(EUROPEAN LAW BLOG) EU/US Adequacy Negotiations and the Redress Challenge: How to Create an Independent Authority with Effective Remedy Powers (2)


Can the U.S. Government create, by non-statutory means, an independent redress authority capable of providing an effective remedy for a European person who believes that her or his rights have been infringed by an intelligence service? In this article we put forward a novel non-statutory solution that could resolve the “redress” problem in the EU/US adequacy negotiations. This solution is based on three “building blocks” inspired by methods utilized in U.S. administrative law. First, the U.S. Department of Justice should issue a binding regulation creating within that executive agency an independent “Foreign Intelligence Redress Authority” (FIRA). Second, the President should issue a separate Executive Order providing the necessary investigative powers and giving FIRA’s decisions binding effect across the intelligence agencies and other components of the U.S. government. Finally, European individuals could obtain judicial review of an independent redress decision by using the existing Administrative Procedure Act.

Our first article, published on January 31, concentrated on whether the U.S. Congress would necessarily have to enact a new statute in order to create an adequate redress mechanism. We examined political, practical, and U.S. constitutional difficulties in enacting such a statute. Based on careful attention to EU law, we concluded that relying on a non-statutory solution could be compatible with the “essential equivalence” requirements of Article 45 of the EU’s General Data Protection Regulation (GDPR), if the requisite substantive protections for redress were put into place.

This article examines, from both a U.S. and a European law perspective, measures that could address the substantive requirements, notably the deficiencies highlighted by the Court of Justice of the European Union (CJEU) in its Schrems II judgment: independence of the redress body; its ability to substantively review the requests; and its authority to issue decisions that are binding on the intelligence agencies. We discuss only the redress issues highlighted by the CJEU. We do not address here the other deficiency cited by the Court — whether U.S. surveillance statutes and procedures sufficiently incorporate principles of “necessity and proportionality” also required under EU law.

Part I of this article explains how the U.S. executive branch could create an independent administrative institution to review redress requests and complaints. The institution, which we call “FIRA”, would be similar in important ways to what in Europe is considered as an independent administrative authority, such as the several surveillance oversight/redress bodies operating in Europe and listed in the EU Agency for Fundamental Rights’ (FRA) 2017 comparative study on surveillance (p. 115 – in France, for example, the National Commission for Control of Intelligence Techniques, CNCTR). We submit that, in the U.S., such an institution could be based on a binding regulation adopted by the Department of Justice (DOJ). Despite being created by the executive branch, the independence of FIRA will be guaranteed, since leading U.S. Supreme Court precedent considers such a regulation to have binding effect and to protect members of the redress authority from interference by the President or the Attorney General. 

Next, Part II of this article assesses how the U.S. executive branch could provide the necessary investigatory powers for FIRA to review European requests and complaints and to adopt decisions binding upon intelligence agencies. This could be done through a Presidential Executive Order that the President may use to limit executive discretion. 

Finally, Part III of this article discusses the important question of whether the ultimate availability of judicial redress is necessary under EU law and whether there is a path under U.S. law to achieve it, despite the 2021 Supreme Court decision in the TransUnion case limiting standing in some privacy cases. We examine reasons why judicial review of decisions by the independent FIRA may not be required under EU law. Nonetheless, we describe a potential path to U.S. judicial review based on the existing Administrative Procedure Act.  

I. Creating an Independent Redress Authority

Based on our discussions with stakeholders, the most difficult intellectual challenge has been how a redress authority can be created within the executive branch yet have the necessary independence from it. We first present the EU criticisms of the Privacy Shield Ombudsperson approach, and then explain how a binding regulation issued by DOJ can address those criticisms satisfactorily. 

1. Identifying the problems of independence with the previous Privacy Shield mechanism

Four criteria for independence of the redress body have been identified by EU authorities in their critiques of the Ombudsperson approach included in the 2016 Privacy Shield. 

a) Protection against dismissal or revocation of the members of the redress body

A crucial measure of independence under EU law, is protection against removal of any member of the independent body. In Schrems II, the CJEU noted there was “nothing in [the Privacy Shield Decision] to indicate that the dismissal or revocation of the appointment of the Ombudsperson is accompanied by any particular guarantees” (§195), a point previously made in 2016 by the Article 29 Working Party (WP29) when it observed “the relative ease with which political appointees can be dismissed” (here, p. 51). Protection against removal is also recognized under U.S. law and a key indicator for independence.(1) 

b) Independence as protection against external intervention or pressure

Protection against external intervention is a major requirement for a redress authority, as stated by the Advocate General in his 2019 Schrems II Opinion

“The concept of independence has a first aspect, which is external and presumes that the body concerned is protected against external intervention or pressure liable to jeopardise the independent judgment of its members as regards proceedings before them” (note 213).  

By contrast, the Ombudsperson in the original Privacy Shield was “presented as being independent of the ‘intelligence community’, [but] (…) not independent of the executive” (§ 337). 

c) Impartiality

In the same opinion, Advocate General Saugmandsgaard Øe stressed (and the CJEU endorsed), the importance of impartiality: “The second aspect of [independence], which is internal, is linked to impartiality and seeks to ensure a level playing field for the parties to the proceedings and their respective interests with regard to the subject matter of those proceedings” (note 213, emphasis added). 

d)  Relationship to the intelligence community 

In its 2015 study on surveillance, FRA noted that there is a “Goldilocks” challenge concerning the ties between redress bodies and intelligence agencies: “While ties that are too close may lead to a conflict of interest, too much separation might result in oversight bodies that, while independent, are very poorly informed” (p. 71).  In 2016, the WP29 found that the Privacy Shield solution did not appropriately respond to this challenge:

“The Under Secretary is nominated by the U.S. President, directed by the Secretary of State as the Ombudsperson, and confirmed by the U.S. Senate in her role as Under Secretary. As the letter and the Memorandum representations stress, the Ombudsperson is ‘independent from the U.S. Intelligence community’. The WP29 however questions if the Ombudsperson is created within the most suitable department. Some knowledge and understanding of the workings of the intelligence community seems to be required in order to effectively fulfil the Ombudsperson’s role, while at the same time indeed sufficient distance from the intelligence community is required to be able to act independently.” (p.49)

2. How the creation of FIRA by DOJ Regulation could fix these problems 

To date, despite insightful discussions of the challenges, we have not seen any detailed public proposals for how the U.S. executive branch might create a redress institution to meet the strict EU requirements for independence.(2) One innovation, which we understand that the parties might now be considering, could be a binding U.S. regulation, issued by an agency pursuant to existing statutory authority, to create and govern FIRA. Crucially, leading U.S. Supreme Court cases have given binding effect to a comparable regulation, even in the face of objections by the President or Attorney General.

a) Binding DOJ regulation to ensure independence of the FIRA 

The Department of Justice could issue a regulation to create FIRA and guarantee its independent functioning.  It could guarantee independence for the members of FIRA, including protections against removal, in the same fashion.

Under the U.S. legal system, such an agency regulation has the force of law, making it suitable for defining the procedures for review of redress requests and complaints. DOJ regularly issues such regulations, under existing statutory authorities, and pursuant to established and public procedures. To protect against arbitrary or sudden change, modifying or repealing the regulation would require following the same public procedural steps as enacting the regulation in the first place did.  In Motor Vehicles Manufacturers Association vs. State Farm Mutual Automobile Insurance Co., the Supreme Court held that since a federal agency had the discretion to issue a regulation initially, it would have to utilize the same administrative procedures to repeal it.

In an EU/U.S. framework for a new Privacy Shield, the U.S. Government unilaterally could commit to maintain this DOJ regulation in force, and the European Commission could reference the U.S. commitment as a condition of its adequacy decision. This would provide both to the EU and to members of FIRA a guarantee against revocation of the regulation ensuring that the authority would act independently. 

b) Supreme Court precedents protect against external intervention or pressure 

During the Watergate scandal involving then-President Richard Nixon, the Department of Justice issued a regulation creating an independent “special prosecutor” (also called “independent counsel”) within that department. The special prosecutor was designed to be independent from Presidential control, with the regulation stipulating that he could not be removed except with involvement by designated members of Congress. 

Acting within the powers defined in the regulation, the special prosecutor issued a subpoena for audio tapes held by the White House. The President, acting through the Attorney General, objected to the subpoena.  In a unanimous 1974 Supreme Court decision, United States v. Nixon, it was held that the special prosecutor’s decision to issue the subpoena had the force of law, despite the Attorney General’s objection.  The Court noted that although the Attorney General has general authority to oversee criminal prosecutions, including by issuing a subpoena, the fact that the special prosecutor had acted pursuant to a binding DOJ regulation deprived the Attorney General of his otherwise plenary power over subpoenas. 

The Supreme Court observed that “[t]he regulation gives the Special Prosecutor explicit power” to conduct the investigation and issue subpoenas, and that “[s]o long as this regulation is extant, it has the force of law” (emphasis added).  The Court concluded: 

“It is theoretically possible for the Attorney General to amend or revoke the regulation defining the Special Prosecutor’s authority. But he has not done so. So long as this regulation remains in force, the Executive Branch is bound by it, and indeed the United States, as the sovereign composed of the three branches, is bound to respect and to enforce it.”

In sum, as supported by clear Supreme Court precedent, a DOJ regulation can create a mechanism within the executive branch, so that the members of the administration must comply with its terms, even in the face of contrary instructions from the President or Attorney General. And, as stated earlier, the lasting character of the DOJ regulation creating FIRA could be guaranteed by the US Government in the EU/US agreement and be identified by the European Commission in its subsequent adequacy decision as a condition for maintaining this decision in force.

c) Impartiality

We are not aware of significant U.S. constitutional obstacles to ensuring impartiality in FIRA. DOJ appoints Administrative Law Judges (ALJ), such as for deciding immigration matters, and “[t]he ALJ position functions, and is classified, as a judge under the Administrative Procedure Act.” 

U.S. law concerning ALJ’s, including those located in DOJ, states that they are “independent impartial triers of fact in formal proceedings”.(3) In Nixon the Supreme Court reaffirmed the lawfulness of an independent adjudicatory function located within the DOJ.(4) A DOJ FIRA regulation could similarly offer guarantees in terms of the impartiality and expertise of members.

d) Relationship to the intelligence community 

Furthermore, the DOJ appears to be the executive agency best-suited to resolve the “Goldilocks” problem, mentioned above, by combining knowledge and understanding of the intelligence agencies with sufficient distance to judge their conduct independently. 

As noted, EU bodies questioned whether the Department of State, a diplomatic agency, was a “suitable department” for the redress role. The DOJ is more suitable in part because of its experience with the Watergate independent counsel and, for instance, with Immigration Judges as independent triers of fact. 

At the same time, a FIRA located within the DOJ would be well-placed to have knowledge about the intelligence community. The DOJ provides extensive oversight of intelligence activities through its National Security Division, including by issuing regular reports concerning classified activities of the Foreign Intelligence Surveillance Court. Other DOJ components, such as the Office of Privacy and Civil Liberties, also have access to classified information including Top Secret information about intelligence agency activities. In addition, an Executive Order could empower the DOJ to enlist other agencies, such as the Office of the Director of National Intelligence, to gain information from the intelligence community.

II. Creating Effective Powers for the Independent Redress Authority

A DOJ regulation creating an independent redress authority within that executive department must be accompanied by additional government-wide steps for effectively investigating redress requests and for issuing decisions that are binding on the entire intelligence community. The DOJ-issued regulation would define the interaction of FIRA with other parts of that Department.  For the overall mechanism to be effective in other parts of the U.S. government, however, the key legal instrument would be a separate Executive Order issued by the President. In issuing an EO, the President would act within the scope of his overall executive power to define legal limits, such as by requiring intelligence agencies to be bound by FIRA decisions. 

1. Identifying the problems of effectiveness concerning the previous Privacy Shield mechanism

To meet the EU requirement of effective remedial powers, the new redress system would need to have two types of effective powers that the Privacy Shield Ombudsperson lacked. 

a) Investigative Powers 

The WP29 wrote in 2016: 

“concerns remain regarding the powers of the Ombudsperson to exercise effective and continuous control. Based on the available information (…), the WP29 cannot come to the conclusion that the Ombudsperson will at all times have direct access to all information, files and IT systems required to make his own assessment” (p. 51).

In 2019, the European Data Protection Board (EDPB) likewise stated: 

“[T]he EDPB is not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance, (…)” (§103). 

b) Decisional Powers 

In Schrems II, the CJEU stated:  

Similarly, (…) although recital 120 of the Privacy Shield Decision refers to a commitment from the US Government that the relevant component of the intelligence services is required to correct any violation of the applicable rules detected by the Privacy Shield Ombudsperson, there is nothing in that decision to indicate that that ombudsperson has the power to adopt decisions that are binding on those intelligence services and does not mention any legal safeguards that would accompany that political commitment on which data subjects could rely” (§196).

The EDPB similarly concluded in 2019:

“Based on the available information, the EDPB still doubts that the powers to remedy non-compliance vis-à-vis the intelligence authorities are sufficient, as the ‘power’ of the Ombudsperson seems to be limited to decide not to confirm compliance towards the petitioner. In the understanding of the EDPB, the (acting) Ombudsperson is not vested with powers, which courts or other similarly independent bodies would usually be granted to fulfil their role” (§102).

2. How a Presidential Executive Order Could Confer These Powers upon FIRA 

These passages describe key EU legal requirements for a new redress system. President Biden could satisfy them by issuance of an Executive Order (EO).  The American Bar Association has published a useful overview explaining that an EO  is a “signed, written, and published directive from the President of the United States that manages operations of the federal government.” EOs “have the force of law, much like regulations issued by federal agencies.”  Once in place, only “a sitting U.S. President may overturn an existing executive order by issuing another executive order to that effect.”

As a general matter, the President has broad authority under Article II of the Constitution to direct the executive branch. In addition, the Constitution names the President as Commander-in-Chief of the armed forces, conferring additional responsibilities and powers with respect to national security. The President’s powers in some instances may be limited by a properly enacted statute, but we are not aware of any such limits relevant to redress.

Not only does the President enjoy broad executive powers, but he or she also may decide to limit how he or she exercises such powers through an EO which, under the law, would govern until and unless withdrawn or revised. Thus, the President would appear to have considerable discretion to instruct the intelligence community, by means of an EO, to cooperate in investigations and to comply with binding rulings concerning redress.

As with the DOJ regulation, the U.S. Government could commit in the EU/US adequacy arrangement to maintain this EO in force. But how could the EU and the general public have confidence that the EO is actually being followed by intelligence agencies? First, FIRA will be able to assess whether this is the case, backed by an eventual provision in the Presidential EO fixing penalties for lack of compliance with its orders (similarly as legislation in European countries fixes penalties for failure to comply with the orders of equivalent redress bodies – for an example see art. L 833-3 of the French surveillance law). Furthermore, U.S. intelligence agencies are already subject to parliamentary oversight, including on classified matters, by the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence. Oversight might also be performed by other governmental actors that have access to classified materials, such as an agency official called the Inspector General or the Civil Liberties and Privacy Office, or by the independent Privacy and Civil Liberties Oversight Board (whose new Director, Sharon Bradford Franklin, recently confirmed by the Senate, is known for her commitment to strong surveillance safeguards and oversight). Oversight may be performed at the Top Secret or other classification level, with unclassified summaries released to the public

III. Creating Judicial Review of the Decisions of the Independent Redress Authority

Finally, we turn to whether and how decisions of FIRA may be reviewed judicially. We first explain why judicial review in these circumstances may not be required under EU law.  Nonetheless, to minimize the risk of invalidation by the CJEU, we set forth possible paths for creating U.S. judicial review.

1. Reasons that judicial redress is not necessarily required 

There are at least four reasons to believe that EU law does not necessarily require judicial redress if FIRA is independent and capable of exercising the quasi-judicial functions described above by adopting decisions binding on intelligence agencies.

First, as explained in our earlier article, Article 13 of the European Convention on Human Rights (ECHR) may be the appropriate legal standard for the European Commission to use in deciding upon the “essential equivalence” of third countries for international data transfer purposes.  Article 13 only requires an independent “national authority,” thus a non-judicial body could suffice.

Second, the Advocate General in Schrems II seemed to give the impression that judicial review should only be required in a case where the redress body itself is not independent: 

“in accordance with the case-law, respect for the right guaranteed by Article 47 of the Charter thus assumes that a decision of an administrative authority that does not itself satisfy the condition of independence must be subject to subsequent control by a judicial body with jurisdiction to consider all the relevant issues. However, according to the indications provided in the ‘privacy shield’ decision, the decisions of the Ombudsperson are not the subject of independent judicial review.” (§340, emphasis added)

Since FIRA, unlike the Ombudsperson, will not only enjoy independence but also will exercise quasi-judicial functions by adopting decisions binding on intelligence agencies, separate judicial redress may not be required.

Third, this is exactly what seems to be happening in practice in EU Member States themselves. FRA noted in its 2017 comparative study on surveillance that, in most European countries, redress bodies are non-judicial bodies. It also observed that such non-judicial remedies appear better than judicial ones, because their procedural rules are less strict, proceedings are faster and cheaper, and non-judicial avenues generally offer greater expertise than judicial mechanisms. Furthermore, FRA found that “across the EU only in a few cases can decisions of non-judicial bodies be reviewed by a judge” (ibid., p.114 – and table pp.115-116). Requiring the U.S. to provide judicial redress would thus be more than what exists in many Member States.(5) 

Fourth, these observations are even more relevant when one focuses on international surveillance. In France, for instance, an individual may file complaints with the Supreme Administrative Court (Conseil d’Etat) on the basis of the domestic surveillance law of July 2015. There is no possibility to do so under the international surveillance law of November 2015, however, since that law gives only the CNCTR, an administrative authority, the power to initiate (under some conditions) proceedings in the Conseil d’Etat – but does not confer this right directly upon an individual.(6)

Of course, actual practice under Member States law does not necessarily mean that a third country’s similar practices meet the “essential equivalence” standard of EU fundamental rights law, since the relevant comparator seems to be European Law standards – not Member States’ practices which do not always necessarily meet these standards.(7) Nonetheless, demanding from the U.S. a much more elaborate process than what already exists for international surveillance in most EU Member States might be complicated, particularly if there is an effective independent administrative regime in the U.S. exercising quasi-judicial functions.

2. Ultimate judicial redress will however help ensure meeting CJEU requirements

Despite these indications that European law may not require judicial redress, we acknowledge that the position of the CJEU on this point remains ambiguous.  

As indicated in our first article, the CJEU in Schrems II expressly used the term “body,” giving the impression that an independent national administrative authority (in conformity with the requirements of Art. 13 ECHR) could be enough to fulfill the adjudicatory function. As we explained, this is how the EDPB seems to have read Schrems II in its 2020 European Essential Guarantees Recommendations. Long-time EU data protection official Christopher Docksey concurs as well. 

However, it is also true that the Schrems II judgment contains multiple references to judicial redress. It refers to “ the premiss [sic] that data subjects must have the possibility of bringing legal action before an independent and impartial court ” (§194); “the right to judicial protection” (ibid.); “data subject rights actionable in the courts against the US authorities” (§192); “the judicial protection of persons whose personal data is transferred to that third country” (§190); and “the existence of such a lacuna in judicial protection in respect of interferences with intelligence programmes” (§191). It is not clear whether these statements should also apply (following the Advocate General’s logic) to an independent redress body such as FIRA capable of exercising quasi-judicial functions, in contrast to the Ombudsperson examined by the CJEU. Nevertheless, the CJEU judgment might be read as requiring at least some form of ultimate judicial control of a redress authority’s decisions. This also appears to be the interpretation of a senior Commission official. 

In light of these statements, it would be prudent for the U.S. to provide for some form of ultimate judicial review of FIRA decisions, to increase the likelihood of passing the CJEU test in an eventual Schrems III case.  

3. A path to ultimate judicial review of FIRA decisions

As we explained in our first article, the U.S. constitutional doctrine of standing poses a major hurdle in creating a pathway to judicial redress. In the 2021 TransUnion case, the Supreme Court held that plaintiffs incorrectly identified by a credit reporting agency as being on a government terrorism watch list had not shown the required “injury in fact”. This lack of injury in fact, and thus lack of standing, existed even though the underlying statute appeared to confer the right to sue. While one might find this U.S. constitutional jurisprudence unduly restrictive, any new Privacy Shield agreement must take it into account.

There might be, however, another way to provide an individual with judicial redress. An unsatisfied individual could appeal to a federal court an administrative disposition of a redress petition on the grounds that FIRA has failed to follow the law. In such a case an individual would not be challenging the surveillance actions of intelligence agencies (for which injury in fact may be impossible to satisfy) as such; instead, the suit would allege the failure of an independent administrative body (FIRA) to take the actions required by law.  

As Propp and Swire have written previously, one useful precedent is the U.S. Freedom of Information Act (FOIA), under which any individual can request an agency to produce documents, without first having to demonstrate that he or she has suffered particular “injury in fact”. The agency is then required to conduct an effective investigation and to explain any decision not to supply the documents. After the agency responds, the individual may appeal the decision to federal court. The judge then examines the quality of the agency’s investigation to ensure compliance with law, and the judge can order changes in the event of mistakes by the agency.

Analogously, a European individual, unsatisfied by FIRA’s investigation and decision, could bring a challenge in court. Taking into consideration that FOIA concerns a distinct question,  the appeal against FIRA’s decisions would be based upon the umbrella U.S. Administrative Procedure Act (APA). The APA provides generally for judicial review of an agency action that is “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” Since both a regulation and an Executive Order have the force of law, an APA-based appeal could examine whether the FIRA decision and its implementation was “in accordance with law.” Since the APA applies generally, it could operate in these circumstances without need for an additional federal statute. In addition, U.S. federal courts deciding APA-based appeals already have methods for handling classified national security information. For instance, they access classified information under the Classified Information Procedures Act (CIPA).

Including judicial review under the APA would be a good faith effort by the U.S. government to respond to ultimate EU law concerns. However, since the FIRA approach has not been judicially tested, some legal uncertainty concerning standing to bring the APA suit in federal court would remain. FOIA practice provides a good legal basis for meeting the standing requirement through challenging agency action itself, but TransUnion highlighted the level of privacy injuries which must be shown to enable a decision in federal court.  


In these two articles, we have sought to examine rigorously and fully the requirements of EU law with respect to redress. We also have examined U.S. constitutional law, explaining both the difficulties surrounding some solutions (for instance the problem of standing for judicial redress) and the opportunities created by some precedents (such as the protection offered to independent investigative bodies by decisions of the U.S. Supreme Court).

We are not aware of any other published proposal that wrestles in such detail with the complexity of EU and U.S. law requirements for foreign intelligence redress. We hope that our contribution helps fill this gap and presents a promising path permitting resolution of the “redress challenge” in the EU/US adequacy negotiations.

Much will depend on the details of construction and implementation for this protective mechanism. What our articles contribute is the identification of three fundamental building blocks on which a solid and long-lasting transatlantic adequacy agreement could stand. We have shown that there is a promising way to create, by non-statutory means, an independent redress authority and to provide the necessary investigative and decisional powers to respond to redress requests by European persons. We also suggest a way to successfully address the problem of standing and thereby to provide for an ultimate possibility of judicial control. Using these building blocks to create an effective redress mechanism could enable the U.S. and the EU not only to establish a solid transatlantic adequacy regime capable of resisting CJEU scrutiny but also to advance human rights more broadly.


(1) In 2020, as discussed here, the Supreme Court addressed the President’s removal power in the Siela Law LLC case, finding unconstitutional Congress’ establishment of independence for an agency head. At the same time, the Court reaffirmed that protections against removal can exist for “inferior officers” (roughly, officials appointed through a civil service process rather than by the President) and for multi-member bodies. Either or both of these categories may apply to FIRA members. In 2021, the Supreme Court, in U.S. v. Arthrex, struck down a system of independent Administrative Patent Judges. The approach in our article would be different since the President here issues an executive order, and thus the President serves as the “politically accountable officer” required by the Supreme Court in Arthrex.

(2) More specifically, there have been proposals for providing redress for surveillance conducted pursuant to Section 702 FISA, such as here and here. However, an additional “thorny issue is whether international surveillance, conducted by US intelligence agencies outside the territory of the US on the basis of Executive Order 12333 (EO 12333) should be (or not) part of the adequacy assessment.” Although arguments exist under EU law that redress for EO 12333 surveillance might be excluded from the assessment, this article proceeds on the understanding that the current negotiations will only succeed if EO 12333 surveillance is covered as well. We are not aware of any published proposal that would do so, and seek in this article to present such an approach. For example, the proposal here would apply to requests for redress concerning surveillance conducted under EO 12333, such as programs recently declassified by the U.S. government.

(3) It appears that terms such as “adjudication” and “court” may be understood somewhat differently in the U.S. compared with the EU, creating a risk of confusion in proposals concerning redress. Under U.S. law, many federal agencies, including the Federal Trade Commission and Department of Justice, routinely conduct what is called “adjudication.” Many federal agencies have Administrative Law Judges, defined by the U.S. government as “independent impartial triers of fact in formal proceedings.”  By contrast, in Europe, “courts” and “judges” generally exist outside of the Executive. Therefore, our discussion of FIRA avoids words such as “adjudication” that may be understood differently in different legal systems.

(4) In the 1954 case, Accardi v. Shaughnessy, the Attorney General by regulation had delegated certain of his discretionary powers to the Board of Immigration Appeals. The regulation required the Board to exercise its own discretion on appeals for deportation cases. As noted in U.S. v. Nixon, the Supreme Court in Accardi had held that, “so long as the Attorney General’s regulations remained operative, he denied himself the authority to exercise the discretion delegated to the Board even though the original authority was his and he could reassert it by amending the regulations.”

(5) For a recent description of the German system, see here by Daniel Felz.

(6) This finding was confirmed in a June 2018 decision by the Conseil d’Etat following a request introduced in this court by the Member of the European Parliament Sophie In ’t Veld (analysis here). The Court also rejected the possibility for the claimant to challenge indirectly an alleged misuse of power resulting from the failure of the chairman of the CNCTR to refer the matter to the Council of State. However, as stated by the CNCTR (here, at 46) this is one of the points appearing in the (no less than) 14 challenges currently pending at the ECHR against the French surveillance laws.

(7) See for instance this study by I. Brown and D. Korff arguing that “the EU institutions should stand up for the rule of law and demand the member states and third countries bring their practices in line with those standards”  (at 111).

(EUROPEAN LAW BLOG) EU/US Adequacy Negotiations and the Redress Challenge: Whether a New U.S. Statute is Necessary to Produce an “Essentially Equivalent” Solution (1)


Must the U.S. Congress change statutory law to solve the major issue of “redress” in the EU-US adequacy negotiations? This is a crucial question, especially since a series of political, pragmatic and even legal/constitutional difficulties mean that the U.S. might not be able to come up with a short-term statutory solution for redress. In this article we analyse this question for the first time in detail, and argue that, provided the U.S. is able to address the deficiencies highlighted by the Court of Justice of the European Union (CJEU) in its Schrems II judgment (independence of the redress body; ability to substantively review the requests; and authority to issue decisions that are binding on the intelligence agencies), then relying on a non-statutory solution could be compatible with the “essential equivalence” requirements of Article 45 of the EU’s General Data Protection Regulation (GDPR). In a second, forthcoming article, we set forth specific elements of a novel non-statutory solution and assess whether it would meet the substantive European legal requirements for redress.

The CJEU issued its Schrems II judgment in July, 2020, invalidating the EU/U.S. Privacy Shield and creating uncertainty about the use of Standard Contractual Clauses (SCCs) for transfers of personal data to all third countries (see analysis herehereherehere and here). In light of the legal uncertainty and the increasing tensions concerning transatlantic data transfers resulting from the intensification of enforcement actions by European data protection authorities (DPAs) since Schrems II (such as this and this), there is both strong reason to reach a new EU/U.S. agreement and also a stated willingness of both sides to do so.  The European Commission, understandably, has emphasized though that there is no “quick fix” and that any new agreement must meet the full requirements of EU law.

This article focuses on one of the two deficiencies highlighted by the CJEU: the need for the U.S. legal system to provide a redress avenue accessible to all EU data subjects. We do not address here the other deficiency– whether U.S. surveillance statues and procedures sufficiently incorporate principles of ‘necessity and proportionality’ also required under EU law.

We concentrate our inquiry, from both a U.S. and a European law perspective, on whether the U.S. Congress would necessarily have to enact a new statute in order to create an adequate redress mechanism. Part I of this article explains the pragmatic and political reasons why it would be difficult to adopt a new U.S. statute, and especially to do so quickly. Part II examines the U.S. constitutional requirements for “standing”, and explains the legal difficulties and uncertainty concerning proposals, such as the one advanced by the American Civil Liberties Union (ACLU), to provide redress through an individual action in U.S. federal courts. Part III then addresses European law concerning whether a statute is necessary, concluding that the substance of the protections of fundamental rights and respect of the essence of the right to an effective remedy are the key considerations, rather than the form by which an independent and effective redress mechanism would be created.

This article will be followed by a second article exploring whether a non-statutory solution for redress is capable of satisfying the strict substantive standards required by EU law.

I. Political Difficulties of an Immediate Statutory Approach to Redress

There are important advantages to enacting a new U.S. statute to provide redress:

  • There is greater democratic legitimacy if the legislature passes a statute.
  • A law can set limits on Executive discretion that only may be changed by a subsequent statute.
  • A law can fix in a stable, permanent and objective way the rules and procedures for the appointment of the members of the redress body, the duration of their mandate, and guarantees concerning their independence.

However, there are strong pragmatic and political reasons why it would be difficult to enact a new statute in the short term to create a new redress mechanism.

  • First, it is no secret that the U.S. Congress currently finds it difficult to pass legislation generally, with partisan battles and procedural obstacles slowing passage of even essential legislation. As Politico recently reported, “it is increasingly unlikely that Congress will pass any digital-focused bills before lawmakers shut down ahead of November’s midterms”.
  • Second, legislative reform of U.S. surveillance laws is a particularly complex and contentious issue. The national security community in the U.S. has little appetite for sweeping reforms, and even a strong push from the White House may not be sufficient to move such legislation through Congress. In Europe as well, substantial reform of surveillance laws requires a lot of time to seek the necessary political consensus (see for instance this).[i]
  • Third, the international dimensions of a redress reform make legislation even more difficult. If a new redress mechanism benefits only EU data subjects, then it is hard to explain to Congress why they should get greater rights than Americans. On the other hand, if redress rights were also to be conferred on U.S. data subjects, then a novel and complex set of institutional changes to the overall U.S. surveillance system would be needed.
  • Fourth, it would be difficult for U.S. legislators to vote for a statute without knowing in advance whether the CJEU will accept it as good enough.
  • Fifth, Congress historically has been reluctant to regulate in great detail how the President conducts foreign policy and protects national security. For instance, Congress has adopted detailed statutes (such as the Foreign Intelligence Surveillance Act, FISA)) concerning “compelled access”, e.g. how intelligence agencies can request data from service providers. By contrast, it has rarely enacted any statute that applies to “direct” surveillance conducted outside of the U.S. under the standards of Executive Order (EO) 12,333. Furthermore, specific actions under that Executive Order have never, so far as we know, been subject to review by federal judges.

For these reasons, we believe at a pragmatic level that it would be extremely difficult for Congress to promptly pass legislation to provide redress to EU persons. By contrast, if an adequate fix to the redress problem can be created at least in large part without new legislation, then it would be considerably easier for Congress subsequently to enact a targeted statute ratifying the new mechanism, perhaps adding other provisions to perfect an initial non-statutory approach. That sort of legislation is far easier to enact than writing a law in Congress from a blank page.

II. Constitutional Difficulties for a U.S. Statutory Approach to Redress: The Problem of Standing

These political and pragmatic reasons alone would justify U.S. government and European Commission negotiators seeking to address the redress deficiencies highlighted in Schrems II through a non-statutory solution. But, in addition, there is a constitutional dimension. The U.S. Constitution establishes a “standing” requirement as a prerequisite to a case being heard before judges in the federal court system. Any new U.S. redress mechanism must be consistent with the U.S. Constitution, just as it must meet EU fundamental rights requirements.

U.S. standing doctrine derives from Article III of the U.S. Constitution, which governs the federal court system. The federal judicial power extends only to “cases” and “controversies” – meaning that there has to be an “injury in fact” in order to have a case heard. A related doctrine is the ban on issuance of “advisory opinions” by federal judges, a position of the Supreme Court dating back to the first President, George Washington, and defined most clearly in Muskrat v. United States. In sum, a statute that creates a cause of action in the federal courts is unconstitutional unless it meets the requirements of standing and injury in fact, and does not violate the prohibition on advisory opinions.

The ACLU in 2020 called for a “standing fix” to enable suit in federal court “where a person takes objectively reasonable protective measures in response to a good-faith belief that she is subject to surveillance.” However, since the right to redress under European law also exists for individuals who did not take protective measures, the proposal seems too narrow to meet the CJEU requirements.

A second difficulty with the ACLU approach is that the Supreme Court made standing related to privacy injuries even more difficult to establish in its TransUnion LLC v. Ramirez decision in June, 2021. As discussed here, the majority in that case made it significantly more difficult for privacy plaintiffs henceforth to sue in federal court. The Court restated its 2016 Spokeo case that a plaintiff does not automatically satisfy “the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” More bluntly, the Court stated: “An injury in law is not an injury in fact”. [ii] The majority in TransUnion found “concrete harm” for some plaintiffs but not others. Even individuals whose credit histories were badly mistaken – stating they were on a government list as “potential terrorists” – did not enjoy a right of action created by statute. In sum, there would be substantial legal uncertainty surrounding a U.S. statute conferring upon EU data subjects the right to go straight to U.S. courts to get redress (for a similar conclusion see here).

The standing objection applies only to direct access to federal courts, and not to an independent non-judicial redress authority. However, Congress might be reluctant to intervene ex nihilo in a field such as “direct” foreign surveillance conducted under EO 12,333, which traditionally belongs to the Executive power under the U.S. Constitution. Congress might be more willing to act and endorse by statute an effective redress mechanism if, as a first step, the Executive branch itself had first created such an independent non-judicial redress authority within the Executive branch. In any case, such a statute does not appear to be a necessary precondition under U.S. law for creating a redress system

III. Is a Non-Statutory Approach to Redress Compatible with European Law?

Since the U.S. government might not be able to produce a short-term statutory solution for redress, the question then arises as to whether a non-statutory approach would be acceptable under EU law. In order for the European Commission to be able to issue an adequacy decision under Article 45 of the GDPR, the U.S. must ensure an “adequate” level of protection.

If the U.S. is able to address by non-statutory means the deficiencies highlighted by the CJEU in Schrems II (mentioned above), then such a solution could be compatible with the “essential equivalence” requirements of Article 45 of the GDPR. We defer for now the question of whether a non-statutory path would indeed be able to address these substantive issues, instead focusing only on whether a non-statutory approach in principle is compatible with European law.

A. The Starting Point: The Right to Effective Remedy Under European Human Rights Law

What we call “redress” in the context of transatlantic adequacy negotiations corresponds to the “right to effective remedy” under European law. Article 47(1) of the Charter of Fundamental Rights of the European Union (“Charter”) states that:

“Everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in this Article.”

The official explanations of Article 47 make clear that this article is “based on Article 13 of the European Convention of Human Rights” (ECHR), according to which:

“Everyone whose rights and freedoms as set forth in this Convention are violated shall have an effective remedy before a national authority notwithstanding that the violation has been committed by persons acting in an official capacity.”

A comparison of the two articles reveals that in EU law the protection is more extensive than in ECHR law, since the former guarantees the right to an effective remedy before a “tribunal” while the latter only refers to a “national authority”. The term “tribunal” seems to refer to a judicial body, as the official explanation suggests. This is confirmed by reference to non-English language versions of Article 47(1), which translate the word “tribunal” as “court” (e.g.“Gericht” in German and “Gerecht” in Dutch). It is also evident that neither Article 47(1) of the Charter nor Article 13 of the ECHR require that a redress body be created by statute.

 However, Article 47 (2) of the Charter adds additional, complicating requirements.:

“Everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law. Everyone shall have the possibility of being advised, defended and represented”.

As the official explanations point out, this second paragraph “corresponds to Article 6(1) of the ECHR”, which reads as follows:

“In the determination of his civil rights and obligations or of any criminal charge against him, everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law. Judgment shall be pronounced publicly but the press and public may be excluded from all or part of the trial in the interests of morals, public order or national security in a democratic society, where the interests of juveniles or the protection of the private life of the parties so require, or to the extent strictly necessary in the opinion of the court in special circumstances where publicity would prejudice the interests of justice”.

Both Article 47(2) of the Charter and Article 6(1) of the ECHR thus require “an independent and impartial tribunal established by law”. Yet, what is the exact relationship between the provisions on “effective remedy” (Article 47(1) of the Charter and Article 13 of the ECHR), and those on “a fair and public hearing by independent and impartial tribunals established by law” (Article 47(2) of the Charter and Article 6(1) of the ECHR)?

A restrictive analysis would regard the two sets of articles as entirely interlinked, in which case redress bodies would always have to be “established by law”.

A second more flexible and plausible interpretation would maintain that this latter set of requirements constitutes lex specialis in relation to the former; in other words, the “right to effective remedy” (“redress”) is broader than the “right to a fair trial”. This interpretation finds support in the ECHR, which textually separates the two sets of rights and requirements (Articles 13 and 6(1)). It is also confirmed by the official guide to Article 13 which states that “Article 6 § 1 of the Convention is lex specialis in relation to Article 13” (here, at 41), and by the fact that Article 6(1) is limited in scope to civil rights and criminal charges. It therefore would be difficult to merge the obligation of states to put in place an “effective remedy” with the established by law” requirement, as this latter requirement only concerns the right to a fair trial before a “tribunal” under Article 6(1) – and not the broader right of redress before a “national authority” under Article 13. It seems then that, at least under the ECHR, a redress body need not always be a judicial body nor be “established by law”, provided that it satisfies the substantive requirements of the “right to effective remedy”. As we will see, the standards of the ECHR have always been particularly relevant for the European Data Protection Board (EDPB) in assessing the “essential equivalence” of “redress” mechanisms under Article 45 of the GDPR.

B. Flexibility Introduced by the “Essentially Equivalent” Standard of EU Data Protection Law

A flexible interpretation of the “effective remedy” requirement is also supported by the “essential equivalence” standard of the GDPR for third countries.

In Schrems I, the Court clearly acknowledged that “the means to which [a] third country has recourse, [… ] for the purpose of ensuring such a level of protection may differ from those employed within the European Union, [… ] those means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union” (§74 of the October 6, 2015 judgment, emphasis added).

The CJEU Advocate General emphasised in his 2019 Schrems II Opinion that the “essentially equivalent” standard “does not mean that the level of protection must be ‘identical’ to that required in the Union”. He explained that:

“It also follows from that judgment, in my view, that the law of the third State of destination may reflect its own scale of values according to which the respective weight of the various interests involved may diverge from that attributed to them in the EU legal order. Moreover, the protection of personal data that prevails within the European Union meets a particularly high standard by comparison with the level of protection in force in the rest of the world. The ‘essential equivalence’ test should therefore in my view be applied in such a way as to preserve a certain flexibility in order to take the various legal and cultural traditions into account” (§§ 248-249, emphasis added).

The EDPB previously had endorsed this flexible interpretation of the elements for adequacy. In its 2016 Opinion on Privacy Shield, for instance, the EDPB’s predecessor (WP29) emphasised that:

“the WP29 does not expect the Privacy Shield to be a mere and exhaustive copy of the EU legal framework […]. The Court has underlined that the term ‘adequate level of protection’, although not requiring the third country to ensure a level of protection identical to that guaranteed in the EU legal order, must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union [… ]” (p. 3).

It is precisely this flexible approach that allowed EU authorities to set aside the requirement that a redress body should be a “tribunal” – despite clear terms to the contrary in Article 47(1) of the Charter. As the EDPB noted in its Recommendations 02/2020 on the European Essential Guarantees for surveillance measures of November 10, 2020 (§47): “an effective judicial protection against such interferences can be ensured not only by a court, but also by a body which offers guarantees essentially equivalent to those required by Article 47 of the Charter” (emphasis added). The EDPB noted that the CJEU itself “expressly” used the word “body” in §197 of Schrems II. Indeed, in all its extant positions on U.S. redress mechanisms, the EDPB has recognised that the applicable standards equate with those in Article 13 of the ECHR, which “only obliges Members States to ensure that everyone whose rights and freedoms are violated shall have an effective remedy before a national authority, which does not necessarily need to be a judicial authority” (ibid, §46, emphasis added).

Therefore, provided that the U.S. redress mechanism meets the substantive requirements of Article 13 ECHR as cited in Schrems II and the EDPB opinions, a judicial body will not be necessarily required, and an “established by law” standard need not be applied in order to meet the “essential equivalence” test. As the astute European legal observer Chris Docksey concluded:

“This could be an opportunity for the CJEU to give meaning to the difference between essential equivalence and absolute equivalence mentioned above when deciding on the standard of individual redress to be applied in the specific case of international transfers. If the content of the right under Article 47 is ensured, then the form should not be an obstacle” (emphasis added).

C. Interpreting “Law” in a Substantive, Not Formal, Sense

European human rights law seems, in fact, to prioritise substance over form even in situations that go beyond an “essential equivalence” assessment. This can be shown by examining interpretations of the “in accordance with the law” requirement found in the ECHR, the Charter and several fundamental EU data protection sources of law, including the GDPR.

ECHR articles concerning human rights, including Article 8 (right to privacy), stipulate that some restrictions to these rights may be acceptable provided they are “in accordance with the law” and “necessary in a democratic society” in order to protect certain legitimate interests (such as national security, public safety, or the prevention of disorder or crime). Similarly, Article 52 of the Charter requires that: “Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law (…)”.

Both the Convention and the Charter, however, interpret the term “law” in a flexible way. The ECtHR, for instance, has emphasised on multiple occasions that:

“[A]s regards the words “in accordance with the law” and “prescribed by law” which appear in Articles 8 to 11 of the Convention, the Court observes that it has always understood the term “law” in its “substantive” sense, not its “formal” one; it has included both “written law”, encompassing enactments of lower ranking statutes and regulatory measures (…), and unwritten law” (Sanoma Uitgevers B.V. v. the Netherlands, 2010, § 83, emphasis added). See also Sunday Times (No. 1) v. the United Kingdom, 1979, §47).

Similarly, in EU data protection law, both the Law Enforcement Data Protection Directive (LED) and the GDPR also understand the term “law” in its substantive sense. According to Recital 33 of the LED, for instance:

“Where this Directive refers to Member State law, a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned (…)” (emphasis added).

Further, Recital 41 of the GDPR provides:

“Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the [CJEU] and the European Court of Human Rights” (emphasis added).

This flexible interpretation of the term “law” in the data protection context for assessing the incursion of state interests on fundamental rights is formally separate from the requirement in Article 47(2) of the Charter that a tribunal be “previously established by law”. However, this analytic flexibility is consistent with how EU bodies have interpreted the “essentially equivalent” standard, including in the context of the Privacy Shield. It therefore supports the conclusion that a U.S. decision to put in place an independent and effective redress mechanism for surveillance would satisfy the requirements of European law even if it does not involve the adoption of a statute. This conclusion is also supported by the European DPAs previous positions concerning the Privacy Shield Ombudsperson.

D. The CJEU and EU DPAs Did Not Object to Non-Statutory Redress

The fact that the Privacy Shield Ombudsperson was not created by statute did not seem to be a primary concern for either the CJEU or the EDPB in assessing whether this mechanism offers  “essentially equivalent” protection to European law.

In Schrems II the Court did not identify as a deficiency that the Ombudsperson mechanism was not created by statute. Rather, the problems detected were that there was “nothing in [the Privacy Shield Decision] to indicate that the dismissal or revocation of the appointment of the Ombudsperson is accompanied by any particular guarantees” and, also, that there was “nothing in that decision to indicate that the ombudsperson has the power to adopt decisions that are binding on those intelligence services (…)” (§§ 195-196). Thus, provided there is a way to fix these deficiencies by non-statutory means, the new redress solution could pass the “essential equivalence” test.

The EDPB also seems to support this argument. In its 2016 Opinion on Privacy Shield, the WP29 began by stating that:

“in addition to the question whether the Ombudsperson can be considered a ‘tribunal’, the application of Article 47 (2) Charter implies an additional challenge, since it provides that the tribunal has to be ‘established by law’. It is doubtful however whether a Memorandum which sets forth the workings of a new mechanism can be considered ‘law’” (p. 47).

The WP29 therefore seemed to link Articles 47(1) and 47(2). However, it did not appear to consider the legal form by which the Ombudsperson was created as an insuperable obstacle. It stated:

“As a consequence – with the principle of essential equivalency in mind – rather than assessing whether an Ombudsperson can formally be considered a tribunal established by law, the Working Party decided to elaborate further the nuances of the case law as regards the specific requirements necessary to consider ‘legal remedies’ and ‘legal redress’ compliant with the fundamental rights of Articles 7, 8 and 47 Charter and Article 8 (and 13) ECHR” (ibid., emphasis added).

The WP29 then went on to analyse the requirements of European law concerning the “right to effective remedy”, focusing primarily on the case law of the ECtHR, and concluded that the Ombudsperson did not meet these requirements, essentially for the same reasons mentioned by the CJEU in the Schrems II Judgment.

In their subsequent assessments of Privacy Shield, the WP29 and the EDPB arrived at the same conclusion. They did not consider that the means by which the Ombudsperson was created represented an obstacle to passing the “essentially equivalent” test. On the contrary, the EDPB “welcomed the establishment of an Ombudsperson mechanism as a new redress mechanism” (see for instance here, §99) and repeated that “having analysed the jurisprudence of the ECtHR in particular”, it “favored an approach which took into account the powers of the Ombudsperson” (see here, p.19).

Similarly, the European Data Protection Supervisor (EDPS) did not oppose the creation of the Ombudsperson on the grounds that it was done in a non-statutory way. On the contrary he argued that “in order to improve the redress mechanism proposed in the national security area, the role of the Ombudsperson should also be further developed, so that she is able to act independently not only from the intelligence community but also from any other  authority” (here, at 8, emphasis added). 


In sum, European law is flexible in interpreting whether the United States must adopt a new statute to meet redress requirements, especially when the question is viewed through the “essential equivalence” prism of data protection. Substance prevails over form. It remains true that a statutory approach would in abstracto be the easiest way for the United States to establish a permanent and independent redress body for effectively reviewing complaints and adopting decisions that bind intelligence services. However, when one takes into consideration the political, practical and constitutional difficulties confronting negotiators, it makes sense to achieve the same results in a different way.

In a second article, to be published shortly, we will detail specific elements of a non-statutory solution and assess whether it would meet the substantive European requirements on redress.

[i] As this report shows even in a country like Germany, particularly sensitive to intelligence law questions, its major Signals Intelligence (SIGINT) reform did not provide any judicial redress options for non-Germans: “There is no legally defined path for foreign individuals, such as journalists abroad, who want to find out if their communications have been collected in SIGINT operations and, if so, to verify whether the collection and processing of their data was lawful. What is more, the legislators opted to explicitly waive notification rights for foreigners regarding the bulk collection of their personal data.” (p. 63)

[ii] The European Court of Human Rights has developed jurisprudence that is more flexible than U.S. standing law in terms of who may bring a suit. European human rights law accepts since Klass and Others v. Germany case (1978) that an individual may, under certain conditions, claim to be the victim of a violation occasioned by the mere existence of legislation permitting secret measures of surveillance, without having to allege that such measures were in fact applied to him or that that he has been subject to a concrete measure of surveillance (the famous theory of “potential victim” of a human rights violation, see here, paras 34-38 and here, p. 15 for an updated analysis). Notwithstanding this greater flexibility in European law, we reiterate that the limits on U.S. standing are a matter of U.S. constitutional law, which cannot be overruled by a statute enacted by Congress.

VERFASSUNGSBLOG : A cautious green light for technology-driven mass surveillance

The Advocate General’s Opinion on the PNR Directive

by Christian Thönnes

Yesterday, on 27 January 2022, Advocate General (AG) Pitruzzella published his Opinion (“OP”) in the Court of Justice of the European Union’s (CJEU) preliminary ruling procedure C-817/19. The questions in this case pertain to Directive (EU) 2016/681 of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (in short: PNR Directive) and its compatibility with EU primary law.

In his Opinion (which, besides the Press Release (“PR”), was only available in French at the time of writing), the AG, while criticizing the PNR Directive’s overbroad data retention period and its lack of clarity and precision in certain points, generally considers the PNR Directive to be “compatible with the fundamental rights to respect for private life and to the protection of personal data” (PR). His arguments are not convincing.

Certainly, much more can and will be written about this case in general and the Opinion in particular. This entry can only shine a light on some of the AG’s major arguments. In so doing, it shall point out why, in my opinion, the CJEU would do well not to follow the AG’s recommendations. Instead, I believe the PNR Directive is incompatible with Articles 7 and 8 of the EU Charter of Fundamental Rights (CFR). Consequently, it ought to be invalidated.

What the AG has to say about the PNR Directive

The PNR Directive obliges EU Member States to require air carriers to transmit a set of data for each passenger to national security authorities, where they are subjected to automated processing against pre-existing databases (Art. 6 § 3 letter a) and “pre-determined criteria” (Art. 6 § 3 letter b), which contain (allegedly) suspicious flight behaviors (such as a mismatch between luggage and length of stay and destination, see the Commission’s Evaluation Report, point 5.1, in order to identify potential perpetrators of serious crimes or acts of terrorism (a more detailed description of the Directive’s workings can be found in paras 9-18 of the AG’s Opinion or here).

The AG points to certain (limited) problems with the Directive’s wording. Firstly, he contends that point 12 of Annex I, enabling “General Remarks” to be included in PNR data sets, fail to “satisfy the conditions of clarity and precision laid down by the Charter” (PR, also para 150 OP). He also considers the Directive’s five-year-retention period for PNR data excessive and proposes that this period be limited to cases where “a connection is established, on the basis of objective criteria, between those data and the fight against terrorism or serious crime” (PR, also para 245 OP). In addition, he provides clarifying criteria for the relevancy of databases under Art. 6 § 3 letter a (para 219 OP), regarding the applicability of the GDPR (para 53 OP) as well as collisions with the Schengen Borders Code (para 283 OP). He also demands that, due to their lack of transparency, (at least some) “machine-learning artificial intelligence systems” (PR), should not be used for pre-determined criteria (para 228 OP).

The most resounding message of his Opinion, however, is that the PNR Directive’s mass retention and processing regime is “relevant, adequate and not excessive in relation to the objectives pursued” (PR) and thus compatible with Articles 7 and 8 CFR. He therefore recommends to let it stand, albeit with some interpretative limitations (para 254 OP).

Incompatibility with Digital Rights Ireland and its successors

The AG’s reasoning in support of the PNR Directive’s proportionality relies on his central finding that “the Court’s case-law on data retention and access in the electronic communications sector is not transposable to the system laid down by the PNR Directive” (PR). He is referring to decisions like Digital Rights IrelandTele2 Sverige and Quadrature du Net, in which the CJEU had laid down strict limits on governments’ power to collect and process telecommunications data. Notably, it posited that “the fight against serious crime […] and terrorism […] cannot in itself justify that national legislation providing for the general and indiscriminate retention of all traffic and location data should be considered to be necessary for the purposes of that fight” (Tele2 Sverige, para 103; also Digital Rights Ireland, para 51). Instead, the CJEU required that in order to be considered “limited to what is strictly necessary […] the retention of data must continue nonetheless to meet objective criteria, that establish a connection between the data to be retained and the objective pursued” (Tele2 Sverige, para 110).

Evidently, the PNR Directive would clash with these criteria – were they found to be applicable. The collection and automated processing of PNR data is completely indiscriminate. Given Member States’ universal extension to EU domestic flights, it affects all European flight passengers, regardless of their personal histories and independently of a potential increased domestic threat situation (this is proposed as a possible criterion in Quadrature du Net, para 168). The use of pre-determined criteria is not, like the comparison against existing databases, aimed at recognizing known suspects, but at conjuring up new suspicions (see EU Commission PNR Directive Proposal, SEC(2011) 132, p. 12). Also, taking a flight is a perfectly ordinary form of human behavior. There is no empirically demonstrated connection to the perpetration of serious crimes or acts of terrorism (in para 203, the AG presupposes such a “lien objectif” without providing any evidence exceeding anecdotal intuitions about terrorism and human trafficking) and the PNR Directive, given its broad catalogue of targeted crimes, is not limited to dangers caused by air traffic. What behavior will be targeted next? Visiting the museum? Going to a rock concert? Belgium, for example, has already expanded the PNR Directive’s scope to international trains, busses and ferries (Doc. parl., Chambre, 20152016, DOC 54-2069/001, p.7).

Good reasons for applicability

It thus is quite clear: Should Digital Rights Ireland and its successors apply, the PNR Directive is in trouble. Now, why wouldn’t their criteria be transposable? The AG’s arguments mainly turn on a perceived difference in sensitivity of PNR data, compared to telecommunications meta-data. The latter, the AG explains, contain intimate information of users’ private lives (para 195, 196), and almost uncontrollable in their scope and processing because everyone uses telecommunication (paras 196, 198). Moreover, because they are used for communication, telecommunications data, unlike PNR data, have an intrinsic connection to fundamental democratic freedoms (para 197). PNR data, on the other hand, he opines, are limited to a delineated life domain and narrower target groups because fewer people use planes than telecommunication (paras 196, 198).

Under closer examination, this comparison falls apart. Firstly, PNR data contain very sensitive information, too. As the CJEU has pointed out in his Opinion 1/15 regarding the once-envisaged EU-Canada PNR Agreement, “taken as a whole, the data may, inter alia, reveal a complete travel itinerary, travel habits, relationships existing between air passengers and the financial situation of air passengers, their dietary habits or state of health” (para 128). Unlike the AG (see para 195 in his Opinion), I can find no remarks in Opinion 1/15 that would relegate PNR data to a diminished place compared to telecommunications data. But secondly, and more importantly, the AG fails to consider other factors weighing on the severity of the PNR Directive’s data processing when compared against the processing of Directive 2006/24/EC and its siblings: The method and breadth of processing and the locus of storage.

Only a small minority of telecommunication datasets, upon government requests in specific cases (see Articles 4 and 8 of Directive 2006/24/EC), underwent closer scrutiny, while the vast majority remained untouched. Under the PNR Directive, however, all passengers, without exception, are subjected to automated processing. In so doing, the comparison against pre-determined criteria, as the AG points out himself (para 228 OP), can be seen as inviting Member States to use self-learning algorithms to establish suspicious movement patterns. Other EU law statutes like Art. 22 GDPR or Art. 11 of Directive 2016/618, as well as comparable decisions by national constitutional courts (BVerfG, Beschluss des Ersten Senats vom 10. November 2020 – 1 BvR 3214/15 -, para 109) are inspired by an understanding that such automated processing methods greatly increase the severity of respective interferences with fundamental rights. Moreover, while telecommunications data were stored on telecommunication service providers’ servers (to whom users had entrusted these data), PNR data are all transferred from air carriers to government entities and then stored there.

Hence, there are good reasons to assume that the data processing at hand causes even more severe interferences with Articles 7 and 8 CFR than Directive 2006/24/EC did. It thus follows, that the case law of Digital Rights Ireland should apply a fortiori.

An inaccurate conception of automated algorithmic profiling and base rate fallacy

There are other problems with the AG’s reasoning; completely untangling all of them would exceed this space. Broadly speaking, however, the AG seems to underestimate the intrinsic pitfalls of unleashing predictive self-learning algorithms on datapools like these. The AG claims that the PNR Directive contains sufficient safeguards against false-positives and discriminatory results (para 176 OP).

Firstly, it is unclear what these safeguards are supposed to be. The Directive does not enunciate clear standards for human review. Secondly, even if there were more specific safeguards, it is hard to see how they could remedy the Directive’s central inefficiency. That inefficiency does not reside in the text, it’s in the math – and it’s called ‘base rate fallacy’. The Directive forces law enforcement to look for the needle in a haystack. Even if their algorithms were extremely accurate, false-positives would most likely exceed true-positives. Statistics provided by Member States showing extremely high false-positive rates support this observation. The Opinion barely even discusses false-positives as a problem (only in an aside in para 226 OP). Also, it is unclear how the antidiscrimination principle of Art. 6 § 4 is supposed to work. While the algorithms in question may be programmed in way to not process explicit data points on race, religion, health etc., indirect discrimination is a well-established problem of antidiscrimination law. Both humans and algorithms may just use the next-best proxy trait. (see for example Tischbirek, Artificial Intelligence and Discrimination).

Now, the AG attempts to circumvent these problems by reading the PNR Directive in a way that prohibits the use of self-learning algorithms (para 228 OP). But that interpretation, which is vaguely based on some “système de garanties“ (para 228 OP), is both implausible – it lacks textual support and the pile of PNR data is amassed precisely to create a use case for AI at EU borders – and insufficient to alleviate this surveillance tool’s inherent statistical inefficiency.

This cursory analysis sheds light on some of the AG’s Opinion’s shortcomings. It thus follows that the CJEU should deviate from Pitruzzella’s recommendations. The PNR Directive, due to the severity of its effects and its inherent inefficiency in fulfilling its stated purpose, produces disproportionate interferences with Articles 7 and 8 CFR. It ought to be invalidated.

Between 2017 and 2021, the author worked for the German NGO “Gesellschaft für Freiheitsrechte”, among other things, on a similar case (C-148/20 to C-150/20) directed against the PNR Directive.

UK/EU Security Cooperation After Brexit: the UK Government’s Future Partnership Papers


Professor Steve Peers

The Prime Minister’s big speech in Florence has received the most attention in recent weeks, but it’s also worth looking at the UK government’s recent papers on its planned EU/UK close partnership after Brexit.  I’ll look here at the papers on two aspects of security – external security (foreign policy and defence) on the one hand, and internal security (police and criminal law cooperation) on the other. Both of them are impacted in the short term by the Florence speech, since the Prime Minister called for the current UK/EU security arrangements to apply for a period of around two years, followed by a comprehensive EU/UK security treaty. Assuming that such a transition period is agreed, the issue is what happens after that. In other words, what will be the content of that future comprehensive security treaty?

External security: Foreign policy and defence

The UK government’s foreign policy paper devotes much of its space – the first 17 pages – to explaining the UK’s major commitments in this field, including via its EU membership. A Martian reader would assume that the UK was applying to join the Union. Only the last few pages discuss the government’s preferred policy – which is both rather vague and highly resembles EU membership.

In short (although there’s no long version), the government seeks to maintain a relationship with the EU in this field that’s closer than any other non-EU country – although without offering many specifics. The government does, however, state that it wants to contribute to EU defence missions and to align sanctions regimes with the EU. The point about sanctions is particularly relevant, since the UK provides intelligence to justify their imposition and some of the individuals concerned have placed their assets in the UK.

For instance, in the recent ECJ judgment in Rosneft (discussed here), which followed a reference from the UK courts, the sanctioned company tried to reopen the case to argue that the referendum result already meant that EU sanctions ceased to apply in the UK. The ECJ simply replied that the Russian company had not explained how the Brexit vote altered the jurisdiction of the Court or the effect of its judgments.

Of course, the legal position will certainly change from Brexit Day: the UK government plans to propose a new Bill regulating post-Brexit sanctions policy in the near future, following a White Paper on this issue earlier this year (see also the government response to that consultation). One key question will be whether that Bill already attempts to regulate the UK’s post-Brexit coordination with the EU on sanctions, or whether that will be left to the Brexit negotiations to address.

This brings us to the issue of the ECJ, which is a difficult question as regards many aspects of the Brexit talks. In principle, in the area of foreign policy and defence, Brexit talks should not be too complicated by ECJ issues, since the Court has only limited jurisdiction. However, as the case of Rosneft illustrates, it does have jurisdiction over sanctions issues. In fact, there are frequent challenges to EU sanctions and many challenges are successful, so there will be a risk of divergence between EU and UK policy after Brexit that may need to be discussed. Such divergence could lead to a knock-on complication with capital movement between the UK and EU.

The paper also covers development and external migration policy, where the UK again seeks something which is both vague and much like membership – collaboration on coordinating policy. While the EU has its own development policy, Member States are free to have their own policies, subject to loose coordination – which is what the UK is aiming for as a non-member.

This was, perhaps, a missed opportunity here to touch on the most difficult issue in the talks: the financial liabilities upon leaving in the EU. Some of the EU’s spending in these areas is not part of the ordinary EU budget (as the ECJ has confirmed), although it is part of the EU negotiation position. So the UK could have addressed that issue to move talks along and to make links between ‘upfront’ and ‘future’ issues to get around sequencing problems in the Brexit talks. (The Prime Minister’s subsequent speech in Florence did not explicitly mention these funds). Furthermore, the UK government could have used this paper to reassure some febrile people that it will have a veto on what it chooses to participate in, as well as on the ECJ.

Internal security: Criminal Law and Policing

In many ways, the government paper on criminal law matters is similar to the foreign policy paper. It also starts out by saying how useful the current relationship is, for instance as regards data on wanted persons and stolen objects uploaded into the Schengen Information System, the use of the European Arrest Warrant for fast-track extradition, and the EU police intelligence agency, Europol.

What happens after Brexit? The UK paper correctly points out that the EU already has agreements in this area with many non-EU countries, particularly as regards the exchange of policing data but also as regards some forms of criminal justice cooperation. But as with foreign policy and defence, the UK wants a distinctive relationship after Brexit, given the existing close links.

Again, however, the actual content of what the UK wants is vague. Which of the current EU laws in this field which the UK has signed up to (for a summary of those laws, see my referendum briefing here) would it still like to participate in? The only clear point is that the government doesn’t want direct ECJ jurisdiction. In principle, that should be fine for the long term, since the EU27 negotiation position only refers to the ECJ during a transition period. There’s no insistence on using it afterward, which is consistent with EU treaties in this field with non-EU countries.

However, some of those treaties refer to taking account of each other’s case law, and dispute settlement or (in some treaties) possible termination in the event of judicial or legislative divergences. The UK paper gives no idea of how it will tackle those issues, whereas the recent paper on the parallel issue of civil litigation (discussed here) at least indicated a willingness to require UK courts to take account of relevant ECJ rulings.


The contrast between the importance of these issues and the vagueness with which they are treated is striking. Imagine a television viewer aching to watch Tenko or Broadchurch – but having to settle for Last of the Summer Wine.  It is fair to assume that the government has more detailed plans than this but doesn’t want to release them; but presumably anything more specific would have opened division in the cabinet or run the perceived risk of making the government look awkward by disclosing an ultimately unsuccessful negotiation position (what the government refers to as undermining negotiations). Increasingly these papers look like an attempt to respond to poor polls about negotiations rather than a contribution to the talks.

The government does have a point, however: the UK and EU have significant shared interests in this area, and the UK has a lot to offer, in terms of its defence contribution, supply of intelligence and round-up of fugitives from other Member States, for instance. Of course, the UK benefits in turn from having swifter access to other countries’ intelligence, as well as fast track extradition and transfer of criminal evidence.  The Brexit process might also be an opportunity to address the civil liberties concerns that sometimes arise about these measures, but there is no detailed discussion of that.

It will likely be awhile before these issues are discussed in detail in the talks, and it remains to be seen how interested the EU27 side is in the UK government’s position. But at first sight, it seems possible that the future of the EU/UK relationship on security issues will not be vastly different from the present.

Counter-terrorism and the inflation of EU databases

Original published on Statewatch (*) on May 2017

By Heiner Busch (@Busch_Heiner) and Matthias Monroy (@matthimon)  (Translation from DE by Viktoria Langer)

The topic of counter-terrorism in Europe remains closely linked to the development and expansion of police (and secret service) databases. This was the case in the 1970s, after 11 September 2001 and has also been the case since 2014, when the EU Member States started working on their action plans against ‘foreign terrorist fighters’.

The first effect of this debate has been a quantitative one: the amount of data in the relevant databases has increased explosively since 2015. This can be seen by looking in particular at available data on the Europol databases, like ‘Focal Points’ (formerly: Analytical Work Files) of the Europol analysis system. Since 2015 they have become one of the central instruments of the European Counter Terrorism Centre (ECTC) which was established in January 2016. ‘Hydra’, the ‘Focal Point’ concerning Islamist terrorism was installed shortly after 9/11. In December 2003 9,888 individuals had been registered, a figure that seemed quite high at the time – but not compared with today’s figures. [1] In September 2016 ‘Hydra’ contained 686,000 data sets (2015: 620,000) of which 67,760 were about individuals (2015: 64,000) and 11,600 about organisations (2015: 11,000).

In April 2014 an additional ‘Focal Point’, named ‘Travellers’, was introduced, which is exclusively dealing with “foreign terrorist fighters” (FTF). One year later ‘Travellers’ included 3,600 individuals, including contact details and accompanying persons. In April 2016 the total number increased by a factor of six. Of the 21,700 individuals registered at the time, 5,353 were “verified” FTFs. In September 2016, of 33,911 registered individuals, 5,877 had been verified as FTFs.

Since 2010 Europol and the USA have operated the Terrorist Finance Tracking Programme (TFTP), which evaluates transfers made via the Belgian financial service provider SWIFT. Until mid-April 2016 more than 22,000 intelligence leads had been arisen out of that programme, of which 15,572 since the start of 2015. 5,416 (25%) were related to FTFs.

In contrast to Europol’s analytical system, the Europol Information System (EIS, the registration system of the police agency) can be fed and queried directly from the police headquarters and other authorities of EU Member States. Here, more than 384,804 ‘objects’ (106,493 individuals) were registered at the start of October 2016, 50% more than the year before. The increase is partly due to the growing number of parties participating in the EIS. In 2015 13 Member States were connected; in 2016 19 Member States. Some of the EU States, like the UK, also let their national secret services participate in the system. 16 Member States currently use automatic data uploaders for input. The number of third parties involved has also increased (in 2015 there were four, in 2016 there were eight). Interpol, the FBI and the US Department of Homeland Security are some of them.

Europol has reported further growth in the number of “objects” linked to terrorism in the EIS. According to the Slovak Presidency of the Council of the EU’s schedule for the improvement of information exchange and information management, in the third quarter of 2016 alone these grew another 20% to 13,645. [2] The EIS includes 7,166 data sets about individuals linked to terrorism, of which 6,506 are marked as FTFs or their supporters, or are assumed to be so. For May 2016 the CTC stated a figure of 4,129. [3] The increase in terrorism linked data can also be seen in the Schengen Information System (SIS) – in the alerts for “discreet checks or specific checks” following Article 36 of the SIS Decision. According to this, suspect persons are not supposed to be arrested. However, information about accompanying persons, vehicles etc. are recorded to provide insight into movements and to keep tabs on the contacts of the observed person. At the end of September 2016 the number of such checks by the police authorities (following Article 36(2)) was 78,015 (2015: 61,575, 2014: 44,669). The number of alerts of the national secret services based on Article 36(3) was 9,516 (2015: 7,945, 2014: 1,859). “Hits” on such alerts and additional information are supposed to be sent directly to the alerting authorities and not as usual to national SIRENE offices (which deal with the exchange of supplementary information regarding alerts in the SIS). This option was only introduced in February 2015.

The Schengen states used the instrument for discreet surveillance or specific checks very differently. On 1 December 2015 44.34% of all Article 36 alerts came from authorities in France, 14.6% from the UK, 12.01% from Spain, 10.09% from Italy and 4.63% from Germany. [4] How many of these alerts actually had a link to terrorism remains unclear; a common definition has not yet been found. However, the Council Working Party on Schengen Matters agreed on the introduction of a new reference (“activity linked to terrorism”) for security agencies’ alerts. According to Federal Ministry for the Interior, German alerts are marked with this reference when concrete evidence for the preparation of a serious act of violent subversion (§§129a, 129b Penal Code) can be presented. [5]

‘Unnoticed in the Schengen area’ Continue reading “Counter-terrorism and the inflation of EU databases”

Worth Reading: Justice against sponsors of terrorism (JASTA and its international impact)

European Parliament Research Service (EPRS)  Briefing published on October 2016


On 27 September 2016, the United States Congress overrode the presidential veto to pass the Justice Against Sponsors of Terrorism Act (JASTA), the culmination of lengthy efforts to facilitate lawsuits by victims of terrorism against foreign states and officials supporting terrorism. Until JASTA, under the ‘terrorism exception’ in the US Foreign Sovereign Immunities Act, sovereign immunity could only be denied to foreign states officially designated by the USA as sponsors of terrorism at the time or as a result of the terrorist act. JASTA extends the scope of the terrorism exception to the jurisdictional immunity of foreign states so as to allow US courts to exercise jurisdiction over civil claims regarding injuries, death or damages that occur inside the USA as result of a tort, including an act of terrorism committed anywhere by a foreign state or official.

The bill has generated significant debate within and outside the USA. State or sovereign immunity is a recognised principle of customary international law and, for that reason, JASTA has been denounced as potentially violating international law and foreign states’ sovereignty; some countries have already announced reciprocal measures against the USA. The terrorism exception to state immunity was already a controversial concept, with only the USA and Canada having introduced legislation on the matter.

In this briefing:
What is JASTA?
The law on state immunity and the terrorism exception
Debate in the United States
Reactions in third countries
Considerations for the European Union
The European Union’s approach to victims’ rights
Main references

What is JASTA?

The Justice Against Sponsors of Terrorism Act (JASTA) represents an attempt by the US Congress to reduce the number of obstacles faced by victims of terrorism when bringing lawsuits in the USA against foreign states and officials supporting terrorism. The bill amends the federal judicial code (USC) to expand the scope of the terrorism exception (Title 28 USC, section 1605A) to the jurisdictional immunity of a foreign state. It will give US courts jurisdiction over civil claims regarding injuries, death, or damages that occur inside the United States as a result of a tort, including an act of terrorism, committed anywhere by a foreign state or official. It also amends the federal criminal code to permit civil claims (Title 18 USC, section 2333) sought by individuals against a foreign state or official for injuries, death or damages from an act of international terrorism (unless the foreign state is immune under the Foreign Sovereign Immunities Act, as amended by JASTA). Additionally, the bill authorises federal courts to exercise personal jurisdiction over, and impose liability on, a person who commits, or aids, abets, or conspires to commit, an act of international terrorism against a US national (thus expanding the liability of foreign government officials in civil actions for terrorist acts). However, the foreign state will not be subject to the jurisdiction of US courts if the tortious act in question constitutes ‘mere negligence’. JASTA contains a stay of actions clause that can apply if the USA is engaged in good faith discussions with the foreign state or any parties as to the resolution of the claims. A stay can be granted for 180 days, and is renewable. JASTA will apply to any civil action ‘arising out of an injury to a person, property, or business, on or after September 11, 2001’.

The JASTA bill was approved by the US Senate in May 2016 (S. 2040) and by the House of Representatives in September 2016, but was vetoed by President Obama. The bill passed after Congress overrode the presidential veto on 27 September 2016. There are however indications that some changes to the law are already being considered by lawmakers. Several countries, including some EU Member States have expressed concern about the bill. The existing US terrorism exception to state immunity is already considered to be contrary to customary international law and is an isolated practice among other states.

The law on state immunity and the terrorism exception Continue reading “Worth Reading: Justice against sponsors of terrorism (JASTA and its international impact)”

Worth reading : the final report by the EU High Level Expert Group on Information Systems and Interoperability (HLEG),

NB: The full version (PDF)  of the Report is accessible HERE

On May 8th the (EU) High Level Expert Group on Information Systems and Interoperability (HLEG) which was set up in June 2016 following the Commission Communication on “Stronger and Smarter Information Systems for Borders and Security ” has published its long awaited 56 long pages Report on Information Systems and Interoperability.

Members of the HLEG were the EU Members States (+ Norway, Switzerland and Liechtenstein), the EU Agencies (Fundamental Rights Agency, FRONTEX, European Asylum Support Office, Europol and the EU-LISA “Large Information Support Agency”) as well as the representatives of the Commission and the European Data Protection Supervisor (EDPS) and the Anti-Terrorism Coordinator (an High Council General Secretariat Official designated by the European Council).

Three Statements, respectively of the EU Fundamental Rights Agency, of the European Data Protection Supervisor and of the EU Counter-Terrorism Coordinator (CTC),  are attached. The first two can be considered as a sort of partially dissenting Opinions while the CTC  statement is quite obviously in full support of the recommendations set out by the report as it embodies for the first time at EU level the “Availability Principle” which was set up already in 2004 by the European Council. According to that principle if a Member State (or the EU) has a security related information which can be useful to another Member State it has to make it available to the authority of another Member State. It looks as a common sense principle which goes hand in hand with the principle of sincere cooperation between EU Member States and between them and the EU Institutions.

The little detail is that when information is collected for security purposes national and European legislation set very strict criteria to avoid the possible abuses by public EU and National Law enforcement authorities. This is the core of Data Protection legislation and of the art. 6, 7 and 8 of the EU Charter of Fundamental Rights which prevent the EU and its Member States from becoming a sort of Big Brother “State of surveillance”. Moreover, at least until now these principles have guided the post-Lisbon European Court of Justice jurisprudence in this domain and it is quite appalling that no reference is made in this report to the Luxembourg Court Rulings notably dealing with “profiling” and “data retention”(“Digital Rights”, “Schrems”, “TELE 2-Watson”…).

Needless to say to implement all the HLWG recommendations several legislative measures will be needed as well as the definition of a legally EU Security Strategy which should be adopted under the responsibility of the EU co-legislators. Without a strong legally founded EU security strategy not only the European Parliament will continue to be out of the game but also the control of the Court of Justice on the necessity and  proportionality of the existing and planned EU legislative measures will be weakened.  Overall this HLWG report is mainly focused on security related objectives and the references to fundamental rights and data protection are given more as “excusatio non petita” than as a clearly explained reasoning (see the Fundamental Rights Agency Statement). On the Content of the  perceived “threats” to be countered with this new approach it has to be seen if some of them (such as the mixing irregular migration with terrorism)  are not imaginary and, by the countrary, real ones are not taken in account.

At least this report is now public. It will be naive to consider it as purely “technical” : it is highly political and will justify several EU legislative measures. It will be worthless for the European Parliament to wake up when the formal legislative proposals will be submitted. If it has an alternative vision it has to show it NOW and not waiting when the Report will be quite likely “endorsed” by the Council and the European Council.

Emilio De Capitani

TEXT OF THE REPORT (NB  Figures have not been currently imported, sorry.)

——- Continue reading “Worth reading : the final report by the EU High Level Expert Group on Information Systems and Interoperability (HLEG),”

Immigration detention and the rule of law: the ECJ’s first ruling on detaining asylum-seekers in the Dublin system


by Tommaso Poli (LL.M. candidate in Human Rights and Humanitarian Law at the University of Essex, School of Law).

One of the most controversial issues in immigration law is the detention of asylum-seekers. This issue was not initially addressed by the European Common Asylum System (CEAS), but is now addressed in some of the second-phase CEAS measures (the CEAS consists of the Asylum Procedures Directive, the Reception Conditions Directive, the Qualification Directive, the Dublin Regulation and the EURODAC Regulation).

In particular, the second-phase CEAS measures contain detailed rules on detaining asylum-seekers in two cases:  a) general rules in the Reception Conditions Directive, which were the subject of a first ECJ ruling in 2016 (discussed here) and a recent opinion of an Advocate-General; and b) more specific rules in the Dublin III Regulation, applying to asylum-seekers whose application is considered to be the responsibility of another Member State under those rules. Recently, the ECJ ruled for the first time on the interpretation of the latter provisions, in its judgment in the Al Chodor case.

As we will see, the Court took a strong view of the need for the rule of law to apply in detention cases. Moreover, its ruling is potentially relevant not just to Dublin cases, but also detention of asylum-seekers and irregular migrants in other contexts too.

The rules on detaining asylum-seekers in the context of the Dublin process are set out in Article 28 of the Dublin III Regulation. First of all, Article 28(1) states that asylum seekers can’t be detained purely because they are subject to the Dublin process. Then Article 28(2) sets out the sole ground for detention: when there is a ‘significant risk of absconding’. If that is the case ‘Member States may detain the person concerned in order to secure transfer procedures in accordance with’ the Dublin rules, ‘on the basis of an individual assessment and only in so far as detention is proportional and other less coercive alternative measures cannot be applied effectively’.

Next, Article 28(3) sets out detailed rules on time limits for ‘Dublin detention’; these are the subject of the pending Khir Amayry case. Finally, Article 28(4) states that the general rules on guarantees relating to procedural rights and detention conditions set out in the Reception Conditions Directive apply to asylum-seekers detained under the Dublin rules.

Al Chodor concerned the interpretation of the grounds for detention under Article 28(2): what is a ‘serious risk of absconding’?  The Dublin III Regulation offers some limited clarity, defining ‘risk of absconding’ as ‘the existence of reasons in an individual case, which are based on objective criteria defined by law, to believe that an applicant or a third country national or a stateless person who is subject to a transfer procedure may abscond.’ (Article 2(n) of the Regulation).


The case relates to an Iraqi man and his two minor children who were traveling from Hungary in the Czech Republic, without any documentation to establish their identity, with the aim of joining family members in Germany. After stopping the Al Chodors, the Czech Foreigners Police Section (FPS) consulted the Eurodac database and found that they had made an asylum application in Hungary. As a consequence, the Al Chodors were subjected to the transfer procedure according to Article 18(1)(b) of the Dublin III Regulation. In addition, the FPS took the view that there was a ‘serious risk of absconding’, given that the Al Chodors had neither a residence permit nor accommodation in the Czech Republic, while they were waiting for their transfer to Hungary.

So, they placed the Al Chodors in detention for 30 days pending their transfer pursuant to Paragraph 129(1) of the national law on the residence of foreign nationals, read in conjunction with Article 28(2) of the Dublin III Regulation. The Al Chodors brought an action against the decision ordering their detention to the regional Court, which annulled that decision, finding that Czech legislation does not lay down objective criteria for the assessment of the risk of absconding within the meaning of Article 2(n) of the Dublin III Regulation. That Court accordingly ruled that the decision was unlawful. Following the annulment of the decision of the FPS, the Al Chodors were released from custody.

The FPS brought an appeal on a point of law before the Supreme Administrative Court against the decision of the Regional Court. According to the FPS, the inapplicability of Article 28(2) of the Dublin III Regulation cannot be justified by the mere absence in Czech legislation of objective criteria defining the risk of absconding. That provision subjects the assessment of the risk of absconding to three conditions, namely an individual assessment taking account of the circumstances of the case, the proportionality of the detention, and the impossibility of employing a less coercive measure. The FPS has submitted that it satisfied those conditions.

The Supreme Administrative Court was uncertain whether the recognition by its settled case-law of objective criteria on the basis of which the detention of persons pursuant to Paragraph 129 of the Law on the residence of foreign nationals may be carried out can meet the requirement of a definition ‘by law’ within the meaning of Article 2(n) of the Dublin III Regulation, in so far as that case-law confirms a consistent administrative practice of the FPS which is characterised by the absence of arbitrary elements, and by predictability and an individual assessment in each case. So the Court decided to refer to the European Court of Justice for a preliminary ruling asking whether Article 2(n) and Article 28(2) of the Dublin III Regulation, read in conjunction, must be interpreted as requiring Member States to establish, in a national law, objective criteria underlying the reasons for believing that an applicant for international protection who is subject to a transfer procedure may abscond, and whether the absence of those criteria in a national law leads to the inapplicability of Article 28(2) of that regulation.


The Court of Justice first of all ruled that Article 2(n) of the Dublin III Regulation explicitly requires that objective criteria defining the existence of a risk of absconding be defined by the national law of each Member State (paragraph 27-28). Then, determining whether the word ‘law’ must be understood as including settled case-law, the Court reaffirmed that in interpreting a provision of EU law, it is necessary to consider not only its wording but also the context in which it occurs and the objectives pursued by the rules of which it forms part (judgment of 26 May 2016, Envirotec Denmark, paragraph 27).

So with regard to the general scheme of the rules of which Article 2(n) of Dublin III Regulation forms part, the Court, referring to recital 9 of that regulation, states that the regulation is intended to make necessary improvements, in the light of experience, not only to the effectiveness of the Dublin system but also to the protection of fundamental rights afforded to applicants under that system. This high level of protection is also clear from Articles 28 and 2(n) of that regulation, read in conjunction. As regards the objective pursued by Article 2(n) of the Dublin III Regulation, read in conjunction with Article 28(2) thereof, the Court recalls that, by authorizing the detention of an applicant in order to secure transfer procedures pursuant to that regulation where there is a significant risk of absconding, those provisions provide for a limitation on the exercise of the fundamental right to liberty enshrined in Article 6 of the Charter.

In that regard, it is clear from Article 52(1) of the Charter that any limitation on the exercise of that right must be provided for by law and must respect the essence of that right and be subject to the principle of proportionality. Furthermore, it is worth noting that in this ruling the European Court of Justice explicitly aligns its interpretation to the European Court of Human Rights (ECtHR), reaffirming that any deprivation of liberty must be lawful not only in the sense that it must have a legal basis in national law, but also that lawfulness concerns the quality of the law and implies that a national law authorizing the deprivation of liberty must be sufficiently accessible, precise and foreseeable in its application in order to avoid risk of arbitrariness (judgment of the European Court of Human Rights of 21 October 2013, Del Río Prada v Spain, paragraph 125).

The Court then concluded by stating that taking account of the purpose of the provisions concerned, and in the light of the high level of protection which follows from their context, only a provision of general application could meet the requirement of clarity, predictability, accessibility and, in particular, protection against arbitrariness. It follows that Article 2(n) and Article 28(2) of the Dublin III Regulation, read in conjunction, must be interpreted as requiring that the objective criteria underlying the reasons for believing that an applicant may abscond must be established in a binding provision of general application. In the absence of such criteria, the detention was unlawful.


First of all, the Court’s ruling is likely relevant to the interpretation of other EU measures concerning immigration detention. In the Returns Directive, which inter alia concerns the detention of irregular migrants (as distinct from asylum seekers), the ‘risk of absconding’ forms part of the ground for detention (as well as one of the grounds for refusing to allow the irregular migrant a period for voluntary departure); and it is defined exactly the same way as in the Dublin III Regulation. As for asylum seekers who are detained on grounds other than the Dublin process, a ‘risk of absconding’ is an element of one of the grounds for detention under the Reception Conditions Directive, but is not further defined. But a recent Advocate-General’s opinion notes (at para 73) that this clause aims to prevent ‘arbitrary’ detention, which was a key feature of the reasoning in the Al Chodor judgment. This surely points to a consistent interpretation of the two asylum laws. It follows that arguably the Court’s judgment should be relevant not just to Dublin cases but to any immigration detention of non-EU citizens in any Member State bound by the relevant EU legislation.

Secondly, this ruling has reiterated the principle by which although regulations generally have immediate effect in national legal systems without it being necessary for the national authorities to adopt measures of application, some of those provisions may necessitate, for their implementation, the adoption of measures of applicability by the Member States (judgment of 14 April 2011, Vlaamse Dierenartsenvereniging and Janssens, paragraphs 47 and 48).

Most significantly, the Court has reaffirmed the primacy of Human Rights law in EU asylum law implementation, highlighting that the development of the EU asylum law itself depends on its compliance with Human Rights law. In particular, the ECJ’s ruling in this case first of all reflects the ECtHR’s interpretation of the ‘arbitrariness’ of detention, which extends beyond the lack of conformity with national law. Notably, it states that a deprivation of liberty that is lawful under domestic law can still be arbitrary and thus contrary to the general principles, stated explicitly or implied, in the Convention (judgment of the European Court of Human Rights of 9 July 2009, Mooren v. Germany, paragraphs 73-77).

The Court’s ruling also reflects UN human rights norms. The Human Rights Committee’s General Comment No. 31 related to the nature of the general legal obligation imposed on State parties to the UN Covenant on Civil and Political Rights, which all EU Member States are State parties to, which reads that ‘in no case may the restrictions be applied or invoked in a manner that would impair the essence of a Covenant right’ (paragraph 4). Furthermore, the Human Rights Committee’s General Comment No. 35 points out that “arbitrariness is not to be equated with ‘against the law’, but must be interpreted more broadly to include elements of inappropriateness, injustice, lack of predictability and due process of law, as well as elements of reasonableness, necessity and proportionality” (paragraph 12, see also HRC, Van Alphen v. Netherlands, paragraph 5.8).

Finally, the Court’s ruling has confirmed the constitutional value of the Charter of Fundamental Rights of the European Union, which assumes a critical value in this historical period, since, as with any constitutional instrument, the more society as a whole is going through difficult times (such as the perceived ‘migration crisis’ in Europe), the more important it is to reaffirm its principles and values.

Likewise Article 52 of the EU Charter states that in no case may restrictions be applied or invoked in a manner that would impair the essence of a Charter right; in the context of detention, a fortiori it can be also affirmed that essential elements of guarantee for that right, as the requirement of lawfulness and non-arbitrariness for the right of liberty, cannot be disregarded in any circumstance. The Al Chodor ruling puts meat on the bones of that fundamental principle.

Authorization of deprivation of liberty by judicial authorities in the recast Reception conditions Directive proposal (ICJ OBSERVATIONS)


April 2017

The Commision proposal of the Reception Conditions Directive (recast) COM(2016) 465 final has been published by the European Commission on 13.7.2016. On 23 February 2017, the amendments[1] have been tabled in the European Parliament on the draft report by Sophia in ‘t Veld from 18 January 2017, the Rapporteur of the recast Directive.

The ICJ supports the amendments especially when it comes to its proposals on detention. In particular in the sense that detention or other restrictions of movement that may cumulatively amount to deprivation of liberty should always and only be ordered by judicial authorities (the proposed amendments 10, 30-33, 93-95, and 243-246 regarding Recital 20, Article 8.1, 9.2 and 9.3 of the proposal in particular).

The right to liberty and security of the person is protected under international human rights law (Article 9 ICCPR, Art 5 ECHR), and means that, as a general rule, asylum seekers should not be detained, except where detention can be justified as a necessary and proportionate measure for a legitimate purpose in the specific circumstances of the case. Asylum seekers may have already suffered imprisonment and torture in the country from which they have fled and therefore, the consequences of detention may be particularly serious, causing severe emotional and psychological stress and may amount to inhuman and degrading treatment.

Under international human rights law, it is established that asylum seekers should only be detained, as a last resort, in exceptional cases and where non-custodial measures have been proven on individual grounds not to achieve the stated, lawful and legitimate purpose. Detention must not be imposed arbitrarily, it must be lawful, necessary, and applied without discrimination. Judicial authorization, as well as judicial review, of detention provides an important safeguard against arbitrariness.

The Parliamentary Assembly of the Council of Europe has clearly stated in its Resolution 1707 (2010) on Detention of asylum seekers and irregular migrants in Europe, para 9.1.3, that “detention shall be carried out by a procedure prescribed by law, authorised by a judicial authority and subject to periodic judicial review.

It has been also established in international law that there is a right to judicial review of any form of detention, and that such review must always be of a judicial nature[2] UNHCR guidelines also require both automatic review of detention and regular automatic periodic reviews thereafter, and a right to challenge detention.[3]

 Taking account of the complexity of the assessment of whether a deprivation of liberty is justifiable as necessary and proportionate in the individual case of an asylum seeker and of the seriousness of the impact on human rights of deprivation of liberty, the ICJ considers that authorization by a judicial authority would always be preferential in cases of detention or other serious restrictions of movement.


[1] See Amendments 1-51:; Amendments 52-295:; Amendments 296-543:

[2] see European Court of Human Rights in Öcalan v. Turkey, para 70; Human Rights Committee in C. v. Australia, para 8.2-8.3; HRC General Comment No. 35, Article 9 (Liberty and security of person), UN Doc. CCPR/C/GC/35 (2014), para 18).

[3] Guideline 7: “(iii) to be brought promptly before a judicial or other independent authority to have the detention decision reviewed. This review should ideally be automatic, and take place in the first instance within 24–48 hours of the initial decision to hold the asylum-seeker. The reviewing body must be independent of the initial detaining authority, and possess the power to order release or to vary any conditions of release. (iv) following the initial review of detention, regular periodic reviews of the necessity for the continuation of detention before a court or an independent body must be in place, which the asylum-seeker and his/her representative would have the right to attend. Good practice indicates that following an initial judicial confirmation of the right to detain, review would take place every seven days until the one month mark and thereafter every month until the maximum period set by law is reached. (v) irrespective of the reviews in (iii) and (iv), either personally or through a representative, the right to challenge the lawfulness of detention before a court of law at any time needs to be respected. The burden of proof to establish the lawfulness of the detention rests on the authorities in question. As highlighted in Guideline 4, the authorities need to establish that there is a legal basis for the detention in question, that the detention is justified according to the principles of necessity, reasonableness and proportionality, and that other, less intrusive means of achieving the same objectives have been considered in the individual case.”

Legal Frameworks for Hacking by Law Enforcement: Identification, Evaluation and Comparison of Practices



by Mirja  GUTHEIL, Quentin  LIGER, Aurélie  HEETMAN, James  EAGER, Max  CRAWFORD  (Optimity  Advisors)

Hacking by law enforcement is a relatively new phenomenon within the framework of the longstanding public policy problem of balancing security and privacy. On the one hand, law enforcement agencies assert that the use of hacking techniques brings security, stating that it represents a part of the solution to the law enforcement challenge of encryption and ‘Going Dark’ without systematically weakening encryption through the introduction of ‘backdoors’ or similar techniques. On the other hand, civil society actors argue that hacking is extremely invasive and significantly restricts the fundamental right to privacy. Furthermore, the use of hacking practices pits security against cybersecurity, as the exploitation of cybersecurity vulnerabilities to provide law enforcement with access to certain data can have significant implications  for  the security of the internet.

Against this backdrop, the present study provides the LIBE Committee with relevant, actionable insight into the legal frameworks and practices for hacking by law enforcement. Firstly, the study examines the international and EU-level debates on the topic of hacking by law enforcement (Chapter 2), before analysing the possible legal bases for EU intervention in the field (Chapter 3). These chapters set the scene for the primary focus of the study: the comparative analysis of legal frameworks and practices for hacking by law enforcement across six selected Member States (France, Germany, Italy, the Netherlands, Poland and the UK), with further illustrative examples from three non-EU countries (Australia, Israel and the US) (Chapter 4). Based on these analyses, the study concludes (Chapter 5) and presents concrete recommendations and policy proposals for  EU  action  in  the field (Chapter 6).

The international and EU-level debates on the use of hacking techniques by law enforcement primarily evolve from the law enforcement challenge posed by encryption – i.e. the  ‘Going  Dark’  issue.

Going Dark is a term used to describe [the] decreasing ability [of law enforcement agencies] to lawfully access and examine evidence at rest on devices and evidence in motion across   communications   networks.1

According to the International Association of Chiefs of Police (IACP), law enforcement agencies are not able to investigate illegal activity and prosecute criminals without this evidence. Encryption technologies are cited as one of the major barriers to this access. Although recent political statements from several countries (including France, Germany, the UK and the US) seemingly call for ‘backdoors’ to encryption technologies, support for strong encryption at international and EU fora remains strong. As such, law enforcement agencies across the world started to use hacking techniques to bypass encryption. Although the term ‘hacking’ is not used by law enforcement agencies, these practices essentially mirror the techniques used by hackers (i.e. exploiting any possible vulnerabilities – including technical, system  and/or human  vulnerabilities  – within  an  information  technology  (IT) system).

Law enforcement representatives, such as the IACP and Europol, report that access to encrypted and other data through such hacking techniques brings significant investigative benefits. However, it is not the only possible law enforcement solution to the ‘Going Dark’ issue. Outside of the scope of this study, the other options include: requiring users to provide their password or decrypt their data; requiring technology vendors and service providers to bypass   the   security   of   their   own   products   and   services;   and   the    systematic   weakening   of encryption through the mandated introduction of ‘backdoors’ and/or weakened standards for encryption.

With the benefits of hacking established, a 2016 Joint Statement published by the European Union Agency for Network and Information Security (ENISA) and Europol2 noted that the use of  hacking  techniques also brings  several   key  risks.

The primary risk relates to the fundamental right to privacy and freedom of expression and information, as enshrined in international, EU and national-level law. Hacking techniques are extremely invasive, particularly when compared with traditionally intrusive investigative tools (e.g. wiretapping, house searches etc.). Through hacking, law enforcement can gain access to all data stored or in transit from a device; this represents a significant amount of data (e.g. a recent investigation by Dutch law enforcement collected seven terabytes of data, which translates into around 86 million pages of Microsoft Word documents3), as well as extremely sensitive data (e.g. a person’s location and movements, all communications, all stored data etc.). Consequently, the use of hacking techniques will inherently restrict the fundamental right to privacy.

Therefore, current debates at international and EU fora focus on assessing and providing recommendations on the current legal balances and safeguards for the restriction of the right to privacy by hacking techniques. However, these debates have assumed that hacking practices are necessary for law enforcement and simply require governing laws; they have not discussed whether the use of hacking techniques by law enforcement is necessary and proportional. The law enforcement assertions regarding the necessity of these invasive tools have  not   been  challenged.

The second key risk relates to the security of the internet. Law enforcement use of hacking techniques has the potential to significantly weaken the security of the internet by “[increasing] the attack surface for malicious abuse”4. Given that critical infrastructure and defence organisations, as well as law enforcement agencies themselves, use the technologies targeted and potentially weakened by law enforcement hacking, the potential ramifications reach  far  beyond  the intended  target.

As such, debates at international and EU fora focus on the appropriate balances between security and privacy, as well as security and cybersecurity. Regarding security v. privacy, the debates to date have assessed and provided recommendations on the legislative safeguards required to ensure that hacking techniques are only permitted in situations where a restriction of the fundamental right to privacy is valid in line with EU legislation (i.e. legal, necessary and proportional). Regarding security v. cybersecurity, the debates have been limited and primarily centre around the use and/or reporting of zero-day vulnerabilities discovered  by  law enforcement agencies.

Further risks not discussed in the Joint Statement but covered by this study include: the risks to territorial sovereignty – as law enforcement agencies may not know the physical location of the target data; and the risks related to the supply and use of commercially-developed hacking tools by governments with poor consideration for human rights.

Alongside the analysis of international and EU debates, the study presents hypotheses on the legal  bases  for  EU  intervention  in  the  field. Although  possibilities for  EU  legal  intervention  in several areas are discussed, including mutual admissibility of evidence (Art. 82(2) TFEU), common investigative techniques (Art. 87(2)(c) TFEU), operational cooperation (Art. 87(3) TFEU) and data protection (Art. 16 TFEU, Art. 7 & 8 EU Charter), the onus regarding the development of legislation in the field is with the Member States. As such, the management of the risks associated with law enforcement activities is governed at the Member State level.

As suggested by the focus of the international and EU discussions, concrete measures need to be stipulated at national-level to manage these risks. This study presents a comparative analysis of the legal frameworks for hacking by law enforcement across six Member States, as well as certain practical aspects of hacking by law enforcement, thereby providing an overview of the primary Member State mechanisms for the management of these risks. Further illustrative examples are provided from research conducted in three non-EU countries.

More specifically, the study examines the legal and practical balances and safeguards implemented at national-level to ensure: i) the legality, necessity and proportionality of restrictions to the fundamental  right  to  privacy;   and ii) the security  of  the internet.

Regarding restrictions to the right to privacy, the study first examines the existence of specific legal frameworks for hacking by law enforcement, before exploring the ex-ante and ex-post conditions and mechanisms stipulated to govern restrictions of the right to privacy and ensure they are legal, necessary  and  proportional.

It is found that hacking practices are seemingly necessary across all Member States examined, as four Member States (France, Germany, Poland and the UK) have adopted specific legislative provisions and the remaining two are in the legislative process. For all Member States except Germany, the adoption of specific legislative provisions occurred in 2016 (France, Poland and the UK) or will occur later (Italy, the Netherlands).  This  confirms the  new  nature  of these investigative techniques.

Additionally, law enforcement agencies in all Member States examined have used, or still use, hacking techniques in the absence of specific legislative provisions, under so-called ‘grey area’ legal provisions. Given the invasiveness of hacking techniques, these grey areaprovisions are considered  insufficient  to adequately  protect the right to privacy.

Where specific legal provisions have been adopted, all stakeholders agree that a restriction of the right to privacy requires the implementation of certain safeguards. The current or proposed legal frameworks of all six Member States comprise a suite of ex-ante conditions and ex-post mechanisms that aim to ensure the use of hacking techniques is proportionate and necessary. As recommended by various UN bodies, the provisions of primary importance include judicial authorisation of hacking practices, safeguards related to the nature, scope and duration of possible measures (e.g. limitations to crimes of a certain gravity and the  duration  of  the hack,  etc.) and  independent   oversight.

Although many of these types of recommended conditions are common across the Member States examined – demonstrated in the below table – their implementation parameters differ. For instance, both German and Polish law permit law enforcement hacking practices without judicial authorisation in exigent circumstance if judicial authorisation is achieved in a specified timeframe. However, the timeframe differs (three days in Germany compared with five days in Poland). These differences make significant difference, as the Polish timeframe was criticised  by the Council  of  Europe’s  Venice Commission  for being  too long.5

Furthermore, the Member States examined all accompany these common types of ex-ante and ex-post conditions with different, less common conditions. This is particularly true for ex-post oversight mechanisms. For instance, in Poland, the Minister for internal affairs provides macro-level information to the lower (Sejm) and upper (Senat) chambers of Parliament;6 and in the UK, oversight is provided by the Investigatory Powers Commissioner, who reviews all cases of hacking by law enforcement, and the Investigatory Powers Tribunal, which  considers disputes or  complaints surrounding  law enforcement  hacking.7

Key ex-ante considerations
Judicial authorisation The    legal    provisions    of    all    six    Member    States    require    ex-ante judicial        authorisation        for        law        enforcement        hacking.        The information  to  be  provided  in  these requests differ.

Select     Member     States     (e.g.     Germany,     Poland,     the     UK)     also provide for hacking without prior judicial authorisation in exigent circumstances  if  judicial  authorisation  is subsequently  provided. The timeframes  for  ex-post authorisation  differ.

Limitation by crime and  duration All  six Member  States  restrict  the  use  of  hacking  tools  based  on the   gravity   of   crimes.    In    some    Member   States,    the    legislation presents  a  specific  list  of  crimes  for  which  hacking  is permitted; in     others,     the    limit    is    set     for    crimes    that    have    a    maximum custodial    sentence   of   greater   than    a   certain   number    of   years. The lists and numbers  of years required differ by Member   State.

Many Member States also restrict the duration for which hacking may   be   used.   This   restriction   ranges   from   maximum   1   month (France, Netherlands) to a maximum of 6 months (UK), although extensions     are     permitted     under     the     same     conditions     in     all Member States.

Key ex-post considerations
Notification and effective remedy Most    Member    States    provide    for    the    notification    of    targets    of hacking  practices and  remedy  in  cases  of unlawful   hacking.
Reporting and oversight Primarily, Member States report at a micro-level through logging hacking  activities and  reporting them  in  case  files.

However,   some   Member   States   (e.g.   Germany,   Poland   and   the UK) have macro-level  review  and  oversight mechanisms.

Furthermore, as regards the issue of territoriality (i.e. the difficulty law enforcement agencies face obtaining the location of the data to be collected using hacking techniques), only one Member States, the Netherlands, legally permits the hacking of devices if the location is unknown. If the device turns out to be in another jurisdiction, Dutch law enforcement must apply  for Mutual  Legal  Assistance.

As such, when aggregated, these provisions strongly mirror Article 8 of the European Convention on Human Rights, as well as the UN recommendations and paragraph 95 of the ECtHR  judgement  in  Weber and  Saravia  v.  Germany.  However,   there are  many,  and  varied, criticisms when the Member State conditions are examined in isolation. Some of the provisions criticised include: the limits based on the gravity of crimes (e.g. the Netherlands, France and Poland); the provisions for notification and effective remedy (e.g. Italy and the Netherlands); the process for screening and deleting non-relevant data (Germany); the definition of devices that can be targeted (e.g. the Netherlands); the duration permitted for hacking (e.g. Poland); and a lack of knowledge amongst the judiciary (e.g. France, Germany, Italy and the Netherlands).With this said, certain elements, taken in isolation, can be called good  practices. Such  examples  are  presented below.

Select  good practice: Member State legislative frameworks

Germany: Although they were deemed unconstitutional in a 2016 ruling, the provisions for the screening and deletion of data related to the core area of private life are a positive step. If the provisions are amended, as stipulated in the ruling, to ensure screening by an independent body, they would provide strong protection for the targeted individual’s private data.

Italy: The 2017 draft Italian law includes a range of provisions related to the development and monitoring of the continued use of hacking tools. As such, one academic stakeholder remarked that the drafting of the law must have been driven by technicians. However, these provisions bring significant benefits to the legislative provisions in terms of supervision and oversight of the use of hacking tools. Furthermore, the Italian draft law takes great care to separate the functionalities of the hacking tools, thus protecting against the overuse or abuse of a  hacking tool’s  extensive  capabilities.

Netherlands: The Dutch Computer Crime III Bill stipulates the need to conduct a formal proportionality assessment for each hacking request, with the assistance of a dedicated Central Review Commission (Centrale Toetsings Commissie). Also, the law requires rules to be laid down on the authorisation and expertise of the investigation officers that can perform hacking.

With these findings in mind, the study concludes that the specific national-level legal provisions examined provide for the use of hacking techniques in a wide array of circumstances. The varied combinations of requirements, including those related to the gravity of crimes, the duration and purpose of operations and the oversight, result in a situation where the law does not provide for much stricter conditions than are necessary for less  intrusive  investigative activities such  as interception.

Based on the study findings,  relevant  and actionable policy proposals and recommendations have been developed under the two key elements: i) the fundamental right  to  privacy;  and  ii) the security  of the internet.

Recommendations and policy proposals: Fundamental  right  to  privacy

It is recommended that the use of ‘grey area’ legal provisions is not sufficient to protect the fundamental right to privacy. This is primarily because existing legal provisions do not provide for the more invasive nature of hacking techniques and do not provide for the legislative precision  and  clarity  as  required  under  the  Charter and the  ECHR.

Furthermore, many of these provisions have only recently been enacted. As such, there is a need for robust evidence-based monitoring and evaluation of the practical application of these provisions. It is therefore recommended that the application of these new legal provisions is evaluated regularly at national level, and that the results of these evaluations are  assessed at  EU-level.

If specific legislative provisions are deemed necessary, the study recommends a range of good practice, specific ex-ante and ex-post provisions governing the use of hacking practices by  law  enforcement  agencies. These are detailed  in  Chapter 6.

Policy proposal 1: The European Parliament should pass a resolution calling on Member States to conduct a Privacy Impact Assessment when new laws are proposed to permit and govern the use of hacking techniques by law enforcement agencies. This Privacy Impact Assessment should focus on the necessity and proportionality of the use of hacking tools and should  require input  from  national  data protection  authorities.

Policy proposal 2: The European Parliament should reaffirm the need for Member States to adopt a clear and precise legal basis if law enforcement agencies are to use hacking techniques.

Policy proposal 3: The European Parliament should commission more research or encourage the European Commission or other bodies to conduct more research on the topic. In response to the Snowden revelations, the European Parliament called on the EU Agency for Fundamental Rights (FRA) to thoroughly research fundamental rights protection in the context of surveillance. A similar brief related to the legal frameworks governing the use of hacking techniques by law enforcement across all EU Member States would act as an invaluable piece  of  research.

Policy proposal 4: The European Parliament should encourage Member States to undertake evaluation and monitoring activities on the practical application of the new legislative provisions  that  permit  hacking  by  law  enforcement  agencies.

Policy proposal 5: The European Parliament should call on the EU Agency for Fundamental Rights (FRA) to develop a practitioner handbook related to the governing of hacking by law enforcement. This handbook should be intended for lawyers, judges, prosecutors, law enforcement officers and others working with national authorities, as well as non­governmental organisations and other bodies confronted with legal questions in the areas set out by the handbook. These areas should cover the invasive nature of hacking techniques and relevant safeguards as per international and EU law and case law, as well as appropriate mechanisms for supervision  and   oversight.

Policy proposal 6: The European Parliament should call on EU bodies, such as the FRA, CEPOL and Eurojust, to provide training for national-level members of the judiciary and data protection authorities, in collaboration with the abovementioned handbook, on the technical means for hacking in use across the Member States, their potential for invasiveness and the principles of  necessity  and  proportionality in  relation  to these  technical  means.

Recommendations and policy proposals: Security of  the  internet

The primary recommendation related to the security of the internet is that the position of the EU against the implementation of ‘backdoors’ and similar techniques, and in support of strong encryption standards, should be reaffirmed, given the prominent role encryption plays in our society and its importance to the EU’s Digital Agenda. To support this position, the EU should ensure continued engagement with global experts in computer science as well as civil society privacy and  digital  rights groups.

The actual impacts of hacking by law enforcement on the security of the internet are yet unknown. More work should be done at the Member State level to assess the potential impacts such that these data can feed in to overarching discussions on the necessity and proportionality of law enforcement hacking. Furthermore, more work should be done, beyond understanding the risks to the security of the internet, to educate those involved in the authorisation and use of  hacking  techniques by law enforcement.

At present, the steps taken to safeguard the security of the internet against the potential risks of hacking are not widespread. As such, the specific legislative provisions governing the use of hacking techniques by law enforcement, if deemed necessary, should safeguard the security of the internet and the security of the device, including reporting the vulnerabilities used to gain access to a device to the appropriate technology vendor or service provider; and  ensure  the  full  removal  of  the software  or hardware from the targeted  device.

Policy proposal 7: The European Parliament should pass a resolution calling on Member States to conduct an Impact Assessment to examine the impact of new or existing laws governing  the  use  of hacking  techniques by  law  enforcement on  the  security  of  the internet.

Policy proposal 8: The European Parliament, through enhanced cooperation with Europol
and the European Union Agency for Network and Information Security (ENISA), should
reaffirm its commitment to strong encryption considering discussions on the topic of hacking by law enforcement. In addition, the Parliament should reaffirm its opposition to the implementation of  
backdoors and  similar techniques in information technology infrastructures or  services.

Policy proposal 9: Given the lack of discussion around handling zero-day vulnerabilities, the European Parliament should support the efforts made under the cybersecurity contractual Public-Private Partnership (PPP) to develop appropriate responses to handling zero-day vulnerabilities, taking into consideration the risks related to fundamental rights and the security  of the internet.

Policy proposal 10: Extending policy proposal 4, above, the proposed FRA handbook should also cover the risks  posed  to  the  security  of the  internet  by  using hacking  techniques.

Policy proposal 11: Extending policy proposal 5, training provided to the judiciary by EU bodies such as FRA, CEPOL and Eurojust should also educate these individuals on the risks posed  to  the security  of  the internet  by  hacking  techniques.

Policy proposal 12: Given the lack of discussion around the risks posed to the security of the internet by hacking practices, the European Parliament should encourage debates at the appropriate fora specific to understanding this risk and the approaches to managing this risk. It is encouraged that law enforcement representatives should be present within such discussions.