Thursday, 14 September 2023

The EU’s New Pact on Migration and Asylum: three key arguments



Lilian Tsourdi, Assistant Professor, University of Maastricht

 *Photo credit Délmagyarország/Schmidt Andrea


The New Pact on Migration and Asylum is the EU’s latest policy framework on asylum, migration, and border management policies, and the series of legislative proposals that accompany it. Its stated aim is to establish ‘seamless migration processes and stronger governance’. Negotiations on the Pact legislative instruments have been ongoing since September 2020.


The European Parliament (April 2023) and the Council of the European Union (June 2023) recently adopted negotiating positions on two key instruments: the Asylum Procedures Regulation (APR) that reforms rules on asylum determination and related rights, and the Asylum and Migration Management Regulation (AMMR) reforming the EU’s system on allocating responsibility for processing asylum claims and establishing a solidarity mechanism.


This commentary develops three key arguments: i) while not inherently negative, the Pact’s seamless migration processes are in fact geared to externalising protection obligations thus undermining fundamental rights; ii) the Pact instruments pay greater attention to the policies’ administrative design and carry potential to enhance implementation; iii) the Pact instruments contain a vision of flexible solidarity that remains linked with pressure and misses the mark of fair sharing. 



Externalization as the red thread


Creating seamless migration processes is not inherently negative. This approach acknowledges the intricate links between different policies at the operational level, especially at border areas. The UNHCR had voiced the need for swift identification at the external borders, differentiation between categories of persons making up mixed flows, and referral to an appropriate procedure, as early as 2007 through its so-called Ten Point Plan.


Nonetheless, the Pact’s seamless migration processes are in fact geared to externalising protection obligations thus undermining fundamental rights. First, the Pact instruments establish accelerated screening, asylum, and return procedures at the external borders with curtailed procedural guarantees. Combined with logistic constraints (e.g. facilities, access to counsel) they risk undermining migrants’ (procedural) rights. The instruments also blur the lines between deprivation of liberty and restrictions to the freedom of movement and could lead to the propagation of widespread de facto detention.


Next, the latest negotiating position of the Council on asylum procedures expands the use and scope of the safe third country concept. Where third counties have either not ratified the 1951 Refugee Convention or retain a geographical limitation to its scope (the latter is the case for Turkey for example) the APR introduces the notion of having access to effective protection instead as part of the third country safety assessment. The provisions contain minimal guarantees to ascertain what effective protection entails, which establish standards below those foreseen by the 1951 Refugee Convention.  


In parallel, migration management has been streamlined in the EU’s external relations affecting areas such as development and trade. One way the EU is establishing these linkages is through making access to funding for non-EU countries conditional to cooperation on migration management objectives. The ‘deal’ with Tunisia spearheaded by the EU, Italy, and the Netherlands is the most recent illustration.


A greater attention to the system’s governance


One of the main ills of the EU’s asylum policy is its lack of attention to the administrative dimension. The current administrative design allocates the vast majority of operationalisation obligations – including financial ones – to Member States with different levels of economic development and different conceptualisations of welfare.


The Pact instruments recognise, more adequately than previously, the policies’ implementation dimensions. The Council positions on the AMMR and the APR highlight the opportunities generated through EU funding and EU agencies to implement policy. Nonetheless, the Pact instruments fail to adequately regulate the implications of agency involvement in implementation, while the current design of the EU budget (Multi-Annual Framework 2021-2027) precludes the existence of truly structural forms of EU funding.


Next, the AMMR and APR provide a structured approach to define Member States’ relative capacities and to apportion responsibilities in some areas (e.g. implementing border procedures) on this basis. The triggering of solidarity measures is also linked with quantitative and qualitative indicators that, overall, seem to be well suited to provide a holistic picture and assess relative pressure.


Finally, the Council negotiating position on the AMMR foresees new permanent governance mechanisms, such as annual High Level EU Migration and Technical Level EU Migration fora that are meant to play pivotal roles in animating inter-state solidarity through pledges. Such permanent structures, mirroring UN level processes, seem more apt to establish effective and predictable inter-state cooperation compared to ad hoc bargaining and emergency-driven responses.   


An inadequate vision on solidarity


The AMMR largely keeps intact the basic premises of the current ‘Dublin system’, EU’s responsibility allocation system. In brief, Dublin allocates responsibility to the state primarily ‘responsible’ for the person’s presence in the EU. In practice, this should mean the state of first irregular entry to the EU territory is responsible. However, states have sought to evade their Dublin responsibility (by not registering asylum applications for example) and asylum seekers move clandestinely through the EU and evade Dublin procedures.


To counter this, the AMMR Council negotiating position aims for a more predictable operationalisation of inter-state solidarity through annual Member State pledges. Nonetheless, solidarity measures, gathered under the framework of a so-called Solidarity Pool, are still meant to be triggered in situations of pressure.


The Solidarity Pool will consist of i) relocations (i.e. organised intra-EU transfers) of asylum seekers or recently recognised beneficiaries of international protection or of migrants under a return obligation; ii) direct financial contributions provided by Member States aimed either at boosting Member State or third country capacities in the areas of asylum, migration, or border management; iii) alternative contributions such as capacity building, staff support, equipment etc. All these contributions are meant to be ‘considered of equal value’.


In breaking with the past, solidarity has a mandatory character in the sense that Member States are to annually contribute their fair share that will be calculated through a formula that takes to account their population size (50% weighting) and their total GDP (50% weighting). Nonetheless, to appease Member States that opposed relocation, the Pact instruments foresee that Member States retain full discretion in choosing between the types of solidarity measures they will contribute.


Overall, the Pact’s approach is likely to miss the mark on fair sharing. While creating permanent governance structures, the Pact continues to link the activation of solidarity with pressure. Thus, instead of establishing structural fair sharing, solidarity remains a palliative solution. Next, it is unlikely that capacity building activities in third states, or sharing of personnel and equipment, will be considered by the benefitting Member States as having equivalent impact on the ground as people sharing.


The Long and Winding Road Ahead


June 2023 saw one of the deadliest shipwrecks involving migrants seeking to reach the EU’s shores with more than 500 persons missing and presumed dead off the coast of Pylos in Greece. Unfortunately, such unnecessary loss of life is being normalized with IOM reporting over 27,500 missing migrants in the Mediterranean alone since 2014. Action to reform the EU’s migration policies is imperative.    


EU official cycles hailed the Council’s early June negotiating position as a breakthrough. The timing of the forthcoming European Parliament elections, scheduled for June 2024, generates additional impetus for the EU’s co-legislators to reach compromise positions in the next months. Nevertheless, political rifts remain intense with Poland and Hungary blocking a joint political statement of Heads of State on migration during the late June 2023 European Council meeting.


What promise do the Pact instruments carry? They pay greater attention to policy implementation, governance structures, and the operationalisation of solidarity. Nevertheless, by prioritizing externalization, and by seeking to appease a limited number of Member States that seem to oppose (inter-state solidarity in) migration, they are likely to undermine migrants’ fundamental rights, while missing the mark on fair-sharing. A reform that will fail to deliver results, risks enhancing polarization in migration matters.


Legislative developments in the EU echo the UK’s recently adopted Illegal Migration Act. They testify to Europe’s increasingly defensive policy stance in migration. It is to be hoped that future policy will eventually aim at mutually beneficial partnerships with third countries, migrant, and local populations that move beyond Eurocentric frames to meaningfully address the different components of migration processes and aim at co-development. 



Wednesday, 2 August 2023

The risk of circumvention of EU sanctions through the immediate family of leading businesspersons and the CJEU’s case law



Antje Kunst*

*Antje Kunst is an international lawyer and barrister of Pavocat Chambers, admitted to the bar of England and Wales and the Bar of Berlin advising and representing individuals in a wide range of matters related to the CFSP ranging from EU employment cases to EU and international sanctions against individuals.

***Comments of academic researcher of the University of Luxembourg, Ms. Francesca Finelli were gratefully received. All views contained in this article, however, remain those of the author alone.

Photo credit: W Bulach, via Wikimedia Commons


The inclusion of family members in the categories of persons covered by EU targeted sanctions against Russia has been justified, in the Council’s view, for maximising the effectiveness of those sanctions. The inclusion of family members of leading businesspersons aims to prevent the circumvention of EU targeted sanctions (in the forms of asset freeze) by the transfer of assets between targeted leading businesspersons and their immediate family.

Updating the EU sanctions regime against Russian businesspersons


The EU's targeted sanctions against Russia's economic elites introduced on 5 June 2023 a short but significant amendment to its current sanctions regime. It extended the scope of the sanctions regime through Council Decision (CFSP) 2023/1094 (‘Council decision of 5 June 2023’) to permit the designation of immediate family members of leading Russian businesspersons operating in Russia. There are in other words now EU legal acts in place which allow for the adoption of EU sanctions against the sons and daughters, spouses and parents of Russian oligarchs based on the autonomous designation criterion of immediate family members of leading Russian businesspersons operating in Russia. (In 2015 the Council introduced the ‘leading businessperson operating in Syria’ as an autonomous general listing criterion. See Council Decision (CFSP) 2022/329 and Council Regulation (EU) 2022/330 of 25 February 2022 on the criterion of ‘leading businesspersons’.) Family members of Russian leading businesspersons have been put on the lists since early 2022 but under different grounds.

The Council’s reason for the recent amendment, undoubtedly owing to the initial rulings on Russian sanctions from the General Court in recent months (Case T-743/22 R, Nikita Dmitrievich Mazepin v Council, Order of 1 March 2023 and Case T-212/22, Violetta Prigozhina v Council, ECLI:EU:T:2023:104), is that ‘leading Russian businesspersons have engaged in a systematic practice of distributing their funds and assets amongst their immediate family members and other persons, often in order to hide their assets, to circumvent the restrictive measures and to maintain control over the resources available to them’ (Recital 5 of Council Decision 2023/1094  of 5 June 2023).

The amendment was prompted, in particular by the successful annulment of the listing in Case T-212/22, Prigozhina, which was initiated by the mother of the head of the Wagner Group. In that case, the General Court emphasized that in a legal framework such as the Syrian sanctions regime (after 2015: see Council Decision (CFSP) 2015/1836 of 12 October 2015 and Council Regulation (EU) 2015/1828 of 12 October 2015), the family link with ‘certain families’ may be sufficient to include the name of the persons on the lists at issue. In Prigozhina however, so the General Court, the EU legal acts setting out the framework for EU sanctions as a result of the invasion of Ukraine by Russia, did not refer to the members of ‘certain families’. That is why the Council had not established the risk of circumvention (para. 105 of the judgment). Another main reason was that the Council could not prove a sufficient ‘association’ with the primary target beyond mere family ties.

The curious nature of words

With this most recent amendment of the framework in June 2023, the chosen wording is of particular note. It refers to the possibility of the inclusion of immediate family members of leading businesspersons operating in Russia, even if the question is what exactly immediate family members are. Also, the Council does not refer to members of ‘certain families’ as it previously did as regard sanctions taken against Syria. Rather, the Council’s wording vis-à-vis Russia it appears to imply a presumption of circumvention through immediate family members of leading businesspersons operating in Russia.

In the Syrian sanctions framework since 2015, the EU legal acts have explicitly provided for the freezing of funds of ‘leading businesspersons operating in Syria’ and ‘members of the Assad families or Makhlouf’, as well as persons ‘associated with them’ (Council Decision (CFSP) 2015/1836 and Regulation (EU) 2015/1828). In this context, presumptions are used (by the Council) and accepted by the CJEU (see for example C‑458/17 P, Rami Makhlouf v Council, ECLI:EU:C:2018:441, para. 91, Case T‑186/19, Zubedi v Council, ECLI:EU:T:2020:317 para. 72; Case T‑256/19, Bashar Assi v Council, ECLI:EU:T:2021:818 para. 166) that individuals falling under these categories benefit from the sanctioned regime in order inter alia ‘to avoid the risk of circumvention of restrictive measures through family members’ (Recital 7 of Council Decision (CFSP) 2015/1836). 

Testing the presumption of circumvention

The question, therefore, is whether the Court of Justice – on appeal from a raft of judgments that the General Court will continue to deliver in the immediate future, in the context of the Russian sanction regime – would accept a (new) rebuttable presumption of circumvention (see Case T-5/17 Sharif v Council, EU:T:2019:216, para. 86), i.e., that the Council can legitimately presume leading businesspersons operating in Russia will transfer assets within their immediate family to circumvent EU sanctions (see paras. 103–110 of that judgment).

There is no reference to ‘certain families’ in the EU sanctions legal framework as was the case in the Syrian sanctions regime. Thus, the Court of Justice might not so easily accept a presumption of circumvention based on a sole family link (taken in consideration the Court of Justice’s Tay Za reasoning, and the Advocate General’s Opinion). It is only if the Council could provide solid evidence that there is indeed a ‘systematic practice of distributing their and assets amongst their immediate family members’ (see Recital 5 of Council Decision of 5 June 2023), that the Court of Justice might accept the Council’s rationale, accounting for fundamental rights too.

This information of a ‘systematic practice’ of circumvention might be in the Council’s possession, but it might not be possible to disclose the evidence based on its classified nature. The alternative is disclosing classified evidence, which the Council may be reluctant to do. The Court of Justice’s closed evidence procedure (under Article 105 of the General Court’s Rules of Procedure), introduced as a possibility for use in restrictive measures cases, to date, remains inactive, and has never been utilised.


Immediate family members have been included in EU sanctions lists since early 2022 as ‘associated’ with leading Russian businesspersons in their individual statements of reasons. In Prigozhina, the Council was not able to establish ‘(economic) association’ of the mother of the chief of the Wagner Group at the time the measures were adopted, and sufficiently link her to her son, the primary target, and the Russian government. Thus, the General Court relied on its established case law of Tay Za regarding an ‘association’ which considers a mere family tie to the primary target, a business leader, associated with the government not sufficient. That said, the General Court in Prigozhina ruled that there is a ‘non-negligible risk’ that individuals providing support to the government, e.g., leading businesspersons, might exert pressure on individuals associated with them, e.g., their family members, in order to circumvent the effect of the measures to which they are subject (para. 105 of the Prigozhina judgment. See also Amer Foz v Council, Case T-296/20 ECLI:EU:T:2022:298, paras. 174 and 176, Sharif v CouncilT-540/19, not published, EU:T:2021:220, paragraph 159, and, by analogy, judgment of 4 September 2015, NIOC and Others v CouncilT-577/12, not published, EU:T:2015:596, para. 139).  

Businesspersons vs rulers

Generally speaking, the case law of the Court on the legality of family members’ designations is characterized by two main approaches. Regarding family members of leading businesspersons, their designation would be annulled if based on the sole ground that the family member also benefits from the economic policies of the government (Tay Za approach). Regarding the family members of rulers of a third country, their designation would be lawful by a presumed connection between the individual and the (targeted) regime (Al Assad approach). The case law has been though at times inconsistent. For a broader analysis on circumvention of EU restrictive measures, see Francesa Finelli, ‘Countering Circumvention of Restrictive Measures: The EU Response’.

In Al-Assad, another Syrian ‘immediate family member’ case (concerning the President’s sister), the Court of Justice found that the presumed risk of circumvention was ‘quite obvious’ between leaders of a state and their immediate family members. It also observed that, if the EU sanctions in question targeted only the leaders of the Syrian regime, the objectives pursued by the Council could have been frustrated as the leaders can ‘easily circumvent’ those measures by means of their relatives and associates.

The Al-Assad approach has generally not been followed by the CJEU in the case of immediate family members of leading business persons (see Tay Za) but only in cases of ‘immediate family members’ of rulers of a third country (see Butler, G 2023, 'Of Rulers, Relatives, and Businesspersons: The Imposition of EU Restrictive Measures through Sanctions on Family Members', Legal Issues of Economic Integration, vol. 50, no. 4). The rationale is explained by Advocate General Mengozzi in his Opinion in Tay Za with three circles of targeted individuals, which has been accepted by the CJEU. In the Syrian sanctions case of Foz, the CJEU  accepted the presumption of a real risk of circumvention, in a case of an immediate family member of a leading business person operating in Syria case.  The Court of Justice ruled in that case that it is reasonable to presume a ‘real risk of circumvention’ if a family member has close business and family ties with a designated individual, even when the designated person is a leading businessperson and not a political leader in Syria. Moreover, it found that family ties may pose a real risk of circumvention of EU restrictive measures, irrespective of the role of the designated individual in the targeted regime (see Finelli, ‘Countering Circumvention of Restrictive Measures: The EU Response’).

The relevance of presumptions

Generally, the CJEU has accepted indirect evidence such as rebuttable presumptions in view of the difficulties encountered by the Council to find direct evidence (see para 46 Anbouba v Council, C-605/13 P, ECLI:EU:C:2015:248) for the fact than an individual like an immediate family member of a primary target supports a regime or benefits from it. In Syrian sanctions cases, since 2015, the Council consistently relied on and the Court of Justice accepted rebuttable presumptions rather than evidence that they have engaged in prohibited conduct. Their designation presupposes the personal link between them and the already designated individuals, and ultimately the third country’s regime targeted.

Consistent case law of the Court of Justice provides that the use of presumptions is only permitted on the condition that (i) those presumptions have been provided for by the measures at issue, (ii) are consistent with the objective of the legislation at issue, (iii) proportionate to the aim pursued by the EU, (iv) rebuttable and (vi) safeguard rights of defence are safeguarded (see Case T‑714/20, Ovsyannikov v Council, ECLI:EU:T:2022:674).

The Council will need to establish that the inclusion of immediate family members of Russian business leaders is proportionate to the pursued aim of inter alia preventing circumvention of the sanctions imposed.

At the moment it is unclear whether the Court implied in the case of Prigozhina that the ‘real risk of circumvention’ through family members can only be invoked in the context of EU sanctions against Syria (see Finelli, ‘Countering Circumvention of Restrictive Measures: The EU Response’). The established case law of Tay-Za provides there can be no presumption that leading businesspersons with links and association to a governing regime are using their family members for circumventing EU sanctions (see Butler, 'Of Rulers, Relatives, and Businesspersons’).

The Court of Justice has accepted presumptions if they are rebuttable, but rebuttals for targeted individuals are immensely difficult and have not been successful in most Syrian sanctions cases before the Court of Justice since the presumptions were introduced (see the Zubedi and Bashar Assi judgments).

The family member would have to demonstrate to the Council that s/he has dissociated himself from a parent, child – the primary target – and that s/he does not pose a real risk of circumvention of the restrictive measures. Rebuttals may be possible based on evidence that immediate family members do not assist the primary target to have access or continue controlling the assets.  A difficult task.

The risk of circumventing EU sanctions

The risk of circumvention is considerable in the case of leading businesspersons operating in Russia and their immediate family and the Court of Justice might well opt in developing its case law further for the Russian sanctions context instead of simply continue applying its Tay-Za case law. Similarly, as in the RT France case, it might opt for an exceptional reasoning due to exceptional circumstances. It might even apply its case law on the immediate family of rulers, rather than on the immediate family of leading businesspersons, finding that in certain exceptional cases leading businesspersons are comparable to rulers in the Russian context.

A balance will have to be struck by the Court of Justice between the fundamental rights of the targeted immediate family members, who might pose no risk of circumvention whatsoever and the difficult task to rebut presumptions, on the one hand, and the importance of the effectiveness of targeted sanctions against Russia, accounting for the Council’s ability in certain cases to rely on presumptions on the other hand (for the reasons it set out in its case law (e.g., in Anbouba v Council, para. 46). A general blunt presumption of circumvention of sanctions in cases of immediate family members of leading businesspersons operating in Russia is unlikely to be accepted by the Court of Justice.

Friday, 14 July 2023

Is the UK data protection authority giving free pass to big tech giants?


Asress Adimi Gikay (PhD), Senior Lecture in AI, Disruptive Innovation and Law (Brunel University London)

Photo credit: 

In the online space, it is perhaps difficult to find a more empty promise than “we value your privacy.“ Businesses promise to preserve our data privacy rights, but in reality, they have neither the carrot, nor enough sticks, to make them respect data protection rules. This holds true even in the European Union (EU), where the most comprehensive data protection legislation—the General Data Protection Regulation (GDPR)— failed to satisfactorily deliver on its promise to protect the fundamental rights of citizens.  As businesses openly flout data privacy laws, regulators either struggle to adequately enforce the law or wilfully ignore infractions.

The UK’s data protection authority— the Information Commissioner's Office (ICO)— has succumbed the most to its ambition of promoting innovation and economic growth while simultaneously protecting data protection rights. Unfortunately, the drive to appeal to businesses has reduced data privacy rights to mere buzzwords, not just in the business world but also within the ICO itself.

As a result, the authority's enforcement record defies the primary objective of protecting the public's data privacy rights, displaying an unexplainable leniency towards corporations. I argue that this indefensible record of the ICO’s underscores the authority’s insistence on operating with failed enforcement policy.

The ICO’s enforcement track record—the numbers don’t lie

During the 2021-2022 fiscal year, the ICO reported receiving 35,558  data privacy violation complaints. The complaints were diverse including companies refusing to delete individuals’ personal data or processing their data without consent. Sometimes, organizations infringed the individual’s right to access their own personal data, contrary to what the data protection legislation requires.

Similarly, in the 2022-2023 financial year, a total of 27,130  complaints were filed with the ICO, excluding data from the most recent financial quarter, yet to be reported by the authority. Out of the 62,688 complaints filed over a span of two years, the authority levied only 59 monetary penalties. This means that only approximately 0.094% of the complaints led to real consequences— organizations being sanctioned for breaching data protection rules.

The ICO closed most of the complaints alleging insufficient information to proceed with the complaints or lack of evidence of infraction. It resolved numerous cases through discussions with infringing companies. In such cases, the authority recognises the presence of  infringement by the organization but does nothing concrete other than what it describes as “informal action taken.”

Due to the ICO’s practice of not disclosing comprehensive details about these cases, except for summaries that serve more statistical purposes, the public tends to perceive the authority as prioritizing business interests over safeguarding data privacy rights. Interestingly, this public perception aligns with the available evidence.

The broader context

The enforcement of the GDPR has been unsatisfactory across the EU, since the implementation of what has been described as a breakthrough law, that promised to empower people in the digital world, through giving them more control on their personal data. Even when applying a more forgiving standard, the ICO's enforcement record remains unsatisfactory. Between 2018 and 2022, it levied around 50 monetary penalties, while German and the Italian authorities imposed 606 and 228 penalties between 2018 and 2021.

The ICO is generally passive compared to its European counterparts. In a notable case, the French authority, Commission Nationale de l’Informatique et des Liberté  (CNIL) fined Meta and Google €60 million and €150 million respectively in 2021 for their illegal use of cookies. Despite engaging in similar unlawful data collection practices in the UK, the companies made changes to their cookie-based data collection practices in the UK only while complying with the French ruling. They faced no threat of sanction in the UK.

The ICO's consistently poor enforcement record clearly undermines public confidence in the authority. In its 2022 annual report, the authority itself acknowledged getting the lowest score in complaint resolution in a 2021 customer survey it backed. An independent review—Trustpilot— rates the authority at 1.1 out of 5. This is based on self-initiated reviews conducted by members of the public, some claiming that the ICO prioritizes business interests rather than protecting privacy rights.

Unfit enforcement policy— corporate free pass

The lack of adequate data protection law enforcement in the EU has been explained by resource constraints.  For example, a report by the Dutch ombudsman highlighted that the relevant authority in the country had 9,800 unresolved privacy complaints at the end of 2020. And according to the Irish Council for Civil Liberties, “almost all (98%) major GDPR cases referred to Ireland remain unresolved”— in part due to lack of budget and sufficient specialist staff.

However, the ICO is considered to be a relatively resourced authority. It also has the ability to impose substantial fines that could finance its operations. So, it is unlikely that resource constraints explain its inadequate enforcement record. The ICO’s enforcement policy is largely culpable. 

The authority’s risk-based approach prioritizes a softer approach to ensuring compliance, reserving enforcement actions to violations that are likely to possess the highest risk and harm to the public. Enforcement action includes requiring an offending organization to end violations and comply with relevant rules through enforcement notice and issuing penalty. The ICO considers several factors in determining whether imposing a penalty is appropriate, including the intentional or repeated nature of the breach, the degree of harm to the public, and the number of people impacted.

In practice however, the authority exercises discretion even in cases of intentional and repeat violations impacting millions of people. For example, numerous companies illegally collect consumers’ personal data using cookies.

By tracking a user's browsing behavior, third-party cookies, known as tracking cookies, usually gather information that is enough to identify the person behind a device. Besides visits to particular web pages, they can record a person’s search queries, goods or services purchased, IP address and location.

From this, it is possible to infer a person's name, nationality, language, religion, sexual orientation, health condition, and other intimate details – most of which are considered special categories of personal data. These types of data cannot be processed without the individual's explicit consent, unless limited exceptions apply. Whilst these data could be used, for example for marketing health products, insurance companies could also use them to assess premiums, in a manner unknown and detrimental to the interest of the individual.

To its credit, the ICO has fined Easylife Ltd £1.35m which has later been reduced to £250,000 for using personal data to profile medical conditions without consent, to target individuals with health-related products. But the authority does not seem to recognise that it takes a simple switch to transition from inferring personal data from browsing behavior using cookies to profiling health conditions.

Cookies-based unconsented data collection is illegal and potentially poses a serious harm to the public, as companies could process special categories of data in a detrimental manner. Unfortunately, companies openly violate cookies-related legislations in the UK with impunity.

The ICO also shows unwarranted leniency towards tech companies repeatedly violating data protection rules. In one fiscal year (2022/2023), the ICO found evidence of Google UK’s potential infringement or infringement of the law more than 25 times,  in separate complaints. But the authority claims to have taken informal actions, essentially advising the company to do better work to comply.

Google UK's infractions include refusal or delaying to delete personal data upon request by individuals exercising their right to be forgotten. Meta Platform(formerly Facebook Inc.) received 20 compliance suggestions, after evidence of its infringement or potential infringement has been found, while Microsoft and Twitter each received the same soft compliance advices 8 times, in the same year.

In all these cases, taxpayers go through the stressful process of demonstrating that their data protection rights were violated, providing evidence of infringement by big tech companies. Yet the ICO consistently chose to be lenient to companies that obviously do not mind being told repeatedly that their data protection practices are non-compliant. The authority has essentially transformed itself into a legal advisory office for tech companies, neglecting its role as an overseer.

Data protection law inherently creates hurdles for individuals seeking compensation for privacy rights violations. In 2021, the UK's highest court ruled that without evidence of material damage or distress, mere loss of control over personal data is not compensable under the GDPR. This effectively forces individuals to wait for a recognized harm to occur due to violation of their data privacy rather than preventing it. The ICO, which should deter privacy violation, is unfortunately impotent as well.

The need for policy change

The ICO's enforcement policy heavily relies on collaboration with regulated entities rather than utilizing effective sanctions to deter repeat violations. This approach aims to support the digital economy by avoiding excessive enforcement of data protection rights and fostering data innovation. In theory, it should attract businesses to the UK, create jobs, and stimulate economic growth. However, the policy is currently being misapplied to serve the interest of big tech companies.

The companies repeatedly violating data protection laws do not necessarily contribute to digital innovation exclusively in the UK, while most of them are not strategically positioned to provide job opportunities in the country. But the UK remains their crucial consumer market. As such, sanctioning them is unlikely to change their business decisions and behaviour.  In the event of firm and measured enforcement actions, these companies will be left with no choice but to adhere to the rule of law, considering the market they operate in is one they cannot afford to lose.

The ICO’s failure to effectively enforce data privacy laws risks eroding public trust. It could also discourage data innovation, as the public might refuse to provide data for research and innovation, which could in turn negatively affect the digital economy. 

Tuesday, 4 July 2023

EU cooperation on migration with third countries: Time to address the genealogy of informal agreements in EU migration law


Dr Céline Hocquet, Teaching Fellow, Birmingham Law School, University of Birmingham

Photo credit: Issam Barhoumi, via Wikimedia Commons 

As the EU makes yet another proposal to cooperate with a third country on containing migrants outside its territory, it is urgent to engage with a critical analysis of the EU externalisation policy and the use of informal cooperation informed by the historical, legal and political context underpinning the EU external migration and asylum policy.

From the EU-Turkey to the EU-Tunisia deal?

On 11th June, the EU and Tunisia issued a joint statement agreeing to work together on a comprehensive partnership package. This partnership would cover several cooperation areas, including economy, energy, and migration. More specifically, the EU and Tunisia declared ‘the fight against irregular migration’ and ‘the prevention of loss of life at sea’ as their ‘common priority’. As such, it addresses migrant smuggling and human trafficking and bolster border controls and migrants’ registration and return. In exchange for Tunisia’s cooperation, the EU offers 100 million euros for border management, search and rescue, anti-smuggling and return operations in addition to a 1 billion euros investment plan for Tunisian economic development, including projects in the digital and energy sectors.

To those familiar with EU migration law and policy, this news will, no doubt, sound familiar.

Back in March 2016, the European Council published a press release following a meeting with representatives from the Turkish government. The EU-Turkey Statement – widely known as the EU-Turkey deal – traded the containment and return to Turkey of all irregular migrants arriving in Greece in exchange for 6 billion euros of EU funding.

At the time, arrivals of migrants to Europe crossing the Mediterranean Sea were characterised by the EU as a ‘crisis’. Emphasis was put on the exceptional nature of migration flows, the extraordinary numbers of migrants reaching European shores and the severe loss of lives during sea crossings. In this way, the situation faced by the EU and its member states was presented as critical and unprecedented. Its characterisation as a ‘crisis’, highly questioned by researchers, highlighted potential threats to the stability and security of the EU and/or its asylum system. Swift and exceptional measures were, therefore, necessary to put an end to the ‘crisis’ situation and its disruption. Such measures focused on further controlling irregular migration and EU external borders notably by externalising controls to third countries and third actors.

The EU-Turkey Statement was rapidly considered a blueprint for future EU migration and asylum policy developments by swiftly reducing migrant arrivals from Turkey to Greece. Despite criticisms raised against the precedent set by its informal nature and the threats caused to migrants and asylum seekers’ rights (see for instance on this blog here and here), similar non-binding and opaque partnerships, such as the 2017 Italy-Libya memorandum of understanding or the 2016 Afghanistan-EU Joint Way Forward, were signed between the EU or its member states and third countries to facilitate the return and/or containment of unwanted migrants.

Investigating the lineage of EU informal cooperation on migration

In my PhD thesis, I focus on this development. Namely, the EU’s increasing use of informal cooperation arrangements with third countries to control migration. More specifically, my research focused on investigating the implications of characterising the arrivals of migrants to Europe as a 'crisis' for the EU migration and asylum law system. Rather than focusing on informal cooperation developed as a result of the so-called ‘crisis’, I argue for the need to contextualise these developments within the EU migration and asylum law system as a whole. Only by doing so are we able to step away from crisis-driven considerations of emergency and security and understand the genealogy of the EU’s use of informal cooperation to externalise migration and border controls.

Using an iterative approach, I looked at the emergence and early development of the EU migration and asylum law system, especially some of its key measures. My analysis shows that informal cooperation such as the EU-Turkey Statement, the Afghanistan-EU Joint Way Forward, or the Italy-Libya Memorandum of Understanding, is far from being the result of unprecedented circumstances specific to 2015-2016 requiring swift and exceptional measures. Instead, they fit within the genealogy of the EU external migration and asylum policy. In my analysis, I identified a number of long-lasting tendencies that underpin the EU migration and asylum law system throughout its evolution. One of these tendencies is the use of informal and diversified cooperation frameworks and measures circumventing regular procedures and fundamental rights guarantees.

The legacy of the intergovernmental era

The emergence of a common approach to asylum and migration law at the then-EEC level shows the significant role of informal cooperation between member states. Indeed, well before the 2015 crisis member states developed cooperation informally among themselves using intergovernmental cooperation. A particular example is the cooperation developed within the Trevi Group. An ad hoc group of interior ministers initiated by the 1975 European Council in Rome, the Trevi group initially focused on member states’ cooperation regarding counter-terrorism before its scope expanded to asylum and immigration in the 1980s. This informal cooperation led to the adoption of several soft law measures in the field of immigration and asylum with long-lasting impacts on the common migration and asylum law system. The Dublin Convention and acts related to its implementations were, for instance, originally agreed upon as part of this ad hoc group before being incorporated into the acquis communautaire and formalised by Maastricht. Still, this shows how fundamental informal and opaque cooperation has been in shaping the common migration and asylum policy. The use of informal cooperation circumventing existing frameworks is not uncommon in the field of EU migration and asylum law. Informal cooperation agreements with third countries are therefore not the result of exceptional circumstances in 2015-2016. Rather, they fit within the legacy of the common migration and asylum policy and of how cooperation in these fields emerged in the first place.

Tampere and the comprehensive approach to migration

Although the EU cooperation on migration with third countries initially focused on entering into formal EU readmission agreements, the use of informal and diversified tools is not recent. Back in 1999, the Tampere European Council called for a comprehensive approach to external migration policy. This meant diversifying external measures related to migration by using other tools of EU external action and by addressing ‘political, human rights and development issues’ in third countries as means to reduce immigration to the EU. Signed on 23 June 2000, the Cotonou Agreement is considered the first example of the diversification of EU externalised migration and border controls. This agreement was primarily focused on EU development cooperation with African, Caribbean and Pacific states. Yet it also included readmission clauses to facilitate the return of migrants irregularly staying in the EU. It corresponds to the widening of EU migration-related cooperation to other aspects of external action. The allocation of 6 billion euros funding in exchange for Turkey’s cooperation on migration containment is therefore not a practice unique to the crisis context at the time of the EU-Turkey deal.

The EU’s Global Approach to Migration and Mobility and political agreements

Following the adoption of the Global Approach to Migration and Mobility (GAMM) in 2011, the EU introduced a new tool to develop its cooperation with third countries on migration: mobility partnerships. These political agreements are non-binding and aim at providing ‘tailor-made’ partnerships addressing shared concerns between the EU and its partner. They provide significant flexibility in terms of how to conduct the cooperation and the areas covered and contain little guarantees for fundamental rights. Therefore, although informal and opaque cooperation with third countries circumventing human rights and ordinary procedures was presented as a shift in the EU external migration policy justified by the 2015 crisis, my findings suggest otherwise. The EU’s use of non-binding and flexible tools to develop cooperation on migration and border controls with third countries pre-dated the crisis. The adoption of such informal agreements from 2015 onwards, therefore, constitutes a continuation of pre-existing practices.


This brief overview shows the significance of genealogy when analysing developments in the field of EU migration and asylum law. Crisis-focused analyses of these developments only provide a limited understanding as they ignore the underpinnings and historical, political, and social contexts in which these arrangements operate. Contrastingly, contextualising informal cooperation with third countries (such as the EU-Turkey deal or the emerging negotiations between the EU and Tunisia) within the broader evolution of the EU migration and asylum policy enables us to distance ourselves from the crisis or exceptional circumstances used to justify such measures. In doing so, it reveals that far from being policy innovation driven by emergency and security considerations, informal arrangements and diversified tools to externalise EU migration and border controls are a long-lasting legacy of earlier developments in the EU migration and asylum policy.


Friday, 30 June 2023

The Concept of a Virtual Registered Office for EU Law


Virginijus Bitė, Professor of Law at the Law School of Mykolas Romeris University

Ivan Romashchenko, Senior Researcher of the Legal Technology Centre at the Law School of Mykolas Romeris University

Photo credit: EmDee, via Wikimedia Commons

On 29th of March 2023 the European Commission published a Proposal for a Directive within the initiative devoted to upgrading digital company law. It mostly focuses on the increased transparency and access to information as well as cross-border use of company data. These goals were earlier mentioned in the inception impact assessment report published on 20th of July 2021. However, the inception impact assessment included one more policy option that was omitted in the Proposal: making the EU company law rules and procedures fit for digital age. Virtual registered office (VRO), surprisingly, has not been given green light due to mixed feedback from stakeholders.

Before the European Commission mentioned VRO in the documents, there was an attempt in Lithuania to stipulate this concept at the national level. The draft law on the introduction of a VRO was submitted to the Lithuanian parliament, the Seimas, in 2018. Although the Seimas in general supported the idea, the provisions on VRO have not yet been adopted.

Despite the lack of regulation at the EU and national levels and the apparent lack of academic consideration of VROs, researchers and practitioners have displayed enthusiasm concerning the opportunities that the introduction of VRO might provide. According to the 2017 report by Adelė Jaškūnaitė and Raminta Olbutaitė, prepared within the ‘Create Lithuania’ programme, even in the absence of a legal framework on VROs, Lithuania possessed the technical resources necessary to ensure communication with public institutions as a basis for the establishment of VRO. They concluded that there was a need to replace the physical address with a virtual one since a physical address, as an official registered office, had not fulfilled its purposes effectively. Legal entities had often been registered at so-called ‘mass addresses’, with some addresses serving as the registered offices of hundreds of companies. If VRO were to be introduced properly, this idea would reduce the financial burden on both public authorities and companies. The introduction of VRO would neither impact the corporate governance negatively as most communication among stakeholders in a company has been happening digitally. Inspired by the editorial of Lina Mikalonienė, in our recent research we have delved into the concept of a VRO and tried to evaluate the proper way it might be introduced.

For a VRO to replace registered office, it should be able to achieve the same functions as the registered office does: to ensure that the applicable law and jurisdiction are determined with respect to the legal person, and to ensure proper communication between a legal entity and its counterparties.

As far as the first function is concerned, there are reasons to conclude that applicable law and jurisdiction can be determined without knowing the exact physical location of a legal entity: information about the country where the entity is located should suffice. The VRO would be perfectly able to cope with the function of ensuring a connection between a legal entity and applicable law, even if we only knew the country that the legal entity came from. In that case, national law would be assigned the task of connecting the entity with the proper local laws and regulations, as well as the relevant local authorities. For instance, as far as Lithuania is concerned, a legal entity might have a VRO with a link to Vilnius and its city authorities.

Regarding the second function, it should primarily be noted that the existing regulation needs change. Such change needs to move in the direction of wider digitalisation, so that legal entities can act through a VRO instead of a physical address. While moving in this direction care should be taken not to forget about weaker parties, including consumers, some of which might be forced to communicate by regular mail due to poor digital skills or the absence of access to electronic tools. In addition, it is possible that some foreign state authorities might be prohibited to use such electronic system and be allowed to use only regular mail or services of clerks. Therefore, a link to a physical address to establish communication between a legal entity and its counterparties seems temporarily practical for the transition period till all players and society adapt to the system of e-communication and accept it more easily.

For these reasons, it is recommended that the EU interferes in this sphere by removing any misunderstandings and defining a registered office as including both a physical address and a VRO. EU intervention should also stipulate requirements for organisations that provide VRO in Member States, as well as setting out a legal basis for selecting a virtual address instead of a physical one and for the communication of domestic and foreign actors through VRO. These new rules need to contain safeguards against fraudulent practices, for this all legal entities using VRO should temporarily maintain a link to a physical address – for instance, the address of the director or another contact person. The suggested connection to a physical address should be viewed as a transitional compromise on a path to full VRO and the gradual development of improved virtual cross-border communication being the future replacement of the traditional registered office with its virtual counterpart.


For more information see: Bitė, V. and Romashchenko, I., 2023. The Concept of a Virtual Registered Office in EU Law: Challenges and Opportunities.  Utrecht Journal of International and European Law,  38(1), p.25–38.DOI:

Friday, 2 June 2023

The UK's pro-innovation AI regulatory framework is a step in the right direction


Asress Adimi Gikay (PhD), Senior Lecturer in AI, Disruptive Innovation, and Law (Brunel University London) Twitter @DrAsressGikay

Photo credit: via Wikicommons media

The Essence of the UK's pro-innovation regulatory approach  

After several years of evaluating the available options to regulate AI technologies, and the publication of the  National AI Strategy in 2021 setting out a regulatory plan, the UK government finally set out its pro-innovation regulatory framework in a white paper published in March of this year. The government is currently collecting responses to consultation questions. 

The white paper specifies that the country is not ready to enact a statutory law in the foreseeable future governing AI. Instead, regulators will issue guidelines implementing five principles outlined in the white paper. According to the white paper, following the initial period of implementation, and when parliamentary time allows, 'introducing a statutory duty on regulators requiring them to have due regard to the principles' is anticipated. So, an obligation to enforce the identified principles will imposed on regulators, if it is deemed necessary based on the lessons learned from the non-statutory compliance experience. But this will most likely not take place in the coming 2 to 3 years, if not more.

The UK's pro-innovation regime starkly contrasts with the upcoming European Union(EU) AI Act's risk-based regulation, applying different legal standards to AI systems based on the risk they pose.  The EU's proposed regulation bans specific AI uses, such as facial recognition technology (FRT), in publicly accessible spaces while imposing strict standards for developing and deploying the so-called high risk AI systems, including detailed safety and security, fairness, transparency and accountability. The EU's regulatory effort aims to tackle AI risks through a single legislative instrument overseen by a single national authority of member states. 

Undoubtedly, AI poses many risks ranging from discrimination in healthcare to reinforcing structural inequalities or perpetuating systemic racism in policing tools that could utilize (il)literacy, race, and social background to predict a person's likelihood to commit crimes. Certain AI uses also pose risks to privacy and other fundamental rights, as well as democratic values. However, the technology also holds tremendous potential for improving human welfare through enhancing the  efficient delivery of public services such as education, healthcare, transportation, and welfare. 

But is the UK's self-proclaimed pro-innovation framework, which uses a non-statutory regulatory approach to tackle the potential risks of AI technologies, appropriate?  

I contend that with additional fine-tuning, the approach taken by the UK better balances the risks and benefits of the technology, while also promoting socio-economically beneficial innovation.

Key components of the envisioned framework

The UK approach to AI regulation has three crucial components.  First, it relies on existing legal frameworks relevant to each sector such as privacy, data protection, consumer protection, and product liability laws, rather than implementing comprehensive AI-specific legislation. It assumes that many of the existing legislations being technology neutral would apply to AI technologies. 

Second, the white paper establishes five principles to be applied by each regulator in conjunction with the existing regulatory framework relevant to the sector. These principles are safety, security and robustness, appropriate transparency and explainability, fairness, accountability and governance, and contestability and redress.

Third, rather than a single regulatory authority, each regulator would implement the regulatory framework supported by a central coordinating body that among others, facilitates consistent cross-sectoral implementation. As such, it is up to individual regulators to determine how they apply the fundamental principles in their sectors. This could be called a semi-sectoral approach as the principles apply to all sectors, but their implementation may differ across sectors.

Although the white paper does not envision prohibition of certain AI technologies, some of the principles could be used to effectively prohibit certain use cases, for example unexplainable AI with potentially harmful societal impact.  Regulators are given a leeway, as a natural consequence of the flexibility offered by the approach adopted.

There will not be a single regulatory authority comparable to, for example, the Information Commissioner's Office that enforces data protection law in all areas. Initially, a statute will not require regulators to implement the principles. Actors in the AI supply chain will also have no legal obligation to comply with the principles unless the relevant principle is part of an existing legal framework. 

For instance, the principle of fairness requires developing and deploying AI systems that do not discriminate against persons based on any protected characteristics. This means that a public authority must fulfil its  Public Sector Equality Duty (PSED) under the Equality Act by assessing how the technology could impact different demographics. On the other hand, a private entity has no PSED as this obligation applies only to public authorities. Thus, private actors may avoid the obligation to comply with this particular aspect of the fairness principle unless they voluntarily choose to comply.

Why is the UK's overall approach appropriate? 

The UK’s flexible framework is generally a suitable approach to the governance of an evolving technology. Three key reasons can be provided for this.

   It allows evidence-based regulation.

Sweeping regulation gives the sense of preventing and addressing risks comprehensively. However, as the technology and its potential risks are yet to be understood reasonably, most AI risks today are a product of guesswork. 

This is a significant issue in AI regulation, as insufficient and non-contextualised evidence is increasingly used to advocate for specific regulatory solutions. For instance, risks of inaccuracy and bias identified in gender classification AI systems are frequently cited to support a total ban on law enforcement use of FRT in the UK. 

Although FRT has been used by law enforcement authorities in the UK several times, no considerable risk of inaccuracy has been reported because the context of law enforcement of FRT, especially in the UK, is different from online gender classification AI systems. Law enforcement use of FRT is highly regulated, so the technology deployed is also more stringently tested for accuracy, unlike an online commercial gender classification algorithm that operates in less regulated environments. Ensuring that relevant and context-sensitive evidence is used in proposing regulatory solutions is crucial.

By augmenting existing legal frameworks with flexible principles, the UK's approach enables regulators to develop tailored frameworks in response to context-sensitive evidence of harm emerging from the real-world implementation of AI, rather than relying on mere speculation

Better enforcement of sectoral regulation 

Scholars have debated for a while on whether sector-specific regulations enforced by a sectoral regulator are suitable in algorithmic governance. In a seminal piece, 'An FDA for Algorithm,’ Andrew Tutt advocated for creating a central regulatory authority for algorithms in the US comparable to the Federal Drug Administration. The EU has adopted this approach by proposing a cross-sectoral AI Act, enforceable by a single national supervisory authority. The UK chose a different path, which is likely the more sensible way forward.

Entrusting AI oversight to a single regulator across multiple sectors could result in an inefficient enforcement system, lacking public trust. Different regulatory agencies possessing expertise in specific fields, such as transportation, aviation, drug administration, and financial oversight, are better placed to regulate AI systems used in their sectors. Centralising regulation may lead to corruption, regulatory capture, or misaligned enforcement objectives, impacting multiple sectors. In contrast, a decentralised approach allows specific regulators to set enforcement policies, goals, and strategies, preventing major enforcement failures and promoting accountability.

The ICO can provide a good example.  Its track record in enforcing data protection legislation is exceptionally poor, despite having the opportunity to bring together all the required resources and expertise needed to perform its tasks. The ICO has failed miserably, and its failure impacts data protection in all sectors.

As the Centre for Data Innovation asserted, “If it would be ill-advised to have one government agency regulate all human decision-making, then it would be equally ill-advised to have one agency regulate all algorithmic decision-making."

The UK's proposed sectoral approach avoids the risk of having a single inefficient regulatory authority by distributing regulatory power across sectors.

Non-statutory approach and flexibility to address new risks

The non-statutory regulatory framework allows regulators to swiftly respond to unknown AI risks, avoiding lengthy parliamentary procedures. AI technology's rapid advancement makes it difficult to fully comprehend real-world harm without concrete evidence. 

Predicting emerging risks is also challenging, particularly regarding "AI systems that have a wide range of possible uses, both intended and unintended by the developers"(known as general purpose AI) and machine learning systems. Implementing a flexible regulatory framework allows the framework to be easily adapted to the evolving nature of the technology and the resulting new risks.

But two challenges need to be addressed   

The UK's iterative, flexible, and sectoral approach could successfully balance the risks and benefits of AI technologies only, if the government implements additional appropriate measures.

Serious enforcement  

The iterative regulatory approach would be effective only if the relevant principles are enforceable by regulators. There must be a legally binding obligation for relevant regulators to incorporate these principles in their regulatory remit and create a reasonable framework for enforcement. This means that regulators should have the power to take administrative actions while individuals should be empowered to seek redress for the violation of their rights or to compel compliance with existing guidelines.  If no such mechanism is implemented, the envisioned framework will not address the risks posed by AI technologies. 

Without effective enforcement tools, companies like Google, Facebook, or Clearview AI that develop and/or use AI will have no incentive to comply with non-enforceable guidelines. There is no evidence to support this, and there will never be.

Enforcing the principles does not require changing the flexible nature of the UK’s envisioned approach, as how the principles are implemented is still left to regulators.  The flexibility remains largely in the fact that the overall principles can be amended without a parliamentary process. So, regulators can tighten or loosen their standards depending on the context. However, a statute that says the essence of those principles should be implemented and enforced by the relevant regulators is necessary.

Defining the Role of the central coordinating body

The white paper emphasizes the need for a  central function to ensure consistent implementation and interpretation of the principles, identify opportunities and risks, and monitor developments. But regulators must consult this office when implementing the framework and issuing guidelines. 

Although the power to issue binding decisions may not need to be conferred, the central office should be mandated to issue non-binding opinions on essential issues, similar to the European Data Protection Board. Regulators should also be required to initiate a request for an opinion on certain matters formally. This would facilitate cross-sectoral consistency in implementing the envisioned framework and enable early intervention in tackling potential challenges.


The UK has taken a step in the right direction in adopting a flexible AI regulation that fosters innovation and mitigates the risks of AI technologies. However, the regulatory framework needs to be enhanced to maintain the UK's leadership in AI. The lack of a credible enforcement system and solid coordination mechanism may undermine the objective of the envisioned framework, including deterring innovation and undermining public trust and international confidence in the UK regulatory regime.