Monday 28 May 2018

Revision of Audiovisual Media Services Directive – Video-sharing Platforms

Professor Lorna Woods, University of Essex

The revision of the Audiovisual Media Services Directive has been discussed since 2016.  There were significant differences between the responses of the Council and the European Parliament to the Commission’s proposal.  There have been 9 informal trilogue meetings up to and including that of 26th April 2018.  Although the institutions state progress has been made, the text has not yet been finalised - ‘technical details’ remain to be agreed in June. In response to a request to see the preparations for trilogue negotiations, the Council rejected the request even to access the agreed compromise positions, stating that “this file is under heavy pressure from interest groups which are particularly interested in the negotiations on commercial communications (i.e. advertising) where economic stakes are high”.  The concern is that even existing agreements may be undermined. Nonetheless, from the documents that are available some comments can be made. 

This note focusses on one of the more startling innovations from the Commission’s proposal – the provisions on “video-sharing platforms” - a further extension in scope of the AVMSD (or some parts of it).  So, the first point to note is that although there might be significant differences between the institutions as far as the nature of the obligations to be imposed on video-sharing platforms, and even understanding as to what constitutes such a platform, it seems that the institutions are agreed that some obligations should be imposed.  The question is not ‘if’, but ‘how’.

What is a Video-sharing Platform?

The proposal added at Article 1(1)(aa) a definition of “video-sharing platform” (VSP), with a corollary definition of “video-sharing platform provider” at Article 1(1)(aa).  As originally drafted, the definition of VSP contained 6 elements:

-          that there be a service within the meaning of the TFEU – in this, there is the same starting point as for audiovisual media services;

-          the service consists in the storage of a large amount of programmes (as defined in the directive, and this definition is proposed to be changed from its current formulation too);

-          that the provider of the service does not have editorial responsibility (another defined term) for the content stored – this seems to be a key element for drawing a boundary between on-demand audiovisual media services and VSPs, as on-demand AMS providers may also organise content;

-          the organisation of the stored content is determined by the service provider, whether automatically or not;

-          the principal purpose of the service (or of a ‘dissociable part thereof’) is “devoted to providing programmes and user-generated videos to the general public, in order to inform, entertain or educate’; and

-          as for other services within the AVMSD, the service is made available over an electronic communications network.

The obvious comment that was made – and that was made about the definitions in previous incarnations of the directive – is that there will be some very difficult boundary cases, especially as services and technologies develop.  This remains the case, but it seems that this definition is broad enough to catch most social networking sites, providing the requirement of ‘to the general public’ does not mean that open to all free to use sites that have a brief registration process are not open ‘to the general public’.

Some points of difference in the approach of the various institutions can be noted.  The Council proposal sought to remove the phrase ‘large amount of’, while the European Parliament suggested that the activity was not ‘storage’ but the ‘making available’ of such videos ‘to the general public’.  The first part of the European Parliament’s amendment makes the scope of the definition wider. One might infer that the Council’s concern was to make it clear that live streaming sites did not fall within the AVMSD and might be regulated under national rules, as can been seen in Council proposed recital 29a (subject to the constraints of the e-Commerce Directive or general principles of Union law – depending on the content of the service), though the Council has also proposed the removal of the word ‘hosting’ from the list of means by which the content may be organised.  Whether or not this is a ‘technology neutral’ approach – which is part of the motivation for revising the AVMSD -depends on what is meant by ‘technology neutral’ and the level of granularity as which the technology is to be assessed.   

The inclusion of the requirement that the videos must be ‘in order to inform, entertain or educate’ tracks the terminology used to define audiovisual media services which is so broad that one might have thought that nothing could fall outside scope.  The Court in Peugeot (Case C-132/17) ruled that self-promotional audiovisual media channels on YouTube did not satisfy this requirement – a conclusion that will make decisions about the applicability or otherwise of advertising rules to user-generated content more significant – and bring into focus questions about the extent to which general consumer protection rules would apply in this field.

There is a definition of “user-generated video” added at Article 1(1)(ba) which tracks the definition of “programme” in so far as it describes the format of the material, but is limited to such audiovisual material that “created and/or uploaded to a video-sharing platform by one or more users”.  This requirement, as drafted by the Commission, does not require the user to be uploading their own material, or that of other users of the VSP.  The definition could cover the uploading of pirated material. The EP amendment proposed the removal of the word ‘created’ and the phrase ‘by one or more users’. While the former change seems to narrow the definition slightly, this latter change would remove some superfluity, as to upload one would have to be a user of the platform in its normal sense of the word (“user” is not a defined term).  The Council proposed changes would also narrow the definition, as it proposes limiting user-generated to that created by the user.  This seemingly excludes pirated material. While this seems to have some logic, generate is not the same as create. This impact of this proposed narrowing may be slight because the focus of regulation is the sharing platform, which does not have to exclusively carry user-generated video.  Would the effect of this change be to exclude video-sharing sites the dealt primarily in pirated videos from the directive’s ambit?

What Rules Apply?

The rules are found in Article 28a, with Article 28b dealing with questions about group companies and attribution of responsibility in that context.  It seems that the intention is that only the rules in this section should apply to VSPs and not the provisions in the directive generally, though the position is not entirely clear – particularly as regards advertising rules.

The Commission proposal required Member /states to put an obligation on VSP providers to take ‘appropriate measures’ to protect two groups of people from two groups of harms:

-          minors as regards impairment of physical, mental or moral development; and

-          all citizens (but not non-citizens – the Council suggested changing this to ‘general public’) from content containing incitement to violence or hatred in respect of certain protected characteristics (sex, race, colour, religion, descent, national or ethnic origin).

The original proposal contained a second paragraph the determined the sorts of measures that could be required by producing an exhaustive list, including terms of use, age verification and ratings and flagging systems.  A third paragraph specified that Member States were to ‘encourage’ co-regulation with the appropriateness of the measures being assessed by the national independent regulatory authority.  Significantly, Member States were precluded from imposing stricter measures, save with respect to illegal content. These conditions were expressed to be without prejudice to Articles 14 and 15 of the e-Commerce directive and to respect the conditions set down by EU law including those in the those provisions. Another theme here is the desirability of co-regulation and reliance on codes of conduct, including Union-level codes of conduct.  Another question relates to the respective roles of the NRAs, the contact committee (already established under the existing directive) and ERGA, a new body set up to provide advice.  The detail on these points lies outside the scope of this note.

Both the Council and the European Parliament have put forward amendments, the Council’s broadly tended to increase Member State’s freedom of action, the European Parliament’s emphasising freedom of expression.  Both sets of amendments raise questions about the applicability of the rules to commercial communications rules or the general commercial communication rules to VSPs.

The major point to note is the rejection of the Council of the maximum harmonisation approach – changing the Commission’s exclusive list into an indicative list and paragraph 5 now states that Member States may take more detailed or stricter measures.  It seems unlikely that the Council would accept the proposed limitation on Member State freedom – especially as it borders areas close to the core of State competence – the determination of criminal law and penalties. In a similar vein, co-regulation is to refer to the sorts of measures VSPs are to use in paragraph 2 and not the obligation to protect in paragraph 1, and the requirement to assess the appropriateness of measures entrusted to the NRA is linked to the measures taken by the VSPs to comply with the obligations imposed under para 1, not the obligations in para 1 itself.  The Council also put forward the suggestion that proportionality should take into account the size of the VSP as well as the harm that provider has caused – though presumably this should not be read as a justification for a VSP not applying measures at all.

The Council also extended the scope of the areas in which VSPs will be required to take measures- in essence linking these obligations with obligations found elsewhere in Union law – so the Combatting Terrorism Directive (EU 2017/541), child pornography as understood in Directive 2011/93/EU and racism/xenophobia as found in Framework Decision 2008/913/JHA.  In general, both the Council and the Parliament proposed extending the protected characteristics for hate crimes. In this context it should be noted that the non-discrimination provision in Article 21 of the Charter contains a list of protected characteristics and, if coherence with other elements of the law is a driver, it would make sense to match that in this provision.  The Council’s list refers back to matters which are criminalised as a requirement of EU law, but it is not expressly so limited.  If the key concern is that the public is to be protected from content the dissemination which constitutes an activity which is a criminal offence under the EU law (by reference to the relevant legal instruments), this leaves the question of where this leaves Member States with regard to speech that is criminal by reference to domestic law but not EU law derived, or even speech that is objectionable but not criminal under national law.  It is notable that there is no reference to copyright infringement (which may have fallen within the catch-all phrase found in the initial Commission draft, ‘illegal content’).

The proposals of the Council and the Parliament aim to bring commercial communications within scope.  The obligations in relations to the harms are extended to include harms caused by commercial communications and the general obligations found in Art 9(1) are to be complied with too (See Art 28(a)(1)(1a)), though a distinction is made between arrangements made by the VSPs as opposed to communications  arranged by third parties.  The rules in 9(1) deal with the identifiability of advertising as being such, as well as contain some content rules (eg respect for human dignity).  It would seem that the ability to set stricter rules could come into play here too.  The European Parliament takes a broader view as to the rules to be applied, suggesting that Articles 9 and 10 should be complied with.  Article 9(2) concerns the rules relating to “unhealthy food” and the development of codes of conduct in relation to the marketing of alcoholic beverages to children.  Article 10 concerns rules relating to sponsorship, but not product placement.  On this basis it seems that some parts of the general framing will bleed into the specific video-sharing section – the question to be resolved is how much – and how much control VSPs can be expected to have over third party content. If the point is that the requirement to be transparent about advertising forms part of the VSP terms of use, how strongly would VSP providers be expected to monitor and enforce compliance?  Further, how far would the inclusion of some provisions on advertising mean that other EU or national rules are excluded – presumably a similar approach to the question of the harmonised field as taken in de Agostini could be envisaged here.

In terms of measures to be selected, there is a question as to who much freedom VSPs would have – and in particular whether such providers would be allowed to filter/monitor all content ‘to be on the safe side’ - with an impact on all users as well as the risk of over-control.  The users’ privacy and freedom of expression are in issue, but the VSP providers presumably have some choice about how they run their business. The argument that Article 15 e-Commerce Directive precludes general monitoring does not fit well here as Article 15 is directed to the Member State; the issue refers to the VSP providers’ choice, and not what there are required to do by the State. The e-Privacy Directive does not necessarily cover this point either.  As a fall back, the balance will presumably be found through the proportionality assessment to be carried out by the NRA under Article 28a(2).

Article 28b deals with establishment of jurisdiction for the purposes of this section of the directive.  A different approach from that set out with regard to AVMS is to be adopted – that found in the e-Commerce Directive.  This emphasises the split between AVMS and the VSPs – highlighting the add-on nature of the VSP provisions to the AVMSD.  Further provisions deal with the position where there is not an establishment in the EU.  Article 28b(2) ensures that the rules in Art 28a(1) do not bite on the wrong company (e.g. the advertising unit of a company group is established in the territory, but the primary service is run from the States – a model adopted by e.g. Google and Facebook).  This has been amended by the Council to ensure broad coverage so that where a non-EU VSP provider is part of a group and any other company in the same group is established in the territory of a Member State, that Member State may have jurisdiction, with hierarchy provisions trying to deal with possible multiple claims to jurisdiction.  There are no equivalent provisions to the anti-circumvention provisions applicable to AVMS, so it is unclear how disagreements between member States as to the appropriate level and intensity of regulation are to be resolved.

Photo credit: Thaivisa

Friday 25 May 2018

Right to erasure (right to be forgotten) under the GDPR – the danger of “rewriting history” or the individual’s chance to leave the past behind

Ketevan Kukava, PhD Student in Law, Tbilisi State University

In the internet age, when vast amount of information can be stored indefinitely and can be easily retrieved by means of a mouse click, controlling one’s personal data seems a particularly difficult task to do. Complete erasure of data from digital memory once it becomes publicly available is questionable from technological and practical point of view. As a result, the burden of remembering past events and behavior after they have lost their relevance and permanent digital accessibility of information can have significant implications for individuals at the present time.

While the internet and digitization has brought about huge benefits in terms of access to wide range of information, content-creation and public dissemination, its major downside is losing control on one’s personal data and the difficulties related to forgetting.  In his book “Delete: The Virtue of Forgetting in the Digital Age” Viktor Mayer-Schoenberger points out:

“Since the beginning of time, for us humans, forgetting has been the norm and remembering the exception. Because of digital technology and global networks, however, this balance has shifted. Today, with the help of widespread technology, forgetting has become the exception, and remembering the default“.

The debate over achieving a balance between privacy and freedom of expression has reached its highest level in the internet age. Some argue that removing lawfully published information from search results might pose the risk of Orwell’s dystopian history-rewriting. However, on the other hand, individual’s interest in controlling their personal data, leaving the past behind, and removing the past burden should not be underestimated.  

The General Data Protection Regulation (GDPR), which will become applicable on 25 May 2018, tries to answer the challenges emerged as a result of technological advancements in the digital age. Apart from ensuring uniform rules regarding personal data protection throughout the European Union (as the directive 95/46/EC by its nature left certain leeway to the states in terms of its implementation), the GDPR provides some additional guarantees, such as a clearer formulation of the right to erasure (right to be forgotten) which is probably one of the most controversial and hotly debated issues within the scope of the GDPR. Right to erasure (right to be forgotten) guarantees deletion of data when an individual no longer wants their data processed and there is no legitimate reason to keep it.

Although Directive 95/46/EC does not explicitly guarantee “the right to be forgotten”, in the widely known Google Spain judgment the Court interpreted legal provisions of the Directive in such way which made it possible to satisfy the data subject’s complaint. In particular, the Court relied on data subject’s right of access to data (the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive) as well as data subject’s right to object, which obliged the operator of a search engine to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person.

Right to erasure (“right to be forgotten”) guaranteed by Article 17 of the GDPR empowers the data subject “to obtain from the controller the erasure of personal data concerning him or her without undue delay”, and obliges the controller “to erase personal data without undue delay”. This provision is applicable when certain grounds determined by the Regulation exist, including when the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing.

One of the basis for erasing personal data is the data subject’s objection to the processing when there are no overriding legitimate grounds for the processing (Article 17(1)(c)). Notably, in such case the obligation of demonstrating compelling legitimate grounds is imposed upon the controller. While according to the Data Protection Directive, the data subject had to demonstrate “compelling legitimate grounds relating to his particular situation” and processing should no longer involve those data in case of a justified objection (Article 14(a)), according to the GDPR, “the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims” (Article 21(1)).

Article 17 of the GDPR imposes obligations upon the controller which according to the definition provided in Article 4 “alone or jointly with others, determines the purposes and means of the processing of personal data.” Further, apart from erasing personal data, additional duties are foreseen by the Regulation when the controller has made the personal data public: “The controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data” (Article 17(2)). Notably, the GDPR foresees certain exceptions from the above mentioned provisions, including when processing is necessary for exercising the freedom of expression and information, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, etc. (Article 17(3)).

Despite the significance of the efforts aimed at ensuring the data subject’s control over their own personal data, the very nature of the internet and constantly developing technologies might still pose certain legal and practical challenges in achieving the aims of being forgotten. In Google Spain the Court itself stressed “the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation” (paragraph 84). Indeed, once information is made publicly available, tracking personal data, controlling their further replication and their subsequent total erasure might seem practically impossible. Moreover, Google Spain is also a good illustration of the so-called “Streisand effect”, as the Spanish citizen who wanted to be forgotten ended up in publicizing his personal information more widely.

Probably, the practical difficulty of total erasure is the major rationale behind the focus of the GDPR on taking reasonable steps and obliging the controller to communicate erasure of personal data “to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort” (Article 19).

One of the important issues related to the enforcement of the right to be forgotten is the territorial scope of the Regulation and its applicability to companies incorporated outside the EU. Similar to the Data Protection Directive, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller in the Union. Furthermore, the Regulation explicitly stresses that this rule is applicable “regardless of whether the processing takes place in the Union or not” (Article 3(1)).  According to Recital 22, establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

Additionally, the GDPR determines that the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union are subject to the GDPR where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union (Article 3(2)).

Therefore, companies based outside the EU are not released from data protection obligations imposed by the GDPR when offering goods or services, or monitoring behavior of data subjects within the EU, which ensures significant extraterritorial reach of the GDPR.

Broad territorial scope of the GDPR together with high administrative fines in case of infringements of the Regulation (Article 83) is viewed as a strict regime by privacy sceptics and has given rise to a debate. However, on the other hand, there is no doubt that the legal framework should be adjusted in order to answer modern-day privacy challenges. In parallel with technological developments, privacy concerns increase which necessitates the emergence of appropriate safeguards and legal regulation.

Proportionality remains the significant principle which is explicitly guaranteed by the GDPR. In particular, Recital 4 declares that “the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” Furthermore, Article 85 of the GDPR refers to exemptions and derogations for processing carried out “for journalistic purposes and the purposes of academic, artistic or literary expression” if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.

When enforcing the right to be forgotten in the online world, important questions arise whether the information should be removed globally. Google Spain judgment and its legal implications are of particular significance in this regard. In response to the requests submitted regarding removing certain URLs, Google started to delist links from all European versions of Google Search (like,,, etc) simultaneously. Moreover, Google also started to use geolocation signals (like IP addresses) to restrict access to the delisted URL on all Google Search domains, including, when accessed from the country of the person requesting the removal. However, the French data protection authority required Google to apply the right to be forgotten to all searches on all Google domains. Following the reference by French court, the Court of Justice has to decide on the question whether the ‘right to de-referencing’ be “interpreted as meaning that a search engine operator is required, when granting a request for de-referencing, to deploy the de-referencing to all of the domain names used by its search engine so that the links at issue no longer appear, irrespective of the place from where the search initiated on the basis of the requester’s name is conducted”. It should be noted that the global removal of information might produce negative consequences worldwide. As stressed by Google, “how long will it be until other countries - perhaps less open and democratic - start demanding that their laws regulating information likewise have global reach?”

Guaranteeing the right to erasure under the GDPR cannot be considered as a silver bullet answer to the risks and challenges of the internet age, however, the value of the overall aim of the regulation – increased control of individuals of their personal data - should not be underestimated. Can we have a realistic expectation of privacy online and how much valuable information might be lost in translating legal requirements into practice? – Probably these questions gain more and more relevance, and necessitate taking due account of the very nature and the challenges of the internet age.

Photo credit: PR Week

Thursday 24 May 2018

Data Retention incompatible with EU law: Victory? Victory you say?

*Photo credit:  

Matthew White, PhD candidate Sheffield Hallam University


On 27 April 2018, the High Court in Liberty v Secretary of State for the Home Department and Others [2018] EWHC 975 (Admin) ruled that Part 4 (retention of communications data) of the Investigatory Powers Act 2016 (IPA 2016) was incompatible with the European Union’s (EU) Charter of Fundamental Rights (CFR). They did so in holding that access to retained communications data was not limited to the purpose of serious crime, and it was not subject to prior review by a court or an independent administrative body. Liberty regarded this ruling as a landmark victory for privacy rights. This blog post questions this assertion by critically analysing the High Court’s judgment with regards to the specific aspect of data retention.

Ignore the European Convention on Human Rights at your peril:

In the second paragraph of the High Court’s judgment, it was acknowledged that the judicial review proceedings concerned not only the CFR but the European Convention on Human Rights (ECHR). The High Court, however, proceeded to only consider the former. This omission will become more important throughout this post.

Does not concern the content of communications?

The High Court acknowledged that retention notices under s.87(1) of the IPA 2016 affects a wide range of private information to do with communications, but not their content e.g. emails and texts [3]. Emails and texts are of course, but one example of content, however, some argue that communications data are equally (Elisabet Fura and Mark Klamberg, ‘The Chilling Effect of Counter-Terrorism Measures: A Comparative Analysis of Electronic Surveillance Laws in Europe and the USA’ (2012) Wolf Legal Publishers, Oisterwijk 463, 467) or more revealing (Alberto Escudero-Pascual and Gus Hosein, ‘Questioning lawful access to traffic data’ (2004) Communications of the ACM 47:3 77, 82). This is precisely why the UN Office of the High Commissioner for Human Rights (OHCHR) felt such distinction is no longer tenable (para 19). It was even demonstrated by iiNet that content is embedded in communications data in sites like Twitter and Facebook.

Moreover, the High Court considered s.87(1) of the IPA 2016 in isolation to, for example, s.87(4)(d) which prevents retention notices from requiring telecommunications operators to retain data which is not used by them for any lawful purpose. Lawful purpose is not defined in the IPA 2016, but s.46(4)(a) of the IPA 2016 allows (by regulation, s.46(1) and (2)) any business to conduct interception if it constitutes a legitimate practice reasonably required for the purpose, in connection with the carrying on of any relevant activities for the purpose of record keeping. Section 46(2)(b) includes communications relating to business activities, and this could allow interception for ‘business purposes.’ This would square with the Home Office’s position in 2009 where they noted that deep packet inspection (DPI) ‘is a term used to describe the technical process whereby many communications service providers currently identify and obtain communications data from their networks for their business purposes’ (p15). DPI enables Internet Service Providers (ISPs) to access information addressed to the recipient of the communication only, this requires the interception of communications data and content (para 32). This could legitimise practices such as those that occurred in the Phrom scandal where BT, TalkTalk and Virgin Media made a deal with Phorm to covertly intercept traffic of their customers. Whether it does or does not permit Phorm-like activities, is not the pressing issue at hand, it’s the allowance of intercepted data to be retained (para 125, p1104) which would constitute a lawful purpose under s.87(4)(d) of the IPA 2016. This highlights that the High Court’s focus on s.87(1) blinds them to the realities of communications data being just as, if not more serious than content, and in any event, content could be retained.

Appropriate remedy and the potential chaos that could ensue?

The High Court highlighted the dispute between the Defendants and the Claimants as to the appropriate remedy, where the former felt no more declaratory relief was necessary [32] because it was already conceded that elements of Part 4 were inconsistent with EU law [31], [38]. There was also a dispute as to the period of suspension should the High Court disapply Part 4 [32]. Despite this acknowledgment of the Defendants, they were of the position that Part 4 should continue as it currently is until it is amended by Parliament [40-1]. The Claimants advocated for a suspended disapplication, this for the High Court:

[W]as a realistic and fair acknowledgement that, in this context, it cannot reasonably be expected that there should, immediately, be no legislation at all in place allowing retention of data that is needed to apprehend criminals or prevent terrorist attacks [42].

The High Court noted that whatever remedy it granted, it should not have the effect of ‘immediately disapplying Part 4 of the 2016 Act, with the resultant chaos and damage to the public interest which that would undoubtedly cause in this country’ [46]. The use of ‘chaos’ was in reference to the Defendants who argued that disapplication was a recipe for chaos [75].

A reason why the High Court preferred not to disapply Part 4 immediately was because there would be no data retention laws in place to aid in the fight against crime and terrorism. This is not actually true, the Budapest or Cybercrime Convention has had legal force in the UK since 1 September 2011. This mainly concerns crimes committed via computer networks, but Article 14(2)(c) allows the UK to adopt measures to collect evidence in electronic form of a criminal offence. This does not appear to limit offences to those described in Articles 2-11. Moreover, Article 16 provides for data preservation, which is the alternative to data retention. This is not the only option available to the UK as discussed below. The High Court’s position is essentially a strawman because immediate disapplication was not argued, and in any event, would not be true if Part 4 were to be disapplied.  

The High Court refers to ‘chaos’ and ‘damage’ to the public interest without explaining why and in what ways this would be possible by disapplying Part 4. The language used by the High Court needs to be critically analysed. Prior to the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014), communications data retention had been voluntary under s.102(1) of the Anti-terrorism, Crime and Security Act 2001 (ACTSA 2001), though the Data Retention (EC Directive) Regulations 2007 and 2009 required data retention to a lesser extent. Previous attempts at mandatory data retention, notably the draft Communications Data Bill (dCDB) in 2013 was halted by the then Coalition partners to the Conservatives, the Liberal Democrats. There was no chaos, or damage to the public interest prior to DRIPA 2014, when data retention was voluntary nor when the dCDB was rejected. When the High Court in Davis and Others v Secretary of State for the Home Department and Others [2015] EWHC 2092 (Admin) dispplied s.1 of DRIPA 2014, albeit delayed for eight months [122], they felt it appropriate to give Parliament enough time to scrutinise and pass new laws[121], and not because of the chaos and damage that would ensue due to immediate disapplication.   

The High Court’s position seemingly acts upon the assumption that if data retention obligations are immediately disapplied, there would be no communications data to be accessed. This is simply not the case when one considers one of the biggest telecommunications operators in the world, Google, who store ‘your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.’ The legal basis of this is questionable, but the fact remains, such communications data could still be accessed under s.61 of the IPA 2016 where a designated senior officer of a relevant public authority could obtain communications data, whether it exists at the time or not, meaning they could require a telecommunications operator to retain communications data on an forward looking basis (para 177). This authorisation process is however, subject to change, requiring authorisation by the Investigatory Powers Commissioner, but the fact remains, the power is unchanged. Moreover, Part 6, Chapter 2 of the IPA 2016 allows for the bulk collection of communications data by intelligence services.

The High Court referred to the Government swiftly enacting DRIPA 2014 [12]. What they did not mention was that following Digital Rights Ireland and the Court of Justice of the European Union’s (CJEU) invalidation of the Data Retention Directive (DRD), the Government did nothing for three months. The High Court in Davis and Others noted there was not a clear legal basis for the 2009 Regulations and thus some telecommunications operators were considering deleting retained communications data [45-6]. For three months, the Government must have known this was a possibility, but did nothing, then rushed DRIPA 2014 through Parliament with indecent haste in three days (Niklas Vainio and Samuli Miettinen, ‘Telecommunications data retention after Digital Rights Ireland: legislative and judicial reactions in the Member States’ (2015) International Journal of Law and Information Technology 23:3 290, 304).

Finally, the High Court refers to the ‘public interest’ without mentioning what aspects they mean. Is it the public interest in fighting serious crime and stopping terrorism? Even if this is what the High Court meant, they did so without acknowledging that privacy in and of itself is a public interest. This is specifically mentioned in s.2(2)(d) of the IPA 2016. Regan regards privacy as having public value because it is necessary to the proper functioning of a democratic political system (Priscilla M. Regan, ‘Legislating Privacy, Technology, Social Values and Public Policy’ (The University of North Carolina Press 1995). The then Labour Government even acknowledged that ‘that the protection of privacy is in itself a public service.’ Privacy is a prerequisite for liberal democracies because it sets limits on surveillance by acting as a shield for groups and individuals (Alan F. Westin, Privacy and Freedom, New York: Atheneum (1967), 24). Moreover, privacy underpins freedom of expression, religion, thought and conscious and assembly/association. Furthermore, privacy is not just an individual right nor does data retention just affects individuals. In Riddick v Board Mills Ltd [1977] QB 881, Lord Denning succinctly put it that:

The memorandum was obtained by compulsion. Compulsion is an invasion of the private right to keep one’s documents to oneself. The public interest in privacy and confidence demands that this compulsion should not be pressed further than the course of justice requires [p896].   

This acknowledges the public interest privacy serves, and to assume this only applies to the objectives such as fighting serious crime and terrorism is to underestimate the fundamental nature and importance of privacy.

Not general and indiscriminate data retention?

The High Court when considering whether Part 4 of the IPA 2016 permitted general and indiscriminate data retention referred to the Court of Appeal’s refusal in to apply Tom Watson and Others v Secretary of State for the Home Department [2018] EWCA Civ 70 [22-6]. The Court of Appeal’s reasoning remains unconvincing and their semantic reasoning indicates what they would have held. The Claimants before the High Court argued that Part 4 permitted general and indiscriminate data retention, and thus should be referred to the CJEU, however the Defendants argued that reading the IPA 2016 as a whole, this is not the case [120].

The High Court towed the same line as the Court of Appeal in Tom Watson and Others where they noted that the CJEU were specifically referring to Swedish law [121]. The High Court then summarises their view of the CJEU’s ruling noting that Member States:

[M]ay adopt legislation which permits decisions to be taken for the targeted retention of data which is (a) sufficiently connected with the objective being pursued, (b) is strictly necessary and (c) proportionate [124].

The High Court were of the opinion that CJEU’s judgment did not require more detailed factors which may be relevant as to the application of those tests [124]. For the High Court, it would be impracticable and unnecessary to set out in detail in legislation the range of factors to be applied with matters such as national security, public safety and serious crime [124]. It must be noted that the issue of national security is a matter that will be dealt with by the CJEU based upon the Investigatory Powers Tribunal’s preliminary reference (analysis here).

Public safety, however, is not an objective that CJEU’s considers to be capable of justifying data retention, only serious crime [102], so it is unclear why the High Court even mentions this. The CJEU does refer to serious threats to public security, but this is in regards to the links between the measure and objective evidence [111]. The High Court also does not explain why it would be impracticable and unnecessary to set out in detail the range of factors to be applied, when the CJEU themselves observed that national law must be clear and precise [109]. Not only does this raise issues with the EU law, because the Part 4 does not provide clear and precise rules (Jennifer Cobbe, ‘Casting the dragnet- communications data retention under the Investigatory Powers Act’ (2018) Public Law 10, 19), but also with the ECHR. The ECtHR have ruled that it is essential to have clear, binding [60] and detailed rules, especially as the technology available for use is continually becoming more sophisticated [229]. The reason for the ECtHR’s position is explained in Szabo and Vissy v Hungary [2016] ECHR 579:

Given the technological advances since the Klass and Others case, the potential interferences with email, mobile phone and Internet services as well as those of mass surveillance attract the Convention protection of private life even more acutely [53].

What the High Court regards as unnecessary and impracticable are actually requirements of both European Courts, with the ECtHR taking that step furthering in explaining why.

The High Court then notes that the combination of the scope and application of data retention measures and the minimum safeguards are designed to achieve effective protection against the risk of misuse of personal data [125]. Granted, the High Court are repeating points made by the CJEU [109], this approach overlooks what the ECtHR have held:

The mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8…The subsequent use of the stored information has no bearing on that finding [67].

The misuse of personal data is secondary to it actually being retained (and generated, see s.87(9)(b) of the IPA 2016). The High Court then distinguishes Swedish law from the IPA 2016 in that it does not require a blanket requirement requiring the general retention of communications data, because it relies upon the discretion of the Secretary of State [127]. This has already been argued to be a semantic argument ‘of distinguishing a catch all power, and a power that can catch all, which of course, in any event, amount to the same thing.’ The High Court also relies on the description that the Secretary of State will only exercise this power if it is considered necessary and proportionate, which for them, is in line with EU law [128]. But this position betrays their previous reasoning on DRIPA 2014, which had the same requirements of necessity and proportionality [47], with both parties and the High Court accepting this permitted a ‘general retention regime [65].’ A reason for this position was because the contents of a retention notice cannot be verified due to disclosure not being permitted, unless the Secretary of State permits it (see s.95(2)-(4) of the IPA 2016).

The High Court then argues that it would be difficult to conceive how the tests of necessity and proportionality could require the retention of all communications data due to the wording of ‘all data’ in the IPA 2016 [129]. This reasoning is problematic, because it relies upon the ‘surely the UK would not?’ position. As Lord Kerr observed in Beghal v Director of Public Prosecutions [2015] UKSC 49 that ‘is the potential reach of the power rather than its actual use by which its legality must be judged [102].’ This is precisely why Cobbe argues:

Retention notices may be tailored to an extent, including by requiring that only data which meets a certain description or is from a certain time period is retained. But s.87 does allow for ISPs to be required to retain "all data" indiscriminately, without differentiation, limitation, or exception, and without clear safeguards for data subject to professional confidentiality (Jennifer Cobbe, see above, 19).

As others and myself have argued, s.87(2)(a) and (b) theoretically allows for the possibility ‘all operators in the UK to be required to retain all data of users and subscribers’ (Matthew White, ‘Protection by Judicial Oversight, or an Oversight in Protection?’ (2017) Journal of Information Rights, Policy, and Practice 2:1, 26) and should be treated as a blanket and indiscriminate power (Matthew White, see above, 25; Jennifer Cobbe, see above, 18; ; Andrew D. Murray, ‘Data transfers between the EU and UK post Brexit?’ (2017) International Data Privacy Law 7:3 149, 161).

In Liberty v UK [2008] ECHR 568 the then UK Government accepted that s.3(2) of the Interception of Communications Act 1985 allowed:

[I]n principle, any person who sent or received any form of telecommunication outside the British Islands during the period in question could have had such a communication intercepted [64].

For the ECtHR, such a power was virtually unfettered [64], and violated Article 8 for not being in accordance with the law [70]. Furthermore, the High Court’s reasoning acts on the assumption that the only way Part 4 could be unlawful is if it did permit or made it possible for the retention of all communications data. This is simply not true as seen in the case of Liberty above, where this did not even concern communications within the UK, moreover in S and Marper [2008] ECHR 1581 the GC ‘ruled that general data retention, even on a specific group of individuals (suspects and convicts) violated Article 8.’

The High Court then also incorrectly claims that s.87(2)(b) of the IPA 2016 relates to a ‘description of data’ and not just to ‘all data’ [129] when the actual words are ‘any description of data’ which simply means any and/or all data could be retained. The High Court makes the same mistake with regards to telecommunications operators in that a retention notice may relate to a particular operator or to a description of operators [129] when, again the operative word in s.87(2)(a) is any description of operators. The suggestion here is that if a retention notice is issued on one telecommunications operator (because s.87(2) ‘list[s] the elements which may be used when delineating the content and scope of a retention notice so as to satisfy the necessity and proportionality tests in any particular case [129]’, this would be alright. If one uses BT as an example, with over nine million broadband subscribers, would a retention notice on BT to retain all this communications data sit well with the High Court? After all, BT is but one telecommunications operator, has a large subscriber base, but crucially not all of them, and the subscriber’s communications data does not amount to all the communications data that could be retained in the UK. In fairness, this is as much of the CJEU’s problem as it is the High Court’s, as this is where S and Marper makes a crucial distinction, that being, data retention measures that are general and indiscriminate within a group can still be unlawful.

The High Court then refers to the 12-month retention limit [130], but this only serves to highlight the constant interference with fundamental rights as retention notices will be renewed on a yearly basis. The High Court also refers to matters to which the Secretary of State must have regard to in s.88(1) of the IPA 2016 such as the benefits of the notice, number of users affected, costs etc and must also take reasonable steps to consult the relevant telecommunications operator (see s.88(2)). Regarding the former, the Secretary of State could still issue the intended retention notice irrespective of what has been regarded, and with the latter, there is no obligation to actually consult a telecommunications operator.    

The High Court then refers to the Judicial Commissioner’s (JC) role in the approval of retention notices based on the Secretary of State’s conclusions [133]. This is problematic because there ‘is no obligation on the Secretary of State to make a full and frank disclosure and therefore, the JC and IPC could be misled (accidently or deliberately) (30)’ and could ‘be given a summary a summary of a summary of a summary of a summary of the original intelligence case (30-1).’ The GC have noted that it is essential that the supervisory body has ‘access to all relevant documents, including closed materials and that all those involved in interception activities have a duty to disclose to it any material it required [281].’ This is currently not possible under the IPA 2016. The High Court then refers to the JC’s applying principles of judicial review to authorisations [133]. The question as to whether the Wednesbury principles would apply has been subject to debate (29), but the Investigatory Powers Commissioner (IPC) themselves have noted that when human rights issues arise, the necessity and proportionality tests of the ECHR and EU law will be applied instead of Wednesbury (para 17, 19). However, this statement is only advisory and admits it is not binding (para 1), thus is not a real safeguard.

The High Court then refers to the JC’s general duties under s.2 of the IPA 2016 [133]. The first of which concerns the JC having regard to whether there are less intrusive measures to achieve the objective. There is, data preservation, but this isn’t in the IPA 2016 (unless one considers s.61 to be form of data preservation). The second concerns the level of protection to sensitive information, which is much narrower than sensitive personal data in data projection instruments as it only includes legally privileged material, journalistic sources, communications with Members of Parliament etc. The JC’s cannot have regard to sensitive information because as the Bar Council and Law Society have highlighted that the problem bulk communications data retention is that it does not prevent legally privileged data from entering the ‘pool’ in the first place (para 32). With regards to journalistic sources, United Nations Educational, Scientific and Cultural Organization (UNESCO) noted that even when journalists encrypt the content, they may neglect to encrypt the communications data which means they still leave behind a digital trail when they communicate with their sources, making them identifiable (26).

The High Court then refers to the fact that a telecommunications operator can refer a retention notice back to the Secretary of State, which again would require approval by the IPC [134]. And if the IPC approves a notice on BT to retain all the communications data of their subscribers, then what? The High Court summarises Part 4 by noting that they ‘do not think it could possibly be said that the legislation requires, or even permits, a’ general retention regime [135]. However, it was never the argument that the IPA 2016 requires a general retention regime, but that it permits the Secretary of State and JC to require a general retention regime. As the ECtHR have maintained ‘it would be contrary to the rule of law for the discretion granted to the executive or to a judge to be expressed in terms of an unfettered power [230].’ The question is not ‘will they’ but ‘can they.’

The High Court continues that Part 4 and s.2 requires a range of factors to be taken into account before a retention notice is issued [135]. Although it was already argued that ‘catch all’ power is not necessary for Part 4 to be deemed unlawful, it is useful to play Devil’s Advocate. Can the Secretary of State issue a retention notice on all telecommunications operators to retain all communications data if they deem it necessary and proportionate? Can a JC approve this? Can this still be the case if the telecommunications operator refers this back to the Secretary of State subject to approval by the IPC? If the answer is yes, then this highlights that all the factors that the High Court refers to does not change the operation of the power itself. If the answer is no, then the High Court is ignoring the glaringly obvious implications of a power that can be applied to all or any telecommunications operator to retain any or all communications data.

The High Court then puts its previous judgment to one side (where they agreed DRIPA 2014 permitted a general retention regime) by arguing that:

Even if that assumption were to be applied in this case, it is plain from the analysis set out above, that the 2016 Act does not permit the general and indiscriminate retention of communications data. In any event, we would add that the issue of whether a UK enactment is inconsistent with EU legislation is not to be determined by evidence from either party as to how the domestic scheme is operated in practice or might be operated. Instead, the issue is an objective question of law which turns on the proper interpretation of the two pieces of legislation [136]. 

Essentially, the High Court are saying, even if the previous judgment was correct, IPA 2016 is somehow different, despite the wording of the power in DRIPA 2014 being identical. In amazing fashion, the High Court decided that it does not really matter how the law is or might be operated, but relies upon the notion of an ‘objection question of law’ and how it is interpreted. And this is why ignoring the ECHR, if it was not made clear above is problematic because the ECtHR have consistently held that:

[T]hat the mere existence of laws and practices which permitted and established a system for effecting secret surveillance of communications entailed a threat of surveillance for all those to whom the legislation might be applied. This threat necessarily affected freedom of communication between users of the telecommunications services and thereby amounted in itself to an interference with the exercise of the applicants’ rights under Article 8, irrespective of any measures actually taken against them [168].

The High Court’s position is in contrast to the position of the ECtHR in that secret surveillance can be judged in abstracto or where an individual can claim to actually be subject of a surveillance measure. All that is required is that one is able to show that they are ‘potentially at risk of being subjected to such measures [171].’ Whether retention notices apply to all telecommunications operators to retain all communications data, or to one telecommunications operator to retain all (or even some) communications data, this allows for the ‘automatic storage for six months of clearly irrelevant data’ and ‘ cannot be considered justified under Article 8 [255].’ Even six months is unacceptable to the ECtHR (which raises serious questions as to the 12-month retention limit), this position is strengthened by Advocate General Øe, who noted that:

The disadvantages of general data retention obligations arise from the fact that the vast majority of the data retained will relate to persons who will never be connected in any way with serious crime [252].


This blog post has highlighted many flaws in the approach of the High Court with regards data retention. Part 4 of the IPA 2016 is neither consistent with the ECHR or EU law. The High Court have fallen into the same trap as the Court of Appeal did earlier this year when distinguishing a catch all power, and a power that can catch all. This post only partially deals with the judgment as the aspects of entity data and serious crime deserve posts of their own. What is just as disappointing as this judgment is the claim that it was a landmark victory, when in actual fact, the rulings against the Defendants were concessions they already made, leaving the crucial aspect of Part 4 unscathed. A wise little green man might say ‘Victory? Victory you say? Master Liberty, not victory. The shroud of data retention persists. Continue the mass surveillance will.’

Tuesday 8 May 2018

Expelling EU citizen war criminals: no sympathy from the ECJ

Professor Steve Peers, University of Essex

If an EU citizen (or his or her family member) has been excluded from being a refugee, in what circumstances can he or she be expelled from a Member State? The ECJ clarified this issue in its K and HF judgment last week: its first ruling that touches on the relationship between EU (and international) refugee law and EU free movement law.

There’s a good reason why these two areas of law haven’t interacted previously in the Court’s case law: EU law itself tries to keep them apart. A Protocol attached to the EU Treaties, aiming to facilitate the extradition of alleged terrorists between Member States, says that in principle EU citizens cannot apply for asylum in another Member State, due to the presumption in that Protocol that each Member State ensures sufficient human rights protection.

However, there are exceptions to that general rule, and there are people it doesn’t cover. The exceptions in the Protocol are: a) the asylum seeker’s Member State of nationality invokes the “emergency” derogation from parts of the European Convention of Human Rights (ECHR); b) if the EU Council is considering whether to sanction the asylum seeker’s Member State of nationality for breaches of EU values; c) if the EU has already sanctioned the asylum seeker’s Member State of nationality for breaches of EU values; or d) if a Member State decides to do so unilaterally for another Member State’s national, in which case it must inform the EU Council and presume that the application is manifestly unfounded, without prejudice to the final decision on the application.

The people not covered by the Protocol include: EU citizens who obtained refugee status before they became EU citizens (for instance, because their State of nationality joined the EU); non-EU family members of EU citizens; those who apply for or obtain subsidiary protection status, as distinct from refugee status; and the citizens of some non-EU countries associated with the EU (Norway, Iceland, Switzerland and Liechtenstein), who have free movement rights but are not EU citizens. The recent ECJ ruling concerned people from the first two of these categories.

Exclusion from being a refugee

Some asylum seekers fail to satisfy the authorities that they meet the definition of “refugee” set out in the UN (Geneva) Refugee Convention. Quite apart from that, some asylum seekers are excluded from being a refugee under that Convention (and under the corresponding provisions of the EU’s qualification Directive), because their behaviour is considered so reprehensible that they do not deserve fully-fledged international protection, even if they are facing persecution on one of the grounds set out in the Convention. More precisely, Article 1.F of the Convention excludes:

any person with respect to whom there are serious reasons for considering that:

(a) he has committed a crime against peace, a war crime, or a crime against humanity, as defined in the international instruments drawn up to make provision in respect of such crimes;

(b) he has committed a serious non-political crime outside the country of refuge prior to his admission to that country as a refugee;

(c) he has been guilty of acts contrary to the purposes and principles of the United Nations.

The ECJ has interpreted the exclusion clause in the EU qualification Directive in its judgments in B and D and Lounani (discussed here), ruling inter alia that the second and third exclusion clauses can apply to terrorist offences, although exclusion must be assessed in each individual case, meaning that membership of a group listed as “terrorist” in EU foreign policy sanctions against terrorists does not automatically trigger the exclusion clause. Similarly, participating in a terrorist group, as defined by EU criminal law on terrorism, does not automatically trigger the exclusion clause either. Instead, there must be direct involvement by the person concerned in such offences, as further explained by the Court. Furthermore, there is no additional “proportionality” or “present danger” test for exclusion, and the exclusion clause is mandatory: ie Member States cannot assert a right to apply higher standards and give someone refugee status if they fall within the exclusion criteria. Finally, assisting with recruitment, organisation or transport of “foreign fighters” can also lead to exclusion, as it constitutes a form of “participation” in the terrorist acts covered by the exclusion clause.

However, it should be noted that even if a person is excluded from being a refugee, they are still protected against being removed to a country where they would face a real risk of torture or other inhuman or degrading treatment, according to the case law on Article 3 ECHR and the corresponding Article 4 of the EU Charter of Fundamental Rights. The ECJ reaffirmed as much recently in its judgment in MP (discussed here). But this non-removal obligation falls short of refugee status (which usually follows from recognition as a refugee) because it does not entail a fully-fledged immigration status including rights like access to employment and benefits.

Expelling EU citizens and their family members

The grounds for restricting free movement rights for reasons of “public policy or public security” are set out in the EU citizens’ Directive. The basic rule is that restrictions “shall comply with the principle of proportionality and shall be based exclusively on the personal conduct of the individual concerned. Previous criminal convictions shall not in themselves constitute grounds for taking such measures.” Furthermore, “[t]he personal conduct of the individual concerned must represent a genuine, present and sufficiently serious threat affecting one of the fundamental interests of society.”

Before expelling a person covered by the Directive on such grounds, Member States are obliged to “take account of considerations such as how long the individual concerned has resided on its territory, his/her age, state of health, family and economic situation, social and cultural integration into the host Member State and the extent of his/her links with the country of origin.” For those with permanent residence, there is a higher threshold to justify expulsion: “serious grounds of public policy or public security”. And for those who have resided in that Member State for the previous ten years, or who are minors, the threshold for expulsion is higher still: “imperative grounds of public security”.

The judgment

The Court’s judgment brought together two separate cases. In the first case, K, a dual citizen of Croatia and Bosnia-Herzegovina, had arrived in the Netherlands and applied for asylum in 2001 and 2011. Both applications were rejected. Subsequently, after Croatia joined the EU in 2013, the applicant was declared (in light of his EU citizenship) to be an “undesirable immigrant”, in light of the prior finding that he knew about and participated in war crimes and crimes against humanity in the Bosnian army. Since over twenty years had passed since that time, the issue was whether such conduct was a “genuine, present and sufficiently serious threat affecting one of the fundamental interests of society” within the meaning of the EU citizens’ Directive, taking account of the other factors referred to in the Directive.

In the second case, HF, an Afghan citizen excluded from being a refugee in the Netherlands, applied for a residence card in Belgium as the family member of an EU citizen (his Dutch daughter). His application was refused on the basis that the information about his exclusion, which the Dutch authorities had shared with their Belgian counterparts, showed that he could be denied free movement rights.

The Court first examined whether exclusion from being a refugee necessarily met the standard for restriction of free movement rights. It recalled its prior case law, holding that “public security” could include both internal security (including “a direct threat to the peace of mind and physical security of the population of the Member State concerned”) and external security (including “the risk of a serious disturbance to the foreign relations of that Member State or to the peaceful coexistence of nations”). Applying these principles to the facts, the Court accepted that Member States could consider that damage to international relations, the risk of contacting EU citizens who had been victims of war crimes could be considered threats to public policy and public security. Restricting those persons’ free movement rights could also contribute to ensuring “protection of the fundamental values of society in a Member State and of the international legal order and to maintaining social cohesion, public confidence in the justice and immigration systems of the Member States and the credibility of their commitment to protect the fundamental values enshrined in Articles 2 and 3 TEU”.  The Court added that the acts and crimes which led to exclusion from being a refugee “seriously undermine both fundamental values such as respect for human dignity and human rights, on which, as stated in Article 2 TEU, the European Union is founded, and the peace which it is the Union’s aim to promote, under Article 3 TEU”.

Nevertheless, the Court ruled that exclusion from being a refugee should not always lead to restriction on free movement rights. There must still be a “case-by-case assessment” which shows that “the personal conduct of the individual concerned currently constitutes a genuine and sufficiently serious threat to a fundamental interest of society”. This assessment must “take into account the findings of fact made in the decision of exclusion from refugee status taken with respect to the individual concerned and the factors on which that decision was based, in particular the nature and gravity of the crimes or acts that that individual is alleged to have committed, the degree of his individual involvement in them and the possible existence of grounds for excluding criminal liability such as duress or self-defence.” Furthermore, that examination “is all the more necessary” if, such as in these cases, “the person concerned has not been convicted of the crimes or acts that were relied on to justify the rejection, in the past, of his asylum application”.

The Court showed willingness to relax its usual insistence of looking closely at the EU citizen’s present threat, noting that in some cases “it is also possible that past conduct alone may constitute such a threat to the requirements of public policy”. In the case of war crimes, although “the time that has elapsed since the assumed commission of those acts is, indeed, a relevant factor….the possible exceptional gravity of the acts in question may be such as to require, even after a relatively long period of time, that the genuine, present and sufficiently serious threat affecting one of the fundamental interests of society be classified as persistent”. Equally, the Court de-emphasised the requirement that the person concerned was likely to reoffend, ruling that:

…however improbable it may appear that such crimes or acts may recur outside their specific historical and social context, conduct of the individual concerned that shows the persistence in him of a disposition hostile to the fundamental values enshrined in Articles 2 and 3 TEU, such as human dignity and human rights, as revealed by those crimes or those acts, is, for its part, capable of constituting a genuine, present and sufficiently serious threat affecting one of the fundamental interests of society...

Yet the person’s rights to private and family life and the principle of proportionality still had to be weighed against such threats.

Next, the Court reiterated that an expulsion decision has to consider with due regard to the principle of proportionality…inter alia, the nature and gravity of the alleged conduct of the individual concerned, the duration and, when appropriate, the legality of his residence in the host Member State, the period of time that has elapsed since that conduct, the individual’s behaviour during that period, the extent to which he currently poses a danger to society, and the solidity of social, cultural and family links with the host Member State.”
Yet the lengthy period of time spent on the territory in the Dutch case was not enough to qualify for the especially high level of protection against expulsion for EU citizens resident for ten years (“imperative grounds of public security”). For as the Court had recently ruled in B and Vomero, such special status was only attainable if the person concerned had already qualified for permanent residence (based on five years’ legal residence); and residence on national law grounds other than those set out in the citizens’ Directive or its predecessor laws did not count to that end (see Ziolkowski). It appeared that K could not show residence on an EU law basis, but only a national law basis, and therefore was not going to qualify for any extra degree of protection against expulsion.


The Court’s judgment is focussed on those excluded from refugee status on the basis of Article 1.F of the Refugee Convention. The wording of the ruling does not confine itself to the “war criminal” ground of exclusion, and so it applies to persons excluded from being a refugee on any of the Article 1.F grounds. It should logically be relevant if any EU law issues are raised about handing over any person to the International Criminal Court, or any ad hoc UN criminal tribunal, for prosecution for war crimes et al. But does it have any broader application?

First of all, it definitely applies to those who might apply for refugee status on what might be called the “Palestinian track” set out in Article 1.D of the Convention, since the general rules on exclusion also apply to such cases: see the ECJ’s El Kott judgment (para 76).

Secondly, it is questionable whether it applies to all cases of exclusion from subsidiary protection status, given that such exclusion is also possible for less serious behaviour than as regards refugee recognition. In particular, the qualification Directive allows for exclusion from subsidiary protection status on grounds of a “serious crime”, or in fact any crime which would be punishable by imprisonment in the Member State concerned.

Thirdly, it may be arguable whether the judgment is relevant by analogy to revoking refugee status due to criminal behaviour or a security risk (relevant in pending ECJ cases, discussed here), or to refusing a residence permit or travel document on national security or public order grounds, where the ECJ has ruled that a lower threshold applies (see the ruling in HT, discussed here).

Next, the judgment might be relevant to cases where a Member State seeks to revoke its nationality (and therefore EU citizenship) from a person, for instance due to their activities as a “foreign fighter”. (On the reviewability of such decisions as a matter of EU law, see Rottmann and the pending case of Tjebbes).

Could the judgment even be relevant by analogy to “ordinary” EU citizens, where there is no link to refugee law issues? At first sight no, because the Court’s focus is on the Refugee Convention’s exclusion clause. However, its willingness to consider that especially vile prior behaviour can outweigh an assessment of present threat and likely future conduct could arguably be relevant where an EU citizen has been convicted of crimes such as child abuse, rape, murder, or terrorism.

The judgment continues the Court’s established trend of disdain for criminality by EU citizens or their family members. In this case, its concern for crime victims is particularly striking; but here it strikes a discordant note in referring only to the victims of war criminals who are EU criminals living in EU Member States. For this overlooks the likely existence also of non-EU victims, both those who sought protection in a Member State and those in the war criminal’s state of origin, if he or she is referred there. Or rather, the surviving victims: the returning war criminals will likely cast a long shadow over the graves of those whom they murdered.

Barnard & Peers: chapter 26

JHA4: chapter I:5

Photo credit: Human Rights Watch