After Paris : Justice and Home affairs Council draft Conclusions

ORIGINAL DOCUMENT ACCESSIBLE ON STATEWATCH SITE

(NOTA BENE : Comments will follow on the text finally adopted) 

Draft Conclusions of the Council of the EU and of the Member States meeting within the Council on Counter-Terrorism

  1. The Council is appalled by the heinous terrorist attacks which took place in Paris on 13 November 2015 and expresses its deepest condolences to the victims of these attacks, their families and friends. The Council emphasises its solidarity with the people of France and pays tribute to the courage and decisive actions of the French authorities. The attacks were an assault on the European values of freedom, democracy, human rights and the rule of law. This is not the first time that the EU has been confronted with a major terrorist attack and important measures have already been taken. The Council underlines the importance of accelerating the implementation of all areas covered by the statement on counter-terrorism issued by the Members of the European Council of 12 February 2015 and in particular of the measures outlined below.

PNR

  1. The Council reiterates the urgency and priority to finalise an ambitious EU PNR before the end of 2015, which should include internal flights in its scope, provide for a sufficiently long data period during which PNR data can be retained in non-masked out form and should not be limited to crimes with a transnational nature.

Firearms

  1. The Council:
  • welcomes the adoption of the Implementing Regulation on common deactivation standards on 18 November 2015,
  • welcomes the presentation by the Commission on 18 November 2015 of a proposal to revise the current Directive on Firearms,
  • is committed to increasing operational cooperation through Europol under the EU Policy Cycle on serious and organised crime, notably within the Operational Action Plan Firearms. All Member States affected by the problem are invited to join these efforts by the end of 2015,
  • invites Frontex and Europol to assist the Member States bordering the Western Balkans region with regard to increasing controls of external borders to detect smuggling of firearms.

Strengthening controls of external borders

4. Member States undertake to:

  • implement immediately the necessary systematic and coordinated checks at external borders, including on individuals enjoying the right of free movement,
    • on the bases of a quick identification of urgent needs and possible solutions, to be performed by the Commission before the end of 2015, upgrade the Member States border control systems (electronic connection to the relevant Interpol databases at all external border crossing points, automatic screening of travel documents) by March 2016,
    • in the context of the current migratory crisis, carry out a systematic registration, including fingerprinting, of all migrants entering into the Schengen area and perform systematic security checks by using relevant databases in particular SIS II, Interpol SLTD database, VIS and national police databases, with the support of Frontex and Europol, and ensure that hotspots are equipped with the relevant technology. Europol will deploy guest officers to the hotspots in support of the screening process, in particular by reinforcing secondary security controls,
    • strengthen the control at the external borders which are most exposed, in particular by deploying rapid border intervention teams (RABITs) and police officers in order to guarantee systematic screening and security checks.
    1. The Council reiterates its Conclusions of 9 November 2015 and invites the Commission to:
    • include EU nationals in the upcoming Smart Borders proposals and in this context present a proposal for the targeted revision of Art.7(2) Schengen Borders Code regarding systematic controls against relevant databases at EU external borders,
    • provide, in its proposal to update the Frontex Regulation, a solid legal basis for the contribution of Frontex to the fight against terrorism and organised crime and access to the relevant databases.
    1. Frontex will:
    • contribute to the fight against terrorism and support the coordinated implementation of the Common Risk Indicators (CRIs) before the end of 2015,
    • assist the Member States to tighten controls of external borders to detect suspicious travels of foreign terrorist fighters and smuggling of firearms, in cooperation with Europol,
    • work closely with Europol and Eurojust, in particular in the context of the hotspots, and exchange data with Europol on the basis of the cooperation agreement to exchange personal data. The latter should be concluded and become operational without delay.

    Information sharing

    7. The Council decides to step up law enforcement cooperation on counter-terrorism (CT):

    • Member States will instruct national authorities to enter data on all suspected foreign terrorist fighters into the SIS II under Article 36.3, carry out awareness raising and training on the use of the SIS and define a common approach to the use of the SIS II data relating to foreign fighters,
    • Europol will launch the European Counter Terrorist Centre (ECTC) on 1 January 2016 as a platform by which Member States can increase information sharing and operational coordination with regard to the monitoring and investigation of foreign terrorist fighters, the trafficking of illegal firearms and terrorist financing. The ECTC will provide national CT authorities with enhanced information sharing capacities notably via Focal Point Travellers, the Europol Information System and Europol’s SIENA system reserved for counter-terrorism cases. The new Europol Regulation, on which an agreement should be reached between the co-legislators before the end of the year, should be consistent with the mandate and objectives of the ECTC, including the IRU,
    • Member States will second CT experts to the ECTC to form an enhanced cross-border investigation support unit, capable of providing quick and comprehensive support to the investigation of major terrorist incidents in the EU. Eurojust should also participate,
    • The Commission is invited to ensure that Europol is reinforced with the necessary resources to support ECTC and to submit a legislative proposal in order to enable Europol to systematically cross-check the Europol databases against the SIS II as established by Council Decision 2007/533/JHA on the establishment, operation and use of the second generation Schengen Information System (SIS II),
    • Member States will make maximum use of these capabilities to improve the overall level of information exchange between CT authorities in the EU. Member States will instruct the relevant national authorities to further increase their contributions to Focal Point Traveller at Europol to reflect the threat and connect to relevant Europol information exchange systems.

     
    Terrorist financing

    1. The Council invites the Commission to present proposals to strengthen, harmonise and improve cooperation between Financial Intelligence Units (FIU’s), notably through the proper embedment of the FIU.net network for information exchange in Europol and ensure their fast access to necessary information, in order to enhance the effectiveness and efficiency of the fight against money laundering and terrorist financing in conformity with Financial Action Task Force (FATF) recommendations, to implement more quickly the asset freezing required by the UN Security Council (Resolution 1373), to strengthen controls of non-banking payment methods such as electronic/anonymous payments and virtual currencies and transfers of gold, precious metals, by pre-paid cards and to curb more effectively the illicit trade in cultural goods.

     Criminal justice response to terrorism and violent extremism

     9. The Council welcomes the signing in Riga on 22 October 2015 by the EU of the Council of Europe’s Convention on the Prevention of terrorism and of its additional Protocol on Foreign Terrorist Fighters and invites the Commission to present a proposal for a directive updating the Framework Decision on Combating Terrorism before the end of 2015 with a view to collectively implementing into EU law UNSC Resolution 2178 (2014) and the additional Protocol to the Council of Europe’s Convention.

     10. Member States will use ECRIS at its full potential. The Council invites the Commission to submit by January 2016 a proposal for the extension of ECRIS to cover third country nationals.

     11. The Council invites the Commission to allocate as a matter of urgency the necessary financial resources to implement the Council Conclusions on enhancing the criminal justice response to radicalisation leading to terrorism and violent extremism. This should notably support the development of rehabilitation programmes as well as risk assessment tools in order to determine the most appropriate criminal justice response, taking into account the individual circumstances and security and public safety concerns.

     Funding

    1. The Council invites Member States to use the Internal Security Fund to support the implementation of these conclusions and to prioritise relevant actions under the national programmes to this effect, and calls on the Commission to prioritise the funding available under centrally managed funds to the priorities identified in these conclusions.

    Implementation

    1. In view of its role on strengthening internal security within the Union, COSI shall coordinate the role of the various Council Working Parties and of the EU agencies in the implementation of these Council Conclusions. The Counter Terrorism Coordinator will monitor their implementation.

    Fundamental Rights Agency :  Surveillance by intelligence  services: fundamental rights safeguards and remedies in the EU.  Mapping Member States’ legal frameworks

    EXECUTIVE SUMMARY : FULL REPORT AVAILABLE HERE

     Introduction

    Recent revelations of mass surveillance underscore the importance of mechanisms that help prevent fundamental rights violations in the context of intelligence activities.

    This FRA report aims to evaluate such mechanisms in place across the European Union (EU) by describing the current legal framework related to surveillance in the 28 EU Member States. The report first outlines how intelligence services are organised, describes the various forms surveillance measures can take and presents Member States’ laws on surveillance. It then details oversight mechanisms introduced across the EU, outlines the work of entities set up thereunder, and presents various remedies available to individuals seeking to challenge surveillance efforts.

    The report does not assess the implementation of the respective laws, but maps current legal frameworks. In addition, it provides an overview of relevant fundamental rights standards, focusing on the rights to privacy and data protection.

    Background

    In June 2013, media worldwide began publishing the ‘Snowden documents’, describing in detail several surveillance programmes being carried out, including by the United States’ National Security Agency (NSA) and by the United Kingdom’s Government Communications Headquarters (GCHQ). These brought to light the existence of extensive global surveillance. Details of these programmes, which set up a global system of digital data interception and collection, have been widely publicised 1 and critically assessed.2

    Neither the US nor the British authorities questioned the authenticity of the revelations,3 and in some cases confirmed them.4 However, the media’s interpretation of the programmes was sometimes contested – for example, by the UK Intelligence and Security Committee of Parliament 5 and academia.6

    Since most of the Snowden revelations have not been recognised by the British government, the Investigatory Powers Tribunal, in hearing challenges to the legality of the programmes, took the approach of hearing cases on the basis of hypothetical facts closely resembling those alleged by the media.7 For the Austrian Federal Agency for State Protection and Counter Terrorism (BVT), the Snowden revelations represented a “paradigm shift”: “Up until a few years ago, espionage was largely directed at state or business secrets, and not, for the most part, at people’s privacy, which can now be interfered with extensively by intelligence services since they possess the necessary technical resources to do so”. 8

    The Snowden revelations were not the first to hint at the existence of programmes of large-scale communication surveillance set up in the aftermath of the 11 September 2001 attacks.9

    But the magnitude of the revelations was unprecedented, potentially affecting the entire world.

    The revelations triggered an array of reactions.10 In the intelligence community, and in particular among the specialised bodies in charge of overseeing the work of intelligence services, dedicated inquiries were conducted.11 The European Union reacted strongly.

    The European Commission (EC), the Council of the European Union and the European Parliament (EP) reported on the revelations, expressing concern about mass surveillance programmes, seeking clarification from US authorities, and working on “rebuilding trust” in light of the damage created by the revelations.12

    On 12 March 2014, the EP adopted a resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights, and transatlantic cooperation in Justice and Home Affairs (the Resolution).13

    The resolution drew on the in-depth inquiry that the EP tasked the Civil Liberties, Justice and Home Affairs Committee (LIBE) to conduct during the second half of 2013, shortly after the revelations on mass surveillance were published in the press.14

    The wide-reaching resolution launched a “European Digital Habeas Corpus”, aimed at protecting fundamental rights in a digital age while focusing on eight key actions. In this context, the EP called on the EU Agency for Fundamental Rights (FRA) “to undertake in-depth research on the protection of fundamental rights in the context of surveillance, and in particular on the current legal situation of EU citizens with regard to the judicial remedies available to them in relation to those practices”.15

    Scope of the analysis

    This report constitutes the first step of FRA’s response to the EP request. It provides an overview of the EU Member States’ legal frameworks regarding surveillance. FRA will further consolidate its legal findings with fieldwork research providing data on the day-to-day implementation of the legal frameworks. A socio-legal report based on an empirical study, to be published at a later stage, will expand on the findings presented ere.

    While the EP requested the FRA to study the impact of ‘surveillance’ on fundamental rights, given the context in which the resolution was drafted, it is clear that ‘mass surveillance’ is the main focus of the Parliament’s current work. During the data collection phase, FRA used the Parliament’s definition to delineate the scope of FRA net’s research.

    The EP resolution refers to “far-reaching, complex and highly techno-logically advanced systems designed by US and some Member States’ intelligence services to collect, store and analyse communication data, including content data, location data and metadata of all citizens around the world, on an unprecedented scale and in an indiscriminate and non-suspicion-based manner” (Paragaph 1).

    This definition encompasses two essential aspects: first, a reference to a collection technique, and second, the distinction between targeted and untargeted collection.

    The report does not analyse the surveillance techniques themselves, but rather the legal frameworks that enable these techniques. For Member States that carry out signals intelligence, the focus of the analysis is on this capacity, and not on other intrusive capabilities the services may have (such as wiretapping).

    This report covers the work of intelligence services. It does not address the obligations of commercial entities which, willingly or not, provide intelligence services with the raw data that constitute Signals Intelligence (SIGINT), and are otherwise involved in the implementation of the surveillance programmes.16 The private sector’s role in surveillance requires a separate study.

    While the premise of this report is the existence of an interference, since the “secret monitoring of communications” interferes with privacy rights from a fundamental rights point of view,17 the report focuses on analysing the legal safeguards in place in the EU Member States’ legal frameworks, and therefore on their approaches to upholding fundamental rights.

    “Assuming therefore that there remains a legal right to respect for the privacy of digital communications (and this cannot be disputed (see General Assembly Resolution 68/167)), the adoption of mass surveillance technology undoubtedly impinges on the very essence of that right.” UN, Human Rights Council, Emmerson, B. (2014), para. 18

    The report’s analysis of EU Member States’ legal frameworks tries to keep law enforcement and intelligence services separate. By doing so, the report excludes the work of law enforcement from its scope, while recognising that making this division is not always easy.

    As stated by Chesterman, “Governments remain conflicted as to the appropriate manner of dealing with alleged terrorists, the imperative to detect and prevent terrorism will lead to ever greater cooperation between different parts of government”.18 The EP resolution recognises this and called on the Europol Joint Supervisory Body (JSB) to inspect whether information and personal data shared with Europol have been lawfully acquired by national authorities, particularly if the data were initially acquired by intelligence services in the EU or a third country.19

    The Snowden revelations have also shed light on cooperation between intelligence services. This issue, important for the oversight of intelligence services’ activities, has been addressed by the EP resolution (Paragraph 22), by oversight bodies,20 by the Venice Commission,21 and by academia.22

    This aspect, however, proved impossible to analyse in a comparative study, since, in the great majority of cases, cooperation agreements or modalities for transferring data are neither regulated by law nor public. This in itself creates a fundamental rights issue linked to the rule of law and, more particularly, regarding the importance of the existence of a law that is accessible to the public, as well as regarding the rules governing the transfer of personal data to third countries.

    Though this report could not deal with this aspect beyond referencing the lack of proper control by over-sight bodies, it does raise important questions under relevant legal standards.

    Fundamental rights and safeguards Continue reading “Fundamental Rights Agency :  Surveillance by intelligence  services: fundamental rights safeguards and remedies in the EU.  Mapping Member States’ legal frameworks”

    PRACTICES AND APPROACHES IN EU MEMBER STATES TO PREVENT AND END STATELESSNESS

    EXECUTIVE SUMMARY OF A STUDY FOR THE EUROPEAN PARLIAMENT CIVIL LIBERTIES COMMITTEE (LIBE) Full study (121 pages) accessible HERE

    Authors: Prof Gerard Rene’ DE GROOT, Katja SWIDER, Olivier WONK

    Aim

    The aim of the present study is to describe the practices and approaches in all EU Member States concerning the prevention and eradication of statelessness. For that purpose the study analyses the relevant international and European standards (Chapter 2) and assesses the national practices in light of these standards (Chapter 3). Since the prevention and eradication of statelessness depends on proper mechanisms to identify stateless populations, the subject of procedures for determining statelessness is addressed. We also investigate whether installing such a procedure creates a ‘pull factor’ (Chapter 4). The study ends with a detailed analysis of the possible role of the European Union in preventing and reducing statelessness (Chapter 5).

    Key Findings

    International and European standards to prevent and end statelessness

    1. Important standards on the avoidance and reduction of statelessness can be found in the 1954 United Nations (UN) Convention relating to the status of stateless persons, the 1961 United Nations (UN) Convention on the reduction on statelessness and the 1997 Council of Europe (CoE) Convention on Nationality.
    2. The European Union pledged at the UN High-level Rule of Law Meeting in New York, which took place in September 2012, to stimulate EU Member States to address the issue of statelessness by ratifying the 1954 UN Convention and considering the ratification of the 1961 UN Convention.
    3. For the interpretation and further development of standards following from these conventions, the UNHCR Guidelines on Statelessness, published in 2012, and Recommendation 2009/13 of the Council of Europe on the position of children in nationality law are of paramount importance.
    4. Landmark court decisions are the 2010 decision of the Court of Justice of the European Union in Janko Rottmann v. Freistaat Bayern (C-135/08) (concluding that deprivation of nationality, with statelessness as a result, may only happen after applying a proportionality test to such a measure) and the 2011 European Court of Human Rights decision in Genovese v. Malta (application no. 53124/09) (concluding that nationality is part of one’s personal identity and as such protected by the concept of private life under Article 8 ECHR) as well as the 2014 decision in Sylvie Mennesson v. France (application no. 65192/11) and Francis Labassee v. France (application no. 65941/11) (stipulating that aspects relating to one’s social identity need to have consequences for the nationality position of children born from cross-border surrogacy arrangements).

    Assessment of Member State rules in light of international and European standards

    1. The comparative analysis shows that several Member States violate international and European standards regarding protection against statelessness.
    2. This is not only true for Member States that are not bound by the relevant international treaties, but also for Member States that have acceded to these conventions.
    1. Moreover, the standards of protection against statelessness differ considerably between the Member States.
    2. This is particularly problematic for the grounds for loss, since the loss of a Member State’s nationality, resulting in statelessness, implies the loss of European citizenship.
    3. Exclusion from both the protection that nationality offers and the benefits of EU citizenship prevent people from accessing fundamental civil, political, economic, cultural and social rights and put them at risk of repeated or prolonged detention and destitution.
    4. There is a need for greater clarity as regards the legal position of permanent resident non-citizens in Latvia and Estonia, who formerly held the citizenship of the Soviet Union, in light of international and European law. Indeed, in order to avoid that the activation of statelessness will prevent or reduce provisions, States sometimes deliberately do not classify a person as “stateless”, but assign the person involved a different label. This occurred in Latvia and Estonia with the introduction of the special status of “permanent resident non-citizen” in Latvia or a “person of undefined nationality” in Estonia.

    Protection of stateless persons in the migratory context and statelessness determination procedures Continue reading “PRACTICES AND APPROACHES IN EU MEMBER STATES TO PREVENT AND END STATELESSNESS”

    Attentats terroristes de Paris : “fluctuat nec mergitur”, envers et contre tout

    ORIGINAL PUBLISHED ON CDRE SITE ON NOVEMBER 15 2015

     par Henri Labayle

    Le carnage abominable commis dans les rues de Paris, ce vendredi soir, fait resurgir nombre d’interrogations déjà posées dans ces mêmes colonnes et restées sans réponses, il y a dix mois à peine.

    Semblables et pourtant différentes, ces questions interpellent la société européenne autant que la société française. Elles obligent à ne pas laisser notre émotion prendre le pas sur ce qu’il reste de notre raison, à conserver deux convictions : celle d’un destin commun commandant que ne soit pas sacrifiés les principes d’une Communauté de droit .

    1. Un destin commun

    L’image donne souvent à la réalité l’apparence du spectacle. Les sociétés européennes se sont ainsi habituées au feuilleton médiatique de la violence terroriste, de ces attentats aux multiples formes allant de l’assassinat aveugle aux explosions meurtrières. Des rues d’Israël à celles de Beyrouth, hier encore, la relation de ces vies fauchées et de ces corps démembrés conservait jusqu’alors un caractère passablement artificiel pour les opinions publiques européennes. En tous cas pour celles qui n’avaient pas eu à en connaître dans leur chair comme en Irlande ou en Espagne. Loin et donc irréel …

    Brutalement, l’attentat le plus violent que la France ait eu à connaître depuis plus d’un demi siècle ramène à la vérité. Les quatre vingt morts du Bataclan et la vision d’un corps de kamikaze devant le Stade de France donnent soudain une réalité tragique à des propos alarmistes que nous n’entendions pas, au sens premier du terme.

    Nous ne comprenions pas en effet que l’on ne peut prétendre agir à l’extérieur de nos frontières sans conséquences. Nos sociétés n’ont pas davantage assimilé l’interdépendance dans laquelle nos destins particuliers se lient. De l’exode des réfugiés à travers le continent jusqu’aux attentats de Paris, toute lecture autocentrée ou hexagonale des évènements en cours est sans issue. Désormais, la libre circulation de la période contemporaine ne concerne pas seulement les individus mais elle intègre aussi la violence.

    Or, là est le risque de voir le débat public s’égarer sans issue, dans la prétention qu’existerait une solution exclusivement nationale au défi que les sociétés démocratiques doivent relever. Au prétexte à peine dissimulé qu’à la pêche aux voix, l’argument fait recette.

    Certes, l’Europe et ses constructions sécuritaires demeurent des boucs émissaires faciles et cette attitude présente, au demeurant, l’avantage d’éviter la question des responsabilités nationales. L’espace de libre circulation de Schengen constitue l’archétype de ces procès en sorcellerie, ceci avant même que les progrès des investigations policières nous fournissent un tableau plus précis des choses et de leur exacte dimension, internationale ou européenne. Il est donc mis à profit pour essayer de persuader qu’à l’heure d’Internet, guérites et képis seraient une protection imparable. Incapables de gérer hier Sangatte et aujourd’hui Calais, nous serions à même de garantir la sécurité nationale en nous privant de la seule échelle pertinente qui vaille, l’échelle européenne…

    Que les inspirateurs et les commanditaires des attentats soient établis à l’étranger ne dissimule en rien la dimension nationale du crime, depuis l’implication de ses auteurs matériels jusqu’au lieu de sa réalisation. Le vieux fantasme de l’ennemi de l’étranger ne résiste guère à l’analyse et celle-ci doit nous conduire à l’introspection. Impossible de réduire ou d’oublier la nationalité française de plusieurs des terroristes. De même, si les yeux se tournent actuellement vers la Belgique, pays voisin, c’est là encore parce que des ressortissants français y auraient séjourné.

    Dès lors et comme hier à propos des attentats de janvier, il se confirme malgré nos réticences à l’admettre lucidement que nos propres sociétés ont enfanté des monstres criminels. Une prise de conscience est donc indispensable, avant tout anathème et tout discours guerrier.

    Prise de conscience, d’abord, de l’extrême vulnérabilité des sociétés modernes face à une criminalité atypique et asymétrique. Ni ses motivations ni ses modes opératoires ne sont encore pleinement assimilés par le corps social. Les sacrifices humains y sont délibérément assumés par ceux qui en sont à la fois auteurs et victimes. Dans l’histoire du terrorisme en Europe, que 7 des 8 assaillants répertoriés à ce jour se soient fait exploser avec leurs explosifs est une première, absolument terrifiante et sur les ressorts de laquelle nous devrions nous interroger en priorité. Elle exprime une détermination et une radicalisation extrêmes qui condamnent largement l’action policière à l’impuissance, malgré tous ses efforts et ses qualités.

    Prise de conscience, ensuite, de ce que ce mal n’est pas propre à une société nationale mais qu’il frappe l’ensemble de l’Union européenne. De façon quasiment identique, avec ou sans usage du principe de laïcité ou du respect de la diversité culturelle et religieuse, la société européenne s’avère incapable de dégager une réponse audible et convaincant dans un combat d’idées qui conduit à perdre celui des valeurs.

    Le juge de ses consciences lui-même, la Cour européenne des droits de l’Homme, vient de témoigner récemment en Grande Chambre de son impuissance à dessiner clairement les frontières de la liberté d’expression. Stigmatisant avec facilité les insanités de Dieudonné ou la négation de la Shoah, il tolère de façon passablement discutable la marge d’appréciation des Etats en matière de génocide arménien … Sans curseur, comment imaginer alors de façon efficace et incontestable un encadrement législatif de cette liberté en Europe, face aux discours radicaux ?

    Prise de conscience enfin de ce que l’abandon des questions sécuritaires au fond de commerce des partis extrémistes est une erreur couteuse. Elle alimente à la fois un sentiment désormais injustifié de quiétude civile mais elle risque aussi de nourrir la surenchère et l’excès dans la réaction politique, une fois la menace concrétisée. L’unanimité du pessimisme des services de sécurité français quant à la vraisemblance d’attentats graves contraste ici depuis de longues semaines avec le discours public aseptisé et politiquement correct.

    De ce destin commun, manifestement, nombre d’acteurs politiques n’ont pas pris la mesure, préférant évaluer les avantages politiciens qu’ils en escomptent dans les échéances à venir.

    Passe encore que l’effet d’aubaine ravisse les tenants des partis extrêmes. Il est moins normal que les représentants de certains Etats membres, comme la Pologne, se saisissent de la situation pour y trouver prétexte à habiller leur refus d’une politique commune d’asile et d’immigration actée à Lisbonne. Et il n’est pas davantage explicable que le souhait « d’une nouvelle politique européenne d’immigration » fasse irruption dans l’allocution d’un ancien Président de la République à un instant de l’enquête où la seule nationalité connue des criminels est française …

    A bon escient, Jean Claude Juncker a donc raison d’inciter à ne pas confondre les victimes, que sont l’immense majorité des syriens fuyant l’Etat islamique, et les criminels, que sont leurs tortionnaires.

    2. La guerre et le droit

    L’outrance des propos tenus ici et là peut s’expliquer par la gravité et l’émotion du moment. Si elle n’a qu’un mérite, c’est de signifier à quel point les attentats de Paris trouvent leurs racines à l’extérieur du territoire de l’Union.

    A user d’un mot, la « guerre », qu’il faudrait manier avec précaution face à ce qui est avant tout un crime au sens de la loi pénale, comme y incitent justement Bertrand Badie ou un ancien premier ministrefrançais, les autorités françaises n’ont pas réalisé à quel point les conséquences en étaient prévisibles. Le droit ne peut y être indifférent et le respect du principe de légalité doit demeurer l’axe de notre réaction.

    Passons sur le fait que les juristes demeurent interrogatifs sur certaines formes de l’action militaire sur les théâtres d’opération extérieurs, à commencer par l’élimination physique de l’adversaire. N’en restons qu’aux suites de l’abus des postures martiales, inversement proportionnelles à la réalité concrète de trois bombardements aériens en trois mois.

    Il ne fallait guère être devin pour comprendre que la propagande terroriste s’en nourrirait pour désigner ses objectifs opérationnels, en toute indifférence pour la subtilité de nos positionnements diplomatiques. « Faire la guerre » implique de se placer sous le feu de l’adversaire et s’il n’est pas certain que l’opinion française en ait eu conscience, il est sûr en revanche que nul ne le lui a expliqué franchement …

    Quitte à le faire, sans doute fallait-il introduire alors une cohérence plus grande dans la conduite de cette diplomatie. Par exemple envers les Etats qui sont les soutiens à peine déguisés de l’Etat islamique en Syrie et contribuent dans le même temps à équilibrer notre commerce extérieur, à notre grande satisfaction. Peut-être était-il bon aussi de déployer toute l’énergie nécessaire pour faire le jour sur les circuits de financement et de commercialisation de ses rapines par le même Etat islamique, au vu et au su de tous, au besoin en s’intéressant aux ambiguïtés du comportement des autorités turques et de ses voisins …

    Par ailleurs, les outils juridiques et opérationnels de la réponse au terrorisme qui avaient fait l’objet de sévères mises en cause, au plan européen comme national, appellent immédiatement un examen attentif. Gérer la crise en termes militaires n’empêchera pas de se livrer à l’évaluation de ce qui a été fait ou pas depuis 10 mois et les attentats de Charlie Hebdo.

    La mise en cause de l’entraide répressive européenne à l’époque a eu, au moins, des effets visibles. Les autorités allemandes ont ainsi immédiatement fait état de l’arrestation d’un suspect, muni d’armes et apparemment à destination de la France. Les prolongements de l’enquête vers la Belgique sont plus significatifs encore de la parenté des inquiétudes et de la qualité des coopérations. A la fois parce que la Belgique s’avère être un centre névralgique de l’action radicale islamique en Europe, comme en témoignent les affaires Nemmouche ou celle du Thalys, mais aussi comme l’illustre le nombre sidérant de « combattants étrangers » qui en partent.

    L’impuissance des autorités publiques belges à y faire face, 6 services de police et 19 municipalités différentes y concourent en vain (!!!) dans la banlieue bruxelloise, démontre si besoin en était la nécessité d’une action concertée. Deux des kamikazes français identifiés n’y résidaient-ils pas ? La qualité des échanges et des contrôles Schengen est une réponse avérée en ce sens. Le partage d’expérience aussi.

    Précédant le point d’étape qui devait être effectué en tout état de cause en Conseil au mois de décembre, les constats du coordinateur de la lutte contre le terrorisme devraient être instructifs de ce point de vue quant au degré d’engagement des Etats membres dans la lutte contre le terrorisme. Des indicateurs communs de risques positivés par la Commission à l’alimentation des fichiers tels que le SIS II ou le fichier Europol consacré aux « combattants étrangers » ou à l’entraide judiciaire au sein d’Eurojust, l’ambiance a changé. Elle semble, en tous cas, différente, au regard de ce qu’elle était au lendemain des attentats de Charlie Hebdo.

    Pour autant, les résistances du passé ne sont pas entièrement dépassées. S’il est trop tôt pour en évaluer l’impact dans le schéma criminel qui a conduit aux attentats de Paris, il conviendra de les confronter aux conclusions des diverses commissions d’enquête ayant fait suite aux attentats de janvier, à l’Assemblée nationale comme au Sénat.

    La tonalité du discours des autorités françaises n’est guère encourageante de ce point de vue, à écouter les propos pontifiants de leur ministre de l’Intérieur. Lecture purement intergouvernementale de cette coopération, silence sur les organes intégrés que sont Eurojust ou Europol et la valeur ajoutée que pourrait fournir une coordination européenne de la poursuite, impasse sur le caractère obligatoire que devrait présenter cette coopération au regard du traité de Lisbonne et sur la sanction des Etats défaillants, il semble que le logiciel de nombre d’Etats membres, dont le nôtre, n’ait guère été mis à jour depuis Maastricht.

    Ont-ils pris conscience que le monde et ses dangers ont changé et que le besoin de sécurité de ses citoyens est pourtant le moteur le plus fort de l’intégration européenne ?

    Implementing the Lisbon Treaty Improving the Functioning of the EU on Justice and Home Affairs

    EXECUTIVE SUMMARY OF A STUDY FOR THE CIVIL LIBERTIES PARLIAMENTARY COMMITTEE.  (FULL VERSION, 76 pages HERE)

    AUTHORS : Dr.  Sergio  Carrera  and Prof.  Elspeth  Guild .

    The functioning of EU Justice and Home Affairs (JHA) policies has been subject to important institutional and legislative reforms after the entry into force of the Lisbon Treaty in 2009. This study has examined the most important changes brought about by this new Treaty framework on European cooperation covering the Area of Freedom, Security and Justice (AFSJ)  and  explored  concrete  ways  to make  their  implementation  more  effective.

    The Lisbon Treaty introduced six main transformations to previous JHA cooperation setting which aimed at ensuring more legitimate, democratic and accountable EU decision-making in the JHA policy field:

    • First, the end of the former (First/Third) pillar divide and the expansion of the Community method of cooperation to a majority of JHA fields;
    • second, a stronger democratic accountability via an enhanced role played by the European Parliament and national parliaments;
    • third, a legally binding EU Charter of Fundamental Rights;
    • fourth, a wider judicial scrutiny by the Court of Justice of European Union (CJEU);
    • fifth, the establishment of new EU security and justice agencies;
    • and finally, the development of new external   dimensions  of  JHA policy.

    During the last five years the EU has adopted more than two-hundred legal acts falling under Title V (Area of Freedom, Security and Justice) of the Treaty on the Functioning of the European Union (TFEU).

    Yet, the above-mentioned innovations have been subject to exceptions and differentiation.

    These have covered the use of enhanced cooperation and special legislative procedures, a privileged position (‘opt out’/’opt in’ method) by the UK and Ireland, and transitional limitations affecting the enforcement powers by the Commission and the CJEU over police and criminal justice judicial cooperation and which came to an end in December 2014.

    This study has signalled four main challenges affecting the implementation and effective operability of EU JHA cooperation as foreseen in the Lisbon  Treaty:

    A first challenge relates to the inconsistency emerging from differentiation and variable geometry in European cooperation. While enhanced cooperation has been used in very limited occasions, furthering differentiation in JHA through the use of ‘integration or concentric circles’ could lead to the emergence of various ‘areas’ where different degrees of freedom, security and justice would exist.

    Such a fragmented picture would contravene the Treaty objective of establishing one “common Area where EU citizens enjoy the same European standards and rights across the Union’s territory. It would also challenge the practical effectiveness of EU JHA law acquis. Furthermore, discussions on the feasibility and desirability of different paths of integration for different countries draw attention away from the fact that much remains to be done to fully implement those Treaty articles playing a key  role in  strengthening  the commonality  of  the  EU  AFSJ.

    A second challenge relates to the negative impact that ‘variable geometry’ inflicts on EU citizens and residents’ rights and freedoms. The proliferation of parallel, concentric and even competing ‘areas’ of JHA cooperation may lead to a lack of legal protection or cases of discriminatory treatment depending on which area the individual happens to be or exercise free movement EU fundamental rights and freedoms enshrined in the Treaties and the EU Charter of Fundamental Rights should not be geographically conditioned to where an EU citizen or resident is across the EU.

    Moreover, any future legislative reform or Treaty change should not leave the door open to lowering down existing EU citizenship rights and freedoms.

    There are important practical issues and obstacles in the full exercise of democratic accountability throughout the application of the ordinary legislative procedure.

    The last five years have demonstrated that a number of barriers still persist towards the full acceptance and recognition of the EP as co-legislator and policy-setter in AFSJ policies. A case in point is the external dimensions of JHA. Another issue relates to the actual ways in which the ordinary legislative procedure works in practice, which is often subject to flexibility, informalities (e.g. ‘trilogues’) and early compromise   agreements which pose internal barriers towards transparency and accountability in legislative procedures. There is also not enough attention paid to the fundamental rights compliance of the EP’s internal legislative work and fundamental rights impact assessments in all relevant phases of the drafting of legislation.

    A final challenge concerns the lack of effective instruments or mechanisms to duly safeguard the foundations of the EU AFSJ and its legal principles enshrined in Articles 2 and 6 TEU. The presumption of mutual trust between the Member States on their compliance with rule of law and fundamental rights has been increasingly at stake during the last five years of implementation of the Lisbon Treaty.

    This is especially so in those EU JHA legal domains working on the basis of the principle of mutual recognition of judicial and administrative decisions.

    The EU faces a ‘Copenhagen dilemma’ consisting of the lack of an effective and legally binding monitoring/supervisory mechanism of EU Member States’ compliance with rule of law principles and fundamental rights after accession. If EU Member States cannot guarantee an independent and impartial judiciary able to test whether the EU State to which an EU citizen who is a suspect in criminal proceedings or a third country national seeking asylum are going to be sent to complies with fundamental rights, how can the  principle of mutual  recognition stay valid?

    The Study suggests that any future legislative or Treaty change should not promote or enable further differentiation or fragmentation in the next generations of EU AFSJ cooperation. It should neither allow for restricting existing EU rights and freedoms enjoyed by European citizens and residents. The European Parliament should give priority to devising and ensuring the effective implementation of a mutual trust-building agenda in the next generations of EU AFSJ cooperation.

    The agenda would focus on the following three trust  enhancing  policy  actions:

    First, implementation and evaluation: The European Parliament should focus on ways to ensure more timely, consistent and effective implementation of EU JHA legislation by EU Member States authorities. The relevant Parliament Committees could play a more actively role in following up the ways in which the Commission enforces the transposition JHA law. A new evaluation system should be developed on the basis of Article 70 TFEU to better ensure the full application of the principle of mutual recognition and strengthen mutual confidence  in  domains  such as judicial  cooperation in criminal  matters and  asylum   policies.

    Second, accountability, transparency and fundamental rights: The European Parliament should adopt an internal strategy aimed at strengthening internal accountability, transparency and fundamental rights compliance in the operability of the ordinary legislative procedure  and  other relevant  legislative processes   on  JHA cooperation.

    Third, the rule of law: The Parliament should call for the adoption of a new ‘EU Copenhagen mechanism’ to ensure independent and regular monitoring of rule of law compliance by EU Member States after accession. This mechanism should be based on independent academic expertise.

    It could be linked the monitoring processes and results of the European semester cycle on economic governance. This could take place through a ‘rule of law, democracy and fundamental rights Copenhagen Policy Cycle’ which would formalize EU inter-institutional coordination. The Parliament should play an active role. A new Copenhagen (rule of law) mechanism should not remain a purely inter-governmental process under the remits of the Council or an agreement between EU Member States. Instead it could be legally built under the current Article 7 TEU by mainly focusing on further elaborating and making more transparent the ways in which this provision is triggered by Council, Commission and/or the European Parliament.

    No Treaty change would be required for such an instrument to be established. From a longer-term perspective, democratic accountability and judicial controls of such an instrument could be further ensured and formally foreseen in the Treaties, which could  in  turn  imply  Treaty change.

    CAMERON’S CHATHAM HOUSE SPEECH: FULL SPEED AHEAD FOR THE RENEGOTIATION OF THE UK’S EU MEMBERSHIP?

    ORIGINAL PUBLISHED ON EU LAW ANALYSIS ON Tuesday, 10 November 2015

    by Steve Peers

    Today’s Chatham House speech by David Cameron set out more detail of the UK’s demands for renegotiation of its EU membership. It was accompanied by aletter from Cameron to the President of the European Council, Donald Tusk, which set out a summary of his requests.

    The speech also set out two changes to UK law which the government plans to make, as regards the EU Charter of Rights and (possibly) the role of UK courts reviewing the EU courts. Since these are changes to domestic law, they do not have to be negotiated with other Member States, unless there is a legal argument that they would breach EU law.

    This is the latest elaboration of Cameron’s requests; I have commented earlier on his specific suggestions regarding free movement of EU citizens, and regarding other issues. I will refer back to what I’ve said already in those posts where relevant.

    Changes to UK law

    On the first change to UK law, Cameron referred to the government’s plans to repeal the Human Rights Act and replace it with a ‘British Bill of Rights’, which (as he acknowledged) are separate from EU law as such. But he then went on to state: “And as we reform the relationship between our courts and Strasbourg, it is right that we also consider the role of the European Court of Justice and the Charter of Fundamental Rights. So – as was agreed at the time of the Lisbon Treaty – we will enshrine in our domestic law that the EU Charter of Fundamental Rights does not create any new rights. We will make it explicit to our courts that they cannot use the EU Charter as the basis for any new legal challenge citing spurious new human rights grounds.”

    This is a new point not raised in the Chatham House speech. What should we make of it? At first sight, it is not really any different from Article 1(1) of the special Protocol on the role of the Charter in the UK and Poland, which provides:

    1. The Charter does not extend the ability of the Court of Justice of the European Union, or any court or tribunal of Poland or of the United Kingdom, to find that the laws, regulations or administrative provisions, practices or action of Poland or of the United Kingdom are inconsistent with the fundamental rights, freedoms and principles that it reaffirms.

    A clause in the preamble to this Protocol provides: “WHEREAS the Charter reaffirms the rights, freedoms and principles recognised in the Union and makes those rights more visible, but does not create new rights or principles;”

    So the Prime Minister’s commitment to change UK law could be met simply by making express reference to these provisions of the Protocol – or by incorporating their wording – in an Act of Parliament. This would simply reiterate the application of these rules to the UK, given that the Protocol already applies in UK law by virtue of the European Communities Act.

    Any more far-reaching approach (such as that advocated by a House of Commons committee last year, as discussed here) would run the risk of complicated breaches of EU law. It’s impossible to say now whether that would happen or not, in the absence of  any proposed legislation on this point.

    For the sake of context, it should be noted that the CJEU has ruled in the NS case that the Charter did not add any rights to the ‘general principles of EU law’, which were the basis for protection of human rights in the EU legal system prior to the Treaty of Lisbon. And in Fransson, the Court ruled that the scope of the Charter (ie when it applied to Member States’ action) was the scope of the general principles. True, the Charter can be used to set aside Acts of Parliament, even by the lower UK courts, as in recent cases involving embassy staff andGoogle. But that’s true of EU law generally, including the previous general principles, as we saw in judgments like Kucukdeveci.

    The Prime Minister’s second pledge was to consider whether to introduce a national check on EU measures like that asserted by the German Federal Constitutional Court, concerning the loss of ‘essential constitutional freedoms’ and the review of acts by the EU institutions to check if they remain within the scope of the EU’s powers.

    Such a measure would breach EU law in principle, since the CJEU has long ruled that it is the sole judge of whether an EU law is invalid. But Cameron is correct to point out that other national constitutional courts have done the same thing. A full-bodied constitutional conflict has been avoided in practice because those other courts have been reluctant to use those powers, and because the CJEU has maintained a dialogue with them (which does not extend to agreeing with them all the time: see discussion of the recent case law on the ECB’s OMT scheme).

    It should be noted that the ‘essential constitutional freedoms’ which Cameron refers to are fundamental rights as protected by the German Basic Law (the de facto German constitution). It remains to be seen whether the ‘British Bill of Rights’ which Cameron plans will protect human rights so strongly in the UK that there is any real prospect of the EU taking those rights away. If not, Cameron’s proposal looks like the constitutional equivalent of shaving all his hair off, while simultaneously insisting on the fundamental importance of his comb.

    Changes to EU law Continue reading “CAMERON’S CHATHAM HOUSE SPEECH: FULL SPEED AHEAD FOR THE RENEGOTIATION OF THE UK’S EU MEMBERSHIP?”

    The EU-U.S. Safe Harbor Agreement on Personal Data Privacy: In Brief (US Congressional Research Service)

    ORIGINAL PUBLISHED HERE ON October 29, 2015  by the US Congressional Research Service : AUTHORS : Martin A. Weiss Specialist in International Trade and Finance and  Kristin Archick Specialist in European Affairs (*)

    Overview

    On October 6, 2015, the Court of Justice of the European Union (CJEU) delivered a judgment (1) that invalidates the Safe Harbor Agreement between the United States and the 28-member European Union (EU).(2)

    Safe Harbor is a 15-year-old accord, under which personal data could legally be transferred between EU member countries and the United States. The negotiation of Safe Harbor was largely driven by the EU’s 1995 Data Protection Directive (DPD) and European concerns that the U.S. approach to data privacy did not guarantee a sufficient level of protection for European citizens’ personal data. The Safe Harbor Agreement applies to a wide range of businesses and organizations that collect and hold personal data. When the parties concluded the Safe Harbor Agreement in 2000, however, the Internet was still in its infancy, and the range of public and private actors engaged in the mass processing of personal data, including across borders, was much more limited than today.

    The CJEU case stems from a 2013 complaint brought by an Austrian citizen and Facebook user, Maximillian Schrems, who claimed that the United States, and ultimately the Safe Harbor Agreement, failed to meet EU data protection standards in light of the unauthorized disclosures of classified U.S. surveillance programs by former U.S. National Security Agency (NSA) contractor Edward Snowden. In its decision, the CJEU determined that U.S. data protection measures do not provide an “adequate level of protection” for personal data as required by the EU DPD, and thus Safe Harbor, as currently agreed, is invalid.

    The CJEU ruling also found that the agreement’s national security exemptions essentially prevail over the Safe Harbor principles. Any companies that were using Safe Harbor as a legal basis for transatlantic data transfers must now individually implement alternative measures including so-called “model contractual clauses” or Binding Corporate Rules (BCRs) to legitimize the transfer of personal data between the United States and the EU.

    Given that some 4,500 U.S. companies (including U.S. subsidiaries of European firms) participate in Safe Harbor and that digital trade flows make up an important and growing segment of the transatlantic economy, many trade and industry groups were deeply dismayed by the CJEU’s decision. Experts suggest that the CJEU ruling could create legal uncertainties for many U.S. companies. Some contend that the CJEU judgment could raise operating costs, especially for small- and medium-size businesses, and negatively affect U.S.-EU trade and investment ties.

    Some analysts also contend that the broad nature of the CJEU’s decision could have implications for other U.S.-EU data-sharing arrangements, in both the commercial sector and the law enforcement field. Such U.S.-EU agreements, including Safe Harbor, have come under increased scrutiny since the revelation of the NSA programs and subsequent allegations that some U.S. Internet and telecommunication companies were involved in the reported NSA activities.

    The United States and the EU have engaged in a number of efforts to address European concerns about U.S.-EU data flows, including discussions started in late 2013 to improve the Safe Harbor Agreement. Although negotiations between the EU and U.S. authorities are reportedly close to completion, divisions still exist over the EU demand to ensure only limited access to “Safe Harbor data” for national security purposes. Some experts suggest, however, that U.S. legislation currently under consideration, the Judicial Redress Act of 2015 (H.R. 1428 and S. 1600), could help ease at least some concerns about U.S. data protection standards and facilitate a revised Safe Harbor accord. The proposed legislation would essentially provide citizens of EU countries with judicial redress for data protection breaches. H.R. 1428 passed the House on October 20, 2015.

    Data Privacy and Protection in the EU and the United States Continue reading “The EU-U.S. Safe Harbor Agreement on Personal Data Privacy: In Brief (US Congressional Research Service)”

    A new wideranging EP resolution on mass surveillance in the “post Snowden” (and Schrems ) era.

    Below the provisional text voted yesterday 29 October by the European Parliament on mass surveillance and violation of fundamental rights to privacy and data protection. The press has already highlighted that  the EP voted by 285 to 281 to call on the member states to “drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistle-blower and international human rights defender”. Moreover  the EP  calls on the Commission to give consideration to the impact of the Court of Justice Safe Harbor ruling of 6 October on any other instruments for the transfer of personal data to the US and to report on the matter by the end of 2015.  Very rightly the Strasbourg plenary acknowledges that the Court ruling “has confirmed the long-standing position of Parliament regarding the lack of an adequate level of protection under this instrument” so that the Commission has to “immediately take the necessary measures to ensure that all personal data transferred to the US are subject to an effective level of protection that is essentially equivalent to that guaranteed in the EU”.

    But here is the point : bulk collection of personal data (as foreseen by several US practices agreed with the EU in the PNR and TFTP cases) are not themselves threatening the “essence” of data protection under EU law as protected by the art.52 of the EU Charter of fundamental rights so that they are no negotiable even with the best friend and ally such the USA? 

    Passed by 342 votes to 274 , with 29 abstentions, this is a center-left resolution where liberals and socialists voted together but (not surprisingly) EPP and ECR voted against. In this legislature where socialists and conservatives have created a sort of “grosse Koalitionen” the text risks to be only a political gesture before the public opinion if not followed by consistent votes on the legal binding texts currently on the EP table such as the data protection reform or the transatlantic negotiations on the so called “umbrella agreement” and on “Safe Harbor”.

    Moreover the text even if criticizes the European Commission as “inadequate” and evokes the possibility of a “fail to act” against it does not triggers it. The risk is then this very inspired and solid text remains a toothless tiger.. The coming weeks will show if this tiny majority will be confirmed when the post-Lisbon data protection reform will be voted.

    Emilio De Capitani

    European Parliament resolution of 29 October 2015 on the follow-up to the EP resolution of 12 March 2014 on the electronic mass surveillance of EU citizens (2015/2635(RSP)) Continue reading “A new wideranging EP resolution on mass surveillance in the “post Snowden” (and Schrems ) era.”

    The law enforcement challenges of cybercrime: are we really playing catch-up?

    FULL STUDY ( 68 pages) ACCESSIBLE HERE

    Abstract : This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. With a number of high-profile criminal cases, such as ‘Silk Road’, cybercrime has been very much in the spotlight in recent years, both in Europe and elsewhere. While this study shows that cybercrime poses significant challenges for law enforcement, it also argues that the key cybercrime concern for law enforcement is legal rather than technical and technological. The study further underlines that the European Parliament is largely excluded from policy development in the field of cybercrime, impeding public scrutiny and accountability. AUTHOR(S): Dr. Ben Hayes, Dr. Julien JeandesbozDr. Francesco Ragazzi, Dr. Stephanie Simon, and Prof. Valsamis Mitsilegas.

    EXECUTIVE SUMMARY

    Cybercrime has become one of the key priorities for EU law enforcement agencies, as demonstrated by the establishment of the European Cybercrime Centre (EC3) in January 2013 and the development of specific European threat assessment reports in this field. High-profile criminal investigations such as the ‘Silk Road’ case, major data breaches or particularly nefarious hacks or malware attacks have been very much in the spotlight and widely reported in the media, prompting discussions and debates among policymakers and in law enforcement circles. Over the last few months, the cybercrime debate has specifically evolved around the issue of encryption and anonymisation.

    In this context, this Study argues that debates on the law enforcement challenge of cybercrime in the EU should steer clear both of doomsday scenarios that overstate the problem and scepticism that understates it, and that the key cybercrime concern for law enforcement is legal in nature rather than simply technical and technological. Indeed, the Study finds that the key challenge for law enforcement is the lack of an effective legal framework for operational activities that guarantees the fundamental rights principles enshrined in EU primary and secondary law.

    In order to address this core argument, this Study starts by analysing claims and controversies over the Internet ‘going dark’ on law enforcement (Section 2). It shows that these claims have been made for quite some time and should be considered as moral panics rather than accurate reflections of the challenges posed by cybercrime to law enforcement. Moreover, current controversies rehash older ones, conflating law enforcement concerns with intelligence-gathering and surveillance concerns. Without denying the fact that criminal activities do take place online, pose technical difficulties to law enforcement services and require the availability of specific capabilities, this section demonstrates that these difficulties do not impede criminal investigation to such an extent that exceptional means should be envisaged. While these technical aspects need to be considered, they raise issues related to policy and law rather than technology as such. The policy and law-related challenges are made greater by the fact that defining cybercrime is not an easy task. Very broad definitions have been adopted at the EU level, often leading to overlapping and sometimes conflicting mandates.

    Section 3 thus analyses the institutional architecture of EU cybercrime policy. It shows that the complexity of cybercrime measures and the expansive mandates and number of actors involved in their implementation make it difficult to ascertain and circumscribe the full scope of EU cybercrime policy. Whereas the Council of Europe (CoE) sought to codify cybercrime powers into an international convention, much of the EU’s policy to fight cybercrime is based on non-legislative measures, including operational cooperation and ad hoc public-private partnerships. Furthermore, important distinctions and restrictions designed to ensure a ‘separation of powers’ between state agencies concerned with law enforcement (cyber-policing), civil protection (cybersecurity), national security (cyber-espionage) and military force (offensive cyber capabilities) are harder to distinguish in the area of cybercrime, at both national and EU level. Section 3 underlines that, within this complex architecture, and with the blurring of the boundaries between those responsible for policing the Internet, for gathering intelligence from it, for conducting cyber-espionage against foreign targets, and for ensuring the safety of critical internet infrastructure, the European    Parliament    and    civil    society    are    largely    excluded    from    policy development, impeding public scrutiny and accountability. This compounds the EP’s existing problems in ensuring that fundamental rights and data protection are diligently protected in the area of justice and home affairs.

    In light of these gaps in oversight and accountability, Section 4 analyses in particular the challenge of jurisdiction, cooperation and fundamental rights safeguards. This section argues that operational challenges in cybercrime law enforcement do not change the obligation of EU institutions and Member States to ensure the safeguarding of EU fundamental rights in any operating framework of internal or transnational cooperation in law enforcement and criminal justice. Cybercrime law enforcement frequently cites the challenge of accessing and transferring data through existing Mutual Legal Assistance agreements. Yet practices taken outside of established legal channels cannot guarantee rights protections and run the risk of raising mistrust in the general public, the private sector and in transatlantic relations. Furthermore, across the spectrum of cybercrime prevention, investigation, and prosecution, the particular geography of the digital environment is said to complicate the traditional territorial foundations of law. Law enforcement bodies make continuous reference to the ways in which traditional legal structures stand in the way of operations. However, an updated legal framework designed to overcome these challenges should foreground fundamental rights concerns, which are essential to ensure due process and a necessary condition for the successful prosecution of cybercriminal offences.

    In light of these findings, the Study concludes with key recommendations for the European Parliament.

    In particular, to ensure that the Parliament is not marginalised altogether with respect to the implementation and review of EU cybercrime policies by the exercise of delegated   powers,   EU   agency   discretion   and   non-legislative   decision-making   bodies, further monitoring of EU council structures, Europol and international cooperation agreements is required (Recommendation 1).

    Moreover, the EP should ensure that the development of any cooperation/information-sharing framework guarantees the respect of fundamental rights (Recommendation 2).

    In light of the current discussions on a revised CoE Cybercrime Convention, the European Parliament should, further, ensure that the Conventions obligations are consistent with EU law and fundamental rights protections (Recommendation 3).

    The EP must also ensure that cybercrime is not used as a justification to undermine new information security protocols and the right to privacy in telecommunications, both of which are fundamental components of the functioning of the Internet (Recommendation 4).

    Finally, if European law enforcement agencies need to keep pace with technological change, it is imperative that training courses on cybercrime forensics and digital evidence include an applied fundamental rights component (Recommendation 5).

    Continue reading…

    Cybersecurity in the European Union and Beyond: Exploring the Threats and Policy Responses

    FULL STUDY ( 152 pages) ACCESSIBLE HERE 

    This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. It sets out to develop a better understanding of the main cybersecurity threats and existing cybersecurity capabilities in the European Union and the United States. The study further examines transnational cooperation and explores perceptions of the effectiveness of the EU response, pinpointing remaining challenges and suggesting avenues for improvement. AUTHORS : Dr Nicole van der Meulen, Eun A Jo and Stefan Soesanto (RAND Europe)

    EXECUTIVE SUMMARY

    The European Commission published the European Union Cyber Security Strategy along with the accompanying proposal for a Network and Information Security (NIS) Directive in 2013. Since the proposal was published, the cybersecurity landscape has continued to evolve, leading to questions regarding the nature and seriousness of the cyberthreats faced by the European Union (EU), the capabilities of Member States to manage these threats and respond to incidents, and the effectiveness of these capabilities. At the time of writing, discussions about the content and scope of the proposed NIS Directive are continuing. This study of cybersecurity threats in the EU was commissioned by the European Parliament (EP). It has five objectives:

    • To identify key cyberthreats facing the EU and the challenges associated with their identification.
    • To identify the main cybersecurity capabilities in the EU.
    • To identify the main cybersecurity capabilities in the United States (US).
    • To assess the current state of transnational cooperation.
    • To explore perceptions of the effectiveness of the current EU response.

    Defining cybersecurity

    Any study of cybersecurity must reflect on the challenges introduced by the different meanings of the term. There is no consensus on a standard or universally accepted definition of cybersecurity. The term cybersecurity has roots in information security but is now used to refer to a broader range of issues, linked to national security. The observation that cybersecurity means different things to different people is not without its consequences. How the issue is framed influences what constitutes a threat as well as what counter-measures are needed and justified.

    Mapping cybersecurity threats

    The study team’s analysis of six threat assessments1 and an existing meta-analysis carried about by Gehem et al. (2015) highlight the difficulty with systematically comparing threat assessments and gauging the reliability of data and findings on the basis of which threat assessments are conducted. The challenge rests in part in the absence of a commonly accepted definition of what constitutes a threat and the variation in the methodology and metrics used for threat assessments. Moreover, some threat assessments reference or are based on other threat assessments, rather than original sources, leading to potential duplication of findings and lack of clarity about the evidence underlying threat assessments. As a result, there is no clearly established framework to classify and map threats.

    The study team created a framework for mapping threats. The framework distinguishes:

    • Threat    actors:    states,    profit-driven    cybercriminals,    and    hacktivists   and extremists.
    • Threat tools: malware and its variants, such as (banking) Trojans, ransomware, point-of-sale malware, botnets and exploits.
    • Threat   types:   unauthorised   access,   destruction,   disclosure,   modification   of information and denial of service.

    The mapping of the cyberthreat landscape through the review of the six threat assessments was complemented by a discussion on the varying perceptions of the severity of threats and the concept of‘threat inflation’.

    Cybersecurity capabilities in the EU

    To respond to the evolving threat in the area of cybersecurity, the EU has aimed to provide an overarching response through the publication of the EU Cyber Security Strategy together with the proposed NIS Directive. The Strategy identifies five objectives including:

    • Achieving cyberresilience.
    • Drastically reducing cybercrime.
    • Developing   cyberdefence   policy  and   capabilities  related  to  the  Common Security and Defence Policy (CSDP).
    • Developing the industrial and technological resources for cybersecurity.
    • Establishing   a   coherent   international   cyberspace   policy  for  the   EU   and promote core EU values.

    This study focuses on providing a descriptive overview of capabilities for the first three objectives. Capabilities for the purposes of this study have been operationalised as institutional structures, such as agencies and departments.

    • In the area of cyberresilience, the European Network and Information Security Agency (ENISA) is the primary player at the EU level. ENISA is tasked with addressing the existing fragmentation in the European approach to cybersecurity, namely by bridging the capability gaps of its Member States. In the cybercrime domain, the European Cyber Crime Centre (EC3) serves as a European cybercrime platform. Besides combatting cybercrime, EC3 also gathers cyberintelligence and serves as an intermediary among various stakeholders, such as law enforcement authorities, Computer Emergency Response Teams (CERTs), industry and academia.
    • In the area of cyberdefence, the European Defence Agency (EDA) supports the capability development necessary to implement the Strategy. Its most apparent activities remain in research and development and designing a common crisis response platform. Given that foreign and defence policies have conventionally been areas of domestic competence, it is understandable that EU-wide cyberdefence capabilities have developed at a different pace compared to the other two objectives, cyberresilience and cybercrime.

    Cybersecurity capabilities in the US

    Cybercapabilities in the US are challenging to map in a comprehensive manner. The tendency to layer initiatives and agencies makes navigating the different components difficult. For the purposes of a high-level comparison with the EU cyber capabilities, the study focuses on key institutional players and their roles in relation to three strategic priorities: cyberresilience, cybercrime and cyberdefence.

    • In the area of cyberresilience, the Department of Homeland Security (DHS) is the formal leader. The DHS is responsible for securing federal civilian government networks, protecting critical infrastructure and responding to cyberthreats.
    • In the area of cybercrime, the US has not designated any lead investigative agency. Instead, numerous federal law enforcement agencies combat cybercrime in their own capacity. These include the US Secret Service (USSS) and the US Immigration and Customs Enforcement (ICE) Cyber Crimes Center, which are both  agencies  within  the  DHS.  The  Federal   Bureau  of Investigation  (FBI)’s cyberdivision is also involved.
    • In cyberdefence, the Department of Defence (DoD) plays a leading role. It is readily apparent from the DoD’s multiple publications that the US has become more open about its capabilities and willing to name its adversaries. The DoD is also increasingly encompassing in its response to cyberthreats over time, investing in both defensive as well as offensive cybercapabilities, as detailed in its cyberdefence strategy published in April 2015. Commentators note that deterrence is a key characteristic of the US cyberdefence strategy.

    Transnational cooperation

    The necessity to engage in transnational cooperation to counter the complex challenge posed by cybercrime is widely recognised both inside and outside the EU. Transnational cooperation exists at both the strategic and the operational level. The EU-US Working Group on Cybersecurity and Cybercrime is an example of strategic cooperation and is the first transatlantic dialogue to tackle common challenges in the area of cybercrime and cybersecurity. On an operational level, transnational cooperation has manifested through a range of activities, from botnet takedown to disruption of underground forums.

    Challenges, however, remain in the area of combatting cybercrime as identified by the study team through the interviews. Mutual Legal Assistance Treaties (MLATs) are widely regarded as outdated and obstacles to effective and timely information sharing. Further, the importance of acquiring data for investigations is debated among law enforcement agencies and civil society groups. Deconfliction – avoiding the duplication or conflict of efforts – is another challenge. Due to the involvement of various stakeholders, cooperation is essential to avoid potentially disrupting others’ efforts. The draft Europol Regulation contains provisions that interviewees have reported could complicate the attainment of information from the private sector, possibly obstructing future operations.2

    Effectiveness of the EU response

    Ideally, capabilities respond directly to threats and the effectiveness of the EU response can be measured by noticeable changes in the threat landscape. However, such an assessment is not feasible; there is not enough information available in the public domain and measurement problems persist. Moreover, the EU response is still very much in development and geared towards addressing fragmentation in its approach to cybersecurity, as well as the approach taken by the 28 Member States. This consists of harmonising strategies and standards and coordinating regulatory interventions, as well as facilitating (or more precisely, requiring) information sharing and gap closures between Member States. Due to the inherently relative nature of cybersecurity and the challenges associated with attaining cyberresilience, it is difficult to state whether the new initiatives have been successful. Given these challenges to measuring effectiveness, the study team explored perceptions about the effectiveness of the EU response based on existing commentary and supplemented with interviewees’ responses.
     
    The first key finding in relation to the perceived effectiveness of the EU response is that while there is still fragmentation, there is also discernible improvement. Particularly noteworthy is the strategic cooperation agreement between ENISA and EC3, which aims to facilitate closer cooperation and the exchange of expertise. However, questions remain about fragmentation, especially with respect to the proposed NIS Directive. Various points of dissension remain as the trilogue negotiations between the European Commission, European Parliament and the Council of the European Union continue. Moreover, fragmentation is notable not only in terms of operational capabilities but also in terms of Member States’ understanding of the cyberdomain. Bridging these gaps will therefore require technical support as well as strategic guidance.

    The second finding is that differences in opinion persist as to whether the overall approach to cybersecurity should be voluntary and informal or mandatory and formal. For example, the CERT community, which has conventionally relied on voluntary participation and cooperation between private and public entities, appears less willing to move to a system in which information sharing is mandatory. In contrast, other security agencies favour law enforcement and support more stringent requirements, for instance in information sharing, as they believe voluntary reporting has failed.

    Third, as the new approach proposed through the Strategy and the draft NIS Directive is largely regulatory in nature, the issue of scope – in terms of the entities formally included as having a role in cybersecurity – is heightened and contested. One issue is whether Internet service providers (ISPs) should be included. These scoping challenges are likely to exacerbate existing contentions surrounding the NIS Directive and call into question whether the present regulatory approach is appropriate to secure European cyberspace.

    Policy options

    Based on this study’s findings the research team suggests the following policy options for the European Parliament’s consideration in terms of EU action on cybersecurity. Each option is elaborated in the Conclusion.

    1. Encourage ENISA, EC3 and others involved in European cyberthreat assessments to investigate further harmonisation of threat assessments, which can effectively incorporate information from Member States and other EU agencies and provide clearer indications of the evidence base for the assessment. This recommendation follows from the findings from the review of threat assessments undertaken for this study.
    2. Make use of existing structures as much as possible. One of the concerns identified by the study team – from a review of existing literature and in interviews with experts – was the tendency of the Commission to develop new structures and exclude existing initiatives and agencies.
    3. Consider reinserting law enforcement in the Network and Information Security (NIS) Directive. The attempt to overcome fragmentation at the EU level is hampered by the exclusion of law enforcement from provisions in the proposed NIS Directive.
    4. Ensure Europol has speedy and more direct access to information from the private sector. Speedy access to relevant information from the private sector is essential for Europol to combat transnational cybercrime. There is potential for this access to be hindered by having to go through the Member States, which may reduce the effectiveness of Europol’s operations, especially as Europol cooperates with partners at the transnational level.
    5. Assess what capability gaps actually exist between the Member States and measure progress. Despite the claims about gaps between Member States, our research suggests that there is very little empirical evidence to indicate which States are more advanced than others and in what areas. To improve this situation and to develop a better understanding of these gaps, ranking Member States and identifying areas of improvement could be made more explicit.

    …continue reading

    NOTES

    1  (ACSC: Threat Report; BSI: State of IT Security Germany; ENISA: Threat Landscape (ETL); Europol: Internet Organised Crime Threat Assessment (iOCTA); NCSC: Cyber Security Threat Assessment the Netherlands (CSAN); Verizon: Data Breach Investigations Report (DBIR).
    2 European Parliament. 2014b. Legislative resolution of 25 February 2014 on the proposal for a regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA. P7_TA(2014)0121 (COM(2013)0173 – C7-0094/2013 – 2013/0091(COD)). As of 12 October 2015: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2014-0121&language=EN&ring=A7-2014-0096