Friday, 3 January 2020

Gun Control in the EU: the CJEU’s Decision on the Legality of the Revised European Firearms Directive




Niels Kirst, PhD candidate, Dublin City University

Introduction

On the 3rd of December 2019, the European Court of Justice (hereafter ‘the Court’ or ‘CJEU’) gave its final verdict on the so-called Czech firearms case. In this detailed judgment which gives guidance on the law-making in the European Union (hereafter ‘the EU’), the Court touched on many principles of EU law and refined their meaning. The European Union legislator used its legal powers for the single market (Article 114 TFEU) to adopt Directive (EU) 2017/853, amend the previous firearms Directive 91/477 and Directive 2008/51/EC, in the aftermath of terrorist attacks in Paris and Copenhagen. The initial proposal of the Commission gained steam under the Dutch presidency of the Council in 2016. Finally, the Directive undergo the Trialogue process before being approved according to the co-decision procedure by the European Parliament (hereafter ‘the Parliament’) and the Council of the European Union (hereafter ‘the Council‘). The Parliament approved the amended Directive on 14th of March 2017, while the Council followed suit on the 25th of April 2017, with only the Czech Republic, Poland and Luxembourg disagreeing. Critical voices on political participation and accountability accompanied the legislative process. 

The Czech Republic had specifically harsh aversion towards the Directive, since civilian firearm ownership has a long tradition in the Czech Republic, and the Czech government, as well as Czech civil society groups, feared severe consequences for the Czech economy and the cultural heritage. After being outvoted in Parliament and Council, the Czech Government decided to challenge the Directive at the CJEU. It was alleged a breach of the principle of conferral of powers (Article 5 (2) TEU), of the principle of proportionality (Article 5 (4) TEU), of the principle of legal certainty and protection of legitimate expectations and finally, of the principle of non-discrimination. The Czech Republic, supported by Poland and Hungary in its claim, fired full blast to protect its political interest in front of the CJEU.

Earlier this year, AG Sharpston opined that the claims by the Czech Republic are unfounded and that the Court should uphold the Directive as it stands (see my analysis of the opinion here). The most important precedents for this case were the respective claims on the legal basis against the tobacco Directives from tobacco manufactures (see British American Tobacco and Philip Morris Brands). The trade, sale and possession of tobacco in the single market is situated in a field between health protection and the commerce, whereas, the sale, trade and possession of firearms is situated in a field between security and commerce. The critical question the CJEU had to answer was if Article 114 TFEU is an appropriate legal basis for measures which in large parts tighten security standards of firearm possession, or if this impinges of the national sovereignty of the Member States.

First Plea: Breach of the Principle of Conferral of Powers

The Czech Republic based its first plea on an alleged breach of the principle of conferral of powers by the European Union legislator. The baseline of this argument purported by the Czech Republic was that the aims of the new Directive diverted significantly from the aims of the earlier Directives of 1991 and 2008. Therefore, Article 114 TFEU did not constitute an appropriate legal basis anymore. The Czech Republic emphasised that an amended Directive shall not lead to new objectives which derogate from the original legal basis (Para. 21 – 24). By moving towards the fight against terrorism with the new Directive, the European Union legislator had no mandate to adopt these changes under the umbrella of the internal market competence.

The Court went into a general discussion on the appropriate legal basis for adopting a Directive or a Regulation (para. 31 – 33). Respectively, that new legislation might have several purposes, the Court explained. However, the predominant purpose determines the appropriate legal basis of the new legislation. These clarifications were followed by a discussion on the adequate use of Article 114 TFEU (para. 34 – 40), by assessing that the fight against international terrorism is an objective of general interest for the EU (by analogy health was identified as general interest in British American Tobacco and Imperial Tobacco). Subsequently, the Court tried to answer the question, if the safety and prevention of terrorist attacks had become the predominant purpose of the amended Directive and, if therefore, the legal basis of Article 114 TFEU was not appropriate anymore.

While the Czech Republic argued that the Directive should be analysed in isolation. Parliament and Council argued that the amended Directive has to be seen in light of the two earlier Directives (Para. 41 – 45). The Court clarified that an amended Directive must always be assessed in light of its earlier versions. Therefore, Directive 91/477 and the amendments by the new Directive serve as benchmark regarding the adequate legal basis. Assessing Directive 91/477 and the amendments made by the contested Directive, the Court concluded that by ‘adjusting the balance between the free movement of goods and security guarantees, [t]he EU legislature merely adapted the rule on the possession and acquisition of firearms set out in Directive 91/477 to changes in circumstances. [emphasis added]’ (para. 53) – which the EU legislature is entitled to do in its task of safeguarding the general interests recognised by the Treaty (see also Vodafone and Others) (para. 38). 

Finally, by pointing to the assessment of the firearms Directive in Buhagiar and Others the Court found that the predominant purpose of the measures read in conjunction with the earlier Directive was still ‘the free movement of goods, approximation of laws, regulations and administrative provisions of the Member States, whilst circumscribing that freedom with safety guarantees that are suited to the nature of the goods at issue’ (para. 59). Firearms are inherently dangerous goods, not only for the user itself (as the Czech Republic argued in the oral hearing) but also for fellow citizens, therefore, safety, as general interest recognised by the Treaty, can form a purpose of a Directive under Article 114 TFEU.   

Second Plea: Breach of the Principle of Proportionality

On a different note, the Czech Republic claimed that the European Union legislator did not have sufficient information at its disposal when drafting the Directive and therefore was unable to assess the proportionality of the Directive (para. 65 – 73). This argument was mainly based upon the European Commission skipping an impact assessment before drafting the Directive. The Commission pledged to carry out an impact assessment in an interinstitutional agreement with the Parliament under Article 295 TFEU. However, when the Commission drafted the Directive, it did not have time for a careful impact assessment and instead relied on the REFIT evaluation, which was carried out earlier. The Czech Republic contested that this was insufficient.

The Court highlighted the broad discretion the EU legislator has in evaluating and assessing legislative measures (para. 76 – 81). Further, the Court followed the Opinion of the AG that the pledge to carry out an impact assessment in an interinstitutional agreement under Article 295 TFEU is a non-binding commitment (para. 82). The Court reasoned that not conducting an impact assessment cannot automatically lead to an infringement of the principle of proportionality. Instead, the availability of existing information can still be sufficient to have a meaningful assessment of the principle of proportionality (para. 85). After going through the different studies, which the EU legislator took into account, the Court found that these studies, among them the REFIT evaluation, enabled the legislator to make a meaningful assessment of the proportionality of the new measures (para. 87 – 92).

In the second part of its second plea, the Czech Republic contested that specific articles of the new Directive failed the proportionality test of the EU. Namely, that these measures could have been achieved by less restrictive means (para. 95 – 101). The Czech Republic criticised in its claim the complete prohibition of semi-automatic firearms, as well as the stricter requirements for deactivated and antique firearms (para. 120 and 127). Technical details of the measures which the Czech Republic contested are omitted at this point but can be found in the judgement (para. 102 – 104). The Court first clarified that the judicial review of the proportionality of legislative acts is limited, and that the Court is not in the position to substitute its assessment for that of the EU legislature (para. 118). Instead, it is for the Court to define whether the legislator 'manifestly exceeded' its broad discretion (para. 119).

After going through the technical details of the new prohibitions of certain types of semi-automatic firearms, the Court concluded by pointing out that ‘those institutions [the Council and the Parliament] do not appear to have exceeded their broad discretion’ by these prohibitions (para. 126). The Court found the same regarding the proportionality of the new measures regarding deactivated and antique firearms (para. 131). The requirement of 'manifestly inappropriate in relation to the objectives' is a high bar to reach for new legislation to be deemed disproportionate. Therefore, the Court with its limited power and capacity of review declared the new measures to fulfil proportionality test. 

In the last place, the Czech Republic claimed that the contested Directive interfered with the right to property as it is enshrined in the Charter of Fundamental Rights (hereafter ‘the Charter’) (para. 132). The Court reasoned that Article 17 of the Charter is not an absolute right and may be restricted by limitations which meet the general interest recognised by the EU or the need to protect the rights and freedoms of others (para. 134) (in regard to the ‘right to property’ see a comment on SEGRO, in which the Court discussed Article 17 of the Charter). The Court found the evidence brought forward by the Czech Republic insufficient to prove a disproportionate interference with the right to property as enshrined in the Charter. The Court concluded that a ban on semi-automatic firearms for safety reasons is in the general interest which is recognized in the last sentence of Article 17 (1) of the Charter. 

Third Plea: Breach of the Principle of Legal Certainty and of the Protection of Legitimate Expectations

In its third plea, the Czech Republic claimed that specific measures of the new Directive impinged on the principle of legal certainty and legitimate expectations (para. 140 – 143). Specifically, the time requirements of the new Directive would lead to a retroactive application and the process of entering into force of the Directive to unattainable expectations on the part of individuals. Regarding legal certainty, the Court rebutted the argument by pointing out that the classification of firearms in the new Directive are clear and precise, and do, therefore, not lead to a retroactive application (para. 149 – 151). Regarding legitimate expectations of individuals, the Court highlighted that the EU legislator fulfilled its duties by publishing the contested Directive in the Official Journal of the European Union in a timely manner. This allowed individuals to know at which point the new rules will come into force and until when they could buy which kinds of firearms (para. 153 – 156).

Fourth Plea: Breach of the Principle of Non-Discrimination

In its fourth and final plea, the Czech Republic claimed that the so-called ‘Swiss exception’ (Article 6 (6) of the contested Directive), which allows Swiss militia soldiers to keep their semi-automatic firearms after completing their service with the Swiss army constitutes a discrimination against other EU nationals (para. 159 – 161). The Court recalled the principle of equality in EU law as requiring that 'comparable situations must not be treated differently and that different situations must not be treated in the same way unless such treatment is objectively justified' (para. 164). The Court found that the Swiss Confederation and the Member States are not comparable regarding the subject matter of that derogation. The Swiss Confederation 'has the proven experience and ability to trace and monitor persons and weapons concerned, which gives reason to assume that the public security and safety objectives' will be achieved (para. 166). Finally, the Czech Republic failed to bring forward evidence that there are other states within the Schengen area which fulfil the same system of mandatory subscription and transfer of military firearms as the Swiss Confederation. Therefore, the Court rejected the plea (para. 167 – 168).

Comment

This comprehensive and very detailed judgement closes the legal challenge between the Czech Republic and the EU. Exhausting legal remedies after being outvoted in the Council has a long tradition in the EU (see for example Spain v Parliament and Council). Also, in this case, it is the recurring storyline. The Czech Republic took legal actions after being outvoted in the Council and its MEPs had not won in the Parliament. The judicial route is a logical way to go. However, the question of firearms regulation seems to be of a more political than a legal nature. 

The contested Directive certainly lays more emphasis on the security requirements for legal firearms holders. The contested Directive prohibits the possession of semi-automatic firearms within the European single market by civilian citizens. The plea of the Czech Republic focused on the outer limits of Article 114 TFEU. Is this article suitable for tightening of firearms possession, or does it fall into the area of judicial cooperation in criminal matters and must, therefore, be adopted under Article 84 TFEU? As known, from the tobacco case-law of the Court, Article 114 TFEU can be interpreted broadly. Also, in this case, the Court followed this line of reasoning, by allowing a prominent place of security as an objective of a Directive which was adopted under the single market competence of Article 114 TFEU.

The Court affirmed the legislative mandate of the EU to lower the ceiling for firearm possession in the EU. Firearms are goods which are sold and purchased on the internal market; therefore, the EU is the adequate body to regulate, and the internal market competence is sufficient to harmonise the possession of firearms in the EU. As a result, Member States have to converge and adjust in their firearm regulations (if they not already did). Some Member States already have a higher bar of firearms possessions as the one purported by the Directive, others like the Czech Republic now have to change their national laws. The consequence is that also in highly political fields, such as firearms regulation, Member States have to abide by the qualified consensus on the Council level. 

Barnard & Peers: chapter 12
JHA4: chapter II:7
Photo credit: knowledge@Wharton

Thursday, 2 January 2020

Can Belgian, French and Swedish prosecutors issue European Arrest Warrants? The CJEU clarifies the requirement for independent public prosecutors




Laure Baudrihaye-Gérard, Fair Trials 

The question of who has the power to issue a European Arrest Warrant (“EAW”) has been addressed again by the Court of Justice of the EU (“CJEU”). The answer to this question has far-reaching consequences for the flagship EU measure of judicial cooperation, which is used by authorities across the continent thousands of times every month to obtain the surrender of persons found in another EU Member State either for the purposes of criminal investigations (e.g. interrogation) or to serve a custodial sentence.

Courts in Luxembourg and the Netherlands suspended the execution of EAWs issued by prosecutors in Belgium, France and Sweden, so that they could ask the CJEU, through the urgent preliminary reference procedure, whether they qualified as “judicial authorities” for the purposes of issuing EAWs. The questions were raised in relation to EAWs issued by the Belgian public prosecutor for the purposes of executing a custodial sentence (case C-627/19 PPU), and in relation to EAWs issued by French (case C-625/19 PPU) and Swedish prosecutors (joined cases C-566/19 and C-626/19 PPU) for the purposes of conducting a criminal investigation.

More specifically, the Dutch and Luxembourg courts sought clarification of the CJEU’s rulings of 27 May 2019 in relation to the German and Lithuanian prosecutors (cases C-508/18 and C-82/19 PPU), discussed further here. The CJEU had ruled that German public prosecutors do not provide a sufficient guarantee of independence from the executive when issuing an EAW, while the Prosecutor General of Lithuania does provide such a guarantee of independence. As a result of this ruling, only judicial authorities deemed completely independent from the executive will be able to issue EAWs. 

The CJEU confirmed that the Belgian, French and Swedish prosecutors were sufficiently independent from the executive to be able to issue EAWs. In its analysis, the CJEU clarified, first, the scope of the concept itself of an “issuing judicial authority” for the purposes of issuing an EAW under the Framework Decision on EAWs and second, the notion of effective judicial protection for individuals who are the subjects of EAWs.

Concept of issuing judicial authority: two, not three conditions to be met

The principle of procedural autonomy and Article 6 of the EAW Framework Decision leave it up to Member States to designate competent “issuing judicial authorities” for the purposes of the EAW, but the CJEU recognised that a uniform and autonomous interpretation is, nevertheless, necessary.

Public prosecutors will qualify as an issuing judicial authority where two conditions are met:

-          First, public prosecutors must administer or participate in the administration of justice. An authority, such as a public prosecutor’s office, which is competent, in criminal proceedings, to prosecute a person suspected of having committed a criminal offence so that that person may be brought before a court, must be regarded as participating in the administration of justice of the relevant Member State.
-          Second, public prosecutors must be in a position to act in an independent way, specifically with respect to the executive. The CJEU requires that the independence of public prosecutors be organised by a statutory framework and organisational rules that prevent the risk of prosecutors being subject to individual instructions by the executive (as was the case with the German prosecutor). Moreover, the framework must enable prosecutors to assess the necessity and proportionality of issuing an EAW. In the French prosecutor judgment, the CJEU specifically indicated that:

-          Even though the Minister of Justice can issue general instructions of criminal policy to prosecutors, French law expressly prohibits individual instructions. In so far as general instructions cannot prevent a prosecutor from exercising their own appreciation of the proportionality of a decision to issue an EAW, they are not incompatible with the EU notion of an “issuing judicial authority”.
-          Hierarchical subordination of prosecutors, as is the case in France, does not prevent independence. The CJEU is concerned about prosecutors being shielded from external instructions coming from the executive; not about internal instructions coming from other prosecutors, which are necessary for the organisation of the public prosecutor office.

Importantly, the CJEU made clear that the existence of a procedure to challenge the decision itself to issue an EAW does not constitute a condition for a national authority to qualify as an “issuing judicial authority” for the purposes of the EAW Framework Decision. In the Swedish and French cases, the CJEU specified that effective judicial protection is not a statutory or organisational rule that applies to prosecutors, but is a separate issue that relates to the issuing procedure of the EAW. The CJEU’s approach in respect of the concept of “effective judicial protection” is developed further below.

The CJEU adopts, in these judgments, a formalistic approach towards the concept of independence. The Court focuses on the national legal framework to assess prosecutorial independence, and is satisfied where statutory and organisational rules formally prevent the government from issuing individual instructions to the prosecuting authority. However, the CJEU does not seek to enquire into the practice or other potential forms of influence of the executive over prosecutors. The scope of the CJEU’s assessment of the independence of prosecutors is moreover limited to decisions to issue EAWs, and not to the exercise of prosecutorial powers more broadly, which is beyond the scope of EU law.

It is notable that, in the decision relating to the French prosecutor, the reasoning of the CJEU appears to be founded on the inquisitorial tradition of the criminal justice system, built on the concept that prosecutors are “impartial” and exercise their powers in an “objective manner”, taking into account all exculpatory and inculpatory elements. This approach does not reflect the system in several EU Member States and stands at odds with the current evolution of European criminal justice systems, where we see a trend towards an increasing role of defence lawyers during the investigative phase, typical of accusatory systems. For instance, the Directive on the European Investigation Order (“EIO”) foresees, in Article 1(3), that the defence may initiate a request for an EIO in the context of a cross-border investigation. The CJEU’s reliance on abstract concepts of “impartiality” and “objectivity”, without addressing the evolution of inquisitorial systems and the way in which this may have impacted the prosecutor’s role, gives the ruling a certain artificiality which requires further refinement.

Effective judicial protection

The CJEU had already ruled (see its judgment in relation to the German and Lithuanian prosecutors) that persons subject to an EAW must benefit from a two-tier system of judicial protection of procedural safeguards and fundamental rights: (i) in the context of the adoption of the national arrest warrant; and (ii) in relation to the decision to issue an EAW, in particular, whether, in the light of the particular circumstances of each case, it is proportionate to issue that warrant.

The executing authority must verify that the decisions to issue EAWs have been subject to prior judicial protection, i.e. that a court or judge assessed the proportionality of the EAW and that the conditions for issuing the EAW have been met. In other words, the decision of a prosecutor, who is not a judge, to issue an EAW, must be capable of being the subject, in the Member State, of judicial proceedings which meet in full the requirements inherent in effective judicial protection.

But the CJEU leaves it up to Member States to organise such effective judicial protection, which, by virtue of the principle of procedural autonomy, may vary from one national system to another. One possibility is for Member States to provide for an appeal procedure against the decision to issue an EAW. But this is only one possibility, and the CJEU considered that each of the examined national systems in Belgium, France and Sweden also met the requirement for effective judicial protection:

-          In the Swedish case, national law requires that the decision to issue an EAW be preceded by a court decision to order pre-trial detention. The CJEU confirmed that effective judicial protection is ensured when the court verifies the conditions and the proportionality of the EAW before it is issued by the prosecutor, i.e. during the hearing in relation to pre-trial detention. The Court also noted that the pre-trial detention order can be challenged after it is issued, and where the challenge is successful, the EAW is automatically invalidated. For the CJEU, this system satisfies the requirement for effective judicial protection, even in the absence of a stand-alone appeal procedure against the decision to issue an EAW by the prosecutor.

-          In the French case, the CJEU considered that in French law, EAWs for the purposes of criminal investigations may only be issued after a judge, typically an investigative judge (juge d’instruction), issues a national arrest warrant. In this case, the CJEU noted that the judge who issued the national arrest warrant also requested that the public prosecutor issue an EAW at the same time. It is at this point in the procedure that the judge assessed that the conditions for issuing the EAW were met, including its proportionality. In the CJEU’s view, this procedure demonstrates that the proportionality of the EAW may be assessed at the time the national arrest warrant is issued, which happens prior or at the same time as the issuing of the EAW, and noted that, further, the decision to issue an EAW may also subsequently be subject to an annulment challenge. Therefore, the French system satisfies the requirement for effective judicial protection.

-          Where the EAW is issued for the purposes of serving a custodial sentence, as in the Belgian case, the EAW stems from the court decision sentencing the person to a custodial sentence. The sentence, in the CJEU’s view, reverses the presumption of innocence that the person benefits from during the criminal proceedings. The existence of judicial proceedings leading to the finding of the person’s culpability enables the executing authority to presume that the decision to issue an EAW stems from a national procedure in which the rights of the person were upheld; and the proportionality of the EAW results from the requirement in the EAW Framework Decision that an EAW may only be issued in relation to sentences of at least 4 months’ imprisonment. In such circumstances, the requirement for effective judicial protection is satisfied by the decision to sentence the person.

The CJEU failed to take this opportunity to set meaningful standards around the concept of “effective judicial protection”, and in particular how executing judicial authorities must exercise their oversight over the proportionality of EAWs. This approach fails to recognise that it is extremely difficult for persons arrested and detained under an EAW to obtain legal assistance in order to challenge the decision to issue the EAW in the issuing state, prior to being surrendered. Fair Trials has documented the problems with the EAW system that continue to this day, with considerable impact on the lives and rights of ordinary people.


In the Swedish and French cases, the CJEU argued that effective judicial protection is further guaranteed by other instruments of EU law, most notably the Access to a Lawyer Directive (2013/48/EU), which requires the Member State who is asked to execute the EAW to inform the person that they have a right to appoint a lawyer in the country that has issued the EAW. This is, indeed, a requirement of EU law, however, the CJEU fails to take into consideration the lack of effective implementation of this requirement across the EU – which seriously undermines the reality of such an “effective judicial protection”. The new laws enacted by the EU guaranteeing suspects’ rights, while extremely beneficial to improving fair trials at the national level, have not been sufficient. The problems with the EAW go beyond the rights guaranteed in those laws, and the laws themselves still need better implementation.

Fair Trials, working with lawyers across the EU in the context of the Legal and Experts Advisory Panel (“LEAP”), continues to document the lack of access to a lawyer in the issuing State for persons arrested under EAWs. The European Commission itself, in its implementation report of 26 September 2019 on the Access to a Lawyer Directive, expressly states that “[t]he legislation in four Member States does not at all reflect the right of requested persons to appoint a lawyer in the issuing Member State. Some five Member States do not clearly ensure that requested persons receive information about this right without undue delay (Article 10(4) of the Directive). Moreover, the cooperation mechanism set out in Article 10(5) of the Directive is often not subject to specific rules. In seven Member States, the legislation lacks the requirement that the competent authority in the executing Member State promptly informs the competent authority in the issuing Member State in cases where requested persons who do not already have a lawyer in the issuing Member State wish to appoint one. Furthermore, the legislation in 10 Member States does not transpose the requirement for the competent authority of the issuing Member State to provide without undue delay the requested persons with information to help them appoint a lawyer there”.

We welcome the CJEU’s recognition that the EU procedural rights directives, including the Access to a Lawyer Directive, participate in ensuring effective judicial protection for people who are subject to EAWs. But to date, the case law of the EU’s Court of Justice has not been sufficient to resolve the EAW’s flaws. The CJEU needs actively to support the effective implementation of the procedural safeguards for suspects and accused persons enshrined in EU law. For more on our work to promote and support the effective implementation of EU law, please refer to our materials available here: https://www.fairtrials.org/publication/eu-law-materials.

JHA4: chapter II:3
Barnard & Peers: chapter 25
Photo credit: Wikicommons

Saturday, 21 December 2019

The AG Opinion in Schrems II: Facebook, national security and data protection law





Lorna Woods, Professor of Internet Law, University of Essex


Last week a CJEU Advocate-General gave an opinion in the case of Schrems II, the latest challenge to US national security rules as they apply to transfers of personal data from the EU (via Facebook). The original Schrems case (discussed here) shocked the data protection world when the Court of Justice of the EU (ECJ) ruled that the adequacy decision with regards to the United States (which simplified personal data transfers between the EU and the US) was invalid and – effectively - that US practices were incompatible with the EU Charter. Companies transferring data to the US turned to other legal mechanisms to legitimise the transfer of data and Schrems II (Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18)) concerns one of these mechanisms: standard contractual clauses (SCCs). Surely, given the similar context and the fact that those under US jurisdiction must comply with US law, the outcome must be the same?

The Facts

Max Schrems aimed to stop the transfer of his personal data from the EU to the US under SCCs, following on from the finding in Schrems I that US law did not provide sufficient safeguards for individuals’ privacy rights in the context of bulk surveillance. This resulted in an action being brought by the Irish Data Protection Commissioner (DPC). The DPC took the view that her assessment of whether the transfers were valid depended on whether the model SCCs (established by the European Commission by Decision 2010/87/EU) were valid and she brought an action before the Irish courts, which resulted in an 152 page judgment and a reference to the ECJ, to determine this.

The reference comprised 11 questions, which the Advocate General bundled into a number of topics:

-          the applicability of EU law when data transferred is processed for national security purposes in third countries;
-          the level of protection required;
-          the impact of the non-binding nature of an SCC on the authorities of a third country on the validity of Decision 2010/87;
-          the validity of Decision 2010/87 in the light of the EU Charter; and
-          an assessment of the Privacy Shield decision (the replacement adequacy decision for transfers to the US, following the finding in Schrems I that the previous decision, known as ‘Safe Harbour’, was invalid).

The Opinion

The first issue was whether the fact that the concerns regarding privacy occur in the policy space of national security (an area outwith EU competence) affects the applicability of the data protection directive (DPD) or the replacement law, the GDPR. Those rules are designed for the commercial sphere. As the Advocate General noted,

The significance of that question … lies in the fact that, if such a transfer fell out side the scope of EU law, all the objections raised ...would be rendered baseless [101].

Given the Court’s approach in Schrems I, it is unsurprising that the answer here was that the locus of regulation was the commercial activity that was being undertaken. The purpose of the transfer was not that of allowing the data to be processed for national security [106]. So, ‘the possibility that the data will undergo processing by the authorities of the third country of destination for the purposes of the protection of national security does not render EU law inapplicable...’ [108].

The second issue at which the Advocate General looked was that of the level of protection. He accepted that the approach of the Court in Schrems I to adequacy decisions (under Article 25(6) DPD, and now Article 45(3) GDPR) is also relevant to SCCs so that the ‘appropriate safeguards’ envisaged by Article 46 GDPR should ensure data subjects benefit from a level of protection ‘essentially equivalent’ to that which follows from the GDPR [115]. While the adequacy decision mechanism and the SCC mechanism both aim towards the same objective, the way they each achieve it may be different: the underlying difference between the mechanisms is that the adequacy decision considers whether the protections provided by law in the destination country are adequate; the SCCs accept that they are not and provide other safeguards [120, see also 123-4].

Validity of Decision 2010/87

Moving on to the question of validity of Decision 2010/87 in the light of the EU Charter, the fact that SCCs are not binding on the third country undermines the ability of the recipient of the data always to respect the data protection safeguards contained in the SCC. The Advocate General considered this in the context of the question the Irish Court raised regarding the obligations on the national supervisory authority to suspend transfer [122]. The Advocate General proposed that:

-          SCCs may be assessed only on the ‘soundness of the safeguards’ they each provide;
-          safeguards may be reduced/eliminated as a result of the law of the third country;
-          the mechanism imposes on the exporter/controller or the national supervisory authorities, on a case-by-case basis, to prohibit or suspend transfers.

The Advocate General concluded that this did not invalidate the Decision but rather raised the question of ‘whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour’ [127]. He also highlighted the requirement in Article 46(1) GDPR that data subjects’ rights must be enforceable and remedies available.

Obligations on data controllers

The SCC imposes obligations on exporter and importer to comply with the terms of the contract. Given the obligations on the data controller (the person in control of the uses to which the data is put) imposed by the GDPR, where the exporter is aware that the importer cannot honour the terms of the SCC, the controller does not have a choice to suspend transfer but is required to do so [132]. The Advocate General also suggested that the parties should carry out an examination into whether the law of the third country would entail such a breach [135]. The rights of the data subject are ensured as against the exporter/controller under the SCC in Decision 2010/87 and the data subject may also apply to the national supervisory authorities.

Obligations on the supervisory authorities

The Advocate General proposed that national supervisory authorities are required to order the suspension of the transfer. Specifically, the right to suspend is not only to be used in exceptional cases (this follows amendment of the SCC terms in the light of Schrems I) and recital 11 of Decision 2010/87 is ‘obsolete’ [143].  The Advocate General emphasised that

‘the exercise of the powers to suspend and prohibit transfers …. is no longer merely an option left to the supervisory authorities’ discretion’ [144].

Article 58(2) GDPR, which sets out the powers of supervisory authorities, should be understood in the light of Article 8(3) EUCFR and Article 16(2) TFEU (both of which provide that compliance with data protection law should be overseen by an independent authority) – the Advocate General inferred that this meant the authorities have to act in such a way as to ensure the proper application of the GDPR. This imposes a due diligence requirement on the authorities, as well as an obligation to react appropriately to infringements. Failure to do so can lead to judicial action, and this re-emphasises that the obligation on the national supervisory authorities is ‘strict’, not discretionary [150].

The DPC had contended that this obligation is insufficient: it fails to address the systemic problems of inadequate safeguards; and that the approach leaves unprotected those whose data have already been transferred. The Advocate General disagreed; while problems existed they were not sufficient to invalidate the decision. He stated that:

EU law does not require that a general and preventive solution be applied for all transfers to a given third country that might entail the same risks of violation of fundamental rights [154].

As regards, effective redress for those already affected, the Advocate General emphasised the roles of the supervisory authorities to take corrective measures and the rights under Article 82 GDPR.

Privacy Shield

The Advocate General than took the view that it was unnecessary to consider the ‘Privacy Shield’ decision, in part because it assumes that the general level of law and protection in the recipient state need to afford adequate protection for SCCs to be available – a point which the Advocate General had already rejected.  Nonetheless the Advocate General did produce some guidance for the Court were it to consider the issue.

The finding of adequacy under the Privacy Shield does not preclude a national supervisory authority from exercising its powers. A number of parties challenged (directly or indirectly) the finding of adequacy in relation to the Privacy Shield. He suggested that when considering the comparison between the law and safeguards of the third country the appropriate comparison would be with the approach of the Member States to their own national security within the framework of the European Convention on Human Rights (ECHR) [207] and that those standards must be known in advance. The Advocate General discussed the scope of the national security exception, defined as:

activities connected with the protection of national security in so far as they constitute activities of the State or of States authorities that are unrelated to fields in which individuals are active [para 210, citing inter alia Tele2 Sverige and Watson (Cases C-203/15 and C-698/15, discussed here)].

The Advocate General suggests that the exclusion covers measures ‘that are directly implemented by the State for the purposes of national security, without imposing specific obligations on private operators’ [211]. He notes that where private operators are involved the law is less clear with the earlier PNR judgment (Parliament v Council and Commission (Cases C-317/04 and C-318/04)) seemingly pointing in a different direction from more recent jurisprudence including Tele2/Watson.  He proposed a number of ways to reconcile the two lines of cases:

-          Tele2/Watson arose where operators were required to keep data; the airlines kept the data for their own commercial purposes [218];
-          Tele2/Watson arises where operators are required to cooperate as regards the access to the data, irrespective of whether there is a prior obligation to retain data - because the provision required the operators to engage in data processing [219-220].

The Advocate General favoured the second approach, suggesting it was also in line with Schrems I and that, once national authorities have the data and engage in further processing of them, such processing is not caught by the scope of the GDPR. In this view of the Advocate General, this means verification must take place by reference first to the GDPR and Charter and secondly by reference to the ECHR.

A further issue was whether continuity of protection means that measures must be in place during transit (e.g. through submarine cables). Article 44 GDPR refers to ‘after transfer’ which could mean after arrival or once transfer has been initiated. Relying on a teleological interpretation, the Advocate-General adopted the second interpretation.

Moving on to the validity of the Commission’s assessment of adequacy, the Advocate General assessed whether the Commission’s findings warranted the adoption of an adequacy decision, recalling the principles set down in Schrems I allowing for ‘a certain flexibility in order to take the various legal and cultural traditions into account’ but ‘that certain minimum safeguards and general requirements for the protection of fundamental rights that follow from the Charter and the ECHR have an equivalent ...’ [249].  It was this essential equivalence that the referring court challenged. The Advocate General re-stated case law from both Courts that recognised the existence of an interference, and as far as the ECJ is concerned it does not matter whether the data are sensitive. Further:

the obligation to make the data available to the NSA, in so far as it derogates from the principle of confidentiality of communications, entails in itself an interference even if those data are not subsequently consulted and used by the intelligence authorities [259].

As regards the requirement that interferences must be provided for by law, the Advocate General – treating the approach of the ECJ and ECtHR together states that this test means that:

regulations which entail an interference … lay down clear and precise rules governing the scope and application of the measure at issue and imposing a minimum of requirements, in such a way as provide the persons concerned with sufficient guarantees to protect their data against the risks of abuse and also against any unlawful access to or use of data [para 265, citing Digital Rights Ireland (discussed here), Tele 2 Sverige, Opinion 1/15 (discussed here), Weber and Saravia, Zakharov (discussed here) and Szabo and Vissy].

The Advocate General doubted whether the US framework met this threshold [266].  Following existing jurisprudence, however, the Advocate General accepted that the very essence of Article 7 or 8 was not compromised.  In this, the Advocate General noted that the position of the ECtHR was that such surveillance could, in principle, be capable of justification [282].

National security has long been accepted as a legitimate public interest ground justifying interferences with rights. The scope of ‘national security’ was challenged. The Advocate General accepted that some aspect of foreign affairs might fall within ‘national security’; further objectives dealt with under ‘foreign intelligence information’ could constitute other public interest objectives but that these would have a lesser weighting in a proportionality analysis. However, ‘it may be asked whether those measures are defined sufficiently clearly and precisely to prevent the risk of abuse and to permit a review of the proportionality.’ [289].

The Advocate General nonetheless considered the necessity and proportionality aspects, within the framing set down by Schrems I in particular. The Advocate General also noted the safeguards required by Article 23(2) GDPR. He doubted whether the selection criteria were sufficiently clear and precise and whether there were sufficient guarantees to prevent the risk of abuse noting in particular the difference between the requirement that an activity be ‘as tailored as feasible’ is not the same as an activity which is strictly necessary [300], nor does it necessarily forewarn data subjects [307]. There is no prior review. He therefore concluded that he had doubts about the adequacy of protection provided.

The next issue was the right to an effective remedy and the impact of the introduction of the Ombudsperson Mechanism which is intended to compensate for some of the deficiencies in the US system.  The Advocate General noted that the Article 47 right is in addition to the requirement that there be independent oversight/authorisation of surveillance activities. Re-iterating Schrems I, where there is no possibility to pursue legal remedies, the national rules do not respect the essence of the right. The right include that of receiving confirmation from national authorities whether or not they are processing data as well as being notified about an investigation once it would no longer jeopardise that investigation (though the ECtHR has not made this aspect a requirement). The US system is deficient in these aspects. The Advocate General considered whether the Ombudsperson Mechanism compensates but was not convinced. Such a body to be effective must be established by law and be independent. The Advocate General noted that the mechanism satisfied neither requirement and is not subject to judicial control.

Comment

A cursory look at the conclusion to the Opinion might suggest that there will be no change in the approach to data transfers and that in general this was a bit of a defeat for Schrems. This would mis-characterise the position (and also overlook the fact that it was the DPC that was arguing for invalidity of the SCC decision, not Schrems).  The Opinion is divided broadly into two topics: the first which deals the legality of the SCC decision and the second which deals with the Privacy Shield adequacy decision. 

The Advocate General may have suggested that the Decision underlying the SCCs should not be considered invalid but this does not mean that those transferring data to the US can ignore the privacy concerns. The response of the Advocate General - in avoiding challenging the underlying system itself - is to rely on decentralised, and ultimately private, enforcement by the exporter/data controllers, but also by the national supervisory authority.  This obligation is described in rather strong terms; certainly a data exporter cannot be passive but must investigate conditions and if it finds problems it must act to suspend transfers. A head in the sand approach – if the Court follows the reasoning of the Advocate General – is unlikely to be successful. For national supervisory authorities the obligation seems still stronger and the obligation to assess on a case by case basis potentially increases their workload. Underpinning this again is the threat of legal action by data subjects. While empowering data subjects is probably to be regarded as positive, viewing private enforcement of regulation as an essential element of that scheme is problematic.  It assumes data subjects have the energy and the resources to take action – a real weakness in this approach, despite the possibility for class actions.

It is noteworthy that while the Advocate General heads the section on the acceptability of the Decision as its acceptability under the Charter, in practice his analysis focuses on the right to a remedy. This leaves the impact of the transfers on privacy and data protection (especially against a backdrop of bulk surveillance) under-considered.  Further, the Advocate-General seems to assume that the ability to sue in the EU (under Article 80 causes of action) compensates for the difficulties in standing and lack of remedies in the relevant third country, and assumes that compensation is adequate (as opposed to more behavioural remedies such as ceasing processing).  This aspect of the analysis is in marked contrast to the considerations discussed under the Privacy Shield section.

While the ruling on the impact of national security in the early part of the Opinion may not come of much surprise, it is potentially significant for the UK. At the moment, as a member of the EU, the activities of its security and intelligence services mainly lie outside the ECJ’s purview (though note pending reference on scope of this: Privacy International v Secretary of State for Foreign and Commonwealth Affairs (Case C-623/17)); once it becomes a third country (and subject to any negotiated agreement) national security becomes a relevant consideration.  This difference between EU States and third countries did not escape the attention of those making representations before the court. On this difference, the Advocate General when discussing the comparison that must take place to come to any decision on whether a third State’s data privacy protections are essentially equivalent argues that, in regards to interferences arising in the context of national security (which falls outside EU law and therefore the scope of the Charter), the relevant standards are to be found in the ECHR. 

As noted, however, that boundary is somewhat uncertain and consequently the extent to which it is consistent with earlier jurisprudence, including Schrems I, open to question. The approach of the Advocate General does seem to move away from the approach in the PNR judgment, which was based on looking at the provision’s purpose to determine whether it fell within the national security exception. Perhaps the forthcoming cases will develop a clear and consistent line on this point going forward. The significance of drawing a boundary between the EU Charter and the ECHR lies in the extent of difference in approach of the Strasbourg and Luxembourg courts to bulk surveillance, especially that in relation to communications data. On this, the Big Brother Watch case (discussed here and here) is heading to the ECtHR Grand Chamber.

As regards the second aspect, having noted that the Advocate General seeks to avoid commenting on the Privacy Shield, some of his comments in this regard (made ‘in the alternative’) highlight some real problems for that system. In his discussion he beds his reasoning both in the ECJ’s jurisprudence but also that of the ECtHR.  The Opinion constitutes a clear statement as to the applicability of the law to ‘automated’ surveillance and also as to the requirement of legality (which is not particularly clear as regards the Strasbourg jurisprudence).  In this, as well as in the context of necessity and proportionality of the measures the Advocate General was not convinced the US framework passed the tests. This is not just one problem to fix, but many.  While the Advocate General did not the difference in the jurisprudence between the two courts, this difference did not seem to lead to a different outcome in terms of his assessment of the acceptability of the US regime.

If the Court chooses to consider this question, there will be some serious difficulties going forward for data flows.  Whether the approach will stick is a question; the ECJ has been under pressure to step back from its stance on bulk collection and automated assessment of data in particular. Some of the surveillance issues will be returning to the Court in a bevy of cases: in addition to Privacy International see La Quadrature du Net & Ors v Commission (Case T-738/16); La Quadrature du Net & Ors and French Data Network & Ors (Cases C-511-12/18); and Ordre des barreaux francophones et germanophone, Académie Fiscale ASBL, UA,  Liga voor Mensenrechten ASBL, Ligue des Droits de l’Homme ASBL, VZ, WY,  XX v Conseil des ministres (Case C-520/18). Further Advocates-General opinions in several of these cases are set for January.

Barnard & Peers: chapter 9
Photo credit: Forbes

Friday, 13 December 2019

Video surveillance in flats and data protection law: the CJEU's recent judgment in TK




Lorna Woods, Professor of Internet Law, University of Essex

There is an increasing incidence of the use of video-surveillance and with it a need to find a framework in which the conflicting rights or those who are subject to such surveillance may be balanced.  While there is increasing case law surrounding state surveillance the position as regards private actors – beyond the fact that data protection laws may well apply – is less well-developed.  The recent case of TK deals with such a balance, but the ruling of the Court of Justice is far from ground-breaking.

The Facts

Three video cameras were installed in the common areas of a block of flats to deal with issues of vandalism and burglaries.  The owner of one of the flats in that block objected and sought to have the cameras removed.  National law permitted the use of video-surveillance without the data subject’s consent for specified uses including the prevention and countering of crime and the safety and protection of persons, property and assets.  The national court referred a number of questions concerning the national law’s compatibility with the Data Protection Directive (Directive 95/46) (DPD) and provisions of the EU Charter.

The Judgment

The ECJ determined that the questions the national court referred should be understood together as asking whether Article 6(1)(c) and Article 7(f) DPD, read in the light of Articles 7 and 8 of the EU Charter, preclude national provisions which authorise the installation of a system of video surveillance installed in the common parts of a residential building, for the purposes of pursuing legitimate interests of ensuring the safety and protection of individuals and property, without the data subject’s consent.

These provisions of the DPD concern respectively the principle of data minimisation (Article 6(1)(c)), which requires that personal data must be ‘adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed’, and the permissibility of processing personal data where ‘necessary for the purposes of the legitimate interests pursued by the [data] controller [ie, the person who decides on the purposes and means of data processing] or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject’ (Article 7(f)). The subsequent EU data protection law, the GDPR, has not significantly amended these rules, so there is no reason to believe that the judgment would have been different under the GDPR.

The Court confirmed the position in Ryneš (Case C-212/13), a 2014 judgment concerning the use of a home security camera (discussed here), that the system of surveillance cameras constitutes the automatic processing of personal data, but left it to the national court to assess whether the characteristics identified in Ryneš were satisfied here. It also reiterated that processing must fall within one of the six cases identified in Article 7 DPD. Considering Article 7(f), the Court – citing Rīgas satiksme (Case C-13/16), a 2017 judgment concerning personal data in the context of a dispute over liability for an accident – identified a three stage test:

-          the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed;
-          the need to process personal data for the purposes of the legitimate interests pursued; and
-          the fundamental rights and freedoms of the person concerned by the data protection do not take precedence over the legitimate interest pursued.

Consent of the data subject is not required.  While a legitimate interest has been claimed, the referring court was uncertain as to whether that interest must be ‘proven’ and be ‘present and effective at the time of the data processing’.  The court agreed that hypothetical interests would not satisfy Article 7(f) but in this case the requirement of a present and effective interest is satisfied given the instances of theft and vandalism prior to the installation of the CCTV.

Considering the second element of the test, this in line with existing case law must be interpreted strictly, that is that the legitimate aims cannot reasonably be as effectively achieved by other means less restrictive of fundamental rights. It must also be understood in the light of the principle of data minimisation in Article 6(1)(c) DPD.  While previous means of dealing with the vandalism and thefts have been ineffective, and the CCTV relates only to the common parts of the building, the Court noted that the proportionality assessment also must take into account the specific methods or installing and operating that device – for example, limiting the hours with the CCTV operates, or obscuring some images.

The final element constitutes a balance between the opposing interests, and this will be fact specific bearing in mind the significance of the data subject’s rights and specifically the seriousness of any infringement [56]. Member States may not prescribe, for certain categories of data, the outcome of any such balancing (see Breyer (Case C-582/14), para 62 – a 2016 judgment about IP addresses as personal data, discussed here). The Court also distinguished between personal data available from public sources and that from non-public sources, with the latter constituting a more serious infringement.  It ‘implies that information relating to the data subject’s private life will thereafter be known by the data controller and, as the case may be, by the third party or parties to whom the data are disclosed’[55].  The Court also identified the following factors:

-          the nature of the personal data at issue, in particular of the potentially sensitive nature of those data
-          the nature and specific methods of processing the data at issue, in particular
-          the number of persons having access to those data and the methods of accessing them
-          reasonable expectations that his or her personal data will not be processed
-          the importance of the legitimate interests pursued.

These factors are for the national court to balance and to determine the legitimacy of the processing.  The DPD does not per se preclude such a system.

Comment

The Court did not strike the national regime down.  This should not be read as a ruling in favour of those who seek to place their neighbours under surveillance. In the end, the Court leaves it to the national court to decide on the facts.  This acceptance of the boundary between the competence of the national courts (in re facts and national law) and the Court of Justice (in re EU law) does not mean that the national law is automatically acceptable from the perspective of EU law. Crucially the national law in issue itself contained a balancing requirement, so that individual instances in which CCTV was to be deployed should be assessed in light of the impact on the data subjects’ rights.  A national rule that did not contain such a requirement could be seen to fall foul of the position in Breyer, noted by the Court here, of specifying the outcome of a conflict between interests.

As noted above, this chamber judgment, based on the DPD, presumably will apply also to the relevant provisions of the GDPR (Article 6(1)(f)), so it may have future relevance. What can be learned?  The Court’s approach is to try to base its reasoning in existing case law.  Of note is the reiteration of the point that an ‘images allowing natural persons to be identified’ can be personal data [35]. As a small point of detail, the phraseology is slightly different from that in Rynes: in Rynes the Court explained its reasoning by suggesting that “…the image of a person recorded by a camera constitutes personal data … inasmuch as it makes it possible to identify the person concerned...” (Rynes, para 22). Whether there is a significance in this difference is unclear.  Arguably, in Rynes the identification point seems to explain why an image is personal data; in TK it could be read as limiting the circumstances in which images could be personal data.  It is not as clear as the individuation argument accepted in the recent English High Court decision in Bridges, concerning automatic facial recognition.

The main body of the judgment is focused on the legitimate interest ground, analysing it according to a three-staged test.  In this the Court relies on the inter-connectedness of the requirements in Article 6 (concerning data quality) and Article 7 DPD (legitimacy of processing). The judgment gives some light as to when the legitimate interests of the processer are real or not; in this instance there had been instances of vandalism and theft, but the Court expressly notes that it’ cannot, however, be necessarily required, at the time of examining all the circumstances of the case, that the safety of property and individuals was previously compromised’ [44].  This does not however give us much guidance as to how far away from hypothetical such a case would need to be to be ‘present and effective’.

The second element focuses on ‘necessity’, which the Court reminds us should be ‘strictly necessary’.  Yet, the Court’s explanation of this requirement seems to adopt a lower standard, that of reasonableness.  It states the requirement thus: that the objective ‘cannot reasonably be as effectively achieved by other means less restrictive of the fundamental freedoms’ [47].  The Court also equates this element to a proportionality principle, understood in the light of the data minimisation principle. The Court states that proportionality has been taken into account because a previous system (using access cars to access the common areas) had been tried and failed. This, however, seems to refer to necessity.

The Court then does consider the operation of the CCTV system, and whether constant surveillance is required, implicitly at this point considering data minimisation.  It is suggested that this issue has relevance for the balancing of rights, though it is not a factor listed as relevant for the third element of the test by the court.  The third stage lists some familiar considerations but does not go beyond their identification, giving the national court little guidance as to what these considerations might mean, how they might inter-relate and their respective importance.   It may be that the Court did not want to have to get into the difficult consideration of private space, especially shared private space. In this context, note that Rynes considered the impact of private surveillance on public space, but for the assessment of a different question: the extent of the household exemption.  Nonetheless, while the Court notes the relevance of Articles 7 and 8 of the Charter it gives no separate consideration to the issue of the right to a private life and data protection seen as a fundamental right.  For this, the judgment might be legitimately criticised.

Barnard & Peers: chapter 9
Photo credit: Deacon Insurance