The UK implements EU free movement law – in the style of Franz Kafka

 

Steve Peers

Most laws are complicated enough to start with, but with EU Directives there is an extra complication – the obligation to transpose them into national law. A case study in poor transposition is the UK’s implementation of the EU’s citizens’ Directive, which regulates many aspects of the movement of EU citizens and their family members between EU Member States. Unfortunately, that defective implementation is exacerbated by a further gap between the wording of this national law and its apparent application in practice, and by the unwillingness of the EU Commission to sue the UK (or other Member States) even for the most obvious breaches of the law.

It’s left to private individuals, who usually have limited means, to spend considerable time and money challenging the UK government in the national courts. One such case was the recent victory in McCarthy (discussed here), concerning short-term visits to the UK by EU citizens (including UK citizens living elsewhere in the EU) with third-country (ie, non-EU) family members.  The UK government has just amended the national rules implementing the EU citizens’ Directive (the ‘EEA Regulations’) to give effect to that judgment – but it has neglected to amend the rules relating to another important free movement issue.

Implementing the McCarthy judgment

The citizens’ Directive provides that if EU citizens want to visit another Member State for a period of up to three months, they can do so with very few formalities. However, if those EU citizens are joined by a third-country family member, it’s possible that this family member will have to obtain a short-term visa for the purposes of the visit. The issue of who needs a short-term visa and who doesn’t is mostly left to national law in the case of people visiting the UK and Ireland, but it’s mostly fully harmonised as regards people visiting all the other Member States.

Although the EU’s citizens’ Directive does simplify the process of those family members obtaining a visa, it’s still a complication, and so the Directive goes further to facilitate free movement, by abolishing the visa requirement entirely in some cases. It provides that no visa can be demanded where the third-country family members have a ‘residence card’ issued by another EU Member State. According to the Directive, those residence cards have to be issued whenever an EU citizen with a third-country family member goes to live in another Member State – for instance, where a British man moves to Germany with his Indian wife. Conversely, though, they are not issued where an EU citizen has not left her own Member State – for instance, a British woman still living in the UK with her American wife.

How did the UK implement these rules? The main source of implementation is the EEA Regulations, which were first adopted in 2006, in order to give effect to the citizens’ Directive by the deadline of 30 April that year. Regulation 11 of these Regulation states that non-EU family members of EU citizens must be admitted to the UK if they have a passport, as well as an ‘EEA family permit, a residence card or a permanent residence card’. A residence card and permanent residence card are creations of the EU Directive, but an ‘EEA family permit’ is a creature of UK law.

While the wording of the Regulation appears to say that non-EU family members of EU citizens have a right of admission if they hold any of these three documents, the UK practice is more restrictive than the wording suggests. In practice, having a residence card was usually not enough to exempt those family members from a visa requirement to visit the UK, unless they also held an EEA family permit. Regulation 12 (in its current form) says that the family member is entitled to an EEA family permit if they are either travelling to the UK or will be joining or accompanying an EU citizen there. In practice, the family permit is issued by UK consulates upon application, for renewable periods of six months. In many ways, it works in the same way as a visa requirement.

An amendment to the Regulations in 2013 provided that a person with a ‘qualifying EEA State residence card’ did not need a visa to visit the UK. But only residence cards issued by Germany and Estonia met this definition. This distinction was made because the UK was worried that some residence cards were issued without sufficient checks or safeguards for forgery, but Germany and Estonia had developed biometric cards that were less likely to be forged.

In the McCarthy judgment, the CJEU ruled that the UK rules breached the EU Directive, which provides for no such thing as an EEA family permit as a condition for admission of non-EU family members of EU citizens with residence cards to the territory of a Member State. The UK waited nearly three months after the judgment to amend the EEA Regulations to give effect to it.

The new amendments cover many issues, but to implement McCarthy they simply redefine a ‘qualifying EEA State residence card’ to include a residence card issued by any EU Member State, as well as any residence card issued by the broader group of countries applying the EEA treaty; this extends the rule to cards issued by Norway, Iceland and Liechtenstein. Presumably this brings the rules into compliance with EU law on this point (the new rules apply from April 6th). That means that non-EU family members of EU citizens will not need a visa to visit the UK from this point, provided that they hold a residence card issued in accordance with EU law, because they are the non-EU family member of an EU citizen who has moved to another Member State. However, this depends also on the practice of interpretation of the rules, including the guidance given to airline staff.

‘Surinder Singh’ cases

On the other hand, the new Regulations do not implement other recent CJEU case law (discussed here) on what is known in the UK as the ‘Surinder Singh’ route. This is based on CJEU rulings which state that an EU citizen who moves to another Member State with non-EU family members can then return to his or her home Member State and invoke EU free movement law to ensure that this State admits his or her family members. The purpose of doing this is to avoid very restrictive rules on the admission of family members of British citizens into the UK, which are much more stringent than the EU free movement rules (Danish and Dutch citizens also use these rules).

The 2013 amendments to the Regulations state that this route can only be used where the ‘centre of life’ of the family concerned has shifted to another Member State. This is inconsistent with last year’s CJEU ruling, which requires only a three-month move to another Member State to trigger the rules. In practice, this test is then applied before an ‘EEA family permit’ is issued to the family member concerned, which allows that family member to reside in the UK with the UK citizen.

Since these parts of the Regulations have not been amended, and there is still provision for an ‘EEA family permit’ in the Regulations, presumably the intention is to continue to apply these rules to regulate the longer-term stay of UK citizens’ family members using the Surinder Singh route.

Conclusion

The better course from the outset for the UK would have been to avoid the creation of the ‘EEA family permit’, which is not provided for in any EU legislation or hinted at in any CJEU case law. Furthermore, not only do the UK rules not implement EU law correctly, they also are not applied in practice exactly as they are written, but on the basis of a general unwritten understanding about what they actually mean. This doesn’t even deserve to be called a ‘policy’. Instead, the best description comes from Yes, Minister: it’s the ‘policy of the administration of policy’.  

 

Barnard & Peers: chapter 13

Is the EU coming to save legal aid, or to bury it? An assessment of negotiations on the proposed Directive

by Claire Perinaud (FREE Group Trainee)

For many people facing criminal charges, legal aid is essential if they wish to defend themselves effectively. The EU is planning to adopt legislation on this issue in the near future. But will it actually make a significant contribution to ensuring suspects’ rights in this area?

State of implementation of the Procedural rights roadmap.

After years of unsuccessful attempts, starting in 2004 with a general Commission proposal on procedural rights, it was only from the end of 2009 that the EU legislation on procedural rights for suspects and accused persons in criminal proceedings has progressively taken shape. This was due to the entry into force of the Treaty of Lisbon (TFEU art. 82(2) now confer the power to adopt legislation on this issue), to article 47 of the Charter of Fundamental Rights (providing for the right to a fair trial) and to a political “roadmap” by which, in November 2009 the Council relaunched the Commission original proposals following a step-by-step approach instead of trying to adopt comprehensive legislation as initially foreseen in 2004.

However it is more than likely that this pragmatic approach and the transition from unanimity to qualified majority voting of the EU Member States in the Council (as from the entry into force of the Treaty of Lisbon) has made possible the adoption in co-decision with the European Parliament of the three first legislative measures on suspects’ rights: Directive 2010/64/EU on the right to interpretation and translation in criminal proceedings; Directive 2012/13/EU on the right to information in criminal proceedings; and Directive 2013/48/EU on the right of access to a lawyer in criminal proceedings.

Building on this success, at the end of November 2013 the Commission proposed a second “package” of suspects’ rights measures, comprising: a directive on procedural safeguards for children who are suspected or accused in criminal proceedings; a recommendation on procedural safeguards for vulnerable people suspected or accused in criminal proceedings; a directive strengthening of certain aspects of the presumption of innocence and of the right to be present at trial in criminal proceedings; a directive on the right to provisional legal aid for citizens suspected or accused of a crime; and a recommendation on the right to legal aid for suspects or accused persons in criminal proceedings.

In 2014 the Council already reached a general approach on the proposal for a directive on procedural safeguards for children and on the directive on the presumption of innocence. On this basis the dialogue between the Council and the European Parliament (EP) is about to start and it is possible that in the coming months an agreement could be reached so that these texts could be adopted already at the EP’s “first reading”.

Last week the Council reached (after eight months of internal negotiations!) a general approach also on the draft Directive on provisional legal aid for persons deprived of liberty in criminal proceedings and will start in the coming weeks the dialogue with the Parliament also on this text.  

The coming months will then be extremely important for EU procedural rights in criminal matters even if it will not be easy to achieve the high results that the European Parliament and some Member States were expecting. In the absence of the energetic push of the former Commission Vice President Reding there is a risk that the negotiations may achieve the lowest common denominator between the Member States also due to the unwillingness of some of them to adopt any EU legislation which can create further financial and internal institutional tensions.

Legal aid : why make it simple when you can make it tricky ?

The draft Directive on legal aid is probably the text which is currently facing the most adverse winds. Already the initial Commission’s political choice not to deal with legal aid in the Directive on the access to lawyer has created an artificial disconnection from the right to legal aid and the more general “right to legal advice” which is required by the ECHR jurisprudence as well as by the EU Charter (Articles 47 and 48). (On the human rights aspects of the right to legal aid, see the annex).

Instead of tabling a proposal that would cover these two interconnected rights, the Commission chose to come forward with a proposal on the right to access to a lawyer (now Directive 2013/48/EU) and, separately, with this proposal, which is intended however only as a partial complement to the 2013 Directive. In the words of the Commission, “the … proposal is closely linked to Directive 2013/48/EU on the right of access to a lawyer and it aims to contributing to rendering effective the right on access to a lawyer provided for in that Directive at the early stages of the proceedings for suspects or accused persons deprived of liberty”. Thus, no general rules on legal aid, but a mere stop-gap to ensure that in the very early phase of the proceedings some form of legal aid is provided.

Even worse, on the same day that the Commission transmitted its proposal to the European Parliament and to the Council, the Commission adopted a non-binding Recommendation on the right to legal aid for suspects or accused persons in criminal proceedings . The aim of this Recommendation is “to foster certain convergence as regards the assessment of eligibility of legal aid in the Member States, as well as encouraging the Member States to take action to improve the quality and effectiveness of legal aid services and administration“.

The legal basis of the Recommendation aside, its understanding of the implementation of the right to legal aid in criminal proceedings is broader than that of the draft Directive.
According to the Recommendation the right of legal aid has to be guaranteed to any suspect or accused person “from the time they are made aware, by official notification or otherwise, by the competent authorities, that they are suspected or accused of having committed a criminal offence, and irrespective of whether they are deprived of liberty”, by putting forward the purpose of the right to legal aid, namely to complement and render effective the right of access to a lawyer as set out in Directive 2013/48/EU of the European Parliament and of the Council.

The work in the Council

The Council started examination of this proposal only in July 2014 under the Italian Presidency. However, no agreement was found and at the December 2014 Justice and Home Affairs Council only a “state of play” was presented to Ministers. At the JHA Council on 12-13 March the Council agreed its general approach. Its position shows some significant differences compared to the initial Commission proposal which, as outlined above, was already unambitious:

o a wide possibility for Member States to introduce exceptions to the application of the right to provisional legal aid for minor offences (not further defined) (Article 2 (3));

o a further possibility for Member States to subject the admission to provisional legal aid to discretionary criteria if this refers to “less serious offences” (once again, undefined) (Article 4 (2bis));

o the elimination of the possibility to access provisional legal aid in European Arrest Warrant proceedings as far as legal assistance in the issuing Member State is concerned (Article 5 (2) of the Commission proposal).

In substance, Member States are left free to define the scope of application of the (limited) right to provisional legal aid, with all but the most serious offences as possible exceptions.

It is difficult, in light of this result, to find any real added value in the text provisionally agreed by the Council. This view is shared by a number of delegations (such as France, Spain, Italy, Portugal, Belgium), which, in the course of the Council debate, have made reference to the intention of subscribing a declaration, to be added to the minutes of the Council, in which they express their disappointment. However, these delegations have not blocked the adoption of the general approach, preferring instead to proceed with the legislative procedure and with the negotiations with the European Parliament.

These will be anything but easy: a rapid overview of the amendments tabled by the EP Rapporteur Dennis De Jong (LIBE Committee) and by the other MEPs of the Committee show two widely diverging views of what this Directive should be about. LIBE will vote its “orientation” on April 14 and dialogue can then start. So it is too early to say now if the EP will succeed in enhancing this right (maybe by taking inspiration from the Commission’s Recommendation and translating its content into a binding text).

Reblogged from: http://free-group.eu/2015/03/16/legal-aid-in-criminal-proceedings-will-the-european-parliament-improve-the-councils-general-approach/

[See also: Steve Peers' book chapter on EU law on legal aid in civil and administrative cases]
[Updates: the presumption of innocence Directive has been adopted (see later blog post here) and the Directive on child suspects' rights has been agreed (see later blog post here).

NOTES

Annex

FURTHER READING : Sources of the right to legal aid

The importance of the right to legal aid is linked with the right to an effective remedy and to a fair trial. Indeed as an ancillary right, it enshrines the principle of effective judicial protection and the right to access to justice, which is of primary importance in line with Human Rights declarations applicable in Europe.

Because of its ancillary dimension, the respect for the right to legal aid is provided for in a number of international instruments of utmost importance. It is guaranteed by Article 14 (3) of the International Covenant on Civil and Political Rights (ICCPR), and the fundamental principles on which it should be based are outlined in the United Nations Principles and Guidelines on Access to Legal Aid in Criminal Justice Systems adopted on 20 December 2012 by the General Assembly.

Article 6 (3)(c) of the European Convention on Human Rights (ECHR) sets out a “right to legal assistance where the defendant has insufficient means to pay for legal assistance, and to get free legal aid when the interest of justice so requires”.

Concerning the European Union as such, since the entry into force of the Treaty of Lisbon, the EU Charter has bound the EU institutions. Yet, Article 47(3) of the European Union Charter of Fundamental rights provides that “legal aid shall be made available to those who lack sufficient resources in so far as such aid is necessary to ensure effective access to justice”. Even implicitly, the need to provide for legal aid can be drawn from some other dispositions of the Charter such as Art. 48 (2), which states that “Respect for the rights of the defence of anyone who has been charged shall be guaranteed”.

Furthermore, the respect for the right to legal aid guaranteed by article 47(3) of the EU Charter has to be understood in light of the ECtHR case-law, which contributes to add to the strict procedural side of legal aid a more substantial element, through the requirement of enabling each suspect to present his or her case properly.

To assess the respect of this requirement, the ECtHR held in the case of Airey v. Ireland that the effectiveness of the right to access to justice throughout the right to free legal aid depends mostly on whether the individual in question would be able to present his/her case properly and satisfactorily without the assistance of a lawyer. Circumstances in which legal representation would be necessary for ensuring access to justice could be the complexity of the procedure before the court of first instance and complexity of the legal points involved. This assessment must also take into account personal circumstances of the applicant and the form of legal aid in question.
Therefore the right to legal aid can be limited as far as it is justified by a legitimate aim and that if there exists a reasonable relationship of proportionality between the limitation and the legitimate aim sought.

Barnard & Peers: chapter 26

Denmark and EU Justice and Home Affairs Law: Details of the planned referendum

 

 

Steve Peers

Danish participation in cross-border criminal law measures is symbolised by 'The Bridge', the 'Nordic Noir' series about cross-border cooperation in criminal matters between Denmark and Sweden. But due to the changes in EU law in this field, that cooperation might soon be jeopardised. As a result, in the near future, Denmark will in principle be voting on whether to replace the current nearly complete opt-out on EU Justice and Home Affairs (JHA) law with a partial, selective opt-out. I have previously blogged on the implications of this plan in general terms, but it’s now clear exactly what this vote will be about.

First of all, a short recap of the overall framework (for more detail, see that previous blog post). Back in 1992, Denmark obtained an opt-out from the single currency, defence and aspects of JHA law (it’s widely believed that it also obtained an opt-out from EU citizenship, but this is a ‘Euromyth’). These opt-outs were formalised in the form of a Protocol attached to the EU Treaties as part of the Treaty of Amsterdam. The JHA opt-out was then amended by the Treaty of Lisbon.

At present, Denmark participates in: the EU policing and criminal law measures adopted before the entry into force of the Treaty of Lisbon; measures relating to the Schengen border control system (as  matter of international law, not EU law); the EU rules on visa lists (as a matter of EU law); and the EU’s Dublin rules on allocation of asylum applications, ‘Brussels’ rules on civil jurisdiction and legislation on service of documents (in the form of treaties with the EU). In contrast, Denmark does not – and cannot – participate in other EU rules on immigration and asylum law or cross-border civil law, or policing and criminal law rules adopted since the entry into force of the Treaty of Lisbon.

The Protocol on Denmark’s legal position either allows it to repeal its JHA opt-out entirely, or selectively. If it chooses to repeal the opt-out selectively, it would then be able to opt in to JHA measures on a case-by-case basis, like the UK and Ireland, although (unlike those states) it would remain fully bound by the Schengen rules. Indeed, those rules will then apply as a matter of EU law in Denmark, not as a matter of international law.

In practice, while Danish governments have promised for a while to hold a referendum on the JHA opt-out, the concrete plans to hold one in the near future were triggered in light of the planned EU legislation to replace the current rules establishing Europol, the EU police agency, with new legislation (on that proposal, see here).  This led to an agreement between the government parties and several opposition parties (excluding the far-right Danish Peoples’ Party) known as the ‘Agreement on Denmark in Europol’ (for the text, see here). This agreement states that the referendum will take place after the next general election (which must be held by September 2015), and no later than 31 March 2016. The ‘main reason’ for the referendum is to allow Denmark to opt in to the new Europol rules, but the parties also agreed to study whether Denmark should opt in to other EU civil, criminal and policing laws which currently don’t apply. However, the parties agreed that Denmark should not opt in to any EU immigration or asylum law (besides Schengen, which already applies).

This analysis has now been completed (see the text in Danish here), and the parties have agreed that Denmark would apply to opt in to 22 EU laws if the referendum is successful. Conversely, they have agreed not to opt in to 10 other EU laws.

As regards civil cooperation, the parties have agreed to opt in to large majority of EU measures, as regards: insolvency; payment orders; small claims; the European enforcement order; mediation; the Rome Regulation (on conflicts of law concerning contract); the Rome II Regulation (on conflicts of law concerning non-contractual liability); external relations; protection orders; inheritance; maintenance proceedings; parental responsibility; and account preservation orders. It should be noted that changes to the insolvency proceedings regulation are about to be formally adopted, and changes to the small claims rules will likely be agreed later this year; presumably the agreement also entails opt-ins to the existing legislation as amended.

In contrast, the parties agreed not to opt in to legislation on legal aid in cross-border proceedings, or to the Rome III Regulation on conflicts of law in divorce cases. Nor have they agreed yet on whether to opt in to the pending proposals relating to jurisdiction and choice of law over marital property, and the property of civil partnerships, in the event of relationship breakdown. In general, the recent agreement states that decisions to opt in to measures which have not yet been adopted depend on a future consensus of the relevant parties, or endorsement in a general election.

As for policing and criminal law, the parties agree to opt in to all measures concerning substantive criminal law and most measures concerning EU agencies and mutual recognition. In particular, they agree to opt into seven Directives, regarding: the European Investigation Order; protection orders; trafficking in persons; sexual abuse of children; cyber-crime; market abuse; and counterfeiting the euro. Conversely, they rule out opting in to the legislation on crime victims’ rights, the three Directives on suspects’ rights (concerning interpretation and translation, access to a lawyer and the right to information) and the rules on confiscation of criminal assets. They also rule out opting in to the legislation on EU funding in JHA matters.

They have partly agreed on future measures in this field, agreeing to opt in to the Regulations now under discussion on Europol and Eurojust (the EU prosecutors’ agency) and the Directive on passenger name records, but to opt out of the legislation establishing the European Public Prosecutor. The Commission has also proposed legislation on the European Police College, fraud against EU funds and drug trafficking, along with three more suspects’ rights measures (concerning childrens’ rights, the presumption of innocence and legal aid). Decisions on those measures will again depend upon on a future consensus of the relevant parties, or endorsement in a general election.

The parties’ clarification of their intentions provides useful certainty for the Danish public when it has the opportunity to vote on these issues. In general, in criminal matters Denmark would be participating in the EU measures assisting the prosecution, without any counterbalance by means of recent legislation regarding the rights of victims or suspects. Similarly it would still be participating in the Schengen rules on external border controls and the abolition of internal border checks, without any of the accompanying harmonisation of immigration and asylum law that applies to other Schengen States which are EU members. On the whole, Denmark would also be participating in more JHA legislation than the UK and Ireland – not just as regards full participation in Schengen (as is already the case), but also as regards the EU legislation on inheritance, account preservation, investigation orders, market abuse, currency counterfeiting and Eurojust, all of which one or both of the UK and Ireland have opted out of. On the other hand, the UK and Ireland have opted in to the EU legislation on crime victims’ rights, some of the legislation on suspects’ rights and the first phase of EU asylum law. Given that Ireland participates in the single currency, a Danish 'yes' to selective participation in JHA law would cement the UK's position as the chief non-participant in EU laws which bind most other Member States.

 

Barnard & Peers: chapter 26

Fact-checking Nigel Farage: Do most countries ban migrant children from state schools?

Steve Peers

I was planning to wait until after Easter to comment in detail on the EU law issues in the UK’s general election. But yesterday’s reported comments by Nigel Farage, the leader of the UK Independence Party, demand an immediate short reply. In his view, the children of migrants should not have access to state schools or health for a number of years after their parents’ entry. He stated that this was the norm for most countries, and in particular that his children could not attend state schools if he was in the USA on the basis of a work permit.  

Is this true though? In fact, the UN Convention on the Rights of the Child and the Covenant on Economic, Social and Cultural Rights say that primary education should be free to all without discrimination. Perhaps it’s UKIP policy for the UK to denounce these treaties; but if so, we surely should be told. In practice, the numerous studies on migrant children’s sometimes difficult educational performance certainly don’t suggest that they are only allowed to attend private schools in most countries. For the USA in particular, a few seconds’ searching will show that not only are immigrant children allowed to attend state school, this even extends to the children of undocumented migrants.  How else could the USA have become a melting-pot for millions of immigrants over many decades, if their children were limited to attending private schools?

It’s instructive to examine the interplay between Farage’s comments and the latest version of UKIP’s immigration policy. By itself, that policy is coherent, and contains some very good elements – notably the exclusion of counting migrant students, and the absence of any numerical quota or target for overall migration. Rather, the policy would admit in only skilled workers who achieve a certain number of ‘points’ in the system; nurses would be exempt from the points requirement. This is similar to the system in several other wealthy countries.

Yet those other countries usually allow in family members straight away, whereas Farage states explicitly that there would be a lengthy delay before admitting dependents. In contrast, the EU’s Blue Card rules, which aim to attract highly-skilled migrants, waive any waiting period for family members, because such a forced split up of families obviously deters migrants from moving. The EU rules simply copy the standards in other wealthy countries on this point.

How many nurses – or skilled migrant workers – would move to the UK if it meant years of forced separation from their family? How many nurses could afford private school fees for their children, when they were finally allowed family reunion under Farage’s plans? His statements are not simply inaccurate, but render his party’s immigration policy incoherent.

On a personal note, Farage’s assertions rang false immediately for me, because I was a child in another country (Canada), and there was no difficulty gaining admission to state school, where I had classmates who had just moved from the (then) Yugoslavia. How else could Canada take a huge number of migrants every year, with a historically small private education system? Farage, on the other hand, attended private school. Undoubtedly some migrants (who can afford to do) send their children to private schools, for linguistic or cultural reasons, because developing countries cannot afford to offer high-quality state schooling, to ensure that their children get the right certificate for university entry back home, or due to simple personal preference for private education.

So probably Farage met some foreign students as a private schoolboy. But he has overgeneralised his own experience into a universal norm, without even checking basic facts. UKIP styles itself as ‘the People’s Party’; but Farage has just reminded us that he is about as working-class as Marie Antoinette.

When super-regulators fight: the ‘one-stop shop’ in the proposed Data Protection Regulation

Steve Peers

A guilty pleasure for fans of superhero comic books is the moment when our heroes pause in their valiant efforts to save the public from the nefarious plans of the supervillains – and start beating the hell out of each other instead. This is usually triggered by some trivial difference of opinion, perhaps concerning a continuity error or intellectual property rights.

Similarly, the EU vests its hopes for the effective enforcement of data protection law upon national data protection authorities (DPAs): the superheroes of the data protection world. They have considerable powers under the current data protection Directive, and the proposed Regulation would also give them more powers. But what if they disagree with each other? There’s nothing in the current legislation to settle this problem, which gives each DPA the power to regulate actions on its own territory without addressing the obvious complications that result in a digital age, when many forms of processing of personal data (most obviously via the Internet) take place across borders.  

To deal with this problem, the Commission proposal contains a conflict rule to determine who is the lead regulator in cross-border cases, with the possibility that a ‘European Data Protection Board’ or the Commission itself can issue an opinion on the issue. This has been dubbed the ‘one-stop shop’ rule. However, due to legal concerns, both the Council (which is about to adopt its position on this part of the proposed Regulation: see the draft text here), and the European Parliament (EP), which has already adopted its position on the entire text, propose instead that the Board must be able to make binding decisions to settle disputes.

So this is set to become one of the most significant innovations of the new legislation. Let’s take a look at what the future rules will likely say about the role of national DPAs, the one-stop-shop process and the powers of the Board.

National data protection authorities

The current Directive already provides for the existence of DPAs, and insists that they must exercise their powers in ‘complete independence’. CJEU case law (discussed here) has set out a very strong interpretation of this notion, ruling that Germany, Austria and Hungary breached it, because they provided for too much accountability to national parliaments (Germany), failed to separate the DPA from the ordinary civil service (Austria) and defenestrated the DPA boss before his normal term of office expired (Hungary).

The proposed Regulation would retain and elaborate upon this concept, and the Council and EP agree with most of the Commission’s suggestions. Admittedly, the DPAs have to be appointed by public authorities in the first place: after all, their powers don’t stem from being bitten by a radioactive spider, or orphaned in a bat-infested back alley. The Council would amend the proposal so that they don’t have to be appointed by the government or parliament, but could instead be appointed by the head of state or independent body. Only the last alternative would fully ensure their independence from the outset (although who appoints the ‘independent body’?)

Three points of concern here. First, the proposal would usefully require the national DPAs to be adequately funded. That is easier said than done, for most DPAs complain of an absence of sufficient funding. For instance, the Irish DPA occupies a small office next to a corner shop – but purports to regulate (among many other things) all of Facebook’s activities in the EU.  Secondly, the Council would remove the proposed rule requiring that DPAs be independent ‘beyond doubt’ when they are appointed; but DPAs should not be a resting ground for political hacks and bagmen. Thirdly, the Council would remove most of the details concerning the loss of office of DPAs, retaining only the minimum rule of four years in office. As the termination of the Hungarian DPA showed, it’s hard to exercise your powers independently if you constantly fear that there may be Kryptonite in your coffee.

As for the powers of the DPAs, the Regulation would strengthen and elaborate upon their current advisory and enforcement roles. In particular, the current powers to investigate, intervene and engage in legal proceedings would be fleshed out, by adding powers concerning audits, access to the premises of the controller and processor, ordering compliance with a data subject’s request, the suspension of data flows, or the imposition of fines.  

But with these great powers will come only limited accountability. DPAs will have to publish an annual public report (and the EP even wants to weaken this obligation). But that’s the only way that their decisions can be controlled, unless a cross-border complication means that other DPAs, or the European Data Protection Board (a sort of uber-DPA) gain jurisdiction, as discussed below. Otherwise, the only bodies which can watch these watchmen are the courts.

Settling disputes

Although the Commission is often accused of favouring over-centralisation in the EU, its proposed model for a ‘one-stop-shop’ was highly decentralised. Where a data processor or controller was established in the EU in more than one Member State, the supervisory authority of the ‘main establishment’ would have competence to regulate all that controller’s or processor’s activity in all Member States. There would be new rules on cooperation between supervisory authorities, in particular as regards mutual assistance (each DPA would usually have to comply with requests from another DPA) and joint operations.

In several cases, however, a DPA would have had to send a draft measure to the European Data Protection Board for its opinion. In particular, this would have applied to measures regulating processing concerning ‘offering of goods or services to data subjects in several Member States, or monitoring of their behaviour’, or which would ‘substantially affect’ the free movement of data. Following the Board’s opinion, the Commission could give its opinion, and then could ultimately adopt a binding measure if necessary. A decision of any supervisory authority is enforceable in all Member States, except where that DPA breaches the consultation rules, in which case its decision isn’t valid.

However, the Council and EP both agree to strip the Commission of all dispute settlement powers, and to confer binding powers on the Board instead. In the Council’s version, the DPA of the main establishment or single establishment of the controller or processor would not be the sole authority, but only the lead supervisory authority for transnational processing. Even then, each national supervisory authority would be competent to deal with an issue which only concerned an establishment in its State, or ‘substantially affects data subjects only in’ that State, unless the lead DPA decided to step in.

There’s a complex process for trying to reach a consensus on a decision between the lead DPA and the other DPAs involved. But in the event of a dispute between them, as regards the content of a draft decision, or who is the lead DPA in the first place, or where the procedures aren’t followed, then the European Data Protection Board can adopt a binding decision.  The Council would remove the rules on enforceability and unenforceability of DPA decisions, but the EP wants to strengthen them. In the event of disputes about the Board’s decisions, the preamble sets out detailed rules on whether litigation would take place before the national or EU courts.

The European Data Protection Board

It isn’t spelled out in the main text of the proposed Regulation, but the future Board is clearly a super-powered version of the current ‘Article 29 working party’, an advisory body which is (like the future Board) made up of members of the national DPAs. That working party can give opinions on national data protection law, data protection in the EU and third countries, the amendment of the Directive and codes of conduct. It has indeed issued many such opinions, which can be found on its website. They are interesting documents which fascinate data protection specialists, but which have not yet had any direct impact on the interpretation of the law by the CJEU. In the Commission’s proposal, the working party would be renamed and it would have more advisory powers, but its essential role would not change.

However, this puny body is about to be transformed at the behest of the Council and EP, which would both confer significant powers upon it as regards dispute settlement (discussed above), along with a longer list of advisory powers. The Council would also take the logical step of defining the Board as a ‘body’ of the EU, with express legal personality.

Finally, it should be noted that the future European Data Protection Board should not be confused with the current European Data Protection Supervisor (EDPS) – although I suspect that this warning will be in vain for many years to come. The EDPS is created by separate legislation, and has the role of enforcing data protection law against the EU’s institutions and other bodies, as well as advising on the development of EU data protection law. Its role in the new Regulation will be very limited. The Commission wants it to have a seat and a deputy chair post on the Board, but the Council rejects the first suggestion (relegating the EDPS to an observer role instead) and both the Council and the EP reject the second one. The EDPS will provide the Board’s secretariat, but the Council wants to build a firewall between the two administrations. In effect, while both the Board and the EDPS will have a significant role in the EU’s data protection architecture, there will be almost no crossover between them – rather like comic books produced by competing publishers.

Conclusion

It is certainly necessary for the EU to ensure that DPAs have effective powers to ensure the application of data protection law. Although it will still be possible for individuals to bring legal action directly against data processors or controllers (under other parts of the Regulation, which the Council has not yet agreed), DPAs remain the principal method of enforcing the rules. However, the draft legislation does not fully address the key practical question of sufficient ensuring resources for DPAs, and there is also not enough protection against dismissal or for the initial independence of DPA staff in the Council’s draft position.  

As for settlement of disputes, the Commission’s idea of a lead DPA having full jurisdiction was fairly attractive, although apparently it was torpedoed by the objections of the Council’s legal service. The replacement system is comparatively convoluted, and it has one key weakness – the absence of procedural rights for the original complainant before the Board. Also, it leaves intact greater possibilities of multiple DPAs acting as regards the same data processor or controller, with resulting greater complications for data subjects, DPAs and data processors and controllers alike. It will probably take some time (and possibly even litigation) before the new system will be working effectively. Furthermore, the Council’s removal of the rules about the unenforceability of DPA decisions which are taken in contravention of the rules could lead to complications in the event of rebellious DPAs. Finally, the existence of parallel bodies with similar names (the Board and the EDPS) may be unavoidable, but it unlikely to help public understanding of the EU’s data protection system.

Basic data protection principles in the proposed Data Protection Regulation: Back to the Future?

Steve Peers

So far, 2015 is not like the Back to the Future movies promised it would be like. In particular, there are no hoverboards (drones are a poor substitute). Moreover, instead of agreeing a data protection framework fully fit for 2015, the Council is probably about to agree that the key principles of the law should remain as they were in 1995 – which might as well be 1985 (or even 1955) in terms of technology law.

Background

The negotiations on the EU’s proposed General Data Protection Regulation finally seem to be nearing the final stretch, as far as the Council is concerned. Member States’ ministers in the Council seem likely to agree later this week on two more parts of the proposed Regulation: on basic principles of data protection (text here) and on supervisory authorities, including the idea of a ‘one-stop shop’ for data protection supervision (text here).

Previously they had agreed on three other parts of the Regulation, namely rules on: territorial scope and external relations (see discussion here); public-interest exceptions (see here); and the roles of data controllers and processors (see here; see particularly the discussion of the ‘privacy seals’ rules here). (For full consolidated text of everything the Council has agreed to date, see here). If the proposed texts on principles and data protection authorities are indeed agreed this week, the Council mainly only has to agree on the scope and definitions in the Regulation, along with the rights of data subjects, such as the right to be forgotten (see discussion of the proposed text on that issue here), and related individual remedies.

This blog post focusses on the issue of basic data protection principles. The Commission’s proposalsuggested some fairly modest changes to these basic rules as compared to the current data protection Directive, although the European Parliament (EP) would like to go further than the Commission (see its position here). However, the Council’s position would entail very modest changes indeed to the status quo. For this aspect of data protection law, if the Council has its way, the EU’s lengthy legislative reform journey would end up much where it originally started.

Details

Currently, the data protection Directive begins with a clause (Article 5) which appears to give the Member States a great deal of discretion in how to apply the Directive. The CJEU effectively sidelined that clause in its ASNEF judgment, emphasising instead the need for uniform interpretation of the Directive. The new Regulation would suppress this clause entirely, but the Council in particular wants to reintroduce a number of specific provisions referring back to national law. So in some respects, the current Directive resembles a Regulation already – but conversely, the future Regulation will continue to resemble a Directive. 

The basic principles of data protection as proposed and (nearly) agreed by the EU institutions are similar to the current Directive: fair and lawful processing; purpose limitation; data minimisation; accuracy; and storage minimisation. The changes would concern: the addition of ‘transparency’; some express protection for archiving or other scientific purposes; and the insertion of data security (by both the EP and the Council). The EP also suggests that the effective protection of rights should be listed as one of the principles. This is a useful suggestion, since although it might seem at first sight that such effective protection is a procedural, not a substantive rule, in the field of data protection it is necessary to ensure that procedural rights are built in to the system (the so-called ‘privacy by design’). An example would be a social network that makes it easy to complain that the user’s privacy has been violated.

Next, the proposal sets out the grounds for processing personal data, again based on the current Directive: consent; contract; compliance with a legal obligation; vital interests of the data subject; public interest or official authority; or legitimate interest of the controller or a third party, subject to an override for the privacy of the data subject. The latter rule is particularly important for the private sector, in the absence of consent or a contract, and the case law points in different directions. In ASNEF, the CJEU ruled that Member States restricted direct marketing companies too much in the interests of consumers, but in Google Spain (discussed here) it ruled that the privacy interests of those named in search results overrode Google’s financial interests as regards its search engine.

The rules would be amended to: refer to consent for specific purposes; extend to the vital interests of another person (according to the Council); and consider the interests of children as regards the ‘legitimate interests’ clause. (The Commission proposal, agreed by the EP, defines a child as anyone under 18; the Council has not agreed this definition yet). Also, the Commission would like to remove the possibility that the legitimate interests of third parties are a ground for processing, but the EP and Council both want to keep this. However, the EP wants to add an important new proviso that such private interests are linked to the ‘reasonable expectations’ of the data subject.  The Council also wants to retain the current rule that consent must be ‘unambiguous’, while the EP and Commission want to delete this adjective.

Furthermore, the institutions differ greatly on what happens if the purpose of data processing is changed. The Commission proposes that changing the purpose should be acceptable on any of the grounds for the initial processing of the data, except for the legitimate interests of the controller. The Council wants to allow a change of purpose for any of the grounds for the initial processing, including the legitimate interests of the controller; while the EP does not want to provide expressly for any incompatible processing at all. The Council’s position in particular would turn the purpose limitation principle into the very smallest of figleaves.

One of the most significant changes in the new rules would be a definition of consent (the CJEU has not yet been asked to clarify this concept under the current Directive). All the institutions agree that the data controller would have to prove consent. The Council’s version would add some very useful rules requiring the data controller to use plain language, while the EP would specify that the relevant contractual terms would be void. The institutions also agree that there should be an express power for the data subject to withdraw consent, although it’s arguable that such a power already exists implicitly under the current rules. Finally, the Commission wants a new clause that would reject the possibility of consent if there is a ‘significant imbalance’ between the data subject and the data controller, and the EP wants to disapply contract terms which are unnecessary for supplying a service. However, the Council rejects entirely the idea that the Regulation should protect Davids from Goliaths.

The other significant change would be a specific rule on children. The Commission proposes that information society services must get the consent of the parents of children under 13. This broadly reflects social networks’ practice of either requiring consent or not permitting younger children to join their network (as we know, this is not fully effective in practice). But the Council version, if agreed, will refer instead to national laws on contract, removing the reference to a particular age. For its part, the EP would broaden the scope of the clause to refer to all supply of goods and services, and would also add a very useful ‘plain language’ clause. Unfortunately, none of the EU institutions propose an amendment which would enormously improve the lives of parents across Europe: an EU-wide hour-long daily limit on children playing Minecraft.

Next, the proposed Regulation keeps largely intact the supposed prohibition on processing so-called sensitive personal data, namely data on racial origin, political opinions, religious beliefs, trade union membership and health or sex life. All institutions agree to add ‘genetic data’ to this list. The EP and Commission also want to add criminal convictions, but the Council wants to retain the current separate rule on this type of data. Furthermore, the EP wants to add sexual orientation, gender identity and biometric data to the list.

The ‘prohibition’ on processing such data is a legal fiction, since both the current rules and the proposed Regulation allow it to be processed on a number of grounds. In fact, the Council will likely agree to extend those grounds, to include social security and social protection, judicial activities, public health and archiving. The Council also wants to retain the current rule that consent by the data subject must be ‘explicit’, while the EP wants to add the possibility of processing based on a contract.

Finally, both the EP and the Council want to strengthen the current rule providing that the data controller is not obliged to obtain further data on the excuse that it has to identify the data subject in order to apply data protection law.

Comments

In summary, the Council’s likely version of the future Regulation would only differ from the current Regulation as regards: new principles of transparency and security; a new definition of consent; a largely cosmetic clause on children’s consent (since it refers back to national law); and a small extension of the list of sensitive data, coupled with a bigger list of exceptions to the prohibition on processing that data.

For its part, the EP would: add a new principle of effective exercise of rights; adjust the balance of interests between the data subject and data controller; limit incompatible further processing; curtail questionable contract terms; strengthen children’s rights; and widen the scope of the concept of sensitive data.

Despite all the fuss made over the proposed new legislation, the Council’s changes would amount to a very marginal change in the rules. (To be fair, though, there would be bigger changes in some other areas of data protection law, such as the new ‘one-stop-shop’ rules).  In particular, there are manifold protections for research-related activities in the Council version of the text: the end is clearly not as nigh for research as many advocates of it have been predicting. The key differences between the EP and the Council concern the balance between corporate interests and individual privacy rights, where it seems that companies have successfully lobbied the Council to make no significant changes, while privacy NGOs have convinced the EP to argue for modest improvements in individual rights. The forthcoming negotiations between the EP and the Council on the final version of the Regulation will determine whether the new rules will genuinely be different, or will merely amount to old cookies in new jars.  

 

The financial services industry and the European Central Bank: the UK has won a battle, but can it win the war?

 

Steve Peers

Until yesterday, two trends seemed consistent in the jurisprudence of the EU courts. First of all, the UK kept losing cases relating to the interests of its financial services industry: on short-selling (discussed here), the financial transactions tax (discussed here) and bankers’ bonuses (discussed here). Secondly, the UK kept losing cases concerning its opt-outs from EU law (for instance, on social security and the immigration opt out, see here).

However, yesterday’s judgment of the EU’s General Court on the UK’s challenge to the European Central Bank (ECB) policy on securities clearing systems bucks both trends. What are its implications for the UK's financial services industry, and for the UK's relationship with the EU?

The judgment

The UK challenged a ‘Policy Framework’ published by the ECB, which set out the role of the ‘Eurosystem’ (the ECB and the national central banks of Eurozone states) as regards payment, clearing and settlement systems. Sweden supported the UK, while Spain and France supported the ECB; the Commission stayed neutral. The UK objected to the Policy Framework provisions which stated that any central counterparties (CCPs) that held more than 5% of the credit exposure for one of the main euro-denominated product categories had to be legally incorporated and fully controlled from within the euro area. This would inevitably mean that a portion of the financial services industry which was traditionally located in the City of London would have to move to one or more Eurozone financial markets instead.

First of all, the judgment examined the admissibility of the action. The General Court rejected the ECB’s argument that its Policy Framework was not a reviewable act, ruling that despite its apparent soft law form it would perceived as a de facto binding policy and would be applied by Eurozone regulatory authorities in practice. Also, the Court ruled that the UK had standing to bring a legal action against acts of the ECB, despite its opt-out from the single currency.

Secondly, the Court ruled on the substance of the case. It was only necessary to rule on one of the UK’s five arguments against the validity of the Policy Framework: that the ECB lacked competence to adopt a measure on the location of CCPs. (The other arguments concerned Treaty free movement rules, competition law, non-discrimination on grounds of nationality and proportionality).

The ECB had claimed a power to regulate on the basis of Article 22 of its Statute, which takes the form of a Protocol attached to the Treaties, and states that the Bank ‘may make regulations, to ensure efficient and sound clearing and payment systems within the Union and with other countries’. Also, the Bank referred to Article 127(2) TFEU, which gave it the task ‘to promote the smooth operation of payment systems’, and the ECB’s general objective of maintaining price stability and supporting general economic policies, as set out in Article 127(1) TFEU.    

In the Court’s view, however, these powers only extended to the ability to regulate ‘payments’ in the narrow sense, ie the ‘cash leg’ of clearing operations, not the ‘securities leg’, since securities do not in themselves constitute payments. Article 22 of the ECB Statute could only apply to payment systems with a clearing stage, rather than all clearing systems, in the absence of any explicit reference to the clearing of securities. The Court also rejected the ECB’s argument that it had an implied power to regulate such issues, since such implied powers only existed ‘exceptionally’.

Finally, the Court concluded by sketching out (in effect) a ‘roadmap’ to change the current situation. Acknowledging that there are ‘very close links’ between payment systems and securities clearance systems, and that disturbances affecting securities clearance can affect payment systems, it stated that Article 129 TFEU could be used to amend the relevant provisions of the ECB Statute to extend the Bank’s powers in this field. So it suggested that the ECB could trigger that amendment process by requesting the EU legislature to amend the Statute.

Comments

The essential elements of the Court’s judgment (which could still be appealed to the Court of Justice) are convincing. From the perspective of accountability, the ECB should not be able to adopt ‘policy frameworks’ with quasi-mandatory language that will likely be applied in practice, as a means of evading the judicial review that would certainly apply if it adopted those rules (as its Statute specifies) in the form of regulations. Nor is it acceptable that the ECB could adopt measures with an impact on non-eurozone Member States and deny those countries standing to sue it, especially when the Treaties (as the Court pointed out) contain no limits on such standing.

As for the substance of the case, the Court is surely right, in the interests of accountability, to say that EU institutions’ implied powers have to be interpreted narrowly. There have been five major Treaty amendments in thirty years, and so there have been plenty of opportunities for Member States to decide what powers ought to be conferred upon EU institutions, and what powers should not. In the absence of an express conferral of power, the cases where the institutions have implied powers should be very exceptional indeed.

However, the Court takes an unusually narrow approach to the interpretation of an express power, namely the possibility for the ECB to regulate ‘clearing and payment systems’ as set out in its Statute. It is not self-evident that this provision can only apply to the ‘cash leg’ of clearing systems, especially in light of the links between payment and securities systems, and the impact of disturbances affecting securities clearance, which the Court expressly acknowledges.

This key aspect of the ruling can only be understood in light of the broader political context of this case. If the ECB had won, that result would have been widely regarded in the UK as a carte blanche for the ECB to split up the single market in financial services, as part of a broader ‘ganging up’ of Eurozone Member States against non-Eurozone Member States, in particular the UK. This would have been a rather hyperbolic reaction, since an ECB victory would not necessarily have had an impact beyond the specific issue of securities clearance, and the Eurozone Member States do not gang up as easily as is sometimes imagined: witness the current relationship between Greece and Germany, for starters. Nevertheless, it’s no wonder that the judges believed it would be wiser to hand this hot potato back to the politicians.

It’s striking, though, that the judges’ roadmap to give the ECB more powers is particularly easy to follow. The use of Article 129 TFEU to amend the ECB Statute only requires a proposal from the Commission or a recommendation of the ECB, followed by the ordinary legislative procedure, entailing joint power for the European Parliament and a qualified majority vote in Council. Although all Member States would have a vote, Eurozone States (if they do gang up together on this point) can now outvote non-Eurozone States.  The UK would have to seek alliances, rather than threaten vetoes, to block such a move. The referendum requirement in the UK’s European Union Act 2011 wouldn’t apply (see s. 10(1)(b) of the Act; the requirement for parliamentary approval there is meaningless, since the UK could be outvoted). Indeed, the UK would need the backing of some Eurozone States, as well as all non-Eurozone States, to block such a Treaty amendment. This would entail, for instance, securing the support of countries like Poland, at the same time as the UK (whichever of the two largest parties forms the biggest part of government after the next election) seeks to cut back the rights of Polish workers.

Failing that, the UK could bring a legal challenge to the Treaty amendment, or the ECB measure implementing it, invoking again its arguments concerning the internal market, competition law, discrimination and proportionality, which were not addressed in the General Court’s judgment. There’s a strong case to be made that the valid objective of regulating securities clearance effectively could be ensured by collaboration between the ECB and the Bank of England, rather than forcing some part of the financial services industry to move from the UK to the Eurozone, but the UK could not count on the EU courts accepting it.  

What are the broader implications of this judgment for the UK’s role in the EU? First of all, it weakens the pro-Brexit argument that ‘we should leave the EU because the Eurozone Member States are ganging up on us’. For now, the UK has won this battle, and it’s only a hypothetical possibility that it will lose the war later on. Secondly, it weakens the argument that ‘the City of London would be perfectly fine after Brexit’. If that were true, then why were Eurosceptics poised to make an unholy fuss if the UK had lost this case? Indeed, if the UK were not in the EU, it would not have had the privileged standing to sue the ECB, and the government (or British securities firms) would have had to go through national courts in the Eurozone to challenge this policy instead. Moreover, it might be harder to invoke the other arguments which the UK made in this case (and would have to make in future), depending on what legal arrangements governed the EU/UK relationship after Brexit.

 

Barnard & Peers: chapter 19