Friday, 21 September 2018

Crushing terrorism online – or curtailing free speech? The proposed EU Regulation on online terrorist content




Professor Lorna Woods, University of Essex

On 12th September 2018, the Commission published a proposal for a regulation (COM(2018) 640 final) aiming to require Member States to require certain internet intermediaries to take proactive if not pre-emptive action against terrorist content on line as well as to ensure that state actors have the necessary capacity to take action against such illegal content. It is described as “[a] contribution from the European Commission to the Leaders’ meeting in Salzburg on 19-20 September 2018”. The proposal is a development from existing voluntary frameworks and partnerships, for example the EU Internet Forum, and the non-binding Commission Recommendation on measures to effectively tackle illegal content online ((C(2018)1177 final), 1st March 2018) and its earlier Communication on tackling illegal content online (COM(2017) 555 final). In moving from non-binding to legislative form, the Commission is stepping up action against such content; this move may also be seen as part of a general tightening of requirements for Internet intermediaries which can also be seen in the video-sharing platform provisions in the revised Audiovisual Media Services Directive and in the proposals regarding copyright. Since the proposal has an “internal market” legal base, it would apply to all Member States.

The Proposal

Article 1 of the proposed Regulation sets out its subject matter, including its geographic scope.  The scope of the proposed regulation is directed to certain service providers, “hosting service provider” in respect of specified content “illegal terrorist content”.  Terms are defined in Article 2. Article 2(1) defines “hosting service provider” (HSP) as “a provider of information society services consisting in the storage of information provided by and at the request of the content provider and in making the information stored available to third parties”. The definition of illegal terrorist content found in Article 2(5) is one (or more) of the following types of information:

(a) inciting or advocating, including by glorifying, the commission of terrorist offences, thereby causing a danger that such acts be committed;
(b) encouraging the contribution to terrorist offences;
(c) promoting the activities of a terrorist group, in particular by encouraging the participation in or support to a terrorist group within the meaning of Article 2(3) of Directive (EU) 2017/541
(d) instructing on methods or techniques for the purpose of committing terrorist offences.

The format does not matter: thus terrorist content can be found in text, images, sound recordings and videos.

Article 3 specifies the obligations of the HSPs. In addition to a specific obligation to prohibit terrorist content in their terms and conditions, HSPs are obliged to take appropriate, reasonable and   proportionate actions against terrorist content, though those actions must take into account fundamental rights, specifically freedom of expression.

Article 4 introduces the idea of a removal order, and requires that the competent authorities of the Member States are empowered to issue such orders; requirements relating to removal orders are set out in Article 4(3).  It does not seem that the issuing of such orders require judicial authorization, though the Regulation does envisage mechanisms for HSPs or the “content provider” to ask for reasons; HSPs may also notify issuing authorities when the HSP views the order as defective (on the basis set out in Article 4(8)), or to notify the issuing authority of force majeure. Article 4(2) states:

Hosting service providers shall remove terrorist content or disable access to it within one hour from receipt of the removal order.

The regulation also envisages referral orders; these do not necessitate the removal of content, nor – unlike the position for removal orders – does it specify deadlines for action. On receipt of a referral order, a HSP should assess the notified content for compatibility with its own terms and conditions. It is obliged to have in place a system for carrying out such assessments. There is also an obligation in Article 6 for HSPs in appropriate circumstances to take (unspecified) effective and proportionate proactive measures and must report upon these measures. Article 6 also envisages the possibility that competent authorities may – in certain circumstances – require a hosting service provider to take specified action.

Article 7 requires hosting service providers to preserve data for certain periods.  The hosting service provider is also required to provide transparency reports as well as to operate within certain safeguards specified in Section III, including transparency reporting, human oversight of decisions, complaints mechanisms and information to content providers – these are important safeguards to ensure that content is not removed erronously.  Section IV deals with cooperation between the relevant authorities and with the HSPs.  Cooperation with European bodies (e.g. Europol) is also envisaged.  As part of this, HSPs are to establish points of contact.

The Regulation catches services based in the EU but also those outside it which provide services in the EU (with jurisdiction in relation to Article 6 (proactive measures), 18 (penalties) and 21 (monitoring) going to the Member State in which the provider has its main establishment) and should designate a legal representative. The Member State in which the representative is based has jurisdiction (for the purposes of Articles 6, 18 and 21). Failure so to designate means that all Member States would have jurisdiction.  Note that as the legal form of the proposal is a Regulation, national implementing measures would not be required more generally.

Member States are required to designate competent authorities for the purposes of the regulation, and also to ensure that penalties are available in relation to specified articles such penalties to be effective, proportionate and dissuasive.  The Regulation also envisages a monitoring programme in respect of action taken by the authorities and the HSPs.  Member States are to ensure that their competent authorities have the necessary capacity to tackle terrorist content online.

Preliminary Comments

The proposal is in addition to the Terrorism Directive, the implementation date for which is September 2018.  That directive includes provisions requiring the blocking and removal of content; is the assumption that – even before they are require legally to be in place – these provisions are being seen as ineffective.

This is also another example of what seems to be a change in attitude towards intermediaries, particularly those platforms that host third party content.  Rather than the approach from the early 2000s – exemplified in the e-Commerce Directive safe harbour provisions – that these providers are and to some extent should be expected to be content-neutral, it now seems that they are being treated as a policy tool for reaching content viewed as problematic.  From the definition in the Regulation, it seems that some of the HSPs could have – provided they were neutral -fallen within the terms of Article 14 e-Commerce Directive: they are information society service providers that provide hosting services.  The main body of the proposed regulation does not deal with the priority of the respective laws but in terms of the impact on HSPs, the recitals claim

“any measures taken by the hosting service provider in compliance with this Regulation, including any proactive measures, should not in themselves lead to that service provider losing the benefit of the liability exemption provided for in that provision.  This Regulation leaves unaffected the powers of national authorities and courts to establish liability of hosting service providers in specific cases where the conditions under Article 14 of Directive 2000/31/EC for liability exemption are not met”.

This reading in of what is effectively a good Samaritan saving clause follows the approach that the Commission had taken with regard to its recommendation – albeit in that instance without any judicial or legislative backing.  Here it seems that the recitals of one instrument (the Regulation) are being deployed to interpret another (the e-Commerce Directive). 

The recitals here also specify that although Article 3 puts HSPs under a duty of care to take proactive measures, this should not constitute ‘general monitoring’; such general monitoring is precluded according to Article 15 e-Commerce Directive. How this boundary is to be drawn remains to be seen. Especially as the regulation envisages prevention of uploads as well as swift take-downs. Further, recital 19 also recognises that

“[c]onsidering the particularly grave risks associated with the dissemination of terrorist content, the decisions adopted by the competent authorities on the basis of this Regulation could derogate from the approach established in Article 15(1) of Directive 2000/31/EC, as regards certain specific, targeted measures, the adoption of which is necessary for overriding public security reasons”.

This is a new departure in the interpretation of Article 15 e-Commerce Directive.

The Commission press release suggests the following could be caught: social media platforms, video streaming services, video, image and audio sharing services, file sharing and other cloud services, websites where users can make comments or post reviews. There is a limitation in that the content hosted should be made available to third parties. Does this mean that if no one other than the content provider can access the content, the provider is not an HSP?  This boundary might prove difficult in practice.  The test does not seem to be one of public display so services where users who are content providers can choose to let others have access (even without the knowledge of the host) might fall within the definition. What would be the position of a webmail service where a user shared his or her credentials so that others within that closed circle could access the information? Note that the Commission is also envisaging services whose primary purpose is not hosting but which allows user generated content– e.g. a news website or even Amazon – also fall within the definition. 

The scope of HSP is broad and may to some extent overlap with that of video-sharing platforms or even audiovisual media service providers for the purposes of the Audiovisual Media Services Directive (AVMSD).  Priorities and conflicts will need to be ironed out in that respect. The second element of this broadness is that the HSP provisions are not just applying to the big companies, the ones to some extent already cooperating with the Commission, but also to small companies. In the view of the Commission terrorist content may be spread just as much by small platforms as large.  Similar to the approach in the AVMSD, the Commission claims that the regulatory burden will be proportionate as the proportionality with mean the level of risk as well as the economic capabilities would be taken into account. 

In line with the approach in other recent legislation (e.g. GDPR, video-sharing platforms provisions in AVMSD) the proposal has an extraterritorial dimension. HSPs would be caught if they provide a service in the EU.  The recitals clarify that “the mere accessibility of a service provider’s website or of an email address and of other contact details in one or more Member States taken in isolation should not be a sufficient condition for the application of this Regulation” [rec 10]; instead a substantial connection is required [rec 11]. Whether this will have a black out effect similar to the GDPR remains to be seen; it may depend on whether the operator is aware enough of the law; how central the hosting element is and how large a part of its operations the EU market is.

While criminal law, in principle, is a matter for Member States, the definition of terrorist content relies on a European definition – though whether this definition is ideal is questionable.  For companies that operate across borders, this is presumably something of a relief (and as noted above, the proposal is based on Article 114 TFEU, the internal market harmonisation power).  The Commission also envisages this a mechanisms limiting the possible scope of the obligations – only material that falls within the EU definition falls within the scope of this obligation – thereby minimising impact on freedom of expression (Proposal p. 8).  Whether national standards will consequently be precluded is a different question.  Note that the provisions in the AVMSD that focus on video sharing platforms were originally envisaged as maximum harmonisation but, as a result of amendments from the Council, retuned to minimum harmonisation (the Council amendments also introduced provisions on terrorist content into the AVMSD based on the same definition).

The removal notice is a novelty aimed at addressing differential approaches in the Member States in this regard (an on-going problem within the safe harbour provisions of the e-Commerce Directive), but also to ensure that such take down requests are enforceable.  Note, however, that it is up to each Member State to specify the competent authorities, which may give rise to differences between the Member States, perhaps also indicating differences in approach.  The startling point is probably the very short timescale: 1 hour (a complete contrast to the timing for example specified in the UK’s Terrorism Act 2006).  The removal notices have been a source of concern.  This is not very long which will mean that - especially with non-domestic providers and taking into account time differences - HSPs will need to think how to man such a requirement (unless the HSPs plan to automate their responses to notices), especially if the HSP hopes to challenge ‘unsatisfactory’ notices (Art 4(8)). 

Given the size of the penalties in view, industry commentators have suggested that all reported content will be taken down.  This is certainly would be a concern in relation to situations where the HSPs had to identify terrorist content (ie ascertain not just that it was in a certain location but also that it met the legal criteria) themselves.  Is it not the case that this criticism is fully appropriate here.  Here, HSPs are not having to decide whether or not the relevant content is terrorist or not- the notice will make that choice for them.  Further, the notice is made not by private companies with a profit agenda but instead by public authorities (presumably) orientated to the public good and with some experience in the topic as well as in legal safeguards.  Furthermore, the authority must include reasons. Indeed, the Commission is of the view that referrals are limited to the competent authorities which will have to explain their decisions ensures the proportionality of such notices (Proposal p. 8). Nonetheless, a one hour time frame is a very short period of time.

Another ambiguity arises in the context of referral notices. It seems that the objective here is to put the existing voluntary arrangements on a statutory footing but with no obligation on the HSP to take the content down within a specified period. Rather the HSP is to assess whether the content referred is compatible with the HSPs terms of service (not whether the content is illegal terrorist content).  Note this is a different from the situation where the HSP discovers the content itself and there has been no official view as to whether the content falls within the definition of terrorist content or not. This seems rather devoid of purpose: relevant authorities have either decided that the content is a problem (in which case the removal notice seems preferable as the decision is made by competent authorities not private companies) or the notice refers to content which is not quite bad enough to fall with the content prohibited by the regulation but the relevant authorities would still like it down, with the responsibility for that decision being pushed on to the HSP. Such an approach seems undesirable.

Article 6 requires HSPs to take effective proactive measures.  These are not specified in the Regulation, and may therefore allow the HSPs some leeway to take measures that seem appropriate in the light of each HSP’s own service and priorities, though it seems here that there may also be concerns about the HSPs’ interpretation of relevant terrorist content.  It is perhaps here that criticisms about the privatisation of the fight against terror comes to the fore.  Note, however that Article 6(4) allows a designated authority to impose measures specified by the authority on the HSP.  Given that this is dealt with at the national level, some fragmentation across the EU may arise; there seems to be no cooperation mechanism or EU coordination of responses under Article 6(4).

There is also the question of freedom of expression. Clearly state mandated removal of content should be limited, but it is the intention that HSPs have no freedom to remove objectionable content for other reasons. At some points, the recitals suggest precisely this: “hosting service providers should act with due diligence and implement safeguards, including notably human oversight and verifications, where appropriate, to avoid any unintended and erroneous decision leading to removal of content that is not terrorist content” [rec 17]. Presumably the intention is that HSPs should take steps to avoid mistakenly considering content to be terrorist.  They clearly are under obligations to take other forms of content down, e.g. child pornography and hate speech. 

More questionable is the position with regard other types of content: the controversial and the objectionable, for example.  As private entities human rights obligations do not bite on them in the same way as they do with regards to States, so there may be questions about the extent to which a content provider can claim freedom of expression against an unwilling HSP (e.g. for Mastodon, the different instances have different community standards set up by that community - should those communities not be entitled to enforce those standards (providing that they are not themselves illegal)?).  There may moreover be differences between the various Member States as to how such human rights have horizontal effect and the deference given to contractual autonomy.  With regard to the video sharing platforms, it seems that room is given to the platforms to enforce higher standards if they so choose; there is not such explicit provision here.

A final point to note is the size of the penalties that are proposed.  The proposal implicitly distinguished between one-off failings and a ‘systematic failure to comply with obligations’.  In the latter cases, penalties of up to 4% of global turnover- in this there are similarities to the scale of penalties under the GDPR.  This seems to be developing into a standard approach in this sector.

Barnard & Peers: chapter 25, chapter 9
JHA4: chapter II:5
Photo credit: Europol

Thursday, 20 September 2018

Analysis of the ECtHR judgment in Big Brother Watch: part 2





Lorna Woods, Professor of Internet Law, University of Essex

(These comments on the judgment follow part 1 of the analysis, which explained the Court’s reasoning).

The Big Brother Watch judgment is, depending on your point of view, a confirmation of the possibility of bulk surveillance (para 314) or a recognition of the fact that the Regulation of Investigatory Powers Act (RIPA) regime was insufficient and that, to the extent that these weaknesses are copied over into the Investigatory Powers Act (IPA), that act is deficient also.  These two different views reflect the fact that the judgment is long and complex and that a one sentence summary is unlikely to do justice to all its nuances. In fact, in an area where there is a rapidly increasing body of case law, it is likely that the full significance of the judgment will not be known for some time and we know how it has been interpreted, followed, distinguished, over-written or simply ignored.  What follows then is necessarily a preliminary indication of the issues and points of significance that arise from the judgment.  It contains a number of themes, or questions:-

-          To what extent is there a consistent, even if gradated, approach across the different forms of surveillance?
-          To what extent should we say that the case law from the analogue era is not the best indicator of necessary safeguards for the digital?
-          What impact will this ruling have for the IPA – especially given that the Court’s assessment of the RIPA regime changes to improve accountability following on from the Snowden disclosures?

Admissibility

The first question, at least in relation to two of the sets of applicants, was the question of exhaustion.  While the Court accepted that there were “special circumstances” (para 268) (recognised in Sejdovic v Italy (app no. 56581/00)), so that the case was admissible, it is worth noting briefly the Court’s approach in getting to this point.

The applicant’s argument was based on the reasoning of the Court in Kennedy, that while the Investigatory Powers Tribunal (IPT) has heard cases which effectively constitute a challenge to the legal regime itself (rather than a claim of interference in the claimant’s individual case), the domestic regime did not obviously “benefit the applicant, given that it did not appear to give rise to a binding obligation on the State to remedy the incompatibility” (Big Brother Watch para 251, Kennedy para 109). Here, the Court relied on Zakharov - in terms of its discussion of victimhood and the admissibility of a claim in abstracto rather than in the context of availability of a remedy - to suggest that the distinction in Kennedy between an individual grievance and a general complaint against the system (in which latter case the IPT cannot provide a remedy) as regards has been removed. 

The fact that there might still not be a remedy for an individual in the context of a general complaint, even if the IPT agrees to hear the complaint, is not addressed. Is the Court suggesting that a complainant should (in any event) bring an individual challenge so as to find a remedy to exhaust? Such a suggestion would follow the same line as the reasoning of the concurring opinion in Zakharov: that showed a preference for specific cases of interference. 

While the Court emphasised the importance of the IPT and how it has changed over its 15 year period – specifically its independence, the scope of its powers and techniques it has developed to allow it to hear cases without running into difficulties from the sensitivity of some of claims, it did not address head on the fact that the IPT has only rarely found against the Government in cases involving the security and intelligence services and that only after the Snowden disclosures (see for details the IPT’s report covering 2011-15 and the much shorter statistical report covering 2016).  While the elucidation of procedures – especially those “below the waterline” - is clearly helpful to the Court (see para 257), it does not help the victim if there is no remedy. 

This approach signals that the Court will not accept more applications which seek to avoid the delays and expense inherent in bringing an action before the IPT – campaigners take note.

Merits of Case

Article 8 and the Section 8(4) Regime

The applicants argued that the s. 8(4) regime was not lawful in the sense that the regime was complex and significant elements of the regime were not made public but were “below the waterline”; further they argued it did not comply with the 6 requirements to guard against unfettered discretion and the risk of abuse found in Weber.  The Court’s response is detailed and considered but -in the end – perhaps overly deferential to a set of institutions which seemed happily unaware of the practices of the security and intelligence services.

The Court’s reasoning starts with the statement that in previous judgments different approaches had been taken to different types of surveillance and that “there is no one set of general principles which apply in all cases concerning secret measures of surveillance” (para 303).  Weber consolidated the position in a number of earlier cases, though these were not cited: e.g Malone (App no. 8691/79); Huvig (App no. 11105/84) and -broadly speaking - Leander (App No. 9248/81 but crucially specifically identified the criteria whereas earlier case law operated on the basis of a broader test. Later in its judgment the Court pointed to Uzun (App no. 35623/05) (concerning GPS tracking where the Court considered that because the tracking of movements in public disclosed less information about the conduct, opinions and feelings of the person concerned less strict safeguards were required) and RE (App no. 62498/11) (concerning covert surveillance of consultations of individuals with legal advisors in a police station) as cases involving surveillance where the Weber 6 criteria were not applied (para 351).  Nonetheless, following the standard line for interception cases (albeit targetted interception rather than bulk), it agreed that the 6 principles from Weber should be the starting point for assessing foreseeability. In this, the Court is following a well-trodden path – one that case also be seen in Centrum för Rättvisa (App no. 35252/08) which also deals with bulk interception (para 99).  The Court found the complexity point was a question of foreseeability; insofar as it dealt with that issue, it did so as part of the Weber criteria.

While a consistent central principle is desirable, and the intention of the Court to set this out is to be applauded, the approach of the Court here suggests that there are differences between types of surveillance which are relevant (see similarly RE para 130), but it does not give us a clear framework as to what factors to be taken into account in determining what relevant differences are.  Should we look at the distinction between bulk and targeted interception, between content interception and meta-data collection; or even between the legitimate purposes? It may be that all are relevant; it would have been helpful had the impact of these differences been clearly mapped; this judgment, however, seems more to give rise to questions than answers.

One key factor the Court emphasised was the level of intrusion – and in this it followed previous jurisprudence. Notably, it argued that:

it would be wrong automatically to assume that bulk interception constitutes a greater intrusion into the private life of an individual than targeted interception, which by its nature is more likely to result in the acquisition and examination of a large volume of his or her communications (para 316). 

Does this mean that the level of safeguards in relation to bulk acquisition should be less than those for targeted interception based on the degree of intrusion? Or, might we argue that untargeted acquisition is more problematic because of its impact on society generally and because it is less likely to be proportionate? The Court deals with this issue by distinguishing between interception and selection/examination.  Another area in which the Court is unclear on the level of intrusion is in its consideration of meta data and whether it is less intrusive – more intrusive or similarly intrusive albeit in a different way. 

Nonetheless, in a statement that could be considered an important step forward in terms of the Court’s recognition of the importance of meta data, it Court commented that it was “not persuaded that the acquisition of related communications data is necessarily less intrusive that the acquisition of content” and by contrast to content interception, bulk acquisition magnified the problem (para 356). It seems from the discussion of the related communications that the Weber criteria can be applied to bulk communications data acquisition (para 350).  Finally, though lying outside the fact pattern, the Court referred to its recent decision in Ben Faiza (App no. 31446/12) to say that (perhaps in contrast to Uzun) that real time tracking was more intrusive than the transfer of historical data. 

It is regrettable that – despite its recognition of the significance of communications data - the Court did not investigate further the points raised in some submissions regarding the scope of the data collected and the impact of new technologies in terms of the types of analytical techniques used.  So far this issue has not attracted much judicial attention (the exception being the brief mention in the ECJ’s Canada PNR Opinion (Opinion 1/15)). Judge Koskelo in a partly concurring partly dissenting opinion commented that on the sea change that has taken place in terms of the amount and nature of data that is available, as well as mechanisms for carrying out surveillance, exposing individuals to greater intrusion than before (paras 11-13).

Despite this ‘sea change’, the Court also rejected the proposal to ‘update’ the Weber criteria to require objective evidence of reasonable suspicion in relation to the persons for whom data is being sought and the subsequent notification of the surveillance subject on the basis that it “would be inconsistent with the Court’s acknowledgement that the operation of a bulk interception regime in principle falls within a State’s margin of appreciation” (para 317).  This suggests that the powers of European review are in fact limited so that they cannot exclude a particular instance of bulk surveillance.  Such a position would seem to be a movement from that which says bulk surveillance is not automatically prohibited but it still must satisfy the three-stage test in Article 8(2) as determined at Convention level.  In terms of proportionality of a bulk regime, the Court refers to the Anderson Review of Bulk Powers. It accepts its findings that there is a case for bulk surveillance, but seemingly equates that to a finding that such surveillance is proportionate (paras 384-6). It is clear from the review, however, that the question of the proportionality of any such measures was not considered, this being a matter for Parliament.

A further consideration is the extent to which the proportionality analysis changes (or should change) depending on the public interest objective in view.  The headline statement about the acceptability of bulk surveillance related to national security, yet RIPA allowed (and the IPA does allow) the carrying out of bulk surveillance on a broader range of grounds.  In any event, as Judge Koskelo commented, is it appropriate to judge the adequacy of safeguards in the context of cases that arose in very different factual circumstances? In that context, note that much of the assessment of the facts in this case is based on what the Court previously found in Kennedy – prior to the Snowden disclosures. Further, this approach to generalised surveillance seems to be a point at which there is some divergence between the Court and the ECJ, as noted in the Joint Partly Dissenting and Partly Concurring Opinion of Judges Pardalos and Eicke.

The Court suggested that the 6 criteria in Weber needed to be adapted for the context of bulk surveillance (as it did in Centrum för Rättvisa para 114) despite the fact that Weber itself concerned a bulk regime. Moreover, when the Grand Chamber applied the Weber criteria in the case of targeted interception it did not adapt Weber, although it also considered ‘additional relevant factors’ in relation to the consideration of ‘necessary in a democratic society’ (Zakharov, para 232). It is not therefore clear what the nature of and necessity for this adaptation is in this case.  The Court here also proposed considering the regime in the light of the Zakharov additional factors (para 320).  This consolidation sees to becoming more common (see also Centrum för Rättvisa). It should be noted, however, that while the two sets of considerations will be based on similar facts, their content is slightly different, though whether this consolidation has a detrimental impact on the level of protection afforded is an open question. 

Another issue is the extent to which the ex post controls can be seen as compensating for a lack of ex ante controls.  While Judge Koskelo expressed concerns about the reliance on ex post control generally (paras 17, 20), a key point from this judgment is the Court’s re-iteration that prior judicial authorisation is not essential. Nonetheless, although the Court emphasised the importance of the ex post control by the IPT (para 318) (the new double lock system under the IPA not being in place at the time of the hearing), in relation to the selection of the material the ex post oversight seemed insufficient (paras 345-346).  It may be that the difference in the Court’s approach can be explained by its view of the degree of intrusion, with the selection of material being more intrusive than the collection though there is still a degree of uncertainty in what the test requires here. 

Significantly, the Court has viewed the interception of content as a potential violation in its own right. This seems to contradict the commonly made assertion that the automated collection of data (whether content of communications, communications meta data – or other data eg location via GPS or ANPR) is not an intrusion.  It also reminds us that the interception of content and its examination is not one event, but on ongoing process that may lead to multiple intrusions which need to be assessed individually (the data sharing reasoning reiterates this point too).  While the IPA has brought in greater ex ante controls, this is a weakness that remains in the new act.  The great unexplored territory is, as noted, whether a claim could be made that there should be some sort of control over types of analytical techniques used when analysing big data sets/predictive analytics.

A further point of some significance for the IPA regime is the Court’s approach to the use of related data which, despite some changes in terminology, is the same as in RIPA. It seems from the Court’s analysis that the selection for examination of such data for purposes beyond determining whether the individual is in the UK or Ireland requires greater oversight than the regime currently provides.   The Court also refrained from discussing (perhaps because the Government did not raise it) the question of where the interception takes place (para 271). This issue remains for another day.

Article 8 and Data Sharing

As regards the data-sharing regime, there will no doubt be disappointment that the Court accepted the regime. It could be said that the judgment thereby renders data sharing acceptable, especially given its emphasis on the global nature of terrorism and the States’ duties to protect security. The judgment is perhaps significant for what it did not cover. It carefully limited the topic on which it ruled, the receipt of intelligence and did not discuss the sharing of intelligence gather by the British services and shared overseas. There is also an assumption here that a person outside the UK who data is shared with the British services will still have convention rights when the information is shared/processed in the UK.  The issue of where the intrusion happens may become more complex in other situations – perhaps in the context of equipment interference warrants.

Article 8 and Bulk Communications Data

The Court’s analysis of the bulk communications data regime is in some ways disappointing as it does not deal directly with the substance. Instead the regime falls because there is no basis in law, despite the existing statutory framework (whether we consider RIPA or IPA). Simply put, the domestic courts have recognised that the statute must be disapplied for non-compliance with the requirements of EU law, and the Strasbourg Court therefore concluded that the regime “cannot be in accordance with the law within the meaning of Article 8” (para 467).  The point worth emphasising here is that the Court based its conclusion on its understanding of domestic law, not by relying directly on EU law.  It certainly has not gone as far as adopting the reasoning of the Court of Justice in the data retention cases.

Article 10

Finally, a relative novelty in Big Brother Watch is the Article 10 freedom of expression arguments (the Court not having considered the issue since Weber).  Note that the Court relied on its reasoning under 8(2) with regard to the assessment of 10(2): the considerations seem therefore to be the same, implicitly introducing the Weber criteria and the Zakharov additional considerations into freedom of expression.  Presumably this jurisprudence will not be relied on save in the specific context of the impact of secret surveillance on the media. While the Court did not state that journalistic communications would be entirely off-limits (similarly lawyers’ conversations are not sacrosanct: Kopp), there are a couple of points that will have implications for the IPA. In relation to bulk interception there were concerns about the lack of safeguards in relation to the selection of material (para 493), an area where the Court had already found the regime to be weak. Further, the IPA provides safeguards that are limited to applications that have the purpose of targetting journalists’ communications; the Court here noted that the protections did not “apply in every case where there is a request for the communications data of a journalist or where such collateral intrusion is likely” (para 499). This lack, adding to the general failings of the regime (above), meant that the regime could not be considered in accordance with the law for the purposes of Article 10(2).

Barnard & Peers: chapter 9
JHA4: chapter II:7
Photo credit: MiniPress news

Wednesday, 19 September 2018

Brexit means...no legal changes yet: the CJEU rules on the execution of European Arrest Warrants issued by the UK prior to Brexit Day





Professor Steve Peers, University of Essex

There’s a lot of legal debate about the consequences of Brexit, but the definitive word on the legal issues, as far as the EU is concerned, is the EU’s Court of Justice. Its first judgment on Brexit issues was released today, defining the legal position up until Brexit Day – and arguably influencing the approach to be taken after that date.

Today’s judgment in RO concerned whether Ireland was still obliged to execute a European Arrest Warrant (EAW) issued by the UK, in light of the UK’s expected withdrawal from the EU, having notified its intention to leave on the basis of Article 50 TEU.  In fact, the draft withdrawal agreement would regulate this issue to some extent: EU law (including the EAW) would still apply to the UK for a transition period (discussed here) until the end of 2020, subject to the caveat that EU Member States could refuse to surrender their own citizens pursuant to an EAW issued by the UK (the UK could reciprocate). At the end of the transition period, outstanding EAWs could still be executed between the UK and EU as long as the fugitive was arrested on the basis of the EAW before that date.  However, these specific provisions are not yet agreed, and of course nor is the entire withdrawal agreement, so inevitably the Court made no mention of this draft treaty in its ruling.

The UK issued two EAWs for the purpose of prosecuting RO on grounds of murder, rape and arson charges, but he has challenged the execution of the warrants in Ireland. RO is in detention pending execution of the EAWs, which is why the Court agreed to fast-track this case. (Note that it refused to fast-track an earlier reference on the same issues, referred by the Irish Supreme Court. It also refused to fast-track a similar case on whether the Dublin asylum rules still apply to the UK in light of Brexit). RO argued that he faced torture or inhuman or degrading treatment in UK prisons, based on 2016 CJEU case law (discussed here), which was since clarified in July. The Irish High Court therefore asked the issuing judicial authority to clarify that detention conditions in Northern Ireland would meet minimum standards, and it was satisfied with the reply.

However, the Irish High Court was still concerned about the impact of Brexit on RO’s case, and so asked the CJEU if it had any impact on executing the EAW. RO argued that there was no guarantee that the UK would continue to be bound by the EAW law after Brexit Day, in particular the rules on: deducting custody periods spent in the executing state from any subsequent sentence; the ‘specialty’ rule (the fugitive can only be prosecuted for the offences specified in the EAW); limits on further surrender or extradition to an EU or non-EU State; and the protection of human rights under the EU Charter of Fundamental Rights.  Furthermore, the CJEU would likely not be in a position to rule on these issues as regards the UK after Brexit Day.

Judgment

The Court began by noting that mutual trust between Member States was founded on “common values” referred to in Article 2 TEU. This principle means, as regards justice and home affairs, that “save in exceptional circumstances” Member States must presume all other Member States “to be complying with EU law and particularly with the fundamental rights recognised by EU law”. For the EAW, this manifested itself in a system of mutual recognition, entailing an obligation to execute an EAW issued by a Member State except “in principle” where the exhaustive grounds for refusal listed in the EAW apply. But the “exceptional circumstances” permit an executing State’s court to end the EAW process, for instance where there was a risk of torture et al under Article 4 of the Charter (which matches Article 3 ECHR). In this case the national court was satisfied that there was no risk of losing rights at present; but what about the position of the fugitive after Brexit day?  

On that point, the Court noted that an Article 50 notification “does not have the effect of suspending the application of EU law” in the withdrawing Member State. Therefore EU law, including the EAW legislation “and the principles of mutual trust and mutual recognition inherent in that decision, continues in full force and effect in that State until the time of its actual withdrawal from the European Union”. The Court summarised the Article 50 process without commenting on whether it would be possible to rescind the notification, as discussed here. That issue is relevant to this case since a withdrawal of the notification would render the fugitive’s argument moot, but the issue does not seem have been raised in the case, presumably because it would not have helped the fugitive and is only hypothetical as long as the UK government is not contemplating withdrawing the notice.

In the Court’s view, disapplying the EAW to the UK simply because an Article 50 notification had been sent would “be the equivalent of unilateral suspension of the provisions of the” EAW law, and would ignore the wording of its preamble, which says that it can only be suspended if the EU decides that an issuing Member State has breached the EU’s values. A recent CJEU judgment concerning alleged breaches of EU values in Poland (discussed here) concluded that EAWs could only be suspended on a case-by-case basis if no such finding of breach had been made.  An Article 50 notification was not an “exceptional circumstance” suspending the principle of mutual trust.

However, RO could argue that there were “substantial grounds for believing” that after Brexit, he was “at risk of being deprived of his fundamental rights and the rights derived” from the specific provisions of the EAW law referred to by the national court (listed above). On those points, the Irish court had already dismissed the argument that there was a risk of torture, et al, owing to UK prison conditions. Brexit would not affect that position, in the Court’s view:  

In that regard, it must be observed that, in this case, the issuing Member State, namely the United Kingdom, is party to the ECHR and, as stated by that Member State at the hearing before the Court, it has incorporated the provisions of Article 3 of the ECHR into its national law. Since its continuing participation in that convention is in no way linked to its being a member of the European Union, the decision of that Member State to withdraw from the Union has no effect on its obligation to have due regard to Article 3 of the ECHR, to which Article 4 of the Charter corresponds, and, consequently, cannot justify the refusal to execute a European arrest warrant on the ground that the person surrendered would run the risk of suffering inhuman or degrading treatment within the meaning of those provisions.

As for the specific provisions of the EAW, there were no “ongoing legal proceedings” which might infringe the specialty rule, and no “concrete evidence to suggest” that any such proceedings are being “contemplated”. This was equally true of the potential surrender or extradition to an EU or non-EU State. Furthermore, these provisions of the EAW law “reflect” provisions of the Council of Europe’s extradition Convention, which has been ratified by the UK and applied in its national law. So in the Court’s view, “[i]t follows that the rights relied on by RO in those areas are, in essence, covered by the national legislation of the issuing Member State, irrespective of the withdrawal of that Member State from the European Union”. The deduction of previous prison time served also exists in UK law and will apply regardless of whether the extradition process is part of EU law.

Since the rights based on the legislation and the Charter “are protected by provisions of [UK] national law in cases not only of surrender [under the EAW law], but also of extradition, those rights are not dependent on the application” of the EAW law as such to the UK, and “there is no concrete evidence to suggest that RO will be deprived of the opportunity to assert those rights before the courts and tribunals of” the UK after Brexit.

Nor was the potential absence of CJEU jurisdiction decisive, because the fugitive “should be able to rely on all those rights before a court or tribunal of” the UK, and the Court’s jurisdiction did not always apply to the EAW law anyway. Indeed while the law applied from 2004, the Court’s jurisdiction did not apply fully until 2014.

Overall then:

…in order to decide whether a European arrest warrant should be executed, it is essential that, when that decision is to be taken, the executing judicial authority is able to presume that, with respect to the person who is to be surrendered, the issuing Member State will apply the substantive content of the rights derived from the Framework Decision that are applicable in the period subsequent to the surrender, after the withdrawal of that Member State from the European Union. Such a presumption can be made if the national law of the issuing Member State incorporates the substantive content of those rights, particularly because of the continuing participation of that Member State in international conventions, such as the European Convention on Extradition of 13 December 1957 and the ECHR, even after the withdrawal of that Member State from the European Union. Only if there is concrete evidence to the contrary can the judicial authorities of a Member State refuse to execute the European arrest warrant.

Comments

What has the Court’s judgment told us about the Brexit process? First of all, it confirms that in the run up to Brexit nothing much will change, even though some legal relationships and processes begun before Brexit Day will conclude after it. The general statement that EU law continues to apply to the UK until Brexit Day is qualified, but those qualifications have little impact, as long as the UK continues to apply the ECHR, the Human Rights Act, EU legislation and any other relevant international treaties until that date. While the Court refers implicitly to the UK’s Extradition Act, the EU Withdrawal Act has more generally provided for the retention of EU law in UK domestic law after Brexit.  

Only if the UK starts making prospective changes to that retained law before Brexit Day will there be an issue about the UK/EU relationship during that time.  In that case the test will be whether the specific EU law rights which the litigant seeks to rely upon will be removed by the UK post-Brexit. There would have to be “concrete evidence” of the removal of such rights. Logically the rantings of an angry backbencher should not be enough evidence to that end, whereas a change in the law should be. In between those two ends of the spectrum, a government intention to amend policy, or a government bill tabled before parliament, would arguably be enough.

After Brexit it remains to be seen whether the EAW largely continues applying during the transition period, with an agreed phase out process (in the event that the withdrawal process is agreed). In that scenario attention will turn to the details of the future UK/EU relationship in this area (more on that issue here). Today’s judgment, with its acceptance that Member States can rely upon the future position of a non-Member State as long as it complies with the ECHR and EU legislation, even if no CJEU jurisdiction applies, does not lend support to those who claim that it will be impossible for the UK to have a close relationship with the EU in this field after Brexit. (Note also that in the NS judgment, the CJEU assumed that the principle of mutual trust can apply to non-EU States, in para 78). In any event, the limits on Member States extraditing citizens of another Member State to a non-EU State will apply (see discussion of the case law here).

If there’s no withdrawal agreement, then there may be conflicting approaches to the validity of EAWs pending on Brexit day (which the CJEU will likely be called upon to settle, along with similar issues relating to other EU legislation disapplying to the UK). There would also be a reversion to the use of the Council of Europe extradition treaty, with EAWs either being treated as extradition requests or having to be reissued. The UK would immediately lose access to the Schengen Information System, which is how many EAWs are transmitted. As a consequence, as evidenced by the impact of introducing the EAW, fewer people would be extradited and the process would take longer. All this would one among a number of legal and practical challenges arising from such a major disorganised disruption.

Barnard & Peers: chapter 25; chapter 27
JHA4: chapter II:3
Photo credit: The Journal.ie

Tuesday, 18 September 2018

The EU’s commitment to combatting violence against women: rhetoric or reality?





Catherine Briddick, Martin James Departmental Lecturer in Gender and Forced Migration at the Refugee Studies Centre of the University of Oxford - @CateBriddick

Background

The EU has, at its heart, a legal commitment to combat discrimination, including that based on sex, and to promote gender equality. It has however, been subject to sustained and justified criticism for its failure(s) to live up to these commitments, particularly in relation to its treatment of migrant and refugee women. The announcement by the Commission in 2016 that the EU would sign and conclude (ratify) the Council of Europe Convention on Preventing and Combatting Violence Against Women (the Istanbul Convention) was, therefore, warmly received by activists and academics alike.
 
The Istanbul Convention, for readers unfamiliar with it, is only the second international, legal instrument to focus on violence against women and the role of that violence in maintaining women’s inequality. The purposes of the Convention (set out in Article 2) are to protect women from all forms of violence and to prevent, prosecute and even eliminate violence against women and domestic violence. To achieve these purposes the Convention imposes on Parties a comprehensive range of obligations including that they:

-          adopt integrated, co-ordinated and properly resourced policies and programmes to challenge gender inequality, monitor and respond to violence against women (Istanbul Convention, Chapter II);
-          prevent violence through education, training and awareness-raising (Chapter III);
-          protect and support victims via a range of non-legal and legal measures (Chapters IV, V and VI);
-          investigate, prosecute and punish offenders (Chapter VI);
-          grant autonomous and/or renewable residence permits to migrant women who are victims of violence (Article 59); and,
-          ensure that refugee women’s claims for protection and dealt with in a gender-sensitive way (Arts 60 and 61).

Significantly, the rights and protections the Convention provides victims are to be secured by Parties without discrimination on any ground, including migration or citizenship status (Article 4(3)).

In force since 2014, the Convention has, at the time of writing, been ratified by thirty-three States (including Germany, Austria, Denmark, France, Italy, Spain, Sweden and Turkey) and signed by many others, including the UK.

The EU’s current approach

The Istanbul Convention itself envisages EU accession (Article 75), something that the EU can do to the full extent of its competences, as this blog has already discussed. The procedure to be followed involves the Council, following a Commission proposal and the consent of the European Parliament, adopting a decision which concludes the agreement. The agreement must identify the legal bases for the EU’s accession, bases derived from the EU’s legal competence (its ability or power) to act in a particular field. Once ratified, this agreement is binding on the institutions of the EU and EU Member States, to the extent that the EU has concluded the treaty. You can read more about this process here.

The EU’s competence in relation to violence against women is extremely broad. The legal bases under the Treaty on the Functioning of the European Union (TFEU) identified by the Commission in its Proposal for the Council on the conclusion of the Istanbul Convention were:

Article 16 (data protection), Article 19(1) (sex discrimination), Article 23 (consular protection for citizens of another Member State), Articles 18, 21, 46, 50 (free movement of citizens, free movement of workers and freedom of establishment), Article 78 (asylum and subsidiary and temporary protection), Article 79 (immigration), Article 81 (judicial cooperation in civil matters), Article 82 (judicial cooperation in criminal matters), Article 83 (definition of EU-wide criminal offences and sanctions for particularly serious crimes with a cross-border dimension), Article 84 (non-harmonising measures for crime prevention), and Article 157 (equal opportunities and equal treatment of men and women in areas of employment and occupation).

The Commission argued that it was appropriate to base a Council Decision signing the Istanbul Convention on Articles 82(2) and 84 TFEU because the ‘predominant purpose’ of the Convention is to prevent crime and protect victims. Selecting these bases would enable the EU to ‘exercise its competences over the entirety of the Convention’. Accordingly, the Commission’s draft Council Decision refers to Article 82(2) and Article 84 TFEU and refers to the EU signing up to the Convention as a whole.

The Council, however, took a radically different approach to that proposed by the Commission, taking not one but two decisions to sign the Convention in May 2017.

The first decision refers to Article 82(2) and Article 84 TFEU but states in Article 1 that:

The signing, on behalf of the European Union, of the Council of Europe Convention on preventing and combating violence against women and domestic violence with regard to matters related to judicial cooperation in criminal matters is hereby authorised, subject to the conclusion of the said Convention (emphasis added).

The second decision identifies Article 78(2) TFEU (on the establishment of a Common European Asylum System) as its legal base, stating in its Article 1 that the signing of the Convention is ‘with regard to asylum and non-refoulement’ (again, emphasis added).

These decisions limit the legal obligations the EU will accept in relation to the Istanbul Convention only to those that concern judicial cooperation in criminal matters and to asylum and non-refoulement (not, for example, European Union free movement law).

These decisions not only diverge from the Commission’s proposal, but also from the EU’s position in relation to the UN Convention on the Rights of Persons with Disabilities (the CRPD). The Council decision which signed the CRPD signed the Convention as a whole and took as its legal basis the EU’s commitment to non-discrimination.

Commentary

Readers of this blog can be forgiven for asking if any of the above really matters. The obligations that the EU is planning to assume under the Istanbul Convention are significant, even if they are more limited than many hoped for and anticipated. EU action in either of the two areas it has signed up to could yield significant improvements in the way that violence against women is responded to, at both an EU and national level.  

Well it does matter, for at least two reasons.

First, EU free movement law disadvantages women, including women who have been subject to violence. To take just one example, as this blog and I have argued, the CJEU’s shameful decision in NA (which concerned Article 13 of the Citizens Directive), left a third-country national woman whose EU citizen husband subjected her to domestic violence and then left the UK, without a secure migration status. Article 59 of the Istanbul Convention requires Parties to grant autonomous and/or renewable residence permits to victims of violence in a broader range of circumstances than that currently provided for by EU law, potentially improving the position of women like NA whose migration status is (or was) dependent on their partner. The EU’s decision not to sign up to this provision means that women who are subject to violence whose migration status is determined by EU law will continue to face considerable hardship.

Second, the Convention itself and the holistic approach it adopts to violence and discrimination against women have been attacked and undermined by States who are either Parties or signatories to it.  Some States, including Poland, Latvia, Lithuania and Croatia have sought to limit the obligations the Convention imposes by making impermissible and potentially invalid declarations / reservations to it. In Bulgaria the process of ratifying the Istanbul Convention has been halted following a controversial judgement from its Constitutional Court that the Convention contradicts Bulgaria’s constitutional protection of women as mothers. The Commission has expressed concern about these developments and has sought to encourage States to ratify the Convention fully and without delay, highlighting its own role as a potential enforcer of the Convention where EU competences are involved. The EU’s ability to provide either political leadership or legal support on these issues is, however, hampered by its own partial and highly selective engagement with the Convention. Not only is the EU open to allegations of hypocrisy, but its own actions give succour to, rather than challenge, the conduct of the very States whose behaviour it seeks to influence.

Can the Council’s position be challenged?

Whether the Council’s two decisions will actually lead to the EU engaging with the Istanbul Convention in the very limited way described here is, as yet, far from clear.  

The European Parliament has stated that it ‘regrets’ the Council’s approach because it raises ‘legal uncertainties as to the scope of the EU’s accession, as well as concerns regarding the implementation of the Convention’. The Parliament has recommended instead ‘a broad EU accession to the Convention without any limitations’. It is not known whether the Parliament’s ‘regret’ will extent to withholding its agreement to the Council’s decisions.

The decisions could also be subject to legal challenge. The Commission has successfully challenged a Council decision to enter into a legal agreement with a third country on the grounds that it did not proceed on the correct legal bases. A similar challenge, based on the arguments the Commission advanced in its Proposal (as discussed briefly above) or, more persuasively in my view, on the grounds that the EU’s legal response to violence against women should be based in its commitment to combat sex discrimination, may well yield success.

The Istanbul Convention is monitored and enforced by a committee, the Group of Experts on Action against Violence against women and Domestic Violence (GREVIO) via a reporting and inquiry procedure. The EU’s approach to the Istanbul Convention could also be challenged by GREVIO or another Party to it. Article 75 of the Istanbul Convention refers to the Convention as a whole being open for signature, not parts of it whilst Article 73 provides for a dispute mechanism to be created if Parties disagree over the application of its provisions.

At the time of writing the EU’s (stalled) ratification of the Istanbul Convention is being considered by the Council working party on Fundamental Rights, Citizens’ Rights and Free Movement of Persons (FREMP). This scrutiny is being accompanied by a concerted, EU-wide campaign in support of the Istanbul Convention and the EU’s full ratification of it. Over the next few months we will be able to gauge the impact of these processes, as the EU proceeds (slowly) to conclude the Convention. We will then find out whether the EU’s rhetoric on violence against women is any more than that. 

Barnard & Peers: chapter 9, chapter 20
JHA4: chapter I:5
Photo credit: Council of Europe