Data retention and bulk data: sometimes the Council raises some good questions. But what about the answers?

It does not happen very often, but in a PUBLIC document circulated yesterday the Council Presidency raises some very interesting questions arising from the 2014 CJEU ruling on data retention (see below). It is worth recalling that already at that time the Court justified its decision with reference not only to art. 8 of the Charter (protection of personal data) but also to art. 7 (protection of privacy). The same happened this year with the Schrems case, which deals with a similar situation (even if it concerns a third country). Quite surprisingly, the Council Presidency makes no reference to this ruling even though, according to some doctrine (see the Martin Scheinin position published here), it already contains an answer to the first question. According to Martin Scheinin, the Court, by referring to Article 7 of the Charter, makes clear that: “In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter…”

When the very “essence” of a fundamental right is threatened, according to art. 52 of the Charter there is no longer any question of verifying the “proportionality” of this kind of measure, as such measures would be per se contrary to the Charter (and the Treaty).

Let’s see what the reaction of the MS (and the judiciary) will be, and whether they will take this occasion to re-examine some wide-ranging legislative proposals which foresee a generalised collection of personal data (PNR, Entry-exit systems, not to speak of the monthly bulk transmission of EU citizens’ personal data to the US administration within the EU-USA TFTP (“SWIFT”) agreement…).

EDC

 

DOC 14246/15, 24 November 2015, NOTE
From: Presidency
To: Permanent Representatives Committee/Council
No. prev. doc.: 14369, 13085/15, 11747/1/15 REV 1
Subject: Retention of electronic communication data – General debate

1. The invalidation of the Data Retention Directive 1 by the Court of Justice of the EU 2 on the grounds that it disproportionately restricted the rights to privacy and to the protection of personal data, has given rise to questions in the Member States, in particular as regards national transposition legislation and the availability of electronic communication data collected for access by law enforcement authorities and their use as evidence in criminal proceedings.

2. Member States had been given a wide margin of discretion in the implementation of the Data Retention Directive. This led to considerable differences in the national legal frameworks3, which are compounded by the varying consequences of the assessment of the national data retention schemes by national parliaments and courts, especially in view of the Data Retention Judgement and the pending “Tele2” case 4.

3. The Data Retention Judgement has not directly affected national implementing legislations of the Data Retention Directive and these remain valid until amended, or repealed by national parliaments, or invalidated by national courts, provided that they comply with Articles 7 and 8 of the Charter of Fundamental Rights of the EU. Member States thus find themselves in a situation where they no longer have an obligation deriving from a specific Union legal instrument to introduce or maintain a national data retention regime providing for the mandatory storage of electronic communication data by providers for the purposes of detecting, investigating, and prosecuting serious crime. However, Member States retain the possibility to do so under Article 15(1) of the “E-privacy Directive” 5.

4. Opinions diverge on the interpretation of the Court’s judgement and thus on the legality of schemes for retaining bulk electronic communication data without specific reason. This has inter alia resulted in a large variety of situations at national level6. Some Member States have already adopted or are in a process of preparing new legislation on data retention, that, according to the information received by delegations, aims at ensuring strengthened procedural guarantees and safeguards in compliance with the Charter and in line with the ruling of the Court (EE, ES, IE, LT, LU, LV, MT, PL), including some Member States where the national law has been invalidated by the constitutional Court (DE, BG, NL).

5. Eurojust’s analysis of the current situation7 and expert debates held during the Luxembourg Presidency8 highlight that this fragmentation of the legal framework on data retention across the Union has an impact on the effectiveness of criminal investigations and prosecutions at national level, in particular in terms of reliability and admissibility of evidence to the courts based on the collection of electronic communication data, as well as on cross-border judicial cooperation between Member States and internationally.

6. In view of these challenges and the legal, procedural and practical problems they pose for investigations and prosecutions of all kinds of crime, not in the least in relation to counter-terrorism, the Presidency invites Ministers to address the following questions:

  • Is the Data Retention Judgement to be interpreted in the sense that retaining bulk electronic communication data without specific reason is still allowed?
  • Considering the current fragmented situation throughout the Union, and the consequences it entails, should an EU-wide response be considered or should it be up to individual Member States to address the issue?
  • Should the Commission be invited to present a new legislative initiative and if yes in what timeframe?

 

NOTES

1        Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
2        Judgement of the Court of Justice of the European Union (CJEU) (Grand Chamber) “Digital Rights Ireland and Seitlinger and others” of 8 April 2015 in joined Cases C-293/12 and C-594/12
3        It is recalled that the transposition did not go easily in certain Member States, as a number of national constitutional courts annulled the national transposition laws for being contrary to the Constitution or the European Convention on Human Rights and certain national parliaments raised serious concerns.
4        The CJEU currently examines a preliminary ruling (pending Case C-203/15, lodged on 4 May 2015, Tele2 Sverige AB v. Post-och telestyrelsen) on the compatibility of a national legislation (Swedish law in this case) to retain traffic data covering all persons, all means of electronic communication and all traffic data for the purpose of combating crime, with Article 15(1) of Directive 2002/58/EC (the e-privacy Directive), taking account of Articles 7, 8 and 15(1) of the Charter.
5        Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector
6        The current state of play is as follows: the transposition law of the Data Retention Directive has been invalidated in at least 11 Member States (AT, BE, BG, DE, LT, NL, PL, RO, SI, SK, UK). Amongst these, 9 countries have had the law invalidated by the Constitutional Court (AT, BE, BG, DE, SI, NL, PL, RO, SK). In 15 Member States (CY, CZ, DK, EE, ES, FI, FR, HR, HU, IE, LU, LV, MT, PT, SE) the domestic law on data retention remains in force, while they are still processing communication data.
7        Doc. 13085/15 and 13689/15
8        Doc. 11747/1/15 REV 1

After Paris: Justice and Home Affairs Council draft Conclusions

ORIGINAL DOCUMENT ACCESSIBLE ON STATEWATCH SITE

(NOTA BENE: Comments will follow on the text finally adopted)

Draft Conclusions of the Council of the EU and of the Member States meeting within the Council on Counter-Terrorism

  1. The Council is appalled by the heinous terrorist attacks which took place in Paris on 13 November 2015 and expresses its deepest condolences to the victims of these attacks, their families and friends. The Council emphasises its solidarity with the people of France and pays tribute to the courage and decisive actions of the French authorities. The attacks were an assault on the European values of freedom, democracy, human rights and the rule of law. This is not the first time that the EU has been confronted with a major terrorist attack and important measures have already been taken. The Council underlines the importance of accelerating the implementation of all areas covered by the statement on counter-terrorism issued by the Members of the European Council of 12 February 2015 and in particular of the measures outlined below.

PNR

  2. The Council reiterates the urgency and priority to finalise an ambitious EU PNR before the end of 2015, which should include internal flights in its scope, provide for a sufficiently long data period during which PNR data can be retained in non-masked out form and should not be limited to crimes with a transnational nature.

Firearms

  3. The Council:
  • welcomes the adoption of the Implementing Regulation on common deactivation standards on 18 November 2015,
  • welcomes the presentation by the Commission on 18 November 2015 of a proposal to revise the current Directive on Firearms,
  • is committed to increasing operational cooperation through Europol under the EU Policy Cycle on serious and organised crime, notably within the Operational Action Plan Firearms. All Member States affected by the problem are invited to join these efforts by the end of 2015,
  • invites Frontex and Europol to assist the Member States bordering the Western Balkans region with regard to increasing controls of external borders to detect smuggling of firearms.

Strengthening controls of external borders

4. Member States undertake to:

  • implement immediately the necessary systematic and coordinated checks at external borders, including on individuals enjoying the right of free movement,
    • on the basis of a quick identification of urgent needs and possible solutions, to be performed by the Commission before the end of 2015, upgrade the Member States border control systems (electronic connection to the relevant Interpol databases at all external border crossing points, automatic screening of travel documents) by March 2016,
    • in the context of the current migratory crisis, carry out a systematic registration, including fingerprinting, of all migrants entering into the Schengen area and perform systematic security checks by using relevant databases in particular SIS II, Interpol SLTD database, VIS and national police databases, with the support of Frontex and Europol, and ensure that hotspots are equipped with the relevant technology. Europol will deploy guest officers to the hotspots in support of the screening process, in particular by reinforcing secondary security controls,
    • strengthen the control at the external borders which are most exposed, in particular by deploying rapid border intervention teams (RABITs) and police officers in order to guarantee systematic screening and security checks.
    5. The Council reiterates its Conclusions of 9 November 2015 and invites the Commission to:
    • include EU nationals in the upcoming Smart Borders proposals and in this context present a proposal for the targeted revision of Art.7(2) Schengen Borders Code regarding systematic controls against relevant databases at EU external borders,
    • provide, in its proposal to update the Frontex Regulation, a solid legal basis for the contribution of Frontex to the fight against terrorism and organised crime and access to the relevant databases.
    6. Frontex will:
    • contribute to the fight against terrorism and support the coordinated implementation of the Common Risk Indicators (CRIs) before the end of 2015,
    • assist the Member States to tighten controls of external borders to detect suspicious travels of foreign terrorist fighters and smuggling of firearms, in cooperation with Europol,
    • work closely with Europol and Eurojust, in particular in the context of the hotspots, and exchange data with Europol on the basis of the cooperation agreement to exchange personal data. The latter should be concluded and become operational without delay.

    Information sharing

    7. The Council decides to step up law enforcement cooperation on counter-terrorism (CT):

    • Member States will instruct national authorities to enter data on all suspected foreign terrorist fighters into the SIS II under Article 36.3, carry out awareness raising and training on the use of the SIS and define a common approach to the use of the SIS II data relating to foreign fighters,
    • Europol will launch the European Counter Terrorist Centre (ECTC) on 1 January 2016 as a platform by which Member States can increase information sharing and operational coordination with regard to the monitoring and investigation of foreign terrorist fighters, the trafficking of illegal firearms and terrorist financing. The ECTC will provide national CT authorities with enhanced information sharing capacities notably via Focal Point Travellers, the Europol Information System and Europol’s SIENA system reserved for counter-terrorism cases. The new Europol Regulation, on which an agreement should be reached between the co-legislators before the end of the year, should be consistent with the mandate and objectives of the ECTC, including the IRU,
    • Member States will second CT experts to the ECTC to form an enhanced cross-border investigation support unit, capable of providing quick and comprehensive support to the investigation of major terrorist incidents in the EU. Eurojust should also participate,
    • The Commission is invited to ensure that Europol is reinforced with the necessary resources to support ECTC and to submit a legislative proposal in order to enable Europol to systematically cross-check the Europol databases against the SIS II as established by Council Decision 2007/533/JHA on the establishment, operation and use of the second generation Schengen Information System (SIS II),
    • Member States will make maximum use of these capabilities to improve the overall level of information exchange between CT authorities in the EU. Member States will instruct the relevant national authorities to further increase their contributions to Focal Point Traveller at Europol to reflect the threat and connect to relevant Europol information exchange systems.

    Terrorist financing

    8. The Council invites the Commission to present proposals to strengthen, harmonise and improve cooperation between Financial Intelligence Units (FIUs), notably through the proper embedment of the FIU.net network for information exchange in Europol and ensure their fast access to necessary information, in order to enhance the effectiveness and efficiency of the fight against money laundering and terrorist financing in conformity with Financial Action Task Force (FATF) recommendations, to implement more quickly the asset freezing required by the UN Security Council (Resolution 1373), to strengthen controls of non-banking payment methods such as electronic/anonymous payments and virtual currencies and transfers of gold, precious metals, by pre-paid cards and to curb more effectively the illicit trade in cultural goods.

     Criminal justice response to terrorism and violent extremism

     9. The Council welcomes the signing in Riga on 22 October 2015 by the EU of the Council of Europe’s Convention on the Prevention of terrorism and of its additional Protocol on Foreign Terrorist Fighters and invites the Commission to present a proposal for a directive updating the Framework Decision on Combating Terrorism before the end of 2015 with a view to collectively implementing into EU law UNSC Resolution 2178 (2014) and the additional Protocol to the Council of Europe’s Convention.

     10. Member States will use ECRIS at its full potential. The Council invites the Commission to submit by January 2016 a proposal for the extension of ECRIS to cover third country nationals.

     11. The Council invites the Commission to allocate as a matter of urgency the necessary financial resources to implement the Council Conclusions on enhancing the criminal justice response to radicalisation leading to terrorism and violent extremism. This should notably support the development of rehabilitation programmes as well as risk assessment tools in order to determine the most appropriate criminal justice response, taking into account the individual circumstances and security and public safety concerns.

     Funding

    12. The Council invites Member States to use the Internal Security Fund to support the implementation of these conclusions and to prioritise relevant actions under the national programmes to this effect, and calls on the Commission to prioritise the funding available under centrally managed funds to the priorities identified in these conclusions.

    Implementation

    13. In view of its role on strengthening internal security within the Union, COSI shall coordinate the role of the various Council Working Parties and of the EU agencies in the implementation of these Council Conclusions. The Counter Terrorism Coordinator will monitor their implementation.

    Fundamental Rights Agency: Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU. Mapping Member States’ legal frameworks

    EXECUTIVE SUMMARY : FULL REPORT AVAILABLE HERE

     Introduction

    Recent revelations of mass surveillance underscore the importance of mechanisms that help prevent fundamental rights violations in the context of intelligence activities.

    This FRA report aims to evaluate such mechanisms in place across the European Union (EU) by describing the current legal framework related to surveillance in the 28 EU Member States. The report first outlines how intelligence services are organised, describes the various forms surveillance measures can take and presents Member States’ laws on surveillance. It then details oversight mechanisms introduced across the EU, outlines the work of entities set up thereunder, and presents various remedies available to individuals seeking to challenge surveillance efforts.

    The report does not assess the implementation of the respective laws, but maps current legal frameworks. In addition, it provides an overview of relevant fundamental rights standards, focusing on the rights to privacy and data protection.

    Background

    In June 2013, media worldwide began publishing the ‘Snowden documents’, describing in detail several surveillance programmes being carried out, including by the United States’ National Security Agency (NSA) and by the United Kingdom’s Government Communications Headquarters (GCHQ). These brought to light the existence of extensive global surveillance. Details of these programmes, which set up a global system of digital data interception and collection, have been widely publicised 1 and critically assessed.2

    Neither the US nor the British authorities questioned the authenticity of the revelations,3 and in some cases confirmed them.4 However, the media’s interpretation of the programmes was sometimes contested – for example, by the UK Intelligence and Security Committee of Parliament 5 and academia.6

    Since most of the Snowden revelations have not been recognised by the British government, the Investigatory Powers Tribunal, in hearing challenges to the legality of the programmes, took the approach of hearing cases on the basis of hypothetical facts closely resembling those alleged by the media.7 For the Austrian Federal Agency for State Protection and Counter Terrorism (BVT), the Snowden revelations represented a “paradigm shift”: “Up until a few years ago, espionage was largely directed at state or business secrets, and not, for the most part, at people’s privacy, which can now be interfered with extensively by intelligence services since they possess the necessary technical resources to do so”. 8

    The Snowden revelations were not the first to hint at the existence of programmes of large-scale communication surveillance set up in the aftermath of the 11 September 2001 attacks.9

    But the magnitude of the revelations was unprecedented, potentially affecting the entire world.

    The revelations triggered an array of reactions.10 In the intelligence community, and in particular among the specialised bodies in charge of overseeing the work of intelligence services, dedicated inquiries were conducted.11 The European Union reacted strongly.

    The European Commission (EC), the Council of the European Union and the European Parliament (EP) reported on the revelations, expressing concern about mass surveillance programmes, seeking clarification from US authorities, and working on “rebuilding trust” in light of the damage created by the revelations.12

    On 12 March 2014, the EP adopted a resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights, and transatlantic cooperation in Justice and Home Affairs (the Resolution).13

    The resolution drew on the in-depth inquiry that the EP tasked the Civil Liberties, Justice and Home Affairs Committee (LIBE) to conduct during the second half of 2013, shortly after the revelations on mass surveillance were published in the press.14

    The wide-reaching resolution launched a “European Digital Habeas Corpus”, aimed at protecting fundamental rights in a digital age while focusing on eight key actions. In this context, the EP called on the EU Agency for Fundamental Rights (FRA) “to undertake in-depth research on the protection of fundamental rights in the context of surveillance, and in particular on the current legal situation of EU citizens with regard to the judicial remedies available to them in relation to those practices”.15

    Scope of the analysis

    This report constitutes the first step of FRA’s response to the EP request. It provides an overview of the EU Member States’ legal frameworks regarding surveillance. FRA will further consolidate its legal findings with fieldwork research providing data on the day-to-day implementation of the legal frameworks. A socio-legal report based on an empirical study, to be published at a later stage, will expand on the findings presented here.

    While the EP requested the FRA to study the impact of ‘surveillance’ on fundamental rights, given the context in which the resolution was drafted, it is clear that ‘mass surveillance’ is the main focus of the Parliament’s current work. During the data collection phase, FRA used the Parliament’s definition to delineate the scope of FRANET’s research.

    The EP resolution refers to “far-reaching, complex and highly technologically advanced systems designed by US and some Member States’ intelligence services to collect, store and analyse communication data, including content data, location data and metadata of all citizens around the world, on an unprecedented scale and in an indiscriminate and non-suspicion-based manner” (Paragraph 1).

    This definition encompasses two essential aspects: first, a reference to a collection technique, and second, the distinction between targeted and untargeted collection.

    The report does not analyse the surveillance techniques themselves, but rather the legal frameworks that enable these techniques. For Member States that carry out signals intelligence, the focus of the analysis is on this capacity, and not on other intrusive capabilities the services may have (such as wiretapping).

    This report covers the work of intelligence services. It does not address the obligations of commercial entities which, willingly or not, provide intelligence services with the raw data that constitute Signals Intelligence (SIGINT), and are otherwise involved in the implementation of the surveillance programmes.16 The private sector’s role in surveillance requires a separate study.

    While the premise of this report is the existence of an interference, since the “secret monitoring of communications” interferes with privacy rights from a fundamental rights point of view,17 the report focuses on analysing the legal safeguards in place in the EU Member States’ legal frameworks, and therefore on their approaches to upholding fundamental rights.

    “Assuming therefore that there remains a legal right to respect for the privacy of digital communications (and this cannot be disputed (see General Assembly Resolution 68/167)), the adoption of mass surveillance technology undoubtedly impinges on the very essence of that right.” UN, Human Rights Council, Emmerson, B. (2014), para. 18

    The report’s analysis of EU Member States’ legal frameworks tries to keep law enforcement and intelligence services separate. By doing so, the report excludes the work of law enforcement from its scope, while recognising that making this division is not always easy.

    As stated by Chesterman, “Governments remain conflicted as to the appropriate manner of dealing with alleged terrorists, the imperative to detect and prevent terrorism will lead to ever greater cooperation between different parts of government”.18 The EP resolution recognises this and called on the Europol Joint Supervisory Body (JSB) to inspect whether information and personal data shared with Europol have been lawfully acquired by national authorities, particularly if the data were initially acquired by intelligence services in the EU or a third country.19

    The Snowden revelations have also shed light on cooperation between intelligence services. This issue, important for the oversight of intelligence services’ activities, has been addressed by the EP resolution (Paragraph 22), by oversight bodies,20 by the Venice Commission,21 and by academia.22

    This aspect, however, proved impossible to analyse in a comparative study, since, in the great majority of cases, cooperation agreements or modalities for transferring data are neither regulated by law nor public. This in itself creates a fundamental rights issue linked to the rule of law and, more particularly, regarding the importance of the existence of a law that is accessible to the public, as well as regarding the rules governing the transfer of personal data to third countries.

    Though this report could not deal with this aspect beyond referencing the lack of proper control by oversight bodies, it does raise important questions under relevant legal standards.

    Fundamental rights and safeguards

    CAMERON’S CHATHAM HOUSE SPEECH: FULL SPEED AHEAD FOR THE RENEGOTIATION OF THE UK’S EU MEMBERSHIP?

    ORIGINAL PUBLISHED ON EU LAW ANALYSIS ON Tuesday, 10 November 2015

    by Steve Peers

    Today’s Chatham House speech by David Cameron set out more detail of the UK’s demands for renegotiation of its EU membership. It was accompanied by a letter from Cameron to the President of the European Council, Donald Tusk, which set out a summary of his requests.

    The speech also set out two changes to UK law which the government plans to make, as regards the EU Charter of Rights and (possibly) the role of UK courts reviewing the EU courts. Since these are changes to domestic law, they do not have to be negotiated with other Member States, unless there is a legal argument that they would breach EU law.

    This is the latest elaboration of Cameron’s requests; I have commented earlier on his specific suggestions regarding free movement of EU citizens, and regarding other issues. I will refer back to what I’ve said already in those posts where relevant.

    Changes to UK law

    On the first change to UK law, Cameron referred to the government’s plans to repeal the Human Rights Act and replace it with a ‘British Bill of Rights’, which (as he acknowledged) are separate from EU law as such. But he then went on to state: “And as we reform the relationship between our courts and Strasbourg, it is right that we also consider the role of the European Court of Justice and the Charter of Fundamental Rights. So – as was agreed at the time of the Lisbon Treaty – we will enshrine in our domestic law that the EU Charter of Fundamental Rights does not create any new rights. We will make it explicit to our courts that they cannot use the EU Charter as the basis for any new legal challenge citing spurious new human rights grounds.”

    This is a new point not raised in the Chatham House speech. What should we make of it? At first sight, it is not really any different from Article 1(1) of the special Protocol on the role of the Charter in the UK and Poland, which provides:

    1. The Charter does not extend the ability of the Court of Justice of the European Union, or any court or tribunal of Poland or of the United Kingdom, to find that the laws, regulations or administrative provisions, practices or action of Poland or of the United Kingdom are inconsistent with the fundamental rights, freedoms and principles that it reaffirms.

    A clause in the preamble to this Protocol provides: “WHEREAS the Charter reaffirms the rights, freedoms and principles recognised in the Union and makes those rights more visible, but does not create new rights or principles;”

    So the Prime Minister’s commitment to change UK law could be met simply by making express reference to these provisions of the Protocol – or by incorporating their wording – in an Act of Parliament. This would simply reiterate the application of these rules to the UK, given that the Protocol already applies in UK law by virtue of the European Communities Act.

    Any more far-reaching approach (such as that advocated by a House of Commons committee last year, as discussed here) would run the risk of complicated breaches of EU law. It’s impossible to say now whether that would happen or not, in the absence of any proposed legislation on this point.

    For the sake of context, it should be noted that the CJEU has ruled in the NS case that the Charter did not add any rights to the ‘general principles of EU law’, which were the basis for protection of human rights in the EU legal system prior to the Treaty of Lisbon. And in Fransson, the Court ruled that the scope of the Charter (ie when it applied to Member States’ action) was the scope of the general principles. True, the Charter can be used to set aside Acts of Parliament, even by the lower UK courts, as in recent cases involving embassy staff and Google. But that’s true of EU law generally, including the previous general principles, as we saw in judgments like Kucukdeveci.

    The Prime Minister’s second pledge was to consider whether to introduce a national check on EU measures like that asserted by the German Federal Constitutional Court, concerning the loss of ‘essential constitutional freedoms’ and the review of acts by the EU institutions to check if they remain within the scope of the EU’s powers.

    Such a measure would breach EU law in principle, since the CJEU has long ruled that it is the sole judge of whether an EU law is invalid. But Cameron is correct to point out that other national constitutional courts have done the same thing. A full-bodied constitutional conflict has been avoided in practice because those other courts have been reluctant to use those powers, and because the CJEU has maintained a dialogue with them (which does not extend to agreeing with them all the time: see discussion of the recent case law on the ECB’s OMT scheme).

    It should be noted that the ‘essential constitutional freedoms’ which Cameron refers to are fundamental rights as protected by the German Basic Law (the de facto German constitution). It remains to be seen whether the ‘British Bill of Rights’ which Cameron plans will protect human rights so strongly in the UK that there is any real prospect of the EU taking those rights away. If not, Cameron’s proposal looks like the constitutional equivalent of shaving all his hair off, while simultaneously insisting on the fundamental importance of his comb.

    Changes to EU law

    A new wide-ranging EP resolution on mass surveillance in the “post Snowden” (and Schrems) era.

    Below is the provisional text voted yesterday, 29 October, by the European Parliament on mass surveillance and violation of fundamental rights to privacy and data protection. The press has already highlighted that the EP voted by 285 to 281 to call on the member states to “drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistle-blower and international human rights defender”. Moreover, the EP calls on the Commission to give consideration to the impact of the Court of Justice Safe Harbor ruling of 6 October on any other instruments for the transfer of personal data to the US and to report on the matter by the end of 2015. Very rightly, the Strasbourg plenary acknowledges that the Court ruling “has confirmed the long-standing position of Parliament regarding the lack of an adequate level of protection under this instrument” so that the Commission has to “immediately take the necessary measures to ensure that all personal data transferred to the US are subject to an effective level of protection that is essentially equivalent to that guaranteed in the EU”.

    But here is the point: is not the bulk collection of personal data (as foreseen by several US practices agreed with the EU in the PNR and TFTP cases) itself threatening the “essence” of data protection under EU law, as protected by art. 52 of the EU Charter of Fundamental Rights, so that it is not negotiable even with a best friend and ally such as the USA?

    Passed by 342 votes to 274, with 29 abstentions, this is a center-left resolution where liberals and socialists voted together but (not surprisingly) EPP and ECR voted against. In this legislature, where socialists and conservatives have created a sort of “grosse Koalition”, the text risks being only a political gesture before public opinion if not followed by consistent votes on the legally binding texts currently on the EP table, such as the data protection reform or the transatlantic negotiations on the so-called “umbrella agreement” and on “Safe Harbor”.

    Moreover, even if the text criticizes the European Commission as “inadequate” and evokes the possibility of a “fail to act” against it, it does not trigger it. The risk is then that this very inspired and solid text remains a toothless tiger. The coming weeks will show whether this tiny majority will be confirmed when the post-Lisbon data protection reform is voted on.

    Emilio De Capitani

    European Parliament resolution of 29 October 2015 on the follow-up to the EP resolution of 12 March 2014 on the electronic mass surveillance of EU citizens (2015/2635(RSP))

    The law enforcement challenges of cybercrime: are we really playing catch-up?

    FULL STUDY (68 pages) ACCESSIBLE HERE

    Abstract: This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. With a number of high-profile criminal cases, such as ‘Silk Road’, cybercrime has been very much in the spotlight in recent years, both in Europe and elsewhere. While this study shows that cybercrime poses significant challenges for law enforcement, it also argues that the key cybercrime concern for law enforcement is legal rather than technical and technological. The study further underlines that the European Parliament is largely excluded from policy development in the field of cybercrime, impeding public scrutiny and accountability. AUTHOR(S): Dr. Ben Hayes, Dr. Julien Jeandesboz, Dr. Francesco Ragazzi, Dr. Stephanie Simon, and Prof. Valsamis Mitsilegas.

    EXECUTIVE SUMMARY

    Cybercrime has become one of the key priorities for EU law enforcement agencies, as demonstrated by the establishment of the European Cybercrime Centre (EC3) in January 2013 and the development of specific European threat assessment reports in this field. High-profile criminal investigations such as the ‘Silk Road’ case, major data breaches or particularly nefarious hacks or malware attacks have been very much in the spotlight and widely reported in the media, prompting discussions and debates among policymakers and in law enforcement circles. Over the last few months, the cybercrime debate has specifically evolved around the issue of encryption and anonymisation.

    In this context, this Study argues that debates on the law enforcement challenge of cybercrime in the EU should steer clear both of doomsday scenarios that overstate the problem and scepticism that understates it, and that the key cybercrime concern for law enforcement is legal in nature rather than simply technical and technological. Indeed, the Study finds that the key challenge for law enforcement is the lack of an effective legal framework for operational activities that guarantees the fundamental rights principles enshrined in EU primary and secondary law.

    In order to address this core argument, this Study starts by analysing claims and controversies over the Internet ‘going dark’ on law enforcement (Section 2). It shows that these claims have been made for quite some time and should be considered as moral panics rather than accurate reflections of the challenges posed by cybercrime to law enforcement. Moreover, current controversies rehash older ones, conflating law enforcement concerns with intelligence-gathering and surveillance concerns. Without denying the fact that criminal activities do take place online, pose technical difficulties to law enforcement services and require the availability of specific capabilities, this section demonstrates that these difficulties do not impede criminal investigation to such an extent that exceptional means should be envisaged. While these technical aspects need to be considered, they raise issues related to policy and law rather than technology as such. The policy and law-related challenges are made greater by the fact that defining cybercrime is not an easy task. Very broad definitions have been adopted at the EU level, often leading to overlapping and sometimes conflicting mandates.

    Section 3 thus analyses the institutional architecture of EU cybercrime policy. It shows that the complexity of cybercrime measures and the expansive mandates and number of actors involved in their implementation make it difficult to ascertain and circumscribe the full scope of EU cybercrime policy. Whereas the Council of Europe (CoE) sought to codify cybercrime powers into an international convention, much of the EU’s policy to fight cybercrime is based on non-legislative measures, including operational cooperation and ad hoc public-private partnerships. Furthermore, important distinctions and restrictions designed to ensure a ‘separation of powers’ between state agencies concerned with law enforcement (cyber-policing), civil protection (cybersecurity), national security (cyber-espionage) and military force (offensive cyber capabilities) are harder to distinguish in the area of cybercrime, at both national and EU level. Section 3 underlines that, within this complex architecture, and with the blurring of the boundaries between those responsible for policing the Internet, for gathering intelligence from it, for conducting cyber-espionage against foreign targets, and for ensuring the safety of critical internet infrastructure, the European Parliament and civil society are largely excluded from policy development, impeding public scrutiny and accountability. This compounds the EP’s existing problems in ensuring that fundamental rights and data protection are diligently protected in the area of justice and home affairs.

    In light of these gaps in oversight and accountability, Section 4 analyses in particular the challenge of jurisdiction, cooperation and fundamental rights safeguards. This section argues that operational challenges in cybercrime law enforcement do not change the obligation of EU institutions and Member States to ensure the safeguarding of EU fundamental rights in any operating framework of internal or transnational cooperation in law enforcement and criminal justice. Cybercrime law enforcement frequently cites the challenge of accessing and transferring data through existing Mutual Legal Assistance agreements. Yet practices taken outside of established legal channels cannot guarantee rights protections and run the risk of raising mistrust in the general public, the private sector and in transatlantic relations. Furthermore, across the spectrum of cybercrime prevention, investigation, and prosecution, the particular geography of the digital environment is said to complicate the traditional territorial foundations of law. Law enforcement bodies make continuous reference to the ways in which traditional legal structures stand in the way of operations. However, an updated legal framework designed to overcome these challenges should foreground fundamental rights concerns, which are essential to ensure due process and a necessary condition for the successful prosecution of cybercriminal offences.

    In light of these findings, the Study concludes with key recommendations for the European Parliament.

    In particular, to ensure that the Parliament is not marginalised altogether with respect to the implementation and review of EU cybercrime policies by the exercise of delegated powers, EU agency discretion and non-legislative decision-making bodies, further monitoring of EU council structures, Europol and international cooperation agreements is required (Recommendation 1).

    Moreover, the EP should ensure that the development of any cooperation/information-sharing framework guarantees the respect of fundamental rights (Recommendation 2).

    In light of the current discussions on a revised CoE Cybercrime Convention, the European Parliament should, further, ensure that the Convention’s obligations are consistent with EU law and fundamental rights protections (Recommendation 3).

    The EP must also ensure that cybercrime is not used as a justification to undermine new information security protocols and the right to privacy in telecommunications, both of which are fundamental components of the functioning of the Internet (Recommendation 4).

    Finally, if European law enforcement agencies need to keep pace with technological change, it is imperative that training courses on cybercrime forensics and digital evidence include an applied fundamental rights component (Recommendation 5).

    Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses

    FULL STUDY (152 pages) ACCESSIBLE HERE

    This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. It sets out to develop a better understanding of the main cybersecurity threats and existing cybersecurity capabilities in the European Union and the United States. The study further examines transnational cooperation and explores perceptions of the effectiveness of the EU response, pinpointing remaining challenges and suggesting avenues for improvement. AUTHORS : Dr Nicole van der Meulen, Eun A Jo and Stefan Soesanto (RAND Europe)

    EXECUTIVE SUMMARY

    The European Commission published the European Union Cyber Security Strategy along with the accompanying proposal for a Network and Information Security (NIS) Directive in 2013. Since the proposal was published, the cybersecurity landscape has continued to evolve, leading to questions regarding the nature and seriousness of the cyberthreats faced by the European Union (EU), the capabilities of Member States to manage these threats and respond to incidents, and the effectiveness of these capabilities. At the time of writing, discussions about the content and scope of the proposed NIS Directive are continuing. This study of cybersecurity threats in the EU was commissioned by the European Parliament (EP). It has five objectives:

    • To identify key cyberthreats facing the EU and the challenges associated with their identification.
    • To identify the main cybersecurity capabilities in the EU.
    • To identify the main cybersecurity capabilities in the United States (US).
    • To assess the current state of transnational cooperation.
    • To explore perceptions of the effectiveness of the current EU response.

    Defining cybersecurity

    Any study of cybersecurity must reflect on the challenges introduced by the different meanings of the term. There is no consensus on a standard or universally accepted definition of cybersecurity. The term cybersecurity has roots in information security but is now used to refer to a broader range of issues, linked to national security. The observation that cybersecurity means different things to different people is not without its consequences. How the issue is framed influences what constitutes a threat as well as what counter-measures are needed and justified.

    Mapping cybersecurity threats

    The study team’s analysis of six threat assessments[1] and an existing meta-analysis carried out by Gehem et al. (2015) highlight the difficulty with systematically comparing threat assessments and gauging the reliability of data and findings on the basis of which threat assessments are conducted. The challenge rests in part in the absence of a commonly accepted definition of what constitutes a threat and the variation in the methodology and metrics used for threat assessments. Moreover, some threat assessments reference or are based on other threat assessments, rather than original sources, leading to potential duplication of findings and lack of clarity about the evidence underlying threat assessments. As a result, there is no clearly established framework to classify and map threats.

    The study team created a framework for mapping threats. The framework distinguishes:

    • Threat actors: states, profit-driven cybercriminals, and hacktivists and extremists.
    • Threat tools: malware and its variants, such as (banking) Trojans, ransomware, point-of-sale malware, botnets and exploits.
    • Threat types: unauthorised access, destruction, disclosure, modification of information and denial of service.

    The mapping of the cyberthreat landscape through the review of the six threat assessments was complemented by a discussion on the varying perceptions of the severity of threats and the concept of ‘threat inflation’.

    Cybersecurity capabilities in the EU

    To respond to the evolving threat in the area of cybersecurity, the EU has aimed to provide an overarching response through the publication of the EU Cyber Security Strategy together with the proposed NIS Directive. The Strategy identifies five objectives including:

    • Achieving cyberresilience.
    • Drastically reducing cybercrime.
    • Developing cyberdefence policy and capabilities related to the Common Security and Defence Policy (CSDP).
    • Developing the industrial and technological resources for cybersecurity.
    • Establishing a coherent international cyberspace policy for the EU and promote core EU values.

    This study focuses on providing a descriptive overview of capabilities for the first three objectives. Capabilities for the purposes of this study have been operationalised as institutional structures, such as agencies and departments.

    • In the area of cyberresilience, the European Network and Information Security Agency (ENISA) is the primary player at the EU level. ENISA is tasked with addressing the existing fragmentation in the European approach to cybersecurity, namely by bridging the capability gaps of its Member States.
    • In the cybercrime domain, the European Cyber Crime Centre (EC3) serves as a European cybercrime platform. Besides combatting cybercrime, EC3 also gathers cyberintelligence and serves as an intermediary among various stakeholders, such as law enforcement authorities, Computer Emergency Response Teams (CERTs), industry and academia.
    • In the area of cyberdefence, the European Defence Agency (EDA) supports the capability development necessary to implement the Strategy. Its most apparent activities remain in research and development and designing a common crisis response platform. Given that foreign and defence policies have conventionally been areas of domestic competence, it is understandable that EU-wide cyberdefence capabilities have developed at a different pace compared to the other two objectives, cyberresilience and cybercrime.

    Cybersecurity capabilities in the US

    Cybercapabilities in the US are challenging to map in a comprehensive manner. The tendency to layer initiatives and agencies makes navigating the different components difficult. For the purposes of a high-level comparison with the EU cyber capabilities, the study focuses on key institutional players and their roles in relation to three strategic priorities: cyberresilience, cybercrime and cyberdefence.

    • In the area of cyberresilience, the Department of Homeland Security (DHS) is the formal leader. The DHS is responsible for securing federal civilian government networks, protecting critical infrastructure and responding to cyberthreats.
    • In the area of cybercrime, the US has not designated any lead investigative agency. Instead, numerous federal law enforcement agencies combat cybercrime in their own capacity. These include the US Secret Service (USSS) and the US Immigration and Customs Enforcement (ICE) Cyber Crimes Center, which are both agencies within the DHS. The Federal Bureau of Investigation (FBI)’s cyberdivision is also involved.
    • In cyberdefence, the Department of Defence (DoD) plays a leading role. It is readily apparent from the DoD’s multiple publications that the US has become more open about its capabilities and willing to name its adversaries. The DoD is also increasingly encompassing in its response to cyberthreats over time, investing in both defensive as well as offensive cybercapabilities, as detailed in its cyberdefence strategy published in April 2015. Commentators note that deterrence is a key characteristic of the US cyberdefence strategy.

    Transnational cooperation

    The necessity to engage in transnational cooperation to counter the complex challenge posed by cybercrime is widely recognised both inside and outside the EU. Transnational cooperation exists at both the strategic and the operational level. The EU-US Working Group on Cybersecurity and Cybercrime is an example of strategic cooperation and is the first transatlantic dialogue to tackle common challenges in the area of cybercrime and cybersecurity. On an operational level, transnational cooperation has manifested through a range of activities, from botnet takedown to disruption of underground forums.

    Challenges, however, remain in the area of combatting cybercrime as identified by the study team through the interviews. Mutual Legal Assistance Treaties (MLATs) are widely regarded as outdated and obstacles to effective and timely information sharing. Further, the importance of acquiring data for investigations is debated among law enforcement agencies and civil society groups. Deconfliction – avoiding the duplication or conflict of efforts – is another challenge. Due to the involvement of various stakeholders, cooperation is essential to avoid potentially disrupting others’ efforts. The draft Europol Regulation contains provisions that interviewees have reported could complicate the attainment of information from the private sector, possibly obstructing future operations.[2]

    Effectiveness of the EU response

    Ideally, capabilities respond directly to threats and the effectiveness of the EU response can be measured by noticeable changes in the threat landscape. However, such an assessment is not feasible; there is not enough information available in the public domain and measurement problems persist. Moreover, the EU response is still very much in development and geared towards addressing fragmentation in its approach to cybersecurity, as well as the approach taken by the 28 Member States. This consists of harmonising strategies and standards and coordinating regulatory interventions, as well as facilitating (or more precisely, requiring) information sharing and gap closures between Member States. Due to the inherently relative nature of cybersecurity and the challenges associated with attaining cyberresilience, it is difficult to state whether the new initiatives have been successful. Given these challenges to measuring effectiveness, the study team explored perceptions about the effectiveness of the EU response based on existing commentary and supplemented with interviewees’ responses.
     
    The first key finding in relation to the perceived effectiveness of the EU response is that while there is still fragmentation, there is also discernible improvement. Particularly noteworthy is the strategic cooperation agreement between ENISA and EC3, which aims to facilitate closer cooperation and the exchange of expertise. However, questions remain about fragmentation, especially with respect to the proposed NIS Directive. Various points of dissension remain as the trilogue negotiations between the European Commission, European Parliament and the Council of the European Union continue. Moreover, fragmentation is notable not only in terms of operational capabilities but also in terms of Member States’ understanding of the cyberdomain. Bridging these gaps will therefore require technical support as well as strategic guidance.

    The second finding is that differences in opinion persist as to whether the overall approach to cybersecurity should be voluntary and informal or mandatory and formal. For example, the CERT community, which has conventionally relied on voluntary participation and cooperation between private and public entities, appears less willing to move to a system in which information sharing is mandatory. In contrast, other security agencies favour law enforcement and support more stringent requirements, for instance in information sharing, as they believe voluntary reporting has failed.

    Third, as the new approach proposed through the Strategy and the draft NIS Directive is largely regulatory in nature, the issue of scope – in terms of the entities formally included as having a role in cybersecurity – is heightened and contested. One issue is whether Internet service providers (ISPs) should be included. These scoping challenges are likely to exacerbate existing contentions surrounding the NIS Directive and call into question whether the present regulatory approach is appropriate to secure European cyberspace.

    Policy options

    Based on this study’s findings the research team suggests the following policy options for the European Parliament’s consideration in terms of EU action on cybersecurity. Each option is elaborated in the Conclusion.

    1. Encourage ENISA, EC3 and others involved in European cyberthreat assessments to investigate further harmonisation of threat assessments, which can effectively incorporate information from Member States and other EU agencies and provide clearer indications of the evidence base for the assessment. This recommendation follows from the findings from the review of threat assessments undertaken for this study.
    2. Make use of existing structures as much as possible. One of the concerns identified by the study team – from a review of existing literature and in interviews with experts – was the tendency of the Commission to develop new structures and exclude existing initiatives and agencies.
    3. Consider reinserting law enforcement in the Network and Information Security (NIS) Directive. The attempt to overcome fragmentation at the EU level is hampered by the exclusion of law enforcement from provisions in the proposed NIS Directive.
    4. Ensure Europol has speedy and more direct access to information from the private sector. Speedy access to relevant information from the private sector is essential for Europol to combat transnational cybercrime. There is potential for this access to be hindered by having to go through the Member States, which may reduce the effectiveness of Europol’s operations, especially as Europol cooperates with partners at the transnational level.
    5. Assess what capability gaps actually exist between the Member States and measure progress. Despite the claims about gaps between Member States, our research suggests that there is very little empirical evidence to indicate which States are more advanced than others and in what areas. To improve this situation and to develop a better understanding of these gaps, ranking Member States and identifying areas of improvement could be made more explicit.

    NOTES

    [1] ACSC: Threat Report; BSI: State of IT Security Germany; ENISA: Threat Landscape (ETL); Europol: Internet Organised Crime Threat Assessment (iOCTA); NCSC: Cyber Security Threat Assessment the Netherlands (CSAN); Verizon: Data Breach Investigations Report (DBIR).
    [2] European Parliament. 2014b. Legislative resolution of 25 February 2014 on the proposal for a regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA. P7_TA(2014)0121 (COM(2013)0173 – C7-0094/2013 – 2013/0091(COD)). As of 12 October 2015: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0121&language=EN&ring=A7-2014-0096

     

    “Foreign Fighters” and EU implementation of the UNSC resolution 2178. Another case of “Legislate in haste, repent at leisure…”? (2)

    by Dalila DELORENZI (FREE Group Trainee – Original in Italian)

    1. Foreword
    As the hostilities in Syria and Iraq continue and terrorism activities worldwide seem to be on the rise, EU Member States are increasingly confronted with the problem of aspiring and returning ‘foreign fighters’ as described already in this blog HERE. More precisely, in the EU the term is used to indicate European citizens who, after leaving to join jihadist groups, may have become further radicalised and acquired combat experience, and therefore be capable of carrying out deadly terrorist attacks once they return to Europe.

    Such a phenomenon is anything but new; however, its scale certainly is: as illustrated by the rise of the terrorist group calling itself “Islamic state”, the phenomenon has acquired an entirely new dimension – according to EU intelligence sources, 19% of the total fighters originated from the EU.

    This explains the wide perception of these individuals as a serious threat to the security of both individual Member States and the EU as a whole – especially in the aftermath of the recent terrorist attacks that occurred in Brussels[1], Paris[2] and Copenhagen[3].

    Broadly speaking, a different way to envision human mobility and checks at the external borders of Schengen has come to light. Whereas initially they were conceived to protect the Schengen area from threats coming from countries outside the Schengen zone, now such a threat to security is deemed to be already inside the EU, due to the fact that most of the time militants returning to Europe possess the nationality of a Member State.

    2. EU response

    Some notes on the relations between UNSC Resolution 2240 (2015) fighting smugglers in Mediterranean and the EUNAVFOR Med “Sophia” operation

    by Isabella Mercone (Free Group Trainee – Original Version in Italian)

    1. INTRODUCTION

    On 9 October 2015, the Security Council of the United Nations adopted Resolution 2240 (2015), authorizing Member States to intercept vessels off the Libyan coast suspected of migrant smuggling.

    The resolution was adopted in a short time, without much discussion and ahead of schedule, with 14 votes in favour and just one abstention (Venezuela). “Incredible!” – someone could say – “For once, the Security Council succeeded in adopting a resolution on time.” However, the truth is that the adopted resolution is not the one imagined in May by the High Representative for Foreign Affairs and Security Policy of the European Union, Federica Mogherini, when operation EUNAVFOR Med was launched. But let’s go one step at a time: let’s see first where the idea of EUNAVFOR Med came from and what its goal is, and let’s try to understand why the EU should have required a resolution by the Security Council, allowing it to intervene in the Mediterranean and dismantle the smuggling of migrants.

    1. THE OPERATION EUNAVFOR MED (now renamed “SOPHIA”)

    EU-US Umbrella Data Protection Agreement : Detailed analysis by Douwe Korff

    14 October 2015 (NOTA BENE : This text is more than 60 pages)

    by Douwe KORFF (FREE GROUP MEMBER)

    About the Fundamental Rights Europe Expert Group (FREE): The Fundamental Rights European Experts Group (FREE Group: http://www.free-group.eu) is a Belgian non-governmental organisation (Association Sans But Lucratif (ASBL)), registered at the Belgian Moniteur: Number 304811. According to art. 3 and 4 of its Statute (see below *), the association’s focus is on monitoring, teaching and advocating in the European Union freedom, security and justice related policies. In the same framework we also follow the EU actions in protecting and promoting EU values and fundamental rights in the Member States as required by articles 2, 6 and 7 of the Treaty on the European Union (risk of violation by a Member State of EU founding values).

    About the author: Douwe Korff is a Dutch comparative and international law expert on human rights and data protection. He is Emeritus Professor of International Law, London Metropolitan University; Associate, Oxford Martin School, University of Oxford (Global Cybersecurity Capacity Centre); Fellow, Centre for Internet & Human Rights, University of Viadrina, Frankfurt/O and Berlin; and Visiting Fellow, Yale University (Information Society Project).

    Acknowledgments: The author would like to express his thanks to Mme. Marie Georges and Prof. Steve Peers, members of FREE Group, for their very helpful comments on and edits of the draft of this Note.

    OVERALL CONCLUSIONS

    We believe the following aspects of the Umbrella Agreement violate, or are likely to lead to violations of, the Treaties and the EU Charter of Fundamental Rights:

    1. The Umbrella Agreement appears to allow the “sharing” of data sent by EU law enforcement agencies to US law enforcement agencies with US national security agencies (including the FBI and the US NSA) for use in the latter’s mass surveillance and data mining operations; as well as the “onward transfer” of such data to “third parties”, including national security agencies of yet other (“third”) countries, which the Agreement says may not be subjected to “generic data protection conditions”;
    2. The Umbrella Agreement does not contain a general human rights clause prohibiting the “sharing” or “onward transfers” of data on EU persons, provided subject to the Agreement, with or to other agencies, in the USA or elsewhere, in circumstances in which this could lead to serious human rights violations, including arbitrary arrest and detention, torture or even extrajudicial killings or “disappearances” of the data subjects (or others);
    3. The Umbrella Agreement does not provide for equal rights and remedies for EU- and US nationals in the USA; but worse, non-EU citizens living in EU Member States who are not nationals of the Member State concerned – such as Syrian refugees or Afghan or Eritrean asylum-seekers, or students from Africa or South America or China – and non-EU citizens who have flown to, from or through the EU and whose data may have been sent to the USA (in particular, under the EU-US PNR Agreement), are completely denied judicial redress in the USA under the Umbrella Agreement.

    In addition:

    1. The Umbrella Agreement in many respects fails to meet important substantive requirements of EU data protection law;
    2. The Umbrella Agreement also fails to meet important requirements of EU data protection law in terms of data subject rights and data subjects’ access to real and effective remedies; and
    3. In terms of transparency and oversight, too, the Umbrella Agreement falls significantly short of fundamental European data protection and human rights requirements.

    The Agreement should therefore, in our view, not be approved by the European Parliament in its present form.

    FULL TEXT OF THE ANALYSIS 

    1. Introduction / Background
