Schrems Versus Facebook: is the end of Safe Harbor approaching ?

by Emilio De Capitani

Today Advocate General Yves Bot has presented his long-awaited conclusions on the Case C‑362/14 Maximillian Schrems v Data Protection Commissioner. This case better described by the press as the “Schrems v Facebook” Case (why not “David V Goliath” ?)  put in question the so called Safe harbor “agreement” which frame the conditions under which personal data of the people under the EU jurisdiction can be transferred or treated by servers of US Companies (such as Facebook, Google, E-Bay) on the US territory.
As the protection of personal data is a fundamental right under EU law (notably after the entry into force of the art.8 of the EU Charter)  art. 25 of Directive 95/46 foresees that the transfer of these data to a third country is legitimate only if the data are “adequately” protected.
The problem is that in the US there is no comprehensive legal protection framework comparable to the one existing in the EU so that in 2000 the Commission negotiated with the US the establishment of a specific voluntary regime (the “Safe Harbor Principles”) which could had been considered granting an “adequate” protection of personal data  having regard to the standard applicable in Europe.

At the time the European Parliament voted against this regime but was unable to obtain stronger safeguards because of the unwillingness of the US authorities and moreover by the Commission which was more interested to the transfer of data than of their protection.

Since then the transatlantic flow of data has grown every day and with them the economic benefices of the US Companies without any real re-assesment of the compliance of the Safe Harbor principles on the US side (by the Federal Trade Commission) or on the EU side (by the Commission) even after the entry into force of the Lisbon Treaty which changed the legal basis of EU policies linked with the protection of personal data.

However when the Snowden revelations made clear to everybody that all these EU personal data could be massively analyzed without judicial overview by the US Intelligence Services someone in the EU  woke up.

Between the EU Institutions the European Parliament asked the suspension of the Safe Harbor agreement but its initiative was not followed by the Commission (as unfortunately happens more and more frequently); but it is thanks to the obstinacy of Maximilian Schrems, an Austrian law student that the case was finally been brought, first before to the Irish Data Protection Commissioner, then before the Irish High Court and now before the Court of Justice.

This case is extremely interesting  not only because it confirms that in a democracy someone has to …watch the watchers be they at national or European level (notably if they are sleeping or hiding behind each other…) but also because it shows that also an “ordinary” Citizen can dare to do in name of the EU law and of his rights what the EU Institutions are less and less willing to do.

Enjoy now the reading the instructive and very detailed Yves BOT arguments drawing him to declare that the Commission initial “adequacy finding” was not adequate at all (as also the EP wrote in its 2000 resolution) and that National Authorities should fully play their role and not hiding behind the Commission “Adequacy decisions”.

Such a strong reasoning if endorsed by the Luxembourg Judges should inspire

  • a re-assessment of other EU-US ‘executive’ agreements dealing with data protection (the draft “Umbrella agreement” included)
  • a revision of the Data Protection package at least as far as the regime of Commission “adequacy finding” is concerned (which due to its large marge of discretion could no more be considered a simple “implementing measure” but at least a “delegated” power …) and a stronger role of the Data Protection Board which should have a direct jurisdiction at least for Data controller “over the top” such as Facebook, Google, E-Bay and so on…

It is only unfortunate that the European Parliament which on these issues was on the right side between 1999 and 2004 is now slowly sliding away notwithstanding a much stronger constitutional framework and a binding Charter …

Anyway many thanks Max!! Hope that 10, 100, 1000 of European citizens could follow your example…

 

CONTINUE READING : OPINION OF ADVOCATE GENERAL BOT 

delivered on 23 September 2015 (1Case C‑362/14 Maximillian Schrems Data Protection Commissioner

Continue reading “Schrems Versus Facebook: is the end of Safe Harbor approaching ?”

EP Study : Big Data and smart devices and their impact on privacy

FULL STUDY ACCESSIBLE HERE
AUTHORS : Dr  Gloria  González Fuster, (Research  Professor  at  the Vrije Universiteit  Brussel  (VUB), Dr Amandine Scherrer, (European Studies Coordinator and Associate Researcher at the Centre d’Etudes sur les  Conflits,  Liberté  et  Sécurité -CCLS)

EXECUTIVE SUMMARY

EU citizens and residents and, more generally, all individuals deserving protection as ‘data subjects’ by EU law, are directly impacted by EU strategies in the field of Big Data. Indeed, the data-driven economy poses significant challenges to the EU Charter of Fundamental Rights, notably  in  the fields of  privacy and  personal data protection.

Big Data refers to the exponential growth both in the availability and automated use of information. Big Data comes from gigantic digital datasets held by corporations, governments and other large organisations; these are extensively analysed (hence the name ‘data analytics’) through computer algorithms. There are numerous applications of Big Data in various sectors, including healthcare, mobile communications, smart grids, traffic management, fraud detection, or marketing and retail (both on- and offline). The notion, primarily driven by economic concerns, has been largely promoted through market-led strategies and policies. Presented as an enabler of powerful analytical and predictive tools, the concept of Big Data has also raised numerous criticisms emphasising such risks as biased information, spurious correlations (associations that are statistically robust but happen only by chance), and statistical discrimination. Moreover, the promotion of Big Data as an economic driver raises significant challenges for privacy and digital rights in general. These challenges are even greater in a digital ecosystem with a proliferation of cheap sensors, numerous apps on mobile devices and an increasingly connected world that sometimes does not even require human intervention (as shown in the increasing development of the Internet of Things [IoT]). The flows of information on- and off line, shared and multiplied across computers, mobile devices, watches, SmartBands, glasses, etc., have dramatically increased the availability, storage, extraction and processing of data on a large scale. It has become increasingly difficult to track what is made of our data. This situation is complicated further by the wide variety of actors  engaged  in  data  collection  and  processing.

The numerous debates triggered by the increased collection and processing of personal data for various – and often unaccountable – purposes are particularly vivid at the EU level. Two interlinked, and to some extent conflicting, initiatives are relevant here: the development of EU strategies promoting a data-driven economy and the current reform of the EU personal data protection legal framework, in the context of the adoption of a General   Data  Protection  Regulation  (GDPR).

In order to address the issues at stake, the present Study provides an overview of Big Data and smart devices, outlining their technical components and uses (section 2). This section shows that many contemporary data processing activities are characterised by a high degree of opacity. This opacity directly affects the ability of individuals to know how data collected about them is used; it also hinders their capacity to assess and trust the manner in which choices are (automatically) made – whether, in other words, these choices are appropriate or fair. As regards smart devices, cheap sensors or the IoT, the pervasiveness of sensors and extensive routine data production might not be fully understood by individuals, who may be unaware of the presence of sensors and of the full spectrum of data they produce, as well as the data processing operations treating this diverse data. If Big Data, smart devices and IoT are often promoted as key enablers of market predictions and economic/social dynamics, data processing raises the question of who  controls one’s  data.

In this perspective, Section 3 presents the different EU approaches on the digital economy and the questions raised in terms of privacy and personal data protection (Section 3). This section argues that in the current context of the development of a Digital Single Market for Europe (DSM), the European Commission’s perspective is very much commercially and economically driven, with little attention to the key legal and social challenges regarding privacy and personal data protection. Even though the European Commission points out some of the key challenges of processing data for economic and market purposes (i.e., anonymisation, compatibility, minimisation), the complexity of these challenges is somehow under-estimated. These challenges can be grouped around the following questions any digital citizen may ask her/himself under EU law: which data about me are collected and for what purposes? Are data protected from unauthorised access and to  what  extent  is  control  exercised  upon  the processing  of my  personal   data?

Section 4 then considers these questions in the specific context of the Data Protection Reform package. Arguing that the digital citizens rights should be the main focus of the current debates around the GDPR, this Section underlines that Big Data, smart devices and the IoT reveal a series of potential gaps in the EU legal framework, in the following areas in particular: transparency and information obligations of data controllers; consent (including consent in case of repurposing); the need to balance public interest and the interests of data subjects for legitimising personal data processing; the regulation of profiling; and proper safeguarding of digital rights in case of data transfers to  third  parties and  third  countries.

In light of these findings, the Study concludes with key recommendations for the European Parliament and, in particular, the LIBE Committee responsible for the protection of natural persons with regards to the processing of personal data. These recommendations aim at ensuring that negotiations around the GDPR promote a strong and sustainable framework  of  transparency  and  responsibility  in which  the data  subject’s rights  are  central.

In particular, the guiding principle of any exploitation of personal data should be driven by the requirement of guaranteeing respect for the Fundamental Rights (privacy  and  personal  data protection) laid  down  in EU primary  and secondary  law (recommendations 1 & 2).

The role of data controllers in this perspective is central as they are legally required to observe a number of principles when they process personal data, compliance of which must be reinforced. The degree of information and awareness of data subjects must be of prime concern whenever personal data processing takes places, and the responsibility for protecting Fundamental Rights should be promoted along the data production chain and gather various stakeholders. Furthermore, the GDPR should ensure that individuals are granted complete and effective protection in the face of current   and   upcoming   technological   developments   of   Big   Data   and   smart   devices (recommendation 3).

The GDPR currently under discussion should in any case not offer less protection and guarantees than the 1995 Data Protection Directive, and users should remain in complete control of their personal data throughout the data lifecycle.

Finally, effective protection of individuals cannot be guaranteed solely by the adoption of a sound GDPR. It will also require a consistent review of the e-Privacy Directive (recommendation 4), an instrument that not only pursues the safeguarding of personal data protection but, more generally, aims to ensure this right and the right to respect for private life.

EU Provisional measures of Refugees Relocation: some progresses but still on a bumpy road…

by Emilio De Capitani

Yesterday, the Justice and Home Affairs Council thanks to Luxembourg Presidency endeavor has (finally!) taken an important decision to relocate 120,000 refugees from Greece, Italy and other Member States directly affected by the refugee crisis. From a political and Institutional point of view this is a big step forward and the Luxembourg Presidency should be praised to have asked for a vote notwithstanding the opposition of Hungary, the Czech Republic, Slovakia and Romania (and the abstention of Finland). The show down has become inevitable for several reasons. First and foremost because of the dimension of the migratory phenomenon even if it is hard to consider that it has  taken the European Union by surprise as the dimension of the Sirian crisis should had been taken in account much more in advance …

But the real reason is that several countries (such as Germany, Austria, Slovenia,) have decided to re-establish the controls at the internal borders of the Schengen area which is an exceptional possibility explicitly foreseen in and regulated by the new art 23 of the  Schengen Borders Code, in case of a serious threat to public policy or internal security.. However if the “exception” is triggered by too many countries is the general rule of the freedom of movement inside the Schengen area which is under threat and this risk to have an impact not only on the freedom of EU Citizens but on the internal market itself (which for national and European administrations is even more important of EU citizens rights..).

The decision has then been taken after painful discussions and under the growing  pressure of the European Council (as it happened previously only in exceptional cases such as after September 11th..). What is worrying is that the Visegrad Countries which have been outvoted risk to challenge the text adopted before the Court of Justice. (according to EUOBSERVER the Czech interior minister Milan Chovane said his country’s willing to do so).

If this was the case the Court will be confronted to a text which from a legal and institutional point of view is messy, inconsistent and under some perspectives probably contrary to the Treaty. Just to mention some of these aspects it is appalling that a Council Decision pretend to establish a “lex specialis” which could “temporary” amend the Dublin Regulation (an act adopted under a different legal basis and in codecision).

Moreover the Decision as adopted yesterday is different from the one voted by the European Parliament some days ago so that, under a constant CJEU Jurisprudence  the Council is under the obligation to re-consult the European Parliament on the latest modifications (such as the exclusion of Hungary from the mechanism…).

However the difficult path towards the implementation of a true EU solidarity and burden sharing in these policies (as foreseen by art 80 of the TFEU) is at least starting now…

ANNEX: THE TEXT OF THE COUNCIL DECISION (Council doc 12098/15 Interinstitutional File: 2015/0209 (NLE) BEWARE THE LEGAL LINGUISTIC REVISION IS STILL TO BE DONE ! COUNCIL DECISION (EU) 2015/… of … establishing provisional measures in the area of international protection for the benefit of Italy and Greece

Continue reading “EU Provisional measures of Refugees Relocation: some progresses but still on a bumpy road…”

A quest for accountability? EU and Member State inquiries into the CIA Rendition and Secret Detention Programme

EXCERPTS FROM A STUDY FOR THE EP LIBE COMMITTEE 

Authors: Prof. Didier Bigo, Dr Sergio Carrera, Prof. Elspeth Guild, and Dr Raluca Radescu.

At the request of the LIBE Committee, this study assesses the extent to which EU Member States have delivered accountability for their complicity in the US CIA-led extraordinary rendition and secret detention programme and its serious human rights violations. It offers a scoreboard of political inquiries and judicial investigations in supranational and national arenas in relation to Italy, Lithuania, Poland, Romania and the United Kingdom. The study takes as a starting point two recent and far-reaching developments in delivering accountability and establishing the truth: the publication of the executive summary of the US Senate Intelligence Committee (Feinstein) Report and new European Court of Human Rights judgments regarding EU Member States’ complicity with the CIA. The study identifies significant obstacles to further accountability in the five EU Member States under investigation: notably the lack of independent and effective official investigations and the use of the ‘state secrets doctrine’ to prevent disclosure of the facts, evade responsibility and hinder redress to the victims. The study puts forward a set of policy recommendations for the European Parliament to address these obstacles to effective accountability.

EXECUTIVE SUMMARY

Although much has been done over the last ten years to overcome major obstacles to ensuring democratic and judicial accountability in respect of EU Member States’ complicity in the unlawful US CIA-led extraordinary rendition and secret detention programme, much remains to be done to uncover the truth and hold those responsible accountable for their actions.

This study takes as a starting point two recent and highly significant developments that have helped to shed light on, and establish accountability for, the actions of EU Member States engaged in the Central Intelligence Agency (CIA) rendition and detention programme. The first is the U.S. Senate Intelligence Committee “Study of the Central Intelligence Agency’s Detention and Interrogation Program” (also known as the Feinstein Report) published in December 2014, which provided further evidence of the nature of the relationship between the CIA and several European state authorities and their wrongdoing. The second is the collection of recent judgments of the European Court of Human Rights (ECtHR), particularly in the Al Nashiri and Abu Zubaydah cases, which have helped to provide substantive rule of law standards against which to measure national political inquiries and judicial investigations.

Through the prism of these two important recent developments, this study builds on the 2012 European Parliament study on “The results of inquiries into the CIA’s programme of extraordinary rendition and secret prisons in European states in light of the new legal framework following the Lisbon treaty”. First (section 2), it pinpoints the critical findings of the Feinstein Report and their relevance for EU Member State inquiries, in particular the new revelations that: the CIA was isolated both nationally and internationally; European states that collaborated with the CIA were quick to withdraw assistance when scrutiny increased, leaving the CIA on the run; the UK failed to refute unfounded CIA claims about the intelligence value of information extracted by torture; and the CIA paid large sums of money to cooperative Member States. The study also examines the media controversy provoked by the release of the Feinstein Report and the efforts made by certain actors to undermine its findings.

The study then (section 3) offers an up-to-date account of political inquiries and judicial investigations in five Member States (Italy, Lithuania, Poland, Romania and the United Kingdom). It argues that, while political inquiries and domestic judicial investigations have been or are being conducted in all five Member States and there have been ECtHR cases regarding all but the UK, they have all been beset by obstacles to accountability. The response of the EU institutions is also analysed. While it is acknowledged that the European Commission has taken tentative steps to encouraging accountability (notably in sending letters to Member States in 2013 to request information on investigations underway), it is found that neither the Commission nor the Council have properly followed up on the European Parliament’s recommendations.

After providing a detailed analysis of the recent ECtHR judgments in the Al Nashiri and Abu Zubaydah cases (section 4) and detailing the rule of law benchmarks against which the effectiveness of national investigations can be tested, the study then measures the national political inquiries and judicial investigations and finds them wanting, either because of a lack of independence or because national security or state secrets have been invoked to prevent disclosure of the facts (section 5).

Finally, the study examines what has prevented EU institutions from taking effective action in response to the CIA programme (section 6). It finds a general lack of political will exacerbated by an absence of a clear enforcement mechanism to ensure compliance with the rule of law as laid down in Article 2 TEU, meaning that the important step taken by the Commission to send letters to Member States is bereft of a clear legal framework.

In light of the above considerations, the Study formulates the following policy recommendations to the European Parliament:

Recommendation 1: The Parliament, particularly the LIBE Committee, should establish regular structured dialogue with relevant counterparts in the U.S. Congress and Senate, which would provide a new framework for sharing information and cooperating more closely on interrelated inquiries in the expanding policy field of Justice and Home Affairs.

Recommendation 2: The Parliament should use the recent LIBE Committee decision to draw up a Legislative Own-Initiative Report on an EU mechanism on democracy, the rule of law and fundamental rights to develop and bring further legal certainty to the activation phases preceding the use of Article 7 TEU. Parliament should also insist that the Commission periodically evaluate Member States’ compliance with fundamental rights and the rule of law under a new ‘Copenhagen Mechanism’ to feed into a new EU Policy Cycle on fundamental rights and rule of law in the Union.

Recommendation 3: The Parliament should adopt a Professional Code for the transnational management and accountability of data in the EU. The Code would outline where ‘national security’ and ‘state secrets’ cannot be invoked (i.e. define what national security is not). It would additionally lay down clear rules aimed at preventing the use and processing of information originating from torture or any related human rights violations.

Recommendation 4: The Parliament should demand that the Commission properly follow up on its resolutions and recommendations.

Recommendation 5: The Parliament should call on the President of the European Council to issue an official statement on the rendition programme to the Plenary, stating clearly the degree of Member States’ complicity and detailing obstacles to proper accountability and justice for the victims.

Recommendation 6: The Parliament should call for effective judicial investigations into the Feinstein Report’s findings that the CIA paid large sums of money to Member States for their complicity in the rendition programme, which amount to allegations of corruption.

The EU-US Umbrella agreement on Data Protection just presented to the European Parliament. All people apparently happy, but….

ORIGINAL PUBLISHED BY EU-LOGOS

by Paola Tavola (EU LOGOS Trainee)

“For the first time ever, the EU citizens will be able to know, by looking at one single set of rules, which minimum rights and protection they are entitled to, with regards to data share with the US in the law enforcement sector”. These are the words of P. Michou, chief negotiator in charge of the negotiation process of the so called EU-US “Umbrella Agreement”, who gave a public overview on the lately finalized transatlantic data protection framework in the field of law enforcement cooperation. The speech, delivered during the last meeting of the LIBE committee of the European Parliament, has met a warm welcome by the MEPs. Great congratulations have been expressed by all the political groups, for the work done by the negotiating team of the Commission that, from its side, has thanked the LIBE committee for its strong support and pressures. As Mrs. Michou said, they “helped us to be stronger in our negotiations”. Negotiations that were dealt with a partner that is far from being an easy one. The words of Michou, however, have not completely reassured all the MEPs, who have called for a legal opinion on the text of the agreement to be delivered by the legal department of the European Parliament. Legal certainties about the potential benefits or detrimental effects that this agreement could have on the existing EU data protection rules, as well as on past and future agreements, have been asked by the majority of the deputies, as a necessary precondition for the vote.

Historical context

An EU-US agreement in the field of protection of personal data was already called by the European Parliament in the year 2009. At that time, in a resolution on the state of transatlantic relation, the Parliament underlined the necessity of a “proper legal framework, ensuring adequate protection of civil liberties, including the right to privacy”, to be agreed on the base of a binding international agreement. The Commission then, on the invitation of the European Council, proposed a draft mandate for starting the negotiations with the United States, on a high standard system of data protection. The final mandate, being adopted by the Council in December 2010, opened the negotiation procedure among the two partners, that formally started on March 2011.

The negotiations have been though, mainly because of a great cultural difference existing among the two partners in terms of data protection, but after four years of work, the agreement has been initialed in Luxembourg, last September 8th. The final text, that can be signed only with the authorization of the Council and the consent of the Parliament, represents a huge step forward: “if we look back to some years ago, it was clear that some of the issues that have been now achieved in the text, couldn’t even have been theoretically possible”, Jan Philippe Albrecht (Greens/EFA) said, by opening the debate after Mrs. Michou speech.

The european Commissioner for Justice, Consumers and Gender Equality, Věra Juorová, by declaring full satisfaction for the conclusion of the discussions, affirmed: “robust cooperation between the EU and the US to fight crime and terrorism is crucial to keep Europeans safe. But all exchanges of personal data, such as criminal records, names or address, need to be governed by strong data protection rules. This is what the Umbrella Agreement will ensure.”

Terrorism or organized crime are phenomena that definitely constitute serious threats to security. However, leaving aside the narrow concept of security, as many theories and authors consider nowadays, a threat to security can be identified as any threat to the “cherished values” of our society: thus also to those values such as the right of privacy and the data protection.

The issue concerns how security and law enforcement are able to positively and constructively interact with new technology, but also to clash with it.

On one side, the information and data sharing is now a fundamental and crucial aspect of policy and judicial inter-state cooperation, since major threats and criminal phenomena have assumed a transnational connotation. On the other side however, it is necessary to ensure the protection and the fair and limited treatment of information, that is transferred as part of the transatlantic cooperation in criminal matters, in order to avoid abuses and the setting up of mass surveillance systems.

The two transatlantic partner, have already settled a substantial framework of data transfer rules. In 2010 they signed an agreement on the processing and transfer of financial messaging data from the EU to the US, for the purposes of the Terrorist Finance Tracking Program (TFTP); while in 2012 they concluded a bilateral agreement for the exchange of PNR (Passenger Name Records) data.

“Data protection is a fundamental right of particular importance in the digital age. In addition to swiftly finalizing the legislative work on common data protection rules within the European Union, we also need to uphold this right in our external relations.” This principle was included by Jean-Claude Juncker in the political priorities of the European Commission agenda, presented in July 2014.

A look inside the “Umbrella Agreement” Continue reading “The EU-US Umbrella agreement on Data Protection just presented to the European Parliament. All people apparently happy, but….”

The Italian Job: the CJEU strengthens criminal law protection of the EU’s finances (Comment to ‘Taricco’ Case)

ORIGINAL PUBLISHED ON EU LAW ANALYSIS

by  Steve Peers

The stereotype of fraud against the EU budget is a sleazy EU official in Brussels receiving manila envelopes stuffed full of bribe money, spending his ill-gotten gains to ensure that his lavish lifestyle becomes ever more decadent. But according to the EU’s annual reports on such fraud, the typical offender is actually rather different: it’s an individual or company who finds ways to get hands on EU money being spent by the Member States, since they are largely in charge of the day-to-day management of EU spending. Furthermore, not all the breaches concern EU spending: some concern the reduction of EU income, for instance by avoiding the customs duties which apply to many goods coming from third countries.

Agreeing and enforcing EU-wide rules for such behaviour has long been a challenge. But in its recent judgment in Taricco, the Court of Justice has made a major effort to strengthen the law in this field.

Background

The CJEU ruled back in the 1980s (in the Greek maize judgment) that Member States could not simply ignore fraud against the EU budget, but had to take effective measures to stop it. This rule was later added to the Treaties, and now forms Article 325 TFEU, which reads in part as follows:

  1. The Union and the Member States shall counter fraud and any other illegal activities affecting the financial interests of the Union through measures to be taken in accordance with this Article, which shall act as a deterrent and be such as to afford effective protection in the Member States, and in all the Union’s institutions, bodies, offices and agencies.
  2. Member States shall take the same measures to counter fraud affecting the financial interests of the Union as they take to counter fraud affecting their own financial interests.

As regards criminal law, the current legal rules on the topic date back to 1995, and were adopted in the form of an international Convention (the ‘PFI Convention’) between the Member States, which came into force in 2002. This treaty applies to all Member States except for Croatia (although the Commission has just proposed its application to that State), and the UK – which was initially a party but no longer has legal obligations to apply the Convention since it opted out of many pre-Lisbon criminal law measures as from 1 December 2014 (on that process, see further here). Among other things, the PFI Convention obliges all Member States to impose criminal sanctions for serious cases of fraud against the EU budget.

The Commission proposed a Directive to replace the Convention in 2012, and this is currently in the late stages of negotiation between the Council and the European Parliament (for an update, see here; on the legal basis, see here). It’s evident that one of the main issues remaining in the negotiations is whether the proposed Directive should apply to VAT fraud, given that a small amount of VAT revenue goes to the EU budget. The Commission and the European Parliament argue that it should, while the Council argues against, presumably because the far larger part of the losses from VAT fraud affects national budgets, not the EU budget. There are other issues in the proposed legislation, such as a more precise possible penalty for fraud, and a rule on ‘prescription’ periods (ie the time limit after which a prosecution can no longer be brought or continued).

The proposed Directive is closely connected to another piece of proposed EU legislation: the Regulation establishing the European Public Prosecutor’s Office (EPPO). That’s because the EPPO will have jurisdiction only over EU fraud, and so it’s necessary to have a definition of that concept. (On the defence rights aspects of the EPPO proposal, see discussion here); for an update on negotiations, see here). And the EPPO Regulation is in turn linked to a third legislative proposal: the Regulation refounding Eurojust, the EU’s agency for coordinating national prosecutions. That’s because there will be close links between Eurojust and the EPPO, and so the Eurojust Regulation can’t be finalized before the EPPO Regulation is agreed. (The Council has agreed all of the Eurojust Regulation except for the bits relating to EPPO links: see the agreed text here. This will still have to be negotiated with the European Parliament, however).

Judgment

The recent CJEU judgment in Taricco concerns alleged VAT fraud against a national budget, and in particular the question of prescription periods. Italian rules on the breaks in prescription periods mean few cases involving VAT fraud are ever seen through to completion, since time simply runs out during the proceedings.  A frustrated Italian court therefore asked the CJEU whether these national rules infringed the economic law of the EU: namely the rules on competition, state aids, economic and monetary union and the main VAT Directive.

According to the CJEU, the national law does not infringe EU competition law, because inadequate enforcement of criminal law does not as such promote cartels. It does not infringe state aid law, because the Italian government was not waiving tax obligations as such. Furthermore, it does not infringe monetary union rules, since it was not closely enough linked to the obligation to maintain sound public finances.

That left the VAT Directive. In fact, that Directive sets out the scope of VAT (ie which goods and services have to be taxed), but does not include any rules on criminal law issues. The Court therefore assumed that the national court was asking it questions about EU law more generally, and proceeded to interpret Article 325 TFEU and the PFI Convention. According to the Court, building on the previous case law such as Fransson, there was not only an obligation pursuant to the VAT Directive and Article 325 TFEU to take effective measures in general against VAT fraud to defend the EU budget, there was also a specific obligation to criminalise such activity, where it was ‘essential to combat certain serious cases of VAT evasion in an effective and dissuasive manner’. This was consistent with obligations under the PFI Convention; the Court confirmed that the Convention applied to VAT fraud, despite the absence of express provisions to this effect under the Convention. Given the size of the alleged fraud in this case (several million euros), it had to be considered serious.

Furthermore, the Court ruled that the operation of the limitation periods in Italian law infringed Article 325 TFEU. A limitation period was not objectionable as such, but national law made it effectively possible to prosecute offences because the way in which it calculated breaks in the prosecution. Also, the national law infringed the principle of equality set out in Article 325, since other national laws on similar types of economic crime did not contain the same problematic rules on calculation of breaks.

The Court then ruled on the consequences of this breach of EU law. In the Court’s view, the national court has to disapply the relevant national law. This obligation was based on Article 325 TFEU, which sets out precise and unconditional rules on effective and equal protection of the EU’s financial interests. So the ‘precedence’ (ie, primacy or supremacy) of EU law required national law to be disapplied.

Finally, the CJEU dismissed a human rights objection to its ruling. While Article 49 of the EU Charter of Fundamental Rights does ban the retroactive application of more stringent criminal penalties than those in force when a crime was committed, the CJEU ruled (following the case law of the European Court of Human Rights on the equivalent Article 7 ECHR) that a limitation period was distinct from a substantive criminal offence. The acts which the defendants were accused of committing were undoubtedly criminal offences in national law at the time of their alleged commission, so there was no retroactivity of criminal law in the sense prohibited by the Charter.

Comments

“You were only supposed to blow the bloody doors off!” This classic quote from The Italian Job aptly summarises the CJEU’s approach to the relationship between national law and EU law in this judgment. Asked only to rule on the interpretation of EU economic law, the Court decided instead to strengthen the constitutional foundations of EU law in the criminal field.

Substantively, the Court’s judgment is significant because it extends EU criminal law obligations to VAT fraud. This is, in the Court’s view, a pre-existing obligation not only in the PFI Convention, but also in the TFEU itself. To overturn it, Member States would therefore have to amend the Treaty, not just the Convention (in the form of the proposed Directive). Also, Member States’ obligations extend not only to criminalisation of serious cases of VAT fraud, but to prescription (and so potentially other procedural issues) as well.  So if Member States (in the Council) do insist on excluding VAT from the scope of the EU fraud Directive, that would have limited impact. Indeed, the Council Presidency has already asked Member States if there is any point maintaining their opposition on this point after the Taricco judgment.

Presumably the Court’s rulings on prescription and criminalisation apply to other forms of EU fraud too. This means that including prescription rules in the Directive (as all of the EU institutions are willing to do) simply confirms the status quo – although the final Directive will likely be more precise on this issue than the CJEU’s ruling. Furthermore, since the Taricco judgment could help to unblock talks on the PFI Directive, this could have a knock-on effect on the negotiations on the EPPO and Eurojust.

Moreover, the Court’s ruling limits the effect of various opt-outs. Ireland and Denmark have opted out of the proposed Directive, but will remain bound by the PFI Convention; the UK has opted out of both. But they remain bound by the Court’s interpretation of the Convention (for Ireland and Denmark) and the Treaty (for all three Member States). This has limited practical impact, as long as national law remains compliant (assuming that it is already compliant) with these measures as interpreted by the Court. While the UK is no longer free to decriminalise fraud against the EU budget, it was never likely to use that ‘freedom’ anyway, particularly as regards VAT fraud, where the main loss would be to the British government’s revenue, not the EU’s.

More fundamentally, the Taricco judgment strengthens the constitutional foundations of criminal law obligations in the EU legal order. While this may only be relevant for EU fraud cases, the Court has already broadened that concept to include VAT fraud. In such cases, there is an obligation for national courts to disapply incompatible national law as regards the procedural aspects of criminal proceedings. Conversely, there is no obligation to disapply incompatible substantive national criminal law, since this would lead to a breach of Article 49 of the Charter.

The ruling is based on the legal effect of the Treaties – the Court does not rule on the legal effect of the ‘third pillar’ Convention. It sets out a test for primacy similar to the test for direct effect (the Court refers to the precise and unconditional nature of the rules in Article 325 TFEU). It is not clear how this rule fits into the EU’s overall constitutional architecture – as a clarification of the general rules or as a special rule relating to protection of the EU’s financial interests. But in any event, the Taricco judgment is a significant contribution toward strengthening the EU’s role in this particular field.

 

An updated version (2014) of the Handbook on European law relating to asylum, borders and immigration just published..

(EXCERPTS OF THE HANDBOOK INTRODUCTION)

A first version of the handbook on the European law relating to asylum, borders and immigration is co-authored by the European Agency for Fundamental Rights (FRA) and by by the European Court of Human Rights was published (in four languages) in June 2013. This second edition incorporates the changes to the EU asylum acquis published in the summer of 2013. Future updates of this handbook will become available on the FRA webpage at: http://fra.europa.eu/en/theme/asylum-migration-borders and on the European Court of Human Rights (ECtHR) webpage at: www.echr.coe.int under “Publications”.

This handbook provides an overview of the law applicable to asylum, border man-agement and immigration in relation to European Union (EU) law and the European Convention on Human Rights (ECHR). It looks at the situation of those foreigners whom the EU usually refers to as third-country nationals, although such distinction is not relevant for cited ECHR law.

The handbook does not cover the rights of EU citizens, or those of citizens of Iceland, Liechtenstein, Norway and Switzerland who, under EU law, can enter the territory of the EU freely and move freely within it. Reference to such categories of citizens will be made only where necessary in order to understand the situation of family members who are third-country nationals.

There are, under EU law, some 20 different categories of third-country nationals, each with different rights that vary according to the links they have with EU Member States or that result from their need for special protection.

For some, such as asylum seekers, EU law provides a comprehensive set of rules, whereas for others, such as students, it only regulates some aspects while leaving other rights to EU Member States’ discretion. In general, third-country nationals who are allowed to settle in the EU are typically granted more comprehensive rights than those who stay only temporarily. (…)

This handbook is designed to assist legal practitioners who are not specialised in the field of asylum, borders and immigration law; it is intended for lawyers, judges, prosecutors, border guards, immigration officials and others working with national authorities, as well as non-governmental organisations (NGOs) and other bodies that may be confronted with legal questions relating to these subjects.

It is a first point of reference on both EU and ECHR law related to these subject areas, and explains how each issue is regulated under EU law as well as under the ECHR, the European Social Charter (ESC) and other instruments of the Council of Europe. Each chapter first presents a single table of the applicable legal provisions under the two separate European legal systems. Then the relevant laws of these two European orders are presented one after the other as they may apply to each topic. This allows the reader to see where the two legal systems converge and where they differ.

Practitioners in non-EU states that are member states of the Council of Europe and thereby parties to the ECHR can access the information relevant to their own country  by going straight to the ECHR sections.

Practitioners in EU Member States will need to use both sections as those states are bound by both legal orders. For those who need more information on a particular issue, a list of references to more specialised material can be found in the ‘Further reading’ section of the handbook.

ECHR law is presented through short references to selected European Court of Human Rights (ECtHR) cases related to the handbook topic being covered. These have been chosen from the large number of ECtHR judgments and decisions on migration issues that exist.

EU law is found in legislative measures that have been adopted, in relevant provisions of the Treaties and in particular in the Charter of Fundamental Rights of the European Union, as interpreted in the case law of the Court of Justice of the European Union (CJEU, otherwise referred to, until 2009, as the European Court of Justice (ECJ)).

The case law described or cited in this handbook provides examples of an important body of both ECtHR and CJEU case law. The guidelines at the end of this handbook are intended to assist the reader in searching for case law online.

Not all EU Member States are bound by all the different pieces of EU legislation in the field of asylum, border management and immigration. Annex 1 on the ‘Applicability of EU regulations and directives cited in this handbook’ provides an overview of which states are bound by which provisions.

It also shows that Denmark, Ireland and the United Kingdom have most frequently opted out of the instruments listed in this handbook. Many EU instruments concerning borders, including the Schengen acquis – meaning all EU law adopted in this field – and certain other EU law instruments, also apply to some non-EU Member States, namely Iceland, Liechtenstein, Norway and/or Switzerland.

While all Council of Europe member states are party to the ECHR, not all of them have ratified or acceded to all of the ECHR Protocols or are State Party to the other Council of Europe conventions mentioned in this handbook. Annex 2 provides an overview of the applicability of selected Council of Europe instruments, including the relevant Protocols to the ECHR. Substantial differences also exist among the states which are party to the ESC. States joining the ESC system are allowed to decide whether to sign up to individual articles, although subject to certain minimum requirements. Annex 3 provides an overview of the acceptance of ESC provisions.

EU Anti-Money Laundering legal framework: the race has started again…

by Dalila DELORENZI (FREE Group Trainee)

After two years, the revision of the new EU Anti-Money Laundering (AML) framework has finally come to an end. The 20th May the European Parliament at its second reading has adopted the Fourth Directive AML  (Directive (EU) 2015/849) along with the new Regulation on information on the payer accompanying transfers of funds (Regulation (EU) 2015/847).

The revision was triggered by the necessity to adapt the legal framework to counter new threats of money laundering and terrorist financing and to reflect recent changes due to revised Financial Actiont Task Force (FATF)  Recommendations. In the following lines the new legal framework is presented by including some crucial measures which could represent a real step-up in the fight against money laundering, financing terrorism and tax evasion.

  1. Introduction of an European register of beneficial ownership

The creation of an European register of beneficial ownership has been one of the sticking point and the reason why the text has attracted much more political attention than the latest directives and the negotiations have taken much longer than it was expected.

1.1 Definition of beneficial ownership and the problems caused by “phantom firms”

A beneficial owner  is a natural person – a real, live human being and not another company or trust – who stands behind a company (or trust) as the ultimate owner and controller, directly or indirectly exercising substantial control over the company or receiving substantial economic benefits (such as receipt of income) from the company. If the true owner’s name is disguised, we deal with “anonymous companies”. In a majority of countries, keeping unknown the true owner’s name is perfectly legal and there is typically no requirement to disclose that the names listed are merely front-people.

Such anonymous companies can be created by using “nominees”, people who front the company in place of the true owner, or by incorporating one or more of the companies in a country which does not make details of the beneficial owners publicly available. Also called “phantom firms”, they exist only on paper, with no real employees or office.

Now, it’s certainly true that such entities can also have legitimate uses, but the untraceable company can also be a vehicle of choice for crimes such as money laundering, tax evaders and financier of terrorism.

1.2 The role of anonymous companies in money laundering

Although there are countless ways to launder money, money laundering can be broken down into three stages:

  • Placement: the initial entry of illicit money into the financial system. This might be done by breaking up large amounts of cash into less conspicuous smaller sums that are then deposited directly into a bank account.
  • Layering: the second step consists in the process of separating the funds from their source. This purpose is often followed by using anonymous shell companies: for instance, wiring money to account owned by anonymous shell company.
  • Integration: money re-enter the legitimate economy. For instance, by investing the funds into real estate and luxury assets.
  • That being said, it is clear that these secretive “shell” companies and trusts play a central role in laundering and channelling funds, concealing behind a veil of secrecy the identity of corrupt individuals and irresponsible businesses involved in activities, including tax evasion, terrorist financing, and the trafficking of drugs and people. More precisely, it is impossible for law enforcement officials go back to the real individuals ultimately responsible for the company’s actions and to track the origin of illicit funds.
  • 1.3 The importance of central registers

Continue reading “EU Anti-Money Laundering legal framework: the race has started again…”

EU-USA “UMBRELLA” AGREEMENT ON DATA PROTECTION: A …LEAKY UMBRELLA ?

Posted HERE on 18. September 2015

by

Leave a comment 

On 8 September 2015, the European Commission announced the successful completion of the negotiations with the US on a framework agreement („Umbrella Agreement“), that shall apply to the co-operation between law enforcement authorities. „Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic. It will in particular guarantee that all EU citizens have the right to enforce their data protection rights in US courts“, said the competent EU Commissioner Věra Jourová. Prerequisite for the signing of the agreement will be, however, that the US Congress will have approved the necessary legislative changes („Judicial Redress Bill“).

Although the Commission initially did not want to publish the agreement, the text – however – has found it’s way into the Internet, enabling the assessment.

First the good news: The agreement contains, in fact, substantial concessions from the US side. It has to be highlighted, that the US shall even provide EU citizens with a right to seek judicial redress if they are of the opinion that their privacy rights have been violated in the context of processing information the respective US authorities have received from the EU. Over years, the US government insisted on granting EU citizens only administrative redress. For Europe such limited redress – ultimately depending on the goodwill of the US administration – would not have provided an adequate level of data protection.

Another positive aspect is that both sides have agreed to commit to the principles of proportionality, necessity and purpose limitation and that they have to determine the use and duration of storage of personal information in accordance with these principles. The concrete purposes of data processing and the retention periods have to be determined by the specific legal acts.

However, although the agreement improves the legal status of EU citizens whose data are transferred to the US, it would be a misperception that the agreement provides EU citizens with the same privacy rights as US persons. If this would have been intended, the rights provided by US Privacy Act of 1974 and other laws, currently limited to US citizens and residents, could have been extended to EU citizens. Instead, the agreement text contains complicated rules, which do not ensure equality in the result. EU citizens have first to seek administrative redress. They may call a US court only after administrative redress definitely was exhausted. In addition, administrative and judicial redress are limited to those privacy rights explicitly specified in the Agreement, as the right to access and correction of the personal information. The agreement will not grant EU citizens – unlike US citizens – further rights to challenge the lawfulness of the entire process of data processing before a US court.

Furthermore, it should be noted that the agreement shall apply only to judicial and police authorities, but not to authorities with the task to guarantee the „national security“. US intelligence agencies like the NSA and the CIA share personal data with law enforcement agencies, even if they have received these information from their European partners. The provisions of the umbrella agreement would not apply in these cases. Last but not least the agreement does not cover data US and European authorities collect on the basis of national laws, i.e. the Foreign Intelligence Surveillance Act (FISA) or similar European legislation.

Another limitation of the umbrella: While according to the European data protection law, all personal data will be protected regardless of the nationality of the persons concerned, the agreement should apply only to data on EU citizens which have been transferred to the US by European authorities or companies based on bilateral or multilateral agreements. So data relating to citizens of third countries remain unprotected.

Finally, the agreement (Art. 21) falls short, however, with regard to the data protection oversight. It lacks an explicit commitment of both parties to ensure an independent data protection supervision. While the European Union commits that the independent data protection authorities shall be competent to check the provisions, the agreement refers with respect to the United States on a variety of oversight institutions, some of them not independent, which are to exercise the supervision of data protection „cumulatively“.

Given these shortcomings, to me the exultation of the agreement seem premature. The European legal bodies which need to approve the ratification of the agreement, in particular the European Parliament and the parliaments of the Member States are called upon to thoroughly examine the agreement, in particular, its compatibility with the provisions of the EU Charter of Fundamental Rights. Depending on the results of such assessment it might be necessary to renegotiating and caulking the umbrella.

 

HUMANITARIAN VISAS : AN EU TOOL FOR A SAFE ACCESS TO THE EU TERRITORY ?

The Civil Liberties Committee is currently examining a Commission proposal on the revision of the VISA Code. The EP Rapporteur, Lopez Aguilar has just submitted a draft report proposing several amendments some of which covering also the issue of the so-called Humanitarian visas as a possible complementary measure to overcome the current emergency situation for the EU migration policy. The deadline for amendments in view of the future LIBE vote is September 25 and between the external contributions the letter of several representatives of Churches of different confessions is worth reading. EDC

To Members of the European Parliament  LIBE Committee

Brussels, 15 September 2015

Humanitarian visa within the EU Visa Code (recast)

Dear Members of the EP LIBE Committee,

Our organizations represent Churches throughout Europe – Anglican, Orthodox, Protestant and Roman Catholic – as well as Christian agencies particularly concerned with migrants, refugees, and asylum seekers. Our position on humanitarian visas has been developed in close cooperation with the Brussels’ office of the Protestant Church of Germany EKD. Today, we are writing to you regarding the Commission’s proposal for a new EU Visa Code – COM(2014) 164 final.

In our policy paper released in November 2014 we urgently called for the development of a ‘toolbox’ of safe  and  legal   ways  to   protection   in   Europe.

Among the proposed ‘tools’ was the issuing of humanitarian visas. Recently, the European Union has taken several encouraging steps regarding asylum policy. Now, the recast of the EU Visa Code represents a unique opportunity to introduce humanitarian visas throughout the EU which would be an important way to allow for safe access to EU territory and could help save thousands of lives and contribute to putting      people     smugglers     out     of     business.

The European Commission’s communication on the EU Agenda on Migration May 2015 mentions that safe and legal ways need to be available for the most vulnerable groups of people reaching our borders. Moreover, in its resolution on the latest tragedies in the Mediterranean, adopted on 29 April 2015, the European Parliament has, inter alia, called on Member States in point 7: “to make full use of the existing possibilities for issuing humanitarian visas at their embassies and consular offices”.

The UN High Commissioner for Refugees Mr António Guterres called in a speech on 9 July 2015 for developing ways for legal migration giving the example of humanitarian visas. Additionally,  in its recent recommendations   for the Luxembourg  and Netherlands’  EU Presidencies, UNHCR underlined the need for other  legal and safe ways to Europe,  in addition to increasing refugee resettlement from first countries of asylum.

We welcome the recent adoption of an EU wide resettlement plan, allowing 22.504 Syrians refugees to be resettled by EU Member States. However, complementary legal avenues must be made available, to prevent further tragedies of refugees perishing at sea in their attempts to seek protection. As we have explained in our ‘toolbox’ the humanitarian visas are one among many solutions which could help some of the most vulnerable asylum seekers.

The purpose of this letter is threefold. Firstly, to explain what humanitarian visas are; secondly, to explore the experience of states in issuing humanitarian visas; and thirdly, to demonstrate how humanitarian visa fit within the EU Visa Code.

  1. What are humanitarian visas?

Continue reading “HUMANITARIAN VISAS : AN EU TOOL FOR A SAFE ACCESS TO THE EU TERRITORY ?”