhope report.

As long as there is no EU PNR Directive, Member States who do not have national legislation do not have a legal basis to acquire data from carriers. On 20 November 2015, the Council reiterated the urgency and priority to finalise an ambitious EU PNR before the end of 2015.

  1. Information sharing

–   Europol: by November 2015, 14 EU MS had connected their counter terrorism authorities to the Secure Information Exchange Network Application (SIENA) hosted by Europol, a key enabling platform for information exchange. This means that half of the Member States are still not connected. Siena will be upgraded to “confidential” in 2016. Terrorism crime related information and intelligence exchange remains low. A dedicated area for counter-terrorism authorities was created in SIENA in October 2015, allowing for direct bilateral and multilateral communication between counter-terrorism authorities, with Europol and third parties with an operational cooperation agreement.

There has been a strong increase of the use of the Europol Information System (EIS) since December 2014. By 13 November 2015, 1595 foreign terrorist fighters have been registered in EIS by 14 EU MS, 5 third parties and Interpol. Nevertheless, considering the much higher number of existing EU foreign terrorist fighters and the fact that half of all EU MS still have not used EIS, the system is clearly a work in progress.

FP Travellers, both from a quantitative and qualitative perspective, is not yet a tool which can provide in depth analysis in relation to all contributed operational cases across the EU. To date, 50.45 % of all contributions originate from just five MS and one associated third country. 2081 confirmed foreign terrorist fighters have been entered into FP Travellers.

Europol will launch the European Counter-Terrorism Center (ECTC) in early 2016 to strengthen information exchange. This will provide inter alia a robust security and confidentiality framework. A more robust information-sharing and operational-coordination platform will be established at Europol as part of ECTC to connect the police CT authorities. In the Council Conclusions of 20 November 2015, Member States committed to seconding CT experts to the ECTC to form an enhanced cross-border investigation support unit and indicated that Eurojust should also be involved. As Europol is actively engaged in support of ongoing CT investigations in several Member States and has been tasked by the Council to set up the IRU and the ECTC, it will be important to increase Europol ‘s resources accordingly to achieve sustainability.

–   Eurojust: Operational cooperation and information sharing have increased considerably. But this still does not reflect the extent of ongoing investigations and prosecutions. Operational cooperation in terrorism cases referred to Eurojust for assistance has more than doubled (13 cases in 2014, 29 cases so far in 2015, cases related foreign terrorist fighters increased from 3 to 14). Ten coordination meetings in terrorist cases have been organized in 2015, four of which related to FTF. In November 2015, Eurojust coordinated a joint action in six countries in a case of a radical terrorist group, leading to 13 arrests. The information on prosecutions and convictions for terrorist offences shared with Eurojust has more than doubled since 2014. So far in 2015, 109 cases were opened at Eurojust in relation to information exchange on terrorist offences – 17 on court results and 92 on ongoing prosecutions.
This is a threefold increase on the figure for 2014. Eurojust also animates several relevant networks such as the network of national correspondents for terrorism matters and the consultative forum of prosecutors-General and Directors of Public Prosecutions, specialized cybercrime prosecutors etc. The association of Eurojust to Europol’s Focal Point Travellers has allowed for improved information exchange.

Update of the Framework Decision on Combating Terrorism: The EU signed the Council of Europe Convention on the Prevention of Terrorism and its additional Protocol on Foreign Terrorist Fighters on 22 October 2015 in Riga. The Commission plans to present a proposal for the update of the Framework Decision before the end of 2015.

  1. External border controls

    2. Continue reading “Statewatch leaked document on the state of play of EU Antiterrorism policy (and its perspectives..)”

Data retention and bulk data: sometime the Council raises some good questions. But what about the answers ?

It does not happen very often but in a PUBLIC document diffused yesterday the Council Presidency raises some very interesting questions arising from the 2014 CJEU ruling on data retention (see below). It is worth recalling that already at that time the Court justified its decision with reference not only to art. 8 of the Charter (protection of personal data) but also to art. 7 (protection of privacy). The same happened this year with the Schrems case which deals with a similar situation (even if referred to a third country). Quite surprisingly the Council Presidency does not make reference to this ruling even if , according some doctrine (see the Martin Scheinin position published here)  it contain already an answer to the first question. According to Martin Scheinin the Court by referring to Article 7 of the Charter makes clear that:  In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter…

When the “essence” itself of a fundamental right is threatened, according to art.52 of the Charter is no more question of verify the “proportionality” of this kind of measures as they would be per se against the Charter (and the Treaty)

Let’s see what will be the MS (and judiciary) reaction and if they will take this occasion to re-examine some wide ranging legislative proposals which foresee a generalised collection of personal data (PNR, Entry-exit systems, not to speak of the monthly bulk transmission of EU citizens personal data to the US administration within the EU-USA TFTP (“SWIFT”) agreement…).

EDC

 

DOC  14246/15 24 November 2015 NOTE
From:Presidency
To:Permanent Representatives Committee/Council
No. prev. doc.:14369, 13085/15, 11747/1/15 REV 1
Subject: Retention of electronic communication data – General debate

1. The invalidation of the Data Retention Directive 1 by the Court of Justice of the EU 2on the grounds that it disproportionately restricted the rights to privacy and to the protection of personal data, has given rise to questions in the Member States, in particular as regards national transposition legislation and the availability of electronic communication data collected for access by law enforcement authorities and their use as evidence in criminal proceedings.

2. Member States had been given a wide margin of discretion in the implementation of the Data Retention Directive. This lead to considerable differences in the national legal frameworks3, which are compounded by the varying consequences of the assessment of the national data retention schemes by national parliaments and courts, especially in view of the Data Retention Judgement and the pending “Tele2” case 4.

3. The Data Retention Judgement has not directly affected national implementing legislations of the Data Retention Directive and these remain valid until amended, or repealed by national parliaments, or invalidated by national courts, provided that they comply with Articles 7 and 8 of the Charter of Fundamental Rights of the EU. Member States thus find themselves in a situation where they no longer have an obligation deriving from a specific Union legal instrument to introduce or maintain a national data retention regime providing for the mandatory storage of electronic communication data by providers for the purposes of detecting, investigating, and prosecuting serious crime. However, Member States retain the possibility to do so under Article 15(1) of the “E-privacy Directive” 5.

4. Opinions diverge on the interpretation of the Court’s judgement and thus on the legality of schemes for retaining bulk electronic communication data without specific reason. This has inter alia resulted in a large variety of situations at national level6. Some Member States have already adopted or are in a process of preparing new legislation on data retention, that, according to the information received by delegations, aims at ensuring strengthened procedural guarantees and safeguards in compliance with the Charter and in line with the ruling of the Court (EE, ES, IE, LT, LU, LV, MT, PL), including some Member States where the national law has been invalidated by the constitutional Court (DE, BG, NL).

5.Eurojust’s analysis of the current situation7 and expert debates held during the Luxembourg Presidency8 highlight that this fragmentation of the legal framework on data retention across the Union has an impact on the effectiveness of criminal investigations and prosecutions at national level, in particular in terms of reliability and admissibility of evidence to the courts based on the collection of electronic communication data, as well as on cross-border judicial cooperation between Member States and internationally.

6 In view of these challenges and the legal, procedural and practical problems they pose for investigations and prosecutions of all kinds of crime, not in the least in relation to counter-terrorism, the Presidency invites Ministers to address the following questions:

  • Is the Data Retention Judgement to be interpreted in the sense that retaining bulk electronic communication data without specific reason is still allowed ?
  • Considering the current fragmented situation throughout the Union, and the consequences it entails, should an EU-wide response be considered or should it be up to individual Member States to address the issue ?
  • Should the Commission be invited to present a new legislative initiative and if yes in what timeframe ?

 

NOTES

1        Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
3        It is recalled that the transposition did not go easily in certain Member States, as a number of national constitutional courts annulled the national transposition laws for being contrary to the Constitution or the European Convention on Human Rights and certain national parliaments raised serious concerns.
2        Judgement of the Court of justice of the European Union (CJEU) (Grand Chamber) “Digital Rights Ireland and Seitlinger and others” of 8 April 2015 in joined Cases C-293/12 and C-594/12
4        The CJEU currently examines a preliminary ruling (pending Case C-203/15, lodged on 4 May 2015, Tele2 Sverige AB v. Post-och telestyrelsen ) on the compatibility of a national legislation (Swedish law in this case) to retain traffic data covering all persons, all means of electronic communication and all traffic data for the purpose of combating crime, with Article 15(1) of Directive 2002/58/EC (the e-privacy Directive), taking account of Articles 7, 8 and 15(1) of the Charter.
5        Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector
6        The current state of play is as follows: the transposition law of the Data Retention Directive has been invalidated in at least 11 Member States (AT, BE, BG, DE, LT, NL, PL, RO, SI, SK, UK). Amongst these, 9 countries have had the law invalidated by the Constitutional Court (AT, BE, BG, DE, SI, NL, PL, RO, SK). In 15 Member States (CY, CZ, DK, EE, ES, FI, FR, HR, HU, IE, LU, LV, MT, PT, SE) the domestic law on data retention remains in force, while they are still processing communication data.
7        Doc. 13085/15 and 13689/15
8        Doc. 11747/1/15 REV 1